Win32 Code Reversing
Program Name:SolidView Lite 3.55
Program Type: 3D Utility
Program Location: [ here ]
Program Size: 3.44mb
W32Dasm - Win'95/98 Dissasembler
Softice V4.X - De-Bugger
Hex-Edior - Any
||"One who shell live only to crack, will finaly be cracked by his own weaknesses"|
Cracking A Win32 Web
('Patching The Hell Out Of It')
Written by Bengaly
SolidView allows interactive 3D Shaded or wire frame viewing of Solid Model files (in STL and other supported formats) from any angle or direction.
SolidView/Lite is the FREE player used to distribute 3D Communications to anyone.
Extensive measurement capabilities including volume, surface area and overall dimensions as well as user directed linear , radial and angular measurements are provided.
In addition, SolidView provides the ability to section and look inside an object .
|About this protection|
This program is registered by selecting the 'Help' button, then
the 'Register' button.
You fill only 9 digits of key.
Hello and welcome to my 27'th Tutorial.
This essay is not hard, and talks about Patching mostly (yes again) ;=)
Run the program, several times and take notes on how it's working, write
useful text that
You will be able to use as a 'weak points' on our target, mostly enter invalid registration key
And take notes on the message that appear and write it down.
As usual we first make a 'Dead Listing' of our target in W32Dasm , this could take some time,
So grab some Drink i prefer Petel ;=) but any one should do the work.
after disassembly we will have a visual code that we can work on.
So let us search for this string in the 'String References: '
Incorrect Key .'
There are allot of text to look for, so goto value 'I' and look at the bad message here:
"incomplete dynamic bit lengths "
"incomplete literal/length tree"
"incorrect data check"
"incorrect header check"
Ok so we found it, double click on it and W32Dasm will take us to here:
*Referenced By a (U)ncontidional or (C)onditional Jump at Address:
*Posible StringData Ref From Data Obj -> "Error"
:0062B3ED 68D6387100 push 007138D6
*Posible StringData Ref From Data Obj -> "Incorrect
:0062B3F2 68D6387100 push 007138C7
:0062B3F7 50 push eax
Not so hard...we find the ' Beggar Off ' routine, now in order to know
which caller has
Brought us here we need to look at the un/contdional jump references..
It tell us there is 1 caller to this routine and it's being done at address: 0062B3CE
Now this tut is not just "read that, do that, patch this" this is not how u learn cracking,
In order to crack anything from easy->hard apps you need alittle 'zen' and ofcourse
Cracking knowledge and some ASM.
So this tut is not like a book it's like a way of thinking..
Ok..let us think a little about this Protection and how do we go throw it!
The main System Our App work:
1.the app is telling
us that we need to enter 9 digit numbers..
2.the program takes our fake 9 digit serial and do some checking with it those are:
a: checking the length of the serial, Must be 9 digits.
b: the serial must be 'valid'
c: check our fake serial with Valid serial that produced by the program
3.if the compare was bad program will bring us 'Bad MessageBoxA', else we register the prog
Got the general Idea??
Since our app here don't produce an serial from name (or at least i think it doesn't)
So if u wish to do some 'Serial Fishing' then Use softice with "Bpx GetWindowTextA" much easier.
To break and start tracing the code!
Else we do Parching :=)
Method : Patching
Weak points we can find from the main system our beloved app use is:
1. attacking from the backdoor (using beggar_off_cracking) message box and reverse it
2. changing flag (if there is any).
* Flag is a way the program think
if it's registered / unregistered, it reads the flag (0 = bad / 1=good)
*That's in the register (mostly Eax) and decide from the algo if it's 0/1 mostly by CMP instruction.
*So a fake serial will produce flag = 0 (EAX = FFFFFFFF), else it's registered (EAX = 00000001)
In order to find which 'Weak Points' we will enter
to the referenced jump : 0062B3CE
W32Dasm will take us here:
Test eax, eax
:0062B3CE 7514 JNE 0062B3E4 ; You will land here!
:0062B3D0 6A00 Push 00000000
:0062B3D2 6A00 Push 00000000
:0062B3D4 6A00 Push 00000000
Ok now it's time you look at the "Weak Points" i mentioned earlier..
What you think will be the solution here??
Guess you right (or wrong), the weak point is method 1 the "BackDoor"
Now on this position it is very clear to us what we are going to do!
It seems that the JNE instruction is triggered if the fake serial is not matched to the real one
And every time it does not match it triggers and jump to the bad message box.
So we can reverse the instruction that no metter what / which fake serial you will be enter
The program always jump to the Good_Guy routine (Registered)!
Now be with cursor on the JNE instruction and look down at the buttom of W32Dasm,
You will see this:
"line: 931176 pg 10122 of 13284n code data @:0062B3CC @Offset 0021B9CCh in file xxx.exe"
We need only the marked in blue Hex offset!
So open up an Hex Editor (Hview here), and look for those Hex offset address, You will find your
Self in the same place as we saw in the Dissasembler.
Now just edit the JNE instruction to JE instruction.
I'll show you which bytes to search later.
Now our program except the register key just fine...no problem
Job Done so far.
Method : Hex Edit
But still when you do 'About' u will see "UnRegistered"...that's
Cuz the program think it's registered but the when loading it from the registry file, it's still
A shareware program and prints "UnRegister"...
Easy to be fooled as well...not so hard here we go..
The "Unregistered" that it's prints is just a single Bytes (hex) that are implanted in the exe un less u register It and it change it to "Register"
Load up Win Hex (much better when it's visual)...do text search for
Now just Change it to "Registered"
A few Null (" ") just to kick "Un" ;D
ReLoad the program...Cracked
First Patch Registration Key Code:
Search for those bytes: 85C07514
And replace them with: 85C07414
Second Patch : 'UnRegistered - > Registered'
Search for those bytes: 556E72656769737465726564
And replace them with: 000052656769737465726564
Not so hard..you will get it after allot of Practice!!!
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
If your looking for cracks or serial numbers then your wasting your time, try searching elsewhere on the Web under Warez, Cracks and etc.
I would like to say thank you to all who has supported me, and helped
me through my cracking days:
||For his Great Essays And Skills|
||For his awesome Tutorials|
||For Help Me in Cracking & Hosting|
||For Help Me in W32Asm|
||For Being A Good Friend|
Have Fun :D
Essay by: Bengaly