July 1998
"TechFacts '95 V1.41"
( 'A Simple *Crack*'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: tekfct95.zip
Program Type: Memory Analysis Utility
Program Size: 626K 
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Softice V3.2 - Debugger
Hex Workshop32 or any other Hex Editor
Rating
Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Introduction
 
The author says about TechFacts '95 :

"TechFacts 95 is a powerful Windows 95/NT tool that empowers you to diagnose, solve and report Windows problems.

TechFacts is structured into 3 separate areas:

 1. A Resource \ Disk \ CPU \ Memory monitor with several unique views and individual alarms.
 2. A Spy \ Trace \ Diagnostic tool that explores all aspects of Windows.
 3. A powerful reporting tool that lets you transmit TechFacts information via 3 different communications options.

TechFacts is unique in that it is 100% self contained. The Setup program, the executable and the Help file are all inclusive in the EXE file."
 
About this protection system
 
This program is registered by selecting the 'Help' button, then the 'About' button, and finally via the 'Use Registration Key' button!! The registration screen asks for:
 
First Name:
Last Name:
Registration Key:
 
On successful registration the following entries are created within your Registry File:
 
HKEY_CURRENT_USER\Software\Dean Software\Techfacts\Config\
 
sUser = "The Sandman"
sRegStat= "TFIETSBJJ7800"  ;May be different for your name/handle
 
The Essay 
     
Our Essay today is on TechFacts '95, from the same authors who created TechView (see my Essay No 26). Since this utility is quite useful I've decided to show you how we can *crack* this babe so that you can properly evaluate it, and if you wish to use it after its trial period then please register it legally..
 
Before delving into its code I suggest you run this program a few times, get to know how it works, and note down any error messages you encounter while *trying* to register it through its 'Registration Screen'.. If you've already seen TechView '95, another of its sister programs, then you'll quickly get the 'feel' for this program and won't want to waste much time before getting to its inner code...
 
Right, now create a 'Dead Listing' of this program using W32Dasm. It will probably take a few minutes or more to disassemble it, so why not take this opportunity to pour yourself a glass of wine and savour the moment for a while.. W32Dasm should now be ready...
 
Where do we now begin?. Well, let's kick off with that error message that keeps popping up each time we get the serial number wrong:-
 
Search for: 'Registration Key Failed!'

The following snippet of code should now be shown..
 
* Referenced by a (C)onditional Jump at Address: 00485D9B(C)
 
:00485ED3 6A30             push 00000030
:00485ED5 E81611F8FF       Call User32!Messagebeep
:00485EDA B830604800       mov eax, 00486030 ;"Registration Key Failed!"
:00485EDF E8E8D9FBFF       call 004438CC
 
What we're interested in here is where in the target program this 'Beggar off Cracker' message is called from. W32Dasm tells us that at memory offset 00485D9B there is a single conditional jump instruction that executes this routine, so let's go and examine this jump instruction a little more closely..

:00485D95 41              inc ecx
:00485D96 E8B1CFF7FF      call 00402D4C ;Check our serial no
:00485D9B 0F8532010000    jne 00485ED3  ;If serial not equal to original
                                        ;serial no then display 'Beggar off
                                        ;Cracker' message.

:00485DA1 8D45AF          lea eax, dword ptr [ebp-51] ;Else register this
                                                      ;babe.
:00485DA4 BA945F4800      mov edx, 00485F94

OK, we now 'suspect' that this is where the program decides whether the entered serial number is correct or invalid and displays the appropriate message.. We now want to make sure our thinking is correct, and we can do this very quickly by using our trusty Softice to test it before we start patching the program..

1. Close down W32Dasm, saving its contents first if you wish.
2. Run TechFacts and go into its 'Registration Screen'.
3. Fill in the required fields.
4. Press the Ctrl & D keys together to start up Softice.
5. Type bpx getwindowtexta, then x to leave Softice.
6. Click the 'Register' button.
7. Softice breaks at the start of the system function GetWindowTextA.
8. While still in Softice press the 'F11' key once. We return back into the TechFacts code.
9. Type u 485d9b; this will display our jne instruction.
10. Type bpx 485d9b; this tells Softice we want to break on this instruction.
11. Type bc 00; this tells Softice to clear our previous breakpoint.
12. Press x to leave Softice and let the program run as normal.
13. Softice now breaks on our jne instruction.
14. Type r eip=00485DA1
 
This tells Softice to 'skip' over this jump instruction and start on the next assembly instruction below it.  Once you've done this type x to leave Softice.

This is a manual way of doing what the program does automatically when the User enters the correct serial no, or, had we Nop'd out this jump instruction completely. What we are trying to achieve here is to test the program to see if it will 'accept' our invalid serial and not reject it later on as it tries to register itself.. Some programs will perform further checks on the Serial number entered by the User just to see if someone has made any attempts to patch the program itself.. Some programmers know about Nop'ing conditional jumps just as well as we do..:)

We also want to see and check that the program on restarting, will still accept our 'invalid' serial number.. It doesn't always mean we've registered a program if we patch it like this, many programs can and do reject entries found in the System Registry file if it doesn't make sense..

OK, you should now see in the 'About' Screen that the text in it has changed to:

Licensed Version. Do Not Copy!

So far so good..

Now exit the program and restart it.. If you see no nag screen and can still go into the 'About Screen' and still see the 'Licensed Copy. Do Not Copy' message then our job is completed.. It's always a good idea to now test the program just to satisfy to ourselves that there are no other checks that the program does.. Some programs have more than one protection system attached to it, just in case of tampering etc.. You could also set your computer's clock say two months in advance from now and see if any new shareware messages pop-up..

I've tested the program these past two days and haven't seen anything out of the ordinary so I'm happy that this patch works as expected..
 
Job Done.
 
The 'Crack' 
 
In order to *crack* this babe we're going to patch just one memory location with a few Nops (90h), so that the program will never execute the conditional jump instruction at offset 485D9B.

Load up tekfct95.exe into your favourite Hex-Editor (I prefer Hex Workshop-32), but just about any will do..

Search for the following bytes:  F7FF0F8532010000
Replace with these bytes:        F7FF909090909090

(The first two bytes, F7FF, are the tail of the call before the jne and stay as they are; the six bytes of the jne, 0F8532010000, become six Nops.)
 
Our patch should look like this:
 
:00485D95 41              inc ecx
:00485D96 E8B1CFF7FF      call 00402D4C ;Check our serial no
:00485D9B 90              nop
:00485D9C 90              nop
:00485D9D 90              nop
:00485D9E 90              nop
:00485D9F 90              nop
:00485DA0 90              nop
:00485DA1 8D45AF          lea eax, dword ptr [ebp-51] ;register this babe
:00485DA4 BA945F4800      mov edx, 00485F94
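The essay points out in the Softice section that some programs perform further checks to see whether anyone has patched them. The following Python script is an added example and is not code from the essay or from TechFacts itself. It takes the instruction bytes listed above (constructed here from the listing, with 0x00485D95 as the address of the first byte), decodes the call and jne rel32 displacements to confirm that the targets really are 00402D4C and 00485ED3, and then shows the kind of integrity check a program, or an analyst checking a binary for tampering, can apply to a guarded region: a digest of the bytes plus a direct test for the six-NOP pattern that replaces the jne. The function names and the choice of SHA-256 are this example's own.

```python
import hashlib
import struct

# Constructed from the listing above: the bytes at 00485D95..00485DA8
# (inc ecx; call 00402D4C; jne 00485ED3; lea eax,[ebp-51]; mov edx,00485F94).
ORIGINAL_SNIPPET = bytes.fromhex(
    "41"             # inc ecx
    "E8B1CFF7FF"     # call 00402D4C   (E8 + rel32)
    "0F8532010000"   # jne 00485ED3    (0F 85 + rel32, 6 bytes)
    "8D45AF"         # lea eax, dword ptr [ebp-51]
    "BA945F4800"     # mov edx, 00485F94
)
SNIPPET_BASE = 0x00485D95   # virtual address of ORIGINAL_SNIPPET[0]
JNE_OFFSET = 6              # 1 byte (inc) + 5 bytes (call) precede the jne
JNE_LENGTH = 6

# The same region after the patch the essay describes: the jne becomes six NOPs (90h).
PATCHED_SNIPPET = (ORIGINAL_SNIPPET[:JNE_OFFSET]
                   + b"\x90" * JNE_LENGTH
                   + ORIGINAL_SNIPPET[JNE_OFFSET + JNE_LENGTH:])

JCC_NAMES = {0x84: "je", 0x85: "jne"}  # condition codes relevant to this listing


def decode_rel32_branch(code, offset, base):
    """Decode a near call/jmp/jcc with a 32-bit relative displacement.

    Returns (mnemonic, absolute_target) or None when no such instruction
    starts at `offset`. The displacement is relative to the address of the
    *next* instruction, which is why the jne at 00485D9B with rel32 = 0x132
    lands on 00485DA1 + 0x132 = 00485ED3.
    """
    op = code[offset]
    if op == 0xE8:
        mnemonic, length = "call", 5
    elif op == 0xE9:
        mnemonic, length = "jmp", 5
    elif op == 0x0F and offset + 1 < len(code) and 0x80 <= code[offset + 1] <= 0x8F:
        mnemonic, length = JCC_NAMES.get(code[offset + 1], "jcc"), 6
    else:
        return None
    if offset + length > len(code):
        return None
    rel32 = struct.unpack_from("<i", code, offset + length - 4)[0]  # signed
    return mnemonic, (base + offset + length + rel32) & 0xFFFFFFFF


def region_digest(code):
    """SHA-256 of the guarded bytes; a program would ship the known-good value."""
    return hashlib.sha256(code).hexdigest()


def check_guarded_region(code, expected_digest, jne_offset=JNE_OFFSET):
    """Integrity check of the kind the essay says some programs perform.

    Two independent signals are returned so a caller can log or refuse to
    run: whether the region's digest matches the shipped value, whether the
    expected jne is still present at the guarded offset, and whether the
    bytes there are the tell-tale run of NOPs.
    """
    branch = decode_rel32_branch(code, jne_offset, SNIPPET_BASE)
    nopped = code[jne_offset:jne_offset + JNE_LENGTH] == b"\x90" * JNE_LENGTH
    return {
        "digest_ok": region_digest(code) == expected_digest,
        "jne_present": branch is not None and branch[0] == "jne",
        "nop_patched": nopped,
    }


if __name__ == "__main__":
    known_good = region_digest(ORIGINAL_SNIPPET)
    for label, snippet in (("original", ORIGINAL_SNIPPET), ("patched", PATCHED_SNIPPET)):
        print(label,
              decode_rel32_branch(snippet, 1, SNIPPET_BASE),
              decode_rel32_branch(snippet, JNE_OFFSET, SNIPPET_BASE),
              check_guarded_region(snippet, known_good))
```

Run against the original bytes the check reports the digest intact and the jne present; against the patched bytes it reports a digest mismatch and the six-NOP run, which is exactly the tampering the essay warns a second check may look for. A real program would guard a larger region than 20 bytes and keep the reference digest somewhere other than next to the bytes it protects, but the logic is the same.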

Final Notes
 
Yet another interesting program for newbies to practice on. In fact there are other ways to *crack* this program; perhaps you would like to see if you can find them?.

My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          The Sandman
Page Created: 8th July 1998