|March 1999||"Microsoft's Visual J ++ 6.0 Professional Edition"||Win '95 PROGRAM Win Code Reversing|
|by The Hobgoblin|
|Code Reversing For Beginners|
|Program Details Program Name:Visual J++ 6.0 Professional Edition Program Type: Java development program Program Location:Found it on a cover disc Program Size: unknown|
|Tools Used: Softice V3.23 - W32Dasm V8.93 - Disassembler - Borland Resource Workshop- HIEW 6.02|
|Rating||Easy ( X ) Medium ( ) Hard ( ) Pro ( )|
Microsoft's Visual J ++ 6.0 Professional Edition Written by The Hobgoblin
Greetings to all crackers out there.
I'm an absolute newbie in the art of cracking, and this is my first attempt in writing something about how to crack programs. I hesitate to call this a tutorial. That's because in my opinion a tutorial is a piece of writing where you actually can learn something new about protection systems and how to reverse/crack them. I don't think too many people out there will learn something new by reading this, except that Microsoft once again has provided us with a program that's almost unprotected and for everyone to crack Don't this company want to make any money? Well, actually (and unfortunately), that's exactly what they do. That's why I write this essay. For some strange reason I just love to crack (or more honestly, try to crack) their programs.:))
Well, let's move on to the program. I found this program on a cover disc included in the March issue of "Internet.Works". (The discs you get when you buy magazines are pure gold for a cracker like me who struggle to learn to master the art of reversed engineering. They are cheap, contains a lot of shareware of all kinds, with all kinds of various protection systems. And if you get mad and in an outburst of anger and frustration erase the target, you can just install it when the bloodpressure is back to normal again.:))
This is what the magazine writes about this program: "30
day trial version. Visual J++ is Microsoft's massive Java
development environment. It comes as a key component of Visual
Studio and is packed with everything a programmer needs.
However, there is a lot more to this than purely a programmer's
environment and if you have the urge to learn more about
programming, this is a good place to start. It has a
straightforward interface and there is plenty of onboard help at
hand. Price: Visual J++ Professional £395 + VAT "
|About this protection system|
This program has a
simple 30-day trial protection system. It's fully functional, but
after 30 days you'll get the usual nag saying: "Your trial
period is over. Please install the full retail version."
(Or something like that. I don't remember the exact wording.). And the program won't open.
This will be more like an essay on how I cracked this program, not a tutorial on how to crack programs with this kind of protection systems. That's well enough covered by far more experienced crackers.
The first thing I do after installing a program is to run it several times, just to get a feeling of it, and to observe and see if there are any signs telling me that this is a shareware program, and not fully functional, and hopefully exactly what the limitations are. When running this program I found no such signs. Everything appeared to be normal. Then I exited out of the program, and opened up the explorer to check out the files. Only a couple of readme files was found, not important for me. No clues.
I then fired up BRW (Borland Resource Workshop), and took a look at a couple of what I thought were the main .exe-files and .dll files. Still no clues. No stringreferences I could explore. Usually, I get a lot of clues by doing this. Load the main .exe and .dll files in the BRW and check out the string references. By converting the number that accompanies the strings found in BRW to hex-values, and then search for this in W32Dasm, has many times lead me straight to the protection system within the code. It's a good cracking routine. (If BRW can't be used, go on and try Symantec Resource Editor or the Restorator. If one fails, you can usually use on of the others). But in this case, no luck. So what should I do?
If there is a 30-day trial, then after that period you'll get a message that's usually tells you that the trial period is over. That's the text I, without luck, was searching for.
I then set the date on my computer 3 months time ahead, and then tried to open the program. There it was, the usual nag screen. I closed it again, and then entered Softice. My thinking was that I would try to use the getlocaltime routine to get control over the program, and then search for the part of the code that deals with the time check. When I started Visual J++ again, Softice broke and I started to trace. But I could not find anything interesting.
After some tracing I decided to try another approach.I entered a bpx messageboxa in Softice, and started Visual J++.Softice broke, I hit F11, and then pushed ok on the nagscreen that appeared. I ended up at adress :5E0E16BB.
I also noticed that I was in the file named MSENV.DLL (on my computer located in the catalog: Microsoft Visual Studio/Common/Ide/Ide98/)
I pushed F10 three times and ended up here :5E0E1777.
