Target: Black Widow 3.63
From: www.softbytelabs.com
Size: 2.14 MB
Tools: SoftIce, W32dasm, Hiew
Description:
Because I haven't written any tutorial about VB programs yet, I'm doing it now. I chose this program by accident and, frankly speaking, I'm not interested in it (VB stuff sucks ;-)). But cracking this program is different from the usual VB tricks. Its big advantage is its simplicity :)
Reconnaissance:
The program can be run in two ways, with the browser or without it. In both cases the behaviour is the same. So let's start by running _BlackWidow.exe. We see a nice window with the caption 'You have ... days to evaluate BlackWidow etc.'. As we can find out, when the trial period ends the program informs us about it. Let's check it: move the system date a few months forward and run the program again. 'Your evaluation period has now expired etc.'. Cool. Let's set the date back to the correct one and start working. In the registration window we type random data, and in SoftIce we set the standard VB breakpoint:
bpx MultiByteToWideChar
Then press OK. We land in BlackWidow's code (F11, then F10 a few times). Now let's try to find the addresses in memory where our registration data is.
Newbies Note!
Visual Basic stores text as so-called 'wide' strings, i.e. a 00 byte is placed after each character byte. So '49 77 61 6E' in VB is '49 00 77 00 61 00 6E'.
We don't have to convert the whole text ('You have ... days to evaluate BlackWidow ...'); the first few characters will be enough. So we change:
Y  o  u     h  a  v  e
59 6F 75 20 68 61 76 65 20
into
59 00 6F 00 75 00 20 00 68 00 61 00 76 00 65 00 20
and we're looking for these bytes in memory:
S 30:0 L FFFFFFFF 59 00 6F 00 75 00 20 00 68 00 61 00 76 00 65 00 20
Many such places may be found. But remember to choose only those which are in BlackWidow's data. You will recognise them by looking at the string between the data window and the register window: _BLACKWIDOW!.text. I found only one address: 41CCBC (don't be misled by 'You have entered an invalid registration number', which begins the same way). Let's remember it.
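As an added example (not part of the original tutorial), the following Python builds the wide-string byte pattern the SoftIce search uses and scans a constructed memory image, showing why the prefix 'You have ' also hits the 'invalid registration number' message and how reading the full string back tells the two apart. The image contents and addresses are constructed, not taken from the real binary.

```python
# Added example, not part of the original tutorial. Builds the "wide" (UTF-16LE)
# byte pattern that SoftIce's S command searches for, then scans a constructed
# memory image so the hits can be told apart by reading back the full string.

def to_wide(text: str) -> bytes:
    """VB stores strings as UTF-16LE: a 00 byte follows every ASCII character."""
    return text.encode("utf-16-le")


def softice_search_cmd(text: str) -> str:
    """Format the pattern the way the tutorial types it: S 30:0 L FFFFFFFF <bytes>."""
    hex_bytes = " ".join(f"{b:02X}" for b in to_wide(text))
    return f"S 30:0 L FFFFFFFF {hex_bytes}"


def find_wide(image: bytes, text: str, base: int = 0) -> list:
    """Return (address, full_string) for every hit of the wide prefix in the image.

    The full string is recovered by decoding UTF-16LE up to the 00 00 terminator,
    which is what distinguishes the trial banner from the lookalike message.
    """
    needle = to_wide(text)
    hits = []
    pos = image.find(needle)
    while pos != -1:
        end = pos
        while end + 1 < len(image) and image[end:end + 2] != b"\x00\x00":
            end += 2
        hits.append((base + pos, image[pos:end].decode("utf-16-le")))
        pos = image.find(needle, pos + 2)
    return hits


# Constructed memory image (the base address is constructed too).
IMAGE_BASE = 0x41CC00
MEMORY = (
    to_wide("Your evaluation period has now expired") + b"\x00\x00" +
    to_wide("You have entered an invalid registration number") + b"\x00\x00" +
    to_wide("You have 30 days to evaluate BlackWidow") + b"\x00\x00"
)


if __name__ == "__main__":
    print(softice_search_cmd("You have "))
    for addr, s in find_wide(MEMORY, "You have ", IMAGE_BASE):
        print(f"{addr:08X}  {s}")
```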
We proceed the same way with the second text, 'Your evaluation period...':
Y  o  u  r     e  v
59 00 6F 00 75 00 72 00 20 00 65 00 76 00
so:
S 30:0 L FFFFFFFF 59 00 6F 00 75 00 72 00 20 00 65 00 76 00
This time we get only one result. For me it is 41CC68. Remember it and leave SoftIce (don't forget bc *). Disassemble _BlackWidow.exe in W32dasm. Then look for references to our addresses. The reference to the first address is here:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0047AF7B(C)
:0047B2E9 push 0041CCBC <- see?
:0047B2EE push eax
The reference to the first window can be found here:
* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
:0047AF81 mov edi, dword ptr [004AD570]
:0047AF87 mov edx, 0041CC68
So let's start analysing the program from the second fragment of code, checking which instruction leads to it. Press the UP arrow and look for interesting things (comparisons, procedure calls):
This fragment is the interesting one:
:0047AE2E call 0047BD40
:0047AE33 xor edx, edx
:0047AE35 cmp eax, 0202BFDA
:0047AE3A setne dl
:0047AE3D or edi, edx
:0047AE3F jne 0047AE4E
The first line calls a procedure, then the EDX register is zeroed and the EAX register is compared with a magic number. If they are NOT equal, dl=1 and we jump to 47AE4E. What will we find there? (Incomplete fragment of the listing):
:0047AE4E cmp dword ptr [004A30EC], 00000001 <- is the trial period over?
:0047AE55 jl 0047AF62 <- jump if yes
(...)
:0047AF62 mov esi, dword ptr [004AD5EC] <- to here
:0047AF68 Call dword ptr [004AD52C]
:0047AF6E mov eax, dword ptr [004A30EC] <- remaining time in EAX
:0047AF73 fstp dword ptr [004A30F4] <- ???
:0047AF79 cmp eax, ebx <- compare time with 0 (in EBX)
:0047AF7B jg 0047B2E9 <- if time <> 0 then 'You have ... days'
:0047AF81 mov edi, dword ptr [004AD570]
:0047AF87 mov edx, 0041CC68 <- if not, 'Your evaluation...'
(...)
:0047B2E9 push 0041CCBC <- remember this address?
:0047B2EE push eax
Well. It's not for us. Check where it begins. Here:
:0047AE2E call 0047BD40
So let's see what hides here:
* Referenced by a CALL at Addresses:
:0042F62B , :00440931 , :00440999 , :0044BD2B , :0044D241
:0044D46D , :0045AB44 , :0045ABD0 , :004601E2 , :0046026E
:00471BD5 , :0047AE2E , :004981BC

:0047BD40 55         push ebp
:0047BD41 8BEC       mov ebp, esp
:0047BD43 83EC18     sub esp, 00000018
:0047BD46 68165F4000 push 00405F16
...
As we see, ours is one of 13 calls to this procedure. If we patiently check all these addresses, we see that after returning from the procedure we always find a similar fragment of code, e.g.:
:0042F62B call 0047BD40
:0042F630 xor edx, edx
:0042F632 cmp eax, 0202BFDA
:0042F637 setne dl
:0042F63A or esi, edx
:0042F63C test esi, esi
:0042F63E je 0042F741
We have seen this before (0202BFDA), so we know where it leads :-(. So what to do now? It is simple: change 'setne dl' into 'sete dl' (0F95 into 0F94) after each of these calls. We can do the same thing with the second file, BlackWidow.exe. I propose not collecting all the offsets from W32dasm, because it's rather tiring. We'd better run Hiew and change every 'setne' into 'sete' following 'cmp eax, 0202BFDA'. After all that, we run BlackWidow, register ourselves and look at About... Kewl, we're there, dude! Now we can uninstall BlackWidow :-)
If you're looking for a serial number only, then you're in the wrong place. The steps described above are meant to analyse the code and work out the scheme of its protection. If you're going to use this program longer than it's allowed, buy it (this doesn't apply to M$ products). It will allow programmers to improve their programs, and their protections.
18-03-99 by iwan (iwy@friko.onet.pl)
17.04.99 translated by Ptasiek (dreadpl@polbox.com)