Cracking Tutorial for My PhoneBook 3.53
First of all I'd like to tell you that I will use a style that differs a bit from my other tutorials, which you can find at learn2crk.cjb.net ... I try to show you how to feel your way through the code (I don't know if it's understandable ... but at least I do hope so).

On the download page we already saw the following info about the protection:

    You only get to record 6 entries per group with a maximum number of 3 groups. That's a total of 18 entries.

So our target has somehow been limited in its functionality ... that's what we call 'crippled'. Knowing the exact protection of the target, we can then go on analyzing and cracking it.

So create 6 entries in the current group. Now watch what happens as you try to add a 7th entry:

    Only 6 entries allowed per group in the shareware version. Please register the program.

The displayed message box looks like a standard message box, so a BPX MessageBoxA will work. So set the necessary BPX and try adding a new entry again. You'll find yourself in SoftICE:

    :00456A2E FF1520944600    CALL [USER32!MessageBoxA]
    :00456A34 5E              POP ESI
    :00456A35 C20C00          RET 000C

OK. Now return from that CALL ... the following code snippet is displayed:

    :0040F400 E801760400      CALL 00456A06
    ...
    ...
    ...
    :0040F413 C3              RET

This is still not the location we're interested in, so press F10 until the RET instruction at 40F413 is executed. Then the following code snippet will be displayed:

    :00457F0E EB7F            JMP 00457F8F
    ...
    ...
    ...
    :00457F8F 8BC3            MOV EAX,EBX
    :00457F91 5E              POP ESI
    :00457F92 5B              POP EBX
    :00457F93 5D              POP EBP
    :00457F94 C21C00          RET 001C

This is still not something we're interested in, so once more press F10 until the RET instruction at 457F94 is executed. Now the following code snippet will be displayed:

    :00458096 E8F5FDFFFF      CALL 00457E90
    :0045809B EB02            JMP 0045809F

Looking above this code snippet, there seems to be no check of how many entries have been entered ... so let's set a BPX at 458096, where the message box has not been created yet, and restart the 'Entry Adding Process'. SoftICE will pop up again. Now it's time for some tracing. So enter the CALL with F8 and trace the code till you find suspicious instructions like CMP, JG, JB, ... After some tracing (~19 F10's) you will have found the following code snippet:

    :0040F226 83F806          CMP EAX,06
    :0040F229 0F8DC3010000    JGE 0040F3F2

It can't be that simple ... can it? Yes. We actually found the location for our first patch. So write down the memory address (for later use with Iczelion's awesome Address to Offset Utility) ... or just write down the offset F229h. Now to patch it we simply have to change it so that it doesn't matter how many entries we have added ... so we have to disable the check. This can be done in several ways. One of those ways is replacing

    JGE 0040F3F2    (0F8DC3010000)

with

    INC EAX         (404840484048)
    DEC EAX
    INC EAX
    DEC EAX
    INC EAX
    DEC EAX

So patch this now in memory using SoftICE's 'Assemble code' command. After patching, check whether it works ... and as you might have assumed already, IT DOES.

So now we just have to disable the GROUP LIMITATION. You need to create 2 groups of course before you can try to create a third one, which will produce the following error message:

    Only 3 groups allowed in the shareware version. Please register the program.

Using the same method as above will lead you to the following code snippet:

    :00412BF8 83BEB009000003  CMP DWORD PTR [ESI+000009B0],03
    :00412BFF 0F8D05020000    JGE 00412E0A

This is the second limitation in our shareware program. After patching it in memory you'll find out that everything works flawlessly now. Now use a hex editor, like Hacker's View (also known as HIEW), and patch the offsets F229h and 12BFFh. To also remove the '(SHAREWARE)' text in the title bar ... just perform an ASCII search and replace it with 202D200000000000000000.

Another target has been Reverse Engineered.
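Both limits above are a bare CMP followed by a JGE, which is why a six-byte overwrite is enough to disable them and why a vendor or incident responder can find such a patch by diffing a known-good copy of the binary. The Python below is an added example, not part of TORN@DO's tutorial: it decodes the 0F 8D rel32 encoding to confirm where each JGE goes, maps between virtual addresses and file offsets as an address-to-offset utility does, and reports every changed byte run between a clean and a modified image. The image base 0x400000 and a single-section table whose raw pointer equals its RVA are assumptions chosen so that 0040F229 maps to F229h as the text states; the sample image is constructed.

```python
import struct
IMAGE_BASE = 0x400000  # typical Win32 image base; assumed for this target
# Section table (RVA, raw pointer, raw size), constructed so VA 0040F229 <-> offset F229h.
SECTIONS = [(0x1000, 0x1000, 0x20000)]

def jcc_target(va, code):
    """Decode a near Jcc (0F 8x rel32) at VA; rel32 counts from the instruction's end."""
    if len(code) < 6 or code[0] != 0x0F or not 0x80 <= code[1] <= 0x8F:
        return None
    return va + 6 + struct.unpack("<i", bytes(code[2:6]))[0]

def va_to_offset(va):
    """Virtual address -> raw file offset (what an address-to-offset tool does)."""
    rva = va - IMAGE_BASE
    for sec_rva, raw_ptr, raw_size in SECTIONS:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError("VA %#x is not backed by file data" % va)

def offset_to_va(off):
    """Raw file offset -> virtual address (inverse of va_to_offset)."""
    for sec_rva, raw_ptr, raw_size in SECTIONS:
        if raw_ptr <= off < raw_ptr + raw_size:
            return IMAGE_BASE + sec_rva + (off - raw_ptr)
    raise ValueError("offset %#x is outside every section" % off)

def find_patches(original, modified):
    """Diff clean vs suspect image: (offset, VA, old, new, Jcc target of old bytes or None)."""
    hits, i, n = [], 0, min(len(original), len(modified))
    while i < n:
        if original[i] == modified[i]:
            i += 1
            continue
        j = i
        while j < n and original[j] != modified[j]:  # extend over the changed run
            j += 1
        va = offset_to_va(i)
        hits.append((i, va, original[i:j], modified[i:j], jcc_target(va, original[i:i + 6])))
        i = j
    return hits

def build_sample():
    """Constructed image: INT3 filler with the two JGE checks at F229h/12BFFh, plus a patched copy."""
    clean = bytearray(b"\xCC" * 0x21000)
    clean[0xF229:0xF22F] = bytes.fromhex("0F8DC3010000")    # JGE 0040F3F2 (entry limit)
    clean[0x12BFF:0x12C05] = bytes.fromhex("0F8D05020000")  # JGE 00412E0A (group limit)
    patched = bytearray(clean)
    for off in (0xF229, 0x12BFF):
        patched[off:off + 6] = bytes.fromhex("404840484048")  # INC EAX/DEC EAX x3
    return bytes(clean), bytes(patched)
```

A real investigation would read the section table from the PE headers instead of the constructed SECTIONS entry, and would follow up each reported run with a disassembler to confirm what was removed.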
Copyright © 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.