There is a crack, a crack in everything. That's how the light gets in.
There must be many other ways to crack this program, starting right from installation, when InstallShield asks for a rego number, through to other points where the protection may be circumvented. I only describe this (my) approach to give others, unfamiliar with WDASM used as a debugger, an insight into how it's done! Of course some study of the "Dead Listing" is essential, but anyway, follow on..
For now install it as a 60 day demo. On running it we get the usual nag and an "Upgrade" button.
Upgrade?? Let's click on this. It displays a system generated number and asks for yours. Enter any number and click OK. Up pops a message box with the message:
"You have entered an invalid customer number or product serial" etc.
Ah HA!
The following bits are not really necessary, but I used them to be thorough. Start up FILEMON, set a filter on the process MAXWIN and run MAXWIN. Try to upgrade as above and we see that the code doing the check resides somewhere in MAXWIN.EXE, 3,032,064 bytes. HUGE.
Start up WDASM and decompile the file MAXWIN.EXE. Time for a coffee or cocktail and, if you smoke, plenty of time for that evil puff or two. Huge file, takes ages to decompile.
OK, it's done. Step one is to save your file as a project so that the breakpoints you will set up are "sticky".
Saved, so now we open the search on string references, looking for our string as above. This is the Dead Listing part I mentioned. You will see different references to registering this program. The one we are interested in is here:
* Referenced by a (C)onditional Jump at Addresses:
:0046AF15(C), :0046AFAE(C), :0046AFCF(C)   <-- Note these 3 locations.
:0046AFE5 8D4DD8      lea ecx, dword ptr [ebp-28]
* Reference To: MXLIB32.MXLIB32:NoName0617, Ord:021Ch
:0046AFE8 E8970B1500  Call 005BBB84
* Possible Reference to String Resource ID=41211: "You have entered an invalid customer number or product seria"
:0046AFED 68FBA00000  push 0000A0FB
:0046AFF2 8D4DD8      lea ecx, dword ptr [ebp-28]
:0046AFF5 C645FC08    mov [ebp-04], 08
Notice the line above, where this bit of code is reached from 3 different addresses, all conditional jumps. What this means is that some compares are done and, if the code entered is invalid, this snippet of code is run to display the infamous message box.
Let's check the first and earliest jump, at :0046AF15:
:0046AF0D 52            push edx
:0046AF0E FFD6          call esi
:0046AF10 83C408        add esp, 00000008
:0046AF13 85C0          test eax, eax         <--- set breakpoint here!!!
:0046AF15 0F84CA000000  je 0046AFE5           <-- the first jump to the Msgbox!!!
* Possible Reference to String Resource ID=34558: "SOFTWARE\Maximizer Technologies\Maximizer\CurrentVersion\Reg"
:0046AF1B 68FE860000    push 000086FE
:0046AF20 8D4DE0        lea ecx, dword ptr [ebp-20]
So we will now need to set a breakpoint as above [press F2 when the line is highlighted] and check the value in eax after the call to esi at :0046AF0E.
In WDASM select the menu option DEBUG, Load Process, and click the LOAD button without entering anything as a command line parameter. The program loads and the other 2 windows open out, one the debug data window at the bottom left (hereafter called DATA) and the other at the bottom right (hereafter called CODE).
In the main debug window, the cursor highlights the first line of code. Now select GOTO from the menu and enter our address, 0046AF15. Since this is the actual jump, scroll the cursor up to the line:
:0046AF13 85C0 test eax, eax
and when it is highlighted, press F2 so that a yellow box appears at the extreme left. This means that you have set a breakpoint on this line of code.
Now if you move the cursor you will see that the line is highlighted in yellow, and in the DATA window, to the right under "BPts", your address will appear with a *. This window shows the breakpoints, and the * means they are enabled.
In the CODE window click RUN or press F9. Maximizer will start up; in the first nag screen select "Upgrade" and enter any old number in the textbox, e.g. 12345678.
Select OK and WDASM will break at your first breakpoint. Now in the DATA window the values of the registers are displayed at the top left. We are interested in EAX, as that is the one checked. We see it is 0, and this means that we will take the BAD jump.
So let's change the value of EAX to NOT 0, i.e. 1. Click the MODIFY button at the bottom left of the DATA window and a window opens where we can modify the values by typing a new value.
In the box labeled Enter Value--> enter 1 and, just below that, click the button with "eax" on it. As you see, eax is now = 1. We need to write this to memory, so click the button MODIFY and then CLOSE.
NOW we need to continue stepping, and here is a peculiarity of WDASM.
AFTER ANY MEMORY CHANGES, YOU MUST ALWAYS CLICK THE "STEP INTO" BUTTON IN THE CODE WINDOW OR PRESS F7. If you press F8 or Step Over, WDASM will act as though you pressed RUN and will not single step.
Please remember this!
OK, we STEP (F7) and now GOTO the second conditional jump, :0046AFAE.
Have a look at the code below, set a breakpoint as shown and RUN:
2. Set another break here:
:0046AFA1 C645FC05    mov [ebp-04], 05
:0046AFA5 E874010000  call 0046B11E
:0046AFAA 837DCC00    cmp dword ptr [ebp-34], 00000000
:0046AFAE 7535        jne 0046AFE5            <-- Set breakpoint here!!!!
:0046AFB0 8D45E8      lea eax, dword ptr [ebp-18]
:0046AFB3 8B4DF0      mov ecx, dword ptr [ebp-10]
:0046AFB6 50          push eax
* Possible Reference to Dialog: DialogID_0191, CONTROL_ID:03E8, ""
:0046AFB7 68E8030000  push 000003E8
We break as shown above. The following line has already been executed:
:0046AFAA 837DCC00 cmp dword ptr [ebp-34], 00000000
Let's check [ebp-34]. In the DATA window, to the right of the Register Values window, is the memory address display, with buttons for eip, eax, ebx, ecx etc. Click the button for ebp, 8 from the top, and scroll till the window displays the value at ebp-34.
We see it is NOT 0, and we will be forced to take the BAD jump.
[ebp-34] is not 000, but we care not. Just patch the file to NOP the jump:
:0046AFAE 7535 jne 0046AFE5 to 4048
To patch code in memory is simple. Remember we have not yet executed the BAD jump. Click the button PATCH CODE in the CODE window (bottom right) and a patch code window appears: W32Dasm Code Patcher.
In the box below "Enter New Instructions Below" we can enter our new assembly instructions. We can either NOP the 2 bytes of the JNE or, as +ORC taught, be smart and enter
inc eax (press Enter)
dec eax (press Enter)
In the box below we see our instructions as well as the HEX codes. Above our entry we see the EIP and the code for that instruction. This is important, as sometimes when patching code we may only use 4 of the 5 bytes and will need to NOP the extra byte to maintain code integrity, or your program WILL crash.
We can see that EIP now points to this line, :0046AFB0 8D45E8 lea eax, dword ptr [ebp-18], so our patch is of the correct length. Now click APPLY PATCH and OK on the confirmation WDASM presents.
Click CLOSE to close the Patch window. If you look at the CODE window you will see that the code there no longer resembles the code in the MAIN window but instead has your 2 patch instructions:
inc eax
dec eax
PRESS F7 OR "STEP INTO", for the same reasons as mentioned above. We see EAX incremented and decremented! Keep pressing F7 to continue for a couple of instructions.
3. Now on to our third conditional jump, at :0046AFCF.
Set a breakpoint here as DESCRIBED above, at the location shown below.
RUN and, when we break, check EAX. If it is 0 then we jump to the BAD location, so if EAX is 0 change it to 1 as above. If NOT 0, then leave well alone.
We are almost there.
We see from the code below that there is a call to 005C0598 which returns a value to be checked in EAX. After this call and the stack fixing at :0046AFD5 and :0046AFDA, EAX is checked. IF the value is 0 then the code following is executed, which is BAD. SO WE NEED TO FORCE THE JUMP at :0046AFC to actually jump past the BAD location to location :0046B065.
"MODIFY" the value of eax to NON 0, i.e. 1, as described above to force the jump.
We see below this bit of code, with the bad jump and the conditional GOOD jump.
Also check out the names of the function calls the programmer has used: MxGetSet.IsValidPSN and, later, MxGetSet.IsValidUID. Dead giveaways. Could MxGetSet.IsValidPSN refer to "Is it a valid pin" and IsValidUID mean "Is it a valid User ID"? Dumb I tell you!
:0046AFC4 50            push eax
* Reference To: MxGetSet.IsValidPSN, Ord:0008h
:0046AFC5 E8C8551500    Call 005C0592
:0046AFCA 83C404        add esp, 00000004
:0046AFCD 85C0          test eax, eax         <------ BREAK POINT 3 HERE!!!!!!
:0046AFCF 7414          je 0046AFE5           <--------- bad jump here
:0046AFD1 8B45E8        mov eax, dword ptr [ebp-18]
:0046AFD4 50            push eax
* Reference To: MxGetSet.IsValidUID, Ord:0009h
:0046AFD5 E8BE551500    Call 005C0598
:0046AFDA 83C404        add esp, 00000004
:0046AFDD 85C0          test eax, eax
:0046AFDF 0F8580000000  jne 0046B065          <- TAKE THIS JUMP!!!
* Referenced by a (C)onditional Jump at Addresses:
:0046AF15(C), :0046AFAE(C), :0046AFCF(C)
:0046AFE5 8D4DD8        lea ecx, dword ptr [ebp-28]
* Reference To: MXLIB32.MXLIB32:NoName0617, Ord:021Ch
:0046AFE8 E8970B1500    Call 005BBB84
* Possible Reference to String Resource ID=41211: "You have entered an invalid customer number or product seria"
:0046AFED 68FBA00000    push 0000A0FB
These jumps lead to the message that the code is bad etc. DO NOT TAKE IT.
Change, if needed, the value in EAX so we skip the first jump, je 0046AFE5, and TAKE THE SECOND:
jne 0046B065
We are DONE!!!!!
Proudly hit F9 or RUN and watch as MAXIMIZER upgrades itself to the FULL WORKING VERSION even though you had entered the bullshit serial number.
QUIT the program and run again. NO NAG. NO NOTHING. We ARE REGISTERED. 60 days?? Forget it.
Maximizer has self-upgraded and we are registered!!!!!
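As an added illustration that is not part of the original essay, the Python below decodes the call and conditional-jump encodings quoted in the listings above and confirms, from the opcode bytes alone, that the three conditional jumps converge on the message-box code at 0046AFE5, that the jne at 0046AFDF reaches 0046B065, and that the rel8 jne at 0046AFAE is only two bytes long (which is why its replacement had to be exactly two bytes). The addresses and bytes are copied from the listing; the function names and the LISTING table are my own.

```python
import struct

# Condition-code suffixes for Jcc, indexed by the low nibble of the opcode.
CC = ["o", "no", "b", "ae", "e", "ne", "be", "a",
      "s", "ns", "p", "np", "l", "ge", "le", "g"]

# (address, opcode bytes) pairs copied from the W32Dasm listing on this page.
LISTING = {
    0x0046AF15: "0F84CA000000",  # je   0046AFE5  (first jump into the nag)
    0x0046AFA5: "E874010000",    # call 0046B11E
    0x0046AFAE: "7535",          # jne  0046AFE5  (second jump into the nag)
    0x0046AFC5: "E8C8551500",    # call 005C0592  MxGetSet.IsValidPSN
    0x0046AFCF: "7414",          # je   0046AFE5  (third jump into the nag)
    0x0046AFD5: "E8BE551500",    # call 005C0598  MxGetSet.IsValidUID
    0x0046AFDF: "0F8580000000",  # jne  0046B065  (the "good" jump)
    0x0046AFE8: "E8970B1500",    # call 005BBB84  MXLIB32 message-box helper
}

def decode_flow(addr, hexbytes):
    """Return (mnemonic, length, target) for call rel32, jcc rel8 or jcc rel32.

    x86 relative targets are measured from the *next* instruction, so the
    encoded length matters as much as the displacement; that is also why a
    patch has to cover exactly the bytes of the instruction it replaces.
    """
    b = bytes.fromhex(hexbytes)
    if b[0] == 0xE8:                                # call rel32
        mnem, length, disp = "call", 5, struct.unpack_from("<i", b, 1)[0]
    elif b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:      # jcc rel32
        mnem, length, disp = "j" + CC[b[1] & 0xF], 6, struct.unpack_from("<i", b, 2)[0]
    elif 0x70 <= b[0] <= 0x7F:                      # jcc rel8 (signed byte)
        mnem, length, disp = "j" + CC[b[0] & 0xF], 2, struct.unpack_from("<b", b, 1)[0]
    else:
        raise ValueError(f"{addr:08X}: not a call or conditional jump")
    if len(b) != length:
        raise ValueError(f"{addr:08X}: expected {length} bytes, got {len(b)}")
    return mnem, length, (addr + length + disp) & 0xFFFFFFFF

def callers_of(target):
    """Addresses of conditional jumps in LISTING whose target is `target`."""
    return sorted(a for a, h in LISTING.items()
                  if decode_flow(a, h)[0] != "call"
                  and decode_flow(a, h)[2] == target)

if __name__ == "__main__":
    for a, h in sorted(LISTING.items()):
        m, n, t = decode_flow(a, h)
        print(f":{a:08X} {h:<12} {m:<5} {t:08X}  ({n} bytes)")
    print("conditional jumps into the message-box code:",
          [f"{a:08X}" for a in callers_of(0x0046AFE5)])
```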