Icon Tools for Win'95/98
Code Reversing For Beginners
Program Name: Microangelo 98
Program Type: Win'95/98 Utility
Program Location: Here
Size: 1.26 MB
Packed using: InstallShield
SoftIce (NuMega), Hex
editor, Resource Grabber
Easy ( X ) Medium ( )
Hard ( ) Pro ( )
is a crack, a crack in everything. That's how the light gets in.
The Popular Icon
Utility for Win'95/98
Written by Eisenbeiss
Microangelo by Impact Software is:
'An outstanding suite of utilities
that provides tools for working with the icons, cursors and animated cursors
used by the latest Windows operating systems. Microangelo 98 includes Explorer,
Librarian, Studio, Animator and Engineer utilities. These components have
been specifically designed to locate, manage, create and edit the smaller
graphic elements used on the latest Windows desktops.'
The Microangelo98 package consists of five individual
programs: the icon explorer 'muexplor.exe',
the librarian 'mumgr.exe', the editor 'muedit.exe',
the animation tool 'muani.exe' and the engineering
tool 'muengnr.exe'. As it will turn out, all
programs have an identical protection mechanism that we must disable individually
in each program. After installing the package and running muexplor.exe,
we are confronted with a nag screen informing us about the evaluation status
of the software.
We click on 'I agree' and proceed. Now we go to
the 'About' menu and click. Here we meet our nag screen again - there is
no option to register the program. The user is supposed to order a personalized
copy that is delivered on disk. Fortunately, the evaluation copy is still
fully functional. We will turn it into our own personalized copy with minimal
The first thing we do is search the registry for
an entry related to the evaluation status of the package. H_KEY_CURRENT_USER/Software/Impact/Microangelo
98/ contains a folder named 'evaluation'. We delete it. When we
now try to run 'muexplor.exe', a beep sounds
and a messagebox pops up saying that the program cannot locate the evaluation
information in our registry. When we click OK, the show is over - program
terminated. So it's time to fire up softice and set a 'bpx
Upon re-running muexplor, we promptly land in softice.
We press F12 to complete the function and pop out to Windows again, where
we see that dreaded messagebox. A click on 'OK' brings us back to softice,
right to the place from where the 'MessageBoxA' function was called. After
pressing F10 a couple of times, some POP instructions herald an upcoming
RET. As crackers, we draw the conclusion that the program issued a CALL
to check the evaluation info in the registry. Now we follow the code by
pressing F10 and let the RET take us to the location from where the CALL
||Call dword ptr [0040B2AC]
||mov dword ptr [0040E268], eax
||mov eax, dword ptr [0040E7F0]
||test eax, eax
; THE jump
; the call that brought us the dreaded MessageBox
||test eax, eax
; we land here
One thing immediately catches our eye: there is
a conditional jump, THE jump, avoiding the
entire call that has checked the registry. We set a bpx
30:4018AC and disable the bpx hmemcpy. After pressing 'x'/return,
we drop out to windows and muexplor has terminated. On the next run
of muexplor, we land in softice, precisely at the THE
jump. Boldly, we type 'r eip 4018C1'
/return to enforce it and 'x' /return to leave softice. Bingo! Muexplor.exe
starts, does not complain about missing registry information and skips
Even the caption bar does not say 'evaluation day
x of 30' anymore. With our favorite Hex editor, we now search the code
location '85 C0 75 13 E8 FD FA FF FF'. The '75 13' instruction is THE
jump and needs to be patched into '74 13' = je
004018C1. With this patch, our icon explorer behaves exactly like the registered
Unfortunately, the other 4 programs don't. They contain
their own shareware mechanisms that we have not disabled yet. This is an
easy task, however, because we can apply exactly the same cracking procedure
as with 'muexplor.exe'.
If we just wanted to rip off Microangelo, we might
stop here, since the program suite is deprotected and can be used without
limitation. As true reversers, however, we are not satisfied with the 'About'
menue. Not only does it persistently say 'Evaluation Copy', but we are
even forced to view the 'Order Now!' screen afterwards. Two 'About' screens
are one to many. Let's get rid of one. First, we must determine the origin
of the box.
