|
|
|
|
|
|
|
|
|
|
||
|
||
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
RegView not only provides almost all the features which "RegEdit" has but also adds some very useful features which "RegEdit" misses, such as select root or whole registry for registry key or value search, replace and delete with one single search and which can also combine with multiple keyword string search.
Another key feature of
RegView is to provide registry "record and compare" so that users can track
any registry change. And better yet, you can restore those registry changes
with one single click. RegView also "record and compare" and restore ini
files and any "directory and file" change. These provides a good system
recovery to restore back to original system status at the time of recording.
For examples, users can use RegView to record registry, ini files and "directory
and file" before installing some
application under test.
Then after the test, you can use RegView to restore the system change which
has been affected by that application."
|
HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Count
HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Drive
HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Root
HKEY_CURRENT_USER\Software\Vchiu's Software\RegView\Startup
|
Once you've run RegView I want you to now exit from it then fire up RegEdit, this is your Win'95 system utility and it allows us to edit any entry in your System Registry File.
Search for: Vchiu
Then once found, press on the DEL key, you will be asked if
you want to delete this entry, answer YES. Now close
RegEdit.
Don't worry, the next time you run RegView it will re-create this entry and the values we've just deleted, however, now the program will tell us that our 'Trial Period' is over and that we should register the program. This is just the same as running and exiting from the program 30 times, only this way it's much quicker..:)
Next, create a 'Dead
Listing' using W32Dasm, your going to need it if you are going to *crack*
and *learn* from this babe. The resulting file is going to be around
10mb in size so it might take a W32Dasm to create it so why not take this
opportunity and put some music on and relax, a cool glass of Wodka will
also help as well..:)
Once your 'dead
listing' is ready, open up the 'String Data Resources' and check
for anything that might look as if it might come in handy in our quest
to crack this program..
While your at it
double-click on the text message "Maximum
number of trials has been " then keep
double-clicking on this text message and count how many occurrences
their are!.
Their are four occurrences of this text message, with almost a dozen entry points used by the program to call these four messages during the course of the program being used. So, the programmers want to either confuse us or want to make sure that if we disable one program check, then there are three others to fall back on.. hehehe, lets see if we can get passed these checks...
Many programs and RegView is no exception, uses the pc's EAX register to hold the starting number of 'Trial Uses' allowed with this shareware program, in fact this method is also by many Shareware programs to hold the number of days allowed to evaluate the program with, it's just this program has opted to use if for number of 'Trial Uses' the User is allowed before it must be registered. So while still in W32Dasm get it to search for the following sequence of bytes:-
Search for: B81E000000
Basically, this sequence of numbers represent the following Assembler instruction:
mov eax,0000001E
; Set EAX register with the value of 30
; 1F is the hex value of 30 decimal.
; The value 30 is our allowed total 'Trial Uses'.
You will find only one occurrence, shown
below, so Lets examine this code more closely, and see what's happening
here.
;
The program is checking to see if memory location 00477694 contains a
;
value of '0', then it follows this with a conditional jump based on the
;
the results of comparing memory location 0047769.
;
The significance here is that if this memory location does NOT contain
a
;
value of 0 then it JUMPS over all the code that handles and displays the
;
number of Trail Uses left!.
;
If you've ran RegView then you'll know that the only place where it
;
displays the number of 'Uses' left to you is in the 'About' screen.
;
One of the major differences between a Shareware & Registered program
;
is that in the Registered program it does NOT display how many days/uses
;
left before you have to register the program with.
;
So, if cmp byte ptr [00477694]
= 0 then the program must be Shareware!
;
but if cmp byte ptr [00477694]
= 1 then the program must be Registered!
:00462F29 803D9476470000
cmp byte ptr [00477694], 00 ;Program Shareware?
:00462F30 7567
jne 00462F99 ;Jump if program *Registered* else
;still
Shareware so display the
;number of Uses left.
:00462F32 8D55F8
lea edx, dword ptr [ebp-08]
:00462F35 8B45FC
mov eax, dword ptr [ebp-04]
:00462F38 8B98F0010000
mov ebx, dword ptr [eax+000001F0]
:00462F3E 8BC3
mov eax, ebx
:00462F40 E85B18FBFF
call 004147A0
:00462F45 8D45F8
lea eax, dword ptr [ebp-08]
:00462F48 BAF42F4600
mov edx, 00462FF4
:00462F4D E85607FAFF
call 004036A8
:00462F52 8D45F8
lea eax, dword ptr [ebp-08]
:00462F55 50
push eax
:00462F56 8D55F4
lea edx, dword ptr [ebp-0C]
:00462F59 B81E000000
mov eax, 0000001E ;Total Tries allowed 30 Dec.
