L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
              XXXX        proudly presents his 11.Cracking Tutorial (26.04.1999)
               XX                       F-Secure Antivirus 4.02

I.   Tools you need for my tutorial
II.  Cracking with W32Dasm
III. BTW

I.   Tools you need for my tutorial
     Win32Dasm 8.9  (get at http://Qserve.8m.com)


II.  Cracking with Win32Dasm:
     Lately I saw a message at Sandman's Forum about the CIH virus posted by McCodEMaN 
     (greetings, guy :). So I decided to scan my harddrive once again. Luckily no CIH, but a
     virus called G2.Empire.434 in the strange file c:c:\recycled\dc427.obj (Which doesn't even
     seem to exist). Only the AVP part of the program found it, so I think it was a false alert.
     The reason why I write this tutorial is because the crack can be made with *some* amount of
     Zen cracking. The problem with F-Secure is a nagscreen and a time limit (which can be easily
     eliminated by just setting time back :) At first I tried the standard approaches: 
     BPXing in SICE on GetCurrentTime/MessageBox/ShowWindow. They did all break, but I was fastly
     lost in "the dark codewoods". So I thought: "Come on dumbster, not trial-and-error, but ZEN
     is the only way to make a good crack. So I started disassembling F-Prot.exe, but didn't find
     anything interesting (especially not the text of the nag-screen:(. So I searched all files
     for the string "expired". Use the standard Windows file search and choose under options 
     (little problem with translation now) "Text that can be found in file" (really bad 
     translation, I know). Search the F-Secure directory and you find the follwing files:
     Tl16v20.dll, Tl32v20.dll, Trial.dat, Dvp95_0.exe, dvpeng.dll, Fpwm32.dll, F-agnt95.exe.
     Don't you think the name Trial.dat is somehow strange. Have a look at the file. It looks 
     like this.

     <trial> Trial Version of F-Secure Anti-Virus
     This is a free trial version of F-Secure Anti-Virus for Windows.
     This software will expire in %d days.  You can easily acquire a full
     licence by contacting your local dealer or Data Fellows Ltd.

         Data Fellows Ltd.
         Paivantaite 8
         FIN-02210 ESPOO
         tel: +358-9-478 444
         fax: +358-9-4784 4599
         email: F-PROT-Sales@DataFellows.com
         WWW: http://www.DataFellows.com
     </trial>


     <expired> Trial Version of F-Secure Anti-Virus
     This is a free trial version of F-Secure Anti-Virus for Windows.
     The trial period for this software has expired.  You can easily acquire
     a full licence by contacting your local dealer or Data Fellows Ltd.

         Data Fellows Ltd.
         Paivantaite 8
         FIN-02210 ESPOO
         tel: +358-9-478 444
         fax: +358-9-4784 4599
         email: F-PROT-Sales@DataFellows.com
         WWW: http://www.DataFellows.com
     </expired>

     These are the strings that appear in the "evaluation period" and "expired" messageboxes. 
     They are in some kind of wannabe-HTML-tags. Let's hope these tags are called from a DLL or
     EXE. So search again with Windows file search. Now search for "<expired>". Only three files
     to come. Trial.dat (obvious), Dvp95_0.exe, Fpwm32.dll. I don't think that the file 
     F-Prot.exe gets the calls from Dvp95_0.exe, so let's disassemble Fpwm32.dll. There search
     for "<expired>". We see this:

     :00414C71 837B0403                cmp dword ptr [ebx+04], 00000003 ;;expired ?
     :00414C75 751C                    jne 00414C93                     ;;no, then jump
     :00414C77 8D45BC                  lea eax, dword ptr [ebp-44]      ;;fire up "expired"-msg
     :00414C7A 50                      push eax
     :00414C7B 53                      push ebx

     * Possible StringData Ref from Data Obj ->"</expired>"
                                       |
     :00414C7C 6830154800              push 00481530

     * Possible StringData Ref from Data Obj ->"<expired>"
                                       |
     :00414C81 6826154800              push 00481526
     :00414C86 57                      push edi
     :00414C87 E8D5FDFFFF              call 00414A61
     :00414C8C 83C414                  add esp, 00000014
     :00414C8F 8BF0                    mov esi, eax
     :00414C91 EB1A                    jmp 00414CAD                     ;;leave program

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00414C75(C)
     |
     :00414C93 8D45BC                  lea eax, dword ptr [ebp-44]     ;;fire up "evaluation"-msg
     :00414C96 50                      push eax
     :00414C97 53                      push ebx

     * Possible StringData Ref from Data Obj ->"</trial>"
                                       |
     :00414C98 681D154800              push 0048151D
 
