LaZaRuS [hf] proudly presents his 9. Cracking Tutorial (20.04.1999)

PowerZip 4.51

0.   Why I make this tutorial
I.   Tools you need for my tutorial
II.  Cracking with W32Dasm
     II.1 Looking at the target
     II.2 Cracking the time check
     II.3 Getting your name in the About Box
     II.4 Getting the correct serial
III. BTW

0. Why I make this tutorial

A few days ago there was a discussion at Sandman's forum about what a tutorial should look like. One point was that in the "Crack this-and-that" tutorials not much is explained, and a newbie has problems understanding the steps the writer made. So I won't start with getting the serial but with getting rid of the "Unregistered" strings and the "Day X of your evaluation period". Then we will slowly work our way up until we get the serial.

I. Tools you need for my tutorial

Win32Dasm 8.9 (get it at http://Qserve.8m.com)
A hex-editor, I prefer Hex Workshop 2.54
PowerZip 4.51, the target (http://www.powerzip.lco.net, mail me if you don't find version 4.51 there)

II. Cracking with Win32Dasm

II.1 Looking at the target

The first thing you should always do is to have a close look at the target. This includes looking at the help file, at the files the program uses (File Monitor) and at the registry values (Registry Monitor). If we do so with PowerZip we don't find anything important. So let's disassemble the PowerZip.exe file (that means load it in W32Dasm). Now look at the strings in the disassembled file. You can do this with the second button from the right (Strn Ref) in the toolbar of W32Dasm. Luckily, there are not too many.
Which of them can be important for us? I suggest these:

01. "\PowerZip.reg"
02. "Name"
03. "Reg"
04. "RegNum"
05. "Thank you for registering PowerZip!"
06. "The registration number is invalid."
07. "This copy of PowerZip is registered "
08. "This is an UNREGISTERED copy of "
09. "This is an unregistered evaluation "
10. "You are on day %1!u! of your 30-day "

Let's analyse them:

01. This seems to be the file where the registration information is stored.
02. That could be the name PowerZip is registered to.
03. Later.
04. That could be the stored serial.
05. Obvious, isn't it?
06. Obvious, isn't it?
07. Seems to be the string in the About Box that says PowerZip is registered.
08. ???
09. The opposite of 07.
10. A counter for how long you have used the program.

II.2 Cracking the time check

We know there's a time check in the About Box (or didn't you look at this important window?), so we should find out what happens when the evaluation period has expired. Add one year to your system clock, start PowerZip (no nag-screen? that's strange) and look at the About Box. You see "You are on day 367 of your 30-day evaluation period.". That's all? Yes, it is. At least I didn't find any restriction. So imagine you forget PowerZip on your PC and your grandchildren find it in 60 years. You can imagine how ugly it is when the About Box says "...on day 21900..." (that's 60*365). So let's change that. Double-click on the string "You are on day..." and you should see this:

* Reference To: MFC42.MFC42:NoName0000, Ord:0320h
|
:0040C5C5 E80E540100   Call 004219D8               ;; get current date,
:0040C5CA 8BCE         mov ecx, esi                ;; compare it with install date
:0040C5CC E8BF000000   call 0040C690               ;; and calculate difference
:0040C5D1 50           push eax                    ;; eax contains difference
:0040C5D2 8D5664       lea edx, dword ptr [esi+64]

* Possible StringData Ref from Data Obj ->"You are on day %1!u! of your 30-day "
                                        ->"evaluation period."
|
:0040C5D5 68DC1C4300   push 00431CDC
:0040C5DA 52           push edx

Ok, let's look at the code.
If we always want to be on day 1 of our evaluation period we could trace into the call at :0040C5CC and change the place where the difference is stored in EAX. But there's an easier way. Do you know how many bytes the instruction mov eax, 00000001 needs? Don't worry, I didn't know that either. So I searched in W32Dasm for mov eax, 00000001. You find it (for example) at location :00417C2C. There you can see the opcode is B801000000, so we need five bytes. Look at the call at :0040C5CC. We don't need this call, and it has the same number of bytes as mov eax, 00000001. So what prevents us from changing the bytes E8BF000000 to B801000000? I tell you: NOTHING! If we do that with a hex-editor the About Box always says "... on day 1...". Isn't that nice?

To get the offset we have to change, highlight the line :0040C5CC in W32Dasm and move the cursor into the W32Dasm window. Now you see the line:

Line: 25042 Pg 501 and 502 of 1605 Code Data @:0040C5CC @Offset: 0000C5CC in File:...

Now we can see that we have to change 5 bytes starting at offset C5CC. If you don't know how to do that, read the Hex Workshop manual.

II.3 Getting your name in the About Box

Ok, that was the first step. Now the next one. We want to see our name in the About Box instead of "...unregistered...". So we have to find where our name is stored. Double-click on "Name" in the string references in W32Dasm. Now something VERY important: there can be several locations where a string appears, so double-click several times. You see that there are several locations where "Name" appears. Let's start with the first one.

Little insertion: To know that it is registered, the program has to read out the stored name and the serial. It has to do its calculation on them and set a "Registered" flag. That's a little variable that indicates that the program is registered. Then the program needn't check again whether it is registered, but only needs to check the flag.
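Before we look at the flag itself: the listing that follows reads the registration data with GetPrivateProfileStringA, which looks a value up by section name and entry name in a plain INI file. As an added example (not part of the tutorial, and not PowerZip's own code), here is a small Python reimplementation of that lookup with the same case-insensitive matching and default-value behaviour the Win32 function has, run over a constructed PowerZip.reg-style file. The file contents, the values in it and the helper names are all made up for the example.

```python
import re
from typing import Dict, Tuple

# Constructed sample: the layout of the registration file the tutorial
# describes ([Reg] section with Name and RegNum entries). Values are made up.
SAMPLE_REG_FILE = """
; PowerZip.reg (constructed sample)
[Reg]
Name = Some User
RegNum = 12345

[Other]
Name = not the one we want
"""


def parse_ini(text: str) -> Dict[str, Dict[str, str]]:
    """Parse INI text into {section: {key: value}}.

    Section and key names are stored lower-cased so lookups are
    case-insensitive, like GetPrivateProfileStringA. Whitespace around
    keys and values is stripped; lines starting with ';' are comments.
    """
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+?)\]", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue  # key/value lines outside any section are ignored
        key, value = line.split("=", 1)
        sections[current][key.strip().lower()] = value.strip()
    return sections


def get_private_profile_string(section: str, key: str, default: str, text: str) -> str:
    """Mimic GetPrivateProfileStringA(lpAppName, lpKeyName, lpDefault, ...):
    return the value of `key` in `section`, or `default` if either is missing.
    """
    return parse_ini(text).get(section.lower(), {}).get(key.lower(), default)


def read_registration(text: str = SAMPLE_REG_FILE) -> Tuple[str, str]:
    """Read the two entries the tutorial identifies.

    The disassembly pushes "Name" and then "Reg" right before the call.
    stdcall pushes arguments right to left, so the last one pushed ("Reg")
    is the first parameter: "Reg" is the section and "Name" is the key.
    """
    name = get_private_profile_string("Reg", "Name", "", text)
    regnum = get_private_profile_string("Reg", "RegNum", "", text)
    return name, regnum


if __name__ == "__main__":
    print(read_registration())
```

Note that the second "Name" entry under [Other] is never returned: the lookup is keyed by section first, which is why reading the push order correctly matters when you reconstruct the file layout from the disassembly.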
So we just give the flag the "correct" value and it will believe it is registered. We see:

:0040C370 8D4C2414     lea ecx, dword ptr [esp+14]

* Possible StringData Ref from Data Obj ->"\PowerZip.reg"
|
:0040C374 68681E4300   push 00431E68

--- SNIP SNIP ---

:0040C38D 51           push ecx
:0040C38E 68E8030000   push 000003E8
:0040C393 52           push edx
:0040C394 68383A4300   push 00433A38

* Possible StringData Ref from Data Obj ->"Name"
|
:0040C399 68601E4300   push 00431E60

* Possible StringData Ref from Data Obj ->"Reg"
|
:0040C39E 685C1E4300   push 00431E5C

* Reference To: KERNEL32.GetPrivateProfileStringA, Ord:013Ah

We can get a lot from this code snippet. We see that the important file is PowerZip.reg, and that it is a standard INI file, because it is accessed with the function GetPrivateProfileStringA. This function reads a string out of a standard INI file.

Insertion: How is an INI file structured? An INI file looks like this:

[Section]
Entry1=XXX
Entry2=YYY

You access the entries with a function that takes the name of the section and the name of the entry. The function returns the value of the entry. End of insertion.

So we can see that the section is "Name" and the entry is "Reg". No, no, no. The parameters are passed to the function in reverse order (the last one pushed is the first parameter). So we have an INI file like:

[Reg]
Name=
RegNum=

(look some lines below in W32Dasm)

Ok, create such a file and enter any values for name and regnum. Now we have to find the "Registered" flag. Scroll down until you meet a conditional jump.
The first one that appears is:

:0040C3FC 81FD14513035 cmp ebp, 35305114           ;; Ok, ok, that is the valid serial
                                                   ;; for students (hex value)
:0040C402 0F8582000000 jne 0040C48A                ;; if it is not the students' serial, then jmp
:0040C408 8D542424     lea edx, dword ptr [esp+24] ;; the next lines print the
:0040C40C 8D4C241C     lea ecx, dword ptr [esp+1C] ;; following string to the
:0040C410 52           push edx                    ;; About Box

* Reference To: MFC42.MFC42:NoName0035, Ord:0219h
|
:0040C411 E888560100   Call 00421A9E
:0040C416 8BF8         mov edi, eax

* Possible StringData Ref from Data Obj ->"This copy of PowerZip is registered "
                                        ->"to the following school, university "
                                        ->"or college student:"

We don't want the students' license, so we take the jump. We land where the RegNum is compared with the serial for "Non-profit organizations". But we want a single-user license. So we take the jump at :0040C490 and land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C490(C)
|
:0040C518 3BE8         cmp ebp, eax                ;; one of them is the flag
:0040C51A 757F         jne 0040C59B                ;; if both are not the same, jmp
:0040C51C 8D442424     lea eax, dword ptr [esp+24] ;; the next few lines print the
:0040C520 8D4C2418     lea ecx, dword ptr [esp+18] ;; next string to the About Box
:0040C524 50           push eax                    ;; ...

* Reference To: MFC42.MFC42:NoName0035, Ord:0219h
|
:0040C525 E874550100   Call 00421A9E
:0040C52A 8BF8         mov edi, eax

* Possible StringData Ref from Data Obj ->"This copy of PowerZip is registered "
                                        ->"to"

So we can just get rid of the jump at :0040C51A. This can be done by NOP-ing the jump: change the bytes at C51Ah and C51Bh to 90 (that's the opcode for NOP). NOP means "no operation", which means DO NOTHING. If you did everything correctly you see your name in the message box, and the "...day X of your..." string has disappeared, too.

II.4 Getting the correct serial

If you enter a serial in the "Register PowerZip" window you get an error message saying "The registration number is invalid".
So search for that string and you should see:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041212E(U), :00412135(C)
|
1. :0041213C 8B4F64       mov ecx, dword ptr [edi+64] ;; ecx = entered # (hex)
2. :0041213F 81F914513035 cmp ecx, 35305114           ;; ecx = 35305114 ?
3. :00412145 741C         je 00412163                 ;; if equal, then jump
4. :00412147 81F98883FF1F cmp ecx, 1FFF8388           ;; ecx = 1FFF8388 ?
5. :0041214D 7414         je 00412163                 ;; if equal, then jump
6. :0041214F 3BC8         cmp ecx, eax                ;; ecx = eax ?
7. :00412151 7410         je 00412163                 ;; if equal, then jump
   :00412153 6A00         push 00000000               ;; the next few lines make
   :00412155 6A10         push 00000010               ;; the "Invalid" message
                                                      ;; appear
* Possible StringData Ref from Data Obj ->"The registration number is invalid."

Explanation:

1. The hex value of the serial we entered is moved to ecx. In my case (I entered 666999) it is A2D77.
2. You remember the value 35305114? We saw it when we patched away the "Unregistered" string. It is the hex value of the serial for students, who get a free registration. Convert it to decimal and you can register with a student's license.
3. If you register with a student's license, jump to "Thank you...".
4. You remember the value 1FFF8388? We saw it when we patched away the "Unregistered" string. It is the hex value of the serial for "Non-profit organizations", which get a free registration. Convert it to decimal and you can register with this license.
5. If you register with a non-profit organization's license, jump to "Thank you...".
6. Here the correct serial, which was calculated somewhere before, is compared with the serial we entered. Convert the contents of eax to decimal and you have the correct serial for the name you entered.

Ok, how can we get the contents of eax? Choose Debug/Load Process from the W32Dasm menu and start it without parameters. When the windows appear, choose Goto/Goto Code Location from the W32Dasm menu and enter 412151. Then you are at the well-known jump (see above).
Press F2 to create a breakpoint and try to register PowerZip in the registration box. Enter a name and a serial (it's better if you know the hex value of it). Press the OK button and W32Dasm should break at the breakpoint you placed. Then look at the box on the left that contains the values of the different registers. In my case it looked like this:

EIP=00412151 ;; who cares ?
EAX=0AD635F6 ;; hex value of the correct serial
EBX=0CB002D6 ;; who cares ?
ECX=000A2D77 ;; hex value of the serial you entered
EDX=00000000 ;; who cares ?
ESI=0087F480 ;; who cares ?
EDI=0087F420 ;; who cares ?
EBP=0087EFE0 ;; who cares ?
ESP=0087EF4C ;; who cares ?

So convert the value of eax to decimal and register PowerZip.

Note: You have to use the same name you used when you found the serial.

III. BTW

Hope my tutorial was helpful for you, and see you again in my next tutorial.

Greets to: tKC, ED!SON, M.I., The Sandman, DaVinci and all [hf] members

All Tutorials by LaZaRuS [hf]

 #| date   | name             |version|W32Dasm|Soft-Ice|kind of crack            |
--|--------|------------------|-------|-------|--------|-------------------------|
01|20.01.99|Jaylock           |1,0,0,1|  (X)  |  (X)   |serial#                  |
02|31.01.99|Goldwave          |4.02   |  (X)  |  (X)   |serial#,nag-screens      |
03|28.03.99|AxMan             |3.00   |  (X)  |  (X)   |serial#,remove date-limit|
  |        |                  |       |       |        |nag-screen, key generator|
04|29.03.99|C++Builder Strings|       |  (X)  |  (X)   |how to find strings in   |
  |        |                  |       |       |        |C++ Builder that are not |
  |        |                  |       |       |        |hardcoded                |
05|29.03.99|Better Protection |       |       |        |How to protect shareware |
  |        |                  |       |       |        |better against crackers  |
06|04.04.99|Start Clean       |1.2    |  (X)  |  (X)   |nag-screen/serial/keygen |
07|06.04.99|MP3 TO EXE        |1.02   |  (X)  |  (X)   |nag-screen/serial        |
08|06.04.99|HexDecCharEditor  |1.02   |  (X)  |        |make it registered       |
09|20.04.99|PowerZip          |4.51   |  (X)  |        |serial/time-check/...    |

LaZaRuS [hf]

Visit Hellforge at http://members.xoom.com/hell_crack (currently down) for more tutorials and high quality cracking links.

If you want to mail me: lazarus666@gnwmail.com
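Both patches in this tutorial are tiny: five bytes at C5CC (II.2) and two bytes at C51A (II.3). From the other side of the fence, that is exactly what an integrity check or a comparison against a pristine copy will catch, and an analyst looking at a suspect executable wants the changed bytes reported as virtual addresses, not file offsets, so they can be found in the disassembly. As an added example (not from the tutorial and not PowerZip's code), here is a Python script that diffs two byte images, groups the differences into contiguous ranges, and translates each file offset back to a virtual address by decoding PE section headers, the same @Offset <-> @: mapping W32Dasm displays. The section layout (a single .text section at RVA 1000h backed by file offset 1000h, image base 400000h) and both byte images are constructed so that the result lines up with the addresses in the tutorial; on a real file you would read the section headers from the PE header instead of building them with struct.pack.

```python
import struct
from typing import List, NamedTuple, Optional, Tuple

IMAGE_BASE = 0x400000  # assumed: the usual image base of a 32-bit Win32 EXE


class Section(NamedTuple):
    name: str
    virtual_address: int  # RVA where the section is mapped
    virtual_size: int
    raw_offset: int       # PointerToRawData: where the section lives in the file
    raw_size: int


# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (all little-endian).
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def parse_section_headers(blob: bytes, count: int) -> List[Section]:
    """Decode `count` consecutive IMAGE_SECTION_HEADER records from `blob`."""
    sections = []
    size = struct.calcsize(SECTION_HEADER_FMT)
    for i in range(count):
        (name, vsize, va, rawsize, rawptr, _relocs, _lines,
         _nrelocs, _nlines, _chars) = struct.unpack_from(SECTION_HEADER_FMT, blob, i * size)
        sections.append(Section(name.rstrip(b"\0").decode("ascii"), va, vsize, rawptr, rawsize))
    return sections


def file_offset_to_va(sections: List[Section], offset: int, image_base: int = IMAGE_BASE) -> Optional[int]:
    """Translate a raw file offset to a virtual address (None if it is in no section)."""
    for s in sections:
        if s.raw_offset <= offset < s.raw_offset + s.raw_size:
            return image_base + s.virtual_address + (offset - s.raw_offset)
    return None


def diff_ranges(original: bytes, suspect: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Return (offset, original_bytes, suspect_bytes) for each contiguous run of differing bytes."""
    if len(original) != len(suspect):
        raise ValueError("images differ in size; compare section by section instead")
    ranges, start = [], None
    for i in range(len(original) + 1):
        same = i == len(original) or original[i] == suspect[i]
        if not same and start is None:
            start = i
        elif same and start is not None:
            ranges.append((start, original[start:i], suspect[start:i]))
            start = None
    return ranges


def report(original: bytes, suspect: bytes, sections: List[Section], image_base: int = IMAGE_BASE):
    """List each modified range as (va, file_offset, before_hex, after_hex)."""
    return [(file_offset_to_va(sections, off, image_base), off, a.hex().upper(), b.hex().upper())
            for off, a, b in diff_ranges(original, suspect)]


# --- constructed demo data --------------------------------------------------
# One .text section: RVA 0x1000, 0x10000 bytes, backed by file offset 0x1000,
# so file offset == RVA inside it, as the tutorial's "@:0040C5CC @Offset: 0000C5CC"
# line implies. The byte images are filler (int3) with only the tutorial's
# instruction bytes placed at their offsets.
DEMO_HEADERS = struct.pack(SECTION_HEADER_FMT, b".text", 0x10000, 0x1000, 0x10000, 0x1000,
                           0, 0, 0, 0, 0x60000020)
DEMO_SECTIONS = parse_section_headers(DEMO_HEADERS, 1)


def build_demo_images() -> Tuple[bytes, bytes]:
    pristine = bytearray(b"\xCC" * 0x11000)
    pristine[0xC5CC:0xC5D1] = bytes.fromhex("E8BF000000")  # call 0040C690 from II.2
    pristine[0xC51A:0xC51C] = bytes.fromhex("757F")        # jne 0040C59B from II.3
    tampered = bytearray(pristine)
    tampered[0xC5CC:0xC5D1] = bytes.fromhex("B801000000")  # mov eax, 1
    tampered[0xC51A:0xC51C] = bytes.fromhex("9090")        # two NOPs
    return bytes(pristine), bytes(tampered)


def demo_report():
    pristine, tampered = build_demo_images()
    return report(pristine, tampered, DEMO_SECTIONS)


if __name__ == "__main__":
    for va, off, before, after in demo_report():
        print(f"VA {va:08X} (file offset {off:X}): {before} -> {after}")
```

One detail worth noticing in the output: the five-byte call became a five-byte mov, but only the first two bytes actually differ (E8BF vs B801, the trailing 000000 is shared), so a byte-level diff reports a two-byte range at 40C5CCh. Always disassemble around a reported range rather than reading the changed bytes alone, or the extent of a patched instruction is easy to misjudge.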