This was just a couple of F10's above a ret-command, so I scrolled upwards to check for conditional jumps that would bypass the call at :5E0E1772. I found two conditional jumps, but none of them could bypass the call. I pushed F12 to return to wherever this routine was called from, and landed at :5E0945B8. I went through the same checking and found a conditional jump at :5E094585. I entered a breakpoint at this jump in Softice, and tried to run Visual J++. Softice broke, and indicated a jump. I typed r fl z at the Softice command line to change it into no jump, then pushed F11. Nag screen again. I found three other conditional jump within this routine, but the result was the same every time. I then pushed F12 again, and when the nagscreen appeared, I pushed ok. And then I was back in softice at :5E081530
Referenced by a (U)nconditional or (C)onditional Jump at Address:
:5E081520 5F pop edi
:5E081521 5E pop esi
:5E081522 5D pop ebp
:5E081523 5B pop ebx
:5E081524 81C414020000 add esp, 00000214
:5E08152A C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:5E08152B E81BF0F9FF call 5E02054B
:5E081530 85C0 test eax, eax (-------------------- I landed here)
:5E081532 0F8D3FFEFFFF jnl 5E081377
:5E081538 E9C5BA0200 jmp 5E0AD002
I set a breakpoint at the call at adress :5E08152B and tried to run visual J++ again. Softice broke, and after hitting F10 once the nagscreen poped up again. Looking at the codesnippet I realized that this routine started with the call to the nagscreen. So what called this call? At this time I opened W32Dasm and loaded MSENV.DLL and went to the adress for the call. And as you can see from the code listed above, the call was a result of a conditional jump at the adress :5E081371.
This is the code at that adress:
* Reference To: KERNEL32.SetErrorMode, Ord:0213h
:5E081349 FF153812005E Call dword ptr [5E001238]
:5E08134F E8E52EF8FF call 5E004239
:5E081354 33FF xor edi, edi
:5E081356 85C0 test eax, eax
:5E081358 0F84A4BC0200 je 5E0AD002
:5E08135E FF35CCD1175E push dword ptr [5E17D1CC]
:5E081364 E888020000 call 5E0815F1
:5E081369 A124D1175E mov eax, dword ptr [5E17D124]
:5E08136E 39785C cmp dword ptr [eax+5C], edi
:5E081371 0F84B4010000 je 5E08152B (---------- this is the jump)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:5E081377 6A01 push 00000001
:5E081379 5E pop esi
5E08137A 893598D2175E mov dword ptr [5E17D298],
:5E081380 E878020000 call 5E0815FD
:5E081385 E8A7020000 call 5E081631
:5E08138A A140F4175E mov eax, dword ptr [5E17F440]
and so on....
So what I did was to set a breakpoint at :5E081371, and tried to run Visual J++ once more.Bam, I was back in Softice, and Softice indicated a jump. I changed that to no jump, and pushed F11. And guess what happened?.......Exactly!
Visual J++ started as normal!
Well, the rest was plain patching. I opened W32dasm again, and wrote down the offset for adress :5E081371, opened HIEW, searched for the offset and changed
(I tried to change it to an unconditional jump, but that didn't work. I got an error message, and the program crashed).
Pushed F9 to update the program, and exit HIEW.
I later on ran Visual J++ after altering the date 6 months forwards and backwards on my computer. No problems.
Program cracked, and Microsoft fooled again.:)
A couple of weeks later I found a similar Microsoft program called Microsoft Visual Interdev 6.0 on a cd-rom form the same magazine. I cracked it using exactly the same procedure. (The only difference I found between the protection systems was that the Visual Interdev 6.0 had a 90 day trial period instead of 30 days).The conditional jump we have to change was located in the same file and at the same adress. Both these programs are parts of the Microsoft Visual Studio program-suite. Besides from these two programs, it includes the Microsoft Visual C++ Professional Edition and the Microsoft Visual Basic Professional Edition.And I think there is one or more items that I don't recall as I write this.
It could be really interesting to see whether the rest of the programs in this suite have the same weak protection system, don't you think?
Maybe somebody out there have any knowledge of this?
Well, this is it. Hopefully I will come back with some other stuff some day.
Take care out there, fellow crackers! Keep the information available!
Thank you Sandman, for your website and everything else.You're an inspiration for a lot of coming crackers!
Thanks also goes to the rest of you guys who take the time and
effort to keep the information and the necessart tools available
on the net.
Finally, I totally agree with the following statement:
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will be encouraged to producing even *better* software for us to use and enjoy.
Ripping off software through serials and cracks is for
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.