July 2001
"WhereOnTheWeb v1.00"
Win32 Program
Win32 Code Reversing
 
by Bengaly
 
 
Code Reversing For Beginners 
Program Details
Program Name: WhereOnTheWeb v1.00
Program Type: Web Utility
Program Location: [ here ]
Program Size: 610,816 Bytes

 

Tools Required:
W32Dasm  - Win'95/98 Disassembler
Softice V4.X -  Debugger
Hex Editor - Any
Level
Easy ( X )  Medium (   )  Hard (   )  Pro (   )
"If There Is A Crack There Is A Cracker, And If There Is A Cracker There Is A crack"


 Cracking A Win32 Web Utility
Written by Bengaly


Introduction

WhereOnTheWeb searches WHOIS databases for domains and partial domains.

About this protection

This program is registered by selecting the 'Help' button, then the 'About' button and finally the 'Use
Registration Key' button.

First Name:
Last Name:
Registration Key:

HKEY_CURRENT_USER\Software\Dean Software\WhereOnTheWeb\Config\
 
The Essay

Hello and welcome to my 26th tutorial.
This essay is not hard, and talks mostly about patching.

Run the program several times and take notes on how it works; write down any useful text that
you will be able to use as 'weak points' on our target. Mostly, enter an invalid registration key / name
and take notes on the messages that appear.
As usual we first make a 'Dead Listing' of our target in W32Dasm.
This will give us a visual code listing that we can work on.

So, let us search for this string in the 'String References': Registration Key Failed!
 

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 0046B3D9 (C)
|
:0046B654 6A30                 push 00000030
:0046B656 E8B5B7F9FF           Call user32.MessageBeep
:0046B65B B86CB84600           mov eax, 0046B86C   ; "Registration Key Failed!"
:0046B660 E87F80FEFF           call 004536ED

When the user enters an invalid registration key/name, he will probably end up
in the code you see above.
Having located this place, we can 'back-trace' to the location where the compare was made
and manipulate the code for our own good.
So let us see which (U)nconditional or (C)onditional Jump brought us here.
W32Dasm tells us that this jump is at address 0046B3D9.
Do a search in W32Dasm ("Search->Find Next") for the address offset 46B3D9.
Search in the UP direction of the code (most of the time the jump we search for is UP).
The code we will land on is this:

:0046B3D4  E8238BF9FF     call 00403EFC        ; Check your serial number against the one
                                               ; the program expects you to have typed
                                               ; in the reg field

:0046B3D9  0F856F020000   jne 0046B64E         ; If serial numbers are NOT equal, then jump
                                               ; to the "beggar off" cracker routine
                                               ; ("invalid serial number")

:0046B3DF  8D45D4         lea eax, dword ptr [ebp-2c]

Now, if you enter the call using SoftIce and type 'D EAX', you will see a serial
in the data window, but if you try to enter it in the registration field, you will find that
it is wrong. The program actually produces a 'dummy serial' which is supposed to confuse
crackers or anyone who tries to get it through an ASCII serial.
So the only thing left to do is to explore the routine itself to come to a conclusion about the right
serial number.
Anyway, back to where we were...
We know that we have a Call & Jne, so we have several ideas to patch this place:

1. We can try to Nop the Jne
2. Changing the Jne to a near Jump
3. We can change the Jne to Je (UnConditional jump)

I tried the first option, Nop; it didn't work, maybe because the
program looks for this kind of instruction at that address and just kills it and
brings us a message box that says "Access violation at: xxxx etc...".
Option 2 also won't work, for the same reason above, so we can strike options 1 and 2
from our list; this will 99% work on any program that uses the same protection.
Here we go:

Method 3:

At address 0046B3D9 we have a Jne instruction; all we need to
do is to change it to an UnConditional Jump - Je.

SEARCH FOR THE FOLLOWING BYTES:  FF0F856F020000
THEN REPLACE WITH THESE BYTES (only the 85 changes to 84):  FF0F846F020000

The result will be like this:

:0046B3D4  E8238BF9FF     call 00403EFC
:0046B3D9  0F846F020000   je 0046B64E
:0046B3DF  8D45D4         lea eax, dword ptr [ebp-2c]
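As an added example (not from the essay and not code from WhereOnTheWeb itself), the Python below decodes the bytes of the listing above, showing why 0F 85 6F 02 00 00 at 0046B3D9 lands on 0046B64E and why a single byte separates jne from je, and it shows the kind of code-region digest check a protected program can run on itself, which would notice that one-byte change. The digest self-check is an assumed, generic mechanism used for illustration, not the program's actual check, and the sample bytes are constructed from the essay's listing.

```python
import hashlib
import hmac
import struct

# Constructed from the essay's listing: the three instructions at 0046B3D4
# (call 00403EFC / jne 0046B64E / lea eax,[ebp-2c]) before and after the
# one-byte patch the essay describes (0F 85 -> 0F 84).
BASE = 0x0046B3D4
ORIGINAL = bytes.fromhex("E8238BF9FF" "0F856F020000" "8D45D4")
PATCHED = bytes.fromhex("E8238BF9FF" "0F846F020000" "8D45D4")

# Second opcode byte of the two-byte "0F 8x rel32" near conditional jumps.
JCC_NEAR = {0x84: "je", 0x85: "jne", 0x8C: "jl", 0x8D: "jge", 0x8E: "jle", 0x8F: "jg"}

def decode_jcc_near(code, offset, base):
    """Decode a 0F 8x rel32 Jcc at code[offset]; return (mnemonic, absolute target).

    The displacement is relative to the *next* instruction (offset + 6 bytes),
    which is why 0046B3D9 + 6 + 0x26F gives 0046B64E.
    """
    if code[offset] != 0x0F or code[offset + 1] not in JCC_NEAR:
        raise ValueError("not a near Jcc at offset %d" % offset)
    rel32 = struct.unpack_from("<i", code, offset + 2)[0]
    return JCC_NEAR[code[offset + 1]], base + offset + 6 + rel32

def decode_call_rel32(code, offset, base):
    """Decode an E8 rel32 near call at code[offset]; return its absolute target."""
    if code[offset] != 0xE8:
        raise ValueError("not an E8 call at offset %d" % offset)
    rel32 = struct.unpack_from("<i", code, offset + 1)[0]
    return base + offset + 5 + rel32

def code_digest(code):
    """SHA-256 of a code region: the value a self-check would store at build time."""
    return hashlib.sha256(code).hexdigest()

def integrity_ok(code, expected_digest):
    """Constant-time comparison of the region's digest against the stored one."""
    return hmac.compare_digest(code_digest(code), expected_digest)

def differing_offsets(original, patched):
    """Offsets at which two same-length code regions differ (here exactly one: the 85/84 byte)."""
    return [i for i, (a, b) in enumerate(zip(original, patched)) if a != b]

if __name__ == "__main__":
    print("call ->", hex(decode_call_rel32(ORIGINAL, 0, BASE)))
    print("original:", decode_jcc_near(ORIGINAL, 5, BASE))
    print("patched: ", decode_jcc_near(PATCHED, 5, BASE))
    print("patched region passes self-check:", integrity_ok(PATCHED, code_digest(ORIGINAL)))
```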
 
 
 
Final Notes

There isn't much to say, since it's a very easy program to patch.
 
Oh And..

Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.

If you're looking for cracks or serial numbers then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks and etc.

+SandMan...
 
Greetings

I would like to say thank you to all who have supported me, and helped me through my cracking days:
 
 
 +OR
For his Great Essays And Skills
+SandMan
For his awesome Tutorials
CoDe_InSiDe
For Helping Me in Cracking & Hosting
fusS
For Helping Me in W32Asm
BLAcKgH0sT
For Being A Good Friend



All my current tutorials can be found on this Url: Here

Have Fun :D

Essay by:     Bengaly