Cracking "SmartDir v2.0"

Date         : July 1, 1999
Author       : +ViPeR+ [E]bola [V]irus [C]rew
Program Name : SmartDir ver 2.0
Location     : http://www.gavlockconsulting.com/smartdir.htm
Method       : ECHO

-------------------------------------------------------------------------------

Yo, man. It's me again. This time, I am going to show you how to find the correct registration code for this proggy 'SmartDir'. First let me say this proggy is a really handy Windows utility. If you have been frustrated by the following two things:

1. The inability to easily print a list of files in a given directory.
2. The lack of tools to help manage disk space usage.

Then you should try it out.

Ok, enough crap, let's begin our job. Install the program and open the registration window. You need to supply the name and registration code in order to register this program. I enter the following info:

Name : evc_viper
Code : 54545454

Fire up Soft-Ice and set a breakpoint by typing 'bpx getwindowtexta'. Press 'x Enter' to exit Soft-Ice. Click the 'Ok' button now and you will be sent back to Soft-Ice again. Now, listen carefully: press 'x Enter' 3 times and then F11 to go back to the caller routine. You will find yourself landing here:

* Reference To: USER32.GetWindowTextA, Ord:013Fh
|
:0043C180 FF15D0544600    Call dword ptr [004654D0]
:0043C186 3BC6            cmp eax, esi                    ; <-- WE LAND HERE
:0043C188 7514            jne 0043C19E
:0043C18A FF750C          push [ebp+0C]
:0043C18D 8D8500FFFFFF    lea eax, dword ptr [ebp+FFFFFF00]
:0043C193 50              push eax

* Reference To: KERNEL32.lstrcmpA   <-- what a nice thing to know, but I don't find it really useful. ><
|
:0043C194 FF157C534600    Call dword ptr [0046537C]
:0043C19A 85C0            test eax, eax
:0043C19C 740C            je 0043C1AA

Now, again, listen carefully: press F10 (thousands of times) all the way until you reach 00409B19. Here, I need to say something. While you F10 ..... you will probably see a lot of function calls in between and a lot of test, je, jne, blah, blah, blah.
So, how do I know I need to stop at 00409B19? Let's see what is there.

:00409B19 E8722A0000      call 0040C590
:00409B1E 85C0            test eax, eax
:00409B20 7432            je 00409B54

A very typical call, test, jump block. The reason I know I need to stop at 00409B19 is that if this test fails, we are not registered. Again, how do you know, you might ask. Let's display the code at 00409B54 below.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409B20(C)
|
:00409B54 6A00            push 00000000
:00409B56 6A10            push 00000010

* Possible StringData Ref from Data Obj ->"Registration Code is not valid."
|
:00409B58 6864044800      push 00480464

See the string "Registration Code is not valid."? Now you know why the call at 00409B19 is important. Here, I show you the dead listing from W32Dasm. Usually, I don't use it to crack programs, I only use Soft-Ice. (If you have used Soft-Ice a lot, you will automatically develop some weird ability to spot the right place to trace inside the code.) So while you are in Soft-Ice, type 'd 00480464' and you will see that string in your data window.

Ok, back to our job. Let's F8 into the call at 00409B19. If you are interested in writing a key generator, you need to study the call to 0040C590. Otherwise, read on.
* Referenced by a CALL at Addresses:
|:00409B19   , :0040ACFC
|
:0040C590 6AFF            push FFFFFFFF
:0040C592 6800144600      push 00461400
:0040C597 64A100000000    mov eax, dword ptr fs:[00000000]
:0040C59D 50              push eax
:0040C59E 64892500000000  mov dword ptr fs:[00000000], esp
:0040C5A5 83EC08          sub esp, 00000008
:0040C5A8 55              push ebp
:0040C5A9 56              push esi
:0040C5AA 57              push edi
:0040C5AB 8BE9            mov ebp, ecx
:0040C5AD 8D442424        lea eax, dword ptr [esp+24]
:0040C5B1 8D4C240C        lea ecx, dword ptr [esp+0C]
:0040C5B5 50              push eax
:0040C5B6 C744242001000000 mov [esp+20], 00000001
:0040C5BE E815970200      call 00435CD8
:0040C5C3 8D4C240C        lea ecx, dword ptr [esp+0C]
:0040C5C7 C644241C02      mov [esp+1C], 02
:0040C5CC E84E9D0200      call 0043631F
:0040C5D1 8B7C240C        mov edi, dword ptr [esp+0C]      ; edi -> the name you typed in
:0040C5D5 33F6            xor esi, esi                     ; esi = running sum
:0040C5D7 8B4FF8          mov ecx, dword ptr [edi-08]      ; ecx = number of characters
:0040C5DA 85C9            test ecx, ecx
:0040C5DC 7E1A            jle 0040C5F8                     ; empty name: skip the loop
:0040C5DE B801000000      mov eax, 00000001                ; eax = 1-based character index

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C5F6(C)
|
:0040C5E3 33D2            xor edx, edx
:0040C5E5 8A5407FF        mov dl, byte ptr [edi+eax-01]    ; dl = current character
:0040C5E9 03D0            add edx, eax
:0040C5EB 0FAFD0          imul edx, eax
:0040C5EE 03F2            add esi, edx
:0040C5F0 40              inc eax
:0040C5F1 8D50FF          lea edx, dword ptr [eax-01]
:0040C5F4 3BD1            cmp edx, ecx
:0040C5F6 7CEB            jl 0040C5E3                      ; loop over every character

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C5DC(C)
|
:0040C5F8 B89B990E00      mov eax, 000E999B                ; magic number?
:0040C5FD 8D4C2410        lea ecx, dword ptr [esp+10]
:0040C601 2BC6            sub eax, esi
:0040C603 50              push eax
:0040C604 51              push ecx
:0040C605 8BCD            mov ecx, ebp
:0040C607 E8B4FEFFFF      call 0040C4C0
:0040C60C 8B742410        mov esi, dword ptr [esp+10]
:0040C610 8B442428        mov eax, dword ptr [esp+28]

Basically, the above code manipulates your name and then calls 0040C4C0 at 0040C607 to obtain the correct registration code. Make sure you are on the line after 0040C610. Now type 'd esi' and you will see a number, and type 'd eax' and you will see your fake registration code.
In my case, I saw:

951764   in the data window by 'd esi'
54545454 in the data window by 'd eax'

The rest of the program does the comparison between your fake code and the real code. Now open the registration window and key in

Name : evc_viper
Code : 951764

and you will see the registration successful window.

Final Note: Don't be frustrated by so many useless function calls. In order to become a real cracker, one of the most important things you need to have is: Patience.

Ob Duh
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.

+ViPeR+ [E]bola [V]irus [C]rew
July 1, 1999