Cracking Tutorial #69:
Robs Stupid Mp3 PLayer
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 08/2002
[difficulty:] beginner
[where:]
http://rddone.home.att.net/index.htm
[tOOLz:] W32dasm 8.93 & Hiew


KANAL23 Tutorial

http://www.kanal23.net

Robs Stupid Mp3 PLayer

Download it from

http://rddone.home.att.net/index.htm

Written by

sLeEpY¿

Tools

  • Hiew

  • W32dasm 8.93

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }

Introduction

OK, so I'm bored again today and decide to search for a prog to crack. Go to www.shareware.com, enter "stupid" into the search, and we find some progs, including this one.

Robs Stupid Mp3 PLayer.

Robs Stupid Mp3 Player does everything you need for listening to and managing your mp3 collection except ripping the files.

Version: 5.03.01
Size: 620KB
Date: November 29, 2001
License: Shareware $20
OS: Windows 95/98/NT/2000

The Essay

I guess we are going to have to pay for Rob's stupid mp3 player so he can make a better one? Rob's not-so-stupid mp3 player maybe? Heh, anyway, that's my kinda humor; I like stupid programs, I have coded some myself. Anyway, mail Rob his 20 bucks and pay for what we're going to do to his program.

http://rddone.home.att.net/index.htm
http://home.att.net/~rddone/mp3main.htm

What is so great about the full version versus our version:

The full version supports up to 2000 albums, 50 songs per album, for a total of 100,000 songs.

The full version comes with a mp3 server that can be controlled with the same interface.

The full version doesn't rescan every time it starts up.

OK, so I checked it out, and the shareware one we download has a limit of 50 albums. The other stuff we don't really care about, as it's probably a separate DLL or something.

Well, first let's make the backups and check the string refs of this program.
This is the first thing that catches our eye; maybe triggering it will set a flag?

:0040BFFB 7416 je 0040C013 <-jump to full version

* Possible StringData Ref from Data Obj ->"SHAREWARE VERSION" <-err..

:0040BFFD 6868DF4E00 push 004EDF68
:0040C002 8D9578FFFFFF lea edx, dword ptr [ebp+FFFFFF78]
:0040C008 52 push edx
:0040C009 E8328A0400 call 00454A40
:0040C00E 83C408 add esp, 00000008
:0040C011 EB14 jmp 0040C027

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040BFFB(U)
|

* Possible StringData Ref from Data Obj ->"FULL VERSION"

:0040C013 687CDF4E00 push 004EDF7C <-the jump above lands here (full version).

So we just change this:
:0040BFFB 7416 je 0040C013
To this:
:0040BFFB EB16 jmp 0040C013

Well, we fixed that little tag, although the only difference it made is in the about screen. Now we are the full version according to that. Next we have the problem of the 50 album limit! Check in the string refs for the error message.

:0041DFD1 753C jne 0041E00F <-make me jump for unlimited albums
:0041DFD3 6A32 push 00000032

* Possible StringData Ref from Data Obj ->"This is a shareware version. It "
                                        ->"is limited to %d albums. Click "
                                        ->"OK to proceed with the limited "
                                        ->"album set. If you really like "
                                        ->"this program you can get the full "
                                        ->"version by emailing rdone@bigfoot.com"

:0041DFD5 68340F4F00 push 004F0F34
:0041DFDA 8D95D4E1F9FF lea edx, dword ptr [ebp+FFF9E1D4]
:0041DFE0 52 push edx

* Reference To: USER32.wsprintfA, Ord:02ACh

:0041DFE1 FF15A42A8600 Call dword ptr [00862AA4]
:0041DFE7 83C40C add esp, 0000000C
:0041DFEA 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Warning"

:0041DFEC 68F80F4F00 push 004F0FF8
:0041DFF1 8D85D4E1F9FF lea eax, dword ptr [ebp+FFF9E1D4]
:0041DFF7 50 push eax
:0041DFF8 8B0D50E96900 mov ecx, dword ptr [0069E950]
:0041DFFE 51 push ecx

* Reference To: USER32.MessageBoxA, Ord:01BEh

:0041DFFF FF15902A8600 Call dword ptr [00862A90]
:0041E005 C7058400840001000000 mov dword ptr [00840084], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041DFD1(U)
|
:0041E00F B801000000 mov eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041DC8A(U), :0041DCC9(U), :0041DD0D(U)
|
:0041E014 5E pop esi
:0041E015 8BE5 mov esp, ebp
:0041E017 5D pop ebp
:0041E018 C3 ret

So we just change this:
:0041DFD1 753C jne 0041E00F
To this:
:0041DFD1 EB3C jmp 0041E00F

Next we have this in the options:
Network server (registered version only)
You put in something and it never works; you get the error msg. I dunno if this will fix it, as I don't have any test servers to connect to, however you won't get the error messages.

This can be changed by the following lines...

:00418149 7514 jne 0041815F <-make jump
:0041814B 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Network Error"

:0041814D 685C044F00 push 004F045C

* Possible StringData Ref from Data Obj ->"Error connecting to player server"

The locations below may not have to be modified, as they look like authentic errors. I just changed 'em for the hell of it.


:00419415 7534 jne 0041944B <-nop (goes to network error)
:00419417 837DF401 cmp dword ptr [ebp-0C], 00000001
:0041941B 751D jne 0041943A <-make jump
:0041941D 6A00 push 00000000

* Possible StringData Ref from Data Obj ->"Protocol Error"

:0041941F 6878054F00 push 004F0578

* Possible StringData Ref from Data Obj ->"Other Suite in in 2 Suite Mode, "
                                        ->"Change modes on other Suite first"

:00419424 6888054F00 push 004F0588

Another location:

:004230DE 7546 jne 00423126 <-make jump
:004230E0 6A00 push 00000000
:
:lines of code
:

* Possible StringData Ref from Data Obj ->"Network Error"

:0042310D 68541E4F00 push 004F1E54

* Possible StringData Ref from Data Obj ->"Error connecting to player server"

:00423112 68641E4F00 push 004F1E64
:00423117 6A00 push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BEh

Change this:
:00418149 7514 jne 0041815F
To this:
:00418149 EB14 jmp 0041815F

Optionally, since I can't test it, you can try these:
:00419415 7534 jne 0041944B
:0041941B 751D jne 0041943A
:004230DE 7546 jne 00423126

To these:
:00419415 EB00 jmp 00419417 (EB00 just jumps to the next instruction; you can nop here too)
:0041941B EB1D jmp 0041943A
:004230DE EB46 jmp 00423126

Now you can put in a server address and try it.
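Added example, not part of sLeEpY's tutorial and not the player's own code. It serves all three patch sites above (the about-box tag, the 50 album limit and the network-server errors) in one block. Part 1 decodes the two-byte short branches exactly as W32dasm printed them (opcode 74/75/EB plus one signed displacement byte) and checks that every computed target equals the address the tutorial lists, which is a quick sanity check on a listing before trusting it. Part 2 is the developer's side of the same story: the kind of start-up self-check that records the bytes (or a hash) of its licence-check branches at build time and notices when one of them has been rewritten. The addresses and opcode bytes are taken from the listing; the 0x00400000 image base, the zero-filled stand-in code region and the tampered copy are constructed for the demo.

```python
"""Added example for the tutorial above (not the player's code, not sLeEpY's).

Part 1 decodes the two-byte rel8 branches that W32dasm printed and checks
that each computed target equals the address the tutorial lists.
Part 2 shows the kind of build-time/start-up self-check a developer can use
so that a rewritten conditional branch at a licence check is noticed.
The addresses and opcode bytes come from the listing; the image base,
the zero-filled code region and the tampered copy are constructed here.
"""
import hashlib
from typing import List, NamedTuple, Sequence, Tuple

# Opcode -> mnemonic for the short (rel8) branches that appear in the listing.
SHORT_BRANCHES = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}


class Branch(NamedTuple):
    mnemonic: str
    target: int


def decode_short_branch(address: int, code: bytes) -> Branch:
    """Decode a two-byte short branch located at `address`.

    The target is the address of the next instruction (address + 2) plus the
    signed 8-bit displacement stored in the second byte, so "74 16" at
    0040BFFB lands at 0040BFFB + 2 + 0x16 = 0040C013.
    """
    if len(code) < 2 or code[0] not in SHORT_BRANCHES:
        raise ValueError(f"no short branch at {address:08X}: {code[:2].hex()}")
    disp = int.from_bytes(code[1:2], "little", signed=True)
    return Branch(SHORT_BRANCHES[code[0]], (address + 2 + disp) & 0xFFFFFFFF)


# (address, bytes as shown by W32dasm, target printed in the listing) for every
# branch the tutorial points at.
Site = Tuple[int, bytes, int]
LISTING: List[Site] = [
    (0x0040BFFB, bytes.fromhex("7416"), 0x0040C013),  # "SHAREWARE"/"FULL VERSION"
    (0x0041DFD1, bytes.fromhex("753C"), 0x0041E00F),  # 50-album limit (push 0x32 = 50)
    (0x00418149, bytes.fromhex("7514"), 0x0041815F),  # "Network Error"
    (0x00419415, bytes.fromhex("7534"), 0x0041944B),  # "Protocol Error" block
    (0x0041941B, bytes.fromhex("751D"), 0x0041943A),
    (0x004230DE, bytes.fromhex("7546"), 0x00423126),  # second "Network Error"
]


def verify_listing(sites: Sequence[Site] = LISTING) -> bool:
    """True if every decoded target equals the one the tutorial prints."""
    return all(decode_short_branch(a, raw).target == t for a, raw, t in sites)


# --- Part 2: noticing a rewritten check --------------------------------------
# Constructed stand-in for the program's code section: a zero-filled buffer
# mapped at the usual 0x00400000 base with the listed branch bytes placed at
# their addresses. A real self-check would read the loaded image instead.
IMAGE_BASE = 0x00400000
CODE = bytearray(0x24000)
for _addr, _raw, _ in LISTING:
    CODE[_addr - IMAGE_BASE:_addr - IMAGE_BASE + len(_raw)] = _raw

# Ranges whose bytes are recorded at build time (here: just the branches).
CHECK_RANGES: List[Tuple[int, int]] = [(a, len(raw)) for a, raw, _ in LISTING]


def region_digest(code: bytes, base: int, ranges: Sequence[Tuple[int, int]]) -> str:
    """SHA-256 over the recorded code ranges; compare it with a stored value."""
    h = hashlib.sha256()
    for start, length in ranges:
        h.update(bytes(code[start - base:start - base + length]))
    return h.hexdigest()


def find_tampered_sites(code: bytes, base: int, sites: Sequence[Site]) -> List[int]:
    """Addresses whose bytes no longer match what was recorded at build time.

    Reports the site whether it became an unconditional jmp, a nop pair, or
    anything else; the digest above catches the same thing in one comparison.
    """
    tampered = []
    for addr, expected, _ in sites:
        actual = bytes(code[addr - base:addr - base + len(expected)])
        if actual != expected:
            tampered.append(addr)
    return tampered


if __name__ == "__main__":
    print("listing consistent:", verify_listing())
    for addr, raw, _ in LISTING:
        b = decode_short_branch(addr, raw)
        print(f"{addr:08X} {raw.hex().upper():<4} {b.mnemonic} {b.target:08X}")
    good = region_digest(CODE, IMAGE_BASE, CHECK_RANGES)
    # Simulated tampering: the album-limit branch rewritten as the text describes.
    modified = bytearray(CODE)
    modified[0x0041DFD1 - IMAGE_BASE] = 0xEB
    hits = find_tampered_sites(modified, IMAGE_BASE, LISTING)
    print("tampered sites:", [f"{a:08X}" for a in hits])
    print("digest changed:", region_digest(modified, IMAGE_BASE, CHECK_RANGES) != good)
```

Run it directly and it prints each branch with its decoded target, then shows that the simulated rewrite of the album-limit branch is reported both by the per-site comparison and by the digest. The digest form is what a shipping program would actually use (one stored hash, one comparison at start-up), while the per-site list is the more readable form for a listing like this one; an attacker who also patches the check itself defeats both, which is why such checks are a speed bump rather than a guarantee.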


Cracked!

Final thoughts

Laterz!

Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com

This document is copyrighted by kanal23 and its members. Please mail the author of this document with complaints and those things.
Kanal23 is signing out for now.