Cracking Tutorial #62:
Cracking Port.Checker.v1.5.0
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 07/2002
[difficulty:] beginner
[where:] http://www.geocities.com/mdrapps/portchk
http://www.download.com
[tOOLz:] W32dasm 8.93 w/vb sdr enabler patch, Hiew 6.x


KANAL23 Tutorial

http://www.kanal23.net


Introduction


A corporate utility that checks for port availability on devices or servers, such as the telnet port, ftp port, or any other port number. A command can be issued or an email message can be sent based upon connectivity result.

A great tool for corporate security teams to detect undesired computer port configurations within a proprietary network. Find out which servers have open ports that shouldn't be open.

I downloaded this one and found it shows a nag screen asking you to register. There is also a trial limit: the program only lets you use it a limited number of times. (This is a VB6 app.)


The Essay


First make the usual backup, then let's crack this thing. Start with the W32Dasm String Data Refs and pull out the strings we need. Here is a shortlist of the most interesting ones:


" : ShareWare by "
"expired"
"Expired"
"Invalid Code"
"Number of trials: "
"Product License: Registered"
"Product License: Unregistered"
"Registered"
"registered"
"Registered, thank you!"
"ShareWare period has expired. "
"Sorry, wrong code. Check your "
"Trial Expired, Please Register!"


Try to register it and you get:

Invalid Code
Sorry, wrong code. Check your syntax.
[OK]


So let's look for the "good" registered message. Double click "Registered, thank you!" and you end up here:


:00424A1E 663BFB cmp di, bx
:00424A21 894DA4 mov dword ptr [ebp-5C], ecx
:00424A24 89459C mov dword ptr [ebp-64], eax
:00424A27 894DB4 mov dword ptr [ebp-4C], ecx
:00424A2A 8945AC mov dword ptr [ebp-54], eax
:00424A2D 0F84C4000000 je 00424AF7
<-our conditional jump (jumps to "invalid code")

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h

:00424A33 8B3D1C124000 mov edi, dword ptr [0040121C]
:00424A39 8D957CFFFFFF lea edx, dword ptr [ebp+FFFFFF7C]
:00424A3F 8D4DBC lea ecx, dword ptr [ebp-44]

* Possible StringData Ref from Code Obj ->"Registered"

:00424A42 C74584BC924000 mov [ebp-7C], 004092BC
:00424A49 C7857CFFFFFF08000000 mov dword ptr [ebp+FFFFFF7C], 00000008
:00424A53 FFD7 call edi
:00424A55 8D558C lea edx, dword ptr [ebp-74]
:00424A58 8D4DCC lea ecx, dword ptr [ebp-34]

* Possible StringData Ref from Code Obj ->"Registered, thank you!"

:00424A5B C7459488924000 mov [ebp-6C], 00409288
:
:lines of code
:

* Reference To: MSVBVM60.rtcMsgBox, Ord:0253h <-VB messagebox


Change this:
:00424A2D 0F84C4000000 je 00424AF7 (file offset 24A2D)
To this:
:00424A2D 909090909090 nopX6
Now it registers with any code!
However, this won't stick when you restart the program: the registered state is checked again at startup.

So lets look for "Product License: Registered"


:00425CAE 0F859A010000 jne 00425E4E <-conditional jump
:
:lines of code
:

* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h
<-vb6 set object

:00425CCF FF15B8104000 Call dword ptr [004010B8]
:00425CD5 898560FFFFFF mov dword ptr [ebp+FFFFFF60], eax

* Possible StringData Ref from Code Obj ->"Product License: Registered"


So change this:
:00425CAE 0F859A010000 jne 00425E4E (file offset 25CAE)
To this:
:00425CAE 909090909090 nopX6

Now run the program: we still get the startup nag, but at least it says Registered now.


Next there is the popup message, and no more trial after running the program 12 times. Stupid nags...

For this area: "Trial Expired, Please Register!"

Just look for the message in the W32Dasm String Refs and go there:

:00425EB9 66837DDC0C cmp word ptr [ebp-24], 000C <-compare the run counter with 000Ch (12 decimal)
:00425EBE 0F8E8A000000 jle 00425F4E
<-jump if it is less than or equal to 12
:00425EC4 C745FC0E000000 mov [ebp-04], 0000000E
:
:lines of code
:

* Reference To: MSVBVM60.__vbaObjSet, Ord:0000h

:00425EDF FF15B8104000 Call dword ptr [004010B8]
:00425EE5 898560FFFFFF mov dword ptr [ebp+FFFFFF60], eax

* Possible StringData Ref from Code Obj ->"Trial Expired, Please Register!"
<-bad


OK, so this only fixes the count shown on the nag screen. It isn't the actual counter for the program; it is just the "day x of 12" text the programmer displays for us. Thank you, programmer...

:00425EBE 0F8E8A000000 jle 00425F4E (file offset 25EBE) <-this only controls the text that shows which day you are on, e.g. 5 of 12. Make it an unconditional jump if you want the nag to show that; otherwise it is useless, and it only counts to 13 anyway.

Change to:
:00425EBE E98B00000090 jmp 00425F4E (E9 plus a 32-bit relative displacement is 5 bytes, so one NOP fills the 6-byte slot)


What we really want is this, the error message when the program expires:

Expired
ShareWare period has expired. Please register it to continue use.
[Close] [Register]

:0041F3F4 6683BDC4FDFFFF0D cmp word ptr [ebp+FFFFFDC4], 000D <-compare the run counter with 000Dh (13 decimal); on the 13th run the jump below is not taken and we fall into the "Expired" message box
:0041F3FC 0F8597010000 jne 0041F599
<-we want this jump to be taken...
:
:lines of code
:

* Possible StringData Ref from Code Obj ->"Expired"

:lines of code

* Possible StringData Ref from Code Obj ->"ShareWare period has expired. "
                                        ->"Please register it to continue "
                                        ->"use."


:0041F3FC 0F8597010000 jne 0041F599 (file offset 1F3FC)
Change this to JE if you are already past the 12-run trial and you get unlimited uses; better, make it a jmp to 0041F599 (E9 98010000 90), which is taken no matter what the counter says.

Another way is to change this:
:0041F3F4 6683BDC4FDFFFF0D cmp word ptr [ebp+FFFFFDC4], 000D
to this:
:0041F3F4 6683BDC4FDFFFFFF cmp word ptr [ebp+FFFFFDC4], FFFF

The idea is to raise the trial to 255 runs. One caveat: this opcode is 83 /7 ib, a 16-bit compare with a sign-extended 8-bit immediate, so the byte FF is compared as FFFFh (-1 as a VB Integer), not 00FFh. A counter that only counts up from zero never equals that, so in practice this patch also gives unlimited runs. The largest positive value that fits in the byte is 7Fh (127 runs); a real 255 would need the 81 /7 iw form with a 16-bit immediate, which is a byte longer and doesn't fit in the slot.
I prefer the unlimited runs, but to each his own...


Where is the damn startup NAG? Let's check out a couple of VB runtime exports and what they mean:

__vbaNew - creates a new VB object instance (the New keyword)
__vbaNew2 - the same, the variant VB6 normally emits

They are not dialog APIs, but a nag form is a class instance that gets created right before it is shown, so breaking on them is the VB equivalent of breaking on DialogBox/DialogBoxParam in a C program.

Run W32Dasm as a debugger and set a breakpoint on every __vbaNew2 reference there is. This takes a little time, but it will find our nag. There are 83 references to __vbaNew2, yet once we start the debugger (Debug, Load Process, Load) only 2 of them break. After we find the location we trace back until we find where it was called from. Tracing back is easy, as I explained in a previous tutorial: you keep setting breakpoints at each call and jump until the nag pops up. Once you find where it is located, if it's a jump, reverse it; if it's a call, find a jump that passes it, or sometimes you must trace into the call and follow it to the correct location.

The one we want is this one:

:0041F626 FF97B0020000 call dword ptr [edi+000002B0] <-call nag

Just NOP it out. It's cheesy, but it works: no more nag. (NOPing a call leaves anything pushed for it on the stack and leaves eax as it was; it worked here, but if another build crashes at this point, reverse the jump that leads to the call instead.)

Change to:
:0041F626 909090909090 nopX6
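Added example (mine, not part of the tutorial): a patcher that applies all five changes above by virtual address instead of by hand-typed file offset. It maps each W32Dasm VA to the file offset Hiew would use through the PE section table, encodes the two jmp rel32 replacements instead of computing the displacement by hand, verifies the original bytes before overwriting them, and shows what the CPU really compares for the 83 /7 ib trick. The addresses and byte patterns are the tutorial's; the PE built by build_sample_pe is a constructed stand-in for the EXE (with raw and virtual offsets deliberately different, whereas in the tutorial's binary they coincide, which is why its Hiew offsets are simply VA minus 400000h).

```python
"""Apply the tutorial's patches to a PE32 file by VA; constructed sample PE for offline runs."""
import struct
import sys

NOP = b"\x90"


def parse_pe32(pe: bytes):
    """Return (image_base, [(rva, vsize, raw_ptr, raw_size), ...]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:    # PE32 magic; VB6 EXEs are 32-bit
        raise ValueError("not a PE32 image")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(nsec):
        _name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_offset(pe: bytes, va: int) -> int:
    """Translate a W32Dasm virtual address into the file offset Hiew needs."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            if delta >= raw_size:
                raise ValueError(f"VA {va:#x} lies in the virtual-only part of its section")
            return raw_ptr + delta
    raise ValueError(f"VA {va:#x} is not inside any section")


def jcc_target(code: bytes, va: int) -> int:
    """Destination of a 6-byte 0F 8x rel32 conditional jump located at va (sanity check)."""
    if code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        raise ValueError("not a Jcc rel32")
    return va + 6 + struct.unpack_from("<i", code, 2)[0]


def jmp_rel32(src_va: int, dst_va: int, slot: int) -> bytes:
    """E9 rel32 from src_va to dst_va, NOP-padded to fill the `slot` bytes of the old instruction."""
    return b"\xE9" + struct.pack("<i", dst_va - (src_va + 5)) + NOP * (slot - 5)


def imm8_as_word(imm8: int) -> int:
    """What `83 /7 ib` (cmp r/m16, imm8) really compares: the byte is sign-extended to 16 bits."""
    return imm8 | 0xFF00 if imm8 & 0x80 else imm8


# (VA, bytes W32Dasm shows there, replacement); every entry is taken from the tutorial above
PATCHES = [
    (0x00424A2D, bytes.fromhex("0F84C4000000"), NOP * 6),                               # je  -> any code registers
    (0x00425CAE, bytes.fromhex("0F859A010000"), NOP * 6),                               # jne -> "Product License: Registered"
    (0x00425EBE, bytes.fromhex("0F8E8A000000"), jmp_rel32(0x00425EBE, 0x00425F4E, 6)),  # jle -> jmp (nag day text)
    (0x0041F3FC, bytes.fromhex("0F8597010000"), jmp_rel32(0x0041F3FC, 0x0041F599, 6)),  # jne -> jmp (expiry check)
    (0x0041F626, bytes.fromhex("FF97B0020000"), NOP * 6),                               # call [edi+2B0] -> no nag
]


def apply_patches(pe: bytes, patches=PATCHES) -> bytes:
    """Overwrite each site only if the expected original bytes are there (refuses a wrong build)."""
    out = bytearray(pe)
    for va, orig, new in patches:
        off = va_to_offset(pe, va)
        if len(new) != len(orig):
            raise ValueError(f"replacement at {va:#x} must keep the instruction length")
        if out[off:off + len(orig)] != orig:
            raise ValueError(f"bytes at {va:#x} (offset {off:#x}) are {out[off:off + len(orig)].hex()}, not {orig.hex()}")
        out[off:off + len(new)] = new
    return bytes(out)


def patches_applied(pe: bytes, patches=PATCHES) -> bool:
    """True when every site already holds its replacement bytes (idempotence check)."""
    return all(pe[va_to_offset(pe, va):va_to_offset(pe, va) + len(new)] == new for va, _, new in patches)


def build_sample_pe(image_base=0x400000, rva=0x1000, raw_ptr=0x400, size=0x26000) -> bytes:
    """Constructed PE32 stand-in (NOT the real Port Checker) holding the original bytes at the tutorial's VAs."""
    hdr = bytearray(raw_ptr)
    hdr[:2] = b"MZ"
    pe_off, opt_size = 0x80, 224
    struct.pack_into("<I", hdr, 0x3C, pe_off)
    hdr[pe_off:pe_off + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", hdr, pe_off + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)   # i386, one section
    opt = pe_off + 24
    struct.pack_into("<H", hdr, opt, 0x10B)
    struct.pack_into("<I", hdr, opt + 28, image_base)
    struct.pack_into("<8sIIII", hdr, opt + opt_size, b".text", size, rva, size, raw_ptr)
    body = bytearray(size)
    for va, orig, _ in PATCHES:
        start = va - image_base - rva
        body[start:start + len(orig)] = orig
    return bytes(hdr + body)


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_sample_pe()
    for va, orig, new in PATCHES:
        print(f"{va:08X} -> file offset {va_to_offset(data, va):06X}: {orig.hex()} => {new.hex()}")
    patched = apply_patches(data)
    if path:
        open(path + ".patched", "wb").write(patched)
```

Run it with the EXE path as the only argument and it writes a `.patched` copy next to it; with no argument it patches the constructed sample. Because every site is checked against the bytes W32Dasm showed, a different build or version of the program is refused instead of being silently corrupted, which is the check a hand edit in Hiew does not give you.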

Final thoughts


Lodi Dodi......
Laterz!


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and such things.
Kanal23 is signing out for now.