Written by Pupp
23 March 2000

With this program, you can design your own web page. What we're going to do is patch the program so we don't get our 30 day trial and the register screen will be gone.

The protection
An ID and Registration number. It gives you a 30 day Trial; after the
30 day Trial is finished the Try button disappears, and to use it further
you must register it.

Numega SoftIce v4.xx
W32dsm89
Hex Editor

Program Name: Hotdog Webmaster suite 5.5

First install the program. When you install it a screen will come up offering either
Stand Alone or Webmaster Suite; press Webmaster Suite. After installing the program,
run it and a Register screen comes up with Try or Buy. If you press the Register button
it will ask you to put in your ID and RK number; cancel and leave the program. We will
go step by step so you can get an idea of how to find and patch a program.
1. First let's fire up w32dsm to make a dead listing. We will first look under
Ref to see if we see a good or bad guy. If you look at the snippet below, there's one
that looks good: CHECKING REGISTRATION STATUS
"Check"
"CheckBox"
"CHECKED"
"checked"
"CHECKED"
"checked"
"Checking Directory Structure..."
"Checking Document..."
"Checking Documents..."
"Checking Registration Status..." <------ here
"Checking WebSite..."
"Checks"
"Choose Directory..."
"Choose File"
"Choose HomePage"
"Choose Replacement File"
"circle"
2. Double click on it and we will land on 00681887. Now, by going up to the first
* Referenced by a (U)nconditional or (C)onditional Jump at Address: you will see
00681875, and there you will see a JMP 0068187A. That jump will take us to Checking
Registration Status, and the first CALL at :0068188C will bring you to your Register
message, but we don't want that, do we? What we're going to do is write down the
number right before our JMP, and that would be 0068186B; you see that below....
good.
Now we know where we jump to check registration and our reg call. How do we
know? Well, go to step 3 below.
:0068186B 648910 mov dword ptr fs:[eax], edx
:0068186E EB0A jmp 0068187A
:00681870 E90F1ED8FF jmp 00403684
:00681875 E83A21D8FF call 004039B4
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0068186E(U)
|
:0068187A A1FC756900 mov eax, dword ptr [006975FC]
:0068187F 8B00 mov eax, dword ptr [eax]
:00681881 8B80D8020000 mov eax, dword ptr [eax+000002D8]
* Possible StringData Ref from Code Obj ->"Checking Registration Status..."
|
:00681887 BA7C1B6800 mov edx, 00681B7C <--- Land Here
:0068188C E8D75BDBFF call 00437468 <-------- Register message
:00681891 A1FC756900 mov eax, dword ptr [006975FC]
:00681896 8B00 mov eax, dword ptr [eax]
:00681898 E8BF60DBFF call 0043795C
:0068189D C645FE01 mov [ebp-02], 01
:006818A1 8D45FE lea eax, dword ptr [ebp-02]
:006818A4 E8836EF2FF call 005A872C
:006818A9 8845FF mov byte ptr [ebp-01], al
:006818AC 807DFF00 cmp byte ptr [ebp-01], 00
:006818B0 0F8452020000 je 00681B08
:006818B6 A1FC756900 mov eax, dword ptr [006975FC]
:006818BB 8B00 mov eax, dword ptr [eax]
:006818BD 8B80D8020000 mov eax, dword ptr [eax+000002D8]
* Possible StringData Ref from Code Obj ->"Initializing HotDog..."
|
:006818C3 BAA41B6800 mov edx, 00681BA4
:006818C8 E89B5BDBFF call 00437468
:006818CD A1CC746900 mov eax, dword ptr [006974CC]
:006818D2 8B00 mov eax, dword ptr [eax]
:006818D4 E85351FBFF call 00636A2C
:006818D9 84C0 test al, al
:006818DB 7533 jne 00681910
3. Leave w32dsm89 and start your SoftIce Symbol Loader. Open File, open
Hotdog5 and load it. You will get a SYMBOL TRANSLATION/LOAD ERROR; press Yes
and you will come into SoftIce. Now we want to set a breakpoint (BPX) on the number
before the jump, remember!! So it should look like this: BPX 0068186B. Then press return
and your breakpoint is set. Now by pressing F5 one time you will land on 0068186B,
right before your jump. Now by pressing F10 one time we will land on our jump to
check registration. We don't want that. Now look at all the calls: there is a call with
test al,al then a jump. Let's try it. OK, change your jump at 0068186E to jump to
006818D4. ???? How are we going to do that?? Make sure you're on 0068186E, clear
all breakpoints with bc* and hit return. All clear. To check, type BL and return;
you should see no BPXs. OK, good. Now we're going to change it by typing
a 0068186E JMP 0068187A and pressing return. Then you will get
JMP 0068187A HERE<---- then put---> JMP 006818D4. It should look like this:
jmp 0068187A jmp 006818D4. Then press return. Bingo, your jump has been changed.
OK, our breakpoints are cleared; press X and return. Bingo, you go right into the
program. Cool.. but bummer, we only changed it in memory. We need to make the change
with our Hex Editor.
4. OK, back to our Symbol Loader and do the same: bpx 0068186B and F10 one time to land on
our 0068186E JMP 0068187A. Now by typing d 0068186E and pressing return we'll get our
code. At the top you will see 0068186E EB 0A E9 0F 1E D8 FF E8. Now do the same as
before: a 0068186E JMP 0068187A, press return and you will have
JMP 0068187A; add JMP 006818D4 to it again. Pressing return 2 times, you will see
that EB 0A E9 0F 1E D8 FF E8 has changed to..
EB 64 E9 0F 1E D8 FF E8. As you see, the 0A changed to 64. Now we need to make
the change with our Hex Editor. Exit SoftIce.
5. Before you start with your Hex Editor, make 2 files on your drive and copy the Hotdog
EXE file to both files. Name one file ORG. and the other PATCH; that's what I do
so you know which file is the patch file.
Open your Hex Editor, look for EB 0A E9 0F 1E D8 FF E8 and change the 0A to 64.
Save it to the patch file and use any patch program and you're done.
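
The byte change in step 4, seen from the integrity-checking side, as an added example that is not part of the original essay: EB is the short-jump opcode and the byte after it is a signed displacement counted from the next instruction, so 0A reaches 0068187A and 64 reaches 006818D4. The sketch decodes that jump in a file image and reports whether it still leads to the registration check; the function names and the sample buffers are constructed for illustration.

```python
# Added example (not from the original essay): decode the short JMP that the
# essay edits and flag an image whose jump no longer reaches the registration check.

JMP_SHORT = 0xEB                               # opcode of "jmp rel8"
JMP_VA = 0x0068186E                            # address of the jump in the listing
EXPECTED_TARGET = 0x0068187A                   # start of the registration-check path
ORIGINAL = bytes.fromhex("EB0AE90F1ED8FFE8")   # bytes the essay shows at JMP_VA


def short_jmp_target(va, insn):
    """Return the destination of a 2-byte 'EB rel8' instruction located at va."""
    if len(insn) < 2 or insn[0] != JMP_SHORT:
        raise ValueError("not a short JMP")
    rel8 = insn[1] - 0x100 if insn[1] >= 0x80 else insn[1]   # signed displacement
    return (va + 2 + rel8) & 0xFFFFFFFF        # relative to the next instruction


def check_image(data):
    """Find the jump via the 6 bytes after it; return (status, offset, target).

    status is 'intact', 'tampered' or 'not-found'. Searching on the trailing
    bytes means the result does not depend on the displacement byte itself.
    """
    tail = ORIGINAL[2:]
    start = 0
    while True:
        pos = data.find(tail, start)
        if pos == -1:
            return ("not-found", None, None)
        off = pos - 2
        if off >= 0 and data[off] == JMP_SHORT:
            target = short_jmp_target(JMP_VA, data[off:off + 2])
            status = "intact" if target == EXPECTED_TARGET else "tampered"
            return (status, off, target)
        start = pos + 1


if __name__ == "__main__":
    pad = b"\x90" * 16                          # constructed filler, not real file data
    clean = pad + ORIGINAL + pad                # constructed image with the listed bytes
    edited = pad + b"\xEB\x64" + ORIGINAL[2:] + pad   # same image after step 5
    for name, image in (("clean", clean), ("edited", edited)):
        status, off, target = check_image(image)
        print(name, status, off, "%08X" % target)
```
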

I have tried to make this as easy as possible; hope this will help you out.
Have fun..
Many Thanks to
Sandman
Snake
and all from The Newbies Forum
The information in this essay is for educational purpose only!!!!!!!!!!!!!
If you want to use this software then buy it