|
Dropit
Pro 4.5
|
|
|
|
Subject: Cracking |
|
This essay is for knowledge purposes only!! Software developers spend much time in making their programs. They live from the money we give them! Please buy good software!! |
| I. Introduction |
| Hmmmmm, here I am again......had some free time so why not writing a new tut! This time I'll teach u how to crack Dropit Pro 4.5 and Maxdrop 4.2. Actually I will only explain Dropit Pro 4.5, coz Maxdrop has exactly the same "protection scheme". I really don't know what Dropit does.....and I think I don't care :) It looks primitive and the protection is bad and u certainly don't want to pay anything for it......let's start :) |
| II. About the protection |
| Nag + 30-day trial |
| III. Cracking it |
| Before we start, u have to disassemble first (W32DSM) and save the project
file. The protection: a nag and 30 day trial. Let's begin with the nag :) Open dropitp.exe in HIEW press F4.....then F2 (=hex mode). Then u have to search for the string "nag" (this string is displayed on the nag screen). So, press F7. Type in the ASCII-box n, then in the hex-box type 00, go back to the ASCII-box and type a, go back to the hex-box and type 00, go back to the ASCII-box and type g. In the ASCII-box there should be: n a g In the HEX-box there should be: 6E00610067 ********************************************************* When HIEW has found the "nag" string, go back a little with the cursor, 'til u find the following hex-code: "FF FF FF FF 82". NOP those instructions (90 in hex, if u didn't know :p). FF FF FF FF 82 is the windows instruction for drawing a window. Press F9 to save, then exit. Now when u run Dropit, the nag is gone and everything seems fine.....however there's still a 30-day trial. Just set ur clock a month later......and Dropit won't start anymore. So, open W32DSM and load your project file u previously saved. Search for "GetSystemTime". You'll have to search twice. When everything worked out right, u should see this:
-------------------------Start of partial code-------------------------------
* Referenced by a CALL at Address:
|:00412B7E <- Interesting....see below why :-)
|
:0040A3D0 81ECCC000000 sub esp, 000000CC
:0040A3D6 8D442410 lea eax, dword ptr [esp+10]
:0040A3DA 50 push eax
* Reference To: KERNEL32.GetLocalTime, Ord:00F5h
|
:0040A3DB FF1578E64200 Call dword ptr [0042E678]
:0040A3E1 8D4C2400 lea ecx, dword ptr [esp]
:0040A3E5 51 push ecx
* Reference To: KERNEL32.GetSystemTime, Ord:0135h
-------------------------End of partial code---------------------------------
Yeps, the procedure is called at :00412B7E. This is interesting as there is
no cmp or test instruction after the getlocaltime or getsystemtime.
Let's take a look where the program calls for the getsystemtime procedure!
Click "Goto" then "Code location". Fill in: 412B7E. Click OK.
Now u should see this:
-------------------------Start of partial code-------------------------------
* Referenced by a CALL at Addresses:
|:004067BA , :00406B07 <- Hmmm, again interesting :))
|
:00412B7C 6A00 push 00000000
:00412B7E E84D78FFFF call 0040A3D0
:00412B83 59 pop ecx
:00412B84 8B4C2404 mov ecx, dword ptr [esp+04]
:00412B88 8901 mov dword ptr [ecx], eax
:00412B8A 8BC1 mov eax, ecx
:00412B8C C20400 ret 0004
-------------------------End of partial code---------------------------------
As u can see, there are no important instructions here.....so again, we
have to go to the procedure that calls this procedure. As u also can see
this piece of code is called from 2 places. Let's pick out the first i.e.
goto code location 004067BA.
-------------------------Start of partial code-------------------------------
:004067BA E8BDC30000 call 00412B7C
:004067BF 6A00 push 00000000
:004067C1 8D4C2424 lea ecx, dword ptr [esp+24]
:004067C5 E8C5C30000 call 00412B8F
:004067CA 8B7010 mov esi, dword ptr [eax+10]
:004067CD 6A00 push 00000000
:004067CF 8D4C2424 lea ecx, dword ptr [esp+24]
:004067D3 46 inc esi
:004067D4 E8B6C30000 call 00412B8F
:004067D9 8B4C2424 mov ecx, dword ptr [esp+24]
:004067DD 8B780C mov edi, dword ptr [eax+0C]
:004067E0 83F901 cmp ecx, 00000001
:004067E3 0F8CFB000000 jl 004068E4 <- this jumps to "good boy"
:004067E9 83F91F cmp ecx, 0000001F
:004067EC 0F8FF2000000 jg 004068E4 <- this also jmps to "good boy"
:004067F2 3BEE cmp ebp, esi
:004067F4 8BC7 mov eax, edi
:004067F6 7410 je 00406808
-------------------------End of partial code---------------------------------
Yeah, strange enough, the "jl" instruction does not jump to "bad boy". When
I first saw this procedure I thought: "Well, let's NOP the "jl" and "jg"
instrucion". However it had no result......so I thought: "Maybe it's just
the opposite".....and I was right! How can u know?? Just let W32DSM jump
into the "jl 004068E4". When there, and u scroll up, u come the
"trial expired" across. In clear English: the "jl" instruction jumps OVER the
exit procedure :)
Last thing to do: open HIEW and change the "jl 004068E4" into "jmp 004068E4".
Job done!
Now u should be able to crack Maxdrop 4.2 for yourself, it has the same
"protection", only on different places.....good luck ;-))
|
| IV. In the end |
|
If u have any questions, comments, etc... mail me on cracking@softhome.net
BlackB
|
|
Essay written by The Blackbird © 1999-2000 This essay can be freely distributed/ published/ printed etc... as long as no modifications are made. |