There is a crack, a crack in everything. That's how the light gets in.
Protocols: FTP, HTTP/1.0 Basic Authentication
Maximum Speed: Approx 200 attempts per minute over a 28,800 modem
Maximum Attempts: 2,147,483,646 per session (4096 for Entry LE)
Maximum Word Length: 8 for generated words, 28 for list-supplied words"
Once you have this program up and running, get to know how it works: try all the options available to you and pay particular attention to those that have been disabled. Make notes on any default values associated with any menu options. For example, in the File then Properties 'Session Properties screen' you'll see that the program has already set the maximum number of 'tries' to 4096.

Now run up W32Dasm and create a 'Dead Listing' of this babe; let's see what makes it tick, shall we.. But wait a minute, we need to work out what we're going to look for and what we want to make the program do.. In my case I wanted to re-enable the 'OK' button in the 'Session Properties screen' and then have the 'About' screen show my Handle as the owner of this program instead of the default message 'Unlicensed Copy'.

There are many approaches we can take to track down the elusive section of code that will re-enable the 'Ok' button in the 'Session Properties screen', such as searching for references to EnableMenuItem, of which there is just one occurrence in the listing. I on the other hand chose to try and back-track through the program's code from the point where the program displays the text message:-

"Some options are disabled in Entry LE."

A quick search in W32Dasm finds this section of code:-
:00406FE0 56                    push esi
:00406FE1 57                    push edi
:00406FE2 8DB14C010000          lea esi, dword ptr [ecx+0000014C]
:00406FE8 8BF9                  mov edi, ecx
:00406FEA E81A130100            call 00418309
:00406FEF 6A00                  push 00000000
:00406FF1 8D4F5C                lea ecx, dword ptr [edi+5C]
:00406FF4 E8834C0100            call 0041BC7C
:00406FF9 6850314300            push 00433150 ;Push value 4096 - this is our default 4096 'tries' per session value
:00406FFE 8BCE                  mov ecx, esi
:00407000 E8724B0100            call 0041BB77
:00407005 6A01                  push 00000001
:00407007 8BCE                  mov ecx, esi
:00407009 C7874802000001000000  mov dword ptr [edi+00000248], 00000001
:00407013 E8644C0100            call 0041BC7C
:00407018 684E040000            push 0000044E
:0040701D 8BCF                  mov ecx, edi
:0040701F E8464A0100            call 0041BA6A

* StringData Ref from Data Obj ->"Some options are disabled in Entry LE."

:00407024 6828314300            push 00433128
:00407029 8B401C                mov eax, dword ptr [eax+1C]
:0040702C 6A00                  push 00000000
:0040702E 6A0C                  push 0000000C
:00407030 50                    push eax
:00407031 FF15E4AA4300          Call USER32.SendMessageA
:00407037 6A00                  push 00000000
:00407039 8BCF                  mov ecx, edi
:0040703B E8FB3A0100            call 0041AB3B
:00407040 5F                    pop edi
:00407041 5E                    pop esi
:00407042 C20800                ret 0008
The reason I chose to search for the text message "Some options are disabled in Entry LE" is that I know it is used only in the 'Session Properties screen', so it's highly likely that I will find some clues to how this screen works wherever this text message is to be found. What I will be looking for are any JN or JNZ instructions that come BEFORE the program displays this message; perhaps there are other routines that I can make the program jump to instead of the one that disables the 'Settings' screen?
W32Dasm doesn't show us any references to this routine, so we can't rely on our Dead Listing to show us where this routine gets called from. What this means is that somewhere within this program is an instruction that will look something like call [ebx+number] or call [eax], or something very similar along these lines. Take note of this weakness in W32Dasm: it cannot resolve the target of a call written in this register-indirect format.
All is not lost: at the bottom of the above routine is a nice ret 0008 instruction which, if we follow it using Softice, will bring us exactly to where this routine was originally called from, so let's find out, shall we..
Right, before starting up Entry Le press Ctrl-D to fire up Softice and type: bpx getwindowtexta which tells Softice we wish to have it break on any calls to the system function GetWindowTextA. Now type X to exit Softice.
Now run Entry Le and it will almost straight away break on a getwindowtexta call made by the program. At this point press the 'F11' key once.
We're now in Entry Le's program code. It doesn't matter where we are just so long as we are in the program's code. OK, now we want to clear away the breakpoint getwindowtexta because we no longer need it. So now type: bc *
Right, now type: u 0040703B which will display the last few instructions of the routine shown above. Now type: bpx 0040703B which now sets a new Softice breakpoint.
OK, re-run Entry Le and try and access the 'Session Properties screen'...
Wham, Softice breaks on our one and only breakpoint at: :0040703B.
Now from here press the 'F10' key FOUR TIMES..
We should now have RETurned from our original routine, the one that we saw 'sets' the default number of tries the program is able to make to 4096, and now we should be here.
:0041975A FF7510      push [ebp+10]
:0041975D FF750C      push [ebp+0C]
:00419760 8BCB        mov ecx, ebx
:00419762 FF55F0      call [ebp-10]  ;Disable 'Settings' screen
:00419765 E90F030000  jmp 00419A79   ;continue on.
A quick look at this small section of code and the surrounding code makes little sense to us.. From the many jmp instructions to be seen, and no W32Dasm references to where these 'mini' routines are called from, we can see that we've landed in some pretty hostile and unfriendly code. There are a lot of values being saved onto the STACK followed by calls to memory locations based on the values assigned to particular registers plus offset values. Now we can see why W32Dasm was unable to supply us with the calling address of our original routine.

One thing we are sure of: the call [ebp-10] will send the program to the routine we've just left, where we know that the default value of 4096 will be assigned to one of the options in our 'Session Properties screen'. So why not prevent this sequence of events from happening by making the program 'skip' over this call [ebp-10] instruction and instead go directly to the jmp 00419A79!

This is what I did. My changed routine now looked like this:-
:0041975A EB09        jmp 00419765  >---:
:0041975C 90          nop                :
:0041975D FF750C      push [ebp+0C]      :
:00419760 8BCB        mov ecx, ebx       :
:00419762 FF55F0      call [ebp-10]      :
:00419765 E90F030000  jmp 00419A79  <---:
OK, so far so good. After testing this temporary 'patch' out, the 'OK' button in our 'Session Properties screen' is now enabled and the default value assigned to the number of tries we can make is now empty, allowing us to specify the No of tries we want the program to make...:) Checking the 'About' screen now shows no shareware text messages; they are all now gone. Instead of showing 'Unlicensed Copy' where the registration info normally goes there is just emptiness, no User Name, nothing..:)

Job Done.
Load up EntryLe.exe into your favorite Hex-Editor.

* PATCH 1 * This patch will enable all the disabled options.
Search for the following bytes: FF7510FF750C8BCB
Replace with the following bytes: EB0990FF750C8BCB

* PATCH 2 * This patch will allow you 9,999,999 attempts to use this program in one session instead of the default 4096 tries.
Search for the TEXT 4096 - in Hex Workshop change to ASCII mode.
Now OVERWRITE "4096" with 3939393939393900
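As an added worked example, not code from the essay, the following Python decodes the relative jump encodings in the patched routine above to confirm that EB 09 at 0041975A lands on the jmp at 00419765 and that E9 0F030000 reaches 00419A79, and shows the kind of code-bytes integrity check a vendor can build in to detect this sort of call-skipping patch. The sixteen bytes are constructed from the listing, and the reference digest is computed from them rather than taken from any real binary.

```python
import hashlib
import struct

# Constructed from the listing: 16 bytes starting at 0041975A, before and after PATCH 1.
BASE = 0x0041975A
ORIGINAL = bytes.fromhex("FF7510" "FF750C" "8BCB" "FF55F0" "E90F030000")
PATCHED = bytes.fromhex("EB09" "90" "FF750C" "8BCB" "FF55F0" "E90F030000")
CALL_EBP_10 = 0x00419762  # address of call [ebp-10], the instruction the patch bypasses


def short_jmp_target(code, off, base=BASE):
    """Decode 'jmp rel8' (EB disp8): target = address of the next instruction + disp8."""
    if code[off] != 0xEB:
        raise ValueError("no short jmp at offset %d" % off)
    disp = struct.unpack_from("<b", code, off + 1)[0]  # signed 8-bit displacement
    return base + off + 2 + disp


def near_jmp_target(code, off, base=BASE):
    """Decode 'jmp rel32' (E9 disp32): target = address of the next instruction + disp32."""
    if code[off] != 0xE9:
        raise ValueError("no near jmp at offset %d" % off)
    disp = struct.unpack_from("<i", code, off + 1)[0]  # signed 32-bit little-endian displacement
    return base + off + 5 + disp


def jmp_skips_address(code, off, addr, base=BASE):
    """True if the short jmp at `off` jumps forward over the instruction at `addr`."""
    here = base + off
    return here < addr < short_jmp_target(code, off, base)


def is_tampered(code, expected_sha256):
    """Vendor-side integrity check: the protected routine's bytes no longer match the build."""
    return hashlib.sha256(code).hexdigest() != expected_sha256


# In a real product this digest is fixed at build time; here it comes from the constructed bytes.
EXPECTED_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()

if __name__ == "__main__":
    print(hex(short_jmp_target(PATCHED, 0)))           # 0x419765
    print(hex(near_jmp_target(PATCHED, 11)))           # 0x419a79
    print(jmp_skips_address(PATCHED, 0, CALL_EBP_10))  # True
    print(is_tampered(PATCHED, EXPECTED_SHA256))       # True
```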
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.