May 1998 |
"Edit Plus V1.4" (Cracked using the memory echo trick ) |
Win '95 PROGRAM Win Code Reversing |
|
by The Sandman |
|
|
Code Reversing For Beginners |
|
Program Details Program Name: editplus104.zip Program Type: Clipboard utility Program Location: Here or Here Program Size: 968K |
||
Tools Used: Softice 3.2 - Debugger W32Dasm V8.9 - Disassembler |
||
Rating |
Easy ( X ) Medium ( ) Hard ( ) Pro ( ) |
There is a crack, a crack in everything. That's how the light gets in. |
Clipmate V4.5 ( Cracked using the memory echo trick ) Written by The Sandman
Introduction |
"EditPlus is Internet-ready 32-bit text editor for
Windows 95/98 and Windows NT 4.0 or higher. It is not only a good replacement for
Notepad, but also it has much more powerful features for web-page authors and
programmers."
About this protection system |
User
Name :
Registration Key :
The registration code is based on what you type in for your name/handle, it is Case
sensitive, so entering The Sandman will produce a different
registration key than if you had typed in the sandman and the
resulting registration key appears to always contain a total of 17 characters.
Once registered, the program saves the registration info within your System Registry file,
at:
HKEY_LOCAL_MACHINE\SOFTWARE\ES-Computing\EditPlus\1
Creating these two entries:-
Install 93 00 00 00
License DB 89 29 18 F6 5D 01 5E
78 9C E3 0E C9 4D
CC 33 70 B2 B0 70 73 72 31 D1 75 74 74 B4
34 71 B6 30 03 00 80
08 07 FF
Some of these bytes might be different for you if these bytes
were generated from the registration key entered into Edit Plus.
The Essay |
EditPlus, while still cracked with this technique required
a little massaging of it's code to get it to work but nothing too drastic. Since
this was the first time I was faced with this particular situation of massaging the code
to make it do what I wanted it to do it's worth explaining the process from start to
finish in detail.
Right, run up EditPlus and go into the Registration screen,
via 'Help' then 'Enter Registration Key...". Type in a name or
handle and for the actual regkey just type an anything that comes to mind but DON'T
press the 'OK' button just yet.
We're going to first tell Softice to break on any requests to
use the MessageBoxA routine, so press 'CTRL-D' then type: bpx messageboxa
Since this is a 32-bit application it will be fair to say it
will use 32-bit system functions which messageboxa is, rather than it's 16-bit
counterparts like messagebox. The difference is the 'a' at the end of the function
name, the 'a' signifies that it is a 32-bit function.
Press x to leave Softice and now you press the 'OK'
button to have EditPlus check our registration key. Once Softice breaks, press the F11
key once. You should now be at this interesting piece of code:-
:00486527
8B4F1C
mov ecx, dword ptr [edi+1C]
:0048652A
8B55FC
mov edx, dword ptr [ebp-04]
:0048652D
FF750C
push [ebp+0C];Save Messagebox
parameters
:00486530
FF7278
push [edx+78];Save Messagebox
parameters
:00486533
FF7508
push [ebp+08];Save memory pointer to
;to the beggar off message
:00486536
51
push ecx Save Messagebox
parameters
:00486537
FF15FCFD4C00 Call dword
ptr [User32!MessageBoxa]
:0048653D
8BF8
mov edi, eax ;We land here
:0048653F
891E
mov dword ptr [esi], ebx
:00486541
837DF800
cmp dword ptr [ebp-08], 00000000
:00486545
740B
je 00486552
Before the 'Beggar off cracker' message
can be displayed the system function 'MessageBoxA' requires certain information to be
placed onto the 'Stack' (an area of memory reserved for
short-time passing of parameters to functions, which in this case for our MessageboxA
function) so that it knows how to display the messagebox when
it's shown on your screen. The kind of information required before the messagebox can be
shown is:-
What type of message box to use, how many
buttons (like 'ok','yes','no','cancel' it will have, what text to display within it and
what title the messagebox will have. The order of these parameters passed onto the
STACK is very important so we must maintain this same order when we start to massage the
code.
