December 1998	"File Shredder v2.7" (Finding the compare)	Win '95/'98 PROGRAM Win Code Reversing
	by Punisher
	Cracking 4 Newbies
	Program Details Program Name: Shredder.zip Program Type: File Shredding Utility Program Location: http://www.softseek.com/ Program Size: 98.4 KB
	Tools Used: Soft-Ice -- Debugger
Rating	Easy ( X )  Medium (   )  Hard (    )  Pro (    )	There is a crack, a crack in everything. That's how the light gets in.

 

File Shredder v2.7

( Finding the Compare )

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at: http://www.execpc.com/~sbd
 
The author says:

" File Shredder for Windows 95/NT is a small utility that will completely erase the contents of sensitive files and entire folders that you specify. Normal file deletion only removes a file’s directory entry, but leaves the data contained in the file on your disk drive. File Shredder completely overwrites the contents of a file and then deletes it.

File Shredder for Windows 95/NT is fully Y2K compliant and will work with MS Windows 98 as well as 95/NT systems."

 

About this protection system

 

This program uses your Name and Organization to calculate your registration key. Registration is via the Register tab on the main program window.You have to enter information for:-

User Name :

Organization :

Registration :

 

    

     

      

       THE ESSAY
    
   

Install File Shredder and run it. Your are instantly bombarded with a nasty splash/nagscreen telling you this is 30-day Evaluation copy. The program then goes into the main screen. You will notice that this program is made up of one main window with a number of tab windows on it. There are four tabs.

Click on the Register tab and you will get a tabbed dialog to register the software. Enter your name, Organization and a fake regcode.

Go into Soft-Ice by pressing ctrl-d and set a breakpoint on GetDlgItemTextA. This is done like this.

>>> BPX GetDlgItemTextA

Now leave Soft-Ice by pressing ctrl-d. You are now back in the main Register tab. Click the OK button.

Soft-Ice breaks at GetDlgItemTextA. Since program has to get three pieces of information from the dialogbox it will call GetDlgItemTextA three times so we are going to bypass the first two calls. To do this type x and press the [ENTER] key. Do it a second time. Each time Soft-Ice breaks in GetDlgItemTextA.

Now Press F11 to return to the caller. You are now in File Shredder Code.

Do a search for you fake regcode. I use 45454545 as my fake regcode. eg:-

>>> s 0 lffffffff '45454545'

Soft-Ice will find an echo of you fake regcode in memory and display that address for you. Note the addres and set a breakpoint on that memory range with read and write access for the amount of characters you entered for you fake code. I usually use eight for mine. eg:-

>>> bpr 0030:0056F54C 0030:0065F54C + 8 RW

Type x and let the program run. Soft-Ice will break at this piece of code.

:004088D8   mov ecx, dword ptr [00417660]

:004088DE   mov dl, byte ptr [esi]  <- Soft-ice breaks here                                 

:004088E0   xor eax, eax

:004088E2   mov ax, word ptr [ecx+2*edx]

:004088E6   and eax, 00000008

At address :004088DE our fake regcode is put in dl. This is the start of the calculations for for a valid regcode. We won't go into the details of how it is calculated.

From here single step through the code using F10. You will have to do a lot of single stepping because the protection scheme calculates the valid regcode by first taking you fake regcode a character at a time. After it finishes with you fake regcode it does the same on your Organization. Single stepping takes quite a while.

Single step until you com to this piece of code.

:004014C1   call 00403500

:004014C6   add esp, 00000008

:004014C9   cmp eax, esi         <-- fake regcode compared with real regcode

:004014CB   je 004014EB          <-- bad_cracker_jump

:004014CD   push 0000EACF

After doing its calculations compares the real regcode with our fake regcode. The real regcode is in eax. Have a look at the eax register holds and you will get the real regcode. This is done like this:-

>>> ? eax

You will see at the bottom of soft-ice screen (the command line) the Hex value, the Decimal value and the ascii value of the contents of eax. In this case you real regcode will be the Decimal value. eg:-

Write down the Decimal value because it is the correct regcode. Now clear all breakpoints. eg:-

>>> bc *

Let the program run by type x and pressing the [ENTER] key.

The usual Registration failed messagebox will pop up. Clear clear and Enter the real regcode and your program is registered.

I will like to say thanks to +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge to make this possible.