April 1998
"TRASH MANAGER V2.0a"
(Simple Conditional Jump Protection)
Win'95 PROGRAM
Win'95 Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: Trashman.EXE
Program Type: File Utility
Program Location:  Here
Program Size: 58K 
 
   
Other Tools Required:
Softice
Any Hex-Editor
 
Rating
Easy ( X )  Medium (    )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Trash Manager V2.0a
( Simple Conditional Jump Protection )
Written by The Sandman
 
 
 
Introduction
 
This program is a basic file delete/move/rename utility originally written for Windows 3.1, but it works fine under Win'95. It was created in 1993 by Tembit Software and published by CheckBox Software Inc. While this is a utility you're never going to use, it's still worth downloading if only to practice on and learn from its simple, yet well documented, use of Assembler.
 
About this protection system
 
Registration is via the File drop-down menu, then the Register option.

On selecting the Register option you're asked to provide:-
                Registration Name:
                Validation Code:

Both input boxes seem to accept an unlimited number of characters for the Registration Name and the Validation Code. The real validation code is derived from the Registration Name you type in; with the crack below, however, the program will accept any sequence of numbers/letters you care to use.

This program is not compressed or encrypted in any way.

 
The Essay 
 
Start up Trash Manager and immediately select the File menu and then the Register option. You should now be in the Registration screen, so type in a name of your choice (it doesn't matter what you use). Now type in any sequence of numbers/letters in the Validation box.

At this point I decided to use the function hmemcpy for Softice to break on, so press Ctrl-D and type BPX hmemcpy.

hmemcpy is a standard function exported by KERNEL (a Windows system DLL) that programs use to copy blocks of memory from one location to another. It is often used to build up strings typed in by the user so that further processing can be carried out on them. In this example it fires while the program reads our name and validation code out of the dialog's edit boxes (via GetDlgItemText), just before it decides whether or not we are registered.

OK, now exit Softice by typing X so that we return to Trash Manager.

Now click on the Register button and wham, we break into the hmemcpy routine. Since we are now inside KERNEL's code we want to get out of there so that we can examine the Trash Manager code, so press the F12 key (step out until return) 8 times, which takes us to just after the point where the hmemcpy call was made on Trash Manager's behalf.
 
 

:0001.465C 682C01        push 012C
:0001.465F 8D46B0        lea ax, [bp-50]
:0001.4662 16            push ss
:0001.4663 50            push ax
:0001.4664 6A50          push 0050
:0001.4666 9A78460000    call USER.GETDLGITEMTEXT
:0001.466B 56            push si                    ;We land here from hmemcpy
:0001.466C 682D01        push 012D
:0001.466F 8D8660FF      lea ax, [bp+FF60]
:0001.4673 16            push ss
:0001.4674 50            push ax
:0001.4675 6A50          push 0050
:0001.4677 9AFFFF0000    call USER.GETDLGITEMTEXT
:0001.467C 8D46B0        lea ax, [bp-50]
:0001.467F 16            push ss
:0001.4680 50            push ax
:0001.4681 9AEB370000    call KERNEL.LSTRLEN
:0001.4686 0BC0          or ax, ax
:0001.4688 7503          jne 468D
:0001.468A E9AD00        jmp 473A
:0001.468D 8D8660FF      lea ax, [bp+FF60]
:0001.4691 50            push ax
:0001.4692 8D46B0        lea ax, [bp-50]
:0001.4695 50            push ax
:0001.4696 E809F3        call 39A2
:0001.4699 83C404        add sp, 0004
:0001.469C 0BC0          or ax, ax
:0001.469E 7503          jne 46A3                   ;Register Good Guy
:0001.46A0 E99700        jmp 473A                   ;Tell them Registration failed
 
In order to find out which jump/call did what, I ran Softice one instruction at a time from this point onwards for a while in order to get my bearings. I also noted down which jump instructions never seemed to get taken and which did, on the assumption that the ones that never got used were perhaps the ones dealing with registering a correct key. Since this was the start of the registration process I simply followed the program's flow, ignoring calls into any of the system routines, since they won't reveal the magical jump-on-condition instruction that decides whether the validation key we entered was the right one or not. After a few rounds of Softice breaking on hmemcpy and backtracking into the main Trash Manager code I noticed that the instruction at:

:0001.469E 7503         jne 46A3  ;Register Good Guy

was never taken, so when I got to this point I typed the following command into Softice:

r eip=46a3

which told Softice to 'forget' what it was about to do and continue execution from this point in Trash Manager's code, skipping the instructions in between.

R is Softice's register command; it allows us to load any of the CPU's registers (or flags) with whatever value we wish. This is a very powerful command, and its use by newbies should be limited until we understand this facility much better. The register I changed was EIP, the instruction pointer: it holds the address of the next instruction the CPU will execute, and altering its value without care and attention can bring about all manner of crashes in your program. So when we landed at:

:0001.469E 7503         jne 46A3  ;Register Good Guy

by changing EIP to 46A3 I was in effect telling Softice to ignore the JNE condition and treat it as a straightforward JMP to memory location 46A3. There are, of course, other ways to go about this which do not involve tampering with the CPU's registers. I could have changed the jne 46A3 instruction to jmp 46A3 in the file, but if this jump proved fruitless I would then have had to locate the instruction and change it back to its original form before moving on to the next jump-on-condition instruction in Trash Manager's code. In some programs there could be many jne or jnz instructions, and changing them all individually to straightforward jmps would take a very long time.

Once you have 'set' the EIP register to 46A3, follow this with X and bingo!, you will see that Trash Manager has accepted our name and validation code; it's now registered to you..:)

Because this program is a Win 3.1 program it creates a TRASHMAN.INI file at:-

C:\WINDOWS\TRASHMAN.INI

My ini file looks like this:-

[Tembit_TrashMan]
Usage=8
WinX=320
WinY=240
WinWX=226
WinWY=168
RegName=The Sandman
RegCode=7777777
X_Pos=580
Y_Pos=420

The trashman.ini file also holds our 'Usage count', the number of times we have run this program. If you want to un-register the program simply delete the two lines that begin with:
 
RegName=The Sandman
RegCode=7777777

If you try to enter a different name or regcode into these lines yourself, instead of letting the program write them, it will detect this and treat the program as unregistered, just as if these two lines never existed.

Job Done.....
 
The 'Crack' 
 
Using a hex-editor
 
SEARCH FOR THE BYTES: 83C4040BC07503E9
THEN REPLACE WITH   : 83C4040BC0EB03E9

Only the two bytes 7503 (jne 46A3) change, to EB03 (jmp short 46A3); the bytes either side of them are part of the search so that it pins down this one location rather than every jne in the file.
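As an added example (this is not code from The Sandman's essay), here is a small Python script that does two things the essay does by hand: it decodes the relative jumps and the call in the listing above to confirm the targets Softice shows (a short jump's target is the address of the next instruction plus a signed 8-bit displacement; a near jmp or call uses a signed 16-bit one, wrapping within the 64K code segment), and it applies the hex-editor patch while refusing to touch a file where the search pattern is missing or not unique. The bytes it works on are a hand-built copy of the listing from :0001.4686 onwards, not the real TRASHMAN.EXE; the patch_file helper and its .bak naming are my own convention, not anything the essay describes.

```python
"""Decode the jumps from the Trash Manager listing and apply the jne -> jmp patch.

Added example, not part of the original essay. CODE is a constructed copy of
the bytes shown in the listing from :0001.4686 to :0001.46A2; the real
TRASHMAN.EXE is not included here.
"""
import struct
from pathlib import Path

CODE_BASE = 0x4686          # offset 0 of CODE corresponds to :0001.4686

# Constructed from the essay's listing (address / bytes / mnemonic).
CODE = bytes.fromhex(
    "0BC0"       # 4686  or ax, ax
    "7503"       # 4688  jne 468D
    "E9AD00"     # 468A  jmp 473A
    "8D8660FF"   # 468D  lea ax, [bp+FF60]
    "50"         # 4691  push ax
    "8D46B0"     # 4692  lea ax, [bp-50]
    "50"         # 4695  push ax
    "E809F3"     # 4696  call 39A2
    "83C404"     # 4699  add sp, 0004
    "0BC0"       # 469C  or ax, ax
    "7503"       # 469E  jne 46A3   <- the conditional jump the essay patches
    "E99700"     # 46A0  jmp 473A   <- "registration failed" path
)

# The essay's hex-editor patch: jne rel8 (75 03) becomes jmp short rel8 (EB 03).
SEARCH = bytes.fromhex("83C4040BC07503E9")
REPLACE = bytes.fromhex("83C4040BC0EB03E9")


def decode_jump(code, offset, base=CODE_BASE):
    """Decode the jump/call at code[offset] -> (mnemonic, target, length).

    16-bit code: the displacement is relative to the address of the *next*
    instruction, and the result wraps within the 64K code segment.
    """
    op = code[offset]
    addr = base + offset
    if op in (0x75, 0xEB):                      # jne rel8 / jmp short rel8
        rel = struct.unpack_from("<b", code, offset + 1)[0]
        mnem = "jne" if op == 0x75 else "jmp short"
        return mnem, (addr + 2 + rel) & 0xFFFF, 2
    if op in (0xE9, 0xE8):                      # jmp near rel16 / call near rel16
        rel = struct.unpack_from("<h", code, offset + 1)[0]
        mnem = "jmp" if op == 0xE9 else "call"
        return mnem, (addr + 3 + rel) & 0xFFFF, 3
    raise ValueError(f"not a jump/call opcode: {op:02X} at {addr:04X}")


def find_patch_offset(code, search=SEARCH):
    """Return the unique offset of SEARCH in code, or raise if absent/ambiguous."""
    first = code.find(search)
    if first < 0:
        raise ValueError("search pattern not found: wrong file or version?")
    if code.find(search, first + 1) >= 0:
        raise ValueError("search pattern occurs more than once: refusing to guess")
    return first


def apply_patch(code, search=SEARCH, replace=REPLACE):
    """Return a copy of code with the unique SEARCH occurrence replaced."""
    if len(search) != len(replace):
        raise ValueError("patch must not change the code size")
    off = find_patch_offset(code, search)
    return code[:off] + replace + code[off + len(search):]


def patch_file(path):
    """Patch a file in place, keeping the original as <name>.bak (my convention)."""
    p = Path(path)
    original = p.read_bytes()
    patched = apply_patch(original)          # raises before anything is written
    p.with_suffix(p.suffix + ".bak").write_bytes(original)
    p.write_bytes(patched)
    return find_patch_offset(original)


if __name__ == "__main__":
    for off in (2, 4, 16, 24, 26):
        mnem, target, _ = decode_jump(CODE, off)
        print(f"{CODE_BASE + off:04X}  {mnem:9s} {target:04X}")
    patched = apply_patch(CODE)
    print("after patch:", decode_jump(patched, 24))   # jmp short to 46A3
```

Run stand-alone it prints the five targets from the listing (468D, 473A, 39A2, 46A3, 473A) and then shows that the patched bytes at 469E decode as an unconditional short jump to 46A3, which is exactly what r eip=46a3 did by hand in Softice. The uniqueness check matters when you carry this over to another binary: a two-byte 7503 on its own appears all over any program, which is why the essay's search string includes the add sp / or ax,ax bytes before it and the E9 after it.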
 

 
Final Notes 
 
This is a good example for practicing our reverse engineering techniques on, since the code is straightforward and offers us many ways to crack it. We could have used the function lstrcmp to get into the registration routine, but I tend to favour hmemcpy.

Since the code is relatively small we could perhaps even have cracked it using a 'dead listing' created by WIN32DASM, since Trash Manager's code is so well documented and the routine names within it literally tell us where to go!
 

My thanks and gratitude goes to:

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.

 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 10th May 1998