TORN@DO's Cracking Tutorial for Guard Dog 1.1

TORN@DO's Cracking Tutorial for Guard Dog 1.1

Before we start, please read the Disclaimer section of this essay!

Date:	25/07/1998
Target Program:	Guard Dog
Protection:	Time Limit, NAG-Screen
Rating:	Easy
Solution:	Patch
Cracked by:	TORN@DO
Location:	http://www.cybermedia.com
Tools needed:	- SoftICE 3.2
	- W32DASM 8.9
	- Hex Editor (I like Hacker's View)
Level:	(x) Beginner ( ) Intermediate ( ) Expert

Notes:	I'm not sure if there's already a new trial out, but I think you can use the same method. Maybe the addresses were changed. I'm using Trial 1.1.0014.

At this time, every user of a computer should have an Antivirus-Program. Although this target isn't the best, I'd like to show those Newbees, that they can crack this target with ease. I recommen for all Cracker's to read the Cracker's Notes, because as I explained in the last tutorials the basics are therein. So before we begin, get the Notes and read them, so that you've got the basics ... then we start with

Step 1
Open GUARDDOG.EXE in W32DASM and look at the String Reference for interesting strings. I found the following interesting:

"GD32.EXE"
"GDTNB.DLL"
"VCheck32.EXE"
"VerifyTryAndBuy"

It can't be that easy, or? I've seen this "VerifyTryAndBuy"-function in UnInstaller 4.51 from the same company. Are they really so stupid to put such a function into their programs? In UnInstaller 4.51 they are stupid, but not too stupid, because they used the special character trick - but I used the INT 3 trick to crack the target :-). So as in UnInstaller 4.51 the VerifyTryAndBuy-function was in a file called UNITNB.DLL, so let's look at the exports of GDTNB.DLL. I found the following interesting:

VerifyTryAndBuy

So they are even more stupid than in UnInstaller 4.51, because they didn't use the special character trick here. So our work is easily be done. We just have to set a breakpoint to VerifyTryAndBuy. So we'll continue with

Step 2
Disassemble GDTNB.DLL and go to the VerifyTryAndBuy-function. You will get the following:

Exported fn(): VerifyTryAndBuy - Ord:0002h
:10001032	push ebp
:10001033	mov ebp, esp
:10001035	sub esp, 0000000C
:10001038	mov [ebp-04], 00000000
:1000103F	push 00000005
:10001041	push 40590000
:10001046	push 00000000
:10001048	push 403E0000
:1000104D	push 00000000
:1000104F	call 10001340	; nothing important therein
:10001054	mov dword ptr [ebp-08], eax
:10001057	mov eax, dword ptr [ebp-08]
:1000105A	mov dword ptr [ebp-0C], eax
:1000105D	cmp dword ptr [ebp-0C], 00000000	; is this the last free day?
:10001061	je 10001071	; if so, jump
:10001063	cmp dword ptr [ebp-0C], 00000000	; is this the last free day?
:10001067	jle 100010C5	; if it's after that, jump

So we can change that conditional jump at 10001061 to an unconditional one. Then the application will run forever. So let's do that. Change the 740E (je 10001071) to EB0E (jmp 10001071). Let's run Guard Dog. It says that there were 0 days left in our trial period and we can exit it and then crack this NAG in

Step 3
We know that this NAG doesn't look like a standard NAG, so we set a breakpoint to the function we know from the Cracker's Notes ... for this application it's DialogBoxParamA (BPX DialogBoxParamA). Run Guard Dog. You were kicked back to WinICE at the DialogBoxParamA-function. So press F11 to go back to the location, where this function was called. The NAG-Screen should appear now. Press OK and you were kicked back to WinICE. You see "GDTNB!VerifyTryAndBuy+005D" at the top of the code window. You get kicked back to WinICE just after the DialogBoxParamA-call - at 10001095:

:10001085	51	push ecx

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
	\|
:1000108F	FF15E4220110	Call dword ptr [100122E4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
\|:10001075(C)
\|

* Possible Reference to String Resource ID=00001: "This trial version will expire in %d day(s)."
	\|
:10001095	C745FC01000000	mov [ebp-04], 00000001
:1000109C	EB27	jmp 100010C5

So try to NOP out the DialogBoxParamA function. Use the INT 3 trick to go to the location ... I can't get WinICE to break before that call (without rebooting my PC). So just use this trick to save some time. So run your Hex-Editor and go to Offset 485h. Change the 51 (PUSH ECX) into CC (INT 3). Now enter WinICE (CTRL-D) and set a breakpoint to INT 3 (BPINT 3). I get kicked back to WinICE several times. To check if you're at the right location, look at the top of the code window. There you'll find "GDTNB!VerifyTryAndBuy+0050". When you are there, type "A" to assemble a new command, because we don't want to execute that INT 3 at all - we want to restore the old command. Now type "PUSH EAX" and press <ENTER> twice. Then press F10 to step over that PUSH ECX and then type "A" to assemble a new command, because we want to remove this silly NAG now. Type "NOP" and press <ENTER> 6 times, because we want to change FF15E4220110 into 909090909090. I change this to NOPs only when I'm testing if it works ... you can use instead of those 6 NOPs, 3 "INC EAX" and "DEC EAX" commands for example.. Press CTRL-D to leave WinICE. Do you see the NAG any longer? No cool, so let's get something saved. Open your HEX-Editor , remember to change that INT 3 at 485h into PUSH ECX and then replace that FF15E4220110 with 404840484048. Save the file and gernerate a patch for it.

Step 4
Send the "programmers" of Guard Dog the "C++ for Dummies" book, because they are so stupid ...

Disclaimer: This essay is for educational purposes only. Any use, mis-use or illegal activity is the sole responsibility of the reader! I take no responsibility of the usage of this information!

This tutorial was written by TORN@DO. I hope you enjoyed reading it as I enjoyed writing it - I'm always trying to improve my writing skills.

I'd like to greet the following people (no specific order):
+ORC, Fravia, nIabI, JosephCo, Razzia, MisterE, Krazy_N, Vizion, YOSHi, Qapla, Odin
everyone in #Cracking and in #Cracking4Newbies ... and everyone else I forgot.

Back to Students Essay's