Cracking Tutorial #79: Cracking Goldwave 4.26
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 11/2002
[difficulty:] beginner
[where:] http://www.goldwave.com/
[tOOLz:] W32dasm 8.93 & Hiew
So anyway, it's been a couple of months, mainly because I needed a break and the kids are driving me crazy. Anyway, one Friday at work this tutorial was born. I upgraded this computer at work to XP because I can't put Linux on it, due to people who don't understand it, so until I figure out how to run SoftICE on XP I'm just going to have some crappy patch tutorials that take no brains to do. This tut was also done because any tut I find online about GoldWave is serial fishing. So off we go. Yay..
From the goldwave readme/help file:
This application is a fully functional shareware version of the GoldWave digital
audio editor. Shareware allows you to try a program before you buy it. After
you've tried GoldWave, if you decide to keep it, you are required to register
it.
Usage Limit
The toll counter in the status bar gives you a rough idea of the benefit you
have received from using GoldWave. This shareware version is limited to 150
commands each session. When the limit is reached, a toll message will appear
whenever you use a control in the Device Controls window. Exiting and restarting
GoldWave will let you use another 150 commands without interruption. By
registering, you will receive a license that removes this toll counter
completely.
So running the program we are greeted with a NAG of the help screen:
GoldWave Help <-nag at startup
Try to register it and for some reason it doesn't accept the code?!?
Register
Invalid registration. Please be sure to enter the information exactly as given
in the license.
Check the about box and we find "not registered" crap in there.
Finally play a song and spend over a buck fifty and you get:
Shareware Toll Limit
This shareware has a $1.50 limit each time the program is started.
Please register today on www.goldwave.com to receive a personalized password to
remove all toll limits and messages.
[OK] [Cancel]
Plenty of weakness here to exploit!
Disassemble the program in W32dasm after you have backed up your EXE.
Let's check the String Refs and look for "registered". It usually never fails.
:0044639D 7438 je 004463D7 <-Nop (offset 4599d)
* Possible StringData Ref from Data Obj ->"Registered!"
:0044639F 68AFF74E00 push 004EF7AF
:004463A4 8B5594 mov edx, dword ptr [ebp-6C]
:004463A7 8B0A mov ecx, dword ptr [edx]
:004463A9 8B410C mov eax, dword ptr [ecx+0C]
:004463AC 50 push eax
* Reference To: USER32.SetWindowTextA, Ord:0000h
:004463AD E860B20900 Call 004E1612
* Possible StringData Ref from Data Obj ->"Thank you for"
:more blah blah blah
Well we just need to make the simple change at offset 4599d like so:
Change this:
:0044639D 7438 je 004463D7
to this:
:0044639D 9090 NopX2
This makes the about box display registered and thanks and all that stuff.
Well, next let's get rid of that crappy nag screen startup help file call. We know
that the help file is what pops up, so look in the GoldWave directory for the name
of it: goldwave.hlp
OK, not much thought in that. Check the String Refs again and we can find this:
Startup Nag is the helpfile:
one of these locations is the startup call for this nag
* Referenced by a CALL at
Addresses:
|:004434C6 , :004440A3 , :0044415D , :0044592E , :0044641F
|:0044645A , :00446492 , :004AD572 , :004AFC2A , :004AFC62
|
:00445870 55 push ebp
:00445871 8BEC mov ebp, esp
:00445873 83C4EC add esp, FFFFFFEC
:00445876 53 push ebx
:00445877 56 push esi
:00445878 57 push edi
* Possible StringData Ref from Data Obj ->"goldwave.hlp"
<-help file
Why do we know this? Because 8 places (most likely) in the program call
goldwave.hlp, as we can see from the calls listed above goldwave.hlp. Now some probably
belong to "help" buttons or something similar, but one has to go to the startup
help screen. The best way is just trial and error: nop out each call
until you find the one that messes with the startup nag. Once you find that you
know which call it is from and can then continue on to patch it out.
And it is here:
:0044641F E84CF4FFFF call 00445870 <-call goldwave.hlp
A little above it we see a conditional jump; let's make it unconditional!
:0044641B 752D jne 0044644A (offset 45A1B) <-make jmp
:0044641D 6A00 push 00000000
:0044641F E84CF4FFFF call 00445870
So if this jump is taken then the call to the helpfile is skipped.
So change this:
:0044641B 752D jne 0044644A (offset 45A1B)
to this:
:0044641B EB2D jmp 0044644A (offset 45A1B)
Start the program and hey, no more startup nag screen.
While running the program we notice the stupid little toll counter,
Toll: $0.00, and once it hits a buck fifty you get this error:
Shareware Toll Limit
This shareware has a $1.50 limit each time the program is started.
Please register today on www.goldwave.com to receive a personalized password to
remove all toll limits and messages.
[OK] [Cancel]
Ya..ok...
In the String Refs we find these:
"Shareware Toll Limit" <-go here and scroll up and you will see the error msg
"Toll: $%ld.%02ld"
* Referenced by a CALL at
Address:
|:00444451
|
:004433FC 55 push ebp
:004433FD 8BEC mov ebp, esp
:004433FF 51 push ecx
:00443400 53 push ebx
:00443401 56 push esi
:00443402 57 push edi
:00443403 8B4508 mov eax, dword ptr [ebp+08]
:00443406 80B87407000000 cmp byte ptr [eax+00000774], 00
:0044340D 0F85D4000000 jne 004434E7 <-here we are!!!!!!!!
:00443413 81B87007000096000000 cmp dword ptr [eax+00000770], 00000096
(96h = 150d)
:0044341D 0F8CC4000000 jl 004434E7 <-or here! (jump if less than 150)
:00443423 F6807007000001 test byte ptr [eax+00000770], 01
:0044342A 0F85B7000000 jne 004434E7 <-or here!
:00443430 83784300 cmp dword ptr [eax+43], 00000000
* Possible StringData Ref from Data Obj ->"This shareware has a $1.50 limit "
->"each time the program is started."
|
:00443434 8B3D04EC4E00 mov edi, dword ptr [004EEC04]
:
:lines of code
:
:00443483 6A31 push 00000031
* Possible StringData Ref from Data Obj ->"Shareware Toll Limit"
Eventually you will get here and notice that it jumps past all the error junk.
Change this:
:0044340D 0F85D4000000 jne 004434E7 <-(offset 42A0D)
to this:
:0044340D E9D500000090 jmp 004434E7
You could also trace the call back, look a little farther up, and see this:
:0044444E 740E je 0044445E <-make it jump instead; that will crack it too
:00444450 53 push ebx
:00444451 E8A6EFFFFF call 004433FC <-call the routine above
So making this jump seems to work:
:0044444E 740E je 0044445E <-this would be the jump if it were regged
Change to:
:0044444E EB0E jmp 0044445E
So we see here:
:00443413 81B87007000096000000 cmp dword ptr [eax+00000770], 00000096 (96h = 150d)
That it is comparing what we have used with 150: if it's less than that we are OK, if
not we get the $1.50 error msg.
OK, so now I owe $5.05 on my toll and no error message yet; looks good =)
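As an added illustration (not part of the original tutorial), here is a Python check built only from the four patch sites quoted above: it maps each virtual address to the file offset the tutorial gives, decodes the jumps to confirm that the jne and its jmp replacement land on the same target (which is why the rel32 becomes D5 once the 6-byte jne is replaced by a 5-byte jmp plus a nop), and reports whether a copy of the executable still carries the original bytes or the patched ones. The 0x400000 image base and the RVA-to-raw delta are assumptions derived from the tutorial's own VA/offset pairs, and the sample buffer is constructed, not a real binary.

```python
"""Integrity check for the GoldWave 4.26 patch sites (constructed example)."""
import struct

IMAGE_BASE = 0x400000                  # assumed: typical Win32 image base
# Assumed delta between RVA and raw file offset, derived from the tutorial's
# pair VA 0x0044639D <-> file offset 0x4599D.
RVA_TO_RAW_DELTA = 0x4639D - 0x4599D   # 0xA00

def va_to_offset(va):
    """Virtual address -> file offset, using the delta above."""
    return va - IMAGE_BASE - RVA_TO_RAW_DELTA

def branch_target(va, code):
    """Resolve the destination of a short/near je, jne or jmp located at va."""
    if code[0] in (0x74, 0x75, 0xEB):                  # je/jne/jmp rel8
        return va + 2 + struct.unpack('<b', code[1:2])[0]
    if code[0] == 0xE9:                                # jmp rel32
        return va + 5 + struct.unpack('<i', code[1:5])[0]
    if code[0] == 0x0F and code[1] in (0x84, 0x85):    # je/jne rel32
        return va + 6 + struct.unpack('<i', code[2:6])[0]
    raise ValueError("unsupported opcode %02x" % code[0])

# (VA, original bytes, bytes after the tutorial's patch) - all quoted in the text
SITES = [
    (0x0044639D, bytes.fromhex("7438"), bytes.fromhex("9090")),
    (0x0044641B, bytes.fromhex("752D"), bytes.fromhex("EB2D")),
    (0x0044340D, bytes.fromhex("0F85D4000000"), bytes.fromhex("E9D500000090")),
    (0x0044444E, bytes.fromhex("740E"), bytes.fromhex("EB0E")),
]

def classify(data):
    """Return {va: 'original' | 'patched' | 'unknown'} for every site."""
    result = {}
    for va, orig, patched in SITES:
        off = va_to_offset(va)
        chunk = data[off:off + len(orig)]
        result[va] = ('original' if chunk == orig else
                      'patched' if chunk == patched else 'unknown')
    return result

def build_sample(patched=False):
    """Constructed stand-in for goldwave.exe: zero-filled buffer with site bytes."""
    buf = bytearray(0x50000)
    for va, orig, pat in SITES:
        off = va_to_offset(va)
        buf[off:off + len(orig)] = pat if patched else orig
    return bytes(buf)

if __name__ == "__main__":
    for va, state in classify(build_sample(patched=True)).items():
        print("%08X: %s" % (va, state))
```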
Now let's trash that register button: open up this prog in Resource Hacker or
whatever resource editing program you like and delete it out.
In resource hacker it is here:
Menu
-100
-0
then look for this:
MENUITEM SEPARATOR
POPUP "&Options"
{
MENUITEM "&Colours...", 401, GRAYED
MENUITEM "&Controls...", 386, GRAYED
MENUITEM "&File...", 402, GRAYED
MENUITEM "File &types...", 403, GRAYED
MENUITEM "Tool &bar...", 405, GRAYED
MENUITEM "&Window...", 404, GRAYED
MENUITEM "&Register...", 410
}
And change it to this:
MENUITEM SEPARATOR
POPUP "&Options"
{
MENUITEM "&Colours...", 401, GRAYED
MENUITEM "&Controls...", 386, GRAYED
MENUITEM "&File...", 402, GRAYED
MENUITEM "File &types...", 403, GRAYED
MENUITEM "Tool &bar...", 405, GRAYED
MENUITEM "&Window...", 404, GRAYED
}
Cracked. If you're bored you can also personalize it a bit: go to the about
dialog and change stuff there.
Final Thoughts:
As one lamp serves to dispel a thousand years of darkness, so one flash of wisdom destroys ten thousand years of ignorance.
- Hui-Neng
Greetz:
Groups:
FWA, NWA,
FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ
& his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21,
Acid_Cool_178, All those tuts I read from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com