Cracking Tutorial #56:
Cracking Text Cleanup 1.0.2

[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] http://www.comp4learn.com/cleaner/
http://www.comp4learn.com/cleaner/download.html
[tOOLz:] W32dasm 8.93, Hiew 6.x, Regmon, Resource Hacker, Softice 4.05


KANAL23 Tutorial

http://www.kanal23.net




Text Cleanup 1.0.2

Download it from

http://www.comp4learn.com/cleaner/ 



Written by

sLeEpY¿

Tools

  • W32Dasm & Hiew

  • Regmon, Resource Hacker, Softice 4.05

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

Text Cleanup (formerly Text Cleaner) is a program to clean up badly formatted
text from a variety of sources, such as:

  • E-mail messages containing forwarded or replied-to text. These typically have
    reply marks (> symbols) and unwanted line breaks in them, sometimes making
    them difficult to read.

  • Text copied from a web browser and pasted into other programs, such as word
    processors or e-mail programs. This text often has unwanted indentations and
    line breaks, along with other formatting problems. (This is especially true
    for Netscape Navigator users.)

  • Text copied from Adobe Acrobat Reader (the program used to view PDF files
    from the web and other sources). This text often has unwanted line breaks.

By using Text Cleanup, you can save a great deal of time over fixing the
formatting yourself.

The demo version of Text Cleanup is exactly like the full version except that it
expires, and stops running, 30 days after installation. After this, you may
purchase a registration code, for converting the demo into a full version,
for only $19.95.


The Essay


We are going to attack this prog two ways: first the brutal patch with W32Dasm, then
some serial sniffing with SoftICE. OK, let's make the usual backup copies and disassemble
the code. Try to register with anything, then check the string references for the error
or the good-guy message and start tracing from there.


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A8A8(U)
|
:0040A8AF 33C9 xor ecx, ecx
:0040A8B1 85C0 test eax, eax
:0040A8B3 0F95C1 setne cl
:0040A8B6 84C9 test cl, cl
:0040A8B8 740F je 0040A8C9
<-jump to goodyland

* Possible StringData Ref from Data Obj ->"The information you entered is "
                                        ->"not correct. Make sure the name "
                                        ->"and company EXACTLY match the "
                                        ->"information you supplied to CFL "
                                        ->"at the time of purchase. Also "
                                        ->"make sure the registration code "
                                        ->"matches the code provided to you "
                                        ->"by CFL. Note that all information "
                                        ->"is case-sensitive."
|
:0040A8BA 685C344500 push 0045345C
:0040A8BF E8DC050000 call 0040AEA0
:0040A8C4 83C404 add esp, 00000004
:0040A8C7 EB64 jmp 0040A92D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A8B8(C)
|
:0040A8C9 8B5500 mov edx, dword ptr [ebp+00]
:0040A8CC B9C8864500 mov ecx, 004586C8
:0040A8D1 52 push edx

* Possible StringData Ref from Data Obj ->"r3"
<-username

:0040A8D2 6858344500 push 00453458

* Possible StringData Ref from Data Obj ->"Settings"

:0040A8D7 68302A4500 push 00452A30
:
:lines of code
:

* Possible StringData Ref from Data Obj ->"r4"
<-company

:0040A8E9 6854344500 push 00453454

* Possible StringData Ref from Data Obj ->"Settings"

:
:lines of code
:

* Possible StringData Ref from Data Obj ->"r5"
<-serial

:0040A8FB 6850344500 push 00453450

* Possible StringData Ref from Data Obj ->"Settings"

:0040A900 68302A4500 push 00452A30
:0040A905 B9C8864500 mov ecx, 004586C8
:0040A90A E8666A0200 call 00431375
:0040A90F 8B742418 mov esi, dword ptr [esp+18]
:0040A913 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Registration Complete"

:0040A915 6838344500 push 00453438

* Possible StringData Ref from Data Obj ->"Your software has been registered. "
                                        ->" Be sure to keep your registration "
                                        ->"information. You may need to "
                                        ->"enter it again if you reinstall "
                                        ->"the program."


Well, easy one here: let's always take the jump to the good-land happy message. Both patches below keep the instruction length (two bytes for two, three for three), so nothing after them shifts. Note that the second one inverts the check rather than removing it: with sete a wrong code registers and the real code would get the error.

Change this:
:0040A8B8 740F je 0040A8C9 (offset 9CB8)
to this:
:0040A8B8 EB0F jmp 0040A8C9

or

Change this:
:0040A8B3 0F95C1 setne cl
to this:
:0040A8B3 0F94C1 sete cl
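Here is an added helper (mine as editor, not sLeEpY's and not part of this tutorial) that applies the patch from a script instead of Hiew. It reads the PE section table to turn the W32Dasm virtual address into the file offset (so 0040A8B8 -> 9CB8 comes out of the headers instead of being guessed), and it refuses to write unless the bytes at that spot are exactly the ones in the deadlisting, which catches a different build or an already-patched copy. The exe is not included here, so the demo runs against a constructed stand-in PE with one .text section at VA 1000 / raw 400 (the 0xC00 delta behind every VA/offset pair in this tutorial) holding the 0040A8AF block; that layout and the image base 400000 are assumptions to re-check against the real file, and the script file name in the usage line is hypothetical.

```python
import struct
import sys

IMAGE_BASE = 0x400000  # assumed; read it from the optional header of the real exe if in doubt

# Patches quoted in the tutorial: virtual address, bytes the deadlisting shows, replacement.
# Apply ONE of the two registration patches, not both.
PATCHES = {
    "reg_je_to_jmp":     (0x0040A8B8, bytes.fromhex("740F"),   bytes.fromhex("EB0F")),
    "reg_setne_to_sete": (0x0040A8B3, bytes.fromhex("0F95C1"), bytes.fromhex("0F94C1")),
}


def section_table(pe: bytes):
    """Yield (name, virtual_address, size, raw_offset) for each PE section header."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    first = e_lfanew + 24 + opt_size            # section headers follow the optional header
    for i in range(num_sections):
        off = first + 40 * i
        name = pe[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, rawsize, rawptr = struct.unpack_from("<IIII", pe, off + 8)
        yield name, va, max(vsize, rawsize), rawptr


def va_to_offset(pe: bytes, va: int, image_base: int = IMAGE_BASE) -> int:
    """Map a W32Dasm virtual address to a Hiew file offset via the section table."""
    rva = va - image_base
    for _name, sva, size, rawptr in section_table(pe):
        if sva <= rva < sva + size:
            return rva - sva + rawptr
    raise ValueError(f"VA {va:#010x} is not inside any section")


def bytes_match(pe: bytes, va: int, expected: bytes) -> bool:
    """True if the file really holds the bytes the deadlisting showed at this VA."""
    off = va_to_offset(pe, va)
    return pe[off:off + len(expected)] == expected


def apply_patch(pe: bytes, va: int, expected: bytes, new: bytes) -> bytes:
    """Return a patched copy, touching nothing if the bytes do not match
    (wrong version, already patched, or a miscomputed offset)."""
    if len(expected) != len(new):
        raise ValueError("replacement must keep the same length so nothing after it shifts")
    off = va_to_offset(pe, va)
    if not bytes_match(pe, va, expected):
        raise ValueError(f"{va:#010x} (file {off:#x}): expected {expected.hex()}, "
                         f"found {pe[off:off + len(expected)].hex()}")
    return pe[:off] + new + pe[off + len(new):]


def build_fake_pe() -> bytes:
    """CONSTRUCTED stand-in for the real exe (not included here): one .text
    section at VA 1000 / raw 400, i.e. the 0xC00 delta behind every VA/offset
    pair in the tutorial, holding the 0040A8AF..0040A8B8 block from the listing."""
    text_va, text_raw, text_size = 0x1000, 0x400, 0xE000
    code = bytes.fromhex("33C9 85C0 0F95C1 84C9 740F")   # xor / test / setne / test / je
    text = bytearray(text_size)
    code_off = 0x0040A8AF - IMAGE_BASE - text_va
    text[code_off:code_off + len(code)] = code
    e_lfanew = 0x80
    hdr = bytearray(e_lfanew)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    # COFF header: i386, 1 section, no optional header (enough for the parser above)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0, 0x102)
    sec = b".text".ljust(8, b"\0") + struct.pack(
        "<IIIIIIHHI", text_size, text_va, text_size, text_raw, 0, 0, 0, 0, 0x60000020)
    image = bytearray(hdr + coff + sec)
    image += bytes(text_raw - len(image))
    return bytes(image + text)


if __name__ == "__main__":
    # Usage: python patch_tc.py "Text Cleanup.exe" reg_je_to_jmp   (file name hypothetical)
    path, name = sys.argv[1], sys.argv[2]
    data = open(path, "rb").read()
    open(path + ".bak", "wb").write(data)               # keep the un-cracked copy for later
    open(path, "wb").write(apply_patch(data, *PATCHES[name]))
```

The expected-bytes check is the part worth keeping even if you patch by hand: if Hiew shows something other than 74 0F at 9CB8, the offset or the build is wrong and writing there just corrupts the file.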


But as usual, on restart the registration is gone =( so let's go figure out why.
Run Regmon while the program starts and it shows this:

3. 75829520 Text cle QueryValueEx HKCU\Software\Computers for Learning\Text Cleaner\Settings\r3 SUCCESS ""
3. 75846960 Text cle QueryValueEx HKCU\Software\Computers for Learning\Text Cleaner\Settings\r4 SUCCESS ""



R3 is the name.
R4 is the company.
R5 is the serial, but it didn't show up in Regmon......

So let's go back to the dead listing and check out R5 in the String References.

:0040DF46 6850344500 push 00453450
:0040E017 6850344500 push 00453450
:0040A8FB 6850344500 push 00453450
<-when we registered above

So three places reference the regcode.
Now we check out the first area and see this:


:0040DF36 0F95C1 setne cl (D336)
:0040DF39 84C9 test cl, cl
:0040DF3B 0F8424010000 je 0040E065
<-conditional jump we want
:0040DF41 68A0864500 push 004586A0

* Possible StringData Ref from Data Obj ->"r5"

:0040DF46 6850344500 push 00453450


Change this:
:0040DF36 0F95C1 setne cl
to this:
:0040DF36 0F94C1 sete cl
or flip the jump at 40DF3B instead (not both, they would cancel each other out), whatever is easiest.
Check the about box and our reg info stays in the box now, although we still get the nag =) So it looks like the nag will be the same kind of routine.

On to the 2nd location:
I'll save some time here, as this area is useless to us.

Anyway, the key point so far is that R5 in the dead listing is our serial, and R3 and R4 are our name and company. Now we are going to leave the registered part alone for a sec and get rid of two annoying messages, Clock Change and Demo Expiration. They follow down the line and lead to our next area anyway.

If you mess with the clock you get the clock-change message, and past the 30 days you get the demo-expiration message. These are simple: you just have to force the jump before each message to be taken every time. Easy, here we go.....


:0040E075 0F8339020000 jnb 0040E2B4 <-make this jump (offset D475)

* Possible StringData Ref from Data Obj ->"Clock change detected."

:
:lines of code
:
* Possible StringData Ref from Data Obj ->"Change in Clock Detected"


Change this:
:0040E075 0F8339020000 jnb 0040E2B4
to this:
:0040E075 E93A02000090 jmp 0040E2B4

Don't worry about the two encodings not being the same: 0F83 rel32 is six bytes and E9 rel32 is five, so the displacement is measured from one byte earlier and goes up by one (39h to 3Ah), and I added a 90 (NOP) on the end to keep the six-byte length so nothing after it shifts. The NOP is never executed anyway, since we take the jump every time.


:0040E2C4 0F8665020000 jbe 0040E52F <-make this jump (offset D6C4)

* Possible StringData Ref from Data Obj ->"Demo Expiration Detected"

:
:lines of code
:

* Possible StringData Ref from Data Obj ->"Demo Expiration Detected"

:
:lines of code
:

* Possible StringData Ref from Data Obj ->"The Text Cleanup demo has expired, "
                                        ->"and can no longer be run unless "
                                        ->"you purchase a copy."


Same deal here, except the displacement is 65h this time, so the five-byte jmp gets 66h (not the 3Ah from above) plus the padding NOP:
:0040E2C4 0F8665020000 jbe 0040E52F
to this:
:0040E2C4 E96602000090 jmp 0040E52F
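An added helper, mine as editor and not the tutorial's own, that does the jump arithmetic for the two 6-byte Jcc patches in this part and the 2-byte one from the registration check, and the setne/sete style flips. The addresses and bytes are the ones in the deadlisting; the only assumption is that these are plain 32-bit x86 rel8/rel32 encodings, which is what W32Dasm shows.

```python
import struct

NOP = 0x90


def jcc_target(addr: int, insn: bytes) -> int:
    """Destination of a short (7x rel8) or near (0F 8x rel32) conditional jump
    located at virtual address addr. The displacement is relative to the
    address of the NEXT instruction, which is why the length matters."""
    if len(insn) == 2 and 0x70 <= insn[0] <= 0x7F:
        rel = struct.unpack("<b", insn[1:2])[0]
    elif len(insn) == 6 and insn[0] == 0x0F and 0x80 <= insn[1] <= 0x8F:
        rel = struct.unpack("<i", insn[2:6])[0]
    else:
        raise ValueError(f"not a Jcc: {insn.hex()}")
    return addr + len(insn) + rel


def jcc_to_jmp(addr: int, insn: bytes) -> bytes:
    """Same-length unconditional replacement: 7x rel8 -> EB rel8, and
    0F 8x rel32 -> E9 rel32 90. E9 is five bytes where 0F 8x is six, so the
    displacement grows by one and a NOP pads the sixth byte (never executed,
    the jmp is always taken)."""
    target = jcc_target(addr, insn)
    if len(insn) == 2:
        return bytes([0xEB]) + struct.pack("<b", target - (addr + 2))
    return bytes([0xE9]) + struct.pack("<i", target - (addr + 5)) + bytes([NOP])


def invert_condition(insn: bytes) -> bytes:
    """Flip the condition of a Jcc or SETcc. Condition codes come in
    complementary pairs that differ only in the low bit: 74 je / 75 jne,
    0F 94 sete / 0F 95 setne, 0F 83 jnb / 0F 82 jb, 0F 86 jbe / 0F 87 ja."""
    b = bytearray(insn)
    if 0x70 <= b[0] <= 0x7F:
        b[0] ^= 1
    elif b[0] == 0x0F and 0x80 <= b[1] <= 0x9F:
        b[1] ^= 1
    else:
        raise ValueError(f"not a Jcc/SETcc: {insn.hex()}")
    return bytes(b)


def nop_out(insn: bytes) -> bytes:
    """Never jump (fall through instead): one 90 per byte of the original."""
    return bytes([NOP]) * len(insn)


if __name__ == "__main__":
    # The three conditional jumps patched in this tutorial, bytes as listed by W32Dasm.
    for addr, raw in [(0x0040A8B8, "740F"),
                      (0x0040E075, "0F8339020000"),
                      (0x0040E2C4, "0F8665020000")]:
        insn = bytes.fromhex(raw)
        print(f"{addr:08X} {raw:<14} -> target {jcc_target(addr, insn):08X}"
              f"  jmp: {jcc_to_jmp(addr, insn).hex().upper()}"
              f"  inverted: {invert_condition(insn).hex().upper()}")
```

Run it and the second line gives E93A02000090 for the jnb at 0040E075, matching the patch above; the third gives the bytes for the jbe at 0040E2C4. If a replacement does not reproduce the listing's own target when fed back through jcc_target, the displacement is off and the jump lands in the middle of some other instruction.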


After the ret you end up here:
(If you ever want to follow a ret in W32Dasm, use the W32Dasm debugger, set a breakpoint on the ret, then click the "step into" button. It comes in handy a lot.)

Now, if we don't take the jump at 40C36B, you will see the magic R#'s:

:0040C365 3BC3 cmp eax, ebx
:0040C367 8944241C mov dword ptr [esp+1C], eax
:0040C36B 0F850B010000 jne 0040C47C
<-jumps to nag (offset B76B) (below)
:0040C371 68A0864500 push 004586A0

* Possible StringData Ref from Data Obj ->"r3"
<-our regged name

:lines of blah code

* Possible StringData Ref from Data Obj ->"Settings"

:lines of blah code

* Possible StringData Ref from Data Obj ->"r4"
<-our regged company

:lines of blah code

* Possible StringData Ref from Data Obj ->"Settings"

:lines of blah code

* Possible StringData Ref from Data Obj ->"About Text Cleanup"

:lines of blah code

* Possible StringData Ref from Data Obj ->"This software is registered to:"
<-hmm


This is the nag jump if you wanna see it:

:0040C47C 8BCD mov ecx, ebp
:
:lines of code
:
* Possible StringData Ref from Data Obj ->"About Text Cleanup"
<-nag title

:0040C4A1 6848394500 push 00453948
:
:

* Possible StringData Ref from Data Obj ->"%m/%d/%Y"

:blah blah blah
:lines of code

* Possible StringData Ref from Data Obj ->"This is an unregistered demonstration "
                                        ->"copy, which will expire on "
<-bad msg


So just change this:
:0040C36B 0F850B010000 jne 0040C47C
to this
:0040C36B 909090909090 nopX6

Now when we start the program, the startup box tells us we are registered to whatever we want.


OK, so if we clear out the registration data from the registry, the about box still says unregistered after the program has been run. No big deal at all, since as soon as you register it writes the info back and keeps it, but let's make it say registered to (blank) anyway, just to be a jerk hehe... So it's registered before you register it?!? Huh, OK.

:0040CEB2 7442 je 0040CEF6 (offset C2B2) <-force this jump to goody land (7442 to EB42, same as before)

:lines of boring code

* Possible StringData Ref from Data Obj ->"About Text Cleanup"

:lines of boring code

* Possible StringData Ref from Data Obj ->"This is an unregistered demonstration "
                                        ->"copy."


If we take the jump at 0040CEB2 then we land here:

:0040CEF6 68A0864500 push 004586A0

* Possible StringData Ref from Data Obj ->"r4"
<-magic company name =)

:0040CEFB 6854344500 push 00453454
:0040CF00 8D54241C lea edx, dword ptr [esp+1C]

* Possible StringData Ref from Data Obj ->"Settings"

:
:lines of code
:

* Possible StringData Ref from Data Obj ->"About Text Cleanup"
<-hmm

:
:lines of code
:

* Possible StringData Ref from Data Obj ->"This software is registered to:"
<-yup


Well, this is almost as thorough as a crack can be. Just one thing that is bugging me: the
register button is still there. Let's trash it from the menu but leave the one under the about screen, so we can still reg and re-reg all day long. This is easy to do by cheating with a resource editor like Resource Hacker. Drop the exe onto Resource Hacker and navigate to here:

-Menu
    -128
        -1033


Scroll down till you see this:

POPUP "&Help"
{
MENUITEM "Getting Started", 32786
MENUITEM "&Help Topics", 57667
MENUITEM "Context-Sensitive Help", 57669
MENUITEM SEPARATOR
MENUITEM "&About Text Cleanup...", 57664
MENUITEM "&Register...", 32785
}
}


Delete the Register line, easy... It should look like this now:

POPUP "&Help"
{
MENUITEM "Getting Started", 32786
MENUITEM "&Help Topics", 57667
MENUITEM "Context-Sensitive Help", 57669
MENUITEM SEPARATOR
MENUITEM "&About Text Cleanup...", 57664
}
}


Click the Compile Script button at the top and save it.

CRACKED!!!!!!!!

Whoosh, what a lot of work... well, now that it's cracked, how about some serial fishing with SoftICE!

Copy back an un-cracked backup of the program, click the register button and fill in your info; mine was like so:

Name: sleepy
Company: None
Registration Code: 666777888

Now I'll assume basic SoftICE knowledge here, so Ctrl+D into SoftICE and set a breakpoint on GetWindowTextA:
BPX GetWindowTextA

Ctrl+D out of SoftICE and click the register button. SoftICE breaks, press Ctrl+D; SI breaks again, press Ctrl+D; SI breaks a third time (one GetWindowTextA per field: name, company, code) and then you get the error message. So click OK. Now we know to let SoftICE break twice and trace our code from the 3rd break.

Once in SI on the third break, just press F10 until you get into TEXT CLEANUP!.text+00030155, which is the code we want. Now that we've dropped into the registration routine, keep going until you get to this location:

017F:0040A85B 51 PUSH ECX <-ECX points at the valid serial, so D ECX
017F:0040A85C 6898354500 PUSH 00453598
017F:0040A861 52 PUSH EDX


D ECX gives us dfbb9796.
So go back, enter that into the program with the same name and company (the check is case-sensitive, as the error message says), and we are registered.

Heres another:
Name: sLeEpY¿
Company: [CraCkEd iN 2002]
Reg: 9f7413b7

Time for a smoke.
Laterz!

Final thoughts


Word....and stuff.


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.