;
Memory location [477698] holds the number
of Uses you've had from the
;
program so far. So this is our 'counter'.
This value is then subtracted
;
from the value 1F (30 dec) to give you
tries remaining before you must
;
register it.
:00462F5E 2B0598764700
sub eax, dword ptr [00477698] ;Subtract the
;number of uses
;you have already
;had.
:00462F64 E8D331FAFF
call 0040613C
:00462F69 8B55F4
mov edx, dword ptr [ebp-0C]
:00462F6C 58
pop eax
:00462F6D E83607FAFF
call 004036A8
:00462F72 8D45F8
lea eax, dword ptr [ebp-08]
:00462F75 BA00304600
mov edx, 00463000 ;= "XX More trials left"
:00462F7A E82907FAFF
call 004036A8
So as you can see, we've learned a great deal about this program just by examining this one routine..
Lets re-cap...
Memory location 00477694
is used as a *Shareware/Register flag*, default value '0' meaning
Shareware, else a value (usually '1') representing that this program has
been registered.
Memory location 00477698
is used as a *Counter Flag*, it holds the number of Uses you have made
of the program.
After setting Softice breakpoints on all the conditional jumps that calls the four memory routines that handle and display the message:
->"Maximum number of trials has been "
->"reached! To continue use of this "
->"program, you need to register "
->"now!"
I found the routine that is used primarily
by RegView to display and handle this message at:
:004676C8 84C0
test al, al
:004676CA 0F84DE010000
je 004678AE ;Tampering of Registry File?
:004676D0 BAA47A4600
mov edx, 00467AA4
:004676D5 8B45F8
mov eax, dword ptr [ebp-08]
:004676D8 E8FFC4FCFF
call 00433BDC
:004676DD A398764700
mov dword ptr [00477698], eax
:004676E2 832D9876470084
sub dword ptr [00477698], FFFFFF84
:004676E9 813D9876470017FAFFFF
cmp dword ptr [00477698], FFFFFA17
:004676F3 750C
jne 00467701 ;jump if still Shareware
:004676F5 C6059476470001
mov byte ptr [00477694], 01 ;Make program
;Registered!
:004676FC E981020000
jmp 00467982
Basically, the program checks to see if there are any signs of you messing with it's entries in the System Registry file and if it does find evidence of this then the je 004678AE instruction skips over any further checks on the Counter flag and goes to a different routine that handles the message "Maximum number of trials has been reached...."
If all goes well then it performs a series of check-sums on it's 'counter flag' stored in memory location [00477698] which determines wether or not it's still in Shareware mode or wether it's to run in *Regsitered* mode.
If the program finds it's suppose to run in *Registered* mode then the jne 00467701 instruction is not 'set' and so the program automatically goes onto execute the next instruction, move byte ptr [00477694],01 which we now know is checked by the program to see wether or not the program has been registered or not. Since this routine is called BEFORE the main program this means that if the program becomes *registered* at this point then we won't see any nag screens, we won't have to worry about our "30 tries and your out" setup and the program will disable access to the 'Registration Screen' because it believes we've already registered it!.
OK, we've found where we think is our 'Patch' location so lets start patching!..
BEFORE:-
:004676C8 84C0
test al, al
:004676CA 0F84DE010000
je 004678AE ;Tampering of Registry File?
:004676D0 BAA47A4600
mov edx, 00467AA4
:004676D5 8B45F8
mov eax, dword ptr [ebp-08]
:004676D8 E8FFC4FCFF
call 00433BDC
:004676DD A398764700
mov dword ptr [00477698], eax
:004676E2 832D9876470084
sub dword ptr [00477698], FFFFFF84
:004676E9 813D9876470017FAFFFF
cmp dword ptr [00477698], FFFFFA17
:004676F3 750C
jne 00467701 ;jump if still Shareware
:004676F5 C6059476470001
mov byte ptr [00477694], 01 ;Make program
;Registered!
:004676FC E981020000
jmp 00467982
AFTER:
:004676C8
EB2B
jmp 004676F5 ;Always register this program
:004676CA 0F84DE010000
je 004678AE ;Tampering of Registry File?
:004676D0 BAA47A4600
mov edx, 00467AA4
:004676D5 8B45F8
mov eax, dword ptr [ebp-08]
:004676D8 E8FFC4FCFF
call 00433BDC
:004676DD A398764700
mov dword ptr [00477698], eax
:004676E2 832D9876470084
sub dword ptr [00477698], FFFFFF84
:004676E9 813D9876470017FAFFFF
cmp dword ptr [00477698], FFFFFA17
:004676F3 750C
jne 00467701 ;jump if still Shareware
:004676F5 C6059476470001
mov byte ptr [00477694], 01 ;Make program
;Registered!
