BiSHoP's Tutorial # 5 (May 27, 2000)

Topic:  Patching ModemBooster 2.0
Target: ModemBooster 2.0
Where:  http://www.download.com

Index:
1. Introduction
2. Requirements
3. Start
4. Cracking
5. Final Notes
6. Greetz & Thanx

---------------------------------------------------

1. Introduction-

Welcome back again, this is my fifth tutorial. I feel bored and have no other programs to crack. I just got a crack request from someone so I will write about it.

2. Requirements-

The requirements for this tutorial are W32Dasm and a hex editor; Hiew would do. You can also use SoftICE to fish the serial out, but it's not necessary.

3. Start-

Our target is ModemBooster 2.0. It's very easy to crack, but the protection is very weird, in a lame way of course. You have to register the program with a serial, but after you enter the right serial the program only stores your name and company in the registry along with a RegID value of 1 (true) telling whether or not you are registered. You can patch it at the serial-comparing address and the program will work like a key generator itself.

4. Cracking-

First let's run the program and see what it looks like unregistered. It shows a splash screen with "Unregistered Evaluation Copy" and "21 Evaluation days left"; well, don't you just hate programs that say that? While in the program, click on Registration and Enter Registration Code. Just enter anything right now; all we need is the "wrong code" message string. Click OK and it says "Wrong registration code". Run W32Dasm, disassemble modembtr.exe and look for the wrong code string in the String Data References (SDR); it should be on the fifth line. When you double-click on it a few times you should see that there are many of them. The reason is that the program checks several things before comparing the serial, like checking to see if the text boxes are empty. That string is useless to us now. Let's try the "thank you for your support" string instead.
In SDR, right underneath the wrong code string should be the "thank you for your support" string. Try that and you will find that there's only one of them. Double-click on it and it should take you to some code like below:

------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408F8E(C), :00408FAA(C)   <== Two important jumps
|
:0040904A 3DD0220200      cmp eax, 000222D0
:0040904F 0F859F000000    jne 004090F4                    <== This might be the jump
:00409055 8B561C          mov edx, dword ptr [esi+1C]
:00409058 6A36            push 00000036
:0040905A 52              push edx

* Possible Reference to String Resource ID=32776: "Thank you for your registration support!"
|
:00409077 6808800000      push 00008008
:0040907C 8D4C2410        lea ecx, dword ptr [esp+10]
:00409080 E8B2040400      call 00449537
-------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408F0D(C)
|
:00408F84 E844B60200      call 004345CD
:00408F89 83C408          add esp, 00000008
:00408F8C 85C0            test eax, eax
:00408F8E 0F8486000000    je 0040901A                     <== Important!
:00408F94 8B0DD4E14600    mov ecx, dword ptr [0046E1D4]
:00408F9A 8B542410        mov edx, dword ptr [esp+10]
:00408F9E 51              push ecx
:00408F9F 52              push edx
:00408FA0 E828B60200      call 004345CD
:00408FA5 83C408          add esp, 00000008
:00408FA8 85C0            test eax, eax
:00408FAA 746E            je 0040901A                     <== Important!
--------------------------------------------------------------------------

I am sure that the jump at 40904F is the jump to the wrong reg message, but there are two more at 408FAA and 408F8E that are important too. I just assume they are some serial-checking routine, but I am not sure of that because I didn't use SoftICE to check. Let's copy down the offsets and try patching them to test whether they work or not. They are 904Fh, 8F8Eh and 8FAAh. Let's go to Hiew, open the modembtr.exe file and use decode mode.
Now make these changes at the offsets:

904F: 0F859F000000 --> 0F849F000000   (jne 004090F4 --> je 004090F4)
8F8E: 0F8486000000 --> 0F8586000000   (je 0040901A --> jne 0040901A)
8FAA: 746E         --> 756E           (je 0040901A --> jne 0040901A)

Update the file and quit Hiew. Now run ModemBooster again, Register using your name and any serial, and click OK. "Thank you for your registration support!" Yeah, we nailed this bitch! The program can now be registered with any serial. Now try making a patch :] I gave you all the offsets!

5. Final Notes-

I don't think that was too hard. If you still don't understand some things in this tutorial, e-mail me at diablo337@hotmail.com and I'll answer whatever's on your mind ;)

6. Greetz & Thanx-

Greetinz: UCF, Mexelite, Phrozen Crew, CiA, CORE, ODDITY, CookieCrK, Prophecy, RTD, HellForge, Genocide, and to any of ya I left out!

Thanx to: tKC for all his tutorials, CookieCrK for providing me with some cracking toolz, and to all the sites in the Reverse EngineeRING for all their tuts, and oh yeah thanx for reading this tut!

Peace out 'til next time yall!

-BiSHoP-
diablo337@hotmail.com
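The whole protection in section 4 comes down to three conditional jumps, each defeated by flipping the low bit of its opcode (74/75, 0F 84/0F 85). That is exactly what a vendor-side tamper check should catch. The Python below is an added example (mine, not the tutorial's or ModemBooster's code): it hashes a code image and reports every inverted Jcc between a reference image and a candidate. It runs on a constructed zero-filled stand-in carrying only the three instructions from the listing at the offsets named above, not the real modembtr.exe.

```python
import hashlib

# x86 conditional jumps: short form 70-7F (rel8) and near form 0F 80-0F 8F
# (rel32). The low opcode bit negates the condition, so je/jne differ by one
# bit (74/75, 0F 84/0F 85); that is the single-bit patch the tutorial applies.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]

def code_hash(image: bytes) -> str:
    """Reference digest a vendor's integrity check would compare against."""
    return hashlib.sha256(image).hexdigest()

def find_jcc_flips(original: bytes, candidate: bytes):
    """List (offset, old, new) for every byte that differs from the reference
    only in bit 0 and decodes as a Jcc opcode. A heuristic: bit-0 differences
    in data bytes can look like opcodes, so confirm hits with a disassembler."""
    if len(original) != len(candidate):
        raise ValueError("images differ in size; not a byte-patched copy")
    flips = []
    for off, (a, b) in enumerate(zip(original, candidate)):
        if a ^ b != 1:
            continue
        if 0x70 <= a <= 0x7F:                                    # short Jcc rel8
            flips.append((off, JCC[a & 0xF], JCC[b & 0xF]))
        elif 0x80 <= a <= 0x8F and off and original[off - 1] == 0x0F:  # near Jcc rel32
            flips.append((off - 1, JCC[a & 0xF], JCC[b & 0xF]))
    return flips

def build_sample():
    """Constructed stand-in for modembtr.exe (assumption: zero-filled except the
    three instructions the tutorial names, at their file offsets). Returns the
    reference image and a copy with the tutorial's three patches applied."""
    img = bytearray(0x9100)
    img[0x904F:0x9055] = bytes.fromhex("0F859F000000")    # jne 004090F4
    img[0x8F8E:0x8F94] = bytes.fromhex("0F8486000000")    # je  0040901A
    img[0x8FAA:0x8FAC] = bytes.fromhex("746E")            # je  0040901A
    original = bytes(img)
    for off in (0x9050, 0x8F8F, 0x8FAA):                  # flip bit 0 of each Jcc opcode
        img[off] ^= 1
    return original, bytes(img)

if __name__ == "__main__":
    ref, patched = build_sample()
    print("hash mismatch:", code_hash(ref) != code_hash(patched))
    for off, old, new in find_jcc_flips(ref, patched):
        print(f"offset {off:04X}h: {old} -> {new}")
```

The hash alone says only that something changed; the Jcc diff tells the vendor which branch was inverted, which is the signal worth logging before trusting a RegID=1 flag read back from the registry.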