|
|
|
|
|
|
|
|
|
|
||
|
||
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
Win Image is a nice Win'95 32-bit utility
that will create disk images of almost any kind of disk media you have,
so you could copy 1.4 MB floppy disks and transfer then to the new 1.72
MB DMF format if you so wish.
|
Your asked to enter:
Your Name
Registration Code
before registration begins.
The way the program is setup you have a choice of two registration codes, one will let you use the Standard interface, the other will let you use both the Standard and Professional interface which includes the Batch Wizard facility.
The actual registration key is based on
the User Name you enter and wether you wish to use either the Standard
or Professional interface ( remember, their are a possible two registration
keys generated from your User Name ).
This program is not compacted or encrypted
in anyway.
|
Start up Softice, type in BPX messageboxA
MessageboxA is a Win'95 system function that runs in the 32-bit environment, had Win Image been a 16-bit utility then I would then have to use the Messagebox (without the 'A') function instead.
Type X to leave Softice and now start up Win Image pro.
Wham, Softice breaks at the start of the MessageboxA routine, from here press F12 once then answer Yes to the 'Expire notice' then 'OK' to the Nag Screen that now pops up.
We should see the following snippet of code in Softice.
* Reference To: KERNEL32.GetSystemTime,
Ord:0135h
:0042FA46 FF15F8E74300
Call dword ptr [0043E7F8]
:0042FA4C 66817DE4CD07
cmp word ptr [ebp-1C], 07CD ;year =1997?
:0042FA52 7709
ja 0042FA5D ;Oh dear,our Time-limit is up
;if the year is greater than 1997
;so show 'Expire Notice'
:0042FA54 7520
jne 0042FA76 ;If year is less or equal to 1997
;then don't bother checking for
;the month, just continue on with
;with the program itself.
:0042FA56 66837DE609
cmp word ptr [ebp-1A], 0009 ;Month=9 (Sept)?
:0042FA5B 7219
jb 0042FA76 ;Yes? then Jump to 0042Fa76.
* Referenced by a (C)onditional
Jump at Address: 0042FA52(C)
*
Our routine that deals with displaying the 'Expire Notice'.*
|
:0042FA5D 6A24
push 00000024
:0042FA5F 53
push ebx
:0042FA60 6830964300
push 00439630 ===>Msg "This copy has expired."
:0042FA65 57
push edi
:0042FA66 FF1510E94300
Call dword ptr [0043E910] ;USER32.MessageBoxA
:0042FA6C 83F807
cmp eax, 00000007 ;We land here
:0042FA6F 7505
jne 0042FA76
:0042FA71 83C8FF
or eax, FFFFFFFF
:0042FA74 EB23
jmp 0042FA99
Right, looking at the code we can see that we must have arrived at this messagebox routine from one of TWO ways. (There might be other's but since this is called ONLY at the start of the program, it would not make any sense to show this message during the running of the program ). So we can assume that what we're looking at is the only place where this kind of decision takes place.
The first way this routine gets called
is from:-
:0042FA54 7520
jne 0042FA76
Where if the comparison that checks what year we're currently in is Greater than 1997, then display 'Expire Notice'.
The second way is if the year is 1997 but the month is not September then instead of jumping to location 0043FA99 at line:-
:0042FA74 EB23 jmp 0042FA99
It will simply proceed onto our 'Expire
Notice' routine.
We can 'fix' routine this by simply changing line:-
:0042FA52 7709 ja 0042FA5D
TO
:0042FA52 EB22 jmp 0042FA76
That would then make the program always ignore the 'Expire Notice' checks and proceed on with the program itself. Since this is an UN-Condition Jump the program will never get past this line to check for the month etc so we don't have to do any more patching to this routine.
OK, now to finish off this program.. Having
experimented with this program, using different cracking methods to achieve
the outcome I wanted I can tell you that the best method found was to simple
sniff out the generated Registration Keys ( there are two remember ) and
use them to register the program with. My attempt to patch the program
seemed to result in the program 'forgetting' to remember my User Name and
Registration key when I re-ran it, so the patch only worked so long as
the program was running after it had been 'registered'.
Let's sniff out those two registration
keys by 'backtracking our steps through the program...
Run up Win Image pro, select Yes to the
'Expire Notice' message, then OK to the Nag screen. Go into the Registration
Screen via Options then Registration.
Type in the User Name you wish to use,
then enter a few numbers of your choice.
