Make your own free website on Tripod.com
 
July 2001
"SolidView Lite v3.55"
Win32 Program
Win32 Code Reversing
 
by Bengaly
 
 
Code Reversing For Beginners 
Program Details
Program Name:SolidView Lite 3.55
Program Type: 3D Utility
Program Location: [ here ]
Program Size: 3.44mb

 

Tools Required:
W32Dasm  - Win'95/98 Dissasembler
Softice V4.X -  De-Bugger 
Hex-Edior - Any 
Level
Easy ( X )  Medium (   )  Hard (   )  Pro (   )
"One who shell live only to crack, will finaly be cracked by his own weaknesses"


 Cracking A Win32 Web Utility
('Patching The Hell Out Of It')

Written by Bengaly


Introduction

SolidView allows interactive 3D Shaded or wire frame viewing of Solid Model files (in STL and  other supported formats) from any angle or direction.
SolidView/Lite  is the FREE player used to distribute 3D Communications to anyone.
Extensive  measurement capabilities  including  volume, surface area and overall dimensions  as  well as user directed  linear ,  radial  and  angular  measurements are provided.
In addition, SolidView provides the ability to section and  look inside an object .
                                                                 About this protection

This program is registered by selecting the 'Help' button, then the 'Register' button.
You fill only 9 digits of key.
:
Registration Key:
 
The Essay

Hello and welcome to my 27'th Tutorial.
This essay is not hard, and talks about Patching mostly (yes again) ;=)

Run the program, several times and take notes on how it's working, write useful text that
You will be able to use as a 'weak points' on our target, mostly enter invalid registration key
And take notes on the message that appear and write it down.
As usual we first make a 'Dead Listing' of our target in W32Dasm , this could take some time,
So grab some Drink i prefer Petel ;=) but any one should do the work.
after disassembly we will have a visual code that we can work on.

So let us search for this string in the 'String References: ' Incorrect Key .'
There are allot of text to look for, so goto value 'I' and look at the bad message here:

"inch"
"inches"
"incomplete dynamic bit lengths "
"incomplete literal/length tree"
"incorrect data check"
"incorrect header check"
"Incorrect Key."
"index.htm"
"-INF"

Ok so we found it, double click on it and W32Dasm will take us to here:

*Referenced By a (U)ncontidional or (C)onditional Jump at  Address: 0062B3CE
............................Snip.................

*Posible StringData Ref From Data Obj -> "Error"
                                                            |
:0062B3ED   68D6387100             push 007138D6

*Posible StringData Ref From Data Obj -> "Incorrect Key"
                                                            |
:0062B3F2   68D6387100             push 007138C7
:0062B3F7   50                                push eax

....................Snip.............

Not so hard...we find the ' Beggar Off ' routine, now in order to know which caller has
Brought us here we need to look at the un/contdional jump references..
It tell us there is 1 caller to this routine and it's being done at address: 0062B3CE
Now this tut is not just "read that, do that, patch this" this is not how u learn cracking,
In order to crack anything from easy->hard apps you need alittle 'zen' and ofcourse
Cracking knowledge and some ASM.
So this tut is not like a book it's like a way of thinking..
Ok..let us think a little about this Protection and how do we go throw it!

                                            The main System Our App work:

1.the app is telling us that we need to enter 9 digit numbers..
2.the program takes our fake 9 digit serial and do some checking with it those are:
a: checking the length of the serial, Must be 9 digits.
b: the serial must be 'valid'
c: check our fake serial with Valid serial that produced by the program
3.if the compare was bad program will bring us 'Bad MessageBoxA', else we register the prog

Got the general Idea??
Since our app here don't produce an serial from name (or at least i think it doesn't)
So if u wish to do some 'Serial Fishing' then Use softice with "Bpx GetWindowTextA" much easier.
To break and start tracing the code!
Else we do Parching :=)

Method : Patching

Weak Points:

Weak points we can find from the main system our beloved app use is:
1. attacking from the backdoor (using beggar_off_cracking) message box and reverse it
2. changing flag (if there is any).

* Flag is a way the program think if it's registered / unregistered, it reads the flag (0 = bad / 1=good)
*That's in the register (mostly Eax) and decide from the algo if it's 0/1 mostly by CMP instruction.
*So a fake serial will produce flag = 0 (EAX = FFFFFFFF), else it's registered (EAX = 00000001)

In order to find which 'Weak Points' we will enter to the referenced jump : 0062B3CE
W32Dasm will take us here:

....................Snip.............

:0062B3CC   85C0      Test  eax, eax
:0062B3CE   7514       JNE 0062B3E4     ; You will land here!
:0062B3D0   6A00       Push 00000000
:0062B3D2   6A00       Push 00000000
:0062B3D4   6A00       Push 00000000

..............Snip.........................

Ok now it's time you look at the "Weak Points" i mentioned earlier..
What you think will be the solution here??
Guess you right (or wrong), the weak point is method 1 the "BackDoor"

Now on this position it is very clear to us what we are going to do!
It seems that the JNE instruction is triggered if the fake serial is not matched to the real one
And every time it does not match it triggers and jump to the bad message box.
So we can reverse the instruction that no metter what / which fake serial you will be enter
The program always jump to the Good_Guy routine (Registered)!
Now be with cursor on the JNE instruction and look down at the buttom of W32Dasm,
You will see this:

"line: 931176 pg 10122 of 13284n code data @:0062B3CC @Offset 0021B9CCh in file xxx.exe"

We need only the marked in blue Hex offset!
So open up an Hex Editor (Hview here), and look for those Hex offset address, You will find your
Self in the same place as we saw in the Dissasembler.
Now just edit the JNE instruction to JE instruction.
I'll show you which bytes to search later.
Now our program except the register key just fine...no problem

Job Done so far.

                                                                        Method : Hex Edit

But still when you do 'About' u will see "UnRegistered"...that's not good..
Cuz the program think it's registered but the when loading it from the registry file, it's still
A shareware program and prints "UnRegister"...
Easy to be fooled as well...not so hard here we go..
The "Unregistered" that it's prints is just a single Bytes (hex) that are implanted in the exe un less u register It and it change it to "Register"

Load up Win Hex (much better when it's visual)...do text search for "unregistered"
Now just Change it to "Registered"
A few Null (" ") just to kick "Un" ;D
Save File...
ReLoad the program...Cracked

Job Done!
 
 
Patches

First Patch Registration Key Code:

Search for those bytes: 85C07514
And replace them with: 85C07414

Second Patch : 'UnRegistered - > Registered'

Search for those bytes:   556E72656769737465726564
And replace them with:   000052656769737465726564

Not so hard..you will get it after allot of Practice!!!
 
 
Oh And..

Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.

If your looking for cracks or serial numbers then your wasting your time, try searching elsewhere on the Web under Warez, Cracks and etc.

+SandMan...
 
Greetings

I would like to say thank you to all who has supported me, and helped me through my cracking days:
 
 
 +OR
For his Great Essays And Skills
+SandMan
For his awesome Tutorials
CoDe_InSiDe
For Help Me in Cracking & Hosting
FusS
For Help Me in W32Asm
BLAcKgH0sT
For Being A Good Friend