Here's a very good essay from Ozymandias, a guy who calls himself a beginner, but that IMO can be considered a REAL cracker yet: he shows that he studied cracking tutorials with attention and his essay seems easy to understand and well organized. Just a few words about the program: if you haven't tried it yet, DOWNLOAD IT IMMEDIATELY at http://www.operasoftware.com and LEARN how programs should be done! And, of course, if you like it... PAY for it!
At any rate, as I said, this may be too simple; it is my first
"unassisted" crack, and took me a total of three hours (two minutes,
therefore, for someone more practiced, I'm sure.) Still, it is not for
your education, but rather for the education of other poor lost souls
like myself... or more accurately, as I was before finding Fravia+ and
the HCU...
Target: Opera 3.21
Protection: 30-day-trial
Tools:
Wdasm 8.9
HeD v1.78b
Borland Resources Workshop 4.5
UltraEdit-32 5.10a
This is a very simple little crack, it is the first program I have ever done
without the assistance of an essay of some sort. The protection is very
simple - I expected it to be much harder to crack, but decided to give it a
try anyway.
I used the software for a few days before attempting to crack it, writing
down any text I felt was relevant; although I have learned a great deal of
Soft-Ice, as yet I am more comfortable with the dead listing approaches. Go
through Fravia+'s "Cracking for Dummies" series (all two lessons) for a quick
intro to this approach.
First thing I did was to make a backup copy. Then I made another backup to
save myself some time. While I set Wdasm to work on one copy, I opened the
other in BRW. There are a ton of stringtables in there, and not all of them
are caught by Wdasm.
By searching through the stringtables, I found the following "relevant"
codes:
Stringtable References:
20092 - "Opera 3.21 - Evaluation" ;This is the title of the program
;when unregistered
20095 - "This evaluation copy of Opera has expired..." ;and so on,
;self explanatory
20099 - "Invalid Registration code" ;also self explanatory
21106 - "Please enter both name and organization" ;this seems pretty
;simple - remember
;it, we'll see it
;again
21107 - "Could not open registration file" ;a mystery - this string
;is never used
21110 - "Opera 3.21" ;This is the "good" version of the first string
21425 - "Your timed evaluation has %i days left..." ;another obvious one
32888 - "This is a restricted version of Opera..." ;another mystery
32889 - "This evaluation copy has expired" ;obvious
By the time I had searched through the entire stringtable (it's really
large) Wdasm had finished decompiling. I saved a text file of it and pulled
it up in UlraEdit, where I began my search.
Because this is a beginner's essay (both on this end and the receiving end)
I will go through some of the more tedious steps that I went through rather
than just skipping to the end.
Although I "fished" for all the strings listed above, the only ones that
proved to be really useful were the "Please enter both name and organization"
string and the "Invalid Registration code" string. The reason will become
apparent as you fish for the others.
Opera has a process set aside to draw the error boxes: finding it does you
no good, as there are several hundred dummy calls to the routine. You can't
backtrace your way through the call, so the strings don't get you anywhere.
EXCEPT for these two error messages.
Opera displays the first message when you attempt to register the software
without a user name or organization. The important part for us is that this
error message is stored in the registration routine itself, NOT in the
process with the other codes. As far as I can understand it, the problem is
that the registration routine cannot run without the name and organization;
without the reg routine, the proper flags don't go into place, and the
screen-drawing routine can't run properly. But that's not important.
The second message is stored just before the end of the registration routine.
It seems that when you are unregistered, instead of returning a "bad" flag it
simply continues through the routine, making it appear that this is not the
reg routine itself.
