Diary Link 97
(Menu disable and active by Register Number)
student 
Most Stupid Protection
27 April 1998 
by Kabhoet 
Courtesy of Fravia's page of reverse engineering
slightly edited
by Fravia+
fra_00xx 
98xxxx 
handle 
1100 
NA 
PC
I love it: "I can't register, may be my program is error or what else ???? Forget it just try another way"... right so, +cracker!
Look here, even in a simple "beginner" essay there is always something to learn (even for old hands)... provided that somebody has the "stuff" to teach. Unfortunately, many self-calling (self-styling?) "crackers" don't seem to understand this simple truth :-(
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert 

Assume that everyone who read this know very basic w32dasm and assembly language.

Dynamic Procedure Call,
And crack by the stupid way.....
Written by Kabhoet
 

Introduction 

After publish my first essay, some guys have emailed me and asked me to crack this program. This is one of the messages I got:
"Hi, I read your essay at Fravia, very interesting.  Thanks for the help you give us newbies.  I'm trying to work with a file called DiaryLink97. This file could be d/l from www.jamesralph.com and its about 2m in size. I have tried everything I know and still can't crack the protection. Maybe you could help me?  Its crippled and only lets you download one record from your PC to a Casio Diary at a time. You don't need the Casio to run or crack the program.  Any help would be appreciated.  Three other gurus have tried but told me that it could'nt be done".
The last words seem to be a story created on the fly, of course. But never mind, I did have a look at the program and I think it uses a pretty stupid protection scheme. So let's have a look... stupid protection schemes are interesting for newbyes...

Tools required 
- W32Dasm
- HIEW(Hacker View) make a patch.

Target's URL/FTP 
DiaryLink97, Please buy it and don't use this crack if you really need this program, else crack it to death... but only if you are just fiddling around for the sake of reversing.

Program History 
This target lets you download records from your PC to your "Casio Diary" (some funny useless gadget, I presume). Of course I don't even have this Casio Diary... wouldn't touch such a thing with a badget pole... and therefore this target is completely useless for me.

Essay 

You should install the program first and then run the program. You will find that in the menu Communication -> Send -> there is only 1 menu can work and the other menu display a message box said "This Evaluation Copy can only send single record". And I try to register at Help Menu but it said "Error and bla-bla-bla". I can't register, may be my program is error or what else ???? Forget it just try another way. Ok, now launch the w32dasm and open the program (filename: dlink.exe). After that find text "This Evaluation Copy" and .....

:004B5C78 33C0                    xor eax, eax
:004B5C7A 8AC3                    mov al, bl
:004B5C7C 66C784460C0700000000    mov word ptr [esi+2*eax+0000070C], 0000
:004B5C86 43                      inc ebx
:004B5C87 80FB0A                  cmp bl, 0A
:004B5C8A 75EC                    jne 004B5C78
:004B5C8C 6A00                    push 00000000
:004B5C8E 668B0DD4614B00          mov cx, word ptr [004B61D4]
:004B5C95 B202                    mov dl, 02
* Possible StringData Ref from Code Obj ->"This Evaluation Copy can only "
                                        ->"send single records!
."
                                  |
:004B5C97 B8E0614B00              mov eax, 004B61E0
:004B5C9C E83311F8FF              call 00436DD4
:004B5CA1 E900050000              jmp 004B61A6          ; Goto To End

; If Registered
:004B5CA6 A1D4294D00              mov eax, dword ptr [004D29D4] 
:004B5CAB 8D98AC020000            lea ebx, dword ptr [eax+000002AC]
:004B5CB1 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Send record using communication "
                                        ->"parameters:"
                                  |
:004B5CB4 BA1C624B00              mov edx, 004B621C
:004B5CB9 E856D9F4FF              call 00403614
:004B5CBE FF75FC                  push [ebp-04]

* Possible StringData Ref from Code Obj ->"Port: "
                                  |
:004B5CC1 6854624B00              push 004B6254
:004B5CC6 FF7304                  push [ebx+04]
:004B5CC9 6864624B00              push 004B6264
:004B5CCE 8D45FC                  lea eax, dword ptr [ebp-04]
Don't try to look up and see who call it because you would never find it. This program seem to be created by Borland Delphi or other else... But Look at :004B5CA1, it said JMP to another place and not execute anything. Strange....How come after JMP there is a real McCoy at there. Is that very stupid, the compiler or the programmer.
So simply using Hiew to change :004B5C8C from Push 000000 to JMP :004B5CA6.
It means to jump to the real place if not registered. Easy.......And you have activated one of three menu.

All the last step is Seek again and you will find another 2 address (004B63CB and 004B6A52).
And patch it yourself......

Final Notes 

And .... Finish. Nothing to say. "Rush with hurry and you will get it ".

Ob Duh 

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside Fravia's page of reverse engineering, choose your way out:
redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?