|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
"EditPlus is Internet-ready 32-bit text
editor for Windows 95/98 and Windows NT 4.0 or higher. It is not
only a good replacement for Notepad, but also it has much more powerful
features for web-page authors and programmers."
|
|
User Name
:
Registration Key :
The registration code is based on what you type in for your name/handle,
it is Case sensitive, so entering The Sandman
will produce a different registration key than if you had typed in the
sandman and the resulting registration key appears to always contain
a total of 17 characters.
Once registered, the program saves the registration info within your
System Registry file, at:
HKEY_LOCAL_MACHINE\SOFTWARE\ES-Computing\EditPlus\1
Creating these two entries:-
Install 93 00 00 00
License DB
89 29 18 F6 5D 01 5E 78 9C E3 0E C9 4D
CC 33 70 B2 B0 70 73 72 31 D1 75 74 74
B4
34 71 B6 30 03 00 80 08 07 FF
Some of these bytes might be different
for you if these bytes were generated from the registration key entered
into Edit Plus.
|
|
EditPlus, while still cracked with this
technique required a little massaging of it's code to get it to work but
nothing too drastic. Since this was the first time I was faced with
this particular situation of massaging the code to make it do what I wanted
it to do it's worth explaining the process from start to finish in detail.
Right, run up EditPlus and go into the
Registration screen, via 'Help' then 'Enter Registration Key...".
Type in a name or handle and for the actual regkey just type an anything
that comes to mind but DON'T press the 'OK' button just yet.
We're going to first tell Softice to break
on any requests to use the MessageBoxA routine, so press 'CTRL-D'
then type: bpx messageboxa
Since this is a 32-bit application it
will be fair to say it will use 32-bit system functions which messageboxa
is, rather than it's 16-bit counterparts like messagebox. The difference
is the 'a' at the end of the function name, the 'a' signifies that it is
a 32-bit function.
Press x to leave Softice and now
you press the 'OK' button to have EditPlus check our registration
key. Once Softice breaks, press the F11 key once.
You should now be at this interesting piece of code:-
:00486527
8B4F1C
mov ecx, dword ptr [edi+1C]
:0048652A
8B55FC
mov edx, dword ptr [ebp-04]
:0048652D
FF750C
push [ebp+0C];Save
Messagebox parameters
:00486530
FF7278
push [edx+78];Save
Messagebox parameters
:00486533
FF7508
push [ebp+08];Save memory pointer to
;to the
beggar off message
:00486536
51
push ecx Save
Messagebox parameters
:00486537
FF15FCFD4C00
Call dword ptr [User32!MessageBoxa]
:0048653D
8BF8
mov edi, eax ;We land here
:0048653F
891E
mov dword ptr [esi], ebx
:00486541
837DF800
cmp dword ptr [ebp-08], 00000000
:00486545
740B
je 00486552
Before the 'Beggar
off cracker' message can be displayed the system function 'MessageBoxA'
requires certain information to be placed onto the 'Stack' (an
area of memory reserved for short-time passing of parameters to functions,
which in this case for our MessageboxA function) so
that it knows how to display the messagebox when it's shown on your screen.
The kind of information required before the messagebox can be shown is:-
What type of message
box to use, how many buttons (like 'ok','yes','no','cancel' it will have,
what text to display within it and what title the messagebox will have.
The order of these parameters passed onto the STACK is very important so
we must maintain this same order when we start to massage the code.
The bit we're interested
in is the text that will be displayed in this messagebox, in this case
the 'Beggar off cracker' message. But before we can start altering this
section of code we must understand how it works, so type bc
* to clear away any breakpoints we may still have in Softice then type
bpx 0048652A then x to leave softice. We are going
to get Softice to break before the program generates our message box so
we can see what information is being passed to it. Once more we're
back in the Edit Plus Registration screen. Click the 'OK' button
again and once again Softice breaks and we're back in the Edit Plus code,
only this time just before our 'Beggar off cracker' is shown.
Right, Softice stops on this line:-
Lets see what the state of some of those registers are.
EBP = 72F304 *Address will be slightly different on your puter *
For our *crack* we need to check on the ebp register, to see if our 'real' serial no is close by..
So type: d ebp
Yep, our real serial number is close by, so if all we wanted was to
grab the serial number and use it to register the program with then that
would be a lame thing to do, especially when we can do much more here.
While we are here try and work out the EXACT memory location of the beginning
of our our serial number, this is important because from this address we
can work out the displacement value for our ebp register for when the time
comes to use it.
Once you have the EXACT memory address of the serial number we now
have to work out the displacement value so that we can find this location
every time the program is run, regardless of where in memory the program
is.
Example: Here's what I mean.
On my computer the memory location of the serial number was found at:
0072F418 and the value in the ebp register was 0072F3D4. To get the
displacement value all I did was type:
? 72F418-ebp
Which gave me the answer of 44h.
The question mark tells Softice to work out the expression, in this case
a simple subtraction (serial No address) of one value from another (address
of the ebp register). Hope this makes sense?.
The next register we will look at is the ECX
register, because the program by passed the line:
:00486527 8B4F1C mov ecx, dword ptr [edi+1C]
when it jumped to this block of code.
OK, the Register ECX has been pre-loaded
with the address 00000???, the question marks represent a three digit number
that varies each time the program is run. However, it will ALWAYS point
a memory location that contains the following three bytes: 00 00 03
Lets now dissect the what happens before the MessageBoxA routine is
called:
Press F10 once, we have just executed
this instruction:- mov edx, dword ptr [ebp-04]
Register EDX
has now been given a memory address 'pointed' to by our ebp
register with a displacement of four bytes. To understand this we
can do the following:-
Type d ebp-4
Look in Softice's hex code window, can
you see the first four bytes, these four bytes
[38 20 4A 00] make up a memory address
that the MessageBoxA routine will use when it's asked to create the messagebox.
