Purpose : After getting so much positive feedback on my essays on self
modifying code, I decided to write this tutorial. Although I won't be using
self modifying code, this will be an interesting crack.
Approach : This program is a demo. It has a 30 day time limit, a nag when
exiting the program, and it says "unregistered" all over the place. We will
be removing the time limit and the nag, and cosmetically enhancing the
program by hexing out the unregistered messages.
Tools : SoftICE, W32Dasm, Hiew, and eXeScope
First we should get familiar with our program. Just run it and see what happens. Everything starts fine, except for that "Trial Version" in the title bar. Now let's check the Help menu and see what we have. There is an Online Registration option, but we don't want to press it: it just opens your browser and tries to connect to the author's web site. We'll have to disable this option so it can't be pressed by accident during our "extended evaluation". Now select the About option. It looks all right, except that it says Unregistered Trial Version in its title bar. Now close the About window and exit the program. Ewwww, there's a nasty nag that pops up and makes you press an extra button to exit the program. This bug will most definitely have to be fixed.

Next, let's set the date on our computer a couple of months ahead and restart the program. Now a message box comes up saying our evaluation has expired. Hit the Register Later button and we get a bit of a delay while a progress bar moves across the message box. The program then loads as normal, except the title bar now says Evaluation period expired xxx days ago. Now we have an idea of everything that needs to be cracked and we are ready to get to work.
As far as I know, Egis of Core was the first person to crack this version
of this program; kudos go out to him. In the release nfo he mentions that
there is a registration form inside the exe, but he couldn't enable it.
As far as I can tell, it's similar to a normal registration routine: it
stores the reg info in a keyfile named cat.key. The fact of the matter
is, it cannot be re-enabled without a LOT of code adding, which in my opinion
is not necessary, because we can make the program function as if it's registered
using much simpler methods. But if someone does figure out a way to enable
this code, please let me know. Since we know that this part of the code
is never going to be used by the program, it is a perfect spot to add our
own code.
1) Killing the time limit
Let's get down to the nitty gritty and kill the time limit first. Open
the program up in W32Dasm. The .exe is 1.32 megs, so this is going to take a
little while; a good time for a smoke or restroom break. Once the file
is done disassembling, click the string references button. You only need
to scroll down a couple of lines until you come to this string:
* Possible StringData Ref from Code Obj ->" days ago)"
We know we are in the right area if we remember what the title
bar of the program looked like after the evaluation period expired. Scroll
up a little bit and we come across this string:
* Possible StringData Ref from Code Obj ->"SuperCat 4.0 (Trial Version)"
Ok, now we know the check is located between these two strings.
Let's scroll down and keep our eyes open for any conditional jumps between
these strings. We don't have to look very long before we see this line:
:004E5414 0F83B3000000
jnb 004E54CD
This is our jump. So let's load the program up in Hiew and patch this
to an unconditional jump. We do this by changing the opcodes from 0F83B3000000
to E9B4000000 (the displacement goes from B3 to B4 because it is measured from
the end of the instruction, and the jmp is one byte shorter than the jnb).
That shorter jmp leaves us with an extra byte; make it harmless by turning
it into a nop, 90. Exit out of Hiew and start the program back
up. YES, we have killed the time limit.
2) Killing the nag
Now we will focus our attention on killing that annoying nag when exiting
the program. Let's find out where the nag is initially created. We do this
by setting SoftICE to break on the API ShowWindow. Load the program
up and, before exiting it, Ctrl + D into SoftICE and type:
bpx showwindow
Ctrl + D out of SoftICE and proceed with exiting the program. Wham,
you're back in SoftICE. Press F11 to get back to our program's code and
we land at this piece of code:
:0044D3A6 E8D1A4FBFF
Call 0040787C <---- this calls the piece of code where the ShowWindow API is initialized
:0044D3AB E905010000
jmp 0044D4B5 <---- this is where we land after SoftICE breaks
While we're here, we should also make a note of the value of the register
EBX, which is 4E2A78. In my last essay Crackz made a special comment as
to why I chose to use the value of EBX. The truth is, there is no special
reason. I just chose EBX because its value is different each
time ShowWindow is called. So by knowing the value of EBX, I
know exactly why the program is calling ShowWindow, and I also know when
to manipulate this API.
In the introduction, I talked about a disabled part of the program's
code that handles registration details. We are going to need to add a bit
of code to kill this nag, and this is the perfect location to do so, since
you don't have to worry about the program trying to use this section of
code. To find this section of code, look in the string references window
of W32Dasm. Scroll down and find a string that says Registered. Double
click it to go to its location. Once there, scroll up a bit, just to make
it easier for us when adding our code. I chose to add my code at 4D97B2,
but it doesn't really matter; you can add your code pretty much anywhere
within this general vicinity. Since we don't want ShowWindow to be called
yet, let's change the call at 44D3A6 to a jmp to 4D97B2 (where we'll be
adding our code). We do this by changing the opcodes from E8D1A4FBFF to
E907C40800.
Ok, now the program will jump to our part of the code. Once we're in
our part of the code, we need to make sure that it is being accessed during
the creation of the nag screen. We do that right off the bat by adding:
cmp ebx, 4E2A78
The opcodes for this line are: 81FB782A4E00
Now if this is just a normal part of the program's routine and not the moment
the nag is created, the zero flag will not be set. But if it is when the
nag is created, the zero flag will be set. So now we know how to set up
a conditional jump. But what do we do after that? We will put a jz right after
that cmp, but we will add it in a few. We know that the jz will not be a far
jump, so we only need to leave 2 bytes for it; set these next two bytes
aside by adding two nops. Right underneath the jz we place a call to
ShowWindow, so we don't mess up the program's regular routine. We do this
by adding a call to 40787C. The opcodes for this line are: E8BDE0F2FF.
After that call returns, we want the program to jump back to its normal
code routine, which we accomplish by adding a jmp 44D4B5. The opcodes
for this jump are: E9F13CF7FF.

Are we done yet? Of course the answer is no. What should we add below this
jmp? We know that we want the program to exit if ebx = 4E2A78. If you
are familiar with your APIs, you'll know about ExitProcess. Let's open up
the imports window of W32Dasm and look for ExitProcess. When we find it,
double click it to go to where that API is being initialized, which
is at the address 4012B4. We want to place a call to this location following
the final jmp we just added. We do this by adding the opcodes E8EB7AF2FF.
Ok, now we are *almost* done. We just need the jz I described above to
jump to this call if ebx = 4E2A78. We take the two nops that we had previously
prepared and replace their opcodes with 740A. Now we can exit out of Hiew and try
running the program. The program loads all right and functions correctly.
So let's try exiting it. YES, no more nag. The nag is officially dead, may
it RIP.
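As an added example (not part of Kathras's essay and not code from any of the tools it uses), here is a small Python decoder for the handful of x86 instruction forms that parts 1 and 2 deal with: call/jmp rel32, jcc rel8 and rel32, cmp ebx,imm32 and nop. It resolves each branch target the way the CPU does, next-instruction address plus signed displacement, so you can check the arithmetic behind every opcode string quoted above: why the jnb-to-jmp change also moves the displacement from B3 to B4 and leaves one byte to nop out, that E907C40800 at 44D3A6 really lands on 4D97B2, and that the 740A jz lands exactly on the ExitProcess thunk call. Resolving redirected calls and jumps like this is also the first thing an analyst does when diffing a suspect executable against a known-good copy, to see where a changed branch actually goes. The addresses and byte strings are copied from the essay; the function and variable names are my own.

```python
import struct

# Condition names indexed by the low nibble of a Jcc opcode (0x7x short form,
# 0x0F 0x8x near form). The Intel manual lists aliases (jnb = jae = jnc);
# the spelling here matches what W32Dasm printed in the essay.
COND = ["jo", "jno", "jb", "jnb", "jz", "jnz", "jbe", "ja",
        "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_insn(addr, code):
    """Decode one instruction at virtual address `addr` from `code`.

    Only the subset used in the essay is handled: nop, cmp ebx,imm32 and the
    IP-relative branches. Returns (text, length, target); target is None for
    non-branches. A branch target is computed the way the CPU computes it:
    address of the *next* instruction plus the signed displacement, wrapped
    to 32 bits.
    """
    op = code[0]
    if op == 0x90:
        return "nop", 1, None
    if op == 0x81 and code[1] == 0xFB:                 # cmp ebx, imm32
        imm = struct.unpack_from("<I", code, 2)[0]
        return "cmp ebx, %08X" % imm, 6, None
    if op in (0xE8, 0xE9):                             # call / jmp rel32
        mnem = "call" if op == 0xE8 else "jmp"
        length, disp = 5, struct.unpack_from("<i", code, 1)[0]
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:       # jcc rel32
        mnem = COND[code[1] & 0x0F]
        length, disp = 6, struct.unpack_from("<i", code, 2)[0]
    elif 0x70 <= op <= 0x7F:                           # jcc rel8
        mnem = COND[op & 0x0F]
        length, disp = 2, struct.unpack_from("<b", code, 1)[0]
    else:
        raise ValueError("opcode %02X at %08X is outside the supported subset"
                         % (op, addr))
    target = (addr + length + disp) & 0xFFFFFFFF
    return "%s %08X" % (mnem, target), length, target


def walk(base, hexbytes):
    """Decode a contiguous run of bytes starting at `base`.

    Returns a list of (addr, text, target) tuples, one per instruction.
    """
    code = bytes.fromhex(hexbytes)
    out, off = [], 0
    while off < len(code):
        text, length, target = decode_insn(base + off, code[off:])
        out.append((base + off, text, target))
        off += length
    return out


def targets(base, hexbytes):
    """Only the resolved branch targets of a run, in order (non-branches skipped)."""
    return [t for _, _, t in walk(base, hexbytes) if t is not None]


# Byte strings quoted in the essay, paired with the address they sit at.
# "before" is what W32Dasm showed, "after" is what was written with Hiew.
TIME_LIMIT = {"before": (0x4E5414, "0F83B3000000"),
              "after":  (0x4E5414, "E9B4000000" + "90")}
NAG_CALL = {"before": (0x44D3A6, "E8D1A4FBFF"),
            "after":  (0x44D3A6, "E907C40800")}
# The block written into the unused registration code, in the final order the
# essay arrives at: cmp, jz, call ShowWindow thunk, jmp back, call ExitProcess thunk.
ADDED_BLOCK = (0x4D97B2, "81FB782A4E00" "740A" "E8BDE0F2FF" "E9F13CF7FF" "E8EB7AF2FF")

if __name__ == "__main__":
    for label, run in (("time limit before", TIME_LIMIT["before"]),
                       ("time limit after", TIME_LIMIT["after"]),
                       ("nag call before", NAG_CALL["before"]),
                       ("nag call after", NAG_CALL["after"]),
                       ("added block", ADDED_BLOCK)):
        print(label)
        for addr, text, _ in walk(*run):
            print("  %08X  %s" % (addr, text))
```

Running it prints each run as an address/instruction listing; the decoded targets agree with every address the essay names, which is a cheap way to catch a displacement arithmetic slip before it costs you a crashed binary, or to confirm what a patched branch does in a binary you are auditing.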
3) Cosmetic enhancements
Although this last step isn't necessary, I'm going to show you how to do it anyway. The first thing we will do is remove the trial version notice from the title bar of the main program. We do this by opening the program in Hiew and switching to hex mode. We do an ASCII search for the word "Trial" by pressing F7 and typing in Trial. The first match is not what we're looking for, so press the down arrow key and press F7 again. This match is the title bar of the About window. The caption of the title bar is SuperCat (Unregistered Trial Version). To get rid of the (Unregistered Trial Version) we only need to change one byte: the space between the t of SuperCat and the "(" has a hex value of 20. Simply change this 20 to 00. The caption is handed to Windows as a NUL-terminated string, so everything after that 00 is never displayed.

That takes care of the title bar of the About window, but how about the title bar of the main window? Just search for the word "Trial" again with F7, and the next match you find is the one we're looking for. The caption for this title bar is SuperCat v4.0 (Trial Version). To remove the (Trial Version), we do the same thing we did for the About window's title bar: replace the space's hex value of 20 with 00. Now exit out of Hiew and run the program. YES, we successfully removed all those Trial reminders.
The last cosmetic step is to disable the menu item "Online Registration".
We do this with an unbelievably useful program called eXeScope. Open the
program up in eXeScope and go to Resource\RCData\TMainForm. Once the right
frame is displaying the data for TMainForm, go to Search and do a search
for Online Registration. You'll land on this line:
Caption = 'Online Registration'
Right below that line you'll see the following line:
OnClick = MenuItem_OnlineRegistrationClick
We will replace this line with the following line:
Enabled = False
Now select SaveUpdate, exit eXeScope and restart SuperCat. Yes, Online
Registration is now grayed out and completely disabled, so we won't have
to worry about accidentally selecting it. SuperCat is now fully cracked
and ready to be fully evaluated.
Greets (so many friends, please don't get mad if I left you out) :-)
AB4DS, Torn@do, Kwai_Lo, Killer_3k, Crackz, N0-B0dy, Azir, Darkie, Data_, Bud-, Thesmurf, Muad`Dib, ManKind, Crudd, and all the guys in #cracking4newbies
Essay by Kathras. 02/13/00.