Cracking Vvalt
This document was extracted from T.U.G and
altered for AB4DS on the 31st/Aug/`99
T.U.G ThE Ultimate Guide to cracking for newbies by [yAtEs]
avalible for download at Http://TCRC.cjb.net within the next
2 weeks....i hope ;) news at Http://yates.cjb.net



Now we're ready to crack nags, first we need a techinque
to follow, so heres my quick 6 steps to cracking nags

1. Set Bpx Showwindow
2. When softice pops up press f12 if the start of our nag
window appears goto step 3, if not ctrl+d out of softice
and check on the next break
3. Keep pressing f12 until the nag window is fully drawn
and you are taken back to the program
4. click the ok button
5. when back in SI check the line above current for a call
if theres not a call there press f12 till there is
6. clear all breakpoints set breakpoint on this call by
double clicking it.

Ok to demostrate this download and install tut5.zip.
Once the program is installed we can find the nag by clicking
ok after entering a code, enter 123 and click ok, a big please
register window appears click ok then you get the access code invalid
message, assuming that you've already set one before.

Lets remove the nag with the steps above, first enter a number
into the valt and press Crtl+D to call softice up set the breakpoint
on showwindow with the command BPX SHOWWINDOW and exit Softice
now click the ok button and we are taken into softice press F12
and our window will begin to display, keep pressing F12 until we are
taken out of softice to the program now click ok and once again
we are back at the code...

:0042412A EBF0 jmp 0042411C
:0042412C 33C0 xor eax, eax <---
:0042412E 5A pop edx
:0042412F 59 pop ecx
:00424130 59 pop ecx

now we are looking for a call above, this would be the call we returned
from which executed the nag screen, so we see a jmp not a call
lets press f12 again to return us from this, now we see

:004241CB E969FFFFFF jmp 00424139
:004241D0 33C0 xor eax, eax <--
:004241D2 5A pop edx
:004241D3 59 pop ecx

Once again we haven't returned from the call doh..:) press F12 again
now we see

:004241EB EBF0 jmp 004241DD
:004241ED 8B45F8 mov eax, dword ptr [ebp-08] <--
:004241F0 5E pop esi
:004241F1 5B pop ebx
:004241F2 8BE5 mov esp, ebp

Now we still haven't returned from the call, once again press f12
and now we see

:0042FFA4 E8B33FFFFF call 00423F5C
:0042FFA9 B840014300 mov eax, 00430140 <--
:0042FFAE E8816BFDFF call 00406B34
:0042FFB3 84C0 test al, al
:0042FFB5 7511 jne 0042FFC8
:0042FFB7 A1641A4300 mov eax, dword ptr [00431A64]
:0042FFBC 8B00 mov eax, dword ptr [eax]

Yay =:D now we have returned from a call lets clear all breakpoints
and set one on this call, type BC * this will clear all breakpoints
, now with your mouse double click the Call 00423F5C, it will become

So now what? well we have our suspect call ready for break so once
again enter a number into the valt and click ok, now we are taken into
softice and the nag hasn't been called up yet press F10 to execute this
call, now we taken into the program and the nag has popped up, press
ok and it will disappear and we are taken straight back into softice
one line after the call, so this must be the call that we have to remove,before we patch it lets try and skip the call in softice,
enter a number in the valt again and click ok now we are taken into
softice at the line.

:0042FFA4 E8B33FFFFF call 00423F5C <-
:0042FFA9 B840014300 mov eax, 00430140

So how can we skip this line? well we are line 0042FFA4 ready to execute
it, if you remember from my asm tutorial IP is the Instruction pointer
this holds the next instruction to be executed, if you look to the
top right of the softice screen you'll see EIP=0042FFA4 if we
click up there we can alter it to EIP=0042FFA9 now press enter and exit
softice...=:D->-< yay the nag didn't display, so lets patch this out.

