The Crack:
Ok then, I tried unpacking the exe with the various unpackers that handle ASPacked files - you can see it is packed with ASPack by looking at the header of the file with a hex-editor, look for '.aspack' as one of the sections. None of these unpackers could unpack the file, so it must be a new version of ASPack. This makes things slightly trickier.
Let's try unpacking the file manually then, shall we??
First of all we need to edit part of the d3dm.exe to make it break when loaded into the symbol loader. To do this, simply run Procdump and click on 'PE Editor', then choose your file, then choose 'Sections'. Now right click on the .text section and choose 'Edit section'. Under the 'Offset' box you will see the value 'C0000040'. Change this value to 'E0000060'. This will make the program break when loaded into the symbol loader.
OK, now load the d3dm.exe into the symbol loader and you will see the following code:
:005BD001 60 pushad
:005BD002 E870050000 call 005BD577
:005BD007 EB4C jmp 005BD055
Trace the last jump then page down a few screens until you get to here:
:005BD288 43 inc ebx
:005BD289 49 dec ecx
:005BD28A EBED jmp 005BD279
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
:005BD280(C), :005BD286(C)
:005BD28C 8B06 mov eax, dword ptr [esi] ----------------> Set 1st breakpoint here
:005BD28E EB00 jmp 005BD290
Clear breakpoint then set next one:
:005BD2DD 83C608 add esi, 00000008
:005BD2E0 833E00 cmp dword ptr [esi], 00000000
:005BD2E3 0F8528FFFFFF jne 005BD211
:005BD2E9 6800800000 push 00008000 ---------------> Set 2nd breakpoint here
:005BD2EE 6A00 push 00000000
Clear breakpoint then set next one:
:005BD4E8 59 pop ecx -------------------------------------> Set 3rd breakpoint here
:005BD4E9 0BC9 or ecx, ecx
:005BD4EB 8985953E4400 mov dword ptr [ebp+00443E95], eax
:005BD4F1 61 popad
:005BD4F2 7508 jne 005BD4FC
:005BD4F4 B801000000 mov eax, 00000001
:005BD4F9 C20C00 ret 000C
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:005BD4F2(C)
:005BD4FC 6800000000 push 00000000 -------------> These zeroes will hold the new entry point of the program.
:005BD501 C3 ret ------------------------------------------> Force program to loop at this point.
You must make a note of the value that is 'pushed' at the address above (it should be 4251BC).
Now when you get to the last instruction, we want to make the program freeze while we dump the unpacked data. Do this by typing 'a' followed by enter, then 'jmp eip' followed by enter. Now press F5 to go back to the desktop and run Procdump again. Scroll down the list of running tasks until you see d3dm.exe, right click and select 'Dump [Full]', give it a file name, then kill the task by right clicking again and selecting 'Kill task'.
Still using Procdump, select 'PE Editor', choose your newly dumped file and choose 'Sections'. Change the value 001BD001 to 251BC. This is the newly found entrypoint minus the imagebase of 400000. Press OK and exit Procdump.
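The two header checks used above (the '.aspack' section name and its characteristics value, and the entry point expressed as an RVA relative to the 400000 image base) are exactly what a triage script looks at when deciding whether a binary is packed. The following is an added example, not code from the original page; the sample PE it builds is constructed here with the page's addresses and is not the real d3dm.exe.

```python
import struct

SCN_MEM_EXECUTE, SCN_MEM_WRITE = 0x20000000, 0x80000000   # PE section characteristic bits
PACKER_SECTIONS = {".aspack"}                                # the section name the page says to look for

def parse_pe32(data):
    """Return (image_base, entry_va, [(name, rva, virtual_size, characteristics)]) from a PE32 image."""
    pe = struct.unpack_from("<I", data, 0x3C)[0]                          # e_lfanew
    if data[:2] != b"MZ" or data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE executable")
    nsect, opt_size = struct.unpack_from("<H", data, pe + 6)[0], struct.unpack_from("<H", data, pe + 20)[0]
    opt = pe + 24                                                         # optional header follows the COFF header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 handled")
    entry_rva, image_base = struct.unpack_from("<I", data, opt + 16)[0], struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for off in range(opt + opt_size, opt + opt_size + 40 * nsect, 40):
        name = data[off:off + 8].rstrip(b"\0").decode(errors="replace")
        vsize, rva = struct.unpack_from("<II", data, off + 8)               # VirtualSize, VirtualAddress
        sections.append((name, rva, vsize, struct.unpack_from("<I", data, off + 36)[0]))
    return image_base, image_base + entry_rva, sections

def triage(data):
    """Header-only heuristics a triage script would report for a possibly packed PE32."""
    image_base, entry_va, sections = parse_pe32(data)
    findings = []
    for name, rva, vsize, chars in sections:
        if name.lower() in PACKER_SECTIONS:
            findings.append(f"packer section {name}")
        if name == ".text" and not chars & SCN_MEM_EXECUTE:                # protections are fixed up at run time
            findings.append(f"{name} lacks EXECUTE (0x{chars:08X})")
        if chars & SCN_MEM_WRITE and chars & SCN_MEM_EXECUTE:
            findings.append(f"{name} is writable+executable (0x{chars:08X})")
        if image_base + rva <= entry_va < image_base + rva + vsize:          # entry point outside the code section
            findings.append(f"entry point 0x{entry_va:X} lies in {name}")
    return findings

def build_sample():
    """Constructed, headers-only PE32 mimicking the page's layout; a hypothetical stand-in, not d3dm.exe."""
    sects = [(".text", 0x1000, 0x25000, 0xC0000040), (".aspack", 0x1BD000, 0x2000, 0xE0000060)]
    img = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40))        # e_lfanew = 0x40
    img += b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sects), 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                                  # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1BD001)                              # entry RVA = 0x5BD001 - 0x400000
    struct.pack_into("<I", opt, 28, 0x400000)                              # ImageBase
    img += opt
    for name, rva, vsize, chars in sects:
        img += name.encode().ljust(8, b"\0") + struct.pack("<IIIIIIHHI", vsize, rva, 0, 0, 0, 0, 0, 0, chars)
    return bytes(img)
```

Running triage(build_sample()) reports the packer section, its writable+executable flags, the non-executable .text section and the entry point sitting inside .aspack, which together are the signs that made the file worth unpacking in the first place.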
Delete the old d3dm.exe and also delete the c:\windows\did3dm.ini file that holds the registration code (last 4 bytes in the file). Now run your new file and it works perfectly. BUT it still needs cracking though.
Use Wdasm to disassemble it first so you have a reference to the code. So, when you are asked for the registration code, go back into SI by doing ctrl-D and set a breakpoint on GetWindowTextA by typing 'bpx getwindowtexta' followed by enter.
Enter any old registration number and you will be popped back into SI, now press F12 once and you will be looking at the following code:
:0040180A 52 push edx
:0040180B E8B7240200 call 00423CC7
:00401810 83C404 add esp, 00000004
:00401813 A1884D4300 mov eax, dword ptr [00434D88]
:00401818 50 push eax
:00401819 E8E6FDFFFF call 00401604 ----------------------------> Trace this call to the code below
:0040181E 83C404 add esp, 00000004
:00401821 3D4B1B0000 cmp eax, 00001B4B --------------------> Test on correct reg code
:00401826 7507 jne 0040182F
--- ---- --- --- --- --- --- --- --- --- --- --- --- --- --- ---
:00401604 55 push ebp
:00401605 8BEC mov ebp, esp
:00401607 51 push ecx
:00401608 6A00 push 00000000
:0040160A 6A00 push 00000000
:0040160C 6A00 push 00000000
Keep tracing until you reach the following code:
:0040168A 8B4508 mov eax, dword ptr [ebp+08] --------------------> Our reg code
:0040168D 3B45FC cmp eax, dword ptr [ebp-04] --------------------> Real reg code
:00401690 7507 jne 00401699 ---------------------------------------------> If they do not match then fail
:00401692 B84B1B0000 mov eax, 00001B4B ------------------------> If they do match then success
:00401697 EB03 jmp 0040169C ------------------------------------------> Carry on if successful
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401690(C)
:00401699 83C8FF or eax, FFFFFFFF ----------------------------------> Failure = -1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00401697(U)
:0040169C 8BE5 mov esp, ebp
:0040169E 5D pop ebp
:0040169F C3 ret
If you check the value at [ebp-4] then you will find the correct registration code. It is in reverse, so if it is 23FD4523 then it will really be 2345FD23. You can write the number down, quit the program, clear your breakpoints and enter the code when asked for it and it will work fine.
OR you can permanently crack the file so that the correct code is used all the time.
To do this simply replace the 'mov eax, dword ptr [ebp+08]' with 'mov eax, dword ptr [ebp-04]'. This will force the program to check the real reg code against the real reg code - and of course, they will both be the same!
You only need to change 1 byte, 08 to FC. So open the file in a hexeditor and go to offset C8C and replace the 04 with FC and save the file.
Again, delete c:\windows\did3dm.ini as the program has a tendency to crash (sometimes with a blue screen) if there is already an existing file.
Now run your newly unpacked and cracked program... you did it again, you clever sod.
There has been an update to 0.87 and the same method applies to unpacking and cracking, but the entry point is different - 427314.