Cracking "SmartDir v2.0"
Date: July 1, 1999
Author : +ViPeR+
[E]bola [V]irus [C]rew

Program Name : SmartDir ver 2.0
Location     : http://www.gavlockconsulting.com/smartdir.htm

Method : ECHO

<<Note: this document is for educational purposes ONLY.>>
-------------------------------------------------------------------------------
Yo, man. It's me again. This time, I am going to show you how to find the 
correct registration code for this proggy 'SmartDir'. First let me say this 
proggy is a really handy Windows utility. If you have been frustrated by the 
following two things: 
1. The inability to easily print a list of files in a given directory. 
2. The lack of tools to help manage disk space usage.  
Then you should try it out. 

Ok, enough crap, let's begin our job. 

Install the program, and open the registration window. You need to supply the
name and registration code in order to register this program.

I enter the following info:

Name : evc_viper
Code : 54545454

Fire up Soft-Ice and set a breakpoint by typing 'bpx getwindowtexta'.
Press 'x Enter' to exit Soft-Ice.

Click the 'Ok' button now and you will be sent back to Soft-Ice again.
Now, listen carefully: press 'x Enter' 3 times and then F11 to go back to the 
caller routine. You will land here:

:
:
* Reference To: USER32.GetWindowTextA, Ord:013Fh
                                  |
:0043C180 FF15D0544600            Call dword ptr [004654D0] ; 
:0043C186 3BC6                    cmp eax, esi  ; <-- WE LAND HERE
:0043C188 7514                    jne 0043C19E
:0043C18A FF750C                  push [ebp+0C]
:0043C18D 8D8500FFFFFF            lea eax, dword ptr [ebp+FFFFFF00]
:0043C193 50                      push eax

* Reference To: KERNEL32.lstrcmpA <-- what a nice thing to know, but 
                                      I don't find it is really 
                                      useful. ><
                                  |
:0043C194 FF157C534600            Call dword ptr [0046537C]
:0043C19A 85C0                    test eax, eax
:0043C19C 740C                    je 0043C1AA

Now, again, listen carefully: press F10 (it feels like thousands of times) all
the way until you reach 00409B19. Here, I need to say something. While you F10
..... you will probably see a lot of function calls in between and a lot of
test, je, jne, blah, blah, blah. So, how do I know I need to stop at 00409B19?
Let's see what is there.

:00409B19 E8722A0000              call 0040C590
:00409B1E 85C0                    test eax, eax
:00409B20 7432                    je 00409B54

A very typical call, test, jump block. The reason I know I need to stop at 
00409B19 is that if this test fails, we are not registered. Again, how do you
know, you might ask. Let's display the code at 00409B54 below.

:
:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409B20(C)
|
:00409B54 6A00                    push 00000000
:00409B56 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"Registration Code is not valid."
                                  |
:00409B58 6864044800              push 00480464

See the string "Registration Code is not valid."? Now you know why the 
call at 00409B19 is important. Here, I show you the deadlisting using 
W32Dasm. Usually, I don't use it to crack programs, I only use Soft-Ice. (If
you have used Soft-Ice a lot, you will automatically develop some weird ability
to spot where the right place to trace inside the code is.) So
while you are in Soft-Ice, type 'd 00480464' and you will see that 
string in your data window. 

Ok. Back to our job. Let's F8 into the call at 00409B19.

If you are interested in writing a key generator, you need to study the
routine at 0040C590. Otherwise, read on.

* Referenced by a CALL at Addresses:
|:00409B19   , :0040ACFC   
|
:0040C590 6AFF                    push FFFFFFFF
:0040C592 6800144600              push 00461400
:0040C597 64A100000000            mov eax, dword ptr fs:[00000000]
:0040C59D 50                      push eax
:0040C59E 64892500000000          mov dword ptr fs:[00000000], esp
:0040C5A5 83EC08                  sub esp, 00000008
:0040C5A8 55                      push ebp
:0040C5A9 56                      push esi
:0040C5AA 57                      push edi
:0040C5AB 8BE9                    mov ebp, ecx
:0040C5AD 8D442424                lea eax, dword ptr [esp+24]
:0040C5B1 8D4C240C                lea ecx, dword ptr [esp+0C]
:0040C5B5 50                      push eax
:0040C5B6 C744242001000000        mov [esp+20], 00000001
:0040C5BE E815970200              call 00435CD8
:0040C5C3 8D4C240C                lea ecx, dword ptr [esp+0C]
:0040C5C7 C644241C02              mov [esp+1C], 02
:0040C5CC E84E9D0200              call 0043631F
:0040C5D1 8B7C240C                mov edi, dword ptr [esp+0C]
:0040C5D5 33F6                    xor esi, esi
:0040C5D7 8B4FF8                  mov ecx, dword ptr [edi-08]
:0040C5DA 85C9                    test ecx, ecx
:0040C5DC 7E1A                    jle 0040C5F8
:0040C5DE B801000000              mov eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C5F6(C)
|
:0040C5E3 33D2                    xor edx, edx
:0040C5E5 8A5407FF                mov dl, byte ptr [edi+eax-01]
:0040C5E9 03D0                    add edx, eax
:0040C5EB 0FAFD0                  imul edx, eax
:0040C5EE 03F2                    add esi, edx
:0040C5F0 40                      inc eax
:0040C5F1 8D50FF                  lea edx, dword ptr [eax-01]
:0040C5F4 3BD1                    cmp edx, ecx
:0040C5F6 7CEB                    jl 0040C5E3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C5DC(C)
|
:0040C5F8 B89B990E00              mov eax, 000E999B ; magic number?
:0040C5FD 8D4C2410                lea ecx, dword ptr [esp+10]
:0040C601 2BC6                    sub eax, esi
:0040C603 50                      push eax
:0040C604 51                      push ecx
:0040C605 8BCD                    mov ecx, ebp
:0040C607 E8B4FEFFFF              call 0040C4C0
:0040C60C 8B742410                mov esi, dword ptr [esp+10]
:0040C610 8B442428                mov eax, dword ptr [esp+28]
<<stop here>>

Basically, the above code manipulates your name and then calls 0040C4C0
at 0040C607 to obtain the correct registration code. Make sure you are
on the line after 0040C610. Now, type 'd esi' and you will see a number; type
'd eax' and you will see your fake registration code. In my case, I saw

951764   in data window by 'd esi'
54545454 in data window by 'd eax'

The rest of the program is doing the comparison with your fake code 
and the real code. 

Now, open the registration window and key in

name: evc_viper
code: 951764

and you will see the registration successful window. 

Final Note:
   Don't be frustrated by so many useless function calls. In order to
   become a real cracker, one of the most important things you need to have
   is: Patience. 

Ob Duh
   Do I really have to remind you all that buying and NOT stealing the 
   software you use will ensure that these software houses continue to
   produce even *better* software for us to use and, more importantly,
   continue offering even more challenges in breaking their often weak
   protection systems?

+ViPeR+
[E]bola [V]irus [C]rew
July 1, 1999