These four bytes are in stored in REVERSE ORDER, so to get
the actual memory location they represent we reverse this order so that
they read: 004A2038, don't blame me for this confusion, blame Intel!
Now press the F10 key once more..
We have just executed this instruction: push
[ebp+0C]
This instruction is now pushing onto the
STACK a memory location that the MessageBoxA function will read as a numerical
value that represents what type of Icon this messagebox will use when it
display's our messagebox. We are not concerned with what Icon is shown
so lets proceed onto the next instruction. Press the F10 key
once more..
We have just executed this instruction: push [edx+78]
We can use the same procedure as before to find out what's being saved onto the STACK by typing d edx+78 then typing D followed by (in reverse order) the first four bytes shown in the hex code window. If you've done this properly you will see the text "Edit Plus"
This will be used
for the Message Box's Title.
Now press the F10
key once more.
We have just executed
the following instruction. push [ebp+08]
Our friend the ebp
register again, only this time using a displacement value of +8 bytes.
Lets type d ebp+8 and then using
the four bytes shown in the hex code window (make sure to reverse the order)
type d ????????, replace the question marks with the four bytes
shown in the hex code window.. Example, if you see the bytes 3C A7 B8 00
then you will need to type d 00B8A73C
Bingo!, we've found the instruction that
'point's to the memory location of where our 'Beggar off cracker' text
is located. So what do we do about it.
Well what I did was to overwrite the instruction
push [ebp+08]
and replace it with:
LEA EAX,[EBP+44]
which fitted in exactly. Notice I'm using the ebp
register with our magical 44h
displacement number, which we know is where our serial number is.
If you try and run
these sequence of instructions by trying to enter a serial number into
EditPlus then NO message box will be shown!!. We can use Softice
to go over these instructions before it hits the Call User32!MessageBoxA
and everything 'looks' ok, but we're STILL missing something before our
*crack* will work.. Can you *see* what's missing?.
:00486527
8B4F1C
mov ecx, dword ptr [edi+1C]
:0048652A
8B55FC
mov edx, dword ptr [ebp-04]
:0048652D
FF750C
push [ebp+0C];Save
Messagebox parameters
:00486530
FF7278
push [edx+78];Save
Messagebox parameters
:00486533
FF7508
lea eax,[ebp+44];eax =loc of Serial No
:00486536
51
push ecx ;Save
Messagebox parameters
:00486537
FF15FCFD4C00
Call dword ptr [User32!MessageBoxa]
:0048653D
8BF8
mov edi, eax ;We land here
:0048653F
891E
mov dword ptr [esi], ebx
:00486541
837DF800
cmp dword ptr [ebp-08], 00000000
:00486545
740B
je 00486552
Yep, we haven't pushed the memory location of our serial number onto
the STACK, so the MessageBoxA function can't find it, so the MessageBoxA
function gets aborted.
What we need to do is insert a PUSH EAX instruction before the Call
[User32!MessageBoxA] and that will cure this problem, but look, there's
no room to insert this 1 byte instruction. Wish I Knew more Assembler now,
might then have found another Assembler instruction that not only gets
the memory location of our serial number but also push's this value on
the STACK in one go!.
Not wanting to give up there seemed only one more course of action left
to me, and that was to massage the code a little, so I checked what instructions
got executed after the call to the MessageBoxA routine and found
that the cmp dword
ptr [ebp-08], 00000000 instruction always
resulted in the je 00486552
being 'set' to jump. Hmm, in that case we can afford to 'lose' this instruction
and then change the je
00486552 to
jmp 00486552 instead!.
Let's now re-write
this section of code so that it will always now show the 'real' serial
number when we get it wrong:-
:0048652A
8B55FC
mov edx, dword ptr [ebp-04]
:0048652D
FF750C
push [ebp+0C]
:00486530
FF7278
push [edx+78]
:00486533
8D4544
lea eax,[ebp+44];eax =loc of Serial No
:00486536
50
push eax ;Save
it to the stack
:00486537 51
push ecx
:00486538 FF15FCFD4C00
Call dword ptr [User32!MessageBoxA]
:0048653E
8BF8
mov edi, eax ;We land here
:00486540
891E
mov dword ptr [esi], ebx
:00486542
90
Nop ;fill in empty space
:00486543
90
Nop ;fill in empty space
:00486545
EB0B
jmp 00486552
Job Done.....
|
|
00085910 83F80477 04804D0C
30E80AF5 0000B900 ...w..M.0.......
00085920 00000085 FF74038B
4F1C8B55 FCFF750C .....t..O..U..u.
00085930 FF7278FF
750851FF 15FCFD4C 008BF889 .rx.u.Q....L....
00085940 1E837DF8 00740B6A
01FF75F8 FF157400 ..}..t.j..u...t
Now REPLACE the following HIGHLIGHTED
bytes with:
00085910 83F80477 04804D0C
30E80AF5 0000B900 ...w..M.0.......
00085920 00000085 FF74038B
4F1C8B55 FCFF750C .....t..O..U..u.
00085930 FF72788D
45445051 FF15FCFD 4C008BF8 .rx.EDPQ....L...
00085940
891E9090 90EB0B6A 01FF75F8 FF157400 .......j..u...t.
|
|
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.
|
|
| Next | Return to Essay Index | Previous |