Software: Deep.Finesse.v1.6
URL: http://www.deepfinesse.com/
Cracker: Hambo/CORE
Author: Hambo/CORE
Coder: Hambo/CORE
Date: 2001-1-22 22:48
Note:
I have not written a tutorial for a long time. Recently I have had
a long holiday,
and this one is easy to crack, so let's do it. HAHA
1) Use "Load Exports" in SoftICE's Symbol Loader to load df_main.dll.
2) Enter "1234567890" as the Unlock Code, press Ctrl-D to enter SoftICE, and set: bpx df_main!mbedEntryPoint
3) Go back to the program and click the Unlock button.
4) SoftICE breaks at:
df_main!mbedEntryPoint
001B:01AC6580 MOV DWORD PTR [01ADFFF8],00000001
001B:01AC658A CALL 01AC1270
001B:01AC658F MOV EAX,[01CDAEF0]
001B:01AC6594 MOV ECX,EAX
001B:01AC6596 INC EAX
001B:01AC6597 TEST ECX,ECX
001B:01AC6599 MOV [01CDAEF0],EAX
001B:01AC659E JNZ 01AC65A5
001B:01AC65A0 CALL 01AC3010
001B:01AC65A5 MOV EDX,[01AD4060]
001B:01AC65AB PUSH EBX
001B:01AC65AC XOR EBX,EBX
001B:01AC65AE PUSH ESI
001B:01AC65AF MOV EAX,[EDX+0000071C]
001B:01AC65B5 MOV ESI,[ESP+0C]
<-- ESI points to "regvalida1234567890".
"regvalida" is the mask (prefix) of the entry point
it needs to look for,
and the following code searches for that
entry point.
001B:01AC65B9 CMP EAX,EBX
001B:01AC65BB PUSH EDI
001B:01AC65BC JZ 01AC65F2
001B:01AC65BE PUSH 09
001B:01AC65C0 PUSH 01AD4F78
001B:01AC65C5 PUSH ESI
001B:01AC65C6 CALL 01AD16B0
001B:01AC65CB ADD ESP,0C
001B:01AC65CE TEST EAX,EAX
001B:01AC65D0 JZ 01AC65F2
001B:01AC65D2 MOV EAX,[01AD4060]
001B:01AC65D7 MOV ECX,[EAX+0000071C]
001B:01AC65DD PUSH ECX
001B:01AC65DE CALL 01AC5630
001B:01AC65E3 MOV EDX,[01AD4060]
001B:01AC65E9 ADD ESP,04
001B:01AC65EC MOV [EDX+0000071C],EBX
001B:01AC65F2 PUSH 09
001B:01AC65F4 PUSH 01AD4F78
001B:01AC65F9 PUSH ESI
001B:01AC65FA CALL 01AD16B0
001B:01AC65FF ADD ESP,0C
001B:01AC6602 TEST EAX,EAX
001B:01AC6604 JNZ 01AC6631
..........................
001B:01AC6DE7 PUSH 09
001B:01AC6DE9 PUSH 01AD4DB8
<-- points to "regvalida"
001B:01AC6DEE PUSH ESI
<-- ESI points to "regvalida1234567890"
001B:01AC6DEF CALL 01AD16B0
<-- compares the first 9 characters of the two strings
001B:01AC6DF4 ADD ESP,0C
001B:01AC6DF7 TEST EAX,EAX
001B:01AC6DF9 JNZ 01AC6E37
001B:01AC6DFB ADD ESI,09
<-- ESI now points to the "1234567890" that you entered.
001B:01AC6DFE PUSH ESI
001B:01AC6DFF CALL 01AC9780
<-- generates the real unlock code from the serial number and compares it
with the unlock code that you entered
001B:01AC6E04 ADD ESP,04
001B:01AC6E07 TEST EAX,EAX
001B:01AC6E09 JZ 01AC6E21
001B:01AC6E0B PUSH 01AD4DB4
001B:01AC6E10 CALL 01AC1230
001B:01AC6E15 ADD ESP,04
001B:01AC6E18 CALL 01AC1270
001B:01AC6E1D POP EDI
001B:01AC6E1E POP ESI
001B:01AC6E1F POP EBX
001B:01AC6E20 RET
5) Step into CALL 01AC9780:
001B:01AC9780 PUSH ECX
001B:01AC9781 PUSH ESI
001B:01AC9782 MOV ESI,[ESP+0C]
001B:01AC9786 PUSH EDI
001B:01AC9787 XOR EDI,EDI
001B:01AC9789 MOV AL,[ESI]
001B:01AC978B MOV DWORD PTR [ESP+08],00000000
001B:01AC9793 TEST AL,AL
001B:01AC9795 JZ 01AC9821
====== Begin: convert the unlock-code string to an integer ======
001B:01AC979B MOVSX EAX,BYTE PTR [ESI]
001B:01AC979E PUSH EAX
001B:01AC979F CALL 01ACA6C4
001B:01AC97A4 ADD ESP,04
001B:01AC97A7 TEST EAX,EAX
001B:01AC97A9 JZ 01AC97C3
001B:01AC97AB MOV EAX,[ESP+08]
001B:01AC97AF INC EDI
001B:01AC97B0 MOVSX EDX,BYTE PTR [ESI]
001B:01AC97B3 LEA ECX,[EAX*4+EAX]
001B:01AC97B6 CMP EDI,09
001B:01AC97B9 LEA EAX,[ECX*2+EDX-30]
001B:01AC97BD MOV [ESP+08],EAX
001B:01AC97C1 JZ 01AC97D0
001B:01AC97C3 MOV AL,[ESI+01]
001B:01AC97C6 INC ESI
001B:01AC97C7 TEST AL,AL
001B:01AC97C9 JNZ 01AC979B
====== End: convert the unlock-code string to an integer ======
001B:01AC97CB CMP EDI,09
001B:01AC97CE JNZ 01AC9821
001B:01AC97D0 MOV ECX,[ESP+08]
<-- the unlock code that you entered (as an integer)
001B:01AC97D4 PUSH ECX
001B:01AC97D5 CALL 01AC93D0
<-- generates the real unlock code and compares it with the unlock code
that you entered.
====== Begin Call 01AC93D0 ======
001B:01AC93D0 MOV EAX,[01CDAFF8]
<-- serial number
001B:01AC93D5 XOR EDX,EDX
001B:01AC93D7 IMUL EAX,EAX,0004535F
SN * 0x4535F
001B:01AC93DD ADD EAX,466F9629
+ 0x466F9629
001B:01AC93E2 MOV ECX,3B9ACA00
001B:01AC93E7 DIV ECX
% 0x3B9ACA00 (remainder left in EDX)
001B:01AC93E9 CMP EDX,05F5E100
001B:01AC93EF JAE 01AC93F7
if >= 0x05F5E100 then jump
001B:01AC93F1 ADD EDX,05F5E100
else + 0x05F5E100
001B:01AC93F7 MOV ECX,[ESP+04]
<-- the unlock code that you entered
001B:01AC93FB XOR EAX,EAX
001B:01AC93FD CMP EDX,ECX
<-- EDX = the real unlock code
001B:01AC93FF SETZ AL
001B:01AC9402 RET
====== End Call 01AC93D0 ======
001B:01AC97DA ADD ESP,04
001B:01AC97DD TEST EAX,EAX
001B:01AC97DF JZ 01AC9821
001B:01AC97E1 MOV EDX,[ESP+08]
001B:01AC97E5 MOV EAX,[01CDAFFC]
001B:01AC97EA ADD EDX,3DFA81B8
001B:01AC97F0 PUSH 04
001B:01AC97F2 MOV [ESP+0C],EDX
001B:01AC97F6 LEA EDX,[ESP+0C]
001B:01AC97FA PUSH EDX
001B:01AC97FB PUSH 04
001B:01AC97FD PUSH 00
001B:01AC97FF PUSH 01AD562C
<-- points to "ident"
001B:01AC9804 PUSH EAX
001B:01AC9805 CALL [01AD3010]
<-- RegSetValueExA (stores the unlock-code value built above under "ident" in the Windows registry)
001B:01AC980B MOV ECX,[01CDAFFC]
001B:01AC9811 PUSH ECX
001B:01AC9812 CALL [01AD300C]
<-- RegCloseKey
001B:01AC9818 POP EDI
001B:01AC9819 MOV EAX,00000001
001B:01AC981E POP ESI
001B:01AC981F POP ECX
001B:01AC9820 RET
001B:01AC9821 POP EDI
001B:01AC9822 XOR EAX,EAX
001B:01AC9824 POP ESI
001B:01AC9825 POP ECX
001B:01AC9826 RET
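As an added illustration (not code from the tutorial or from Deep Finesse), here is a C transcription of the string-to-integer loop at 01AC979B-01AC97C9 and the digit-count check at 01AC97CB from step 5. It assumes the call to 01ACA6C4 is an isdigit-style test, which the disassembly does not confirm. It makes two details of the listing explicit: the pair LEA ECX,[EAX*4+EAX] / LEA EAX,[ECX*2+EDX-30] is just acc*10 + (ch - '0'), non-digit characters are skipped rather than rejected, and parsing stops after the ninth digit, so the "1234567890" entered in step 2 is actually checked as 123456789.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Transcription of the conversion loop in 01AC9780 (added example).
 * Returns 1 and stores the parsed value when exactly 9 digits were seen,
 * otherwise 0 (the JNZ 01AC9821 failure path).
 */
int parse_unlock_code(const char *s, uint32_t *out)
{
    uint32_t acc = 0;   /* [ESP+08], zeroed at 01AC978B */
    int ndigits = 0;    /* EDI, zeroed at 01AC9787 */

    for (; *s != '\0'; s++) {            /* MOV AL,[ESI] / TEST AL,AL loop */
        /* CALL 01ACA6C4: assumed to be an isdigit-style check */
        if (!isdigit((unsigned char)*s))
            continue;                    /* JZ 01AC97C3: skip, do not fail */
        ndigits++;                       /* INC EDI */
        /* LEA ECX,[EAX*4+EAX]; LEA EAX,[ECX*2+EDX-30]  ==  acc*10 + digit */
        acc = acc * 10u + (uint32_t)(*s - '0');
        if (ndigits == 9)                /* CMP EDI,09 / JZ 01AC97D0 */
            break;                       /* ninth digit: stop, ignore the rest */
    }

    if (ndigits != 9)                    /* CMP EDI,09 / JNZ 01AC9821 */
        return 0;
    *out = acc;
    return 1;
}

int main(void)
{
    /* constructed sample inputs */
    const char *samples[] = { "1234567890", "12-345-6789", "12345678", "" };
    for (int i = 0; i < 4; i++) {
        uint32_t v = 0;
        int ok = parse_unlock_code(samples[i], &v);
        printf("\"%s\" -> %s (%u)\n", samples[i], ok ? "9 digits" : "rejected", v);
    }
    return 0;
}
```

Only the parsed integer reaches the comparison at 01AC97D5; an analyst reading this kind of loop should expect the effective input to be the first nine digit characters of whatever was typed, which is why the separators in a code such as "12-345-6789" make no difference.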