Requirements:

Numega Softice 4.05

Numega SmartCheck

W32DASM

Information:

Target: ProtectX v 4.16

Author: hEYWIRE

Download: http://www.plasmateksoftware.com

About:

The purpose of this tutorial is to offer help to anyone wishing to study the art of Reverse Code Engineering. Breaking the protection systems in programs is an intellectual challenge; it should NOT be used to steal software. REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE

Program Info:

ProtectX is a complete hacker defence suite for personal computers running Windows (95/98/2000/Millennium). ProtectX keeps a constant watch on your PC, and if anyone tries to connect to it on the specified ports, it will automatically perform the necessary action to prevent the hack. It also maintains the system's integrity, keeping it free from trojan horse backdoors by monitoring the areas of the system in which trojan horses hide themselves (such as the system registry); if changes are detected, it allows you to terminate the trojan, delete the file, and remove all traces of it from the system.

Registering:

OK, run the target program and scan it with your favorite PE identifier. We now know it is not packed and is written in Visual Basic 6.0. So let's try to crack this program with SmartCheck. I'm hoping you know how to use SmartCheck (I'm going to call it SC from now on) and what settings to change in it. Run SC and click the Play button; it will run the target program. What's this? A damn message box!

OK, as we can see, the program has a routine in it that checks whether SC is running. Let's get out the big gun, SoftICE. Break into SoftICE and set a breakpoint with "BPX MessageBoxIndirectA". Run the program with SC again; SoftICE should break. Hit F11, then click the OK button. Keep pressing F12 to get back into the program's own code. You should land here:

0167:004406A3  PUSH    EDX
0167:004406A4  LEA     EAX,[EBP-58]
0167:004406A7  PUSH    EAX
0167:004406A8  LEA     ECX,[EBP-48]
0167:004406AB  PUSH    ECX
0167:004406AC  PUSH    10
0167:004406AE  LEA     EDX,[EBP-38]
0167:004406B1  PUSH    EDX
0167:004406B2  CALL    [MSVBVM60!rtcMsgBox]    <- this is the call for the message box
0167:004406B8  LEA     EAX,[EBP-68]            <- you land here
0167:004406BB  PUSH    EAX
0167:004406BC  LEA     ECX,[EBP-58]
0167:004406BF  PUSH    ECX
0167:004406C0  LEA     EDX,[EBP-48]
0167:004406C3  PUSH    EDX
0167:004406C4  LEA     EAX,[EBP-38]

OK, scroll up and let's find any jumps we could change. Scroll up until you get to here:

0167:00440630  MOV     DWORD PTR [EBP-04],00000005
0167:00440637  MOVSX   ECX,WORD PTR [EBP-24]
0167:0044063B  TEST    ECX,ECX
0167:0044063D  JZ      004406E0                <- this is our jump
0167:00440643  MOV     DWORD PTR [EBP-04],00000006
0167:0044064A  MOV     DWORD PTR [EBP-60],80020004
0167:00440651  MOV     DWORD PTR [EBP-68],0000000A
0167:00440658  MOV     DWORD PTR [EBP-50],80020004
0167:0044065F  MOV     DWORD PTR [EBP-58],0000000A
0167:00440666  MOV     DWORD PTR [EBP-80],004130F4
0167:0044066D  MOV     DWORD PTR [EBP-0088],00000008
0167:00440677  LEA     EDX,[EBP-0088]
0167:0044067D  LEA     ECX,[EBP-48]

The jump at code location 0044063D is the one we have to reverse. So set a breakpoint above this jump in SoftICE and run SC again. You should break in SoftICE. Just reverse the jump with 'R FL Z' and SC should keep running. As you know how to use SC, you now know it gives us no real serial number or any info on the serial calculation. Let's think for a bit. OK, the protection is that it is limited to how many times you can run it. Let's disassemble the program. I'm going to use W32DASM and a patch for it that allows us to view Visual Basic strings. The patch I'm using for W32DASM is from a group called DREAD; their link is http://dread99.cjb.net. I'm sure there are loads of patches out there for W32DASM for you to download. When we start this program we get a message box telling us we have so many days to run this program. Let's look for this string in W32DASM: "You have". Found it, good.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00447A83(C) <- this is the call; left click here

* Reference To: MSVBVM60.__vbaEnd, Ord:0000h

|

:00447A97 8B353C104000 mov esi, dword ptr [0040103C]

:00447A9D FFD6 call esi

:00447A9F FFD6 call esi

:00447AA1 681F7C4400 push 00447C1F

:00447AA6 E96A010000 jmp 00447C15

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:0044794C(C)

|

:00447AAB 8D5580 lea edx, dword ptr [ebp-80]

:00447AAE 8D4DB0 lea ecx, dword ptr [ebp-50]

* Possible StringData Ref from Code Obj ->"Trial Period"

|

:00447AB1 C74588D4454100 mov [ebp-78], 004145D4

:00447AB8 C7458008000000 mov [ebp-80], 00000008

* Reference To: MSVBVM60.__vbaVarDup, Ord:0000h

|

:00447ABF FF15F4124000 Call dword ptr [004012F4]

:00447AC5 66B80B00 mov ax, 000B

* Possible StringData Ref from Code Obj ->"You have " <- here's our string

|

:00447AC9 6878454100 push 00414578

:00447ACE 662BC6 sub ax, si

:00447AD1 0F805D010000 jo 00447C34

:00447AD7 50 push eax

After left-clicking the reference above, we now land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00447A5E(C)

|

:00447A70 8B3524B04700 mov esi, dword ptr [0047B024]

:00447A76 56 push esi

:00447A77 8B16 mov edx, dword ptr [esi]

:00447A79 FF9200070000 call dword ptr [edx+00000700]

:00447A7F 85C0 test eax, eax

:00447A81 DBE2 fclex

:00447A83 7D12 jge 00447A97 <- this is the jump to change

:00447A85 6800070000 push 00000700

:00447A8A 68B4E74000 push 0040E7B4

Keep scrolling up and following the calls, and try to figure out what the program is doing; even if you don't understand all of it, the APIs will help you. OK, keep scrolling up until you land at the jump at code location 00447A83. It is a JGE. So it's straightforward enough: let's make this a JMP. Done. Now run the target program: no message box. Run it a few times just to make sure the message box is gone for good.
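Before trusting a listing's printed branch targets, it is worth recomputing them from the raw bytes. The following is an added example in Python (not part of the original tutorial) that decodes the x86 relative-jump encodings W32DASM printed above (short Jcc, near Jcc and JMP rel32) and checks that each recomputed target matches what the listing says; the addresses and byte strings are copied from the listing.

```python
# Decoder for the relative-jump encodings seen in the W32DASM listing above.
# For every relative jump, target = address of the NEXT instruction + signed
# displacement, so the printed target can be recomputed from the bytes alone.
import struct

# (instruction address, raw bytes, mnemonic, target) copied from the listing.
LISTING = [
    (0x00447A83, bytes.fromhex("7D12"),         "jge", 0x00447A97),
    (0x00447AA6, bytes.fromhex("E96A010000"),   "jmp", 0x00447C15),
    (0x00447AD1, bytes.fromhex("0F805D010000"), "jo",  0x00447C34),
]

# Short conditional jumps: opcode 0x70..0x7F followed by a rel8 displacement.
SHORT_JCC = {0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae", 0x74: "jz",
             0x75: "jnz", 0x76: "jbe", 0x77: "ja", 0x78: "js", 0x79: "jns",
             0x7A: "jp", 0x7B: "jnp", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle",
             0x7F: "jg"}

def decode_jump(addr, code):
    """Return (mnemonic, length, absolute target) for a relative jump at addr."""
    op = code[0]
    if op in SHORT_JCC:                               # 7x rel8
        disp = struct.unpack_from("<b", code, 1)[0]
        return SHORT_JCC[op], 2, (addr + 2 + disp) & 0xFFFFFFFF
    if op == 0xEB:                                    # EB rel8 (jmp short)
        disp = struct.unpack_from("<b", code, 1)[0]
        return "jmp", 2, (addr + 2 + disp) & 0xFFFFFFFF
    if op == 0xE9:                                    # E9 rel32 (jmp near)
        disp = struct.unpack_from("<i", code, 1)[0]
        return "jmp", 5, (addr + 5 + disp) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:        # 0F 8x rel32 (near Jcc)
        disp = struct.unpack_from("<i", code, 2)[0]
        return SHORT_JCC[code[1] - 0x10], 6, (addr + 6 + disp) & 0xFFFFFFFF
    raise ValueError("not a relative jump: %s" % code.hex())

def check_listing(entries=LISTING):
    """Recompute each jump; return [(addr, mnemonic, target, matches_listing)]."""
    out = []
    for addr, code, mnem, printed in entries:
        got_mnem, _, target = decode_jump(addr, code)
        out.append((addr, got_mnem, target, got_mnem == mnem and target == printed))
    return out

if __name__ == "__main__":
    for addr, mnem, target, ok in check_listing():
        print("%08X  %-3s %08X  %s" % (addr, mnem, target, "ok" if ok else "MISMATCH"))
```

The two-byte `7D 12` at 00447A83 also shows why the tutorial's patch is a single byte: the opcode byte alone selects the condition, while the displacement byte that decides where the branch lands stays the same.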

So after the author of this program put in an anti-SC routine, it only took changing one byte to have a fully working program. So what's the moral of this tutorial? There's always a way.

Final Notes:

That's it for this tutorial; I hope you learned something. If there are any spelling mistakes or grammar errors then forgive me, I'm only human. Just a short note, REMEMBER, I do my cracks/keygens as a hobby and challenge, so please, if you like the utility you crack and keep using it, support the author and pay for it! Peace, hEYWIRE