Sept. 2001
"Mirc v5.81"
Win32 Program
Win32 Code Reversing
 
by Bengaly
 
 
Code Reversing For Beginners 
Program Details:
Program Name:Mirc v5.81
Program Type: Chat Utility
Program Location: [ here ]
Program Size: 1+MB         

 

Tools Required:
W32Dasm  - Win'95/98 Disassembler
Softice V4.X -  Debugger (Optional)
Hex Editor - Any
Level
Easy ( X )  Medium (   )  Hard (   )  Pro (   )
"The Better We read, the better We Crack, The Better you Crack, The Better you Teach "


 Cracking A Win32 Chat Utility
('Simple Protection, Simple Patch')
Written by Bengaly


Introduction

Welcome to mIRC, an Internet Relay Chat Client.

 mIRC attempts to provide a user-friendly interface for use with
 the Internet Relay Chat network. The IRC network is a virtual
 meeting place where people from all over the world can meet and
 talk.

 To IRC all you need to do is Connect to a server, Join a channel,
 and Chat!

About this protection

This program is registered by selecting the 'Help' button, then the 'Register...' button.
User name:
Registration:

If you want to use this software please buy it, it costs $25. The program is very good, please support it!

The Essay

Hello and welcome to my 31st tutorial.

mIRC is old-fashioned and hasn't changed even slightly.
There are a lot of mIRC tutorials out there, Cheyenne's tutorials etc.,
but I didn't make this tut because nobody had done this version or anything; actually
this tutorial was made because my ISP has killed my connection and the only unregistered application
I had installed was mIRC :-)
So I was bored and tried to reverse it and make it registered... why not? :-)
Actually I don't even know what the registered version offers us... maybe some cash to the author? :-)
Anyway, here begins the journey to reverse mIRC 5.81.
Thanks to +Sandman's techniques (yeah, I do love his tuts... sue me) I could imitate his way to crack this app.

First thing I did was to disassemble mIRC... well, we don't really need SoftICE unless you want
to check where the name/serial are in the code, no more (maybe to check the generated serial... dunno,
frankly I don't care, since we're gonna make this baby self-registered :-)). No need to spend time downloading
some keygen (AltaVista? ;-)) or even in mIRC itself... there are good places for keygens in channels, do a
search and be happy... but still time consuming :-) a 30k keygen :-) for 1 opcode changed in ½ second...
I still prefer the good old opcode changing, which will give you the same effect... Registered :-).
A good thing about mIRC is that it provides us a beautiful patch point, a clean one, fast and not dirty with
other opcodes :-).
I will check up 5.91 later, when my ISP brings back the internet :-(

Starting our mission... Load up mIRC, About, Register...
Enter anything, or even leave the text boxes blank, it doesn't matter. Press the OK button:
"Hmm,  your registration name and  number don't match"
Nice message, no? :-) I wonder why the mIRC author doesn't kill this messagebox,
I assume he saw a lot of cracks of his app, no? hehe :-)
Anyway, disassemble our target...
Sit back, drink something cold (Coca-Cola? :-)) I prefer it with ice...
OK, done disassembling... phew, took some time on my P1 :-(
Well, the String Data References list is pretty long and it's annoying to search for our message box there.
Clicking on 'Search-->Find Text' helps a lot: insert "Hmm" and click 'Find Next'
with the direction set to Down. OK, it takes a little time... waiting... waiting... ahh, found it. Phew, I thought it wasn't there :-)
Let's see what we have here:

-------------------------------------------------------------------------------------------------------------
*Possible Reference to string resource ID=01913: "Hmm, your registration name and  number don't match..."
                                                        |
:0049D971 6879070000            push 00000779
-------------------------------------------------------------------------------------------------------------

You would expect a conditional or unconditional jump landing on this message (W32Dasm marks those with a
"Referenced by a (U)nconditional or (C)onditional Jump" line above the push), but there isn't one... hm...
So let's back-trace: scroll up and look for the first JE/JNE we encounter. I found it at this address:
 
                PUSH    000543BD3h             ; Store name
                PUSH    0005437ECh             ; Store Serial
                CALL    LOC_0049D3C5           ; Call the check routine
                TEST    EAX,EAX                ; is EAX = 0 ?
:0049D877       JZ      LOC_0049D92D           ; Bad_Boy Message

We see the nice JZ that takes us to the message we found earlier.
So the real check happens inside CALL LOC_0049D3C5, and that call is the next place to look.
Let's examine it... hm... there is a lot of code. One good sign: it starts with PUSH EBP / MOV EBP,ESP,
a standard function prologue, so the two pointers pushed just before the CALL arrive as [EBP+08h] and [EBP+0Ch].
Anyway, let's see the code:
 
 
                PUSH    EBP
                MOV     EBP,ESP
                PUSH    EBX
                PUSH    ESI
                PUSH    EDI
                MOV     ESI,DWORD PTR [EBP+00Ch]   ; ESI = Serial
                MOV     EBX,DWORD PTR [EBP+008h]   ; EBX = Name
                PUSH    ESI                        ; push the pointer just loaded into ESI
                MOV     ESI,000554A00h             ; ESI = buffer address (the same one pushed again below)
;---------------------------------------------------------------------------------------------
                                Useless code here
;---------------------------------------------------------------------------------------------
                PUSH    000554B04h                 ; Save Name
                PUSH    000554A00h                 ; Save Serial
:0049D427       CALL    LOC_0049D2D2               ; Algo: checks the serial against the name
                TEST    EAX,EAX                    ; did you enter a good serial?
:0049D42E       JZ      LOC_0049D437               ; nope you didn't, go away Bad_Cracker
                MOV     EAX,000000001h             ; Good_Boy: return 1
                JMP     LOC_0049D4AB               ; jump to the Good message

Well, it seems we have found the treasure, haven't we? :-)
We have 2 choices here, and both will give us a registered version:
1. Enter the call at 0049D2D2, face the algo, and eventually work out how a valid serial is built (keygen).
2. Take the shortcut and change the JZ to JNZ, which gives us a clean, 100% working crack.

Hmm... my intuition takes me to the algo, but that's a waste of time :-) Still, I've got time, so I will
try to do a keygen later. I like shortcuts as well though, so let's change JZ->JNZ.
The JZ sits at 0049D42E (the CALL at 0049D427 is 5 bytes long and TEST EAX,EAX is 2), and in mirc32.exe that
virtual address maps to file offset 9CA2E. The bytes there are 74 07: 74 = JZ short, 07 = jump 7 bytes
forward, to 0049D437. Changing 74 to 75 makes it JNZ short with the same target.
Open your hex editor, load mirc32.exe into it (back it up first), go to offset 9CA2E and change 7407 -> 7507.
Save the file, and take your money back :-)
And remember, cracking is more than a crime, it's a survival trick ;-)
*No matter which name you enter, it will be accepted :-) as long as the serial fails the algo: with JNZ the
condition is inverted, so a name/serial pair the algo actually accepts is now the one that gets the "don't match"
box. If you want both cases accepted, overwrite 7407 with 9090 (two NOPs) instead, so the code always falls
through to MOV EAX,1.
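The tutorial jumps straight from the JZ at 0049D42E to file offset 9CA2E. The Python below is an editor's example added here, not code from the original tutorial or from mIRC: it reads the PE section table, maps the virtual address to a raw file offset, checks that the original 74 07 bytes are really there, and only then applies the patch. The mirc32.exe layout it assumes (PE32, ImageBase 0x400000, .text at RVA 0x1000 with raw offset 0x600) is an assumption chosen because it reproduces the tutorial's numbers; build_fake_pe() constructs a stand-in image with that layout rather than reading the real binary, so the whole thing runs offline.

```python
# Added example (not from the original tutorial, not mIRC's own code): map the JZ's
# virtual address to a file offset via the PE section table, check the original
# bytes, and apply the patch. Assumed layout for mirc32.exe (not stated on the
# page): PE32, ImageBase 0x400000, .text at RVA 0x1000 / raw offset 0x600, which is
# the layout that turns VA 0049D42E into offset 9CA2E. build_fake_pe() constructs
# a stand-in image with that layout so the example runs without the real binary.
import struct

IMAGE_BASE = 0x400000
JZ_VA = 0x0049D42E               # the JZ LOC_0049D437 right after TEST EAX,EAX
JZ_BYTES = bytes([0x74, 0x07])   # 74 07 = JZ short +7 (0049D430 + 7 = 0049D437)
JNZ_BYTES = bytes([0x75, 0x07])  # 75 07 = JNZ short +7, the tutorial's patch
NOP_BYTES = bytes([0x90, 0x90])  # 90 90 = NOP NOP, always fall through to MOV EAX,1


def parse_pe(data):
    """Return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...]) of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        hdr = opt + opt_size + i * 40
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image_base, sections, va):
    """Map a virtual address to the file offset holding its bytes."""
    rva = va - image_base
    for name, sva, vsize, raw_ptr, raw_size in sections:
        if sva <= rva < sva + max(vsize, raw_size):
            delta = rva - sva
            if delta >= raw_size:
                raise ValueError(f"{va:#x} is in the zero-filled tail of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def patch_jz(data, offset, replacement):
    """Overwrite the 2-byte JZ at offset; refuse unless the bytes really are 74 07."""
    found = bytes(data[offset:offset + 2])
    if found != JZ_BYTES:
        raise ValueError(f"expected {JZ_BYTES.hex()} at {offset:#x}, found {found.hex()}")
    out = bytearray(data)
    out[offset:offset + 2] = replacement
    return bytes(out)


def patch_state(data, offset):
    """'original', 'jnz', 'nop' or 'unknown' for the bytes at offset."""
    found = bytes(data[offset:offset + 2])
    return {JZ_BYTES: "original", JNZ_BYTES: "jnz", NOP_BYTES: "nop"}.get(found, "unknown")


def build_fake_pe(text_va=0x1000, text_raw=0x600):
    """Constructed stand-in for mirc32.exe: one .text section, 74 07 planted at JZ_VA."""
    target = JZ_VA - IMAGE_BASE - text_va + text_raw     # = 0x9CA2E
    raw_size = target + 0x10 - text_raw
    image = bytearray(text_raw + raw_size)
    image[:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x40)            # e_lfanew
    pe = 0x40
    image[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, 224-byte optional header, EXECUTABLE_IMAGE|32BIT
    struct.pack_into("<HHIIIHH", image, pe + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = pe + 24
    struct.pack_into("<H", image, opt, 0x10B)            # PE32 magic
    struct.pack_into("<I", image, opt + 28, IMAGE_BASE)  # ImageBase
    # section header: name, vsize, va, raw size, raw ptr, relocs, lines, nrel, nlines, flags
    struct.pack_into("<8sIIIIIIHHI", image, opt + 224, b".text", raw_size, text_va,
                     raw_size, text_raw, 0, 0, 0, 0, 0x60000020)
    image[target:target + 2] = JZ_BYTES
    return bytes(image)


def demo():
    """Find and patch the check in the constructed image; return (offset, patched)."""
    data = build_fake_pe()
    base, sections = parse_pe(data)
    offset = va_to_file_offset(base, sections, JZ_VA)
    return offset, patch_jz(data, offset, JNZ_BYTES)


if __name__ == "__main__":
    off, patched = demo()
    print(f"JZ at VA {JZ_VA:#x} -> file offset {off:#x}, now {patch_state(patched, off)}")
```

To use it on the real file, feed open("mirc32.exe", "rb").read() to parse_pe and va_to_file_offset instead of build_fake_pe(); if the bytes at the computed offset are not 74 07 (different build, already patched, wrong section layout) patch_jz refuses to write, which is the guard you want before touching any binary with a hex editor. Pass NOP_BYTES instead of JNZ_BYTES for the "accept everything" variant.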

Have Fun
 
Oh And..

Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.

If you're looking for cracks or serial numbers then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks, etc.

+SandMan...
 
Greetings

I would like to say thank you to all who have supported me, and helped me through my cracking days:
 
 

 +ORC
For his Great Essays And Skills
+SandMan
For his awesome Tutorials