I have read this forum for some time.
At first, I would simply want a dongle emulator software to do the job,
but later on I found that almost everyone was saying that SHK cannot be broken....
Of course it is, based on my limited programming skills (I can just write some command prompt C++, PHP, VBA);
SoftICE and IDA just at a kindergarten level.
OK, after my BS, enough; here is my experience, just done today.
I have a software that uses Sentinel Pro. I have the real dongle, but I am stupid enough not to be able to clone it anyway..
Just so lucky that the newer software uses SHK.
I opened IDA again and looked at it.
Very simple to see an SFNTGetLicense.
Double-click twice (depends) and go back to where this fn is called... see the line below:
mov edx, offset aCannotFindAVal ; "Cannot find a lock."
OK OK, the lines above can be seen:
CODE:007698B3 mov esi, eax
CODE:007698B5 test esi, esi
CODE:007698B7 jz short loc_769900
Actually, I don't know if it jumps or not..
By my limited knowledge..
jz changed to jnz, 74 -> 75
Do similar for
"Query key failed"
and another message,
and the program can finally open....
BUT!!! ...
After several minutes, the program closed suddenly.
It is the same when I use a real dongle while using the software and unplug it.
So now I am working on another line to see what is wrong...
Hope this could help somebody, with luck, that the sw he wants is as weak as mine..
Double-click, then go back to the fn that calls it.
[ Please DO NOT reply to yourself. If you have information to add to your post then use the Edit button ]
After lots of trial and improvement..
I figured out something to share.
The program can be run, and seems OK for the first 90 seconds; after that, it closes.
So I tried to find "SetTimer" in the program..
Before that sentence, there are a few jumps (jz) pointing to the same location (after SetTimer),
so I think I may bypass the "enable of timer" by forcing the jz to jnz
(again, I don't know what the code is for jmp, so I simply reverse the code from 74 to 75 or vice versa...).
Now the program looks OK.
I will try it by tmr for the whole day, to see if something is wrong..
I changed 6 nos. jz to jnz, then the program is OK.
By using IDA Free
and Hex Edit (freeware as well).
Find the program.
No need for the dongle.
Use IDA to open it (wait for an hour).
In the "Names window", find SFNTGetLicense.
Go back to the fn that called it,
find something like "test esi, esi" before the "dongle not found" message,
reverse the jz <> jnz.
Do similar for SFNTQueryFeature, SFNTReadString.
Then find "SetTimer".
Look up a few lines (in my case..)
below, with a few lines:
CODE:0043D9C5 call KillTimer
CODE:0043D9CA mov esi, [ebx+30h]
CODE:0043D9CD test esi, esi
CODE:0043D9CF jz short loc_43DA11
CODE:0043D9D1 cmp byte ptr [ebx+40h], 0
CODE:0043D9D5 jz short loc_43DA11
CODE:0043D9D7 cmp word ptr [ebx+3Ah], 0
CODE:0043D9DC jz short loc_43DA11
CODE:0043D9DE push 0 ; lpTimerFunc
CODE:0043D9E0 push esi ; uElapse
CODE:0043D9E1 push 1 ; nIDEvent
CODE:0043D9E3 mov eax, [ebx+34h]
CODE:0043D9E6 push eax ; hWnd
CODE:0043D9E7 call SetTimer ;
CODE:0043D9EC test eax, eax
I simply changed the line in bold to jnz.
Lots of trials in there.
Everyone, you may find this useful.
Hope this would help ~
Last edited by Git : 05-17-2010 at 01:48 PM.
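As an added defender-side example, not code from this thread or from any vendor: the patches described above succeed because the result of the license call is consumed by a single conditional jump and nothing in the program verifies its own code bytes. A minimal integrity self-check hashes the protected code region and compares it against a digest recorded at build time, so a one-byte jz-to-jnz edit (74 to 75) is noticed before the program trusts the check. The sample bytes are constructed to match the instruction sequence quoted in the post (mov esi, eax / test esi, esi / jz short); the function names and the inline digest are assumptions for illustration.

```python
import hashlib
import hmac

# Constructed sample: the three instructions quoted in the thread, as x86
# machine code. 8B F0 = mov esi, eax; 85 F6 = test esi, esi; 74 47 = jz short
# (+0x47 from 0x7698B9 lands on loc_769900, matching the listing).
ORIGINAL_CODE = bytes.fromhex("8bf0" "85f6" "7447")
# Same region after the one-byte edit described in the post: jz (74) -> jnz (75).
PATCHED_CODE = bytes.fromhex("8bf0" "85f6" "7547")


def code_digest(code: bytes) -> str:
    """SHA-256 of a code region, hex encoded."""
    return hashlib.sha256(code).hexdigest()


# In a real build this value is computed at build time and stored (ideally
# signed) outside the region it covers; here it is computed inline so the
# example runs stand-alone.
EXPECTED_DIGEST = code_digest(ORIGINAL_CODE)


def integrity_ok(code: bytes, expected: str = EXPECTED_DIGEST) -> bool:
    """Return True only if the code region still hashes to the expected digest.

    compare_digest avoids leaking where the comparison diverged.
    """
    return hmac.compare_digest(code_digest(code), expected)


def changed_offsets(reference: bytes, candidate: bytes) -> list:
    """Offsets at which a candidate region differs from the reference copy.

    Useful in an incident write-up to show exactly which byte was touched.
    """
    if len(reference) != len(candidate):
        return [min(len(reference), len(candidate))]
    return [i for i, (a, b) in enumerate(zip(reference, candidate)) if a != b]


if __name__ == "__main__":
    print("original intact:", integrity_ok(ORIGINAL_CODE))   # True
    print("patched intact:", integrity_ok(PATCHED_CODE))     # False
    print("changed offsets:", changed_offsets(ORIGINAL_CODE, PATCHED_CODE))  # [4]
```

The check only helps if the stored digest and the code that evaluates it are themselves protected (for example, by verifying a signed hash rather than comparing against a constant that sits in the same patchable image), and if the result is acted on in more than one place rather than through a single jump.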
Thank you for sharing your experience here.
I will test your procedure. I have two softwares with SHK protection.
I did work one at 99%.
Nobody has said we can't crack SHK. It entirely depends on how the developer has implemented it. It can be anything from simple to almost impossible.
What we HAVE said on many occasions is that there is no free emulator.
As I have searched the forum a few times,
I know most of the answers out there were "no free emul."
So, I go back to where we are: reverse it!
And from the tutorial I read from Woodmann,
the weakest part, most of the time, comes from the implementation.
So, that is why I tried to do the crack myself.
To be honest, I had no experience before, and this is the first time I have done it successfully.
Hope everybody else finds this helpful to crack your own software.
I only needed to patch one instruction in SFNTGetLicense.
Four instructions for full options and to skip the error message about the protocol connection.
Now working with full options + no dongle.
Maybe I didn't stop it from querying..
So even if I stop it from quitting due to "fail getlicense",
I still need to do similar for SFNTQueryFeature, SFNTReadString.
Strange.. anyway it was my first time; so far these days, the sw runs great....
Beyond that, the sw I use has an older version (but still worth using) using Sentinel Pro (not any newer).
I just changed one byte, then it became dongle free!
So far I got
1 sw in SHK,
4 sw in Sentinel Pro,
all using IDA Pro Free + Hexedit only, no real dongle needed.
Help me too!
Help me sir, my email: firstname.lastname@example.org
I also have a soft protected by SHK. I use IDA and hexedit, but unsuccessfully. Thanks!