-----cut here-------------------------------------------------------------------

Making a loader for IconForge 4.7 (crypted exe)

Target:    IconForge 4.7
WWW:       http://www.cursorarts.com
Cracker:   --..__J_o_h_n_n_y__A_U_M__..-- (TNT)
Protections to be removed: expiration, nags, others
Tools:     Deshrink 1.6, R!sc Process Patcher, Hiew, W32Dasm, SoftICE & Windows Commander 4.03

--------Motto for my actions:-------
I'm for peace, love and prosperity and one global nation, but without money to divide us and without ego, which keeps men separated! Be a man of good sense - be natural, be divine! Try to progress on the spiritual way! No God, no freedom! I'm against tyranny in any form, against worldwide judeo-masonic occult domination and against the infiltrated bad race of aliens! Out with Satan from this planet! Real happiness, freedom and liberty for all!
--------

Yeah, I know that a previous version of IconForge (4.6) was also cracked by me in a tut, but it's interesting to see the differences from one version to another, and how to crack future versions knowing some data, plus some new approaches. Also, tKC said he is interested in this program too, so why not play a little? More, this will not only be a lesson on how to crack, but on how to make loaders too. Yeah, why bother with cracks, decrypting, etc., when it's simpler with a loader on the original software, eh?

A. Cracking the program to find the significant data for the loader
----------------------------------------------------------------

1. Removing the first two nags with the boring stuff... you know, registering... etc.

Disassemble with W32Dasm a copy of IconForge.exe that was decrypted beforehand with Deshrink. A copy named y.exe, for instance (many will say: hey, Johnny, a program doesn't always work correctly when you give it another name - I know, Awave Studio 7.0 for example). What do we know?
We do it like this: search for this group of instructions (known from version 4.6, where it belongs to the nag code), or better, search for the hex string below in hiew.exe, because it's faster than W32Dasm:

64FF30   push dword ptr fs:[eax]        <<< these instructions are common to
648920   mov dword ptr fs:[eax], esp        both versions of IconForge
B001     mov al, 01

The hex string is "64 FF 30 64 89 20 B0 01". We find it at FCB86 (hiew). Now look at this piece of hiew code (hiew file offsets; the W32Dasm address is the offset + 400000):

FCB72: 8BC0         mov eax, eax
FCB74: 55           push ebp                       <- here starts the function with the nag stuff
FCB75: 8BEC         mov ebp, esp
FCB77: 6A00         push 0
FCB79: 6A00         push 0
FCB7B: 53           push ebx
FCB7C: 8BD8         mov ebx, eax
FCB7E: 33C0         xor eax, eax
FCB80: 55           push ebp
FCB81: 6854CC4F00   push 004FCC54
FCB86: 64FF30       push dword ptr fs:[eax]        <- our string starts here
FCB89: 648920       mov dword ptr fs:[eax], esp
FCB8C: B001         mov al, 01                     <- and ends here
FCB8E: E8...        call ...

This piece of code is the one that interests us and is more or less like the 4.6 version, except that there are no text strings in W32Dasm (that's the reason I searched this way). You also see at FCB74 (4FCB74 in W32Dasm) that there is no named call, because it's a Delphi program. OK, let's make 55 -> C3 at FCB74 (hiew): the routine's first instruction, push ebp, becomes ret, so the whole nag routine returns the moment it is entered. Good job, because the nags are history now!

Note the relation between the two tools for this dump: the hiew offset is always the W32Dasm address minus 400000 (FCB74 <-> 4FCB74), and the same holds for every address below.

2. The final nag with that man laughing, but not for much longer. My old trick doesn't work in this new version, which could be a sign that the author saw my tut. OK, no big deal, we set some breakpoints in SoftICE like this: bpx LoadBitmap and bpx LoadBitmapA. Bingo, press F11 to get to the caller, which is at W32Dasm address 521DFB.
Now we look at this piece of W32Dasm code:

:00521DAD 00C4                     add ah, al
:00521DAF 7444                     je 00521DF5                    <-- here is the jump we're interested in
:00521DB1 008BC0B81D52             add byte ptr [ebx+521DB8C0], cl
:00521DB7 0007                     add byte ptr [edi], al
:00521DB9 0B54476F                 or edx, dword ptr [edi+2*eax+6F]
:00521DBD 6F                       outsd
:00521DBE 64                       BYTE 064h
:00521DBF 42                       inc edx
:00521DC0 7965                     jns 00521E27
:00521DC2 4E                       dec esi
:00521DC3 61                       popad
:00521DC4 67E41C                   in al, 1C
:00521DC7 52                       push edx
:00521DC8 00B8A942003B             add byte ptr [eax+3B0042A9], bh
:00521DCE 00044E                   add byte ptr [esi+2*ecx], al
:00521DD1 61                       popad
:00521DD2 673400                   xor al, 00
:00521DD5 008BC0558BEC             add byte ptr [ebx+EC8B55C0], cl
:00521DDB 6A00                     push 00000000
:00521DDD 53                       push ebx
:00521DDE 8BD8                     mov ebx, eax
:00521DE0 33C0                     xor eax, eax
:00521DE2 55                       push ebp
:00521DE3 686F1E5200               push 00521E6F
:00521DE8 64FF30                   push dword ptr fs:[eax]
:00521DEB 648920                   mov dword ptr fs:[eax], esp

* Possible StringData Ref from Code Obj ->"Teddy"               <-- Teddy, the name of the laughing man, who says goodbye from now on!
                                  |
:00521DEE 687C1E5200               push 00521E7C
:00521DF3 A188845800               mov eax, dword ptr [00588488]
:00521DF8 8B00                     mov eax, dword ptr [eax]
:00521DFA 50                       push eax

* Reference To: user32.LoadBitmapA, Ord:0000h
                                  |
:00521DFB E8304AEEFF               Call 00406830                  <-- here's the function we breakpointed in SoftICE
:00521E00 50                       push eax

You can see above that I've marked a jump. Let's change this 74 -> EB (je -> jmp) to abort displaying the final nag with the bitmap. Don't ask how I got to this conclusion, I just tried it first (hiew 121DAF). OK, the laughing man just passed away.

A word of caution about this listing: W32Dasm is out of sync in front of the routine. Everything from 521DB1 to 521DD7 decodes as nonsense (add byte ptr ..., outsd, popad, in al, 1C) because the disassembler started in the middle of something else, and the Delphi routine itself only begins at 521DD8 with the usual 55 8BEC prologue (the 8BC0 filler in front of it is the same pattern as at FCB72). So the je at 521DAF was confirmed by trying it, not by reading a clean listing; when the SoftICE breakpoint fires you can look at the live code around the caller and check that 74 44 really is an instruction boundary before you patch it.

3. Expiration problem. Well, it's not a problem for me. Because either you make a reg file to push the date some hundreds of years ahead (like in 4.6), or you do it this new way, which is easier.
Look at this next piece of W32Dasm code (I located it via the registry key where the program stores its trial dates):

:004F7AC0 E8E7E8F4FF               call 004463AC
:004F7AC5 B101                     mov cl, 01

* Possible StringData Ref from Code Obj ->"CLSID\{A6421B4F-3D7C-602C-1543-7D453980F32A}"
                                  |
:004F7AC7 BA847D4F00               mov edx, 004F7D84
:004F7ACC 8BC3                     mov eax, ebx                   <-- you see, here's the change we are going to make
:004F7ACE E86DEAF4FF               call 00446540
:004F7AD3 6A00                     push 00000000
:004F7AD5 33C9                     xor ecx, ecx

* Possible StringData Ref from Code Obj ->"defaulticon"
                                  |
:004F7AD7 BABC7D4F00               mov edx, 004F7DBC
:004F7ADC 8BC3                     mov eax, ebx
:004F7ADE E841F4F4FF               call 00446F24
:004F7AE3 8B55FC                   mov edx, dword ptr [ebp-04]
:004F7AE6 898220070000             mov dword ptr [edx+00000720], eax

* Possible StringData Ref from Code Obj ->"InfoTip"
                                  |
:004F7AEC BAD07D4F00               mov edx, 004F7DD0
:004F7AF1 8BC3                     mov eax, ebx

See my note above. So, we see that eax takes the value of ebx, and if ebx=0 then eax=0, right? eax=0 here means that IconForge is running for the first time and must store the first trial day's data there (in the registry key, see above). OK, we'll do this: instead of mov eax, ebx (8B C3) we put xor eax, eax (33 C0). Yes, this means that eax is 0 every time, so IconForge 4.7 will always start as if it were the first day of the trial (hiew address F7ACC). Both instructions are two bytes long, so nothing after them shifts. Good, it works and expiration is not possible now. Keep going for the next issue.

4. Characters on the regbar (the maroon one with "Trial version - day 0"). We can do it like in version 4.6 (the tut), but we'd better try something else now, like not displaying anything at all on the maroon regbar. Not displaying must be connected somehow with the API function DrawTextA, right?
So, I searched and I found this interesting piece of code:

:0043F164 8D55E4                   lea edx, dword ptr [ebp-1C]
:0043F167 8BC3                     mov eax, ebx
:0043F169 E86E20FEFF               call 004211DC                  <- here's the processing of what to display
:0043F16E 8B45E4                   mov eax, dword ptr [ebp-1C]
:0043F171 E89A4EFCFF               call 00404010
:0043F176 50                       push eax
:0043F177 8BC6                     mov eax, esi
:0043F179 E8A285FDFF               call 00417720
:0043F17E 50                       push eax

* Reference To: user32.DrawTextA, Ord:0000h
                                  |
:0043F17F E85C74FCFF               Call 004065E0
:0043F184 33C0                     xor eax, eax
:0043F186 5A                       pop edx

We look now at line 43F169, call 4211DC, because I tried some changes around it and, guided a little by the ASM code, I found that I must cancel this call to display nothing on the regbar. Let's try the E8 -> B8 trick (hiew 3F169). This is like NOPing the call (90 90 90 90 90, you know), but cheaper: E8 rel32 is a 5-byte call and B8 imm32 is a 5-byte mov eax, imm32, so changing the single opcode byte turns the call into a harmless load of its own displacement into eax, the instruction stream stays aligned, and you patch one byte instead of five. Here it is safe because the very next instruction, mov eax, dword ptr [ebp-1C], overwrites eax anyway; the string at [ebp-1C] that the call would have built is presumably left as the empty string Delphi initializes it to, which is why nothing gets drawn. Good, good, it worked just fine. OK, this is all about collecting data for a loader (of course the regbar itself can be eliminated, but keep that as your homework, if you're good enough).

B. Making the promised loader:
------------------------------

1. Our W32Dasm addresses look like this (recap needed for the loader):

4FCB74  55 -> C3   <-- removing the beginning nags
521DAF  74 -> EB   <-- removing the final nag
4F7ACC  8B -> 33   <-- keeping it unexpired
4F7ACD  C3 -> C0
43F169  E8 -> B8   <-- cancel displaying the trial text on the regbar

These are virtual addresses, not file offsets: the loader patches the running process, so it needs the W32Dasm (in-memory) addresses, while the hiew offsets used above are those same values minus 400000.

2. And below is the text file a.rrp (R!sc Patcher file) made with Notepad (copy & paste it):

--cut from here - without this line----
F=iconforge.exe:
O=a.exe:
P=43F169/E8/B8:
P=4F7ACC/8B/33:
P=4f7ACD/C3/C0:
P=4FCB74/55/C3:
P=521DAF/74/EB:
$
--cut end here - without this line--

After making the file a.exe with R!sc Process Patcher 1.4-1.5, put it in the program's directory and run it directly. OK, my job is done, bye!

PS. During the cracking operations you can keep an eye from time to time (for some help) on my previous tut about IconForge 4.6 -> tKCtut 78/5.
It is especially useful if you want that regbar to be yellow (but that works only if the exe file is cracked, not with the loader).

----------------
Greets: tKC, CIA, TNT (nice guys!), all crackers, PRO or newbies, all cracker teams (keep going, we must liberate ourselves from judeo-masonic tyranny, all must become free), we are great guys, and nice too. I love you all, but be a good soul!

Romanian Greets: All the best to the warm-hearted people of Romania! Better days will come too! Try to evolve spiritually if you want to be happy!

At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time!!! God is pure love!

Try this: www.geocities.com/john_aum - Incredible info for YOUR EYES ONLY!!!

Critics, comments, anything at: johnny_aum@yahoo.com

---------------Sorry if my english is not perfect!------------------------------
-----cut here-------------------------------------------------------------------

yway if the loader had the nasty idea to relocate the whole thing, it would crash everything, for almost all the code is crypted). A simple example: I want to patch at address EEF123, that's where the protection lies!

1) get the offset within the object: EEF123 - (AEC000 + 400000) = 3123
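Section A above relies on "hiew offset = W32Dasm address - 400000", and the fragment just above computes an offset within a section as VA - (ImageBase + section RVA). Both are instances of the general PE rule: file offset = (VA - ImageBase) - section.VirtualAddress + section.PointerToRawData, which collapses to VA - ImageBase only when a section's raw pointer equals its RVA (as in the unpacker dump this tutorial works on). The block below, an added example that is not the tutorial's or IconForge's code, parses the section table to do that mapping and applies hiew-style byte patches on disk only after checking the expected original byte; the PE image it runs on is constructed for the example, and its addresses and bytes are not IconForge's.

```python
import struct

# Added example (not the tutorial's or IconForge's code): map a W32Dasm
# virtual address to a file offset from the PE section table, then apply
# byte patches on disk only after verifying the expected original byte.
# The sample PE built by build_sample_pe() is constructed for this example.

SECTION_HEADER_SIZE = 40


def parse_pe(pe):
    """Return (image_base, sections); each section is
    (name, virtual_address, virtual_size, raw_pointer, raw_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", pe, opt)[0]
    if magic == 0x10B:      # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    elif magic == 0x20B:    # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    sections = []
    for i in range(num_sections):
        entry = opt + opt_size + i * SECTION_HEADER_SIZE
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, entry)
        sections.append((name.rstrip(b"\0").decode(), vaddr, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(pe, va):
    """W32Dasm address -> hiew offset. Equals VA - ImageBase only when the
    section's raw pointer equals its RVA, which is what the tutorial's four
    address pairs (e.g. 4FCB74 <-> FCB74) show for its Deshrink dump."""
    image_base, sections = parse_pe(pe)
    rva = va - image_base
    for name, vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            delta = rva - vaddr
            if delta >= raw_size:
                raise ValueError(f"{va:#x} lies in {name} but has no file data")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is outside every section")


def patch_image(pe, patches):
    """patches: (va, expected_old_byte, new_byte). Every old byte is verified
    before anything is written, so a wrong build is refused as a whole."""
    out = bytearray(pe)
    plan = []
    for va, old, new in patches:
        off = va_to_file_offset(pe, va)
        if out[off] != old:
            raise ValueError(f"{va:#x}: expected {old:#04x}, found {out[off]:#04x}")
        plan.append((off, new))
    for off, new in plan:
        out[off] = new
    return bytes(out)


def build_sample_pe():
    """Constructed PE32 skeleton, not IconForge. .text is laid out like an
    unpacker dump (raw pointer == RVA, so offset == VA - 0x400000); .data uses
    the ordinary linker layout where the two differ."""
    image_base, e_lfanew, opt_size = 0x400000, 0x80, 0xE0
    sections = [  # name, vaddr, vsize, raw_ptr, raw_size
        (b".text", 0x1000, 0x1000, 0x1000, 0x1000),
        (b".data", 0x3000, 0x200, 0x2000, 0x200),
    ]
    img = bytearray(0x2200)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HHIIIHH", img, coff, 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = coff + 20
    struct.pack_into("<H", img, opt, 0x10B)
    struct.pack_into("<I", img, opt + 28, image_base)
    for i, (name, vaddr, vsize, raw_ptr, raw_size) in enumerate(sections):
        struct.pack_into("<8sIIII", img, opt + opt_size + i * SECTION_HEADER_SIZE,
                         name, vsize, vaddr, raw_size, raw_ptr)
    img[0x1010:0x1013] = b"\x55\x8b\xec"          # push ebp / mov ebp, esp (Delphi prologue)
    img[0x1020:0x1025] = b"\xe8\xb7\x00\x00\x00"  # call rel32: E8 -> B8 keeps the 5-byte length
    img[0x2008:0x200a] = b"\x74\x44"              # je rel8
    return bytes(img)


if __name__ == "__main__":
    pe = build_sample_pe()
    for va in (0x401010, 0x401020, 0x403008):
        print(f"{va:06X} -> file offset {va_to_file_offset(pe, va):X}")
    fixed = patch_image(pe, [(0x401010, 0x55, 0xC3), (0x401020, 0xE8, 0xB8)])
    print("patched:", fixed[0x1010:0x1013].hex(), fixed[0x1020:0x1025].hex())
```

The old-byte check is the part worth keeping for real targets: a patch list written against one build (or against a dump whose raw pointers happen to equal the RVAs) applied to another build silently corrupts code unless every expected byte is verified first.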
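Section B hands the patch list to R!sc Process Patcher and does not show what a loader for a crypted exe has to do. The point that matters is timing: when the process is created suspended, the image in memory is still the packed one, so the five bytes from the recap are not there yet and writing at CREATE_SUSPENDED time would hit the packer's data. The loader below, an added example that is neither R!sc's code nor the tutorial's, reads the a.rrp file from section B, starts the target, resumes it, and writes each new byte only once the expected original byte (the middle field of P=addr/old/new) is present at that address. It assumes the rrp fields mean what the tutorial's file shows (F= target, P= patches, $ end; O= is ignored here) and uses only the Win32 calls named in the code; the readiness logic is kept in a pure function so it can be exercised without Windows.

```python
import ctypes
import sys
import time
from collections import namedtuple
from ctypes import POINTER, c_int, c_size_t, c_ubyte, c_uint16, c_uint32, c_void_p, c_wchar_p

# Added example, not R!sc Process Patcher and not the tutorial's code: a loader
# driven by the a.rrp file from section B. A crypted exe is still packed when
# the process is created, so each byte is written only once the expected
# original byte (P=addr/old/new's middle field) is present at that address.

Patch = namedtuple("Patch", "addr old new")


def parse_rrp(text):
    """F= target exe, P=addr/old/new (hex) patches, '$' ends the file; O= etc. ignored."""
    exe, patches = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line == "$":
            break
        key, _, value = line.rstrip(":").partition("=")
        if key == "F":
            exe = value
        elif key == "P":
            addr, old, new = value.split("/")
            patches.append(Patch(int(addr, 16), int(old, 16), int(new, 16)))
    if exe is None or not patches:
        raise ValueError("rrp needs an F= line and at least one P= line")
    return exe, patches


def apply_ready(pending, read_byte, write_byte):
    """Write each patch whose original byte is already in place; return the rest."""
    waiting = []
    for p in pending:
        if read_byte(p.addr) == p.old:
            write_byte(p.addr, p.new)
        else:
            waiting.append(p)
    return waiting


CREATE_SUSPENDED, PAGE_EXECUTE_READWRITE = 0x4, 0x40


class STARTUPINFOW(ctypes.Structure):
    _fields_ = ([("cb", c_uint32), ("lpReserved", c_void_p), ("lpDesktop", c_void_p), ("lpTitle", c_void_p)]
                + [(n, c_uint32) for n in ("dwX", "dwY", "dwXSize", "dwYSize", "dwXCountChars",
                                           "dwYCountChars", "dwFillAttribute", "dwFlags")]
                + [("wShowWindow", c_uint16), ("cbReserved2", c_uint16), ("lpReserved2", c_void_p),
                   ("hStdInput", c_void_p), ("hStdOutput", c_void_p), ("hStdError", c_void_p)])


class PROCESS_INFORMATION(ctypes.Structure):
    _fields_ = [("hProcess", c_void_p), ("hThread", c_void_p), ("dwProcessId", c_uint32), ("dwThreadId", c_uint32)]


def run_patched(rrp_text, timeout=15.0, poll=0.01):
    """Windows only: start the F= target and apply the P= patches in its memory."""
    if sys.platform != "win32":
        raise RuntimeError("this loader needs the Win32 API")
    exe, pending = parse_rrp(rrp_text)
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)  # argtypes keep handles/addresses pointer-sized
    k32.CreateProcessW.argtypes = [c_wchar_p, c_wchar_p, c_void_p, c_void_p, c_int, c_uint32,
                                   c_void_p, c_wchar_p, c_void_p, c_void_p]
    k32.ReadProcessMemory.argtypes = k32.WriteProcessMemory.argtypes = [
        c_void_p, c_void_p, c_void_p, c_size_t, POINTER(c_size_t)]
    k32.VirtualProtectEx.argtypes = [c_void_p, c_void_p, c_size_t, c_uint32, POINTER(c_uint32)]
    k32.ResumeThread.argtypes = k32.CloseHandle.argtypes = [c_void_p]
    si, pi = STARTUPINFOW(), PROCESS_INFORMATION()
    si.cb = ctypes.sizeof(si)
    if not k32.CreateProcessW(exe, None, None, None, 0, CREATE_SUSPENDED, None, None,
                              ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())

    def read_byte(addr):
        b, n = c_ubyte(), c_size_t()
        ok = k32.ReadProcessMemory(pi.hProcess, addr, ctypes.byref(b), 1, ctypes.byref(n))
        return b.value if ok and n.value == 1 else None

    def write_byte(addr, value):  # code pages are not writable: flip, write, restore
        old, b, n = c_uint32(), c_ubyte(value), c_size_t()
        if not k32.VirtualProtectEx(pi.hProcess, addr, 1, PAGE_EXECUTE_READWRITE, ctypes.byref(old)):
            raise ctypes.WinError(ctypes.get_last_error())
        ok = k32.WriteProcessMemory(pi.hProcess, addr, ctypes.byref(b), 1, ctypes.byref(n))
        k32.VirtualProtectEx(pi.hProcess, addr, 1, old.value, ctypes.byref(old))
        if not ok:
            raise ctypes.WinError(ctypes.get_last_error())

    k32.ResumeThread(pi.hThread)  # let the unpacking stub restore the real code first
    deadline = time.monotonic() + timeout
    while pending and time.monotonic() < deadline:
        pending = apply_ready(pending, read_byte, write_byte)
        time.sleep(poll)
    k32.CloseHandle(pi.hThread)
    k32.CloseHandle(pi.hProcess)
    if pending:  # wrong build or a relocated image: refuse rather than corrupt
        raise TimeoutError("original bytes never appeared at " + ", ".join(hex(p.addr) for p in pending))
    return pi.dwProcessId


A_RRP = """F=iconforge.exe:
O=a.exe:
P=43F169/E8/B8:
P=4F7ACC/8B/33:
P=4f7ACD/C3/C0:
P=4FCB74/55/C3:
P=521DAF/74/EB:
$
"""

if __name__ == "__main__":
    print("started pid", run_patched(A_RRP))
```

Resuming the thread before patching is the whole difference from an ordinary suspended-process patcher, and the expected-original-byte check doubles as the safety net the fragment above worries about: if the image were relocated or the build differs, the bytes never match, the loader times out, and nothing is written.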