These days every computer user should have an antivirus program. Although this target isn't the best, I'd like to show newbies that they can crack it with ease. I recommend that all crackers read the Cracker's Notes, because, as I explained in the previous tutorials, the basics are in there. So before we begin, get the Notes and read them so that you have the basics ... then we start with
Step 1
Open GUARDDOG.EXE in W32DASM and look at the String References for interesting strings. I found the following interesting:
"GD32.EXE"
"GDTNB.DLL"
"VCheck32.EXE"
"VerifyTryAndBuy"
It can't be that easy, can it? I've seen this "VerifyTryAndBuy" function before, in UnInstaller 4.51 from the same company. Are they really so stupid as to put such a function into their programs? In UnInstaller 4.51 they were stupid, but not too stupid, because they used the special character trick - but I used the INT 3 trick to crack that target :-). In UnInstaller 4.51 the VerifyTryAndBuy function was in a file called UNITNB.DLL, so let's look at the exports of GDTNB.DLL. I found the following interesting:
So they are even more stupid than in UnInstaller 4.51, because they didn't use the special character trick here. So our work is easily done: we just have to set a breakpoint on VerifyTryAndBuy. So we'll continue with
Step 2
Disassemble GDTNB.DLL and go to the VerifyTryAndBuy function. You will get the following:

Exported fn(): VerifyTryAndBuy - Ord:0002h

:10001032 push ebp
:10001033 mov ebp, esp
:10001035 sub esp, 0000000C
:10001038 mov [ebp-04], 00000000
:1000103F push 00000005
:10001041 push 40590000
:10001046 push 00000000
:10001048 push 403E0000
:1000104D push 00000000
:1000104F call 10001340                        ; nothing important therein
:10001054 mov dword ptr [ebp-08], eax
:10001057 mov eax, dword ptr [ebp-08]
:1000105A mov dword ptr [ebp-0C], eax
:1000105D cmp dword ptr [ebp-0C], 00000000     ; is this the last free day?
:10001061 je 10001071                          ; if so, jump
:10001063 cmp dword ptr [ebp-0C], 00000000     ; is this the last free day?
:10001067 jle 100010C5                         ; if it's after that, jump
So we can change the conditional jump at 10001061 to an unconditional one; then the application will run forever. So let's do that: change the 740E (je 10001071) to EB0E (jmp 10001071). Now run Guard Dog. It says that there are 0 days left in our trial period; we can exit it and then crack this NAG in
Step 3
We know that this NAG doesn't look like a standard NAG, so we set a breakpoint on the function we know from the Cracker's Notes ... for this application it's DialogBoxParamA (BPX DialogBoxParamA). Run Guard Dog. You are kicked back to WinICE at the DialogBoxParamA function. Press F11 to go back to the location where this function was called. The NAG screen should appear now. Press OK and you are kicked back to WinICE again. You see "GDTNB!VerifyTryAndBuy+005D" at the top of the code window. You get kicked back to WinICE just after the DialogBoxParamA call - at 10001095:
:10001085 51               push ecx

* Reference To: USER32.DialogBoxParamA, Ord:008Eh

:1000108F FF15E4220110     call dword ptr [100122E4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:10001075(C)

* Possible Reference to String Resource ID=00001: "This trial version will expire in %d day(s)."

:10001095 C745FC01000000   mov [ebp-04], 00000001
:1000109C EB27             jmp 100010C5
So let's try to NOP out the DialogBoxParamA call. Use the INT 3 trick to get to that location ... I can't get WinICE to break before the call (without rebooting my PC), so just use this trick to save some time. Run your hex editor and go to offset 485h. Change the 51 (PUSH ECX) into CC (INT 3). Now enter WinICE (CTRL-D) and set a breakpoint on INT 3 (BPINT 3). I get kicked back to WinICE several times. To check whether you're at the right location, look at the top of the code window: there you'll find "GDTNB!VerifyTryAndBuy+0050". When you are there, type "A" to assemble a new command, because we don't want to execute that INT 3 at all - we want to restore the old command. Type "PUSH ECX" and press <ENTER> twice. Then press F10 to step over that PUSH ECX and type "A" again to assemble a new command, because now we want to remove this silly NAG. Type "NOP" and press <ENTER> 6 times, because we want to change FF15E4220110 into 909090909090. I only use NOPs while I'm testing whether it works ... instead of those 6 NOPs you can use, for example, 3 pairs of "INC EAX" and "DEC EAX". Press CTRL-D to leave WinICE. Do you still see the NAG? No? Cool, so let's get it saved. Open your hex editor, remember to change that INT 3 at 485h back into PUSH ECX, and then replace that FF15E4220110 with 404840484048. Save the file and generate a patch for it.
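Both patches in this tutorial are tiny byte substitutions at fixed sites (740E to EB0E at the trial-days check, FF15E4220110 to 404840484048 at the dialog call), which is exactly what a build-time integrity check catches. The following is an added example, not code from the tutorial or from Guard Dog: a Python checker that compares the bytes a shipped image carries at its licence-check sites with the bytes the compiler emitted, and names the tampering pattern when they differ. The file offsets are an assumption derived from the tutorial's own mapping (RVA 10001085 at file offset 485h, so offset = RVA - 10000C00h); the image itself is constructed inline.

```python
# Added example (not from the tutorial): verify that a shipped binary still carries
# the bytes the build emitted at its licence-check sites, and name the patch pattern
# when it doesn't. All offsets and the sample image are constructed for the example.
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    offset: int      # file offset of the instruction (assumed, see lead-in)
    expected: bytes  # bytes the compiler emitted at that offset
    label: str       # name used in the report


# The two instruction sites the tutorial patches, at file offsets computed from its
# stated mapping RVA 10001085 -> offset 485h (assumption: RVA - 0x10000C00 = offset).
SITES = [
    Site(0x461, bytes.fromhex("740E"), "je at 10001061 (trial-days check)"),
    Site(0x48F, bytes.fromhex("FF15E4220110"), "call [DialogBoxParamA] at 1000108F"),
]

# Fillers a patcher typically writes over a removed call: nop, inc eax, dec eax.
NOP_FILLER = {0x90, 0x40, 0x48}


def classify(expected: bytes, actual: bytes) -> str:
    """Name the tampering pattern, or report an unknown modification."""
    # je rel8 (74 xx) rewritten to jmp rel8 (EB xx) with the same displacement
    if expected[0] == 0x74 and actual[0] == 0xEB and expected[1:] == actual[1:]:
        return "je rel8 rewritten to jmp rel8 (check bypassed unconditionally)"
    # call dword ptr [imm32] (FF 15 ...) overwritten with six filler bytes
    if expected[:2] == b"\xff\x15" and all(b in NOP_FILLER for b in actual):
        return "indirect call overwritten with no-op filler (nop/inc eax/dec eax)"
    return "unknown modification"


def check_image(image: bytes, sites=SITES) -> list:
    """Return one finding per site whose bytes differ from the expected ones."""
    findings = []
    for site in sites:
        actual = image[site.offset:site.offset + len(site.expected)]
        if len(actual) < len(site.expected):
            findings.append({"site": site.label, "status": "truncated",
                             "detail": "image shorter than the expected site"})
        elif actual != site.expected:
            findings.append({"site": site.label, "status": "patched",
                             "detail": classify(site.expected, actual)})
    return findings


def build_sample(patched: bool) -> bytes:
    """Constructed image: a zero-filled buffer with the two instruction sites populated,
    optionally carrying the two substitutions the tutorial describes."""
    buf = bytearray(0x500)
    for site in SITES:
        buf[site.offset:site.offset + len(site.expected)] = site.expected
    if patched:
        buf[0x461:0x463] = bytes.fromhex("EB0E")          # je -> jmp
        buf[0x48F:0x495] = bytes.fromhex("404840484048")  # call -> inc/dec filler
    return bytes(buf)


if __name__ == "__main__":
    for name, flag in (("clean", False), ("patched", True)):
        print(name, check_image(build_sample(flag)))
```

In a real build the expected bytes would be recorded from the linked binary rather than typed in, and the check run over the image on disk before the program trusts its own trial logic; a clean image yields an empty list, the patched sample reports both sites.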
Step 4
Send the "programmers" of Guard Dog the "C++ for Dummies" book, because they are so stupid ...
This tutorial was written by TORN@DO. I hope you enjoyed reading it as much as I enjoyed writing it - I'm always trying to improve my writing skills.
I'd like to greet the following people (in no specific order):
+ORC, Fravia, nIabI, JosephCo, Razzia, MisterE, Krazy_N, Vizion, YOSHi, Qapla, Odin, everyone in #Cracking and in #Cracking4Newbies ... and everyone else I forgot.