December 1998 
Icon Tools for Win'95/98  
 Windows95 Cracking   
by Eisenbeiss  
Code Reversing For Beginners  
  Program Details 
Program Name: Microangelo 98 
Program Type: Win'95/98 Utility 
Program Location:  Here 
  Program Size: 1.26 MB 
Packed using: InstallShield    
   Tools Required: SoftIce (NuMega), Hex editor, Resource Grabber 
  Easy ( X )     Medium (  )     Hard (  )      Pro (   )  
There is a crack, a crack in everything. That's how the light gets in.

 The Popular Icon Utility for Win'95/98
Written by Eisenbeiss 
Microangelo by Impact Software is:

'An outstanding suite of utilities that provides tools for working with the icons, cursors and animated cursors used by the latest Windows operating systems. Microangelo 98 includes Explorer, Librarian, Studio, Animator and Engineer utilities. These components have been specifically designed to locate, manage, create and edit the smaller graphic elements used on the latest Windows desktops.'
The Essay  
The Microangelo 98 package consists of five individual programs: the icon explorer 'muexplor.exe', the librarian 'mumgr.exe', the editor 'muedit.exe', the animation tool 'muani.exe' and the engineering tool 'muengnr.exe'. As it will turn out, all five share an identical protection mechanism, which we must disable separately in each program. After installing the package and running muexplor.exe, we are confronted with a nag screen informing us of the evaluation status of the software.
We click on 'I agree' and proceed. Now we open the 'About' menu. Here we meet our nag screen again, and there is no option to register the program: the user is supposed to order a personalized copy that is delivered on disk. Fortunately, the evaluation copy is still fully functional. We will turn it into our own personalized copy with minimal effort.

The first thing we do is search the registry for an entry related to the evaluation status of the package. HKEY_CURRENT_USER\Software\Impact\Microangelo 98\ contains a subkey named 'evaluation'. We delete it. When we now try to run muexplor.exe, a beep sounds and a message box pops up saying that the program cannot locate the evaluation information in the registry. When we click OK, the show is over: program terminated. So it's time to fire up SoftICE and set a 'bpx MessageBoxA'.

Upon re-running muexplor we promptly land in SoftICE. We press F12 to return from the function and pop out to Windows, where we see the dreaded message box. Clicking 'OK' brings us back to SoftICE, right after the place from which MessageBoxA was called. After pressing F10 a few times, some POP instructions herald an upcoming RET: we are inside a routine that the program called to check the evaluation information in the registry. We keep pressing F10 and let the RET take us back to the caller:
0040189A  call dword ptr [0040B2AC]
004018A0  mov  dword ptr [0040E268], eax
004018A5  mov  eax, dword ptr [0040E7F0]
004018AA  test eax, eax
004018AC  jne  004018C1          ; THE jump
004018AE  call 004013B0          ; the call that brought us the dreaded message box
004018B3  test eax, eax          ; we land here
004018B5  jne  004018D2
004018B7  pop  edi
One thing immediately catches the eye: the conditional jump at 4018AC, THE jump, skips the entire call that checked the registry. We set a bpx 30:4018AC and disable the MessageBoxA breakpoint. After 'x'/return we drop out to Windows, where muexplor terminates. On the next run we land in SoftICE precisely at THE jump. Boldly, we type 'r eip 4018C1'/return to force it and 'x'/return to leave SoftICE. Bingo! muexplor.exe starts, does not complain about missing registry information, and skips the nag screen.
Even the caption bar no longer says 'evaluation day x of 30'. With our favourite hex editor we now search for the byte sequence '85 C0 75 13 E8 FD FA FF FF'. The '75 13' is THE jump (jne 004018C1) and gets patched to '74 13' (je 004018C1): the jump is now taken exactly when the value at 0040E7F0 is zero, which is the evaluation state. (A short jmp, 'EB 13', would skip the check regardless of that value.) The nine-byte sequence should occur only once in the file; check that before patching anything. With this patch, our icon explorer no longer touches the registry check and, at least on startup, behaves like the registered copy.

Unfortunately, the other four programs don't: each contains its own copy of the shareware mechanism, which we have not disabled yet. This is an easy task, however, because exactly the same procedure applies as with muexplor.exe.

If we just wanted to rip off Microangelo, we could stop here: the suite is deprotected and can be used without limitation. As true reversers, however, we are not satisfied with the 'About' menu. Not only does it persistently say 'Evaluation Copy', we are also forced to view the 'Order Now!' screen afterwards. Two 'About' screens are one too many. Let's get rid of one. First, we must determine where the box comes from.
From its appearance it is evidently a bitmap, so searching for the text string 'Evaluation Copy' is useless. Since bitmaps are large while the individual Microangelo applications are rather small, the 'About' bitmaps are likely stored in one central place. The largest file in the 'Microangelo 98' directory is 'muapp.dll', so that is our candidate. Opening it in the hex editor quickly confirms that bitmaps are stored here. Before we deal with them, however, we disable the second part of the 'About' dialogue.
To that end, we switch to SoftICE and set a bpx LoadBitmapA. We run the icon explorer and click 'About' in the menu. Immediately we are back in SoftICE. We disable the breakpoint and press F12 to complete the call, which leaves us in the code of muapp.dll. After a few F10s we arrive at a RET that takes us straight into kernel code. A quick F4 informs us that there is no trace of any dialog yet, so we hit F12 several times until we pop out of SoftICE and see the dialog. Clicking its 'Next' button brings us back to SoftICE at the following location:
10001799  push 00000384
1000179E  push ecx
1000179F  call edi
100017A1  mov  eax, dword ptr [1000908C]   ; we land here
100017A6  test eax, eax
100017A8  jne  100017C0                    ; another magic jump
100017AA  mov  edi, dword ptr [100091AC]
100017B0  push 00000000
100017B2  push 10001510
100017B7  push esi
------------------------------------------ ; the pattern repeats
100017B8  push 00000386
100017BD  push edx
100017BE  call edi
Evidently we have a repeating pattern: the function in edi is called twice, with resource ID 384h the first time and 386h the second, matching the two dialogs we see. The registered version presumably shows only one, so a conditional jump exists to avoid the second. This magic jump is labelled in the listing above and is patched from jne to je, just as we did with the five applications. We are rewarded with a single 'About' box, but it still says 'Evaluation' and its button still reads 'Next', even though pressing it no longer brings up another box.

Now we must patch the bitmap. The easiest way is 'Resource Grabber', a shareware utility by R. Fellner. It is found here. We rip the bitmaps from muapp.dll and save them as .bmp files. There are five of them. Inspection in Paint shows that one is a toolbar and the others are 'About' or 'Order' screens. We take one of the bitmaps and edit it to our needs in Paint, keeping its dimensions and colour depth unchanged: the edited image must occupy exactly as many bytes as the original, or pasting it will overrun whatever follows it inside the DLL. After saving, we open both our bitmap and muapp.dll in the hex editor, then copy our bitmap over the bitmaps in the DLL. A .bmp file has a 14-byte file header followed by a 40-byte info header; the bitmaps inside muapp.dll lack the file header.
The info header always starts with four bytes holding its own length, i.e. 28 00 00 00, followed by the width (4 bytes), the height (4 bytes) and so on. So we look for an area inside muapp.dll that looks like our saved bitmap and starts with 28 00 00 00. The first area meeting these criteria begins at offset 9CE0; others follow. Since we do not know which bitmap is displayed, we patch all of them that have the same size with our own creation. We must not paste the .bmp file header into the DLL: we copy from 28 00 00 00 onward, leaving out the first 14 bytes. A run of muexplor shows our success: clicking 'About' shows our own bitmap. The only thing missing is the button caption, which still reads 'Next'. A text search for 'Next' in the hex editor quickly shows the way; we overwrite it in place with 'OK' (overwrite, never insert or delete bytes, which would shift everything after them) and so finish our work on Microangelo 98.
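The hex-editor search above relies on the layout of a BMP file and of the header-less DIB stored as a resource. The following script, added here as an example and not part of the original essay or of Microangelo, does the same job programmatically: it strips the 14-byte file header from a .bmp, scans a binary for info headers that begin with 28 00 00 00 and have plausible geometry, and overwrites only a resource of exactly the same size, refusing a replacement whose dimensions differ. The 'DLL' it works on is a constructed stand-in (two small 24-bit DIBs between filler bytes), not muapp.dll; the offsets 64 and 160 belong to that stand-in, not to the real file.

```python
import struct

FILE_HDR = "<2sIHHI"       # BITMAPFILEHEADER: 'BM', bfSize, two reserved words, bfOffBits
INFO_HDR = "<IiiHHIIiiII"  # BITMAPINFOHEADER: 40 bytes, begins with 28 00 00 00
DIB_MAGIC = b"\x28\x00\x00\x00"


def build_bmp(width, height, rgb):
    """Constructed test input: a minimal bottom-up 24-bit BMP file of one colour."""
    stride = (width * 3 + 3) & ~3                  # rows are padded to 4-byte multiples
    row = bytes(rgb[::-1]) * width                 # pixels are stored as BGR
    row += b"\x00" * (stride - width * 3)
    pixels = row * height
    info = struct.pack(INFO_HDR, 40, width, height, 1, 24, 0, len(pixels), 2835, 2835, 0, 0)
    head = struct.pack(FILE_HDR, b"BM", 14 + 40 + len(pixels), 0, 0, 14 + 40)
    return head + info + pixels


def parse_dib(blob, off):
    """Parse a BITMAPINFOHEADER at blob[off]; return geometry, palette size and total
    DIB size, or None if the bytes there do not look like an uncompressed DIB."""
    if off + 40 > len(blob):
        return None
    (hdr, width, height, planes, bpp, comp, img_size,
     _xppm, _yppm, clr_used, _clr_imp) = struct.unpack_from(INFO_HDR, blob, off)
    if hdr != 40 or planes != 1 or comp != 0 or bpp not in (1, 4, 8, 16, 24, 32):
        return None
    if not (0 < width <= 8192 and 0 < abs(height) <= 8192):
        return None
    colours = clr_used if clr_used else (1 << bpp if bpp <= 8 else 0)
    stride = ((width * bpp + 31) // 32) * 4
    pixels = stride * abs(height)
    if img_size not in (0, pixels):
        return None
    size = 40 + colours * 4 + pixels
    if off + size > len(blob):
        return None
    return {"offset": off, "width": width, "height": height, "bpp": bpp,
            "palette": colours * 4, "size": size}


def strip_file_header(bmp):
    """Turn a .bmp file into the DIB form found in resources (drop the 14-byte header)."""
    magic, size, _r1, _r2, off_bits = struct.unpack_from(FILE_HDR, bmp, 0)
    dib = parse_dib(bmp, 14)
    if magic != b"BM" or size != len(bmp) or dib is None:
        raise ValueError("not a plain uncompressed BMP file")
    if off_bits != 14 + 40 + dib["palette"]:
        raise ValueError("pixel data does not directly follow the header")
    return bmp[14:]


def find_dibs(blob):
    """Scan a binary (e.g. a resource DLL) for embedded DIBs, as the hex-editor search did."""
    found, pos = [], blob.find(DIB_MAGIC)
    while pos != -1:
        dib = parse_dib(blob, pos)
        if dib:
            found.append(dib)
        pos = blob.find(DIB_MAGIC, pos + dib["size"] if dib else pos + 1)
    return found


def replace_dib(blob, off, new_dib):
    """Overwrite the DIB at off with new_dib; refuse unless the sizes match exactly,
    because a larger or smaller image would clobber or shift everything after it."""
    old, new = parse_dib(blob, off), parse_dib(new_dib, 0)
    if old is None or new is None or len(new_dib) != new["size"]:
        raise ValueError("no valid DIB at the given offset")
    if new["size"] != old["size"]:
        raise ValueError(f"size mismatch: resource {old['size']} bytes, replacement {new['size']}")
    return blob[:off] + new_dib + blob[off + old["size"]:]


def patch_all_dibs(blob, new_dib):
    """Patch every DIB of matching size, as the essay did when unsure which one is shown."""
    patched, n = blob, 0
    for dib in find_dibs(blob):
        if dib["size"] == len(new_dib):
            patched = replace_dib(patched, dib["offset"], new_dib)
            n += 1
    return patched, n


# Constructed stand-in for muapp.dll: two 4x2 24-bit resource DIBs between filler bytes.
SAMPLE_DLL = (b"MZ" + b"\xcc" * 62
              + strip_file_header(build_bmp(4, 2, (255, 0, 0)))
              + b"\xcc" * 32
              + strip_file_header(build_bmp(4, 2, (0, 0, 255)))
              + b"\xcc" * 16)

if __name__ == "__main__":
    ours = strip_file_header(build_bmp(4, 2, (0, 255, 0)))
    out, n = patch_all_dibs(SAMPLE_DLL, ours)
    print(f"patched {n} bitmaps at", [hex(d["offset"]) for d in find_dibs(out)])
```

For a real DLL, read the file with `Path("muapp.dll").read_bytes()`, pass it to `find_dibs`, and compare the reported widths, heights and bit depths with the bitmaps Resource Grabber extracted before deciding which offsets to patch; the size check in `replace_dib` is what keeps a careless paste from corrupting the neighbouring resources.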
Crack Loader  
A patch application program can easily be written by the interested reader: it only has to locate the nine-byte sequence, make sure it occurs exactly once, and overwrite the single opcode byte.
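One way to write that patcher, added here as an example and not the essay's own or Impact Software's code: it searches for the nine-byte sequence the essay quotes, refuses to act unless it occurs exactly once, flips the 75h (jne) to 74h (je) or, optionally, to EBh (short jmp), and keeps a .bak copy. The two helper functions at the end recompute the jump and call targets from the listing so the pattern can be checked against the addresses SoftICE showed. The code section it runs on below is a constructed stand-in (the pattern padded with NOPs), not muexplor.exe.

```python
import struct
from pathlib import Path

# Byte sequence quoted in the essay: test eax,eax / jne +13h / call rel32.
JNE_PATTERN = bytes.fromhex("85C0 7513 E8FDFAFFFF")
JNE_INDEX = 2          # position of the 75h opcode inside the pattern
JE = 0x74              # je rel8: inverts the test, the patch the essay applied
JMP_SHORT = 0xEB       # jmp rel8: skips the call regardless of the flag


def find_unique(data, pattern):
    """Offset of pattern in data; refuse to guess if it occurs zero or several times."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    if len(hits) != 1:
        raise ValueError(f"expected exactly one match, found {len(hits)}")
    return hits[0]


def patch_jump(data, pattern=JNE_PATTERN, index=JNE_INDEX, opcode=JE):
    """Return (patched copy of data, file offset of the byte that was changed)."""
    off = find_unique(data, pattern) + index
    if data[off] != 0x75:
        raise ValueError("byte at patch site is not jne (75h)")
    out = bytearray(data)
    out[off] = opcode
    return bytes(out), off


def short_jump_target(va, rel8):
    """Destination of a 2-byte jcc/jmp rel8 located at virtual address va."""
    return (va + 2 + struct.unpack("<b", bytes([rel8]))[0]) & 0xFFFFFFFF


def call_target(va, rel32):
    """Destination of a 5-byte E8 call at virtual address va (rel32 as 4 LE bytes)."""
    return (va + 5 + struct.unpack("<i", rel32)[0]) & 0xFFFFFFFF


def patch_file(path, opcode=JE):
    """Patch an executable in place, keeping an untouched .bak copy beside it."""
    p = Path(path)
    original = p.read_bytes()
    patched, off = patch_jump(original, opcode=opcode)
    p.with_suffix(p.suffix + ".bak").write_bytes(original)
    p.write_bytes(patched)
    return off


# Constructed stand-in for a code section: the pattern surrounded by NOP padding.
SAMPLE_CODE = b"\x90" * 32 + JNE_PATTERN + b"\x90" * 32

if __name__ == "__main__":
    patched, off = patch_jump(SAMPLE_CODE)
    print(f"patched jne at file offset {off:#x} -> {patched[off]:#04x}")
    # cross-check with the listing: jne at 4018ACh with rel8 13h lands on 4018C1h,
    # and E8 FD FA FF FF at 4018AEh calls 4013B0h
    print(hex(short_jump_target(0x4018AC, 0x13)),
          hex(call_target(0x4018AE, bytes.fromhex("FDFAFFFF"))))
```

Run `patch_file("muexplor.exe")` once per application; if `find_unique` reports more than one hit in one of the other four programs, the call displacement there differs and the pattern has to be taken from that program's own listing rather than reused blindly.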
Final Notes  
Inspection of the application files and of 'muapp.dll' reveals strings such as 'Microangelo licensing mechanism has been tampered with or is corrupted. Execution halted', so the software is evidently meant to detect patching. In practice this check never fired: none of the byte patches described above triggered it, and the straightforward approach taken here ran into no problems at all.
Ob Duh  
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue to offer even more challenges in breaking their often weak protection systems?

Ripping off software through serials and cracks is for lamers.

If you are looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.


Essay by:          Eisenbeiss
Page Created: 12th December 1998