I made a Serial Number Program, lets see if anyone can crack it

**dimava** · Sep 23rd, 2000, 09:36 PM

I made a Serial Number program, and I wanna see if anyone can crack it. Feel free to use any hex editors, decompliers, what ever you want. here's the url:

http://members.fortunecity.com/dimava/Serial.exe

Note: if an error comes up, please copy and paste the url into a new browser window

if you get it right a message box will come up with a secret password, so if you get the secret password, post it here.

I made this for a company, so unless someone cracks it, I'm not going to give out a serial number

BTW there is over 1550 diffrent serial numbers that are avalible

**HarryW** · Sep 23rd, 2000, 10:19 PM

Actually that's a point - know where I can get a simple hex editor? Don't think I've got one any more.

What do you mean when you say 1550 serials available? That how many combos or something?

**dimava** · Sep 23rd, 2000, 10:21 PM

yea, thats how many combos there are you can get one at download.com (thats where I got mine)

**dimava** · Sep 24th, 2000, 11:24 AM

corrcet, now please post the combination that you entered

**Yonatan** · Sep 24th, 2000, 12:07 PM

ABCDE ABCDE ABCDE ABCDE ABCDE

Oh, by the way, before entering the combination, I cracked your program and made it so that any combination works.

People:
Will you please stop asking me on ICQ how I cracked it? It's driving me crazy!

**dimava** · Sep 24th, 2000, 12:09 PM

That is not a valid Combination (which I programmed)

and what program did you use to change it and how?

**Yonatan** · Sep 24th, 2000, 12:51 PM

I cracked it!
What program did I use?
My own!

Code:

Option Explicit

' By changing just the constants and the two functions,
' this crack can be applied to many programs!

Const PathOfEXEToCrack = "C:\Windows\Desktop\"
Const NameOfEXEToCrack = "Serial.exe"
Const NameOfBackupEXE = "Backup.exe" ' Set to vbNullString to not back up
Const CrackDescription = "accepts any combination"

Function WhatToLookFor() As String
    ' For dimava's program:
    ' Looking for: jne 00406369
    ' EXE alias: 0F8501170000
    WhatToLookFor = Chr(&HF) & Chr(&H85) & Chr(&H1) & Chr(&H17) & Chr(&H0) & Chr(&H0)
End Function

Function WhatToReplaceItWith() As String
    ' For dimava's program:
    ' Replacing with: 6 nops
    ' EXE alias: 909090909090
    WhatToReplaceItWith = String(6, &H90)
End Function

Sub Main()
    Dim btFileNum As Byte, sFile As String, lPos As Long
    
    ' Check crack sizes
    If Not Len(WhatToLookFor) = Len(WhatToReplaceItWith) Then
        Call MsgBox("Error: Invalid crack sizes.", vbCritical)
        Exit Sub
    End If
    
    ' Back up, if needed
    If Not NameOfBackupEXE = vbNullString Then
        Call FileCopy(PathOfEXEToCrack & NameOfEXEToCrack, PathOfEXEToCrack & NameOfBackupEXE)
        Call MsgBox(NameOfEXEToCrack & " has been backed up." & vbCrLf & _
            "The original file was backed up, and is now called " & NameOfBackupEXE & ".", _
            vbExclamation)
    End If
    
    ' Read file
    btFileNum = FreeFile
    Open PathOfEXEToCrack & NameOfEXEToCrack For Binary As btFileNum
        sFile = Input(LOF(btFileNum), btFileNum)
    Close btFileNum
    
    ' Find item to crack in file
    lPos = InStr(sFile, WhatToLookFor)
    If lPos = 0 Then
        Call MsgBox("Error: Invalid data.", vbCritical)
        Exit Sub
    End If
    
    ' Crack it!
    Mid(sFile, lPos) = WhatToReplaceItWith
    
    ' Save the data to the file
    btFileNum = FreeFile
    Open PathOfEXEToCrack & NameOfEXEToCrack For Binary As btFileNum
        Put #btFileNum, , sFile
    Close btFileNum
    
    ' Finished
    Call MsgBox("Successfully cracked " & NameOfEXEToCrack & "!" & vbCrLf & _
        "Now, " & NameOfEXEToCrack & " " & CrackDescription & ".", vbInformation)
End Sub

Enjoy!

**dimava** · Sep 24th, 2000, 03:38 PM

when I tried it, it didn't work

**Yonatan** · Sep 24th, 2000, 03:53 PM

Aww

You'll get over it.