     * Possible StringData Ref from Data Obj ->"<trial>"
                                       |
     :00414C9D 6815154800              push 00481515
     :00414CA2 57                      push edi
     :00414CA3 E8B9FDFFFF              call 00414A61
     :00414CA8 83C414                  add esp, 00000014
     :00414CAB 8BF0                    mov esi, eax
     :00414CAD 85F6                    test esi, esi
     :00414CAF 7518                    jne 00414CC9                  ;;jump if Trial.dat is valid
     :00414CB1 6A30                    push 00000030
     :00414CB3 6A00                    push 00000000

     * Possible StringData Ref from Data Obj ->"Missing or invalid TRIAL.DAT"

     If we follow the call at :00414CAF (we have a valid .dat-file) we come to this one:

     :00414CC9 68F6154800              push 004815F6
     :00414CCE 53                      push ebx

     * Possible StringData Ref from Data Obj ->"</options>"   ;; kind of wannebe-HTML (strange)
                                       |
     :00414CCF 6862154800              push 00481562
 
     * Possible StringData Ref from Data Obj ->"<options>"    ;; see above
                                  |
     - snip -

     :00414CED 837B0403                cmp dword ptr [ebx+04], 00000003  ;; expired ?
     :00414CF1 751B                    jne 00414D0E                      ;; no, then jump

     * Possible StringData Ref from Data Obj ->"expiredmsg=0"            ;; strange !
                                       |
     :00414CF3 6878154800              push 00481578
     :00414CF8 57                      push edi

     - snip -

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00414CF1(C)
     |

     * Possible StringData Ref from Data Obj ->"trialmsg=0"              ;; strange
                                       |
     :00414D0E 686D154800              push 0048156D
     :00414D13 57                      push edi

     Don't say you wouldn't try to create an area in Trial.dat that looks like this:

     <options>
     trialmsg=0
     epiredmsg=0
     </options

     I tried and what happened ? The program didn't show the messageboxes :), but it terminated
     immediately after start :(. OK, first victory. One battle is won, the victory of the hole 
     war is still to come.

     I cannot remember the second part of the crack perfectly, but I try to explain it as good
     as possible. OK, we have to find a place where the program terminates. So I went through
     every line in the W32Dasm-Debugger until I found one. It was called when the RET at 
     :00442255 is taken. Then the procedure cw3215._exit is called. So I just bypassed this one
     
     :00441AF7 85FF                    test edi, edi
     :00441AF9 7409                    je 00441B04
     :00441AFB 83BDE0FEFFFF03          cmp dword ptr [ebp+FFFFFEE0], 00000003  ;; expired ?
     :00441B02 7517                    jne 00441B1B                            ;; no? then jump

     I now changed the jne (7517) to jmp (EB17) and had a F-Secure without time limit and nag.
     Why I just took this one ? A little hope, a little luck and (most important) the compare if
     the program is expired is nearly the same as in the code snippets above. What should I say:
     Fortuna was on my side and the crack was done. Sorry for the second part which I wasn't able
     to remember good, If you find a better reason why to take this jmp mail me.

III. BTW
     Hope my tutorial was helpful for you and see you again in my next tutorial. 
     
     Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and 
     all [hf] members


All Tutorials by LaZaRuS [hf]

 #|  date  |   name           |version|W32Dasm|Soft-Ice|kind of crack            |
--|--------|------------------|-------|-------|--------|-------------------------|
01|20.01.99|Jaylock           |1,0,0,1|  (X)  |   (X)  |serial#                  |
02|31.01.99|Goldwave          |4.02   |  (X)  |   (X)  |serial#,nag-screens      |
03|28.03.99|AxMan             |3.00   |  (X)  |   (X)  |serial#,remove date-limit|
  |        |                  |       |       |        |nag-screen, key generator|
04|29.03.99|C++Builder Strings|       |  (X)  |   (X)  |how to find strings in   |
  |        |                  |       |       |        |C++ Builder that are not |
  |        |                  |       |       |        |hardcoded                |
05|29.03.99|Better Protection |       |       |        |How to protect shareware |
  |        |                  |       |       |        |better against crackers  |
06|04.04.99|Start Clean       |1.2    |  (X)  |   (X)  |nag-screen/serial/keygen |
07|06.04.99|MP3 TO EXE        |1.02   |  (X)  |   (X)  |nag-screen/serial        |
08|06.04.99|HexDecCharEditor  |1.02   |  (X)  |        |make it registered       |
09|20.04.99|PowerZip          |4.51   |  (X)  |        |serial/time-check/...    |
10|24.04.99|eKH CrackMe       |1.0    |  (X)  |        |serial                   |
10|25.04.99|F-Secure          |4.02   |  (X)  |        |time limit/nag           |

     
LaZaRuS [hf]
Visit Hellforge at http://come.to/hellforge for more tutorials and high quality cracking links.
If you want to mail me: lazarus666@gnwmail.com