To patch it we must find the bytes to patch, so again... enter a number
in the vault and press ok, when the program breaks on the call line
type CODE ON this enables the hex bytes, note down the bytes for the
call and the next line


now make a backup copy of your Vvalt.exe and rename it to cracked.exe
right click the file and select Hex Edit(presumming you have Hex Edit with its shell extentsion installed) now goto the edit menu and click
find, select the Hex radio but and type in E8B33FFFFFB840 and click
find...once its found the string of bytes press F3 to check there is
no more copies, if there were we would have the enter some more bytes.
Now we have found the bytes in the hex ed change
E8B33FFFFF to 9090909090 and save, now when we run the cracked.exe
we find the nag is gone!! Weeeeee =:D->-<

WTF did i just do?

To understand we must view the structure of a program

Vvault Code+<br>
Main Code<br>
1234: lalalal<br>
1235: lalal<br>
1236: Call Nag ---->--- 8765: lala<br>
1237: lalal <------ ---| 8766: lala<br>
| 8767: call sub routine --->-- 345: lala <br>
| 8768: lala <-| 346: Showwindow<br>
|-8769: ret | 376: lalla<br>
|--------------<-378: ret<br>

$#$#!$ why can i never get anything to look right in HTML
anyway i'll suplliy a file with this with the structure looking correct in
a txt file


Hmm that should be somethink like the program was coded but
in this program we had some think like 3 sub calls
as you can see our main aim was to find the Call in the main
code, and one of the ways to do this was to break on showwindow
which was deep inside the procedure of seting up the nag screen
we used F12 to return our self from each call until we were back at
the main code...hopefully that will that make sense in what we did
today :)

I'd just like to explain another way to get nags :), instead of
breaking deep inside the call we could break in the main code and
keep tracing with F10 until we hit the call, this way can be very good
if you have too many calls to showwindow and stuff like that ;),
So to do this we would set BPX HMEMCPY then run the program and
on the last break before the nag press F12 about eight times to get
back to the code and keep pressing F10 until we hit the call..
This way doesn't work on this program but its what i do in most cases,
...thats all just thought i might share that with you. :)

gREETz tO:- AB4DS, ACiD_BuRN, Appbusta, Axion, Bjanes, ByteBurn, Craftyhac, Carpathia, Dezm, ^InFeRnO^, medivh, Nitrus, NeutralN, Smaegle, _tARG0N, thorny, The_Corpse, Tornado, Zoltan, _y and all other dUDes i know :)

og box. That makes it a resource ie a bitmap. You can try to bpx on messageboxA or dialogbox and softice will not break. So let's try a bpx on loadbitmapA. Softice will break inside LoadbitmapA so step out of it (F11) and look at the stack. There's only two PSP references and they are both at the bottom (since they were the last adresses pushed on the "Call stack").

PSP!.text+0029F15 at 0137:0042AF15
PSP!.text+5546 at 0137:406546

Lets look what that code looks like:
U 42af15

:0042AF10 E83BB5FDFF call 00406450
:0042AF15 83C404 add esp, 00000004

Put a breakpoint on 0137:0042AF10. Notice that there is no nag until you execute this call at 42AF10. So that means that we have found the nag caller. Now what. Lets nop the bastard out. Five nop's instead of call 00406450.

Sad but true, you can see the screen for a second and then it exits. Leaving us to our desktop. Hmmn What now? We need to find what went wrong (no kidding) to do that we trace the code until we find something useful. It's now time for you to experience the fat overbloated MFC42.DLL. Nop the call out and continue tracing.

