July 1998
"MP3 Strip_it! Suite 3.1.2.3"
( 'Sniffing out the code'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: istrip_it.exe
Program Type: MP3 Utility
Program Location: Here 
Program Size: 762K 
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Softice V3.2 - Debugger
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
MP3 Strip_it! Suite 3.1.2.3
( 'Sniffing out the code'  )
Written by The Sandman
 
 
 
Introduction
 
Since this program comes with no help file I cannot tell you much about it; however, it handles and manages MP3 files.

Hey you guys at Glacier Software, your program is still bug ridden and needs more testing. In particular, after installing the program, if Strip_it is unable to find WinAmp it asks the user to either download that program or cancel until later; it then displays an "Information" dialog box telling the user how to get Strip_it to communicate with WinAmp once they do download it. However, any attempt to click on the 'OK' button results in this dialog being displayed over and over again in an endless loop. The only way to stop this is by pressing the CTRL + ALT + DEL keys and selecting END TASK on your program, or by re-booting the PC!..
 
About this protection system
 
The protection system is based on a serial number derived from your name/handle, and you can access the Registration Screen via the initial Nag Screen that reminds you to register.
 
On installation MP3 Strip_it! will create the following keys in your System Registry:
 
HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\CDDB
HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\ENCODER
HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\INDEXING
HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\L3ENC
HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\REG
HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\RIPPER
 

The key we're interested in is the \REG entry, which contains the following values:-
 
REG_CODE =0
REG_NAME ="" 
         
One other item of Interest...
 
If you run the program and then, after exiting from it, you set the computer's date to BEFORE the original date you ran Strip_It, a message box appears asking if you're trying to get round the Shareware restriction!.. Selecting the 'OK' button then exits the program, and you can't run the program UNTIL you set the computer's date back to the date you originally ran it.. If this happens and you can't run the program with the real day/month/year, then open up your System Registry with REGEDIT (the Windoz '95 utility), search for Glacier and DELETE the whole branch including sub keys.
 
Then, re-run Strip_It and re-register it with your sniffed out serial number.

Nice try guys, but this is a rather lame trick and one that can be easily patched or re-set in about 5 seconds flat..:)
 
The Essay 
     
Once I got over the initial bug in this program I immediately set about getting W32Dasm to create a 'Dead Listing' of it; what more surprises await me, I wonder..
 
I didn't want to spend too much time on this program and luckily enough I didn't have to, because opening up the program's String Data Resource I quickly found the 'Thank you for registering Strip_It!' message here:-
 
:00487133 E8A8CEF7FF       call 00403FE0 ;Create then check both serials
:00487138 7565             jne 0048719F  ;invalid serial? Then "beggar off"
 
; If our serial number was correct then save the User Name/Handle and
; serial number to the User's System Registry File at:
;
; HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\REG\REG_NAME
; HKey_CURRENT_USER\Software\GlacierSoft\MP3 Strip_It!\REG\REG_CODE
 
:0048713A 8D4590           lea eax, dword ptr [ebp-70]
:0048713D E872AA0000       call 00491BB4
:00487142 8D9588FEFFFF     lea edx, dword ptr [ebp+FFFFFE88]
:00487148 8B8314020000     mov eax, dword ptr [ebx+00000214]
:0048714E E83DAAF9FF       call 00421B90
:00487153 8B9588FEFFFF     mov edx, dword ptr [ebp+FFFFFE88]
:00487159 8D45BC           lea eax, dword ptr [ebp-44]
:0048715C E88BCBF7FF       call 00403CEC
:00487161 8D9588FEFFFF     lea edx, dword ptr [ebp+FFFFFE88]
:00487167 8B8318020000     mov eax, dword ptr [ebx+00000218]
:0048716D E81EAAF9FF       call 00421B90
:00487172 8B8588FEFFFF     mov eax, dword ptr [ebp+FFFFFE88]
:00487178 E8A70BF8FF       call 00407D24
:0048717D 8945C0           mov dword ptr [ebp-40], eax
:00487180 8D4590           lea eax, dword ptr [ebp-70]
:00487183 E8D0B40000       call 00492658
:00487188 6A00             push 00000000
:0048718A 668B0DFC714800   mov cx, word ptr [004871FC]
:00487191 B202             mov dl, 02
 
* StringData Ref ->"Thank you for registering Strip_It!"
 
:00487193 B808724800       mov eax, 00487208
:00487198 E8C390FBFF       call 00440260
:0048719D EB15             jmp 004871B4
 
Looking at this section of code we can see that the program uses a Jump Not Equal conditional instruction to determine whether or not the user's serial number matches the one the program has generated from the user's name/handle.

So it seems all we have to do is nop (90h) out this conditional jump instruction for the program to accept any serial number we give it!.

Let's see what happens, shall we..

Fire up the program and on the initial Nag Screen choose to register it.. Fill in your name and any sequence of numbers you care to use.

Press Ctrl-D, then type: bpx hmemcpy, then x to exit out of Softice.
 
We can't get Softice to break on our favourite functions like MessageBoxA, GetWindowTextA or GetDlgItemTextA because this program does not use any of these functions during its processing of our serial number, so we fall back on good old hmemcpy. If you find another way into the program then by all means use that instead of hmemcpy, since we only want to get into the program's code at this point.

Now try adding a SPACE character to the end of your name or serial number..
 
Softice breaks, so press the 'F11' key and then keep pressing the 'F10' key many times (be patient) until Softice tells you that you're now in Strip_it's code.. Softice should display:-
 
STRIP_IT!Code+XXXXXXXX  ;The 'x''s represent a memory offset value.
From here we want to set a breakpoint just before the Jump Not Equal instruction at memory offset 00487138, which we suspect decides whether or not our serial number is valid.

So type: bc * to clear any previous breakpoints within Softice, then type: u 00487114 to show the section of code we're interested in. Make sure Softice displays this section of code:
 
:00487114 8B858CFEFFFF     mov eax, dword ptr [ebp+FFFFFE8C]
:0048711A 50               push eax
:0048711B 8D9588FEFFFF     lea edx, dword ptr [ebp+FFFFFE88]
:00487121 8B8318020000     mov eax, dword ptr [ebx+00000218]
:00487127 E864AAF9FF       call 00421B90
:0048712C 8B9588FEFFFF     mov edx, dword ptr [ebp+FFFFFE88]
:00487132 58               pop eax
:00487133 E8A8CEF7FF       call 00403FE0
:00487138 7565             jne 0048719F ;The jump we're interested in.

From here you will need to type: bpx 00487114, followed by x to leave Softice.
 
Right, now delete the extra SPACE character you've just added to your name or serial number, then click once on the 'Register' button.

Softice now breaks once again..
 
:00487114 8B858CFEFFFF     mov eax, dword ptr [ebp+FFFFFE8C];You Land here.
:0048711A 50               push eax ;
:0048711B 8D9588FEFFFF     lea edx, dword ptr [ebp+FFFFFE88]
:00487121 8B8318020000     mov eax, dword ptr [ebx+00000218]
:00487127 E864AAF9FF       call 00421B90
:0048712C 8B9588FEFFFF     mov edx, dword ptr [ebp+FFFFFE88]
:00487132 58               pop eax
:00487133 E8A8CEF7FF       call 00403FE0
:00487138 7565             jne 0048719F ;The jump we're interested in.

If you press the 'F10' key once and then type: d eax, you should see your REAL serial number for the Name/Handle you've used in Softice's Code Window!.

Pressing the 'F10' key and displaying the contents of the registers, you will quickly be able to build up a better picture of what is happening here:-

:00487114 8B858CFEFFFF   mov eax, dword ptr [ebp+FFFFFE8C];Get Real Serial
:0048711A 50             push eax                         ;Save real Serial
:0048711B 8D9588FEFFFF   lea edx, dword ptr [ebp+FFFFFE88];Get your Name
:00487121 8B8318020000   mov eax, dword ptr [ebx+00000218];

:00487127 E864AAF9FF     call 00421B90                    ;Returns:
                                                          ;EAX = length of
                                                          ;your serial No

:0048712C 8B9588FEFFFF   mov edx, dword ptr [ebp+FFFFFE88];EDX=Your Serial
:00487132 58             pop eax                          ;Get real Serial

:00487133 E8A8CEF7FF     call 00403FE0                    ;Returns:
                                                          ;EAX = FFFFFFFF
                                                          ;if invalid or
                                                          ;EAX = 00000000
                                                          ;if valid serial
 
:00487138 7565           jne 0048719F ;The jump we're interested in.
 
As you can see, we don't need to patch that jne 0048719F instruction after all, we can sniff out the real serial number much easier..:)
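The reason the real serial can be read straight out of EAX is the shape of the check itself: the program derives the expected serial from the name and then compares it with what was typed, so the expected value has to exist in memory at the moment of the compare. The following is an added example (not Strip_It!'s code; the derivation, the embedded secret and the key sizes are all constructed for illustration) showing that derive-and-compare pattern beside a verify-only alternative, where the vendor signs the name with a private key and the program holds only the public half, so no "real serial" is ever computed on the user's machine for a debugger to display. Both checkers return 0 for valid and 0xFFFFFFFF for invalid, matching what the essay observed at 00403FE0.

```python
"""Two shapes of name-bound registration check. Added example, not the
program's own code; secret, key parameters and names are constructed."""
import hashlib
import hmac

# --- Pattern 1: derive-and-compare (the shape seen in the essay) -------------
# A secret baked into the binary turns the name into the "real" serial and the
# checker compares that against what the user typed.  Constructed secret.
EMBEDDED_SECRET = b"constructed-example-secret"


def derive_serial(name: str) -> str:
    """Expected serial for this name (ten upper-case hex characters).
    The program must compute this, so the value sits in memory at compare time."""
    digest = hmac.new(EMBEDDED_SECRET, name.encode("utf-8"), hashlib.sha256).digest()
    return digest[:5].hex().upper()


def weak_check(name: str, typed: str) -> int:
    """0 if valid, 0xFFFFFFFF otherwise (the convention the essay observed)."""
    expected = derive_serial(name)          # this is what 'd eax' would reveal
    ok = hmac.compare_digest(expected.encode("utf-8"), typed.encode("utf-8"))
    return 0 if ok else 0xFFFFFFFF


# --- Pattern 2: verify-only (toy-sized RSA signature) ------------------------
# The vendor signs the name off-line with D; the shipped program knows only
# E and N.  There is no expected serial to derive, only a yes/no verdict.
# Toy parameters: two ~30-bit primes, far too small for real use.
P, Q = 1_000_000_007, 998_244_353
N = P * Q
E = 65537
_PHI = (P - 1) * (Q - 1)
D = pow(E, -1, _PHI)                        # private exponent, vendor side only


def _name_to_int(name: str) -> int:
    """Hash the name down to an integer below N (the message to sign)."""
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


def vendor_sign(name: str) -> str:
    """Issue a licence code for this name; runs on the vendor's side, needs D."""
    return format(pow(_name_to_int(name), D, N), "x")


def verify_check(name: str, typed: str) -> int:
    """Program-side check; needs only E and N.  Same 0 / 0xFFFFFFFF convention."""
    try:
        sig = int(typed, 16)
    except ValueError:
        return 0xFFFFFFFF                   # not even a hex string
    if not 0 < sig < N:
        return 0xFFFFFFFF                   # out of range for this modulus
    return 0 if pow(sig, E, N) == _name_to_int(name) else 0xFFFFFFFF


if __name__ == "__main__":
    who = "The Sandman"
    print("derive-and-compare:", weak_check(who, derive_serial(who)), weak_check(who, "12345"))
    licence = vendor_sign(who)
    print("verify-only       :", verify_check(who, licence), verify_check(who, "12345"))
```

In the first pattern a breakpoint on the compare hands over the expected serial for any name, exactly as the essay's d eax step did; in the second the only thing in a register at the compare is the verdict, and a patched jump still yields nothing that transfers to another name. The toy modulus here is purely to keep the example self-contained; a real scheme would use a proper signature library and key sizes.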
  
Job Done.
 
The 'Crack' 
 
None required..:)
 
Final Notes 
 
This was too easy and should make a good program to practise on for those of you who have already cracked a few programs on your own. In this essay I've tried to show how, from studying a 'Dead Listing', we quickly formulated a plan to attack this program.

However, once we had set a breakpoint a few instructions before our conditional jump instruction and taken the time to see what information was being manipulated, we quickly saw yet another, much easier way to *crack* this program.
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


Essay by:          The Sandman
Page Created: 20th July 1998