File Pulverizer   V4.1

By +Jonathan

2002-8-24

 

You know what, I strongly recommend that you get some new trial software here, since all the software there uses the most stupid protection, and you can easily reverse all of it without much experience ^_^

 

Today we will crack one of their products. This software lets you delete files so that they can never be recovered by, for example, some go-back software.

 

  Name:  File Pulverizer  

  Price:   $ 29.95

  Protection:  UPX (Ultimate Packer for eXecutables)

  Download:  http://www.toplang.com/fpsetup.exe   (502 KB)

 

If you don’t enter a serial number, you can only use it to delete files 20 times!! OK, let’s buy it.~~~~ Noooooo

I am a poor high school student. How many 30 dollars do I have???? Let’s crack it. Mmmmm, that’s right.

 

You can unpack it by following my other tutorial, named “eBook maker”. They come from the same company and are protected by the same protection: UPX!!

 

For now, I assume you have unpacked the UPX protection. Let us load it into W32Dasm ^0^

 

First enter 12345678 as a registration code, and this is what you see:

So search for “Can’t register” in String Data. You will land here:

 

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407809(C)

:00407936 68F4010000              push 000001F4
:0040793B E88C8B0500              call 004604CC
:00407940 59                      pop ecx
:00407941 8907                    mov dword ptr [edi], eax
:00407943 68F4010000              push 000001F4
:00407948 8B0DA4654800            mov ecx, dword ptr [004865A4]
:0040794E 8B17                    mov edx, dword ptr [edi]
:00407950 52                      push edx

* Possible Reference to String Resource ID=08010: "Can't register,please check your Register Code."

:00407951 684A1F0000              push 00001F4A
:00407956 8B01                    mov eax, dword ptr [ecx]

 

Now backtrace it by going to 00407809 (the referencing jump), and here you are:

 

:00407801 E88AAFFFFF              call 00402790                   * Checking-SN procedure call *
:00407806 59                      pop ecx
:00407807 84C0                    test al, al                     * test the flag *
:00407809 0F8427010000            je 00407936                     * You are here *
:0040780F 68F4010000              push 000001F4
:00407814 E8B38C0500              call 004604CC
:00407819 59                      pop ecx
:0040781A 8907                    mov dword ptr [edi], eax
:0040781C 68F4010000              push 000001F4
:00407821 8B15A4654800            mov edx, dword ptr [004865A4]
:00407827 8B07                    mov eax, dword ptr [edi]
:00407829 50                      push eax

* Possible Reference to String Resource ID=08009: "Register successful,please terminate and launch it again to "
                                  |
:0040782A 68491F0000              push 00001F49
:0040782F 8B02                    mov eax, dword ptr [edx]

 

  ####  SEE, if you do not jump, you will land on “Register successful”. Can we simply change the “je” into “jne”???  No, since many programs test the flag in a lot of places. If you only change it here, you will end up having to type 12345678 EACH time you use the program in order to get full functionality. Whenever the program starts up, it has to check whether you have registered it or not. Hence there is another place that checks the flag (of course not here). Luckily, almost all programmers use the same procedure to check the flag (they do not want to write the serial number formula two times). They will CALL it :)

 

But there is no “reference call” here, man!!! Yes brother, let’s Find It Out by stepping into:

:00407801 E88AAFFFFF              call 00402790

You will be here:

* Referenced by a CALL at Address:
|:00407801

:00402790 55                      push ebp                        * you are here *
:00402791 8BEC                    mov ebp, esp
:00402793 83C494                  add esp, FFFFFF94
:00402796 B8ECF94700              mov eax, 0047F9EC

 

But remember that we have to find a place that has more than ONE “reference call”.

Press F-8 to “step over” until you see the following:

 

:00402853 E878780600              call 0046A0D0                   * sub-checking procedure *
:00402858 59                      pop ecx                         * pop ecx *
:00402859 85C9                    test ecx, ecx                   * Test the ECX flag *
:0040285B 7504                    jne 00402861                    * Jump if ECX is not zero *
:0040285D 33C0                    xor eax, eax                    * AL flag == 0 *
:0040285F EB05                    jmp 00402866                    * Finish *

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004027FD(C), :0040285B(C)

:00402861 B801000000              mov eax, 00000001               * AL Flag == 1 *

 

Now go into the sub-procedure; you will be here (about 10 lines down):

 

 

:0046A0F4 E8FF61FFFF              call 004602F8                   * the third embedded checking procedure *
:0046A0F9 59                      pop ecx                         * Once again, pop ECX as above *

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046A0DF(C), :0046A0EF(C)

:0046A0FA 5E                      pop esi
:0046A0FB 5B                      pop ebx
:0046A0FC 59                      pop ecx
:0046A0FD 5D                      pop ebp
:0046A0FE C3                      ret

 

Notice that you will not break when you start the program all over again if you set a breakpoint at 0046A0F4. That is because this is part of the registration procedure, NOT the checking procedure that runs at start-up. So go inside the third embedded procedure. Here it is:

 

:004602F8 55                      push ebp
:004602F9 8BEC                    mov ebp, esp
:004602FB 8B4508                  mov eax, dword ptr [ebp+08]
:004602FE 50                      push eax
:004602FF E818080000              call 00460B1C                   * The 4th embedded procedure *
:00460304 59                      pop ecx                         * Once again, pop ECX as in the two procedures above *
:00460305 5D                      pop ebp
:00460306 C3                      ret

                  

Let’s step into the 4th procedure. Here is the snippet:

 

* Referenced by a CALL at Addresses:
|:004602FF   , :00462491   , :0046262A   , :00462B68   , :00462B8C
|:00462C72   , :00465191   , :0046519E   , :004653C2   , :004655E6
|:004656AE   , :004656E2   , :004656F2   , :0046583C   , :00466096
|:0046613D   , :0046614B   , :00466159   , :00466167   , :00466175
|:00466183   , :00466191   , :0046619F   , :004661AA   , :004667C3
|
:00460B1C 55                      push ebp
:00460B1D 8BEC                    mov ebp, esp
:00460B1F 8B4508                  mov eax, dword ptr [ebp+08]
:00460B22 50                      push eax
:00460B23 FF15F0294800            call dword ptr [004829F0]       * the Call [address] is the last place W32Dasm can go *
:00460B29 59                      pop ecx                         * Once again, pop ECX as in the procedures above *
:00460B2A 5D                      pop ebp
:00460B2B C3                      ret

 

See, lots of reference calls, and one of them is where it is called from the start-up. If you set a breakpoint on it, you will break when you start the program all over again. Now do an “Auto-Step-over” (F-6), and you will stop here:

 

:00405010 807DD700                cmp byte ptr [ebp-29], 00       * Did the person pay $29.95 to buy the SN?? *
:00405014 7405                    je 0040501B                     * Yes, then jump *
:00405016 E83E570600              call 0046A759                   * you stop here *

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405014(U)

:0040501B 5B                      pop ebx
:0040501C 8BE5                    mov esp, ebp
:0040501E 5D                      pop ebp
:0040501F C3                      ret

 

Therefore, we can simply change the “JE” (74) into “EB” (an unconditional jump), and you are done:

    Search :  80 7D D7 00 74 05 E8 3E 57
    Modify :  == == == == EB == == == ==
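
Seen from the vendor's or an integrity monitor's side, the one-byte change above is easy to detect. The following is an added example, not part of the original tutorial: a wildcard signature scan that reports whether the start-up check still holds its original 74 (JE) opcode. The function names, verdict strings and sample buffers are constructed for illustration.

```python
# Added example: classify the conditional-jump byte inside the signature
# quoted in the tutorial. Names and sample buffers are constructed.

# Bytes from the page; None marks the opcode position that a patch changes.
SIGNATURE = [0x80, 0x7D, 0xD7, 0x00, None, 0x05, 0xE8, 0x3E, 0x57]
OPCODE_INDEX = SIGNATURE.index(None)
JE_SHORT = 0x74   # original conditional jump
JMP_SHORT = 0xEB  # unconditional jump: the check no longer decides anything


def find_signature(data: bytes):
    """Yield every offset where SIGNATURE matches, ignoring the wildcard."""
    anchor = bytes(SIGNATURE[:OPCODE_INDEX])  # fixed prefix 80 7D D7 00
    pos = data.find(anchor)
    while pos != -1:
        window = data[pos:pos + len(SIGNATURE)]
        if len(window) == len(SIGNATURE) and all(
            want is None or want == got for want, got in zip(SIGNATURE, window)
        ):
            yield pos
        pos = data.find(anchor, pos + 1)


def check_integrity(data: bytes):
    """Return a list of (offset, verdict) for each signature hit."""
    results = []
    for off in find_signature(data):
        opcode = data[off + OPCODE_INDEX]
        if opcode == JE_SHORT:
            verdict = "original"
        elif opcode == JMP_SHORT:
            verdict = "patched"
        else:
            verdict = "unexpected opcode 0x%02X" % opcode
        results.append((off, verdict))
    return results


# Constructed sample buffers (not taken from the real executable).
PADDING = b"\x90" * 16
CLEAN = PADDING + bytes.fromhex("807DD7007405E83E57") + PADDING
TAMPERED = PADDING + bytes.fromhex("807DD700EB05E83E57") + PADDING

if __name__ == "__main__":
    for name, blob in (("clean", CLEAN), ("tampered", TAMPERED)):
        print(name, check_integrity(blob) or "signature not found")
```

A whole-file or code-section hash compared against a known-good value catches any modification; a targeted signature like this one additionally tells the responder which check was altered.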