teleport.html

This is a e-book How to Crack with Softice. HTML type document.

<P><FONT FACE="Courier New,Courier"><FONT COLOR="#000000"><FONT SIZE=-1>:00449D80&nbsp;&nbsp;&nbsp;
CALL [USER32!GetWindowTextA]&nbsp; &lt;- get what is in the</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;- Registration Code text box</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:00449D86&nbsp;&nbsp;&nbsp;
MOV ECX, [EBP+10]&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;
&lt;- fake registration code</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:00449D89&nbsp;&nbsp;&nbsp;
PUSH FF</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:00449D8B&nbsp;&nbsp;&nbsp;
CALL 004430CA</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:00449D90&nbsp;&nbsp;&nbsp;
JMP 00449D9D</FONT></FONT></FONT>

<P><FONT COLOR="#000000"><B>F10</B> over the call at 00449D8B (you can
<B>F8</B> into it, but it is not very interesting).</FONT>
<BR><FONT COLOR="#000000"><B>F10</B> until:</FONT>

<P><FONT COLOR="#000000">:004246D2&nbsp;&nbsp;&nbsp; PUSH DWORD PTR [ESI+000000DD]</FONT>

<P><FONT COLOR="#000000">If you type <B>d esi+dd</B> you'll see this in
your data window:</FONT>

<P><FONT COLOR="#000000">:006FFA2D&nbsp;&nbsp;&nbsp; 1C 2B D3 00 50 41
00 .....</FONT>

<P><FONT COLOR="#000000">Do you see the first 3 pairs of numbers (1C 2B
D3)? Reverse them and type:</FONT>
<BR><B><FONT COLOR="#000000">d D32B1C</FONT></B><FONT COLOR="#000000"></FONT>

<P><FONT COLOR="#000000">Ahhh...your fake registration code.</FONT>
<BR><FONT COLOR="#000000">&nbsp;</FONT>
<BR><FONT COLOR="#000000">Below this PUSH instruction you'll find:</FONT>

<P><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:004246D8&nbsp;&nbsp;&nbsp;
CALL 0042A960</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:004246DD&nbsp;&nbsp;&nbsp;
MOV EBP, EAX</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:004246DF&nbsp;&nbsp;&nbsp;
MOV EAX, [00484C5C]</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:004246E4&nbsp;&nbsp;&nbsp;
ADD ESP, 0C</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:004246E7&nbsp;&nbsp;&nbsp;
CMP [EAX+0000029F], BL</FONT></FONT></FONT>
<BR><FONT FACE="Courier New,Courier"><FONT SIZE=-1><FONT COLOR="#000000">:004246ED&nbsp;&nbsp;&nbsp;
JZ 0042482A</FONT></FONT></FONT>

<P><FONT COLOR="#000000">Doesn't look very interesting, does it? No dramatic
test of EAX right after the call, etc...</FONT><FONT COLOR="#000000"></FONT>

<P><FONT COLOR="#000000">This call, therefore, most likely does not check
the fake registration code against the real registration code.</FONT>
<BR><B><FONT COLOR="#000000">&nbsp;</FONT></B>
<BR><FONT COLOR="#000000"><B>F10</B> over the call at 004246D8</FONT><FONT COLOR="#000000"></FONT>

<P><FONT COLOR="#000000">Just out of curiosity, check out EAX by typing
<B>? EAX</B></FONT>
<BR><FONT COLOR="#000000">&nbsp;</FONT>
<BR><FONT COLOR="#000000">Look at the decimal value of EAX. Ahhh....the
fake registration code.</FONT>
<BR><B><FONT COLOR="#000000">&nbsp;</FONT></B>
<BR><FONT COLOR="#000000"><B>F10</B> until:</FONT>

<P><FONT COLOR="#000000">:004246F3&nbsp;&nbsp;&nbsp; CMP EBP, EBX</FONT>

<P><FONT COLOR="#000000">If you type <B>? EBP</B> you'll see that it holds
the hex value of the fake registration code. EBX holds nothing.</FONT>
<BR><B><FONT COLOR="#000000">&nbsp;</FONT></B>
<BR><FONT COLOR="#000000"><B>F10</B> some more until:</FONT>

<P><FONT COLOR="#000000">:004246FC&nbsp;&nbsp;&nbsp; PUSH DWORD PTR [ESI+000000D5]</FONT>

<P><FONT COLOR="#000000">If you check the value at this location (00D32AEC),
you'll see the name that you had entered.</FONT>&nbsp; <FONT COLOR="#000000">So,
the next instruction:</FONT>

<P><FONT COLOR="#000000">:00424702&nbsp;&nbsp;&nbsp; CALL 00424FAF</FONT>

<P><FONT COLOR="#000000">must do something with your name, eh? Perhaps
it calculates the real registration code?<BR>
</FONT>
<BR><FONT COLOR="#000000">Right after the call at 00424702 is something
very interesting: a CMP instruction.</FONT>