The bit we're interested in is the text that
will be displayed in this messagebox, in this case the 'Beggar off cracker' message. But
before we can start altering this section of code we must understand how it works,
so type bc * to clear away any breakpoints we may still have in Softice
then type bpx 0048652A then x to leave softice. We are going to get
Softice to break before the program generates our message box so we can see what
information is being passed to it. Once more we're back in the Edit Plus
Registration screen. Click the 'OK' button again and once again Softice breaks and
we're back in the Edit Plus code, only this time just before our 'Beggar off cracker' is
shown.
Right, Softice stops on this line:-
Lets see what the state of some of those registers are.
EBP = 72F304 *Address will be slightly different on your puter *
For our *crack* we need to check on the ebp register, to see if our 'real' serial no is close by..
So type: d ebp
Yep, our real serial number is close by, so if all we wanted was to grab the serial
number and use it to register the program with then that would be a lame thing to do,
especially when we can do much more here. While we are here try and work out the EXACT
memory location of the beginning of our our serial number, this is important because from
this address we can work out the displacement value for our ebp register for when the time
comes to use it.
Once you have the EXACT memory address of the serial number we now have to work out the
displacement value so that we can find this location every time the program is run,
regardless of where in memory the program is.
Example: Here's what I mean.
On my computer the memory location of the serial number was found at: 0072F418 and the
value in the ebp register was 0072F3D4. To get the displacement value all I did was
type:
? 72F418-ebp
Which gave me the answer of 44h. The question
mark tells Softice to work out the expression, in this case a simple subtraction (serial
No address) of one value from another (address of the ebp register). Hope this makes
sense?.
The next register we will look at is the ECX register,
because the program by passed the line:
:00486527 8B4F1C mov ecx, dword ptr [edi+1C]
when it jumped to this block of code.
OK, the Register ECX has been pre-loaded with the address
00000???, the question marks represent a three digit number that varies each time the
program is run. However, it will ALWAYS point a memory location that contains the
following three bytes: 00 00 03
Lets now dissect the what happens before the MessageBoxA routine is called:
Press F10 once, we have just executed this
instruction:- mov edx, dword ptr [ebp-04]
Register EDX has now been given a memory address 'pointed' to by our ebp register with a displacement of four
bytes. To understand this we can do the following:-
Type d ebp-4
Look in Softice's hex code window, can you see the first
four bytes, these four bytes
[38 20 4A 00] make up a memory address that the
MessageBoxA routine will use when it's asked to create the messagebox. These four
bytes are in stored in REVERSE ORDER, so to get the actual memory location
they represent we reverse this order so that they read: 004A2038, don't blame me for this
confusion, blame Intel!
Now press the F10 key once more..
We have just executed this instruction: push
[ebp+0C]
This instruction is now pushing onto the STACK a memory
location that the MessageBoxA function will read as a numerical value that represents what
type of Icon this messagebox will use when it display's our messagebox. We are not
concerned with what Icon is shown so lets proceed onto the next instruction. Press
the F10 key once more..
We have just executed this instruction: push [edx+78]
We can use the same procedure as before to find out what's being saved onto the STACK by typing d edx+78 then typing D followed by (in reverse order) the first four bytes shown in the hex code window. If you've done this properly you will see the text "Edit Plus"
This will be used for the Message Box's
Title.
Now press the F10 key once more.
We have just executed the following
instruction. push [ebp+08]
Our friend the ebp register
again, only this time using a displacement value of +8 bytes.
Lets type d ebp+8 and then using the four bytes shown
in the hex code window (make sure to reverse the order) type d ????????,
replace the question marks with the four bytes shown in the hex code window.. Example, if
you see the bytes 3C A7 B8 00 then you will need to type d 00B8A73C
Bingo!, we've found the instruction that 'point's to the
memory location of where our 'Beggar off cracker' text is located. So what do we do about
it.
Well what I did was to overwrite the instruction push [ebp+08] and replace it with:
LEA EAX,[EBP+44] which fitted in exactly. Notice I'm using the ebp register with our magical 44h displacement number, which we know
is where our serial number is.
If you try and run these sequence of
instructions by trying to enter a serial number into EditPlus then NO message box
will be shown!!. We can use Softice to go over these instructions before it hits the Call
User32!MessageBoxA and everything 'looks' ok, but we're STILL missing something before our
*crack* will work.. Can you *see* what's missing?.
:00486527
8B4F1C
mov ecx, dword ptr [edi+1C]
:0048652A
8B55FC
mov edx, dword ptr [ebp-04]
:0048652D
FF750C
push [ebp+0C];Save Messagebox
parameters
:00486530
FF7278
push [edx+78];Save Messagebox
parameters
:00486533
FF7508
lea eax,[ebp+44];eax =loc of Serial No
:00486536
51
push ecx ;Save Messagebox
parameters
:00486537
FF15FCFD4C00 Call dword
ptr [User32!MessageBoxa]
:0048653D
8BF8
mov edi, eax ;We land here
:0048653F
891E
mov dword ptr [esi], ebx
:00486541
837DF800
cmp dword ptr [ebp-08], 00000000
:00486545
740B
je 00486552
Yep, we haven't pushed the memory location of our serial number onto the STACK, so the
MessageBoxA function can't find it, so the MessageBoxA function gets aborted.
What we need to do is insert a PUSH EAX instruction before the Call [User32!MessageBoxA]
and that will cure this problem, but look, there's no room to insert this 1 byte
instruction. Wish I Knew more Assembler now, might then have found another Assembler
instruction that not only gets the memory location of our serial number but also push's
this value on the STACK in one go!.
Not wanting to give up there seemed only one more course of action left to me, and that
was to massage the code a little, so I checked what instructions got executed after
the call to the MessageBoxA routine and found that the cmp dword ptr [ebp-08], 00000000 instruction
always resulted in the je 00486552 being 'set' to jump. Hmm, in that case we can afford to 'lose' this
instruction and then change the je 00486552 to jmp 00486552 instead!.
Let's now re-write this section of code so
that it will always now show the 'real' serial number when we get it wrong:-
:0048652A
8B55FC
mov edx, dword ptr [ebp-04]
:0048652D
FF750C
push [ebp+0C]
:00486530
FF7278
push [edx+78]
:00486533
8D4544
lea eax,[ebp+44];eax =loc of Serial No
:00486536
50
push eax ;Save it to the stack
:00486537
51
push ecx
:00486538 FF15FCFD4C00
Call dword ptr [User32!MessageBoxA]
:0048653E
8BF8
mov edi, eax ;We land here
:00486540
891E
mov dword ptr [esi], ebx
:00486542
90
Nop ;fill in empty space
:00486543
90
Nop ;fill in empty space
:00486545
EB0B
jmp 00486552
Job Done.....
The 'Crack' |
00085910 83F80477 04804D0C 30E80AF5 0000B900
...w..M.0.......
00085920 00000085 FF74038B 4F1C8B55 FCFF750C .....t..O..U..u.
00085930 FF7278FF 750851FF 15FCFD4C 008BF889 .rx.u.Q....L....
00085940 1E837DF8 00740B6A 01FF75F8 FF157400
..}..t.j..u...t
Now REPLACE the following HIGHLIGHTED
bytes with:
00085910 83F80477 04804D0C 30E80AF5 0000B900
...w..M.0.......
00085920 00000085 FF74038B 4F1C8B55 FCFF750C
.....t..O..U..u.
00085930 FF72788D 45445051 FF15FCFD
4C008BF8 .rx.EDPQ....L...
00085940 891E9090 90EB0B6A 01FF75F8 FF157400 .......j..u...t.
Final Notes |
Fravia+ for providing possibly the greatest source of
Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh |
Essay
by: The Sandman
Page Created: 28th May 1998