From 42AF10:
You'll return to 5F4018C6 in MFC42.dll
After tracing that for some time you'll get to Kernel!_FREQASM. Keep on and you'll get to Kernel, user and FINALLY back to PSP at adress 4363XX. In this procedure there is some calls that sets up PSP's screen. At 4364CD there is a call to "updatewindow". You better place a breakpoint on 4364CD or any nearby adress so you don't have to trace on next time. Anyway executing Updatewindow and you'll see PSP's screen.
Here is the path we take:

:004364CD FF1560324C00 Call dword ptr [004C3260]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004364D3 8B4DE8                  mov ecx, dword ptr [ebp-18]
:004364D6 E8754AFFFF call 0042AF50
:004364DB 85C0 test eax, eax
:004364DD 7576 jne 00436555 we have eax=0
:004364DF C645FC00 mov [ebp-04], 00
:004364E3 E83B020000 call 00436723
:004364E8 E99AFAFFFF jmp 00435F87 therefore we jump here

We have 0 in eax and therefore we will jump at :004364E8 to 435F87 and we will then end up at :

:00435F87 C745FCFFFFFFFF          mov [ebp-04], FFFFFFFF
:00435F8E E8AA070000 call 0043673D
:00435F93 33C0 xor eax, eax
:00435F95 8B4DF4 mov ecx, dword ptr [ebp-0C]
:00435F98 5F pop edi
:00435F99 64890D00000000 mov dword ptr fs:[00000000], ecx
:00435FA0 5E pop esi
:00435FA1 5B pop ebx
:00435FA2 8BE5 mov esp, ebp
:00435FA4 5D pop ebp
:00435FA5 C3 ret

The ret will take us to a nasty place in MFC42.dll

:5F407EAB 85C0                    test eax, eax
:5F407EAD 7415 je 5F407EC4
:5F407EAF 8B06 mov eax, dword ptr [esi]
:5F407EB1 8BCE mov ecx, esi
:5F407EB3 FF505C call [eax+5C]
:5F407EB6 8BF8 mov edi, eax
:5F407EB8 E81D990000 call 5F4117DA
:5F407EBD 8BC7 mov eax, edi
:5F407EBF 5F pop edi
:5F407EC0 5E pop esi
:5F407EC1 C21000 ret 0010


:5F407EC4 8B4E20 mov ecx, dword ptr [esi+20]
:5F407EC7 85C9 test ecx, ecx
:5F407EC9 0F8575440100 jne 5F41C344 Here we jump

:5F41C344 8B01 mov eax, dword ptr [ecx]
:5F41C346 FF5060 call [eax+60]
:5F41C349 E981BBFEFF jmp 5F407ECF
:5F407ECF 8B06 mov eax, dword ptr [esi]
:5F407ED1 8BCE mov ecx, esi
:5F407ED3 FF5070 call [eax+70] killer!!!!
:5F407ED6 EBDE jmp 5F407EB6

The call to [eax+70] kills the window, how rude of them to exit before we even had the chance to draw a single pixel.

You, dear reader have of course already spotted the jump that needs to be changed and you may be wondering why I included all this MFC code. However there's a reason why I'm showing you all this code of MFC42.dll and that's because there is a good chance that you'll miss the *important* code among the overbloated MFC dlls. And if you do so you'll end up patching the MFC42 code instead of your targets call.

Where where where is the important code, well if you change al from 0 to 1 at :004364DB 85C0 test eax, eax The whole bazar will start. But as I said before should you miss this spot you'll end up changing:

:5F407EAB 85C0 test eax, eax
:5F407EAD 7415 je 5F407EC4
Inside MFC42.dll wich IS NOT a good idea, since other programs may use this particular function.

This will be the last essay on selfexpainary cracks. I want to move on to more complex cracks. What I mean by that is that only protections that donot use the common API calls will be written down and that goes for any contributor too. I'm well aware of the prideness one feel when one has succeed in cracking by oneself for the first time, but there's too many essay's on the web explaining the same sort of protections. What I wont to cover is:

They don't have to be tough or hard to crack, the important thing is that they offer some new schemes like this PSP essay who deals with a nagscreen that is a bitmaps.


(Saddle all the horses far on the indian trail, 'til it's time to change key and jump into a different scale)