Remote Bot 1.0.1
by Boba Fett

1. Introduction
2. Tools
3. Starting up
4. WDasm and ProcDump
5. Hiew
6. The final test
7. Final notes and greets


1. Introduction

Welcome to my second "real" tutorial. Today we're going to crack a program called Remote Bot version 1.0.1, one of the dumbest protections I have come across so far, and after this you will surely think so too...
Since the response to my last tut was really good, I decided to dedicate this one to all the newbies and explain as much as possible.
So let's get started, but first make sure you have some relaxing music on (I prefer trance and techno; it cools me down and makes me more focused).


2. Tools

The following programs are needed to get thru this tut:
 

Hiew (ver 6.16)
WDasm (ver 8.93)
Procdump (ver 1.62)
and of course Remote Bot 1.0.1

3. Starting up

Begin by exploring the target. You'll see a string at the top of the program saying "unregistered", and that's something we want to get rid of, so try to register. If you enter a wrong serial, a box pops up saying "The key you have entered is invalid.", and that is the string we're going to look for later. Enough for now: we know our goal and we know what we're looking for.


4. WDasm and ProcDump

Before opening WDasm, make a copy of the Remote Bot exe and rename it to something like "WdasmRemote.exe"; this is the file we're going to use in WDasm, and the original stays untouched. Now fire up WDasm and press the only button that is enabled ("Open File To Disassemble"), and you get a file box asking which file to disassemble. Choose the copy you just made.
If you only see garbage on the screen you may need to change the font WDasm is using; to do that, follow these lines:

"To choose the font press the "Disassembler" button, then choose "Font..", "Select font". Make your choice and save it. Sometimes, when using WDasm for the first time, it is hard to see anything, and that is only because WingDings has been set as the default font. Now everything should be ok."

When WDasm is done disassembling you will see that no code was included! That's a problem, since without a disassembly we can never find our string, but there is a way around it, and this is where ProcDump comes in. Close WDasm and start ProcDump. You will see a list of all the tasks currently running; ignore it for now.
Look to the right, where there are some buttons, and choose "PE Editor". Track down the copy you made for WDasm, WdasmRemote.exe. A box with some header info comes up; ignore it, press the "Sections" button, and a new box appears.
These are the sections of the exe: the chunks of the file that Windows maps into memory, each with a set of flags ("Characteristics") saying whether it holds code or data and whether it may be executed. What follows is based on some experience; if I had never used ProcDump before, or knew nothing about sections, I would have been lost, so I'll just tell you what to do and you follow along.
You will see 3 sections:

.rdata
.data
.rsrc

Look under "Characteristics": the section holding the code is marked C0000040. Decoded, that is 80000000 (writable) + 40000000 (readable) + 00000040 (initialized data). In short, the flags say the section holds data, not code, and that is exactly why WDasm skipped it. We'll edit the flags so WDasm reads code from that section and likes it ;)
Which section? Both .rdata and .data can carry C0000040, so check the Virtual Address and Virtual Size columns and pick the one whose range covers the addresses we'll be working at (around 00427ACF, once the disassembly shows up). To edit, right-click that section, choose "Edit section", and in the box that appears change C0000040 to E0000020. That keeps read and write, adds 20000000 (executable) and swaps 00000040 (initialized data) for 00000020 (contains code), which is all WDasm needs to disassemble it. Nothing else in the file moves, so addresses and offsets stay the same. Press OK all the way out of the program to save your settings. Done!
Back to WDasm: open WdasmRemote.exe again and, when it is done, many good things have happened.
The StringDataRef button (the one to the left of the Print button) is now enabled, and that is where you will find what we're looking for, so press it.
In the box that appears, look for the string "The key you have entered is invalid.", and to give you a hint, you'll find it almost at the bottom (43 lines from the end ;)
When you have found it, just double-click it and you'll end up about 3/4 of the way through the listing, at address 00427AD3 (it may differ on yours).
But stop for a second and think: "Where are we and what are we doing here?"
I can tell you this: we are where the program shows the nag about the invalid serial, so if we go up a couple of lines we will probably reach the place where the decision whether the serial was correct or not is made. Sounds good?
If not, leave now ;)... but if you decide to stay, do the following.
Just above you will see a jump as shown below:

:00427AC3 DD1C24                  fstp qword ptr [esp]    <<<<the key, as an 8-byte double, goes on the stack>>>>
:00427AC6 E8D9F3FFFF              call 00426EA4           <<<<Makes the serial check; result comes back in eax>>>>
:00427ACB 85C0                    test eax, eax           <<<<Was it a good serial? eax = 0 means no>>>>
:00427ACD 6A00                    push 00000000           <<<<push does not touch the flags>>>>
:00427ACF 750E                    jne 00427ADF            <<<<eax != 0: good serial, jump over the nag; eax = 0: fall through>>>>
:00427AD1 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"The key you have entered is invalid."
                                  |
:00427AD3 68F8014100              push 004101F8
 

The comments say it all, I think. You can clearly see that the jump at address 00427ACF is our goal: the push in between does not alter the flags, so jne still acts on the result of test eax, eax. All we need now is the file offset of that address. Make sure the green bar is on address 00427ACF and look at the bottom of the window, where you'll see something like:
@Offset 000264CFh. That's our offset; the trailing "h" only means hexadecimal, so the number we'll type into Hiew is 264CF. Note that it differs from the address 00427ACF: the address is where the byte sits once the exe is loaded into memory, the offset is where the same byte sits in the file on disk, and Hiew edits the file. Write it down for later.
As you can see, at address 00427AC6 there is a call to the serial check. What if we went in there, just to make sure Remote Bot doesn't check the code anywhere else besides this call? Put the green bar on address 00427AC6 and press the right arrow; you'll end up at address 00426EA4, which looks something like this:

* Referenced by a CALL at Address:
|:00427AC6
|
:00426EA4 55                      push ebp
:00426EA5 8BEC                    mov ebp, esp
:00426EA7 DD4508                  fld qword ptr [ebp+08]

You see that this routine is referenced by only one call, the one we came from (and the fld qword ptr [ebp+08] confirms it takes the key as a double), so changing the jump we talked about does the whole thing. Bear in mind that WDasm can only list the direct calls it finds while disassembling; a check reached through an indirect call would not show up here, which is why the final test in section 6 still matters. Let's try...


5. Hiew

Before starting Hiew, make another copy of your original exe and rename it to something like "HiewRemote.exe". Use a fresh copy rather than WdasmRemote.exe: the section flag we changed was only there to make WDasm happy, and since that edit only touched the header, the offset we wrote down is the same in both files. Now start Hiew and press Alt+F1 to choose the drive the file is on.
Sometimes Hiew takes you directly to the directory you installed the program in (check which directory you are in). If you're in the Remote dir, choose the copy you made for Hiew. Press F4 and choose "Decode" mode.
Now press F5 to enter the offset you want to go to. Our sacred offset was 264CF. Type it in and you are at the place where the change goes; the line should show the bytes 750E decoded as jne, and if it doesn't, you're at the wrong offset, so go back and check. Press F3 to enter edit mode.
So how do we want this jump to behave? Right now it jumps only when a correct serial was given; what do you say about making it jump whether the serial is right or not? Of course you like it. So, in edit mode, type:
EB and then press F9 to write the change...
"But is that it?"
Yes, that's it. By changing 750E (jne 00427ADF) to EB0E (jmp 00427ADF) we forced the program to take the jump every time, so any serial is accepted as correct. Only the opcode changes; the 0E is the distance to 00427ADF and stays as it is, so the jump still lands on the same instruction. Press F10 to exit Hiew and feel the adrenalin...
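The two header-and-offset steps above, the ProcDump section edit from part 4 and the jne-to-jmp patch from part 5, can also be done in a few lines of Python, which makes it easy to check the numbers the tut gives. The script below is an added example and is not part of the original tut, nor code from WDasm, ProcDump or Hiew. It builds a small constructed stand-in for WdasmRemote.exe whose section table is invented (section RVAs, raw pointers and sizes are assumptions chosen so that VA 00427ACF maps to file offset 264CFh exactly as W32Dasm reported; the real Remote Bot layout is not known), decodes the Characteristics flags, flips them from C0000040 to E0000020, translates the virtual address to the file offset, verifies that the byte there really is 75 (jne rel8) and swaps it for EB (jmp rel8), leaving the displacement alone.

```python
import struct

# IMAGE_SECTION_HEADER.Characteristics bits from the PE spec
IMAGE_SCN_CNT_CODE, IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000020, 0x00000040
IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE = 0x20000000, 0x40000000, 0x80000000
FLAG_NAMES = [(IMAGE_SCN_CNT_CODE, "CODE"), (IMAGE_SCN_CNT_INITIALIZED_DATA, "INITIALIZED_DATA"),
              (IMAGE_SCN_MEM_EXECUTE, "EXECUTE"), (IMAGE_SCN_MEM_READ, "READ"), (IMAGE_SCN_MEM_WRITE, "WRITE")]
SEC_HDR = "<8sIIIIIIHHI"          # IMAGE_SECTION_HEADER, 40 bytes; Characteristics is the last dword (+36)
JNE_REL8, JMP_REL8 = 0x75, 0xEB   # opcodes of the 2-byte 'jne rel8' and 'jmp rel8'


def build_sample_pe():
    """Constructed stand-in for WdasmRemote.exe, NOT the real file. The section
    table is invented so that VA 00427ACF maps to file offset 264CFh (as W32Dasm
    reported) and the code section carries the data-only flags C0000040."""
    sections = [  # name, rva, vsize, raw_ptr, raw_size, characteristics (all assumed)
        (b".rdata", 0x02000, 0x26000, 0x00A00, 0x26000, 0xC0000040),
        (b".data",  0x28000, 0x00200, 0x26A00, 0x00200, 0xC0000040),
        (b".rsrc",  0x29000, 0x00200, 0x26C00, 0x00200, 0x40000040),
    ]
    img = bytearray(0x26E00)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                       # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x014C, len(sections), 0, 0, 0, 0xE0, 0x010F)  # IMAGE_FILE_HEADER
    struct.pack_into("<H", img, 0x98, 0x010B)                     # PE32 magic
    struct.pack_into("<I", img, 0x98 + 28, 0x00400000)            # ImageBase
    for i, (name, rva, vsize, raw_ptr, raw_size, flags) in enumerate(sections):
        struct.pack_into(SEC_HDR, img, 0x178 + 40 * i, name, vsize, rva, raw_size, raw_ptr, 0, 0, 0, 0, flags)
    # the decision point of the listing: 00427ACB test eax,eax / 00427ACD push 0 / 00427ACF jne 00427ADF
    img[0x264CB:0x264D1] = bytes.fromhex("85C06A00750E")
    return img


def parse_sections(img):
    """(image_base, [section dicts]) read straight from the headers."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    image_base = struct.unpack_from("<I", img, e_lfanew + 24 + 28)[0]
    table = e_lfanew + 24 + opt_size
    secs = []
    for i in range(nsec):
        hdr = table + 40 * i
        name, vsize, rva, raw_size, raw_ptr, _, _, _, _, flags = struct.unpack_from(SEC_HDR, img, hdr)
        secs.append({"name": name.rstrip(b"\0").decode(), "rva": rva, "vsize": vsize,
                     "raw_ptr": raw_ptr, "raw_size": raw_size, "flags": flags, "hdr": hdr})
    return image_base, secs


def describe_flags(flags):
    """C0000040 -> ['INITIALIZED_DATA', 'READ', 'WRITE']; E0000020 -> ['CODE', 'EXECUTE', 'READ', 'WRITE']."""
    return [name for bit, name in FLAG_NAMES if flags & bit]


def set_section_flags(img, name, flags):
    """The ProcDump 'Edit section' step: rewrite Characteristics in the header, nothing else moves."""
    out = bytearray(img)
    for s in parse_sections(out)[1]:
        if s["name"] == name:
            struct.pack_into("<I", out, s["hdr"] + 36, flags)
            return out
    raise KeyError(f"no section named {name}")


def section_for_va(img, va):
    """Which section a VA falls in: the way to settle whether .rdata or .data needs the edit."""
    image_base, secs = parse_sections(img)
    rva = va - image_base
    for s in secs:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s
    raise ValueError(f"VA {va:08X} is outside every section")


def va_to_offset(img, va):
    """What W32Dasm prints as '@Offset': where the bytes at this VA sit in the file."""
    image_base, _ = parse_sections(img)
    s = section_for_va(img, va)
    delta = (va - image_base) - s["rva"]
    if delta >= s["raw_size"]:
        raise ValueError("VA lies in the section's uninitialised tail; nothing to patch on disk")
    return s["raw_ptr"] + delta


def rel8_target(img, va):
    """Target of a 2-byte jcc/jmp rel8 at va: end of the instruction plus the signed displacement."""
    return va + 2 + struct.unpack_from("<b", img, va_to_offset(img, va) + 1)[0]


def patch_jne_to_jmp(img, va):
    """The Hiew step, 75 xx -> EB xx, refusing to touch anything that is not a jne rel8."""
    off = va_to_offset(img, va)
    if img[off] != JNE_REL8:
        raise ValueError(f"expected 75 (jne) at offset {off:X}, found {img[off]:02X}: wrong offset?")
    out = bytearray(img)
    out[off] = JMP_REL8   # displacement byte (0E) is kept, so the target is still 00427ADF
    return out
```

To use it on a real file, replace build_sample_pe() with the bytes of the exe read from disk; the header walking is plain PE32 and the constructed image only exists so the block runs offline. section_for_va is the check that settles the .rdata-versus-.data question from part 4: whichever section it returns for 00427ACF is the one whose flags need changing, and patch_jne_to_jmp refusing a byte other than 75 is the same "is the line really 750E?" check you do by eye in Hiew.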


6. The final test

Close all applications, start the patched copy from Hiew and try to register now:
    "Thank you for registering your copy of our software!"

This was easier than I thought at the beginning, and even if you restart it, you will see "registered" at the top.


7. Final notes and greets

I hope you learned something from this tut and that it keeps you busy until the next one, which should come very soon...

Greetz to:
--***Lord Anshar**--, --***Kroma**--, --***Bug**--, and all of you I forgot in Lockless Crew!!!

--***paran0ya**--, --***Trk14**--, --***Rude Boy Lelle**--, --***C&G**--.--***Raven**-- in FCC
 

Special thankz to C&G in Fatalz for accepting me and I won´t forget you either Lord Anshar

Remember that the names aren't in any special order, so last isn't least.....

           by [**>Boba Fett<**]/Fatalz Crack Crew /Lockless Cracking 2000