Author: yulongying
Statement: This article is only for cracking study, learning and exchange. If it is used for illegal commercial purposes, the responsibility is borne by the illegal user (it has nothing to do with me anyway).
Tools used: Process Monitor + OD (OllyDbg)
I have been reversing VB programs for the past few days, and it is really hard going, because I am still a newbie at reversing VB. A lot of the cracking process is guesswork. Yesterday I cracked a shareware program called "Mouse Click Genie V3.9.108"; today I cracked one called "Windows Swiss Army Knife". The principle is the same for both; only the algorithms differ:
When the program starts, it reads the registration code from the registry and checks it. If the registration code that was read fails the verification algorithm, the program runs as the unregistered version; if verification succeeds, it runs as the registered version. So even if you click the Register button after startup and enter a code, it does not help, because the code is verified again at the next startup. The crack only works once the verification itself is defeated.
Below I want to discuss a few points of the cracking process. It is not very detailed, because much of it is my own guessing. VB function parameters are rarely primitive types; most are some unknown struct, which is really painful for a newbie like me. Haha.
First, use Process Monitor to find where the program reads the registry at startup:
15:25:47.9078889 WindowsSAK.exe 1968 RegQueryValue HKCU\Software\WindowsSAK\CONFIG\SN SUCCESS Type: REG_SZ, Length: 72, Data: 123
The registration code is saved here: RegQueryValue HKCU\Software\WindowsSAK\CONFIG\SN
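As an added example (not part of the original post), here is a small Python parser for Process Monitor's CSV export that lists the registry values a given process successfully reads and splits the Detail column into type, length and data. The same filter is useful when reviewing what configuration a binary consults at startup. The CSV lines are constructed to match the Procmon line quoted above.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV).
# Column order follows Procmon's default export.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"15:25:47.9078889","WindowsSAK.exe","1968","RegQueryValue","HKCU\\Software\\WindowsSAK\\CONFIG\\SN","SUCCESS","Type: REG_SZ, Length: 72, Data: 123"
"15:25:47.9081234","WindowsSAK.exe","1968","RegQueryValue","HKCU\\Software\\WindowsSAK\\CONFIG\\Lang","NAME NOT FOUND",""
"15:25:48.0001111","explorer.exe","1204","RegQueryValue","HKCU\\Software\\Foo\\Bar","SUCCESS","Type: REG_DWORD, Length: 4, Data: 1"
"""

# Procmon's Detail text for a registry read: "Type: <t>, Length: <n>, Data: <d>"
# (Data is absent for some value types, so it is optional here).
DETAIL_RE = re.compile(r"Type:\s*(\S+),\s*Length:\s*(\d+)(?:,\s*Data:\s*(.*))?$")


def parse_detail(detail):
    """Split Procmon's Detail column into a dict with type, length and data."""
    m = DETAIL_RE.match(detail.strip())
    if not m:
        return None
    return {"type": m.group(1), "length": int(m.group(2)), "data": m.group(3) or ""}


def registry_reads(csv_text, process_name):
    """Return the successful RegQueryValue events of one process, oldest first."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Process Name"].lower() != process_name.lower():
            continue
        if row["Operation"] != "RegQueryValue" or row["Result"] != "SUCCESS":
            continue
        rec = {
            "time": row["Time of Day"],
            "pid": int(row["PID"]),
            "path": row["Path"],
            # last path component is the value name (e.g. "SN")
            "value": row["Path"].rsplit("\\", 1)[-1],
        }
        rec.update(parse_detail(row["Detail"]) or {"type": None, "length": None, "data": ""})
        out.append(rec)
    return out


if __name__ == "__main__":
    for rec in registry_reads(SAMPLE_CSV, "WindowsSAK.exe"):
        print(rec["time"], rec["path"], rec["type"], rec["length"], repr(rec["data"]))
```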
Then set conditional breakpoints on all of the RegQueryValue functions:
RegQueryValueExA RegQueryValueExW RegQueryValueW RegQueryValueA
For the ANSI versions, the condition is STRING [[esp+8]] = "SN"
For the Unicode versions, the condition is UNICODE [[esp+8]] = "SN"
With that, the breakpoint triggers:
0012FB78 004B4468 /CALL to RegQueryValueExA from WindowsS.004B4463
0012FB7C 00000104 |hKey = 104
0012FB80 0015CEF4 |ValueName = "SN"
0012FB84 00000000 |Reserved = NULL
0012FB88 0012FBB0 |pValueType = 0012FBB0
0012FB8C 0012FBAC |Buffer = 0012FBAC
0012FB90 0012FBFC \pBufSize = 0012FBFC
Then press Alt+F9 to return to the program's own code (user code):
004B445E  8B55 DC        mov edx, dword ptr ss:[ebp-24]
004B4461  50             push eax
004B4462  52             push edx
004B4463  E8 7CF4F5FF    call WindowsS.004138E4        ; registry read function
004B4468  8945 90        mov dword ptr ss:[ebp-70], eax ; Alt+F9 returns here. After some groping around I found that this layer does not seem to contain the key jump.
Going back up to the calling function, the key instruction is a comparison function:
0048AFE1  8D55 80        lea edx, dword ptr ss:[ebp-80]
0048AFE4  52             push edx                       ; /var18
0048AFE5  8D45 B0        lea eax, dword ptr ss:[ebp-50] ; |
0048AFE8  50             push eax                       ; |var28
0048AFE9  FF15 4C114000  call near dword ptr ds:[<&MSVBVM60.__>] ; key!!! string comparison
0048AFEF  8D4D E0        lea ecx, dword ptr ss:[ebp-20]
0048AFF2  8BF0           mov esi, eax                   ; eax = 0
0048AFF4  FFD3           call near ebx
0048AFF6  8D4D B0        lea ecx, dword ptr ss:[ebp-50]
0048AFF9  51             push ecx
The comparison returns 0, which means the two strings do not match.
So I wanted to change mov esi, eax to mov esi, 1, but that instruction is several bytes longer and would overwrite the following lea ecx, dword ptr ss:[ebp-50], so I changed it to lea esi, [eax+1] instead.
That way esi = 0 + 1 = 1. Do the experts have a better solution?
Save the file and run it; it now runs as the registered version.
The software is at http://www.exusoft.com/software/wsasetupsc.rar
While tracing you will also see the plaintext code in many places. Mine is:
0012F9F0 0015D42C UNICODE "cdf08c07044aee84a9ae02e46bc4f7f2"
It may differ on other machines, because I guess the user name is calculated from the MAC address.
It cannot be changed!
If anything here is wrong, please throw bricks at me (criticism is welcome). I am a newbie too, and being criticized helps me grow.