OK, after finishing the setup, let's take a look at our target and run it. A nasty message box pops up, telling us that we are running a shareware version of the program (as if we didn't know) and that we should send the registration fee to the company if we decide to keep using it... We have two buttons: 'YES' and 'NO'. If we press 'NO' we are immediately thrown out of the program, and if we choose 'YES' we are rewarded with another message box (a disclaimer), again with two buttons (Yes/No). The result is the same as before: 'No' throws us out and 'Yes' lets us continue...
So let's get rid of these message boxes first:
Fire up SoftICE and set breakpoints (bpx) on e.g. MessageBoxA and DialogBoxParamA, plus whatever others you usually use....
Press [Ctrl-D] to get out of SoftICE and start TransMac.
You are immediately thrown back into SoftICE (yes, our nag is responsible for this! :)), so we press [F12] to return to TransMac's code, and we land here...
. . Some memory filling with nag screen text (encoded for now) . .

:00411C08 8D85D8FCFFFF    lea eax, dword ptr [ebp+FFFFFCD8]   <- eax points to the start of this text
:00411C0E 50              push eax                            <- store eax
:00411C0F 8D85D8FCFFFF    lea eax, dword ptr [ebp+FFFFFCD8]   <- point again
:00411C15 50              push eax                            <- and store again
:00411C16 E8754D0000      call 00416990                       <- this call decodes the nag text
:00411C1B 83C408          add esp, 00000008                   <- cleans up the two pushed arguments
:00411C1E 6A04            push 00000004                       <- uType = MB_YESNO
* Possible StringData Ref from Data Obj ->"TransMac"
                                  |
:00411C20 6810864200      push 00428610                       <- caption
:00411C25 8D85D8FCFFFF    lea eax, dword ptr [ebp+FFFFFCD8]   <- address of the (now decoded) nag text in eax...
:00411C2B 50              push eax                            <- text
:00411C2C 6A00            push 00000000                       <- hWnd = NULL
* Reference To: USER32.MessageBoxA, Ord:0188h      ****** HERE ******
                                  |
:00411C2E FF1530844300    Call dword ptr [00438430]           <- call the 1st message box
:00411C34 83F807          cmp eax, 00000007                   <- did the user press No? (7 = IDNO)
:00411C37 0F8505000000    jne 00411C42                        <- not No: ok, let him in
:00411C3D E950130000      jmp 00412F92                        <- No?! throw him out!!!
Press [F5] to return to TransMac and, after SoftICE pops up again, press [F12] to step out of the MessageBoxA routine...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411C37(C)
|
:00411C42 8D85DCFAFFFF    lea eax, dword ptr [ebp+FFFFFADC]   <-- Here it all happens again,
:00411C48 50              push eax                            <-- exactly the same way,
:00411C49 8D85DCFAFFFF    lea eax, dword ptr [ebp+FFFFFADC]   <-- just for the 2nd
:00411C4F 50              push eax                            <-- message box
:00411C50 E83B4D0000      call 00416990                       <-- decode the disclaimer text
:00411C55 83C408          add esp, 00000008
:00411C58 6A04            push 00000004                       <-- MB_YESNO
* Possible StringData Ref from Data Obj ->"TransMac Disclaimer"
                                  |
:00411C5A 68FC854200      push 004285FC
:00411C5F 8D85DCFAFFFF    lea eax, dword ptr [ebp+FFFFFADC]
:00411C65 50              push eax
:00411C66 6A00            push 00000000
* Reference To: USER32.MessageBoxA, Ord:0188h      *** WE LAND HERE ***
                                  |
:00411C68 FF1530844300    Call dword ptr [00438430]           <-- call the 2nd message box
:00411C6E 83F807          cmp eax, 00000007                   <-- AGREE?! (7 = IDNO)
:00411C71 0F8505000000    jne 00411C7C                        <-- ok, let him pass
:00411C77 E916130000      jmp 00412F92                        <-- DISAGREE?? get out!
But look at the next piece of code, immediately following the place where we landed....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411C71(C)
|
:00411C7C C7055481420000000000  mov dword ptr [00428154], 00000000   <- !!! clear the 'registered' flag (i.e. set shareware mode)
:00411C86 A154814200            mov eax, dword ptr [00428154]        <- and copy it
:00411C8B A350814200            mov dword ptr [00428150], eax        <- to some
:00411C90 A150814200            mov eax, dword ptr [00428150]        <- other
:00411C95 A34C814200            mov dword ptr [0042814C], eax        <- locations
:00411C9A B801000000            mov eax, 00000001                    <- eax = 1 so we can continue
:00411C9F E9F9150000            jmp 0041329D                         <- go on to the program...
So the crack is obvious, isn't it?
Instead of calling the string-decoding routine (CALL 00416990), we can jump straight over the message boxes:

:00411C16 E8754D0000    CALL 00416990   <--- change it to: JMP 00411C42
:00411C50 E83B4D0000    CALL 00416990   <--- change it to: JMP 00411C86

We could also patch only the first call:

:00411C16 E8754D0000    CALL 00416990   <--- change it to: JMP 00411C86

so we jump over both message boxes at once. But why are we jumping to 00411C86 instead of 00411C7C? Well, as you probably guessed, to bypass the MOV at 00411C7C that zeroes the flag at [00428154]; from 00411C86 on, the code just copies whatever is already in that location to the other two and continues with EAX = 1.

Two things to keep in mind when you apply this with a hex editor. A near CALL (E8 rel32) and a near JMP (E9 rel32) are both 5 bytes long, so the patch fits exactly and needs no NOP padding, but the rel32 displacement is relative to the address of the next instruction and must be recomputed for the new target (and note it is 0041xxxx, not 0031xxxx: the segment of the image is 00400000). Also, the jump skips the ADD ESP,8 that would have removed the two pushed arguments, so ESP is left 8 bytes low for the rest of this function; the function addresses its locals through EBP and presumably restores ESP from it on return, which is why this gets away with it, but it is exactly the kind of thing that makes this not a 'clean' crack.
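The displacement arithmetic above is easy to get wrong by hand, so here is a small patch builder, added here as an example and not part of the original tutorial. It takes the addresses and bytes from the listing, checks that the bytes really are the CALL 00416990 the listing shows, encodes the replacement JMP, and refuses to write into an image whose bytes do not match. The sample image at the end is constructed (0x90 filler with the two CALLs placed at their addresses); patching the real executable additionally needs the RVA-to-file-offset mapping from the PE section table, which is out of scope here.

```python
import struct

# Opcodes of the two 5-byte rel32 instructions involved in the patch.
CALL_NEAR = 0xE8   # E8 rel32
JMP_NEAR = 0xE9    # E9 rel32

# Routine the two original CALLs point at (from the listing).
DECODE_ROUTINE = 0x00416990


def rel32(insn_addr, target, insn_len=5):
    """Displacement of a rel32 instruction: relative to the *next* instruction."""
    return (target - (insn_addr + insn_len)) & 0xFFFFFFFF


def encode_call(insn_addr, target):
    return bytes([CALL_NEAR]) + struct.pack("<I", rel32(insn_addr, target))


def encode_jmp(insn_addr, target):
    return bytes([JMP_NEAR]) + struct.pack("<I", rel32(insn_addr, target))


def decode_target(insn_addr, insn):
    """Resolve where a 5-byte E8/E9 instruction located at insn_addr goes."""
    if len(insn) != 5 or insn[0] not in (CALL_NEAR, JMP_NEAR):
        raise ValueError("not a 5-byte near call/jmp")
    disp = struct.unpack("<i", insn[1:5])[0]
    return (insn_addr + 5 + disp) & 0xFFFFFFFF


# (address, original bytes from the listing, where we want to jump instead)
NAG_PATCHES = [
    (0x00411C16, bytes.fromhex("E8754D0000"), 0x00411C42),  # skip the 1st nag
    (0x00411C50, bytes.fromhex("E83B4D0000"), 0x00411C86),  # skip the 2nd nag and the flag reset
]


def build_patches(patches=NAG_PATCHES):
    """Turn each CALL in the list into a JMP to its new target, sanity-checking first."""
    out = []
    for addr, orig, target in patches:
        # The listing says both are CALL 00416990; bail out if the bytes say otherwise.
        if decode_target(addr, orig) != DECODE_ROUTINE:
            raise ValueError(f"{addr:08X}: bytes are not CALL {DECODE_ROUTINE:08X}")
        new = encode_jmp(addr, target)
        assert len(new) == len(orig)  # same size, nothing to NOP out
        out.append((addr, orig, new))
    return out


def apply_patches(image, image_base, patches):
    """Patch a bytes image mapped at image_base; refuse to touch bytes that don't match."""
    buf = bytearray(image)
    for addr, orig, new in patches:
        off = addr - image_base
        if buf[off:off + len(orig)] != orig:
            raise ValueError(f"{addr:08X}: original bytes not found (wrong file or offset?)")
        buf[off:off + len(new)] = new
    return bytes(buf)


def make_sample_image(base=0x00411C00, size=0x100):
    """Constructed stand-in for the code around the nag; NOT the real TransMac binary."""
    img = bytearray(b"\x90" * size)
    for addr, orig, _ in NAG_PATCHES:
        img[addr - base:addr - base + len(orig)] = orig
    return bytes(img)


if __name__ == "__main__":
    for addr, orig, new in build_patches():
        print(f"{addr:08X}: {orig.hex().upper()} -> {new.hex().upper()}"
              f"  (jmp {decode_target(addr, new):08X})")
    patched = apply_patches(make_sample_image(), 0x00411C00, build_patches())
    print("patched image ok:", decode_target(0x00411C16, patched[0x16:0x1B]) == 0x00411C42)
```

Running it reproduces the E8754D0000 encoding from the listing for the original CALL and prints E927000000 for the jump to 00411C42 and E931000000 for the jump to 00411C86; the mismatch check in apply_patches is the part worth keeping, since the most common way to brick a target is to write the right bytes at the wrong offset.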
So after we do all this, we run the program: there are no message boxes at startup, and we can copy subdirectories and sets of files that together exceed 1.4 MB, BUT (well, I was surprised when I noticed this) we can't copy a single file larger than 1,474,560 bytes....
Hmmm....
Let's think for a while...
If the program doesn't check the total size of all the files we want to copy, then it must be comparing the size of every single file against the 1.4 MB limit. So somewhere in the program there must be a compare (actually there are two).
So let's bpx on DialogBoxParamA again and fire up TransMac once more...
Select the file to copy and press the 'Copy Files' icon, and we are thrown into SoftICE again.. Press [F12] and the copy dialog pops up... Now press OK and we are back in SoftICE...
Here we land if we choose to copy from PC to Mac:
* Reference To: USER32.DialogBoxParamA, Ord:008Ah
                                  |
:00413455 FF15A4844300    Call dword ptr [004384A4]
:0041345B 8945EC          mov dword ptr [ebp-14], eax
:0041345E 837DEC00        cmp dword ptr [ebp-14], 00000000
:00413462 0F8507000000    jne 0041346F
:00413468 33C0            xor eax, eax
:0041346A E993050000      jmp 00413A02

and here we land if we choose to copy from Mac to PC:

* Reference To: USER32.DialogBoxParamA, Ord:008Ah
                                  |
:00413E95 FF15A4844300    Call dword ptr [004384A4]
:00413E9B 8945EC          mov dword ptr [ebp-14], eax
:00413E9E 837DEC00        cmp dword ptr [ebp-14], 00000000
:00413EA2 0F8507000000    jne 00413EAF
:00413EA8 33C0            xor eax, eax
:00413EAA E948070000      jmp 004145F7
A little further on, in each of the two copy routines, we find the compare. The constant 168000h is 1,474,560 = 1440 x 1024 bytes, i.e. exactly the capacity of a 1.44 MB floppy, so the shareware limit is 'one floppy per file'. Note the direction of the JBE: it is taken when the size is at or below the limit and the copy goes on; a larger file falls through into the code that pushes 185h and complains.

COPY PC to MAC:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0041353F(C), :0041354E(C), :004135A6(C)
|
:004135B1 A152AD4200      mov eax, dword ptr [0042AD52]
:004135B6 8B4DE4          mov ecx, dword ptr [ebp-1C]
:004135B9 8B0488          mov eax, dword ptr [eax+4*ecx]      <- pointer to the selected file's record
:004135BC 813800801600    cmp dword ptr [eax], 00168000       *** HERE *** (168000h = 1,474,560)
:004135C2 0F8644000000    jbe 0041360C                        <- file fits: carry on
:004135C8 8B45E4          mov eax, dword ptr [ebp-1C]         <- file is larger: bugger off!
:004135CB 50              push eax
:004135CC 6A00            push 00000000
:004135CE 6885010000      push 00000185
:004135D3 8B45F4          mov eax, dword ptr [ebp-0C]
:004135D6 50              push eax

COPY MAC to PC:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00413F69(C), :00414010(C), :00414072(C)
|
:0041407D A13CAD4200      mov eax, dword ptr [0042AD3C]
:00414082 8B4D94          mov ecx, dword ptr [ebp-6C]
:00414085 8B0488          mov eax, dword ptr [eax+4*ecx]      <- record of the selected file
:00414088 8B4004          mov eax, dword ptr [eax+04]         <- first size field
:0041408B 8B0D3CAD4200    mov ecx, dword ptr [0042AD3C]
:00414091 8B5594          mov edx, dword ptr [ebp-6C]
:00414094 8B0C91          mov ecx, dword ptr [ecx+4*edx]      <- same record again
:00414097 034108          add eax, dword ptr [ecx+08]         <- plus a second size field (presumably data + resource fork)
:0041409A 3D00801600      cmp eax, 00168000                   *** HERE!!! ***
:0041409F 0F8644000000    jbe 004140E9                        <- total fits: carry on
:004140A5 8B4594          mov eax, dword ptr [ebp-6C]         <- bugger off if the total is > 1.4 MB
:004140A8 50              push eax
:004140A9 6A00            push 00000000
:004140AB 6885010000      push 00000185
:004140B0 8B45F4          mov eax, dword ptr [ebp-0C]
:004140B3 50              push eax
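The tutorial stops at locating the two compares and leaves the patch to the reader. The following is an added example, not the author's code, that decodes the two JBE instructions from the listing to confirm which address each path ends up at for a given file size, and then shows the usual way of neutralising such a check: rewriting the 6-byte 0F 86 rel32 into 90 E9 rel32 (a NOP followed by an unconditional JMP). Because the E9 then sits one byte later and is one byte shorter, the next-instruction address is unchanged and the original rel32 can be kept as is. The compare at 0041409A adds two fields before comparing, so the size passed in for that routine is the sum; the byte strings are taken from the listing, the file sizes are made up for the demonstration.

```python
import struct

LIMIT = 0x168000   # 1,474,560 bytes = 1440 KiB = one 1.44 MB floppy


def decode_jcc_target(insn_addr, insn):
    """Target of a 6-byte near conditional jump (0F 80..8F rel32) located at insn_addr."""
    if len(insn) != 6 or insn[0] != 0x0F or not (0x80 <= insn[1] <= 0x8F):
        raise ValueError("not a near Jcc rel32")
    disp = struct.unpack("<i", insn[2:6])[0]
    return (insn_addr + 6 + disp) & 0xFFFFFFFF


def size_check_path(size, jbe_addr, jbe_bytes):
    """Address executed after `cmp size, 168000h / jbe target`.

    JBE is taken when the unsigned comparison says size <= LIMIT (the copy proceeds);
    otherwise execution falls through to the instruction after the 6-byte jump.
    """
    if jbe_bytes[1] != 0x86:
        raise ValueError("expected JBE (0F 86)")
    taken = size <= LIMIT
    return decode_jcc_target(jbe_addr, jbe_bytes) if taken else jbe_addr + 6


def force_jcc_always(insn):
    """Rewrite 0F 8x rel32 as 90 E9 rel32: same length, same displacement, branch always taken."""
    if len(insn) != 6 or insn[0] != 0x0F or not (0x80 <= insn[1] <= 0x8F):
        raise ValueError("not a near Jcc rel32")
    return b"\x90\xE9" + insn[2:6]


def decode_forced_target(insn_addr, forced):
    """Where the rewritten NOP+JMP pair ends up, to confirm the target was preserved."""
    if forced[:2] != b"\x90\xE9":
        raise ValueError("not a NOP + JMP rel32 pair")
    disp = struct.unpack("<i", forced[2:6])[0]
    # The E9 starts at insn_addr+1 and is 5 bytes long, so "next instruction" is still insn_addr+6.
    return (insn_addr + 1 + 5 + disp) & 0xFFFFFFFF


# The two checks from the listing: (address of the JBE, its bytes).
PC_TO_MAC = (0x004135C2, bytes.fromhex("0F8644000000"))
MAC_TO_PC = (0x0041409F, bytes.fromhex("0F8644000000"))


if __name__ == "__main__":
    for name, (addr, insn) in (("PC->Mac", PC_TO_MAC), ("Mac->PC", MAC_TO_PC)):
        print(f"{name}: jbe at {addr:08X} -> {decode_jcc_target(addr, insn):08X}")
        for size in (LIMIT, LIMIT + 1):   # made-up sizes on either side of the limit
            print(f"  size {size:>8}: continues at {size_check_path(size, addr, insn):08X}")
        forced = force_jcc_always(insn)
        print(f"  patch {insn.hex().upper()} -> {forced.hex().upper()},"
              f" always jumps to {decode_forced_target(addr, forced):08X}")
```

For the Mac->PC routine, pass the sum of the two fields it adds before the compare; the decision logic is identical. Whether you prefer this 90 E9 rewrite or changing the constant is a matter of taste, which is the 'do it YOUR WAY' the author leaves you with.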
So that's all....
I didn't spend much time explaining how to crack this, because it's very, very easy, and the way I did it isn't quite a 'clean crack' like +ORC taught us, so experiment and do it YOUR WAY!
Copyright © MiB 1997. All rights reversed.