Phone Book Pro 97 v2.31.0 build 482
Vindicating the "blacklisted" Phrozen crew

by Silicon Surfer
(08 September 1997)

Courtesy of Fravia's page of reverse engineering

Well, here is what Silicon Surfer wrote to me:
I chose this one to document simply because there were so many references to Phrozen Crew and their members inside to crash their systems if they were to use those names. I found it fitting retribution to make the Registered To section read Phrozen Crew instead of Unregistered.
Target:   Phone Book Pro 97 v2.31.0 build 482 
Reason:   Found a request dated 09/04/97 asking for it in abc. 
Tools:    Hex Workshop v2.53   (see +HCU's project 1)
          W32Dasm v8.9         (see +HCU's project 0)
OK, first thing I like to do is get a String Data Reference list and  
read through it.  I found some 'interesting' references. 
" PLEASE REGISTER. Read "Register.txt""      ; Nag 
"42F6171D60EF25F30105090B066BA8"             ; Possible Code? 
"43EF2E2A67E144D42BE83FCA45"                 ; " " 
"6C87868FB19963B270AF69B954DE"               ; " " 
"72878A97155AC14CD84CC055"                   ; " " 
"Application has a CRC error!"              >; Hmm... CRC checking eh? 
"Application ID block not found!"            ; " " 
"Can not have more than "                   >; Sounds like some kinda limit 
"CREW"                                       ; Oh my, references to PC97! 
"MAD MAX!"                                   ; " " 
"MADMAX!"                                    ; " " 
"PHROZEN"                                    ; " " 
"Please register your phone book "           ; Nag 
"Registration code:"                         ; Self Explanatory 
"RegistrationCode"                           ; " " 
"SALTINE"                                    ; More PC97 
"Sex"                                        ; Just like the word! 
"The Application CRC is not calculated "     ; Bad CRC Results 
"This is an unregistered version, "         >; Direct from the main Nag  
"Unregistered Version"                       ; Nag 
"Unregistered"                              >; " " 
"USER NAME"                                  ; Self Explanatory 
"Username"                                   ; " " 
Let's test the proggie, see what needs to be done. 
First thing I notice: 
1) This damn thing is slow on entry!  CRC checking will do that.   
Maybe we should speed this up a little bit, but that will be later.   
2) Our first line in String References shows on the opening Nag Screen. 
3) Register.txt says:  
The registered version will remove the limit of 20 entries  
as well as the nag screen which we all dislike!  So, if you  
use it, register it!  
   So there are only 20 entries allowed. 
4) Changed system date to 2010 and the program still runs. 
Assignment, either crack password & CRC, or crack CRC & Nag Screen &  
20 entries.   
Let's start with the CRC checking... can't apply the crack if CRC fails!   
Here is the code from the reference to "Application has a CRC error!". 
* Referenced by a CALL at Address: 
:00456C14 53                      push ebx 
:00456C15 56                      push esi 
:00456C16 8BF0                    mov esi, eax 
:00456C18 C70580674D0000800000    mov dword ptr [004D6780], 00008000 
:00456C22 8BC6                    mov eax, esi 
:00456C24 E85BFFFFFF              call 00456B84        "Application ID block not found!" 
:00456C44 B8946C4500              mov eax, 00456C94 
:00456C49 E84AB9FEFF              call 00442598 
* Jump from Addresses:00456C2E(C), :00456C42(C) 
:00456C4E 83FBFE                  cmp ebx, FFFFFFFE    "Application has a CRC error!" 
:00456C53 B8BC6C4500              mov eax, 00456CBC 
:00456C58 E83BB9FEFF              call 00442598 
* Jump from Address:00456C51(C) 
:00456C5D 83FBFD                  cmp ebx, FFFFFFFD    "The Application CRC is not calculated 
:00456C62 B8046D4500              mov eax, 00456D04 
:00456C67 E82CB9FEFF              call 00442598 
:00456C6C A1E84F4D00              mov eax, dword ptr [004D4FE8] 
:00456C71 8B00                    mov eax, dword ptr [eax] 
:00456C73 E8F4BEFDFF              call 00432B6C 
* Jump from Address:00456C60(C) 
:00456C78 4B                      dec ebx 
:00456C79 740C                    je 00456C87 
:00456C7B A1E84F4D00              mov eax, dword ptr [004D4FE8] 
:00456C80 8B00                    mov eax, dword ptr [eax] 
:00456C82 E8E5BEFDFF              call 00432B6C 
* Jump from Address:00456C79(C) 
:00456C87 5E             pop esi 
:00456C88 5B             pop ebx 
:00456C89 C3             ret         "This copy of Phone" ;is registered 
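To make the listing above easier to read, here is an added example (my own C, not the program's code and not from the essay) of what a start-up integrity check of this shape looks like from the developer's side: an ID block that marks where the expected CRC is stored, a CRC-32 over the image with that field zeroed, and negative status codes handed back to the caller, which is the pattern the cmp ebx, -2 / cmp ebx, -3 tests suggest. The marker bytes, the field layout, the mapping of -1/-2/-3 to the three error strings and the sample image are all assumptions made for the example; the demo shows that a one-byte opcode change is enough to make such a check fail.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Status codes. Mapping the negative values to the three error strings
   in the listing is an assumption made for this example. */
enum {
    CRC_OK           =  0,
    CRC_NO_ID_BLOCK  = -1,   /* "Application ID block not found!" */
    CRC_MISMATCH     = -2,   /* "Application has a CRC error!" */
    CRC_NOT_COMPUTED = -3    /* "The Application CRC is not calculated" */
};

/* Hypothetical ID block: a 5-byte marker followed by a 4-byte
   little-endian CRC field that stays zero until the build step fills it. */
static const uint8_t ID_MARKER[5] = { 'I', 'D', 'B', 'L', 'K' };

/* Standard reflected CRC-32 (polynomial 0xEDB88320). Chainable: pass the
   previous return value as crc to continue over the next segment. */
uint32_t crc32_update(uint32_t crc, const uint8_t *data, size_t len)
{
    crc = ~crc;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

uint32_t crc32(const uint8_t *data, size_t len)
{
    return crc32_update(0, data, len);
}

/* Locate the marker; on success *field_off is the offset of the CRC field. */
static int find_id_block(const uint8_t *img, size_t len, size_t *field_off)
{
    for (size_t i = 0; i + sizeof ID_MARKER + 4 <= len; i++) {
        if (memcmp(img + i, ID_MARKER, sizeof ID_MARKER) == 0) {
            *field_off = i + sizeof ID_MARKER;
            return 1;
        }
    }
    return 0;
}

/* CRC of the whole image with the 4-byte CRC field treated as zeros, so the
   sealed value can live inside the very data it protects. */
static uint32_t image_crc(const uint8_t *img, size_t len, size_t field_off)
{
    static const uint8_t zeros[4] = { 0, 0, 0, 0 };
    uint32_t c = crc32_update(0, img, field_off);
    c = crc32_update(c, zeros, 4);
    return crc32_update(c, img + field_off + 4, len - field_off - 4);
}

/* Build-time step: write the CRC into the field. */
int seal_image(uint8_t *img, size_t len)
{
    size_t off;
    if (!find_id_block(img, len, &off))
        return CRC_NO_ID_BLOCK;
    uint32_t c = image_crc(img, len, off);
    for (int i = 0; i < 4; i++)
        img[off + i] = (uint8_t)(c >> (8 * i));
    return CRC_OK;
}

/* Run-time step: the check performed on start-up. */
int verify_image(const uint8_t *img, size_t len)
{
    size_t off;
    if (!find_id_block(img, len, &off))
        return CRC_NO_ID_BLOCK;
    uint32_t stored = 0;
    for (int i = 0; i < 4; i++)
        stored |= (uint32_t)img[off + i] << (8 * i);
    if (stored == 0)
        return CRC_NOT_COMPUTED;
    return image_crc(img, len, off) == stored ? CRC_OK : CRC_MISMATCH;
}

/* Constructed sample "image": filler, the ID block, then a code-like tail
   holding the conditional-jump and cmp byte patterns seen in the listing. */
static const uint8_t sample_image[] = {
    'M', 'Z', 0x90, 0x00,
    'I', 'D', 'B', 'L', 'K', 0x00, 0x00, 0x00, 0x00,
    0x0F, 0x84, 0xC7, 0x00, 0x00, 0x00,   /* je  rel32 */
    0x83, 0xFB, 0xFE                       /* cmp ebx, -2 */
};

/* Seal a copy, verify it, then flip one opcode byte and verify again.
   Returns 1 when the sealed copy passes and the altered copy is rejected. */
int demo_tamper_detected(void)
{
    uint8_t img[sizeof sample_image];
    memcpy(img, sample_image, sizeof img);
    if (verify_image(img, sizeof img) != CRC_NOT_COMPUTED) return 0;
    if (seal_image(img, sizeof img) != CRC_OK) return 0;
    if (verify_image(img, sizeof img) != CRC_OK) return 0;
    img[14] ^= 0x01;                        /* 0x84 -> 0x85: one-byte change */
    return verify_image(img, sizeof img) == CRC_MISMATCH;
}

int main(void)
{
    printf("crc32(\"123456789\") = %08X\n", crc32((const uint8_t *)"123456789", 9));
    printf("tamper detected: %s\n", demo_tamper_detected() ? "yes" : "no");
    return 0;
}
```

The check value for the ASCII string "123456789" (0xCBF43926) is the standard CRC-32 test vector, which is a quick way to confirm the routine matches what other tools compute. Note that the whole verdict rests on a single comparison and a single branch, which is exactly why the essay treats the CRC as the first obstacle rather than the last.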
:004BB9FD 6844BF4B00              push 004BBF44 
:004BBA02 8D4DF4                  lea ecx, dword ptr [ebp-0C] 
:004BBA05 A1D84E4D00              mov eax, dword ptr [004D4ED8] 
:004BBA0A 8B00                    mov eax, dword ptr [eax] 
:004BBA0C 8BD3                    mov edx, ebx 
:004BBA0E E8659FFDFF              call 00495978 
:004BBA13 FF75F4                  push [ebp-0C] 
-- cut to save space -- 
* Jump from Address:004BB9C1(C)       <<--- Check this call! 
:004BBA8E 8B0DE84F4D00            mov ecx, dword ptr [004D4FE8] 
:004BBA94 8B09                    mov ecx, dword ptr [ecx] 
:004BBA96 B201                    mov dl, 01 
:004BBA98 A1508F4700              mov eax, dword ptr [00478F50] 
:004BBA9D E87E20F7FF              call 0042DB20 
:004BBAA2 8B15B84E4D00            mov edx, dword ptr [004D4EB8] 
:004BBAA8 8902                    mov dword ptr [edx], eax 
:004BBAAA A1B84E4D00              mov eax, dword ptr [004D4EB8] 
:004BBAAF 8B00                    mov eax, dword ptr [eax] 
:004BBAB1 8B80DC010000            mov eax, dword ptr [eax+000001DC] 
:004BBAB7 BA9F400000              mov edx, 0000409F 
:004BBABC E88335F8FF              call 0043F044 
:004BBAC1 A1B84E4D00              mov eax, dword ptr [004D4EB8] 
:004BBAC6 8B00                    mov eax, dword ptr [eax] 
:004BBAC8 8B80DC010000            mov eax, dword ptr [eax+000001DC] 
:004BBACE 8B5024                  mov edx, dword ptr [eax+24] 
:004BBAD1 D1EA                    shr edx, 1 
:004BBAD3 8B0DB84E4D00            mov ecx, dword ptr [004D4EB8] 
:004BBAD9 E86635F8FF              call 0043F044 
:004BBADE A1B84E4D00              mov eax, dword ptr [004D4EB8] 
:004BBAE3 8B00                    mov eax, dword ptr [eax] 
:004BBAE5 8B80E0010000            mov eax, dword ptr [eax+000001E0] 
* StringData Ref from Code Obj ->"This is an unregistered version," 
                               ->"please consult "REGISTER.TXT" " 
                               ->"for more details." 
:004BBAEB BAA4BF4B00              mov edx, 004BBFA4 
Simple routine, do check, if match goto Nag, else continue as if
So we change: 
:004BB9C1 0F84C7000000            je 004BBA8E 
:004BB9C1 0F85C7000000            jne 004BBA8E 
Nag screen gone, only one more!!!  But wait, after further review of the  
program, it is COMPLETELY registered.  No more how to purchase, and about  
screen shows registered to UNREGISTERED.  Great!  So we skip the 20 entries  
and are home free.   
However, it seems Damien Rame doesn't like PhrozenC, and since 'Phrozen 
Crew' and  'Unregistered' have the same number of characters... (Evil 
Grin)... let us make one last change. 
Search for "UNREGISTERED" in the hex editor, and change it to Phrozen Crew.   
Crack done!   
  _________.__.____    .__                      
 /   _____/|__|    |   |__| ____  ____   ____   
 \_____  \ |  |    |   |  |/ ___\/  _ \ /    \  
 /        \|  |    |___|  \  \__(  
(c) Silicon Surfer, 1997. All rights reversed.