*****************************************************************************
*Subject: Cracking                                                          *
*Target: Partit v2.01                                                       *
*Author: BlackB                                                             *
*Date: 1999-08-05                                                           *
*Tools used: W32DSM89, Hex Workshop, SoftIce                                *
*Difficulty (scale 1-5): 1                                                  *
*Requirements: Basic knowledge of cracking                                  *
*****************************************************************************


1. Intro
~~~~~~~~

Hi there!! This is my first tutor, written especially and exclusively for the
EVC group. A miracle, coz I've got a lot of work in August :-/ Nevertheless I
enjoyed writing this tutor... spreading more cracking knowledge! :-)


2. Tha Program: Partit v2.01
~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Nice looking interface... but I still don't know why I'd use a file splitter,
as all compression programs can split their archives to fit on 1.44 MB disks.
However, that's not why I wrote this tutor...

Tha protection: nag screen, 30-day trial and some limitations... in short, the
shareware program just sux big time!


3. Cracking Partit v2.01
~~~~~~~~~~~~~~~~~~~~~~~~

Aha, the most important part of this essay ;)

Load the program into our favorite SoftICE Symbol Loader (however... use
SoftICE v3.24 or lower, since the newer versions crash like hell!). Press
CTRL-D and let the program run... the nag screen appears and you get several
options. Choose "Enter keycode". Fill in a bogus key, your name and your
company. Go back to SoftICE and set a breakpoint on GetDlgItemTextA
(bpx GetDlgItemTextA). You see this:

(Remark! The code presented below is quite long. The important steps are
explained. Remember that you can only explain those steps by tracing through
the code and trying to understand what they do.)

-------------------------Start of partial code-------------------------------

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
                                  |
:00402610 E8D5AC0400              Call 0044D2EA

* Possible Reference to String Resource ID=00080: "Operation Aborted! Drive %.2s is not available on your syst"
                                  |
:00402615 6A50                    push 00000050
:00402617 8D8560FFFFFF            lea eax, dword ptr [ebp+FFFFFF60]
:0040261D 50                      push eax
:0040261E 6A65                    push 00000065
:00402620 8B16                    mov edx, dword ptr [esi]
:00402622 8B4A0C                  mov ecx, dword ptr [edx+0C]
:00402625 51                      push ecx

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
                                  |
:00402626 E8BFAC0400              Call 0044D2EA

* Possible Reference to String Resource ID=00080: "Operation Aborted! Drive %.2s is not available on your syst"
                                  |
:0040262B 6A50                    push 00000050
:0040262D 8D8510FFFFFF            lea eax, dword ptr [ebp+FFFFFF10]
:00402633 50                      push eax
:00402634 6A66                    push 00000066
:00402636 8B16                    mov edx, dword ptr [esi]
:00402638 8B4A0C                  mov ecx, dword ptr [edx+0C]
:0040263B 51                      push ecx

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
                                  |
:0040263C E8A9AC0400              Call 0044D2EA
:00402641 8D45B0                  lea eax, dword ptr [ebp-50]
:00402644 50                      push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h
                                  |
:00402645 E868A90400              Call 0044CFB2            [<- Gets the length of the keycode]
:0040264A 8BD8                    mov ebx, eax
:0040264C 8D8560FFFFFF            lea eax, dword ptr [ebp+FFFFFF60]
:00402652 50                      push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h
                                  |
:00402653 E85AA90400              Call 0044CFB2
:00402658 83FB05                  cmp ebx, 00000005        [<- Keycode must be longer than 5 chars]
:0040265B 0F8EE9000000            jle 0040274A
:00402661 83F804                  cmp eax, 00000004        [<- Username must be longer than 4 chars]
:00402664 0F8EE0000000            jle 0040274A

* Reference To: KERNEL32.GetTickCount, Ord:0000h          [<- Probably some sort of anti-debugging check]
                                  |
:0040266A E8E1A70400              Call 0044CE50
:0040266F 2BC7                    sub eax, edi
:00402671 83F801                  cmp eax, 00000001
:00402674 7607                    jbe 0040267D             [<- With SoftICE loaded it normally jumps,
                                                           [   but be aware: if you trace through
                                                           [   this code, it does NOT jump!]
:00402676 33DB                    xor ebx, ebx
:00402678 E9CF000000              jmp 0040274C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402674(C)
|
:0040267D 6A00                    push 00000000
:0040267F 8D850CFEFFFF            lea eax, dword ptr [ebp+FFFFFE0C]
:00402685 50                      push eax
:00402686 E87DEAFFFF              call 00401108
:0040268B 83C408                  add esp, 00000008
:0040268E 8D9560FFFFFF            lea edx, dword ptr [ebp+FFFFFF60]
:00402694 8D4DB0                  lea ecx, dword ptr [ebp-50]
:00402697 8D850CFEFFFF            lea eax, dword ptr [ebp+FFFFFE0C]
:0040269D 52                      push edx
:0040269E 51                      push ecx
:0040269F 50                      push eax
:004026A0 E893EFFFFF              call 00401638            [<- Validates your serial]
:004026A5 83C40C                  add esp, 0000000C
:004026A8 8BD8                    mov ebx, eax             [<- Moves the registered-or-not flag into ebx]
:004026AA 84DB                    test bl, bl              [<- Register the program?]
:004026AC 0F849A000000            je 0040274C              [<- Jumps if the serial is invalid, otherwise falls through]
:004026B2 33C0                    xor eax, eax
:004026B4 C6057C19460001          mov byte ptr [0046197C], 01   [<- SETS THE REGISTERED FLAG!!]
:004026BB 56                      push esi
:004026BC C6057D19460000          mov byte ptr [0046197D], 00   [<- Of no importance]

-------------------------End of partial code---------------------------------

What do ya say? NOP the "je 0040274C"?? Nope :p It would set the registered
flag, but somehow the program still won't be registered. BUT.....!! We now
know that memory location [0046197C] contains the registered flag! :-)

We could now disassemble the .EXE, search for every
"cmp byte ptr [0046197C], 00" and NOP out all the conditional jumps... but
that would be a lot of work, and in the end you would find that the program
has a second check, when you start it.

Close Partit, reload it in the SoftICE Symbol Loader and type "bpm 0046177C"
(= set a breakpoint on all instructions that read from or write to address
0046177C). Press CTRL-D to let the program run. Keep pressing CTRL-D until you
see this:

-------------------------Start of partial code-------------------------------

:0040150C E827010000              call 00401638            [<- Validates the serial!]
:00401511 83C40C                  add esp, 0000000C
:00401514 888700010000            mov byte ptr [edi+00000100], al   [<- Moves the registered-or-not
                                                                    [   flag into edi+100!!!]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401461(C), :0040146B(C)
|
:0040151A 68FDE14300              push 0043E1FD
:0040151F 6A01                    push 00000001
:00401521 6A03                    push 00000003
:00401523 6A18                    push 00000018
:00401525 8D55A4                  lea edx, dword ptr [ebp-5C]
:00401528 52                      push edx
:00401529 E8C67D0400              call 004492F4
:0040152E 83C414                  add esp, 00000014

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401409(C)
|
:00401531 80BF0001000000          cmp byte ptr [edi+00000100], 00   [<- Checks if registered]
:00401538 752E                    jne 00401568                      [<- Jumps if registered]

-------------------------End of partial code---------------------------------

You could make the program ALWAYS jump, but... again... then you would have
to search for ALL "cmp [edi+100]"s AND "cmp [46197C]"s... too much work :-)

So let's (try to) think logically:

- Our serial is checked when "call 00401638" is executed.
- The result is stored in AL.
- Then AL is put into [edi+100], bl or [0046197C].

So there was one good and short solution for me: NOP the "call 00401638" at
:0040150C and use those NOPs to move 1 into AL... don't understand? Look at
this:

[Before cracking]:

:0040150C call 00401638
:00401511 add esp, 0000000C

[After cracking]:

:0040150C mov al, 01
:0040150E nop
:0040150F nop
:00401510 nop
:00401511 add esp, 0000000C

Use HIEW to do this... hope you know how... otherwise: mail me :) The file
offset is 0B0C.

So... that's it! :-)


4. Outtro
~~~~~~~~~

All greets go to the EVC members: Magic Mike, sn00pee, Incredible Fighter,
SiGMA, r!sc and the otherz I forgot :)

Do I have to remind you that you should buy the program? Hehe, I just did :p

Visit my anti-virus homepage (no cracking page) at http://myplace.to.be/blackb

I'm searching for a web hosting provider that allows cracking content, to put
my cracking site on... if anyone can help me... thx :-)

BlackB [EVC] 1999
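The GetTickCount gate in the first listing (:0040266A to :00402674) is worth looking at on its own, because it shows both why a tight timing check trips under a tracer and why it is a fragile protection. The following is an added example, not code from the tutorial or from Partit: it rebuilds the gate in portable C. It assumes that edi holds an earlier tick reading (the tutorial does not say where edi comes from), that the tick source is a wrapping 32-bit millisecond counter like GetTickCount (stood in for here by the C11 clock), and that the threshold of 1 tick is the listing's "cmp eax, 00000001".

```c
/* Added example, not from the tutorial: a GetTickCount-style timing gate
 * like the one at :0040266A..:00402674, in portable C. Assumptions: edi held
 * an earlier tick reading; ticks are a wrapping 32-bit millisecond counter
 * (tick_ms() below stands in for GetTickCount); threshold 1 is the listing's
 * "cmp eax, 00000001". */
#include <stdint.h>
#include <stdio.h>
#include <time.h>

/* Millisecond counter truncated to 32 bits, so it wraps every ~49.7 days
 * exactly like GetTickCount. Stand-in for the Win32 call (assumption). */
static uint32_t tick_ms(void)
{
    struct timespec ts;
    timespec_get(&ts, TIME_UTC);
    return (uint32_t)((uint64_t)ts.tv_sec * 1000u + (uint64_t)ts.tv_nsec / 1000000u);
}

/* Ticks elapsed between two readings. Unsigned 32-bit subtraction is what
 * "sub eax, edi" computes, so a counter wrap between the two readings still
 * yields the right small difference instead of a huge one. */
uint32_t elapsed_ticks(uint32_t start, uint32_t now)
{
    return now - start;
}

/* The gate as the listing implements it: pass (the jbe is taken) when at
 * most `threshold` ticks elapsed since `start`; any longer delay is treated
 * as someone stepping through the code, and the serial check is skipped. */
int timing_gate_passes(uint32_t start, uint32_t now, uint32_t threshold)
{
    return elapsed_ticks(start, now) <= threshold;
}

/* Spin until at least `ms` ticks have passed, standing in for the pause a
 * single-stepping debugger introduces between the two readings. */
static void stall_ms(uint32_t ms)
{
    uint32_t t0 = tick_ms();
    while (elapsed_ticks(t0, tick_ms()) < ms) { /* busy wait */ }
}

/* What the protected program sees: a back-to-back reading passes, a 20 ms
 * stall fails. With a 1 ms threshold the first case can also fail on a busy
 * machine, which is the false-positive risk of such a tight gate. */
int demo(void)
{
    uint32_t t0 = tick_ms();
    int fast = timing_gate_passes(t0, tick_ms(), 1);
    stall_ms(20);
    int slow = timing_gate_passes(t0, tick_ms(), 1);
    printf("back-to-back: %s, after 20 ms stall: %s\n",
           fast ? "pass" : "fail", slow ? "pass" : "fail");
    return fast && !slow;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

The unsigned subtraction matters: a check written as a signed comparison, or one that compares the raw readings instead of their difference, misbehaves at the 49.7-day wrap and rejects legitimate users; the listing's "sub eax, edi / cmp eax, 1" gets that part right, while its 1 ms budget gets it wrong the other way on any loaded machine.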
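The "before/after" patch in section 3 changes five bytes at file offset 0B0C, and the second check at startup only works because nothing in Partit verifies that the validation call is still there. As an added example, not from the tutorial or from Partit, here is the kind of integrity check a defender (or a developer of such a program) would use to tell an original PARTIT.EXE from a copy whose "call 00401638" at :0040150C has been overwritten. It assumes the file image is already loaded into memory, takes the known-good bytes straight from the listing (E8 27 01 00 00 followed by 83 C4 0C for "add esp, 0000000C"), and uses a constructed sample image; the tampered copy in demo() simply alters the call's opcode byte, since any change to the region is what the check must catch.

```c
/* Added example, not part of the tutorial: a file-integrity check that tells
 * an original PARTIT.EXE from a copy whose "call 00401638" at :0040150C
 * (file offset 0B0C) has been overwritten. Assumptions: the image is already
 * in memory; the known-good bytes are the listing's E8 27 01 00 00 followed
 * by 83 C4 0C (add esp, 0C); the sample image below is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CALL_FILE_OFFSET 0x0B0CU       /* file offset given in the tutorial */
#define CALL_VA          0x0040150CUL  /* virtual address of the call */
#define SAMPLE_LEN       0x1000U       /* size of the constructed sample image */

/* call 00401638 ; add esp, 0000000C -- bytes straight from the listing */
static const uint8_t KNOWN_GOOD[] = { 0xE8, 0x27, 0x01, 0x00, 0x00, 0x83, 0xC4, 0x0C };

typedef enum { REGION_INTACT = 0, REGION_TAMPERED = 1, REGION_OUT_OF_RANGE = 2 } region_state;

/* Compare a region of the image with reference bytes. The offset comes from
 * outside, so refuse out-of-range requests instead of reading past the buffer. */
region_state check_region(const uint8_t *image, size_t image_len, size_t offset,
                          const uint8_t *ref, size_t ref_len)
{
    if (image == NULL || ref == NULL || offset > image_len || image_len - offset < ref_len)
        return REGION_OUT_OF_RANGE;
    return memcmp(image + offset, ref, ref_len) == 0 ? REGION_INTACT : REGION_TAMPERED;
}

/* Decode a near call (E8 rel32) at `offset` and return its target VA, so a
 * report can say where the call goes instead of only "bytes differ".
 * Returns 0 when the byte there is not a near call or the read would overrun. */
uint32_t call_target(const uint8_t *image, size_t image_len, size_t offset, uint32_t call_va)
{
    if (image == NULL || offset > image_len || image_len - offset < 5 || image[offset] != 0xE8)
        return 0;
    uint32_t rel = (uint32_t)image[offset + 1]
                 | ((uint32_t)image[offset + 2] << 8)
                 | ((uint32_t)image[offset + 3] << 16)
                 | ((uint32_t)image[offset + 4] << 24);
    return call_va + 5 + rel;   /* rel32 is relative to the next instruction */
}

/* Constructed sample image: filler bytes with the known-good sequence at 0B0C. */
void build_sample(uint8_t *image)
{
    memset(image, 0xCC, SAMPLE_LEN);
    memcpy(image + CALL_FILE_OFFSET, KNOWN_GOOD, sizeof KNOWN_GOOD);
}

/* Run the check on an intact copy, then on a copy with the call altered.
 * Returns 1 when the verdicts are what a checker should produce. */
int demo(void)
{
    uint8_t image[SAMPLE_LEN];
    build_sample(image);

    region_state before = check_region(image, SAMPLE_LEN, CALL_FILE_OFFSET, KNOWN_GOOD, sizeof KNOWN_GOOD);
    uint32_t target = call_target(image, SAMPLE_LEN, CALL_FILE_OFFSET, CALL_VA);
    printf("intact copy : %s, call -> %08X\n",
           before == REGION_INTACT ? "intact" : "TAMPERED", (unsigned)target);

    /* Constructed tampered copy: the call's opcode byte replaced. Any change
     * inside the region trips the check; the exact bytes do not matter. */
    image[CALL_FILE_OFFSET] = 0x90;
    region_state after = check_region(image, SAMPLE_LEN, CALL_FILE_OFFSET, KNOWN_GOOD, sizeof KNOWN_GOOD);
    printf("altered copy: %s, call -> %08X\n",
           after == REGION_INTACT ? "intact" : "TAMPERED",
           (unsigned)call_target(image, SAMPLE_LEN, CALL_FILE_OFFSET, CALL_VA));

    return before == REGION_INTACT && target == 0x00401638UL && after == REGION_TAMPERED;
}

int main(void)
{
    return demo() ? 0 : 1;
}
```

Decoding the rel32 (0x127 added to the address of the next instruction, 00401511, gives 00401638) is the same arithmetic W32Dasm did to print "call 00401638", and it is what lets a tamper report name the expected target. Note also what the tutorial demonstrates about the protection itself: a single validation result copied into a global byte ([0046197C]) and a struct field ([edi+100]) means one five-byte edit defeats every later "cmp ..., 00", so a design that only checks a stored boolean has no defence once the file is patched; re-validating from the key material at the points where it matters, and verifying the code region that does so, is what this check is a small piece of.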