||There is a crack, a crack in everything. That's how the light gets in.|
Fire up Soft-ICE and in the loader, load
ZM53INTL.EXE. Soft-ICE will do it's loading
pretty soon you'll you'll break into it at the program entry point. Press F5 to continue the loading
process. The Zip Manager Shareware Evaluation License Agreement dialog box will be displayed. Click on the "I Agree" - continue button and the Registration Information dialog box will be displayed. Select the "Enter Registration" button and enter:
Before you click on O.K, press CTRL+D so that you break into softice and set a breakpoint on GetDlgItemTextA by typing getdlgitemtexta in the command window at the bottom of the softice screen. Press CTRL+D again so that you can press the O.K. button. After you have pressed O.K., you will find yourself very quickly inside softice again. Press F11 to trace back through the call. *NOTE* the addresses on the far left of my disassembly of the target program may be different on your computer. The principle remains the same though.
You should see something
:00413C63 68B0BB4600 push 0046BBB0 -> Save our entered code (555)
You can see the code that you typed in by typing d 46bbb0 in the command window. Ok. We know where the program stores our inputted code. But. the code cannot be generated until the program gets our name. So now we press F5 again. We break into softice again very quickly and at the same location! Below is the disassembly.
Call dword ptr [004799E4]
:00413C60 FF75FC push [ebp-04]
:00413C63 68B0BB4600 push 0046BBB0 -> Save our entered name
:00413C68 E8479B0400 call 0045D7B4 -> Call something
:00413C6D 83C408 add esp, 00000008
:00413C70 85C0 test eax, eax -> Test to see if EAX = 0
:00413C72 0F851F000000 jne 00413C97 -> Nope.
:00413C78 6830200000 push 00002030
:00413C7D 68E8594700 push 004759E8 -> Save message box title.
:00413C82 688C294700 push 0047298C -> Not A Valid Registration Number! message
:00413C87 FF7508 push [ebp+08]
:00413C8A FF1594984700 Call dword ptr  -> Display a message box.
Examine the above peice of code. We know
that the PUSH statement at 0043C63
is saving the user name that we are entering. We also know that the next
statement is calling some sort of sub routine. The call at the end of the
code snippet is calling a message box of some sort. This says to
me that the peice of code that does the compare is somewhere inside the
subroutine. Lets step into it by pressing F8
and see where it takes us.
:0045D7B5 8BEC mov ebp, esp
:0045D7B7 83EC28 sub esp, 00000028
:0045D7BA 53 push ebx
:0045D7BB 56 push esi
:0045D7BC 57 push edi
:0045D7BD C745F800000000 mov [ebp-08], 00000000 -> Clear old values.
:0045D7C4 C745F400000000 mov [ebp-0C], 00000000 "
:0045D7CB C745F000000000 mov [ebp-10], 00000000 "
:0045D7D2 C745EC00000000 mov [ebp-14], 00000000 "
:0045D7D9 C745E800000000 mov [ebp-18], 00000000 "
:0045D7E0 C745E438270000 mov [ebp-1C], 00002738
:0045D7E7 8B4508 mov eax, dword ptr [ebp+08] -> Move our reg code to EAX
:0045D7EA 8945FC mov dword ptr [ebp-04], eax
:0045D7ED 66C745D80000 mov [ebp-28], 0000 -> Zero Counter.
:0045D7F3 E904000000 jmp 0045D7FC -> Jump over INC instruction.
The peice of code above clears the previously failed attemps at registering the program as well as zero's the counter needed for the next peice of code.
66FF45D8 inc [ebp-28]
-> Increment counter.
:0045D7FC 0FBF45D8 movsx eax, word ptr [ebp-28] -> jump from 0045D7F3 lands here.
