Cracking Tutorial #32:
CrAcKiNG Artgem 1.2
[cracked bY:] sLeEpYż[FWA/NWA/FTPR8Z] iN 05/2002
[difficulty:] beginner
[where:] http://www.rlvision.com
[tOOLz:] W32dasm 8.93, Hiew 6.1



Artgem 1.2
LW2000 of CiA did a tutorial on ArtGem 1.0; this one is on 1.2. It's basically the same
thing (he cracked it a lil more elite), but the same trick won't work in this version, as
it doesn't hold the regcode after 30 days for some reason even though it stays cracked.
Extra steps are also needed in order to kill the nag and fully crack the app.
Still simple!


Install the program and try to register it. Our error:
Invalid Key!

Open up W32dasm and check the String Data Refs for that error msg; double-click
it and you will get dropped here:

:0043D694 6800814700 push 00478100

Let's open up the code a little bit and check it out:



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043D5FE(C) <--what jumps us to our crap error
|
:0043D687 8B0D20378A00 mov ecx, dword ptr [008A3720]
:0043D68D 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"ArtGem"

:0043D68F 68CC7F4700 push 00477FCC

* Possible StringData Ref from Data Obj ->"Invalid Key!"

:0043D694 6800814700 push 00478100




So let's go to where the error is jumped to from: 0043D5FE



:0043D5F4 E847BCFFFF call 00439240 <-serial checking call
:0043D5F9 83C410 add esp, 00000010
:0043D5FC 85C0 test eax, eax
:0043D5FE 0F8483000000 je 0043D687 <-jump to above crap
:0043D604 8D7C2444 lea edi, dword ptr [esp+44]
:0043D608 83C9FF or ecx, FFFFFFFF




Change this:
:0043D5FE 0F8483000000 je 0043D687 (offset 3D5FE)
to this:
:0043D5FE 909090909090 nopX6

Save, and now any code should register! You won't get the confirmation "thank you"
message unless you wait 30 days before you reg it. It will be regged though; check the
about box.



This product does stay regged after startup, so no other checks are done on the
serial (hopefully), even though it does have that 30 day trial nag at the beginning.
I moved the month up one and the registered name disappeared =0( but it works
past the 30 days.

So let's get rid of that nag.
Nag title = "ArtGem 30 Days Trial"

This only appears in one place, which makes things easier!



* Possible StringData Ref from Data Obj ->"ArtGem 30 Days Trial"

:0042A43F 68446B4700 push 00476B44




Scroll up a little bit and let's do this the lame way: look for the first
conditional jump that goes past that String Data Ref!

:0042A3F2 755D jne 0042A451

There is another one a little above that as well:

:0042A3EA 7465 je 0042A451

I just happened to notice it, or I probably wouldn't have used it. I always
like to use the first one because it makes the crack a lil cleaner, so let's kill it:



Change this:
:0042A3EA 7465 je 0042A451 (offset 2A3EA)
to this:
:0042A3EA EB65 jmp 0042A451



Start the prog. Nag screen is no more.
Well, this prog is cracked for all needs anyway; it doesn't hold your username in the
"registered to" box after the 30 days is up though. Now this program never expires
because we fixed it, but I am picky about crap like that sometimes and today am feeling
in tune with this program. So let's go fix this problem and make the reg info stay even
after 30 days... Keep in mind if you just want a working program you can end here, cause
this doesn't make any difference in anything except being vain.

Now the first thing I ran into was where to start on this part of the crack....
So I decided to look in the SDRs (String Data Refs) to find all the weaknesses in the prog.

Places to target this program just in String Data Refs:



"%d days left"
"ArtGem 30 Days Trial"
"Enter serial number to register "
"name"
"Name:"
"RegCode"
"RegCompany" <--this looks like it would be our simplest approach
"Register"
"RegName"
"Thank You for Registering!"
"Trial Period Over"
"TRIAL PERIOD OVER"

"Your registration key has expired!"



I targeted RegCompany because RegName appears a lot more and RegCode isn't even near
where we want. The rest were items we took care of.

Now, where in the program have we seen "RegCompany"? And I'm not talking the dead list,
I'm talking the actual program exe after it's running:

"RegCompany" (3 places in the program for your RegCompany)
One is the startup screen, one is the about screen, one is in the reg box when we register
the prog.

In the dead list we find 3 places... scroll up a lil or check the code around these
locations.

0043D477 (regname, regcompany, regcode)
0043D5BC (regname, regcompany, regcode)
0043E21B (regname, regcompany, Name:, Company:) <--

We need to find which one is the about screen and make it stick. So look at the about
screen! What does it say in the about screen?
Name: yourname
Company: your company

Using a little ZEN we know it is the 3rd one:
0043E21B <-go here
Scroll up from here and you will see a reference:

* Reference To: USER32.DrawTextA, Ord:00AFh


Then right above that, a conditional jump, hmm...
DrawText? Put our text in the about box?
Nop out that conditional jmp so it isn't taken and our text gets drawn:

Change this:
:0043E192 0F85AB000000 jne 0043E243 (offset 3E192)
to this:
:0043E192 909090909090 nopX6

Run the program: our text is there, kool. Shut the program down, change the date ahead
30 days, start the prog: still there, kool. Shut the prog down, change the date ahead
a couple more months, start the prog: still there.
kool..... a full crack =0)



email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.

[ 1. Cracking Cosmi's Generic Installshield Protection ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0 ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach) ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client ]
[ 7. CrAcKiNG Actionizer 1.4 ]
[ 8. CrAcKiNG Tag Wizard 4.3.0 ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP ]
[10. CrAcKiNG Netrace 1.0a ]
[11. CrAcKiNG Winrar 3 Beta 2 THROUGHLY ]
[12. CrAcKiNG Aditor Pro 3.05 build 1 ]
[13. CrAcKiNG EasyType 1.0 ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215 ]
[15. CrAcKiNG Applet Headline Factory Version 4.0 ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b) ]
[17. CrAcKiNG iuVCR 4.0.0.205 beta5 Trial (R_02-28-2002) ]
[18. CrAcKiNG The Weakest Link -NOCD- ]
[19. CrAcKiNG Blowfish 2000 V2.3 by finding a valid serial ]
[20. CrAcKiNG the CD Check in Tony Hawk Pro Skater 3 ]
[21. CrAcKiNG DLL Show 4.7 bY Turning it Into its Own Keygen ]
[22. CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack ]
[23. CrAcKiNG Tickle 2.8 with w32dasm, & finding a valid serial with SI hmemcpy ]
[24. CrAcKiNG AxMan 3.12 with a valid serial using softice Hmemcpy ]
[25. CrAcKiNG Acid_Cool_178 Assembler Crackme01 using W32dasm ]
[26. CrAcKiNG Mirc 6.1 bY finding a valid serial using Softice Hmemcpy ]
[27. CrAcKiNG Bitmap to Icon 3.5 two ways with w32dasm & Softice ]
[28. CrAcKiNG Power Edit 1.1 by unpacking UPX w/procdump and using w32dasm, then]
[ finding a valid serial with Softice ]
[29. CrAcKiNG Blackboard Encrypt 1.1 using w32dasm and resource hacker ]
[30. CrAcKiNG Wine Label 3 by changing 6 bytes in the program ]
[31. CrAcKiNG WinRescue XP 1.07.06 with a hardcoded serial ]
[32. CrAcKiNG Artgem 1.2 ]


gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!
This one was cracked on request from TJ.


CopyLeft:
sLeEpYż
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy