There is a crack, a crack in everything. That's how the light gets in. |

"NJWIN v1.6 is designed to support any Windows program to display Chinese, Japanese and Korean characters under the standard Windows environment. All Chinese / Japanese / Korean (CJK) coding standards are supported in NJWIN, and coding can be switched on the fly from one coding to another depending on the document being viewed. The Internet is the fastest growing communication tool today. Therefore, many of NJWIN's features are added specifically for the Internet. As a result, NJWIN is the best Internet CJK viewer for browsing CJK Web pages, reading CJK news in UseNet newsgroups and reading CJK email messages. NJWIN is distributed as Shareware; permission is granted for anyone to distribute NJWIN free of charge by any media."

I won't tell you how many times I tried patching this program before the penny dropped that there had to be a reason why I kept losing this program from my hard disk. Good job I had plenty of cigarettes at hand; they helped steady my nerves during the crucial learning period..:) One last thing: this is a 16-bit program.

The program uses a Call 2E3C to execute a routine that does the actual deleting of the program itself from your hard drive, which I found by single-stepping through the code as it closed down. I found this by bpx'ing on the system function GetModuleFilename, then stepping through the code and noting what happened after each call instruction was executed. GetModuleFilename is a system function found in the KERNEL.DLL file, so make sure you have this line in your Winice.dat file if you wish to see Softice show you the symbols from this DLL file inside our target file:

EXP=C:\WINDOWS\SYSTEM\KERNEL.DLL

What this function does is return to the calling program (in this case NJ.EXE) the exact location on your hard drive where NJ.EXE can be found. My knowledge of this function is very scarce, but I had a good idea that this program would use it in order to delete itself if it found any changes to its code.

Having made sure that the Call 2E3C instruction was the one that did the actual deleting of our target program, it was then a matter of locating ALL further occurrences of this particular Call 2E3C instruction (there are a total of THREE locations) within the target program and testing which one of these call instructions gets called when the program finds out its code has been changed.

I could, if I wished, simply nop (90h) all three Calls to memory location 2E3C, which would mean the program never gets the opportunity to delete itself, but this *could* affect one or two registers which get used both before and after this instruction. Alternatively, I could patch ALL three memory locations so that the program 'skips' over these particular Calls. In the end I tested the program several times and found that only one of these calls actually gets used, and that patching just this one routine allowed the program to remain on my hard drive even after the program detected changes to its code.

Here is the location and the patch required to get this program to ignore any changes to its code:-
Location 1.

THE ORIGINAL CODE

:0001.467A 8B46EA        mov ax, [bp-16]
:0001.467D 8B56EC        mov dx, [bp-14]
:0001.4680 3946EE        cmp [bp-12], ax
:0001.4683 7505          jne 468A          ; 1st occurrence of program check
:0001.4685 3956F0        cmp [bp-10], dx
:0001.4688 740E          je 4698
:0001.468A 8D86EAFE      lea ax, [bp+FEEA]
:0001.468E 16            push ss
:0001.468F 50            push ax
:0001.4690 9A3C2E7842    call 0001.2E3C

OUR PATCHED CODE

:0001.467A 8B46EA        mov ax, [bp-16]
:0001.467D 8B56EC        mov dx, [bp-14]
:0001.4680 3946EE        cmp [bp-12], ax
:0001.4683 EB13          jmp 4698          ; Ignore changes to program code.
:0001.4685 3956F0        cmp [bp-10], dx
:0001.4688 740E          je 4698
:0001.468A 8D86EAFE      lea ax, [bp+FEEA]
:0001.468E 16            push ss
:0001.468F 50            push ax
:0001.4690 9A3C2E7842    call 0001.2E3C
Let's test this before going any further..

1. First, let's create a test copy of NJWIN.EXE; we will use this copy for our tests. Use the File Manager and copy NJWIN.EXE as NJ.EXE.
2. Start up your favorite Hex Editor and load in the NJ.EXE file. Remember, this is our test copy and NOT the original file.
   SEARCH FOR THE BYTES: 3946EE75053956
   THEN REPLACE HIGHLIGHTED BYTES: 3946EEEB133956
   Save the changes. The moment of truth has arrived.
3. Now start up NJ.EXE (remember, this is our test copy, so it doesn't matter if it gets deleted).
4. Now try and exit our target program. The program will detect the changes we have made to its code but should still leave the program on the hard drive...
5. Open up the File Manager and verify that our NJ.EXE is STILL on your hard disk..

The first part of our *crack* is now completed; we can now safely proceed to *crack* this program without fear of it disappearing from our hard disk...
PART TWO - "THE CRACK"
After a quick check in W32Dasm it's obvious from the MODULE IMPORT SECTION that this program does not use the System Registry file; instead it uses the NJWIN.INI file located in the C:\WINDOWS directory to hold all its settings and user registration details. No problem...

Fire up Softice using Ctrl-D and type bc * to clear away any breakpoints we may have made earlier in our previous cracking session, and now let's create a new Softice breakpoint. Type: bpx getprivateprofilestring

GetPrivateProfileString is a system function commonly used in Windoze 3.1 to store information in .INI files.. It's still used in Win'95, but programmers like to 'hide' their program's details in the System Registry file for added security. It's much easier to track a file on your hard disk than to search through thousands of entries in a complicated-looking Registry file.. Haven't they heard of Regmon *grin*..

Now start up NJ.EXE. Softice will almost straight away halt at the start of the GetPrivateProfileString function, in which case just press x to let the program continue on.. You will need to keep doing this many times UNTIL you get here:-
:0001.3C99 16            push ss
:0001.3C9A 50            push ax
:0001.3C9B 9AC26ADA3C    call 0001.6AC2
:0001.3CA0 83C40C        add sp, 000C
:0001.3CA3 48            dec ax
:0001.3CA4 7505          jne 3CAB                 ; Jump if NOT registered
:0001.3CA6 C6061A0601    mov byte ptr [061A], 01  ; Else set the 'Reg' flag by placing
                                                  ; a '1' at memory location [061A]
Notice we have a jne 3CAB instruction: this jump is taken if the program couldn't find the registration code in NJWIN.INI; otherwise the program places a value of '1' in memory location [061A] to signal to the rest of the program that this software is registered. Our first instinct here is to Nop (90h) out this jne instruction, but if we go back to our 'Dead Listing' and perform a search for any memory references relating to [061A] then we find this:-
:0001.3D31 0BD0          or dx, ax
:0001.3D33 750B          jne 3D40
:0001.3D35 32C0          xor al, al               ; Make al register = 00
:0001.3D37 A21A06        mov byte ptr [061A], al
:0001.3D3A A21B06        mov byte ptr [061B], al
:0001.3D3D EB0D          jmp 3D4C
Can you see what's happening here?.. The program is placing a '0' into our memory locations [061A] AND [061B], which tells the program it has NOT been registered!. To *crack* this program we need to REVERSE this process and make it place a value of '1' instead into these two memory locations..

Here's our patch then...
:0001.3D31 0BD0          or dx, ax
:0001.3D33 750B          jne 3D40
:0001.3D35 B001          mov al, 1                ; Make al register = 01
:0001.3D37 A21A06        mov byte ptr [061A], al
:0001.3D3A A21B06        mov byte ptr [061B], al
:0001.3D3D EB0D          jmp 3D4C
By changing the xor al,al instruction into mov al,1 we are now placing a '1' into these two memory locations instead of a '0'!

In order to make our *crack* permanent all you need to do is load NJ.EXE into your favorite Hex Editor and then:-
SEARCH for the bytes: 0BD0750B32C0A2
Then REPLACE HIGHLIGHTED bytes: 0BD0750BB001A2

Now test this crack out and when you're satisfied you can use this copy of the program instead of the original NJWIN.EXE, which we kept as a backup should any of the patches fail to work.

Job Done.
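As an added check (example code written for this page, not from the essay or from NJWIN), the script below decodes the 8086 short-jump bytes quoted in both listings above and confirms why the patches are consistent: the jne at 4683 (7505) becomes a jmp (EB13) that lands on the same 4698 the je at 4688 already targets, and each hex-editor search/replace pair changes exactly two bytes without shifting anything after them. The addresses and byte strings are the ones quoted in the essay; the function names are my own.

```python
# Added example: decode the short jumps quoted in the essay and verify each patch.
# Addresses are the 0001.xxxx offsets from the listings; hex strings are the
# search/replace pairs the essay gives for the hex editor.

SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}  # the three opcodes used above


def decode_short_jump(offset: int, code: bytes) -> tuple[str, int]:
    """Decode a two-byte short jump at `offset`; return (mnemonic, target).

    rel8 is a signed byte relative to the *next* instruction, which is why
    jne at 4683 with rel8=05 lands at 4685+5 = 468A.
    """
    opcode, rel8 = code[0], code[1]
    if opcode not in SHORT_JUMPS:
        raise ValueError(f"not a short jump opcode: {opcode:02X}")
    if rel8 >= 0x80:  # sign-extend the 8-bit displacement
        rel8 -= 0x100
    return SHORT_JUMPS[opcode], (offset + 2 + rel8) & 0xFFFF


def patch_diff(original_hex: str, patched_hex: str) -> list[tuple[int, int, int]]:
    """Return (index, old_byte, new_byte) for every byte a search/replace changes.

    Both strings must be the same length: an in-place overwrite never moves the
    bytes that follow, which is what keeps the surrounding code valid.
    """
    orig, new = bytes.fromhex(original_hex), bytes.fromhex(patched_hex)
    if len(orig) != len(new):
        raise ValueError("search and replace strings must be the same length")
    return [(i, o, n) for i, (o, n) in enumerate(zip(orig, new)) if o != n]


def check_self_delete_patch() -> dict:
    """Location 1: jne 468A becomes jmp 4698, the target the je at 4688 already uses."""
    return {
        "before": decode_short_jump(0x4683, bytes.fromhex("7505")),
        "after": decode_short_jump(0x4683, bytes.fromhex("EB13")),
        "je": decode_short_jump(0x4688, bytes.fromhex("740E")),
        "changed": patch_diff("3946EE75053956", "3946EEEB133956"),
    }


def check_reg_flag_patch() -> dict:
    """Part two: xor al,al (32 C0) becomes mov al,1 (B0 01); the jumps are untouched."""
    return {
        "jne": decode_short_jump(0x3D33, bytes.fromhex("750B")),
        "jmp": decode_short_jump(0x3D3D, bytes.fromhex("EB0D")),
        "changed": patch_diff("0BD0750B32C0A2", "0BD0750BB001A2"),
    }


if __name__ == "__main__":
    print(check_self_delete_patch())
    print(check_reg_flag_patch())
```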