Visit: http://cracking.accessroot.com

Target         |
Title          | Unpacking & Reversing trial limit
Protection     | Asprotect v1.2x (according to PE Scan) & Time Limited
Tools          | Olly v1.10 Step 2, Resource Hacker v3.4.079, ASPR Stripper v2.07f & PE Scan v3.31
RE Level       | Intermediate
OS Requirement | WinALL
Tutorial by    | MaDMAn_H3rCuL3s/ARTeam
Compiled       | 15th April 2004
PART 1
Scanning and Unpacking DVDFab.exe
If you have not already done so, install PE Scan, so we can find out what type of protection this target has to offer. I would normally take you through a step-by-step unpacking procedure, but this subject has been covered by many tutorials before, so we will assume you already know it. In the weird case that you don't, head on over to here! and try searching for the answer to this topic of interest. Okay, enough with the "you should manually unpack first to learn it better" stuff. Here goes the tutorial.
When you installed PE Scan it entered a registry value so you can easily right-click on a target and, lo and behold, an option to scan the file appears. Go ahead and do this. You will find out that the target is protected with Asprotect. This common packer is the bane of my existence. Not only does it change the file size by packing the target, it also does a little thing called "Stolen Bytes". I really hate this protection. It has turned a 30 minute crack into a 2 hour crack. Here is a screen shot of PE Scan at work and the results of the scan.
I hope you get the same results as me. If not you might have a newer version than me. Okay so that part is out of the way, now for the fun unpacking part. I will include pictures to better guide you on your mission to RE. So we now know what type of protection we are dealing with, go ahead and start up ASPR Stripper. You should have the version I listed (did not test on earlier versions). Your screen should look like this.
Go ahead and click on open (at the top right). You should see this.
Go ahead and click on DVDFab. And you will be brought back to the main screen. Go ahead and click on Unpacking, and this will start the unpacking process. Here's another picture of this at work.
Now all you have to do is exit the unpacker. It will save a file in the same directory DVDFab was installed to, only renamed to _DVDFab.exe. It is that simple. Now you are left with an unpacked target, ready to be reversed.
PART 2
Reversing the 14 Day Trial Period
The whole reason for this tutorial is so that you learn something. I hope you do, and will try and make sense of everything you encounter while Reversing the target.
Let's begin... Start up Olly and open the now unpacked target into her. You will get an error about the code being self-modifying; just hit "OK". You should start at some code similar to this. Look at the picture below.
Hopefully we are all on the same page here. You will notice the file name is _DVDFab. See it? Alright, let us begin with a common thing to do before any reversing begins (except unpacking, that doesn't count). This "thing" is checking the String References. This is a habit I picked up when I was an exclusive Disassembler user. I was really scared of a debugger. Now that's all I do. Anyway, to check the string ref's, right-click on any part of the CPU window (where there's code), and a menu pops up; just select "Search For", then "All referenced text strings". Look at the picture below if you still don't understand.
See, it's quite simple. You will see a black scroll bar go from left to right at the bottom of the screen; this is okay, it's just searching the target for references. Once that completes you will see another window pop up. This is the String Ref's page. Look at the picture below.
I hope we are all on the same page still; this really isn't too difficult compared to what's next in store for us. I will warn you, this will probably be a long tutorial. This is good though, because you will walk away understanding the concept of RE a lot better. That is my goal with this tutorial anyway. So... go ahead and check out the string ref's for anything of interest. Well, I won't lie to you, you won't find shit. So we must take another approach. This approach was developed by a guy named Ricardo Narvaja. You can find the tutorial HERE. This method is called the Point-H method. Everyone's Point-H is different from system to system, which is why you must either know yours or read the tutorial on it to find it. So before we proceed, go find what yours is. Go on, I will give you a few minutes to read and understand it...
Okay, let us proceed now. So you have now found your Point-H. This is similar to the Hmemcpy of Win98. You will find a valid serial number by trapping it from memory, because the program must compare your number with the real one somewhere. This works for me most of the time. The other times it is because the number is either RSA'ed or encrypted somehow. I am lacking in the skills of decryption. Anyway, here we go...
My Point-H is 77D59303. So we will now run the target in Olly and enter in a fake serial number, but before we hit "OK" we will put a BP on the Point-H. So Start up Olly, and enter in your favorite serial number. I will use 998899. I always use 998899, it's from the days of Softice. It is converted to F3DF3 (easy to point out). So look below for some pictures. They will be in a certain order. I will label them beneath, so you can follow better. Look below.
This is when you first start the target up. Go ahead and click on "Enter Register Code".
This is the "Enter Register Code" screen. So go ahead and enter in your favorite number.
My favorite number. Now before you go and hit "Register", Go back to Olly and click on the "E" at the top. This will bring up the Executable Modules window. Look Below.
As I did, highlight User32.dll and double-click it to bring you into the user32 module. Look below.
Okay we are almost there. Now you will want to hit Ctrl+G. This will bring up the "goto" expression box. Type in your Point-H and hit "OK". Look below.
This is before I hit "OK".
