November  1998
"DLLShow v3.8"
( 'Patch For Self Registering'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Snake
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: dllshow.zip
Program Type: System Utility
Program Location: Here 
Program Size: 140K 
 
   
Tools Used:
 Softice V3.23 - Win'95 Debugger
W32Dasm V8.93 - Win'95 Dissembler
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
  
  This babe is the first one that i've *cracked* by my self

DLLShow v3.8
( 'Patch For Self Registering'  )
Written by The Snake
 
 
 
Introduction
 
The author of    Dllshow For Windows 95   says:-
 
"DLL Show for Windows 95 is a small system utility that displays a list of all running processes and their DLL dependencies. Click your mouse on a listed task or process to see the DLLs that process uses."
 
About this protection system
 
This program is a 30 day trial program, with a nag screen shown each time you run this program.

When running the program, using Regmon in the background, we can see this
3 entries in our Registry file that are not set with values :

HKCU\Software\Software By Design\DLLSow For Windows 95\Registration\Code               0x0   
HKCU\Software\Software By Design\DLLSow For Windows 95\Registration\User                  ""
HKCU\Software\Software By Design\DLLSow For Windows 95\Registration\Organization   ""

Those 3 entries will be set on successful registration.

To access the 'Registration Screen' you will need to select the 'Help' menu option then choose the 'Registration' sub menu option.

You will be asked to enter:

User Name:
Organization: (optional)
Registration:

Lets go to have a closer look at this protection routine. 
 
The Essay 
 
I will show here 2 methods for crack this program :
1 - register with the author handle and serial number.
2 - register with your real serial number.

This program using the 32 bit function GETDLGITEMTEXTA to "read" the input.
Run DLLShow, go in the Registration screen, and fill the user dedails. Remember
that the Organization in optional.

1. When you've done this fire up Softice by pressing CTL-D.

2. Type: bpx getdlgitemtexta then x to leave Softice.

3. Click on the 'OK' button.

4. Softice now breaks at the beginning of the 1st System Function GetDlgItemTexta.

5. press x  two times
    Press 'F11'
    we are in DLLShow code, after the three input calls, here is the code :
 
:0040AAF1 FFD5                    call ebp          ; last GetDlgitemTexta
:0040AAF3 8D442410                lea eax, dword ptr [esp+10] ; land here
:0040AAF7 50                      push eax          ; fake s/n (ascii)  
:0040AAF8 E8E3990000              call 004144E0 ; convert fake s/n to hex  
:0040AAFD 83C404                  add esp, 00000004
:0040AB00 8BE8                    mov ebp, eax      ; ebp = hex fake s/n
:0040AB02 56                      push esi          ; user name
:0040AB03 E898800000              call 00412BA0  ; generates basic code ! 
:0040AB08 83C404                  add esp, 00000004
:0040AB0B 3D92A71901              cmp eax, 0119A792 ; author check (1)!!
:0040AB10 7518                    jne 0040AB2A

:0040AB12 682C0C4200              push 00420C2C     ; authors name
:0040AB17 8B2D3CE54200            mov ebp, dword ptr [0042E53C]
:0040AB1D 56                      push esi
:0040AB1E FFD5                    call ebp

:0040AB20 681C0C4200              push 00420C1C     ; authors organization
:0040AB25 53                      push ebx
:0040AB26 FFD5                    call ebp
:0040AB28 EB07                    jmp 0040AB31

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AB10(C)
|
:0040AB2A 3D3CCE5F0D              cmp eax, 0D5FCE3C ; author check (2) !!
:0040AB2F 750C                    jne 0040AB3D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AB28(U)
|
:0040AB31 53                      push ebx
:0040AB32 56                      push esi
:0040AB33 E8387B0000              call 00412670 ; generate/check serial (1)
:0040AB38 83C408                  add esp, 00000008
:0040AB3B 8BE8                    mov ebp, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AB2F(C)
|
:0040AB3D 53                      push ebx
:0040AB3E 56                      push esi
:0040AB3F E82C7B0000              call 00412670 ; generate/check serial (2)
:0040AB44 83C408                  add esp, 00000008
:0040AB47 3BC5                    cmp eax, ebp       ; serial ok ?
:0040AB49 741E                    je 0040AB69        ; yes, register !
:0040AB4B 68CFEA0000              push 0000EACF      ; beggar off cracker !

:0040AB50 6888130000              push 00001388
:0040AB55 57                      push edi
:0040AB56 E875C7FFFF              call 004072D0
:0040AB5B 83C40C                  add esp, 0000000C
:0040AB5E 5D                      pop ebp
:0040AB5F 5F                      pop edi
:0040AB60 5E                      pop esi
:0040AB61 5B                      pop ebx
:0040AB62 81C400010000            add esp, 00000100
:0040AB68 C3                      ret

Now, after we've seen all the code, lets give a look in the 3 different methods.

