PROG: InfoSpy v2.61
TYPE: 16-bit
PROT: Name/Reg
CHECK: 240F:06EC JZ
HEX:

1. Let's find the protection
   a. BPX GetDlgItemText ; set our breakpoint in SoftICE
   b. Run InfoSpy ; and enter some registration info
      1) help, use registration key
      2) enter your first name, last name, and any reg number
      3) click ok
   c. ICE pops
      1) F11 ; step out of the function
      2) F10, F10, F10,... ; walk thru the code
   d. Gets first string, runs thru loop to calculate reg code
   e. Gets second string, runs thru loop to calculate reg code
   f. After stepping thru the loops I found the final compare at 240F:06EC
      (your memory segment may be different; it's the JZ 06F1)
   g. Keep stepping thru and it'll beep and display invalid reg code
2. Since we now know the final compare (JZ) is at 240F:06EC
   a. BC 0 ; clear the original breakpoint
   b. BPX 240F:06EC ; set a new breakpoint before the compare
   c. Run InfoSpy, enter your first name, last name, and any reg number, ok
   d. ICE pops
   e. R FL Z ; toggle zero flag
   f. F10, F10, F10,... ; continue running
   g. Or just Ctrl-D a few times to get back to the program
3. Thank you for registering!
4. Key is written to \windir\infospy.ini
   [InfoSpy]
   RegStat=DLBGJ4320
5. Happy cracking!

PROG: Win-eXpose Registry v1.0
TYPE: 32-bit
PROT: Name/Reg
CHECK: 0137:004024F9 JZ
HEX: 0F84CF, replace with E9D000

1. Use same approach as InfoSpy...
2. Final compare is at 0137:004024F9
3. BPX 0137:004024F9
4. R FL Z ; toggle zero flag
5. Thank you for registering!
6. Stepping thru the program, found real password:
   First, Last name: dr
   Company name: LAN
   Address line #1: 1
   Address line #2: 1
   Serial Number: 1
   Password: f422c070

PROG: Win-eXpose I/O v2.0
TYPE: 32-bit
PROT: Name/Reg
CHECK: 0137:004061D9 JZ
HEX: 0F84CF, replace with E9D000

1. Use same approach as Win-eXpose Registry...
2. Final compare is at 0137:004061D9
3. BPX 0137:004061D9
4. R FL Z ; toggle zero flag
5. Thank you for registering!
6. Stepping thru the program, found real password:
   First, Last name: dr
   Company name: LAN
   Address line #1: 1
   Address line #2: 1
   Serial Number: 1
   Password: f422c070

PROG: StartClean v1.2
TYPE: 32-bit
PROT: Name/Reg
CHECK: BPX lstrcmpA
HEX:

From Qapla's Cracking Tutorial...

BPX lstrcmpA ; in sICE

Enter name and a bogus registration number and click ok.
I entered drLAN, 12345.

.
.
.
PUSH EAX                 ; push your code on the stack
PUSH 406030              ; push the right code on the stack
CALL [KERNEL32!lstrcmp]  ; compare them
TEST EAX,EAX             ; test results of string compare and set Zero flag
JNZ 00401271             ; 1 = bad boy; not reg'd, 0 = good boy; reg'd
.
.
.

d 406030 ; here's the right code

972-8766-1717-341

PROG: WizCat Pro v4.2
TYPE:
PROT: Name/Reg
CHECK: 2F97:CED9 JZ
HEX:

2F97:CED9 3C01    CMP AL,01  ; holy flag
2F97:CEDB 7403    JZ CEE0    ; 0=good guy; reg'd
2F97:CEDD E9DD00  JMP CDBD   ; <>0=bad guy; beggar off

A good, clean crack would be:

MOV AL,01
JMP CEE0

However, the program does some internal checking and won't run if modified.
So, all we can do is find the correct reg code and then use it.
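Editor's addition, not part of the original notes and not code from any of these programs: every check above ends in one compare and one conditional jump, which is why a single flag toggle or byte patch defeats it, and WizCat's "internal checking" is the usual countermeasure. This Python example shows such a check done without creating another flippable branch: the bytes of the protected code region derive a key that unseals data the program needs at run time, so a patched region yields a failed tag and no usable data instead of a flag to force. The byte strings are constructed stand-ins for the CALL lstrcmp / TEST EAX,EAX / JE sequence before and after the JE-to-JMP patch shown in the HEX lines above.

```python
import hashlib
import hmac

# Constructed stand-ins for a checked code region: CALL rel32, TEST EAX,EAX,
# then the six-byte JE rel32 (0F 84 cf 00 00 00) that the HEX lines patch.
# Neither byte string is taken from any real program.
ORIGINAL_CODE = bytes.fromhex("e800000000" "85c0" "0f84cf000000")
# Same region after the JE becomes JMP rel32 (E9 d0 00 00 00) plus a NOP pad.
PATCHED_CODE = bytes.fromhex("e800000000" "85c0" "e9d0000000" "90")

TAG_LEN = 8


def code_key(code: bytes) -> bytes:
    """Key derived from the bytes of the protected region; any single-byte
    change (flipped branch, inserted JMP, NOP pad) gives a different key."""
    return hashlib.sha256(b"code-integrity-v1" + code).digest()


def keystream(key: bytes, n: int) -> bytes:
    """SHA-256 in counter mode: n keystream bytes for n bytes of data."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def seal(secret: bytes, code: bytes) -> bytes:
    """Bind a secret the program needs at run time (a resource string, a
    lookup table the feature uses) to the exact bytes of the code region."""
    key = code_key(code)
    tag = hmac.new(key, secret, "sha256").digest()[:TAG_LEN]
    body = bytes(a ^ b for a, b in zip(secret, keystream(key, len(secret))))
    return tag + body


def unseal(blob: bytes, code: bytes):
    """Recover the secret from the code bytes present at run time. With a
    patched region the key is wrong, the tag check fails and the caller gets
    None; forcing the branch below only hands back garbage, not the secret."""
    key = code_key(code)
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    secret = bytes(a ^ b for a, b in zip(body, keystream(key, len(body))))
    expected = hmac.new(key, secret, "sha256").digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return secret
```

In a real build the sealed blob is produced once at link time over the final code bytes, and the run-time side reads the region from its own image before unsealing.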

I entered drLAN, 006969. Then searched for my reg code and set BPR's on
the ranges.

s 0 l ffffffff '006969'. Should find the entered code in memory.
BPR ssss:oooo SSSS:OOOO RW. Where ssss:oooo is segment:offset of starting
address where string resides. SSSS:OOOO is ending address (last byte of the
string).

I eventually found my reg code somewhere that BX pointed to. It showed up
as one big ugly number, and then a little earlier in memory in the correct
format: 42041-7420.

So to register, use:

drLAN
42041-7420