August 1998
"Cracking Teleport Pro v1.28"
Win '95 PROGRAM
Win Code Reversing
 
 
by KLee8084 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: pro.exe
Program Type: Web Robot
Program Location: HERE 
Program Size: 1.6 meg
 
   
Tools Used:
Softice V3.2 - Debugger
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Cracking Teleport Pro v1.28
Written by KLee8084
 
 
 
Introduction
 
Teleport Pro is a very useful program. You feed it a URL to start from and it will crawl over that site and any other sites linked from it, retrieving files (of the types that you specify) or just the names of files. Officially it is classified as an offline browser, but it is great for searching for that special program that you just KNOW is to be found at a particular URL. How about inputting the URL of a warez site?
 
About this protection system
 
This program calculates a registration code based on the user name that you enter, converts the code you typed into a number, and compares the two.
 
The Essay 
     
This crack was surprisingly easy. Ready? Ok. Run the program.

Enter your Name, Company, and fake Registration Code (if you need to access the registration window, click on Help and then click on Register...).
 
Press CTRL-D to go into Softice.
 
Now, we want to set a breakpoint. Let's try bpx GetWindowTextA (that is what the program uses, actually).
 
Type X to return to the program.
Click on "OK".
 
Bang! We are now in Softice at the start of USER32!GetWindowTextA.
Since the program is going to get the text 3 times (Name, Company, and Registration Code), we want to let the first two reads go by and stop on the third:

Type X (the Name has been read; Softice breaks again for the Company).
Type X (the Company has been read; Softice breaks a third time, for the Registration Code).
 
Press F11 to step out of the function call.
 
Type bc * to kill your breakpoints, as they will no longer be needed.
 
We should now be at the instruction following the call to USER32!GetWindowTextA.

:00449D80    CALL [USER32!GetWindowTextA]  <- get what is in the
                                           <- Registration Code text box
:00449D86    MOV ECX, [EBP+10]             <- fake registration code
:00449D89    PUSH FF
:00449D8B    CALL 004430CA
:00449D90    JMP 00449D9D

F10 over the call at 00449D8B (you can F8 into it, but it is not very interesting).
F10 until:

:004246D2    PUSH DWORD PTR [ESI+000000DD]

If you type d esi+dd you'll see this in your data window:

:006FFA2D    1C 2B D3 00 50 41 00 .....

The first four bytes (1C 2B D3 00) are a pointer. x86 stores values little-endian, least significant byte first, so read the bytes from right to left to get the address, and dump it:
d D32B1C

Ahhh...your fake registration code.
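The "read them backwards" step is just decoding a little-endian DWORD: x86 puts the least significant byte first, so the bytes 1C 2B D3 00 are the pointer 00D32B1C. As an added helper, not part of the original essay, the C code below assembles such a value and parses a SoftICE-style data-window line so the pointer can be pulled from any byte offset of the dump. The sample line is the one shown above; the function names and the 32-byte limit are my own choices.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Assemble a 32-bit value from four bytes stored little-endian,
   the way x86 lays out pointers and DWORDs in memory. */
uint32_t le32(const uint8_t b[4]) {
    return (uint32_t)b[0]
         | ((uint32_t)b[1] << 8)
         | ((uint32_t)b[2] << 16)
         | ((uint32_t)b[3] << 24);
}

/* Parse a SoftICE data-window line such as
   ":006FFA2D    1C 2B D3 00 50 41 00 ....."
   and return the DWORD stored at byte offset `off` of the dumped bytes.
   The first token is the address and is skipped; parsing stops at the
   first token that is not exactly two hex digits (the ASCII column).
   Returns 0 and sets *ok = 0 if fewer than off+4 bytes are present. */
uint32_t dword_from_dump(const char *line, size_t off, int *ok) {
    uint8_t bytes[32];          /* a dump line never carries more than this */
    size_t n = 0;
    char copy[256];
    strncpy(copy, line, sizeof copy - 1);
    copy[sizeof copy - 1] = '\0';

    char *tok = strtok(copy, " \t\r\n");
    if (tok) tok = strtok(NULL, " \t\r\n");   /* drop the address token */
    while (tok && n < sizeof bytes) {
        char *end;
        unsigned long v = strtoul(tok, &end, 16);
        if (strlen(tok) != 2 || *end != '\0') break;
        bytes[n++] = (uint8_t)v;
        tok = strtok(NULL, " \t\r\n");
    }
    if (n < off + 4) {
        if (ok) *ok = 0;
        return 0;
    }
    if (ok) *ok = 1;
    return le32(bytes + off);
}

int main(void) {
    /* constructed sample: the data-window line quoted in the essay */
    const char *line = ":006FFA2D    1C 2B D3 00 50 41 00 .....";
    int ok = 0;
    uint32_t p = dword_from_dump(line, 0, &ok);
    printf("pointer at offset 0: %s %08X  (type: d %X)\n",
           ok ? "" : "(missing)", p, p);
    return 0;
}
```

The same helper answers "which address does this DWORD point to?" for any dump, whether the pointer sits at ESI+DD as here or deeper into a structure; pass the offset of the four bytes you care about.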
 
Below this PUSH instruction you'll find:

:004246D8    CALL 0042A960
:004246DD    MOV EBP, EAX
:004246DF    MOV EAX, [00484C5C]
:004246E4    ADD ESP, 0C
:004246E7    CMP [EAX+0000029F], BL
:004246ED    JZ 0042482A

Doesn't look very interesting, does it? The call's return value goes into EBP and is not tested here, and EAX is immediately reloaded from a global before the CMP...

This call, therefore, most likely does not check the fake registration code against the real one.
 
F10 over the call at 004246D8

Just out of curiosity, check out EAX by typing ? EAX

Look at the decimal value of EAX. Ahhh....the fake registration code. The call has evidently turned the string you typed into a number (an atoi-style conversion), and the MOV EBP, EAX that follows keeps that number in EBP.
 
F10 until:

:004246F3    CMP EBP, EBX

If you type ? EBP you'll see that it holds the hex value of the fake registration code. EBX holds zero, so this compare simply tests whether your code converted to a non-zero number.
 
F10 some more until:

:004246FC    PUSH DWORD PTR [ESI+000000D5]

If you check the value at this location (00D32AEC), you'll see the name that you had entered.  So, the next instruction:

:00424702    CALL 00424FAF

must do something with your name, eh? Perhaps it calculates the real registration code?

Right after the call at 00424702 is something very interesting: a CMP instruction.

:00424707    CMP EBP, EAX

F10 until you reach this CMP instruction (:00424707).
 
If you type ? EBP you'll see that it holds the hex value of your fake registration code.
Notice that EBP is being compared with EAX. I wonder what EAX holds?

Type ? EAX
 
See the decimal value of EAX? Write it down. That's the real registration code: the program has just computed it from your name and is about to compare it with the number you typed.
 
Type X to return to the program.  Now, click on "OK" (nasty message box!).
Ready? Enter in the number that you had written down and click on "OK".
Congratulations!
 
Program cracked.
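Putting the traced pieces together, the check has this shape: the typed code is converted to an integer (the call at 0042A960, result kept in EBP), tested against zero (CMP EBP, EBX), and then compared with a number derived from the name (the call at 00424FAF, result in EAX). The C model below is an added illustration and is not Teleport Pro's code: `code_from_name` is a hypothetical stand-in, since the essay never recovers the real algorithm, and reading the zero test as a rejection of non-numeric input is my inference. What it shows is why reading EAX at the CMP is enough: the genuine code is computed on the user's own machine and sits in a register right before the comparison.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

/* Stand-in for the routine at 00424FAF. HYPOTHETICAL: the essay does not
   recover Teleport Pro's algorithm; any name-to-number function shows the
   same weakness. Result is kept to 8 decimal digits like a typed serial. */
uint32_t code_from_name(const char *name) {
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p)
        h = h * 31u + *p;
    return h % 100000000u;
}

/* Mirrors the control flow traced in the essay:
     CALL 0042A960  typed string -> integer        (EBP)
     CMP  EBP, EBX  EBX == 0: reject zero / non-numeric input (inferred)
     CALL 00424FAF  real code from the name        (EAX)
     CMP  EBP, EAX  the decisive comparison
   If real_out is non-NULL it receives the value a debugger would see in EAX
   at that last CMP, i.e. the genuine registration code. */
int check_registration(const char *name, const char *typed_code, uint32_t *real_out) {
    uint32_t typed = (uint32_t)strtoul(typed_code, NULL, 10); /* EBP */
    if (typed == 0)                                            /* CMP EBP, EBX */
        return 0;
    uint32_t real = code_from_name(name);                      /* EAX */
    if (real_out)
        *real_out = real;
    return typed == real;                                      /* CMP EBP, EAX */
}

/* The essay's method as a function: submit a wrong code, read the real one
   off the comparison, then submit that. Returns 1 if the retry is accepted. */
int crack_by_reading_eax(const char *name) {
    uint32_t real = 0;
    char buf[16];
    if (check_registration(name, "12345", &real))   /* constructed wrong guess */
        return 0;                                   /* lucky guess; nothing to learn */
    snprintf(buf, sizeof buf, "%u", (unsigned)real);
    return check_registration(name, buf, NULL);
}

int main(void) {
    const char *name = "KLee8084";                  /* constructed sample input */
    uint32_t leaked = 0;
    printf("first try accepted: %d\n", check_registration(name, "12345", &leaked));
    printf("'? EAX' at the CMP shows: %u\n", (unsigned)leaked);
    printf("retry with that value: %d\n", crack_by_reading_eax(name));
    return 0;
}
```

The comparison at 00424707 is the whole protection; every earlier branch only filters out empty or non-numeric input, which is why the essay can skip the call at 004246D8 and still win.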
 
The 'Crack' 
 
None.
 
Final Notes 
 
This essay is meant to show a little of how to use intuition when reverse-engineering a program. If there are no tests or compares right after a call, chances are that the call was not critical to your cracking. If, however, there IS a test or compare, it might be wise to step into the call. It might be wise, too, to periodically check on the decimal values that the registers hold. When I first tried to crack this program as a newbie, I failed to check the values of EAX and EBP. Needless to say, I wasn't able to crack it.
 
This is an excellent program to use when searching for an app or web page. Very easy to mirror a web site to your hard drive. The company that created this program deserves to be paid for it.

 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges in breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by: KLee8084
Page Created: 17th August 1998