Method 1 : register with the author handle and serial number.

After SI breakes in the code, keep press th 'f10'  until landing on location
xxxxxx:0040ab10 :

 ---------   snip  snip  --------
 
:0040AB03 E898800000              call 00412BA0   ; generates basic code ! 
:0040AB08 83C404                  add esp, 00000004
:0040AB0B 3D92A71901              cmp eax, 0119A792 ; author check (1)!!
:0040AB10 7518                    jne 0040AB2A      ; <-- we are here

:0040AB12 682C0C4200              push 00420C2C     ; authors name
:0040AB17 8B2D3CE54200            mov ebp, dword ptr [0042E53C]
:0040AB1D 56                      push esi
:0040AB1E FFD5                    call ebp

:0040AB20 681C0C4200              push 00420C1C     ; authors organization
:0040AB25 53                      push ebx
:0040AB26 FFD5                    call ebp
:0040AB28 EB07                    jmp 0040AB31

At this point, the JNE takes control. if we will type in SI r eip=0040ab12, that going to tell the program to ignore the jne and continue on the next instraction.

When the programer test this utility, he probobly created this code to check if the Code get generated the way he wants. i have no idea waht User name he was typing in, but when he checked it, the program register with :

Code : the real code for this handle
User : Gregory Braun
Organization : Software Design

so, now type x in SI,
program registered.

Method 2 : register with your real serial number.

After SI breakes in the code, keep press th 'f10'  until landing on location
xxxxxx:0040ab2f :

---------   snip  snip  --------

:0040AB03 E898800000              call 00412BA0     ; generates the code ! 
:0040AB08 83C404                  add esp, 00000004
:0040AB0B 3D92A71901              cmp eax, 0119A792 ; author check (1)!!
:0040AB10 7518                    jne 0040AB2A

---------   snip  snip  --------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AB10(C)
|
:0040AB2A 3D3CCE5F0D              cmp eax, 0D5FCE3C ; author check (2) !!
:0040AB2F 750C                    jne 0040AB3D      ; <-- we are here

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AB28(U)
|
:0040AB31 53                      push ebx
:0040AB32 56                      push esi
:0040AB33 E8387B0000              call 00412670 ; generate/check serial (1)
:0040AB38 83C408                  add esp, 00000008
:0040AB3B 8BE8                    mov ebp, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040AB2F(C)
|
:0040AB3D 53                      push ebx
:0040AB3E 56                      push esi
:0040AB3F E82C7B0000              call 00412670 ; generate/check serial (2)
:0040AB44 83C408                  add esp, 00000008
:0040AB47 3BC5                    cmp eax, ebp       ; serial ok ?
:0040AB49 741E                    je 0040AB69        ; yes, register !
:0040AB4B 68CFEA0000              push 0000EACF      ; beggar off cracker !

:0040AB50 6888130000              push 00001388
:0040AB55 57                      push edi
:0040AB56 E875C7FFFF              call 004072D0
:0040AB5B 83C40C                  add esp, 0000000C
:0040AB5E 5D                      pop ebp
:0040AB5F 5F                      pop edi
:0040AB60 5E                      pop esi
:0040AB61 5B                      pop ebx
:0040AB62 81C400010000            add esp, 00000100
:0040AB68 C3                      ret

After the program failed for the aothur check(1) the code take us to location :

:0040AB2F 750C                    jne 0040AB3D

This jne skips the first part of generating the real "full" real code, that on location
0040ab3, as so, our try to register will fail. the only way to cheat the program to do
both of the checks is to ignore this jne.
Type in SI r eip=0040ab31, and type x.
The program registered, and it is with the real code, not the *fake* you've entered.

 
 
The Patches 
  
Load up DLLShow.exe into your Hex-Editor ( I use hexWorkshop-32).

For method no. 1 :
 
SEARCH FOR THE FOLLOWING BYTES : 3D92A719017518
REPLACE WITH HIGHLIGHTED BYTES : 3D92A719019090
     
For method no. 2 :
 
SEARCH FOR THE FOLLOWING BYTES : 3D3CCE5F0D750C
REPLACE WITH HIGHLIGHTED BYTES : 3D3CCE5F0D9090
 

REMEMBER, i'm doing my cracks as a hobby and challenge, so please, if you like
this utility and want to keep using it, support the author and pay for it.
 
 
 
Final Notes
 
As i was diving into the code, i saw the author name and company, it looks to me
that this is not the time or place to "push" them for show on the good cracker or the bad cracker. Nopin the first jne gave me the answer for that !

I'm very satisfied that on my first crack i can show 2 methods for doing it.
 

My thanks and gratitude goes to:-
 
The Sandman for all what he is doing for us, newbies.
 
Rhayader for helping me with Reverse Code Engineering and
useful tips
 


 
  Return 
  

Essay by:            The snake
Page Created: 1st December 1998