Rhinoceros 1.1 for Win9x/NT - Cracking Tutorial by Goatass
----------------------------------------------------------

BEGINNER (X) - INTERMEDIATE () - ADVANCED () - EXPERT ()

About this protection:
----------------------

While reading +sandman's newbie message board I came across a thread talking about Rhino 1.1, so I decided to help out and gave it a shot. After doing some tracing I found the protection, and here I will explain how it works and how to reverse it.

All the protection consists of is a key in the registry that starts at 25; every time you Save, Export, Save As and the like it is decremented, until it reaches zero and you are shit out of luck. Other than that the program is fully functional.

What you will need:
-------------------

- Rhinoceros 1.1 (http://www.rhino3d.com)
- SoftIce
- Hex Editor

The crack:
----------

Let's begin. First we run the program, then we go to Save, and we get a message box saying that we only have 25 times to save. Well, that kinda sucks, because we want to save more since we are so talented and will be making Star Wars animations with this program, so we really need that Save function.

Anyhow, first we try BPX MessageBoxA and no luck, SoftIce didn't break. You can try all the APIs you know of until one works for you, or do what I did: go into SI and type HWND; this will show you all the handles of all the currently opened windows. Scroll down until you see Rhino.exe in the list under Owner, and to the right of it under Class-Name it needs to say "Button". Then look all the way on the left side under Window-Handle and remember that number. Now ESC out of the list and set a breakpoint on the window message that will result from us pressing the button. I used this: BMSG handle WM_DESTROY. This will cause SI to break right after the message box is destroyed. Ok, if you didn't get all of that then use BPX ShowWindow; that will work as well.
After SI broke, press F12 a few times until you are inside Rhino.EXE. You should be at:

:00458647 33C9 xor ecx, ecx

Now let's look at the code around that CALL, especially before it. It looks something like this:

:00458620 55           push ebp
:00458621 8BEC         mov ebp, esp
:00458623 83EC14       sub esp, 00000014
:00458626 8B4508       mov eax, dword ptr [ebp+08]    <-- our bitch
:00458629 50           push eax
:0045862A 8B4D0C       mov ecx, dword ptr [ebp+0C]
....
:00458638 FF1548359900 call dword ptr [00993548]      <-- CRhUseDemoSaveDlg function call
....
:00458647 33C9         xor ecx, ecx                   <-- you are here

At line 00458626, if you do ? *(ebp+08) you will see in HEX how many tries you have left. But where did that come from? Well, in our case from the registry. So let's look higher in our program code and we will see some calls to RegOpenKeyExA, RegQueryValueExA and RegCloseKey; these are the calls that go to the registry and get the value that we saw in [ebp+08]. Looking at the code right below the CALL to RegQueryValueExA we see this:

:004585F5 85C0         test eax, eax                  <-- this checks to see if the function failed or not
:004585F7 7506         jne 004585FF
:004585F9 8B55F0       mov edx, dword ptr [ebp-10]    <-- edx is assigned how many more saves are left
:004585FC 8955FC       mov dword ptr [ebp-04], edx
...

Past the RegCloseKey CALL we see this code:

:00458609 837DFC00     cmp dword ptr [ebp-04], 00000000  <-- did we use all 25 tries?
:0045860D 7507         jne 00458616                      <-- if not, great
:0045860F B801000000   mov eax, 00000001                 <-- BAD flag
:00458614 EB02         jmp 00458618
:00458616 33C0         xor eax, eax                      <-- GOOD flag
:00458618 8BE5         mov esp, ebp
:0045861A 5D           pop ebp
:0045861B C3           ret

When we get to the patching part of this tutorial, remember address 0045860D.

Ok, now if you look before the RegOpenKeyExA you will see that the program looks in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\ModuleUsageMeter to get how many more tries you have left. Well, let's go back to 00458620 and look some more, especially at all the CALLs that call this code.
The CALLs are: 0046423C, 00464B80, 00464C60, 0047E317, 00495843, 00496BB2, 004978B9, 0049A676, and 0049C739.

