-----------------------------------------------------+
This information is for educational purposes only!   |
-----------------------------------------------------+



                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
              XXXX        proudly presents his 6.Cracking Tutorial (06.04.1999)
               XX                          MP3 TO EXE 1.2

I.   Tools you need for my tutorial
II.  Cracking the Nag-Screen
III. Getting the serial
IV.  BTW

I.   Tools you need for my tutorial
     Win32Dasm 8.9  (get at http://Qserve.8m.com)
     Registry Monitor (get at http://Qserve.8m.com ?)
     (perhaps) Soft-Ice for Windows (get at http://Qserve.8m.com)
     A hex-editor, I prefer Hex Workshop 2.54
     MP3 TO EXE 1.02, the target (http://software.webset.de/buschjost/mp3eng.htm
                                  mail me if you don't find the version 1.02 there)
     
II.  Cracking with Win32Dasm:
     There are three reasons I write this tutorial:
     1. At my first attempt it was damn hard to crack it. I installed it, tried it and
        uninstalled it again, saying that I can't crack it. The next day I installed it again,
        telling myself it can't beat you. But I gave up again and uninstalled it. I repeated
        this procedure three more times until I got it.
     2. In my opinion it is a good newbie target (easy, but not too easy).
     3. I'm on holiday and outside it is raining cats and dogs, so I haven't got anything
        to do.

     But now let's start cracking. When you look at the target, there are several differences
     between the shareware and the full version. In the sw version the first thing you see is a
     nag-screen (strange, it doesn't say you should register, only that you are not allowed
     to distribute files created with the sw version). When you look at the about box, you see
     that it is registered to no one (did you guess that? ;). When you create an MP3.EXE file you
     see an "Unregistered" message too, but that's not our problem.
     To register MP3 TO EXE, you have to enter a name, a serial and a registration code. The
     last one is calculated from the name and the serial.

     When we fire up Registry Monitor, we see three important values.
     HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE\Name     ;;name
     HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE\Serial   ;;serial
     HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE\Free     ;;registration code

     OK, let's get rid of the nag-screen. These approaches all failed:
     1. My beloved I-DON'T-WANT-TO-USE-MY-BRAIN-BRUTE-FORCE method (see tutorial six)
     2. searching for a string that appears in the nag-screen
     3. Searching for MessageBoxA

     Now it's time for a little ZEN cracking (that means USE your brain). OK, what do we know?
     Not much, except that it calculates the valid serial again at the beginning of the program
     (better: we assume that, because of the way the program saves the reg information). So
     let's check for the string "Free". I search for "Free" and not for "Name", because most of
     the time it goes like this:

     Get Name
     Get Serial
     Get RegCode (in this case)
     Calculate correct code and compare
     Show MessageBox if unregistered

     The string "Free" appears four times: one time when we try to register it, as you can see
     from the other strings nearby. For the three other times we don't have a clue where they
     could be. So we place a breakpoint (I'm using W32Dasm) some lines above "Free" and run the
     program. If it breaks, we know that this is the check that takes place at the beginning.
     I tell you, it will be the last "Free". You see:

     :0045BADD 8B45C0                  mov eax, dword ptr [ebp-40]
     :0045BAE0 50                      push eax
     :0045BAE1 8D4DBC                  lea ecx, dword ptr [ebp-44]

     * Possible StringData Ref from Code Obj ->"Free"
                                       |
     :0045BAE4 BA04C04500              mov edx, 0045C004
     :0045BAE9 8BC7                    mov eax, edi
     :0045BAEB E82827FFFF              call 0044E218
     :0045BAF0 8B55BC                  mov edx, dword ptr [ebp-44]
     :0045BAF3 58                      pop eax
     :0045BAF4 E81F7DFAFF              call 00403818      ;;*could* be the calculation/comparison
     :0045BAF9 7412                    je 0045BB0D        ;;*could* be the "Beggar off"
     :0045BAFB 8B45FC                  mov eax, dword ptr [ebp-04]       ;;*could* be the flag
     :0045BAFE 8B803C020000            mov eax, dword ptr [eax+0000023C] ;;*could* be the flag
     :0045BB04 B201                    mov dl, 01                        ;;*could* be the flag
     :0045BB06 E8791FFDFF              call 0042DA84                     
     :0045BB0B EB10                    jmp 0045BB1D                      ;;*could* be "Good Guy"

     Plenty of *could* here :( So now we have to check. I set a breakpoint on the line with the
     conditional jump and change the value of the Zero flag when we reach this jump. And when I
     had done this, the nag-screen was gone :), the "Register" button was gone :), but the
     "About" box still said registered to no one :(. Of course, we didn't enter any values in
     the Windows registry. So fire up regedit.exe and create some values with the names Name and
     Serial in HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE. Then set the breakpoint and
     restart again. Change the Zero flag and push "Run". Now we see our name in the "About" box,
     too :). But NO, when we create an EXE file from an MP3 we get an unregistered message there :(
     So we have to find out the correct serial for MP3 TO EXE. (If anybody has cracked the
     files that are created with MP3 TO EXE, please mail me.)
     btw: If you want to patch the file anyway, there is a nice "The file has been modified"
     message waiting for you, but this one is pretty easy to bypass, because you can easily
     locate the string of the messagebox.

III. Getting the correct serial:
     In the first section we saw that the first "Free" is near the "Thank you" message. So let's
     start there. If you scroll some lines up, you should see this:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00454BEC(U)
     |
     :00454BF9 DB2B                    fld tbyte ptr [ebx]
     :00454BFB DB2D2C524500            fld tbyte ptr [0045522C]
     :00454C01 DED9                    fcompp
     :00454C03 DFE0                    fstsw ax
     :00454C05 9E                      sahf
     :00454C06 72E6                    jb 00454BEE
     :00454C08 8D55F8                  lea edx, dword ptr [ebp-08]
     :00454C0B 8B45FC                  mov eax, dword ptr [ebp-04]
     :00454C0E 8B80AC010000            mov eax, dword ptr [eax+000001AC]
     :00454C14 E81B01FCFF              call 00414D34
     :00454C19 837DF800                cmp dword ptr [ebp-08], 00000000
     :00454C1D 7532                    jne 00454C51                       ;; JUMP TO "Thanks"
     :00454C1F 8D55E4                  lea edx, dword ptr [ebp-1C]
     :00454C22 8B45FC                  mov eax, dword ptr [ebp-04]
     :00454C25 8B80B4010000            mov eax, dword ptr [eax+000001B4]
     :00454C2B E80401FCFF              call 00414D34
     :00454C30 837DE400                cmp dword ptr [ebp-1C], 00000000
     :00454C34 751B                    jne 00454C51                       ;; JUMP TO "Thanks"
     :00454C36 8D55E0                  lea edx, dword ptr [ebp-20]
     :00454C39 8B45FC                  mov eax, dword ptr [ebp-04]
     :00454C3C 8B80B0010000            mov eax, dword ptr [eax+000001B0]
     :00454C42 E8ED00FCFF              call 00414D34
     :00454C47 837DE000                cmp dword ptr [ebp-20], 00000000
     :00454C4B 0F8427010000            je 00454D78                        ;; JUMP TO "Wrong"
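     The fld / fld / fcompp / fstsw ax / sahf / jb sequence at :00454BF9-:00454C06 is the usual
     compiler idiom for branching on a floating-point compare, and it is easy to misread because
     the integer flags come out of the FPU status word. The following is an added example of my
     own (not code from the tutorial and not from MP3 TO EXE) that models what that sequence does
     to CF/PF/ZF, so the back-edge can be read without a debugger. The operand values are
     placeholders; the listing does not tell us what [ebx] and 0045522C actually hold.

```python
# Added example (not code from the tutorial or from MP3 TO EXE): emulate the flag effect of
#   fld tbyte ptr [ebx] ; fld tbyte ptr [0045522C] ; fcompp ; fstsw ax ; sahf ; jb 00454BEE
# The two operand values are placeholders; the listing does not tell us what they hold.
import math

# x87 status word bit positions of the condition codes that FCOMPP sets.
C0, C2, C3 = 1 << 8, 1 << 10, 1 << 14


def fcompp_status(st0: float, st1: float) -> int:
    """Status word after FCOMPP compares ST(0) with ST(1) (both are then popped).

    C3 C2 C0 = 000 if ST0 > ST1, 001 if ST0 < ST1, 100 if equal, 111 if unordered (NaN).
    """
    if math.isnan(st0) or math.isnan(st1):
        return C3 | C2 | C0
    if st0 > st1:
        return 0
    if st0 < st1:
        return C0
    return C3


def fstsw_sahf(status_word: int) -> dict:
    """FSTSW AX puts the status word in AX; SAHF copies AH into EFLAGS.

    AH is bits 8..15 of the status word, so C0 lands in CF (bit 0), C2 in PF (bit 2)
    and C3 in ZF (bit 6). That is what lets the integer jcc family test an FPU compare.
    """
    ah = (status_word >> 8) & 0xFF
    return {"CF": bool(ah & 0x01), "PF": bool(ah & 0x04), "ZF": bool(ah & 0x40)}


def jb_taken(mem_ebx: float, mem_45522c: float) -> bool:
    """Is the back-edge 'jb 00454BEE' taken?

    [ebx] is loaded first and [0045522C] second, so at FCOMPP time [0045522C] is ST(0)
    and [ebx] is ST(1). JB tests CF, i.e. C0, i.e. ST(0) < ST(1): the loop continues
    while the value at 0045522C is below the value at [ebx].
    """
    flags = fstsw_sahf(fcompp_status(st0=mem_45522c, st1=mem_ebx))
    return flags["CF"]
```

     Note the operand order: because the second fld ends up in ST(0), the jb compares the
     constant at 0045522C against [ebx], not the other way round. Getting this backwards is a
     common mistake when reading FPU compares in a listing.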

     There are two jumps to "Thanks" (perhaps two valid serials for every name, like in WinZip?).
     OK, it strongly seems that the valid serial is calculated somewhere in the call at :00454C14
     and that the value at [ebp-08] is a correct/wrong flag. So let's trace into the call.
     DON'T believe everything I tell you. You can trace forever if you enter this call.
     There are TWO "Wrong serial" messages. The first at :00454D58, the second at :00454D7F. We
     just looked at the first one. The second one is referenced by an unconditional jump at
     :00454CA4 (that is deep inside what we called "Thanks"). The first checks we looked at
     were just to see if we entered something as name, serial and regcode. So around :00454CA4
     you should see this:

     * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
     |:00454C1D(C), :00454C34(C)
     | ;;the start of our "Thanks" (haha)
     :00454C51 8D55F8                  lea edx, dword ptr [ebp-08]    
     :00454C54 8B45FC                  mov eax, dword ptr [ebp-04]
     :00454C57 8B80B0010000            mov eax, dword ptr [eax+000001B0]
     :00454C5D E8D200FCFF              call 00414D34
     :00454C62 8B45F8                  mov eax, dword ptr [ebp-08]
     :00454C65 50                      push eax
     :00454C66 DB2E                    fld tbyte ptr [esi]
     :00454C68 E8BBDDFAFF              call 00402A28
     :00454C6D 8D4DDC                  lea ecx, dword ptr [ebp-24]
     :00454C70 BA08000000              mov edx, 00000008
     :00454C75 E8E213FBFF              call 0040605C
     :00454C7A 8D45DC                  lea eax, dword ptr [ebp-24]
     :00454C7D 50                      push eax
     :00454C7E DB2B                    fld tbyte ptr [ebx]
     :00454C80 E8A3DDFAFF              call 00402A28       ;; calculate first part
     :00454C85 8D4DD8                  lea ecx, dword ptr [ebp-28]
     :00454C88 BA08000000              mov edx, 00000008
     :00454C8D E8CA13FBFF              call 0040605C       ;; calculate second part
     :00454C92 8B55D8                  mov edx, dword ptr [ebp-28]
     :00454C95 58                      pop eax
     :00454C96 E875EAFAFF              call 00403710       ;; add second part to first part
     :00454C9B 8B55DC                  mov edx, dword ptr [ebp-24] ;; valid code is stored in ECX
     :00454C9E 58                      pop eax             ;; d edx = valid regcode
     :00454C9F E874EBFAFF              call 00403818       ;; this one compares
     :00454CA4 0F85A7000000            jne 00454D51        ;; that's the important jump
     :00454CAA B201                    mov dl, 01
     :00454CAC B8A4DE4400              mov eax, 0044DEA4
     :00454CB1 E8A292FFFF              call 0044DF58
     :00454CB6 8BD8                    mov ebx, eax
     :00454CB8 BA02000080              mov edx, 80000002
     :00454CBD 8BC3                    mov eax, ebx
     :00454CBF E82493FFFF              call 0044DFE8
     :00454CC4 B101                    mov cl, 01

     To make it quick: when you execute the program until :00454C9E and look at the registers,
     you see your correct regcode (16 hexadecimal chars) in EDX.
     SICE: d edx
     W32Dasm: click on ECX in the debug window
     If anyone makes a key generator for this one I would be pleased to hear about it.
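     The whole of section III rests on W32Dasm's "Referenced by a (U)nconditional or
     (C)onditional Jump at Address" annotations: they are what tell you which compares lead to
     "Thanks" and which to "Wrong". Those annotations are nothing more than the relative
     displacements in the jump encodings added to the next instruction's address, and an analyst
     can (and should) re-derive them rather than trust the tool. The following is an added example
     of my own, not code from the tutorial or from W32Dasm: it parses listing lines in the format
     shown above, decodes every jump and call target from the opcode bytes, checks them against
     the target the disassembler printed, and rebuilds the reference map. The function names
     (parse_listing, branch_target, check_targets, references_to) are my own; the sample input is
     copied from the :00454BF9-:00454C4B listing earlier in this section.

```python
# Added example (mine, not code from the tutorial or from W32Dasm): parse W32Dasm-style listing
# lines, decode each relative jump/call target from its opcode bytes, check it against the target
# the disassembler printed, and rebuild the "Referenced by ... Jump at Address" annotations that
# the tutorial relies on to see who jumps to "Thanks" and who to "Wrong".
import re
from collections import defaultdict

# Sample input: copied from the listing at :00454BF9-:00454C4B in section III.
LISTING = """\
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00454BEC(U)
|
:00454BF9 DB2B                    fld tbyte ptr [ebx]
:00454BFB DB2D2C524500            fld tbyte ptr [0045522C]
:00454C01 DED9                    fcompp
:00454C03 DFE0                    fstsw ax
:00454C05 9E                      sahf
:00454C06 72E6                    jb 00454BEE
:00454C08 8D55F8                  lea edx, dword ptr [ebp-08]
:00454C0B 8B45FC                  mov eax, dword ptr [ebp-04]
:00454C0E 8B80AC010000            mov eax, dword ptr [eax+000001AC]
:00454C14 E81B01FCFF              call 00414D34
:00454C19 837DF800                cmp dword ptr [ebp-08], 00000000
:00454C1D 7532                    jne 00454C51                       ;; JUMP TO "Thanks"
:00454C1F 8D55E4                  lea edx, dword ptr [ebp-1C]
:00454C22 8B45FC                  mov eax, dword ptr [ebp-04]
:00454C25 8B80B4010000            mov eax, dword ptr [eax+000001B4]
:00454C2B E80401FCFF              call 00414D34
:00454C30 837DE400                cmp dword ptr [ebp-1C], 00000000
:00454C34 751B                    jne 00454C51                       ;; JUMP TO "Thanks"
:00454C36 8D55E0                  lea edx, dword ptr [ebp-20]
:00454C39 8B45FC                  mov eax, dword ptr [ebp-04]
:00454C3C 8B80B0010000            mov eax, dword ptr [eax+000001B0]
:00454C42 E8ED00FCFF              call 00414D34
:00454C47 837DE000                cmp dword ptr [ebp-20], 00000000
:00454C4B 0F8427010000            je 00454D78                        ;; JUMP TO "Wrong"
"""

INSN_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\S+)\s*([^;]*?)\s*(?:;;.*)?$")
XREF_RE = re.compile(r":([0-9A-F]{8})\(([UC])\)")


def parse_listing(text):
    """One dict per instruction: addr (int), bytes, mnemonic, operands, and the
    '|:ADDR(U/C)' cross-references W32Dasm printed just above it."""
    insns, pending = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("|"):          # xref lines: '|:00454BEC(U)' or '|:A(C), :B(C)'
            pending.extend(XREF_RE.findall(line))
            continue
        m = INSN_RE.match(line)
        if not m:                         # '* Referenced by ...' headers, blank lines
            continue
        insns.append({"addr": int(m.group(1), 16), "bytes": bytes.fromhex(m.group(2)),
                      "mnemonic": m.group(3), "operands": m.group(4).strip(),
                      "xrefs": pending})
        pending = []
    return insns


def branch_target(insn):
    """Target of a relative jump/call = address of the next instruction + signed displacement.
    Handles EB/7x (rel8), E8/E9 (rel32) and 0F 8x (rel32); returns None for anything else."""
    b, nxt = insn["bytes"], insn["addr"] + len(insn["bytes"])
    if b[0] == 0xEB or 0x70 <= b[0] <= 0x7F:
        return nxt + int.from_bytes(b[1:2], "little", signed=True)
    if b[0] in (0xE8, 0xE9):
        return nxt + int.from_bytes(b[1:5], "little", signed=True)
    if b[0] == 0x0F and len(b) > 1 and 0x80 <= b[1] <= 0x8F:
        return nxt + int.from_bytes(b[2:6], "little", signed=True)
    return None


def check_targets(insns):
    """Cross-check: (addr, printed target, decoded target) for every branch where they differ."""
    bad = []
    for i in insns:
        t = branch_target(i)
        if t is not None and re.fullmatch(r"[0-9A-F]{8}", i["operands"]) and int(i["operands"], 16) != t:
            bad.append((i["addr"], i["operands"], t))
    return bad


def references_to(insns):
    """Rebuild W32Dasm's 'Referenced by' map from the jumps alone: target -> [(source, 'U'|'C')]."""
    refs = defaultdict(list)
    for i in insns:
        t = branch_target(i)
        if t is None or i["mnemonic"] == "call":
            continue
        refs[t].append((i["addr"], "U" if i["mnemonic"] == "jmp" else "C"))
    return {t: sorted(s) for t, s in refs.items()}


if __name__ == "__main__":
    parsed = parse_listing(LISTING)
    print("mismatched targets:", check_targets(parsed))
    for target, sources in sorted(references_to(parsed).items()):
        print(f"{target:08X} <- " + ", ".join(f"{a:08X}({k})" for a, k in sources))
```

     On the sample, check_targets() comes back empty (every printed target agrees with the
     encoding), and references_to() reproduces what the tutorial reads off by hand: both jne's
     at :00454C1D and :00454C34 land on :00454C51 ("Thanks"), the je at :00454C4B lands on
     :00454D78 ("Wrong"), and the jb at :00454C06 is the loop back-edge to :00454BEE. The same
     decoding applies to the three calls, which all resolve to :00414D34.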


IV.  BTW
     I hope my tutorial was helpful for you, and see you again in my next tutorial.
     
     Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and 
     all [hf] members

     All Tutorials by LaZaRuS [hf]
       
#|  date  |   name           |version|W32Dasm|Soft-Ice|kind of crack            |
-|--------|------------------|-------|-------|--------|-------------------------|
1|20.01.99|Jaylock           |1,0,0,1|  (X)  |   (X)  |serial#                  |
2|31.01.99|Goldwave          |4.02   |  (X)  |   (X)  |serial#,nag-screens      |
3|28.03.99|AxMan             |3.00   |  (X)  |   (X)  |serial#,remove date-limit|
 |        |                  |       |       |        |nag-screen, key generator|
4|29.03.99|C++Builder Strings|       |  (X)  |   (X)  |how to find strings in   |
 |        |                  |       |       |        |C++ Builder that are not |
 |        |                  |       |       |        |hardcoded                |
5|29.03.99|Better Protection |       |       |        |How to protect shareware |
 |        |                  |       |       |        |better against crackers  |
6|04.04.99|Start Clean       |1.2    |  (X)  |   (X)  |nag-screen/serial/keygen |
7|06.04.99|MP3 TO EXE        |1.02   |  (X)  |   (X)  |nag-screen/serial        |

     
LaZaRuS [hf]
Visit Hellforge at http://members.xoom.com/hell_crack for more tutorials and high quality
cracking links.
If you want to mail me: lazarus666@gnwmail.com