Sept 1998
Maximizer97i
How to debug with W32Dasm 8.9
Win '95 PROGRAM
Win Code Reversing
 
 
by VisualBB 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: Maximizer97i
Program Type: Contact Management
Program Location:  http://www.maximizer.com  
Program Size: Pretty Big
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
and W32DASM 8.9 ONLY 
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
Maximizer97i
Written by VisualBB
 
 
 
Introduction
 
This is a contact management program of massive proportions.

There must be many other ways to crack this program,  starting from the beginning at installation when Install Shield asks for a rego number, to other ways that the protection may be circumvented. I only describe this (my) approach to give others, unfamiliar with WDASM used as a debugger, an insight of how its done! Of course  some study of the "Dead Listing" is essential but anyway follow on..
 
About this protection system
 
Registration Number check or will install as a 60 day trial!!
 
The Essay 
     
OK. Install the program and a window comes up asking for a rego or else the install will be a 60 day DEMO!

For now install it as a 60 day demo. On running it we get the usual nag and an "Upgrade" button.

Upgrade?? Lets click on this. It displays a system generated number and asks for yours.  Enter any number and click ok. Up pops a messagebox with a message:

"You have entered an invalid customer number or product serial" etc

Ah HA!

The following bits are not really necessary but I used them to be thorough. Start up FILEMON,  set a filter on process MAXWIN and run MAXWIN. Try to upgrade as above and we see that the code to  check resides somewhere in MAXWIN.EXE 3,032,064 bytes HUGE.

Start up WDASM and  decompile the file MAXWIN.EXE. Time for a coffee or cocktail and if you smoke, plenty of time for that evil puff or two. Huge file, takes ages to decompile.

OK its done. Step one is to save your file as a project so that your breakpoints which you will  setup are "sticky".

Saved, so now we open the search on string references, looking for our string as above. This is  the Dead listing part I mentioned. You will see different references to registering this program. The one we are interested in is here:

* Referenced by  (C)onditional Jump at Addresses
:0046AF15, :0046AFAE, :0046AFCF(C) <-- Note these 3 locations.
 
:0046AFE5 8D4DD8                  lea ecx, dword ptr [ebp-28]

* Reference To: MXLIB32.MXLIB32:NoName0617, Ord:021Ch
 
:0046AFE8 E8970B1500              Call 005BBB84

* Possible Reference to String Resource ID=41211: "You have entered an invalid customer number or product seria"
 
:0046AFED 68FBA00000              push 0000A0FB
:0046AFF2 8D4DD8                  lea ecx, dword ptr [ebp-28]
:0046AFF5 C645FC08                mov [ebp-04], 08
 

Notice the line above where this bit of code is called by 3 different addresses, all conditional jumps. What this means is that some compares are done and if the code entered is invalid this snippet of code is called to display the infamous messagebox.

Lets check the first and earliest call at :0046AF15
 

:0046AF0D 52               push edx
:0046AF0E FFD6             call esi
:0046AF10 83C408           add esp, 00000008
:0046AF13 85C0             test eax, eax <--- set breakpoint here!!!
:0046AF15 0F84CA000000     je 0046AFE5   <-the first call to the Msgbox!!!

* Possible Reference to String Resource ID=34558: "SOFTWARE\Maximizer Technologies\Maximizer\CurrentVersion\Reg"
                                                 
:0046AF1B 68FE860000       push 000086FE
:0046AF20 8D4DE0           lea ecx, dword ptr [ebp-20]

So we will now need to set a breakpoint as above [press F2 when line is highlighted] and check the value in eax after the call to esi at 0046AF0E.

In WDASM Select the menu option DEBUG, Load Process and click the LOAD button without entering anything as a command line parameter. The program loads and the other 2 windows open out, one the debug data window at the bottom left (hereafter called DATA) and the one at the bottom  right (hereafter called CODE).

In the main debug window, the cursor highlights the first line of code. Now Select GOTO from the menu and enter our address - 0046AF15 . Since this is the actual jump, scroll the cursor to the line:

:0046AF13 85C0            test eax, eax

and when it is highlighted, press F2 so that a yellow box appears at the extreme left. This means that you have set a breakpoint on this line of code.

Now if you move the cursor you will see that the line is highlighted in  yellow and in the DATA window to the right in the "BPts" your address will appear with a *.
 
This window shows the breakpoints and the * means they are enabled.

In the CODE window click RUN or press F9. Maximiser will start up and in the first nag screen select "Upgrade" and enter any old number in the textbox.eg. 12345678

Select OK and wdasm will break at your first breakpoint. Now in the DATA window are displayed the values of the registers at the top left. We are interested in EAX as that is the one checked.
 
We see it is 0 and this means that we will take the BAD jump.

So lets change the value of EAX to NOT 0 or 1. Click the MODIFY button at the bottom left of  the DATA window and a window opens where we can modify the values by typing a new value.

IN the box labeled Enter Value--> enter 1 and just below that click the button with "eax" on it.  As you see eax is now = 1. We need to write this to memory so Click the button MODIFY and then CLOSE.

NOW we need to continue stepping, and here is a peculiarity of WDASM.

AFTER ANY MEMORY CHANGES, YOU MUST ALWAYS CLICK THE "STEP INTO" BUTTON IN THE CODE WINDOW OR PRESS F7. If you press F8 or Step Over WDASM will act as though you pressed RUN and will not
single step. Please remember this!

