Note :
~~~~~'
To read thiz fyl, open it in Notepad, Maiximyz the window, disable word wrap, and set the font to Terminal.

Cracking MicroAngelo 5.0 and MicroAngelo OnDisplay 2.0 :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
by ChoRdLesS | ChoRdLesS2k@yahoo.com

Note :
~~~~~'
This tut is 4 those who at least 've some Xperience in Assembly lang. and crking. The target uses advanced protection, so read it if u feel urself apt enough.

* MicroAngelo, The Program :
~~~~~~~~~~~~~~~~~~~~~~~~~~~'
The Angelo 5.0 pack is a set of proggyz to handle all icon and cursor related processing. Itz the finest among the lot, and coolest too ;-). It offers all toolz of the trade in a neat interface. But it does lack at some places (discover for urself ;-)), lyk a strong protection ;-).

* MicroAngelo, The Protection :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
Angelo pack utilz r guarded by Nag+TymLimit+CRC-Check (as i found later). So, all the utilz display annoyin Nags timely and on startup. The proggy givs a 30-Day evaluation period, and afterwards a 14-Day Grace period <--- hehehe, and then Xpires (so, is the grace 4 the proggy itself? or 4 us mortals?).

* MicroAngelo, The Toolz Used :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
What else other than the belovd Three Musketeers :
1). SoftIce (for win9x),
2). Win32Dasm, and
3). Hiew.
And b warnd that these things take tym, so 've some snacks ready ;-)

* MicroAngelo, The Approach :
~~~~~~~~~~~~~~~~~~~~~~~~~~~'

Discovering the Protection :
==========================
As soon as i successfully installed the software and ran it (any util among the lot), I was greeted by a wonderful Nag sayin all the usu. stuph, that caused adrenaline to rush in my crking nervs :-).

CHK #1).
=======
But wait, i m not goin to start disasm'ing all the util exes right now. First, lets chk all the other utils in the Angelo pack : Exec Studio, Animater, Librarian, On Display etc. All the tym, EXCEPT in On Display (thiz iz interesting), the same shareware nag jumped.
Ok so, they r all calling similar(!?) functions 2 display nags and chk the tymlimit? hmmm.... Lets chk for other similarities. Exec the utils again and c their About section. Strikingly similar again. This strongly compells me to do a dll scan . . .

!Tip!
~~~~~
Most of the tym, if a software contains numerous li'l utilities, all 'ving the same protection, nags etc., then always disasm. the dlls in the software's home dirs. Nine out of ten tyms, all the utils 'd b calling the protection functions off a common dll. So, if the dll is crkd, then all the utils r crkd simultaneously !!

So, i proceed 2 chk the avail dlls in the installation dir of the software. Wow! only 1 dll iz thr . . . muapp.dll !! So, lets proceed 2 disasm this dll in Win32Dasm. Eureka! All the string resources r filld up with sentences containing 'Unregisterd' and 'Days past agreed Evaluation period', etc stuph !! Lame proggy eh?

I proceed now to check if all proggyz r calling this dll. Interestingly, only On Display does not call this dll. That was what i suspected b4, as on the MicroAngelo web syt, MicroAngelo On Display 2.0 is avail. as a separate product, so in that package it 'd b the only utility included. Thuz, frm a programmer's point of view, it makes sense 2 include all the protection inside the proggy itself, rather than putting it inside a dll and increasing the package size. Further, the nags etc of thiz util r different frm the others in the Angelo 5.0 pack. So, it seems that v 'll 've to crk this utility separately :-(. Thr iz no other way out guyz. So, first lets proceed with the biggy muapp.dll ;-).

CHK #2).
=======
Now i apply chk #2 (chk #1 was 2 c whether thr iz a single dll 'ving all protection functions). Open the dll in Hiew, Disasm mode, and reverse any jump, or for that matter, replace any workin instruction with 90 (NOP for lamerz). Close Hiew, and launch any Angelo util. Boom !!
A Dialog Box says that all hell has broke loose, that muapp.dll failed 2 initialize 'MuAppEntry()' or a similar shit. Nice proggy ;-). I luv these nifty CRC Checks :-)). These r too sexy to resist.

!TIP!
~~~~~
Always chk 4 CRC protection in the target app/dll. To do this, simply reverse a jump and c if the proggy runs or not. This'll really pay up in future ;-).

Now, after noting in mind that the dll has CRC protection, i proceed to apply the same procedure on an Angelo util. I open up Studio.exe in Hiew and do the same thing which i did earlier with muapp.dll. Again thr iz a Dialog box saying some similar shit. So, they have CRC-protected both the dll and the appz.

Crking CRC-Chk Protection :
~~~~~~~~~~~~~~~~~~~~~~~~~'
By now, my knowledge of psychology compells me to think that the author must 've kept this check in muapp.dll itself. Hey its very clear, as 'he' always made an effort to reduce coding for protection as much as he can, and further, embedding the chk inside the dll makes future upgrades/modifications easy, thr4, our lazy author must've resorted to keeping these chks insyd the dll. But, anyway, I proceed to clear my doubt.

So, I open up muapp.dll in Win32Dasm, and goto the program entry point (64001000). Hey, the entry point has been exported as 'MuAppEntry', thats very interesting :-). So we note this address down, and using NuMega Symbol Loader, load the exports of muapp.dll. Then, proceed to load any of the Angelo utils, say Animater.Exe, via Symbol Loader. As it breaks, put a BPX on 'MuAppEntry' :

    BPX MuAppEntry

This'd succeed if u 've successfully loaded the exports of muapp.dll, but in case, and for lamerz out thr, u face a prob lyk 'No such function' or any other shit, put

    BPX cs:64001000

Now press F5. Animater'd immediately break inside Muapp.dll; if it does not, then delete thiz tut immediately and go in ur mother's lap ( ;-) ). Next, once insyd Muapp.dll, press F10 till u reach 64001027. Till now, nothing 'd 've happened.
At thiz location, the instruction is :

    64001027    je  6400104D

So, the proggy jumps 'coz of Error to -> 6400104D. Now, scroll the disasm window in SoftIce a bit below, and at 64001072, u'll see a reference 2 MessageBoxA (hmm, now v r close). Do a

    g 64001072

The proggy will break @ 64001072; press F10, and u'll b greeted with the same lame Dialog Box. So, do an 'exit' to stop Animater.Exe execution. Again load it via Symbol Loader and execute. It'd again break at MuAppEntry. Do a

    g 64001026

Now SoftIce 'd display :

    64001026    dec eax

Look in the Register's Window; eax must b having a value of 1 or so. Do a

    r eax=2

Now eax'd b 'ving 2 as its data. Press F10 to the next instruction. Now, as after the 'dec eax', eax 'll 've 1 as data, thr4, thr'll b no jump @ 64001027. The execution 'll follow up to the next instruction, i.e. 64001029 mov etc.... Press F5, and yes! the proggy executes w/o any problem at all !!!

So, what r u waitin 4 now? Just open up muapp.dll in Hiew, goto offset 1027 and replace bytes 7424 -> 9090 (that '->' stands for 'by', u lamer X-( ). Now run Animater again; it'd run w/o any Dialog Box etc. Interestingly, thiz byte replacement also patched the CRC-Chk of the appz.

Now, if u remembr, v replaced some bytes frm muapp.dll and other appz, to chk 4 CRC Protection in the beginning (see CHK #2). Now is the tym to replace those changed bytes with the original ones. After thiz, pray take a break. But now, b relieved that the remaining part iz lame, in comparison 2 our work till now. Use ur snacks heavily, and thats an order ;-).

Crking Nag+Tym Limit Protection :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'
Welcome back :-). Now, as v discovered earlier, all the protection code is insyd muapp.dll only, so v proceed 2 find the Nag Strings and patch the corresponding functions, so that v dont get anymore nags etc. First, lets 'Expire' our app ;-). Just set your proggyz date a year ahead, and launch any Angelo app, say Studio.Exe.
Well, it launched, and displayed the Nag, but no Xpiring! But as soon as you close the app, u get a Dialog Box sayin that the 'License is now overdue' and 'This copy of MicroAngelo has been in use . . .' etc. Lets first take this Tym Chk out!

Disasm MuApp.dll in Win32Dasm, and look at the string resources. The most appealing ones to me r alwayz of the type 'Days remaining' or similar. Here, i find 'This copy of MicroAngelo has been in use . . .' etc. On clicking this string, Win32Dasm takes me to location 64002496. Clicking on the string again takes me to two more locations of possible reference. So, lets start from the very first location of reference.

!Tip!
~~~~~
Win32Dasm often displays multiple 'possible locations of reference' to resources of all kinds. Dont trust Win32Dasm always; sometyms it is correct, othertyms NOT. A direct data transfer might appeal to Win32Dasm as a reference to a resource, if that data matches a resource id. Thats y Win32Dasm says : possible reference ... etc :-).

Browse a li'l back of 64002496. U'll c a reference 2 'LoadResource' and still further back, u'll find a 'Reference by Unconditional etc Jump at 64002452'. So browse up to 64002452. Thr, u'll find a

    je 6400243f

Browsing a li'l back u'll find an "Exported function 'CheckDeadbeats()'", nice name, isn't it? But we'll put our attention to

    64002452    je  6400243f

So, load Animater.Exe, and muapp exports again, via Symbol Loader. As winice breaks at the starting point of execution, put

    bd *            ( to disable other bpxs )
    bpx 64002452

Press F5. After u close the app, u'll b back soon in muapp.dll (boy, i luv thiz dll. It has taken more tym frm me than the tym that i use to spend with my gf!! Can a human marry a dll?). The instructions a li'l previous to this 'je' r

    6400241F    mov  edi, dword ptr etc. . .
    64002426    test edi,edi

The result of this 'test' 'd 've decided the fate of our 'je' instruction. So chk the value in the EDI register. Now, as u r on the instruction 'je', winice must b tellin u that a jump is due.
As soon as u follow the jump to the destination and a few F10 presses, u'll soon b facing the dreaded nag! Trace ur way till u r back in Animater.Exe. Note down the values of all the registers just after the call to CheckDeadBeats has returned into Animater.exe. Now, do

    bd *            // to disable all bpxs
    exit            // to terminate further execution

Next, load Animator.Exe again via Symbol Loader, and as it breaks, put

    bpx 64002426    // location of the test edi,edi instruction

Do F5 and u'll soon b back into muapp.dll @ test edi,edi. Check the value of the edi reg. If its zero (it must b so) do

    r edi=1         // to set edi = 1

Now F10 till u reach that je (@ 6400242E). This tym, the function'll not jump; instead, it will follow execution frm the next instruction, and soon u'll notice

    64002423    xor eax,eax    // set eax = 0 or clear eax, hmmmmm. . .

Then the function will return to Animator.Exe. Write down the values of the different registers again. Press F5 to resume execution. Hiya!! the proggy just exited w/o any Tym chk!!

!Caution/Tip!
~~~~~~~~~~~~~
This tym v were rather lucky that things didn't go haywire! Coz proggyz usu. put a register value cmp to dbl chk the successful display of Nags. Thats y i told u to note down the values of the different registers, esp. eax (i dunno y, but its the favouryt 1 of all nag ops). If the proggy displayz an error on reversing/noping a jmp, then u'd check what values of regs r returned by the modified function. If they differ, make apt changes so that our new function still returns an ALL CLEAR msg to the proggy. If u want, then even if all seems right, still make modifications to return proper reg values. Even if this does not help, then chk the stack value modifications.

Now, open muapp.dll again in Hiew, go to offset 242E and replace bytes

    750F -> 9090    // no-op the jump

Launch Animater.Exe and other appz, try changing the Date of ur system to later yrs, and see if the nag on closing the appz appears again? It'll not! Thus, v 've chkd the Tym Limit nag!
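The two gates traced so far, the CRC self-check behind 'MuAppEntry' (CHK #2 and the CRC-Chk section) and the evaluation/grace date check behind 'CheckDeadbeats', are easier to reason about with a small working model in front of you. The C below is an added example written for this tut, not code from muapp.dll or from Impact Software; the function names, the struct layout, the sample code bytes and the day counts used in the demo are all assumptions made for the model. It shows why CHK #2 tripped the DLL: a CRC-32 over the image changes whenever any byte changes, so a two-byte NOP edit is caught, and it shows the caller-side contract (a nonzero return from the entry gate, a numeric state from the date gate) that the !Caution/Tip! above tells u to preserve.

```c
/* Added example (not code from muapp.dll): a small model of the two gates the
 * tutorial traces, a CRC self-check over the module's code bytes and a
 * 30-day evaluation + 14-day grace date check. Function and field names are
 * assumptions made for this model. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard CRC-32 (IEEE 802.3, reflected form, polynomial 0xEDB88320). */
uint32_t crc32_buf(const uint8_t *p, size_t n) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for a module image: a few code bytes plus the CRC the
 * builder stored at link time (here computed by module_seal at start-up). */
typedef struct {
    uint8_t  code[16];
    uint32_t expected_crc;
} module_t;

void module_seal(module_t *m) {
    m->expected_crc = crc32_buf(m->code, sizeof m->code);
}

/* Model of the MuAppEntry-style gate: 1 when the image is intact,
 * 0 when any byte differs from what was sealed. */
int module_entry(const module_t *m) {
    return crc32_buf(m->code, sizeof m->code) == m->expected_crc;
}

#define EVAL_DAYS  30
#define GRACE_DAYS 14

/* Model of the CheckDeadbeats-style gate: 0 = within evaluation,
 * 1 = within the grace period, 2 = overdue. days_used = days since first run. */
int check_deadbeats(int days_used) {
    if (days_used <= EVAL_DAYS) return 0;
    if (days_used <= EVAL_DAYS + GRACE_DAYS) return 1;
    return 2;
}

/* Caller side: a failed CRC is fatal ("failed to initialize MuAppEntry()"),
 * an overdue licence only flags the dialog shown on exit, as observed above. */
int app_startup(const module_t *m, int days_used, int *show_overdue_dialog) {
    if (!module_entry(m)) return -1;
    *show_overdue_dialog = (check_deadbeats(days_used) == 2);
    return 0;
}

/* Constructed scenario: seal an image, then turn the two bytes of a
 * conditional jump into NOPs (the CHK #2 experiment) and re-run the gate.
 * Returns 1 when the gate passed before the edit and failed after it. */
int demo_tamper_detected(void) {
    module_t m;
    memset(&m, 0, sizeof m);
    const uint8_t original[] = {0x8B, 0x45, 0x08, 0x48, 0x74, 0x24, 0x33, 0xC0};
    memcpy(m.code, original, sizeof original);
    module_seal(&m);
    int intact_before = module_entry(&m);
    m.code[4] = 0x90;   /* 74 24 -> 90 90 */
    m.code[5] = 0x90;
    int intact_after = module_entry(&m);
    return intact_before == 1 && intact_after == 0;
}

int main(void) {
    printf("tamper detected after NOP edit: %s\n",
           demo_tamper_detected() ? "yes" : "no");
    for (int d = 0; d <= 50; d += 10)
        printf("day %2d -> licence state %d\n", d, check_deadbeats(d));
    return 0;
}
```

The model keeps the CRC compare and the date compare in separate functions that each return a value the caller inspects; that is exactly the shape the tut meets in the DLL, and it is why flipping only the jump inside one gate is not enough when the host app also looks at what the gate returned.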
Crking the Start Nag :
~~~~~~~~~~~~~~~~~~~~'
For this, either u can follow the traditional approach of launching Animator.exe via Symbol Loader, and tracing till u notice the relevant code of nag display, or u can follow the Heuristic Approach. I prefer the latter one. My study of muapp.dll shows me an exported fn 'InitializeMuApp'. To study this fn, i load Animater.exe in Symbol Loader and as winice breaks, I put a

    BD *

Then

    BPX InitializeMuApp,    or    BPX 64002750    (start addr. of InitializeMuApp)

After pressing F5, i m back into winice soon, and at the BPX location. Now I start tracing the code. Soon, at

    64002757    je  6400275E

u can c the jump. Tracing further leads me to the code to display the Starting Nag! M nearing the finish!! Hurriedly, i trace the code till it returns me into Animater.Exe again. After noting the values of all the registers, i 'exit' SoftIce, to terminate Animater.exe, and again load it via Symbol Loader. As the old BPX is still active, m again back at the entry of InitializeMuApp. This tym, after the very first instruction, ie

    64002750    mov eax, etc...

I do

    r eax=1    // set EAX = 1

thus when m at 64002757, the proggy does not jump! Instead, it follows execution frm the next lyn, ie

    64002759    xor eax,eax    // clear eax !!!! hmmmm...

Thiz iz followed by some clean-up code and a return statement. As soon as i return into Animater.Exe, i again note down the values of all registers. Next, in a hurry, I press F5 to see my proggy workin w/o any nag. ALAS! Animater just exited w/o sayin a word!! I launched all the Angelo utilz one after another, following the same procedure of changing the jump, but every1 behaved the same way!!! Boy, where's the prob? Matters b'came clear as i lookd at the values of the different regs which i noted down while tracing the returns of 'InitializeMuApp'.
After my modification of the value of EAX to disable the je @ 64002757, do u remembr that

    64002759    xor eax,eax    // clear eax

So, the proggy must b uzin EAX as a dbl chk 2 make sure that the Nag was displayed ;-). Thus, v can't make the proggy work if we no-op the jump at 64002757. If u want to test this, just open up muapp.dll in Hiew and goto the location 64002757, and replace 7405 -> 9090. Then launch any of the Angelo utils. It'll close as quickly as it opens.

What v need here iz to pass a value other than 0 in EAX back to the proggy. For thiz, we'll 've to write some short code in muapp.dll : Open Muapp.dll in Hiew. Enter into Disasm mode, then goto offset 2757, press F3 (edit), then F2 (assembly), and make the following changes :

    64002757    je 6400275E    ( 7405 )           ->  xor eax,eax    ( 33C0 )
    64002759    xor eax,eax    ( 33C0, 2 bytes )  ->  inc eax  and  nop    ( 40 ) ( 90 ), each 1 byte long

Then, launch any Angelo utility and yes!! no nag and other shit!! Tym for another break!!

For lamerz, the Crk iz complete, but 4 quality luvrs, here's more :

Making 'Customization' :
~~~~~~~~~~~~~~~~~~~~~~'
If u noticed the title bar of any of the Angelo Appz, then thr iz an annoying '(Evaluation Day )' msg thr. Lets remov that nasty thing ;-). If the guyz at www.Impactsoft.com r only that smart, as i presume them, then this must b also in the b'luvd muapp.dll ;-). Again following the traditional 'Trace it to the target', or my favouryt Heuristic approach, whichever u lyk 2 follow, u'll trace ur way into the 'GetMuString' exported fn. in (what else) MuApp.dll. Its very easy 2 approach the proggy Heuristically; c, of all the exported functions of muapp.dll, only thiz 1 is the shortest. And thr iz only a call, 2 'LoadStringA' (interesting ;-)), in the function. So, again, i load Animater.Exe in Symbol Loader, and as it breaks on load, i do

    BC *                // to clear previous bpxs, they r not needed any more
    BPX GetMuString,    or    BPX 64001E40

After Pressing F5, i m soon back into muapp.dll, at the desired BPX.
As i trace the fn, it appears to b passing Resource info to the LoadStringA function, and then LoadStringA loads the corresponding '(Evaluation Day etc)' string into memory. Thats it! Lets check the documentation of the LoadString fn in the Win32 API Help (@ www.crackstore.com). Its lyk :

    int LoadString(
        HINSTANCE hInstance,    // handle of module containing string resource
        UINT      uID,          // resource identifier
        LPTSTR    lpBuffer,     // address of buffer for resource
        int       nBufferMax    // size of buffer
    );

Here, nBufferMax iz the length of the data/str in the buffer lpBuffer, so, if v simply make it of length 1 (as the str minimally includes a NULL char '\0'), then only the NULL, ie '\0', will b copied to the destination, instead of that '(Evaluation Day etc)' shit!! Now, nBufferMax iz the last param of the fn, thus, in asm code, it'd b pushed last onto the stack. You can check thiz, by tracing the code via 'Load Process' in Win32Dasm, and tracing the call. It'll automatically break on Api calls and will display the params passed. If u want, it'll also show the result returned via the Api fn call. Thus, tracing the code of GetMuString reveals thiz :

    64001E4C    push eax
    64001E4D    mov  eax, etc...
    64001E52    push ecx
    64001E53    push edx
    64001E54    push eax    <------------ This must b 'vin the lpBufferMax value
    64001E55    call LoadStringA

For this, open muapp.dll in Hiew, set into disasm mode, goto offset 1E4D, press F3 (edit) and then F2 (asm), and type

    mov eax, 01

Or, replace the bytes at offset 1E4D by these bytes :

    A1ACA20064 -> B801000000

Now, run any of the Angelo apps, and c, no irritating titlez!! So, our finishing iz complete. Letz mov on to MicroAngelo On Display.

Crking On Display 2.0 :
~~~~~~~~~~~~~~~~~~~~~'
Thiz 1 iz lame, real lame :-(. It'd not b of any worth to describe this crk here after i have elaborated the detailz of crking a real fyn app. But anyway, just 4 the sake of completing the tut, i present it here 2 you.
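The whole title-bar trick above rests on one documented property of LoadString: it copies at most nBufferMax-1 characters and always writes the terminating NUL, so a size of 1 yields an empty string. The portable C below is an added example written for this tut, not code from muapp.dll or from the Win32 SDK; it models that copy rule over a constructed string table (the resource ids, the '(Evaluation Day 7)' sample text, the GetMuString-like wrapper and the title format are all assumptions) so u can see the buffer, the return value and the resulting title for a normal size, a too-small size and the size 1 case, without needing Windows.

```c
/* Added example (not code from muapp.dll or the Win32 SDK): a portable model
 * of the documented LoadString copy semantics, used to show what a size
 * argument of 1 does to the '(Evaluation Day ...)' title text. The string
 * table, ids, wrapper and title format are constructed for this example. */
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed string table standing in for the module's string resources. */
typedef struct { unsigned id; const char *text; } string_res_t;

static const string_res_t k_table[] = {
    { 100, "(Evaluation Day 7)" },   /* constructed sample text */
    { 101, "Untitled" },
};

/* Model of LoadString: copies at most nBufferMax-1 chars and always writes
 * the terminating NUL; returns the number of chars copied (0 when the id is
 * unknown). nBufferMax <= 0 is simply rejected here; the real API has a
 * special case for 0 that this model does not reproduce. */
int load_string_model(unsigned id, char *buf, int nBufferMax) {
    if (nBufferMax <= 0) return 0;
    const char *src = NULL;
    for (size_t i = 0; i < sizeof k_table / sizeof k_table[0]; i++)
        if (k_table[i].id == id) { src = k_table[i].text; break; }
    if (!src) { buf[0] = '\0'; return 0; }
    int n = 0;
    while (n < nBufferMax - 1 && src[n] != '\0') { buf[n] = src[n]; n++; }
    buf[n] = '\0';
    return n;
}

/* GetMuString-like wrapper (assumed shape): the only knob the tut changes is
 * the size passed to LoadString, so the size is a parameter of the model. */
int get_mu_string(unsigned id, char *out, int size_arg) {
    return load_string_model(id, out, size_arg);
}

/* Builds a title as "<app> <suffix>"; with size_arg 1 the suffix is empty.
 * Returns the suffix length that LoadString reported. */
int build_title(const char *app, int size_arg, char *title, size_t cap) {
    char suffix[64];
    int copied = get_mu_string(100, suffix, size_arg);
    snprintf(title, cap, "%s %s", app, suffix);
    return copied;
}

int main(void) {
    char title[64];
    int sizes[] = { 64, 6, 1 };
    for (size_t i = 0; i < sizeof sizes / sizeof sizes[0]; i++) {
        int n = build_title("Studio", sizes[i], title, sizeof title);
        printf("nBufferMax=%2d -> copied %2d chars, title \"%s\"\n",
               sizes[i], n, title);
    }
    return 0;
}
```

Note the two different effects of a small size: with 6 the text is silently truncated to '(Eval' and the return value drops to 5, with 1 nothing but the NUL is written and the return value is 0, which is the case the tut exploits.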
Tracing the Nag :
~~~~~~~~~~~~~~~'
Disasm Mupanel.exe in Win32Dasm, and look in the String Resources for the strings 'Evaluation day etc..', 'Licensing overdue! etc..' and other similar stuph. These r referenced only once in the proggy, and all within a few bytes of space away frm each other. Put a BPX in winice on any of these locations, and trace the code until u get a 'ret' instruction. U must b now in either location

    408FF4    call 409260    , or
    408FF9    call 406E60    , or
    408FFE    call 408D80

If u chk nearby locations of these function calls, u'll notice that thr r no stack operations done prior to the first two calls. Further, no registers r accessed/modified prior to the former two calls. This means that u can safely no-op the first two calls, which'll clear both the Nag+TymLimit protection of the proggy, and also the Title Bar message prob. (Evaluation Day etc . . .) 'll b solved!! So, open Mupanel.exe in Hiew, and after setting asm mode, go to 8FF4 and no-op ten locations, starting at 8FF4, to 8FFD (including 8FFD). That's it.

So, now our MicroAngelo 5.0 pack is fully crkd!!!

Final Words :
~~~~~~~~~~~'
Hiya thr to all those who r reading this tut. Thnx very much. This is my very first tut 4 all TNT luvrs. Guyz, v, here @ TNT, r pushin ourselves 2 the limits 2 keep up with ur Xpectations and earn ur affection. This tut is a small gift frm a new TNT mmbr 2 u all. Plz send me ur comments on it. I'd lyk to dedicate this tut Xclusively 2 fellow TNT mmbrs, esp. Fat[Bit] and Sevan (names in alphabetic order). Hope u guyz lyk thiz tut, 'coz i 've given 6 straight hrs to wryt it down.

P.S. :
~~~~'
All previous versions of MicroAngelo follow Xactly the same procs; just the byte offsets might b different. So, after u read this tut, i'd strongly recommend u to try ur hand at MicroAngelo 98 or an earlier app.

bye!
ChoRdLesS.
ChoRdLesS2k@yahoo.com

MOV [004160F4],EBX