'Ignoring anti ProcDump trick'
Win Code Reversing

Program Name: sw2.zip
Program Type: www utility (IP)
Program Location: Here
Program Size: 651kb

Tools used:
Softice V4.0 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Dissembler
UnAspack v1.0 - Aspack Unpacker
The author of SmartWhois v2.1 says:
SmartWhois is a handy utility for obtaining information about any IP address or hostname in the world. Unlike standard whois utilities, it automatically delivers information associated with an IP address no matter where it is registered geographically. In just a few seconds you get all you want to know about a user: domain, network name, country, state or province, city. Even if the IP address cannot be resolved to a hostname, SmartWhois won't fail!
This program was packed with Aspack v1.083. This info can be found by using Gettype (you can download it from my tools page).
This tutorial will be in 2 parts:
part 1 - how to unpack a program packed with Aspack v1.083, using Unaspack.
part 2 - how to crack SmartWhois v2.1.
You can download "Unaspack" by "bane" from my tools page.
The program saves its settings in the registry under:
HKLM\Software\Swhois2
The program doesn't have any registration window... what to do?? Let's see..
Usually, when I have a new tool in hand, the first thing I do is run it a few times, to get some idea about the weak parts of the protection routine and to pick up some good hints.
If you did that, you saw that there is no way to register this program through a registration window, and when we close it, we get the message "Thank you for trying this evaluation version".
Ok, we know what to look for, time to create a dead list using W32dasm... can you find it? NOOO...
There are no "String References" and no "imports/exports"..... This prog is written in VB or it is packed...
To check it out, copy swhois2.exe to the GETTYPE directory, and under "dos" type:
gtw.exe swhois2.exe /ze /p
We can see that the packer is Aspack v1.083.
At this point DON'T try to use ProcDump: this program uses an anti-ProcDump trick, save your time. I had to hard-reset my machine and restart it, this trick causes the system to "freeze"..
PART ONE - how to unpack the program using Unaspack:
The first step will be to COPY swhois2.exe to the directory of Unaspack.
Switch to DOS mode, and in Unaspack's directory type:
unaspack.exe swhois2.exe
and press "Enter". You should get these 2 lines:
swhois2.exe - ASPack 1.08.03
swhois2.exe - nothing found.
Ignore this message.
Now, looking at the file size, can you see that it is bigger than the original?
Save the original files under other names, and copy the unpacked files back to the swhois directory.
Run the program; so far, everything looks fine. Let's go see if something changed, using w32dasm.
We can see that the dead list still doesn't show us the "imports" nor the "string references".
There is one more thing to be done: fire up ProcDump (you know where to get it), choose the "PE editor", and choose "swhois.exe". We're in the "PE structure editor", so click on the "sections" button and you'll see that the characteristics of all sections (right column) are C0000040. Right-click on the .text section and choose "edit section". At the bottom right corner, change it to "E0000020" and click "ok" 3 times.
Now go to w32dasm again.
Are we done?? Yep, let's crack it.
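The section-flag edit above is a tell worth recognising from the other side of the fence: after unpacking, every section carried C0000040 (INITIALIZED_DATA|READ|WRITE), and the edited .text ends up as E0000020 (CODE|EXECUTE|READ|WRITE), while a normal linker marks .text as 60000020 (CODE|EXECUTE|READ). The following is an added Python example of mine, not code from this tutorial or from any of the tools it names: it walks a PE section table, decodes the Characteristics flags, and flags sections whose permissions look packed or hand-edited. The PE image it inspects is constructed by build_sample_pe (headers only), not the real swhois2.exe.

```python
import struct

# Subset of the IMAGE_SCN_* section flags from winnt.h
FLAG_NAMES = {0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA", 0x00000080: "UNINITIALIZED_DATA",
              0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}

def decode_characteristics(value):
    """Names of the known flags set in a section Characteristics DWORD."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]

def parse_section_headers(data):
    """Walk DOS header -> PE signature -> IMAGE_FILE_HEADER -> section table
    and return [(section name, characteristics), ...]."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4                                    # IMAGE_FILE_HEADER (20 bytes)
    num_sections = struct.unpack_from("<H", data, fh + 2)[0]
    opt_size = struct.unpack_from("<H", data, fh + 16)[0]
    table = fh + 20 + opt_size                           # first IMAGE_SECTION_HEADER
    out = []
    for i in range(num_sections):
        off = table + 40 * i                             # each header is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        out.append((name, struct.unpack_from("<I", data, off + 36)[0]))
    return out

def audit_sections(sections):
    """Flag permission patterns a clean compiler build would not produce."""
    findings = []
    for name, chars in sections:
        flags = decode_characteristics(chars)
        if "WRITE" in flags and "EXECUTE" in flags:
            findings.append((name, "%08X" % chars, "writable and executable"))
        elif name == ".text" and "EXECUTE" not in flags:
            findings.append((name, "%08X" % chars, "code section not executable"))
    return findings

def build_sample_pe(section_table):
    """Constructed minimal PE image (headers only, not a real program) used as sample input."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)          # e_lfanew = 0x40
    file_hdr = struct.pack("<HHIIIHH", 0x14C, len(section_table), 0, 0, 0, 0, 0x102)
    headers = b"".join(n.ljust(8, b"\0") + b"\0" * 28 + struct.pack("<I", c)
                       for n, c in section_table)
    return dos + b"PE\0\0" + file_hdr + headers
```

Feeding it a table of all-C0000040 sections reports .text as a non-executable code section, and a table with .text set to E0000020 reports it as writable and executable; a 60000020 .text produces no finding.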
PART TWO - how to crack SmartWhois v2.1
Time to run our unpacked program.... oooppps, we got this message: "You need to re-install SmartWhois 2.1". This message comes from the program, it's not a system message.
To check it out, we will set a breakpoint in Softice, "bpx messageboxa", and run the prog.
Softice will break immediately; press 'F11' once to get back to the caller of the message, you get the message, push the "ok" button and we're in SI again:
:004017AF FF15B4F04100       Call dword ptr [0041F0B4]
:004017B5 8BF0               mov esi, eax
:004017B7 83FEFF             cmp esi, FFFFFFFF
:004017BA 7528               jne 004017E4
:004017BC 8B0D3C4D4200       mov ecx, dword ptr [00424D3C]
:004017C2 6A10               push 00000010
:004017C4 68A4104200         push 004210A4
* Possible StringData Ref from Data Obj ->"You need to re-install SmartWhois 2.1"
:004017C9 687C104200         push 0042107C
:004017CE 51                 push ecx
:004017CF FF1544F24100       Call dword ptr [0041F244]      ; messageboxa
:004017D5 8B153C4D4200       mov edx, dword ptr [00424D3C]  ; we land here
If you take a look above this message, you can see a "cmp" followed by a conditional jump that will take the program to another location. To check it, set a new breakpoint, "bpx 4017BA", and type "x".
Run swhois again; now SI breaks on the conditional jump. To force it to jump, type "r fl z" and then "x".
Can you believe it? There is no need to re-install, it rocks as normal!!
We can now exit the program.
SI will now break again on the previous messageboxa BP that we set earlier. Press 'F11', and here we get the final message: "Thank you for trying this evaluation version". Push the "ok" button and we're in SI again:
:0040580B FFD3                   call ebx
:0040580D A0004E4200             mov al, byte ptr [00424E00]
:00405812 C705E84E420000000000   mov dword ptr [00424EE8], 00000000
:0040581C 3C07                   cmp al, 07
:0040581E 731A                   jnb 0040583A
:00405820 8B942430070000         mov edx, dword ptr [esp+00000730]
:00405827 6A40                   push 00000040
:00405829 68A4104200             push 004210A4
* Possible StringData Ref from Data Obj ->"Thank you for trying this evaluation version"
:0040582E 680C194200             push 0042190C
:00405833 52                     push edx
:00405834 FF1544F24100           Call dword ptr [0041F244]      ; messageboxa
:0040583A A1F8184200             mov eax, dword ptr [004218F8]  ; we land here
If you take a look above this message, you can see, again, a "cmp" followed by a conditional jump that will take the program to another location. To check it, set a new breakpoint, "bpx 40581E", and type "x".
Run the program, type "r fl z" on the first break, and you are in SmartWhois. Exit the program, and when SI breaks again, type "r eip=40583a" and "x". The program exits without the message.
Job done..
Load up fguard32.dll into your Hex-Editor (I use HexWorkshop-32).
SEARCH FOR THE FOLLOWING BYTES: 8BF083FEFF75288B0D
REPLACE WITH THE FOLLOWING BYTES: 8BF083FEFFEB288B0D
SEARCH FOR THE FOLLOWING BYTES: 3C07731A8B942430
REPLACE WITH THE FOLLOWING BYTES: 3C07EB1A8B942430
REMEMBER, I'm doing my cracks as a hobby and challenge, so please, if you like this utility and want to keep using it, support the author and pay for it.
If you take a look in the "string references", you can see this text: "This evaluation version has expired". I changed my computer date a few months ahead, but nothing. If, by any chance, this message pops up, I hope you know what to do :)
The only thing left now is to use a resource editor to change the text shown on the about screen.
My thanks and gratitude go to:
The Sandman, for all he is doing for us newbies.
Rhayader, for helping me with Reverse Code Engineering and useful tips.
Alpine, Lord Soth, Volatility and Torn@do, for my basic knowledge in packed programs.