eBook Maker V1.21

By +Jonathan

2002-08-21

While I was writing a reverse-engineering essay in “.html” format, I became interested in software that can build an eBook. A quick search on Google (www.google.com) turned up this program, which I downloaded from its official web site.

Name: eBook Maker V1.21
Price: $29.95
Download: http://www.toplang.com/emsetup.exe
Protection: Serial-number based. Unregistered, you can only run it 21 times. The executable is also packed with UPX (Ultimate Packer for eXecutables).

First of all, I tried to analyze it with Stud_PE. But~~ Stud_PE crashed!! (What a good anti-analysis trick that is!!) So I tested it a few more times and found that it is packed with a newer version of UPX than any I had seen. Trust me, it is even newer than UPX 1.7w. See the following, please ^_^:

Let’s unpack it. If you have read my WinRAR & Game Wizard 1.43 essay, you may want to unpack it with UPX itself, right? But sorry, as I said before, this is the newest version, and the UPX you have will not unpack it!!

<<Manually Unpacking>>

First, let’s find the EP (Entry Point). Its virtual address (Entry Point RVA + Image Base) is 500F90.
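The “Entry Point + Image Base” arithmetic above comes straight out of the PE header, and the same header is enough to recognise a UPX-packed file before you ever load it into a debugger. The following stand-alone Python parser is an added example, not code from the essay: it builds a minimal PE32 header in memory and reads it back. The numbers used for the sample image (ImageBase 0x400000, entry point VA 0x500F90, UPX1 at 0x4AD000 and UPX0 at 0x401000, the latter two taken from the MOV ESI / LEA EDI operands in the listing further down) come from the essay; the section sizes and everything else about the sample are constructed for the example.

```python
"""Read a PE32 header: image base, entry point, sections, UPX indicators."""
import struct

IMAGE_DOS_HEADER_SIZE = 64
SECTION_HEADER_SIZE = 40
PE32_MAGIC = 0x10B


def build_sample_pe():
    """Construct a minimal PE32 header (no real code) shaped like a UPX-packed
    file: UPX0 is empty on disk and filled at run time, and the entry point
    sits in UPX1, where the unpacking stub lives. Layout values are
    constructed except ImageBase, the entry VA and the two section RVAs."""
    image_base = 0x400000
    entry_rva = 0x500F90 - image_base          # 0x100F90
    # (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics)
    sections = [
        (b"UPX0", 0xAC000, 0x1000, 0, 0x400, 0xE0000080),
        (b"UPX1", 0x54000, 0xAD000, 0x54000, 0x400, 0xE0000040),
        (b".rsrc", 0x1000, 0x101000, 0x1000, 0x54400, 0xC0000040),
    ]
    dos = bytearray(IMAGE_DOS_HEADER_SIZE)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, IMAGE_DOS_HEADER_SIZE)   # e_lfanew
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)                                      # PE32 optional header
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, image_base)               # ImageBase
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)           # Section/FileAlignment
    struct.pack_into("<I", opt, 92, 16)                       # NumberOfRvaAndSizes
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, ch)
                    for n, vs, va, rs, rp, ch in sections)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs


def parse_pe(data):
    """Return image base, entry point (RVA and VA) and the section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != PE32_MAGIC:
        raise ValueError("only PE32 (32-bit) images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    first = opt + opt_size
    for i in range(num_sections):
        name, vsize, vaddr, rawsize = struct.unpack_from(
            "<8sIII", data, first + i * SECTION_HEADER_SIZE)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "vaddr": vaddr, "rawsize": rawsize})
    return {"image_base": image_base, "entry_rva": entry_rva,
            "entry_va": image_base + entry_rva, "sections": sections}


def section_for_rva(sections, rva):
    """Find the section whose virtual range contains rva (None if unmapped)."""
    for s in sections:
        if s["vaddr"] <= rva < s["vaddr"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def upx_indicators(info):
    """Header-only heuristics that point at UPX (or a UPX-like packer)."""
    reasons = []
    secs = info["sections"]
    if any(s["name"].startswith("UPX") for s in secs):
        reasons.append("section names UPX0/UPX1 present")
    if secs and secs[0]["rawsize"] == 0 and secs[0]["vsize"] > 0:
        reasons.append("first section has no data on disk but a large virtual size (unpack destination)")
    ep = section_for_rva(secs, info["entry_rva"])
    if ep is not None and ep is not secs[0]:
        reasons.append("entry point %#x lies in %s, not in the first section" % (info["entry_va"], ep["name"]))
    return reasons


if __name__ == "__main__":
    info = parse_pe(build_sample_pe())
    print("ImageBase %#x, EP RVA %#x, EP VA %#x" % (info["image_base"], info["entry_rva"], info["entry_va"]))
    for r in upx_indicators(info):
        print(" -", r)
```

Section names are the weakest of the three indicators, since a packer can rename them; the empty-on-disk first section and an entry point outside it survive renaming, which is why analysts check all three rather than the name alone.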

 

Then load it into SoftICE with BPX MessageBoxA, since there is a reminder box reading “UnRegister can only use 21 times”. When it breaks, do a BC * (clear all breakpoints), set BPX 500F90, and start eBook Maker all over again. It will now break here:

001B:00500F90  60            PUSHAD                     *Start Unpacking Procedure*
001B:00500F91  BE00D04A00    MOV   ESI,004AD000
001B:00500F96  8DBE0040F5FF  LEA   EDI,[ESI+FFF54000]

OK, you now see the start of the unpacking procedure (PUSHAD). Your goal is to find where the procedure finishes and then dump the process. So just scroll down (many pages) until you see a POPAD, which marks the end of unpacking. Here is the POPAD:

001B:00501103  61            POPAD                      *Finish Unpacking Procedure*
001B:00501104  E9F7FEEFFF    JMP   00401000             *Jump to the OEP*

After you find the POPAD, put the cursor on 001B:00501103 and press F7 (run to cursor), which runs straight to the POPAD!! Now step to the next line, a JMP that goes far away (that is 100% the OEP (Original Entry Point)). Now we have to lock EIP at 001B:00501104, since the dump has to be taken outside SoftICE. Do the following:

A EIP [Enter]
JMP EIP [Enter] [Enter]

The program is now locked (it jumps to itself). If you do not lock it and press F5 (back to Windows), the program will continue running. That is why we have to lock it at the OEP.
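The POPAD ; JMP pair that ends the stub is the part worth recognising mechanically, because the JMP encodes the OEP as a signed 32-bit displacement rather than as an absolute address. The following Python snippet is an added example, not code from the essay: it scans a byte buffer for POPAD (61) immediately followed by a near JMP (E9 rel32) and resolves the jump target the way the CPU does, target = address of the next instruction + sign-extended rel32. The six bytes 61 E9 F7 FE EF FF at VA 00501103 are the ones shown in the listing above; the filler bytes in front of them are constructed for the example.

```python
"""Locate the POPAD ; JMP tail of a UPX stub and compute the OEP it jumps to."""
import struct

POPAD = 0x61
JMP_REL32 = 0xE9


def resolve_jmp_rel32(jmp_va, rel32_bytes):
    """Target of an E9 rel32 located at jmp_va (5-byte instruction), as a 32-bit VA."""
    (rel,) = struct.unpack("<i", rel32_bytes)       # rel32 is signed, little-endian
    return (jmp_va + 5 + rel) & 0xFFFFFFFF


def find_unpacker_tail(stub, stub_va):
    """Return (popad_va, jmp_target) for every POPAD ; JMP rel32 pair in stub.

    A hit whose target lies far below the stub (a long backwards jump into
    the first section) is the classic UPX 'jump to OEP'; anything else is
    just a coincidental byte pair and should be looked at by hand.
    """
    hits = []
    for i in range(len(stub) - 5):
        if stub[i] == POPAD and stub[i + 1] == JMP_REL32:
            jmp_va = stub_va + i + 1
            hits.append((stub_va + i, resolve_jmp_rel32(jmp_va, stub[i + 2:i + 6])))
    return hits


def build_sample_stub():
    """Constructed stub tail: a few filler bytes, then the essay's POPAD + JMP.
    Returns the buffer and the VA of its first byte."""
    filler = bytes([0x8B, 0x07, 0x09, 0xC0, 0x74, 0x3C])   # constructed filler, not from the essay
    tail = bytes([0x61, 0xE9, 0xF7, 0xFE, 0xEF, 0xFF])     # POPAD ; JMP 00401000 (from the listing)
    return filler + tail, 0x501103 - len(filler)


if __name__ == "__main__":
    stub, base = build_sample_stub()
    for popad_va, oep in find_unpacker_tail(stub, base):
        print("POPAD at %08X, JMP to OEP %08X" % (popad_va, oep))
```

Worked by hand for the listing: the JMP sits at 00501104, so the next instruction is at 00501109; the displacement F7 FE EF FF read little-endian is FFEFFEF7, which as a signed value is -00100109; 00501109 - 00100109 = 00401000, the OEP the essay arrives at in the debugger.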

 

After you are back in Windows, open ProcDump or LordPE, do a [Refresh list] and then a [Dump (full)].

Now you have a good dump of eBook Maker, but when you run it, Windows pops up a message reading “invalid WIN32 program!!” The reason is very simple: the IT (Import Table) and the header are broken!! You can rebuild them by pressing [Rebuild PE] in the picture above. Be careful that the [Options] must be set exactly as follows (very important):

Make 100% sure that “Realign file” is un-checked (very important)!! Otherwise it still CANNOT run.

Now you can use the [Rebuild PE] button ^_^

<<Crack it>>

The crack is easy, since you have unpacked it. You can simply use brute force, as follows:

Just search for “Unregister”, since it is in the message box whenever the program starts, and we are absolutely sure that the message box will disappear once registered. So fire up W32Dasm:

:004093C9 E80284FFFF      call 004017D0
:004093CE 84C0            test al, al                        *If it is registered, AL ≠ 0*
:004093D0 0F84A5000000    je 0040947B                        *Change this to JNE*
:004093D6 68F4010000      push 000001F4
:004093DB E828530900      call 0049E708
:004093E0 59              pop ecx
:004093E1 8907            mov dword ptr [edi], eax
:004093E3 68F4010000      push 000001F4
:004093E8 8B0DB4E24C00    mov ecx, dword ptr [004CE2B4]
:004093EE 8B17            mov edx, dword ptr [edi]
:004093F0 52              push edx

* Possible Reference to String Resource ID=08001: "EBook Maker"      *Here is a bitmap, not a nag-screen*

Now what happens if we jump to 0040947B? Here it is:

:0040947B E8A888FFFF      call 00401D28               *Get how many times you have used it*
:00409480 83F814          cmp eax, 00000014           *If it is less than 14h days (21 in DEC)*
:00409483 0F8CC4000000    jl 0040954D                 *Then it jumps to the place where it displays the nag-screen, and you can still use it*

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ some more stupid code ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

* Possible Reference to String Resource ID=08008: "Sorry,you must register EBook Maker to use it right along."    *You cannot use it any more (over 21 times)*

Now everything is easy:

Search:  84 C0 0F 84 A5 00 00 00
Modify:  84 C0 0F 85 A5 00 00 00   (84 -> 85, i.e. JE -> JNE)

2002 By UREF Corp