:0045D800 83F82B cmp eax, 0000002B -> Compare EAX with 42
:0045D803 0F8D5B000000 jnl 0045D864 -> jump if equal
:0045D809 0FBF45D8 movsx eax, word ptr [ebp-28] -> move user name into EAX
:0045D80D 8B4DFC mov ecx, dword ptr [ebp-04]
:0045D810 0FBE0408 movsx eax, byte ptr [eax+ecx]
:0045D814 8945E0 mov dword ptr [ebp-20], eax
:0045D817 8B45E0 mov eax, dword ptr [ebp-20] -> move hex value for letter
:0045D81A 69C049870100 imul eax, 00018749 -> multiply eax*eax*18748
:0045D820 0145F8 add dword ptr [ebp-08], eax -> add eax to ebp-08
:0045D823 8B45E0 mov eax, dword ptr [ebp-20] -> Similar to end of snippet.
:0045D826 69C061870100 imul eax, 00018761
:0045D82C 0145F4 add dword ptr [ebp-0C], eax
:0045D82F 8B45E0 mov eax, dword ptr [ebp-20]
:0045D832 69C095860100 imul eax, 00018695
:0045D838 0145F0 add dword ptr [ebp-10], eax
:0045D83B 8B45E0 mov eax, dword ptr [ebp-20]
:0045D83E 69C037870100 imul eax, 00018737
:0045D844 0145EC add dword ptr [ebp-14], eax
:0045D847 8B45E0 mov eax, dword ptr [ebp-20]
:0045D84A 69C057870100 imul eax, 00018757
:0045D850 0145E8 add dword ptr [ebp-18], eax
:0045D853 8B45E0 mov eax, dword ptr [ebp-20]
:0045D856 69C0D9860100 imul eax, 000186D9
:0045D85C 0145E4 add dword ptr [ebp-1C], eax
:0045D85F E994FFFFFF jmp 0045D7F8 -> Go back and do it again.
The above peice of code is the string manipulation routine. This routine is run through a total of 43 times. The following peice of code does the addition of all the values that were computed in the above peice of code. It also converts the double word value in EAX(CDQ) into a quad word value then devides the value in ECX saving the result in EAX.
mov eax, dword ptr [ebp-10] -> move initial value to EAX.
:0045D867 0345F4 add eax, dword ptr [ebp-0C] -> Do addition
:0045D86A 0345F8 add eax, dword ptr [ebp-08] -> "
:0045D86D 0345E4 add eax, dword ptr [ebp-1C] -> "
:0045D870 0345E8 add eax, dword ptr [ebp-18] -> "
:0045D873 0345EC add eax, dword ptr [ebp-14] -> "
:0045D876 B93DBB0D00 mov ecx, 000DBB3D -> " move reg code to ECX
:0045D87B 99 cdq -> Convert into quad word
:0045D87C F7F9 idiv ecx -> division
:0045D87E 8D4201 lea eax, dword ptr [edx+01] -> Save the result in EAX
See if you can guess what the importance of the following peice of code is.
mov dword ptr [ebp-24], eax -> Move EAX to ebp-24
:0045D884 8B450C mov eax, dword ptr [ebp+0C] -> move ebp+0c to eax
:0045D887 3945DC cmp dword ptr [ebp-24], eax -> **** COMPARE ****
:0045D88A 0F850F000000 jne 0045D89F -> not equal so bugger off cracker
:0045D890 B801000000 mov eax, 00000001 -> registered flag
:0045D895 E90C000000 jmp 0045D8A6
:0045D89A E907000000 jmp 0045D8A6
That's right. This is the compare routine.
All that needs to be done now is to make a permanent crack at :0045D88A
would suggest that a few NOP's would not go astray here.
Also, if you want
your name in the about box, copy below and paste into the zm53intl.ini
file (at the end)
replacing, of course [ANY NAME YOU WANT] and [ANY CODE YOU WANT] with your name and any number.
Start Copy -----------x---------x----------x
Name=[ANY NAME YOU WANT]
Number=[ANY CODE YOU WANT]
-------x--------x------x---------- End copy ------x--------x-----------x-----x
All Newbies: Without all of you, the cracking
scene would die over time.
|[ Return ]|