:004676FC E981020000
jmp 00467982
OK, if you have RegView running then close
it..
Load up regview.exe into your favorite
Hex-Editor ( I prefer hexWorkshop-32) but just about any Hex-Editor will
do..
SEARCH FOR THE FOLLOWING BYTES
: E838BFFCFF84C00F
REPLACE WITH HIGHLIGHTED
BYTES : E838BFFCFFEB2B0F
This patch will permanently make this program register itself each time it is run.
Now fire up Regview.... What!, the program now display's the message:
"This file is corrupt. Please download and install RegView again."
Hehe, no problem, there must be a routine that performs a kind of CRC check on the program itself which would then detect any changes to the program's code..
Back into our Dead Listing...
Search for the text "This file is corrupt" which we know is part of the message displayed by RegView.
We should now be shown the following snippet of code:-
:004738AD 7921
jns 004738D0 ;ignore this instruction, it's
;part of a DATA BYTE.
:004738AF 00538B
add byte ptr [ebx-75], dl
:004738B2 D86A00
fsubr dword ptr [edx+00]
:004738B5 668B0DD4384700
mov cx, word ptr [004738D4]
:004738BC 33D2
xor edx, edx
* StringData Ref from
Code Obj ->"This file is corrupted. Please "
->"download and install RegView again!"
:004738BE B8E0384700
mov eax, 004738E0
:004738C3 E880F5FBFF
call 00432E48
:004738C8 8BC3
mov eax, ebx
:004738CA E81910FBFF
call 004248E8
:004738CF 5B
pop ebx
:004738D0 C3
ret
By placing a Softice Breakpoint at 4738CF
POP EBX and then following where the
RET instruction took me I found it
placed me here:-
:0044D2F0 3B05DC614700
cmp eax, dword ptr [004761DC] ;1st Check
:0044D2F6 742E
jz 0044D326 ;Jump if OK
:0044D2F8 66837B2A00
cmp word ptr [ebx+2A], 0000 ;2nd check
:0044D2FD 740A
jz 0044D309 ;Jump if check failed
:0044D2FF 8BD3
mov edx, ebx
:0044D301 8B432C
mov eax, dword ptr [ebx+2C]
:0044D304 FF5328
call [ebx+28] ;This calls the routine that
;displays "This file is corrupt."
:0044D307 EB1D
jmp 0044D326
:0044D309 6A10
push 00000010 ;This is our second "Virus
;Warning" message.
:0044D30B 6888D34400
push 0044D388 ;Message Title: "Program Error"
* StringData Ref from
Code Obj ->"This program has been modified
"
->"either by a virus or by a transfer "
->"problem. It will terminate now."
:0044D310 6898D34400
push 0044D398
:0044D315 6A00
push 00000000
:0044D317 E82082FBFF
Call user32.MessageBoxA
As we can see, if we patch the program at the 1st check so that it ALWAYS jumps to the 'program checked, no tampering detected' routine then we need never worry about this program detecting our patches and it will ALSO disable the SECOND program check that would result in a further "Virus Warning" message being displayed!
OK, if you have RegView running then close it..
Load up regview.exe into your favorite
Hex-Editor ( I prefer hexWorkshop-32) but just about any Hex-Editor will
do..
SEARCH FOR THE FOLLOWING BYTES
: 3B05DC614700742E
REPLACE WITH HIGHLIGHTED
BYTES : 3B05DC614700EB2E
This patch will permanently disable the two checks it performs to see if it's been patched.
OK, now once more
fire up RegView, lets see if it runs now...
It does..:)
Job Done.
|
SEARCH FOR THE FOLLOWING BYTES
: 3B05DC614700742E
REPLACE WITH HIGHLIGHTED
BYTES : 3B05DC614700EB2E
|
So if a program gives you say, 30 trial uses or 30 days to evaluate the software then in your 'Dead Listing try searching for:
Search for: B81E000000
which should display the instruction mov
eax,0000001E
Remember, just about all Shareware programs
need a memory location to store a value in that tells it wether or not
it has been registered and that as a general rule the default value will
be a '0' meaning unregistered.. If this is so then some where within the
program this memory location HAS to be changed so that it
contains *usually* a value of '1' meaning now *registered*.
Notice also that the text messages used within the program helped us
greatly to quickly locate the relevant routines that we were looking for..
They are like flashing beacons to *crackers*..:)
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.
|
Ripping off software through serials
and cracks is for lamers..
If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.
Next | Return to Essay Index | Previous |