I have cracked a piece of Bulgarian software for Windows

I used OllyDbg.

The steps were:

  1. I wanted to attach to the “Start” button, but its caption was in Cyrillic, so I had to open a resource editor and change the text to Latin characters.
  2. I put a breakpoint on the Start button handler and on the button messages.
  3. I got the message “Good bye” from the program.
    NEVER put such messages in your program if you want it to survive longer. It is better to quit silently than to point the cracker to “Here, here, crack me, please”.
  4. I ran a Borland decompiler, checked the address where “Good bye” is referenced, and put a breakpoint there.
  5. Then I bypassed the “protection” by changing the JNZ to a JMP.
  6. I saved the executable to keep it in this stable state.

Then it was simple. The registration code was in memory. But how could I show it to the poor users? I decided to use the memory viewer and put some instructions there… not good, not nice. Then I had a plan. There was a button “Instructions for registration”, and I thought this was the perfect place to give the real registration instructions and show the code there :)

  1. Some googling on how to display a MessageBoxA, and I found this example here.
  2. Then I replaced the end of the “Instructions for registration” function with the following code (MessageBoxA is stdcall: the four arguments are pushed right to left and the callee cleans the stack, so no ADD ESP is needed after the CALL):

0047F903     A1 6C694800    MOV EAX,DWORD PTR DS:[48696C]    ; EAX = pointer to the first string
0047F908     6A 00          PUSH 0                           ; uType = MB_OK
0047F90A     50             PUSH EAX                         ; lpCaption
0047F90B     50             PUSH EAX                         ; lpText (same string as the caption)
0047F90C     6A 00          PUSH 0                           ; hWnd = NULL
0047F90E     E8 EF0DFD7D    CALL user32.MessageBoxA          ; E8 rel32: target = 0047F913 + 7DFD0DEF
0047F913     A1 70694800    MOV EAX,DWORD PTR DS:[486970]    ; second string, same sequence
0047F918     6A 00          PUSH 0
0047F91A     50             PUSH EAX
0047F91B     50             PUSH EAX
0047F91C     6A 00          PUSH 0
0047F91E     E8 DF0DFD7D    CALL user32.MessageBoxA
0047F923     A1 74694800    MOV EAX,DWORD PTR DS:[486974]    ; third string
0047F928     6A 00          PUSH 0
0047F92A     50             PUSH EAX
0047F92B     50             PUSH EAX
0047F92C     6A 00          PUSH 0
0047F92E     E8 CF0DFD7D    CALL user32.MessageBoxA
0047F933     A1 78694800    MOV EAX,DWORD PTR DS:[486978]    ; fourth string
0047F938     6A 00          PUSH 0
0047F93A     50             PUSH EAX
0047F93B     50             PUSH EAX
0047F93C     6A 00          PUSH 0
0047F93E     E8 BF0DFD7D    CALL user32.MessageBoxA
0047F943     90             NOP                              ; pad the rest of the old body
0047F944     90             NOP

NOPs continue up to the end of the function here...

0047FA39     90             NOP
0047FA3A     90             NOP
0047FA3B     90             NOP
0047FA3C     5E             POP ESI                          ; original epilogue, left untouched
0047FA3D     5B             POP EBX
0047FA3E     C3             RETN

Then save the patched file from OllyDbg (Copy to executable → All modifications → Save file).
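The two byte-level edits above (the JNZ → JMP flip in step 5 and the hand-assembled MessageBoxA sequence) can be reproduced outside the debugger. The following Python script is an added example written for this page, not the author's code: it re-encodes the 16-byte MessageBoxA block for each of the four string pointers from the listing, computes the E8 rel32 displacement the same way the CPU decodes it (target = address after the CALL + displacement), and checks that the result matches the bytes in the listing. The absolute address of user32.MessageBoxA, 0x7E450702, is not stated on the page; it is recovered by adding each CALL's displacement to the address of the following instruction, and all four CALLs agree on it. The JNZ patcher handles both encodings of JNZ, since the page does not say which one the program used.

```python
import struct

# Addresses taken from the OllyDbg listing on this page.
PATCH_START_VA = 0x0047F903                      # first patched instruction
PATCH_END_VA = 0x0047FA3C                        # POP ESI: original epilogue starts here
STRING_PTR_VAS = [0x0048696C, 0x00486970, 0x00486974, 0x00486978]
# Recovered from the listing: 0x0047F913 + 0x7DFD0DEF (and likewise for the other three CALLs).
MESSAGEBOXA_VA = 0x7E450702

# The four 16-byte blocks exactly as they appear in the listing, for self-checking.
LISTING_HEX = (
    "A16C6948006A0050506A00E8EF0DFD7D"
    "A1706948006A0050506A00E8DF0DFD7D"
    "A1746948006A0050506A00E8CF0DFD7D"
    "A1786948006A0050506A00E8BF0DFD7D"
)


def call_target(call_va, rel32):
    """E8 rel32 jumps to (address of the instruction after the 5-byte CALL) + rel32."""
    return (call_va + 5 + rel32) & 0xFFFFFFFF


def encode_messagebox_call(va, string_ptr_va, msgbox_va):
    """MOV EAX,[ptr]; PUSH 0; PUSH EAX; PUSH EAX; PUSH 0; CALL MessageBoxA  (16 bytes at `va`)."""
    code = bytearray()
    code += b"\xA1" + struct.pack("<I", string_ptr_va)   # MOV EAX, DWORD PTR DS:[imm32]
    code += b"\x6A\x00"                                   # PUSH 0     uType = MB_OK
    code += b"\x50"                                       # PUSH EAX   lpCaption
    code += b"\x50"                                       # PUSH EAX   lpText
    code += b"\x6A\x00"                                   # PUSH 0     hWnd = NULL
    call_va = va + len(code)
    rel32 = (msgbox_va - (call_va + 5)) & 0xFFFFFFFF      # relative to the end of the CALL
    code += b"\xE8" + struct.pack("<I", rel32)
    return bytes(code)


def build_patch(start_va, string_ptrs, msgbox_va, end_va):
    """Four MessageBoxA calls followed by NOPs up to the function epilogue at `end_va`."""
    code = bytearray()
    for ptr in string_ptrs:
        code += encode_messagebox_call(start_va + len(code), ptr, msgbox_va)
    code += b"\x90" * (end_va - (start_va + len(code)))
    return bytes(code)


def patch_matches_listing():
    """True if the re-encoded patch reproduces the bytes shown in the OllyDbg listing."""
    patch = build_patch(PATCH_START_VA, STRING_PTR_VAS, MESSAGEBOXA_VA, PATCH_END_VA)
    expected = bytes.fromhex(LISTING_HEX)
    return patch[:64] == expected and patch[64:] == b"\x90" * (313 - 64)


def jump_target(code, off):
    """Decode the target of a JNZ/JMP (rel8 or rel32) at buffer offset `off`."""
    op = code[off]
    if op in (0x75, 0xEB):                                # JNZ rel8 / JMP rel8
        return off + 2 + struct.unpack_from("<b", code, off + 1)[0]
    if op == 0xE9:                                        # JMP rel32
        return off + 5 + struct.unpack_from("<i", code, off + 1)[0]
    if op == 0x0F and code[off + 1] == 0x85:              # JNZ rel32
        return off + 6 + struct.unpack_from("<i", code, off + 2)[0]
    raise ValueError("no JNZ/JMP at offset %#x" % off)


def patch_jnz_to_jmp(code, off):
    """Step 5 of the write-up: make the jump unconditional while keeping its target."""
    if code[off] == 0x75:                                 # 75 rel8 -> EB rel8, same length
        code[off] = 0xEB
    elif code[off] == 0x0F and code[off + 1] == 0x85:     # 0F 85 rel32 (6 bytes) -> E9 rel32 (5) + NOP
        target = jump_target(code, off)
        struct.pack_into("<Bi", code, off, 0xE9, target - (off + 5))
        code[off + 5] = 0x90                              # keep the following instruction aligned
    else:
        raise ValueError("no JNZ at offset %#x" % off)
    return code


if __name__ == "__main__":
    print("patch reproduces listing:", patch_matches_listing())
    buf = bytearray(b"\x0F\x85\x10\x00\x00\x00\xCC")      # constructed: JNZ rel32 to +0x16
    patch_jnz_to_jmp(buf, 0)
    print("JMP target still", hex(jump_target(buf, 0)), buf.hex())
```

Two things worth noting about the patch itself. The CALLs are direct E8 calls to a hard-coded absolute address of MessageBoxA, so the patched binary only works where user32.dll (and the program) load at the same base as on the author's machine; on a system with ASLR the safer encoding is an indirect call through the program's import table (FF 15 [iat slot]). And the offsets in this script are offsets into a code buffer, not file offsets; when writing to the EXE on disk you need the section table to map the virtual address to a raw file offset, which is what OllyDbg's “Copy to executable” does for you.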

Final notes.

I am not happy with what I have done. I also write software and I know what it means to have someone crack your software. So I will publish the crack here, but you should find it yourself. It is a simple protection against the users who don’t want to pay :)