All of these places are pretty much identical, but they all need to be patched if we want to get rid of that stupid message box telling us how many saves we have left. So let's look at that first address, 0046423C. First we scroll a bit above that and we see the RegQueryValueExA, so we need to fix that JNE at 00464207 to a JMP so that no matter what the value in the registry says we will always continue on. After following that JMP we get to:

:00464221 83BD04FEFFFF00 cmp dword ptr [ebp+FFFFFE04], 00000000
:00464228 7E28           jle 00464252                    <-- we want to make that a JMP

So we make the above JLE a JMP; that will take us to the EnableWindow API call, bypassing the nag screen.

Now, to cover our asses, we are gonna set the value in the registry back to 25 saves. To do that, scroll down some in the disassembly until you see RegCreateKeyExA. Above that, at address 004649DA, you will see:

:004649DA mov ecx, dword ptr [ebp+FFFFF7E4]   <-- ecx now holds how many saves you have left
:004649E0 mov dword ptr [ebp+FFFFF3E4], ecx   <-- puts the value somewhere else

So what we do is change the MOV at 004649DA to load the value 19h, which is 25 in decimal. It looks something like this:

:004649DA B919000000 mov ecx, 00000019
:004649E4 90         nop

This will put the value 19h, or 25d, in the registry.

Well, this is it. Now all you have to do is go to all of these calls: 0046423C, 00464B80, 00464C60, 0047E317, 00495843, 00496BB2, 004978B9, 0049A676, and 0049C739, and do the same patching as we did with the first one, and you have a fully working crack.

Here are the addresses of where the patching needs to be done in order for the key in the registry to always have 25 uses in it, even though we don't care about it anymore. Since the program keeps reducing the number, we would end up with something like -2345325235 after a month of using the program, and that's not cool :)

0047EA65, 00496111, 004972EC, 004982DE, 0049AEEA

SoftSENTRY part
---------------

Ok, we got everything working fine, but we ran the program a bunch of times and now we get a message saying it's Expired... wtf? Well, with SoftSENTRY the program expires after 50 uses. This is what we do: remember after we fixed the number-of-tries problem we scrolled down to find where it writes that number back to the registry? Well, along the way we passed by some code, but we ignored it. That code is part of the SoftSENTRY protection; all it does is create a temp file, decrypt code into it, execute it, and give us the Expired message box. After some tracing I got to the call that brought up the expired message, which is:

:004981EE FF9538E6FFFF   call dword ptr [ebp+FFFFE638]         <-- the first expired message
:004981F4 3D76C70000     cmp eax, 0000C776
:004981F9 7536           jne 00498231                          <-- to the second expired message
....
:00498224 85C0           test eax, eax
:00498226 7409           je 00498231                           <-- bad jump
:00498228 83BD30E6FFFF00 cmp dword ptr [ebp+FFFFE630], 00000000
:0049822F 7347           jnb 00498278                          <-- good jump

So to fix this we can NOP everything from 004981EE to 004981F9 so we won't see that first expired message, then we NOP the JE at 00498226, and force the jump at 0049822F. Do that for all 6 places and you will be good to go. The 6 places are: 004981EE, 0047E975, 00496021, 004971FC, 0049ADFA, and 004648EA.

Now it's time for some cosmetics :) Open Rhino.exe in a Hex Editor and go to offset 6721C4. There you will see the string "Evaluation"; that is what is shown at the top of the window when you run the program, so erase it altogether, or if you are dedicating this crack to someone special, put their name in there, or whatever you want. Remember not to exceed 10 characters.
Now open Splash.DLL in the Hex Editor, go to offset F0D8, and change that "Evaluation" string again to whatever you want. Do the same thing for the "Expired" string to get rid of that.

Now, if you want to get rid of that stupid quick guide screen that shows up at startup, we can do that as well. Here we go: looking at the imports of Rhino.exe we see DemoDlg.IniDialog; that is what creates that startup screen we are gonna get rid of. So we go there, which is at address 0045892B. We need to delete that CALL, so we will NOP it out, but in order for that to work we will need to NOP the two PUSHes before it and the ADD ESP, 00000008 after the CALL, and it will work fine.

Well, that's it. We completely cracked and cleaned up the program to make it look and operate like it's supposed to.

Great thanks go to Zip, CrackZ, and Lord Soth.

Peace out!

Goatass