*************************************************************************************************TITLE: Cracking tutorial for PDF2Word/PDF2RTF v1.3 ************************************************************************************************* BEST VIEWED: Notepad with word wrap enabled, and in restored window mode ************************************************************************************************* TOOLS USED: Ollydbg v1.09d *************************************************************************************************TARGET: pdf2rtf.exe *************************************************************************************************LOCATION OF TOOLS AND PROGRAM: Ollydbg v1.09d http://grinders.withernsea.com/tools/odbg109d.rar PDF2Word/PDF2RTF v1.3 http://grinders.withernsea.com/tools/pdf2word_v3.1.rar ************************************************************************************************* CONTACT INFORMATION: vinceandjane@hotmail.com ************************************************************************************************* TUTORIAL WRITTEN: 03/03/2004 ************************************************************************************************* AUTHOR: Pompeyfan ************************************************************************************************* Okay,lets attack our target, open Olly, and if you haven't done so already, to make things easier for yourself, right click, select appearance/highlighting/jumps'n'calls, makes things so much easier to follow. Open pdf2rtf.exe in Olly, and you land here: 00443CFC >/$ 55 PUSH EBP Press F9 run Up comes PDF2Word with a dialogue box, enter your email and fake serial number, I used pompeyfan@pompeyfan.com.au and all 7's, and then hit okay, and of course we guessed wrong, we get the message ""Series number error, bla, bla bla", click once on CPU screen, then F12 (pause), then Alt & K to bring up the call stack screen, and you get: Call stack of main thread Address Stack Procedure / arguments Called from Frame 0012EC7C 77D43C53 Includes 7FFE0304 USER32.77D43C51 0012ECB0 0012EC80 77D4B3F2 USER32.WaitMessage USER32.77D4B3ED 0012ECB0 0012ECB4 77D4D9A0 USER32.77D4B265 USER32.77D4D99B 0012ECB0 0012ECDC 77D6AE8E USER32.77D4D8EC USER32.77D6AE89 0012ECD8 0012EF94 77D6A911 ? USER32.SoftModalMessageBox USER32.77D6A90C 0012EF1C 0012F0DC 77D6AFD5 ? USER32.77D6A7D7 USER32.77D6AFD0 0012F064 0012F134 77D6B0BD USER32.MessageBoxTimeoutW USER32.77D6B0B8 0012F130 0012F168 77D6B04A ? USER32.MessageBoxTimeoutA USER32.77D6B045 0012F164 0012F188 77D6B02E ? USER32.MessageBoxExA USER32.77D6B029 0012F184 0012F18C 0007024E hOwner = 0007024E ('Please registe 0012F190 004662D4 Text = "Series number error, pleas 0012F194 00000000 Title = NULL 0012F198 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLM 0012F19C 00000000 LanguageID = 0 (LANG_NEUTRAL) 0012F1A0 00429757 ? USER32.MessageBoxA pdf2rtf.00429751 0012F1A4 0007024E hOwner = 0007024E ('Please registe 0012F1A8 004662D4 Text = "Series number error, pleas 0012F1AC 00000000 Title = NULL 0012F1B0 00000010 Style = MB_OK|MB_ICONHAND|MB_APPLM Okay, restart the program in Olly (Ctrl & F2), in my case it froze, and I had to close Olly and re-open, anyway whatever you have to do to re-start it, then Right click/Go to expression and enter 00429751 where the error message is called from, and let us have a look at the section of code as follows: 004296D2 > 8BB424 E800000>MOV ESI,DWORD PTR SS:[ESP+E8] ; Case 1 of switch 00429648 004296D9 . 