But the fact is I cracked it.

Sep 24th, 2000, 03:55 PM

It worked for me,
maybe your just stupid...

**dimava** · Sep 24th, 2000, 03:56 PM

is that all that you have to put on a forms code to get it to work? or do you need to call the produdures and stuff?

**Yonatan** · Sep 24th, 2000, 04:16 PM

No forms at all.
Make sure your project has nothing but a module in it, and then paste the code in the module.
Never seen Sub Main() before?

**kb244** · Sep 24th, 2000, 10:27 PM

Take my philosophy, in time nothing is uncrackable

**Dim** · Sep 25th, 2000, 12:32 AM

Sorry i just had to laught at 1337 dimava.

j/j man.

**Yonatan** · Sep 27th, 2000, 01:37 AM

First of all, I disassembled the program.

Feel free to use any hex editors, decompliers, what ever you want.

I noticed something like this in the assembly code:

Code:

mov ax,[the first textbox of the five]
add ax,[the second textbox]
jo <somewhere> ; this means, if overflow, jump to the error line <somewhere>
add ax,[the third]
jo <somewhere>
add ax,[the fourth]
jo <somewhere>
add ax,[the fifth]
jo <somewhere>
cmp ax,0019 ; compare ax to 19h
jne 00406369 ; if ax <> 19h, jump to 00406369
; (otherwise stay where you are!)

; code for "success" msgbox goes here
00406369:
; code for "wrong serial" msgbox goes here

Also, the code told me that the only jump to 00406369 was that jne line.
So that is the only place which could cause an "error" MsgBox.
According to the disassembler, the line jne 00406369 looked in the EXE like this: 0F 85 01 17 00 00
Now, I do not want to jump. If I disabled this jump, the error MsgBox could never be reached, but instead, it would show the success MsgBox either way.
So the solution is to replace it with nop (no-operation).
Now as you saw, jne 00406369 takes up 6 bytes of the EXE.
And the EXE alias for nop is 90. (1 byte)
So we have to put exactly 6 nop codes to skip the jump.

This is what the program does.

Here's how the serial-checking routine in the cracked serial.exe looks like.

Code:

mov ax,[the first textbox of the five]
add ax,[the second textbox]
jo <somewhere> ; this means, if overflow, jump to the error line <somewhere>
add ax,[the third]
jo <somewhere>
add ax,[the fourth]
jo <somewhere>
add ax,[the fifth]
jo <somewhere>
cmp ax,0019 ; compare ax to 19h
nop ;do nothing
nop ;do nothing
nop ;do nothing
nop ;do nothing
nop ;do nothing
nop ;do nothing
; Success MsgBox code goes here

00406369:
; Wrong Serial MsgBox code goes here
; But in the cracked EXE, it cannot be reached

Another solution would be to change it from jne to je. Then, wrong serials will give you the "correct" MsgBox, and correct serials will give you the "wrong" MsgBox.
But there's no reason, so let's not do it and say we did.

**FantastichenEin** · Sep 27th, 2000, 04:02 AM

For those that didn't know.
jne = Jump (if) Not Equal
je = Jump (if) Equal

Yonatan,
What does ax refer to?
Also what does 19h refer to?

What Dissassmbler do you use, I have used wdasm and softice but I prefer wdasm as it doesn't fettle your system like softice.

Cheers

**Yonatan** · Sep 27th, 2000, 06:57 AM

AX is the accumulating register.
In this code, it is the sum of five numbers.
The five numbers are generated from the TextBoxes in dimava's serial program. (I'm not sure about the connection between the text in the TextBox and the number generated)
With dimava's algorithm, if ax = 19h, then the serial number is valid.
I don't know why, I didn't dig into this.

The point is, skip this jump and the program is cracked!

I use wdasm - it is more fun!

**kovan** · Sep 27th, 2000, 07:21 AM

you guyz got way too much time on your hands (points to Yonatan)

**HarryW** · Sep 27th, 2000, 01:08 PM

Aha

Thanks for the explanation.

**kb244** · Sep 27th, 2000, 01:12 PM

It's a software cracker's dream tools, hehe.

Thread: I made a Serial Number Program, lets see if anyone can crack it

Thread Tools

Display

lol

Explanation to anyone who cares

Hi

too much time

Reverse Engerneering and Assembly

Posting Permissions