Cracking Search Wolf
by Groovicus


And here's a tute that shows you how useful a string search inside a file can be. Read this carefully; it contains precious suggestions for all you newbies!
Thanks to +ORC and +fravia for sowing the seeds, and to +HCU'rs for showing
us the weeds from the flowers...

Target of this crack is SEARCH WOLF, which can be downloaded from
www.trellian.com. They also have a few other programs of great interest. The
program has on the surface a very simple reg-code protection, but on deeper
analysis we uncover a very clever protection scheme.


Anyway, I came across this snippet of text (742.644.146)

    It is really a rarity that we have to look elsewhere for anything. Be sure
    that you don't type in a request and walk away for 5 or ten minutes; these
    things are so damned fast and efficient that it will literally have
    20,000 files compiled for you and your damned puter will glitch on you.
    Be Advised: You may see a crack or two running around from time to time
    (not often though) for one or more of these wolfs. DO NOT TRY TO USE THEM.
    Use your heads a minute, these are the guys that thought up warez
    practically, they ain't brand new lamers. If you try to utilize a crack
    on a wolf it embeds a message in your comp that, when connecting to
    another computer, identifies you as a software thief!!! E-mail, Chats, etc.
    We have heard some very amusing stories regarding this humorous technique,
    and some others that they employ. You have been advised!!

Sounds very interesting...

TOOLS:

Soft-Ice
Wdasm
Hex editor

TARGET:

srchw202.exe       855 kb


Run the prog. A nag window pops up right off the bat letting you know that some
of the search engines are disabled, blah, blah. Click past and into the main
program. Click on the Register button. Standard reg code (user name + serial).
But let's not try to register it yet. Enter a search for whatever, and start the
search. (Incidentally, I was able to enable all of the engines just by
checking the boxes.)

Watch the window at the bottom. It will say "Contacting altavista, hotbot,
etc.." You should see two rather unusual calls, one being "www.trellian.com"
and the next being "contacting Wolf-HQ". Wonder what those are for?

Pretty soon our search is done, and the results are posted. Quit the program
and open Search32.exe in your hex editor. Here are a couple of interesting snippets...

       "Ask yourself, do you think it Wise to use a pirate copy in a Network
       environment where one can so easily be traced? "

       ?filename=se&sn=
 

Also, if you look carefully, you will be able to find the base comparison code
that will tell you the first three digits of the reg code, along with the length
of the reg-code and its spacing. (Look awhile, you'll find it.) You'll also find the
register nag strings, the registration accepted strings, and other typical stuff.

Close out of this, and let's look at the directory tree. There should be
interesting things like license1.txt, license2.txt, and search.idx.

Now that we have some preliminary information, let's get to work.


Start Search Wolf and open the registration window. Enter your name and a
bogus passcode based on the string you found while fishing with your hex editor.
Enter Soft-Ice and set your favorite bpx (mine was hmemcpy). Leave Soft-Ice,
enter your registration, and we're back in Soft-Ice. Do a search for your
registration number. Once you find the right location (shouldn't be too hard)
start stepping through the program, stepping into calls. Eventually your proper
code will be mirrored very, very close by. Disable your breakpoints, and enter
your proper registration.

Incidentally, mine is as follows:
User: groovicus   Serial: SE3x-993728.

But don't use this code just yet, for two reasons. One, the correct code is
easily fished out, and a beginner with even a slight knowledge of Soft-Ice
will be able to do it. Just be patient... You may have to trace through a
couple of times to figure out which calls to step into and which ones you can
step over. The second reason is the one we want to discuss.

First, look in search.ini. You should see your name and code written there.
Great. Let's continue. Remember the calls we saw to trellian and Wolf-HQ?
Let's investigate that a little more. Open up your hex editor and open
search32.exe again. Search for instances of trellian.com. You should find the
following:

http://www.trellian.com/download/search.idx Wolf HQ SE1-000000 ?filename=se&sn=
http://www.trellian.com/cgi-bin/msw/getfile Content-type: application/x-www-form-urlencoded Content-Length:     Connecti

    %rx/%x  FREQ=   search.ini  search32.exe    search.exe  %li/%li VERSION=
    Message from Wolf HQ    VER1=   BYE MESSAGEVEQ= MESSAGEV=   MESSAGE=    Newsflash from Wolf HQ  NEWS=   %x/x%   id=%s

  licensee=%s
    newwin=%i
  next=%i
    filenew=%i
 file=%i
    upgradenew=%i
  upgrade=%i
 version=%i
 lastwarn=%i
    accept=%i
  port=%i
    proxy=%s
   deffile=%s
 browser=%s
 news=%i
    hits=%i
    timeout=%li
    packcount=%i
   Unable to open file 'search.ini'    search.idx  newwin= next=   filenew=    file=   upgradenew= upgrade=    version=    port=   lastwarn=   accept= sort=   licensee=   id= 


Now we have to ask a couple of questions. First, what could we possibly need
out of trellian's cgi-bin? And how the hell would Wolf-HQ know anything about
my needing an upgrade? And what is this last warning crap??? I think the first
thing to do is to change a few of these addresses slightly so that it can't
call trellian.com. (Be careful changing these. A couple of the trellian
addresses appear to be necessary for the prog to run. You'll figure it out.)

Let's run the program again. This time, no calls to trellian.com. Shut down
your search and exit the program. Try and run the program again. Surprise!
The unregistered nag window... What happened??

Take a peek in your search.ini file... Your user name is there, but your
reg. serial is gone. What the hell happened?

Time to sit back and think. Apparently when you do your first search, your
user name and code are sent to trellian. My guess is that it is probably
checked for validity, and stored. If your code is wrong, you get nasty
messages like in the snippet at the beginning. Probably also, if the same reg.
code is being used in more than one place, the pirate-message nag window
kicks in. Apparently the problem is that the program is expecting some kind
of return code from trellian, and if it doesn't get it, it deletes the serial
number from the .ini file. Going on this assumption, let's proceed.
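A small model of the exchange as inferred above, added here as an example (it is not code from Search Wolf or Trellian). The field names (filename, sn, licensee, id, accept, lastwarn, MESSAGE, BYE) are taken from the strings dumped out of search32.exe; the reply layout, the acceptance rule, and the use of `id` as the search.ini key for the serial are assumptions. It shows the observed behaviour, where an unreachable Wolf HQ and an explicit rejection both wipe the serial, beside a variant that keeps the two outcomes apart.

```python
from typing import Optional
from urllib.parse import urlencode

# Field names come from the strings found in search32.exe; the reply layout,
# the acceptance rule and the meaning of `id`/`lastwarn` are assumptions.

def build_request(licensee: str, serial: str) -> str:
    """Body of the form-urlencoded POST to cgi-bin/msw/getfile (layout assumed)."""
    return urlencode({"filename": "se", "sn": serial, "licensee": licensee})

def parse_reply(body: str) -> dict:
    """Parse a KEY=value-per-line reply that ends at the BYE marker (layout assumed)."""
    fields = {}
    for line in body.splitlines():
        if line.strip() == "BYE":
            break
        key, sep, value = line.partition("=")
        if sep:
            fields[key.strip()] = value.strip()
    return fields

def update_ini_as_observed(ini: dict, reply: Optional[dict]) -> dict:
    """Behaviour inferred in the essay: anything but an explicit accept wipes the serial.

    `reply` is None when Wolf HQ could not be reached (the edited-address case).
    `id` is assumed to be the search.ini key that holds the serial.
    """
    new = dict(ini)
    if reply is None or reply.get("accept") != "1":
        new.pop("id", None)  # licensee stays, serial disappears
    return new

def update_ini_fail_safe(ini: dict, reply: Optional[dict]) -> dict:
    """Variant that treats a transport failure and a rejection differently.

    Only an explicit accept=0 removes the cached serial; an unreachable
    server leaves the licence state alone and only bumps the warning
    counter (lastwarn is another key from the dump; its semantics here are
    assumed).
    """
    new = dict(ini)
    if reply is None:
        new["lastwarn"] = str(int(new.get("lastwarn", "0")) + 1)
    elif reply.get("accept") == "0":
        new.pop("id", None)
    return new
```

Running both update functions against the same constructed search.ini dictionary with `reply=None` shows the difference the essay stumbles on: the observed logic loses the serial, the variant keeps it and records the failed contact.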

Re-enter your registration, then set the properties of search.ini to read
only. Re-run the program, do a search, then close it back down. (BTW, I would
highly recommend Norton's Crash Guard for what is about to happen next.) A
window will pop up stating the following: Couldn't open search.ini file. And
your computer will lock up tight. (Once again, I would recommend Norton's
fine utilities.)

After you reboot your computer (he,he), use wdasm32 to obtain a disassembled
listing. Do a search for "couldn't open". Change the necessary jump, and
voila! No nags, fully regged. Jump the date ahead a couple of months just to
be sure. Yep, still works.

Now, if you want to use my passcode, go ahead, but you better make sure you
finish the patch. It's your ass if you don't do it right. I use a different
pass-code on my 'live copy'.

One last note: Trellian's programs all use a slightly different protection, and
the passcode isn't necessarily going to be mirrored anywhere. But the basic
scheme appears to be the same. I haven't cracked all of them...

And of course, if you find the program useful, register it. Personally, I
find the search capabilities to be a bit superficial, and a good archie
search will find mostly what I want, however with a few modifications to one
of Trellian's other pieces of software

(If anyone cares, my hotmail address is encoded in the above text, and I have
given you the keys... ;Q


(c) Groovicus 1998.
WARNING: this tutorial is published for EDUCATIONAL PURPOSES only! Nobody except you is responsible for what you do with the things you read here. Also, if you intend to use shareware programs for a period longer than the allowed one remember that you have to BUY them!