68 C8000000 PUSH 0C8 ; /Count = C8 (200.) 004296DE . B9 32000000 MOV ECX,32 ; | 004296E3 . 33C0 XOR EAX,EAX ; | 004296E5 . BF CC954600 MOV EDI,pdf2rtf.004695CC ; | 004296EA . 68 CC954600 PUSH pdf2rtf.004695CC ; |Buffer = pdf2rtf.004695CC 004296EF . 68 FB030000 PUSH 3FB ; |ControlID = 3FB (1019.) 004296F4 . 56 PUSH ESI ; |hWnd 004296F5 . F3:AB REP STOS DWORD PTR ES:[EDI] ; | 004296F7 . FF15 14774400 CALL DWORD PTR DS:[<&USER32.GetDlgItemTe>; \GetDlgItemTextA 004296FD . 68 CC954600 PUSH pdf2rtf.004695CC 00429702 . E8 09F8FFFF CALL pdf2rtf.00428F10 00429707 . 83C4 04 ADD ESP,4 0042970A . 85C0 TEST EAX,EAX 0042970C . 74 39 JE SHORT pdf2rtf.00429747 0042970E . 6A 40 PUSH 40 ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL 00429710 . 68 2C634600 PUSH pdf2rtf.0046632C ; |Title = "Thank you registered" 00429715 . 68 08634600 PUSH pdf2rtf.00466308 ; |Text = "Thank you registered pdf2word v1.3." 0042971A . 56 PUSH ESI ; |hOwner 0042971B . FF15 1C774400 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA 00429721 . 68 CC954600 PUSH pdf2rtf.004695CC 00429726 . 56 PUSH ESI 00429727 . E8 54F9FFFF CALL pdf2rtf.00429080 0042972C . 83C4 08 ADD ESP,8 0042972F . C705 94964600 >MOV DWORD PTR DS:[469694],1 00429739 . 6A 01 PUSH 1 ; /Result = 1 0042973B . 56 PUSH ESI ; |hWnd 0042973C . FF15 18774400 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog 00429742 . E9 EB010000 JMP pdf2rtf.00429932 00429747 > 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL 00429749 . 6A 00 PUSH 0 ; |Title = NULL 0042974B . 68 D4624600 PUSH pdf2rtf.004662D4 ; |Text = "Series number error, please check it and try again." 00429750 . 56 PUSH ESI ; |hOwner 00429751 . FF15 1C774400 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA 00429757 . 68 FB030000 PUSH 3FB ; /ControlID = 3FB (1019.) Okay, click on this line, it is the start of the routine that leads to the bad cracker message (notice the > symbol): 00429747 > 6A 10 PUSH 10 ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL Also note in the window below the conditional jump at 0042970C can jump to this line. The next little routine starts up here: 004296D2 > 8BB424 E800000>MOV ESI,DWORD PTR SS:[ESP+E8] ; Case 1 of switch 00429648 Lets put a breakpoint on this line, left click on this line once then press F2 to toggle your breakpoint. Now press F9 (run), and enter your details again: Okay, Olly breaks, now what is this appearing at the following line: 004296E5 . BF CC954600 MOV EDI,pdf2rtf.004695CC ; |ASCII "DCBA98765432DYIW" And this line: 004296FD . 68 CC954600 PUSH pdf2rtf.004695CC ; ASCII "DCBA98765432DYIW" And if you trace down with F8 to here: 004296FD . 68 CC954600 PUSH pdf2rtf.004695CC ; ASCII "777777777777777777777777777777777" Bingo I reckon, now close Olly, open pdf2rtf.exe, enter your details, bugger still get the error message, okay lets reverse the conditional jump, surely it will then accept any serial, by that I mean this line: 0042970C . 