1. Introduction
2. Tools
3. Starting up
4. WDasm and ProcDump
5. Hiew
6. The final test
7. Final notes and greets
1. Introduction
Welcome to my second "real" tutorial. Today we're gonna crack a program called Remote Bot version 1.0.1, and it's one of the more stupid programs I have encountered so far, and you will surely think that too after this....
Since the response was really good for my last tut I decided to dedicate this one to all the newbies and explain as much as possible.
So let's get it started then, but first make sure to have some relaxing music on (I prefer trance and techno; it cools me down and makes me more focused).
2. Tools
The following programs are needed to get thru this tut:
Hiew (ver 6.16)
WDasm (ver 8.93)
ProcDump (ver 1.62)
and of course Remote Bot 1.0.1
3. Starting up
Begin by exploring the target and you'll see that there's a string at the top of the program saying "unregistered", and that's something we want to avoid, so try to register. If you entered a wrong serial you'll get a box saying "The key you have entered is invalid.", and that is the string we're gonna be looking for later. But enough for now, cuz we know what our goal is and we know what we're gonna be looking for.
4. WDasm and ProcDump
Open up WDasm...but before you do that, make a copy of WebScripter and rename it to something like "WdasmRemote". This is the file we are gonna use in WDasm. So now we can fire up WDasm and press the only button that's enabled (Open File To Disassemble), and you will get a box asking which file you want to disassemble. Choose the copy you just made.
If you only see crap on the screen you may need to change the font WDasm is using, and to do that follow these lines:
"To choose the font press the "Disassembler" button and then choose "Font..", "Select font". Make your choice and then save it. Sometimes when you are using WDasm for the first time it can be hard to see anything, and that's only because WingDings has been set as the default font. But now everything should be ok."
When WDasm is done disassembling you will see that no code was included!! This is a kind of problem, since we can never find our string, but there is a way, and it's here ProcDump is being used. So close WDasm and start ProcDump. When it opens you will see a box showing you all the tasks currently running, but ignore that for now.
Look to the right and you can see some buttons; choose the PE Editor. Track down your backup file from WDasm, which is the WdasmRemote.exe file. A box comes up with some info, but ignore that and press the Sections button, and a new box shows.
These are the sections that belong to the exe file you got. What I do next is based on some experience; if I had never used ProcDump before or had no knowledge about sections I would have been lost, so I will just tell you what to do, and you will follow.
You will see 3 sections:
.rdata
.data
.rsrc
If you look under "Characteristics" you'll see that .data has the number C0000040, which in short means that the section doesn't contain any code, but we'll edit it so WDasm will read code from that section and like it ;)
To edit, right-click .rdata and choose "Edit section", and in the box that appears change the C0000040 to E0000020. Press OK all the way out of the program to save your settings. Done!
So back to WDasm; open up WdasmRemote.exe and when it's done, many good things have happened.
You will see that the StringDataRef button (it's to the left of the Print button) is enabled, and it is there you will find what we were looking for, so press that button.
In the box that appears, start looking for the string "The key you have entered is invalid.", but to give you a hint, you'll find it almost at the bottom (43 lines from the bottom ;)
When you have found it, just double-click and you will end up 3/4 from the end at address 00427AD3 (maybe it's different on yours).
But stop now for a sec and think: "Where are we and what are we doing here?"
Ok, I can tell you this: we are where the program shows the nag about the invalid serial, so if you go up a couple of lines, that means we will probably get to the place where the decision whether it was a correct serial or not is made. Sounds good?
If not, leave now ;)......but if you decide to stay, do the following.
Just above you will see a jump as shown below:
:00427AC3 DD1C24       fstp qword ptr [esp]
:00427AC6 E8D9F3FFFF   call 00426EA4              <<<< Makes the serial check >>>>
:00427ACB 85C0         test eax, eax              <<<< Was it a good serial? >>>>
:00427ACD 6A00         push 00000000
:00427ACF 750E         jne 00427ADF               <<<< If not, no jump >>>>
:00427AD1 6A10         push 00000010

* Possible StringData Ref from Data Obj ->"The key you have entered is invalid."
                                  |
:00427AD3 68F8014100   push 004101F8
The comments say it all I think...you will clearly see that the jump at address 00427ACF is our goal. So all we need now is to write down the file offset for this address. To do that, make sure the green bar is on address 00427ACF and then look at the bottom and you'll see something like:
@Offset 000264CFh
and that's our offset, but don't include the "h", so our real offset is 264CF. Write it down till later.
As you can see, at address 00427AC6 there is a call to the reg check, so what if we went in there just to make sure that Remote Bot doesn't check the code any more times besides this call....so make the green bar lie over address 00427AC6 and press the right arrow, and you will end up at address 00426EA4 and it will look something like this:
* Referenced by a CALL at Address:
|:00427AC6
|
:00426EA4 55           push ebp
:00426EA5 8BEC         mov ebp, esp
:00426EA7 DD4508       fld qword ptr [ebp+08]
You see that this routine is only called once, and that's where we came from, so by changing the jump we talked about before you do the whole thing. Let's try......
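As an added example (not from the tutorial or from any of the tools it uses), here is a small PE section-table parser in Python that decodes a Characteristics value such as C0000040, maps a disassembler address to the file offset the way the @Offset display does, and flags a section header whose flags no longer match its name, which is how a defender spots the kind of header edit done in the ProcDump step. The image it parses is constructed inline; the section layout and the 0x400000 image base are assumptions chosen so that the tutorial's numbers line up.

```python
import struct
# PE/COFF section Characteristics bits (IMAGE_SCN_CNT_* and IMAGE_SCN_MEM_*)
FLAG_NAMES = {0x00000020: "CODE", 0x00000040: "INITIALIZED_DATA",
              0x20000000: "EXECUTE", 0x40000000: "READ", 0x80000000: "WRITE"}
def decode_characteristics(flags):
    """Turn a Characteristics dword such as C0000040 into the names of the bits it sets."""
    return [name for bit, name in FLAG_NAMES.items() if flags & bit]
def parse_sections(data):
    """Walk DOS header -> PE signature -> COFF header -> section table; one dict per section."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[:2] != b"MZ" or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    coff = e_lfanew + 4
    num_sections, size_opt = struct.unpack_from("<HHIIIHH", data, coff)[1::4]  # COFF fields 1 and 5
    table = coff + 20 + size_opt  # section headers start right after the optional header
    sections = []
    for i in range(num_sections):
        name, vsize, va, rsize, raw, _, _, _, _, flags = struct.unpack_from("<8sIIIIIIHHI", data, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii"), "va": va, "vsize": vsize,
                         "raw": raw, "rsize": rsize, "flags": flags})
    return sections
def va_to_offset(sections, image_base, va):
    """Map a disassembler virtual address to the raw file offset a hex editor needs (None if unmapped)."""
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rsize"]):
            return s["raw"] + (rva - s["va"])
    return None
def audit_sections(sections):
    """Flag headers that look tampered with: data-named section marked code/executable, or any W+X section."""
    findings = []
    for s in sections:
        if s["flags"] & 0x20000020 and s["name"] in (".rdata", ".data", ".rsrc"):  # CODE or EXECUTE set
            findings.append((s["name"], "data-named section marked as code/executable"))
        if (s["flags"] & 0xA0000000) == 0xA0000000:  # WRITE and EXECUTE both set
            findings.append((s["name"], "writable and executable"))
    return findings
def build_sample_pe(layout):
    """Constructed test image: DOS stub, PE signature, COFF header with no optional header, section table."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(layout), 0, 0, 0, 0, 0x102)
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, raw, 0, 0, 0, 0, fl)
                     for n, va, vs, raw, rs, fl in layout)
    return dos + coff + table
# Constructed layout (name, VA, VirtualSize, PointerToRawData, SizeOfRawData, Characteristics); .rdata is placed so VA 00427ACF maps to offset 264CF
LAYOUT = [(b".rdata", 0x2000, 0x30000, 0xA00, 0x30000, 0xC0000040),
          (b".data", 0x32000, 0x1000, 0x30A00, 0x1000, 0xC0000040),
          (b".rsrc", 0x33000, 0x800, 0x31A00, 0x800, 0x40000040)]
ORIGINAL = build_sample_pe(LAYOUT)
PATCHED = build_sample_pe([LAYOUT[0][:5] + (0xE0000020,)] + LAYOUT[1:])  # after the tutorial's ProcDump edit
```

Run `audit_sections(parse_sections(PATCHED))` to see the edited .rdata header reported twice, while the untouched image reports nothing.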
5. Hiew
Start up Hiew, but before doing that you should have another backup of your original exe file, renamed to something like "HiewRemote.exe". Now you are ready to use Hiew; when it has started press Alt+F1 to choose the hard drive it is located on.
Sometimes Hiew takes you directly to the dir you have installed the program in (you can check that by looking at which dir you are currently in). If you are in the Remote dir, choose the backup file you made for Hiew.
Press F4 to choose "Decode" mode.
Now press F5 to enter which offset you wanna go to. Our sacred offset was 264CF. Type it in and you are at the place where you are gonna do the change, so press F3 to go to edit mode.
So how do you want this jump to act? Currently it's gonna jump when a correct serial was given, but what do you say about making it jump no matter if it's a right one or not, you like it? Of course you do, so to do that make sure you're in "Edit mode" and then enter the following:
EB and then press F9 to update the changes......
"But is that it?"
Yes, it's done.....by changing the 750E to EB0E we forced the program to accept any serial as a correct one.....so to exit Hiew press F10 and feel the adrenalin....
6. The final test
So close all applications and start up your patched copy from Hiew and try now to register..
"Thank you for registering your copy of our software!"
This was easier than I thought from the beginning, and even if you restart it you will see "registered" shown at the top.
7. Final notes and greets
Hope you learned something from this tut, and I hope it brings you something till the next tut, which should come very soon...
Greetz to:
--***Lord Anshar**--, --***Kroma**--, --***Bug**--, and all of you I forgot in Lockless Crew!!!
--***paran0ya**--, --***Trk14**--, --***Rude Boy Lelle**--, --***C&G**--, --***Raven**-- in FCC
Special thankz to C&G in Fatalz for accepting me, and I won't forget you either, Lord Anshar.
Remember that the persons weren't written in any special order, so last isn't least.....
by [**>Boba Fett<**]/Fatalz Crack Crew
/Lockless Cracking 2000