*************************************************************************************************
TITLE: Cracking tutorial for PDF Extract TIFF v1.3
*************************************************************************************************
BEST VIEWED: Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED: Ollydbg v1.09d
*************************************************************************************************
TARGET: pdf2tiff.exe
*************************************************************************************************
LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d         http://www.grinders.withernsea.com/tools/Ollydbg/odbg109d.rar
PDF Extract TIFF v1.3  http://www.grinders.withernsea.com/tools/pdf2tif.rar
*************************************************************************************************
CONTACT INFORMATION: vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN: 15/03/2004
*************************************************************************************************
AUTHOR: Pompeyfan
*************************************************************************************************

The protection for this program is similar to that of PDF2TEXT, which I covered in my last tutorial; however, I have done this tut because the code where you patch is a bit more complicated. If you first open your target, you will see a dialogue asking you to input a series number, or if you want you can click on Try, and it then tells you that you have 100 uses; the program opens, and you see a message that it is a trial version. Okay, close the program, and on with the crack.
Okay, let's attack our target. Open Olly, and if you haven't done so already, to make things easier for yourself, right click and select Appearance/Highlighting/Jumps'n'calls; it makes things so much easier to follow. Open pdf2tiff.exe in Olly, and you land here:

0042AC02 >/$ 55              PUSH EBP

Press F9 (run). Up comes PDF2TIFF with a dialogue box; it shows a product ID which is already computed, you just have to enter the series. I'll try all 7's and then hit OK, and of course we guessed wrong: we get the message "Series number error, bla, bla, bla". Click once on the CPU screen, then F12 (pause), then Alt & K to bring up the call stack screen, and you get:

Call stack of main thread
Address   Stack     Procedure / arguments                  Called from        Frame
0012EB3C  77D43C53  Includes 7FFE0304                      USER32.77D43C51    0012EB70
0012EB40  77D4B3F2  USER32.WaitMessage                     USER32.77D4B3ED    0012EB70
0012EB74  77D4D9A0  USER32.77D4B265                        USER32.77D4D99B    0012EB70
0012EB9C  77D6AE8E  USER32.77D4D8EC                        USER32.77D6AE89    0012EB98
0012EE54  77D6A911  ? USER32.SoftModalMessageBox           USER32.77D6A90C    0012EDDC
0012EF9C  77D6AFD5  ? USER32.77D6A7D7                      USER32.77D6AFD0    0012EF24
0012EFF4  77D6B0BD  USER32.MessageBoxTimeoutW              USER32.77D6B0B8    0012EFF0
0012F028  77D6B04A  ? USER32.MessageBoxTimeoutA            USER32.77D6B045    0012F024
0012F048  77D6B02E  ? USER32.MessageBoxExA                 USER32.77D6B029    0012F044
0012F04C  00380090  hOwner = 00380090 ('Please registe
0012F050  100172D0  Text = "Series number error, pleas
0012F054  00000000  Title = NULL
0012F058  00000010  Style = MB_OK|MB_ICONHAND|MB_APPLM
0012F05C  00000000  LanguageID = 0 (LANG_NEUTRAL)
0012F060  10001847  ? USER32.MessageBoxA                   verypdf.10001841
0012F064  00380090  hOwner = 00380090 ('Please registe
0012F068  100172D0  Text = "Series number error, pleas
0012F06C  00000000  Title = NULL
0012F070  00000010  Style = MB_OK|MB_ICONHAND|MB_APPLM

Okay, you can see from this that the dialogue box is called from one of the DLLs rather than from pdf2tiff.exe, like the PDF2TEXT program by the same author.
So, restart the program in Olly (Ctrl & F2), then Right click/Go to/Expression and enter 10001841, which is where the error message is called from, and let us have a look at the section of code, as follows:

100017F2  E8 09F8FFFF         CALL verypdf.10001000
100017F7  83C4 04             ADD ESP,4
100017FA  85C0                TEST EAX,EAX
100017FC  74 39               JE SHORT verypdf.10001837
100017FE  6A 40               PUSH 40
10001800  68 30730110         PUSH verypdf.10017330                      ; ASCII "Thank you registered"
10001805  68 04730110         PUSH verypdf.10017304                      ; ASCII "Thank you registered PDFExtractTIFF v1.3."
1000180A  56                  PUSH ESI
1000180B  FF15 34330110       CALL DWORD PTR DS:[<&USER32.MessageBoxA>]  ; USER32.MessageBoxA
10001811  68 20A80110         PUSH verypdf.1001A820
10001816  56                  PUSH ESI
10001817  E8 04F9FFFF         CALL verypdf.10001120
1000181C  83C4 08             ADD ESP,8
1000181F  C705 E8A80110 01>   MOV DWORD PTR DS:[1001A8E8],1
10001829  6A 01               PUSH 1
1000182B  56                  PUSH ESI
1000182C  FF15 30330110       CALL DWORD PTR DS:[<&USER32.EndDialog>]    ; USER32.EndDialog
10001832  E9 75020000         JMP verypdf.10001AAC
10001837  6A 10               PUSH 10
10001839  6A 00               PUSH 0
1000183B  68 D0720110         PUSH verypdf.100172D0                      ; ASCII "Series number error, please check it and try again."

Okay, at the start of this section of code above, you can see a call, followed by an ADD ESP,4 and a TEST, then a conditional jump which decides whether you get the good boy or the bad boy message, again like PDF2TEXT.
You will find that if you reverse the conditional jump you will get a good boy message, but on opening the program next time you will be asked to register again. Of course we have to patch it at the deepest level possible, so let's go inside the call at 100019E4; we want it to return a value for EAX which isn't zero, so then it won't jump. Right click/Go to/Expression and enter 10001170, and you are here:

10001000  83EC 18             SUB ESP,18
10001003  8B4424 1C           MOV EAX,DWORD PTR SS:[ESP+1C]
10001007  56                  PUSH ESI
10001008  8A08                MOV CL,BYTE PTR DS:[EAX]
1000100A  8A50 0F             MOV DL,BYTE PTR DS:[EAX+F]
1000100D  884C24 10           MOV BYTE PTR SS:[ESP+10],CL
10001011  8D4424 04           LEA EAX,DWORD PTR SS:[ESP+4]
10001015  32C9                XOR CL,CL
10001017  50                  PUSH EAX
10001018  884C24 15           MOV BYTE PTR SS:[ESP+15],CL
1000101C  885424 08           MOV BYTE PTR SS:[ESP+8],DL
10001020  884C24 09           MOV BYTE PTR SS:[ESP+9],CL
10001024  E8 DC140000         CALL verypdf.10002505
10001029  8D4C24 14           LEA ECX,DWORD PTR SS:[ESP+14]
1000102D  8BF0                MOV ESI,EAX
1000102F  51                  PUSH ECX
10001030  E8 D0140000         CALL verypdf.10002505
10001035  03F0                ADD ESI,EAX
10001037  83C4 08             ADD ESP,8
1000103A  33C0                XOR EAX,EAX
1000103C  83FE 0A             CMP ESI,0A
1000103F  0F94C0              SETE AL
10001042  5E                  POP ESI
10001043  83C4 18             ADD ESP,18
10001046  C3                  RETN

Look at the code starting at line 10001035. If we simply change the XOR EAX,EAX to INC EAX, like with PDF2TEXT, it isn't going to do the job here, as the surrounding code is different (the SETE AL that follows would overwrite AL anyway), so what if we change the code here to:

10001035  03F0                ADD ESI,EAX
10001037  83C4 08             ADD ESP,8
1000103A  83FE 0A             CMP ESI,0A
1000103D  5E                  POP ESI
1000103E  40                  INC EAX
1000103F  90                  NOP
10001040  90                  NOP
10001041  90                  NOP
10001042  90                  NOP
10001043  83C4 18             ADD ESP,18
10001046  C3                  RETN

So left click once on 1000103A, then Right click/Assemble, enter the amended code and hit Assemble, then close this box, and do the same for the other lines that need changing.
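Seen from the vendor's side, the patch above is a fixed byte change inside one routine, which is exactly what an integrity check is good at catching. The Python below is an added example, not code from this tutorial or from the PDF Extract TIFF product: the opcode bytes are transcribed from the two listings above, the code images are constructed in memory (no file is read), and the hash-based check is a generic technique, not anything the product is known to do.

```python
# Added example: detect tampering of the serial routine listed above
# (verypdf, 10001000..10001046). Byte strings are transcribed from the
# Olly listings on this page; all "images" are constructed in memory.
import hashlib

ROUTINE_BASE = 0x10001000  # address of the routine in the listing

# Original routine, one hex group per instruction, in listing order.
ORIGINAL_ROUTINE = bytes.fromhex(
    "83EC18" "8B44241C" "56" "8A08" "8A500F" "884C2410" "8D442404" "32C9"
    "50" "884C2415" "88542408" "884C2409" "E8DC140000" "8D4C2414" "8BF0"
    "51" "E8D0140000" "03F0" "83C408" "33C0" "83FE0A" "0F94C0" "5E"
    "83C418" "C3"
)

# Epilogue after the INC EAX / NOP patch described in the tutorial,
# replacing the 13 bytes from offset 0x3A (address 1000103A) onward.
PATCHED_TAIL = bytes.fromhex("83FE0A" "5E" "40" "90909090" "83C418" "C3")

# Reference digest a vendor could embed or ship for the untouched routine.
EXPECTED_SHA256 = hashlib.sha256(ORIGINAL_ROUTINE).hexdigest()


def build_patched_image() -> bytes:
    """Constructed: the routine exactly as it looks after the tutorial's patch."""
    return ORIGINAL_ROUTINE[:0x3A] + PATCHED_TAIL


def build_tampered_elsewhere() -> bytes:
    """Constructed: a different, arbitrary one-byte change outside the epilogue."""
    image = bytearray(ORIGINAL_ROUTINE)
    image[5] ^= 0x01
    return bytes(image)


def routine_intact(image: bytes) -> bool:
    """Whole-routine check: any byte change breaks the digest, not just this patch."""
    return hashlib.sha256(image).hexdigest() == EXPECTED_SHA256


def patch_signature_hits(image: bytes) -> list[int]:
    """Signature scan: offsets where the known 'INC EAX; NOP*4; ADD ESP,18; RETN' appears."""
    sig = bytes.fromhex("40" "90909090" "83C418" "C3")
    return [i for i in range(len(image)) if image.startswith(sig, i)]


def explain(image: bytes) -> str:
    """Human-readable verdict combining the digest check and the signature scan."""
    if routine_intact(image):
        return "serial routine matches reference hash"
    hits = patch_signature_hits(image)
    if hits:
        return "known patch signature at " + ", ".join(f"{ROUTINE_BASE + h:08X}" for h in hits)
    return "routine modified (no known signature)"
```

The digest catches any modification while the signature only recognises the one patch documented here, so a real check should rely on the digest; note too that a self-check living in the same module can itself be patched, which is why vendors pair it with signed updates or an out-of-process verifier.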
Now run the program (F9), enter any series number, and you get the thank you message; press OK, and the program opens without a message saying it is a trial version. Okay, make the changes permanent: Right click/Copy to executable/All modifications/Copy all, then right click on the new box that comes up/Save file, double click on the file to overwrite and select Yes to overwrite. Just to make absolutely sure, close Olly, open the application, and voila! No message asking us to register. Well done, cracker!!!

And remember, if you use the program, buy it. Software developers rely on the income from sales to keep going; if nobody buys, no new software would be developed.

*************************************************************************************************
SHOUTZ AND GREETZ: To exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Kruger, Satyric0n, R@dier, LaBBa, Nilrem & Ferarri, whose tuts have helped me more than any others, Ollydbg, and the authors of PDF Extract TIFF.
*************************************************************************************************