Cracking Tutorial #73:
Popupcop 2.0.1.12
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 09/2002
[difficulty:] beginner/intermediate
[where:] http://www.popupcop.com/
[tOOLz:] W32dasm 8.93, Hiew, Resource Hacker, Softice 4.05


KANAL23 Tutorial

http://www.kanal23.net




Popupcop 2.0.1.12

Download it from

http://www.popupcop.com/   



Written by

sLeEpY¿

Tools

  • W32dasm 8.93 & Hiew

  • Resource Hacker & Softice 4.05

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

Hullo again, and word and all that. This tutorial is one of those NOP/JMP tuts; if you're already good at that you won't need to read it, unless you wanna read a lil on the Softice part. Anyway, it was done on request for someone who seems interested in cracking, as there are already patches and keygens out for this app. Here's his letter:


"dude ride on" <xxxxxxxxxxx@xxxxxxx.xxx>
heeey sleeepy :)
Sat, 24 Aug 2002 10:37:29 +0000

want to thank you again for the tuts you've been making ..appreciated ...i
had a long trip with friends last week so i made a printout for a couple
of your tut's to read and kill time too .. hehehehe anyways first dont get me
wrong !! am not asking for a crack Just if you have a time and feel to
release a new tut try to look at www.popupcop.com this software really
drives me nut alot of jumps and tricky shits..by the way there is a keygen
and cracks around :)
thanks again !!!! you r da best :)  <-Shameless...j/k

The Essay

Well, make the usual 3 copies and disassemble one backup in W32dasm. Next run the program (it loads in IE) and try to register it; for some reason it didn't take my name:

PopUpCop 2.0

The owner name and registration code you entered do not match. Please make sure that
the owner name and registration code are exactly what you received in you registration
EMail.
[OK]



We also find out that the program has a 30-day trial. Let's go digging in the String Refs and pull out the goodies. I grabbed a few that look interesting here:



String Resource ID=32993: "This is an unregistered copy of PopUpCop. You may evaluate "
String Resource ID=32994: "Your 30 day evaluation period has expired. PopUpCop will di"
String Resource ID=32995: "Your 30 day evaluation and 7 day grace period have expired. "
String Resource ID=32996: "We appreciate your continued use of PopUpCop. You may evalu"
String Resource ID=32963: "Thank you for registering PopUpCop!
String Resource ID=32952: "The owner name you entered is incorrect. Owner names must be"
String Resource ID=32954: "The owner name and registration code you entered do not matc"
String Resource ID=32955: "Thank you for registering PopUpCop!"
String Resource ID=32956: "PopUpCop cannot do what you asked because your evaluation pe"
String Resource ID=33065: "Thanks again for registering PopUpCop. Use this dialog to mo"


Well, first let's get this one done and over with. If you look in the about box, the program wants us to register; once registered it will show this instead:

Thank you for registering PopUpCop!


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:100012C0(C), :100012C6(C) <-so these two places jump to our good guy, check em
|

* Possible Reference to String Resource ID=32955: "Thank you for registering PopUpCop!"

:10001325 68BB800000 push 000080BB


:100012BD 83F807 cmp eax, 00000007
:100012C0 7463 je 10001325 <-jump to good happy land
:100012C2 807DFF00 cmp byte ptr [ebp-01], 00
:100012C6 755D jne 10001325 <-jump to good happy land

* Possible Reference to String Resource ID=32939: "This is an unregistered copy of PopUpCop. You may evaluate "


Well, the code always reads down, so let's pick the first one (I'm sure either will work) and make it always jump. We just have to patch this:
:100012C0 7463 je 10001325
to this:
:100012C0 EB63 jmp 10001325

Now, I had to reboot because I couldn't get the DLL to unload after each use so I could modify it, so you may have to as well. Anyway, after the restart we run IE, check the about box, and now it says registered.


Next, let's make it accept any code we decide to put in; we can find that spot by looking for the goodguy "you regged me" message.

String Resource ID=32963: "Thank you for registering PopUpCop!" <-this one

OK, now this one is just a few jumps and NOPs to make. Just remember the code reads down, so change it to do what you want it to do.


:10028A13 E849BBFEFF call 10014561 <-probably the serial check call
:10028A18 59 pop ecx
:10028A19 83F801 cmp eax, 00000001
:10028A1C 59 pop ecx
:10028A1D 7411 je 10028A30 <-jump to a different error message...
:10028A1F 7E61 jle 10028A82 <-this seems to be the right path, jumps both errors
:10028A21 83F805 cmp eax, 00000005
:10028A24 7F5C jg 10028A82

* Possible Reference to String Resource ID=32954: "The owner name and registration code you entered do not matc"

:10028A26 B8BA800000 mov eax, 000080BA
:10028A2B 895D0C mov dword ptr [ebp+0C], ebx
:10028A2E EB08 jmp 10028A38

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10028A1D(C)
|

* Possible Reference to String Resource ID=32952: "The owner name you entered is incorrect. Owner names must be"

:10028A30 B8B8800000 mov eax, 000080B8
:10028A35 89750C mov dword ptr [ebp+0C], esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10028A2E(U)
|
:10028A38 50 push eax
:10028A39 E8EDA8FEFF call 1001332B

* Possible Reference to String Resource ID=00100: "PopUpCop"

:
:lines of code
:
:10028A7D E95E010000 jmp 10028BE0

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10028A1F(C), :10028A24(C)
|
:10028A82 FF75E8 push [ebp-18] <-land here from the jump above

* Reference To: KERNEL32.lstrcmpA, Ord:0392h

:10028A85 8B3528110610 mov esi, dword ptr [10061128]
:10028A8B FF75F8 push [ebp-08]
:10028A8E FFD6 call esi
:10028A90 85C0 test eax, eax
:10028A92 752C jne 10028AC0 <-any jump to 10028AC0 will work for us, so jump!
:10028A94 FF75E4 push [ebp-1C]
:10028A97 FF75F4 push [ebp-0C]
:10028A9A FFD6 call esi
:10028A9C 85C0 test eax, eax
:10028A9E 7520 jne 10028AC0
:10028AA0 3845FF cmp byte ptr [ebp-01], al
:10028AA3 740A je 10028AAF
:10028AA5 3845FE cmp byte ptr [ebp-02], al
:10028AA8 7416 je 10028AC0
:10028AAA 3845FD cmp byte ptr [ebp-03], al
:10028AAD 7411 je 10028AC0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10028AA3(C)
|
:10028AAF 0FB7450C movzx eax, word ptr [ebp+0C]
:10028AB3 50 push eax
:10028AB4 8BCF mov ecx, edi
:10028AB6 E81592FDFF call 10001CD0
:10028ABB E920010000 jmp 10028BE0 <-bad jump here...

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:10028A92(C), :10028A9E(C), :10028AA8(C), :10028AAD(C)
|
:10028AC0 FF75F4 push [ebp-0C] <-land here from :10028A92
:10028AC3 E813C6FEFF call 100150DB
:10028AC8 FF75F8 push [ebp-08]
:10028ACB E8DCC5FEFF call 100150AC
:10028AD0 59 pop ecx
:10028AD1 59 pop ecx
:10028AD2 E86C38FFFF call 1001C343
:10028AD7 84C0 test al, al
:10028AD9 744B je 10028B26 <-our last stopper, take it out with a NOP!

* Possible Reference to String Resource ID=32963: "Thank you for registering PopUpCop!
PopUpCop is disabled." <-good happy yay and all that message

:10028ADB 68C3800000 push 000080C3


So now we know what needs modifying:
Change these:
:10028AD9 744B je 10028B26
:10028A92 752C jne 10028AC0
:10028A1F 7E61 jle 10028A82
:10028A1D 7411 je 10028A30


To these:
:10028AD9 9090 NOP
:10028A92 EB2C jmp 10028AC0
:10028A1F EB61 jmp 10028A82
:10028A1D 9090 NOP


Now we can enter our name and whatever regcode and we're "registered"!
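All of the byte changes on this page, the four just listed and the ones further down, have one of two shapes: a short conditional jump (opcodes 70 to 7F, two bytes: opcode plus an 8-bit offset) rewritten to the unconditional short jmp (EB) with the offset kept, or the two bytes replaced with 90 90 so the instruction never jumps. The Python below is an added example for this tutorial, not the author's code and nothing from PopUpCop itself; it is the check a vendor or defender would run on a shipped copy of the DLL: compare its hash against a known-good reference and, when they differ, walk the two images and classify every change. The reference bytes are constructed from the listing at 10028A13, and the "patched" copy is those same bytes with the two edits the text describes applied; nothing else about the file is assumed.

```python
"""Detect control-flow byte patches by diffing an image against a reference."""
import hashlib

# x86 short conditional jumps (Jcc rel8) are opcodes 0x70-0x7F; the short
# unconditional jump is 0xEB. All are two bytes: opcode + signed 8-bit offset.
JCC_REL8 = {
    0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae", 0x74: "je", 0x75: "jne",
    0x76: "jbe", 0x77: "ja", 0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}
JMP_REL8 = 0xEB
NOP = 0x90


def classify_patch(orig: bytes, patched: bytes) -> str:
    """Describe a 2-byte modification in the terms the tutorial uses."""
    if len(orig) != 2 or len(patched) != 2:
        return "unknown"
    op = orig[0]
    # Jcc rel8 -> jmp rel8 with the same displacement: branch is now always taken.
    if op in JCC_REL8 and patched[0] == JMP_REL8 and patched[1] == orig[1]:
        return f"{JCC_REL8[op]} forced to unconditional jmp (same target)"
    # Jcc rel8 -> 90 90: branch is never taken.
    if op in JCC_REL8 and patched == bytes([NOP, NOP]):
        return f"{JCC_REL8[op]} NOP'd out (never jumps)"
    return "unknown"


def image_matches(reference: bytes, sample: bytes) -> bool:
    """Cheap first check: compare SHA-256 digests before walking bytes."""
    return hashlib.sha256(reference).digest() == hashlib.sha256(sample).digest()


def find_patches(reference: bytes, sample: bytes, base: int = 0):
    """Walk both images and report each change as
    (address, original hex, patched hex, description)."""
    if len(reference) != len(sample):
        raise ValueError("images differ in size; not an in-place byte patch")
    hits = []
    i = 0
    while i < len(reference):
        if reference[i] == sample[i]:
            i += 1
            continue
        # Try the two-byte jump shapes first; otherwise record a single byte.
        orig, new = reference[i:i + 2], sample[i:i + 2]
        desc = classify_patch(orig, new)
        if desc == "unknown":
            orig, new = reference[i:i + 1], sample[i:i + 1]
            desc = "unclassified byte change"
        hits.append((base + i, orig.hex(), new.hex(), desc))
        i += len(orig)
    return hits


# Constructed sample: the bytes the listing shows from 10028A13 onward, and
# the same bytes after the "je -> NOP NOP" and "jle -> jmp" edits.
BASE = 0x10028A13
REFERENCE = bytes.fromhex("E849BBFEFF 59 83F801 59 7411 7E61 83F805 7F5C")
PATCHED = bytes.fromhex("E849BBFEFF 59 83F801 59 9090 EB61 83F805 7F5C")

if __name__ == "__main__":
    print("hash matches reference:", image_matches(REFERENCE, PATCHED))
    for addr, old, new, why in find_patches(REFERENCE, PATCHED, BASE):
        print(f"{addr:08X}  {old} -> {new}  {why}")
```

On a real file you would hash the whole code section first and only walk bytes on a mismatch; the classifier is what turns a raw diff into something an analyst can read (two flipped branches in the registration routine is a very different finding from a recompiled build).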


Now for that stupid evaluation message:

* Referenced by a CALL at Address:
|:1001432A <-error message is called from here, go there
|
:100142D6 55 push ebp
:100142D7 8BEC mov ebp, esp
:100142D9 56 push esi
:100142DA 57 push edi

* Possible Reference to String Resource ID=32956: "PopUpCop cannot do what you asked because your evaluation pe"

:100142DB 68BC800000 push 000080BC


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1001431C(C), :10014321(C) <-hmm, jumped here from two places, goto them
|
:10014327 FF7508 push [ebp+08]
:1001432A E8A7FFFFFF call 100142D6 <-call the error message...
:1001432F 59 pop ecx
:10014330 B001 mov al, 01
:10014332 5D pop ebp
:10014333 C3 ret


:10014314 E8DBFAFFFF call 10013DF4
:10014319 83F801 cmp eax, 00000001
:1001431C 7409 je 10014327 <-jump to the place where the error msg is called
:1001431E 83F802 cmp eax, 00000002
:10014321 7404 je 10014327 <-jump to the place where the error msg is called
:10014323 32C0 xor al, al
:10014325 5D pop ebp
:10014326 C3 ret


So the simple fix would be to change these:
:1001431C 7409 je 10014327
:10014321 7404 je 10014327


To these:
:1001431C 9090 NOP
:10014321 9090 NOP


Next in the W32dasm/Hiew patching portion of this tutorial is getting rid of that 30-day trial! Check the String Refs and grab the suspicious ones:

String Resource ID=32993: "This is an unregistered copy of PopUpCop. You may evaluate "
String Resource ID=32994: "Your 30 day evaluation period has expired. PopUpCop will di"
String Resource ID=32995: "Your 30 day evaluation and 7 day grace period have expired. "
String Resource ID=32996: "We appreciate your continued use of PopUpCop. You may evalu" <-unlimited eval

This can be fixed here...

Change this:
:10047358 7513 jne 1004736D
To this:
:10047358 EB13 jmp 1004736D

Move the date ahead and it is still regged OK, but one thing we notice is that the Enable/Disable button does not work anymore. This one was a little tricky and required Softice for me.

OK, so think like the program: how would I know what the time was, so I could decide whether to disable this button or not?

Set a BPX on GetSystemTime and click the button. Softice will break; F12 to where it was called from, and what I did was follow the path of the code, writing down when jumps were taken and when they weren't. Next, BC * to clear the breakpoints and shut down IE. Now move your date ahead a couple of months, start IE again and set the BPX on GetSystemTime again. Follow the path again and find where the code takes a different route.

I found the following when Softice broke and an F12 returned us here:


:10050994 55 push ebp
:10050995 8BEC mov ebp, esp
:10050997 81ECCC000000 sub esp, 000000CC
:1005099D 8D45F0 lea eax, dword ptr [ebp-10]
:100509A0 50 push eax

* Reference To: KERNEL32.GetLocalTime, Ord:015Ch

:100509A1 FF152C120610 Call dword ptr [1006122C]
:100509A7 8D45E0 lea eax, dword ptr [ebp-20]
:100509AA 50 push eax

* Reference To: KERNEL32.GetSystemTime, Ord:01AAh <-check system time

:100509AB FF1530120610 Call dword ptr [10061230] <-Softice returns us here
:100509B1 668B45EA mov ax, word ptr [ebp-16]
:
:lines of code
:
* Reference To: KERNEL32.GetTimeZoneInformation, Ord:01C1h
:
:lines of code
:
:10050A6E C9 leave
:10050A6F C3 ret <-F10 till you get to the return, press F10 once more and you will land below!


* Referenced by a CALL at Addresses:
|:100012B4 , :10001315 , :10014314 , :1003AAE3 , :1003B56C
|:1003BDD5 , :1003C6D3 , :1003DEAD , :1003FAA9 , :1003FF2C
|:10046A8F
|
:10013DF4 833D00F0071000 cmp dword ptr [1007F000], 00000000
:10013DFB 53 push ebx
:10013DFC 56 push esi
:10013DFD 57 push edi
:10013DFE 0F85EF000000 jne 10013EF3
:10013E04 6A00 push 00000000
:10013E06 E889CB0300 call 10050994 <-call to "getlocaltime" (above)
:10013E0B 59 pop ecx <-after you hit the return above you land here!
:10013E0C 8BF0 mov esi, eax
:10013E0E E8CDFDFFFF call 10013BE0
:10013E13 85C0 test eax, eax
:10013E15 745B je 10013E72
:10013E17 83F805 cmp eax, 00000005
:10013E1A 755A jne 10013E76 <-this jump is always taken


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10013E1A(C)
|
:10013E76 56 push esi <-land here from above!
:10013E77 E8E7FDFFFF call 10013C63
:10013E7C 8BF8 mov edi, eax
:10013E7E 6A00 push 00000000
:10013E80 688C1E0610 push 10061E8C
:10013E85 8D9F008D2700 lea ebx, dword ptr [edi+00278D00]
:10013E8B E890E1FFFF call 10012020
:10013E90 8D8F80C73000 lea ecx, dword ptr [edi+0030C780]
:10013E96 83C40C add esp, 0000000C
:10013E99 3BF1 cmp esi, ecx
:10013E9B 7E16 jle 10013EB3 <-our place! Notice that it is not taken when we move the month ahead, but it is taken while we are still in the trial.


So let's force the jump so it is always taken.
Change this:
:10013E9B 7E16 jle 10013EB3
To this:
:10013E9B EB16 jmp 10013EB3

Now set the clock ahead to any date you want and we can use the Enable/Disable button without a problem. The above JLE is probably a "30 days or less" check or something similar; this just proves the sad point that you don't have to fully understand the code to crack it.
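The two lea instructions in the listing above give a concrete reading of what that JLE compares: 0x278D00 is 2,592,000 seconds, exactly 30 days, and 0x30C780 is 3,196,800 seconds, exactly 37 days, which lines up with the "30 day evaluation and 7 day grace period" string. The Python below is an added example, not code from the tutorial or from PopUpCop; it models the check under one assumption that is mine and not stated on the page: that edi holds an install timestamp and esi the current time, both in seconds since the same epoch, so `cmp esi, ecx; jle` reads as "now <= install + 37 days". The install time in the demo is a constructed value.

```python
"""Model of the 30/37-day check implied by the lea/cmp/jle sequence above."""

# Constants taken straight from the two lea instructions in the listing.
EVAL_SECONDS = 0x278D00    # 2,592,000 s = 30 * 86400: the 30-day evaluation
LIMIT_SECONDS = 0x30C780   # 3,196,800 s = 37 * 86400: evaluation + 7-day grace
DAY = 86400


def seconds_to_days(seconds: int) -> int:
    """Whole days in a seconds constant (both constants divide evenly)."""
    return seconds // DAY


def trial_state(install_ts: int, now_ts: int) -> str:
    """Which of the three evaluation strings applies.

    Assumption (mine, not stated on the page): edi is the install timestamp
    and esi the current time, both in seconds since the same epoch.
    """
    elapsed = now_ts - install_ts
    if elapsed <= EVAL_SECONDS:
        return "evaluation"   # 32993: "This is an unregistered copy of PopUpCop..."
    if elapsed <= LIMIT_SECONDS:
        return "grace"        # 32994: "Your 30 day evaluation period has expired..."
    return "expired"          # 32995: "...and 7 day grace period have expired."


def jle_taken(install_ts: int, now_ts: int) -> bool:
    """The branch at 10013E9B: cmp esi, ecx / jle, with ecx = edi + 0x30C780.
    Taken (the button stays usable) while now <= install + 37 days."""
    return now_ts <= install_ts + LIMIT_SECONDS


if __name__ == "__main__":
    install = 1_000_000_000   # constructed install time, seconds since epoch
    print(f"eval window: {seconds_to_days(EVAL_SECONDS)} days, "
          f"hard limit: {seconds_to_days(LIMIT_SECONDS)} days")
    for days in (10, 33, 60):   # 60 days is the "couple months ahead" in the text
        now = install + days * DAY
        print(f"day {days:>2}: state={trial_state(install, now):<10} "
              f"jle_taken={jle_taken(install, now)}")
```

Two things stand out from the defender's side. The check trusts whatever GetLocalTime/GetSystemTime return, which is why moving the machine clock, as the tutorial does, changes the outcome without touching the binary. And the whole decision collapses into a single conditional jump, which is why one byte (7E to EB) is enough to remove it; trial state anchored to something the user cannot set, and checked in more than one place, is the usual mitigation.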

Another approach would be to check out the EnableMenuItem API. I originally tried this route but only succeeded in enabling the button; when I clicked it, it wouldn't work. If you would like to see that, make this adjustment before you do the above. (Cheesy Fact of the Day: EnableMenuItem will enable or disable a menu item.)

This:
:1003BE09 7520 jne 1003BE2B
To this:
:1003BE09 EB20 jmp 1003BE2B

OK, now for all those who registered the program as above: don't go to enable it online now as the popup box says, or you will get this:

http://www.popupcop.com/registered.html?version=2.0.1.12&src=Cnet&ownername=sleepy&regcode=245234523


Chop the code off the end of the URL, however, to see the goodguy page online; neither one will affect your program, so don't worry 'bout it.


http://www.popupcop.com/registered.html?version=2.0.1.12


Chopped the end off to see the good crap heh


OK, this final part is optional; mainly we just use it to clean up the cracked app a lil bit so it doesn't look so unprofessional. Since I'm too lazy to crack out useless words and buttons, hehe, just delete them with Resource Hacker instead.

dialog, 105, 1033

{
CONTROL "", 270, BUTTON, BS_OWNERDRAW | BS_FLAT | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 51, 5, 148, 29
CONTROL "PopUpCop Internet Irritation Inhibitor (tm)", 300, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 2, 46, 248, 16
CONTROL "Copyright ©2001, 2002 EdenSoft (tm) all rights reserved", 301, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 1, 64, 248, 8
CONTROL "&Owner name", 281, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 14, 176, 57, 8
CONTROL "", 226, EDIT, ES_LEFT | ES_AUTOHSCROLL | ES_READONLY | WS_CHILD | WS_VISIBLE | WS_BORDER, 78, 173, 158, 14
CONTROL "&Registration code", 282, STATIC, SS_LEFT | WS_CHILD | WS_VISIBLE | WS_GROUP, 14, 196, 57, 8
CONTROL "", 224, EDIT, ES_LEFT | ES_AUTOHSCROLL | ES_READONLY | WS_CHILD | WS_VISIBLE | WS_BORDER, 78, 193, 158, 14
CONTROL "Buy PopUpCop...", 277, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 70, 194, 111, 14
CONTROL "", 241, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 1, 77, 248, 8
CONTROL "", 263, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 0, 94, 248, 24
CONTROL "", 284, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 0, 125, 248, 33
CONTROL "Close", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 100, 220, 50, 14
CONTROL "Credits....", 285, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 186, 220, 50, 14
CONTROL "Click below to buy PopUpCop!", 283, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 0, 169, 251, 15
}



Delete these two lines:

CONTROL "Click below to buy PopUpCop!", 283, STATIC, SS_CENTER | WS_CHILD | WS_VISIBLE | WS_GROUP, 0, 169, 251, 15

CONTROL "Buy PopUpCop...", 277, BUTTON, BS_PUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 70, 194, 111, 14

Compile and save...

Final thoughts

Well the program is cracked and email me if ya get bored.
Laterz!


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.