OK we STEP(F7) and now GOTO the second Conditional jump :0046AFAE

Have a look at the code below and set a breakpoint as shown and RUN:

2. Set another break here:
 
:0046AFA1 C645FC05                mov [ebp-04], 05
:0046AFA5 E874010000              call 0046B11E
:0046AFAA 837DCC00                cmp dword ptr [ebp-34], 00000000
:0046AFAE 7535                    jne 0046AFE5 <--Set break point here!!!!
:0046AFB0 8D45E8                  lea eax, dword ptr [ebp-18]
:0046AFB3 8B4DF0                  mov ecx, dword ptr [ebp-10]
:0046AFB6 50                      push eax

* Possible Reference to Dialog: DialogID_0191, CONTROL_ID:03E8, ""
   
:0046AFB7 68E8030000              push 000003E8

We break as shown above. The following line has already been executed:-

:0046AFAA 837DCC00                cmp dword ptr [ebp-34], 00000000

Lets check:

[ebp-34] - :0046AFAA 837DCC00                cmp dword ptr [ebp-34], 00000000

In the DATA window to the right of the Register Values Window is the memory address display.  With buttons for eip,eax,ebx,ecx etc. Click the button for ebp, 8 from the top and scroll till the  window displays the value for ebp-34.  We see it is NOT 0 and we will be forced to take the BAD jump.
 
[ebp-34] is not 000 but we care not. Just patch the file to NOP the jump:

:0046AFAE 7535    jne 0046AFE5 to 4048

To patch code in memory is simple. Remember we have not yet executed the BAD jump. Click the button PATCH CODE in the CODE window (bottom right) and a patch code window appears -  W32Dasm Code Patcher.

In the box below "Enter New Instructions Below" we can enter our new assembly instructions. We can either NOP the 2 bytes of the JNE or as +ORC taught be smart and enter

inc eax   (press Enter)
dec eax   (press enter)

In the box below we see our instructions as well as the HEX codes. Above our entry, we see the EIP and the code for that instruction. This is important as sometimes when patching code we may only use 4 of the 5 bytes and will need to NOP the extra byte to maintain code integrity or your program WILL crash.

We can see that EIP now points to this line :0046AFB0 8D45E8   lea eax, dword ptr [ebp-18] so our patch is of the correct length. Now click APPLY PATCH and OK on the confirmation WDASM  presents.

Click close to close the Patch window. If you look at the CODE window you will see that the code there no longer resembles the code in the MAIN window but has instead your 2 patch instructions

inc eax
dec eax

PRESS F7 OR "STEP INTO" for the same reasons as mentioned above. We see EAX incremented and  decremented! So keep pressing F7 to continue for a couple of instructions.

3.Now on to our third conditional jump at :0046AFCF
 
Set a break point here as DESCRIBED above at the location as shown below.
RUN and when we break check EAX. If it is 0 then we jump to the BAD location. So if EAX is 0 change it to 1 as above. If NOT 0 then leave well alone. We are almost there.

We see from the code below that there is a call to 005C0598 which returns a value to be checked in EAX. Now after this call and stack fixing at :0046AFD5 and :0046AFDA, EAX is checked.  IF the value is 0 then the code following is executed which is BAD. SO WE NEED TO FORCE THE JUMP at :0046AFC to actually jump past the BAD location to location :0046B065.
 
"MODIFY" the value of eax to NON 0 or 1 as described above to force the jump.
 
We see below this bit of code with a bad jump and the conditional GOOD jump:

Also check out the names of the function calls the programmer has used

MxGetSet.IsValidPSN and later MxGetSet.IsValidUID. Dead giveaways. Could MxGetSet.IsValidUID  refer to "Is it a valid pin" and IsValidUID mean "Is it a valid USer ID". Dumb I tell you!

:0046AFC4 50               push eax

* Reference To: MxGetSet.IsValidPSN, Ord:0008h
 
:0046AFC5 E8C8551500       Call 005C0592
:0046AFCA 83C404           add esp, 00000004
:0046AFCD 85C0             test eax, eax<------ BREAK POINT 3 HERE!!!!!!
:0046AFCF 7414             je 0046AFE5<---------bad jump here
:0046AFD1 8B45E8           mov eax, dword ptr [ebp-18]
:0046AFD4 50               push eax

* Reference To: MxGetSet.IsValidUID, Ord:0009h
  
:0046AFD5 E8BE551500       Call 005C0598
:0046AFDA 83C404           add esp, 00000004
:0046AFDD 85C0             test eax, eax
:0046AFDF 0F8580000000     jne 0046B065 <- TAKE THIS JUMP!!!

* Referenced by a (C)onditional Jump at Addresses:
:0046AF15(C), :0046AFAE(C), :0046AFCF(C)

 
:0046AFE5 8D4DD8           lea ecx, dword ptr [ebp-28]

* Reference To: MXLIB32.MXLIB32:NoName0617, Ord:021Ch
 
:0046AFE8 E8970B1500       Call 005BBB84

* Possible Reference to String Resource ID=41211: "You have entered an invalid customer number or product seria"
 
:0046AFED 68FBA00000       push 0000A0FB

These jumps lead to the message that the code is bad etc. DO NOT TAKE IT.
Change if needed the value in EAX so we skip the first jump je 0046AFE5 and TAKE THE SECOND!

jne 0046B065

We are DONE!!!!!

Proudly hit F9 or RUN and watch as MAXIMIZER upgrades itself to the FULL WORKING VERSION  even though you had entered the bullshit serial number.

QUIT the program and run again. NO NAG. NO NOTHING. We ARE REGISTERED.60 days??  Forget it.

Maximiser has self upgraded and we are registered!!!!!
 
The 'Crack' 
 
There is no crack needed as the program self upgrades you if you follow the steps as outlined above.
 
 
Final Notes 
 
Greets to The author of that great cracking tool W32DASM!
 
Ob Duh 
 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.
 


 
 
 [ Return ] 
 


Essay by: VisualBB
Page Created: 24th July 1998