Press Ctrl-D to enter Softice and
type BPX MessageboxA then x to leave.
At this point simple press the OK button
and lets see what happens next.. Wham, Softice breaks at the start of the
messageboxA routine, from here press F11 once then answer OK to the 'Invalid
Registration Key' dialog box that appears on our screen which again Softice
breaks and we're now in the actual Win Image Code.
:0041D7B4 | push ebp |
:0041D7B5 | mov ebp, esp |
:0041D7B7 | push ecx |
:0041D7B8 | mov eax, dword ptr [0043B058] |
:0041D7BD | push esi |
:0041D7BE | test eax, eax |
:0041D7C0 | je 0041D7C7 |
:0041D7C2 | call eax |
:0041D7C4 | mov dword ptr [ebp-04], eax |
:0041D7C7 | push [ebp+14] |
:0041D7CA | push [ebp+10] |
:0041D7CD | push [ebp+0C] |
:0041D7D0 | push [ebp+08] |
:0041D7D3 | Call dword ptr [0043E910] ; Call MessageboxA function |
:0041D7D9 | mov esi, eax ; We land here from the above function call |
:0041D7DB | mov eax, dword ptr [0043B05C] |
:0041D7E0 | test eax, eax |
:0041D7E2 | je 0041D7EA |
:0041D7E4 | push [ebp-04] |
:0041D7E7 | call eax |
:0041D7E9 | pop ecx |
:0041D7EA | mov eax, esi |
:0041D7EC | pop esi |
:0041D7ED | leave |
:0041D7EE | ret |
:0041D82C | xor esi, esi ;Set up the correct message to display in the Dialog Box. |
:0041D82E | push [ebp+14] |
:0041D831 | lea eax, dword ptr [ebp+FFFFFB80] |
:0041D837 | push esi |
:0041D838 | push eax |
:0041D839 | push [ebp+08] |
:0041D83C | call 0041D7B4 ; Calls the routine that deals with messagebox creation |
:0041D841 | add esp, 00000010 ; We land here |
:0041D844 | pop esi |
:0041D845 | leave |
:0041D846 | ret |
Well, as you can see this routine branches out from here in one place, namely to the routine we just left that delt with the displaying of our 'Invalid Registration' dialog box and since there are no conditional jumps or comparing instructions to be found here we know that this is not where the program decides wether our entered registration key is correct or not so we need backtrack further into the program.
From here press the F10 key 4
times so that we now land in this routine:-
:004290C5 | push 00002000 |
:004290CA | push 0000042D ; => "Win Image registration" |
:004290CF | push 0000042A ; => "Your registration code is valid. |
:004290D4 | mov dword ptr [0043C73C], edx |
:004290DA | push [ebp+08] |
:004290DD | mov dword ptr [0043C894], edx |
:004290E3 | call 0041D7EF
;Lets show either the 'Beggar off' or
;the 'Thanks for Registering' message |
:004290E8 | add esp, 00000010 ; We land here |
:004290EB | push esi |
:004290EC | push [ebp+08] |
:004290EF | Call dword ptr [USER32.EndDialog] ;Clear 'begger off' Msg. |
:004290F5 | mov eax, esi |
:004290F7 | jmp 00429132 |
Hmm, it's looking better but as you can see (feel), we're at the stage in the program where it has already processed our invalid registration and because it was the wrong one we were sent here where the 'begger off' message is first created.
Look at the above code and where we've just landed, notice that if we proceed five more steps we hit a JMP instruction which is not what we want if we wish to find out where this routine was called from. Had there been a RET instruction instead of the JMP instruction then we would have had a good chance in returning to the routine that first placed us here.
There
are of course, times when a program can manipulate the stack that holds
the address of where the program execution begins after executing a routine,
in which case we would not always return back to the original calling routine,
but in this example this is not the case.
OK, so where do we go?. A good bet
is to examine the code above and below this routine, looking for a condition
or unconditional jump to the START
of the routine we're currently stuck in. In our this case if
we look above this routine you will see a Jump Not Equal instruction at:
:00429097 752C
jne 004290C5
Bingo!, this looks very promising, so
just to be sure we will place a break point at the START of this new routine
but first lets clear any/all other Softice breakpoints first by typing:-
BC *
Then type:-
BPX 42902C
Then type:-
x to exit Softice
I have chosen to set a breakpoint at the
beginning of this new routine rather than on the actual line that jump's
to present routine we're in because I feel it's the
right thing to do.
