*************************************************************************************************TITLE:
Cracking tutorial for WebWhacker 5.0 
*************************************************************************************************
BEST VIEWED:
Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED:
Ollydbg v1.09d
*************************************************************************************************TARGET:
ww.exe & ix.dll
*************************************************************************************************LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d http://www.grinders.withernsea.com/tools/odbg109d.rar
WebWhacker 5.0  http://www.grinders.withernsea.com/tools/WebWhacker5Setup.rar
*************************************************************************************************
CONTACT INFORMATION:
vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN:
05/03/2004
*************************************************************************************************
AUTHOR:
Pompeyfan
*************************************************************************************************

Okay,lets attack our target, open Olly, and if you haven't done so already, to make things easier for yourself, right click, select appearance/highlighting/jumps'n'calls, makes things so much easier to follow.

Now I tried finding a valid serial for quite a while, but to no avail, so what we are going to do is crack the trial period so that it never expires.

Firstly though, I registered the thing, so at least you don't keep getting asked to register the damn thing everytime you open the program, pretty easily done over the net, give any details you like really.

Now, on with the crack!!!

Open ww.exe in Olly, and you land here:

0045E42C >/$ 55             PUSH EBP

Press F9 run, and you get an evaluation notice telling you how many days you have left, lets just click back on the Olly cpu screen, then F12 (pause), and Alt & K to bring up the call stack:

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from                   Frame
0012F2E8   77D43A09   Includes 7FFE0304                     USER32.77D43A07               0012F30C
0012F2EC   77D443B5   USER32.77D439FD                       USER32.77D443B0               0012F30C
0012F310   10058ACD   USER32.GetMessageA                    IX.10058AC7                   0012F30C
0012F314   1007F890     pMsg = IX.1007F890
0012F318   00000000     hWnd = NULL
0012F31C   00000000     MsgFilterMin = 0
0012F320   00000000     MsgFilterMax = 0
0012F32C   1005646D   Includes IX.10058ACD                  IX.1005646A
0012F350   10053A22   IX.10056393                           IX.10053A1D
0012F38C   1001211D   ? IX.10053941                         IX.10012118
0012F87C   10020998   IX.10011EB0                           IX.10020993
0012F8A4   004158F0   Includes IX.10020998                  WW.004158ED
0012F8C0   00449AAB   WW.004158D0                           WW.00449AA6
0012F934   0044911B   WW.004497D0                           WW.00449116
0012F938   0012F8D4     Arg1 = 0012F8D4
0012FF14   004B6D0D   Includes WW.0044911B                  WW.004B6D0A
0012FF24   004AA9DC   ? WW.004B6CC6                         WW.004AA9D7
0012FF38   0045E50C   ? WW.004AA9C7                         WW.<ModuleEntryPoint>+0DB

Okay, looks to me like the real checking is done in the ix.dll file, now lets click on the E on your toolbar or Alt & E (whichever you prefer), bring up the active modules, then double click on ix.dll, now Right click/search for all referenced text strings, funny thing is a text search for "trial" and "evaluation" bring up nothing.

Okay, try this, bring up your active modules again, now right click on ix.dll, and select view resource strings, ah looks more interesting eh!!!

This line looks interesting:

Resource strings in module IX, item 41
 Address=10094BFA
 Index= 5260 (21088.)
 Language=0409 English (US)
 String=Your evaluation period has expired.

Unfortunately you have no easy way of going from here to find all references for the command, best bet is to take note of the index number (5260), then go back to the cpu window and right click/search for/all sequences and type in the box "PUSH 5260", without the quotation marks, and click on find, and you get this:

Found sequences
Address    Disassembly                               Comment
10001000   PUSH -1                                   (Initial CPU selection)
10016CE4   PUSH 5260
10016D04   PUSH 5260
10016D37   PUSH 5260

Okay, double click on the first one, and it takes you here:

10016CE4   68 60520000      PUSH 5260

Okay, I played around with this section for ages, and I could get rid of evaluation notice, but whenever you put your clock forward, you get the expired message, even if you try and bypass all the push 5260 messages, so I decided I needed to dig deeper, look further up to here:

10016C71   E8 5A83FFFF      CALL IX.GetEvalTimeRemaining

Left click on it once, and in the little window below, you see 1000EFD0=IX.GetEvalTimeRemaining

Okay, right click/go to expression and enter 1000EFD0, and you are here:

1000EFD0 > 56               PUSH ESI

Then on this line, right click/find references to selected command, and you get this:

