Cracking Family Archive v1.1.4
Made By UFK
Updated in: 03/20/99
------------------------------------------

Hiya people. It's time for my 3rd tutorial. Hope you liked the last two. This one has a really easy protection: a 30 days trial. What you need for this one is IDA, SoftICE and of course a hex editor at the end.

OK, so let's start. Download the program! Done already? Run the program! Yeah.. it runs nicely.. nice little program.. Now let's check some stuff out: press on things, see how nicely they work. Now press on that nice little cat. You get this nice window that says "Unregistered version". Ewewew, we hate that! And of course you can press on "Register" blah blah blah.. Welp, let's start.

Run IDA, start disassembling the program and wait for it to finish. People always like to play with SoftICE. I like to play with it! Well, you can try to break on several things and check them out, but I won't explain that here, because it's not going to help you at all with this one :)

It's a 30 days trial, right? So let's see what it says. Change your system date to a year later or something and run the program. What do we have here??!?! A NAG SCREEN!!! Whoohoo, scary! Let's do a binary search for the text in that window: press Alt-B and search for "you are using this product". Did we find it? Yep! But there's no X-Ref to it. What do we do? Let's try searching for "Unregistered" instead. And yep! We find it at CODE:004C5BA8 and there's one X-Ref to it. OK, let's press on the X-Ref and see where it goes:

    CODE:004C5B40 CODE_4C5B40:
    CODE:004C5B40 BA A8 5B 4C 00       mov edx, offset str->UnregisteredCop

(You may see it a bit differently.) Cool! It moves the offset of that string into edx, and there's a label on it. Let's press on its X-Ref, and what do we see here?

    CODE:004C5AF9 74 45                jz short CODE_4C5B40
    CODE:004C5AFB BA 84 5B 4C 00       mov edx, offset str->ThisCopyIsLicen

Let's see! If it doesn't jump it will use the "This copy is licensed..." string instead of the "Unregistered" one. So we change the jz to 2 NOPs (it's a two byte short jump, 74 45) and we're done! It will never jump! :)

OK, so this is good just for the window that appears when we press on the cat picture. But what about the nag screen when the trial is over? We really can't find an X-Ref to the strings in the nag screen, and it's hard to break on CreateWindow or something with SoftICE. So what can we do? Here's the thing: let's check what the program checks before that JZ :) Follow my lead? Not yet? OK. Let's move up a few lines before the Jump if Zero:

    CODE:004C5AF1 A1 44 A1 4F 00       mov eax, ds:DATA_4FA144
    CODE:004C5AF6 80 38 00             cmp byte ptr [eax], 0
    CODE:004C5AF9 74 45                jz short CODE_4C5B40
    CODE:004C5AFB BA 84 5B 4C 00       mov edx, offset str->ThisCopyIsLicen

Here we see that it moves an address into eax and then compares the byte at that address with zero. So let's press on that address and see where it takes us:

    CODE:004C5AF1 A1 44 A1 4F 00       mov eax, ds:DATA_4FA144   <- PRESS HERE!
                                                   ^^^^^^^^^^^

    DATA:004FA144 94 D2 4F 00          DATA_4FA144 dd offset BSS_4FD294 ; DATA XREF: CODE_4C35E4+6
                                                                         ; CODE:004C5077
                                                                         ; CODE:004C5113 ...

OK, we see that this thingy points to an address (a byte in the BSS, the flag the program tests to decide between "Unregistered" and "This copy is licensed") and it has 8 X-Refs! So what can we do now? My idea is to go to each of the X-Refs, see what it does with this data and whether there's a jz or jnz on it, so we can set breakpoints with SoftICE and see which one we need. Don't follow? Well, keep reading, it will get clearer :)

Press on the 1st X-Ref, "CODE_4C35E4+6". It moves us to:

    CODE:004C35EA A1 44 A1 4F 00       mov eax, ds:DATA_4FA144
    CODE:004C35EF 80 38 00             cmp byte ptr [eax], 0
    CODE:004C35F2 75 2A                jnz short CODE_4C361E

OK, we see that it takes the flag, compares it to 0 and jumps if it's not equal to 0. So let's note the address of the jnz for later on. Now press Esc to go back to the X-Ref list and go to the 2nd X-Ref, "CODE:004C5077". In this one we have lots of lines with nothing important: there's "mov eax, ds:DATA_4FA144", that's our data, then some xors, pushes, calls to a procedure and a "test al, al". That's got nothing to do with us, it probably checks the return value of the procedure.

Press Esc and move to the 3rd X-Ref. Again nothing interesting. Press Esc and move to the 4th X-Ref. Here is something very interesting: this is the check we eliminated at the beginning of the tutorial, remember? So when you press on the cat it will say "registered". Press Esc and move to the 5th X-Ref. It brings us to the same place as the 4th. Why? Because the program loads that data twice before actually checking it. Why? Who cares! :D Press Esc and move to the 6th X-Ref. Nothing interesting. Press Esc and move to the 7th X-Ref. Ah ah!

    CODE:004EE10B A1 44 A1 4F 00       mov eax, ds:DATA_4FA144
    CODE:004EE110 0F 94 00             setz byte ptr [eax]
    CODE:004EE113 A1 44 A1 4F 00       mov eax, ds:DATA_4FA144   (if you didn't notice, this is our 8th X-Ref)
    CODE:004EE118 80 38 00             cmp byte ptr [eax], 0
    CODE:004EE11B 0F 85 DE 00 00 00    jnz CODE_4EE1FF

This is where the flag actually gets written: setz stores a 1 in that byte if the zero flag was set by whatever was compared just before it, and right after that the code reads the byte back, compares it with 0 and jumps if it isn't 0. Cool! We have another jump! Only this time it's a jnz, and a 6 byte near one instead of a 2 byte short one. OK, so we'll note this address too. Now we have 2 addresses. One is 4C35F2, from:

    CODE:004C35F2 75 2A                jnz short CODE_4C361E

and the 2nd is 4EE11B, from:

    CODE:004EE11B 0F 85 DE 00 00 00    jnz CODE_4EE1FF

Now what we're going to do is start the SoftICE Symbol Loader, load our program, and when SoftICE breaks before the program starts, set breakpoints on those two addresses with BPX, prefixed with 001B: bpx 001B:004C35F2 and bpx 001B:004EE11B. Why 001B? That's the code selector of your program (under Win9x every user mode program runs its code in selector 001B), not an offset :) How do I know? Well, that's a fact! And besides, when SoftICE breaks it breaks on the first instruction of the program and you see that selector in front of the address: 001B:bla bla bla. OK, now set BPX on both addresses and let the program run. What do you say?

It breaks at 4EE11B:

    CODE:004EE113 A1 44 A1 4F 00       mov eax, ds:DATA_4FA144
    CODE:004EE118 80 38 00             cmp byte ptr [eax], 0
    CODE:004EE11B 0F 85 DE 00 00 00    jnz CODE_4EE1FF           <- BREAKS HERE!!

OK, now flip the Zero flag from set to clear (so the jnz gets taken) and continue running the program. YES!!! IT'S WORKING!!! That means you have to change the jnz into a JMP. Done! See? Wasn't too hard.

Now how do you find where this code is in the exe file? Well, you can search for the hex bytes of the instructions, but that's annoying. There's a nice program made by the mighty one, Iczelion, called "Virtual Address to File Offset". You load the exe file with it, type in the memory address, and it gives you the offset of it in the exe file itself. Cool, ah? :D You can download it at his site, iczelion.cjb.net.

I want to thank ytc and Iczelion and anyone else who helped me in cracking.

Bu-bye for now!
ufk@hotmail.com
ICQ: 1416041
IRC Nick: UFK
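The two things the tutorial leaves to tools, turning a virtual address into a file offset and writing the patched bytes, are small enough to do by hand. The script below is an added example written for this page; it is not UFK's procedure as published and not Iczelion's "Virtual Address to File Offset" utility, although va_to_file_offset() does the same section table arithmetic that utility does. It also decodes the jump targets from the opcode bytes (which is how you can check that 74 45 at 004C5AF9 really lands on CODE_4C5B40) and applies both patches: jz short to two NOPs, and jnz rel32 to nop; jmp rel32, a form that keeps the original displacement valid. The PE image built by make_sample_pe() is a constructed skeleton whose layout (ImageBase 0x400000, one CODE section at RVA 0x1000 stored at file offset 0x400) is an assumption for the demo; apart from the bytes planted at the two tutorial addresses it is zero padding, not the real Family Archive executable.

```python
# Added example for this page (not UFK's tool, not Iczelion's utility): VA -> file
# offset for a PE32 image, then the two byte patches from the tutorial. The PE
# built by make_sample_pe() is a constructed skeleton, not Family Archive itself.
import struct

IMAGE_BASE = 0x00400000   # assumed for the sample; parse_pe() reads the real one
JZ_SITE = 0x004C5AF9      # jz short CODE_4C5B40   74 45
JNZ_SITE = 0x004EE11B     # jnz CODE_4EE1FF        0F 85 DE 00 00 00

def parse_pe(data):
    """Return (image_base, sections); each section is (rva, vsize, raw_ptr, raw_size)."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    if magic != 0x10B:    # PE32 only; PE32+ keeps a 64-bit ImageBase at opt + 24
        raise ValueError("not a PE32 image")
    image_base, = struct.unpack_from("<I", data, opt + 28)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i     # IMAGE_SECTION_HEADER is 40 bytes
        vsize, rva, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections

def va_to_file_offset(va, image_base, sections):
    """File offset of the byte the loader places at virtual address va."""
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:     # e.g. a BSS tail: exists in memory only
                raise ValueError(f"{va:#010x} has no backing bytes in the file")
            return raw_ptr + delta
    raise ValueError(f"{va:#010x} is outside every section")

def jcc_target(va, code):
    """Target of the conditional jump at va (checks the IDA listing's labels)."""
    if 0x70 <= code[0] <= 0x7F:                      # Jcc rel8, 2 bytes
        return va + 2 + struct.unpack_from("<b", code, 1)[0]
    if code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:  # Jcc rel32, 6 bytes
        return va + 6 + struct.unpack_from("<i", code, 2)[0]
    raise ValueError("not a conditional jump")

def nop_short_jz(image, off):
    """74 xx -> 90 90: the jz is never taken."""
    if image[off] != 0x74:
        raise ValueError(f"expected jz short at file {off:#x}, got {image[off]:02X}")
    image[off:off + 2] = b"\x90\x90"

def force_near_jnz(image, off):
    """0F 85 d32 -> 90 E9 d32: always taken. NOP first, so the jmp ends where the
    jnz ended and the rel32 displacement stays valid without recomputing it."""
    if image[off:off + 2] != b"\x0F\x85":
        raise ValueError(f"expected jnz rel32 at file {off:#x}")
    image[off:off + 2] = b"\x90\xE9"

def make_sample_pe():
    """Constructed PE32 skeleton: one CODE section, RVA 0x1000 -> file 0x400."""
    raw_size = 0x100000                               # 1 MiB covers both sites
    dos = bytearray(b"MZ" + bytes(0x3A) + struct.pack("<I", 0x40))  # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)             # PE32 magic
    struct.pack_into("<I", opt, 28, IMAGE_BASE)
    sec = struct.pack("<8sIIII", b"CODE", raw_size, 0x1000, raw_size, 0x400) + bytes(16)
    image = dos + b"PE\0\0" + coff + opt + sec
    image += bytes(0x400 - len(image)) + bytes(raw_size)
    base, secs = parse_pe(image)
    off = va_to_file_offset(JZ_SITE, base, secs)      # plant the tutorial's bytes
    image[off:off + 2] = b"\x74\x45"
    off = va_to_file_offset(JNZ_SITE, base, secs)
    image[off:off + 6] = b"\x0F\x85\xDE\x00\x00\x00"
    return image

def patch_family_archive(image):
    """Apply both patches; return offsets, decoded targets and the new bytes."""
    base, secs = parse_pe(image)
    jz_off = va_to_file_offset(JZ_SITE, base, secs)
    jnz_off = va_to_file_offset(JNZ_SITE, base, secs)
    targets = (jcc_target(JZ_SITE, image[jz_off:jz_off + 2]),
               jcc_target(JNZ_SITE, image[jnz_off:jnz_off + 6]))
    nop_short_jz(image, jz_off)
    force_near_jnz(image, jnz_off)
    return {"jz_off": jz_off, "jnz_off": jnz_off, "targets": targets,
            "jz_bytes": bytes(image[jz_off:jz_off + 2]),
            "jnz_bytes": bytes(image[jnz_off:jnz_off + 6])}
```

For the real executable you would read the file into a bytearray, run patch_family_archive() on it and write it back; parse_pe() takes ImageBase and the section table from the file, so the IMAGE_BASE constant only seeds the sample. The byte checks in nop_short_jz() and force_near_jnz() are there on purpose: if the offset arithmetic is wrong you want the script to refuse rather than quietly corrupt two bytes somewhere else.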