cybercu1.htm Fastraq Post Server; a "best before" protection scheme
snippets
Back to the Snippets
Fastraq Post Server; a "best before" protection scheme
by Cybercurve


Here's a small essay written by a newbie and for newbies.

Protection type : 'best before'
There are some things (e.g. crossreferences) that make it look
like it's protected against cracking, but if that is so, it's a very
stupid way to protect a program: This program is cracked by only changing
4 bytes.

I cracked this and I've written an essay on how i did it. I'm a newbie, 
so I can't be sure it works, but i've tried to start it up with the computer 
clock set to many different dates, and used it a few times after i cracked it 
and it does seem to work. (of course with a invalid reg-code)

----- here starts the essay (a big word for this small piece of text) -------

Cracking FastRaq Postserver.

Target: 
Fastraq Post Server (version 0.7.5.20, post.exe = 2.336.768 bytes)
	Download from: http://www.fastraq.demon.co.uk/post	
Tools used:	
Wdasm 8.9 (free demo version will do)
	Download from: http://www.expage.com/page/w32dasm
Ultraedit (free demo version will do, any decent hexeditor will do)
	Download from: http://www.download.com.

NOTE: all numbers are hexadecimal

I'm in quit a busy period now, so cracking this program took
a few weeks, but I only worked a few hours on it, and believe
you can do it faster, but i started to try to crack this using
softice, which took a lot of time but got me nowhere (that's
propably my fault, certainly not softice's).

This is a very nice program to learn cracking on because they
give away free temporary-registration codes that expire in one
month. So there's no real need to crack this program, but that's
not the point. The point is that they tried to do some protection
(at least that's what i think it is), but as you will see, any newbie
cracker (like me) should be able to crack this without any problem,
and within two hours.

Let's start the work:

I tried to set breakpoints using Softice, but that got me nowhere.
If you installed the program and entered a temporay-registration code,
exit fastraq, start regedit.exe, search for the reg-code. You
should land in : HKEY_LOCAL_MACHINE\SOFTWARE\Fastraq\Post Server\0.93
Change the serial so it is invalid.
copy post.exe to post.wdm.
open post.wdm in wDasm.

Start Fastraq, it shows a messagebox "Register the Post Server"
containing "Please enter your registration number."
Goto Wdasm click on 'Refs'/'String data references' and scroll to
"Please enter your registration" Double click. Double click again.
There's only one location in the program where it appears (535EE1 
which is offset 1352E1 in post.exe). Question is, how does the program
get there? answer, look a few lines above, it comes there by a 
CONDITIONAL(could it be easier ?)-jump from 535FBF. go to there.
it says :
:00535FBF 0F8709FFFFFF ja 00535ECE
and it is offset 1353BF in post.wdm
Open post.exe in a hexeditor. goto 1353BF and change 0F87 into EB04.
(+Orc says that you shouldn't NOP some code out, and I advice you 
to use this simple 'jump ahead' solution to avoid nop's) and save.

Start Post.exe. It says "The evaluation period for this.." 
goto wDasm, do a string-reference search on that. you should
find the following two locations : 535427 and 53545C. on both locations
look a few lines above you should see something like:
	fcomp qword ptr [0057CDB0] 


snippets

Back to the Snippets