============================================================================
TITLE:
Icontoy v3.1
============================================================================
BEST VIEWED:
Notepad with word wrap enabled, and in restored window mode
============================================================================
TOOLS USED:
OllyDbg v1.09d(step 4)
Hiew 6.85
HexDecOctBin Converter v1.00
Brain (Preferably version human or above)
============================================================================
TARGET:
Icontoy.exe
============================================================================
LOCATION OF TOOLS AND PROGRAM:
http://www.grinders.withernsea.com/tools/odbg109d.rar
http://www.grinders.withernsea.com/tools/hiew685.rar
http://www.grinders.withernsea.com/tools/Icontoyv31.rar
http://www.grinders.withernsea.com/tools/HexDecOctBinv1.00.rar
============================================================================
WEBSITE:
http://cracking.accessroot.com/
============================================================================
CONTACT INFORMATION:
Msn Messenger - jammysa@hotmail.com
Icq# - 46313648
Email Address - Merlin@accessroot.com
============================================================================
TUTORIAL VERSION:
v1.0 Written 12th of December 2003
============================================================================
AUTHOR AND OTHER ALIASES:
Merlin

Nilrem2
Nilrem
Grimgnaw
Khulad
Khulad Illphukiir
(-~Merlin~-)
============================================================================
Lesson 1 - Finding a correct serial for Icontoy
First make a backup of Icontoy.exe
Load up Icontoy, click the 'R' (registration) icon, and type in any 'Registration name' and 'Registration code' you want. For the sake of this tutorial we'll use Merlin as the name and 77777777 (that's eight sevens) for the serial. Hit 'Register' and, as expected, we get the error message "Registration key error!". Write that down somewhere, or remember it, because that's what we'll use to begin our assault on the program.
Close Icontoy (the button on the bottom right of the application window) and fire up OllyDbg. Once in Olly, open Icontoy.exe by going to 'File -> Open'. First things first: once you've opened Icontoy.exe in Olly, right click and choose "Appearance -> Highlighting -> Jumps'n'calls" to make things a little clearer for us. Now we want to search for our error message, so right click and select 'Search for -> All referenced text strings'. In the new window that opens, scroll up to the top, select the top line, right click and choose 'Search for text'. Make sure that 'Entire scope' is unchecked, enter our error message "Registration key error!" (without the quotation marks) into the search field and hit Enter; you should land here:

Text strings referenced in ICONTOY:CODE, item 3502
 Address=00486076
 Disassembly=MOV EAX,ICONTOY.00486138
 Text string=ASCII "Registration key error!"

Hit enter again to follow in disassembler and you should land yourself here:

00486076   > B8 38614800    MOV EAX,ICONTOY.00486138                        ;  ASCII "Registration key error!"

If you scroll up, then you should see the following directly above where we landed:

00486074   . EB 0A          JMP SHORT ICONTOY.00486080

N.B. this is very significant: the instruction directly above the error message is an unconditional JMP to 00486080, so execution never falls through into the "Registration key error!" code. The only way to reach 00486076 is a jump from somewhere else, which means the failing serial check must end in a jump to this address. To find it, right click on our line and select 'Find references to -> Selected command'. Two entries are shown: the red one is our current position, the black one is the jump that leads to our bad error message. Double click the black one to follow it in the disassembler and you should land here:

00485FAC     0F85 C4000000  JNZ ICONTOY.00486076

Now scroll up a little. Just above where we landed you should see two very important things. Directly above the Jump if Not Equal (JNZ) is a compare (CMP) statement:

00485FA5   . 803D 00E94800 >CMP BYTE PTR DS:[48E900],1

This does not compare the serial itself: it compares a one-byte flag at 48E900 with 1. That flag is set by the CALL just above the CMP, and that call is where your serial is checked against the correct ones. "Correct ones? There's more than one?" I hear you ask. Yes there is, as Lesson 2 will show, and they are checked in the call statement just above the CMP:

00485FA0   . E8 B3FCFFFF    CALL ICONTOY.00485C58

Select this CALL and set a breakpoint on it (F2), then hit F9 to run the program under Olly. Work your way to the registration part of the program, enter Merlin as the 'Registration name' and 77777777 as the 'Registration key code', and hit 'Register'; Olly will break on the CALL. Now press F7 to step into the call, and you should land here:

00485C58  /$ 55             PUSH EBP

Hit F8 to single step through the code until you reach the following:

00485C6B  |. 3D 8CA6BA00    CMP EAX,0BAA68C

This compares EAX with the constant 0BAA68C. If you look at the registers pane in the top right of the Olly window, you can see that EAX holds the hex value 04A2CB71, which is 77777777 in decimal (our serial), and 0BAA68C converted to decimal is 12232332 (download HexDecOctBin v1.00 Converter from the link at the top of the tutorial to do the hex to decimal conversions). Nothing in this compare involves the name: the code we typed is simply checked against a fixed constant. Hit F9, click Icontoy back up and click OK on the error message, then go through the registration routine again with any 'Registration name' you want and 12232332 as the 'Registration code'. 8-) Congratulations cracker!
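The cross-reference step above, and the byte edits in Lessons 2 and 3, rest on how x86 encodes relative branches: the target is the address of the next instruction plus a signed displacement stored in the instruction. The following Python script is added here as an example and is not part of the original tutorial. It decodes the branches shown in the Olly listings on this page (the table of bytes is copied from those listings; the mnemonic spellings follow OllyDbg), reproduces what 'Find references to -> Selected command' reports for 00486076, and shows why Lesson 3's swap of 7C for EB keeps the jump target.

```python
import struct

# Branches from the OllyDbg listings in this tutorial, as (address, encoded bytes).
# Constructed table: only these few instructions, not a dump of Icontoy.
SAMPLES = [
    (0x00486074, "EB 0A"),                # Lesson 1: JMP SHORT above the error message
    (0x00485FAC, "0F 85 C4 00 00 00"),    # Lesson 1: JNZ near to the error message
    (0x00485FA0, "E8 B3 FC FF FF"),       # Lesson 1: CALL to the serial check
    (0x00485E2D, "75 7C"),                # Lesson 2: JNZ SHORT that gets NOPped
    (0x00402A32, "E8 F9 E7 FF FF"),       # Lesson 3: CALL to the GetSystemTime thunk
    (0x00488265, "7C 59"),                # Lesson 3: JL SHORT turned into JMP SHORT
    (0x0048A9FC, "E8 B7 D1 FB FF"),       # Lesson 3: CALL that gets NOPped out
]

# Condition codes in OllyDbg's spelling; 7x is the short form, 0F 8x the near form.
CC = ["JO", "JNO", "JB", "JNB", "JE", "JNZ", "JBE", "JA",
      "JS", "JNS", "JPE", "JPO", "JL", "JGE", "JLE", "JG"]


def decode_branch(addr, code):
    """Decode one relative jump/call at `addr`. Returns (mnemonic, length, target).
    The target is the address of the next instruction plus the signed displacement."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:              # 2-byte short forms, rel8
        rel, = struct.unpack_from("<b", code, 1)
        mnem = "JMP SHORT" if op == 0xEB else CC[op - 0x70] + " SHORT"
        return mnem, 2, (addr + 2 + rel) & 0xFFFFFFFF
    if op in (0xE8, 0xE9):                              # 5-byte CALL/JMP, rel32
        rel, = struct.unpack_from("<i", code, 1)
        return ("CALL" if op == 0xE8 else "JMP"), 5, (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:          # 6-byte near Jcc, rel32
        rel, = struct.unpack_from("<i", code, 2)
        return CC[code[1] - 0x80], 6, (addr + 6 + rel) & 0xFFFFFFFF
    raise ValueError(f"{addr:#010x}: {code.hex()} is not a relative branch")


def references_to(target, samples=SAMPLES):
    """What OllyDbg's 'Find references to -> Selected command' does for a branch target."""
    return [addr for addr, hexbytes in samples
            if decode_branch(addr, bytes.fromhex(hexbytes))[2] == target]


def force_jump(code):
    """Lesson 3's edit: swap a short Jcc opcode for EB and keep the displacement byte,
    so the target is unchanged and the instruction stays 2 bytes long."""
    if not 0x70 <= code[0] <= 0x7F:
        raise ValueError("only short conditional jumps are handled")
    return bytes([0xEB, code[1]])


def nop_out(code):
    """Lesson 2/3's edit: exactly as many NOPs (90) as the instruction had bytes,
    so nothing after it shifts."""
    return b"\x90" * len(code)


if __name__ == "__main__":
    for addr, hexbytes in SAMPLES:
        mnem, length, target = decode_branch(addr, bytes.fromhex(hexbytes))
        print(f"{addr:08X}  {hexbytes:<18} {mnem} {target:08X}")
    print("jumps to 00486076 come from:",
          [f"{a:08X}" for a in references_to(0x00486076)])
```

Running it lists every target next to its address; the targets agree with the ones Olly prints in the listings above, and the only reference to 00486076 is the JNZ at 00485FAC, which is the black entry in the references window.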
Remember, if you use the program then buy it; this tutorial was purely for educational purposes.
============================================================================
Lesson 2 - Patching Icontoy to accept any 'Registration name' and 'Registration code'
Do 'Lesson 1' before doing 'Lesson 2'.
You should be registered, so to become unregistered, instead of uninstalling and reinstalling, go to 'Start - Run' and type regedit, and click the plus next to 'HKEY_CURRENT_USER -> Software -> lighttek -> icontoy' then double click 02 and change its value to 1 and click 'OK', then 'Registry -> Exit'.
Now make sure Icontoy is loaded in Olly by hitting 'Ctrl+F2' (Restart the program in Olly).
Hit 'Alt+B' to view breakpoints; there should be one there, so double click it to follow it in the disassembler. If for some reason the breakpoint is no longer set, hit 'Ctrl+G' (Goto), type 00485FA0 and click 'OK'. Now, with the CALL selected, press Enter to follow the call, and you will be presented with the serial comparison routines. All the JE (Jump if Equal) commands lead to the same place; but where is the JNZ (Jump if Not Equal) that goes to the error path described in 'Lesson 1'? There must (hopefully) be one. Scroll down past all the JEs and you should come to:

00485E2D  |. 75 7C          JNZ SHORT ICONTOY.00485EAB

Select this line and press 'Ctrl+E' (edit command), then replace 75 7C with 90 90. 90 is the opcode for NOP (No Operation); overwriting instructions with it is commonly called NOPping. Two NOPs take up exactly the two bytes of the JNZ, so nothing after it shifts.
Now hit F9 to launch Icontoy, make your way to the registration page, and enter any 'Registration name' and 'Registration code' you want. However, edits made in Olly only change the copy of Icontoy in memory; the executable on disk is untouched.
To make the change to the Icontoy executable permanent we need a hex editor; we'll use Hiew. Open up Hiew and open the Icontoy executable from inside it. Things will look a little hairy, so hit F4 (Mode) and choose 'Decode', then hit F5 (Goto) and type a . followed by the JNZ address, i.e. ".00485E2D" (without the quotation marks); the "." prefix is the syntax Hiew uses to go to a virtual address rather than a raw file offset. Check that the bytes shown at that address really are 75 7C before you edit anything; if they are not, you are not at the right place. Before we hit F3 (Edit) we must go back to OllyDbg and choose 'Debug -> Close' from the menubar, otherwise Hiew would be in read-only mode because the file is still open in the debugger. Now go back to Hiew, hit F3, type 9090 over 757C, hit F9 (Update), and finally F10 (Quit). Congratulations cracker! 8-D
Remember, if you use the program then buy it; this tutorial was purely for educational purposes.
============================================================================
Lesson 3 - Patching Icontoy so our trial period never runs out.
Do 'Lesson 2' before 'Lesson 3'.
Make a backup of your backup, and name the new backup time_trial_crack (or something along those lines so you don't get mixed up), now open up the time_trial_crack in Olly.
Now what? Well, the program must get the system time and date through an API call, and the most common ones that do this are:
GetTimeZoneInformation
GetSystemTime
GetFileTime
GetLocalTime
We could check any of them, but we'll go for 'GetSystemTime'.
Right click in Olly and select, 'Search for -> Name (label) in current module'. Right click in the new window that has opened up and choose, 'Sort by -> Name' to make searching for commands easier, now scroll down until you find:

Names in COPY_OF_, item 182
 Address=0048F1CC
 Section=.idata
 Type=Import  (Known)
 Name=kernel32.GetSystemTime

Select this line and then press 'Enter' to 'Find references to import' and you should see the following:

References in COPY_OF_:CODE to kernel32.GetSystemTime
Address    Disassembly                               Comment
00401230   JMP DWORD PTR DS:[<&kernel32.GetSystemTi  DS:[0048F1CC]=89EACF48, (Thunk to KERNEL32.GetSystemTime)
00402A32   CALL <JMP.&kernel32.GetSystemTime>

Set a breakpoint on both of them by right clicking and selecting 'Set breakpoint on every command'. Now close that window and return to the main OllyDbg window. Then hit F9, and you should land at the breakpoint:

00402A32     E8 F9E7FFFF    CALL <JMP.&kernel32.GetSystemTime>       ; \GetSystemTime

Step through the code (F8) until you land here:

00488232   . B2 05          MOV DL,5

Now you can clearly see a few calls, basically what they do is do some calculations concerning our trial period, step through these (F8), all the way to here:

00488265     7C 59          JL SHORT COPY_OF_.004882C0

Here TEST EBP,EBP followed by JL (Jump if Lower) jumps to 004882C0 only when EBP is negative. If it is not, the jump is not taken and execution runs into the long routine just below, which isn't important for cracking the time trial protection.
So write down the address of this line, which is 00488265. Press 'Ctrl+F2' to restart the program in Olly (the JL has already executed on this run, so a change would only take effect after a reload), then press 'Ctrl+G' (Goto), type our JL address (00488265) and hit 'Enter'. Press 'Ctrl+E' (Edit): we want to change the 7C (JL) into an EB (JMP, an unconditional jump), so replace 7C 59 with EB 59. The displacement byte 59 stays the same, so whatever the flags say we will always jump to 004882C0.
Now set a breakpoint on the line just above where we just edited (set it one the line shown below):

00488263   . 85ED           TEST EBP,EBP

Hit F9 three times (because we have two previous breakpoints set), and you should land on our newly appointed breakpoint.
Press F8 twice and you should land here:

004882C0   > 5D             POP EBP                                  ;  006FFCB8

Keep pressing F8, stepping through the code until you land here:

004410EE   . 74 0A          JE SHORT COPY_OF_.004410FA

Now we don't yet know if this conditional jump is important, so just set a breakpoint (F2) on it for now (JE = Jump if Equal).

Continue stepping through the code (F8) until you land here:

00440DDF   . 74 0F          JE SHORT COPY_OF_.00440DF0

Once again, we do not know the importance and significance of this conditional jump, so like the one before it, set a breakpoint on it. (If you don't know how significant a piece of code is, it is good practice to set a breakpoint on it, in case you forget where it was.)

Once again keep stepping through the code, until you land yourself here (basically we're trying to find a piece of code (usually a call statement) that stops us from going into the main part of the program, and gives us an error message):

00447C10   . 75 1D          JNZ SHORT COPY_OF_.00447C2F

Another conditional jump, you know what to do (yes that's right set a breakpoint on it). Keep stepping through the code until you land here:

00447C21   . 74 0C          JE SHORT COPY_OF_.00447C2F

Do the same above until you land here:

0048A9FC     E8 B7D1FBFF    CALL COPY_OF_.00447BB8

Yup, we've found our call statement that gives us the error message "This copy of IconTOY... etc". So write down the address (0048A9FC) or remember it.

"What do we do now? I don't see any conditional jumps nearby!" You're right there isn't any nearby, so why don't we just NOP the call statement and see if it lets us in to Icontoy. (NOP = NO-Operation = 90) and we have 5 bytes (E8 B7 D1 FB FF) so let's try replacing them with 5 90s. So press 'Ctrl+F2', then hit 'Ctrl+G', and let's go to our JL statement first ("Why we changed that last time?" Yes but changes to the executable code in OllyDbg is only, temporary.), our JL statement address was 00488265, once there press 'Ctrl+E' and replace two bytes 7C 59 with EB 59. Then use the 'Goto' command and type in our call statement address which was 0048A9FC, and since we want to change all of the bytes to 90, we can just right click the line, and choose 'Binary -> Fill with NOPs'. Now keep pressing F9, OOOOOOOOH! And we're in! Once again, congratulations cracker! 8-D
Now make the changes permanent to time_trial_crack.exe (or whatever you called the backup of the backup) using Hiew, if you followed the other lessons above then you should know how to do it.
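The Hiew step in Lessons 2 and 3 done as a script, added here as an example (it is not part of the original tutorial): it parses the PE section table to map the virtual addresses Olly shows to file offsets, refuses to write unless the bytes Olly listed are exactly where expected (the check a careful patcher does by eye in Hiew), keeps every patch the same length as the instruction it replaces, and writes to a new file rather than over the backup. The toy PE it builds for its self-check is constructed here and is not Icontoy; its image base of 00400000 and its single section named CODE are assumptions chosen to match the addresses and section name in the listings above.

```python
import struct
import sys
from dataclasses import dataclass

# The three patches from Lessons 2 and 3: (virtual address, bytes Olly showed, replacement).
PATCHES = [
    (0x00485E2D, bytes.fromhex("757C"), bytes.fromhex("9090")),              # Lesson 2: JNZ SHORT -> NOP NOP
    (0x00488265, bytes.fromhex("7C59"), bytes.fromhex("EB59")),              # Lesson 3: JL SHORT -> JMP SHORT
    (0x0048A9FC, bytes.fromhex("E8B7D1FBFF"), bytes.fromhex("9090909090")),  # Lesson 3: CALL -> 5 x NOP
]


@dataclass
class Section:
    name: str
    va: int        # RVA at which the section is mapped
    raw_ptr: int   # file offset of its data
    raw_size: int  # bytes of data present in the file


def parse_pe(data):
    """Return (image_base, [Section]) from the PE headers; PE32 and PE32+ are handled."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe, = struct.unpack_from("<I", data, 0x3C)
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec, = struct.unpack_from("<H", data, pe + 6)
    optsize, = struct.unpack_from("<H", data, pe + 20)
    opt = pe + 24
    magic, = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:       # PE32: ImageBase is a DWORD at offset 28
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:     # PE32+: ImageBase is a QWORD at offset 24
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(nsec):
        off = opt + optsize + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        sections.append(Section(name, va, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(image_base, sections, va):
    """Map a virtual address (what OllyDbg shows, and Hiew's '.addr') to a file offset."""
    rva = va - image_base
    for s in sections:
        if s.va <= rva < s.va + s.raw_size:
            return s.raw_ptr + (rva - s.va)
    raise ValueError(f"{va:#010x} is not backed by data in the file")


def apply_patches(data, patches):
    """Return (patched image, [(va, file offset)]); refuse if the original bytes don't match."""
    image_base, sections = parse_pe(data)
    out = bytearray(data)
    applied = []
    for va, orig, new in patches:
        if len(orig) != len(new):
            raise ValueError(f"{va:#010x}: a patch must not change the instruction length")
        off = va_to_file_offset(image_base, sections, va)
        found = bytes(out[off:off + len(orig)])
        if found != orig:
            raise ValueError(f"{va:#010x}: expected {orig.hex()} but found {found.hex()} "
                             "(different build, or already patched)")
        out[off:off + len(new)] = new
        applied.append((va, off))
    return bytes(out), applied


def build_sample_pe():
    """Constructed toy PE32 (not Icontoy): image base 00400000, one CODE section at RVA 1000
    mapped from file offset 400, with the tutorial's original bytes planted at the patch VAs."""
    image_base, sec_va, raw_ptr, size = 0x400000, 0x1000, 0x400, 0x90000
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    pe = 0x80
    struct.pack_into("<I", hdr, 0x3C, pe)
    hdr[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, 0xE0-byte optional header, executable image
    struct.pack_into("<HHIIIHH", hdr, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = pe + 24
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    sec = opt + 0xE0
    hdr[sec:sec + 8] = b"CODE".ljust(8, b"\0")
    struct.pack_into("<IIII", hdr, sec + 8, size, sec_va, size, raw_ptr)
    body = bytearray(size)
    for va, orig, _ in PATCHES:
        off = va - image_base - sec_va
        body[off:off + len(orig)] = orig
    return bytes(hdr + body)


if __name__ == "__main__":
    # usage: patch.py <backup.exe> <patched.exe>; with no arguments it self-checks on the toy PE
    src = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_pe()
    patched, applied = apply_patches(src, PATCHES)
    for va, off in applied:
        print(f"patched VA {va:#010x} at file offset {off:#x}")
    if len(sys.argv) > 2:
        open(sys.argv[2], "wb").write(patched)
```

Running it a second time on the output fails on the first patch, because the bytes at 00485E2D are now 90 90 instead of 75 7C; that is the intended behaviour, and the same check would stop you applying these offsets to a different build of the program.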
Remember, if you use the program then buy it; this tutorial was purely for educational purposes.
============================================================================
SHOUTZ AND GREETZ:
Once again to Kyrstie! We've been going out 11 months today! Still going strong, to James Bentley, Weedy, anticrack.de, exetools.com/forum, dob2.com, Hoof Arted for inspiring me to write tutorials for OllyDbg, the creators of Icontoy, Hiew, and OllyDbg.
============================================================================