This target is compressed.
First of all, a compressed program has to be unpacked
before execution.
The unpacking routine also does some allocation work before
jumping to the real entry point.
The method consists in setting a breakpoint on GetProcAddress, which
the allocation task uses. Then load crackpad.exe into Symbol
Loader; it breaks here:
:0040C040 AND [EAX],EAX
:0040C042 MOV EAX,0040C000
:0040C047 PUSH 00407C9A
:0040C04C PUSH DWORD PTR FS:[00000000]
:0040C053 MOV FS:[00000000],ESP
:0040C05A PUSHF
:0040C05C PUSHAD
:0040C05D PUSH EAX
:0040C05E XOR EBX,EBX
:0040C060 LEA EDX,[EAX+00000178]
:0040C066 PUSH 00400000
:0040C06B MOV ECX,[EDX]
:0040C06D BTR ECX,1F
:0040C071 JAE 0040C089
:0040C073 MOV EAX,[ESP]
:0040C076 STD
'bpx getprocaddress'
'x'
It breaks; press F11 to return to the caller.
Now you are in the loop, here (407eb4):
:00407E1A MOV ECX,[EBP+00000128]
:00407E20 ADD ESI,EBP
:00407E22 ADD ECX,EBP
:00407E24 MOV EBX,EAX
:00407E26 CMP DWORD PTR [ESI],00
:00407E29 JZ 00407FAE                  MAIN LOOP OVER THE IMPORT TABLE, EXIT WHEN DONE
:00407E2F PUSH ECX
:00407E30 PUSH DWORD PTR [ECX+0C]
:00407E33 ADD [ESP],EBP                DLL NAME
:00407E36 MOV EDX,[EBX]
:00407E38 CALL [EBX+EDX+10]            LOADS THE DLL, EAX = ITS BASE
:00407E3C TEST EAX,EAX
:00407E3E JZ 00407F19
:00407E44 MOV EDI,EAX
:00407E46 ADD EAX,[EAX+3C]             E_LFANEW -> PE HEADER
:00407E49 MOV EAX,[EAX+78]             EXPORT DIRECTORY RVA
:00407E4C PUSH DWORD PTR [EDI+EAX+18]
:00407E50 MOV ECX,[EDI+EAX+24]
:00407E54 ADD ECX,EDI
:00407E56 PUSH ECX
:00407E57 MOV ECX,[EDI+EAX+20]
:00407E5B ADD ECX,EDI
:00407E5D PUSH ECX
:00407E5E PUSH DWORD PTR [EDI+EAX+10]
:00407E62 PUSH DWORD PTR [EDI+EAX+14]
:00407E66 MOV EAX,[EDI+EAX+1C]
:00407E6A ADD EAX,EDI
:00407E6C PUSH EAX
:00407E6D PUSH ESI
.
.
.
:00407EB4 CALL [EBX+EDX+14]            GETPROCADDRESS
:00407EB8 TEST EAX,EAX
:00407EBA JZ 00407F25
:00407EBC DEC DWORD PTR [ESP+28]
:00407EC0 JGE 00407EE7
:00407EC2 MOV EDX,[ESP+24]             NEXT FREE STUB ADDRESS
:00407EC6 CMP EDX,[ESP+20]
:00407ECA JA 00407EE0
:00407ECC MOV BYTE PTR [EDX],E9        WRITE A JMP REL32 STUB TO THE API
:00407ECF SUB EAX,EDX
:00407ED1 SUB EAX,05
:00407ED4 MOV [EDX+01],EAX
:00407ED7 MOV EAX,EDX                  THE STUB REPLACES THE API ADDRESS
:00407ED9 ADD EDX,05
:00407EDC MOV [ESP+24],EDX
:00407EE0 AND EDX,07
:00407EE3 MOV [ESP+28],EDX
:00407EE7 MOV [ESI],EAX                STORE INTO THE IAT SLOT
:00407EE9 XCHG EDI,[ESP]
:00407EEC OR ECX,-01
:00407EEF XOR EAX,EAX
:00407EF1 REPNZ SCASB                  STRLEN OF THE API NAME
:00407EF3 STD
:00407EF4 NOT ECX
:00407EF6 DEC EDI
:00407EF7 REPZ STOSB                   WIPE THE NAME
:00407EF9 POP EDI
:00407EFA CLD
:00407EFB ADD ESI,04
:00407EFE JMP 00407E72
'bc *'
If you take a look at this part of the code, you can see that
there is a main loop starting at 407e26.
The loop exit is at 407fae (407e29 jz 407fae).
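Here is what the loop does with each address GetProcAddress returns,
written out in Python as an added example (this is not code from the
tutorial or from crackpad). The loop either stores the API address into
the IAT slot directly (MOV [ESI],EAX at 407EE7) or, when the countdown at
[ESP+28] runs out and there is still room below [ESP+20], first writes a
5-byte E9 stub at [ESP+24] and stores the stub's address instead; the
table of JMP KERNEL32!... at 40C047 further down is what such a stub area
looks like once filled. The API names and addresses below are made up,
and the starting value of the countdown is not visible in the listing, so
0 is assumed.

```python
import struct

# Added example, not code from the tutorial or from crackpad: a Python model
# of what the loop at 407EB4..407EFB does with each address GetProcAddress
# returns.  API names, addresses and the stub area bounds are constructed.


def make_jmp_thunk(thunk_va: int, target_va: int) -> bytes:
    """E9 rel32, exactly as 407ECC..407ED4 writes it: byte E9 followed by
    target - thunk - 5 (the displacement is relative to the end of the
    5-byte instruction), stored as a little-endian dword."""
    rel = (target_va - thunk_va - 5) & 0xFFFFFFFF   # SUB EAX,EDX / SUB EAX,05
    return b"\xE9" + struct.pack("<I", rel)


def decode_jmp_thunk(thunk_va: int, code: bytes) -> int:
    """Inverse of make_jmp_thunk: the address an E9 stub really jumps to."""
    if len(code) < 5 or code[0] != 0xE9:
        raise ValueError("no JMP rel32 at %#x" % thunk_va)
    rel = struct.unpack("<I", code[1:5])[0]
    return (thunk_va + 5 + rel) & 0xFFFFFFFF


def fill_iat(names, exports, thunk_cursor, thunk_limit, counter=0):
    """Walk one DLL's import names the way the loop does.

    exports      name -> address, standing in for GetProcAddress
    thunk_cursor next free byte of the stub area, the value kept at [ESP+24]
    thunk_limit  last address a stub may start at, the value at [ESP+20]
    counter      the countdown at [ESP+28]; its starting value is not
                 visible in the listing, so 0 is an assumption

    Returns (iat, stubs): the dwords stored at [ESI], and the stub bytes
    keyed by stub address.
    """
    iat, stubs = [], {}
    for name in names:
        addr = exports[name]                   # CALL [EBX+EDX+14]
        counter -= 1                           # DEC DWORD PTR [ESP+28]
        if counter < 0:                        # JGE 407EE7 not taken
            if thunk_cursor <= thunk_limit:    # JA 407EE0 not taken
                stubs[thunk_cursor] = make_jmp_thunk(thunk_cursor, addr)
                addr = thunk_cursor            # MOV EAX,EDX: slot gets the stub
                thunk_cursor += 5              # ADD EDX,05
            counter = thunk_cursor & 7         # AND EDX,07 / MOV [ESP+28],EDX
        iat.append(addr)                       # MOV [ESI],EAX
    return iat, stubs


# Constructed export addresses (not real ones).
EXPORTS = {
    "ShellExecuteA": 0x7CA01234,
    "GlobalAlloc":   0x7C809A40,
    "LocalReAlloc":  0x7C80AB10,
    "lstrcpyn":      0x7C8021C0,
    "GlobalLock":    0x7C809B20,
    "lstrcat":       0x7C8022D0,
}


def demo():
    """Fill the IAT for EXPORTS with the stub area starting at 40C047 (the
    first JMP of the table shown later in this tutorial), then follow every
    stub back to its API, which is what fixing such an IAT by hand needs."""
    iat, stubs = fill_iat(list(EXPORTS), EXPORTS, 0x0040C047, 0x0040C074)
    resolved = [decode_jmp_thunk(a, stubs[a]) if a in stubs else a for a in iat]
    return iat, stubs, resolved
```

decode_jmp_thunk is the step you need if you ever rebuild the import
table of a dump by hand: a slot that points inside the image at an E9
byte has to be followed to the real API before it is of any use.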
'bpx 407fae'
'x'
You land in another piece of code with a loop; it ends at
407fec.
:00407FAE LEA ESI,[EBP+FFC00000]       EBP - 400000 = LOAD DELTA
:00407FB4 LEA ECX,[EBP+0000B000]       FIX-UP STREAM
:00407FBA MOV EDI,ECX
:00407FBC XOR EDX,EDX
:00407FBE MOV EAX,[ECX]
:00407FC0 TEST EAX,EAX
:00407FC2 JZ 00407FDE                  END OF STREAM
:00407FC4 CMP AL,FF
:00407FC6 JNZ 00407FD0
:00407FC8 MOV EDX,[ECX+01]             FF: AN ABSOLUTE OFFSET FOLLOWS
:00407FCB ADD ECX,05
:00407FCE JMP 00407FD8
:00407FD0 INC ECX
:00407FD1 AND EAX,000000FF
:00407FD6 ADD EDX,EAX                  ELSE: BYTE DELTA TO THE NEXT OFFSET
:00407FD8 ADD [EDX+EBP+00],ESI         ADD THE LOAD DELTA TO THAT DWORD
:00407FDC JMP 00407FBE
:00407FDE SUB ECX,EDI
:00407FE0 REPZ STOSB                   ZERO THE STREAM
:00407FE2 POP ECX
:00407FE3 POP ESI
:00407FE4 STD
:00407FE5 XOR EAX,EAX
:00407FE7 MOV ECX,00000358
:00407FEC CALL 0040C039
:00407FF1 ADD [EAX],AL
:00407FF3 ADD [EAX],AL
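Read from the listing, the loop at 407FBE is a relocation pass: ESI holds
the difference between the actual base and 400000, the stream at EBP+B000
is a list of offsets (a byte advances the current offset, FF introduces an
absolute dword offset, a zero dword ends the list) and the dword at each
offset gets ESI added to it. Below is that pass in Python as an added
example, not code from the tutorial or from crackpad; the image and the
stream in demo() are constructed for illustration.

```python
import struct

# Added example, not code from the tutorial or from crackpad: the fix-up pass
# at 407FAE..407FDC in Python, with the stream format spelled out.  The image
# and the stream in demo() are constructed; the real stream sits at EBP+B000.


def apply_relocs(image: bytearray, stream: bytes, delta: int) -> list:
    """Patch image in place and return the offsets that were patched.

    Records, as the loop decodes them (it reads a whole dword at ECX each
    time, even for one-byte records):
      00 00 00 00       end of the list          (TEST EAX,EAX / JZ 407FDE)
      FF xx xx xx xx    offset = xxxxxxxx        (MOV EDX,[ECX+01] / ADD ECX,05)
      nn                offset += nn             (INC ECX / AND EAX,FF / ADD EDX,EAX)
    After each record the dword at image+offset gets delta added
    (ADD [EDX+EBP+00],ESI), delta being actual base - 00400000
    (the LEA ESI,[EBP+FFC00000] before the loop).
    """
    pos, offset, patched = 0, 0, []
    while True:
        word = struct.unpack_from("<I", stream.ljust(pos + 4, b"\0"), pos)[0]
        if word == 0:
            break
        if word & 0xFF == 0xFF:
            offset = struct.unpack_from("<I", stream, pos + 1)[0]
            pos += 5
        else:
            offset = (offset + (word & 0xFF)) & 0xFFFFFFFF
            pos += 1
        old = struct.unpack_from("<I", image, offset)[0]
        struct.pack_into("<I", image, offset, (old + delta) & 0xFFFFFFFF)
        patched.append(offset)
    return patched


def demo() -> dict:
    """A 64-byte image with three pointers that assume base 00400000, loaded
    instead at 00410000 (delta 10000).  Returns {offset: value after fix-up}."""
    image = bytearray(0x40)
    struct.pack_into("<I", image, 0x10, 0x00401000)
    struct.pack_into("<I", image, 0x14, 0x00402000)
    struct.pack_into("<I", image, 0x30, 0x0040C040)
    stream = (b"\x10"                            # offset 10
              b"\x04"                            # offset 14
              b"\xFF" + struct.pack("<I", 0x30)  # jump to offset 30
              + b"\x00\x00\x00\x00")             # end
    patched = apply_relocs(image, stream, 0x00410000 - 0x00400000)
    return {off: struct.unpack_from("<I", image, off)[0] for off in patched}
```

Note the SUB ECX,EDI / REPZ STOSB right after the loop: with EAX left at
0 by the terminator it zero-fills the stream it just consumed, so the
list is no longer in memory once the unpacker is done with it.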
'bpx 407fec'
'x'
Now into the call! Press F8.
You are here:
:0040C039 POP EDI
:0040C03A REPZ STOSB
:0040C03C POPAD
:0040C03D POPF
:0040C03F ADD ESP,08
:0040C042 JMP 00406230
:0040C047 JMP SHELL32!ShellExecuteA
:0040C04C JMP KERNEL32!GlobalAlloc
:0040C051 JMP KERNEL32!LocalReAlloc
:0040C056 JMP KERNEL32!lstrcpyn
:0040C05B JMP KERNEL32!GlobalLock
:0040C060 JMP KERNEL32!GlobalAlloc
:0040C065 JMP KERNEL32!lstrcat
:0040C06A JMP KERNEL32!lstrcpy
:0040C06F JMP KERNEL32!GetModuleHandleA
:0040C074 JMP USER32!IsDialogMessage
F10 until the jmp 406230, then F10 once more.
Now look at this part of the code, and at the protection :-))
:00406230 PUSHAD
:00406231 MOV EDI,004062A0
:00406236 PUSH EDI
:00406237 CALL [KERNEL32!GetLocalTime]
:0040623D CMP WORD PTR [EDI],07CF       year (07CF = 1999)
:00406242 JG 00406280                    year > 1999: bad boy
:00406244 JL 0040624D                    year < 1999: right way
:00406246 CMP WORD PTR [EDI+02],06       month (6 = June)
:0040624B JGE 00406280                   June 1999 or later: bad boy :-)
:0040624D PUSH 30                        right way !
:0040624F PUSH 004062E0
:00406254 PUSH 004062F0
:00406259 PUSH 00
:0040625B CALL [USER32!MessageBoxA]
:00406261 POPAD
:00406262 JMP 00401000                   REAL ENTRY CODE
:00406267 ADD [EAX],AL
F10 until 40624b.
We have to get to 40624d, because the month is June (6) or
later and the jge would take us to the bad boy!
'r eip eip+2'
F10 until the jmp 401000.
Hehe ... take a look at 401000 !!
'u 401000'   Yes !!!! Real entry code !
'.'
Remove all breakpoints:
'bc *'
Now we have to change the code to make an infinite loop
('a eip' assembles at the current instruction, the empty line
ends the assembler, and 'g' lets the process spin in place so
it can be dumped):
'a eip'
'jmp eip'
''
'g'
You can now start ProcDump, select crackpad and right-click
to dump (full).
Give it a name, OK, then another right-click on it to kill the
process, OK.
Now open the PE editor. Select your program (the one you
saved). We have to set the real entry point.
Remember it was 401000 ... minus 400000 (the base), so
replace the entry point with 1000.
OK, try it now ............. Yes !!!!! It works without
nag and limit (I hope for you :-)
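The PE-editor step, done in Python as an added example (not the
tutorial's code and not any particular PE editor's): the entry point in
the header is an RVA, so the OEP 401000 becomes 1000 only because
ImageBase is 400000, and the code below reads the base from the header
instead of assuming it. build_minimal_pe() constructs a toy header so
the functions run without a real dump; the file name and the OEP passed
to set_entry_point_va are the only inputs you would change for your own
dump.

```python
import struct

# Added example, not code from the tutorial or from any PE editor: the last
# step done by hand.  It reads ImageBase out of the optional header, turns
# the OEP virtual address (401000) into an RVA (1000) and writes that into
# AddressOfEntryPoint.  build_minimal_pe() constructs a toy header so the
# code runs without a real dump; on a real file you would call
# set_entry_point_va(open(path, "rb").read(), 0x401000) and write the result.

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def _optional_header_offset(pe: bytes) -> int:
    """Offset of IMAGE_OPTIONAL_HEADER: e_lfanew + 4-byte signature + 20-byte COFF header."""
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature at e_lfanew")
    return e_lfanew + 4 + 20


def image_base(pe: bytes) -> int:
    """ImageBase: dword at +28 for PE32, qword at +24 for PE32+."""
    opt = _optional_header_offset(pe)
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == PE32_MAGIC:
        return struct.unpack_from("<I", pe, opt + 28)[0]
    if magic == PE32PLUS_MAGIC:
        return struct.unpack_from("<Q", pe, opt + 24)[0]
    raise ValueError("unknown optional header magic %#x" % magic)


def entry_point_rva(pe: bytes) -> int:
    """AddressOfEntryPoint sits 16 bytes into the optional header in both formats."""
    return struct.unpack_from("<I", pe, _optional_header_offset(pe) + 16)[0]


def set_entry_point_va(pe: bytes, oep_va: int) -> bytes:
    """Return a copy of pe whose entry point is the RVA of oep_va."""
    base = image_base(pe)
    if oep_va < base:
        raise ValueError("OEP %#x is below ImageBase %#x" % (oep_va, base))
    out = bytearray(pe)
    struct.pack_into("<I", out, _optional_header_offset(pe) + 16, oep_va - base)
    return bytes(out)


def build_minimal_pe(entry_rva: int = 0xC040, base: int = 0x400000) -> bytes:
    """Constructed PE32 headers only (no sections): enough for the functions
    above, not a loadable file.  The default entry is 40C040, where Symbol
    Loader first stopped at the start of this tutorial."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, len(dos))              # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)               # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, base)                    # ImageBase
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)
```

Keep the dump's ImageBase as it is: the unpacker's fix-up pass has already
adjusted the image for the base it ran at, and the entry point is the only
header field this tutorial changes.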
JOB DONE !!!!
This is my first tutorial, I hope it will be useful.
SV