Bassline.WinPopup.v2.54a Cracking Tutorial by UFK
updated in 03/21/99
-----------------------------------------------------------------------

Hiya people. This program doesn't have a really hard protection, but it still has something that can give you some new ideas about cracking. This one is a 50-day trial program with 2 nag screens. OK, now let's work.

I wanna thank _y for helping me with this tutorial and for making lamerslog worth looking at :) Another big thanks to ytc, Neural and Iczelion!

Execute the program! Wow! Amazing! I get a message "Messanger Service or another WinPopUp might be running. Reciver was Disabled!" OK, that's got nothing to do with me, and you probably won't even get this one. OK, next! Now I see "You have 50 days to evaluate this software, would you bla bla bla..".

Run IDA and start disassembling it. Wait for it to finish :) Now we can't search for "you have 50 days.." because the 50 changes every day, so let's do a binary search just for "you have".

    .data:0046A250 59 6F 75 20 68 61+str->YouHaveDDaysToE db 'You have %d\ days to evaluate this software',0
    .data:0046A250 76 65 20 25 64 20+
    .data:0046A27B 0

Cool! Next! Now we can't get this program registered, at least not the easy way, because when I searched for the word "registered" I found nothing. So what we're gonna do is find the call that creates the window and eliminate it with nops. So first press on the X-Ref to that string to see what's using it.

                                          (the X-Ref points here)
                                                   _||_
                                                   \  /
                                                    \/
    .text:004020AF 68 50 A2 46 00          push    offset str->YouHaveDDaysToE   (our string)
    .text:004020B4 52                      push    edx
    .text:004020B5 E8 F8 B5 02 00          call    _text_42D6B2
    .text:004020BA 83 C4 0C                add     esp, 0Ch
    .text:004020BD                     _text_4020BD:
    .text:004020BD 68 18 A2 46 00          push    offset str->WouldYouSeeTheR   (the rest of the nag screen text)
    .text:004020C2 8D 4C 24 30             lea     ecx, [esp+2Ch+arg_0]
    .text:004020C6 E8 64 D5 02 00          call    _text_42F62F
    .text:004020CB 8B 86 18 03 00 00       mov     eax, [esi+318h]

OK, so run the SoftICE Symbol Loader.
Load our program, and when it breaks on the 1st line of the program, set a breakpoint on the address 4020AF. Then we go step by step using the SoftICE command P or F10 (Step Skipping Calls, Ints, Etc) till it shows us the nag, so we know which command creates it. We press F10 a few times till we get the nag screen. Now it asks us if we want to view the WWW pages; we say no, and then SoftICE pops up and we see a call to some address. That means this is the nag screen creator! Yuck! :D Let's delete it. We see in SoftICE that its address is 001B:004020F2, and when you jump to it in IDA you see this:

    .text:004020F2 E8 61 DA 03 00          call    _text_43FB58
    .text:004020F7 83 F8 06                cmp     eax, 6
    .text:004020FA 75 07                   jnz     short _text_402103

Cool. So now run a hex editor and go to this address. You can do that by searching for the hex values of the call command, or just by using the excellent program by Iczelion called "Virtual Address to File Offset" that you can get from iczelion.cjb.net. In there you just type the memory address and it gives you the file offset. So the file offset of the call command is $14F2. Use a hex editor and go to that place (save a backup of your original exe file 1st). Now change all of the hex bytes of this command to nops (nop in asm means "do nothing" and its hex value is 90h), so make it look like this:

    .text:004020F2 90                      nop
    .text:004020F3 90                      nop
    .text:004020F4 90                      nop
    .text:004020F5 90                      nop
    .text:004020F6 90                      nop
    .text:004020F7 83 F8 06                cmp     eax, 6
    .text:004020FA 75 07                   jnz     short _text_402103

Now save it and run the program, and let's see what happens. Damn! It crashes!! Why???!?!! Well, that's something that can help you in the future. It seems that in this program the function that creates the nag returns a value that something else uses, so if we eliminate this thingy it returns nothing and the program crashes! What do we do?
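The address-to-offset step above is plain arithmetic on the PE section table, and it is worth understanding rather than trusting a tool for: the RVA is the virtual address minus the image base, and the file offset is the RVA minus the owning section's VirtualAddress plus its PointerToRawData. The Python below is an added example, not part of UFK's tutorial and not read from the WinPopup binary: it parses a constructed IMAGE_SECTION_HEADER table with a typical layout (.text at RVA 1000h, raw data at 400h, image base 400000h) and maps 4020F2h to 14F2h, the same value the tutorial gets. It also returns None for addresses with no backing bytes on disk, such as zero-filled data past SizeOfRawData, which is the case a naive converter gets wrong.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes, little-endian: Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def parse_section_table(blob, count):
    """Decode `count` consecutive IMAGE_SECTION_HEADER records from `blob`."""
    sections = []
    for i in range(count):
        fields = SECTION_HEADER.unpack_from(blob, i * SECTION_HEADER.size)
        name, vsize, va, rawsize, rawptr = fields[:5]
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "virtual_address": va,      # RVA where the section is mapped
            "virtual_size": vsize,      # bytes the section occupies in memory
            "raw_pointer": rawptr,      # file offset of the section's data
            "raw_size": rawsize,        # bytes actually stored in the file
        })
    return sections


def va_to_file_offset(va, image_base, sections):
    """Map a virtual address from the disassembler to a file offset.

    Returns None when the address lies outside every section, or in the part
    of a section that exists only in memory (VirtualSize > SizeOfRawData, as
    for zero-initialised data), because no byte in the file backs it.
    """
    rva = va - image_base
    for s in sections:
        start = s["virtual_address"]
        end = start + max(s["virtual_size"], s["raw_size"])
        if start <= rva < end:
            delta = rva - start
            if delta >= s["raw_size"]:
                return None          # memory-only portion, nothing on disk
            return s["raw_pointer"] + delta
    return None


def file_offset_to_va(offset, image_base, sections):
    """Inverse mapping: file offset -> virtual address, or None if unmapped."""
    for s in sections:
        if s["raw_pointer"] <= offset < s["raw_pointer"] + s["raw_size"]:
            return image_base + s["virtual_address"] + (offset - s["raw_pointer"])
    return None


# Constructed section table (an assumption, NOT taken from the real WinPopup
# binary): a typical 1000h section alignment / 200h file alignment layout.
IMAGE_BASE = 0x400000
SAMPLE_TABLE = b"".join([
    #                   name      VSize    VA       RawSize  RawPtr   reloc ln nr nl characteristics
    SECTION_HEADER.pack(b".text",  0x3F000, 0x01000, 0x3F000, 0x00400, 0, 0, 0, 0, 0x60000020),
    SECTION_HEADER.pack(b".rdata", 0x2A000, 0x40000, 0x2A000, 0x3F400, 0, 0, 0, 0, 0x40000040),
    SECTION_HEADER.pack(b".data",  0x10000, 0x6A000, 0x04000, 0x69400, 0, 0, 0, 0, 0xC0000040),
])
SECTIONS = parse_section_table(SAMPLE_TABLE, 3)

if __name__ == "__main__":
    for va in (0x4020F2, 0x43FB58, 0x46A250, 0x475000):
        off = va_to_file_offset(va, IMAGE_BASE, SECTIONS)
        print("VA %08X -> %s" % (va, "file offset %X" % off if off is not None else "not in file"))
```

The same arithmetic runs in reverse with file_offset_to_va, which is what you need when a hex editor shows you an offset and you want to find the instruction in IDA.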
Break on that command, press F10, and in SoftICE any register that got changed is shown in light blue (maybe on your computer it's a different color). So just copy all of those registers and their values onto a piece of paper. Let's do that 1st. OK, so run the Symbol Loader and set a breakpoint on 004020F2 (of course you need to reload the file, because you changed it). Did it break? Press F10 once, and after that copy all the registers that got changed; again, they'll be highlighted in some color. On my computer this is what got changed:

    EAX=00000007 ECX=0012FD4C ESP=0012FD30 EDX=00020000 EIP=004020F7

Well, it's not EIP! EIP = extended instruction pointer, it points to the current instruction. OK, now let's look at our code.

    .text:004020F2 E8 61 DA 03 00          call    _text_43FB58          <- runs the NAG
    .text:004020F7 83 F8 06                cmp     eax, 6
    .text:004020FA 75 07                   jnz     short _text_402103    <- if the Zero Flag is on,
    .text:004020FE E8 0D FC FF FF          call    _text_401D10             show the www pages
    .text:00402103                     _text_402103:
    .text:00402103 39 9E 18 03 00 00       cmp     [esi+318h], ebx
    .text:00402109 7D 1B                   jge     short _text_402126

I commented where it checks if you wanna view the www pages or not. There's not much to explain; if you break on that line and change the zero flag you'll notice it yourself :) Now when it comes to the jge it jumps, so it jumps here:

    .text:00402126                     _text_402126:
    .text:00402126 8D 4C 24 2C             lea     ecx, [esp+28h+arg_0]
    .text:0040212A 88 5C 24 24             mov     byte ptr [esp+28h+var_4], bl
    .text:0040212E E8 60 D1 02 00          call    _text_42F293

Now when you keep tracing you see that it crashes on

    .text:0040212E E8 60 D1 02 00          call    _text_42F293

So let's see what registers it used so far! Remember, the registers that got changed are EAX, ECX, ESP, EDX and EIP. OK, in here:

    .text:004020F7 83 F8 06                cmp     eax, 6

we see that EAX is for checking if you wanna view the WWW file, so that's not our register. In here:

    .text:00402126 8D 4C 24 2C             lea     ecx, [esp+28h+arg_0]

we see that it loads something into ECX, so that's not our register.
What's left is ESP, EDX and EIP. I told you why it's not EIP, so what's left is ESP and EDX. I don't see this program using EDX anywhere, so what's left is ESP :) So what does it mean? It means that the program uses the data in the ESP register that got returned from the procedure that makes the nag. So instead of nopping the call, change it to "mov esp, 0012fd30" and fill the rest with nops. Now run a hex editor and go to 14f2h. Notice that the call command takes 5 bytes. Change it to what we need. Now we see that our mov command takes 5 bytes too, so we don't need to nop anything. If the mov command took only 4 bytes and we didn't nop the 5th byte, it would create a big mess. OK, so now it's like this:

    .text:004020F2 BC 30 FD 12 00          mov     esp, 0012fd30
    .text:004020F7 83 F8 06                cmp     eax, 6
    .text:004020FA 75 07                   jnz     short _text_402103

Cool! We don't need to worry about EAX because it will never be 6, so it will never show the WWW pages; if you're so worried, change the jnz to jmp! :D OK, now run the program and see what happens. Works great! No nag! But it's not enough! We removed the regular nag, but what about the nag when the evaluation days are over? Change the date to a year later or something, run the program, and what do you see? The program just quits. No nag, no nothing. Why? Because, welp.. remember that it asks if you wanna view the WWW pages? Well, it uses the same thingy for both of the nags, and when we eliminated it we eliminated both of the nags. So what can we do now? Go back to the start :) Use your original version of the file to find out what else to change. OK, now run the program, and what nag appears? "This program has expired". Good, do a binary search in IDA, and of course we found it! Press on its X-Ref and it gets used from here:

    .text:00402098 7D 10                   jge     short _text_4020AA
    .text:0040209A 68 7C A2 46 00          push    offset str->ThisProgramHasE

Cool.. just above it there is a jge. What if we change this jge to "jmp"? Let's try!
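Every call and short jump in the listings above encodes its target as a signed displacement from the address of the next instruction, which is why E8 61 DA 03 00 at 4020F2h means call 43FB58h (4020F7h + 3DA61h), why a call is 5 bytes while a jge short is only 2, and why you have to watch the instruction length when you read these listings. The Python below is an added example, not from the tutorial or the program: it decodes the rel8/rel32 branch forms that appear on this page and re-derives the target of every branch quoted here from its raw bytes, flagging any line whose label disagrees with its bytes (the last listing line is a constructed mismatch, to show the check catching it).

```python
import re

# Opcodes in the listings that carry a signed displacement relative to the
# address of the *following* instruction (x86 relative branches).
REL32_OPCODES = {0xE8: "call", 0xE9: "jmp"}
REL8_OPCODES = {0xEB: "jmp short", 0x74: "jz short", 0x75: "jnz short",
                0x7C: "jl short", 0x7D: "jge short"}


def decode_relative_branch(address, code):
    """Decode a relative call/jump located at `address` with bytes `code`.

    Returns (mnemonic, length, target), or None if the first byte is not one
    of the relative-branch opcodes handled here.
    """
    op = code[0]
    if op in REL32_OPCODES:
        if len(code) < 5:
            raise ValueError("truncated rel32 instruction at %#x" % address)
        disp = int.from_bytes(code[1:5], "little", signed=True)
        length, mnem = 5, REL32_OPCODES[op]
    elif op in REL8_OPCODES:
        if len(code) < 2:
            raise ValueError("truncated rel8 instruction at %#x" % address)
        disp = int.from_bytes(code[1:2], "little", signed=True)
        length, mnem = 2, REL8_OPCODES[op]
    else:
        return None
    target = (address + length + disp) & 0xFFFFFFFF   # 32-bit wraparound
    return mnem, length, target


# One IDA-style listing line: address, hex bytes, mnemonic, _text_XXXXXX label.
LISTING_RE = re.compile(
    r"^\.text:([0-9A-Fa-f]{8})\s+((?:[0-9A-Fa-f]{2}\s+)+)"
    r"(\w+(?:\s+short)?)\s+_text_([0-9A-Fa-f]+)"
)


def check_listing(lines):
    """Recompute the branch target of every matching line and compare it with
    the label the disassembler printed. Non-branch lines are skipped."""
    results = []
    for line in lines:
        m = LISTING_RE.match(line.strip())
        if not m:
            continue
        address = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2))      # fromhex ignores the spaces
        decoded = decode_relative_branch(address, code)
        if decoded is None:
            continue
        mnem, length, target = decoded
        claimed = int(m.group(4), 16)
        results.append({
            "address": address, "mnemonic": mnem, "length": length,
            "claimed": claimed, "computed": target, "ok": target == claimed,
        })
    return results


# The branch lines quoted in this tutorial, plus one CONSTRUCTED bad line at
# the end whose label does not match its bytes.
LISTING = [
    ".text:00402098 7D 10             jge     short _text_4020AA",
    ".text:004020B5 E8 F8 B5 02 00    call    _text_42D6B2",
    ".text:004020C6 E8 64 D5 02 00    call    _text_42F62F",
    ".text:004020F2 E8 61 DA 03 00    call    _text_43FB58",
    ".text:004020FA 75 07             jnz     short _text_402103",
    ".text:004020FE E8 0D FC FF FF    call    _text_401D10",
    ".text:00402109 7D 1B             jge     short _text_402126",
    ".text:0040212E E8 60 D1 02 00    call    _text_42F293",
    ".text:00402000 EB 10             jmp     short _text_402020",   # constructed mismatch
]

if __name__ == "__main__":
    for r in check_listing(LISTING):
        verdict = "ok" if r["ok"] else "MISMATCH, label says %08X" % r["claimed"]
        print("%08X %-10s %d bytes -> %08X (%s)" % (
            r["address"], r["mnemonic"], r["length"], r["computed"], verdict))
```

Running it confirms all eight branches from the page, including the backward call at 4020FEh whose displacement FFFFFC0Dh is negative, and reports the constructed last line as a mismatch (its bytes actually point at 402012h).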
1st run SoftICE, break on this address and change the flags so it will jump, meaning turn the S flag off. What do we see? Well, I see a nice nag "you have -317 days left to evaluate..". Neat! That means we change that jge to jmp and eliminate the nag like I explained at first, and we're all done! :D

Hope it helped you out. Bu-bye! Don't forget to e-mail for suggestions and stuff.

ufk@hotmail.com
ICQ: 1416041
IRC Nick: UFK

code, display the nag, tell it to quit straight away, and then proceed with the main code.