Cracking Tutorial #55: Cracking Freecell 2002
[cracked bY:] sLeEpY¿ [FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] http://freecell2000.tripod.com/
[tOOLz:] W32dasm 8.93 w/ vbsdr enabler patch, Hiew 6.x, Regmon
KANAL23 Tutorial
Introduction
Freecell 2002
File Name : fcl2002.zip
Size : 1.22 MB
Version : 3.0
OS : Win 95/98/Me/NT/2000
Type : 30 Days Evaluation
Coded in VB6
The Essay
Run the program and we get a startup nag that says unregistered version, then a
nag screen "Freecell 2002 Evaluation Version".
Under Help there is a place to register, and the key has this form:
XXXXX XXXX XXXX XXXX
Input a bad key and this happens:
Freecell 2002
Sorry, Key is not valid. Please try again.
[OK]
Well that's nice, the program wants us to try again, so we will in a few =)
We also know it's a 30-day eval, so we have three things to crack: the 30-day
eval, the nag, and the registration. Fun!
Let's disassemble the file in the patched W32dasm 8.93 and check the String
References for suspicious stuff like:
"Evaluation Expired"
"Registered Version"
"Sorry, Key is not valid. Please "
"Thank you for Registering Freecell "
"Your evaluation period has expired!"
That looks like all we need to take out the 30-day trial and the registration.
Let's kill the registration first! Double-click "Thank you for Registering
Freecell " and you will end up in the code below.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6B59(C)
|
:004B6B70 6683BDD4FEFFFFFF cmp word ptr [ebp+FFFFFED4], FFFF
:004B6B78 0F854D010000 jne 004B6CCB   <- our conditional jump! (offset B6B78)
:004B6B7E A174804B00 mov eax, dword ptr [004B8074]
:004B6B83 8B4DE8 mov ecx, dword ptr [ebp-18]
:004B6B86 51 push ecx
:004B6B87 50 push eax
:004B6B88 8B10 mov edx, dword ptr [eax]
:004B6B8A FF5220 call [edx+20]
:004B6B8D 3BC6 cmp eax, esi
:004B6B8F DBE2 fclex
:004B6B91 7D15 jge 004B6BA8
:004B6B93 8B1574804B00 mov edx, dword ptr [004B8074]
:004B6B99 6A20 push 00000020
:004B6B9B 68BC3F4100 push 00413FBC
:004B6BA0 52 push edx
:004B6BA1 50 push eax
* Reference To: MSVBVM60.__vbaHresultCheckObj, Ord:0000h
:004B6BA2 FF1570104000 Call dword ptr [00401070]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6B91(C)
|
:004B6BA8 B904000280 mov ecx, 80020004
:004B6BAD B80A000000 mov eax, 0000000A
:004B6BB2 894D90 mov dword ptr [ebp-70], ecx
:004B6BB5 894DA0 mov dword ptr [ebp-60], ecx
:004B6BB8 894DB0 mov dword ptr [ebp-50], ecx
:004B6BBB 8D9508FFFFFF lea edx, dword ptr [ebp+FFFFFF08]
:004B6BC1 8D4DB8 lea ecx, dword ptr [ebp-48]
:004B6BC4 894588 mov dword ptr [ebp-78], eax
:004B6BC7 894598 mov dword ptr [ebp-68], eax
:004B6BCA 8945A8 mov dword ptr [ebp-58], eax
* Possible StringData Ref from Code Obj ->"Thank you for Registering Freecell "
->"2002."
:004B6BCD C78510FFFFFF549E4100 mov dword ptr [ebp+FFFFFF10], 00419E54
If we take the baddy jump it lands us here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6B78(C)
|
:004B6CCB B904000280 mov ecx, 80020004
:004B6CD0 B80A000000 mov eax, 0000000A
:004B6CD5 894D90 mov dword ptr [ebp-70], ecx
:004B6CD8 894DA0 mov dword ptr [ebp-60], ecx
:004B6CDB 894DB0 mov dword ptr [ebp-50], ecx
:004B6CDE 8D9508FFFFFF lea edx, dword ptr [ebp+FFFFFF08]
:004B6CE4 8D4DB8 lea ecx, dword ptr [ebp-48]
:004B6CE7 894588 mov dword ptr [ebp-78], eax
:004B6CEA 894598 mov dword ptr [ebp-68], eax
:004B6CED 8945A8 mov dword ptr [ebp-58], eax
* Possible StringData Ref from Code Obj ->"Sorry, Key is not valid. Please "
->"try again."
So this is simple: if key = good then go to the good message, else go to the bad
message. (The cmp against FFFF is VB6 comparing a Boolean with True, which VB
stores as -1; when the key check did not return True, jne takes us to the
"Sorry" box.)
Drop the exe onto Hiew, go to decode mode, press F5, type in "B6B78", our
offset, and press Enter. Press F3 to edit the code and change this:
:004B6B78 0F854D010000 jne 004B6CCB
to this:
:004B6B78 0F844D010000 je 004B6CCB
Now any key except the correct one will register the program (and the correct
one will be refused, since we inverted the test rather than removing it). That's
nice, except the program won't stay regged when you restart, so let's tear it up
some more.
Check out "Registered Version" and you will see it is in 2 places; here is the
first.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047F80B(C)
|
:0047F822 66397DE4 cmp word ptr [ebp-1C], di
:0047F826 743F je 0047F867   <- conditional jump (offset 7F826)
:0047F828 8B06 mov eax, dword ptr [esi]
:0047F82A 56 push esi
:0047F82B FF9008030000 call dword ptr [eax+00000308]
:0047F831 8D4DE8 lea ecx, dword ptr [ebp-18]
:0047F834 50 push eax
:0047F835 51 push ecx
* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
:0047F836 FF15A0104000 Call dword ptr [004010A0]
:0047F83C 8BF0 mov esi, eax
* Possible StringData Ref from Code Obj ->"Registered Version"
Remember the about box said evaluation version? Check the above code out: make
sure the jump at 0047F826 is never taken and the about box will say "Registered
Version". It's the same concept as the first:
If prog = not registered then
jump to not registered
else continue to regged
Change this:
:0047F826 743F je 0047F867
To this:
:0047F826 9090 nop / nop (NOPx2)
Now for the other place where we saw Registered Version. Yes, NOPing is boring
but it works. You can use other filler besides NOPs, like a useless inc eax /
dec eax pair, as long as it doesn't clobber a register or a flag the code after
it still needs (inc/dec leave CF alone but rewrite ZF, SF, OF, AF and PF).
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B6FEB(C)
|
:004B7002 66395DE4 cmp word ptr [ebp-1C], bx
:004B7006 743F je 004B7047   <- conditional jump (offset B7006)
:004B7008 8B06 mov eax, dword ptr [esi]
:004B700A 56 push esi
:004B700B FF9008030000 call dword ptr [eax+00000308]
:004B7011 8D4DE8 lea ecx, dword ptr [ebp-18]
:004B7014 50 push eax
:004B7015 51 push ecx
* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
:004B7016 FF15A0104000 Call dword ptr [004010A0]
:004B701C 8BF8 mov edi, eax
* Possible StringData Ref from Code Obj ->"Registered Version"
So, same as above, let's get rid of that conditional jump...
Change this:
:004B7006 743F je 004B7047
to this:
:004B7006 9090 nop / nop (NOPx2)
And now when we start the prog, the splash tells us "Registered Version".
Wow, let's go have a smoke or a cookie, whatever man.
OK, back, and let's trash the 30-day crap... First check out "Evaluation Expired"
and go to that code location and you will find this code...
:004AA6CF 0F84F5000000 je 004AA7CA   <- jump to unlimited eval =) (offset AA6CF)
:
: lines of code
:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA76F(C)
|
* Reference To: MSVBVM60.__vbaFreeObj, Ord:0000h
:004AA783 8B1D5C124000 mov ebx, dword ptr [0040125C]
:004AA789 8D4DE4 lea ecx, dword ptr [ebp-1C]
:004AA78C FFD3 call ebx
:004AA78E 8B16 mov edx, dword ptr [esi]
:004AA790 56 push esi
:004AA791 FF9214030000 call dword ptr [edx+00000314]
:004AA797 50 push eax
:004AA798 8D45E4 lea eax, dword ptr [ebp-1C]
:004AA79B 50 push eax
:004AA79C FFD7 call edi
:004AA79E 8BF0 mov esi, eax
* Possible StringData Ref from Code Obj ->"Evaluation Expired"
Just trace the code up until you find a jump that goes past the "Evaluation
Expired" message and change that je (0F 84) to jae (0F 83), so it jumps no matter
what day it is.
Change this:
:004AA6CF 0F84F5000000 je 004AA7CA
to this:
:004AA6CF 0F83F5000000 jae 004AA7CA
One caveat: jae is "jump if carry clear", not a true unconditional jump; it works
here because the compare in front of it leaves CF clear in every case we tried.
If you want a jump that can never fall through, use a 5-byte jmp (E9 rel32) plus
one NOP in the same 6 bytes, remembering that the displacement is counted from
the end of the instruction and so goes up by one (F6 instead of F5).
OK, now we don't have to worry about expiration, but let's check the other
message.
Double-click "Your evaluation period has expired!" in the String Refs and you
will be in the code below....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004AA12E(C)   <- the jump that brought us here
|
:004AA1CA B904000280 mov ecx, 80020004
:004AA1CF B80A000000 mov eax, 0000000A
:004AA1D4 894DB4 mov dword ptr [ebp-4C], ecx
:004AA1D7 894DC4 mov dword ptr [ebp-3C], ecx
:004AA1DA 894DD4 mov dword ptr [ebp-2C], ecx
:004AA1DD 8D559C lea edx, dword ptr [ebp-64]
:004AA1E0 8D4DDC lea ecx, dword ptr [ebp-24]
:004AA1E3 8945AC mov dword ptr [ebp-54], eax
:004AA1E6 8945BC mov dword ptr [ebp-44], eax
:004AA1E9 8945CC mov dword ptr [ebp-34], eax
* Possible StringData Ref from Code Obj ->"Your evaluation period has expired!"
So we know that error is reached from 4AA12E, so let's go take it out... Damn
bugs in the program. This messagebox is history. If you want to see the msgbox
before we take it out, change the je to jne (85) and run the prog; it's a good
way to make sure you are at the right place.
Change this:
:004AA12E 0F8496000000 je 004AA1CA (offset AA12E)
to this:
:004AA12E 909090909090 nop x6 (NOPx6)
Now no more bad box gets called.
OK, after messing with the clock we find this error next, so let's get rid of
it; damn, tons of bugs in this program...
:004A9FEF 0F84F5000000 je 004AA0EA   <- well hmm..... (offset A9FEF)
:004A9FF5 B904000280 mov ecx, 80020004
:004A9FFA B80A000000 mov eax, 0000000A
* Possible StringData Ref from Code Obj ->"Freecell 2002 has detected that "
->"you've "
:004A9FFF 68F4954100 push 004195F4
* Possible StringData Ref from Code Obj ->"changed the clock backwards!"
This jump goes past the error, so let's make it always jump (same je -> jae
trick as before; jae still needs CF clear, so test it rather than assume):
Change this:
:004A9FEF 0F84F5000000 je 004AA0EA
to this:
:004A9FEF 0F83F5000000 jae 004AA0EA
Well, that worked: set the clock back a month and instead of 30 days you have 60
and no stupid buggy message. Move the clock forward 3 months and now you have
-30 days heh... still working...
Well, this tutorial is a lot longer than I thought initially, so if you're bored,
screw it. Otherwise we still have to get rid of that nag screen... To do this we
must use the W32dasm built-in debugger, as none of the messages in the nag screen
show up in the String References.
First I used Regmon to find where the key is stored. If you start it up you will
see a long list of crap, but browsing through it you can see these references:
11.81300160 Freecell OpenKey HKCU\Software\VB and VBA Program Settings\Freecell 2002\License SUCCESS hKey: 0xC69EF8B0
11.81302720 Freecell QueryValueEx HKCU\Software\VB and VBA Program Settings\Freecell 2002\License\Data SUCCESS
11.81304240 Freecell QueryValueEx HKCU\Software\VB and VBA Program Settings\Freecell 2002\License\Data SUCCESS 0
11.81308160 Freecell QueryValueEx HKCU\Software\VB and VBA Program Settings\Freecell 2002\License\Data SUCCESS ""
11.81309760 Freecell CloseKey HKCU\Software\VB and VBA Program Settings\Freecell 2002\License SUCCESS
This tells us our key is stored in the registry here:
HKCU\Software\VB and VBA Program Settings\Freecell 2002\License\Data
That path is exactly where VB6's SaveSetting/GetSetting put things: the "VB and
VBA Program Settings" branch, then app name, section and key. So the program is
doing GetSetting("Freecell 2002", "License", "Data"), and that is the call we
will look for in the deadlisting.
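A way to pull the interesting lines out of that long list automatically, as an added example that is not part of the tutorial or of Freecell 2002: it parses Regmon lines in the "time process operation path result [extra]" layout pasted above, keeps only one process's value reads and writes under the VB settings branch, and turns each one back into the GetSetting/SaveSetting call that produced it. The log embedded below is constructed: the five Freecell lines are the ones shown above, the HKLM and Explorer lines are made-up noise added to show the filtering.

```python
import re
from collections import OrderedDict

# Where VB6's SaveSetting/GetSetting keep their data (app\section\key below it).
VB_SETTINGS_ROOT = r"HKCU\Software\VB and VBA Program Settings"

# Constructed sample in the "<time> <process> <op> <path> <result> [extra]"
# layout the tutorial pasted. The five Freecell lines are the ones from the
# tutorial; the HKLM and Explorer lines are made-up noise.
SAMPLE_LOG = """\
11.81100000 Freecell OpenKey HKLM\\Software\\Microsoft\\Windows\\CurrentVersion SUCCESS hKey: 0xC69EF7A0
11.81200000 Freecell QueryValueEx HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\ProgramFilesDir SUCCESS "C:\\Program Files"
11.81300160 Freecell OpenKey HKCU\\Software\\VB and VBA Program Settings\\Freecell 2002\\License SUCCESS hKey: 0xC69EF8B0
11.81302720 Freecell QueryValueEx HKCU\\Software\\VB and VBA Program Settings\\Freecell 2002\\License\\Data SUCCESS
11.81304240 Freecell QueryValueEx HKCU\\Software\\VB and VBA Program Settings\\Freecell 2002\\License\\Data SUCCESS 0
11.81308160 Freecell QueryValueEx HKCU\\Software\\VB and VBA Program Settings\\Freecell 2002\\License\\Data SUCCESS ""
11.81309760 Freecell CloseKey HKCU\\Software\\VB and VBA Program Settings\\Freecell 2002\\License SUCCESS
11.81400000 Explorer SetValueEx HKCU\\Software\\VB and VBA Program Settings\\Other App\\Settings\\Foo SUCCESS "bar"
"""

# Registry paths contain spaces, so the path is anchored on the result word after it.
LINE_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<proc>\S+)\s+(?P<op>\S+)\s+(?P<path>.+?)\s+"
    r"(?P<result>SUCCESS|NOTFOUND|ACCDENIED|BUFOVRFLOW)(?:\s+(?P<extra>.*))?$"
)

# Regmon operation -> the VB runtime call that issues it.
VB_CALL_FOR_OP = {"QueryValueEx": "GetSetting", "SetValueEx": "SaveSetting"}


def parse_regmon(text):
    """Yield one dict per parseable line; anything that isn't a Regmon record is skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def vb_settings_access(text, process):
    """Collapse a trace to the (app, section, key) tuples one process read or wrote
    under the VB settings branch. Values are [(vb_call, extra), ...] in log order;
    `extra` is whatever Regmon reported after SUCCESS (None if nothing)."""
    found = OrderedDict()
    prefix = VB_SETTINGS_ROOT.lower() + "\\"
    for rec in parse_regmon(text):
        if rec["proc"] != process or rec["op"] not in VB_CALL_FOR_OP:
            continue
        if not rec["path"].lower().startswith(prefix):
            continue
        parts = rec["path"][len(prefix):].split("\\")
        if len(parts) != 3:   # OpenKey/CloseKey stop at the section; a value path has 3 parts
            continue
        app, section, key = parts
        found.setdefault((app, section, key), []).append((VB_CALL_FOR_OP[rec["op"]], rec["extra"]))
    return found


def as_vb_call(vb_call, app, section, key):
    """Render the VB source-level call that produced the registry access."""
    return f'{vb_call}("{app}", "{section}", "{key}")'


if __name__ == "__main__":
    for (app, section, key), hits in vb_settings_access(SAMPLE_LOG, "Freecell").items():
        for vb_call, extra in hits:
            print(as_vb_call(vb_call, app, section, key), "->", extra)
```

Run it and the three QueryValueEx hits collapse to one GetSetting("Freecell 2002", "License", "Data"), with the returned values (nothing, 0, "") telling you the value is empty on an unregistered install; the same script run on a trace taken right after entering a key shows the SaveSetting side, which is the rtcSaveSetting reference we skip over below.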
You can run regedit and look for yourself to check. "Data" and "License" show up
in the string data of the deadlisting, so double-click them and set a breakpoint
somewhere around that area. Like this:
Make sure the deadlisted code of Freecell is open, click "Debug" then "Load
Process", and just click "Load"; it will start with 3 windows open.
This part is a bit harder to follow, as well as to explain, but check it out.
"License" will drop you in 2 places, one like this:
* Reference To: MSVBVM60.rtcGetSetting, Ord:02B1h   <-- hmm
and one like this:
* Reference To: MSVBVM60.rtcSaveSetting, Ord:02B2h
Knowing which one we want is easy: when we register, the program saves our reg
setting, so that is most likely the second one. We want the first, because it
is reading our settings, hence GetSetting. That will be here:
:004B645F 68209E4100 push 00419E20
Now press F2 on that location and click "RUN" in the 3rd window, and the app
will run till it hits the breakpoint we just set. Now the hard part is following
the code until the nag pops up. To do this you set a breakpoint at each jump or
call, then stop and go, stop and go, until you find the call that is our nag.
Whenever you hit a ret, click "step into" to follow it so you don't lose where
you are. After some time tracing you will see the nag pop up here:
Nag Location:
:004AA19A FF92B0020000 call dword ptr [edx+000002B0]   (MSVBVM60.66100C7C)
You can save time by setting a breakpoint here; you will see the nag load right
when it hits :004AA19A. "Call dword ptr", or "Call Nag", is what we will call it.
Now we just trace the code up and up until we find a conditional jump that
decides whether we get the friggin' nag or are regged correctly.
Here is the code so it can be followed better:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A9EF8(C)   <- well hey, the whole routine is entered from here... let's go there...
|
:
: lines of code
:
:004A9FEF 0F84F5000000 je 004AA0EA   <- hey, our jump we used to get past the clock
:
: lines of code
:
* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h   <- look familiar? yes, this is the clock change routine
:
: lines of code
:
:004AA061 7510 jne 004AA073   (not our jump)
:
: lines of code
:
:004AA0CA 7D12 jge 004AA0DE   (not our jump)
:
: lines of code
:
:004AA13B 7510 jne 004AA14D   (not our jump)
:
: lines of code
:
:004AA19A FF92B0020000 call dword ptr [edx+000002B0]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A9ED9(C)
|
:004A9EF0 6683BD68FFFFFFFF cmp word ptr [ebp+FFFFFF68], FFFF
:004A9EF8 0F8589000000 jne 004A9F87   <- well, let's reverse this one and see..
:004A9EFE A110804B00 mov eax, dword ptr [004B8010]
:004A9F03 85C0 test eax, eax
:004A9F05 7510 jne 004A9F17
OK, the above way of finding a jump and flipping it is a little bit lame, but
this app is VB and I'm not used to all the different crap VB code does....
And here we are at the place that decides whether we get a nag or not (the cmp
against FFFF is VB testing a Boolean for True, which VB stores as -1):
:004A9EF8 0F8589000000 jne 004A9F87
Change this:
:004A9EF8 0F8589000000 jne 004A9F87
to this:
:004A9EF8 0F8489000000 je 004A9F87
and no more nag..... It doesn't jump into the whole routine and the nag is just
bypassed in the code.
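All seven byte patches from this tutorial collected into one script, as an added example; it is not the tutorial's own tool and not part of Freecell 2002. It refuses to write unless the bytes at each file offset match the W32dasm listing, so a different build or an already-patched copy fails loudly instead of being corrupted. Assumptions: file offset is VA minus the 0x400000 image base, as Hiew showed for this EXE (a general PE needs the section table); the optional jmp+nop form for the two je-to-jae patches is my alternative to the tutorial's jae, not what the tutorial did; the script name and the input/output file names in the usage line are placeholders.

```python
import sys

IMAGE_BASE = 0x400000  # tutorial: file offset == VA - image base for this EXE

# (VA, bytes the W32dasm listing shows, replacement bytes, what the patch does)
PATCHES = [
    (0x4B6B78, bytes.fromhex("0F854D010000"), bytes.fromhex("0F844D010000"),
     "key check: jne -> je (any wrong key now 'registers')"),
    (0x47F826, bytes.fromhex("743F"), bytes.fromhex("9090"),
     "about box: je -> nop nop ('Registered Version')"),
    (0x4B7006, bytes.fromhex("743F"), bytes.fromhex("9090"),
     "splash: je -> nop nop ('Registered Version')"),
    (0x4AA6CF, bytes.fromhex("0F84F5000000"), bytes.fromhex("0F83F5000000"),
     "'Evaluation Expired': je -> jae"),
    (0x4AA12E, bytes.fromhex("0F8496000000"), bytes.fromhex("90" * 6),
     "'Your evaluation period has expired!': je -> 6 x nop"),
    (0x4A9FEF, bytes.fromhex("0F84F5000000"), bytes.fromhex("0F83F5000000"),
     "'changed the clock backwards': je -> jae"),
    (0x4A9EF8, bytes.fromhex("0F8589000000"), bytes.fromhex("0F8489000000"),
     "nag routine entry: jne -> je"),
]


def va_to_offset(va, image_base=IMAGE_BASE):
    """The tutorial's mapping: RVA equals raw file offset in this binary.
    A general PE needs the section table (PointerToRawData - VirtualAddress)."""
    return va - image_base


def jcc_to_jmp(va, jcc):
    """Rewrite a 6-byte near Jcc (0F 8x rel32) as jmp rel32 (E9) + nop, keeping
    the same target. rel32 is measured from the end of the instruction and jmp
    is one byte shorter, so the displacement grows by one (F5 -> F6 here)."""
    if len(jcc) != 6 or jcc[0] != 0x0F or (jcc[1] & 0xF0) != 0x80:
        raise ValueError("not a near conditional jump")
    rel = int.from_bytes(jcc[2:], "little", signed=True)
    target = va + 6 + rel
    new_rel = target - (va + 5)
    return b"\xE9" + new_rel.to_bytes(4, "little", signed=True) + b"\x90"


def apply_patches(image, patches=PATCHES, unconditional=False):
    """Return a patched copy of `image`. Each patch is checked against the bytes
    the listing shows before anything is written, so a different build or an
    already-patched file raises instead of being silently corrupted. With
    unconditional=True the je->jae patches become a real jmp (my alternative
    to the tutorial's jae, which still depends on CF being clear)."""
    buf = bytearray(image)
    for va, orig, new, note in patches:
        off = va_to_offset(va)
        found = bytes(buf[off:off + len(orig)])
        if found != orig:
            raise ValueError(f"{note}: expected {orig.hex()} at offset {off:#x}, found {found.hex()}")
        if unconditional and new[:2] == b"\x0F\x83":
            new = jcc_to_jmp(va, orig)
        buf[off:off + len(new)] = new
    return bytes(buf)


if __name__ == "__main__":
    # usage: patch_fc2002.py <input exe> <output exe> [--jmp]   (names are placeholders)
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    with open(args[0], "rb") as f:
        data = f.read()
    with open(args[1], "wb") as f:
        f.write(apply_patches(data, unconditional="--jmp" in sys.argv))
    print(f"wrote {args[1]} with {len(PATCHES)} patches")
```

The expected-bytes check is the part worth copying into any patcher you write: it is what turns "Hiew said the offset was B6B78" into something you can re-run safely on a second copy. The `--jmp` variant exists because jae only jumps when CF is clear; E9 with the displacement bumped by one never falls through and fits in the same six bytes.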
Well, that's it! Freecell cracked. Now mail the author 12 bucks =) so he can get
a better protection system. The prog is fun and the author deserves it.
Laterz!
Final thoughts
What a great VB6 Prog to tear apart, great for learning about
the guts of the code.
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN,
GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read
from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by Kanal23 and its members. Please mail the author
of this document with complaints and those things.
Kanal23 is signing out for now.