From its appearance, it is evidently a bitmap. Thus,
it's useless to search for a text string 'Evaluation Copy'. Since bitmaps
are large, while the individual applications of Microangelo are rather
small, the 'About' bitmaps are likely to be stored in one central copy.
The largest file in the 'Microangelo 98' directory is 'muapp.dll'.
This is our candidate. Opening the file in the Hex editor quickly convinces
us that indeed bitmaps are stored here. Before we deal with them, however,
we will disable the second part of the 'About' dialogue.
To that end, we switch to softice and set a bpx
LoadBitmapA. We run the icon explorer and click on the 'About' item
in the menu. Immediately, we are transferred to softice again. We disable
the breakpoint and press F12 to complete the call. We end up in the code
of 'muapp.dll'. After pressing F10 a couple of times, we arrive at a RET
instruction that takes us straight to Kernel code. A quick 'F4' informes
us that there's no trace yet of any messagebox, so we hit F12 several times
until we pop out of softice and see the dialog. Clicking on its 'Next'
button brings us back to softice, to the following location:
||mov eax, dword ptr [1000908c]
;we land here
||test eax, eax
;another magic jump
||mov edi, dword ptr [100091AC]
Evidently, we have a repeating pattern here. Edi
is CALLed twice, in accordance with the fact that we have two messageboxes.
The registered version presumably has only one, so a conditional jump exists
to avoid the second. This magic jump is
labelled in the code snippet above and needs to be patched from jne
to je, just like we did it before with the
five applications. After this is done, we are rewarded by only one 'About'
box remaining, but it still says 'Evaluation', and its button reads 'Next',
even though we don't get another box by pressing it.
Now we must patch the bitmap. The easiest way of
doing so is to use 'Resource Grabber', a shareware utility by R. Fellner.
It is found here. We
can rip the bitmaps from the muapp.dll and save them as bmp files. There
are five of them. After inspection by paint, we find that one is a symbol
bar, and the others are 'About' or 'Order' screens. We can take one of
the bitmaps and edit it to our needs with paint. After saving it, the Hex
editor is used to simultaneously open our bitmap and 'muapp.dll'. We will
now copy our bitmap and paste it to the bitmaps in the dll file. A bmp
file has a file header of 14 bytes and an info header of 40 bytes. The
bitmaps inside 'muapp.dll' lack the file header.
The info header always starts with four bytes containing
the length of the info header, i.e. 28h 00h 00h 00h. Then follows the image
with (4 bytes), height (4 bytes) etc. So we are looking for an area inside
'muapp.dll' that looks like our saved bitmaps and starts with 28 00 00
00. The first area that meets these criteria begins at offset 9CE0. After
that, others follow. Since we do not know which bitmap to patch, we patch
them all with our own creation. Of course, we must not paste the bmp file
headrer into the dll file. We copy from 28 00 00 00, leaving out the first
14 bytes. A run of 'muexplor' shows our success. When we click 'About',
we see our own bitmap. The only thing missing is the patch for the button
caption, which still is 'Next'. A text search for 'Next' from the Hex editor
quickly shows us the way. So by entering 'OK' in the Hex editor, we finish
our work on Microangelo 98.
A patch application program can easily
be written by the interested reader.
Inspection of the application files as
well as of 'muapp.dll' reveals messages like 'Microangelo licensing mechanism
has been tampered with or is corrupted. Execution halted' within the files.
So the software is supposed to be protected from patching. As it turned
out, however, this protection is not effective. The cracking approach taken
by us in the above example is straight forward and does not encounter any
Do I really have to remind you
all that by buying and NOT stealing the software you use will ensure that
these software houses will continue to produce even *better* software
for us to use and more importantly, to continue offering even more challenges
to breaking their often weak protection systems
Ripping off software through serials
and cracks is for lamers.
If you are looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warez, Cracks etc.
Page Created: 12th December