Sept 1998
"Basic Win95 Cracking"
Win '95 PROGRAM
Win Code Reversing
 
 
by AnDEc! '98 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: zm53inst.exe
Program Type: Windoze archiving program.
Program Location: www.sebd.com 
Program Size:  606k.
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Softice V3.23 - Debugger
A hex editor (Any will do)
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Zip Manager 5.3.
Written by AnDEc! '98
 
 
 
Introduction
 
This program is similar to Winzip. I chose this program for this tutorial because, to my knowledge, there is no crack file available for it. That means that you have to at least follow this tutorial in order to make the crack. Don't worry though, the asm code is fully commented. 
 
About this protection system
 
This protection scheme is a simple name/serial number based scheme.
 
The Essay 
     
As I said above, this program uses a simple name/serial code protection scheme and should not present a problem to even the newest newbies.
O.k.
Let's crack.

Fire up Soft-ICE and in the loader, load ZM53INTL.EXE. Soft-ICE will do it's loading thing and
pretty soon you'll you'll break into it at the program entry point. Press F5 to continue the loading
process. The Zip Manager Shareware Evaluation License Agreement dialog box will be displayed. Click on the "I Agree" - continue button and the Registration Information dialog box will be displayed. Select the "Enter Registration" button and enter:

    Name:= Cracked
    Reg#:= 555

Before you click on O.K, press CTRL+D so that you break into softice and set a breakpoint on GetDlgItemTextA by typing getdlgitemtexta in the command window at the bottom of the softice screen. Press CTRL+D again so that you can press the O.K. button. After you have pressed O.K., you will find yourself very quickly inside softice again. Press F11 to trace back through the call. *NOTE* the addresses on the far left of my disassembly of the target program may be different on your computer. The principle remains the same though.

You should see something like:
:00413C63 68B0BB4600                push 0046BBB0                   -> Save our entered code (555) 

You can see the code that you typed in by typing d 46bbb0 in the command window. Ok. We know where the program stores our inputted code. But. the code cannot be generated until the program gets our name. So now we press F5 again. We break into softice again very quickly and at the same location! Below is the disassembly.

:00413C5A FF15E4994700   Call dword ptr [004799E4]
:00413C60 FF75FC         push [ebp-04]
:00413C63 68B0BB4600     push 0046BBB0       -> Save our entered name
:00413C68 E8479B0400     call 0045D7B4       -> Call something
:00413C6D 83C408         add esp, 00000008
:00413C70 85C0           test eax, eax       -> Test to see if EAX = 0
:00413C72 0F851F000000   jne 00413C97        -> Nope.
:00413C78 6830200000     push 00002030
:00413C7D 68E8594700     push 004759E8       -> Save message box title.
:00413C82 688C294700     push 0047298C       -> Not A Valid Registration Number! message
:00413C87 FF7508         push [ebp+08]
:00413C8A FF1594984700   Call dword ptr [00479894]   -> Display a message box.

Examine the above peice of code. We know that the PUSH statement at 0043C63 is saving the user name that we are entering. We also know that the next statement is calling some sort of sub routine. The call at the end of the code snippet is calling a message box of some sort.  This says to me that the peice of code that does the compare is somewhere inside the subroutine. Lets step into it by pressing F8 and see where it takes us.
 

:0045D7B4 55               push ebp
:0045D7B5 8BEC             mov ebp, esp
:0045D7B7 83EC28           sub esp, 00000028
:0045D7BA 53               push ebx
:0045D7BB 56               push esi
:0045D7BC 57               push edi
:0045D7BD C745F800000000   mov [ebp-08], 00000000        -> Clear old values.
:0045D7C4 C745F400000000   mov [ebp-0C], 00000000                  "
:0045D7CB C745F000000000   mov [ebp-10], 00000000                  "
:0045D7D2 C745EC00000000   mov [ebp-14], 00000000                  "
:0045D7D9 C745E800000000   mov [ebp-18], 00000000                  "
:0045D7E0 C745E438270000   mov [ebp-1C], 00002738
:0045D7E7 8B4508           mov eax, dword ptr [ebp+08]    -> Move our reg code to EAX
:0045D7EA 8945FC           mov dword ptr [ebp-04], eax
:0045D7ED 66C745D80000     mov [ebp-28], 0000             -> Zero Counter.
:0045D7F3 E904000000       jmp 0045D7FC                   -> Jump over INC instruction.

The peice of code above clears the previously failed attemps at registering the program as well as zero's the counter needed for the next peice of code.

