
                 Cracking for newbies #2 - by woody^drn

How to crack NoteTab Pro v4.6a at www.notetab.com

Run the program to see what happens. Hmm, that's weird, it says
"Sorry, the trial period is over" .. I haven't even tried it before.

Let's disassemble the program and find the "nag". But first we have to
check if the file is packed or encrypted in any way. A good program for
this job is gtui (found at http://surf.to/phax). Now run gtui
and let it check the file.

- [NotePro.exe] -----
    DOS executable file - 643072 bytes
 
    Portable executable (starting at 256 for 642816 bytes)
      Packer: ASPack 1.07b
      Calculated entrypoint: 542443 / 000846EBh  (RVA: 000852EBh)

Packer ASPack v1.07b .. okay, now we have to unpack it, and if
you read Vaczine #2 - Cracking for advanced #2 you know how to unpack
a file that has been packed with ASPack. But I'll be nice and tell you
how to do it. I won't go into details ..

Start ProcDump and press the PE Editor button, then load NotePro.exe.
Now press the Sections button and change the CODE Characteristics from
C0000040 to E0000020. You can do that by right-clicking on CODE.
Press OK until you exit ProcDump.
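The two Characteristics values above are just bit masks from the PE/COFF section header, and a packed file usually gives itself away in exactly this header: a section called CODE marked as read/write data, an RWX section belonging to the packer, and an entry point that sits in that extra section rather than in the real code. The script below is an added example, not part of the tutorial and not gtui or ProcDump code; it parses a PE32 header with nothing but `struct`, decodes the flag bits, and reports those packer indicators. The PE image it inspects is constructed inline with made-up addresses (section names, RVAs, image base and file offsets are all assumptions), so it runs offline and is header-only.

```python
"""Decode PE section characteristics and spot a packer-style layout.

Added example, not code from the tutorial, gtui or ProcDump. The PE image
built by build_sample_image() is constructed with made-up values.
"""
import struct

# IMAGE_SCN_* flag bits from the PE/COFF specification (subset).
SECTION_FLAGS = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}


def decode_characteristics(value):
    """Names of the flag bits set in a section Characteristics dword."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if value & bit]


def parse_pe(data):
    """Minimal PE32 parser: entry point RVA, image base and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics.
    _, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (magic 0x10B) is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsections):
        off = opt + opt_size + 40 * i
        name, vsize, va, rawsize, rawptr, _, _, _, _, chars = struct.unpack_from(
            "<8sIIIIIIHHI", data, off)
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va, "vsize": vsize,
                         "raw_ptr": rawptr, "raw_size": rawsize, "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def rva_to_file_offset(pe, rva):
    """Map an RVA to a file offset via the section that contains it (None if none)."""
    for s in pe["sections"]:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["raw_size"]):
            return rva - s["va"] + s["raw_ptr"]
    return None


def packer_indicators(pe):
    """Header-only heuristics an analyst checks before trusting a disassembly."""
    findings = []
    entry_section = None
    for s in pe["sections"]:
        if s["va"] <= pe["entry_rva"] < s["va"] + max(s["vsize"], s["raw_size"]):
            entry_section = s
        if s["name"].upper() in ("CODE", ".TEXT") and not s["chars"] & 0x20000000:
            findings.append("code section %s lacks IMAGE_SCN_MEM_EXECUTE" % s["name"])
        if s["chars"] & 0xE0000000 == 0xE0000000:
            findings.append("section %s is readable, writable and executable" % s["name"])
    if entry_section is None:
        findings.append("entry point RVA is outside every section")
    elif entry_section is not pe["sections"][0]:
        findings.append("entry point is in %s, not the first section" % entry_section["name"])
    return findings


def build_sample_image():
    """Constructed PE32 headers with a packer-style layout (all values made up)."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x010F)
    # Magic, linker ver, SizeOfCode, SizeOfInitData, SizeOfUninitData,
    # AddressOfEntryPoint, BaseOfCode, BaseOfData, ImageBase; rest zero-padded.
    opt = struct.pack("<HBBIIIIIII", 0x10B, 2, 25, 0x1000, 0x1000, 0,
                      0x3000, 0x1000, 0x2000, 0x400000)
    opt += b"\0" * (224 - len(opt))
    # CODE marked C0000040 (initialized data, R/W, no execute), as in the tutorial.
    sec1 = struct.pack("<8sIIIIIIHHI", b"CODE", 0x1000, 0x1000, 0x200, 0x400,
                       0, 0, 0, 0, 0xC0000040)
    # The unpacking stub: RWX (E0000020) and holding the entry point.
    sec2 = struct.pack("<8sIIIIIIHHI", b".aspack", 0x1000, 0x3000, 0x200, 0x600,
                       0, 0, 0, 0, 0xE0000020)
    return dos + b"PE\0\0" + coff + opt + sec1 + sec2


if __name__ == "__main__":
    pe = parse_pe(build_sample_image())
    print("entry VA %08X, file offset %X" % (pe["image_base"] + pe["entry_rva"],
                                              rva_to_file_offset(pe, pe["entry_rva"])))
    for s in pe["sections"]:
        print("%-8s %08X %s" % (s["name"], s["chars"], decode_characteristics(s["chars"])))
    for f in packer_indicators(pe):
        print("!", f)
```

Running it on a real file means reading the bytes from disk instead of calling `build_sample_image()`; the section-table walk and the three heuristics are the same. These checks are cheap enough to run over every binary in an incident triage and will flag most off-the-shelf packers, though a packer can of course set sane flags, so treat a clean header as no evidence rather than as proof.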

Load SoftICE Loader, press ctrl+o and find NotePro.exe, then load the
module (Module->Load) and SoftICE will appear. Press F10 until you come
to the first PUSHAD. It will look like this:

.0059E000: 60                           pushad

You are here .. now just press F10 until you reach the opposite of PUSHAD,
and that's POPAD.

.0059E001: E800000000                   call     .00059E006   ---- (1)
.0059E006: 5D                           pop       ebp
.0059E007: 81ED3ED94300                 sub       ebp,00043D93E ;" C>"
.0059E00D: B838D94300                   mov       eax,00043D938 ;" C8"
.0059E012: 03C5                         add       eax,ebp
.0059E014: 2B850BDE4300                 sub       eax,[ebp][00043DE0B]
.0059E01A: 898517DE4300                 mov       [ebp][00043DE17],eax
.0059E020: 80BD01DE430000               cmp       b,[ebp][00043DE01],000
.0059E027: 7515                         jne      .00059E03E   ------ (2)
.0059E029: FE8501DE4300                 inc       b,[ebp][00043DE01]
.0059E02F: E81D000000                   call     .00059E051   ------ (3)
.0059E034: E879020000                   call     .00059E2B2   ------ (4)
.0059E039: E812030000                   call     .00059E350   ------ (5)
.0059E03E: 8B8503DE4300                 mov       eax,[ebp][00043DE03]
.0059E044: 038517DE4300                 add       eax,[ebp][00043DE17]
.0059E04A: 8944241C                     mov       [esp][0001C],eax
.0059E04E: 61                           popad

Right here ... now the 3 calls are the "magic" of ASPack .. but who cares,
we just don't care about those. When you're at POPAD, write down eax.
You're going to need this, because it's the real entry point of the file
we're going to dump soon. Press F10 again.

.0059E04F: FFE0                         jmp       eax

Okay .. this was the unpacking routine, but we don't want the program to
do anything more. So we make a loop. When you're at JMP EAX type 'a eip';
eip is the place you are .. the offset .. the opcode that is about to be
executed. When you have typed 'a eip', write 'jmp eip'; that
makes the program jump to this place all the time. In Pascal that would
have been

lab:
  goto lab;

Now the program just loops forever, so now is a good time to dump it.
Start ProcDump again and scroll down the task list. Find NotePro.exe,
right-click it, and choose Dump (Full). Now it asks you
for a name for the dumped file; I just write dump.exe.

Just close the NotePro.exe that is still looping forever ;)
ctrl+alt+delete, choose the program and close it ..

Cewl .. now you have unpacked the file and beaten ASPack :)
The only thing you're missing now is the right entry point, because if you
try executing the file as it is now, it will definitely hang the computer
or at least give an error .... well, sometimes you're lucky and it has the
right entry point .. try it out ;) If it doesn't work, do this:

Start ProcDump and choose PE Editor. The new entry point is
EAX minus the image base. Write the new one and press OK. Does it work now?
Yeah! Cewl .. now we can get on and find that damn nag.

First make a backup of the old packed file, and make one copy of the new
unpacked file for W32Dasm and one in case we screw it up ;)
Now we have notepro.old, notepro.w32, notepro.exe and notepro.bac.

Gosh! It takes too long to load in W32Dasm .. try pressing the ALT key
while it's loading .. does it go faster?? Yeah .. dunno why, but it does!
Found this error (???) while multitasking .. alt+tab .. so now
you know it too :) Darn, 36454 calls and 48404 jumps .. well, it's a big file.

Now, you remembered to write down the nag message, didn't you?? :)
Search for it in Strn Refs ... Refs->Strings ..
I found it here:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005067F4(U), :0050683C(U), :00506874(U)
|
:00506879 803E01                  cmp byte ptr [esi], 01
:0050687C A198BD5300              mov eax, dword ptr [0053BD98]
:00506881 0F9400                  sete byte ptr [eax]
:00506884 803E02                  cmp byte ptr [esi], 02
:00506887 0F851D010000            jne 005069AA

* Possible StringData Ref from Code Obj ->"Sorry, the trial period is
                                           over."
                                  |
:0050688D 68386A5000              push 00506A38

The first thing that comes to mind is to patch those 3 unconditional
jumps, but let's see what it actually does here. It checks if the byte
at [esi] is 02 and if it is, it will display the nag.
So we could just make the byte at [esi] be 01.

But if you check at 506876 it actually moves 01 into [esi], so we just
have to get ourselves there. Okay .. let's see how we can do this.

:005067EF 7508                    jne 005067F9
:005067F1 C60602                  mov byte ptr [esi], 02
:005067F4 E980000000              jmp 00506879

Here is the first jump; let's patch 5067EF so it doesn't put 02 into [esi].

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005067EF(C)
|
:005067F9 8D45FC                  lea eax, dword ptr [ebp-04]

So now we are here ... let's trace a little further.

:005067FC B901000000              mov ecx, 00000001
:00506801 BA01000000              mov edx, 00000001
:00506806 E821DBEFFF              call 0040432C
:0050680B 33D2                    xor edx, edx
:0050680D 8B45FC                  mov eax, dword ptr [ebp-04]
:00506810 E8E3B5F7FF              call 00481DF8
:00506815 8B156CC05300            mov edx, dword ptr [0053C06C]
:0050681B 8902                    mov dword ptr [edx], eax
:0050681D A16CC05300              mov eax, dword ptr [0053C06C]
:00506822 833800                  cmp dword ptr [eax], 00000000
:00506825 7412                    je 00506839

Here is the next je/jne .. this jumps to "mov byte ptr [esi], 02"
and we don't want that. So we patch it to nops .. 90 90.

:00506827 A16CC05300              mov eax, dword ptr [0053C06C]
:0050682C 8B00                    mov eax, dword ptr [eax]
:0050682E 3B45F8                  cmp eax, dword ptr [ebp-08]
:00506831 740B                    je 0050683E
:00506833 837DF8FE                cmp dword ptr [ebp-08], FFFFFFFE
:00506837 7405                    je 0050683E

Here it will jump near the "mov byte ptr [esi], 01", so let's jump it.


:0050683E E8413FF0FF              call 0040A784

So we land here .. close :) All we have to do now is get to 50686F,
because that's where it puts 01 into [esi].

:00506843 E830C4EFFF              call 00402C78
:00506848 A354BB5300              mov dword ptr [0053BB54], eax
:0050684D A16CC05300              mov eax, dword ptr [0053C06C]
:00506852 8B00                    mov eax, dword ptr [eax]
:00506854 2B0554BB5300            sub eax, dword ptr [0053BB54]
:0050685A A334BB5300              mov dword ptr [0053BB34], eax
:0050685F 833D34BB530020          cmp dword ptr [0053BB34], 00000020
:00506866 7F09                    jg 00506871

Hmmm, don't wanna go to that one .. it puts 02 into [esi] .. nop it.


:00506868 833D34BB530001          cmp dword ptr [0053BB34], 00000001
:0050686F 7D05                    jge 00506876


And we're finally there .. jump this and it will go to mov [esi],01.
Hope you're with me here ;) All we're doing now is finding the first
jump to the "bad" code, where it displays the "sorry, the trial period
is over". It will only display the nag screen if [esi] is 02; if
it isn't 02 it won't display it. That's why we try not to let [esi]
become 02.

:00506876 C60601                  mov byte ptr [esi], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005067F4(U), :0050683C(U), :00506874(U)
|
:00506879 803E01                  cmp byte ptr [esi], 01
:0050687C A198BD5300              mov eax, dword ptr [0053BD98]
:00506881 0F9400                  sete byte ptr [eax]
:00506884 803E02                  cmp byte ptr [esi], 02
:00506887 0F851D010000            jne 005069AA

* Possible StringData Ref from Code Obj ->"Sorry, the trial period is
                                           over."

See? .. it moves 01 into [esi], then it checks if [esi] is 02, and it
isn't because we just changed it into 01, so now it won't display it.

Okay .. that was the first section. Now we have to make sure that it
doesn't put 02 into [esi]. We *know* that it will jump to 5069AA because
[esi] isn't 02. So let's check what's there:

:005069AA 837DF800                cmp dword ptr [ebp-08], 00000000
:005069AE 7416                    je 005069C6
:005069B0 803E02                  cmp byte ptr [esi], 02
:005069B3 7511                    jne 005069C6

Okay, it checks again .. jump if [esi] is not equal to 02, and it should
be 01. So let's make it jump at 5069B3.

:005069C6 837DF8FE                cmp dword ptr [ebp-08], FFFFFFFE
:005069CA 7512                    jne 005069DE
:005069CC 803E01                  cmp byte ptr [esi], 01
:005069CF 750D                    jne 005069DE

Now it checks if [esi] is 01. We want it to be 01. It says if [esi] is
not equal, jump to 5069DE. So let's nop those two jne's.

:005069D1 8B156CC05300            mov edx, dword ptr [0053C06C]
:005069D7 33C0                    xor eax, eax
:005069D9 E8E6F9FFFF              call 005063C4

This should be it. A rather hard way of doing it, but it's easier to use
the program's own code than to make up your own ;)

-wOODY^dRN

