Zbrush by Pixologic: A Fun, New 3D Sculpting Program with a Thoughtful Protection Scheme
6/30/00
by Sojourner
"There is a crack, a crack in everything. That's how the light gets in."
Rating: ( ) Beginner  (x) Intermediate  ( ) Advanced  ( ) Expert
This one took some decent brainpower but was well worth it if you use this sort of prog.
This program was a blast from the get-go. I had seen the advertisement for it in one of the 3D mags out in the market and thought it looked very cool. It is still in beta and this is a free download that requires a password to run. I guess I should say, it used to require a password to run. What we will accomplish today is: 1. Get rid of the need for a password at all, then 2. Be able to change our computer clock forward and back without having to worry about the prog shutting down.
Tools:
w32dasm 8.x -- your choice of flavors
hex editor -- UltraEdit 7.xx or whatever you want to use
resource tool -- I use Restorator 2.5
Just go to this site and then download what you need. You will have to have a usable email address in order to get a password sent to you. A minor form of protection.
History lesson: As mentioned earlier, this program is still in beta, but I understand the company is already ramping up to sell a pre-1.0 version to the public. At this writing the company is providing beta build 954b. It has never been offered before, and this is the company's first product.
All right. Have you gotten the prog yet? You cannot follow along without something to look at. Now go get that program and have a little fun before you disassemble it. Back so soon? Got your password already? Of course I want you to have it at first, because how else are you going to know how to follow the schema of these programmers at Pixologic? You do get one shot:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0060C74B(C)
|
:0060C768 BAC4D28400              mov edx, 0084D2C4
:0060C76D 8D4C2420                lea ecx, dword ptr [esp+20]
:0060C771 E84A631400              call 00752AC0
:0060C776 85C0                    test eax, eax
:0060C778 5F                      pop edi
:0060C779 5E                      pop esi
:0060C77A 5D                      pop ebp
:0060C77B 5B                      pop ebx
:0060C77C 7409                    je 0060C787             <--HERE
:0060C77E B001                    mov al, 01
:0060C780 81C410010000            add esp, 00000110
:0060C786 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0060C77C(C)
|
:0060C787 6840000100              push 00010040

* Possible StringData Ref from Data Obj ->"Incorrect password"
|
:0060C78C 68E0BC7E00              push 007EBCE0

* Possible StringData Ref from Data Obj ->"ZBrush password is date sensitive."
|
:0060C791 68F4BC7E00              push 007EBCF4
:0060C796 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0060C798 FF1578C47D00            Call dword ptr [007DC478]
:0060C79E 6AFF                    push FFFFFFFF
:0060C7A0 E8DE6A1B00              call 007C3283

So, already we know that the program needs a password and that the password lets you have a certain amount of time to play, based on a date format. This is very important. If you enter the password as given, there is a certain amount of time you are allocated. On the other hand, if you set your computer date way ahead after that, as you know I do frequently, and try to run the prog, you'll have to re-register after you get the above message, because, remember, "ZBrush password is date sensitive." Of course, if you were anyone else, you'd have to go back to Pixologic and request another password. Obviously, we aren't just the guy down the street.
We are reversers and crackers. Antiprogrammers, in a way, I guess. Incidentally, if you set your clock back to before you first ran the prog and registered it, let's just say a year, you will definitely have a problem, because Zbrush does not like that one bit. It just refuses to load at all, but you do get a little box:

* Possible StringData Ref from Data Obj ->"\winmemai.MEM"
|
:0060CBE0 B930BF7E00              mov ecx, 007EBF30
:0060CBE5 E866621400              call 00752E50
:0060CBEA 6A01                    push 00000001
:0060CBEC 8D84249C000000          lea eax, dword ptr [esp+0000009C]
:0060CBF3 50                      push eax
:0060CBF4 8BCE                    mov ecx, esi
:0060CBF6 E8454ADFFF              call 00401640
:0060CBFB 85C0                    test eax, eax           <--HERE

* Reference To: KERNEL32.GetWindowsDirectoryA, Ord:017Dh
|
:0060CBFD 8B2DA0C27D00            mov ebp, dword ptr [007DC2A0]
:0060CC03 0F85B6000000            jne 0060CCBF
:0060CC09 6840000100              push 00010040

* Possible StringData Ref from Data Obj ->"Startup error"
|
:0060CC0E 6840BF7E00              push 007EBF40

* Possible StringData Ref from Data Obj ->"Startup error has been detected. "
                                  ->"Please email support@pixologic.com "
                                  ->"for correction code#9522."
|
:0060CC13 6850BF7E00              push 007EBF50
:0060CC18 6A00                    push 00000000

OK, if you've had enough playing, then we can get to work. This program really has a nice time protection built in. You'll notice that the main executable is quite large. Everything we need is inside that package. There is a unique resource: zresdv954b.zrs. Probably stands for the Zbrush DemoVersion resource, build 954b (zresdv954b). It doesn't really matter that we can't easily get inside it. You can go ahead and look inside zbrush.exe, though. It has everything we really need. While you're at it, if you have a resource tool, have a look around inside the executable. Lots of goodies there. Time to work. Run everything through w32dasm. You should encounter very few problems. Right off the bat you'll notice a splash screen and then the opportunity to register your prog.
If you single-step at this registration screen you'll end up inside a message area from which you can begin to set some breakpoints if you backtrack enough. Certainly, you should set breakpoints at your password error areas, such as the one above at 0060C77C. Please note that just above 0060C77C, at 0060C776 85C0 test eax, eax, we are testing this condition to determine the jump state. It is imperative to just NOP the

:0060C77C 7409                    je 0060C787             <--HERE

so the flow continues down the pipe. As you see, al is then loaded with 01. Now, the other place to catch the password prob is here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0060CA7F(C)
|
:0060CABA BAC4D28400              mov edx, 0084D2C4
:0060CABF 8D4C2464                lea ecx, dword ptr [esp+64]
:0060CAC3 E8F85F1400              call 00752AC0
:0060CAC8 85C0                    test eax, eax           <--HERE
:0060CACA 0F8531FDFFFF            jne 0060C801
:0060CAD0 8B442420                mov eax, dword ptr [esp+20]
:0060CAD4 8B542418                mov edx, dword ptr [esp+18]
:0060CAD8 8B4C241C                mov ecx, dword ptr [esp+1C]
:0060CADC 40                      inc eax
:0060CADD 81C280510100            add edx, 00015180
:0060CAE3 3BC1                    cmp eax, ecx
:0060CAE5 89442420                mov dword ptr [esp+20], eax
:0060CAE9 89542418                mov dword ptr [esp+18], edx
:0060CAED 0F8E68FDFFFF            jle 0060C85B

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0060C840(C)
|
:0060CAF3 6840000100              push 00010040

* Possible StringData Ref from Data Obj ->"Incorrect password"
|
:0060CAF8 68D8BD7E00              push 007EBDD8

* Possible StringData Ref from Data Obj ->"ZBrush password is date sensitive."
|
:0060CAFD 68ECBD7E00              push 007EBDEC
:0060CB02 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh
|
:0060CB04 FF1578C47D00            Call dword ptr [007DC478]
:0060CB0A 6AFF                    push FFFFFFFF
:0060CB0C E872671B00              call 007C3283

Through much trial and error I discovered that if you change (see above):

:0060CAC8 85C0                    test eax, eax

to

:0060CAC8 4090                    inc eax, nop

the program will proceed without any problem with any password you may put in.
Now what about that lame nag message when we reset our system clock? That's next. I was just getting to it. Be patient. See here? Change the:

:0060CBFB 85C0                    test eax, eax

to

:0060CBFB 4090                    inc eax, nop

and now you will always force the jump over that lame nag message. There is still one slight little problem. If you go back in time as I have done, or even as you may have done, you'll find that the program still does not run. I welcome you to dig a little deeper to find the solution. This will take you through the deep, dark codewoods, with gnarled and hideously twisted trunks of seemingly mazelike assembly code. Keep trudging on and you will break through into the light, looking upon a beautiful, verdant meadow of satisfaction. Now wipe the sweat from your dirty, bug-bitten face and plunge into the cool, clean, healing waters of insight in the middle of the flowered meadow. I will give you one last bit of info to get you back home.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0060CFC9(C)
|
:0060CFD2 8B08                    mov ecx, dword ptr [eax]
:0060CFD4 B807452EC2              mov eax, C22E4507
:0060CFD9 F7E9                    imul ecx
:0060CFDB 03D1                    add edx, ecx
:0060CFDD C1FA10                  sar edx, 10
:0060CFE0 8BCA                    mov ecx, edx
:0060CFE2 C1E91F                  shr ecx, 1F
:0060CFE5 03D1                    add edx, ecx
:0060CFE7 790C                    jns 0060CFF5            <--HERE
:0060CFE9 E8D2F1FFFF              call 0060C1C0
:0060CFEE 6AFF                    push FFFFFFFF
:0060CFF0 E88E621B00              call 007C3283

So what do we do? All you need to do is to change:

:0060CFE7 790C                    jns 0060CFF5

to

:0060CFE7 EB0C                    jmp 0060CFF5

Now the program will not shut down without warning! You still have three more problems to deal with by yourself. 1. The annoying, incessant password screen. 2. Worse, maybe to me anyway, are the nags that want you to always click on them. There are two. So that makes three problems to deal with. Good luck! Of course, I have the complete crack, but I will only give it to someone who can give me the answer to at least one of the three problems left above. I want the offset and the complete fix in assembly for whichever problem you solve. Persistence and perseverance pay off! Incidentally, my patch program is not floating around on any servers, yet.
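The multiply/shift run at 0060CFD2 through 0060CFE5 is a compiler's constant-division idiom, the same one you meet whenever a program turns a second count into days. The C below is an added example, not code from the essay or from Pixologic: it emulates that instruction sequence step by step on a signed 32-bit input (the dword loaded from [eax]) and compares it with a plain division by 86400, the 00015180 also added per iteration in the loop at 0060CADD, so you can see for yourself that the jns at 0060CFE7 is just asking "is the day count negative?". The sample inputs are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Multiplier from 'mov eax, C22E4507'. Read as a signed 32-bit value it is
 * -1037155065; with the later shift by 16 it approximates 2^48 / 86400. */
static const int32_t MAGIC = (int32_t)0xC22E4507u;

/* Emulates 0060CFD2..0060CFE5. Each statement mirrors one instruction. */
int32_t zb_days(int32_t n)
{
    int64_t prod = (int64_t)n * (int64_t)MAGIC;      /* imul ecx: edx:eax = n * MAGIC  */
    int32_t edx  = (int32_t)(prod >> 32);            /* edx = high 32 bits of product  */
    edx = (int32_t)((uint32_t)edx + (uint32_t)n);    /* add edx, ecx  (wraps mod 2^32) */
    edx >>= 16;                                      /* sar edx, 10 (arithmetic shift) */
    uint32_t sign = (uint32_t)edx >> 31;             /* mov ecx, edx ; shr ecx, 1F     */
    return (int32_t)((uint32_t)edx + sign);          /* add edx, ecx: round toward 0   */
}

/* What the compiler started from: truncating division, seconds -> days. */
int32_t ref_days(int32_t n) { return n / 86400; }

/* The 'jns 0060CFF5' that follows: continue when the day count is
 * non-negative, otherwise fall into the call at 0060CFE9. */
int zb_rollback_detected(int32_t n) { return zb_days(n) < 0; }

/* Self-check over constructed inputs, including the day boundaries and
 * the 32-bit extremes; returns 1 when the emulation matches ref_days. */
int zb_matches_reference(void)
{
    const int32_t samples[] = { 0, 1, 86399, 86400, 172800, -1, -86399,
                                -86400, -86401, INT32_MAX, INT32_MIN };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        if (zb_days(samples[i]) != ref_days(samples[i]))
            return 0;
    return 1;
}

int main(void)
{
    const int32_t show[] = { 86400, -1, -86400 };
    for (size_t i = 0; i < 3; i++)
        printf("%7d s -> %3d days, shutdown=%d\n", show[i],
               zb_days(show[i]), zb_rollback_detected(show[i]));
    return zb_matches_reference() ? 0 : 1;
}
```

Because the quotient is truncated toward zero, the sign test only fires once the input is a full day negative; a check that compares the raw second count, or keeps a high-water mark of the last date it saw, has no such gap.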
This was a somewhat in-depth lesson, but certainly worth having to look at to figure things out. Until later. If you have any questions, please feel free to contact me at jomamameister@yahoo.com.