References in IX:.text to GetEvalTimeRemaining
Address    Disassembly                               Comment
1000EDD9   CALL IX.GetEvalTimeRemaining
1000EFD0   PUSH ESI                                  (Initial CPU selection)
100126B1   CALL IX.GetEvalTimeRemaining
10012710   CALL IX.GetEvalTimeRemaining
10016C71   CALL IX.GetEvalTimeRemaining

Now double click on the first line, and you are here:

1000EDD9   E8 F2010000      CALL IX.GetEvalTimeRemaining
1000EDDE   85C0             TEST EAX,EAX
1000EDE0   77 05            JA SHORT IX.1000EDE7
1000EDE2   800E 10          OR BYTE PTR DS:[ESI],10
1000EDE5   EB 03            JMP SHORT IX.1000EDEA
1000EDE7   8026 EF          AND BYTE PTR DS:[ESI],0EF
1000EDEA   56               PUSH ESI
1000EDEB   E8 30000000      CALL IX.GetIsPurchased
1000EDF0   85C0             TEST EAX,EAX
1000EDF2   74 11            JE SHORT IX.1000EE05
1000EDF4   66:8B06          MOV AX,WORD PTR DS:[ESI]
1000EDF7   24 F7            AND AL,0F7
1000EDF9   0C 20            OR AL,20
1000EDFB   66:8906          MOV WORD PTR DS:[ESI],AX
1000EDFE   5E               POP ESI
1000EDFF   0FBFC0           MOVSX EAX,AX
1000EE02   C2 0400          RETN 4

Okay, I played around with this a bit, but to test it out, you have to make changes permanent, or they will be lost when you restart program ( so back up your ix.dll file, so you can restore it if changes don't work out), so firstly try nopping the jump at 1000EDE0, obviously to make it permanent you have to then Right click/copy to executable/all modifications/copy all, and then right click on new box that comes up/save file, double click on the file to overwrite and select yes to overwrite.

P.S. For any newbies, to nop this jump, left click on the line once, then right click/binary/fill with nops.
 
Now, restart Olly (Ctrl & F2), then F9 (run), and you get the message "WebWhacker encountered error WS0345. Please contact, bla, bla, bla", lets just click back on the Olly cpu screen, then F12 (pause), and Alt & K to bring up the call stack:

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from                   Frame
0012F2BC   77D43C53   Includes 7FFE0304                     USER32.77D43C51               0012F2F0
0012F2C0   77D4B3F2   USER32.WaitMessage                    USER32.77D4B3ED               0012F2F0
0012F2F4   77D4D9A0   USER32.77D4B265                       USER32.77D4D99B               0012F2F0
0012F31C   77D6AE8E   USER32.77D4D8EC                       USER32.77D6AE89               0012F318
0012F5D4   77D6A911   ? USER32.SoftModalMessageBox          USER32.77D6A90C               0012F55C
0012F71C   77D6AFD5   ? USER32.77D6A7D7                     USER32.77D6AFD0               0012F6A4
0012F774   77D6B0BD   USER32.MessageBoxTimeoutW             USER32.77D6B0B8               0012F770
0012F7A8   77D6B04A   ? USER32.MessageBoxTimeoutA           USER32.77D6B045               0012F7A4
0012F7C8   77D6B02E   ? USER32.MessageBoxExA                USER32.77D6B029               0012F7C4
0012F7CC   00000000     hOwner = NULL
0012F7D0   00511BE8     Text = "WebWhacker encountered err
0012F7D4   012023F8     Title = "WebWhacker"
0012F7D8   00000030     Style = MB_OK|MB_ICONEXCLAMATION|M
0012F7DC   00000000     LanguageID = 0 (LANG_NEUTRAL)
0012F7E0   004BBDEB   ? USER32.MessageBoxA                  WW.004BBDE5
0012F7E4   00000000     hOwner = NULL
0012F7E8   00511BE8     Text = "WebWhacker encountered err
0012F7EC   012023F8     Title = "WebWhacker"
0012F7F0   00000030     Style = MB_OK|MB_ICONEXCLAMATION|M

Okay, it is generated by ww.exe, no mention of ix.dll here, so I restart ww.exe (ctrl & F2), then right click/search for all referenced text strings, then left click on 1st line once, then right click/ search for text, and enter "WS0345", without the quotation marks, and you get this:

Text strings referenced in WW:.text, item 670
 Address=004490C4
 Disassembly=PUSH WW.00511BE8
 Text string=ASCII "WebWhacker encountered error WS0345.
Please contact Blue Squirrel for assistance.
(801)352-1551"

Double click on this, and you are here:

004490C4   . 68 E81B5100    PUSH WW.00511BE8                         ; |Arg1 = 00511BE8 ASCII "WebWhacker encountered error WS0345.
Please contact Blue Squirrel for assistance.
(801)352-1551"

