Acid_Cool_178's Cracking tutorial for for Hellforge #1
Acid_Cool_178's Homepage can you find here
Information
Target: Acoustia v2.01
Target Location :http://members.xoom.com/faxanadurox/acous201.exe
Size: 1,42MB Unpacked
Tools used: W32Dasm 8.9x, Hiew, Regmon
Date: 15 Jan Y2K
Descriptionz and Commentz: A sound editor to create and mix sound, and i can see that the
author of this program are from Norway
Starting words
Hi I'm Acid_Cool_178 and a newbie cracker at Hellforge and FHCF, i wish to share my
cracking skills with other cracker newbies anound the world. You can find me at IRC
#cracking4newbies and my e-mail are acid_cool_178@hotmail.com
The Protection
When you are entering the program you will find a NAG screen and a regestration
box. The regestration box contains a "Name" "Company" and "Key
code"
The first NAG box are saying that "The evalution period has experied" and when
you are pressing on then you will come to the registration box where you have to write
your name, name and key code. If the code done fit in then a help file will come up on the
screen.
The registration information will be in the windows-regestry at
HKEY_CURRENT_USER\Software\Acon As\Acoustica\2.0\RegisterInfo
Introduction
Well, what can i say thet i got an e-mail from +Sadman (He's mailing list)
and here the e-mail are.
Start of E-mail
| From: "Reverse Code Engineering" <ukcracker@hotmail.com> Save Address Block Sender |
| To: List Member <acid_cool_178@hotmail.com> Save Address |
| Subject: Newbies Project VII |
| Date: 14 Jan 2000 07:27:49 -0000 |
Reverse Code Engineering - http://www.idca.com/~thesandman/index.html
Greetings Reverser's,
The Seventh Newbie Project has finally arrived, you can view the archives of the previous projects from here: http://www.idca.com/~thesandman/Forums.html
Here are the details for the present Project..
Newbie Project Forum: http://members.boardhost.com/reversing/
Program Name: Accoustica V2.01
Download from: http://members.xoom.com/faxanadurox/acous201.exe
Please read the INTRODUCTION posting by LaZaRus before you begin posting to the forum. In addition to this, I will stress the following points..
This is not a race to see who finishes first, so take your time, learn each step in your own time and don't be afraid to ask for help if you are not sure of what to do.
The primary aim of the Project Forum is all about learning the finer arts of reversing techniques & methods, the actual -crack/patch- is irrelevant, that is just the icing on the cake.
If you have any questions that are -NOT- related to this project then please my other forum: http://www.InsideTheWeb.com/mbs.cgi/mb628842
Good luck! +Sandman & LaZaRuS
End of E-mail
Well, i just had to see what it was and i didn't use tha tasks in this essay because i will take them next week..
The Cracking Process
First i did install the program (doh) and i opend acoustica.exe
in W32Dasm and went to"String Data References" and found the string "The
eval period expired.". And this code come up..
Possible StringData Ref from Data Obj ->"The evaluation period has
expired."
|
:00446E8A 680EA04900 push 0049A00E
:00446E8F 8B500C
mov
edx, dword ptr [eax+0C]
:00446E92 52
push
edx
:00446E93 8B4868
mov
ecx, dword ptr [eax+68]
:00446E96 51
push
ecx
:00446E97 E8DED90100 call 0046487A
:00446E9C 83C414
add
esp, 00000014
:00446E9F 66C78524FDFFFF3800 mov word ptr [ebp+FFFFFD24], 0038
:00446EA8 83C4FC
add
esp, FFFFFFFC
I can explain this code, i will try to have fin with it later :)
But if you scroll some uo adn then you will see this code.
Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00446E5C(C)
|
:00446E6F 57
push
edi
:00446E70 E847FDFFFF call 00446BBC
;Checking
the days
:00446E75 59
pop
ecx
:00446E76 84C0
test
al, al
;What
have to be tested ?
:00446E78 0F85A9010000 jne 00447027
;Jump if not equal
:00446E7E 8B5766
mov
edx, dword ptr [edi+66]
:00446E81 8B02
mov
eax, dword ptr [edx]
:00446E83 6A00
push
00000000
* Possible StringData Ref from Data Obj ->"Acoustica"
|:00446E85 6831A04900 push 0049A031
Hmm, first i did take a backup of acoustica.exe and the statusbar of W32Dasm you can dee
something like this
Line: xxxx Code Data@: xxxx Offset Data@:xxxx
Well i did scroll to 00446E78 and the offset are 46478 so i'd opend acoustica.exe in
hiew.exe and pressed enter two times. then i shoud be in ASM code.
My plan are to change JNE to JMP.
Press F5 and type 46478
Press F3 and F2
Change JNE to JMP
Press Enter and Esc.
Press F9 to update the file and quit.
And now when that is dont the first nag screen are gone and i can see another nag with
these options "Evalute", "Purchase" and "register". And the
NAG says that i'm on my 145143 Day of my 30 day trial :) If you are going to
"Help" and "About ..." ant there you can see unredistred, but i don't
care about that. I will remove all the NAG's in this program by patching
Lets move on, take a look at 00446E70 that call are counting how many days you have used
the program. Lets nop it, and now i wont say the offset to you. You have to find it bu
youselfh.
Open acoustica.exe in Hiew
Press entet 2 times and F5 and enter the offset you got.
Press F3 (Edit) and type 90 (NOP) 5 times. Update the file and exit Hiew.
When i now ran my program then the nag still was there but now i'm on my 0 of 30 day
evalution. Now we have to get rid of that NAG screen.
Open acoustica.exe in W32Dasm and goto 00446EC5, tell me what you can see there. Try to
NOP the JE 2 times in Hiew. The offset are 4645C. Open acoustica.exe in Hiew and press
enter 2 times.
F5 (GoTo) 4645C
F3 (Edit) and enter 90 (NOP) 2 times
F9 (Update The File)
F10 or Esc to exit.
When you now are running the program all the NAG's are in wonderland :)
Well, now i don't have anything more to write. I have removed all
the NAG's for ya.
Ending
Thanks/Greetings goes to Waj, LaZaRuS, +Sandman, Eddie Van Camper, Potsmoke
and all the others in cracking4newbies chan.
Written By Acid_Cool_178
Copyprotected by Acid_Cool_178
Legal Trademarks: Acid_cool_178