************************************************************
Cracking
Vvalt
*****************************************************
This
document was extracted from T.U.G and
altered for AB4DS on the 31st/Aug/`99
T.U.G ThE Ultimate Guide to cracking for newbies by [yAtEs]
avalible for download at Http://TCRC.cjb.net within the next
2 weeks....i hope ;) news at Http://yates.cjb.net
*****************************************************
CRACKiNG NAGS
=============
Now we're ready to crack nags, first we need a techinque
to follow, so heres my quick 6 steps to cracking nags
1. Set Bpx Showwindow
2. When softice pops up press f12 if the start of our nag
window appears goto step 3, if not ctrl+d out of softice
and check on the next break
3. Keep pressing f12 until the nag window is fully drawn
and you are taken back to the program
4. click the ok button
5. when back in SI check the line above current for a call
if theres not a call there press f12 till there is
6. clear all breakpoints set breakpoint on this call by
double clicking it.
Ok to demostrate this download and install tut5.zip.
Once the program is installed we can find the nag by clicking
ok after entering a code, enter 123 and click ok, a big please
register window appears click ok then you get the access code
invalid
message, assuming that you've already set one before.
Lets remove the nag with the steps above, first enter a number
into the valt and press Crtl+D to call softice up set the
breakpoint
on showwindow with the command BPX SHOWWINDOW and exit Softice
now click the ok button and we are taken into softice press F12
and our window will begin to display, keep pressing F12 until we
are
taken out of softice to the program now click ok and once again
we are back at the code...
:0042412A EBF0 jmp 0042411C
:0042412C 33C0 xor eax, eax <---
:0042412E 5A pop edx
:0042412F 59 pop ecx
:00424130 59 pop ecx
now we are looking for a call above, this would be the call we
returned
from which executed the nag screen, so we see a jmp not a call
lets press f12 again to return us from this, now we see
:004241CB E969FFFFFF jmp 00424139
:004241D0 33C0 xor eax, eax <--
:004241D2 5A pop edx
:004241D3 59 pop ecx
Once again we haven't returned from the call doh..:) press F12
again
now we see
:004241EB EBF0 jmp 004241DD
:004241ED 8B45F8 mov eax, dword ptr [ebp-08] <--
:004241F0 5E pop esi
:004241F1 5B pop ebx
:004241F2 8BE5 mov esp, ebp
Now we still haven't returned from the call, once again press f12
and now we see
:0042FFA4 E8B33FFFFF call 00423F5C
:0042FFA9 B840014300 mov eax, 00430140 <--
:0042FFAE E8816BFDFF call 00406B34
:0042FFB3 84C0 test al, al
:0042FFB5 7511 jne 0042FFC8
:0042FFB7 A1641A4300 mov eax, dword ptr [00431A64]
:0042FFBC 8B00 mov eax, dword ptr [eax]
Yay =:D now we have returned from a call lets clear all
breakpoints
and set one on this call, type BC * this will clear all
breakpoints
, now with your mouse double click the Call 00423F5C, it will
become
highlighted.
So now what? well we have our suspect call ready for break so
once
again enter a number into the valt and click ok, now we are taken
into
softice and the nag hasn't been called up yet press F10 to
execute this
call, now we taken into the program and the nag has popped up,
press
ok and it will disappear and we are taken straight back into
softice
one line after the call, so this must be the call that we have to
remove,before we patch it lets try and skip the call in softice,
enter a number in the valt again and click ok now we are taken
into
softice at the line.
:0042FFA4 E8B33FFFFF call 00423F5C <-
:0042FFA9 B840014300 mov eax, 00430140
So how can we skip this line? well we are line 0042FFA4 ready to
execute
it, if you remember from my asm tutorial IP is the Instruction
pointer
this holds the next instruction to be executed, if you look to
the
top right of the softice screen you'll see EIP=0042FFA4 if we
click up there we can alter it to EIP=0042FFA9 now press enter
and exit
softice...=:D->-< yay the nag didn't display, so lets patch
this out.
To patch it we must find the bytes to patch, so again... enter a
number
in the vault and press ok, when the program breaks on the call
line
type CODE ON this enables the hex bytes, note down the bytes for
the
call and the next line
E8B33FFFFF
B840014300
now make a backup copy of your Vvalt.exe and rename it to cracked.exe
right click the file and select Hex Edit(presumming you have Hex
Edit with its shell extentsion installed) now goto the edit menu
and click
find, select the Hex radio but and type in E8B33FFFFFB840 and
click
find...once its found the string of bytes press F3 to check there
is
no more copies, if there were we would have the enter some more
bytes.
Now we have found the bytes in the hex ed change
E8B33FFFFF to 9090909090 and save, now when we run the cracked.exe
we find the nag is gone!! Weeeeee =:D->-<
WTF did i just do?
==================
To understand we must view the structure of a program
Vvault Code+<br>
Main Code<br>
1234: lalalal<br>
1235: lalal<br>
1236: Call Nag ---->--- 8765: lala<br>
1237: lalal <------ ---| 8766: lala<br>
| 8767: call sub routine --->-- 345: lala <br>
| 8768: lala <-| 346: Showwindow<br>
|-8769: ret | 376: lalla<br>
|--------------<-378: ret<br>