- t h e   h o m e   o f   p o l i s h   c r a c k e r s -

proudly presents:

`~*¤§[ a tutorial:.Opera 3.50..................................................]§¤*~`
`~*¤§[ written by:.Iwan .......................................................]§¤*~`
`~*¤§[ date:.......1999.02.11..................................................]§¤*~`
`~*¤§[ translator:.Zomo........................................................]§¤*~`
_____________________________________________________________________________________

Target: Opera 3.50
Where:  http://www.operasoftware.com/
Size:   1,2 MB
Tools:  Wdasm, Hiew

--------------------------------------------------------------------------------------

Intro:

Opera is an alternative to M$ Internet Explorer and Netscape Navigator. It is smaller,
quicker and more configurable than either of them. The registration procedure is the
standard one - the program asks for a registration code.

This time we won't use Softice to get the 'correct' serial number (that was described
in my tuts #1 and #2). Instead we will locate the protection in the program's code
(using Wdasm) and modify it (using Hiew) :-)

Besides the analysis of Opera itself, this tutorial also covers the basics of using
Wdasm and Hiew. Even if you have never used those tools, you can handle this tut :)))

Kewl, let's go!

--------------------------------------------------------------------------------------

Description:

---------------------------
Newbies Note!
Work on a program should start with an initial diagnosis of the target, i.e. how it
registers, what effects (messages, sounds) it produces, and when and where the
information about registration appears.
---------------------------

OK, to get to the registration we can go two ways:
- soon after starting, a window appears; from the options Evaluate/Purchase/Register
  we choose the last one ;),
- from the menu Help -> Register Opera...

Type in some strings now and press OK. A nice ;) message appears:
'The registration information you have entered is invalid. Please make sure that
you have entered your name and registration code correctly'.

If we wanted to use Softice, this is the moment when the breakpoint we set would
fire, and we would start analysing the program step by step. With Wdasm we do it
differently - starting from one of the messages that appears in the program, we
find a starting point in the program's dead listing and begin analysing the code
'dry'.

---------------------------
Newbies Note!
A dead listing is the plain code of the program in assembly language. To get it,
use Wdasm: from the menu Disassembler choose 'Open File to Disassemble...' and
open the desired file.
---------------------------

Close Opera and fire up Wdasm. Disassemble opera.exe. This could take some time :(

---------------------------
Newbies Note!
If you use Wdasm for the first time, you'll surely see a lot of strange signs.
No problem, it is enough to change the font (menu Disassembler -> Font... ->
Select Font) to your favourite one; to avoid this in the future, use menu
Disassembler -> Font... -> Save Default Font. It is also worth saving the
disassembly, because otherwise you would have to wait for the disassembling
every time (menu Disassembler -> Save Disassembly Text File and Create Project
File).
---------------------------

Good, we have the dead listing of Opera. Quite a lot of it, isn't it? Somebody had
to work really hard to make it work, maybe he deserves payment? Let's try to find in
Opera's code the text (or a part of it) which appears after entering incorrect data.
You can do it in two ways:
- from the menu Search -> Find Text (or the third icon),
- from the menu Refs -> String Data References (or the last but one icon).

I used the second method. Among all the strings we look for ours, the one that begins
with 'The registration information...'. We look and find nothing. Why am I writing
about this? Because it is an efficient method, and I always start by using it. It
easily leads to the piece of the program's code that refers to the protection. This
time, however, we will do it differently, but the principle is the same.

What to do when the message cannot be found in String Data References? Let us look
around at what else we can find there. Among many interesting things one stands out:
"(unregistered)" (String Resource ID=21428). Think for a moment where such a thing
appears in the program (if you don't remember, fire up Opera and look ;)). I found
"unregistered" in two places:
- in the title of the program's window (Opera 3.50 (unregistered)),
- in the first window, the one which appears before the Evaluate/Purchase/Register
  window; there we see something like: Registered to: (unregistered).

As you can imagine, after correctly registering the program the user name appears
here. OK, we return to Wdasm, to the "(unregistered)" we found in String Data
References.

---------------------------
Newbies Note!
Double-clicking a selected string in String Data References finds it in the
program's code. If the string appears in the code more than once, further
double-clicks find its next locations.
---------------------------

"(unregistered)" is found in two places in Opera's code. Nothing else remains for us
but to analyse them :)). Let us begin with the first one.
We find there this code:

* Referenced by a CALL at Addresses:
|:0045BF4A   ,:004850C6
|
:0045F872 803D9055500000          cmp byte ptr [00505590], 00
:0045F879 56                      push esi
:0045F87A 57                      push edi
:0045F87B 8BF9                    mov edi, ecx
:0045F87D BE90555000              mov esi, 00505590
:0045F882 7532                    jne 0045F8B6
:0045F884 6A40                    push 00000040
:0045F886 56                      push esi

* Possible Reference to String Resource ID=21110: "Opera 3.50"
|
:0045F887 6876520000              push 00005276
:0045F88C E8400B0000              call 004603D1
:0045F891 56                      push esi
:0045F892 E8F9CA0700              call 004DC390
:0045F897 59                      pop ecx
:0045F898 A344555000              mov dword ptr [00505544], eax
:0045F89D 6A40                    push 00000040
:0045F89F 59                      pop ecx
:0045F8A0 2BC8                    sub ecx, eax
:0045F8A2 8D8090555000            lea eax, dword ptr [eax+00505590]
:0045F8A8 51                      push ecx
:0045F8A9 50                      push eax

(!!! HERE WE ARE !!!)
* Possible Reference to String Resource ID=21428: "(unregistered)"
|
:0045F8AA 68B4530000              push 000053B4
:0045F8AF 8BCF                    mov ecx, edi
:0045F8B1 E81B0B0000              call 004603D1

---------------------------
Newbies Note!
The next stage of code analysis in Wdasm is (could be ;)) finding the suitable
jump(s) before the selected call, the one(s) that correspond to the possible
registered/not registered decisions, and changing it (them) to the opposite (use
Hiew to modify the file).
---------------------------

I will say right away that we will not interfere with the code in this fragment - it
does not refer to the window we are interested in (but rather to the title of the
Opera window). How did I come to this conclusion? First, if we changed the jne
0045F8B6 in line :0045F882 to the opposite jump (je), then neither "(unregistered)"
nor "Opera 3.50" would appear. The jump would move us to line :0045F8B6, past
"Opera 3.50" and "(unregistered)". There would be nothing in the window. Second...
to explain that, we need the second fragment of code containing "(unregistered)".
We return to String Data References, click "(unregistered)" and find this code:

* Possible Reference to String Resource ID=21110: "Opera 3.50"
|
:00491E84 6876520000              push 00005276
:00491E89 FF3528595000            push dword ptr [00505928]
:00491E8F FFD7                    call edi

* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:00491E91 8B35A4C44E00            mov esi, dword ptr [004EC4A4]
:00491E97 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:00491E9D 50                      push eax
:00491E9E 53                      push ebx
:00491E9F FF7508                  push [ebp+08]
:00491EA2 FFD6                    call esi
:00491EA4 8D8540FBFFFF            lea eax, dword ptr [ebp+FFFFFB40]
:00491EAA 83C3FE                  add ebx, FFFFFFFE
:00491EAD 50                      push eax
:00491EAE 53                      push ebx
:00491EAF FF7508                  push [ebp+08]
:00491EB2 FFD6                    call esi
:00491EB4 8D856CFCFFFF            lea eax, dword ptr [ebp+FFFFFC6C]
:00491EBA 50                      push eax

* Possible Reference to Dialog: SPLASH, CONTROL_ID:2B26, "Text"
|
:00491EBB 68262B0000              push 00002B26
:00491EC0 FF7508                  push [ebp+08]
:00491EC3 FFD6                    call esi
:00491EC5 833DB45D500000          cmp dword ptr [00505DB4], 00000000
:00491ECC 7526                    jne 00491EF4
:00491ECE 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:00491ED4 68FF000000              push 000000FF
:00491ED9 50                      push eax

(!!! HERE WE ARE !!!)
* Possible Reference to String Resource ID=21428: "(unregistered)"
|
:00491EDA 68B4530000              push 000053B4
:00491EDF FF3528595000            push dword ptr [00505928]
:00491EE5 FFD7                    call edi
:00491EE7 8D85C5FEFFFF            lea eax, dword ptr [ebp+FFFFFEC5]
:00491EED 50                      push eax
:00491EEE 53                      push ebx
:00491EEF FF7508                  push [ebp+08]
:00491EF2 FFD6                    call esi

Let's get back now to the second reason why this, and not the preceding, piece of
code should interest us. It is easy to see that in the window we want to get into,
between "Opera 3.50" and "(unregistered)", there is something more, something which
will not change after registration -> "Copyright 1995-1998 Opera Software". Try to
find the string Copyright 1995-1998 in Wdasm (menu Search -> Find Text). We find it
once. At the beginning of the line there is this: ControlID:2B28. Now look at the
piece of code above. Between "Opera 3.50" and "(unregistered)" we find "Text".
If you look at what precedes it (CONTROL_ID:2B26), you'll quickly guess where
"Copyright..." comes from. Kewl. Now we know that this is it. Time to dig in.

In the first fragment of code we analysed, the jump skipped over both
"(unregistered)" and "Opera 3.50". It turned out that this was rather illogical.
Let's begin to look at the second piece, from the "(unregistered)" line upwards.
Four lines above we find the first jump, and one line higher a comparison:

:00491EC5 833DB45D500000          cmp dword ptr [00505DB4], 00000000
:00491ECC 7526                    jne 00491EF4

Looks good, doesn't it? And it meets our requirements - it allows "Opera 3.50" and
"Copyright 1995-1998 Opera Software" to be displayed, and if the comparison
preceding it is not true (not equal), it jumps to 00491EF4, that is, it avoids
"(unregistered)". Think about what we get when the jne is executed. 'Jne' is "jump
if not equal". We can see that what is under [00505DB4] must not be zero - then the
jump will be executed, and that's what we want. OK, it would be nice to change this
jump to the opposite one (jne->je, that is, 75->74 in hex). Try it yourself (btw,
if you don't know how, continue reading). "(unregistered)" really does not show in
the window anymore, but the program still shows the Evaluate/Purchase/Register
window, and the title of the program's main window is still "Opera 3.50
(unregistered)". So much for that... And so we go further :)

Under [00505DB4] there is no zero. And what is there? Let's try to find out. If cmp
dword ptr [00505DB4] reads something, then first it has to be written there, most
likely by an instruction mov dword ptr [00505DB4]. Let us verify our speculation in
Wdasm and simply try to find such a string in Opera's code. Wdasm -> Search -> Find
Text -> mov dword ptr [00505DB4]. There it is:

:00491D5F A3B45D5000              mov dword ptr [00505DB4], eax

We see that the value of EAX is stored under [00505DB4]. How to find out what the
value of EAX is?
Look two lines above:

:00491D58 E8DE1A0200              call 004B383B

It would be nice to look under the indicated address (004B383B) ;). We can see:

* Referenced by a CALL at Addresses:
|:0045BF21   ,:00491D58
|
:004B383B 8D8138010000            lea eax, dword ptr [ecx+00000138]
:004B3841 85C0                    test eax, eax
:004B3843 741A                    je 004B385F
:004B3845 803800                  cmp byte ptr [eax], 00
:004B3848 7415                    je 004B385F
:004B384A 81C190030000            add ecx, 00000390
:004B3850 51                      push ecx
:004B3851 E82FA5FDFF              call 0048DD85
:004B3856 85C0                    test eax, eax
:004B3858 59                      pop ecx
:004B3859 7404                    je 004B385F
:004B385B 6A01                    push 00000001
:004B385D 58                      pop eax
:004B385E C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B3843(C), :004B3848(C), :004B3859(C)
|
:004B385F 33C0                    xor eax, eax
:004B3861 C3                      ret

---------------------------
Newbies Note!
The line:
* Referenced by a CALL at Addresses:
|:address1 ,:address2
informs you that the procedure below is called by the CALLs located at address1
and address2.
---------------------------

As can easily be seen, the piece of code we are about to analyse (and which is the
place of our modification :)) is called not only by the CALL that allowed us to get
here (:00491D58 call 004B383B), but also by the CALL in line :0045BF21. That is why
simply changing the jne in line :00491ECC didn't work. The analysis of this second
CALL I leave to the inquisitive. Let us occupy ourselves with the fragment of code
above.

As you remember, we want that after returning from this procedure (ret) EAX won't
be zero. In this fragment we find three identical jumps, je 004B385F, every one of
them pointing to the same place:

:004B385F 33C0                    xor eax, eax

Anything XOR itself is ALWAYS zero.

---------------------------
Newbies Note!
If you still don't understand, look at the Mnich FAQ (thanx Mnich):

Xor table:

 a | b | c
==========
 1 | 1 | 0
 0 | 1 | 1
 1 | 0 | 1
 0 | 0 | 0

a XOR b = c, so a XOR a = 0
---------------------------

If none of the execution conditions of the three jumps is fulfilled, we get to:

:004B385B 6A01                    push 00000001
:004B385D 58                      pop eax
:004B385E C3                      ret

that is:
- push a 1 onto the stack,
- take the 1 from the stack into EAX,
- return from the CALL with EAX=00000001, which in the end will make the program
  think it is registered :))

Kewl. You can:
- remove all three jumps je 004B385F (change 741A, 7415 and 7404 to 9090),
- or remove the xor eax, eax in line :004B385F (change 33C0 to 9090),
- or redirect the first of the three jumps directly to the line with push 00000001
  (change 741A to EB16).

All three solutions are correct. The last one is the quickest from the point of
view of the optimisation of the program's code. Try to test all of them.

OK, but how to make these changes in opera.exe? For this I use Hiew. Before firing
it up we have to know the CORRECT offset in the file. Example:

:004B3843 741A                    je 004B385F

In Wdasm you have to put the bar on this line and look at the bottom of the Wdasm
window. The line:

Line:39587 Pg 4768 of 6299 Code Data @:004B3843h @Offset 000B3843h in File:Opera.exe
                                                         ^^^^^^^^^
This is what we need. Check all the offsets:
- offset B3848 for the second jump,
- offset B3859 for the third jump,
- offset B385F for xor eax, eax.

Now turn off Wdasm, we don't need it anymore. Very briefly, how to make the changes.

---------------------------
Newbies Note!
1. Make copies of everything!!!
2. You can't change anything in a running program.
---------------------------

Close Opera and fire up Hiew, choose opera.exe. Wow, what a mess, can a normal human
read this stuff? No, so press F4 and Decode. F5 is search: press it, input the
offset to change (i.e. B385F for removing xor eax, eax) and press Enter. Then F3 to
edit the data. Type in 9090 (changing from 33C0) and F9 to save the changes. Quit.
Run Opera. You made it, congrats!!!!
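The step the tutorial does by hand in Wdasm (reading "@Offset 000B3843h" for the address 004B3843h) is a virtual-address-to-file-offset lookup through the PE section table, and the same lookup is what a software vendor or an integrity checker uses in the other direction: to confirm that the bytes at a protection's decision points are still the ones that were shipped. The Python below is an added example, not code from the tutorial or from Opera. It assumes the default Win32 image base 0x00400000 and a single constructed code section whose raw file offset equals its RVA (0x1000 -> 0x1000), which is exactly the layout under which file offset = VA - image base as observed in the tutorial; the "executable" it inspects is a zero-filled buffer built here with the four byte sequences from the listing placed at their offsets, not opera.exe.

```python
"""Map Wdasm-style virtual addresses to file offsets and verify the bytes there.

Added example (not part of the original tutorial). Section layout, image base and
the sample image are constructed assumptions; the addresses and byte values are
the ones shown in the tutorial's listing of the routine at 004B383B.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

IMAGE_BASE = 0x00400000  # assumption: default Win32 image base


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int  # RVA where the section is mapped at run time
    virtual_size: int
    raw_offset: int       # PointerToRawData: where the section sits in the file
    raw_size: int         # SizeOfRawData


# Constructed section table: one code section, RVA == raw offset, as in the tutorial.
SECTIONS = [Section(".text", 0x1000, 0xB3000, 0x1000, 0xB3000)]


def va_to_file_offset(va: int, image_base: int, sections: list[Section]) -> int:
    """Return the file offset for a virtual address (Wdasm's '@Offset' value).

    Raises ValueError when the address is outside every section or lies in a
    part of a section that has no backing bytes in the file.
    """
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.virtual_size:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                raise ValueError(f"VA {va:08X} in {s.name} has no file data")
            return s.raw_offset + delta
    raise ValueError(f"VA {va:08X} is not inside any section")


# The four locations the tutorial names, with the original bytes Wdasm shows there.
EXPECTED = {
    0x004B3843: bytes.fromhex("741A"),  # je 004B385F
    0x004B3848: bytes.fromhex("7415"),  # je 004B385F
    0x004B3859: bytes.fromhex("7404"),  # je 004B385F
    0x004B385F: bytes.fromhex("33C0"),  # xor eax, eax
}

# Byte patterns a checker recognises as a known edit (two NOPs over a 2-byte instruction).
KNOWN_PATCHES = {bytes.fromhex("9090"): "two NOPs (jump or xor removed)"}


def verify_locations(image: bytes, image_base: int, sections: list[Section],
                     expected: dict[int, bytes]) -> dict[int, str]:
    """Return a verdict per VA: 'ok', or a description of the modification found."""
    verdicts: dict[int, str] = {}
    for va, want in expected.items():
        off = va_to_file_offset(va, image_base, sections)
        got = image[off:off + len(want)]
        if got == want:
            verdicts[va] = "ok"
        elif got in KNOWN_PATCHES:
            verdicts[va] = KNOWN_PATCHES[got]
        elif want[0] == 0x74 and got[0] == 0xEB:  # short je rewritten as short jmp
            verdicts[va] = f"conditional je turned into jmp (got {got.hex().upper()})"
        else:
            verdicts[va] = f"unexpected bytes {got.hex().upper()}"
    return verdicts


def section_digest(image: bytes, section: Section) -> str:
    """SHA-256 of a section's raw bytes: the coarse check a release manifest would carry."""
    raw = image[section.raw_offset:section.raw_offset + section.raw_size]
    return hashlib.sha256(raw).hexdigest()


def build_sample_image(patch_offset: int | None = None, patch_bytes: bytes = b"") -> bytes:
    """Constructed stand-in for opera.exe: zeros, plus the listing's bytes at their offsets.

    An optional single patch simulates the tampering the checker should notice.
    """
    img = bytearray(SECTIONS[0].raw_offset + SECTIONS[0].raw_size)
    for va, b in EXPECTED.items():
        off = va_to_file_offset(va, IMAGE_BASE, SECTIONS)
        img[off:off + len(b)] = b
    if patch_offset is not None:
        img[patch_offset:patch_offset + len(patch_bytes)] = patch_bytes
    return bytes(img)


if __name__ == "__main__":
    clean = build_sample_image()
    nopped = build_sample_image(0x000B385F, bytes.fromhex("9090"))
    print("offset of 004B3843h:", hex(va_to_file_offset(0x004B3843, IMAGE_BASE, SECTIONS)))
    print("clean :", verify_locations(clean, IMAGE_BASE, SECTIONS, EXPECTED))
    print("nopped:", verify_locations(nopped, IMAGE_BASE, SECTIONS, EXPECTED))
    print("digests differ:", section_digest(clean, SECTIONS[0]) != section_digest(nopped, SECTIONS[0]))
```

Against a real file you would read the section table from the PE headers instead of hard-coding it (the `pefile` library's `get_offset_from_rva` does the same lookup); the point of the byte-level verdicts is that a single decision routine ending in one `xor eax, eax` can be checked, and its three known ways of being altered named, while the section hash catches any change at all at the cost of not saying where it happened.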
--------------------------------------------------------------------------------------

If you are looking here only for serials, this is the wrong tut. The steps described
above are meant to help you analyse code and understand the schemes. So thinking
ALWAYS helps :)

If you are going to use this software, buy it - they deserve support (except M$).
This will help to make better programs and protections.

--------------------------------------------------------------------------------------

11-02-99 iwan (iwy@friko.onet.pl)

[CP!]: http://www.hyperreal.art.pl/cypher/crkpl