Cracking Tutorial for Quick Heal 3.14

Before we start, please read the Disclaimer section of this essay!

Target Program: Quick Heal 3.14
Description: Quick Heal is a good Virus Scanner.
If you prefer an FTP search, look for QH514.EXE (3807597 Bytes).
Protection: Unlock-Code
Tools needed: SoftICE 3.2
Ob duh: Do I really have to remind you all that BUYING and NOT stealing the software you use will ensure that these software houses will continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try to search elsewhere on the Web under Warez, Cracks, etc.
Level: (X)Beginner ( )Intermediate ( )Advanced ( )Expert

First of all, start Quick Heal. The first thing I noticed was the info about the "Installation Number", which is partly calculated from your Win 95/98 registration number. The installation number looks like the following: NNNN-NNNN-NNNN and is stored in your registry. If you want to register the program, a dialog box asking for an unlock code will be displayed (I've changed the Installation Number of course):

Since we want to get a valid Unlock Code for our Installation Number, we enter any number, like 111111111111. Then we enter SoftICE by pressing CTRL-D to set the necessary breakpoints. For this program we can use GetDlgItemTextA as our BPX. So set a BPX on GetDlgItemTextA and return to Quick Heal. Now press the "OK" button. SoftICE will pop up at the GetDlgItemTextA function. Now press F11 to return to the function that called GetDlgItemTextA. You'll see the following code:

  :0041F192  FF711C               PUSH    DWORD PTR [ECX+1C]
  :0041F195  FF1564BB4400         CALL    [USER32!GetDlgItemTextA]
  :0041F19B  EB0A                 JMP     0041F1A7
  :0041F19D  8B02                 MOV     EAX,[EDX]
So after we've returned from the GetDlgItemTextA function (F11), we'll step through the code using the F10 key. We'll jump to 41F1A7. The code at 41F1A7 will look like the following:
  :0041F1A7  5D                   POP     EBP
  :0041F1A8  C20C00               RET     000C
Now step forward through the code. After you've passed the "RET 000C" instruction, you'll get the following code:
  :0040A2F0  8D45EC               LEA     EAX,[EBP-14]
  :0040A2F3  50                   PUSH    EAX
  :0040A2F4  E80FC0FFFF           CALL    00406308
  :0040A2F9  83C404               ADD     ESP,00000004
  :0040A2FC  8D45D8               LEA     EAX,[EBP-28]
  :0040A2FF  8D4DEC               LEA     ECX,[EBP-14]
  :0040A302  50                   PUSH    EAX
  :0040A303  51                   PUSH    ECX
  :0040A304  E8B1C1FFFF           CALL    004064BA
  :0040A309  83C408               ADD     ESP,00000008
  :0040A30C  83F801               CMP     EAX,00000001
  :0040A30F  0F8580000000         JNE     0040A395

At 40A2F3 type D EAX to see what's in EAX. Then step over the call (F10). Hey, what's that? EAX has changed its value to our Installation Number 1111-1111-1111. OK, now at 40A302 look at the value of EAX again. Now EAX contains our entered Unlock Code and our Installation Number. If you have a look at ECX, you'll find out that it contains our Installation Number. Since there is a "CMP EAX,1" instruction (the check whether the Unlock Code is valid) after the "CALL 4064BA", we have to enter this call by pressing F8. If we only wanted to patch Quick Heal 3.14, we could NOP out the JNE instruction; that would work in Quick Heal, but we want to find our Unlock Code. Inside the CALL to 4064BA, you'll find the following code:
  :004064BA  55                   PUSH     EBP
  :004064BB  8BEC                 MOV      EBP,ESP
  :004064BD  83EC20               SUB      ESP,00000020
  :004064C0  56                   PUSH     ESI
  :004064C1  8D45F4               LEA      EAX,[EBP-0C]
  :004064C4  57                   PUSH     EDI
  :004064C5  50                   PUSH     EAX
  :004064C6  E84CFDFFFF           CALL     00406217
  :004064CB  83C404               ADD      ESP,00000004
  :004064CE  8B7508               MOV      ESI,[EBP+08]
  :004064D1  6A2D                 PUSH     0000002D
  :004064D3  56                   PUSH     ESI
  :004064D4  E8675B0000           CALL     0040C040

At 4064D1 ESI contains our Installation Number. Step over the CALL 0040C040 by pressing F10. You'll see the following code:
  :004064D9  83C408               ADD      ESP,00000008
  :004064DC  8D7801               LEA      EDI,[EAX+01]
  :004064DF  8D45F4               LEA      EAX,[EBP-0C]
At 4064E2, EDI contains the H-part of the following part of our Installation Number: NNNN-HHNN-NNNN. EAX contains the G-part of the following part of our Installation Number: NNNN-GGGG-GGGG (including the dash).
Since we know this, we can trace forward through the following code:
  :004064E2  6A02                 PUSH     00000002
  :004064E4  57                   PUSH     EDI
  :004064E5  50                   PUSH     EAX
  :004064E6  E865650000           CALL     0040CA50
  :004064EB  83C40C               ADD      ESP,0000000C
  :004064EE  85C0                 TEST     EAX,EAX
  :004064F0  7404                 JE       004064F6
  :004064F2  33C0                 XOR      EAX,EAX
  :004064F4  EB54                 JMP      0040654A
As you already know, we can change the Installation Number, which is stored in the registry. The coders at Quick Heal probably know that a cracker will try to do this, and so they check whether the Installation Number is valid or not. This is done in the CALL 40CA50. The call 40CA50 will execute "NOT ECX" (so that ECX = -1) and "MOV EAX,ECX" if your Installation Number is invalid. So the check at 4064EE will fail, you won't jump to 4064F6, EAX will be XORed (4064F2), and then the check at 40A30C will fail as well, because "XOR EAX,EAX" leaves EAX = 0 and not the 1 needed to pass the test at 40A30C.
So if your Installation Number is valid, you'll see the following code:
  :004064F6  8D45F4               LEA      EAX,[EBP-0C]
  :004064F9  50                   PUSH     EAX
  :004064FA  56                   PUSH     ESI
  :004064FB  E87CFDFFFF           CALL     0040627C
At 4064F9, EAX will contain the H-part of the following part of our Installation Number: NNNN-HHNN-NNNN. And at 4064FA, ESI will contain our complete Installation Number. Now step over the CALL by pressing F10 and you'll see the following code:
  :00406500  83C408               ADD      ESP,00000008
  :00406503  6A2D                 PUSH     0000002D
  :00406505  57                   PUSH     EDI
  :00406506  E8355B0000           CALL     0040C040
  :0040650B  83C408               ADD      ESP,00000008
  :0040650E  40                   INC      EAX
  :0040650F  8D4DF1               LEA      ECX,[EBP-0C]
  :00406512  6A04                 PUSH     00000004
  :00406514  50                   PUSH     EAX
  :00406515  51                   PUSH     ECX
  :00406516  E835650000           CALL     0040CA50
  :0040651B  83C40C               ADD      ESP,0000000C
  :0040651E  85C0                 TEST     EAX,EAX
  :00406520  B800000000           MOV      EAX,00000000
  :00406525  7523                 JNE      0040654A
At 406505, EDI contains the G-part of the following Installation Number: NNNN-GGGG-GGGG (including the dash). Then there's a (not important) CALL. At 40650E EAX contains the L-part of the following Installation Number: NNNN-NNNN-LLLL (including the dash before the first L). Since the dash is unimportant, it is skipped by the "INC EAX" instruction at 40650E. At 406512 ECX contains the L-part of our Installation Number (without the dash). Then the CALL checks whether EAX and ECX are different. If they are different, the call 40CA50 will execute "NOT ECX" (so that ECX = -1) and "MOV EAX,ECX", and you'll fail the check at 40651E. If they aren't different, Quick Heal will continue by checking your Unlock Code against the real Unlock Code. So you'll see the following code:
  :00406527  8D45E0               LEA      EAX,[EBP-20]
  :0040652A  50                   PUSH     EAX
  :0040652B  56                   PUSH     ESI
  :0040652C  E81CFEFFFF           CALL     0040634D
At 40652B, ESI will be the complete Installation Number.
  :00406531  83C408               ADD      ESP,00000008
  :00406534  8D45E0               LEA      EAX,[EBP-20]
  :00406537  FF750C               PUSH     [EBP+0C]
  :0040653A  50                   PUSH     EAX
  :0040653B  E870590000           CALL     0040BEB0
At 406537, EAX will be the real Unlock Code. It looks like NNNN-NNNNNNNN. Write this code down. If you do a D EBP+0C you'll see the Unlock Code you've entered. So simply press CTRL-D to return to Quick Heal. Now enter the unlock code you've written down. The Unlock Code for the Installation Number 1111-1111-1111 is 3333-11119999. Now Quick Heal is cracked.
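The weakness this walkthrough exploits is a design one: the program computes the genuine Unlock Code from the Installation Number, leaves it in memory, and then compares it with what the user typed (the compare at 40653B), so anyone stopped in a debugger at that point simply reads it off. The added example below is not Quick Heal's code and does not use Quick Heal's derivation; the `derive_code` function is a constructed stand-in. It models that weak shape next to a verifier built on a (toy, textbook, deliberately tiny and unpadded) RSA signature, where the client holds only a public key and the private key stays with the vendor. Nothing at the compare site of the second verifier is a usable code, and nothing in the client binary lets a code be produced for another Installation Number. Note that neither design stops the other trick the essay mentions (NOPing the conditional jump); a signature only stops the code from being read or derived.

```python
"""Constructed example, not Quick Heal code: the 'materialise the genuine code and
compare' pattern beside a signature-based verifier. Toy RSA: insecure, illustration only."""
import hashlib
import random


# --- Weak pattern (the shape the walkthrough steps through) -----------------------

def derive_code(installation_number: str) -> str:
    """Constructed derivation (NOT Quick Heal's algorithm): the vendor's 'real' code."""
    h = hashlib.sha256(installation_number.encode()).hexdigest().upper()
    return f"{h[:4]}-{h[4:12]}"          # same NNNN-NNNNNNNN shape the essay reports


def verify_weak(installation_number: str, entered: str) -> tuple:
    """Returns (ok, expected). 'expected' is what a debugger sees right before the
    compare: the genuine code is fully present in the verifier's memory."""
    expected = derive_code(installation_number)
    return entered == expected, expected


# --- Signature-based verifier: the client cannot produce codes --------------------

def _is_probable_prime(n: int, rounds: int = 16) -> bool:
    """Miller-Rabin; adequate for a toy key, not a production primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = random.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits: int) -> int:
    while True:
        candidate = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(candidate):
            return candidate


def make_toy_keypair(bits: int = 96):
    """Textbook RSA with tiny parameters. Returns (public, private); only the
    public half ships inside the product, the private half stays with the vendor."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            break
    n = p * q
    d = pow(e, -1, phi)
    return (n, e), (n, d)


def _digest_int(installation_number: str, n: int) -> int:
    """Hash of the Installation Number reduced into the RSA group (toy; no padding)."""
    return int.from_bytes(hashlib.sha256(installation_number.encode()).digest(), "big") % n


def vendor_issue_code(private_key, installation_number: str) -> str:
    """Vendor side: the Unlock Code is a signature over the Installation Number."""
    n, d = private_key
    return format(pow(_digest_int(installation_number, n), d, n), "x")


def verify_signed(public_key, installation_number: str, entered: str) -> bool:
    """Client side: recover the signed digest with the public key and compare it.
    The value compared is a hash of the Installation Number, never a code."""
    n, e = public_key
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < n:
        return False
    return pow(sig, e, n) == _digest_int(installation_number, n)


if __name__ == "__main__":
    install = "1111-1111-1111"                    # constructed sample input
    ok, leaked = verify_weak(install, "0000-00000000")
    print("weak verifier accepted:", ok, "| visible in memory at compare:", leaked)
    pub, priv = make_toy_keypair()
    code = vendor_issue_code(priv, install)
    print("signed verifier accepted:", verify_signed(pub, install, code))
    print("same code on another install:", verify_signed(pub, "2222-2222-2222", code))
```

The design choice to take from this: the verifier's memory is always readable by whoever runs the program, so the check must be something that confirms a code without containing the means to produce one.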
If you're USING Quick Heal BEYOND its FREE TRIAL PERIOD, then please BUY IT.

Disclaimer: This essay is for EDUCATIONAL purposes only, if you wish to use the program/game then please BUY IT.

Info: Brand and product names are trademarks or registered trademarks of their respective holders.

Copyright 1998 by TORN@DO and The Immortal Descendants. All Rights Reserved.