Cracking Ading FontManager v1.25, Made by ufk. updated in 03/06/99
------------------------------------------------------------------

First of all I want to say a big thank you to Iczelion (iczelion.cjb.net),
because he taught me how to crack it, and without him I wouldn't be
writing this tutorial.
And of course to ytc, who filled some holes that Iczelion left.
You both kick ass!

I'm sure this tutorial will work for every version of FontManager,
but the numbers and stuff will be different :)

Secondly.. it's my first tutorial! So bear with me here :D
If you want to comment, feel free to e-mail me at ufk@hotmail.com.

What's Edit Font? Edit Font is a program to make fonts out of BMPs
(as far as I know). You can get it at http://members.xoom.com/AD_ing/

The protection of Ading Font doesn't look like such a big deal. When you
run the program, in Options there is a disabled text window; the text
inside says "UNREGISTERED VERSION". So when you go to "Installed Fonts"
the sample text is "UNREGISTERED VERSION". It's annoying and I want to
enable that window. How can we do that?

For that you need several programs: SoftICE, ProcDump32, Hacker's View
and Customiser, which you can find in Iczelion's tools link.
And a Win32 API reference guide, which you can find on his page under
"Assembly Language Programming" -> References. Of course you don't need
it if you already have a book or a very good memory.


First of all we'll use Customiser. Why, you ask? With Customiser you
can enable/disable windows (you can do a lot more, but that's what we
want right now). So I want to enable the text window and check if it
works and there isn't any other protection. OK, so run Customiser and
press on "Edit Window", then on "Enable" and on "ON". (Of course, before
that your Ading Font program needs to be running with the Options
section open.) Now, if you have a lot of windows in the background it's
a drag, because when a program is minimized it's actually just hidden.
Now move your pointer to our text window, and when you see that it gets
marked, click the mouse. After that go to the "OFF" button in Customiser
and press on it. Now what do you say! We can write some other things
in it! Now go to Installed Fonts and see if it's working. Yep! It is!

OK, now we want to know what the programmer used to build this program.
You can use the Windows Quick View to find some DLLs and stuff, but
trust me... you won't see anything new, meaning he didn't use Visual
Basic. Now let me teach you some new stuff... or old :)
If most of the class names in the program start with a T, then it was
made with Delphi. And when you run Customiser and choose which window
you want to change, you get to see their class names. Try that. Our
text window's class name is TEdit and its parent is TGroupBox. Yay! It
was made with Delphi.

Now a tip I learned about Delphi..
It puts a routine in your exe file to create windows, and it uses the
same routine each time to create any kind of window. That's nice, eh?
Now.. to create windows you have 2 Win32 API calls: CreateWindow and
CreateWindowEx. Now, if you add an A to the name it's the 32-bit
function; without it it's the 16-bit one. OK, so to make it easier for
you, Delphi uses CreateWindowExA. You can just set breakpoints in
SoftICE on both, but.. I want to save time :) Now, if you set a
breakpoint on CreateWindowExA while the program starts you'll never be
done with it.. too many breaks. So wait for the program to load; it
doesn't create the Options windows at startup anyway. OK, is the
program running? Good boy :)
Now set a breakpoint on CreateWindowExA. Now how will we know which
call is for our window? Look at the Win32 Programmer's Reference.
In assembler, to call a Win32 API function you push its parameters;
each parameter is a 32-bit value, and they are pushed from right to
left (meaning the first parameter of the function gets pushed last).
So the window name, which is the 3rd parameter, is the text that
actually gets displayed. OK, now after you set the breakpoint go to
Options. BOOM, it breaks! :) Now press F11 and look for the 3rd PUSH
from the last. See it? Now disable the CreateWindowExA breakpoint and
set a breakpoint on that PUSH, because we want to know when this
parameter is a pointer to the "UNREGISTERED VERSION" string.
Now wait a sec.. we're breaking on a part of the program now, right?
But as I told you, Delphi uses the same routine for each window it
creates. To save us all some time: the 6th break is the one we need,
meaning we need to press F5 (or X) 5 times :)
Now how do we know that's the one? The line is
41ED7E 50        PUSH EAX

now copy all of the bytes of this section so you'll be able to find
it afterwards with an hex editor.

8B 43 04	MOV EAX, [EBX+04]
50		PUSH EAX
8B 03		MOV EAX, [EBX]
50		PUSH EAX

So type "d eax" in SoftICE and you'll see "UNREGISTERED VERSION".
Yay! Next.
Now, the window is disabled when it's created, meaning that the style
(which is the 4th parameter) has the WS_DISABLED bit set.

WS_DISABLED	Creates a window that is initially disabled. 
                A disabled window cannot receive input from the user.

OK, so the WS_DISABLED bit is 0000 1000 0000 0000 0000 0000 0000 0000b.
That's the one! :D You can find it in the C headers and such.
Now what we need to do is AND the whole style parameter with
1111 0111 1111 1111 1111 1111 1111 1111b (and eax,f7ffffff).
Why? Because then, whenever the program tries to create a window, the
WS_DISABLED bit will always be off. I don't see any other option that
uses it anyway. So how can we do that?
Welp.. first we need to search for some free space in the code section.
What? Where? I'll explain :)

OK, now you need to run ProcDump for that. Run it.. I'm waiting..
la la la la la.. OK. Now, exactly what ProcDump does and stuff..
I dunno yet! :D I'll be sure to update this tutorial when I cover
that part. OK, now press on "PE Editor". PE is the Windows executable
file format. Now go to our nice little program and press on fm.exe.
OK, now you see lots of stuff.. what are those? Who knows? Who cares? :D
Now press on the "Sections" button and look at the CODE section.

Name Virtual_Size Virtual_Offset Raw_Size Raw_offset Characteristics

CODE 00076560     00001000       00076600 00000400   60000020

Virtual offset is the one in memory;
raw offset is the physical one in the file.
Now, if the virtual offset starts at 1000, how come in SoftICE and such
we see 400000 and long numbers like that? Well, good thing you asked!
Welp, the answer is that there's an image base too, and that is a
PREFERRED loading address for the program to be mapped in the address
space. Remember, PREFERRED, meaning that it can change under certain
circumstances.
OK, now.. the Raw_Size is the number of bytes the code section takes in
the file. The Virtual_Size is how many bytes of it are actually code.
That means there is some free space in the code section!
76600-76560=A0h, meaning 160 bytes.
Why is there free space?? I don't know yet :D hehe
OK, but who cares.. we have free space. And we know the code section
starts at 400h (Raw_offset), so Raw_offset+Virtual_Size gives us where
the free space is, and we can place our code there :D
400+76560=76960
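Here is an added example (my own Python, not from the tutorial or from ProcDump) that does the section-table arithmetic above by hand: slack = Raw_Size - Virtual_Size, where that slack starts in the file, and the SoftICE-address <-> Hiew-offset conversion through the image base (assumed to be the Win32 default 400000h, which is what makes the 41EDxx addresses come out). It also parses a real section table out of PE bytes and reports, per section, whether the slack holds anything but zeros, which is the check you would run on a binary to spot a patch like the one this tutorial ends with. The fm.exe numbers are the ones from the table above; the tiny PE that `build_test_pe` produces is constructed here and is not a real program.

```python
import struct

# Section-table values copied from the tutorial's ProcDump listing for fm.exe's CODE section.
CODE_SECTION = {
    "name": b"CODE",
    "virtual_size": 0x76560,
    "virtual_address": 0x1000,
    "raw_size": 0x76600,
    "raw_offset": 0x400,
    "characteristics": 0x60000020,
}
# Assumed: the preferred image base (0x400000 is the Win32 default and matches the 41EDxx addresses).
IMAGE_BASE = 0x400000

SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes


def section_slack(sec):
    """Bytes at the end of the raw section data that hold no code: Raw_Size - Virtual_Size."""
    return max(0, sec["raw_size"] - sec["virtual_size"])


def slack_file_offset(sec):
    """File offset where that free space starts: Raw_offset + Virtual_Size."""
    return sec["raw_offset"] + sec["virtual_size"]


def va_to_file_offset(va, sec, image_base=IMAGE_BASE):
    """SoftICE-style virtual address -> Hiew-style file offset, through one section."""
    rva = va - image_base
    if not sec["virtual_address"] <= rva < sec["virtual_address"] + sec["raw_size"]:
        raise ValueError("address 0x%X is not inside section %r" % (va, sec["name"]))
    return rva - sec["virtual_address"] + sec["raw_offset"]


def file_offset_to_va(off, sec, image_base=IMAGE_BASE):
    """The inverse mapping: file offset -> virtual address."""
    if not sec["raw_offset"] <= off < sec["raw_offset"] + sec["raw_size"]:
        raise ValueError("offset 0x%X is not inside section %r" % (off, sec["name"]))
    return off - sec["raw_offset"] + sec["virtual_address"] + image_base


def parse_sections(pe):
    """Read the image base and the section table from raw PE32 bytes (what ProcDump's PE editor shows)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]        # COFF SizeOfOptionalHeader
    image_base = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)[0] # PE32 optional header ImageBase
    table = e_lfanew + 24 + opt_size                                 # section table follows the optional header
    sections = []
    for i in range(nsections):
        name, vsize, va, rsize, rptr, _, _, _, _, chars = struct.unpack_from(SECTION_HEADER, pe, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0"), "virtual_size": vsize, "virtual_address": va,
                         "raw_size": rsize, "raw_offset": rptr, "characteristics": chars})
    return image_base, sections


def slack_report(pe):
    """Per section: (name, slack bytes, file offset of the slack, True if any slack byte is non-zero)."""
    _, sections = parse_sections(pe)
    report = []
    for sec in sections:
        start, size = slack_file_offset(sec), section_slack(sec)
        report.append((sec["name"], size, start, any(pe[start:start + size])))
    return report


def build_test_pe(code, raw_size, raw_offset=0x200):
    """Constructed minimal PE32 with one CODE section: enough headers for parse_sections, not loadable."""
    e_lfanew = 0x40
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    opt_size = 0x60
    # Machine=i386, 1 section, no timestamp/symbols, optional header size, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    optional = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", IMAGE_BASE)
    optional += b"\0" * (opt_size - len(optional))
    section = struct.pack(SECTION_HEADER, b"CODE", len(code), 0x1000, raw_size, raw_offset, 0, 0, 0, 0, 0x60000020)
    headers = dos + b"PE\0\0" + coff + optional + section
    return headers + b"\0" * (raw_offset - len(headers)) + code.ljust(raw_size, b"\0")


if __name__ == "__main__":
    print("fm.exe CODE slack: %Xh bytes at file offset %Xh" % (section_slack(CODE_SECTION), slack_file_offset(CODE_SECTION)))
    print("VA 41ED7E -> file offset %Xh" % va_to_file_offset(0x41ED7E, CODE_SECTION))
    clean = build_test_pe(b"\xC3" * 0x30, 0x80)
    print("constructed PE:", slack_report(clean))
```

The slack check is deliberately crude: a linker normally zero-fills the tail of a section, so non-zero bytes there are worth a look, but a clean build can also leave padding that is not zero, so treat a hit as a lead, not proof.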

Now, I'm using Hacker's View to crack that damn thing :D so run
Hacker's View on that exe file (of course you can use another hex editor).
OK, so now jump with F5 to 76960h. And voilà! A bunch of zeros. If you
go a few bytes up you'll see the code :) because yep.. this is where the
code section ends. Now remember! We want to AND EAX with F7FFFFFFh.
So we need to make the program jump here, do the AND, and jump back.
Now search for the hex values of the push section..
ahm.. you know..

8B 43 04	MOV EAX, [EBX+04]
50		PUSH EAX
8B 03		MOV EAX, [EBX]
50		PUSH EAX

Now search for 8B,43,04,50,8B,03,50.
You'll get several matches, so keep going till you see the address
41ED7E. This is our push address. Now we need to find the push of the
window style; it's right before our PUSH of the "UNREGISTERED VERSION"
pointer:

1E17B 50	PUSH EAX

so we wanna change that line to JMP 76960h

0001E17B E9 E0 87 05 00		JMP 000076960


Write down the bytes that we're going to change and their instructions,
meaning:

41ED7B 50	 PUSH EAX
41ED7C 8B 03	 MOV  EAX, [EBX]
41ED7E 50	 PUSH EAX
41ED7F 8D 43 4C  LEA EAX, [EBX+4C]

That's more than 5 bytes, but the 5th byte is in the middle of an asm
instruction, so we write down the entire instruction as well.
Now we need to remember that after the code we change, it needs to jump
back to 1E182h, because that's the next instruction :)

0001E182 50	PUSH EAX

Of course, don't forget to add 2 NOPs, because we're breaking an
instruction and it would be a mess. We're changing "LEA EAX, [EBX+4C]";
we're taking one byte from it, so we have 2 left. NOP them out with 90h.
The "NOP" instruction in asm means do nothing.
OK, now that we've got all the info and have changed those instructions
to the JMP I wanted, jump with Hiew to 76960h.
Now add in there:
25 FF FF FF F7	AND EAX, 0F7FFFFFF
50		PUSH EAX
8B 03		MOV EAX, [EBX]
50		PUSH EAX
8D 43 4C	LEA EAX, [EBX+4C]
E9 11 78 FA FF	JMP 00001E182
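An added example (my own Python, not the tutorial's) for the jump arithmetic: an E9 displacement is the target minus the address right after the 5-byte instruction, so both jumps above can be checked instead of hand-computed, and the "5 bytes cut into the LEA, so 2 NOPs" rule falls out of the instruction lengths. The last function does the reverse, what a disassembler does when it resolves a jump, and flags a jump whose target sits in the section's slack, which is how an analyst spots a code-cave patch like this one in a binary. The offsets, bytes and section values are the tutorial's; the function names are mine.

```python
import struct

JMP_REL32 = 0xE9   # opcode of the 5-byte near jump used for both hops
JMP_LEN = 5
NOP = 0x90

# CODE section values from the tutorial's ProcDump listing (file offsets, as Hiew shows them).
CODE_SECTION = {"virtual_size": 0x76560, "raw_size": 0x76600, "raw_offset": 0x400}


def encode_jmp_rel32(src, dst):
    """Bytes of 'JMP dst' assembled at src; the displacement counts from the end of the instruction."""
    return bytes([JMP_REL32]) + struct.pack("<i", dst - (src + JMP_LEN))


def decode_jmp_rel32(code, src):
    """Resolve where an E9 jump found at src lands (the target a disassembler would show)."""
    if code[0] != JMP_REL32:
        raise ValueError("not an E9 jump")
    return src + JMP_LEN + struct.unpack_from("<i", code, 1)[0]


def instructions_to_displace(lengths, overwrite_len=JMP_LEN):
    """(whole instructions a 5-byte overwrite cuts into, NOPs needed to fill the rest of the last one)."""
    covered = 0
    for count, length in enumerate(lengths, 1):
        covered += length
        if covered >= overwrite_len:
            return count, covered - overwrite_len
    raise ValueError("not enough instructions listed")


def build_detour(site_off, site_instructions, cave_off, prologue):
    """Return (bytes at the patch site, bytes in the cave) for a hop to the cave and back."""
    count, pad = instructions_to_displace([len(i) for i in site_instructions])
    displaced = b"".join(site_instructions[:count])            # instructions moved into the cave
    site_patch = encode_jmp_rel32(site_off, cave_off) + bytes([NOP]) * pad
    cave_body = prologue + displaced
    back_jmp = encode_jmp_rel32(cave_off + len(cave_body), site_off + len(displaced))
    return site_patch, cave_body + back_jmp


def jump_lands_in_slack(code, src, sec):
    """True if the jump's target is in the section's unused tail: a typical sign of a code-cave patch."""
    target = decode_jmp_rel32(code, src)
    slack_start = sec["raw_offset"] + sec["virtual_size"]
    slack_end = sec["raw_offset"] + sec["raw_size"]
    return slack_start <= target < slack_end


# The tutorial's patch site at file offset 1E17Bh, instruction by instruction.
SITE_OFF = 0x1E17B
SITE_INSTRUCTIONS = [
    b"\x50",           # PUSH EAX          (window style)
    b"\x8B\x03",       # MOV EAX, [EBX]    (window name)
    b"\x50",           # PUSH EAX
    b"\x8D\x43\x4C",   # LEA EAX, [EBX+4C]
]
CAVE_OFF = 0x76960
AND_EAX_F7FFFFFF = b"\x25\xFF\xFF\xFF\xF7"   # clears the WS_DISABLED bit (08000000h)

if __name__ == "__main__":
    site, cave = build_detour(SITE_OFF, SITE_INSTRUCTIONS, CAVE_OFF, AND_EAX_F7FFFFFF)
    print("site  %05X:" % SITE_OFF, site.hex(" ").upper())
    print("cave  %05X:" % CAVE_OFF, cave.hex(" ").upper())
    print("site jump lands in slack:", jump_lands_in_slack(site, SITE_OFF, CODE_SECTION))
```

Run stand-alone it prints the same bytes the tutorial lists for 1E17Bh and 76960h; if the displacement arithmetic were off by one anywhere, the back-jump would land inside an instruction instead of on the PUSH at 1E182h, which is exactly the kind of slip the assertions catch.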

Save the file and voilà!
Of course, if you want to change the UNREGISTERED VERSION string that
appears at first, just do a binary search and change it :)
If you have any questions or suggestions, e-mail me at ufk@hotmail.com
or ICQ: 1416041. I'm in the army so I won't be home much, but I'll try
to answer as quickly as I can.