Cracking Tutorial #63:
Cracking iuVCR: 4.0.0.230 (07/10/2002)
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] http://www.iulabs.com/eng/index.shtml
http://www.iulabs.com/eng/iuvcr/download.shtml
[tOOLz:] W32dasm 8.93, Hiew 6.x


KANAL23 Tutorial

http://www.kanal23.net





Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction


iuVCR: 4.0.0.230 (07/10/2002)
EXE file (1146 KB) download
ZIP file (1116 KB) download

iuVCR is a video recording program intended for Windows 2000/XP. Have a TV tuner or a video capture card installed on your Windows 2000 or XP system? Now you can easily record your favorite TV programs and videos in *.AVI or *.WMV format. iuVCR has a simple, plain interface, can capture video of any format, resolution and duration, can start automatically when scheduled, and has a number of other useful features.

OK, so I cracked an earlier version of this prog and someone requested that I crack this one. I normally don't do requests, but just maybe this time.


The Essay

Well I'm Mike D and I'm back from the dead.....
Jammin some Beastie Boyz Old SKOOL.

Start the prog and we are greeted with the same nag as the prior version.


Register
This program is distributed as
shareware and requires registration.

Your evaluation will expire in
30 days

Purchasing a licensing key will
disable this reminder.
[Close] [Register Now]


And the close button has a 4 second wait.


So we see we have a startup nag and a shutdown nag, same as in the earlier version. The program also says it will expire in 30 days, so we will see =)


Make the 3 copies and disassemble the prog in W32Dasm.
Look in the String Refs for Register (the title of our nag) and double-click it; we land here:


* Referenced by a CALL at Addresses:
|:00434439 , :00439C58   <- our whole routine is called from 2 places (2 nags, 2 places), let's check 'em out...
|
:0045AC00 55 push ebp
:0045AC01 8BEC mov ebp, esp
:0045AC03 83C4D0 add esp, FFFFFFD0
:0045AC06 53 push ebx
:0045AC07 56 push esi
:0045AC08 C745D86CB75100 mov [ebp-28], 0051B76C
:0045AC0F 8BD8 mov ebx, eax
:0045AC11 B8C34F4D00 mov eax, 004D4FC3
:0045AC16 8965DC mov dword ptr [ebp-24], esp
:0045AC19 8945D4 mov dword ptr [ebp-2C], eax
:0045AC1C 66C745E00000 mov [ebp-20], 0000
:0045AC22 8BF2 mov esi, edx
:0045AC24 33D2 xor edx, edx
:0045AC26 8955EC mov dword ptr [ebp-14], edx
:0045AC29 648B0D00000000 mov ecx, dword ptr fs:[00000000]
:0045AC30 894DD0 mov dword ptr [ebp-30], ecx
:0045AC33 8D45D0 lea eax, dword ptr [ebp-30]
:0045AC36 64A300000000 mov dword ptr fs:[00000000], eax
:0045AC3C 85F6 test esi, esi
:0045AC3E 7D48 jge 0045AC88   <- making this jump will give us unlimited evaluation....
:0045AC40 8B93EC020000 mov edx, dword ptr [ebx+000002EC]
:0045AC46 8B4258 mov eax, dword ptr [edx+58]
:0045AC49 BAFF000000 mov edx, 000000FF
:0045AC4E E8911B0300 call 0048C7E4
:0045AC53 66C745E00800 mov [ebp-20], 0008

* Possible StringData Ref from Data Obj ->"Your evalution period has expired"   <- hey, we can kill this while we are here
|
:0045AC59 BA70B65100 mov edx, 0051B670
:0045AC5E 8D45FC lea eax, dword ptr [ebp-04]
:0045AC61 E8C2480800 call 004DF528
:0045AC66 FF45EC inc [ebp-14]
:0045AC69 8B10 mov edx, dword ptr [eax]
:0045AC6B 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:0045AC71 E86E310400 call 0049DDE4
:0045AC76 FF4DEC dec [ebp-14]
:0045AC79 8D45FC lea eax, dword ptr [ebp-04]
:0045AC7C BA02000000 mov edx, 00000002
:0045AC81 E8424C0800 call 004DF8C8
:0045AC86 EB52 jmp 0045ACDA   <- jump to nag below

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045AC3E(C)
|
:0045AC88 66C745E02000 mov [ebp-20], 0020
:0045AC8E BA18B25100 mov edx, 0051B218
:0045AC93 8D45F8 lea eax, dword ptr [ebp-08]
:0045AC96 E88D480800 call 004DF528
:0045AC9B FF45EC inc [ebp-14]
:0045AC9E 8D4DF8 lea ecx, dword ptr [ebp-08]
:0045ACA1 66C745E01400 mov [ebp-20], 0014
:0045ACA7 56 push esi

* Possible StringData Ref from Data Obj ->"Your evaluation period will expire "
->"in %d days"
|
:0045ACA8 6892B65100 push 0051B692
:0045ACAD 51 push ecx
:0045ACAE E8D94D0800 call 004DFA8C
:0045ACB3 83C40C add esp, 0000000C
:0045ACB6 8B55F8 mov edx, dword ptr [ebp-08]
:0045ACB9 8B83EC020000 mov eax, dword ptr [ebx+000002EC]
:0045ACBF E820310400 call 0049DDE4
:0045ACC4 FF4DEC dec [ebp-14]
:0045ACC7 8D45F8 lea eax, dword ptr [ebp-08]
:0045ACCA BA02000000 mov edx, 00000002
:0045ACCF E8F44B0800 call 004DF8C8
:0045ACD4 66C745E00000 mov [ebp-20], 0000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045AC86(U)   <- unconditional jump, let's go there...
|
:0045ACDA 33D2 xor edx, edx
:0045ACDC 8B83D8020000 mov eax, dword ptr [ebx+000002D8]
:0045ACE2 8B08 mov ecx, dword ptr [eax]
:0045ACE4 FF515C call [ecx+5C]
:0045ACE7 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:0045ACED 33D2 xor edx, edx
:0045ACEF 89500C mov dword ptr [eax+0C], edx
:0045ACF2 33D2 xor edx, edx
:0045ACF4 8BC3 mov eax, ebx
:0045ACF6 E859000000 call 0045AD54
:0045ACFB B201 mov dl, 01
:0045ACFD 8B83F0020000 mov eax, dword ptr [ebx+000002F0]
:0045AD03 E8E4BD0300 call 00496AEC
:0045AD08 66C745E02C00 mov [ebp-20], 002C

* Possible StringData Ref from Data Obj ->"Register"   <- nag title
|
:0045AD0E BAC0B65100 mov edx, 0051B6C0   <- start here


From the two calls above here is location 1:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004343A7(C)
|
:004343F6 F605A5B04F0002 test byte ptr [004FB0A5], 02
:004343FD 740D je 0043440C   <- jump down to nag routine area....
:004343FF F605A4B04F0040 test byte ptr [004FB0A4], 40
:00434406 0F858C000000 jne 00434498   <- jump past call to nag routine, our goody land, happy guy!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004343FD(C)
|
:0043440C 8B8D44FEFFFF mov ecx, dword ptr [ebp+FFFFFE44]   <- start nag routine
:00434412 B201 mov dl, 01

* Possible StringData Ref from Data Obj ->"8JJ"
|
:00434414 A108B85100 mov eax, dword ptr [0051B808]
:00434419 E86A670200 call 0045AB88
:0043441E 89852CFEFFFF mov dword ptr [ebp+FFFFFE2C], eax
:00434424 8B15B8B04F00 mov edx, dword ptr [004FB0B8]
:0043442A 66C78558FEFFFF7001 mov word ptr [ebp+FFFFFE58], 0170
:00434433 8B852CFEFFFF mov eax, dword ptr [ebp+FFFFFE2C]
:00434439 E8C2670200 call 0045AC00   <- call our eval time routine and nags...


From the two calls above here is location 2:


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00439C00(C), :00439C09(C)
|
:00439C29 A1A4B04F00 mov eax, dword ptr [004FB0A4]
:00439C2E F6C402 test ah, 02
:00439C31 7404 je 00439C37   <- jump down to nag routine area....
:00439C33 A840 test al, 40
:00439C35 755C jne 00439C93   <- jump past call to nag routine, our goody land, happy guy!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439C31(C)
|
:00439C37 8B4D9C mov ecx, dword ptr [ebp-64]   <- start nag routine
:00439C3A B201 mov dl, 01

* Possible StringData Ref from Data Obj ->"8JJ"
|
:00439C3C A108B85100 mov eax, dword ptr [0051B808]
:00439C41 E8420F0200 call 0045AB88
:00439C46 894598 mov dword ptr [ebp-68], eax
:00439C49 8B15B8B04F00 mov edx, dword ptr [004FB0B8]
:00439C4F 66C745B09800 mov [ebp-50], 0098
:00439C55 8B4598 mov eax, dword ptr [ebp-68]
:00439C58 E8A30F0200 call 0045AC00   <- call our eval time routine and nags...


Some things never change: it is the same routine as in the previous version. Just make these changes:

Change this:
:00439C31 7404 je 00439C37 (Offset 39231)
To this:
:00439C31 9090 nopX2

Change this:
:00439C35 755C jne 00439C93 (Offset 39235)
To this:
:00439C35 EB5C jmp 00439C93

Change this:
:004343FD 740D je 0043440C (Offset 339FD)
To this:
:004343FD 9090 nopX2

Change this:
:00434406 0F858C000000 jne 00434498 (Offset 33A06)
To this:
:00434406 E98D000000 jmp 00434498
:0043440B 90 nop


Ok both nags are now patched and will never show, and the 30 day trial is wiped out as well!
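
Seen from the defender's side, edits like the four above stand out as soon as a known-good copy of the file is available for comparison. The following is an added example, not part of the original tutorial: it diffs a reference image against a suspect copy and flags changes that remove or force a conditional branch. The two images are constructed stand-ins, and `VA_DELTA`, `classify`, `scan` and `constructed_pair` are names assumed here, with `VA_DELTA` derived from the offsets quoted above.

```python
from collections import namedtuple
from typing import List, Tuple

VA_DELTA = 0x400A00  # VA minus file offset, derived from the "(Offset ...)" values above
Finding = namedtuple("Finding", "offset va kind before after")

def classify(good: bytes, bad: bytes, i: int) -> Tuple[str, int]:
    """Heuristic (no disassembler): name the edit starting at offset i, return its length."""
    g, b = good[i:i + 6], bad[i:i + 6]
    if len(g) >= 2 and 0x70 <= g[0] <= 0x7F:                    # short Jcc rel8
        if b[:2] == b"\x90\x90":
            return "short Jcc removed (NOP)", 2
        if b[:1] == b"\xEB" and b[1:2] == g[1:2]:
            return "short Jcc forced (JMP)", 2
    if len(g) == 6 and g[0] == 0x0F and 0x80 <= g[1] <= 0x8F:   # near Jcc rel32
        if b == b"\x90" * 6:
            return "near Jcc removed (NOP)", 6
        # JMP rel32 is one byte shorter than Jcc rel32, so the same target needs rel + 1
        if b[0] == 0xE9 and int.from_bytes(b[1:5], "little") == int.from_bytes(g[2:6], "little") + 1:
            return "near Jcc forced (JMP)", 6
    return "other change", 1

def scan(good: bytes, bad: bytes) -> List[Finding]:
    """Walk both images and report every changed site in the overlapping range."""
    out, i, n = [], 0, min(len(good), len(bad))
    while i < n:
        size = 1
        if good[i] != bad[i]:
            kind, size = classify(good, bad, i)
            out.append(Finding(i, i + VA_DELTA, kind, good[i:i + size], bad[i:i + size]))
        i += size
    return out

def constructed_pair() -> Tuple[bytes, bytes]:
    """Constructed stand-ins: zero-filled images holding only the four branches quoted above."""
    sites = {0x39231: ("7404", "9090"), 0x39235: ("755C", "EB5C"),
             0x339FD: ("740D", "9090"), 0x33A06: ("0F858C000000", "E98D00000090")}
    good, bad = bytearray(0x3A000), bytearray(0x3A000)
    for off, (orig, new) in sites.items():
        good[off:off + len(orig) // 2] = bytes.fromhex(orig)
        bad[off:off + len(new) // 2] = bytes.fromhex(new)
    return bytes(good), bytes(bad)

if __name__ == "__main__":
    for f in scan(*constructed_pair()):
        print(f"{f.va:08X} (offset {f.offset:X}): {f.kind}: {f.before.hex()} -> {f.after.hex()}")
```

Because the classifier only looks at opcode bytes, a changed operand byte in the 70..7F range can be mislabelled; a finding is a pointer for a disassembler, not a verdict.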

So let's get rid of the "Unregistered Trial Copy" in the about box..

Start Resource Hacker and open this prog in it, look for this location:

object Label8: TLabel
  Left = 4
  Top = 54
  Width = 135
  Height = 16
  Align = alTop
  Caption = 'Unregistered trial copy'
  Font.Charset = DEFAULT_CHARSET
  Font.Color = clWindowText
  Font.Height = -13
  Font.Name = 'MS Sans Serif'
  Font.Style = []
  ParentFont = False
  ShowAccelChar = False


It is here:
-RCDATA
  -TFVCR
    -0


Change this line:
Caption = 'Unregistered trial copy'
to this:
Caption = 'Registered to sLeEpY¿'


Ok prog is cracked!
Laterz!

Final thoughts


You be iLLiN'......


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This Document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.