Cracking Tutorial #84: CryptEnCrypt.v1.12
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 12/2002
[difficulty:] beginner
[where:]
http://www.inetprom.com/softlab/
[tOOLz:] w32dasm 8.93, Hiew 6.0
KANAL23 Tutorial
Introduction
CryptEnCrypt is available for a free 10-day trial; it requires a registration fee if
you want to use it after the evaluation period. You may use this evaluation version
of the program for a period of 10 days. After that time you are expected to either
purchase the software, or to stop using it and remove it from your computer. By
paying a registration fee, you receive a license key unlocking the program into a
fully functional version without limitations. The software will still allow you to
decrypt files after the 10-day trial period is over; however, you will not be able
to use the encryption capabilities.
The Essay
Well, make the usual backups. I still don't have SI installed on this box, so this
is another boring patch tutorial. Disassemble the exe and let's run the program so
we get an idea of what needs fixing!
Hmm, looks like we get a startup nag. Ok, close the program, advance the date about
a month: the program is expired but still runs, we just can't encrypt anything
anymore.
Let's check the String Refs and find the message that is in the startup nag:
* Referenced by a CALL at Address:
|:004024FA   <- called from: line of code
* Possible Reference to Dialog: DialogID_009C   <- evil dialog box
:0040B05F 689C000000 push 0000009C
: lines and lines of code
* Possible StringData Ref from Data Obj ->"Your evaluation version has expired!"
:0040B20C 681C174700 push 0047171C   <- nag message pushed
...from there we can trace back and find that the call is made from here:
:004024FA E8418B0000 call 0040B040   <- call nag routine
So let's open up this area and find a way to fix this nag bug.
|:004024C8(C), :004024F1(U)
|
:004024F5 53 push ebx
:004024F6 8D4C2454 lea ecx, dword ptr [esp+54]
:004024FA E8418B0000 call 0040B040   <- call nag routine (where we start)
:004024FF 8D542418 lea edx, dword ptr [esp+18]
:00402503 899C2450050000 mov dword ptr [esp+00000550], ebx
:0040250A 52 push edx
:0040250B 681F000200 push 0002001F
:00402510 53 push ebx
* Possible StringData Ref from Data Obj ->"Software\Crypt"   <- registry key for valid code
:00402511 68F8114700 push 004711F8
:00402516 6801000080 push 80000001
:0040251B 895C2428 mov dword ptr [esp+28], ebx
* Reference To: ADVAPI32.RegOpenKeyExA, Ord:019Dh   <- open the registry key above
:0040251F FF153CC04500 Call dword ptr [0045C03C]
:00402525 8D442414 lea eax, dword ptr [esp+14]
:00402529 8D8C2460010000 lea ecx, dword ptr [esp+00000160]
:00402530 50 push eax
:00402531 8B44241C mov eax, dword ptr [esp+1C]
:00402535 8D54242C lea edx, dword ptr [esp+2C]
:00402539 51 push ecx
:0040253A 52 push edx
:0040253B 53 push ebx
* Possible StringData Ref from Data Obj ->"Key"   <- check "key"
:0040253C 687C124700 push 0047127C
:00402541 50 push eax
* Reference To: ADVAPI32.RegQueryValueExA, Ord:01A7h   <- query key value
:00402542 FF1538C04500 Call dword ptr [0045C038]
:00402548 837C241401 cmp dword ptr [esp+14], 00000001
:0040254D 0F8366010000 jnb 004026B9   <- jump if key is valid (offset 254D)
:00402553 8D4C2450 lea ecx, dword ptr [esp+50]
:00402557 E88CD00300 call 0043F5E8
:0040255C 8B9424C4000000 mov edx, dword ptr [esp+000000C4]
:00402563 83FA01 cmp edx, 00000001
:00402566 7546 jne 004025AE   <- jump to register webpage
:00402568 8D8C24CC000000 lea ecx, dword ptr [esp+000000CC]
:0040256F C784245005000002000000 mov dword ptr [esp+00000550], 00000002
Change this:
:0040254D 0F8366010000 jnb 004026B9
to this:
:0040254D E967010000 jmp 004026B9
:00402552 90 nop (x1)
No Mo' Nag
Ok, now we run the program and try to encrypt a file...What the hell is this?!?
CryptEncrypt
Your 10-day software trial has expired!
[OK]
Then it loads the webpage to register, and we see that the address is:
http://www.inetprom.com/softlab/order.html
...and the price for the bugfix is 49.95? sheeeeeesh
:0040316D 742E je 0040319D   <- looks like our solution, make it jmp (offset 316D)
:0040316F 8BCD mov ecx, ebp
:00403171 E85CC70300 call 0043F8D2
:00403176 6A00 push 00000000
:00403178 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Your 10-day software trial has "   <- expired nag
->"expired!"
:0040317A 6854134700 push 00471354
:0040317F E8FE320400 call 00446482
:00403184 6A03 push 00000003
:00403186 6A00 push 00000000
:00403188 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"http://www.inetprom.com/softlab/order.html"   <- webpage, hmm, just like the one we saw
:0040318A 6850124700 push 00471250
* Possible StringData Ref from Data Obj ->"open"   <- open the webpage
:0040318F 6848124700 push 00471248
:00403194 6A00 push 00000000
:00403196 FFD3 call ebx
:00403198 E95B030000 jmp 004034F8
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040316D(C)
|
:0040319D 57 push edi   <- land here past the nag
:0040319E 8BCD mov ecx, ebp
:004031A0 E88F980300 call 0043CA34
:004031A5 8B85A4000000 mov eax, dword ptr [ebp+000000A4]
:004031AB 6800614700 push 00476100
:004031B0 50 push eax
:004031B1 E8AC4C0200 call 00427E62
:004031B6 83C408 add esp, 00000008
:004031B9 85C0 test eax, eax   <- is a password entered to encrypt? (useless info)
:004031BB 7513 jne 004031D0   <- jump if yes
:004031BD 50 push eax
:004031BE 50 push eax
* Possible StringData Ref from Data Obj ->"Enter a password"
Change this:
:0040316D 742E je 0040319D
To this:
:0040316D EB2E jmp 0040319D
Now, while checking out the other files in the directory, you can disassemble this
one:
crpthndl.dll
and see that it has about the same routine as above:
:1000228A 7429 je 100022B5   <- let's make this one jump (offset 228A)
:1000228C 8BCE mov ecx, esi
* Reference To: MFC42.Ordinal:12F5, Ord:12F5h
:1000228E E8C9210000 Call 1000445C
:10002293 53 push ebx
:10002294 53 push ebx
* Possible StringData Ref from Data Obj ->"Your 10-day software trial has "   <- nag
->"expired!"
:10002295 683C920010 push 1000923C
* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
:1000229A E8891F0000 Call 10004228
:1000229F 6A03 push 00000003
:100022A1 53 push ebx
:100022A2 53 push ebx
* Possible StringData Ref from Data Obj ->"http://www.inetprom.com/softlab/order.html"   <- webpage
Change this:
:1000228A 7429 je 100022B5
To this:
:1000228A EB29 jmp 100022B5
The second part, dealing with the "10-day software trial has expired" message,
might be for a different OS version (or left over from a previous version), judging
by appearance; on XP, at least for me, only the 1st part needs cracking.
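As an added example (not part of the original tutorial), here is a small Python checker that parses listing lines in the w32dasm style shown above and confirms that each branch's stated target agrees with the relative displacement encoded in its opcode bytes. It handles the three forms that appear on this page (short rel8 Jcc/JMP, near E9 JMP rel32, near 0F 8x Jcc rel32); the sample lines are copied from the listings above and are labelled as a constructed sample.

```python
import re

# Constructed sample: branch lines taken from the listings on this page.
LISTING = """\
:0040254D 0F8366010000 jnb 004026B9
:0040254D E967010000 jmp 004026B9
:00402566 7546 jne 004025AE
:0040316D 742E je 0040319D
:0040316D EB2E jmp 0040319D
:1000228A 7429 je 100022B5
:1000228A EB29 jmp 100022B5
"""

# address, opcode bytes, mnemonic, stated target (all hex, as w32dasm prints them)
LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(j\w+)\s+([0-9A-Fa-f]{8})$")


def decode_branch(line):
    """Parse one listing line into (addr, opcode bytes, mnemonic, stated target)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3).lower(), int(m.group(4), 16)


def branch_target(addr, code):
    """Target implied by the displacement: it is relative to the *next* instruction."""
    if len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        disp = int.from_bytes(code[2:6], "little", signed=True)   # near Jcc rel32
    elif len(code) == 5 and code[0] == 0xE9:
        disp = int.from_bytes(code[1:5], "little", signed=True)   # near JMP rel32
    elif len(code) == 2 and (0x70 <= code[0] <= 0x7F or code[0] == 0xEB):
        disp = int.from_bytes(code[1:2], "little", signed=True)   # short Jcc/JMP rel8
    else:
        raise ValueError("unsupported branch encoding: %s" % code.hex())
    return addr + len(code) + disp


def check_listing(text):
    """Map each branch line to True if its stated target matches its bytes, else False."""
    results = {}
    for line in text.splitlines():
        parsed = decode_branch(line)
        if parsed is None:
            continue
        addr, code, _mnemonic, stated = parsed
        results[line.strip()] = branch_target(addr, code) == stated
    return results
```

Any line reported False means the listing was transcribed or edited inconsistently, which is worth knowing before trusting a disassembly excerpt from any source.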
Cracked!
Final thoughts
"ZEN IS TO LIFE WHAT THE ZERO IS TO MATHEMATICS."
-Zen Saying
Greetings
Groups:
FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN,
GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read
from everyone who writes them.
CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy &
http://www.bright.net/~testsubject001
Mail sleepy@linuxwaves.com
This document is copyrighted by kanal23 and its members. Please mail the author of
this document for complaints and those things.
Kanal23 is signing out for now.