Here's the routine as disassembled by Wdasm with my own comments on the
right:
* Referenced by a CALL at Address:
|:00477D6B
| ;This is the registration sub
:0044AC2A 55 push ebp
:0044AC2B 8BEC mov epb, esp
there are several lines of code, then the first je:
:0044AC31 8BF1 mov esi, ecx
:0044AC33 397DOC cmp dword ptr [ebp+0C], edi
:0044AC36 0F842A010000 je 0044AD66 ;This jumps to the error
;message
As you scroll down the call, there are several of these je's, all preceded
by the same pattern - a mov statement, a cmp, and the je. All of them go to
this error message. But down at the very bottom there are two other jumps;
look closely, just before the bad message, is a series of calls, followed
by the same mov and cmp pattern we saw all through this routine - but
reversed. And then there's one more call, and finally a "test eax, eax"
statement, followed by the familiar conditional jump - but this time, it's
a jne. And after looking more closely, we see that it doesn't go to the same
place as the others - 44AD3D instead of 44AD66. And then there's another je,
to another spot in the same routine - where the "bad guy" message is
displayed.
The jne jump is out of pattern, so let's see where it goes. Hmmm... another
subroutine. How dull. But the final jump is to the screen drawing routine.
Let's see - if we force the jump to this routine, do we get regged?
Well, let's switch it.
Line :0044AD0B 7530 jne 0044AD3D.
Hunt it up in HeD (search for FF B6 C8 06 00 00 first, then search for
7530 - it's easier that way.) Let's change this jne to a jmp, by changing
it from 75 30 to EB 30. Same jump, but now it's forced...
We load up Opera, type in a name and an org, some random number in the reg
box, and click register. The box vanishes, and away we go. No error
messages. But is it really regged?
Close Opera. Open it again. ARRRRGH! That same box! Wailing and gnashing
of teeth ensues...
But wait. We know that should be the right routine (alright, OK, I
cheated - I pulled a valid reg from a friend and used it to see if there
was a "Thank you" type screen if we register. There isn't.) So why isn't
it completing the registration process?
As it happens, this would PROBABLY work; you would just be annoyed a lot.
But this is a dirty crack, not up to our high standards. Let's look again...
Well, what about these calls? Where do they go? Let's find out...
Go back into the code. Trace back to the last call before that jne we
changed. There it is,
:0044AD04 E84B010000 call 0044AE54.
Let's dig...
This call is deep and convoluted. I followed all the calls tracing out what
it did, and there are at least two points where things get to be 4 calls
deep. What IS all this?
Well, only 4 registers really change - and only one, eax, is tested when we
return. Where does eax change for the last time? Don't look too hard - at
the very end of the top routine, there is the following code sequence:
:0044AEA0 7405 je 044AEA7 ;jump to ret
:0044AEA2 6A01 push 00000001 ;put 1 on the top of the
;stack
:0044AEA4 58 pop eax ;pull the top of the
;stack - 1 - into eax
:0044AEA5 eb02 jmp 0044AEA9 ;jump to ret
:0044AEA7 33C0 xor eax,eax ;zeroes eax = BAD FLAG!
:0044AEA9 5E pop esi
:0044AEAA C9 leave
:0044AEAB C20400 ret 0004
That's it. After all that run around, the flag is a 1 in the eax reg.
There are dozens of ways to crack it; I chose a 4 byte crack that was
very easy to do...
I selected the very first jump in the call, this one here...
:0044AE60 7445 je 0044AEA7
Originally, this was a test for a bad flag, so I could just reverse it -
make it a jne - along with every other conditional jump. That would work,
but there are dozens of calls.
So instead, I redirected it, as follows...
:0044AE60 EB40 jmp 0044AEA2
As you can see, I made it a jmp, so it ALWAYS follows the jump - even if
I put in a correct code, an incorrect code, or no code at all - and I
shortened the offset to put it right on the "push" statement above. That
way, we get the "good guy" flag, the rest of the routine runs normally,
and we got no troubles, no worries...
I just want to throw in a "Thank you" to Fravia+, +Gthorne, all the +HCUkers,
and, of course, +ORC... questions, comments, death threats, suggestions can
all be sent to kofk(at)usa(dot)net, they'll eventually reach me, after being
bounced around a few times. On second thought, send the death threats to
Bill@Micro$oft.com... he deserves them more than I do...
Ozymandias
(c) Ozymandias 1998.
WARNING: this tutorial is published for EDUCATIONAL PURPOSES only! Nobody except you is
responsible for what you do with the things you read here. Also, if you intend to use
shareware programs for a period longer than the allowed one remember that you have to BUY
them!