*************************************************************************************************
                                         IconToy V3.1
*************************************************************************************************

Author:     Lighttek Software
Protection: Name / Serial
URL:        http://www.lighttek.com/files/icontoy.zip
Tools:      W32Dasm V8.93, Hex-Editor

---> Let's Begin...

Start the program and click on "?" at the top of the program; then we get the about box. Click on the second tab, which says "Registration". There we can enter a Registration Name and Code; enter anything you want and click on "Register!". You'll get a Message Box saying:

"Registration key error!"

Ok, remember this line or write it down on some paper and open up W32Dasm. Disassemble the file "icontoy.exe" and click on "Strn Ref" (String Data References). Now search for the line we found, double click on it, and we're here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485FAC (C)
|
* Possible StringData Ref from Code Obj -> "Registration key error!"
|
:00486076 B838614800       mov eax, 00486138
:0048607B E80080FCFF       call 0044E080

Notice the (C)onditional Jump from Address "00485FAC": that must be the choice between good and bad :) So trace a few lines up to that Address and you'll see this:

:00485F9B A104E94800       mov eax, dword ptr [0048E904]
:00485FA0 E8B3FCFFFF       call 00485C58                      <--- Check out this call
:00485FA5 803D00E9480001   cmp byte ptr [0048E900], 01
:00485FAC 0F85C4000000     jne 00486076                       <--- THIS IS THE PLACE!!!
:00485FB2 8D55F8           lea edx, dword ptr [ebp-08]
:00485FB5 8B45FC           mov eax, dword ptr [ebp-04]
:00485FB8 8B800C030000     mov eax, dword ptr [eax+0000030C]

Now we know the place to patch, but before we patch the program, check out the call. Double click on "call 00485C58" and press "Left"; now we're stepping into the call. If you trace a little bit down you'll notice a lot of compares: these are all serials.

If you want to check this out a little better, use SoftICE and break on "hmemcpy"; you'll see that it makes a value out of the serial number you've entered and just compares that value with these values :) If you want to know what serials are made out of these values, write a program of your own and use "wsprintfA" with the format "%d"; then you'll see the real serials :)

But anyway, get back to that JNE, double click on it and look at the bottom of the window. You'll see this:

@Offset 000853AC

Write down the Offset (or keep it in mind), close W32Dasm and open up a Hex-Editor. In your Hex-Editor open up the program (icontoy.exe) and go to that Address (000853AC). Then change it into this:

0F85C4000000 ---> 909090909090

I've just used NOPs; I could also let it jump a little bit, but why should I :)

Now when you've done all this and entered a fake Name and Serial you'll probably notice something: it says that you're registered now, so that's ok :) But the Registration tab isn't gone, hmm... maybe it doesn't go away until a restart, so close the program and start it again. Goddamnit, the Registration tab is still here, so it does another check :)

Ok, remember all those values it compares to? We're going to take a better look there, so fire up W32Dasm again (sorry if you closed it :) and go to the Address of all those compares (00485C6B). You'll see something like this:

cmp eax, xxxxxxxx
je 00485E2F
cmp eax, xxxxxxxx
je 00485E2F
...

When you've entered a correct serial, all those JE's jump to the Address 00485E2F. Now check out the last compare; it looks like this:

cmp eax, xxxxxxxx
jne 00485EAB

See, the last one jumps to another location and we fail :) So we're going to patch this JNE to NOP and every entered serial will work. Double click on the JNE and look down below; you'll see this:

@Offset 0008522D

Write it down on some paper (or keep it in mind), close W32Dasm and open up your Hex-Editor. Then go to that location and change it into this:

757C ---> 9090

Save it and start the program. You'll probably notice something when the program starts: it has no Registration tab anymore and we're already registered :) So it already checks the place with the compares when the program begins.

Ok, program patched !!!

If you have questions mail me at: code.inside@home.nl

---> Greetings

Everybody at TrickSoft, Everybody at FCC, Everybody in #Cracking4Newbies and YOU :)

Don't trust the Outside, trust the InSiDe !!!

Cya... CoDe_InSiDe



         8B03       mov eax, [ebx]
0049CE5F BA05000000 mov edx, 00000005 ; and this ?! .. sure it's our 5 days grace period
0049CE64 E86FA4FEFF call 004872D8
0049CE69 8B03       mov eax, [ebx]

.. we can make our trial period longer ! e.g :

mov edx, 00000001E CHANGE TO mov edx, 00FFFFFFF ; this will give us 268,435,455 days
mov edx, 000000005 CHANGE TO mov edx, 00FFFFFFF ; plus 268,435,455 days of grace period

so we'll have 536,870,910 days of trial period !! he he he, seems we'll enjoy the grace period in hell .. but let's continue our exciting trip 'coz this is not our target ..

0049CEA2 E875DFFEFF call 0048AE1C  ; step in here (F8)

we land here :

0048AE1C 53 push ebx
0048AE1D 8BD8 mov ebx, eax
0048AE1F 8BC3 mov eax, ebx
0048AE21 E87EACFFFF call 00485AA4
0048AE26 84C0 test al, al
0048AE28 7439 je 0048AE63 ; we should change this code
0048AE2A 8BC3 mov eax, ebx
0048AE2C E8D3A1FFFF call 00485004
0048AE31 84C0 test al, al ; AL=1 means we run sc98 for the first time
0048AE33 7407 je 0048AE3C
0048AE35 8BC3 mov eax, ebx
0048AE37 E8A8B1FFFF call 00485FE4 ; this call pops up the message "Thank you for trying .. bla bla"
0048AE3C 8BC3 mov eax, ebx
0048AE3E E829ADFFFF call 00485B6C
0048AE43 8BC3 mov eax, ebx
0048AE45 E8FEA3FFFF call 00485248
0048AE4A 84C0 test al, al
0048AE4C 7515 jne 0048AE63
0048AE4E 8BC3 mov eax, ebx
0048AE50 E86FB9FFFF call 004867C4
0048AE55 8BC3 mov eax, ebx
0048AE57 E8D0A6FFFF call 0048552C ; step in here (F8)

keep tracing until we reach this code :

0048566A 3BD8 cmp ebx, eax
0048566C 7D1A jge 00485688 ; if ebx >= eax then jump to 485688, else it pops up "The system clock
                            ; has been moved back .. bla bla bla"

0048AE5C 8BC3 mov eax, ebx
0048AE5E E849B1FFFF call 00485FAC ; step in here (F8) .. you'll see a routine to check the expiration date
0048AE63 5B pop ebx
0048AE64 C3 ret

we don't need that stupid routine right ?! .. let's fix it .. now fire up Hiew and make the following changes:

OFFSET   ORIGINAL BYTES   NEW BYTES
8A228    7439             EB79

Now push your system date 2 months forward and run the program .. does it expire ? NO ! .. now reset the system date back and run the program .. does the stupid message pop up ?! NO !! .. yep, sc98 has been updated !

Now let's make our work more perfect ! .. click on the about button and you should see :

This program is licensed to :

Shareware                                                 You have 4 days left to Evaluate
Unregistered evaluation copy

We don't want to see this ugly text .. do we ?! Double click on the text in SDR .. we should land here :

0048F20F 83B81801000000 cmp [eax+00000118], 00
0048F216 0F8588000000 jne 0048F2A4 ; we should change this code

* Possible StringData Ref from Code Obj ->"- Shareware -"


0048F21C BA34F34800 mov edx, 0048F334
0048F221 8B830C020000 mov eax, [ebx+0000020C]
0048F227 E88CB7F9FF call 0042A9B8

* Possible StringData Ref from Code Obj ->"Unregistered evaluation copy"

Fire up Hiew and make the following changes:

OFFSET   ORIGINAL BYTES   NEW BYTES
8E616    0F8588000000     0F8488000000

Now the ugly text has been removed ... let's make it licensed to 'someone' :

0048F2A4 A194F34900 mov eax, [0049F394]
0048F2A9 8B00 mov eax, [eax]
0048F2AB 8B9018010000 mov edx, [eax+00000118]
0048F2B1 8B830C020000 mov eax, [ebx+0000020C] ; we should change this code !
0048F2B7 E8FCB6F9FF call 0042A9B8
0048F2BC A194F34900 mov eax, [0049F394]
0048F2C1 8B00 mov eax, [eax]
0048F2C3 8B9020010000 mov edx, [eax+00000120]
0048F2C9 8B832C020000 mov eax, [ebx+0000022C] ; we should change this code !

Fire up Hiew and make the following changes:

OFFSET   ORIGINAL BYTES   NEW BYTES
8E6B1    8B830C020000     8B8018010000
8E6C9    8B832C020000     8B8020010000

He he he .. now it's just like a registered version !
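Every patch in both tutorials above comes down to a handful of bytes at a fixed file offset: a conditional jump turned into NOPs, a jne turned into a je, a je turned into an unconditional jmp, or a mov with a different source. As an added example that is not part of either tutorial, here is a small Python integrity check written from the defender's side: it records the original bytes at those branch sites (offsets and bytes are the ones the page lists) and reports whether an image still carries them, naming the instruction before and after so the nature of the change is visible. The opcode table, the `Site` type and the `check_sites` / `build_image` helpers are assumptions of this example; the executable itself is not read, a constructed zero-filled image with the original bytes planted at each site stands in for it.

```python
# Added example (not from the tutorials): tamper check over the byte patches
# this page documents. Offsets and original bytes are the ones the page gives;
# everything else (opcode table, Site, helpers, the constructed image) is
# assumed for the example.
from __future__ import annotations

from dataclasses import dataclass

# Minimal x86 opcode table, just enough to name the bytes that appear on the page.
OPCODES = {
    b"\x0f\x85": "jne rel32",
    b"\x0f\x84": "je rel32",
    b"\x75": "jne rel8",
    b"\x74": "je rel8",
    b"\xeb": "jmp rel8",
    b"\x90": "nop",
    b"\x8b": "mov r32, r/m32",
}


def mnemonic(code: bytes) -> str:
    """Name the instruction at the start of `code` (longest matching opcode prefix)."""
    for prefix in sorted(OPCODES, key=len, reverse=True):
        if code.startswith(prefix):
            return OPCODES[prefix]
    return "unknown"


@dataclass(frozen=True)
class Site:
    name: str
    offset: int       # file offset as shown by W32Dasm / Hiew on the page
    original: bytes   # bytes the unmodified executable carries at that offset


# Branch and load sites the page patches, with their original bytes.
SITES = [
    Site("icontoy registration jne", 0x853AC, bytes.fromhex("0F85C4000000")),
    Site("icontoy last-serial jne", 0x8522D, bytes.fromhex("757C")),
    Site("sc98 expiry je", 0x8A228, bytes.fromhex("7439")),
    Site("sc98 shareware-text jne", 0x8E616, bytes.fromhex("0F8588000000")),
    Site("sc98 licensee mov #1", 0x8E6B1, bytes.fromhex("8B830C020000")),
    Site("sc98 licensee mov #2", 0x8E6C9, bytes.fromhex("8B832C020000")),
]


def check_sites(image: bytes, sites=SITES) -> dict[str, str]:
    """Return {site name: verdict}: 'intact', 'truncated image', or a description of the change."""
    verdicts = {}
    for s in sites:
        found = bytes(image[s.offset:s.offset + len(s.original)])
        if len(found) < len(s.original):
            verdicts[s.name] = "truncated image"
        elif found == s.original:
            verdicts[s.name] = "intact"
        else:
            verdicts[s.name] = (
                f"patched: {s.original.hex().upper()} ({mnemonic(s.original)}) "
                f"-> {found.hex().upper()} ({mnemonic(found)})"
            )
    return verdicts


def build_image(patches: dict[int, bytes] | None = None) -> bytearray:
    """Constructed stand-in for the executable: zero-filled, original bytes planted at each site,
    then any given {offset: bytes} overrides applied (used only to simulate a modified copy)."""
    size = max(s.offset + len(s.original) for s in SITES)
    img = bytearray(size)
    for s in SITES:
        img[s.offset:s.offset + len(s.original)] = s.original
    for off, new in (patches or {}).items():
        img[off:off + len(new)] = new
    return img


if __name__ == "__main__":
    # Simulate a copy where two of the documented sites were changed and report on all of them.
    modified = build_image({0x853AC: bytes.fromhex("909090909090"),
                            0x8A228: bytes.fromhex("EB79")})
    for name, verdict in check_sites(modified).items():
        print(f"{name}: {verdict}")
```

For a real build the list of sites would be generated at release time from the linked binary (any branch that gates licensing or expiry is a candidate), and the check run against copies found in the field; the lesson the page illustrates is that a single conditional jump guarding a decision is two to six bytes of protection, so knowing exactly which bytes those are is the minimum a vendor needs to recognise a modified copy.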

Notes :

Most applications store their settings either in the system registry or in a configuration file (INI, DAT, CFG, etc) .. you can use some tools to help you find it, eg: Win32dasm (search in SDR), SoftIce (breaking on the CreateKey(A) function), Filemon (finding files used by the program), Regmon (finding which keys are used by the program), or RegCrawler (to search for a specific key in the registry).
Especially in time limit / run time limited cracking .. you could just delete the key / configuration file created by the program to get your trial period back ! (actually you only need to delete the value used as a date counter, but generally deleting them all won't do any harm 'coz the program will create them again)

Sc98 stores its settings in the system registry :

HKEY_LOCAL_MACHINE\Config\0001\.SCSecurity
HKEY_CURRENT_USER\Software\InforTech

simply delete these keys to get your 35 days back !

Well .. that's all for now guys .. let me know if you have any comment : widya2011@hotmail.com


Copyright © 1999, All Rights Reserved.