And after I hit "OK". Now you will want to: Right Click, Breakpoint, Memory on Access. Look below.
Now bring the target back to the front, and hit "Register". You should break here. Look below.
Now take a look at your ESI register. See it? That's your serial. What this set of code is gonna do is transfer your serial from ESI to EDI. Look below for the ESI register.
When your serial number finally goes from ESI to EDI, you will put another BP on memory there. I am sure you read the tutorial on it from Ricardo so I will not get too into it. If you look below this is where you will eventually end up by putting a BP on memory. Look below.
You can trace and trace but I was unable to De-Crypt the Registration number. This is too advanced for me now at this stage. So we will continue on with another approach I have up my sleeve.
This next method I will show you was taught to me by Satyricon (sorry if spelled wrong). This is the Call Stack method. This is a highly useful tool. Remember this one. Ready??????? Let's go.
Minimize the string ref's, if you have not already done so, and go ahead and either hit F9 or click on the play looking button to start up the program. You should be greeted with a nice little pop-up box that now says either register or exit. Used to say Register or continue. Piece of shit huh? Well now that pop-up is there, why not hit F12 (pauses app) and then hit Alt+K (brings up Call Stack). A new window appears. Should look like this below.
We are gonna take a special interest in the ? <JMP.&mfc42.#2514>, since this is an MFC app. These you will find to be easier than normal apps. So double-click on the above-mentioned offset. You should be brought to a spot like this. Look below.
Now that you are here your first instinct is to put a BP on this JMP. But wait....... Before you go doing that, think about this one through. If you put a BP here it will break before the pop-up appears, but you are not deep enough into the code to make a difference. You will need to put a BP on all the callers to this JMP. Make sense? So to do this, with the line still highlighted, like above, hit Ctrl+K. This will bring up all the callers to this JMP. Look below for a picture of it.
Now you will need to put a BP on all of these calls. So hit F2, and scroll down the list using the down arrow on your keyboard. Once that is done you can restart the app by either pressing Ctrl+F2 or hit the Rewind looking button. Now hit F9 or the Play looking button to make the app run. You should break at this spot. Look below.
This call is setting up the MFC call that shows the pop-up. You are doing a great job so far. Just bear with me for a little bit longer. Take a look at the TEST EAX,EAX above where you broke. Do you see a (C)Jump? JNZ... by chance? Well, this looks interesting. Why don't we put a BP on the 00403060 MOV ECX,EAX. Now we will restart the app again, and run it once more to see what this app is telling us. Go ahead and restart it. Now run it again. You should look like below.
Now start hitting F8 to run through the code. You will notice that the app never jumps. So it always calls the Bad pop-up. Lets try to make it jump so it will never call this pop-up. So change these two offsets from:
00403067 TEST EAX,EAX
00403069 JNZ SHORT _DVDFab.004030A5
TO:
00403067 XOR EAX,EAX
00403069 JE SHORT _DVDFab.004030A5
This will ensure it always jumps no matter what the case. So your change should look like this in Olly. Look below.
Now Hit F9 to let the program finish running itself through (You may need to hit it more than once, depending on if you cleared the other BP's).
Well what do you know. Do you see this as well? Look below.
Well, it looks like you did it, cracker. We now have a fully functional app. Now you will need to restart it and change those addresses again. But that's okay, right? Go ahead and do that now. Save it. Now let's check out our cracked app. You can check out its functionality. I already did. It works 100%. You will notice we ran into one small problem though. If you click on the icon second from the left at the top right, an about box appears. Take note of the registered user. It says "This copy is licensed to: Trial User". Look below for a picture.
Although the app is cracked now, you can't very well release this to the public without your name being there. This is sort of a "I cracked this", or marking your territory thing. So now you can try to find a reference to this in the string ref's. But I already did this and did not find anything. So we must use an outside source. For this I will call upon the help of Resource Hacker. I hope you got this tool handy. If not search around on the net for it. So now I will assume you have it. Start up Resource Hacker and open the "Partially cracked" app. It should look like this. Look below.
Now click on the View Tab at the top and search for "Trial User". You should land here. Look Below.
So simply just change the "Trial User" to what your moniker is. Make sure you keep the quotes around your name or it will shit on itself. After you change the name to yours, Compile the Script, and "Save As" be sure to rename it to something other than what is already in your directory, also put the ".exe" after the filename or it won't keep the same file attributes. We are trying to make this as original as possible here. So after you do that just open up the now "Fully Cracked" app, and check the about box. Look below for what I entered.
Well I hope you enjoyed this tutorial. I tried to make this as easy as possible for you. Remember if you like the program you should really consider buying it.
Greets:
ARTeam
Rachael
The Hive
Rhodium
*Note1: the above was for informational purposes only. Do not engage in any type of Reverse Engineering or "Cracking".
*Note2: The bees seen at the header of the tutorial were taken from The Hive website.
I thank you for your time, and hope you really learned something from this tutorial. You are now one step closer to being a great Reverse Engineer. I am MaDMAn_H3rCuL3s, and I am out.
For the latest and greatest tutorials on Olly please visit:
http://cracking.accessroot.com