HOW TO CRACK Dz PERL Builder v2.01
get this from http://www.dzsoft.com
by +DzA kRAker (Regele Piratilor) dzakraker@yahoo.com

Perl (Practical Extraction and Report Language) is one of my favorite languages, and I think there are many others like me. Perl is an interpreted language optimized for scanning arbitrary text files, extracting information from those text files, and printing reports based on that information. It's also a good language for many system management tasks. The language is intended to be practical (easy to use, efficient, complete) rather than beautiful (tiny, elegant, minimal). It combines (in the author's opinion, anyway) some of the best features of C, sed, awk, and sh, so people familiar with those languages should have little difficulty with it. (Language historians will also note some vestiges of csh, Pascal, and even BASIC-PLUS.) Expression syntax corresponds quite closely to C expression syntax. Unlike most Unix utilities, Perl does not arbitrarily limit the size of your data: if you've got the memory, Perl can slurp in your whole file as a single string. Recursion is of unlimited depth. And the hash tables used by associative arrays grow as necessary to prevent degraded performance. Perl uses sophisticated pattern matching techniques to scan large amounts of data very quickly. Although optimized for scanning text, Perl can also deal with binary data, and can make dbm files look like associative arrays (where dbm is available). Setuid Perl scripts are safer than C programs through a dataflow tracing mechanism which prevents many stupid security holes. If you have a problem that would ordinarily use sed or awk or sh, but it exceeds their capabilities or must run a little faster, and you don't want to write the silly thing in C, then Perl may be for you. There are also translators to turn your sed and awk scripts into Perl scripts.

Enough definitions, let's talk about our target...
DzSoft Perl Editor is a tool for writing, editing and debugging Perl CGI scripts for Windows and Unix. Soundz good, heh? ...well, what do u think about this: "Note that if you haven't registered DzSoft Perl Editor, you will see the warning when you start the program and you will not be able to edit scripts larger than 6 kilobytes. To register, click Help -> Registration in the main window or visit the Registration section at http://www.dzsoft.com"

So we have to deal with:
1. The ugly "scroller nag" which shows for about 10 seconds before the progie starts
2. The most important: remove that damn limitation.

TOOLS WE WILL NEED:
W32DASM 8.9
Softice 4.x
HEXEDITOR (i use HIEW 6, but any other hex editor will do the job)
Exescope 5

1. THE NAG

I will not insist very much on how I removed the stupid nag, coz nags are very easy to do in most cases. The typical method of removing nags (which will work on DzSoft Perl Editor also) is to put a breakpoint on some API which is used a lot by the target application, then run your progie and wait for Softice to break (i always use bpx regqueryvalueexa). After Softice breaks, if u are not in the target process (in our case, pleditor.exe), press F12 until u are. Now start tracing with F10 until u meet the right call (the one which creates the nag). How do u know which call creates the nag? Well, when it's executed, u will be kicked out of the debugger... and the nag will show... after u press the "try" button, the debugger will pop again, just after that call. Now the only thing u have to do is type in TRW:

    d address_of_the_call

and write down the bytes (6 bytes). Now go in HIEW, press F7, look for those bytes; when u find them, nop them (nop = 90). For our nag: d 4A97E5, u should look for FF 92 D8 00 00 00 (u will find many references, but nop only the one from 4A97E5).
2. THE 6kb LIMITATION

Try to write a source which is bigger than 6kb; a message will pop: "U can't edit file larger than 6 kilobytes in the unregistered version. Please register". Now, maybe u will say: "Why don't we win32dasm pleditor.exe and look for that string?". It won't work... there are no strings! Same thing with IDA... Bpx messageboxa does not work... seems like a desperate situation... hEy, wait... there is an API we can breakpoint successfully! Listen to your speaker... now try to do something larger than 6kb... do we hear the beep from our speaker right when the limitation message shows? Hehe, now we can start tracing the code properly, coz we have our secret weapon: bpx messagebeep.

Enter Softice, type bpx messagebeep, now try to do something larger than 6kb again. Hehe, Softice pops in user32; now return to the caller with F11, in pleditor.exe. u will see the following code:

    0040C361 E8BE7BFFFF    call 00403F24
    0040C366 81C494000000  add esp, 00000094
    0040C36C C3            ret
    0040C36D 8D4000        lea eax, dword ptr [eax+00]
    0040C370 6A00          push 00000000
    0040C372 E861AEFFFF    Call USER32!MESSAGEBEEP

Good... now that we know this, a dead listing of pleditor.exe will be VERY useful. So, disassemble pleditor.exe... after the listing is ready, press goto/goto code location and enter the offset u saw in Softice (which is 40C372). Heh, the listing is looking far better than what we have in Softice, take a look:

    :0040C361 E8BE7BFFFF    call 00403F24

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    :0040C32D(C)
    :0040C366 81C494000000  add esp, 00000094
    :0040C36C C3            ret
    :0040C36D 8D4000        lea eax, dword ptr [eax+00]

    * Referenced by a CALL at Address:     ----->> HEHE.. THIS IS SOMETHING IMPORTANT
    :004A5BFC
    :0040C370 6A00          push 00000000

    * Reference To: user32.MessageBeep, Ord:0000h
    :0040C372 E861AEFFFF    Call 004071D8

Ok, we see the reference from the call at 4A5BFC... let's go there and see what happens :). Again, click goto/goto code location, and enter 4A5BFC.
If u have entered the offset correctly, u should see:

    :004A5BE3 E85051FDFF      call 0047AD38
    :004A5BE8 5A              pop edx
    :004A5BE9 E8C250FDFF      call 0047ACB0
    :004A5BEE 83FB06          cmp ebx, 00000006            --- compares ebx, which is our current source size, with 6 (the limit)
    :004A5BF1 7E60            jle 004A5C53                 --- if it's less than or equal to 6, jump over the bad call; otherwise fall through to it
    :004A5BF3 803D4AE64A0000  cmp byte ptr [004AE64A], 00  --- i wonder... is the user registered?
    :004A5BFA 7557            jne 004A5C53                 --- if it's not registered, fall through and execute this nasty call which follows
    :004A5BFC E86F67F6FF      call 0040C370

So we modify the jle at 4A5BEE into a jmp (EB), or the jne at 4A5BFA into a jmp or je. Let's try to edit something which is bigger than 6kb... worx perfectly now!

Though the job is not 100% done... try to open a perl source bigger than 6kb; a nag with 4 buttons will show... let's quickly remove the nag :) Open pleditor.exe in Exescope... click Resource/RCData... Hum... what's this: "TSIZELIMITFORM"? The nag form, of course. Click it, write down the offset (e9978). Hex edit pleditor.exe and go to offset e9978. The hex code of the nag begins with "TPF0"... let's see what happens if the proggie no longer finds the nag resource... rename TPF0 to whatever u want or simply nop the code. Cool, no more nag... just a message box with an OK button saying "invalid stream format"... after u click OK the proggie loads your source perfectly (not truncated!).

Now our final task is to remove the stupid message box which might become annoying (easy). Just do a bpx messageboxa in Softice just before you insert your "over-sized source"; Softice will pop... press F11... back to messagebox... press OK, back in Softice, u should see:

    44D415  push eax
    44D416  call user32!messageboxa

Replace push eax (50) with a nop (90) and the messageboxa will not show.

see ya in my next tut!
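Seen from the other side, every edit in this tutorial is a one-instruction change to the code image: a call overwritten with NOPs, a jle turned into jmp, a jne turned into je, a push eax dropped. That is exactly the class of change a reference-image integrity check catches. The script below is an added example of such a check (it is not code from the tutorial or from DzSoft): it diffs a candidate image against a trusted copy, reports every changed run of bytes, and labels the patch shapes used above. The byte images are constructed for illustration (they mirror the instruction shapes quoted in the tutorial, not real offsets in pleditor.exe), and the tiny opcode table is my own assumption, not a disassembler.

```python
"""Reference-image integrity check that reports and labels small code patches.

Constructed example: the REFERENCE bytes below imitate the instruction shapes
quoted in the tutorial (indirect call, cmp/jle, cmp/jne, push eax + call), and
PATCHED applies the four edits the tutorial describes to them.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Tuple

NOP = 0x90
# Minimal opcode table (assumption for this example; a real checker would disassemble).
COND_JUMPS = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}


@dataclass
class Change:
    offset: int      # file offset where the differing run starts
    before: bytes    # bytes in the trusted reference image
    after: bytes     # bytes found in the candidate image
    note: str        # human-readable classification of the patch


def _is_indirect_call(b: bytes) -> bool:
    # FF /2 is an indirect near call; the /2 lives in the reg field of the ModRM byte.
    return len(b) >= 2 and b[0] == 0xFF and ((b[1] >> 3) & 7) == 2


def describe(before: bytes, after: bytes) -> str:
    """Label a run of changed bytes using the patch shapes the tutorial relies on."""
    if all(x == NOP for x in after):
        if before[0] == 0xE8:
            return "call rel32 overwritten with NOPs (call removed)"
        if _is_indirect_call(before):
            return "indirect call (FF /2) overwritten with NOPs (call removed)"
        if before[0] == 0x50:
            return "push eax overwritten with NOP (stack argument dropped)"
        return "instruction bytes overwritten with NOPs"
    if len(before) == 1 and before[0] in COND_JUMPS and after[0] == 0xEB:
        return f"{COND_JUMPS[before[0]]} made unconditional (jmp)"
    if len(before) == 1 and before[0] in COND_JUMPS and after[0] in COND_JUMPS:
        return f"{COND_JUMPS[before[0]]} changed to {COND_JUMPS[after[0]]} (condition altered)"
    return "unclassified byte change"


def diff_images(ref: bytes, cand: bytes) -> List[Change]:
    """Group contiguous differing bytes into runs and classify each run."""
    changes: List[Change] = []
    n = min(len(ref), len(cand))
    i = 0
    while i < n:
        if ref[i] == cand[i]:
            i += 1
            continue
        start = i
        while i < n and ref[i] != cand[i]:
            i += 1
        before, after = ref[start:i], cand[start:i]
        changes.append(Change(start, before, after, describe(before, after)))
    if len(ref) != len(cand):
        changes.append(Change(n, ref[n:], cand[n:], "image length differs"))
    return changes


def image_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify(ref: bytes, cand: bytes) -> Tuple[bool, List[Change]]:
    """Cheap digest comparison first; only diff when something changed."""
    if image_digest(ref) == image_digest(cand):
        return True, []
    return False, diff_images(ref, cand)


# Constructed reference image (not pleditor.exe); offsets are relative to this blob.
REFERENCE = bytes.fromhex(
    "558bec"            # 0-2   push ebp; mov ebp, esp
    "ff92d8000000"      # 3-8   call dword ptr [edx+0D8h]  (nag-call shape)
    "83fb06"            # 9-11  cmp ebx, 6
    "7e60"              # 12-13 jle +60h
    "803d4ae64a0000"    # 14-20 cmp byte ptr [4AE64Ah], 0
    "7557"              # 21-22 jne +57h
    "e86f67f6ff"        # 23-27 call rel32
    "50"                # 28    push eax
    "e800000000"        # 29-33 call rel32 (stand-in for the MessageBoxA call)
    "c3"                # 34    ret
)

# The four patches the tutorial applies, reproduced on the constructed image.
_p = bytearray(REFERENCE)
_p[3:9] = bytes([NOP] * 6)   # nop the nag call
_p[12] = 0xEB                # jle -> jmp
_p[21] = 0x74                # jne -> je
_p[28] = NOP                 # drop push eax
PATCHED = bytes(_p)

if __name__ == "__main__":
    ok, changes = verify(REFERENCE, PATCHED)
    print("image intact" if ok else f"image TAMPERED: {len(changes)} change(s)")
    for c in changes:
        print(f"  +{c.offset:04x}: {c.before.hex()} -> {c.after.hex()}  {c.note}")
```

Running the script prints the four runs with their labels. The point for a defender is the first line of verify: a digest over the code region detects every one of these patches, however small, before any classification is attempted; the labelling is only there to make the report readable.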