Win32 Code Reversing
Program Name: WhereOnTheWeb v1.00
Program Type: Web Utility
Program Location: [ here ]
Program Size: 610,816 Bytes

Tools used:
W32Dasm - Win'95/98 Disassembler
SoftICE v4.x - Debugger
Hex Editor - Any
"If There Is A Crack There Is A Cracker, And If There Is A Cracker There Is A Crack"

Cracking A Win32 Web Utility
Written by Bengaly
WhereOnTheWeb searches WHOIS databases for domains and partial domains.

About this protection

This program is registered by selecting the 'Help' button, then the 'About' button and finally the 'Use Registration Key' button. The registration dialog asks for:

First Name:
Last Name:
Registration Key:

Registry key:
HKEY_CURRENT_USER\Software\Dean Software\WhereOnTheWeb\Config\
Hello and welcome to my 26th tutorial. This essay is not hard, and talks mostly about patching.

Run the program several times and take notes on how it works; write down useful text that you will be able to use as 'weak points' on our target. Mostly, enter an invalid registration key / name, take note of the message that appears and write it down.

As usual we first make a 'Dead Listing' of our target in W32Dasm. This will give us visual code that we can work on. So, let us search for this string in the 'String References': "Registration Key Failed!"
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046B3D9 (C)

:0046B654 6A30                    push 00000030
:0046B656 E8B5B7F9FF              Call user32.MessageBeep
:0046B65B B86CB84600              mov eax, 0046B86C ; "Registration Key Failed!"
:0046B660 E87F80FEFF              call 004536ED
When the user enters an invalid registration key / name, he will probably end up in the code you see above. Having located this place we can 'back-trace' to the location where the compare was made, and there we can manipulate the code for our own good.

So let us see which (U)nconditional or (C)onditional jump brought us here. W32Dasm tells us that this jump is at address 0046B3D9. Do a search in W32Dasm ("Search->Find Next") for the address offset 46B3D9, searching in direction UP through the code (most of the time the jump we are searching for is UP). The code we land on is this:
:0046B3D4 E8238BF9FF              call 00403EFC      ; Check your serial number
                                                     ; against the one the
                                                     ; program expects you to
                                                     ; have typed in the reg field
:0046B3D9 0F856F020000            jne 0046B64E       ; If serial numbers are
                                                     ; NOT equal, then jump to
                                                     ; the "beggar off" cracker
                                                     ; routine ("invalid serial number")
:0046B3DF 8D45D4                  lea eax, dword ptr [ebp-2c]
Now, if you enter the call using SoftICE and type 'D EAX', you will see a serial in the data window, but if you try to enter it in the registration field you will find that it is wrong. The program actually produces a 'dummy serial', which is supposed to confuse crackers or anyone who tries to get it through the ASCII serial. So the only thing left to do is to explore the routine itself to come to a conclusion about the right serial number.
Anyway, back to where we were... We know that we have a call and a jne, so we have several ideas for patching this place:

1. We can try to Nop the jne
2. We can change the jne to a near jump
3. We can change the jne to je (unconditional jump)
I tried the first option, Nopping it; it didn't work, maybe because the program looks for this kind of instruction at that address and just kills it, bringing up a message box that says "Access violation at: xxxx etc...". Option 2 won't work either, for the same reason, so we can narrow our options down; this will work 99% of the time on any program that uses the same protection.

Here we go:

Method 3:
At address 0046B3D9 we have a jne instruction; all we need to do is change it to an unconditional jump, je.

SEARCH FOR THE FOLLOWING BYTES: FF0F856F020000
THEN REPLACE THE HIGHLIGHTED BYTE (85 -> 84): FF0F846F020000

The result will be like this:
:0046B3D4 E8238BF9FF              call 00403EFC
:0046B3D9 0F846F020000            je 0046B64E
:0046B3DF 8D45D4                  lea eax, dword ptr [ebp-2c]
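To see how the bytes in these listings map to the addresses W32Dasm prints (the target of an E8 call or 0F 8x Jcc is the next instruction's address plus the signed rel32, and the low nibble of the second opcode byte is the condition code), here is an added Python decoder; it is not part of the original essay. It also diffs a decoded listing against a second copy, which is how a reviewer comparing a pristine binary with a modified one would spot a single-byte change such as jne becoming je. The addresses and bytes are taken from the listings above; the function names are mine.

```python
import struct

# Condition-code nibble shared by short Jcc (7x) and near Jcc (0F 8x) opcodes.
CC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
      "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_branch(addr, code):
    """Decode a single E8 (call rel32) or 0F 8x (Jcc rel32) instruction.

    addr is the instruction's virtual address, code its raw bytes.  The
    target is the address of the *next* instruction plus the signed rel32,
    which is why "E8 23 8B F9 FF" at 0046B3D4 lands on 00403EFC.
    Returns (mnemonic, target, length).
    """
    if len(code) >= 5 and code[0] == 0xE8:
        rel = struct.unpack_from("<i", code, 1)[0]
        return "call", (addr + 5 + rel) & 0xFFFFFFFF, 5
    if len(code) >= 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        rel = struct.unpack_from("<i", code, 2)[0]
        return CC[code[1] & 0x0F], (addr + 6 + rel) & 0xFFFFFFFF, 6
    raise ValueError("unsupported opcode at %08X: %s" % (addr, code.hex()))


def decode_listing(listing):
    """listing: iterable of (addr, hex_bytes) as W32Dasm prints them.
    Returns {addr: (mnemonic, target)} for every branch instruction."""
    out = {}
    for addr, hexbytes in listing:
        mnem, target, _ = decode_branch(addr, bytes.fromhex(hexbytes))
        out[addr] = (mnem, target)
    return out


def diff_listings(original, patched):
    """Compare two decoded listings of the same addresses and return
    [(addr, old_mnemonic, new_mnemonic)] for instructions whose condition
    changed while the target stayed the same, i.e. a one-byte Jcc flip."""
    changes = []
    for addr, (old_mnem, old_tgt) in original.items():
        new_mnem, new_tgt = patched.get(addr, (None, None))
        if new_mnem != old_mnem and new_tgt == old_tgt:
            changes.append((addr, old_mnem, new_mnem))
    return changes


# Constructed from the two listings in the essay (before and after the patch).
ORIGINAL = [(0x0046B3D4, "E8238BF9FF"), (0x0046B3D9, "0F856F020000")]
PATCHED = [(0x0046B3D4, "E8238BF9FF"), (0x0046B3D9, "0F846F020000")]

if __name__ == "__main__":
    for addr, (mnem, target) in decode_listing(ORIGINAL).items():
        print("%08X  %-4s %08X" % (addr, mnem, target))
    print(diff_listings(decode_listing(ORIGINAL), decode_listing(PATCHED)))
```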
There isn't much to say, since it's a very easy program to patch.

Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
If you're looking for cracks or serial numbers then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks and etc.
+SandMan...
I would like to say thank you to all who have supported me and helped me through my cracking days:

For his great essays and skills
For his awesome tutorials
For helping me in cracking & hosting
For helping me in W32Asm
For being a good friend

Have Fun :D

Essay by:
Bengaly