ARTeam Tutorial

Visit: http://cracking.accessroot.com | http://forum.accessroot.com

Universal CAD Converter V. 3.0


Information: Cracking and assembly coding tutorial
Target: Universal CAD converter V. 3.0 (http://www.cadsee.com)
Available: http://www.finaldownload.com/software_universal_cad_converter_17551.html
Tools: OllyDbg 1.10
Protection: Trial time
Level: Beginner
Category: Cracking
Author(s): ThunderPwr, November 2004
Requirements: Windows XP SP1, IE 5.5 and above for best viewing


Introduction


Hi all, today's target is Universal CAD Converter Ver. 3.0. This nice program can convert between DWG, DXF, PDF, DWF and various image formats without the need for AutoCAD. Supported DWG/DXF versions range from AutoCAD 2.5 to 2005. You can convert DWG to PDF, and DWG to various image formats: BMP, JPG, TIF, PNG, GIF, TGA, PCX, EMF, WMF. You can also convert DWG to DWF, or DXF to DWF, to protect your DWG or DXF files from being modified. Universal CAD Converter also enables you to convert between any versions of DWG and DXF files. Universal CAD Converter is shareware, and you may download a 15-day trial version for evaluation purposes. This product is reasonably priced compared with other products, but if you think you will use it for longer than this, read this tutorial ;-)

The remainder of this tutorial has the following sections:

1. What we can do (brief explanation about the patching).
2. Executable file analysis after installation.
3. Debugging and cracking the trial time limit and keeping the program registered.
4. Redirection of the purchasing link to the ARTeam web site.



1. What we can do

Our purpose is to defeat the evaluation time limit and keep the program registered.


2. Executable file analysis after installation


When the installation process terminates, first check whether the target program is encrypted/packed or uncompressed. To do this we can use PEiD; see figure 1 for details:


Fig. 1 PEiD file scanner detail.

Well, the program isn't packed. The next step is to search for integrity checks (if there are any) such as CRC or similar; to do this you can use the crypto analyser (KANAL v2.7) feature. We have:


Fig. 2 Crypto signature.

no crypto signatures, so the cracking step can be quite simple.



3. Debugging and cracking the trial time limit


As usual, now it is time to learn more about the target, which means executing it and observing its behaviour. When you run the executable there is a nag screen which tells us the remaining trial evaluation days (this is a 15-day evaluation version); to unlock the program you have to register it.


Fig. 3 Nag screen on the startup program.

you have to wait a few seconds before the Continue button is enabled; now press this button:


Fig. 4 Conversion type select form.

Well, restart the program and perform a referenced string search (right click):


Fig. 5 Referenced text string search option.

a new input dialog opens; enter your text string. In our case a suitable text is "for evaluation" (remember the evaluation-day text string on the startup nag screen, see figure 3):


Fig. 6 Write the string to search.

well, there are some entries; place a breakpoint and double click on the 0045BF81 address (the first one):


Fig. 7 Text string searching results.

look at the code; by stepping through it (F8) you can understand how the program works. Our interest is in CALL 0045BF6F (after this call EAX is equal to the total remaining evaluation days):


Fig. 8 Code about evaluation day.

now take a look at the previous call; step through the code until you reach this place:


Fig. 9 Code for day calculation.

Now set your PC clock to year 2005 (to be sure your trial time has expired) and restart OllyDbg (CTRL+F2). Check this code at 004089ED: -1 has been placed in [EBP-4] and the next instruction moves this value into the EAX register. Change this value to the total trial time (so 0x0E) and save this patch:


Fig. 10 Elapsed trial days fixed to zero.

Now run the application again (hit CTRL+F2); the trial time is definitely defeated and the program works as registered.


Fig. 11 Restart the program after the patching...

the program isn't in trial mode, so you can consider it to be in full mode (the PC clock date has no effect on correct program behaviour).


Fig. 12 Select the drawing format (DWG and DXF) and target format.

push the OK button and select a directory with some CAD files, or just select one file to convert, and choose a target directory where the converted PDF file will be saved (remember for later use: a new program will be called and OllyDbg tells us about program termination):


Fig. 13 Main screen.

to start the conversion simply press the Convert Now button.


Fig. 14 End conversion dialog box.

Well mate, this is the end, have a good conversion!
The next step is mainly for fun, but can be useful because it shows how to manage some API functions which can be used to open a URL.



4. Redirection of the purchasing link to the ARTeam web site


Take a look at the bottom of figure 13: there is one interesting link. Our goal is to change this link and defeat all the CRC checks.
When you have loaded the target in OllyDbg and chosen your source/target file format, the main task terminates and a new application is called. To find where this application resides, just start OllyDbg and attach it to our new target; this program resides in the hidden \Window\inf directory with the name oem4097.exe.


Fig. 15 PEiD file scanner detail.

Well, the program isn't packed. The next step is to search for integrity checks (if there are any) such as CRC or similar; to do this you can use the crypto analyser (KANAL v2.7) feature. We have:


Fig. 16 Crypto signature.

there are some integrity checks, but all can be defeated easily.
Now load the target in OllyDbg and search for the ShellExecuteA API function (press CTRL+N); this function is widely used to open a browser window on some URL:


Fig. 17 Search about ShellExecuteA API function.

press the Enter key on the selected row to search for the entries for this API:


Fig. 18 All entry about ShellExecuteA API function.

now place a breakpoint on each entry: right click and then select the Set breakpoint on every command option:


Fig. 19 Set breakpoint on each API calling.

then:


Fig. 20

Now press F9 to run the program and select our link; OllyDbg stops at 00418D11:


Fig. 21 ShellExecuteA API function.

our link address is in the EDX register:


Fig. 22 Registers

To change this URL you have some options. The first is to change the string resource, but this can result in a CRC error and subsequent exception handling. Another option is to replace the EDX pointer with another one which points to our link, stored in some free space inside the code area. Our way is the second one, so we have to find a safe place in the file where we store the new URL (http://cracking.accessroot.com) in ASCII mode, and code some instructions to move this address into the EDX register; this is necessary because there is no more space at 00418D00. Some free space can be found at the section end, from 008489A5; the first change is:


Fig. 23

Now you have to save the address of our URL in EDX and restore the PUSH 1 instruction, then return to the main flow at the 00418D05 address:


Fig. 24 Copy the pointer to our URL into EDX and restore original code.

and you also have to save the ARTeam URL (in ASCII mode) starting from 0084895C:


Fig. 25 Text about ARTeam website.

Save this patch, work done!
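
The second option above goes unnoticed because an integrity check that covers only part of a file cannot see changes made elsewhere. The following is an added example, not code from this tutorial or from the target program: a defender-side sketch on a constructed toy image, where a per-region SHA-256 manifest catches a change that a resource-only CRC-32 misses. The region names, the sample bytes and the assumption that the CRC covers only the resource data are illustrative.

```python
import hashlib
import zlib

def build_image():
    """Constructed toy image: named regions standing in for PE sections.
    The zero bytes ending "code" model unused padding at a section end."""
    return {
        "code": bytearray(b"\x55\x8b\xec\x6a\x01\xc3" + b"\x00" * 64),
        "rsrc": bytearray(b"http://vendor.example/buy\x00"),
    }

def resource_crc(image):
    """Partial check (assumed design): CRC-32 over the resource region only."""
    return zlib.crc32(bytes(image["rsrc"]))

def region_digests(image):
    """Full-coverage manifest: SHA-256 of every region, padding included."""
    return {name: hashlib.sha256(bytes(data)).hexdigest()
            for name, data in sorted(image.items())}

def changed_regions(image, manifest):
    """Return the names of regions whose digest differs from the manifest."""
    current = region_digests(image)
    return [name for name in sorted(manifest)
            if current.get(name) != manifest[name]]

def demo():
    image = build_image()
    good_crc = resource_crc(image)      # what the partial check records
    manifest = region_digests(image)    # what a full manifest records
    # Simulate a post-build modification of padding bytes in the code region.
    image["code"][-32:-28] = b"\xaa\xaa\xaa\xaa"
    partial_ok = resource_crc(image) == good_crc
    return partial_ok, changed_regions(image, manifest)

if __name__ == "__main__":
    ok, changed = demo()
    print("resource-only CRC still passes:", ok)
    print("regions flagged by full manifest:", changed)
```

The manifest itself has to be protected, for example by a code signature that the operating system verifies before the program runs, because a check stored and evaluated inside the same file can be altered along with it.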



Conclusions

Lesson Learnt

Using OllyDbg and some API functions, and making some cracks to relax your brain.

Remember, if you plan to use this software you should purchase the product to support the authors in developing other good software.

Any suggestion, correction or criticism is welcome; if you need help with this tutorial or other stuff you can reach me on the ARTeam forum.



Greetingz


[MAIN TEAM]
[Nilrem][MaDMAn_H3rCuL3s][Ferrari][EJ12N][Kruger]
[Shub-Nigurrath][Teerayoot][R@dier]
[JDOG45][Eggi][ThunderPwr]

[Support]
[Bone Enterprise]

[Groupz]
[TSRh][SnD][LUCiD]