dllshow1.htm REVERSING DLLSHOW, by A+heist

Snippets

REVERSING DLLSHOW
by A+heist

Courtesy of fravia's page of reverse engineering, 26 July 1998

Well, I'm sorry if you'll find this little crack too easy, it's just that I had to crack this program quickly because I needed to check which dll where called by ANOTHER target I'm working on, and since I did it, I thought, what the heck, let's prepare a small beginner essay and see if fravia will publish it.

Dllshow, version 3.2, is a small utility by Gregory Brown, that displays a list of all tasks and processes currently running on your MS Windows 95 system and has been published (for instance) on PCTeam CD PRO 35, anyway you'll find this tool all over the web.

Relatively small and useful for our dll and exe sniffing everyday activities (you don't always have to use the heavy winice artillery, do you?). This little program will give you a first opportunity to use some 'zen' feeling (it's an elementary crack for beginners only anyway).

Here you go:

1)

:0A0D7 3BC5         cmp eax, ebp  ; everything OK?

:0A0D9 741E         je 0A0F9      ; go ahead good_guy

:0A0DB 688A130000   push 0000138A ;"An invalid software registration number was detected"



Ah ah!, that jump at 0A0D9 need a fix



2)

:09925 833DCC63420000  cmp dword ptr [263CC], 0       ;d'we have FALSE flag?

:0992C B868634200      mov eax, 26368		      ;prepare good eax

:09931 7505            jne 09938                      ;and if not, go ahead gg

:09933 B834EA4100      mov eax, 1EA34                 ;else "30-Day Shareware Evaluation"

						

Ah ah!, that location [263CC] is a flag set to FALSE!



3)

:09725 3B05CC634200         cmp eax, dword ptr [263CC] ;d'we have good user?

:0972B 7414                 je 09741		       ;yes, so do not

:0972D C705CC63420000000000 mov dword ptr [263CC], 0   ; FALSE in flag_1

:09737 C705D063420001000000 mov dword ptr [263D0], 1   ; TRUE in flag_2



So, here I would suggest to change the mov at 0972D to charge a TRUE (instead of a FALSE) 

in flag 1, and since there is another flag two which is set to true in the unregistered version, 

let's set that to false for good measure.

Well, that's all, actually...