[...] Register menu. Enter your name (in my case: WhizKiD) and a fake serial number (12341234). There's no need to enter a company name, because the registration routine doesn't check it.

Press Ctrl+D to enter SoftICE. In SoftICE we should set a breakpoint on GetWindowTextA; do it by typing 'bpx GetWindowTextA' (without the quotes). Go back to our program and click OK. SoftICE breaks; now press F11 5 times. Trace by pressing F10 until you get to this line:

    015F:00425761 CMP [EBP-14], EAX

Type '? EAX' and you get a number. Clear all breakpoints by typing 'BC *'. Go back to the program, enter that number, and the app is regged.

I'm sorry for not explaining how the serial is generated and why I did such stuff, but you can refer to another tut on the Immortal Descendants website, www.immortaldescendants.org, where you will find an essay about that subject.

Second Part
-----------

If you continue using the program, you will eventually get a nag saying: 'This program has been altered, possibly by a virus; program execution will stop now.' Now we should crack it with the dead-listing method. Open up W32Dasm and load the file pro.exe into it. After the disassembly is done, go to the StrnRef button and look for that message there. After you've found it, double-click on it, and you should be here now:

    * Possible StringData Ref from Data Obj ->"This program has been altered, "
                                            ->"possibly by a virus; program execution "
                                            ->"will stop now."
    |
    :0040B996 68F4D64700    push 0047D6F4
    :0040B99B E8CE060400    call 0044C06E
    :0040B9A0 6A03          push 00000003
    :0040B9A2 E8E91D0200    call 0042D790
    :0040B9A7 59            pop ecx

Scroll up a bit, until you get to this point of code:

    :0040B987 3BFB          cmp edi, ebx
    :0040B989 741D          je 0040B9A8        --> a jump to 0040B9A8

    * Possible StringData Ref from Data Obj ->"2"
    |
    :0040B98B A1E4D64700    mov eax, dword ptr [0047D6E4]
    :0040B990 3B30          cmp esi, dword ptr [eax]
    :0040B992 7414          je 0040B9A8        --> another jump to 0040B9A8
    :0040B994 53            push ebx
    :0040B995 53            push ebx

You see that there are 2 conditional jumps to 0040B9A8. Press Shift+F12 and enter 0040B9A8. Now you are here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0040B989(C), :0040B992(C)
    |
    :0040B9A8 834DFCFF      or dword ptr [ebp-04], FFFFFFFF
    :0040B9AC 395DE4        cmp dword ptr [ebp-1C], ebx
    :0040B9AF 7409          je 0040B9BA
    :0040B9B1 FF75E4        push [ebp-1C]
    :0040B9B4 E85C960300    call 00445015
    :0040B9B9 59            pop ecx

Hey! That's just below the code of that darn nag! I guess those jumps need to be changed so that the nag is skipped at startup. Check out the offsets of those jumps:

    1) AD89h
    2) AD92h

First make a copy of pro.exe and call it pro1.exe. Open up Hacker's View (HIEW) and load pro1.exe into it. Press F4 and choose the decode mode in order to be in the asm code. Press F5 and type the first offset: AD89. Press F3 and change the 741D into EB1D. Press F9 to update the file. Now the second offset: press F5 and type AD92. Press F3 and change the 7414 into EB14. Press F9 to update the file.

What I did here was change the conditional jump 74 (je) into an UNconditional jump EB (jmp). That way the app doesn't need any conditions to skip the nag, it just skips it anyway :)

I guess we are done now. Open up pro1.exe to check how the nag has disappeared, but wait, OH NO!!!! We get another fucking NAG!!!!
This time it says: 'This program's name has been changed; please rename the program to its original name'. Oh sure, we could rename it and then it would work, but then again, we are reversers, aren't we? We should now do the same as we did with the first nag. Find it in the StrnRef, and here's the code:

    :0040B8EB B870064600    mov eax, 00460670
    :0040B8F0 E83B020200    call 0042BB30
    :0040B8F5 83EC10        sub esp, 00000010
    :0040B8F8 53            push ebx
    :0040B8F9 56            push esi
    :0040B8FA 33DB          xor ebx, ebx
    :0040B8FC 57            push edi
    :0040B8FD 53            push ebx
    :0040B8FE 6A20          push 00000020
    :0040B900 53            push ebx
    :0040B901 8D4DE4        lea ecx, dword ptr [ebp-1C]
    :0040B904 E8AC65FFFF    call 00401EB5
    :0040B909 FF35446B4800  push dword ptr [00486B44]
    :0040B90F 8D4DE4        lea ecx, dword ptr [ebp-1C]
    :0040B912 895DFC        mov dword ptr [ebp-04], ebx
    :0040B915 E8AF000000    call 0040B9C9
    :0040B91A 395D08        cmp dword ptr [ebp+08], ebx
    :0040B91D 742F          je 0040B94E        --> Jump 1 to 0040B94E
    :0040B91F FF7508        push [ebp+08]
    :0040B922 FF35446B4800  push dword ptr [00486B44]
    :0040B928 E8A1F4FFFF    call 0040ADCE
    :0040B92D 59            pop ecx
    :0040B92E 50            push eax
    :0040B92F E80C990200    call 00435240
    :0040B934 59            pop ecx
    :0040B935 85C0          test eax, eax
    :0040B937 59            pop ecx
    :0040B938 7414          je 0040B94E        --> Jump 2 to 0040B94E
    :0040B93A 53            push ebx
    :0040B93B 53            push ebx

    * Possible StringData Ref from Data Obj ->"This program's name has been changed; "
                                            ->"please rename the program to its "
                                            ->"original name."
    |
    :0040B93C 684CD74700    push 0047D74C
    :0040B941 E828070400    call 0044C06E
    :0040B946 6A02          push 00000002
    :0040B948 E8431E0200    call 0042D790
    :0040B94D 59            pop ecx

    * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
    |:0040B91D(C), :0040B938(C)
    |
    * Possible StringData Ref from Data Obj ->"2"
    |
    :0040B94E A1E4D64700    mov eax, dword ptr [0047D6E4]   --> Location 0040B94E, the target of those 2 jumps

Note the offsets of the 2 jumps:

    1) AD1Dh
    2) AD38h

Do the same as we did in HIEW for the first NAG:

    1) change 742F to EB2F
    2) change 7414 to EB14

and there is no more nag!!

SECOND METHOD - PATCHING TO ACCEPT ANY SERIAL
---------------------------------------------

Open pro.exe and go to the Help > Register menu. Enter your name and a fake serial. You'll get a message saying that it is wrong. Now go look for it in the StrnRef in W32Dasm. After you have found it, you are here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004257EB(C)
    |
    :00425823 8D4DF0        lea ecx, dword ptr [ebp-10]
    :00425826 E863F10100    call 0044498E

    * Possible Reference to String Resource ID=07033: "We're sorry! The registration number you entered appears to"
    |
    :0042582B 68791B0000    push 00001B79

Hmm, this message is referenced by a jump at 004257EB. Press Shift+F12 and enter that address. You are here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004257AA(C)
    |
    :004257E2 57            push edi
    :004257E3 E80D090000    call 004260F5
    :004257E8 85C0          test eax, eax
    :004257EA 59            pop ecx
    :004257EB 7536          jne 00425823
    :004257ED 8D4DF0        lea ecx, dword ptr [ebp-10]
    :004257F0 E899F10100    call 0044498E

    * Possible Reference to String Resource ID=07032: "You haven't entered a valid username. Your username must be"

Referenced by ANOTHER jump?? Well, do the same as in the last step with the address 004257AA. That jump is in turn referenced by another one at the address 00425765. Go to that address,
and this is the code location:

    :00425765 753A          jne 004257A1       ---> The Jump
    :00425767 8D4DF0        lea ecx, dword ptr [ebp-10]
    :0042576A E81FF20100    call 0044498E

    * Possible Reference to String Resource ID=07030: "Thank you! Your copy of Teleport Pro is now registered. Al"
    |
    :0042576F 68761B0000    push 00001B76

Hmm, this is the good serial message. Let's change that jump so that we can enter any name and registration number into the app. The offset is 24B65; change 753A to 743A. Go back to the program, enter any reg key, and you'll get the good serial msg.

Open & close Teleport Pro a few more times, until you get the nag saying you are halfway through the evaluation period. Find that msg in the SDR (StrnRef):

    :00412905 7535          jne 0041293C
    :00412907 8D4D0C        lea ecx, dword ptr [ebp+0C]
    :0041290A E87F200300    call 0044498E

    * Possible Reference to String Resource ID=07151: "Hello again! You're halfway through the free evaluation per"

Hmm, a jump. Its offset is 11D05; change 7535 to EB35. You will never get this nag again.

Open & close Teleport Pro a few more times, till you get the message saying that this is the session before the last session. Find it in W32Dasm:

    :0041293F 7531          jne 00412972
    :00412941 8D4D0C        lea ecx, dword ptr [ebp+0C]
    :00412944 E845200300    call 0044498E

    * Possible Reference to String Resource ID=07152: "Hello again! After this session, you will have only one mor"

Hmm, another jump. The offset is 11D3F; change 7531 to EB31.

Now open Teleport Pro again, and you get another nag telling you this is your last session. Do I have to tell you what to do now? :)

    :00412975 7572          jne 004129E9
    :00412977 8D4D0C        lea ecx, dword ptr [ebp+0C]
    :0041297A E80F200300    call 0044498E

    * Possible Reference to String Resource ID=07153: "Hello again! This session marks the end the free evaluation"

The offset of that jump is 11D75; change it from 7572 to EB72. Is that the end of those pesky nags? Let's see. Open Teleport Pro, and you will get the message that the evaluation period is over.
Find that nag in W32Dasm:

    :0041CC6C 743D          je 0041CCAB
    :0041CC6E 8D4DEC        lea ecx, dword ptr [ebp-14]
    :0041CC71 E8187D0200    call 0044498E

    * Possible Reference to String Resource ID=07073: "Sorry! The free evaluation period for Teleport Pro is limit"

Again! The same nag pattern! The offset of the jump is 1C06C; change 743D to EB3D. But there are 2 locations with the same message. Go to the second location:

    :00412893 7434          je 004128C9
    :00412895 8D4D0C        lea ecx, dword ptr [ebp+0C]
    :00412898 E8F1200300    call 0044498E

    * Possible Reference to String Resource ID=07073: "Sorry! The free evaluation period for Teleport Pro is limit"

Amazing how shareware authors can be so pathetic! The offset of that jump is 11C93; change 7434 to EB34.

Hmm, looks like we are done! Just one more little thing. Open the app and click the Help > About menu. WTF?? It says there that the time trial has expired! Hmm, it did expire, but I still don't want that shitty message written there. So, look for it in W32Dasm, and you are here:

    :00415A7E 7435          je 00415AB5
    :00415A80 8D4DF0        lea ecx, dword ptr [ebp-10]
    :00415A83 E806EF0200    call 0044498E

    * Possible Reference to String Resource ID=07100: "The free evaluation period for Teleport Pro has expired."

The offset is 14E7E; change 7435 to EB35. Open the app again and see what happens: instead of saying we are registered, it says UNREGISTERED!!! Just below that last location was the "UNREGISTERED" string. Actually, by changing the jump in front of the last string, we made it jump straight to the unregistered message. Return to that location and you should see this:

    :00415ABB 7435          je 00415AF2
    :00415ABD 8D4DF0        lea ecx, dword ptr [ebp-10]
    :00415AC0 E8C9EE0200    call 0044498E

    * Possible Reference to String Resource ID=07101: "This copy of Teleport Pro is UNREGISTERED."

The offset is 14EBB; change 7435 to EB35. Looks like we are done with this crack, but wait, there's more.
One more shitty thing in this app is that it can retrieve only up to 500 files per session of download. Here's a part of the readme file:

    1. The program, and your license to use it, expire after you have used it 40 times.
    2. Until you register it, Teleport Pro will only retrieve up to 500 files per project.

Looks like we have cracked the first part. Let's see if we can crack the second. Load the file into W32Dasm and look for the string that says:

    :004194AD E8DCB40200    call 0044498E

    * Possible Reference to String Resource ID=07047: "Sorry! Until registered, Teleport Pro cannot retrieve more "
    |
    :004194B2 68871B0000    push 00001B87

Scroll up until you see:

    :0041946E 747F           je 004194EF        ---> Jump 1
    :00419470 80BF9E0F000000 cmp byte ptr [edi+00000F9E], 00
    :00419477 8D879E0F0000   lea eax, dword ptr [edi+00000F9E]
    :0041947D 7570           jne 004194EF       ---> Jump 2
    :0041947F 817F58F4010000 cmp dword ptr [edi+58], 000001F4
    :00419486 7267           jb 004194EF        ---> Jump 3
    :00419488 6A00           push 00000000

Hmm, 3 jumps heading to the same address (note the compare against 1F4h, which is 500 decimal, the file limit). Let's change them:

    Jump 1: offset 1886E, change 747F to EB7F
    Jump 2: offset 1887D, change 7570 to EB70
    Jump 3: offset 18886, change 7267 to EB67

Now we are done!!!
Let's look at the file compare results and see how many offsets were patched:

    FileSize: C7800h

    MsgBox Nags:
    ------------
    DD AD1Dh   DB 74h  DB EBh
    DD AD38h   DB 74h  DB EBh
    DD AD89h   DB 74h  DB EBh
    DD AD92h   DB 74h  DB EBh

    Time Trial and window nags:
    ---------------------------
    DD 11C93h  DB 74h  DB EBh
    DD 11D05h  DB 75h  DB EBh
    DD 11D3Fh  DB 75h  DB EBh
    DD 11D75h  DB 75h  DB EBh
    DD 14E7Eh  DB 74h  DB EBh
    DD 14EBBh  DB 74h  DB EBh

    File Download limit:
    --------------------
    DD 1886Eh  DB 74h  DB EBh
    DD 1887Dh  DB 75h  DB EBh
    DD 18886h  DB 72h  DB EBh
    DD 1C06Ch  DB 74h  DB EBh

    Patch to enter any serial:
    --------------------------
    DD 24B65h  DB 75h  DB 74h

    File Compare Results by PC FileCompare32 by Plushmm & The+Q

In order to unregister the program, open Regedit and go to:

    HKEY_CURRENT_USER\Software\Tennyson Maxwell\Teleport Pro\User

and remove the "Registration" string.

Last Words:
-----------

This was one hell of an essay to write; actually, it was my longest :) My goal here was to teach you that if you patch a program, you should always check whether your crack is successful in all the ways. I hope you enjoyed reading this essay, and hope you learned something. Email me for comments, suggestions etc.: halokshoorim@hotmail.com :)

I would really like to thank amante4 of the Immortal Descendants for uploading those 600 files, so I could test if the crack was successful :) amante: THANKS!

-WhizKiD

This file is the courtesy of the Immortal Descendants 2000 (c)
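The file compare listing above is the kind of evidence a defender wants when an application's self-check ('This program has been altered') fires: which bytes differ between a known-good copy and the copy on disk, and whether those changes look like the patch pattern this essay relies on. As an added example (not from the essay, and not the PC FileCompare32 tool it credits), here is a small Python byte-compare that produces a listing in the same DD/DB style and flags the two patterns present in the listing: a short conditional jump (74h je, 75h jne, 72h jb) rewritten to the unconditional EBh, and a jump whose condition was inverted (75h -> 74h). The sample bytes are constructed inline and are not Teleport Pro.

```python
"""Byte-level compare of two binaries in the DD/DB listing style above.

Added example, not the essay's own tool. Given a known-good copy and a
suspect copy of the same file, it reports every differing offset as
(offset, original byte, new byte) and classifies the change:
  - jcc -> jmp : a short conditional jump (70h..7Fh) forced to EBh
  - inverted   : a conditional jump whose condition bit was flipped
The sample inputs are constructed, not taken from any real binary.
"""
from dataclasses import dataclass
from typing import List

# x86 short conditional jumps occupy opcodes 70h..7Fh (72h jb, 74h je,
# 75h jne, ...); EBh is the short unconditional jmp.
JCC_SHORT = range(0x70, 0x80)
JMP_SHORT = 0xEB


@dataclass
class Patch:
    offset: int
    old: int
    new: int

    def is_jcc_to_jmp(self) -> bool:
        """True when a conditional short jump was made unconditional."""
        return self.old in JCC_SHORT and self.new == JMP_SHORT

    def is_jcc_inverted(self) -> bool:
        """True when a conditional jump's condition was inverted
        (e.g. jne 75h -> je 74h): the two opcodes differ only in bit 0."""
        return (self.old in JCC_SHORT and self.new in JCC_SHORT
                and self.old ^ self.new == 1)

    def listing_line(self) -> str:
        """One line in the 'DD offset  DB old  DB new' style of the essay."""
        return f"DD {self.offset:X}h  DB {self.old:02X}h  DB {self.new:02X}h"


def compare_files(original: bytes, modified: bytes) -> List[Patch]:
    """Return every differing byte; a size mismatch is itself a tamper signal."""
    if len(original) != len(modified):
        raise ValueError(f"size mismatch: {len(original):X}h vs {len(modified):X}h")
    return [Patch(i, a, b)
            for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def summarize(patches: List[Patch]) -> dict:
    """Counts a reviewer wants at a glance: total changes and how many
    look like control-flow patches rather than ordinary data changes."""
    return {
        "total": len(patches),
        "jcc_to_jmp": sum(p.is_jcc_to_jmp() for p in patches),
        "jcc_inverted": sum(p.is_jcc_inverted() for p in patches),
    }


# Constructed sample: a 64-byte "binary" holding three tiny jump fragments.
ORIGINAL = bytearray(64)
ORIGINAL[0x10:0x12] = b"\x74\x1d"   # je  +1Dh
ORIGINAL[0x20:0x22] = b"\x75\x3a"   # jne +3Ah
ORIGINAL[0x30:0x32] = b"\x72\x67"   # jb  +67h
ORIGINAL[0x3c] = 0x90               # nop, unrelated byte

MODIFIED = bytearray(ORIGINAL)
MODIFIED[0x10] = 0xEB   # je  -> jmp  (the essay's nag-skip pattern)
MODIFIED[0x20] = 0x74   # jne -> je   (the essay's serial-check inversion)
MODIFIED[0x30] = 0xEB   # jb  -> jmp
MODIFIED[0x3c] = 0x00   # an unrelated, non-control-flow change


if __name__ == "__main__":
    found = compare_files(bytes(ORIGINAL), bytes(MODIFIED))
    for p in found:
        tag = ""
        if p.is_jcc_to_jmp():
            tag = "   <- jcc -> jmp"
        elif p.is_jcc_inverted():
            tag = "   <- condition inverted"
        print(p.listing_line() + tag)
    print(summarize(found))
```

Run against a pristine installer copy and the on-disk executable, a non-empty result with jcc->jmp or inverted entries is a strong indication of deliberate patching rather than corruption, which is exactly the distinction the application's own "altered, possibly by a virus" message fails to make.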