Cracking Tutorial - Part 3    01/02/2000


Tutorial done by: SiFu
http://blacksun.box.sk


Index


0. Introduction
1. Disclaimer
2. Programs needed
3. Cracking Opera Browser 3.61:

 3.1. Running the program
 3.2. Disassembling the program
 3.3. Understanding and locating the "cracking zone"
 3.4. Cracking the program
 3.5. Making a Patch

4. Conclusion


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. Introduction


Hi everyone. In this tutorial we'll attempt to crack OPERA BROWSER 3.61.
Hopefully, we'll succeed :-). You'll also get to fiddle a little with W32Dasm
and HIEW. In the end, if you get lucky, we'll make a little patch for OPERA
(just joking, of course we will!).

"Opera is a World Wide Web client, ie. a program for retrieving information on
the World Wide Web via documents created with the HyperText Markup Language
(HTML)."

Let's get started...



1. Disclaimer:


I created this tutorial for informational purposes only!
Much of the information in this document can be used to perform illegal
activities!


[Don't attempt to do anything stated in this document!]

If you do attempt to do anything, you are solely and fully responsible for
what you do!
If you get caught and get in any kind of trouble, it's your own fault!
If you intend to use this information to impress your friends, leave it
and grow up!
If you don't agree to this, do not read any more!
If you crack a program, and either sell the crack or offer it for free,
it is a crime!



2. PROGRAMS NEEDED


Before you get started, you'd better get the following programs:

 W32Dasm and HIEW: I'll assume you've already got them from previous BSRF
  tutorials :)...

 OPERA BROWSER 3.61: can be found at:
  [members.xoom.com/dumpster66/opera361.zip]

 RTD_PATCH Needed to make the patch!: can be found at:
  [members.xoom.com/dumpster66/patcher.zip]



3. CRACKING OPERA BROWSER 3.61


3.1. Running the program
------------------------

Run the program. When the program starts it pops up a nag (annoying) screen
giving you 3 options:

-------------------------
Evaluate

Purchase

Register
-------------------------

Forget EVALUATE and PURCHASE for the time being, as you can probably guess
where they lead :-)
Let's see what the program says when we click on REGISTER. It pops up a
registration screen! Let's enter some bogus information. What happens? A
screen pops up saying that the information you've entered is invalid. Darn!
Must have done something wrong :-)!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.2. Disassembling the program
------------------------------

Let's get on with phase 2 (using our beloved W32DASM!). Go to the directory
where you installed OPERA and copy the file OPERA.EXE to your desktop (the
installed copy is the one you'll patch later; the desktop copy stays untouched
so you still have an original to compare against). Run WDASM, click on OPEN
FILE TO DISASSEMBLE, choose the file you copied to your desktop and click on
OPEN. Now go for a drink, because this might take a while...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.3. Understanding and locating the "cracking zone"
---------------------------------------------------

Back? OK! Hopefully your computer has now finished disassembling OPERA.EXE.
Before you continue, save this as a project file so that you don't have to
disassemble the program every time you want to look at its code (what you are
reading is a disassembly listing, not Opera's source code, even though the
listings below are headed that way).

Remember when I asked you to click on REGISTER? Well, remember the message it
gave you when you you entered that bogus information? You don't? Then run the
program, click REGISTER, enter some information and write down the message it
gives you (something like: THE REGISTRATION INFORMATION YOU'VE ENTERED IS
INVALID...).

Now let's go back to WDASM. Click on SEARCH, FIND TEXT and type "the
registration information" (without the quotes), then click on SEARCH (this
looks through the listing for every line containing those three words,
including the "Possible Reference to String Resource" comments W32Dasm adds).

Darn! The program says "Text {the registration information} Not found". Dead
end... (A message you saw on screen is not guaranteed to appear verbatim in
the listing: it may be stored under different wording or be assembled at run
time from pieces.) But WAIT! Run the program... Run it again... and again...
Haven't you noticed anything??? Before we enter the program a screen pops up
saying:

------------------
Opera 3.61
Copyright ...

Registered to:
(unregistered)
------------------

Notice that little line saying "(unregistered)"? That means the program checks
to see if it's registered! Why don't we try to crack the program where the reg
check is done instead of the place where we enter the reg info?!

Get back to WDASM (where the opera.exe disassembly is) and select SEARCH, FIND
TEXT and search for "(unregistered)" (without the quotes). It stops a first
time, which means the search string was found (we'll ignore this first hit;
believe me, it leads nowhere!). Click on FIND NEXT. Found another one? Good,
because this one is the one we're going to focus on...

---------------Source code of OPERA.EXE--------------------

:00495F86 68262B0000              push 00002B26
:00495F8B FF7508                  push [ebp+08]
:00495F8E FFD6                    call esi
==>:00495F90 393D64005300            cmp dword ptr [00530064], edi
==>:00495F96 752A                    jne 00495FC2
:00495F98 68FF000000              push 000000FF
:00495F9D 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:00495FA3 50                      push eax

* Possible Reference to String Resource ID=21428: " (unregistered)"
(WE LANDED HERE!)
                                  |
:00495FA4 68B4530000              push 000053B4
:00495FA9 FF3570FA5200            push dword ptr [0052FA70]
:00495FAF FFD3                    call ebx
:00495FB1 8D85C5FEFFFF            lea eax, dword ptr [ebp+FFFFFEC5]
:00495FB7 50                      push eax

-------------------------END OF CODE------------------------

Have a look at the 2 lines that have an arrow pointing to them. Notice what
the program does. It compares the value in "dword ptr [00530064]" (a global
variable) with register "edi". If the values are not the same, it jumps past
the "(unregistered)" notice (and that's exactly what we want!). Every use of
edi in the listings in this tutorial is consistent with it holding zero, so
read this as an "is the flag nonzero?" test, although the listing doesn't show
where edi is cleared. So what shall we do? I know! Let's search for the place
where the program writes to "dword ptr [00530064]"! Press HOME (on your
keyboard) so that you get back to the beginning of the disassembly. Click
SEARCH, FIND TEXT and search for "dword ptr [00530064]" (without the
quotes!!!)...

Look! we found a place where the program messes around with "dword ptr
[00530064]" :

---------------Source code of OPERA.EXE--------------------

:00495DFE FF150C045100            Call dword ptr [0051040C]
:00495E04 50                      push eax
:00495E05 56                      push esi
:00495E06 E80ACCF8FF              call 00422A15
:00495E0B 83C414                  add esp, 00000014
:00495E0E 8D8DE8F2FFFF            lea ecx, dword ptr [ebp+FFFFF2E8]
:00495E14 E85D650200              call 004BC376
:00495E19 8D8DE8F2FFFF            lea ecx, dword ptr [ebp+FFFFF2E8]
==>:00495E1F E8C3630200              call 004BC1E7
:00495E24 3BC7                    cmp eax, edi
==>:00495E26 A364005300              mov dword ptr [00530064], eax
:00495E2B 68BC040000              push 000004BC
:00495E30 7415                    je 00495E47
:00495E32 8D85E8F2FFFF            lea eax, dword ptr [ebp+FFFFF2E8]
:00495E38 50                      push eax
:00495E39 8D8508FAFFFF            lea eax, dword ptr [ebp+FFFFFA08]
:00495E3F 50                      push eax
:00495E40 E8DB470500              call 004EA620
:00495E45 EB0D                    jmp 00495E54

-------------------------END OF CODE------------------------

I can feel it! We're on the right track :-)! Have a look at the 2 lines I put
the arrows pointing to. The 2nd one is where the program stores a value in
"dword ptr [00530064]" (the value in EAX, which the "cmp eax, edi" just before
it also tests), and right before that a very suspicious CALL is made...
Highlight the line "call 004BC1E7" and click EXECUTE CALL.

Whow! We're inside the protection HQ! Let's have a look at what we have here:

---------------Source code of OPERA.EXE--------------------

* Referenced by a CALL at Addresses:
|:0045C202   , :00495E1F   
|
:004BC1E7 8D8138010000            lea eax, dword ptr [ecx+00000138]
:004BC1ED 85C0                    test eax, eax
==>:004BC1EF 741A                    je 004BC20B
:004BC1F1 803800                  cmp byte ptr [eax], 00
==>:004BC1F4 7415                    je 004BC20B
:004BC1F6 81C190030000            add ecx, 00000390
:004BC1FC 51                      push ecx
:004BC1FD E8A647FDFF              call 004909A8
:004BC202 85C0                    test eax, eax
:004BC204 59                      pop ecx
==>:004BC205 7404                    je 004BC20B
==>:004BC207 6A01                    push 00000001
:004BC209 58                      pop eax
:004BC20A C3                      ret

-------------------------END OF CODE------------------------

The first 3 arrows point to 3 conditional jumps, all to the same place,
004BC20B (the byte right after the "ret" at the end of the listing). If any
one of them is taken, the program will assume it's unregistered (so we'd better
not let it do that!). Reading the three checks in order: the first bails out
if the pointer to the registration data at [ecx+138] is null, the second if
the string there is empty (its first byte is 0), and the third if the routine
at 004909A8, which is handed the data at [ecx+390], returns zero (presumably
this is the actual validation of what you typed in). The 4th arrow points to
"push 00000001", followed by "pop eax" and "ret": that puts 1 in register EAX
and, eventually, into "dword ptr [00530064]". So if the program reaches the
PUSH, it will assume it's registered! Let's make it do that! Let's change the
"je 004BC20B" at address ":004BC1EF" into a jump that goes directly to the
PUSH (the "push ecx" / "pop ecx" pair gets skipped together, so the stack stays
balanced). Highlight the first jump at address ":004BC1EF" and look at the
bottom part of your screen. See that "@Offset 000BC1EFh"? Write that number
down. It's the position of the instruction in the file on disk, which is what
HIEW needs; here it happens to be the address minus 400000h (the image base),
but that isn't true of every executable, so always read it off the
disassembler rather than working it out by hand.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.4. Cracking the Program
-------------------------

With HIEW, open the OPERA.EXE file (the one located in the directory where you
installed Opera, not the one copied to your desktop). Press F4 and choose
"decode". Now press F5 and type the offset location, "000BC1EF" (without the
quotes, and leave off the "h" at the end, because it just stands for HEX).
Press ENTER to get to the location. You should be looking at the bytes "74 1A"
(je 004BC20B); if you see anything else you are at the wrong spot, so don't
touch it. Bingo! Press F3 (to edit) and F2 (to give instructions in ASM). A
nice little window should pop up! Delete what's written there, type the line
below and press ENTER right after:

"jmp 000BC207" (without the quotes, where "000BC207" is the offset location
		of the PUSH action)

Check that the new instruction still occupies exactly two bytes, "EB 16" (a
short jump; 16h is the distance from the end of the patched instruction to the
PUSH), so that nothing after it gets overwritten.

Press ESC.
Press F9 to update and F10 to quit HIEW.

Let's give Opera a test run, just in case we actually cracked it :-). Voilà!
We cracked it! It thinks it's registered!
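What HIEW just did for us, as an added example (this is my code, not code from
the tutorial or from Opera, and the tiny "image" it works on is constructed
from the hex in the listing of the routine at :004BC1E7 rather than being the
real OPERA.EXE): it computes the bytes for the short jump, decodes the original
"74 1A" to confirm it really lands on 004BC20B, and patches a copy of the file
only if the expected bytes are at the expected offset. The image base of
400000h and the "offset = address - base" relationship are assumptions taken
from the W32Dasm offset shown above; the function names are mine.

```python
import struct

IMAGE_BASE = 0x400000  # assumption: Opera's image base; W32Dasm's @Offset agrees with VA - base

# Hex copied from the tutorial's listing of the routine at :004BC1E7 .. :004BC20A
ROUTINE_VA = 0x004BC1E7
ROUTINE_BYTES = bytes.fromhex(
    "8D8138010000"   # lea eax, dword ptr [ecx+00000138]
    "85C0"           # test eax, eax
    "741A"           # je 004BC20B        <- the jump we turn into a jmp
    "803800"         # cmp byte ptr [eax], 00
    "7415"           # je 004BC20B
    "81C190030000"   # add ecx, 00000390
    "51"             # push ecx
    "E8A647FDFF"     # call 004909A8
    "85C0"           # test eax, eax
    "59"             # pop ecx
    "7404"           # je 004BC20B
    "6A01"           # push 00000001      <- where we want to land
    "58"             # pop eax
    "C3"             # ret
)
JE_VA, PUSH_VA = 0x004BC1EF, 0x004BC207
ORIGINAL_JE = b"\x74\x1A"


def va_to_offset(va, image_base=IMAGE_BASE):
    """File offset of a virtual address, under the assumption that offset == VA - base."""
    return va - image_base


def short_jump_target(at_va, insn):
    """Decode a 2-byte Jcc/jmp short: the rel8 is relative to the END of the instruction."""
    if len(insn) != 2:
        raise ValueError("not a short jump")
    return at_va + 2 + struct.unpack("<b", insn[1:2])[0]


def encode_short_jmp(at_va, target_va):
    """Bytes for 'jmp target' placed at at_va, in the 2-byte EB rel8 form."""
    rel = target_va - (at_va + 2)
    if not -128 <= rel <= 127:
        raise ValueError("target out of short-jump range")
    return b"\xEB" + struct.pack("<b", rel)


def patch(data, offset, expected, replacement):
    """Overwrite bytes at offset, but only if they are what the disassembly showed
    and the replacement is the same length (so nothing after it is disturbed)."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must be the same length as the original bytes")
    found = bytes(data[offset:offset + len(expected)])
    if found != expected:
        raise ValueError("unexpected bytes at %#x: %s (wanted %s)"
                         % (offset, found.hex(), expected.hex()))
    out = bytearray(data)
    out[offset:offset + len(replacement)] = replacement
    return bytes(out)


def build_sample_image():
    """Constructed stand-in for OPERA.EXE: zeros everywhere except the routine
    above, placed at the file offset W32Dasm reported (000BC1E7h)."""
    start = va_to_offset(ROUTINE_VA)
    img = bytearray(start + len(ROUTINE_BYTES))
    img[start:] = ROUTINE_BYTES
    return bytes(img)


def crack(image):
    """Replace 'je 004BC20B' at :004BC1EF with 'jmp 004BC207' (push 1 / pop eax / ret)."""
    # Sanity-check the listing first: 74 1A at 004BC1EF must really go to 004BC20B.
    if short_jump_target(JE_VA, ORIGINAL_JE) != 0x004BC20B:
        raise ValueError("listing does not decode to the expected target")
    return patch(image, va_to_offset(JE_VA), ORIGINAL_JE, encode_short_jmp(JE_VA, PUSH_VA))


if __name__ == "__main__":
    original = build_sample_image()
    cracked = crack(original)
    off = va_to_offset(JE_VA)
    print("offset %08Xh: %s -> %s" % (off, original[off:off + 2].hex(), cracked[off:off + 2].hex()))
```

Running crack() a second time on the already-patched image fails, because the
bytes at 000BC1EFh are no longer "74 1A"; that is the same "am I looking at the
right bytes?" check you should do by eye in HIEW before pressing F2.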

Good! Now we don't want to go through all this trouble every time we want this
prog registered, do we? So why not make a PATCH? Read on to find out how...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.5. Making a patch
-------------------

First of all, copy the original OPERA.EXE (the untouched desktop copy) to C:\.
It will make things easier for the patch.

Open a DOS COMMAND LINE in Windows and change to the directory where you
installed RTD_PATCH. Now type the following line:

-----------------------------------------------------------------
RTD_PATC "location of original EXE" "location of cracked EXE" /X
-----------------------------------------------------------------

Follow the on-screen instructions and there you are! You've got a PATCH for
Opera 3.61! Since the patch is built from the difference between the two
files, it only makes sense on a file identical to the original you gave it
(the same build of Opera 3.61), which is why the untouched copy matters.
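An added example of what a diff-based patcher like RTD_PATCH does (this is my
code, not RTD_PATCH's, and the two sample "files" are constructed for the
example rather than being Opera's bytes): make_patch() records every run of
bytes that differs between the original and the cracked EXE, and apply_patch()
replays those runs, but only on a file whose size, SHA-256 and bytes at each
patched offset match the original the patch was built from. That check is what
stops the patch from silently corrupting a different build.

```python
import hashlib

# Constructed sample "files" (not Opera's bytes): a fake header, then a fragment
# containing the je we patched, and the same file with 74 1A replaced by EB 16.
ORIGINAL_EXE = b"MZ" + bytes(14) + bytes.fromhex("85C0741A803800") + bytes(9)
CRACKED_EXE = ORIGINAL_EXE.replace(b"\x74\x1A", b"\xEB\x16", 1)


def make_patch(original, modified):
    """Record every run of differing bytes as (offset, old_bytes, new_bytes),
    together with the size and SHA-256 of the file the patch was made from."""
    if len(original) != len(modified):
        raise ValueError("byte-for-byte patching needs files of the same size")
    runs, i, n = [], 0, len(original)
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != modified[j]:
            j += 1
        runs.append((i, original[i:j], modified[i:j]))
        i = j
    return {"size": n, "sha256": hashlib.sha256(original).hexdigest(), "runs": runs}


def apply_patch(data, patch_info):
    """Replay the runs on a copy of data, refusing unless data is the exact file
    the patch was built from (size, hash, and the old bytes at every offset)."""
    if len(data) != patch_info["size"]:
        raise ValueError("size mismatch: this is not the file the patch was made for")
    if hashlib.sha256(data).hexdigest() != patch_info["sha256"]:
        raise ValueError("hash mismatch: this is not the file the patch was made for")
    out = bytearray(data)
    for offset, old, new in patch_info["runs"]:
        if bytes(out[offset:offset + len(old)]) != old:
            raise ValueError("unexpected bytes at %#x" % offset)
        out[offset:offset + len(new)] = new
    return bytes(out)


def describe(patch_info):
    """One line per run, the way a patcher reports 'bytes changed'."""
    return ["%08Xh: %s -> %s" % (off, old.hex().upper(), new.hex().upper())
            for off, old, new in patch_info["runs"]]


if __name__ == "__main__":
    p = make_patch(ORIGINAL_EXE, CRACKED_EXE)
    print("\n".join(describe(p)))
    assert apply_patch(ORIGINAL_EXE, p) == CRACKED_EXE
```

Applying the patch to the already-cracked file, or to a file of a different
size, raises instead of writing anything; a patcher that skips those checks
will happily scribble "EB 16" into whatever happens to sit at that offset in
another version of the program.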

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4. Conclusion


In this tutorial we learned a different way to approach the program we want to
crack: instead of attacking the place where the registration info is entered,
we found the place where the result of the check is used and worked backwards
from there. Remember that cracking is all about being versatile, and you should
keep your eyes wide open looking for the protection's "weak spots".

Also, if you plan on continuing to use Opera Browser, please register it,
because it's the best browser out there, and its programmers deserve to be
rewarded with your money.

C ya!

SiFu

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~