November  1999
"Smart Whois v2.1"
( 'Ignoring anti ProcDump trick'  )
Win '95 PROGRAM
Win Code Reversing
 
by The Snake
 
 
Code Reversing For Beginners
 
Program Details
Program Name: sw2.zip
Program Type: www utility (IP)
Program Location: Here
Program Size: 651kb
 
 
 
Tools Used:
 Softice V4.0 - Win'95 Debugger
 W32Dasm V8.93 - Win'95 Disassembler
 UnAspack v1.0 - Aspack Unpacker
 
Rating
Easy (x )  Medium ()  Hard ( )  Pro ( )
 


Smart Whois v2.1
( 'Ignoring anti ProcDump trick'  )
Written by The Snake
Introduction

The author of SmartWhois v2.1 says:

 SmartWhois is a handy utility for obtaining information about any IP address or
 hostname in the world. Unlike standard whois utilities, it automatically delivers
 information associated with an IP address no matter where it is registered
 geographically. In just a few seconds you get all you want to know about a user:
 domain, network name, country, state or province, city. Even if the IP address
 cannot be resolved to a hostname, SmartWhois won't fail!
 
About this protection system

 This program was packed with Aspack v1.083. This info can be found by using
 Gettype (you can download it from my tools page).
 This tutorial will be in 2 parts:
 part 1 - how to unpack a program packed with Aspack v1.083, using Unaspack.
 part 2 - how to crack SmartWhois v2.1.

 You can download "Unaspack" by "bane" from my tools page.
 The program saves its settings in the registry under:

  HKLM\Software\Swhois2

  The program doesn't have any registration window... what to do? Let's see..
 
The Essay

 Usually, when I have a new tool in hand, the first thing I do is to run it a few times, to get some idea about
  the weak parts of the protection routine, and to get some good hints.
  If you did it, you can see that there is no way to register this program with a registration window, and when we
  close it, we get a message "Thank you for trying this evaluation version".
  Ok, we have what to look for, time to create a dead list using W32dasm... can you find it? NOOO...
  There are no "String References" and no "imports/exports"..... This prog is written in VB or it is packed...
  To check it out, copy swhois2.exe to the GETTYPE directory, and under "dos" type:
  gtw.exe swhois2.exe /ze /p     we can see that the packer is Aspack v1.083.

  At this point DON'T try to use ProcDump, this program uses an anti ProcDump trick. Save your time: I had to
  brutally shut down my machine and restart it, this trick causes the system to "freeze"..

 PART ONE - how to unpack the program using Unaspack:

 The first step will be to COPY swhois2.exe to the directory of Unaspack.
 Switch to DOS mode, and in Unaspack's directory type:
 unaspack.exe swhois2.exe and "Enter". You should get these 2 lines:
 swhois2.exe - ASPack 1.08.03
 swhois2.exe - nothing found.         ignore this message.
 Now, looking at the file size, can you see that it is bigger than the original?
 Save the original files with other names, and copy the unpacked files back to the swhois directory.
 Run the program, so far, everything looks fine. Let's go and see if something changed, using w32dasm.
 We can see that the dead list still does not show us the "imports" nor the "string references".
 There is one more thing to be done: fire up ProcDump (you know where to get it),
 choose the "pe editor", and choose "swhois.exe". We're in the "PE structure editor",
 so click on the "sections" button and you'll see that all the sections' characteristics (right
 column) are C0000040. Right-click with the mouse on the .text section, and choose
 "edit section". At the bottom right corner, change it to "E0000020" and click "ok" 3 times.
 Now go to w32dasm again.
 Are we done?? Yap, let's crack it.
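The section-characteristics step above is worth understanding rather than just typing in: C0000040 is READ|WRITE|INITIALIZED_DATA (a data section), while E0000020 adds CODE|EXECUTE, which is why W32Dasm would not treat .text as code until it was changed. The following is an added example, not part of the original essay or of ProcDump: a small PE section-table reader that decodes these flag values and applies two triage heuristics an analyst uses to spot packed or hand-edited images; `build_pe` constructs a minimal synthetic header for offline testing and is not a real file.

```python
import struct

SECTION_FLAGS = {                      # IMAGE_SCN_* bits from the PE/COFF spec
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}

def decode_flags(characteristics):
    """Names of the IMAGE_SCN_* bits set in a Characteristics value, lowest bit first."""
    return [name for bit, name in sorted(SECTION_FLAGS.items()) if characteristics & bit]

def parse_sections(data):
    """DOS header -> PE signature -> COFF header -> section table; returns [(name, chars)]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # IMAGE_FILE_HEADER: we only need NumberOfSections and SizeOfOptionalHeader
    _, num_sections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, e_lfanew + 4)
    offset = e_lfanew + 24 + opt_size             # first IMAGE_SECTION_HEADER
    sections = []
    for _ in range(num_sections):
        name = struct.unpack_from("<8s", data, offset)[0].rstrip(b"\0").decode("ascii")
        characteristics = struct.unpack_from("<I", data, offset + 36)[0]
        sections.append((name, characteristics))
        offset += 40                              # sizeof(IMAGE_SECTION_HEADER)
    return sections

def packer_indicators(sections):
    """Two cheap triage heuristics: a .text section carrying no code/execute bit
    (what the essay saw after Unaspack) and any section that is writable AND executable."""
    findings = []
    for name, chars in sections:
        if name == ".text" and not chars & 0x20000020:
            findings.append(f"{name}: code section not flagged as code ({chars:08X})")
        if chars & 0x20000000 and chars & 0x80000000:
            findings.append(f"{name}: writable and executable ({chars:08X})")
    return findings

def build_pe(sections):
    """Constructed minimal PE header (no optional header, no section bodies) for testing."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)          # e_lfanew = 64
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n.encode("ascii"), 0, 0, 0, 0, 0, 0, 0, 0, c)
                     for n, c in sections)
    return dos + b"PE\0\0" + coff + table
```

On a real file, `packer_indicators(parse_sections(open(path, "rb").read()))` gives the findings; note that the E0000020 value the essay sets also leaves .text writable, so the second heuristic still reports it.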

  PART TWO - how to crack SmartWhois v2.1

  Time to run our unpacked program.... oooppps, we got this message:
  "You need to re-install SmartWhois 2.1"    This message comes from the program, it's not a system
  message.
  To check it out, we will create a break-point in Softice: "bpx messageboxa" and run the prog.
  Softice will break immediately, press 'F11' once to get back to the caller of the message box, you get the
  message, push the "ok" button and we're in SI again:
 
 :004017AF FF15B4F04100            Call dword ptr [0041F0B4]
 :004017B5 8BF0                    mov esi, eax
 :004017B7 83FEFF                  cmp esi, FFFFFFFF              ; did the call return -1 ?
 :004017BA 7528                    jne 004017E4                   ; if not, skip the message
 :004017BC 8B0D3C4D4200            mov ecx, dword ptr [00424D3C]
 :004017C2 6A10                    push 00000010
 :004017C4 68A4104200              push 004210A4
 * Possible StringData Ref from Data Obj ->"You need to re-install SmartWhois "
                                        ->"2.1"
 :004017C9 687C104200              push 0042107C
 :004017CE 51                      push ecx
 :004017CF FF1544F24100            Call dword ptr [0041F244]      ; messageboxa
 :004017D5 8B153C4D4200            mov edx, dword ptr [00424D3C]  ; we land here

 If you take a look above this message, you can see a "cmp" followed by a conditional jump, that will take the
 program to another location. To check it, set a new "bpx 4017BA", and type "x".
 Run swhois again, now SI breaks on the conditional jump; to force it to jump, type "r fl z" and type "x".
 Can you believe it? There is no need to re-install, it rocks as normal!!
 We can now exit the program.
 SI will now break again on the previous messageboxa BP that we set earlier, press 'F11', and here we get
 the final message: "Thank you for trying this evaluation version". Push the "ok" button and we're in SI again:

 :0040580B FFD3                    call ebx
 :0040580D A0004E4200              mov al, byte ptr [00424E00]
 :00405812 C705E84E420000000000    mov dword ptr [00424EE8], 00000000
 :0040581C 3C07                    cmp al, 07
 :0040581E 731A                    jnb 0040583A                   ; skip the nag if al >= 7
 :00405820 8B942430070000          mov edx, dword ptr [esp+00000730]
 :00405827 6A40                    push 00000040
 :00405829 68A4104200              push 004210A4
 * Possible StringData Ref from Data Obj ->"Thank you for trying this evaluation "
                                         ->"version"
 :0040582E 680C194200              push 0042190C
 :00405833 52                      push edx
 :00405834 FF1544F24100            Call dword ptr [0041F244]      ; messageboxa
 :0040583A A1F8184200              mov eax, dword ptr [004218F8]  ; we land here

 If you take a look above this message, you can see, again, a "cmp" followed by a conditional jump, that will
 take the program to another location. To check it, set a new "bpx 40581E", and type "x".
 Run the program, type "r fl z" on the first break, and you are in SmartWhois. Exit the program and when SI breaks
 again, type "r eip=40583a", and "x". The program exits without the message.

 Job done..
 
The Patches

 Load up fguard32.dll into your Hex-Editor ( I use hexWorkshop-32).

SEARCH FOR THE FOLLOWING BYTES : 8BF083FEFF75288B0D
REPLACE WITH HIGHLIGHTED BYTES : 8BF083FEFFEB288B0D

SEARCH FOR THE FOLLOWING BYTES : 3C07731A8B942430
REPLACE WITH HIGHLIGHTED BYTES : 3C07EB1A8B942430

REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you
like this utility and want to keep using it, support the author and pay for it.
 
Final Notes

 If you take a look in the "string references", you can see this text: "This evaluation version has expired".
 I changed my computer's date a few months ahead, but nothing happened. If, by any chance, this message pops up, I hope
 you know what to do :)

 The only thing left now is to use a resource editor, to change the text shown on the about screen.
 
 My thanks and gratitude goes to:-

 The Sandman for all what he is doing for us, newbies.

 Rhayader for helping me with Reverse Code Engineering and useful tips

 Alpine, Lord Soth, Volatility and Torn@do for my basic knowledge in packed programs




Essay by:   The Snake
Page Created: 8th November 1999