( 'Last for this millennium' )
Win Code Reversing

Program Name: Awebpro.exe
Program Type: web publishing utility
Program Location: Here
Program Size: 2.5MB

Tools used:
Softice V4.0 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Disassembler
|
|
The author of AddWeb Pro v3.20 says:

Web submission software that drives traffic to your site! Search engine submission is a vital first step in marketing your website. With hundreds of millions of websites on the internet, visibility is critical. The first action you must take is to get your web indexed by search engines and directories. AddWeb is a software application that saves you hundreds of hours by doing it for you. AddWeb is the leading solution for website submissions, having received countless awards and rave reviews!
This program is packed with ASPack v1.07b. You can find this out with GetTyp (you can download it from my tools page). The easiest way to unpack it is ProcDump with the option "Aspack<108". For some good unpacking tutorials, go to http://procdump32.cjb.net. The only reason we need to unpack it is that we need the strings from the disassembler dead list.

We are going to crack it by serial sniffing. I can tell you now, it's going to be interesting...

The program saves its settings in the registry:
HKLM\Software\CLASSES\CLSID\{65CAF223-2324-15D6-B4FC-0080C83C50D5}\Blsi\1 - your name
HKLM\Software\CLASSES\CLSID\{65CAF223-2324-15D6-B4FC-0080C83C50D5}\Blsi\2 - your serial
Run the program. The registration screen is under Help/About/Enter Registration number. Type in your name and any registration number you like, hit the "OK" button, and a message pops up:
"Invalid Serial Number. Continuing in Unregistered mode."

I hope you have an UNPACKED executable by now. Load it in W32Dasm. In the dead list, under "String Data References", you will find this message; scroll down a few lines and you will see some other interesting strings:
"Invalid Serial Number. Continuing in Lite mode."
"Invalid Serial Number. Current Registration is unchanged."
"Thank you for registering AddWeb!"

Right now the most interesting string for us is the "Thank you..." one. We want to see where it is reached from, so double-click on it and scroll up a few lines; you should now see this code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004FF6C4(C)
|
:004FF74F B201                    mov dl, 01
:004FF751 A1EC6E4500              mov eax, dword ptr [00456EEC]
:004FF756 E8ED78F5FF              call 00457048
:004FF75B 8BD8                    mov ebx, eax
:004FF75D BA00000080              mov edx, 80000000
:004FF762 8BC3                    mov eax, ebx
----- snip snip -----
:004FF780 8BB0E8090000            mov esi, dword ptr [eax+000009E8]
:004FF786 8BC6                    mov eax, esi

* Possible StringData Ref from Code Obj ->"Thank you for registering AddWeb!"
|
:004FF788 BA30F94F00              mov edx, 004FF930
:004FF78D E84634FAFF              call 004A2BD8
We now know what we are looking for, but to pick the best place to break with SoftICE, let's go to the condition that sends us here. Here is the code:

:004FF6B6 5A                      pop edx
:004FF6B7 E80CF0FFFF              call 004FE6C8
:004FF6BC A160155400              mov eax, dword ptr [00541560]
:004FF6C1 803800                  cmp byte ptr [eax], 00
:004FF6C4 0F8585000000            jne 004FF74F
:004FF6CA 84DB                    test bl, bl
:004FF6CC 7527                    jne 004FF6F5
What we see is a call followed by a cmp of the byte that EAX points to against 0. If it is not 0, we jump to the "Thank you..." message. So this call is what we want to look into.

Type in your name and a serial 12 characters long. In SoftICE set a breakpoint with "bpx getwindowtexta" and push the "OK" button. SoftICE breaks; press F11 to return to the caller of this API, and we are in AddWeb's code. Disable this breakpoint, set a new one with "bpx 4ff6b7", and type "x" to continue. The error message pops up. Type your details again and press "OK". Now we break on the call; press F8 to step into it:
:004FE6C8 55                      push ebp                          ; start of the call
:004FE6C9 8BEC                    mov ebp, esp
:004FE6CB 33C9                    xor ecx, ecx
:004FE6CD 51                      push ecx

Keep pressing F10 (about 55 times) until you get here:

:004FE76F E8A457F0FF              call 00403F18                     ; after the call, eax = length of the serial
:004FE774 83E80C                  sub eax, 0000000C                 ; eax - 12
:004FE777 7411                    je 004FE78A                       ; eax = 0 ? length was 12, jump
:004FE779 83E802                  sub eax, 00000002                 ; eax - 2
:004FE77C 7410                    je 004FE78E                       ; eax = 0 ? length was 14, jump
:004FE77E 83E802                  sub eax, 00000002                 ; eax - 2
:004FE781 740F                    je 004FE792                       ; eax = 0 ? length was 16, jump
:004FE783 83E802                  sub eax, 00000002                 ; eax - 2
:004FE786 740E                    je 004FE796                       ; eax = 0 ? length was 18, jump
:004FE788 EB0E                    jmp 004FE798                      ; not 12, 14, 16 or 18: not a valid code
:004FE78A B301                    mov bl, 01                        ; length 12 jumps here
:004FE78C EB0A                    jmp 004FE798
:004FE78E B302                    mov bl, 02                        ; length 14 jumps here
:004FE790 EB06                    jmp 004FE798
:004FE792 B303                    mov bl, 03                        ; length 16 jumps here
:004FE794 EB02                    jmp 004FE798
:004FE796 B304                    mov bl, 04                        ; length 18 jumps here
:004FE798 8D4DF4                  lea ecx, dword ptr [ebp-0C]
:004FE79B 8BD3                    mov edx, ebx
:004FE79D 8B45FC                  mov eax, dword ptr [ebp-04]       ; your name
So what do we have here? When we return from the call at 004FE76F, EAX holds the length of the serial you entered. Then 0C (12 decimal) is subtracted from EAX; if that sets the zero flag, the length was 12, the code jumps to 004FE78A and BL is set to 01. If the length wasn't 12, 2 is subtracted from EAX at 004FE779; if that sets the zero flag, the length was 14, the code jumps to 004FE78E and BL is set to 02. The same pattern repeats at 004FE77E (length 16: jump to 004FE792, BL = 03) and at 004FE783 (length 18: jump to 004FE796, BL = 04). If the length of the serial was not 12, 14, 16 or 18, the length is not valid, BL does not get one of those values, and the program carries on without checking the serial.

All this makes sense now. Do you remember the string we saw in W32Dasm? Look again: "Invalid Serial Number. Current Registration is unchanged." It seems that this program has 4 levels of registration, each giving the user more functions/options (and probably costing more :)).
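Two things in a listing like the ones above are worth checking mechanically rather than by eye: that the transcription is internally consistent (each address plus its byte count equals the next address, and the target printed on a call/jmp/jcc matches what the relative displacement in the bytes actually encodes), and that the reading of the length dispatch really gives BL = 1, 2, 3, 4 for lengths 12, 14, 16, 18 and nothing else. The Python script below is an added example, not code from this tutorial or from AddWeb. It embeds the "Thank you" fragment and the length-dispatch listing copied from this page, runs those two checks, and then emulates only the sub/je/jmp/mov bl instructions between 004FE774 and 004FE798 from their bytes to recover BL for a given serial length. It assumes EBX is zero when that chain is entered (the page does not show where EBX is cleared), and it models no other opcodes.

```python
# Added example (not the tutorial's or AddWeb's code): consistency-check the
# listings copied from this page and emulate the serial-length dispatch from
# its own bytes. Assumption: EBX is zero when the dispatch at 004FE774 starts.
import re

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")

# Code just before the "Thank you" message, in address order (copied from the page).
THANK_YOU_FRAGMENT = """
:004FF74F B201        mov dl, 01
:004FF751 A1EC6E4500  mov eax, dword ptr [00456EEC]
:004FF756 E8ED78F5FF  call 00457048
:004FF75B 8BD8        mov ebx, eax
:004FF75D BA00000080  mov edx, 80000000
:004FF762 8BC3        mov eax, ebx
"""

# The length dispatch inside call 004FE6C8 (copied from the page; bl = level, 0 = invalid).
LENGTH_DISPATCH = """
:004FE76F E8A457F0FF  call 00403F18
:004FE774 83E80C      sub eax, 0000000C
:004FE777 7411        je 004FE78A
:004FE779 83E802      sub eax, 00000002
:004FE77C 7410        je 004FE78E
:004FE77E 83E802      sub eax, 00000002
:004FE781 740F        je 004FE792
:004FE783 83E802      sub eax, 00000002
:004FE786 740E        je 004FE796
:004FE788 EB0E        jmp 004FE798
:004FE78A B301        mov bl, 01
:004FE78C EB0A        jmp 004FE798
:004FE78E B302        mov bl, 02
:004FE790 EB06        jmp 004FE798
:004FE792 B303        mov bl, 03
:004FE794 EB02        jmp 004FE798
:004FE796 B304        mov bl, 04
"""


def parse_listing(text):
    """Return [(address, code_bytes, mnemonic)] for each ':ADDR HEX mnemonic' line."""
    insns = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            insns.append((int(m[1], 16), bytes.fromhex(m[2]), m[3].split(";")[0].strip()))
    return insns


def branch_target(addr, code):
    """Resolve the target of E8/0F 8x (rel32) and EB/7x (rel8); None for anything else."""
    end = addr + len(code)
    if code[0] == 0xE8 or (code[0] == 0x0F and len(code) > 1 and 0x80 <= code[1] <= 0x8F):
        return (end + int.from_bytes(code[-4:], "little", signed=True)) & 0xFFFFFFFF
    if code[0] == 0xEB or 0x70 <= code[0] <= 0x7F:
        return (end + int.from_bytes(code[-1:], "little", signed=True)) & 0xFFFFFFFF
    return None


def check_listing(text):
    """Report address gaps/overlaps and branch operands that disagree with the bytes."""
    insns = parse_listing(text)
    problems = []
    for (addr, code, _), (nxt, _, _) in zip(insns, insns[1:]):
        if addr + len(code) != nxt:
            problems.append(f"{addr:08X}: next line is {nxt:08X}, bytes end at {addr + len(code):08X}")
    for addr, code, mnemonic in insns:
        target = branch_target(addr, code)
        if target is not None and int(mnemonic.split()[-1], 16) != target:
            problems.append(f"{addr:08X}: printed {mnemonic.split()[-1]}, bytes encode {target:08X}")
    return problems


def emulate_length_dispatch(serial_len, listing=LENGTH_DISPATCH, start=0x004FE774, stop=0x004FE798):
    """Run only the sub/je/jmp/mov-bl chain with EAX = serial_len and EBX = 0; return BL."""
    code = {addr: c for addr, c, _ in parse_listing(listing)}
    eax, bl, zf, pc = serial_len & 0xFFFFFFFF, 0, False, start
    while pc != stop:
        c = code[pc]
        if c[:2] == b"\x83\xe8":                     # sub eax, imm8 (sign-extended)
            eax = (eax - int.from_bytes(c[2:3], "little", signed=True)) & 0xFFFFFFFF
            zf, pc = eax == 0, pc + 3
        elif c[0] == 0x74:                           # je rel8
            pc = branch_target(pc, c) if zf else pc + 2
        elif c[0] == 0xEB:                           # jmp rel8
            pc = branch_target(pc, c)
        elif c[0] == 0xB3:                           # mov bl, imm8
            bl, pc = c[1], pc + 2
        else:
            raise NotImplementedError(f"{pc:08X}: {c.hex()} not modelled")
    return bl


if __name__ == "__main__":
    for name, listing in (("thank-you fragment", THANK_YOU_FRAGMENT), ("length dispatch", LENGTH_DISPATCH)):
        print(f"{name}: {check_listing(listing) or 'consistent'}")
    for n in (12, 13, 14, 16, 18, 20):
        print(f"serial length {n:2d} -> bl = {emulate_length_dispatch(n)}")
```

The address check is the one that pays off most often when copying a dead list by hand: swapping two lines of the "Thank you" fragment, for instance, leaves every line looking plausible but makes the byte counts stop adding up, and the checker reports it immediately. The emulator is deliberately restricted to the four opcodes in the chain so that any other instruction raises instead of being silently mis-modelled.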
Here is the code executed after the length check:

:004FE7A0 E853020000              call 004FE9F8                     ; generates the real code depending on the value of bl
:004FE7A5 8B45F4                  mov eax, dword ptr [ebp-0C]       ; eax = the real code
:004FE7A8 8B55F0                  mov edx, dword ptr [ebp-10]
From here the program checks the entered serial against the real one (since EAX points to the real code after 004FE7A5, this is the place to read it off if you want to sniff it), then we return from this call to the code you saw at the beginning of this tutorial, where the conditional jump to the "Thank you..." message is:

:004FF6B6 5A                      pop edx
:004FF6B7 E80CF0FFFF              call 004FE6C8                     ; back from this call
:004FF6BC A160155400              mov eax, dword ptr [00541560]
:004FF6C1 803800                  cmp byte ptr [eax], 00            ; the important check
:004FF6C4 0F8585000000            jne 004FF74F

If the byte is 0, the program does not jump: not registered.
Why is this check important? With "cmp byte ptr [eax], 00" the program checks which level you registered with: 1, 2, 3 or 4. This is the meaning of the values:

Value 1 - length of 12 digits - Standard Edition
Value 2 - length of 14 digits - Gold Edition
Value 3 - length of 16 digits - Professional Edition
Value 4 - length of 18 digits - Enterprise Edition

That's it, I don't think there is any more important info about this program...
Job done..
Nothing needed.

REMEMBER, I'm doing my cracks as a hobby and a challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.

My thanks and gratitude go to:
The Sandman, for all he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and useful tips.