Beginner Tutorial #7
By: MaDMAn_H3rCuL3s /ARTeam
http://cracking.accessroot.com

Cracking Lost Marble's Moho v5.1 using Memory BP's

The Target:
Moho.exe
The Tools:
Ollydbg 1.10
The Protection:
nag, registration number

Other Information:
After reading this tutorial you should have a good understanding of how to implement memory breakpoints into your work.


1. Introduction:

Today's lesson is going to be about using memory breakpoints to get the desired output we want from Lost Marble's Moho v5.1.  This is not a new concept, but it is usually not used the way it should be.  The target program is a very cool app, so as usual: "If you use the software, you should buy it".  Let's begin with the tutorial.

2. Patching:

We start out as usual, at the EP (entry point) of the program.

Now that we have that established, we need to figure out exactly what we are up against here.

So run the victim in Olly and see what kind of things the program will tell us about itself.  The first thing you see is this:

K... so we need a registration code, either for this new version or from an older version.  Continue to hit F9 until you reach the fully loaded program by clicking on the "DEMO" button.  You will be here soon:


K.. now let's find out what the limitations are if we don't have a serial entered into the program.

(This is from the Help file, which is online.)

"If you haven't purchased a copy of Moho, then the program will be running in "demo" mode. While in demo mode, Moho still allows you access to all features of the program. Anything you can do in the full version you can do in the demo. Also, any files you create with the demo version of Moho will still work fine if you purchase the full version.

The demo version has just two limitations: First, when you render your animation for final output, a "DEMO" watermark will appear on top of your animation. Second, if you export to the SWF (Flash) format, your animation will appear in black & white. If you purchase a copy of Moho, the demo watermark will go away, and you will be able to export SWF files in full color."

So our limitations are:

  1. "DEMO" watermark on animations

  2. Animations will be black & white if the output is in SWF format.

K, so now we know what we have to do.  We need to register the software.  How, you say?  Well, it's very easy. :)

Go ahead and restart the victim, and when the nag screen comes up enter the serial number of your choice.  I chose "998899".  You will see another nag pop up, saying "we haven't entered a correct serial".

K.. good.  Now we have something to go on here.  Let's right click in Olly's main CPU window and select "Search for", then "All referenced text strings".

Once we are brought to the strings window, scroll up to the top and search for "Registration".

Then we need to sit and think for a minute here.  Remember the nag at startup?  Well, what would cause that to pop up?  So our decision of "REGGED/UNREGGED" should take place there.  Do you remember anything the nag said?  It said something about entering a serial, and if you had an old serial, to enter it now.  Well, instead of putting a BP on every REGISTRATION string, why not look for that?  So continue to hit CTRL+L until you reach something that is almost like that; after 3 instances you do :) :


You see it above?  Let's get into this section; hit "Enter" on any of the strings.  I chose to hit Enter on REGISTRATION.

K... Now the idea is simple here.  Somehow we reached this section, either by a JMP or by a CALL.  So scroll up until you reach the beginning of this section.

Now, while on the PUSH -1, do you see the info box?  We are called from another area.

So to find this place, right click on the PUSH -1, then "Go to", then "CALL 00448FE8".

Once there we will determine why we were called.  Now pupils... we need to stop and really think about this (not too hard though) and figure it out.  The main purpose of this tutorial is to show you how to use memory BP's.  Look below:

Our caller is highlighted in blue.  Above it we see 2 conditional jumps.  The one of most interest to us is this pair:

  TEST AL, AL
  JE SHORT moho.00449013

The reason is simple: this is our first chance at jumping over the nag, so why is it not doing it?  Now you can see that it moves the value pointed to by 0078058C into AL, then tests whether that value is 0 or 1.  So let's see what the address 0078058C has stored.  We do the following: right click the instruction, then "Follow in dump", then "Memory address":

Once there we can plainly see that it holds:

Hmm... there's our problem: it is equal to 1, so we don't jump.  We need to somehow make it equal 0.  To do this we will use memory BP's.  So we do the following: in the dump, hit CTRL+G, then enter 0078058C, then restart the victim in Olly.  Once we are back at the EP, in the dump hit CTRL+G, then "Enter" (because the address should still be in the dump's popup), then on that exact byte set a memory BP on write:

Now we restart it, (in the dump) hit CTRL+G, then highlight this first byte, and select "Breakpoint", "Memory, on write".


Then we let the victim run with F9.  You should break here:

Do you see anything interesting?  Hmm... the program moves a 1 to our magic pointer.  So, what do you think we can do?  Well?  How about this:

Now we force a 0 upon this pointer.  Now go ahead and let it run with F9, and you see something that is great... well, nothing (no nag, I mean).  Go ahead and test the limitations: it is fully working now.  Only one byte needed.
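As an added example (my own code, not from this tutorial, from OllyDbg or from Moho), here is what a "memory breakpoint on write" is underneath: the page holding the watched byte is made read-only, the program's store to the flag faults, and a handler records which address was written before letting the store complete. It is Linux/POSIX code using mprotect and a SIGSEGV handler rather than OllyDbg's Windows page protections; the watched page, the flag offset and the single write are constructed for the demo.

```c
/* Added example: a user-space "memory breakpoint on write". Make the page
 * read-only, let the first store fault, record the faulting address in the
 * handler, then re-enable writes so the store is retried and completes. */
#define _GNU_SOURCE
#include <signal.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>
static unsigned char *watched_page;           /* page containing the flag */
static long page_size;                        /* cached: handler avoids sysconf */
static volatile sig_atomic_t write_hits;      /* how many times the BP fired */
static void *volatile last_fault_addr;        /* address of the trapped write */

static void on_write_fault(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)ctx;
    unsigned char *addr = (unsigned char *)si->si_addr;
    if (addr < watched_page || addr >= watched_page + page_size)
        _exit(1);              /* a genuine crash elsewhere: do not swallow it */
    last_fault_addr = si->si_addr;
    write_hits++;
    /* Disarm the breakpoint so the faulting store is retried and completes. */
    mprotect(watched_page, page_size, PROT_READ | PROT_WRITE);
}

/* Arms the watch on a flag byte, performs one write to it (like the
 * program's MOV of 1 into its "registered" flag), and returns the number
 * of times the watch fired (expected: 1), or -1 on a setup failure. */
int run_write_watch(void)
{
    page_size = sysconf(_SC_PAGESIZE);
    watched_page = mmap(NULL, page_size, PROT_READ | PROT_WRITE,
                        MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (watched_page == MAP_FAILED) return -1;
    volatile unsigned char *flag = watched_page + 0x8C;  /* constructed offset */
    *flag = 0;
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = on_write_fault;
    sa.sa_flags = SA_SIGINFO;
    if (sigaction(SIGSEGV, &sa, NULL) != 0) return -1;

    mprotect(watched_page, page_size, PROT_READ);  /* arm: BP on write */
    *flag = 1;                                     /* this store traps once */
    int hits = write_hits;
    int ok = (last_fault_addr == (void *)flag) && (*flag == 1);
    munmap(watched_page, page_size);
    return ok ? hits : -1;
}
```

The recorded fault address is the byte that was written, which is the same information Olly gives you when it breaks on the MOV that stores the 1.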

3. Saving file, Renaming:

Okay, now that we know what we need to patch, let us save the file.  Let's say we use the saved name (for example) Moho_crk.exe (which is what I do to confuse myself less).

So on the edited code we right click, then "Copy to executable", "All modifications".

Then click on save.

So now we have a cracked file with no limitations on it anymore.  Go ahead and have fun with it :)

But keep today's lesson in mind: memory breakpoints are our friends.

References:

For further knowledge on the subject refer to:

  1. Shub-Nigurrath, Beginner Tutorial #8, ARTeam

and essentially all the tutorials seen around (also others on our tutorials page), which always make use of breakpoints.

Conclusion:

Thanks to the whole ARTeam:
[Nilrem] [JDog45] [Shub - Nigurrath] [MaDMAn_H3rCuL3s] [Ferrari] [Kruger] [Teerayoot] [R@dier] [ThunderPwr] [Eggi] [EJ12N]
[Stickman 373] [Bone Enterprise]

[TSRH] [some 0day grps] [BriteDream] [Exetools] [SnD]