Cracking Tutorial #64:
Cracking The Matrix Game 3.01
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] http://www.ProgramsLand.com/matrix/
[tOOLz:] W32dasm 8.93, Hiew 6.x


KANAL23 Tutorial

http://www.kanal23.net




The Matrix Game 3.01

Download it from

http://www.iulabs.com/eng/index.shtml
http://www.iulabs.com/eng/iuvcr/download.shtml



Written by

sLeEpY¿

Tools

  • W32Dasm 8.93

  • Hiew 6.x

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction


The Matrix Game is an attractive, clever and interesting puzzle with a fresh
idea made for you to enjoy and relax.


The Essay

Well, this one was released as 0-day on 0728 of 2002, so I decided to crack it and not use the packaged one. I never play these stupid games or use half the progs; the fun part is the cracking. Who cares about the prog.

Well, start the prog and we are greeted with this outrageous nag, jeezus...UNREGISTERED
and a bunch of other crap. Click on register and for some reason it doesn't take our code and gives us this error msg:

You failed
to register The Matrix Game!
(OK)


So make the usual backups and disassemble in w32dasm, look in the string refs for our error message and double click it. You will be here:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D588(C)
<-hmm go here, this is what jumped to our error msg
|
:0040D5D3 68D0070000 push 000007D0

* Reference To: KERNEL32.Sleep, Ord:0000h
<-lame ass sleep, this is what makes us pause before we see the error msg

:0040D5D8 E813460700 Call 00481BF0
:0040D5DD 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"You failed to register The Matrix "
                                        ->"Game!"

:0040D5DF BAAF8B4800 mov edx, 00488BAF


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D578(C)
|
:0040D581 E8D2120000 call 0040E858
:0040D586 84C0 test al, al
:0040D588 7449 je 0040D5D3
<-jump to bad message
:0040D58A 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Thanks for registering The Matrix "
                                        ->"Game!"


Ok so change this:
:0040D588 7449 je 0040D5D3
To this:
:0040D588 9090 NopX2


Now any code will register the program, but too bad, it doesn't stick: the nag is back when we restart.

Ok, well, let's check out the String Refs for other stuff to crack out of this prog:

"http://www.ProgramsLand.com/matrix/purchase.sh" <-part of our nag screen
"This feature is enabled in the " (registered version only) <-for undo last move
"This version expires in "
"This version expires tomorrow!"
"This version has expired! Please "

Well, let's attack the expiration next. Double click "This version has expired! Please ":


:0040E3F5 7438 je 0040E42F <-jump past the version has expired
:0040E3F7 66C745D40800 mov [ebp-2C], 0008

* Possible StringData Ref from Data Obj ->"This version has expired! Please "
                                        ->"register!"


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E3F5(C)
<-from above jump
|
:0040E42F 53 push ebx
:0040E430 E87FFEFFFF call 0040E2B4
:0040E435 59 pop ecx
:0040E436 48 dec eax
:0040E437 0F8EAF000000 jle 0040E4EC
<-jump to expire tomorrow (below)
:0040E43D 66C745D41400 mov [ebp-2C], 0014
:
:
:
:0040E465 FF45E0 inc [ebp-20]

* Possible StringData Ref from Data Obj ->"This version expires in "


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E437(C)
<-from above jle
|
:0040E4EC 66C745D42000 mov [ebp-2C], 0020

* Possible StringData Ref from Data Obj ->"This version expires tomorrow!"


So to fix the prog so it won't expire, change this:
:0040E3F5 7438 je 0040E42F
To this:
:0040E3F5 EB38 jmp 0040E42F

Also I changed this in mine, although I don't think it's needed:
:0040E437 0F8EAF000000 jle 0040E4EC
To this:
:0040E437 909090909090 NopX6

So it will probably just count into the negatives of something after the trial.
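To make the W32Dasm listings above easier to read, here is an added Python example (not from the original tutorial) that decodes the relative operand of the short and near conditional jumps, `jmp` and `call` shown in the byte column and recomputes the target address the disassembler prints, so each `je`/`jle`/`call` line can be checked against its listed target. The addresses and bytes are taken from the listings on this page; the one jump-to-self in the sample is constructed to show the sign extension of an 8-bit displacement.

```python
"""Recompute branch targets from the hex bytes in a W32Dasm listing line.

Added example; the (address, bytes, target) triples below are copied from
the tutorial's listings, e.g. `:0040D588 7449 je 0040D5D3`.
"""

# Opcode tables for the branch forms that occur in the listings:
# short Jcc (70-7F, rel8), short JMP (EB, rel8), near Jcc (0F 80-8F, rel32),
# near JMP (E9, rel32) and CALL (E8, rel32).
SHORT_JCC = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}
NEAR_JCC = {0x84: "je", 0x85: "jne", 0x8C: "jl", 0x8D: "jge", 0x8E: "jle", 0x8F: "jg"}


def decode_branch(addr, code):
    """Return (mnemonic, length, target) for the branch at `addr`, or None.

    x86 relative displacements are signed and counted from the address of
    the *next* instruction, i.e. addr + instruction length.
    """
    op = code[0]
    if (op in SHORT_JCC or op == 0xEB) and len(code) >= 2:
        mnem = "jmp" if op == 0xEB else SHORT_JCC[op]
        rel = int.from_bytes(code[1:2], "little", signed=True)   # rel8
        return mnem, 2, (addr + 2 + rel) & 0xFFFFFFFF
    if op in (0xE8, 0xE9) and len(code) >= 5:
        mnem = "call" if op == 0xE8 else "jmp"
        rel = int.from_bytes(code[1:5], "little", signed=True)   # rel32
        return mnem, 5, (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0x0F and len(code) >= 6 and code[1] in NEAR_JCC:
        rel = int.from_bytes(code[2:6], "little", signed=True)   # rel32
        return NEAR_JCC[code[1]], 6, (addr + 6 + rel) & 0xFFFFFFFF
    return None


def check_listing(addr, hexbytes, expected_target):
    """True if the bytes on a listing line really branch to the printed target."""
    decoded = decode_branch(addr, bytes.fromhex(hexbytes))
    return decoded is not None and decoded[2] == expected_target


if __name__ == "__main__":
    lines = [
        (0x0040D588, "7449", 0x0040D5D3),          # je   to the "You failed" message
        (0x0040D581, "E8D2120000", 0x0040E858),    # call to the registration check
        (0x0040E3F5, "7438", 0x0040E42F),          # je   past "This version has expired"
        (0x0040E437, "0F8EAF000000", 0x0040E4EC),  # jle  to "expires tomorrow"
        (0x00403127, "7568", 0x00403191),          # jne  past the nag call
        (0x00401000, "74FE", 0x00401000),          # constructed: je to itself (rel8 = -2)
    ]
    for addr, hb, tgt in lines:
        mnem, _, target = decode_branch(addr, bytes.fromhex(hb))
        print(f"{addr:08X} {hb:<12} {mnem:<4} {target:08X}  matches listing: {target == tgt}")
```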


Next, the prog has an undo button, but when you click it you get some bullshit about
"Only available in registered version"

So double click that error message and you will land here:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040368A(C)
<-what jumped us to this error msg, check it
|
:004036E7 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"This feature is enabled in the "
 ->"registered version only!"

:004036E9 BACB394800 mov edx, 004839CB


:0040368A 745B je 004036E7 <-what jumps to error above
:
:lines of code
:
:004036C4 8B8324030000 mov eax, dword ptr [ebx+00000324]
* Reference To: Matrix.Ovalbtn::TOvalButton::SetDown(())

:004036CA E839DC0000 call 00411308
:004036CF 6A03 push 00000003
:004036D1 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Sounds/Undo.wav"
<-load sound for button

:004036D3 6832364800 push 00483632

* Reference To: WINMM.PlaySoundA, Ord:0000h
<-play sound on click


So if the jump isn't taken then it loads Undo.wav and plays the sound; looks like our button would be valid again with no error. So...

Change this:
:0040368A 745B je 004036E7
To this:
:0040368A 9090 NopX2


Lastly we have the Nag Screen, we notice it has this in it:
"http://www.ProgramsLand.com/matrix/purchase.sh"

So double click it and we land here (I cut out a lot of code and just left the refs):


* Referenced by a CALL at Addresses:
|:00403132 , :0040356A 
<-finally our calls to the nag screen/register screen
|
:0040D4BC 55 push ebp
:0040D4C8 7E05 jle 0040D4CF
:0040D4CA E8C9440700 call 00481998

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D4C8(C)
|
:
:lines of code
:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D508(C)
|
:0040D50F 5B pop ebx
:

* Reference To: SHELL32.ShellExecuteA, Ord:0000h
<-open default mail client for email

:

* Possible StringData Ref from Data Obj ->"mailto:support@ProgramsLand.com?Subject=The "

:

* Possible StringData Ref from Data Obj ->"OPEN"

:

* Reference To: SHELL32.ShellExecuteA, Ord:0000h
<-our command to open website with default browser

:

* Possible StringData Ref from Data Obj->"http://www.ProgramsLand.com/matrix/purchase.sh"
 ->"tml"

:0040D54A 68558B4800 push 00488B55


Well, we know we are in the right area 'cause the nag has all those links...
Let's go check out the call at 403132:


:00403113 0F84A5000000 je 004031BE <-jump past nag call routine
:00403119 C6832C03000000 mov byte ptr [ebx+0000032C], 00
:00403120 E833B70000 call 0040E858
:00403125 84C0 test al, al
:00403127 7568 jne 00403191
<-jump past nag call routine
:00403129 8BCB mov ecx, ebx
:0040312B B201 mov dl, 01
:0040312D A198954800 mov eax, dword ptr [00489598]
:00403132 E885A30000 call 0040D4BC
<-call nag routine


So it's obvious to change this:
:00403127 7568 jne 00403191
To this:
:00403127 EB68 jmp 00403191

Changing the code at location 403113 to jump also works, but when you click the register button in the program it crashes.

Well another prog cracked on another boring ass day.

Laterz!

Final thoughts


It's fun to read Zen.


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.