Run the Win Image Registration screen
again, type in Your Handle & a few numbers again then press the OK
button.
Wham, we're in Softice and right where
we want to be.
:0042902C 8B358CEA4300
mov esi,dword ptr [USER32.GetDlgItemTextA]
:00429032 BB98C84300
mov ebx, 0043C898
:00429037 6801010000
push 00000101
:0042903C 53
push ebx
:0042903D 6816080000
push 00000816
:00429042 FF7508
push [ebp+08]
:00429045 FFD6
call esi
:00429047 BF90C44300
mov edi, 0043C490
:0042904C 6A7F
push 0000007F
:0042904E 57
push edi
:0042904F 6817080000
push 00000817
:00429054 FF7508
push [ebp+08]
:00429057 FFD6
call esi
:00429059 6870C84300
push 0043C870
:0042905E 57
push edi
:0042905F 53
push ebx
:00429060 E8D03C0000
call 0042CD35
:00429065 8B0D70C84300
mov ecx, dword ptr [0043C870]
:0042906B 33D2
xor edx, edx
:0042906D 83C40C
add esp, 0000000C
:00429070 3BC2
cmp eax, edx
:00429072 A358C64300
mov dword ptr [0043C658], eax
:00429077 7406
je 0042907F
:00429079 890D34C84300
mov dword ptr [0043C834], ecx
:0042907F 391534C84300
cmp dword ptr [0043C834], edx
:00429085 890DC4CA4300
mov dword ptr [0043CAC4], ecx
:0042908B 7505
jne 00429092
:0042908D A3C4CA4300
mov dword ptr [0043CAC4], eax
:00429092 6A01
push 00000001
:00429094 3BC2
cmp eax, edx
:00429096 5E
pop esi
:00429097 752C
jne 004290C5 ; Good Guy Jump!
:00429099 6800200000
push 00002000 ; Else 'Beggar off'
:0042909E 682D040000
push 0000042D
:004290A3 682B040000
push 0000042B ;=>"Registering information
; is invalid"
:004290A8 89353CC74300
mov dword ptr [0043C73C], esi
:004290AE FF7508
push [ebp+08]
:004290B1 893594C84300
mov dword ptr [0043C894], esi
:004290B7 881590C44300
mov byte ptr [0043C490], dl
:004290BD 881598C84300
mov byte ptr [0043C898], dl
:004290C3 EB1E
jmp 004290E3
Looking at the above we can see a *possible*
patch of the code at line:-
:00429097 752C
jne 004290C5 ; Good Guy Jump!
But if you change this so that it always
jumps to the routine that handles valid registration keys you will find
it does not work. It will still say 'Invalid Registration Key'. OK, after
some more work you will find that at line:-
:0042908B 7505 jne 00429092
would also have to be changed so that it too would always jump then even that wouldn't be enough. You will find that as you follow this through there will be other places to patch before the program will accept any registration key you enter into it. For this essay I will stick to 'sniffing' out the 'real' key(s) rather than go on a patching spree..
Right, use F10 until we get to the line:
:00429060 E8D03C0000
call 0042CD35
At which point we press the t (
trace into ) key which will now bring us to the main routine that creates
our Registration Key.
* If you run through this routine a few times you will be able to work out the following as I did..:)
:0042CD35 55
push ebp ; == Save Mem loc 68F1d4
:0042CD36 8BEC
mov ebp, esp ; == New Mem Loc 68F1B4
:0042CD38 81EC00020000
sub esp, 00000200 ; Subtract 200h from
; 68F1B4 = 68EFB4
;Memory Location for our REAL RegKey!
:0042CD3E 56
push esi
:0042CD3F 8B7510
mov esi, dword ptr [ebp+10]
:0042CD42 85F6
test esi, esi
:0042CD44 57
push edi ;Mem Loc of our fake Regkey
; at 0157:43c490
------------------ Snip
---------------- Snip -------------
At this point if you type: d 68efb4
then place your cursor on the ret instruction at line
:0042CE75
C3
ret
then type: here you will see in
your softice code window the registration No for the user name you just
typed in!
Job Done.....
|
SEARCH FOR
: 66817DE4CD077709 then
REPLACE WITH:
6817DE4CD077EB22
|--| <--Change these two bytes only.
|
My thanks and gratitude goes to:
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.
|
Next | Return to Essay Index | Previous |