There is a crack, a crack in everything. That's how the light gets in. |
"As you probably realize, the native cut/copy/paste capability of Windows works well for transferring single items of data, but becomes very cumbersome if you want to move a lot of data, or keep data for extended periods of time. Every time that you cut or copy, the new data overwrites the previous clipboard contents, whether you were ready for that or not! ClipMate works alongside the regular clipboard functionality in Windows by capturing every piece of data (Clip Item) that you copy to the clipboard, and storing it in one of its internal Collections. ClipMate can easily store hundreds of these Clip Items."
I must admit that, while cracking this program and preparing this essay, it did help me considerably when it came time to paste lots of different sections from the 'dead listing' in W32Dasm into this web page. Normally this would have to be done in single steps via the clipboard.
Licensed to:
Registration Key:
The registration code is derived from whatever you type in as your name/handle, and it always seems to begin with a capital 'F' followed by at least ten digits.
Once registered, the program saves the name and registration code in C:\Windows\Clpmt40.ini under the [clipmt40] heading:
[clipmt40]
SystemSettings=614710585
VideoProfile=28991
DialogConstants=31093121
DiagSettings=0
Name=The Sandman
RegistrationNumber=F0108251788
Don't be lame and use my registration key, use one of your own.
Unlike the other methods we could use to crack this babe, where we would now be hunting for that all-important 'compare a value/register against another value/register, then jump depending on the result', in this particular case it looks like we already have all the information we need to go on to the next stage.
If you place a Softice breakpoint at memory location 0045A5C5 (Ctrl-D, then bpx 014F:0045A5C5) and single-step your way to 0045A5DE, you will see the address of our 'Beggar off, cracker' message placed into the eax register just before the call instruction. That call eventually reaches the routine that puts the following on screen: "This Is An Invalid Name/Number Combination".
Let's now see if we can get this message to say something much nicer, like what the 'real' serial number should have been.
In my eagerness I went straight for the kill and proceeded to implement my *crack* on the program while it was still in memory (that way, if it was the wrong decision to make and the program crashed out on me, all I would have to do is reload the program again). However, since we're not looking to collect serials from our target programs, we should always take our time and get to know our target program well; it's the only way we can learn our trade. Think of these simple Shareware programs as our testing grounds, where we can learn and improve our cracking techniques for when we come across more difficult protection systems.
Anyway, let us continue...
With our Softice breakpoint bpx 014F:0045A5C5 still set, re-run the registration screen and we should be back in Softice at this address, with the code at 0045A5C5 showing in our Code window.
What I did now was type e 0045A5D9 (edit memory at location 0045A5D9); we are now in 'edit' mode, with the cursor somewhere in the top window of Softice, over the hex byte B8.
We're going to change mov eax, 0045A780 into lea eax, dword ptr [ebp-0C] and fill the two bytes this frees up with a couple of Nops (90h). The sizes have to match: mov eax, imm32 is five bytes (B8 plus a four-byte immediate), while lea eax, [ebp-0C] is only three (8D 45 F4), so the two Nops keep the following call at 0045A5DE exactly where it was.
Right, make sure your cursor is flashing over the B8 in the Softice hex window and type in these bytes exactly as shown here:
8D 45 F4 90 90
Ok, press ESC to leave 'edit' mode and you should see the disassembly listing in Softice change to this:
:0045A5C5 833DA4A04A0000   cmp dword ptr [004AA0A4], 00000000
:0045A5CC 7515             jne 0045A5E3
:0045A5CE 6A00             push 00000000
:0045A5D0 668B0D20A64500   mov cx, word ptr [0045A620]
:0045A5D7 B201             mov dl, 01
:0045A5D9 8D45F4           lea eax, dword ptr [ebp-0C]
:0045A5DC 90               nop
:0045A5DD 90               nop
:0045A5DE E8315BFEFF       call 00440114          ;Display this message.
What we've done is borrow the addressing form this program itself uses to 'find' where in memory it has built the 'real' serial number. It has to work this way because the program cannot guarantee that the same memory location will be available the next time it is run, so it addresses its working data relative to the ebp register (the base, or frame, pointer) instead. All the target program needs to do is point this register at an area of memory, and it can then reach almost anything it wants as a fixed offset from that register (like a sliding ruler); here the offset is -0C and the item is the location of the 'real' serial number.
Using this *crack* relies on two things. Firstly, that the target program has not *yet* cleared the area of memory where our 'real' serial number is kept (most programs clear this area as quickly as they can to avoid prying eyes, but normally only after the 'beggar off' message has been displayed). Secondly, that the target program hasn't repointed ebp at another area of memory unconnected with the location of our 'real' serial number. This shouldn't be of major concern to us, since it's too early for the target program to do this: it has only *just* created the 'real' serial number and hasn't had a chance to start on anything else that would require this register to be changed, so we're *safe* on this for now.
So OK, does this *crack* work? Does the program now display the 'real' serial number in a message box when we get it wrong? Yes it does, but for reasons I'm not sure of, the displayed message box takes up the whole width of your screen, so to see the serial number in it you have to move it to the right of your screen. Does anyone know why this happens?
What else did I learn about this program's protection system? Well, it uses your System Registry to hold the Days Left and Uses Left counters before it expires, but why it doesn't store the User Name and serial number there beats me. Anyway, if you run RegEdit and search for "CM40\6147", you will come across this line:
"CM40/614710585/????/31093121/0"
(614710585 and 31093121 are the same values the .ini file stores as SystemSettings and DialogConstants.) I'm not exactly sure how ClipMate works out the days and uses left from this line, but the numbers represented by the '????' deal with the 'Uses Left' counter, and if you change the trailing '0' to a number greater than '1' then ClipMate informs you that you have used up your extra 10 days' grace for using this program. Deleting this whole line won't make the program think it's registered, but it will put an end to its two counters, because it won't know how many times you've used the program or for how long.
Job Done.....
Original bytes in the file (the mov eax, 0045A780 from the listing is the B8 80 A7 45 00 beginning at file offset 000599D9):
000599D0  668B0D20 A64500B2 01B880A7 4500E831  f.. .E......E..1
000599E0  5BFEFF33 C05A5959 64891068 19A64500  [..3.ZYYd..h..E.
000599F0  8D85E8FE FFFFE8E9 94FAFF8D 85ECFEFF  ...............
Now REPLACE those five bytes at 000599D9 with 8D 45 F4 90 90, so the rows read:
000599D0  668B0D20 A64500B2 018D45F4 9090E831  f.. .E....E....1
000599E0  5BFEFF33 C05A5959 64891068 19A64500  [..3.ZYYd..h..E.
000599F0  8D85E8FE FFFFE8E9 94FAFF8D 85ECFEFF  ...............
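The same five-byte change is made twice in this essay, once live in Softice and once in the file. Here is a small verify-then-patch tool for it, written in C as an added example (it is not code from the essay or from ClipMate). It works on the 16-byte dump rows typed in from this page as a constructed stand-in for the real executable, so it runs offline; it decodes the immediate of the original mov eax, refuses to write unless the bytes at the offset are exactly the ones expected (so a different build, a wrong offset or an already patched file is caught instead of silently corrupted), and it derives the address-to-file-offset delta from the page's own pair (0045A5D9 in the listing, 000599D9 in the dump). That the one delta applies to every address in the listing is an assumption (a single code section), and all function names are mine.

```c
/*
 * Added example, not from the essay or from ClipMate: verify-then-patch
 * for the 5-byte change described on the page.
 *
 *   B8 80 A7 45 00   mov eax, 0045A780      (pointer to the error text)
 *   8D 45 F4 90 90   lea eax, [ebp-0C] ; nop ; nop
 *
 * The rows below are typed in from the page's hex dump and stand in for
 * the real file (constructed input). The VA-to-file-offset delta comes from
 * the page's own pair (0045A5D9 / 000599D9); assuming one code section,
 * the same delta converts every address in the listing.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ROW_OFFSET    0x000599D0u  /* file offset of the first dump row */
#define PATCH_OFFSET  0x000599D9u  /* file offset of the B8 opcode byte */
#define PATCH_VA      0x0045A5D9u  /* the same instruction in the W32Dasm listing */
#define PATCH_LEN     5u

static const uint8_t row_original[16] = {     /* page: 000599D0 before the patch */
    0x66,0x8B,0x0D,0x20,0xA6,0x45,0x00,0xB2,
    0x01,0xB8,0x80,0xA7,0x45,0x00,0xE8,0x31 };

static const uint8_t row_patched_page[16] = { /* page: 000599D0 after the patch */
    0x66,0x8B,0x0D,0x20,0xA6,0x45,0x00,0xB2,
    0x01,0x8D,0x45,0xF4,0x90,0x90,0xE8,0x31 };

static const uint8_t old_bytes[PATCH_LEN] = {0xB8,0x80,0xA7,0x45,0x00}; /* mov eax, 0045A780 */
static const uint8_t new_bytes[PATCH_LEN] = {0x8D,0x45,0xF4,0x90,0x90}; /* lea eax,[ebp-0C]; nop; nop */

/* Decode the little-endian imm32 of a `mov eax, imm32` (opcode B8).
 * Returns 0 if the byte at p is not B8. */
uint32_t mov_eax_imm32(const uint8_t *p)
{
    if (p[0] != 0xB8) return 0;
    return (uint32_t)p[1] | ((uint32_t)p[2] << 8) |
           ((uint32_t)p[3] << 16) | ((uint32_t)p[4] << 24);
}

/* Listing address minus file offset for this instruction (0x00400C00). */
uint32_t va_to_file_delta(void) { return PATCH_VA - PATCH_OFFSET; }

/* Turn a listing address into the offset to seek to in the file. */
uint32_t va_to_file(uint32_t va) { return va - va_to_file_delta(); }

/* Write `repl` at `off` only if the `n` bytes there equal `expect`.
 * 0 = patched, -1 = offset out of range, -2 = bytes differ (wrong build,
 * wrong offset, or already patched). Never patch blind. */
int apply_patch(uint8_t *image, size_t image_len, size_t off,
                const uint8_t *expect, const uint8_t *repl, size_t n)
{
    if (off > image_len || image_len - off < n) return -1;
    if (memcmp(image + off, expect, n) != 0) return -2;
    memcpy(image + off, repl, n);
    return 0;
}

/* Patch a copy of the page's dump row into `out`; returns apply_patch's result. */
int patch_row(uint8_t out[16])
{
    memcpy(out, row_original, sizeof row_original);
    return apply_patch(out, 16, PATCH_OFFSET - ROW_OFFSET,
                       old_bytes, new_bytes, PATCH_LEN);
}

/* 1 if patching the original row reproduces the patched row the page shows. */
int patch_matches_page(void)
{
    uint8_t row[16];
    return patch_row(row) == 0 && memcmp(row, row_patched_page, 16) == 0;
}

/* Result of applying the patch a second time to an already patched row (-2). */
int double_patch_result(void)
{
    uint8_t row[16];
    if (patch_row(row) != 0) return -99;
    return apply_patch(row, 16, PATCH_OFFSET - ROW_OFFSET,
                       old_bytes, new_bytes, PATCH_LEN);
}

static void print_row(uint32_t off, const uint8_t *row)
{
    printf("%08X ", (unsigned)off);
    for (int i = 0; i < 16; i++)
        printf("%02X%s", row[i], (i % 4 == 3) ? " " : "");
    putchar('\n');
}

int main(void)
{
    uint8_t row[16];
    printf("mov eax imm32 at %08X = %08X\n", (unsigned)PATCH_VA,
           (unsigned)mov_eax_imm32(row_original + (PATCH_OFFSET - ROW_OFFSET)));
    printf("VA %08X -> file offset %08X (delta %08X)\n", (unsigned)PATCH_VA,
           (unsigned)va_to_file(PATCH_VA), (unsigned)va_to_file_delta());
    printf("patch: %d\n", patch_row(row));
    print_row(ROW_OFFSET, row_original);
    print_row(ROW_OFFSET, row);
    printf("matches page: %d, second application: %d\n",
           patch_matches_page(), double_patch_result());
    return 0;
}
```

To use it on a real file you would read the executable into a buffer, call apply_patch with the same offset and byte arrays, and only write the buffer back when it returns 0; the -2 result is the one to watch for, because it means you are not looking at the build the page describes.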
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.