|
How to crack HTMLedPro32 2.0d
Destroy them to make them work
|
Not Assigned
|
2 February 1998
|
by
Edi
|
|
|
Courtesy of Fravia's page of
reverse engineering
|
slightly edited
by fravia+ |
|
An interesting essay about code-hardwired property values.
Edi's "Constructive Destruction Cracking" is a sound cracker's
attitude: when in doubt, just modify the code of your target and
see what happens... it's actually funny to contate how seldom
crackers 'put their hands' inside the spinning code of a target...
ok, most of the time everything explodes, so what? If you feel the
code a little, such destructive cracking methods can yearn very
interesting and high results... besides: how are you supposed to learn
all the different parameters value without just feeding some of
them to the spinning code? Blow targets to pieces! Enjoy!
|
|
|
There is a crack, a crack in everything
That's how the light gets in
| |
Rating
|
(x)Beginner (x)Intermediate ( )Advanced ( )Expert
|
|
An interesting essay in order
to see how a not-easy-to-discover protection scheme can easily be bypassed.
How to crack HTMLedPro32 2.0d
Destroy them to make them work
Written by Edi
Ever thought about modifying a program to tell you where it's protection scheme
is? Maybe, but did you think about causing an error message and bypassing a whole
portion of code (in which you could store your own routines IF YOU COULD :)? It's
not difficult, and I think this method will be applicable in many other programs.
- Soft-Ice
- Wdasm
- HIEW or any good hexeditor
ftp://ftp.cybersmith.net/pub/ist/htx32_2d.exe
Start it...
Licenced to:
Evaluation version. Evaluation period is over.
Ok, let's disassemble it with wdasm and search for 'evaluation'.
We find:
1.) 460899: "Evaluation version, [x] days left in the evaluation period."
2.) 4608F9: "Evaluation version, [x] days left in the EXTENDED evaluation period."
3.) 460959: "Evaluation version. EXTENDED evaluation period is over."
4.) 46098B: "Evaluation version. Evaluation period is over."
5.) 4609C0: Name, Company, Serial#
So there must be a check with at least 5 different jmps, we have to look
for a jumptable:
1.) Evaluation period
2.) EXTENDED evaluation period
3.) EXTENDED evaluation period over
4.) Evaluation period over
5.) Registered
Search for 460899 (or scroll up :-) and you'll see this code:
:0046085C E83B65FEFF call 00446D9C ; Look if registered/extended/whatever
:00460861 8BF8 mov edi, eax
:00460863 A120AA4A00 mov eax, dword ptr [004AAA20]
:00460868 8BB090030000 mov esi, dword ptr [eax+00000390]
:0046086E 8B465C mov eax, dword ptr [esi+5C] ;
:00460871 83F805 cmp eax, 5 ; 5=registered?
:00460874 0F87D2010000 ja 00460A4C ; Don't nag the user, let him go
:0046087A FF248581084600 jmp dword ptr [4*eax+00460881] ; This should be clear
; it's the TABLE JUMP
The_table:
:00460881 4C0A4600 DWORD 00460A4C ; don't show anything?
:00460885 BD094600 DWORD 004609BD ; show name, company, ...
:00460889 99084600 DWORD 00460899 ; Evaluation version with some days left
:0046088D F9084600 DWORD 004608F9 ; EXTENDED Evaluation version, days left
:00460891 8B094600 DWORD 0046098B ; Evaluation period over
:00460895 59094600 DWORD 00460959 ; EXTENDED Evaluation period over
Now, scroll up again until you see this:
* Referenced by a Jump at Address:0046079A(C)
:00460801 55 push ebp
* Possible StringData Ref from Code Obj ->"HTMLed Pro32"
:00460823 BA840A4600 mov edx, 00460A84
* Possible StringData Ref from Code Obj ->"Version 2.0d"
:00460833 BA9C0A4600 mov edx, 00460A9C
Here the whole thing starts, the program shows its version
number and information about when it expires.
The code is called from 46079A, so have a look at it, too:
:00460793 6F outsd "ormCreate"
:00460794 726D jb 00460803
:00460796 43 inc ebx
:00460797 7265 jb 004607FE
:00460799 61 popad
:0046079A 7465 je 00460801
:0046079C 1500280E46 adc eax, 460E2800
:004607A1 000E add byte ptr [esi], cl
:004607A3 52 push edx
:004607A4 656742 inc edx
:004607A7 7574 jne 0046081D "uttonClick[HT]TAbo"
:004607A9 746F je 0046081A
:004607AB 6E outsb
:004607AC 43 inc ebx
:004607AD 6C insb
:004607AE 69636B09544162 imul esp, dword ptr [ebx+6B], 62415409
:004607B5 6F outsd
So THIS looks really weird! outsd? popad? imul esp whatever?
I don't think this code gets ever executed, do you?
Let's look at it in HIEW: Ahah! at 460792, you'll see
"FormCreate".
In fact you have here some CODE HARDWIRED property values
Let's have some Constructive Destruction Cracking
Hm... replace the ASCII characters
"Formcreate"
with "CreateTHIS" :-)
Now let's start the target, you'll see:
"Error reading AboutBox.OnCreate: Invalid property value."
Funny, isn't it? :-)
Press OK and HTMLed Pro32 2.0d works anyway.
But I don't like this error box, so let's do a bpx messageboxa
in order to get rid of it.
Trace a little bit around and you'll come to this call:
:00425D86 A128A64A00 mov eax, dword ptr [004AA628]
:00425D8B E8481E0000 call 00427BD8 ; <---- causes the messagebox
:00425D90 E89FD6FDFF call 00403434
Replace it with
:0042518B: 50 push eax
:0042518C: 33C0 xor eax,eax
:0042518E: 48 dec eax
:0042518F: 58 pop eax
or with anything else you want to do to the dummy ax between push and pop,
this is a very useful "nopping" technique as well if you don't want to
calculate a short jump :)
Start the target... and it works!
What do we learn with this lesson?
1.) It isn't always necessary to find the protection scheme.
2.) Destruction can be good if it's done at the right time and place .
3.) A little introduction to jump tables.
3.) How to crack another program.
4.) Don't press Help - About in htmled :-)
And don't criticize my English, how should I learn it
perfectly in 14 Years?? :-)
I wont even bother explaining you
that you should BUY this target program if you intend to use it for a longer
period than the allowed one. Should you want
to STEAL this software instead, you don't need to crack its protection
scheme at all: you'll
find it on most Warez sites, complete and already regged, farewell.
You are deep inside fravia's page of reverse engineering,
choose your way out:
BAck to the Student page
homepage
links
anonymity
+ORC
students' essays
academy database
tools
javascript wars
cocktails
antismut CGI-scripts
search_forms
mail_fravia+
Is reverse engineering legal?