:0045D7F8 66FF45D8          inc [ebp-28]                  -> Increment counter.
:0045D7FC 0FBF45D8          movsx eax, word ptr [ebp-28]  -> jump from 0045D7F3 lands here.
:0045D800 83F82B            cmp eax, 0000002B             -> Compare EAX with 42
:0045D803 0F8D5B000000      jnl 0045D864                  -> jump if equal
:0045D809 0FBF45D8          movsx eax, word ptr [ebp-28]  -> move user name into EAX
:0045D80D 8B4DFC            mov ecx, dword ptr [ebp-04]
:0045D810 0FBE0408          movsx eax, byte ptr [eax+ecx]
:0045D814 8945E0            mov dword ptr [ebp-20], eax
:0045D817 8B45E0            mov eax, dword ptr [ebp-20]   -> move hex value for letter
:0045D81A 69C049870100      imul eax, 00018749            -> multiply eax*eax*18748
:0045D820 0145F8            add dword ptr [ebp-08], eax   -> add eax to ebp-08
:0045D823 8B45E0            mov eax, dword ptr [ebp-20]   -> Similar to end of snippet.
:0045D826 69C061870100      imul eax, 00018761
:0045D82C 0145F4            add dword ptr [ebp-0C], eax
:0045D82F 8B45E0            mov eax, dword ptr [ebp-20]
:0045D832 69C095860100      imul eax, 00018695
:0045D838 0145F0            add dword ptr [ebp-10], eax
:0045D83B 8B45E0            mov eax, dword ptr [ebp-20]
:0045D83E 69C037870100      imul eax, 00018737
:0045D844 0145EC            add dword ptr [ebp-14], eax
:0045D847 8B45E0            mov eax, dword ptr [ebp-20]
:0045D84A 69C057870100      imul eax, 00018757
:0045D850 0145E8            add dword ptr [ebp-18], eax
:0045D853 8B45E0            mov eax, dword ptr [ebp-20]
:0045D856 69C0D9860100      imul eax, 000186D9
:0045D85C 0145E4            add dword ptr [ebp-1C], eax
:0045D85F E994FFFFFF        jmp 0045D7F8                  -> Go back and do it again.

The above peice of code is the string manipulation routine. This routine is run through a total of 43 times. The following peice of code does the addition of all the values that were computed in the above peice of code. It also converts the double word value in EAX(CDQ) into a quad word value then devides the value in ECX saving the result in EAX.

:0045D864 8B45F0             mov eax, dword ptr [ebp-10]   -> move initial value to EAX.
:0045D867 0345F4             add eax, dword ptr [ebp-0C]   -> Do addition
:0045D86A 0345F8             add eax, dword ptr [ebp-08]   ->    "
:0045D86D 0345E4             add eax, dword ptr [ebp-1C]   ->    "
:0045D870 0345E8             add eax, dword ptr [ebp-18]   ->    "
:0045D873 0345EC             add eax, dword ptr [ebp-14]   ->    "
:0045D876 B93DBB0D00         mov ecx, 000DBB3D             ->    " move reg code to ECX
:0045D87B 99                 cdq                           -> Convert into quad word
:0045D87C F7F9               idiv ecx                      -> division
:0045D87E 8D4201             lea eax, dword ptr [edx+01]   -> Save the result in EAX

See if you can guess what the importance of the following peice of code is.

:0045D881 8945DC             mov dword ptr [ebp-24], eax   -> Move EAX to ebp-24
:0045D884 8B450C             mov eax, dword ptr [ebp+0C]   -> move ebp+0c to eax
:0045D887 3945DC             cmp dword ptr [ebp-24], eax   -> **** COMPARE ****
:0045D88A 0F850F000000       jne 0045D89F                  -> not equal so bugger off cracker
:0045D890 B801000000         mov eax, 00000001             -> registered flag
:0045D895 E90C000000         jmp 0045D8A6
:0045D89A E907000000         jmp 0045D8A6

That's right. This is the compare routine. All that needs to be done now is to make a permanent crack at :0045D88A (jne 0045D89F). I would suggest that a few NOP's would not go astray here.
 
The 'Crack' 
To make this a permenant crack,
Load up zm53intl.exe into your favorite Hex-Editor ( I prefer hexWorkshop-32) but just about any Hex-Editor will do..
 
SEARCH FOR THE FOLLOWING BYTES : 3945DC0F850F000000
REPLACE WITH HIGHLIGHTED BYTES :  3945DC909090909090

Also, if you want your name in the about box, copy below and paste  into the zm53intl.ini file (at the end)
replacing, of course [ANY NAME YOU WANT] and [ANY CODE YOU WANT] with your name and any number.

--------x-------x--------x--------- Start Copy -----------x---------x----------x
[Registration]
Name=[ANY NAME YOU WANT]
Number=[ANY CODE YOU WANT]
-------x--------x------x---------- End copy ------x--------x-----------x-----x
 
Final Notes 
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.

All Newbies: Without all of you, the cracking scene would die over time.
 
Ob Duh 
 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
 


 
 
 [ Return ] 
 


Essay by: andec@tac.com.au
Page Created: 24th July 1998