Cracking Tutorial #75:
LinkStash - Version 1.1.0.14
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 09/2002
[difficulty:] beginner
[where:] http://www.xrayz.co.uk/download/?page=linkstash 
http://www.xrayz.co.uk/download/?page=default
[tOOLz:] W32dasm 8.93, Hiew, Resource Hacker


KANAL23 Tutorial

http://www.kanal23.net






Introduction

LinkStash is a nice little bookmark-sorting app for IE or whatever browser you use. Yes, this is a nop-and-jmp tutorial, so it's probably stuff you already know.

The Essay

OK, run the program and try to register it. What?...

LinkStash
You must enter a valid name and license code. Please check you have entered both correctly and that they are identical to your registration details.
[OK]

We also notice that the app has a 30-day trial.


Now we must make this program accept any code as a valid registration.


:0041D56C FF5208 call [edx+08]
:0041D56F 85C0 test eax, eax
:0041D571 753C jne 0041D5AF
<-this jumps down to the good happy land!

* Possible Reference to String Resource ID=00274: "You must enter a valid name and license code. Please check y"
<-bad crappy land (the error message)


When you take the above jump you land here:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D571(C)
|

* Possible Reference to String Resource ID=00275: "Thank you for purchasing LinkStash."
<-good happy land

:0041D5AF 6813010000 push 00000113


You also have to patch this location:

:0044EED3 7521 jne 0044EEF6 <-patch this location to jump
:0044EED5 E88AF3FFFF call 0044E264
:0044EEDA 85C0 test eax, eax
:0044EEDC 7418 je 0044EEF6
<-this one could probably be patched instead if you want
:0044EEDE FF74240C push [esp+0C]
:0044EEE2 FF74240C push [esp+0C]

* Possible Reference to String Resource ID=00274: "You must enter a valid name and license code. Please check y"
<-bad crap land message

:0044EEE6 6812010000 push 00000112
:0044EEEB FF701C push [eax+1C]

* Reference To: USER32.SendMessageA, Ord:023Bh

:0044EEEE FF15C0364600 Call dword ptr [004636C0]
:0044EEF4 EB07 jmp 0044EEFD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0044EED3(C), :0044EEDC(C)
|
:0044EEF6 8BCE mov ecx, esi
<-land here past the invalid error msg
:0044EEF8 E8C7FDFEFF call 0043ECC4


So we just change these 2 locations:
:0041D571 753C jne 0041D5AF
:0044EED3 7521 jne 0044EEF6

Into these:
:0041D571 EB3C jmp 0041D5AF
:0044EED3 EB21 jmp 0044EEF6


Now any code you enter will register, but it makes no difference to the trial, so on to the rest of the brutal patching. Fast-forward the system date about a month, run the program, and we get this error now:

LinkStash
The evaluation period has expired, please purchase LinkStash to continue using it.
[OK]



What is this message talking about? We just installed this program! Look in the String Refs, trace the message down, and you will land here:


:00413C12 7518 jne 00413C2C
<-hey, this could jump past our error msg
:00413C14 8BCD mov ecx, ebp
:00413C16 E83568FFFF call 0040A450
:00413C1B 85C0 test eax, eax
:00413C1D 750D jne 00413C2C 
<-hey, this could jump past our error msg too

* Possible Reference to String Resource ID=00255: "%1!d! Bookmarks, %2!d! Sub-folders"

:00413C1F 6AFF push FFFFFFFF
:00413C21 50 push eax

* Possible Reference to String Resource ID=00278: "The evaluation period has expired, please purchase LinkStash"
<-crappy error

:00413C22 6816010000 push 00000116
<-land here, trace up
:00413C27 E81E610300 call 00449D4A


So just change this:
:00413C12 7518 jne 00413C2C
to this:
:00413C12 EB18 jmp 00413C2C

This gets rid of our eval-expired nag, but there is still the register box that normally pops up after the nag and wants us to enter the code. Following the code down, we find these two places that we need to reverse so that box doesn't pop up every time:


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413C12(C), :00413C1D(C)
|

:00413C2C 8B86CC000000 mov eax, dword ptr [esi+000000CC]
:00413C32 85C0 test eax, eax
:00413C34 0F85CC000000 jne 00413D06
<-reverse, this jumps to the register box routine
:00413C3A 8BCD mov ecx, ebp
:00413C3C E80F68FFFF call 0040A450
:00413C41 8B552C mov edx, dword ptr [ebp+2C]
:00413C44 33C9 xor ecx, ecx
:00413C46 3BC2 cmp eax, edx
:00413C48 0F9EC1 setle cl
:00413C4B 8BC1 mov eax, ecx
:00413C4D 85C0 test eax, eax
:00413C4F 0F84B1000000 je 00413D06
<-reverse, this jumps to the register box routine
:00413C55 E813EE0200 call 00442A6D
:00413C5A 85C0 test eax, eax


How do we know it's here? The code reads downward, and what comes next after the popup is the register box, so it's only logical that it's further down from the nag code.

So just change these:
:00413C34 0F85CC000000 jne 00413D06
:00413C4F 0F84B1000000 je 00413D06

To these:
:00413C34 0F84CC000000 je 00413D06
:00413C4F 0F85B1000000 jne 00413D06


OK, run the app: no more register box. We still have that splash screen, though. There is an option to disable it, but when we try to click it we get another popup:

LinkStash
You must purchase LinkStash to do this.
Would you like to purchase LinkStash now?
[Yes] [No]


OK, so once again go back to the dead listing in W32dasm and check the String Refs; it will put you here:


:004135DA 7553 jne 0041362F <-This seems to jump past the whole routine
:004135DC A1601E4800 mov eax, dword ptr [00481E60]
:004135E1 85C0 test eax, eax
:004135E3 7407 je 004135EC
:004135E5 0578020000 add eax, 00000278
:004135EA EB02 jmp 004135EE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004135E3(C)
|
:004135EC 33C0 xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004135EA(U)
|
:004135EE 6A01 push 00000001

* Possible Reference to Dialog: DialogID_0099, CONTROL_ID:0412, "S&how splash screen"

:004135F0 6812040000 push 00000412
:004135F5 8BCE mov ecx, esi
:004135F7 C7809400000001000000 mov dword ptr [ebx+00000094], 00000001
:00413601 E8A0E70200 call 00441DA6

* Possible Reference to String Resource ID=00255: "%1!d! Bookmarks, %2!d! Sub-folders"

:00413606 6AFF push FFFFFFFF
:00413608 6A04 push 00000004

* Possible Reference to String Resource ID=00253: "You must purchase LinkStash to do this. Would you like to p"
<-land here, trace up

:0041360A 68FD000000 push 000000FD
:0041360F E836670300 call 00449D4A
:00413614 83F806 cmp eax, 00000006
:00413617 7516 jne 0041362F
:00413619 8B461C mov eax, dword ptr [esi+1C]
:0041361C 6A00 push 00000000

* Possible Ref to Menu: MenuID_0080, Item: "Purchase/Register LinkStash..."

* Possible Reference to String Resource ID=32879: "Buy LinkStash"

:0041361E 686F800000 push 0000806F

* Possible Reference to String Resource ID=00273: "Evaluation period remaining : %1!d! Days"

:00413623 6811010000 push 00000111
:00413628 50 push eax

* Reference To: USER32.SendMessageA, Ord:023Bh
:00413629 FF15C0364600 Call dword ptr [004636C0]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004135DA(C), :00413617(C)
|
:0041362F 5E pop esi
<-take the jump above and land here, skip the routine
:00413630 C3 ret


So change this:
:004135DA 7553 jne 0041362F
to this:
:004135DA EB53 jmp 0041362F


Now we can put the check mark in the options box without that annoying popup, but after a restart the check comes back and the splash is still there. We are crackers, so let's just trash the splash without even messing with the check box; let's disable it for good:

To find the splash screen I just ran the W32dasm debugger and set breakpoints. The entire splash screen works like this.

The code runs down and hits this call first:

:00429C3E E8A40E0100 call 0043AAE7

Once inside this call it trickles down to the next call, which I didn't know where it would lead to; hence why I used the debugger.

:00445A4F FF5050 call [eax+50] <-step into this call

After going into this call we will land around here:


:00413A79 7410 je 00413A8B <-here is a place we can jump past the nag
:00413A7B 8D8EF4000000 lea ecx, dword ptr [esi+000000F4]
:00413A81 51 push ecx
:00413A82 6A00 push 00000000
:00413A84 8BC8 mov ecx, eax
:00413A86 E8D5B10000 call 0041EC60 <-call our nag screen

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00413A79(C)
|
:00413A8B C78424E8000000FFFFFFFF mov dword ptr [esp+000000E8], FFFFFFFF
<-land here, nag gone


If we continue through the calls we can see that the nag is created, and eventually we get to the API function that makes the nag appear:

:0041ECD4 E8A4F30100 call 0043E07D <-step into this call
:0043E111 E848000000 call 0043E15E
<-step into this call

Trace down for a while and eventually you will get here:

* Reference To: USER32.CreateDialogIndirectParamA, Ord:0052h

:0043E2D0 FF1590354600 Call dword ptr [00463590]
<-API function that creates the nag dialog.


Just change this:
:00413A79 7410 je 00413A8B
to this:
:00413A79 EB10 jmp 00413A8B


Well this is all that is needed for a cracked copy!
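Seen from the other side of the fence, every patch above is one of three byte-level idioms: a short conditional jump turned into an unconditional one (75 xx -> EB xx), a condition inverted (74 <-> 75, 0F 84 <-> 0F 85), or a jump nopped out (74 xx -> 90 90). The helper below is an added example, not part of this tutorial, of how an integrity check or a forensic diff can name those idioms when comparing a pristine image with a suspect one; the sample bytes and offsets are constructed, not real LinkStash file offsets.

```python
from dataclasses import dataclass
from typing import List

JCC_SHORT = range(0x70, 0x80)     # 74 je, 75 jne, ... (rel8 forms)
JCC_NEAR_2ND = range(0x80, 0x90)  # 0F 84 je, 0F 85 jne, ... (rel32 forms)
JMP_SHORT, NOP = 0xEB, 0x90

@dataclass
class Patch:
    offset: int    # offset of the first byte of the patched instruction
    kind: str
    before: bytes
    after: bytes

def classify_patches(orig: bytes, mod: bytes) -> List[Patch]:
    """Diff two same-sized images and label each change by the x86 idiom used."""
    assert len(orig) == len(mod), "compare same-sized images"
    found, i = [], 0
    while i < len(orig):
        if orig[i] == mod[i]:
            i += 1
            continue
        b, m = orig[i], mod[i]
        if b in JCC_SHORT and m == JMP_SHORT:           # 75 xx -> EB xx
            kind, start, n = "short jcc -> jmp (always taken)", i, 2
        elif b in JCC_SHORT and m == (b ^ 1):           # 74 <-> 75
            kind, start, n = "short jcc inverted", i, 2
        elif b in JCC_SHORT and mod[i:i + 2] == bytes([NOP, NOP]):
            kind, start, n = "short jcc nopped (never taken)", i, 2
        elif i and orig[i - 1] == 0x0F and b in JCC_NEAR_2ND and m == (b ^ 1):
            kind, start, n = "near jcc inverted", i - 1, 6  # 0F 84 <-> 0F 85
        else:                                           # anything else: raw run
            n = 1
            while i + n < len(orig) and orig[i + n] != mod[i + n]:
                n += 1
            kind, start = "unclassified byte change", i
        found.append(Patch(start, kind, orig[start:start + n], mod[start:start + n]))
        i = start + n
    return found

# Constructed sample (NOT real LinkStash file offsets): three checks in their
# original form, then after the three kinds of patch applied in the tutorial.
ORIGINAL = bytes.fromhex("85C0 753C  85C0 0F85CC000000  85C0 7434  C3")
PATCHED = bytes.fromhex("85C0 EB3C  85C0 0F84CC000000  85C0 9090  C3")

def detect_tutorial_patches() -> List[Patch]:
    return classify_patches(ORIGINAL, PATCHED)
```

Run it on a pristine copy and a copy pulled from a machine under investigation and the report tells you which checks were forced, inverted or removed, which is far more useful than a bare "hash mismatch".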

Now we want to clean up the app a little so it looks less cracked, starting with the "eval days remaining" text that appears everywhere. In the String Refs the days-remaining string appears in so many places, so instead of looking for that, let's look for what would be shown instead, say "Licensed to", and here we go.


:0041D356 7434 je 0041D38C <-jumps to 41D38C, the eval days remaining msg
:0041D358 8D542404 lea edx, dword ptr [esp+04]
:0041D35C 52 push edx
:0041D35D E87E000000 call 0041D3E0
:0041D362 8B00 mov eax, dword ptr [eax]
:0041D364 8D4C2400 lea ecx, dword ptr [esp]
:0041D368 50 push eax

* Possible Reference to String Resource ID=00272: "Licensed to %1"
<-what we want

:0041D369 6810010000 push 00000110
:0041D36E 51 push ecx
:0041D36F C644242002 mov [esp+20], 02
:0041D374 E851DE0100 call 0043B1CA
:0041D379 83C40C add esp, 0000000C
:0041D37C 8D4C2404 lea ecx, dword ptr [esp+04]
:0041D380 C644241401 mov [esp+14], 01
:0041D385 E8EC500200 call 00442476
:0041D38A EB18 jmp 0041D3A4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041D356(C)
|
:0041D38C E8BFD0FEFF call 0040A450
:0041D391 50 push eax
:0041D392 8D542404 lea edx, dword ptr [esp+04]

* Possible Reference to String Resource ID=00273: "Evaluation period remaining : %1!d! Days"


So just change this:
:0041D356 7434 je 0041D38C
to this:
:0041D356 9090 nop / nop (two NOPs, so the jump is never taken)


Now it says "Licensed to" in the windows instead of eval days left. Next, you can use Regmon to see where the license info is stored (start Regmon, then start the app; after the app loads, pause Regmon):

HKEY_CURRENT_USER\Software\XRayz\LinkStash\License
Code
Name


However, it deletes the values we put in the registry, and it stumped me because I got rid of all the RegDeleteValue and RegDeleteKey API functions, so it must be something else, or in one of the other files, but we don't have any more time to waste on this when it can be solved in a much easier way.

[THE API FUNCTIONS FOR DELETING REGISTRY VALUES]
* Reference To: ADVAPI32.RegDeleteValueA, Ord:01D1h
* Reference To: ADVAPI32.RegDeleteKeyA, Ord:01CFh


So the hell with it: let's open up Resource Hacker and go to this location:

String
 -18
  -2057


STRINGTABLE
LANGUAGE LANG_ENGLISH, SUBLANG_ENGLISH_UK
{
272, "Licensed to %1"
273, "Evaluation period remaining : %1!d! Days"
274, "You must enter a valid name and license code. Please check you have entered both correctly and that they are identical to your registration details."
275, "Thank you for purchasing LinkStash."
277, "http://www.xrayz.co.uk/purchase/linkstash.html"
278, "The evaluation period has expired, please purchase LinkStash to continue using it."
280, "You will now need to specify the Opera Hotlist file that you want to import."
281, "Find"
282, "The end of the file has been reached, start the search from the beginning?"
}



OK so we just change this:
272, "Licensed to %1"

To this:
272, "Licensed to: sLeEpY¿[Cracked iN 2002]"

Compile and save, and the program is cracked =) Wherever it used to say "Licensed to", it will now say "Licensed to: sLeEpY¿[Cracked iN 2002]".

Final thoughts

Time for a smoke.


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by Kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.
