RadiAnt DICOM Viewer v2020.1.1 Cracking by Tonyweb – Part 1

RadiAnt is a PACS DICOM viewer for medical images designed to provide you with a unique experience.
With its intuitive interface and unrivaled performance, you’ll never look back.

<<< Homepage >>>
https://www.radiantviewer.com/
https://www.radiantviewer.com/products/radiant-dicom-viewer-standard/
<<< Download Link >>>
https://www.radiantviewer.com/files/RadiAnt-2020.1.1-Setup.exe

When entering a serial:

  • Routine starts at 0140B260 (so you can break right after hitting the ‘Next’ button)
  • Serial is retrieved at 0140B330 (API GetDlgItem)
  • Verification routine is called at 0140B357 (>> call 0148AC50)

I think the decision on whether the serial passed the routine is made right after, at 0140B360.

Also, there’s a HASH that’s probably a public key in the verification routine code. There might be some crypto inside. This routine looks a bit complicated to me for the moment; can anyone with the knowledge continue?

I’m willing to learn a little bit from this live example on how to keygen, maybe.

(Those VAs are from Olly with a base of 012A1000 instead of 401000. I changed the image base in IDA to match.)

Validation routine is precisely at your ‘0140B357’ (of course the exact address changes in different systems and/or runs because of ASLR).

The “issue” is that the application actually decrypts the serial/activation key (there’s in fact an embedded public key) and collects some bytes from it, so returning an “okay” result from the call isn’t enough, as you already verified. I haven’t had enough time to understand what that routine is actually decrypting from the serial, but in the meantime there’s a nice shortcut.

If you request a trial key online at
radiantviewer.com/trial

you can set AL to 0 at the following place to let the program consider the serial a permanent one.

00D75888 |. E8 E32DEAFF CALL 00C18670
00D7588D |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+0x8]
00D75890 |. 68 8C05ED00 PUSH 00ED058C ; UNICODE “Trial”
00D75895 |. 8B89 8C000000 MOV ECX,DWORD PTR DS:[ECX+0x8C]
00D7589B |. E8 8072EAFF CALL 00C1CB20
00D758A0 85C0 TEST EAX,EAX
00D758A2 |. 0F95C0 SETNE AL ; <- TRIAL INDICATOR (EBX+4C)
00D758A5 |. 8843 4C MOV BYTE PTR DS:[EBX+0x4C],AL
00D758A8 |. 8B06 MOV EAX,DWORD PTR DS:[ESI]
00D758AA |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+0x8]
00D758AD |. FF70 08 PUSH DWORD PTR DS:[EAX+0x8]
00D758B0 |. 8B89 8C000000 MOV ECX,DWORD PTR DS:[ECX+0x8C]
00D758B6 |. FF70 04 PUSH DWORD PTR DS:[EAX+0x4]
00D758B9 |. E8 B22DEAFF CALL 00C18670
00D758BE |. 8B4E 08 MOV ECX,DWORD PTR DS:[ESI+0x8]
00D758C1 |. 68 6805ED00 PUSH 00ED0568 ; UNICODE “EvTxt”
00D758C6 |. 8B89 8C000000 MOV ECX,DWORD PTR DS:[ECX+0x8C]

The serial will, of course, be very useful in understanding what the application expects to decrypt from it.

Best Regards,
Tony
