http://www.smartsound.com - Webpage.
Well, another serial number tutorial, this time with a difference, I'll just highlight how you can defeat this type of protection which software writers use to deter casual crackers. Without further ado, you should see that the installation program placed an icon named Unlock SmartSound, so lets run that and take a look.
As you can see, the immediate dilemma is that the Unlock button is only selectable when a valid code is entered. So during the time that you are entering a serial# the program is checking it against some validity criteria, all we need to do is trigger SoftICE during that process. Here's how. Enter a serial# in the dialog box, then Ctrl+D into SoftICE and >bpx GetWindowTextA , now when you return make a change to the dialog box contents (I use the backspace key), you should be returned to SoftICE, in this applications case inside mfc42.dll.
So lets step out of this dll, to this code inside unlockss.exe (disassembly listing):
:00401CC4 MOV EAX, DWORD PTR [EBP+00] <-- EAX holds
:00401CC7 MOV ECX, DWORD PTR [EAX-08] <-- ECX holds length of # entered.
:00401CCA TEST ECX,ECX <-- Test if a Serial # was entered.
:00401CCC JE 00401D0F <-- Jump_no_serial_# entered.
:00401CCE MOV ESI, 004041B4 <-- ESI holds 'Demo Version'
:00401CD3 MOV DL, BYTE PTR [EAX] <-- DX-low holds first character of # entered.
:00401CD5 MOV BL, BYTE PTR [ESI] <-- BX-low holds first letter of ESI, i.e. D.
:00401CD7 MOV CL,DL <-- CL=DL.
:00401CD9 CMP DL,BL <-- Compare D to first character entered.
:00401CDB JNE 00401CFB <-- Jump_Good_Code.
Well, I'm going to just pause here, this little snippet here just checks the first 2 digits of your code 'De' as in 'Demo Version', so to skip this check just ensure your code doesn't start with the letter D. We move on to the following code:
:00401CFB SBB EAX,EAX <-- Subtract with borrow, carry
flag is set so EAX=-1.
:00401CFD SBB EAX,FFFFFFFF
:00401D00 XOR ECX,ECX <-- Clean up ECX.
:00401D02 TEST EAX,EAX <-- Test EAX for 0, doesn't set the zero-flag.
:00401D04 SETE CL <-- Set CX-low equal to 0 because the zero-flag wasn't set.
:00401D07 TEST CL,CL <-- Test CX-low for 0 - sets ZF.
:00401D09 JNE 00401D0F <-- Jump_Bad_Code.
:00401D0B XOR EAX,EAX <-- Clean up EAX.
:00401D0D JMP 00401D14 <-- Jump_Good_Code.
We continue with this next section of code, I actually fully investigated the determination of this routine which works by checking key values of the code using several loops, these are the critical sections, expect to trace a function to reach them:
:004018D7 MOV ECX,00000009 <-- ECX = 9 decimal.
:004018DC ADD ESP,00000008 <-- Tidy stack.
:004018DF CMP AL,CL <-- Critical compare, your code must be 9 digits.
:004018E1 JE 004018EA <-- Jump_Good_Code.
At this stage you may like to enter a code which passes this check and start tracing again, remember that if you use the backspace key you'll need to have 10 digits before you push the key, so that you can actually examine the compare routine it might also be a good idea to use a code such as ABCDEFGHI rather than a repeating pattern i.e. 12121212. Let us continue and note the following key checks.
:0040190E CALL 00401A20 <-- Trace this if you really
want to see what's happening.
:00401913 MOV CL, BYTE PTR [ESP+1A] <-- Moves CL to the 6th digit of your code.
:00401917 ADD ESP,00000004 <-- Tidy stack.
:0040191A CMP CL,AL <-- AL was set = 9, so 6th digit must be 9.
:0040191C JE 00401925 <-- Jump_Good_Code.
:00401942 MOV CL, BYTE PTR [ESP+1D] <-- CL now holds final digit of your code.
:00401946 ADD ESP,00000004 <-- Tidy stack.
:00401949 CMP CL,AL <-- AL this time = 4, so last digit must be 4.
:0040194B JE 00401954 <-- Jump_Good_Code.
:00401954 MOV AL, BYTE PTR [ESP+11] <-- Now check first digit of code.
:00401958 CMP AL,54 <-- First digit = T.
:0040195A JE 00401989 <-- First digit = T, Jump_Good_Code and now unlock.
:0040195C CMP AL,74 <-- First digit = t.
:0040195E JE 00401989 <-- Jump_Good_Code.
:00401972 CALL 00401A20 <-- Yet again, call this function.
:00401977 MOV CL, BYTE PTR [ESP+17] <-- 3rd digit of code.
:0040197B ADD ESP,00000004 <-- Tidy stack.
:0040197E CMP CL,AL <-- AL = 8, so 3rd digit must be 8.
:00401980 JE 004019D0 <-- Final Jump_Good_Buyer else its not unlocking.
So you can now see the validation criteria for an example code, however the routine is fairly clever in that although it checks the same positions in the code the other parts of the code have to fit those checks so Txxxx9xx4 (where x is anything) will not work unanimously. I'll give you some working codes to be examining this system in more detail.
SmartSound For Multimedia v1.5
Serial#'s: t23459784, T23459784, 128459784.