Name     : VirusScan
Version  : 4.0.3
Editor   : McAfee
Target   : Navw32.exe
Tools    : W32Dasm 8.93, Hiew 6.16, Brain
Cracker  : LW2000
Tutorial : No.15
ftp://ftp.nai.com/pub/antivirus/win95/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

Please excuse my poor English, it's not my mother tongue....

1. McAfee VirusScan has no option to enter any kind of registration code, but in the About box we see "About McAfee VirusScan Evaluation Copy". Write it down. Load VirusScan into W32Dasm and go to the String Data References. Double-click on "About McAfee VirusScan Evaluation Copy" and close the SDR window.

* Possible Reference to Dialog: DialogID_0067, CONTROL_ID:0452, "McAfee VirusScan"
|
:004014CD 6852040000       push 00000452
:004014D2 55               push ebp
:004014D3 FFD6             call esi
:004014D5 50               push eax
:004014D6 FFD7             call edi
:004014D8 8D842470010000   lea eax, dword ptr [esp+00000170]
:004014DF 6804010000       push 00000104
:004014E4 50               push eax
:004014E5 E8F6E30000       call 0040F8E0
:004014EA 83C408           add esp, 00000008
:004014ED 85C0             test eax, eax
:004014EF 7411             je 00401502          <---- First Test!!!
:004014F1 8D4C246C         lea ecx, dword ptr [esp+6C]
:004014F5 6804010000       push 00000104
:004014FA 51               push ecx

* Possible Reference to String Resource ID=40120: "About McAfee VirusScan OEM Edition"
|
:004014FB 68B89C0000       push 00009CB8
:00401500 EB27             jmp 00401529

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004014EF(C)
|
:00401502 8B842488040000   mov eax, dword ptr [esp+00000488]
:00401509 6804010000       push 00000104
:0040150E 83F801           cmp eax, 00000001
:00401511 750C             jne 0040151F         <--- jumps to Evaluation Version
:00401513 8D542470         lea edx, dword ptr [esp+70]
:00401517 52               push edx

* Possible Reference to String Resource ID=40102: "About McAfee VirusScan"
|
:00401518 68A69C0000       push 00009CA6
:0040151D EB0A             jmp 00401529

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401511(C)
|
:0040151F 8D442470         lea eax, dword ptr [esp+70]
:00401523 50               push eax

* Possible Reference to String Resource ID=40103: "About McAfee VirusScan Evaluation Copy"

2. At address 4014EF we see a first check. If this check fails, the proggy jumps to the OEM version. Hey, that's not what we want.. *G* Let's fix it. I think you know what to do... (... note the offset, start Hiew, go to the offset, change je to jmp, save...)

But there is still a second test at 401511. Let's fix it, too. NOP it! (... note the offset, start Hiew, go to the offset, change 750C (jne) to 9090 (2x NOP), save...)

3. Looks fine, but after a 30-day trial the proggy shows a message and exits. Note the message and click on the SDR window. Double-click on our message. Close the SDR window.

This is what we've got:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F55F(C)
|
* Possible StringData Ref from Data Obj ->"ECLicenseFunction"
|
:0040F56E 68C4794300       push 004379C4
:0040F573 53               push ebx

* Reference To: KERNEL32.GetProcAddress, Ord:0116h
|
:0040F574 FF1578E84300     Call dword ptr [0043E878]
:0040F57A 8BD8             mov ebx, eax
:0040F57C 85DB             test ebx, ebx
:0040F57E 0F84BE000000     je 0040F642
:0040F584 E8B7020000       call 0040F840
:0040F589 85C0             test eax, eax
:0040F58B 7510             jne 0040F59D
:0040F58D 8B842428020000   mov eax, dword ptr [esp+00000228]
:0040F594 85C0             test eax, eax

* Possible Reference to String Resource ID=00002: "In Folder"
|
:0040F596 B802000000       mov eax, 00000002
:0040F59B 7405             je 0040F5A2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F58B(C)
|
* Possible Reference to String Resource ID=00005: "&Clean File"
|
:0040F59D B805000000       mov eax, 00000005

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F59B(C)
|
:0040F5A2 8D4C2470         lea ecx, dword ptr [esp+70]
:0040F5A6 8D542418         lea edx, dword ptr [esp+18]
:0040F5AA 51               push ecx
:0040F5AB 52               push edx
:0040F5AC 8D8C2488000000   lea ecx, dword ptr [esp+00000088]
:0040F5B3 6814BF4300       push 0043BF14
:0040F5B8 51               push ecx
:0040F5B9 56               push esi
:0040F5BA 50               push eax
:0040F5BB FFD3             call ebx
:0040F5BD 8B44242C         mov eax, dword ptr [esp+2C]
:0040F5C1 83C418           add esp, 00000018
:0040F5C4 85C0             test eax, eax
:0040F5C6 7410             je 0040F5D8
:0040F5C8 837C247803       cmp dword ptr [esp+78], 00000003
:0040F5CD 7509             jne 0040F5D8

* Possible Reference to String Resource ID=00100: "YES"
|
:0040F5CF C7400864000000   mov [eax+08], 00000064
:0040F5D6 EB6A             jmp 0040F642

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F5C6(C), :0040F5CD(C)
|
:0040F5D8 837C247001       cmp dword ptr [esp+70], 00000001
:0040F5DD 7563             jne 0040F642
:0040F5DF 8D942420010000   lea edx, dword ptr [esp+00000120]
:0040F5E6 6800010000       push 00000100
:0040F5EB 52               push edx

* Possible Reference to String Resource ID=03145: "The program license has expired. You must purchase to conti"

We scroll up to see where the message is called and find two references: two jumps, the first at 40F5C6 and the second at 40F5CD. Then we see 0040F5D6 jmp 0040F642; this is the jump to the program start. Scroll a bit further up to see a reference to address 0040F59B. From there we jump to the piece of code that pops up the message box. At 40F58B is another check. We'll put our jump to the program start (jmp 0040F642) here. By doing this, we knock out the message box and the proggy can be used beyond the trial time.

Congratulations! You have cracked McAfee VirusScan.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
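Every edit in this tutorial is a one- or two-byte change to a conditional branch, and the program notices nothing because the release carries no integrity check over its own code. The Python below is an added example written for this page (not part of the tutorial and not McAfee's code) of the check a vendor or a file-integrity monitor uses to catch exactly that class of tampering: a digest of the released code region, stored outside the patchable image, is compared against the bytes on disk and any differing offsets are reported. The region is constructed from the opcode bytes the W32Dasm listing shows for the two About-box checks and is a stand-in, not an extract of the real Navw32.exe.

```python
import hashlib
import hmac

# Constructed sample region: the bytes W32Dasm lists for the two checks
# (test eax,eax / je 00401502 and cmp eax,1 / jne 0040151F), joined as a
# stand-in for a code region the vendor wants to protect.
RELEASED_REGION = bytes.fromhex("85C0" "7411" "83F801" "750C")

# Digest computed at build time. It must live outside the patchable image
# (signed manifest, package signature, or a defender's baseline database);
# a digest stored next to the code can be patched along with it.
RELEASED_DIGEST = hashlib.sha256(RELEASED_REGION).hexdigest()

# Constructed copy carrying the two edits the tutorial describes, used only
# to show that the check rejects it.
TAMPERED_REGION = bytes.fromhex("85C0" "EB11" "83F801" "9090")


def region_digest(region: bytes) -> str:
    """SHA-256 over a code region, hex-encoded."""
    return hashlib.sha256(region).hexdigest()


def verify_region(region: bytes, expected_digest: str) -> bool:
    """True only if the region is byte-for-byte what was released.

    compare_digest avoids leaking how many leading hex digits matched.
    """
    return hmac.compare_digest(region_digest(region), expected_digest)


def changed_offsets(released: bytes, current: bytes) -> list:
    """Offsets (relative to region start) whose bytes differ, for a triage report.

    A length mismatch is reported as every offset past the common prefix.
    """
    common = min(len(released), len(current))
    diffs = [i for i in range(common) if released[i] != current[i]]
    diffs.extend(range(common, max(len(released), len(current))))
    return diffs


def check(current: bytes) -> dict:
    """Integrity verdict plus the offsets to look at when the verdict is bad."""
    intact = verify_region(current, RELEASED_DIGEST)
    return {
        "intact": intact,
        "changed_offsets": [] if intact else changed_offsets(RELEASED_REGION, current),
    }


if __name__ == "__main__":
    print("released:", check(RELEASED_REGION))   # intact, no offsets
    print("tampered:", check(TAMPERED_REGION))   # not intact, offsets 2, 7, 8
```

The three reported offsets are the je opcode turned into jmp and the two bytes of the jne replaced by NOPs, which is the whole footprint the tutorial's first two patches leave. The caveat that matters in practice: a self-check compiled into the executable is just another branch to patch, so the reference digest and the code that compares it need an anchor the attacker cannot edit, such as a signature verified by the loader or a baseline held by an endpoint agent.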