<P><FONT COLOR="#000000">:00424707&nbsp;&nbsp;&nbsp; CMP EBP, EAX</FONT>

<P><FONT COLOR="#000000"><B>F10</B> until you reach this CMP instruction
(:00424707).</FONT>
<BR><FONT COLOR="#000000">&nbsp;</FONT>
<BR><FONT COLOR="#000000">If you type <B>? EBP</B> you'll see that it holds
the hex value of your fake registration code.</FONT>
<BR><FONT COLOR="#000000">Notice that EBP is being compared with EAX. I
wonder what EAX holds?</FONT><FONT COLOR="#000000"></FONT>

<P><FONT COLOR="#000000">Type <B>? EAX</B></FONT>
<BR><FONT COLOR="#000000">&nbsp;</FONT>
<BR><FONT COLOR="#000000">See the decimal value of EAX? Write it down.
That's the real registration code.</FONT>
<BR><FONT COLOR="#000000">&nbsp;</FONT>
<BR><FONT COLOR="#000000">Type <B>X</B> to return to the program.</FONT>&nbsp;
<FONT COLOR="#000000">Now, click on "OK" (nasty message box!).</FONT>
<BR><FONT COLOR="#000000">Ready? Enter in the number that you had written
down and click on "OK".</FONT>
<BR><FONT COLOR="#000000">Congratulations!</FONT>
<BR><FONT COLOR="#000000">&nbsp;</FONT>
<BR><FONT COLOR="#000000">Program cracked.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">The 'Crack'</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR>None.
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT SIZE=+2><FONT COLOR="#0000FF">Final Notes</FONT>&nbsp;</FONT></CENTER>
</TD>
</TR>
</TABLE>
<FONT FACE="Arial,Helvetica"><FONT COLOR="#333333">&nbsp;</FONT></FONT>
<BR>This essay is meant to show a little of how to use intuition when reverse-engineering
a program. If there are no tests or compares right after a call, chances
are that the call was not critical to your cracking. If, however, there
IS a test or compare, it might be wise to step into the call. It might
be wise, too, to periodically check on the decimal values that the registers
hold. When I first tried to crack this program as a newbie, I failed to
check the values of EAX and EBP. Needless to say, I wasn't able to crack
it.
<BR>&nbsp;
<BR>This is an excellent program to use when searching for an app or web
page. Very easy to mirror a web site to your hard drive. The company that
created this program deserves to be paid for it.

<P><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">My thanks and gratitude goes to:-</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">Fravia+ for providing possibly the greatest
source of Reverse Engineering</FONT>
<BR><FONT FACE="Arial,Helvetica">knowledge on the Web.</FONT>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><FONT FACE="Arial,Helvetica">+ORC for showing me the light at the end
of the tunnel.</FONT>
<BR>&nbsp;
<TABLE BORDER CELLSPACING=2 WIDTH="100%" HEIGHT="22" >
<TR>
<TD BGCOLOR="#C6E7C6">
<CENTER><FONT COLOR="#0000FF"><FONT SIZE=+2>Ob Duh</FONT></FONT>&nbsp;</CENTER>
</TD>
</TR>
</TABLE>
<I><FONT FACE="Arial,Helvetica">&nbsp;</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">Do I really have to remind you all
that by buying and NOT stealing the software you use will ensure that these
software houses will continue to&nbsp; produce even *better* software for
us to use and more importantly, to continue offering even more challenges
to breaking their often weak protection systems.</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR><I><FONT FACE="Arial,Helvetica">If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warez, Cracks etc.</FONT></I>
<BR><FONT FACE="Arial,Helvetica">&nbsp;</FONT>
<BR>
<HR SIZE=3 WIDTH="100%">
<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><FONT FACE="Arial,Helvetica">&nbsp;</FONT></CENTER>

<CENTER><TABLE BORDER=2 >
<TR>
<TD>&nbsp;<FONT FACE="Arial,Helvetica"><FONT SIZE=+1>[ <A HREF="Main.html">Return</A>
]</FONT></FONT>&nbsp;</TD>
</TR>
</TABLE></CENTER>

<CENTER><B><FONT FACE="Arial,Helvetica"><FONT SIZE=+1>&nbsp;</FONT></FONT></B></CENTER>

<HR SIZE=3 WIDTH="100%">
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Essay by: <A HREF="mailto:KLee8084@snet.net">KLee8084</A></FONT></FONT>
<BR><FONT FACE="Arial,Helvetica"><FONT SIZE=-2>Page Created: 17th August
1998</FONT></FONT>
</BODY>
</HTML>