74 39 JE SHORT pdf2rtf.00429747 -> change to JNE Okay, left click once on this line, then Right click/assemble, make your change and hit assemble, then close this box. Then Right click/copy to executable/all modifications/copy all, and then right click on new box that comes up/save file, double click on the file to overwrite and select yes to overwrite. Okay, enter your details, and you get the thank you registered message, click on help/about, right that shows registered too, looks like all is well. Hang on a minute, you open it again and you are unregistered, what the!!!! Okay look further down to this section of code: 00429867 > 8BB424 E800000>MOV ESI,DWORD PTR SS:[ESP+E8] ; Case 110 (WM_INITDIALOG) of switch 0042961F 0042986E . 68 20624600 PUSH pdf2rtf.00466220 ; /Text = "Please register pdf2word v1.3" 00429873 . 56 PUSH ESI ; |hWnd 00429874 . FF15 28774400 CALL DWORD PTR DS:[<&USER32.SetWindowTex>; \SetWindowTextA 0042987A . 68 CC954600 PUSH pdf2rtf.004695CC 0042987F . E8 1CFCFFFF CALL pdf2rtf.004294A0 00429884 . 83C4 04 ADD ESP,4 00429887 . 8D5424 10 LEA EDX,DWORD PTR SS:[ESP+10] 0042988B . C605 DC954600 >MOV BYTE PTR DS:[4695DC],0 00429892 . 68 CC954600 PUSH pdf2rtf.004695CC ; /<%s> = "" 00429897 . 68 18624600 PUSH pdf2rtf.00466218 ; |format = "[%s]" 0042989C . 52 PUSH EDX ; |s 0042989D . FF15 38764400 CALL DWORD PTR DS:[<&MSVCRT.sprintf>] ; \sprintf 004298A3 . 8B3D 2C774400 MOV EDI,DWORD PTR DS:[<&USER32.SetDlgIte>; USER32.SetDlgItemTextA 004298A9 . 83C4 0C ADD ESP,0C 004298AC . 8D4424 10 LEA EAX,DWORD PTR SS:[ESP+10] 004298B0 . 50 PUSH EAX ; /Text 004298B1 . 68 FE030000 PUSH 3FE ; |ControlID = 3FE (1022.) 004298B6 . 56 PUSH ESI ; |hWnd 004298B7 . FFD7 CALL EDI ; \SetDlgItemTextA 004298B9 . E8 72FAFFFF CALL pdf2rtf.00429330 004298BE . 85C0 TEST EAX,EAX 004298C0 75 15 JNZ SHORT pdf2rtf.004298D7 004298C2 . 6A 01 PUSH 1 ; /Result = 1 004298C4 . 56 PUSH ESI ; |hWnd 004298C5 . C705 94964600 >MOV DWORD PTR DS:[469694],1 ; | 004298CF . FF15 18774400 CALL DWORD PTR DS:[<&USER32.EndDialog>] ; \EndDialog 004298D5 . EB 1A JMP SHORT pdf2rtf.004298F1 004298D7 > 68 A4954600 PUSH pdf2rtf.004695A4 004298DC . 68 FB030000 PUSH 3FB 004298E1 . 56 PUSH ESI 004298E2 . FFD7 CALL EDI 004298E4 . 68 44634600 PUSH pdf2rtf.00466344 ; ASCII "Please register pdf2word v1.3!" You have another test here: 004298BE . 85C0 TEST EAX,EAX 004298C0 75 15 JNZ SHORT pdf2rtf.004298D7 Which of course leads to the please register message, let's change the first line to XOR EAX,EAX so that it will never jump, because EAX will always equal zero. Best way to test it is to restart the program in Olly, then go to this line and change it, before you hit F9 (run), we try that and it works fine (no message asking us to register), check the Help/about and it shows registered, okay make the changes permanent, Right click/copy to executable/all modifications/copy all, and then right click on new box that comes up/save file, double click on the file to overwrite and select yes to overwrite. Just to make absolutely sure, close Olly, open the application, and Voila!, no message asking us to register, check help/about and it shows registered, well done cracker!!! And remember, if you use the program, buy it ,software developers rely on the income from sales to keep going, if nobody buys, no new software would be developed. ************************************************************************************************* SHOUTZ AND GREETZ: To exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Kruger, Satyric0n, R@dier, LaBBa, Nilrem & Ferarri whoose tuts have helped me more than any others , Ollydbg, and the authors of PDF2Word/PDF2RTF. *************************************************************************************************