Aug 98
"Cracking Rhino Beta 1.0"
Win '95 Program
Win Code Reversing
 
 
by KLee8084 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: rhino32.exe
Program Type: 3D Graphic Program
Program Location: Here 
Program Size: 6.2 meg
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Softice V3.2 - Debugger
Hiew 5.66
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Rhino3D Beta 1.0
'Patching A Demo'
Written by KLee8084
 
 
 
Introduction
 
Rhino3d is a NURBS program that allows you to create 3D objects and export them in a variety of formats, such as VRML, which makes it ideal for creating virtual worlds.
About this protection system
 
The only relevant protection is a date check hard-coded into Rh_Main.exe. It is not a 30-day counter started at installation: as the compares below show, the program simply refuses to run once the system date reaches 31 August 1998.
 
The Essay 
     
First, you need to see whether anything is written to an .ini file or the system registry. Advance the system's date by two months and attempt to run the program: it won't run. Now set the date back to normal and attempt to run it again.
 
This time it runs perfectly, which tells you the program did not persist an "expired" flag in the registry or an .ini file when it refused to run (a trial that records its first-run date would also pass this test, so the disassembly below is what settles it). Since the program is evidently checking the system date, it is logical to set a breakpoint in Softice on GetSystemTime. Press CTRL-D to drop into Softice and type bpx GetSystemTime. (Had the breakpoint never fired, GetLocalTime would have been the next API to try.)
 
Next, get out of Softice by typing x , and run Rhino.exe.
 
After the rhino loader displays its credits window, it starts to load Rh_Main.exe and you are thrown into Softice at the beginning of Kernel32.dll's GetSystemTime function.
 
Press 'F11' to step out of this call. What do you see? A simple compare instruction following the call.

:0041F669 FF15701C8C00      CALL [KERNEL32!GetSystemTime]
:0041F66F 66817C2404CE07    CMP WORD PTR [ESP+04], 07CE ;Check for 1998
:0041F676 7519              JNZ 0041F691 ;Beggar off cracker

If you check 07CE (type "? 07CE" in Softice), you'll see that it is 1998, the current year. [ESP+04] is the wYear field of the SYSTEMTIME structure that GetSystemTime has just filled in (its fields are wYear, wMonth, wDayOfWeek, wDay, and so on, one WORD each). If the value there were not 07CE, the program would jump to a nasty MessageBox routine. Next, there is another compare:

:0041F678  66837C240608   CMP WORD PTR [ESP+06], 08 ;Check for August
:0041F67E  720A           JB 0041F68A
:0041F680  750F           JNZ 0041F691 ;Beggar off cracker
 
This compare reads WORD PTR [ESP+06], the wMonth field. If the month is earlier than August (JB: below 08), it jumps to 0041F68A, the good code; if the month is later than August, the JNZ sends it to the nasty MessageBox routine; if it is exactly August, execution falls through to the day check.
Finally, there is one last compare:
 
:0041F682  66837C240A1F   CMP WORD PTR [ESP+0A], 1F ;Check for Day = 31st
:0041F688  7307           JAE 0041F691 ;Beggar off cracker
:0041F68A  33C0           XOR EAX,EAX
:0041F68C  5B             POP EBX
:0041F68D  83C410         ADD ESP,10
:0041F690  C3             RET
 
If you type "? 1F" you'll see that 1F is 31 in decimal. WORD PTR [ESP+0A] is wDay (the WORD at [ESP+08], wDayOfWeek, is skipped). JAE is an unsigned branch, so a day of 31 or above goes to the nasty Beggar off cracker routine; anything below 31 falls through to the good code at 0041F68A, which makes 30 August 1998 the last day the beta will run.
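To make the exact boundary of the check explicit, here is an added example (my own, not code from the essay or from Rhino) that emulates the three compares in Python. It assumes only what the listing shows: the immediates 07CE, 08 and 1F, the JNZ/JB/JAE branch directions, and the Win32 SYSTEMTIME layout that explains the stack offsets.

```python
# Added example (not the essay's code): emulate the three compares that follow
# GetSystemTime in Rh_Main.exe.  GetSystemTime fills a SYSTEMTIME whose WORD
# fields are wYear, wMonth, wDayOfWeek, wDay, ..., which is why the year is read
# at [ESP+04], the month at [ESP+06] and the day at [ESP+0A], skipping the
# day-of-week word at [ESP+08].
from datetime import date, timedelta

YEAR, MONTH, DAY = 0x07CE, 0x08, 0x1F    # immediates from the listing: 1998, August, 31


def rhino_runs(year: int, month: int, day: int, patched: bool = False) -> bool:
    """True when execution reaches the good code at 0041F68A (XOR EAX,EAX ... RET)."""
    if patched:
        # Once the JNZ at 0041F676 is JMP 0041F68A, no later compare is ever reached.
        return True
    if year != YEAR:          # 0041F66F CMP [ESP+04],07CE / JNZ 0041F691
        return False
    if month < MONTH:         # 0041F678 CMP [ESP+06],08 / JB 0041F68A
        return True
    if month != MONTH:        # 0041F680 JNZ 0041F691 (month is past August)
        return False
    return day < DAY          # 0041F682 CMP [ESP+0A],1F / JAE 0041F691 (unsigned)


def last_run_date(start=(1998, 1, 1)):
    """Walk forward from `start` and return (y, m, d) of the last day the unpatched beta runs."""
    d = date(*start)
    last = None
    while rhino_runs(d.year, d.month, d.day):
        last, d = d, d + timedelta(days=1)
    if last is None:
        raise ValueError("the beta never runs from that start date")
    return (last.year, last.month, last.day)


if __name__ == "__main__":
    print("last working day:", last_run_date())        # (1998, 8, 30)
    print("31 Aug 1998 unpatched:", rhino_runs(1998, 8, 31))
    print("31 Aug 1998 patched:  ", rhino_runs(1998, 8, 31, patched=True))
```

Walking the calendar rather than reasoning about it is the point: the listing's comment says "Day = 31st", but because JAE is "above or equal", 31 August itself is already refused, and the last working day is the 30th.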
 
Since this is a Beta program, there are no registration routines. To crack this program, we have to patch it. From the above code, we know that the "Program Expired" code is at 0137:0041F691, and that the good code is at 0137:0041F68A. You could overwrite everything from the first compare at 0041F66F up to the good code with NOPs (27 of them, since 0041F68A - 0041F66F = 1B hex), but that would be very messy. Far simpler is to change the conditional jump after the first compare (to the Beggar off cracker routine) into an unconditional jump to the good code; the month and day compares are then never reached.

0137:0041F676   7519   JNZ 0041F691

changed to:

0137:0041F676   EB12   JMP 0041F68A

NOTE: EB12 means jump 12h (18 decimal) bytes forward, counted from the end of the two-byte JMP itself. Both JNZ rel8 and JMP rel8 are two bytes long, so nothing else in the file moves.

To get the displacement, type "? 0041F68A - 0041F678". Remember, 0041F68A is the start of the good code routine, and 0041F678 is the address of the instruction right after the two-byte JNZ we are changing. A rel8 displacement must lie within -80h..7Fh; 12h does.
 
To do the actual patching, load Rh_Main.exe in your favorite hex-editor (I use HIEW) and go to 0041F676. Note that this is a virtual address, not a file offset: the raw offset differs by the image base and the section's raw-data pointer, so unless your editor translates virtual addresses for you, locate the instruction by searching for its bytes (as in The 'Crack' below).
 
Place the cursor over 7519 (JNZ 0041F691) and change it to EB12.
 
Finally hit F9 to update the file and exit (F10). Back at the desktop, advance your system's date 2 months and run Rhino.exe. It runs beautifully. Program cracked.
 
The 'Crack' 
 
Load Rh_Main.exe into your favorite hex-editor (I prefer HIEW v5.66, but just about any hex-editor will do).
 
SEARCH FOR THE FOLLOWING BYTES : 66817C2404CE077519
REPLACE WITH THE FOLLOWING BYTES: 66817C2404CE07EB12 (only the last two bytes change: 7519 becomes EB12)
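The hand patch above, as an added example in script form (my own, not a tool from the essay or from Rhino). It carries out the same byte replacement but with the checks a practitioner wants: it derives the EB12 encoding from the two addresses instead of trusting a comment, decodes the original 7519 to confirm it really jumps to the expiry routine, refuses to patch unless the byte pattern is unique in the file, and converts the Softice virtual address 0041F676 to a raw file offset through the PE section table, since a hex editor offset and a virtual address are not the same thing. The stand-in file it builds for a dry run is constructed here (one .text section at 0x401000, raw data at file offset 0x400); it is not the real Rh_Main.exe, whose section layout the essay does not give.

```python
"""Added example, not the essay's own tool: apply the Rh_Main.exe patch from a script.
Encodes the short JMP from the addresses, verifies the original JNZ, patches only a
unique match, and maps the Softice virtual address to a file offset via the PE headers."""
import struct
import sys

# Bytes from the essay's listing: CMP WORD PTR [ESP+04],07CE ; JNZ 0041F691
ORIGINAL = bytes.fromhex("66817C2404CE077519")
VA_JNZ = 0x0041F676    # the JNZ being replaced
VA_GOOD = 0x0041F68A   # XOR EAX,EAX / POP EBX / ADD ESP,10 / RET
VA_BAD = 0x0041F691    # "Beggar off cracker" routine


def short_jmp(at: int, target: int) -> bytes:
    """Encode `JMP rel8` located at `at` (a 2-byte instruction) that lands on `target`."""
    disp = target - (at + 2)      # rel8 is counted from the end of the jump itself
    if not -128 <= disp <= 127:
        raise ValueError(f"{target:#x} is out of short-jump range from {at:#x}")
    return b"\xEB" + struct.pack("<b", disp)


def short_jump_target(at: int, insn: bytes) -> int:
    """Decode the target of a 2-byte short jump (EB) or short Jcc (70..7F) at `at`."""
    if len(insn) != 2 or not (insn[0] == 0xEB or 0x70 <= insn[0] <= 0x7F):
        raise ValueError("not a short jump")
    return at + 2 + struct.unpack("<b", insn[1:2])[0]


def image_base(pe: bytes) -> int:
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                    # optional header follows the 20-byte COFF header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 image")
    return struct.unpack_from("<I", pe, opt + 28)[0]   # IMAGE_OPTIONAL_HEADER32.ImageBase


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address (as Softice/W32Dasm show it) to the raw offset a hex editor uses."""
    coff = struct.unpack_from("<I", pe, 0x3C)[0] + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    rva = va - image_base(pe)
    for i in range(nsect):
        entry = coff + 20 + opt_size + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        _vsize, sect_va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, entry + 8)
        if sect_va <= rva < sect_va + raw_size:
            return raw_ptr + (rva - sect_va)
    raise ValueError(f"{va:#x} is not backed by data in the file")


def patch_unique(data: bytes, find: bytes, replace: bytes) -> bytes:
    """Same-length replace that refuses to run unless `find` occurs exactly once."""
    if len(find) != len(replace):
        raise ValueError("patch must not change the file size")
    first = data.find(find)
    if first < 0 or data.find(find, first + 1) >= 0:
        raise ValueError("pattern missing or ambiguous; not patching blindly")
    return data[:first] + replace + data[first + len(find):]


def crack(pe: bytes) -> bytes:
    """Turn JNZ 0041F691 into JMP 0041F68A, cross-checking the address against the PE layout."""
    if short_jump_target(VA_JNZ, ORIGINAL[-2:]) != VA_BAD:
        raise ValueError("listing bytes do not decode to the expected JNZ")
    offset = va_to_file_offset(pe, VA_JNZ)
    if pe[offset:offset + 2] != ORIGINAL[-2:]:
        raise ValueError(f"no JNZ at file offset {offset:#x}; wrong file or build")
    new_jmp = short_jmp(VA_JNZ, VA_GOOD)              # b"\xEB\x12"
    return patch_unique(pe, ORIGINAL, ORIGINAL[:-2] + new_jmp)


def build_sample_pe() -> bytes:
    """Constructed stand-in for Rh_Main.exe (not the real file): one .text section at
    0x401000 with raw data at offset 0x400, the listing's bytes placed so the JNZ is at 0041F676."""
    base, text_va, raw_ptr = 0x400000, 0x1000, 0x400
    raw_size = (VA_JNZ - base - text_va) + 0x20
    img = bytearray(raw_ptr + raw_size)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                                  # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 224, 0x102)  # COFF header
    struct.pack_into("<H", img, 0x98, 0x10B)                                 # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, base)                             # ImageBase
    sect = 0x98 + 224
    img[sect:sect + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sect + 8, raw_size, text_va, raw_size, raw_ptr)
    site = raw_ptr + (VA_JNZ - base - text_va) - (len(ORIGINAL) - 2)       # CMP precedes the JNZ
    img[site:site + len(ORIGINAL)] = ORIGINAL
    return bytes(img)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None     # e.g. Rh_Main.exe; dry run otherwise
    data = open(path, "rb").read() if path else build_sample_pe()
    patched = crack(data)
    print(f"JNZ at file offset {va_to_file_offset(data, VA_JNZ):#x} replaced with EB12")
    if path:
        open(path + ".cracked", "wb").write(patched)
```

Run it with no arguments for a dry run on the constructed sample, or with the path to Rh_Main.exe to write Rh_Main.exe.cracked beside it. The two independent locators (byte search and virtual-address translation) must agree before anything is written, which is the check you lose when typing the offset into HIEW by hand.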
 
 
Final Notes 
 
Rhino Beta 1.0 has practically no protection. As you saw, it has only simple compare routines to determine whether to expire or not.

 
My thanks and gratitude go to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?
 
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by: KLee8084
Page Created: 24th July 1998