How to crack mIRC by ?ferret



Skill Level: Newbie
Attack Plan: Patching
Target: mIRC v5.61 32 bit
(Available @ http://www.mircscripts.com/old/)


Tools Needed: HexEditor
W32Dasm




Comment: There is no real reason that I can find for cracking this program (other than just for the sake of defeating the protection scheme).

It doesn't have any limitations that I know of.


Now on to the tutorial. ;-)


Disassemble mirc32.exe.

Search for "thank" (there is a good chance it will be in the success message).

Right above this is a dialog reference and a string ref to mirc registration.

Now search for "sorry" (bet you know where you'll see this) ;-)

Now we know to avoid the section of code starting at CS:43B6C2 (referenced by a conditional jump at location CS:43B621).

Scroll down from CS:43B621 a little and you will see the successful reg message!

Hmm.... CS:43B621.... if we change this jump, it will go to the reg message every time! BUT, will it stay regged?



No, it won't. There is a check at program startup for either a keyfile or a registry entry, so if we only patch it here we'll have to re-register every time we run it (a common newbie mistake, which is the reason I brought you here: to explain it).

However, this particular program writes to the registry when you get the success message, and deletes the key after the program starts if it is invalid. As long as the registry key exists.... you are registered. So, go ahead and patch the jump at CS:43B621, then search for RegDeleteKeyA. You will find an instance of this API with a string data reference (SDR) to "code". Interesting. The one directly below that one has an SDR to "name".

Scroll up a bit to see where this section is accessed from. You will see 2 conditional jumps. Let's NOP them both, so it will never jump to delete the key.

Reg the proggy, close it, and restart it. It should now stay regged. ;-)


P.S. There are definitely better ways to crack this, but I wanted to show an easy approach that doesn't get taught every day.









GREETZ & THANX to all of the people who've helped me @ the Newbies Forum. (I'm too damn lazy to type all the names ;-))

s results if they are not properly cleaned from your drive on a periodic basis.

System Cleaner 98 is a safe, fast, and thorough way of keeping your system running like new.


As an unregistered user we are limited to 30 days of use plus a 5-day grace period. The register option in the tray area doesn't do anything, even when we click on it! Let's push the system date 2 months forward and run the program .. boom .. the expiration message pops up, followed by the registration dialog! Believe me, you can't make it registered even if you enter the correct code! So let's forget this stupid thing!

Now push the system date backward and run the program .. boom .. "The system clock has been moved back .. bla bla bla" .. huh, let's finish this naughty Delphi. We should use the GETLOCALTIME function whenever we're trying to crack a time-limit protection. Set BPX GETLOCALTIME and run the program .. boom .. X [ENTER] .. F11 once to get to the caller .. you should land in sc98 now .. keep tracing (F10) until you see the value 1E being compared / moved into a register .. snip .. snip .. oh!:

0049CE53 BA1E000000 mov edx, 0000001E ; recognize this ?! .. yep it's our 30 days trial period
0049CE58 E8ABA3FEFF call 00487208
0049CE5D 8B03 mov eax, [ebx]
0049CE5F BA05000000 mov edx, 00000005 ; and this ?! .. sure it's our 5 days grace period
0049CE64 E86FA4FEFF call 004872D8
0049CE69 8B03 mov eax, [ebx]

.. we can make our trial period longer! e.g.:

mov edx, 0000001E CHANGE TO mov edx, 0FFFFFFF ; this will give us 268,435,455 days
mov edx, 00000005 CHANGE TO mov edx, 0FFFFFFF ; plus 268,435,455 days of grace period

So we'll have 536,870,910 days of trial period!! He he he, seems we'll enjoy the grace period in hell .. but let's continue our exciting trip 'coz this is not our target ..

0049CEA2 E875DFFEFF call 0048AE1C  ; step in here (F8)

We land here:

0048AE1C 53 push ebx
0048AE1D 8BD8 mov ebx, eax
0048AE1F 8BC3 mov eax, ebx
0048AE21 E87EACFFFF call 00485AA4
0048AE26 84C0 test al, al
0048AE28 7439 je 0048AE63 ; we should change this code
0048AE2A 8BC3 mov eax, ebx
0048AE2C E8D3A1FFFF call 00485004
0048AE31 84C0 test al, al ; AL=1 means we run sc98 for the first time
0048AE33 7407 je 0048AE3C
0048AE35 8BC3 mov eax, ebx
0048AE37 E8A8B1FFFF call 00485FE4 ; this call pop up the message "Thank you for trying ..bla bla"
0048AE3C 8BC3 mov eax, ebx
0048AE3E E829ADFFFF call 00485B6C
0048AE43 8BC3 mov eax, ebx
0048AE45 E8FEA3FFFF call 00485248
0048AE4A 84C0 test al, al
0048AE4C 7515 jne 0048AE63
0048AE4E 8BC3 mov eax, ebx
0048AE50 E86FB9FFFF call 004867C4
0048AE55 8BC3 mov eax, ebx
0048AE57 E8D0A6FFFF call 0048552C ; step in here (F8)

Keep tracing until we reach this code:

0048566A 3BD8 cmp ebx, eax
0048566C 7D1A jge 00485688 ; if ebx >= eax then jump to 485688, else pop up "The system clock has been moved back .. bla bla bla"

0048AE5C 8BC3 mov eax, ebx
0048AE5E E849B1FFFF call 00485FAC ; step in here (F8) .. you'll see a routine to check the expiration date
0048AE63 5B pop ebx
0048AE64 C3 ret

We don't need that stupid routine, right?! .. let's fix it .. now fire up Hiew and make the following changes:

OFFSET   ORIGINAL BYTES   NEW BYTES
8A228    7439             EB79

Now push your system date 2 months forward and run the program .. does it expire? NO! .. now reset the system date back and run the program .. does the stupid message pop up?! NO!! .. yep, sc98 has been updated!

Now let's make our work more perfect! .. click on the About button and you should see:

This program is licensed to :

Shareware                                                 You have 4 days left to Evaluate
Unregistered evaluation copy

We don't want to see this ugly text .. do we?! Double-click on the text in the SDR list .. we should land here:

0048F20F 83B81801000000 cmp [eax+00000118], 00
0048F216 0F8588000000 jne 0048F2A4 ; we should change this code

* Possible StringData Ref from Code Obj ->"- Shareware -"

 

0048F21C BA34F34800 mov edx, 0048F334
0048F221 8B830C020000 mov eax, [ebx+0000020C]
0048F227 E88CB7F9FF call 0042A9B8

* Possible StringData Ref from Code Obj ->"Unregistered evaluation copy"

Fire up Hiew and make the following changes:

OFFSET   ORIGINAL BYTES   NEW BYTES
8E616    0F8588000000     0F8488000000

Now the ugly text has been removed ... let's make it licensed to 'someone':

0048F2A4 A194F34900 mov eax, [0049F394]
0048F2A9 8B00 mov eax, [eax]
0048F2AB 8B9018010000 mov edx, [eax+00000118]
0048F2B1 8B830C020000 mov eax, [ebx+0000020C] ; we should change this code !
0048F2B7 E8FCB6F9FF call 0042A9B8
0048F2BC A194F34900 mov eax, [0049F394]
0048F2C1 8B00 mov eax, [eax]
0048F2C3 8B9020010000 mov edx, [eax+00000120]
0048F2C9 8B832C020000 mov eax, [ebx+0000022C] ; we should change this code !

Fire up Hiew and make the following changes:

OFFSET   ORIGINAL BYTES   NEW BYTES
8E6B1    8B830C020000     8B8018010000
8E6C9    8B832C020000     8B8020010000

He he he .. now it's just like a registered version !

Notes :

Most applications store their settings either in the system registry or in a configuration file (INI, DAT, CFG, etc.). You can use some tools to help you find it, e.g. Win32Dasm (search the SDRs), SoftICE (using the CreateKey(A) function), Filemon (finding files used by the program), Regmon (finding which keys the program uses), or RegCrawler (searching for a specific key in the registry).
Especially with time-limit / run-count limited programs .. you could just delete the key / configuration file created by the program to get your trial period back! (Actually you only need to delete the value used as the date counter, but generally deleting them all does no harm 'coz the program will create them again.)

Sc98 stores its settings in the system registry:

HKEY_LOCAL_MACHINE\Config\0001\.SCSecurity
HKEY_CURRENT_USER\Software\InforTech

Simply delete these keys to get your 35 days back!
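The trial logic the sc98 listings walk through (the first-run flag at 0048AE31, the 1E and 05 immediates, the last-run compare at 0048566A) and the registry-reset note above, modelled as a small Python routine. This is an added example, not code from sc98 or from the author; which register holds which date, the exact day boundaries and the sample dates are assumptions.

```python
from datetime import date, timedelta

TRIAL_DAYS = 30   # the 0000001E immediate seen at 0049CE53
GRACE_DAYS = 5    # the 00000005 immediate seen at 0049CE5F
START = date(1999, 1, 1)   # constructed sample install date for the timeline


def day(n):
    """Day n of the constructed timeline (day 0 = first run)."""
    return START + timedelta(days=n)


def check_trial(state, today):
    """Model of an sc98-style startup check.

    state is {} when the registry keys do not exist (first run, or after the
    keys were deleted), otherwise {"installed": date, "last_run": date}.
    Returns (verdict, new_state); verdicts are "first_run", "ok", "grace",
    "expired" and "clock_moved_back".
    """
    if not state:
        # AL=1 path: no stored state, so show "Thank you for trying ..." and
        # start counting from today. Deleting the keys lands here again,
        # which is why the trial period comes back.
        new_state = {"installed": today, "last_run": today}
        return "first_run", new_state
    # Rollback check modelled on `cmp ebx, eax / jge`: assumed ebx = today,
    # eax = last run date; a smaller today means the clock was set back.
    if today < state["last_run"]:
        return "clock_moved_back", state
    new_state = dict(state, last_run=today)
    used = (today - state["installed"]).days
    if used < TRIAL_DAYS:
        return "ok", new_state
    if used < TRIAL_DAYS + GRACE_DAYS:
        return "grace", new_state      # about box: "You have N days left"
    return "expired", new_state        # expiration message + registration dialog


def days_left(state, today):
    """Days remaining before expiry, as the about box would report them."""
    return max(0, TRIAL_DAYS + GRACE_DAYS - (today - state["installed"]).days)
```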

Well .. that's all for now guys .. let me know if you have any comments: widya2011@hotmail.com

 

Copyright 1999, All Rights Reserved.

and leave S-ICE. Edit your fake license number (should be 11