
View Full Version : Need help


cupidon
February 13th, 2003, 06:01
I posted a message yesterday.
I have a problem trying to crack goScreen. It seems to have a trial period, and we can enter a serial number to register.

I used SoftICE and W32DSM89.

The problem is:

when we enter a serial, no message is displayed, whether it is wrong or right.
And for the trial-period protection, just a msgbox is displayed, and when we disassemble the program no string gives any information.

I tried some APIs, GetLocalTime, ...

Heeelllp

FoolFox
February 13th, 2003, 11:30
Hello,

I've just looked for 2 minutes, so maybe my advice is not the best, and I didn't use SoftICE, but looking with OllyDbg:

Actually there is a message. Something like "take care with the way you write the message". Not found in the main exe... but you may
have to search for this string... where does the program
get it from?

But if this is not working, think of another way:


0040868D > 6A 01 PUSH 1 ; /IsShown = 1
0040868F . 6A 00 PUSH 0 ; |DefDir = NULL
00408691 . 6A 00 PUSH 0 ; |Parameters = NULL
00408693 . 68 E0524500 PUSH goScreen.004552E0 ; |FileName = "https://www.regnow.com/softsell/nph-softsell.cgi?item=1596-1"
00408698 . 68 A4524500 PUSH goScreen.004552A4 ; |Operation = "open"
0040869D . 56 PUSH ESI ; |hWnd
0040869E . FF15 40534400 CALL DWORD PTR DS:[<&SHELL32.ShellExecut>; \ShellExecuteA


What does this do? Open IE on the registration page?

Where do you go when you click the Buy button?:

h**ps://www.regnow.com/softsell/nph-softsell.cgi?item=1596-1

mmmm.....

Maybe looking around will help you: tracing back where this
part was called should land you in the section where there
is a choice, either the user presses the Buy or the Register button.
You have found one; finding the second may help you
solve your trouble.....

to find where it goes when the other button is pressed...

Regards
FoolFox

cupidon
February 17th, 2003, 05:28
Thank you for your help, but it is not really helping me.

I know now how it works: it sets a lot of information in the registry, and creates a key called RegNo where it puts the serial number.
But I am still not able to find the serial routine.
I put a bpx RegQueryValueExA but no luck (it breaks many times) and I don't find the right place.

Can you have a look to help me a little bit more?

Thanks in advance.

Cupidon.

Aimless
February 17th, 2003, 05:55
You need to change the tools. Use IDA (freeware) and a good resource editor.

If the error message is NOT in the disassembly, chances are that it is in the string table. Therefore, find the string table ID, convert it to hex and search for a relevant push.

E.g.:

....sample string table.....

0987 "Thank you for registering"
0988 "You are on the last day of your trial"
0997 "Please contact you local dealer..."
9966 "Sorry, your trial has expired"
9967 "Application Name"

Now in the disassembly, the code would look like:

push 12
push 26EF
push 26EE
push 23
Call MessageBoxA

No string. Your message cannot be seen. So search for the push 26EE or push 26EF (note, they are the HEX versions of 9966 and 9967).

You have found the error message. You can take it from there.

Have Phun
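The decimal-to-hex step above is easy to get wrong by hand, and the value ends up in the binary as a little-endian immediate, not as the text "26EE". The following script is an added example (not code from the thread or from goScreen) that turns a string-table ID into the byte encodings of `push <id>` and scans a code blob for them; the sample code bytes are constructed here and stand in for a LoadStringA call sequence, the import-slot address in the `call` is a zero placeholder, and the IDs 9966 / 0x100 are the ones from the sample table above.

```python
import struct

PUSH_IMM32 = 0x68   # 68 id32  : push imm32 (5 bytes)
PUSH_IMM8 = 0x6A    # 6A id8   : push imm8, sign-extended (2 bytes)


def push_patterns(resource_id):
    """Byte encodings an assembler may emit for `push <resource_id>`.

    The 5-byte 68 form is always possible; the short 6A form is only used
    when the value fits in a sign-extended byte (0..0x7F).
    """
    pats = [bytes([PUSH_IMM32]) + struct.pack("<I", resource_id)]
    if resource_id < 0x80:
        pats.append(bytes([PUSH_IMM8, resource_id]))
    return pats


def find_pushes(code, resource_id):
    """Offsets in `code` where the string-table ID appears as a push immediate."""
    hits = []
    for pat in push_patterns(resource_id):
        start = 0
        while (i := code.find(pat, start)) != -1:
            hits.append(i)
            start = i + 1
    return sorted(hits)


# Constructed sample: a LoadStringA-style argument setup followed by an
# indirect call through an import slot (address left as 00000000 here).
CODE = bytes.fromhex(
    "6800010000"    # push 100h            ; nBufferMax  (offset 0)
    "56"            # push esi             ; lpBuffer    (offset 5)
    "68EE260000"    # push 26EEh           ; uID = 9966  (offset 6)
    "FF7508"        # push [ebp+8]         ; hInstance   (offset 11)
    "FF1500000000"  # call dword ptr [..]  ; LoadStringA (offset 14)
)

if __name__ == "__main__":
    for sid in (9966, 9967, 0x100):
        print(f"id {sid:5d} = {sid:04X}h -> offsets {find_pushes(CODE, sid)}")
```

A hit is only a candidate: the same five bytes can occur inside another instruction or in data, so confirm each offset in the disassembler, and when scanning a real file remember that offsets in the raw image need the section's file-to-VA mapping before you can set a breakpoint on them.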

Manko
February 17th, 2003, 08:01
If you wanna go the path of RegQueryValueExA, this might help...

(esp+0 return address)

esp+4 HKEY hKey, // handle of key to query
esp+8 LPTSTR lpValueName, // address of name of value to query
esp+c LPDWORD lpReserved, // reserved
esp+10 LPDWORD lpType, // address of buffer for value type
esp+14 LPBYTE lpData, // address of data buffer
esp+18 LPDWORD lpcbData // address of data buffer size

(Hmm... address should be dword and size byte... a typo in win32.hlp?)

When it breaks, do d *(esp+8) to see if the right key is being read.
Then do a d *(esp+14) to see where the result will be stored.
(Of course empty until...) press F12 to make it happen. If it's the right data, do bpm on that address, else push F5 and wait for it to pop again...
I tried and got both serial and name. But I got lazy and didn't follow it through.... it did some stupid computations on the name, over and over again...

SORRY!!! I put esp-x where it's supposed to be esp+x...

/Manko

cupidon
February 18th, 2003, 03:21
Thanks Manko,
but what about this sentence?
SORRY!!! I put esp-x where it's supposed to be esp+x...

I tried what you said; when SoftICE breaks, after the "Push" button is pressed, I looked at esp+8. OK, I saw the name I entered, for example "Test", but I don't see my serial.

Are you sure you saw it?

squidge
February 18th, 2003, 03:31
If I understand this post correctly, you are using the RegQueryValueExA function, therefore you're not going to find a serial number with that unless there's already one stored in the registry (in which case an easier method to find it would be regedit).

I assume you're serial digging, in which case you'll need to trace the code following the RegQueryValueExA call to see how it generates (and compares) its serial with the name you entered.

cupidon
February 18th, 2003, 03:39
Yes, you are right...
With RegQueryValueExA I will see where it wants to store my serial.

But I am trying to find the right serial too. The problem is I don't know where to search.
This software doesn't pop up a window to say "Your serial is incorrect"... so I'm searching for what it's doing with my serial.

squidge
February 18th, 2003, 03:59
Once it has read your serial/name, set a memory breakpoint on that location and let the program run. As soon as it messes with it, the program will be halted.

cupidon
February 18th, 2003, 04:18
Yes, it is what I should do, but I don't know where to put my bpx because... as I said, nothing is helping me, for example a message box.
When I press the button, try to get the software at this address (it doesn't need to be installed): hxxp://home.eol.ca/~andgur/software/goscreen.html. You will see in the property menu, "About" frame, when you click "Register", type your serial and push the button named "Push", nothing is said.


So where to put the bpx is a good question.

Maybe a bpx GetDlgItemTextA and follow the code? Can you have a look? I would like to understand how it works.

squidge
February 18th, 2003, 04:48
It doesn't need to say anything. When it pulls your name from the edit box after you push the button, it stores your name in memory. Placing a memory breakpoint at this location enables you to see what code is used to check that the name and serial are valid. Trace through this code to find out how it gets to this decision.

No dialogs are needed.

cupidon
February 18th, 2003, 05:35
I think we have a problem understanding each other, so, to be clear, what kind of API function can be called to pull my name and serial from the edit field?
Because if I want to put a memory breakpoint I need to know where to put it, right?

P.S: sorry for my troubles....

squidge
February 18th, 2003, 05:41
Quote:
maybe a bpx GetDlgItemTextA ? and follow the code ?


That'll do.

Clandestiny
February 25th, 2003, 00:35
Hiya,

Seems the programmer of your little GoScreen target was a little more clever than average since he didn't leave a "bad boy" message box. Admittedly this makes the task slightly more difficult, but by no means impossible. I would suggest that you start by locating the WM_COMMAND message handler for when the 'Register' button is pressed.

If you examined your target properly, you should have noted that it was coded in C++ using the Microsoft Foundation Classes. I had a look at your target and after digging around a bit I have concluded that finding message handlers in MFC apps is even easier than in regular Win32 applications.

You see, MFC stores information about all of its message handlers for a program in a table called AFX_MSGMAP. This table consists of an array of message map structures as follows:

struct AFX_MSGMAP_ENTRY
{
UINT nCode; //windows message code (wm_command is 111)
UINT nID;
UINT nLastID; //control ID
UINT nMessage;
UINT nSig;
AFX_PMSG pfn; //pointer to handler function
};

In this case, since we want to know what happens when a button is pushed, we are going to be interested in the WM_COMMAND message. Therefore the message value for the nCode member will be 111 for WM_COMMAND. We can also verify the control ID for the Register button by using a window spy utility. And of course we will be able to extract the pointer to the handler function from this structure… Well, once we find it…

…And that brings up the most important question… How do we locate this array of AFX_MSGMAP_ENTRY structures? As it ends up, MFC makes it quite easy for us. There is a function called AfxFindMessageEntry. The prototype follows:

const AFX_MSGMAP_ENTRY* AFXAPI AfxFindMessageEntry(const AFX_MSGMAP_ENTRY* lpEntry, UINT nMsg, UINT nCode, UINT nID);

The good news is that our target uses this very function to look up its own message handlers! All we have to do is exploit it. Sooo, given some basic information about the message and the identifier of the control, this function will return the pointer into the array of AFX_MSGMAP_ENTRY structures that we need. Once we've got this pointer, we can easily extract the address of the handler function for the Register button. Dare I theorize that once you have the handler for the Register button, the serial routine can't be far off (OOP at its finest, of course, heh, heh).

Hope this makes sense… I actually don't know a damn thing about MFC, but a little RE with IDA and the MSDN goes a long way.

What's great about all this is that it lays out a *generic* procedure for finding all kinds of message handlers in MFC applications... Lots of RE possibilities.

Cheers,
Clandestiny

cupidon
February 25th, 2003, 08:15
I like your explanation....
So I will look....

cupidon
February 25th, 2003, 13:44
I used a resource editor to see if I can get the ID of the Register button, but nothing... maybe he creates it dynamically.

Your explanation is good, but I still can't really understand. I looked with IDA, I found where AfxFind was used, I looked around, but it's quite hard to get the pointer...

Manko
February 25th, 2003, 14:55
Window captures.

Spy & Capture by Kobi Krichmar. 06.VIII.1999.
Spy & Capture 2.7 (247K).

On programmers' tools.
It will get you the ID of any part of a window... or at least a program like it should be able to. Don't know if that's the one I've used before...

/Manko

Clandestiny
February 25th, 2003, 21:07
Yeah, you're right... It's created dynamically so you won't find the ID in a resource editor. Really, you don't need the ID, per se, except in the sense that you want to verify that AfxFindMessageEntry is returning you a pointer to the handler for the control you're interested in. If you have Visual Studio, you can use the Spy++ tool to get this ID.

Quote:
Your explanation is good, but I still can't really understand. I looked with IDA, I found where AfxFind was used, I looked around, but it's quite hard to get the pointer...


No, it's actually quite straightforward to get the pointer... Here is a procedure you can follow that may help you to understand...

1) Locate where AfxFindMessageEntry is called in IDA and write that address down.

2) Use a message spy utility to retrieve the handle for the parent dialog and the Register button's ID.

3) Now set a bmsg 'parent dialog handle' wm_command in SoftICE.

4) Click the Register button and SoftICE will break. You will be in the window procedure for the dialog box and you can examine the stack to determine if this WM_COMMAND message is directed at the Register button.

BOOL CALLBACK DialogProc(

HWND hwndDlg, // handle to dialog box
UINT uMsg, // message
WPARAM wParam, // first message parameter
LPARAM lParam // second message parameter
);

If you look at the stack you will see the uMsg parameter, which will be 111 for the WM_COMMAND message. The wParam and lParam values are determined by the specific message, so have a look at WM_COMMAND in your API reference:

WM_COMMAND
wNotifyCode = HIWORD(wParam); // notification code
wID = LOWORD(wParam); // item, control, or accelerator identifier
hwndCtl = (HWND) lParam; // handle of control

You can now examine the wParam argument on the stack to make sure that the low word matches the ID for the Register button. I make this note because other controls may also send WM_COMMAND messages (SoftICE broke a couple of times for me on WM_COMMAND messages for the edit controls before it broke on the WM_COMMAND sent by the Register button).

5) Now, you know that the AfxFindMessageEntry function will be called somewhere in this WndProc to look up the actual handler for our Register button, so you can go ahead and set a breakpoint on it.

6) SoftICE will break. Once again you can look at the function prototype and verify that the parameters passed on the stack match up with the WM_COMMAND message and the Register button's ID.
const AFX_MSGMAP_ENTRY* AFXAPI AfxFindMessageEntry(const AFX_MSGMAP_ENTRY* lpEntry, UINT nMsg, UINT nCode, UINT nID);

7) Step over this function in SI. An address will be returned in eax. This address is an index into the AFX_MSGMAP table. It specifically points to a structure of type

struct AFX_MSGMAP_ENTRY
{
UINT nCode; //windows message code (wm_command is 111)
UINT nID;
UINT nLastID; //control ID
UINT nMessage;
UINT nSig;
AFX_PMSG pfn; //pointer to handler function
};

8) Extract the handler address (which is clearly offset 6 DWORDS from the pointer to the structure returned from the previous function call).

And there you have it... Now you can set a breakpoint on the handler address and trace for the serial routine.

Hope this helps,
Clandestiny
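The two posts above describe one procedure: decode the WM_COMMAND parameters seen on the stack, then let AfxFindMessageEntry resolve them against the AFX_MSGMAP_ENTRY array and read pfn out of the entry it returns. The script below is an added example, not code from the thread or from goScreen, that does the same lookup offline over a constructed copy of a message map, so the stack-to-handler reasoning can be checked without SoftICE. It uses the member order from MFC's afxwin.h (nMessage, nCode, nID, nLastID, nSig, pfn), which differs from the order in the listings above, so pfn is the sixth DWORD, at +0x14 from the entry pointer. The control IDs (1000, 1001, 1002), the table and handler addresses, and the nSig values are assumptions chosen for the example; the match rule is the one AfxFindMessageEntry applies (message, notification code, and an nID..nLastID range, scanning until the nSig == 0 sentinel).

```python
import struct

WM_INITDIALOG = 0x110
WM_COMMAND = 0x111
BN_CLICKED = 0        # HIWORD(wParam) for a button click (ON_BN_CLICKED entries)
EN_CHANGE = 0x300     # HIWORD(wParam) for an edit control change (ON_EN_CHANGE)
AFX_SIG_END = 0       # nSig == 0 marks the end of the message map

# 32-bit layout from afxwin.h: nMessage, nCode, nID, nLastID, nSig, pfn
ENTRY_FMT = "<6I"
ENTRY_SIZE = struct.calcsize(ENTRY_FMT)          # 24 bytes per entry
PFN_OFFSET = struct.calcsize("<5I")              # pfn is the sixth DWORD: +0x14


def decode_wm_command(wparam, lparam):
    """Split WM_COMMAND parameters as documented in the SDK."""
    return {
        "notify_code": (wparam >> 16) & 0xFFFF,  # HIWORD(wParam)
        "ctrl_id": wparam & 0xFFFF,              # LOWORD(wParam)
        "hwnd_ctl": lparam,
    }


def parse_entries(blob, base_va):
    """Parse AFX_MSGMAP_ENTRY structures from raw bytes, stopping at the sentinel."""
    entries = []
    for off in range(0, len(blob) - ENTRY_SIZE + 1, ENTRY_SIZE):
        n_message, n_code, n_id, n_last_id, n_sig, pfn = struct.unpack_from(ENTRY_FMT, blob, off)
        entries.append({
            "va": base_va + off, "pfn_va": base_va + off + PFN_OFFSET,
            "nMessage": n_message, "nCode": n_code, "nID": n_id,
            "nLastID": n_last_id, "nSig": n_sig, "pfn": pfn,
        })
        if n_sig == AFX_SIG_END:
            break
    return entries


def find_message_entry(entries, n_msg, n_code, n_id):
    """Linear scan with the same match rule AfxFindMessageEntry uses."""
    for e in entries:
        if e["nSig"] == AFX_SIG_END:
            return None
        if e["nMessage"] == n_msg and e["nCode"] == n_code and e["nID"] <= n_id <= e["nLastID"]:
            return e
    return None


def handler_for_wm_command(blob, base_va, wparam, lparam):
    """From the wParam/lParam seen on the stack to the handler address (or None)."""
    p = decode_wm_command(wparam, lparam)
    e = find_message_entry(parse_entries(blob, base_va), WM_COMMAND, p["notify_code"], p["ctrl_id"])
    return None if e is None else e["pfn"]


# Constructed message map (assumed VA, IDs, nSig values and handler addresses).
MSGMAP_VA = 0x00455000
REGISTER_BUTTON_ID = 1002
MSGMAP = b"".join(struct.pack(ENTRY_FMT, *e) for e in [
    (WM_INITDIALOG, 0,          0,    0,    0x0C, 0x00408400),   # ON_WM_INITDIALOG
    (WM_COMMAND,    EN_CHANGE,  1000, 1001, 0x35, 0x00408480),   # edit controls, ID range
    (WM_COMMAND,    BN_CLICKED, REGISTER_BUTTON_ID, REGISTER_BUTTON_ID, 0x35, 0x00408500),
    (0, 0, 0, 0, AFX_SIG_END, 0),                                 # end of map
])

if __name__ == "__main__":
    wparam = (BN_CLICKED << 16) | REGISTER_BUTTON_ID   # what the stack shows on the click
    entry = find_message_entry(parse_entries(MSGMAP, MSGMAP_VA), WM_COMMAND, BN_CLICKED, REGISTER_BUTTON_ID)
    print(f"entry at {entry['va']:08X}, pfn stored at {entry['pfn_va']:08X} -> handler {entry['pfn']:08X}")
    print(f"handler for wParam {wparam:08X}: {handler_for_wm_command(MSGMAP, MSGMAP_VA, wparam, 0):08X}")
```

The edit-control entry shows why step 4 matters: a click-style lookup for ID 1000 returns nothing because the notification code (EN_CHANGE vs BN_CLICKED) is part of the key, which is exactly the case where SoftICE broke on the wrong WM_COMMAND first.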

cupidon
February 26th, 2003, 04:13
First, thank you for spending time to help me, and sorry to be a little bit silly, but it's strange: if I put a breakpoint on the window handle of the dialog box, SICE breaks every time.
So I will not be able to push the button.

Clandestiny
February 26th, 2003, 09:28
Quote:
Originally posted by cupidon
First, thank you for spending time to help me, and sorry to be a little bit silly, but it's strange: if I put a breakpoint on the window handle of the dialog box, SICE breaks every time.
So I will not be able to push the button.


You're welcome. I used to be a newbie too (still am in a lot of respects). I'd semi-retired from RE for a few months, but I'm getting back into it a little bit...

If you just place a breakpoint on the dialog window handle without specifying the message *type*, then yeah, SI will break constantly because there is a constant stream of messages being sent to that window. Thing is, you're not interested in most of these messages. That's why you place the breakpoint on the window handle so SI will only break when the WM_COMMAND message is sent.

bmsg 'window handle' wm_command

Now, as I noted previously, there are other controls that can send WM_COMMAND messages (like those edit controls). That is why you need to look at the stack when SI breaks and verify that the message is for the Register button.

Cheers,
Clandestiny