Tutorial Number 1
Written by Eternal Bliss
Email: Eternal_Bliss@hotmail.com
Date written: 1st Jan 1999

Program Details:
Name: McAfee AntiVirus Ver 4.02
Type: Virus Scanner
Location: ftp://ftp.nai.com/pub/antivirus/win95/v98i402e.zip
Size: 8.1MB

Tools Used:
W32DASM (Disassembler)
Hex Workshop (Hex Editor)

Cracking Method: Patching the program

Viewing Method: Use Notepad with Word Wrap switched on
Screen Area set to 800 X 600 pixels (Optional)
__________________________________________________________________________

Introduction

The authors (Network Associates) of McAfee VirusScan say:

"The Dr Solomon's virus scanning engine is at the heart of VirusScan 4.0.2. Backed by the world's largest antivirus research organization, it delivers outstanding virus detection and cleaning rates. The new engine also detects viruses in nearly all of the popular compressed file formats."

My comments: "It is not as good as it says it is..."

Installation: I've only installed the virus scanner (scan32.exe) and vshield (vshwin32.exe), so my crack will only be based on these 2 files.
__________________________________________________________________________

About this protection system

The protection systems employed within McAfee VirusScan consist of the following:-

1. Deep within your System Registry it uses the following branch to store the User Registration information.
   HKEY_LOCAL_MACHINE\Software\Network Associates\ECare
2. It's a 30 day, time limited program that will 'expire' after 30 days of being installed.
3. When expired, there will be a nag screen telling you the time is up and you have to register. If you don't, it will exit. Changing the clock back will not re-activate the virus scanner but will allow vshield to continue working.
4. A self-check is done when the program starts to see if there are any changes to its code.
When first run, an entry is placed in
HKEY_LOCAL_MACHINE\Software\Network Associates\ECare\LM\FDX5-KAA
This is what the program uses to calculate when the expiry date is.

There are two ways (more if you want to look into it) that I went about cracking the program.

1) I realised that by deleting the value in HKEY_LOCAL_MACHINE\Software\Network Associates\ECare\LM\FDX5-KAA I can restart the 30 day countdown. So, that is an easy way of doing it. You will then be given another 30 days to try out the program.

2) The other way involves patching the program so that both scan32.exe and vshwin32.exe will not expire even after 30 days.
__________________________________________________________________________

The Essay

As this is a tutorial for newbies, I'll go into detail about how I went about patching the program. I suggest that you leave this tutorial in front of you while patching the program with W32Dasm and the Hex editor. Try to replicate every step I do at the same time. When you have completed the tutorial with the 2 files patched, close the tutorial and try to re-do everything you did. Then, the knowledge will be in you. 8)

First of all, run the scanner a few times and observe the details of it. Look at the "About" box as well. Then, set the clock 30 days ahead. Run the program again... You will get a message box saying that your trial period has expired and will be asked to purchase the program. If you click on "Purchase", you will be asked to fill in your particulars and so on. If you click on "Cancel", you will get a message box saying that the program won't run anymore.

Now, before you continue to your next step, set your clock back. And go to the registry to delete the value in HKEY_LOCAL_MACHINE\Software\Network Associates\ECare\LM\FDX5-KAA

If you have any problems with doing this, you can leave this part or contact me. If you can't delete that, then you just have to bear in mind that the program will not run anymore since it has expired.
Also, make another copy of scan32.exe and vshwin32.exe for your Hex editor. These will be the two files you run to test the effect while patching.
__________________________________________________________________________

In my dead listing I always go straight into the String Data Resources of the target program; we can gain a lot of valuable info just by noting down what we see and what looks interesting...

**Dead listing means a disassembled program showing the assembly code, offsets and so on.
**String Data Resources shows the "words" that the program uses. Sometimes, you don't get any at all in a program. But in this case, you will see a lot of them...

To get the String Data Resources, look for the last icon in W32Dasm. That should be the printer icon. The one to the left of it is the String Data Resources icon. To get something like this below, double click on the line of interest and W32Dasm will bring you to the code where this String is used.

Mem Location  String
-------------------------------------------------------------
0040F95C      "The program license has expired. You must purchase to conti"
004014FB      "About McAfee VirusScan OEM Edition"
00401518      "About McAfee VirusScan"
00401524      "About McAfee VirusScan Evaluation Copy"
0042A9F9      "The validation code for %s does not match. Please reinstall "

**Mem Location is the leftmost column with digits starting with a ":". For example,

* Possible Reference to String Resource ID=03145: "The program license has expired. You must purchase to conti"
:0040F95C 68490C0000              push 00000C49

There are many other interesting strings but these will do for us. These are the places where I did patches on the scan32.exe file.

OK, let's start our tutorial...

Go to our String Data Resources, locate "The validation code for %s does not match. Please reinstall " and double-click on it... Scroll up and down a bit... You should see this code fragment...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042AA18(C)
|
:0042A9A0 83FD01                  cmp ebp, 00000001
:0042A9A3 7575                    jne 0042AA1A          -->Jump if Self-Check is valid
:0042A9A5 8D4C2424                lea ecx, dword ptr [esp+24]

---------snip-----------

* Reference To: MCKRNL32.Ordinal:0015, Ord:0015h
|
:0042A9DB E8A0460000              Call 0042F080
:0042A9E0 85C0                    test eax, eax
:0042A9E2 742C                    je 0042AA10           -->Go to the Self-Check
:0042A9E4 8D442424                lea eax, dword ptr [esp+24]
:0042A9E8 50                      push eax

* Reference To: MCUTIL32.Ordinal:009D, Ord:009Dh
|
:0042A9E9 E890480000              Call 0042F27E
:0042A9EE 85C0                    test eax, eax
:0042A9F0 741E                    je 0042AA10           -->Go to the Self-Check
:0042A9F2 8B0E                    mov ecx, dword ptr [esi]
:0042A9F4 8D542410                lea edx, dword ptr [esp+10]
:0042A9F8 52                      push edx

* Possible Reference to String Resource ID=40151: "The validation code for %s does not match. Please reinstall "
|
:0042A9F9 C7442420D79C0000        mov [esp+20], 00009CD7    --> This is where you will land
:0042AA01 894C241C                mov dword ptr [esp+1C], ecx
:0042AA05 897C2424                mov dword ptr [esp+24], edi
:0042AA09 E85277FEFF              call 00412160
:0042AA0E 33ED                    xor ebp, ebp

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0042A9E2(C), :0042A9F0(C)
|
:0042AA10 8B4604                  mov eax, dword ptr [esi+04]
:0042AA13 83C604                  add esi, 00000004
:0042AA16 3BC3                    cmp eax, ebx
:0042AA18 7586                    jne 0042A9A0          --> Go to the start of the code fragment

Try to understand the code before you move on. I've added some comments to it. Just try to follow the conditional jumps and see if you can understand what the program is doing. Bear in mind that after you patch the program, the program will show the message that it has been changed.

There are two locations where you can do the patch:

1) :0042A9A3 7575 jne 0042AA1A
2) :0042AA18 7586 jne 0042A9A0

To patch the program, you have to use a Hex editor. First, double click on the line in W32Dasm that you want to alter. On the status bar of W32Dasm, you will see this (for the 2nd conditional jump)...
Line:92582 Pg 1187 of 1547 Code Data @:0042AA18 @Offset 00029E18h in File:scan32.exe

Look at the offset (in this case, it is 00029E18h). So go to your Hex editor and get to the offset 00029E18. You will see 75 86. Replace the "75 86" with "90 90".

**jne (75) means jump if not equal. Since we have altered the program, we will always be taking this jump unless we can somehow get rid of this instruction. So, one way of doing it is to replace the code with some other code that will not affect the running of the program. I use NOP (90) to replace the 7586 and since it is two bytes, you will have to use two 90s. NOP means "No OPeration".

I did the patch on the 2nd conditional jump. So, by changing "jne 0042A9A0" (7586) at :0042AA18 to "NOP NOP" (9090), I have disabled the self-check. After you have disabled the self-check, you will be able to run the patched program without having any error messages.
__________________________________________________________________________

In the "About" box, you will see "Evaluation Copy" in the title. So in our String Data Resources locate "About McAfee VirusScan Evaluation Copy" and double-click on it... Scroll up a bit... You should see this code fragment...
:004014E5 E866E70000              call 0040FC50
:004014EA 83C408                  add esp, 00000008
:004014ED 85C0                    test eax, eax
:004014EF 7411                    je 00401502           -->Jump over the "OEM version"
:004014F1 8D4C246C                lea ecx, dword ptr [esp+6C]
:004014F5 6804010000              push 00000104
:004014FA 51                      push ecx

* Possible Reference to String Resource ID=40120: "About McAfee VirusScan OEM Edition"
|
:004014FB 68B89C0000              push 00009CB8
:00401500 EB27                    jmp 00401529

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004014EF(C)
|
:00401502 8B842488040000          mov eax, dword ptr [esp+00000488]
:00401509 6804010000              push 00000104
:0040150E 83F801                  cmp eax, 00000001
:00401511 750C                    jne 0040151F          -->Jump to the "Evaluation version"
:00401513 8D542470                lea edx, dword ptr [esp+70]
:00401517 52                      push edx

* Possible Reference to String Resource ID=40102: "About McAfee VirusScan"
|
:00401518 68A69C0000              push 00009CA6
:0040151D EB0A                    jmp 00401529

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401511(C)
|
:0040151F 8D442470                lea eax, dword ptr [esp+70]
:00401523 50                      push eax

* Possible Reference to String Resource ID=40103: "About McAfee VirusScan Evaluation Copy"
|
:00401524 68A79C0000              push 00009CA7          -->This is where you will land

Try to understand the code before you move on. I've added some comments to it.

1) At :004014EF, if we change "je 00401502" (7411) to "jmp 00401502" (EB11), we will jump over the "OEM version". Use the same method to get the offset as above and replace "74" with "EB".
2) At :00401511, if we change "jne 0040151F" (750C) to prevent the jump, then we will not go to the "Evaluation version". Do the same and replace "75 0C" with "90 90".

**You have just changed the "About" box to get rid of the "Evaluation Copy" on the title bar. 8)
__________________________________________________________________________

The next part involves patching the program so that it won't exit nor show the nag splash when the 30 days are up.
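Before moving on, here is an added example (mine, not part of the original tutorial) that ties the patches so far to the numbers in the listings from the other side of the table: it compares a known-good copy of a code region with a suspect copy, reports every run of changed bytes with its file offset and W32Dasm address, and decodes the 2-byte jumps involved. The rule it applies is the one behind every patch in this tutorial: the target of a short jump is the address of the next instruction plus the second byte taken as a signed displacement, which is how 7586 at :0042AA18 reaches 0042A9A0 (86 is -7A) and why the later jump over :0040F90D needs EB15. Assumptions: GOOD_REGION is a constructed stand-in transcribed from the :0042AA10 to :0042AA18 listing, not bytes read from scan32.exe; VA_DELTA is taken from the status bar line quoted above (0042AA18 against offset 00029E18h); all function names are mine.

```python
"""Added example: describe byte-level differences between a known-good copy
of a code region and a suspect copy, in terms of x86 short-jump encoding.
Not the tutorial's code; sample bytes are constructed from its listing."""
import hashlib

# W32Dasm's status bar pairs a code address with a file offset
# ("@:0042AA18 @Offset 00029E18h"); their difference is the VA-to-raw delta
# for that part of scan32.exe as the tutorial reports it (assumption: the
# same delta holds for the whole region we compare).
VA_DELTA = 0x0042AA18 - 0x00029E18

# One-byte opcodes of 2-byte jumps; the second byte is a signed displacement.
SHORT_JUMPS = {
    0x74: "je", 0x75: "jne", 0x72: "jb", 0x73: "jae", 0x76: "jbe", 0x77: "ja",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg", 0xEB: "jmp",
}
NOP = 0x90


def short_jump_target(va, rel8):
    """Target of a 2-byte jump at VA: next instruction (va + 2) plus the
    signed 8-bit displacement. 0x86 is -0x7A, so 7586 at 0042AA18 jumps
    backwards to 0042A9A0."""
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8
    return (va + 2 + disp) & 0xFFFFFFFF


def short_jump_rel8(va, target):
    """Inverse of short_jump_target: the displacement byte a 2-byte jump at
    VA would need to reach target, or None if it is out of rel8 range."""
    disp = target - (va + 2)
    if not -128 <= disp <= 127:
        return None
    return disp & 0xFF


def describe(two_bytes, va):
    """Human-readable reading of the 2 bytes at VA, if they form a short jump
    or a NOP pair; anything else is reported as 'other'."""
    if len(two_bytes) < 2:
        return "other"
    op, rel = two_bytes[0], two_bytes[1]
    if op in SHORT_JUMPS:
        return f"{SHORT_JUMPS[op]} {short_jump_target(va, rel):08X}"
    if op == NOP and rel == NOP:
        return "nop nop"
    return "other"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def find_patches(original, suspect, region_file_offset, va_delta=VA_DELTA):
    """Compare two copies of one code region byte by byte; each run of
    differing bytes is reported with the instruction found at its start."""
    if len(original) != len(suspect):
        raise ValueError("copies differ in length; not a byte patch")
    patches = []
    i = 0
    while i < len(original):
        if original[i] == suspect[i]:
            i += 1
            continue
        start = i
        while i < len(original) and original[i] != suspect[i]:
            i += 1
        off = region_file_offset + start
        va = off + va_delta
        patches.append({
            "file_offset": off,
            "va": va,
            "before": original[start:i].hex(),
            "after": suspect[start:i].hex(),
            "was": describe(original[start:start + 2], va),
            "now": describe(suspect[start:start + 2], va),
        })
    return patches


def check_copy(good, suspect, region_file_offset):
    """Hash comparison first (cheap, catches any change at all), byte-level
    description second (explains what changed). Returns [] when identical."""
    if sha256_hex(good) == sha256_hex(suspect):
        return []
    return find_patches(good, suspect, region_file_offset)


# Constructed stand-in for the bytes at file offset 00029E10h, transcribed
# from the tutorial's listing of :0042AA10 to :0042AA18.
GOOD_REGION = bytes.fromhex("8B4604" "83C604" "3BC3" "7586")
GOOD_REGION_OFFSET = 0x00029E10
# The same region with the self-check branch replaced by two NOPs.
PATCHED_REGION = GOOD_REGION[:-2] + bytes([NOP, NOP])

if __name__ == "__main__":
    for p in check_copy(GOOD_REGION, PATCHED_REGION, GOOD_REGION_OFFSET):
        print(f"offset {p['file_offset']:08X}h VA {p['va']:08X}: "
              f"{p['before']} -> {p['after']}  ({p['was']} -> {p['now']})")
```

Run as a script it reports one change: offset 00029E18h VA 0042AA18: 7586 -> 9090 (jne 0042A9A0 -> nop nop). The hash comparison against a copy held outside the file is the check a self-test inside the file cannot provide, since, as this tutorial shows, the branch that acts on the program's own comparison is just another patchable jump.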
It is a bit more tricky and I must apologise first if my explanation is not comprehensive.

When the 30 days are up, you will see the nag "The program license has expired. You must purchase to continue... blah blah". So in our String Data Resources locate this string and double-click on it... You should see this code fragment...

* Possible StringData Ref from Data Obj ->"ECLicenseFunction"
|
:0040F8DE 68D4794300              push 004379D4
:0040F8E3 53                      push ebx

* Reference To: KERNEL32.GetProcAddress, Ord:0116h
|
:0040F8E4 FF1578E84300            Call dword ptr [0043E878]
:0040F8EA 8BD8                    mov ebx, eax
:0040F8EC 85DB                    test ebx, ebx
:0040F8EE 0F84BE000000            je 0040F9B2           -->Tried changing but did not work
:0040F8F4 E8B7020000              call 0040FBB0
:0040F8F9 85C0                    test eax, eax
:0040F8FB 7510                    jne 0040F90D          -->Patch here
:0040F8FD 8B842428020000          mov eax, dword ptr [esp+00000228]
:0040F904 85C0                    test eax, eax

* Possible Reference to String Resource ID=00002: "In Folder"
|
:0040F906 B802000000              mov eax, 00000002
:0040F90B 7405                    je 0040F912           -->Tried changing to jne and the program exits when it is WITHIN 30 days. This will be skipped when the jump above is patched.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F8FB(C)
|

* Possible Reference to String Resource ID=00005: "&Clean File"
|
:0040F90D B805000000              mov eax, 00000005

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040F90B(C)
|
:0040F912 8D4C2470                lea ecx, dword ptr [esp+70]

---------snip-----------

:0040F92B FFD3                    call ebx
:0040F92D 8B44242C                mov eax, dword ptr [esp+2C]
:0040F931 83C418                  add esp, 00000018
:0040F934 85C0                    test eax, eax
:0040F936 7410                    je 0040F948           -->Jump to Expired notice
:0040F938 837C247803              cmp dword ptr [esp+78], 00000003
:0040F93D 7509                    jne 0040F948          -->Jump to Expired notice

* Possible Reference to String Resource ID=00100: "YES"
|
:0040F93F C7400864000000          mov [eax+08], 00000064
:0040F946 EB6A                    jmp 0040F9B2

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F936(C), :0040F93D(C)       -->Take note of these two locations
|
:0040F948 837C247001              cmp dword ptr [esp+70], 00000001
:0040F94D 7563                    jne 0040F9B2
:0040F94F 8D942420010000          lea edx, dword ptr [esp+00000120]
:0040F956 6800010000              push 00000100
:0040F95B 52                      push edx

* Possible Reference to String Resource ID=03145: "The program license has expired. You must purchase to conti"
|
:0040F95C 68490C0000              push 00000C49          -->This is where you will land

Try to understand the code before you move on. I've added some comments to it.

In this part of the code, the program will see if your trial period has ended. There are a lot of conditional jumps in it. Since we are not using SoftICE to trace the program, I've used another method which is slightly more tedious.

**With my UNregistered status in mind, I know that I will take the jump pointing to the "expired" message. Starting from :0040F8EE (the first conditional jump), I replace the "je 0040F9B2" with NOPs. My theory is that if we are to take this jump in our UNregistered status, changing it will have an effect on the program.
I then change it back to its original code and try out the next conditional jump. I did this for the next few conditional jumps. And this is what I found out about the code fragment:

1) At :0040F8FB, the program checks to see if the 30 days are up
2) At :0040F90B, the program checks to see if it is still within 30 days.
   **Take note of the locations they jump to
3) At :0040F936 and :0040F93D, two more checks are done.

1) and 2) have something to do with the program exiting
3) will show the expiration notice

To get rid of the notice (number 3), simply "NOP" the two lines. Remember to replace the exact amount of bytes.

I observe that :0040F90B jumps to location 0040F912 if it is still within 30 days, while :0040F8FB jumps to 0040F90D if the 30 days are up. Between them, there is an extra instruction:

:0040F90D B805000000              mov eax, 00000005

That means that the program will skip the line above if we are still in our trial period. So, I decided to change :0040F8FB to mimic the actions of :0040F90B, ie. to jump to location 0040F912, but this time it will jump regardless of the "test" result above it. I counted the number of bytes to jump and changed that to Hex. I have to jump 15h bytes. Therefore, at :0040F8FB, I change "jne 0040F90D" (7510) to "jmp 0040F912" (EB15).

That prevents the program from exiting when expired and at the same time, I've jumped over the 2nd jump.
__________________________________________________________________________

The next part of the crack is for the vshield program (vshwin32.exe). In the dead listing, you will see

Mem Location  String
-------------------------------------------------------------
00407F64      "McAfee VirusScan's license has expired. To continue using th"

Double click on the line and you will see the following code...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040617A(C)
|
:00406210 E8BB1C0000              call 00407ED0
:00406215 85C0                    test eax, eax
:00406217 740E                    je 00406227           -->Jump if within 30 days.
:00406219 56                      push esi
:0040621A E8111D0000              call 00407F30         -->call to show expire message
:0040621F 83C404                  add esp, 00000004
:00406222 E97F010000              jmp 004063A6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406217(C)
|
:00406227 8B0DCC3C4100            mov ecx, dword ptr [00413CCC]

---------snip-----------

* Referenced by a CALL at Address:
|:0040621A                        -->Take note of location
|
:00407F30 81EC08020000            sub esp, 00000208
:00407F36 8D442400                lea eax, dword ptr [esp]
:00407F3A 56                      push esi

---------snip-----------

* Possible Reference to String Resource ID=01088: "McAfee VirusScan's license has expired. To continue using th"
|
:00407F64 6840040000              push 00000440          -->This is where you land.

Try to understand the code before you move on. I've added some comments to it.

At location :00406217 je 00406227 (740E), if we change it so that it will always jump regardless of the time period, we will never see the expire nag. So, change 740E to EB0E. (EB means jmp)

**This means that the program will always take the "within 30 days" path. I have tried changing the je to NOP and vshield will always expire even within 30 days.

Job Done.
__________________________________________________________________________

The Crack

A total of 6 patches for scan32.exe and 1 patch for vshwin32.exe to be done as listed above.
__________________________________________________________________________

Final Notes

This tutorial is dedicated to all the newbies like me. I've tried to explain everything in detail.

My thanks and gratitude go to:-
The Sandman
All the writers of cracking tutorials
__________________________________________________________________________

Ob Duh

Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses will be encouraged to produce even *better* software for us to use and enjoy. Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warze, Cracks etc.