Here is the relevant section of code to work on:

00449094   > 50             PUSH EAX                                 ; /Arg1
00449095   . 8D4C24 68      LEA ECX,DWORD PTR SS:[ESP+68]            ; |
00449099   . E8 523CFEFF    CALL WW.0042CCF0                         ; \WW.0042CCF0
0044909E   . 84C0           TEST AL,AL
004490A0   . 74 1E          JE SHORT WW.004490C0
004490A2   . B1 01          MOV CL,1
004490A4   . 33C0           XOR EAX,EAX
004490A6   > 84C9           TEST CL,CL
004490A8   . 74 16          JE SHORT WW.004490C0
004490AA   . 8A5404 64      MOV DL,BYTE PTR SS:[ESP+EAX+64]
004490AE   . 3A5404 48      CMP DL,BYTE PTR SS:[ESP+EAX+48]
004490B2   . 74 02          JE SHORT WW.004490B6
004490B4   . 32C9           XOR CL,CL
004490B6   > 40             INC EAX
004490B7   . 83F8 10        CMP EAX,10
004490BA   .^72 EA          JB SHORT WW.004490A6
004490BC   . 84C9           TEST CL,CL
004490BE   . 75 51          JNZ SHORT WW.00449111
004490C0   > 6A 00          PUSH 0                                   ; /Arg3 = 00000000
004490C2   . 6A 00          PUSH 0                                   ; |Arg2 = 00000000
004490C4   . 68 E81B5100    PUSH WW.00511BE8                         ; |Arg1 = 00511BE8 ASCII "WebWhacker encountered error WS0345.
Please contact Blue Squirrel for assistance.
(801)352-1551"
004490C9   . E8 4C2D0700    CALL WW.004BBE1A                         ; \WW.004BBE1A

OKay, my guess is that we want to jump to oo449111 to avoid the error message, so lets nop the jumps at 004490A0, 004490A8, 004490B2 & 004490BA , then change the JNZ at 004490BE to JMP, seems to easy a solution, but guess what, it fucking works!!!

P.S. For any newbies, to nop these jumps, left click on each line once, then right click/binary/fill with nops. Then to alter the JNZ to JMP, left click once on the line, then Right click/Assemble, make the changes & hit assemble, then close the box.

Okay, restart Olly (Ctrl & F2), press F9 (run), oh shit we still get the evaluation notice, lets go back to that section of code we had before, in particular:

1000EDEB   E8 30000000      CALL IX.GetIsPurchased
1000EDF0   85C0             TEST EAX,EAX
1000EDF2   74 11            JE SHORT IX.1000EE05
1000EDF4   66:8B06          MOV AX,WORD PTR DS:[ESI]
1000EDF7   24 F7            AND AL,0F7
1000EDF9   0C 20            OR AL,20
1000EDFB   66:8906          MOV WORD PTR DS:[ESI],AX
1000EDFE   5E               POP ESI
1000EDFF   0FBFC0           MOVSX EAX,AX
1000EE02   C2 0400          RETN 4
1000EE05   66:8B0E          MOV CX,WORD PTR DS:[ESI]

OKay, I think this line is the culprit:

1000EDF2   74 11            JE SHORT IX.1000EE05

It jumps beyond the RETN 4, so lets try nopping it (by now even the newbies should be able to do this).

NOw lets restart ww.exe in Olly (Ctrl & F2), then F9 run, okay so we hit access violations, so bloody what, just shift and F9 twice and program opens, no evaluation screen, sounds prommising!.

Okay, put your clock forward a month or a year, whatever you like, and open ww.exe, voila!, opens fine and is fully functional, well done cracker!!!

Funny thing is, if you noticed above, when I did a search above for References in IX:.text to GetEvalTimeRemaining, their was mention of other calls, those being:

100126B1   CALL IX.GetEvalTimeRemaining
10012710   CALL IX.GetEvalTimeRemaining
10016C71   CALL IX.GetEvalTimeRemaining

But we only needed to change the first one, 1000EDD9   CALL IX.GetEvalTimeRemaining, to kill the trial, I thought I would have to mess with all these. I guess if any problems develop down the track, these calls would be the place to look.

And remember, if you use the program, buy it ,software developers rely on the income from sales to keep going, if nobody buys, no new software would be developed.

*************************************************************************************************
SHOUTZ AND GREETZ:

To exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Kruger, Satyric0n, R@dier, LaBBa, Nilrem & Ferarri whoose tuts have helped me more than any others , Ollydbg, my brother for asking me to crack this application, and the authors of WebWhacker 5.0.

*************************************************************************************************