Note : 
~~~~~'
     To read thiz fyl, open it in Notepad, Maximyz the window, disable word wrap,
     and set the font to Terminal.


Cracking MicroAngelo 5.0 and MicroAngelo OnDisplay 2.0 :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

by ChoRdLesS | ChoRdLesS2k@yahoo.com


Note :
~~~~~'
     This tut is 4 those who at least 've some Xperience in Assembly lang.,
     and Crking. The target uses advanced protection, so read it if u feel
     urself apt enough.

* MicroAngelo, The Program : 
~~~~~~~~~~~~~~~~~~~~~~~~~~'

   Angelo 5.0 pack iz a set of proggyz to handle all icon and cursor related
   processing. Itz the finest among the lot, and coolest too ;-). It offers all
   toolz of the trade in a neat interface. But it does lack at some places (discover
   for urself ;-)), lyk a strong protection ;-) .

* MicroAngelo, The Protection :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~' 

   Angelo pack utilz r guarded by Nag+TymLimit+CRC-Check (as i found later).
   So, all the utilz display annoyin Nags timely and on startup. The proggy givs
   30-Days evaluation period, and afterwards a 14-Dayz Grace period <--- hehehe,
   and then Xpires ( so, is the grace 4 the proggy itself? or 4 us mortals? )   

* MicroAngelo, The Toolz Used :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'

   What else other than the belovd Three Musketeers :

       1). SoftIce (for win9x),
       2). Win32Dasm, and
       3). Hiew.

   And b warnd that these things take tym, so 've some snacks ready ;-) 

* MicroAngelo, The Approach :
~~~~~~~~~~~~~~~~~~~~~~~~~~~'

   Discovering the Protection :
   ==========================

     As soon as i successfully installed the software and ran it (any util among
     the lot), I was greeted by a wonderful Nag sayin all the usu. stuph, that 
     caused adrenaline to rush in my crking nervs :-). 

     CHK #1).
     =======

     But wait, i m not goin to start disasm-ing all the util exes right now. First,
     lets chk all the other utils in the Angelo pack: Exec Studio, Animater,
     Librarian, On Display etc. Every tym, EXCEPT in On Display (thiz iz
     interesting), the same shareware nag jumped up. Ok so, r they all calling similar(!?)
     functions 2 display nags and chk the tymlimit? hmmm.... Lets chk for other similarities.
     Exec the utils again and c their About section. Strikingly similar again. This
     strongly compels me to do a dll scan . . .

     !Tip!
     ~~~~~

     Most of the tym, if a software contains numerous li'l utilities, all 'ving
     the same protection, nags etc., then always disasm the dlls in the software's home dir.
     Nine out of ten tyms, all the utils 'd b calling the protection functions off
     a common dll. So, if the dll is crkd, then all the utils r crkd simultaneously !!
  
     So, i proceed 2 chk the avail dlls in the installation dir of the software. Wow!
     only 1 dll iz thr . . . muapp.dll !! So, lets proceed 2 disasm this dll in
     Win32Dasm. Eureka! All the string resources r filld up with sentences containing
     'Unregistered' and 'Days past agreed Evaluation period', etc stuph !! Lame proggy eh?
     I proceed now to check if all proggyz r calling this dll. Interestingly, only
     On Display does not call this dll. That was what i suspected b4, as on the Micro
     Angelo web syt, MicroAngelo On Display 2.0 is avail. as a separate product, so
     in that package, it 'd b the only utility included. Thuz, frm a programmer's point of
     view, it makes sense 2 include all the protection inside the proggy itself, rather than
     putting it inside a dll and increasing the package size. Further, the nags etc of
     thiz util r different frm the others in the Angelo 5.0 pack. So, it seems that v 'll
     've to crk this utility separately :-(. Thr iz no other way out guyz.

     So, first lets proceed with the biggy muapp.dll ;-) .

     CHK #2).
     =======   

     Now i apply chk #2 (chk #1 was 2 c whether thr iz a single dll 'ving all protection
     functions). Open the dll into Hiew, Disasm mode, and reverse any jump, or for that
     matter, turn any workin instruction into 90 (NOP for lamerz). Close Hiew, and launch any
     Angelo util.
      
       Boom !! A Dialog Box says that all hell has broken loose, that muapp.dll failed 2
     initialize 'MuAppEntry()' or similar shit. Nice proggy ;-) . I luv these nifty CRC
     Checks :-)). These r too sexy to resist.

     !TIP!
     ~~~~~

     Always chk 4 CRC protection in the target app/dll. To do this, simply reverse a jump
     and c if the proggy runs or not. This'll really pay up in future ;-).

  
     Now, keeping in mind that the dll has CRC protection, i proceed to apply the same
     procedure on an Angelo util. I open up Studio.exe in Hiew and do the same thing which i did
     earlier with muapp.dll . Again thr iz a Dialog box saying similar shit. So, they have
     CRC-protected both the dll and the appz.

     
     Crking CRC-Chk Protection :
     ~~~~~~~~~~~~~~~~~~~~~~~~~' 

     By now, my knowledge of psychology compels me to think that the author must 've kept
     this check in muapp.dll itself. Hey its very clear, as 'he' always made an effort to
     reduce coding for protection as much as he can, and further, embedding the chk inside
     the dll makes future upgrades/modifications easy, thr4, our lazy author must've resorted
     to keeping these chks insyd the dll. But, anyway, I proceed to clear my doubt. So, I open
     up muapp.dll in Win32Dasm, and goto the program entry point (64001000). Hey, the entry
     point has been exported as 'MuAppEntry', thats very interesting :-). So we note this
     address down, and using Numega Symbol Loader, load the exports of muapp.dll. Then, proceed
     to load any of the Angelo utils, say Animater.Exe, via Symbol Loader. As it breaks, put a BPX
     on 'MuAppEntry'.

           BPX MuAppEntry,

     this'd succeed if u 've successfully loaded the exports of muapp.dll, but in case, and for
     lamerz out thr, u face a prob lyk 'No such function' or any other shit, put a
   
           BPX cs:64001000

     Now press F5. Animater'd immediately break inside Muapp.dll; if it does not, then
     delete thiz tut immediately and go in ur mother's lap ( ;-) ).

     Next, once insyd Muapp.dll, press F10 till u reach 64001027. Till now, nothing 'd 've  
     happened. At thiz location, the instruction is :

            64001027  je 6400104D     

     So, the proggy jumps on error to -> 6400104D

     Now, scroll the disasm window in SoftIce a few locations below, and at 64001072, u'll
     see a reference 2 MessageBoxA (hmm, now v r close). do a

           g 64001072 
   
     The proggy will break @ 64001072, press F10, and u'll b greeted with the same lame Dialog
     Box.

     So, do an 'exit' to stop Animater.Exe execution. Again load it via Symbol Loader and 
     execute. It'd again break at MuAppEntry. Do a 

           g 64001026

     Now softice 'd display : 
           
           64001026    dec eax 

     look in the Registers window, eax must b holding a value of 1 or so. Do a
         
           r eax=2

     now eax'd b 'ving 2 as its data.

     Press F10 to the next instruction. Now, as after the 'dec eax', eax 'll've 1 as data,
     thr4, thr'll b no jump @ 64001027. The execution 'll follow up to the next instruction,
     i.e.

           64001029 mov etc....

     Press F5, and yes! the proggy executes w/o any problem at all !!!

     So, what r u waitin 4 now? just open up muapp.dll in Hiew, goto offset 1027 and replace
     bytes 
                      
           7424 -> 9090 , that '->' stands for 'by' u lamer X-( 
     
     Now run Animater again, it'd run w/o any Dialog Box etc. Interestingly, thiz byte
     replacement also patchd the CRC-Chk of the appz.

     Now, if u remembr, v replaced some bytes frm muapp.dll and other appz, to chk 4 CRC
     Protection in the beginning ( see CHK #2). Now is the tym to replace those changd bytes
     with the original ones.
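     Added example, not code from thiz tut or from MicroAngelo: a C model of the startup
     self-check just described, computing a CRC-32 over a constructed code image that contains
     the two jump bytes (74 24) the page patches, and showing the check rejecting the 90 90
     copy. The image layout and every byte around the jump are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the tutorial or MicroAngelo): a model of the kind of
 * startup self-check the page describes. A real check reads its own module
 * image; here the "image" is a constructed byte string whose only bytes taken
 * from the page are the conditional jump 74 24 (je +0x24). */

/* Standard CRC-32 (IEEE 802.3, reflected polynomial 0xEDB88320), bitwise. */
uint32_t crc32_bytes(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int bit = 0; bit < 8; bit++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return crc ^ 0xFFFFFFFFu;
}

/* Constructed stand-in for the code region the dll would checksum. */
static const uint8_t ORIGINAL_IMAGE[] = {
    0x55, 0x8B, 0xEC, 0x83, 0xEC, 0x10,   /* filler: typical prologue bytes */
    0x48,                                 /* dec eax (the page's 64001026) */
    0x74, 0x24,                           /* je +0x24 (the page's 64001027) */
    0x8B, 0x45, 0x08, 0xC9, 0xC3          /* filler */
};

/* The check itself: recompute and compare with the value stored at build time.
 * Note that the whole check collapses into this one comparison, which is the
 * single point the page found and neutralised. */
int image_intact(const uint8_t *image, size_t len, uint32_t stored_crc) {
    return crc32_bytes(image, len) == stored_crc;
}

/* Make a copy with the page's patch applied: jump bytes replaced by 90 90 (nop). */
size_t patched_copy(uint8_t *out, size_t cap) {
    size_t len = sizeof ORIGINAL_IMAGE;
    if (cap < len) return 0;
    memcpy(out, ORIGINAL_IMAGE, len);
    out[7] = 0x90;
    out[8] = 0x90;
    return len;
}

/* Returns 1 if the checksum detects the two-byte patch, 0 otherwise. */
int patch_is_detected(void) {
    uint32_t stored = crc32_bytes(ORIGINAL_IMAGE, sizeof ORIGINAL_IMAGE);
    uint8_t copy[sizeof ORIGINAL_IMAGE];
    size_t n = patched_copy(copy, sizeof copy);
    return image_intact(ORIGINAL_IMAGE, sizeof ORIGINAL_IMAGE, stored)
        && !image_intact(copy, n, stored);
}

int main(void) {
    printf("original crc32 = %08X\n", crc32_bytes(ORIGINAL_IMAGE, sizeof ORIGINAL_IMAGE));
    printf("patch detected: %s\n", patch_is_detected() ? "yes" : "no");
    return 0;
}
```

     CRC-32 catches any change confined to a run of 32 bits or fewer, so a two-byte
     patch like 74 24 -> 90 90 can never slip past the comparison itself.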

     
     After thiz, pray take a break. But now, b relieved that the remaining part iz lame, in
     comparision 2 our work till now. Use ur snacks heavily, and thats an order ;-).

     Crking Nag+ Tym limit Protection :
     ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~'    

     Welcome back :-) . Now, as v discovered earlier, all the protection code is insyd muapp.dll
     only, so v proceed 2 find the Nag Strings and patch the corresponding functions, so
     that v dont get any more nags etc.

     First, lets 'Expire' our app ;-) . Just set ur system date a year ahead, and launch
     any Angelo app, say Studio.Exe. Well, it launched, and displayd the Nag, but no Xpiring !
     But as soon as you close the app, u get a Dialog Box sayin that the 'License is now overdue'
     and 'This copy of MicroAngelo has been in use . . .' etc. Lets first take this Tym Chk out !
 
     Disasm MuApp.dll in Win32Dasm, and look at the string resources. The most appealing ones
     to me r alwayz of the type 'Days remaining' or similar. Here, i find 'This copy of
     MicroAngelo has been in use . . .' etc. On clicking this string, Win32Dasm takes me to
     location 64002496. Clicking on the string again takes me to two more locations of
     possible reference. So, lets start from the very first location of reference.

     !Tip!
     ~~~~~

     Win32Dasm often displays multiple 'possible locations of reference' to resources of all
     kinds. Dont trust Win32Dasm always; sometyms it is correct, othertyms NOT. A direct
     data transfer might appeal to Win32Dasm as a reference to a resource, if that data matches
     a resource id. Thats y Win32Dasm says : possible reference ... etc :-).

     Browse a li'l back of 64002496. U'll c a reference 2 'LoadResource' and still further back, u'll
     find a 'Reference by Unconditional etc Jump at 64002452'. So browse up to 64002452. Thr,
     u'll find a

           je 6400243f

     Browsing a l'il back u'll find an "Exported function 'CheckDeadbeats()'", nice name, isn't
     it ? But we'll put our attention to 

      64002452      je 6400243f

     So, load Animater.Exe, and muapp exports again, via Symbol Loader. As winice breaks at
     the starting point of execution, put

       bd * ( to disable other bpxs )
       bpx 64002452

     Press F5. After u close the app, u'll b back soon in muapp.dll ( boy, i luv thiz dll. It has
     taken more tym frm me than the tym that i use to spend with my gf!! Can a human marry
     a dll ? )

     The instructions a li'l before this 'je' r

        6400241F mov edi, dword ptr etc. . .
        64002426 test edi,edi

     The result of this 'test' 'd 've decided the fate of our 'je' instruction. So chk the
     value in the EDI register. Now, as u r on the instruction 'je', winice must b tellin u that
     a jump is due. As soon as u follow the jump to the destination and a few F10 presses, u'll
     soon b facing the dreaded nag ! Trace ur way till u r back in Animater.Exe. Note down the
     values of all the registers just after the call to CheckDeadBeats has returned into Animater.exe.
     
     Now, do 
           
        bd *    // to disabl all bpxs  
        exit    // to terminate further execution
    
     Next, load Animator.Exe again via Symbol Loader, and as it breaks, put 

        bpx 64002426  // location of test edi,edi instruction.

     Do F5 and u'll soon b back into muapp.dll @ test edi,edi. 

     Check the value of edi reg. If its zero (it must b so) do

        r edi=1 // to set edi = 1  

     Now F10 till u reach that je ( @ 6400242E). This tym, the function'll not jump, instead,
     it will follow execution frm the next instruction, and soon u'll notice

       64002423 xor eax,eax // set eax = 0 or clear eax, hmmmmm. . .
 
     Then the function will return to Animator.Exe. Write down the values of the different
     registers again.
 
     Press F5 to resume execution. Hiya !! the proggy just exited w/o any Tym chk !!

     !Caution/Tip!
     ~~~~~~~~~~~~~
     This tym v were rather lucky that things didn't go haywire! Coz proggyz usu. put a register
     value cmp to dbl chk the successful display of Nags. Thats y i told u to note down the
     values of the different registers, esp. eax ( i dunno y, but its the favouryt 1 of all nag
     ops ). If the proggy displayz an error on reversing/noping a jmp, then u'd check what
     values of regs r returnd by the modified function. If they differ, make apt changes so that
     our new function still returns an ALL CLEAR msg to the proggy. If u want, then even if all
     seems right, still make modifications to return proper reg values. Even if this does
     not help, then chk the stack value modifications.
 
     Now, open muapp.dll again in Hiew, go to offset 242E and replace bytes

       750F -> 9090 // no op the jump
          
     Launch Animater.Exe and other appz, try changing the Date of ur system to later yrs, and
     see if the nag on closing the appz appears again? It'll not ! Thus, v 've chkd the Tym
     Limit nag !
  
     
     Crking the Start Nag :
     ~~~~~~~~~~~~~~~~~~~~'  

     For this, either u can follow the traditional approach of launching Animator.exe via
     Symbol Loader, and tracing till u notice the relevant code of nag display, or u can
     follow the Heuristic Approach. I prefer the latter one. My study of muapp.dll shows me
     an exported fn 'InitializeMuApp'. To study this fn, i load Animater.exe in Symbol Loader
     and as winice breaks, I put a
 
        BD  *

     Then

        BPX InitializeMuApp, or
        BPX 64002750     (start addr. of InitializeMuApp)
    
     After pressing F5, i m back into winice soon, and at the BPX location.

     Now I start tracing the code. Soon, at

        64002757 je 6400275E

     u can c the jump. Tracing further leads me to the code to display the Starting Nag!
     M nearing the finish !! Hurriedly, i trace the code till it returns me into Animater.Exe
     again. After noting the values of all the registers, i 'exit' softice, to terminate
     Animater.exe, and again load it via Symbol Loader. As the old BPX is still active, m again
     back at the entry of InitializeMuApp. This tym, after the very first instruction, ie

        64002750 mov eax, etc...

     I do

        r eax=1 //set EAX = 1

     thus when m at 64002757, the proggy does not jump! Instead, it follows execution frm the
     next lyn, ie

        64002759 xor eax,eax // clear eax !!!! hmmmm...
 
     Thiz iz followd by some clean-up code and a return statement. As soon as i return into
     Animater.Exe, i again note down the values of all registers.

     Next, in a hurry, I press F5 to see my proggy workin w/o any nag. ALAS! Animater just 
     exited w/o sayin a word !!

     I launched all the Angelo utilz one after the another, following the same procedure
     of changing the jump but every1 behavd the same way!!! Boy, where's the prob?

     Matters b'came clear as i lookd at the values of the different regs which i noted down
     while tracing the returns of 'InitializeMuApp'. After my modification of the value of EAX
     to disabl the je @ 64002757, do u remembr that
    
        64002759 xor eax,eax // clear eax 

     So, the proggy must b uzin EAX as dbl chk 2 make sure that Nag was displayd ;-). Thus, v
     can't make the proggy work, if we no-op the jump at 64002757. If u want to test this, just
     open up muapp.dll in Hiew and goto the location 64002757, and replace 7405 -> 9090. Then
     launch any of the Angelo util. It'll close as quickly as it opens. 

     What v need here iz to pass a value other than 0 of EAX back to the proggy. For thiz, we'll
     've to write some short code in muapp.dll :

     Open Muapp.dll in Hiew. Enter into Disasm mode, then goto offset 2757, press F3(edit), then
     F2(assembly), and make the following Changes :

        64002757 je 6400275E   ->  xor eax,eax
                 ( 7405 )          ( 33C0 )

        64002759 xor eax,eax ( 2 bytes long )  ->  inc eax and nop ( each 1 byte long )
                 ( 33C0 )                          ( 40 )      ( 90 )

     Then, launch any Angelo utility and yes!! no nag and other shit !!

     Tym for another break!! 
    
     For lamerz, the Crk iz complete, but 4 quality luvrs, here's more :

     Making 'Customization' :
     ~~~~~~~~~~~~~~~~~~~~~~'

     If u noticed the title bar of any of Angelo Appz, then thr iz an annoying '(Evaluation Day )'
     msg thr. Lets remov that nasty thing ;-).

     If the guyz at www.Impactsoft.com r only that smart, as i presume them to b, then this must b
     also in the b'luvd muapp.dll ;-) .

     Again following the traditional 'Trace it to the target', or my favouryt Heuristic approach,
     whichever u lyk 2 follow, u'll trace ur way into the 'GetMuString' exported fn. in (what else)
     MuApp.dll. Its very easy 2 approach the proggy Heuristically: c, of all the exported functions
     of muapp.dll, thiz 1 iz the shortest. And thr iz only one call, 2 'LoadStringA'
     (interesting ;-)), in the function.

     So, again, i load Animater.Exe in Symbol Loader, and as it breaks on load, i do

        BC * //to clear previous bpxs, they r not needed any more
        BPX GetMuString, or
        BPX 64001E40

     After Pressing F5, i m soon back into muapp.dll, at the desird BPX. As i trace the fn, it
     appears to b passing Resource info to LoadStringA function, and then LoadStringA loads the
     corresponding '(Evaluation Day etc)' string into the memory. Thats it! Lets check the 
     documentation of LoadString fn in Win32Api Help ( @ www.crackstore.com ). Its lyk :

        int LoadString(
            HINSTANCE hInstance,  // handle of module containing string resource
            UINT      uID,        // resource identifier
            LPTSTR    lpBuffer,   // address of buffer for resource
            int       nBufferMax  // size of buffer
        );
      
     Here, nBufferMax iz the size of the buffer lpBuffer in chars, counting the terminating
     NULL, so, if v simply make it 1 ( as the str minimally includes a NULL char '\0' ), then only
     the NULL, ie '\0', will b copied to the destination, instead of that '(Evaluation Day etc)'
     shit !!
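     Added example, not frm thiz tut or frm MicroAngelo: a portable C model of the documented
     LoadString contract (at most nBufferMax-1 chars copied, always NUL-terminated, count
     returned, 0 on failure), so the effect of nBufferMax = 1 on a '(Evaluation Day)' title can
     b checked w/o Windows. The resource text and the build_title helper r assumptions.

```c
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Added example (not from the tutorial or MicroAngelo): a model of the
 * documented LoadString behaviour, copying at most nBufferMax-1 characters,
 * always writing the NUL, and returning the count copied (0 on failure). */

/* Constructed stand-in for the string-table entry; the real text lives in muapp.dll. */
static const char EVAL_SUFFIX_RESOURCE[] = " (Evaluation Day)";

int load_string_model(const char *resource, char *lpBuffer, int nBufferMax) {
    if (resource == NULL || lpBuffer == NULL || nBufferMax <= 0)
        return 0;                                   /* failure: nothing written */
    size_t avail = (size_t)nBufferMax - 1;          /* room before the NUL */
    size_t len = strlen(resource);
    size_t n = len < avail ? len : avail;
    memcpy(lpBuffer, resource, n);
    lpBuffer[n] = '\0';                             /* terminator is always written */
    return (int)n;
}

/* Build a window title the way an app might: base name plus the string-table suffix.
 * build_title is an assumed helper, not anything from the real program. */
void build_title(char *out, size_t cap, const char *app_name, int nBufferMax) {
    char suffix[64];
    if (nBufferMax > (int)sizeof suffix)
        nBufferMax = (int)sizeof suffix;            /* never exceed our own buffer */
    load_string_model(EVAL_SUFFIX_RESOURCE, suffix, nBufferMax);
    snprintf(out, cap, "%s%s", app_name, suffix);
}

int main(void) {
    char title[128];
    build_title(title, sizeof title, "Animator", 64);  /* normal buffer size */
    printf("nBufferMax=64: \"%s\"\n", title);
    build_title(title, sizeof title, "Animator", 1);   /* only the NUL fits */
    printf("nBufferMax=1 : \"%s\"\n", title);
    return 0;
}
```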

     Now, nBufferMax iz the last param of the fn, thus, in asm code, it'd b pushed last into
     the stack. You can check thiz, by tracing the code via 'Load Process' in Win32Dasm, and
     tracing the call. It'll automatically break on Api calls and will display the params 
     passed. If u want, it'll also show the result returnd via the Api fn call. Thus, tracing 
     the code of GetMuString reveals thiz

        64001E4C push eax
        64001E4D mov  eax, etc...
        64001E52 push ecx
        64001E53 push edx
        64001E54 push eax     <---- This must b 'vin the nBufferMax value
        64001E55 call LoadStringA

     For this, open muapp.dll in Hiew, set into disasm mode, goto offset 1E4D, press F3 (edit)
     and then F2 (asm), type 

          mov eax, 01     
          
     Or, replace the bytes at offset 1E4D by these bytes

          A1ACA20064 -> B801000000

     Now, run any of the Angelo app, and c, no irritational titlez !!

     So, our finishing iz complete. Letz mov on to MicroAngelo On Display.


     Crking On Display 2.0 :
     ~~~~~~~~~~~~~~~~~~~~~'

     Thiz 1 iz lame, real lame :-(. It'd not b of any worth to descryb this crk here after i have
     elaborated the detailz of crking a real fyn app. But anyway, just 4 the sake of completing
     the tut, i present it here 2 you.

     Tracing the Nag :
     ~~~~~~~~~~~~~~~'
    
     Disasm Mupanel.exe in Win32Dasm, and look in the String Resources for the strings 'Evaluation
     day etc..', 'Licensing overdue! etc..' and other similar stuph. These r referenced only once
     in the proggy, and all within a few bytes of space frm each other. Put a BPX in winice
     on any of these locations, and trace the code until u get a 'ret' instruction. U must b
     now in one of these locations

           408FF4 call 409260 , or
           408FF9 call 406E60 , or
           408FFE call 408D80
      
     If u chk nearby locations of these function calls, u'll notice that thr r no stack 
     operations done prior to the first two calls. Further, no registers r accessed/modified
     prior to the former two calls. This means that u can safely no-op the first two calls,
     which'll clear both the Nag+TymLimit protection of the proggy, and also the Title Bar
     message prob. (Evaluation Day etc . . .) 'll b solvd !!

     So, open Mupanel.exe in Hiew, and after setting asm mode, go to 8FF4 and no-op ten 
     locations, starting at 8FF4 , to 8FFD (including 8FFD). 

     That's it. So, now our MicroAngelo 5.0 pack is fully crkd !!!  


Final Words :
~~~~~~~~~~~'

     Hiya thr to all those who r reading this tut. Thnx very much. This is my very first tut
     4 all TNT luvrs. Guyz, v, here @ TNT, r pushin ourselves 2 the limits 2 keep up with ur
     Xpectations and earn ur affection. This tut is a small gift frm a new TNT mmbr 2 u all.
     Plz send me ur comments on it.

     I'd lyk to dedicate this tut Xclusively 2 fellow TNT mmbrs, esp.

         Fat[Bit] , and 
         Sevan

     ( Names in alphabetic order )               
               

     Hope u guyz lyk thiz tut, 'coz i 've given 6 straight hrs to wryt it down.

P.S. : 
~~~~'
       All previous versions of MicroAngelo follow Xactly the same procs, just the byte offsets
       might b different. So, after u read this tut, i'd strongly recommend u to try ur hand
       at MicroAngelo 98 or an earlier app.

bye!
ChoRdLesS.
ChoRdLesS2k@yahoo.com