#1 - 08-26-2003, 02:23 - MaRKuS-DJM (Cracker + Unpacker)
WIDI 2.7 Build 492/493

little problem with this... I've found the necessary bytes to turn the program into a fully registered version, but: it doesn't save!

look here:

:00401594 7408 je 0040159E
:00401596 8B0D082B5500 mov ecx, dword ptr [00552B08]
:0040159C EB05 jmp 004015A3

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401594(C)
|
:0040159E B92AB75200 mov ecx, 0052B72A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040159C(U)
|
:004015A3 51 push ecx
:004015A4 E8DBC50100 call 0041DB84 <<<<< call which checks name and serial
:004015A9 83C408 add esp, 00000008
:004015AC 85C0 test eax, eax
:004015AE 7407 je 004015B7 <<<<< this is the bad boy... i've nopped it and then the program was registered
:004015B0 B801000000 mov eax, 00000001
:004015B5 EB02 jmp 004015B9

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015AE(C)
|
:004015B7 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004015B5(U)
|
:004015B9 8B15102B5500 mov edx, dword ptr [00552B10]
:004015BF 8902 mov dword ptr [edx], eax
:004015C1 8B8B78030000 mov ecx, dword ptr [ebx+00000378]
:004015C7 8B83E8030000 mov eax, dword ptr [ebx+000003E8]
:004015CD 8B914C010000 mov edx, dword ptr [ecx+0000014C]
:004015D3 E8E4E60900 call 0049FCBC
:004015D8 E83F1C0000 call 0040321C

* Possible StringData Ref from Data Obj ->"SjDP!}!OKpz" <<<< don't understand this string...
|
:004015DD B82BB75200 mov eax, 0052B72B
:004015E2 BA142B5500 mov edx, 00552B14 <<<<< your name

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401601(C)
|
:004015E7 8A08 mov cl, byte ptr [eax]



I'm not a very good cracker and it would be nice if anyone could help me...

MaRKuS TH-DJM
#2 - 08-26-2003, 02:30 - dynio
The string is xor'ed almost for sure. You can try Hex Workshop to de-xor it.

Regards.
#3 - 08-26-2003, 02:38 - t0xic
Re: WIDI 2.7 Build 492/493

Quote:
Originally posted by MaRKuS-DJM
little problem with this... I've found the necessary bytes to turn the program into a fully registered version, but: it doesn't save!
Generally when you crack something and it looks good until you restart, there's simply another registration check on startup (and generally it's this check that really matters.. the other bytes you played with were nice since they probably tell the user "good boy" if they bother using the registration interface.. but the program could care less.)

Generally I would open up RegMon and FileMon (one, then the other...) and watch for any instances of the invalid username/key that you entered when you cracked it. Typically it'll be something like "RegKey" or "Key" or something to that effect. Set a filter that only shows the target you are working on, and then have the keyword highlighted.

Go back into your debugger and search for the string and set breakpoints on every instance. Run the program from your debugger (I use Olly for this type of work in most cases). It SHOULD break before you see any highlighting in RegMon/FileMon... after the first break, it's a good idea to trace OVER all the calls until you see highlighting... then when you see the code that caused the highlighting you can kill off all your other breakpoints.. and set a breakpoint on the code that reads the name/serial... since you were tracing over everything you'll likely need to restart the program and then trace INTO a call of some kind (where it does the dirty work of loading the serial into memory).. when you find the actual routine there is typically a bunch of other crap, and then a RETN.. after the return, you will be back outside the call, and on the other side you will typically encounter some kind of CMP/TEST and a conditional JMP (JZ/JNZ, etc)...

This is only one approach, but I find that it helps with a majority of programs.. I'm sure other people have better ways or different ways...

Good luck,

t0xic
#4 - 08-26-2003, 05:11 - MaRKuS-DJM (Cracker + Unpacker)
hm... everything works fine, only saving doesn't work (the only thing which matters)
maybe it's a software bug...
Yes, there are two strings, "User Name" and "Registration Code". They are called twice, writing to the registry and reading from the registry. After you have entered any name and serial you have to restart the program to check name and serial. After changing the bytes seen above the program says registered, save is enabled, but if you try to save a message box appears: "unknown error".
don't know why...

best regards,
MaRKuS TH-DJM
#5 - 08-26-2003, 06:33 - Squidge (Drunken Squirrel)
Maybe you should try and fake the registration routine to always return a good answer, rather than flipping jumps in the hope that one will give the "good boy" message. This is the method I prefer. Flipping jumps is bad as you don't know how many other calls to a registration check procedure there could be (or checks of a global variable for example, which is set inside the reg proc)
#6 - 08-26-2003, 15:59 - MaRKuS-DJM (Cracker + Unpacker)
I have found another way to get what "SjDP!}!OKpz" means... I think it's a blacklisted name. It means "RiCO | NJoy".
If you use this name, there are many errors, but the program runs registered... "access violation", and saving doesn't work.
I've read the official forum; there are many posts about "unknown error". And the answer: "Of course, it does not relate to you, but sometimes it happens with cracked WIDI versions." And if I try to debug to kill the window, Olly suddenly jumps to another place with an error... never had such a problem.

Last edited by MaRKuS-DJM; 08-26-2003 at 16:29.
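As an added example, not code from the thread or from the WIDI authors, the following Python shows why the obfuscation of that string offered no protection: comparing the two strings the thread gives, every byte of "SjDP!}!OKpz" is exactly one greater than the corresponding byte of "RiCO | NJoy", so a constant byte shift (not an XOR) recovers it. The +1 shift is an observation made here from those two strings; the function names, the recover_shift helper and the hashed-blacklist variant are constructed for illustration.

```python
import hashlib
from typing import Optional

# Both strings are taken from the thread: the form seen in the disassembly and
# the blacklisted name it was reported to decode to. The per-byte +1 relation
# between them is an observation made here, not something the thread states.
OBFUSCATED = "SjDP!}!OKpz"
BLACKLISTED_NAME = "RiCO | NJoy"


def shift_decode(s: str, shift: int = 1) -> str:
    """Undo a constant per-byte shift (each stored byte is plaintext + shift)."""
    return "".join(chr((ord(c) - shift) & 0xFF) for c in s)


def shift_encode(s: str, shift: int = 1) -> str:
    """The storing side: plaintext + shift per byte, i.e. what the binary carries."""
    return "".join(chr((ord(c) + shift) & 0xFF) for c in s)


def recover_shift(obfuscated: str, known_plain: str) -> Optional[int]:
    """Given one known plaintext, find the constant byte shift that explains the
    stored form. Returns None if no single shift fits every byte, which rules
    out this scheme and points at something else (a real XOR key, a cipher)."""
    if len(obfuscated) != len(known_plain):
        return None
    shifts = {(ord(o) - ord(p)) & 0xFF for o, p in zip(obfuscated, known_plain)}
    return shifts.pop() if len(shifts) == 1 else None


# Hardened form for the storing side: keep only a digest of each blacklisted
# name. The comparison still works, but the binary no longer contains a copy
# of the name that a one-line transform turns back into plaintext.
def name_digest(name: str) -> str:
    return hashlib.sha256(name.encode("utf-8")).hexdigest()


BLACKLIST_DIGESTS = {name_digest(BLACKLISTED_NAME)}


def is_blacklisted(name: str) -> bool:
    return name_digest(name) in BLACKLIST_DIGESTS


if __name__ == "__main__":
    print(shift_decode(OBFUSCATED))                      # RiCO | NJoy
    print(recover_shift(OBFUSCATED, BLACKLISTED_NAME))   # 1
    print(is_blacklisted(BLACKLISTED_NAME), is_blacklisted("someone else"))
```

The digest variant only hides the literal; as Squidge's reply in this thread points out, the comparison itself still runs on the client and a single flag or jump around it can be patched, so hiding the string is not a substitute for a check that does not trust the client.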
#7 - 08-26-2003, 18:52 - koncool
Replace the crypted string you found with something else in your hex editor and register with the blacklisted key. I've been using WIDI in the past, but it was a full copy.

Last edited by koncool; 08-26-2003 at 18:55.
#8 - 08-26-2003, 22:14 - alephz (VIP)
Re: WIDI 2.7 Build 492/493

Quote:
Originally posted by MaRKuS-DJM
I'm not a very good cracker and it would be nice if anyone could help me...
I was attracted by the topic. I think U wrote about "WIDI Recognition System 2.7 (WIN)"

h**p://audiosoft.fileburst.com/widi27.zip

MD5:
923648 2001-05-27 13:07:22 3D20C8787B0E2370227F145DDE67891C widi.exe

I played with it for a few minutes and think it is an easy target - just unpack UPX, load into IDA, and dword_54F0EC seems to be the registration flag (used about 12 times). Look more closely at it.

Anyway, sub_40D238 is used to read the Registry Keys (User Name, Registration Code etc).
#9 - 08-26-2003, 23:37 - alephz (VIP)
Re: Re: WIDI 2.7 Build 492/493

Quote:
Originally posted by alephz
I played with it for a few minutes and think it is an easy target - just unpack UPX, load into IDA, and dword_54F0EC seems to be the registration flag (used about 12 times). Look more closely at it.
Attached Files
File Type: rar a few code fragments.rar (6.0 KB, 20 views)
#10 - 08-27-2003, 00:04 - MaRKuS-DJM (Cracker + Unpacker)
alephz, you are right... the flag is called 11 times... value is 00B57BDC, but it still doesn't save... or I don't understand???
#11 - 08-27-2003, 13:50 - alephz (VIP)
Quote:
Originally posted by MaRKuS-DJM
the flag is called 11 times... value is 00B57BDC, but it still doesn't save
IMHO, it should be 1 (if registered). Also don't skip the dirty crash trick... just see the listings from my previous post. Hope it's all U need.

P.S.

Also I discovered it uses some encryption (not sure, may be RSA-like). The whole so-called "TWavReloadDialog" package is really a CryptoUnit. Play a bit with these constants to find more:

.text:004201D6 push 0AC368E28h
.text:004201ED push 779AD22Ah

.text:00420262 push 0AC368E28h
.text:004202A0 push 779AD22Ah

Anyway, U don't need to know about it until U wanna do a KG :-\


Last edited by alephz; 08-27-2003 at 19:14.
#12 - 08-27-2003, 19:15 - alephz (VIP)
Quote:
Originally posted by alephz
The whole so-called "TWavReloadDialog" package is really a CryptoUnit.
Attached Files
File Type: rar security.rar (5.9 KB, 16 views)