Championship Chinese Checkers v2.5 - Tutorial

http://www.geocities.com/SiliconValley/Network/5317 - Webpage (cccheck.zip - (370k)).

Welcome to another tutorial. My target today is Championship Chinese Checkers, a program whose wave files ought to be deleted immediately, launch the program and you'll receive the registration notice. A simple 4 or 5 digit Software ID stands between you and registered status. I guessed here that the corresponding Software Key code would also be fairly short, so I used 1234 as my response.

A >bpx Hmemcpy will be sufficient, although GetWindowTextA works equally as well, upon returning to the caller, 10 presses of F12 or so will put you at this code, in fact I had to copy this code directly from SoftICE because the author has used a commercial program (CodeSafe) to protect the main file from accurate disassembly.

:0040A550 CALL 00404420 <-- Fetch Software Key and return it in EAX.
:0040A555 PUSH EAX <-- Stack it for next function.
:0040A556 CALL [00470A2C] <-- msvcrt40.dll.
:0040A55C ADD ESP,04 <-- Correct stack.
:0040A55F XOR ECX,ECX <-- Clear ECX.
:0040A561 MOV CX,[0046FBAC] <-- Good code.
:0040A568 CMP EAX,ECX <-- Compare.
:0040A56A JZ 0040A590 <-- Jump_nice_buyer.

Yet again, its the same protection which you've seen thousands of times before, a simple >? ecx will reveal the value of the good code. However, there is a further point of interest, I believed patching this program would be something of a problem because of the protection, so I elected to see how the program might track registered status. My attention soon turned to the file (tlaiccc.ini), which upon deletion restored the program to its unregistered state.

However there was a problem, when I re-registered the program the file hadn't changed (or at least I believed it hadn't because it was still 0 bytes long), I also noted that the program created the file each time it started as well. Running File Monitor and Registry Monitor just re-confirmed my suspicions that this initialisation file was the culprit, but how. The answer is quite surprising, in fact registered status is tracked using the date and time stamp of the initialisation file, I verified this by using TouchPro to 'touch' the Last Modified date of the file to the 1st October 1997, 06:24:00 and it acted registered.

An unusual scheme I think you'll agree, and if you had taken the time to read the authors text file you might very well have guessed the significance of this date.