Aug 1998
"Cracking Who-Is v1.01"
Win '95 PROGRAM
Win Code Reversing
 
 
by KLee8084 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: whois.exe
Program Type: Internet Utility
Program URL: HERE 
Program Size: 1.5 MB
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Hiew 5.66
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Cracking Who-Is v1.01
"Nag screens and time limit"
Written by KLee8084
 
 
 
Introduction
 
Whois is a program that lets you put in a person's name, telephone number, address, or email address and returns information about that person from various databases around the world.
About this protection system
 
When you first run the program there is an annoying nag screen telling you how many days you have left before the program expires (starts at 14 days). Every time you start a new search, there is another nag screen telling you that you are using the free preview copy of Who-Is.
 
The Essay 
     
For this crack I decided to use the dead listing approach (a la The Sandman). Ready?
 
Fire up W32Dasm and load whois.exe. Now, when you first run whois.exe, you are presented with a nag screen telling you that you have only so many days to evaluate the program before it expires. That's the first nag. The second nag pops up when you start a search. This nag informs you (as if you didn't already know, eh?) that you are using the free preview copy of Who-Is. Annoying, aren't they?
 
Click on the String Ref button and scroll down until you find "Thank you for trying Who-Is." and double-click on this string reference.
 
* StringData Ref from Data Obj -> "Thank you for trying Who-Is. The trial"
                               -> "time period for Who-Is has expired."
 
:0041847B 68A89F4200        PUSH 00429FA8

To see if there are any other references, double click on the string reference again. Ahh...

* StringData Ref from Data Obj -> "Thank you for trying Who-Is. The trail"
                               -> "Your trial period expires in %d days."
 
:004184C1 68089F4200        PUSH 0042AF08
:004184C6 52                PUSH EDX

Hm...did you notice the difference? If the time limit is reached, then the first routine (:0041847B) is called. If you still have time left, then the second routine at (:004184C1) is called.

We don't care about this, though. We want to totally bypass the nag.

From :004184C1 scroll upwards to see if there are any compare/conditional jump pairs nearby. Nope. There IS, though, a reference to a conditional jump from :00418475. Did you notice that this address is very close to the first nag routine (:0041847B)?

OK, now go to :00418472

:00418472  83FE0E       CMP ESI, 0000000E   ;<- 14 day limit is up?
:00418475  7E2A         JLE 004184A1        ;<- Not yet so jump to the
                                            ;<- second routine

So. Remember my curiosity? Let's scroll farther upwards, shall we?
Ahh...Do you see the two conditional jumps?

:0041841F  833A01         CMP DWORD PTR [EDX], 00000001
:00418422  0F85C9000000   JNE 004184F1    ;<- Not a 1? Must be registered!
:00418428  8B742418       MOV ESI, DWORD PTR [ESP+18]
:0041842C  F7C600000080   TEST ESI, 80000000
:00418432  0F85B9000000   JNE 004184F1    ;<- No? Must be registered!

If you change both JNE 004184F1 instructions to JE 004184F1, that will kill the first nag. It also kills the time limit too. :)

Second nag. Go back to the String Data References in W32Dasm and scroll down. Do you see "This is the free preview copy"? Then double-click on it.

 
:00414FA0 6870994200  PUSH 00429970 ;"This is the free preview copy of
                                     "Who-Is."

As usual, scroll upwards to see if there is a compare/conditional jump pair. There is.

:00414F97  833901     CMP DWORD PTR [ECX], 00000001
:00414F9A  750E       JNE 00414FAA  <- Not a 1? Then must be *registered*

Change the JNE 00414FAA to JE 00414FAA.

Go back to the String Ref and double click again to see if there is another reference.
 
There is.

* StringData Ref -> "This is the free preview copy of Who-Is."

:00416EEC 6870994200   PUSH 00429970  ;Scroll upwards to see if there is a
                                      ;compare / conditional jump pair.
                                      ;There sure is!

:00416EE3 833901     CMP DWORD PTR [ECX],00000001
:00416EE6 750E       JNE 00416EF6 ;Not a 1? This program must be registered
 
Change the JNE 00416EF6 to JE 00416EF6.
 
Set your computer's date ahead 1 month and run the program. Look Ma---no nags!!!
 
Program cracked.
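As an added example (not part of the original essay), the following Python decodes each conditional jump quoted in the listings above from its raw bytes and recomputes the target address the way the CPU does, so you can check the W32Dasm listing yourself. It also makes the key point of this protection visible: JE and JNE differ in exactly one bit of the condition code.

```python
# Added example (not part of the original essay): decode the x86 conditional
# jumps quoted in the W32Dasm listings and recompute their targets.
import struct

# Jcc condition codes. Bit 0 of the code negates the condition, which is why
# JE (cc=4, opcode 74 / 0F84) and JNE (cc=5, opcode 75 / 0F85) differ in a
# single bit of the opcode byte.
CC_NAMES = ["JO", "JNO", "JB", "JAE", "JE", "JNE", "JBE", "JA",
            "JS", "JNS", "JP", "JNP", "JL", "JGE", "JLE", "JG"]

def decode_jcc(addr, code):
    """Decode a short (7x rel8) or near (0F 8x rel32) Jcc located at virtual
    address `addr`. Returns (mnemonic, target, length). The displacement is
    relative to the end of the instruction, as the CPU computes it."""
    if code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        cc, length = code[1] & 0x0F, 6
        disp = struct.unpack_from("<i", code, 2)[0]   # signed rel32
    elif 0x70 <= code[0] <= 0x7F:
        cc, length = code[0] & 0x0F, 2
        disp = struct.unpack_from("<b", code, 1)[0]   # signed rel8
    else:
        raise ValueError("not a Jcc opcode")
    return CC_NAMES[cc], (addr + length + disp) & 0xFFFFFFFF, length

# Addresses and instruction bytes copied from the essay's listings.
LISTING = {
    0x00418422: bytes.fromhex("0F85C9000000"),
    0x00418432: bytes.fromhex("0F85B9000000"),
    0x00418475: bytes.fromhex("7E2A"),
    0x00414F9A: bytes.fromhex("750E"),
    0x00416EE6: bytes.fromhex("750E"),
}

def listing_targets():
    """Map each listed address to its (mnemonic, target)."""
    return {addr: decode_jcc(addr, code)[:2] for addr, code in LISTING.items()}

if __name__ == "__main__":
    for addr, (mnemonic, target) in listing_targets().items():
        print(f"{addr:08X}  {mnemonic:<4} {target:08X}")
```

Both near JNEs at :00418422 and :00418432 decode to the same target, 004184F1, and the 750E at :00416EE6 decodes to 00416EF6.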
The 'Crack' 
 
Load up whois.exe into your favorite hex editor (I prefer Hiew v5.66), but just about any hex editor will do.
 
SEARCH FOR THE FOLLOWING BYTES : 833A010F85C9000000F7C6000000800F85B9000000

REPLACE WITH THE FOLLOWING BYTES (the two 85s become 84s) : 833A010F84C9000000F7C6000000800F84B9000000

SEARCH FOR THE FOLLOWING BYTES : 833901750E6A00
REPLACE WITH THE FOLLOWING BYTES (the 75 becomes 74) : 833901740E6A00
 
Note: the last search above has 2 occurrences. Change both.
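From the other side of the fence: because the patch changes one opcode nibble and leaves every neighbouring byte intact, the two states of each check site are exactly distinguishable. The following added example (not part of the original essay, and not Who-Is's own code) shows a tamper check a vendor self-test or a file scanner could run over the byte sequences listed above; the `build_image` function is a constructed stand-in for the real whois.exe.

```python
# Added example (not part of the original essay): a tamper check over the
# byte sequences the essay patches. JNE -> JE changes a single opcode nibble
# (0F85 -> 0F84, 75 -> 74), so intact and inverted check sites can be told
# apart exactly.

# Check sites as (shipped bytes, inverted bytes), taken from the essay.
SITES = {
    "14-day limit": (bytes.fromhex("833A010F85C9000000F7C6000000800F85B9000000"),
                     bytes.fromhex("833A010F84C9000000F7C6000000800F84B9000000")),
    "preview nag":  (bytes.fromhex("833901750E6A00"),
                     bytes.fromhex("833901740E6A00")),
}
# Copies of each site expected in the shipped binary (the essay notes that the
# preview-nag sequence occurs twice).
EXPECTED = {"14-day limit": 1, "preview nag": 2}

def classify_sites(image):
    """Per site, (intact copies, inverted copies) found in the image."""
    return {name: (image.count(orig), image.count(inv))
            for name, (orig, inv) in SITES.items()}

def is_tampered(image):
    """True when any check site is missing, inverted, or duplicated.
    A real self-check would rather hash the whole code section; matching the
    known sites is enough to demonstrate the single-nibble difference."""
    counts = classify_sites(image)
    return any(counts[name] != (EXPECTED[name], 0) for name in SITES)

def build_image(patched):
    """Constructed stand-in for whois.exe: NOP filler around the check sites,
    in either the shipped or the inverted state."""
    idx = 1 if patched else 0
    filler = b"\x90" * 16
    return (filler + SITES["14-day limit"][idx] + filler
            + SITES["preview nag"][idx] + filler
            + SITES["preview nag"][idx] + filler)

if __name__ == "__main__":
    for label, img in (("shipped", build_image(False)), ("patched", build_image(True))):
        state = "tampered" if is_tampered(img) else "intact"
        print(label, classify_sites(img), state)
```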
 
Final Notes 
 
This program's protection scheme is simple but annoying.

 
My thanks and gratitude go to:
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems?
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by: KLee8084
Page Created: 24th July 1998