
Cracking Tutorial #35:
CrAcKiNG Proxy Checker 6.3
[cracked bY:] sLeEpYż[FWA/NWA/FTPR8Z] iN 05/2002
[difficulty:] beginner
[where:] can't remember =) davecentral.com?
[tOOLz:] W32dasm 8.93, Hiew 6.1, Resource Hacker



Date: February 18th, 2002
License: Shareware
Size: 338.3K
Cost: $25.00
Evaluation: 21 days

Information:
Proxy Checker tests HTTP and SOCKS proxy servers. It detects the anonymity level of
HTTP proxies and the protocol version of SOCKS proxies, and can query whois
information about them. Proxy Checker can work through a SOCKS firewall and
features smart proxy list import and export.

Hullo all, once again let's crack this prog!
Disassembled in w32dasm:



* Referenced by a CALL at Address:
|:0040DED0
|
:00410BF0 B8E8B94400 mov eax, 0044B9E8
:00410BF5 E8620E0100 call 00421A5C
:00410BFA 83EC64 sub esp, 00000064
:00410BFD 56 push esi
:00410BFE 8BF1 mov esi, ecx
:00410C00 57 push edi
:00410C01 6A00 push 00000000
:00410C03 8D4D90 lea ecx, dword ptr [ebp-70]
:00410C06 E86D2E0000 call 00413A78
:00410C0B 8365FC00 and dword ptr [ebp-04], 00000000
:00410C0F 8D4D90 lea ecx, dword ptr [ebp-70]
:00410C12 E8A72D0200 call 004339BE
:00410C17 6A01 push 00000001
:00410C19 5F pop edi
:00410C1A 3BC7 cmp eax, edi
:00410C1C 7567 jne 00410C85
<--jump to bad nothing (offset 10C1C)
:00410C1E FF75EC push [ebp-14]
:00410C21 8BCE mov ecx, esi
:00410C23 E887FFFFFF call 00410BAF
:00410C28 85C0 test eax, eax
:00410C2A 7459 je 00410C85
<--jump to bad nothing (offset 10C2A)
:00410C2C 8B8660110000 mov eax, dword ptr [esi+00001160]
:00410C32 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Proxy Checker v6"
|

:00410C34 68D4064600 push 004606D4
:00410C39 89BE64110000 mov dword ptr [esi+00001164], edi

* Possible StringData Ref from Data Obj ->"Thank You for purchase!"
|
:00410C3F 680C104600 push 0046100C
:00410C44 8BCE mov ecx, esi
:00410C46 897810 mov dword ptr [eax+10], edi
:00410C49 E8594D0200 call 004359A7
:00410C4E FF75EC push [ebp-14]
:00410C51 8BCE mov ecx, esi
:00410C53 E87AFFFFFF call 00410BD2
:00410C58 FF75F0 push [ebp-10]
:00410C5B 8D869A070000 lea eax, dword ptr [esi+0000079A]
:00410C61 50 push eax
:00410C62 E889120100 call 00421EF0
:00410C67 6801000080 push 80000001
:00410C6C 81C670010000 add esi, 00000170
:00410C72 68EC0F0000 push 00000FEC

:00410C77 56 push esi

* Possible StringData Ref from Data Obj ->"Software\Hell Labs\Proxy Checker "
->"v6"
|
:00410C78 68740A4600 push 00460A74
:00410C7D E85A2C0000 call 004138DC
:00410C82 83C418 add esp, 00000018

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00410C1C(C), :00410C2A(C)
|
:00410C85 834DFCFF or dword ptr [ebp-04], FFFFFFFF
:00410C89 8D4D90 lea ecx, dword ptr [ebp-70]
:00410C8C E80E000000 call 00410C9F
:00410C91 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00410C94 5F pop edi
:00410C95 5E pop esi
:00410C96 64890D00000000 mov dword ptr fs:[00000000], ecx
:00410C9D C9 leave
:00410C9E C3 ret




Nop out these two:
:00410C1C 7567 jne 00410C85 (offset 10C1C)
:00410C2A 7459 je 00410C85 (offset 10C2A)




The Nag (you can see this in w32dasm):

Name: DialogID_008E, # of Controls=009, Caption:"Trial Version", ClassName:""
001 - ControlID:0001, Control Class:"BUTTON" Control Text:"Run trial"
002 - ControlID:0002, Control Class:"BUTTON" Control Text:"Enter code"
003 - ControlID:FFFF, Control Class:"STATIC" Control Text:"You are starting a
trial version of the"
004 - ControlID:FFFF, Control Class:"STATIC" Control Text:""
005 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Hell Labs Proxy
Checker v6"
006 - ControlID:0437, Control Class:"STATIC" Control Text:""
007 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Please visit the"
008 - ControlID:0438, Control Class:"STATIC" Control Text:"Proxy Checker
Registration Page"
009 - ControlID:FFFF, Control Class:"STATIC" Control Text:"to register this
software"




DialogID_008E <--what we needed
Search for it and it's in these locations:
:00406FE2
:0040A604
:00413B56 <-most promising! because it is just "DialogID_008E" and nothing else
:00413BC5
:00413BD7
:0041466C
:004148D4
:00414CA4
:00414F4C
:00415080
:0041573E
:00415993
:00415EA9
:00417DEC



* Referenced by a CALL at Address:
|:0040DE9C
<-called from here
|
:00413B41 B826BE4400 mov eax, 0044BE26
:00413B46 E811DF0000 call 00421A5C
:00413B4B 51 push ecx
:00413B4C 56 push esi
:00413B4D 57 push edi
:00413B4E FF7508 push [ebp+08]
:00413B51 8BF1 mov esi, ecx
:00413B53 8975F0 mov dword ptr [ebp-10], esi

* Possible Reference to Dialog: DialogID_008E
|
:00413B56 688E000000 push 0000008E
<-start here and look up



traces back to this call:
:0040DE9C


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040DDCF(C)
|
:0040DE3E 53 push ebx
:0040DE3F 8BCE mov ecx, esi
:0040DE41 E82A100000 call 0040EE70
:0040DE46 53 push ebx
:0040DE47 6802000080 push 80000002

* Possible StringData Ref from Data Obj ->"Log1"
|
:0040DE4C BF480C4600 mov edi, 00460C48


* Possible StringData Ref from Data Obj ->"Software"
|
:0040DE51 683C0C4600 push 00460C3C
:0040DE56 57 push edi
:0040DE57 6A15 push 00000015
:0040DE59 E8D7BB0000 call 00419A35
:0040DE5E 83C414 add esp, 00000014
:0040DE61 399E64110000 cmp dword ptr [esi+00001164], ebx
:0040DE67 0F8591000000 jne 0040DEFE <-here is our nag kill, offset DE67
:0040DE6D 6802000080 push 80000002

* Possible StringData Ref from Data Obj ->"Software"
|
:0040DE72 683C0C4600 push 00460C3C
:0040DE77 57 push edi
:0040DE78 E816BC0000 call 00419A93
:0040DE7D 8BF8 mov edi, eax
:0040DE7F 8D8580FDFFFF lea eax, dword ptr [ebp+FFFFFD80]
:0040DE85 57 push edi


* Possible StringData Ref from Data Obj ->"%d day(s) of 21 left to try"
|
:0040DE86 68200C4600 push 00460C20
:0040DE8B 50 push eax

* Reference To: USER32.wsprintfA, Ord:02ACh
|
:0040DE8C FF1508E64400 Call dword ptr [0044E608]
:0040DE92 83C418 add esp, 00000018
:0040DE95 8D8D80FEFFFF lea ecx, dword ptr [ebp+FFFFFE80]
:0040DE9B 53 push ebx
:0040DE9C E8A05C0000 call 00413B41
<-Here we are! look up!



:0040DDCF 746D je 0040DE3E <-you can kill the nag here too
offset:DDCF

It's a lil farther if you wanna trace back.. I use this one because I dunno if the
other one will also kill the 21 day trial.



Ok, dead startup nag, now we have the nag at the end..
"Thank you for trying evaluation version!"


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D473(U), :0040D487(C)
|

:0040D493 6A05 push 00000005
:0040D495 55 push ebp
:0040D496 8BCE mov ecx, esi
:0040D498 E89D400000 call 0041153A
:0040D49D 55 push ebp
:0040D49E 8D4E48 lea ecx, dword ptr [esi+48]
:0040D4A1 E8D1A10000 call 00417677
:0040D4A6 8B8E60110000 mov ecx, dword ptr [esi+00001160]
:0040D4AC E809E7FFFF call 0040BBBA
:0040D4B1 E84D920000 call 00416703
:0040D4B6 8B463C mov eax, dword ptr [esi+3C]
:0040D4B9 8B7820 mov edi, dword ptr [eax+20]
:0040D4BC E801A20300 call 004476C2
:0040D4C1 8B4004 mov eax, dword ptr [eax+04]
:0040D4C4 57 push edi

* Possible StringData Ref from Data Obj ->"LastDbase"
|
:0040D4C5 68F80A4600 push 00460AF8
:0040D4CA 68E8584600 push 004658E8
:0040D4CF 8BC8 mov ecx, eax
:0040D4D1 E8411E0300 call 0043F317
:0040D4D6 6801000080 push 80000001
:0040D4DB 8D8670010000 lea eax, dword ptr [esi+00000170]
:0040D4E1 68EC0F0000 push 00000FEC
:0040D4E6 50 push eax


* Possible StringData Ref from Data Obj ->"Software\Hell Labs\Proxy Checker "
->"v6"
|
:0040D4E7 68740A4600 push 00460A74
:0040D4EC E8EB630000 call 004138DC
:0040D4F1 83C410 add esp, 00000010

* Reference To: WS2_32.WSACleanup, Ord:0074h
|
:0040D4F4 FF15B4E64400 Call dword ptr [0044E6B4]
:0040D4FA 39AE64110000 cmp dword ptr [esi+00001164], ebp
:0040D500 7513 jne 0040D515
<-change to jmp(EB) so no more end
nag..(offset D500)

:0040D502 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Proxy Checker v6"
|
:0040D504 68D4064600 push 004606D4

* Possible StringData Ref from Data Obj ->"Thank You for trying evaluation "
->"version!"





Ok now the trial ending message:
Well we killed this with the startup nag.



Change where it says Evaluation to FULL.
In w32dasm it's here:

:00410B16 7419 je 00410B31 <-change to nop! offset 10B16
* Possible StringData Ref from Data Obj ->"Full"

:00410B16 9090 nop nop
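Added example, not part of sLeEpY's tutorial: a small Python checker that parses w32dasm-style listing lines (the ones quoted above are copied from this page) and verifies whether a copy of the binary still carries the bytes the listing shows at the corresponding file offsets. It assumes the page's mapping of file offset = virtual address - 0x400000 (the page gives :00410C1C -> offset 10C1C and :0040DE67 -> offset DE67) holds for all listed addresses, and it builds a constructed dummy image instead of reading the real proxychecker.exe, so it runs offline. The names parse_listing, check_image, describe_patch, build_image and sha256_hex are this example's own.

```python
"""Added example (not from the tutorial): verify that a binary still carries the
bytes a w32dasm listing shows, and report the two byte-level edits the tutorial
describes (NOP-out and jcc->jmp) when they are found.

Assumptions:
  * file offset == virtual address - 0x400000 (matches the offsets on the page)
  * the image used below is constructed; it is not the real proxychecker.exe
"""
import hashlib
import re

IMAGE_BASE = 0x400000

# Listing lines copied from the page; format is ":address opcode-bytes mnemonic operand".
LISTING = """
:00410C1C 7567 jne 00410C85
:00410C2A 7459 je 00410C85
:0040DE67 0F8591000000 jne 0040DEFE
:0040DDCF 746D je 0040DE3E
:0040D500 7513 jne 0040D515
:00410B16 7419 je 00410B31
"""

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*))?$")


def parse_listing(text):
    """Return a list of (file_offset, expected_bytes, mnemonic, operand) tuples."""
    entries = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # skips blank lines, "* Possible StringData Ref" headers, etc.
        va = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2))
        entries.append((va - IMAGE_BASE, code, m.group(3), m.group(4) or ""))
    return entries


def describe_patch(expected, actual):
    """Name the edit when it is one of the two the tutorial uses."""
    if actual == b"\x90" * len(expected):
        return "conditional jump overwritten with NOPs"
    if expected[0] in (0x74, 0x75) and actual[0] == 0xEB and actual[1:] == expected[1:]:
        return "conditional short jump changed to unconditional jmp"
    return "unexpected bytes"


def check_image(image, entries):
    """Compare every listed byte string with the image; return a list of findings."""
    findings = []
    for off, expected, mnem, operand in entries:
        actual = image[off:off + len(expected)]
        if actual == expected:
            continue
        findings.append({
            "offset": off,
            "expected": expected.hex().upper(),
            "actual": actual.hex().upper(),
            "instr": f"{mnem} {operand}".strip(),
            "note": describe_patch(expected, actual),
        })
    return findings


def build_image(size, entries, patches=None):
    """Construct a zero-filled dummy image with the listing bytes at their offsets,
    then apply optional {offset: bytes} overrides to simulate a tampered copy."""
    buf = bytearray(size)
    for off, code, _, _ in entries:
        buf[off:off + len(code)] = code
    for off, data in (patches or {}).items():
        buf[off:off + len(data)] = data
    return bytes(buf)


def sha256_hex(image):
    """Whole-file hash: the coarse check a download page or installer would publish."""
    return hashlib.sha256(image).hexdigest()


if __name__ == "__main__":
    entries = parse_listing(LISTING)
    clean = build_image(0x12000, entries)
    # Constructed tampered copy: two of the edits described on the page.
    tampered = build_image(0x12000, entries, {0x10C1C: b"\x90\x90", 0xD500: b"\xEB\x13"})
    print("clean image findings:", check_image(clean, entries))
    for f in check_image(tampered, entries):
        print(f"offset {f['offset']:#x}: {f['instr']} expected {f['expected']} "
              f"got {f['actual']} ({f['note']})")
    print("sha256 differs:", sha256_hex(clean) != sha256_hex(tampered))
```

The whole-file hash tells you only that something changed; the per-offset comparison tells you which check was disabled, which is the detail worth having when deciding whether a binary found on a machine is the vendor's build.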



All that's left is to hack in our registration details, because the program is not
limited in any way anymore.

Use Ultraedit if you prefer to hex it; I'm gonna be lazy today and use Resource Hacker!
Well, first goto: Menu, 128, 1033, and scroll down to here:

POPUP "&Help"
{
MENUITEM "&Help Index", 32780
MENUITEM SEPARATOR
MENUITEM "&About...", 57664
MENUITEM SEPARATOR
MENUITEM "&Registration...", 32781
}
}

Remove these two lines:

MENUITEM SEPARATOR
MENUITEM "&Registration...", 32781


Compile the script and save it..Ok no more registration button!

Next goto
POPUP "&Web"
{
MENUITEM "&Hell Labs Homesite", 32784
MENUITEM SEPARATOR
MENUITEM "&Product Registration Page", 32785
MENUITEM SEPARATOR
MENUITEM "&Tech Support Query Form", 32787
MENUITEM "&Bug Report Online Form", 32786
MENUITEM "&Misc Questions Online Form", 32788
}

change it to this:
POPUP "&Web"
{
MENUITEM "&Hell Labs Homesite", 32784
MENUITEM SEPARATOR
MENUITEM "&Tech Support Query Form", 32787
MENUITEM "&Bug Report Online Form", 32786
MENUITEM "&Misc Questions Online Form", 32788
}


To get rid of that stupid registration link button too...

Next goto here:
Dialog, 100, 1033,


Click on the GUI just to the right of where it says License Owner.
You'll see a little red star next to it on the right, in the list of controls:
* CONTROL "", 1075, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 210, 183, 5, 8

On the GUI area, resize it all the way to the right so it's nearly a small box that
is invisible anyway. Next click on License Owner and stretch the box that contains it
on the GUI as far right as you think you will need room to type. When you highlight it
you will know you are right by seeing a red star by this:
* CONTROL "License Owner", -1, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 9,
183, 194, 8

Once you have it stretched modify it so it looks like this only with your name or
whatever:
CONTROL "License Owner Cracked bY: sLeEpYż", -1, STATIC, SS_LEFT | WS_CHILD |
WS_VISIBLE | WS_GROUP, 9, 183, 194, 8

I put about 5 spaces from license owner so it looks right when you view it.

Click on Save at the top (this prog automatically makes you a backup anyway), run it,
check Help, About, and you should see your info. You can modify other junk in there
too; I changed the url to my homepage out of boredom. The link will work and take you
there after it's saved =0) The email one won't though, you'll have to do more to get it
to work. Ok, so now this prog has been brutally beaten down and cracked real good.




email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.

[ 1. Cracking Cosmi's Generic Installshield Protection ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0 ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach) ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client ]
[ 7. CrAcKiNG Actionizer 1.4 ]
[ 8. CrAcKiNG Tag Wizard 4.3.0 ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP ]
[10. CrAcKiNG Netrace 1.0a ]
[11. CrAcKiNG Winrar 3 Beta 2 THROUGHLY ]
[12. CrAcKiNG Aditor Pro 3.05 build 1 ]
[13. CrAcKiNG EasyType 1.0 ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215 ]
[15. CrAcKiNG Applet Headline Factory Version 4.0 ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b) ]
[17. CrAcKiNG iuVCR 4.0.0.205 beta5 Trial (R_02-28-2002) ]
[18. CrAcKiNG The Weakest Link -NOCD- ]
[19. CrAcKiNG Blowfish 2000 V2.3 by finding a valid serial ]
[20. CrAcKiNG the CD Check in Tony Hawk Pro Skater 3 ]
[21. CrAcKiNG DLL Show 4.7 bY Turning it Into its Own Keygen ]
[22. CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack ]
[23. CrAcKiNG Tickle 2.8 with w32dasm, & finding a valid serial with SI hmemcpy ]
[24. CrAcKiNG AxMan 3.12 with a valid serial using softice Hmemcpy ]
[25. CrAcKiNG Acid_Cool_178 Assembler Crackme01 using W32dasm ]
[26. CrAcKiNG Mirc 6.1 bY finding a valid serial using Softice Hmemcpy ]
[27. CrAcKiNG Bitmap to Icon 3.5 two ways with w32dasm & Softice ]
[28. CrAcKiNG Power Edit 1.1 by unpacking UPX w/procdump and using w32dasm, then]
[ finding a valid serial with Softice ]
[29. CrAcKiNG Blackboard Encrypt 1.1 using w32dasm and resource hacker ]
[30. CrAcKiNG Wine Label 3 by changing 6 bytes in the program ]
[31. CrAcKiNG WinRescue XP 1.07.06 with a hardcoded serial ]
[32. CrAcKiNG Artgem 1.2 ]
[33. CrAcKiNG QuickMemo 1.5 & WorkLog4All 3.26 by hardcoded serials ]
[34. CrAcKiNG Hellforge Win32 ASM Crackme 1 ]
[35. CrAcKiNG Proxy Checker 6.3 ]


gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!
This one was cracked on request from TJ.


CopyLeft:
sLeEpYż
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy