January 1999

"Newsferret v0.9500 beta"

(Resurrecting a dead program)

Win '95/'98 PROGRAM

Win Code Reversing

by Punisher 

Cracking 4 Newbies 

Program Details

Program Name: Newsferr.exe

Program Type: News Finder

Program Location: http://www.softseek.com/

Program Size: 588 KB 

   Tools Used:

Soft-Ice -- Debugger

Hacker's View - HexEditor

Rating

Easy ( X )  Medium (   )  Hard (    )  Pro (    ) 

There is a crack, a crack in everything. That's how the light gets in.

 


News Ferret v0.9500 Beta

(Resurrecting a dead program)

Written by Punisher

  

Introduction

 
The author(s) of this program can be found at: http://www.ferretsoft.com
 
The author says:

" NewsFerret is the easiest way to locate and download the Usenet articles you want on the Internet. NewsFerret automatically queries the news servers which store these articles to quickly and efficiently find Usenet posts on the subject(s) you are looking for. It has the ability to utilize any of these news servers and to search all and any combination of the news groups available. Once the articles are found NewsFerret returns the results in a neat readable format which can be easily manipulated and utilized, allowing you to view the contents of the article. "

 

About this protection system

 

This program is disabled on a preset date. There is no registration scheme at all: it is a beta version that simply stops working after 15 March 1997.

 

THE ESSAY

I decided to get a Usenet newsreader because the one I had (Microsoft intershit mail) was freezing up at crucial times. I went to one of my favourite shopping plazas, Softseek.com, downloaded a couple of proggies, one of them News Ferret, and proceeded to install it.

Up popped a nasty nag screen telling me that NewsFerret was a beta version and had expired on 15 March 1997. I clicked the OK button hoping the installation would continue, and was not surprised to see the program terminate instead. So I decided to try to crack the program and see what it had to offer.

I ran the installation again and had a closer look at the nag screen. Seeing only an OK button, a message box icon and the nag text, I concluded that it was an ordinary MessageBox.

So I fired up my ICE (sorry, Soft-Ice) and set a breakpoint on GetLocalTime. I break on GetLocalTime rather than on MessageBoxA because I want to land where the program reads the date and decides whether it has expired; the MessageBox is only called as a result of that decision. So I will look for the conditional jump that decides between the MessageBox and the normal path. If the date has not expired that jump is taken and the installation continues.

Enter Soft-Ice by pressing ctrl-d. Set a breakpoint on GetLocalTime. eg:-

>>> BPX GETLOCALTIME

Leave Soft-Ice by pressing ctrl-d and start the NewsFerret installation. Soft-Ice breaks in at GetLocalTime. We will ignore the first break: type x and press [ENTER]. Soft-Ice breaks again in GetLocalTime. Press F11 to return to the function that called GetLocalTime; you are now in NewsFerr code immediately after the call. Single-step with F10 to get out of that function. After stepping over its RET you will be in the function that makes the MessageBox call.

We will now look for the MessageBox call. Hold down [CTRL] and press [PGDN] to scroll the code window until you see it. A little before the MessageBox call you will see this piece of code:-

0137:0040356C   3BF0         CMP ESI, EAX
0137:0040356E   7E2A         JLE 0040359A ; jumps past the messagebox.
0137:00403570   53           PUSH EBX
0137:00403571   680A094100   PUSH 0041090A

Look at JLE 0040359A: this instruction jumps past the call to the MessageBox. It is the instruction we have to change in order for the program to bypass the MessageBox and install News Ferret.

Step with F10 until you are on the JLE 0040359A instruction. We are going to change the JLE to JA. JLE means Jump if Less or Equal (a signed comparison); JA means Jump if Above (unsigned). Note that this inverts the test rather than removing it: after the patch the jump is taken exactly when the comparison says the program has expired, which from now on is always the case. If you want the check gone altogether, an unconditional short JMP (opcode EB) has the same two-byte length as the short JLE (7E) and can replace it directly.

With the JLE highlighted, type A and press [ENTER]. Soft-Ice shows the address of the JLE and waits for the new instruction. Type JA 0040359A, press [ENTER] and then [ESC]. The JLE is now a JA and the program will jump past the MessageBox.

We will now disable all breakpoints and let the program run. Type BD * and press [ENTER] to disable them (BC * clears them for good), then type x and press [ENTER].

The installation program screen will come up. Follow the instructions and install News Ferret.

Now run News Ferret. We are hit with the same nag screen as in the installation, and pressing the OK button terminates the program. We are going to use GetLocalTime again to ferret out (pardon the pun) this MessageBox call and crack the program for life.

Set a breakpoint on GetLocalTime and run the program. Soft-Ice breaks at GetLocalTime. There are two calls to GetLocalTime before the one we want, so we bypass those two by typing x and pressing [ENTER]; this is done twice.

At the third call to GetLocalTime press F12 to return to the caller; you are now in the code of Newsferr. Step with F10 until you come to this code:-

0137:00488E89   3BF0          CMP ESI, EAX
0137:00488E8B   0F8E79010000  JLE 0048900A ; bad jump
0137:00488E91   8D5588        LEA EDX, [EBP-78]
0137:00488E94   52            PUSH EDX

Step until you are on JLE 0048900A. Look at this instruction: when it is taken it jumps past the MessageBox and the program runs. We will change this jump from JLE to JA so that the program starts every time.

Write down the hexadecimal opcode bytes from the CMP up to and including the LEA EDX, [EBP-78]. They are shown just before the assembly mnemonics. You should write this:-

>>> 3BF00F8E790100008D5588

This is what we will search for in Hacker's View.

With the JLE highlighted, press A to assemble over that line. You are shown the address of the JLE. Now type:-

>>> JA 0048900A

Press [ENTER] and then [ESC]. The JLE is now a JA. Write down the hex bytes from the CMP to the LEA instruction again. You should now have this:-

>>> 3BF00F87790100008D5588

This is what we will replace them with in Hacker's View. Note that only one nibble differs: the near JLE is encoded 0F 8E and the near JA is 0F 87, while the displacement 79 01 00 00 stays the same.

If you look further down you will see the call to the MessageBox. With the JLE changed to JA the call is bypassed and the program loads.

Now disable all breakpoints (BD *) and let the program run (x). News Ferret starts and you can evaluate it.

To make your changes permanent you have to patch Newsferr.exe on disk with Hacker's View (Hiew). Make a backup copy of the file first. Start Hiew, load Newsferr.exe, press F4 and then F3 to get the file listed in assembly language.

Press F7 to search, type in the first set of hex bytes you wrote down and press [ENTER]. Hiew searches and positions you on the bytes you searched for. Make sure the search finds exactly one match; patching a second occurrence of the same bytes would corrupt the program.

Now press F3 to edit the file and change the 8E to 87, i.e. replace the single E nibble with 7, so that the bytes match the second set you wrote down:

3BF00F8E790100008D5588 <-- E is replaced with 7

  |

3BF00F87790100008D5588

Save the file with F9 and exit with F10.
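The same patch as a small script instead of a Hiew session. This is an added example, not code from the essay or from FerretSoft: it searches for the first byte string written down above, insists on exactly one match, rewrites the condition nibble of the JLE (near 0F 8E to 0F 87, or short 7E to 77 for the installer check), and can alternatively turn the jump into an unconditional one, which is the caveat raised under the first patch. The byte strings are the ones quoted in the essay; the sample "image" used in the checks and the file names in the usage line are constructed and assumed.

```python
"""
Patch the NewsFerret expiry jump in bytes instead of Hiew keystrokes (added example).

x86 conditional jumps have two encodings; the low nibble of the opcode is the condition:
    short:  7c rel8        7E 2A             = JLE +0x2A   (the installer check)
    near:   0F 8c rel32    0F 8E 79 01 00 00 = JLE +0x179  (the program check)
JLE is c = 0xE and JA is c = 0x7, which is why the Hiew edit above is a single nibble.
The byte strings below are the ones the essay has you write down; the sample image in
the checks and the file names in the usage line are constructed, not from the page.
"""
import sys

# Condition-code nibble <-> mnemonic (the subset relevant to a date comparison).
CC_TO_MNEMONIC = {0x2: "JB", 0x3: "JAE", 0x4: "JE", 0x5: "JNE", 0x6: "JBE", 0x7: "JA",
                  0xC: "JL", 0xD: "JGE", 0xE: "JLE", 0xF: "JG"}
MNEMONIC_TO_CC = {m: c for c, m in CC_TO_MNEMONIC.items()}

# CMP ESI,EAX ; JLE +0x179 ; LEA EDX,[EBP-78]   (as written down before the patch)
ORIGINAL = bytes.fromhex("3BF00F8E790100008D5588")
# CMP ESI,EAX ; JA  +0x179 ; LEA EDX,[EBP-78]   (as written down after the patch)
PATCHED = bytes.fromhex("3BF00F87790100008D5588")


def find_all(data: bytes, pattern: bytes) -> list:
    """Every offset of pattern in data; the caller must insist on exactly one hit."""
    hits, start = [], 0
    while (i := data.find(pattern, start)) >= 0:
        hits.append(i)
        start = i + 1
    return hits


def decode_jcc(data: bytes, off: int):
    """Return (index of the byte holding the condition nibble, condition, length)."""
    if data[off] == 0x0F and (data[off + 1] & 0xF0) == 0x80:
        return off + 1, data[off + 1] & 0x0F, 6        # near form: 0F 8c rel32
    if (data[off] & 0xF0) == 0x70:
        return off, data[off] & 0x0F, 2                # short form: 7c rel8
    raise ValueError(f"no Jcc at offset {off:#x}")


def retarget_jcc(data: bytes, off: int, new_mnemonic: str):
    """Change only the condition of the Jcc at off; length and displacement stay put.
    Returns (patched bytes, mnemonic that was there before)."""
    idx, old_cc, _ = decode_jcc(data, off)
    out = bytearray(data)
    out[idx] = (out[idx] & 0xF0) | MNEMONIC_TO_CC[new_mnemonic]
    return bytes(out), CC_TO_MNEMONIC[old_cc]


def make_unconditional(data: bytes, off: int) -> bytes:
    """Replace the Jcc at off with an always-taken jump of the same total length:
         7c rel8     -> EB rel8
         0F 8c rel32 -> 90 E9 rel32   (NOP, then JMP rel32; the jump still ends at the
                                       same address, so the displacement remains valid)"""
    _, _, length = decode_jcc(data, off)
    out = bytearray(data)
    if length == 2:
        out[off] = 0xEB
    else:
        out[off], out[off + 1] = 0x90, 0xE9
    return bytes(out)


def jcc_taken(mnemonic: str, lhs: int, rhs: int) -> bool:
    """Is the jump taken after CMP lhs, rhs?  JLE/JG compare signed, JA/JBE unsigned."""
    u_l, u_r = lhs % 2**32, rhs % 2**32                          # 32-bit register values
    s_l, s_r = u_l - (u_l >> 31) * 2**32, u_r - (u_r >> 31) * 2**32
    return {"JLE": s_l <= s_r, "JG": s_l > s_r,
            "JA": u_l > u_r, "JBE": u_l <= u_r,
            "JE": u_l == u_r, "JNE": u_l != u_r}[mnemonic]


def patch_image(data: bytes, unconditional: bool = False):
    """Find the second check by its byte pattern and patch the jump two bytes in
    (CMP ESI,EAX is 3B F0).  Refuses to patch unless the pattern is unique, which is
    the assumption the manual Hiew search makes silently.  Returns (bytes, offset)."""
    hits = find_all(data, ORIGINAL)
    if len(hits) != 1:
        raise ValueError(f"pattern must be unique, found {len(hits)} hits")
    jcc = hits[0] + 2
    if unconditional:
        return make_unconditional(data, jcc), hits[0]
    return retarget_jcc(data, jcc, "JA")[0], hits[0]


def patch_file(src: str, dst: str) -> int:
    """Read src, patch it, write dst (never overwrite the original); returns the offset."""
    with open(src, "rb") as f:
        patched, off = patch_image(f.read())
    with open(dst, "wb") as f:
        f.write(patched)
    return off


if __name__ == "__main__":
    # usage: python patch_newsferr.py Newsferr.exe Newsferr.patched.exe   (names assumed)
    print(f"patched JLE -> JA at file offset {patch_file(sys.argv[1], sys.argv[2]):#x}")
```

jcc_taken makes the caveat concrete: after CMP ESI,EAX a JLE is taken when ESI is less than or equal to EAX as signed numbers, a JA when ESI is greater as unsigned numbers, so the JA patch only works because the current date always compares as "expired". make_unconditional shows the alternative: for the six-byte near form a NOP followed by E9 rel32 keeps the same end address, so the original displacement does not need recalculating.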

Run Newsferr.exe and you will never see that message box again.

So here we have a program that should have been dead since 15 March 1997 running for eternity.


I would like to thank +Fravia, Sandman, CrackZ, Cruehead, Iczelion and all the others out there who help by providing the knowledge that makes this possible.


You should buy this program if you intend to use it longer than the evaluation period.
