Today I cracked a construction program that runs on the AutoCAD platform. Through debugging and tracing I found that the software registers during installation and limits the number of installations.
Cracking process:
1. Registration takes place during installation, unlike the usual registration after installation.
2. The number of installations/registrations cannot exceed 15. Once it is greater than 15, the operation is rejected without any message.
Load the installer in OD (OllyDbg) and press F9 to run.
0041116B $ 55 push ebp ; program entry point
0041116C 8BEC mov ebp, esp
0041116E 6A FF push -1
00411170 68 705D4100 push Setup.00415D70
00411175 68 F8124100 push
0041117A 64: A1 000000> mov eax, dword ptr fs: 0
00411180 50 push eax
00411181 64: 8925 0000> mov dword ptr fs: 0, esp
00411188 83EC 68 sub esp, 68
0041118B 53 push ebx
0041118C 56 push esi
0041118D 57 push edi
0041118E 8965 E8 mov dword ptr ss: ebp-18, esp
00411191 33DB xor ebx, ebx
00411193 895D FC mov dword ptr ss: ebp-4, ebx
00411196 6A 02 push 2
00411198 FF15 7C44410> call dword ptr ds: <& MSVCRT. _ set_app _>; msvcrt. _ set_app_type
==================================================
1. Patch the installation-count check.
Tracing shows two key comparisons: the installation count is loaded into eax and compared with 0F (15), and the result decides the jump.
--------------------------------------------------
Original verification code 1:
004041FB 83F8 0F cmp eax, 0F ; allowed installations: 0F = 15
004041FE 0F8F 8104000> jg Setup.00404685 ; jump if greater (i.e. not less than or equal)
00404204 8D5424 28 lea edx, dword ptr ss: esp + 28
Modified verification code 1:
004041FB 83F8 10 cmp eax, 0F ; installation count less than 0F = 15
004041FE 0F84 8104000> je Setup.00404685 ; changed jg --> je
--------------------------------------------------
Original verification code 2:
00404B77 83F8 0F cmp eax, 0F
00404B7A 7E 49 jle short Setup.00404BC5 ; jump if less than or equal (i.e. not greater)
00404B7C 8DB7 0407000> lea esi, dword ptr ds: edi + 704
Modified verification code 2:
00404B77 83F8 10 cmp eax, 0F
00404B7A EB 49 jmp short Setup.00404BC5 ; changed jle --> jmp
==================================================
2. Tracing the registration-code algorithm.
With the installation-count check dealt with above, the registration-code algorithm can now be traced; otherwise tracing would no longer run after 15 installations.
Tracing shows that the program uses a floating-point algorithm, but the real registration code is assembled on the stack in four groups where it can be read directly, so I completely lost interest in tracing the algorithm and simply copied it from there.
--------------------------------------------------
00404D28 E8 FBBF0000 call
00404D2D 8D4C24 28 lea ecx, dword ptr ss: esp + 28 ; real registration code, sn1 = 8961
00404D31 C64424 40 09 mov byte ptr ss: esp + 40, 9
00404D36 E8 25BE0000 call
......
00404E34 E8 73BF0000 call
00404E39 8D4C24 28 lea ecx, dword ptr ss: esp + 28 ; real registration code, sn2 = 1154
00404E3D 885C24 40 mov byte ptr ss: esp + 40, bl
00404E41 E8 1ABD0000 call
......
00404F40 E8 67BE0000 call
00404F45 8D4C24 28 lea ecx, dword ptr ss: esp + 28 ; real registration code, sn3 = 4371
00404F49 885C24 40 mov byte ptr ss: esp + 40, bl
00404F4D E8 0EBC0000 call
......
0040504C E8 5BBD0000 call
00405051 8D4C24 28 lea ecx, dword ptr ss: esp + 28 ; real registration code, sn4 = 8050
00405055 885C24 40 mov byte ptr ss: esp + 40, bl
00405059 E8 02BB0000 call
Real registration code = sn1 + sn2 + sn3 + sn4 = 8961 1154 4371 8050 // the four groups are separated by spaces
==================================================
3. Memory keygen settings.
Breakpoint addresses: 00404D20 00404E39 00404F45 00405051
Hit count: 1
Instruction byte: 8D
Length: 4
Registration code: memory mode
Address: ESP
Offset: 28
Pointer: 1
Append at end: 1 space
==================================================
Cracking notes:
This software is well written and practical. The floating-point algorithm raises the difficulty of cracking, but leaving the real registration code identifiable on the stack is a huge vulnerability! I hope the software author can fix it.
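The weakness the closing note points at is that the checker rebuilds the genuine code in memory and then compares it with the input. As an added example (not the cracked product's code; only the four groups 8961 1154 4371 8050 are taken from the listing above, everything else is constructed), here is a Python sketch of that weak pattern beside a hardened verifier that ships only a salted digest, so the valid code is never materialised in the checker's memory:

```python
import hashlib
import hmac
import os

# Constructed sample code: the four groups copied from the writeup above.
ISSUED_CODE = "8961 1154 4371 8050"
ITERATIONS = 100_000


def derive_segments():
    """Stand-in for the installer's generator (constructed; the real one is
    a floating-point routine): it recomputes the genuine groups at check time."""
    return ["8961", "1154", "4371", "8050"]


def weak_check(user_input):
    """Weak pattern: rebuild the genuine code, then compare it with the input.
    The complete valid code is now a plain string in the checker's memory,
    which is exactly what the lea ecx, [esp+28] lines above expose."""
    real_code = " ".join(derive_segments())
    return user_input.strip() == real_code


def enrol(issued_code):
    """Vendor side, done once: derive a salted digest of the issued code.
    Only (salt, digest) ships with the product; the code and its generator do not."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", issued_code.encode(), salt, ITERATIONS)
    return salt, digest


def hardened_check(user_input, salt, digest):
    """Hardened pattern: digest the input and compare in constant time.
    A debugger watching the stack sees the digest of what the user typed,
    never the valid code itself."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", user_input.strip().encode(), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enrol(ISSUED_CODE)
    for attempt in (ISSUED_CODE, "0000 0000 0000 0000"):
        print(attempt, weak_check(attempt), hardened_check(attempt, salt, digest))
```

The digest only removes the readable code from memory; a purely client-side decision such as the cmp/jg install counter above can still be patched, so the final accept/reject branch needs a different protection than this example provides.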