Cracking 4 Newbies
Lesson 3: Cracking Regview v1.21a with dead listing approach
In this third lesson I'll teach you the basics of the dead listing cracking approach, which I use quite often, mostly in combination with SoftICE, but in this lesson we'll crack the program purely with W32DSM and a hex editor. The target program is Regview v1.21a. I wrote a tutorial on this program quite some time ago and I used it in this lesson, BUT....specially adapted for you, 100% newbie! Let's go...
Well, obviously RegView is a prog for viewing the Windows registry. I always use it when cracking, and therefore it is an indispensable tool. It's "protected" with a 30-uses limit. When the 30 uses are exceeded, RegView displays the following message: "Maximum number of trials has been reached! To continue use...." etc. Before loading regview.exe into W32DSM, we'll first make a copy of it and disassemble the copy and NOT the .exe itself. Why? Because if the original .EXE is disassembled and you then try to hex-edit it (to patch the program), you'd get a "Readonly error". So make a copy of regview.exe. I always use the extension .DSM, so our copy would be regview.dsm.
Now fire up W32DSM and disassemble the .DSM file (remember: do not disassemble the .EXE!!). You disassemble a file by clicking on "Disassembler", then on "Open File to disassemble", then selecting regview.dsm and clicking on Open. Now THAT's easy, huh?
Give the program some time to disassemble....on bigger files that can take quite some time! When the program is disassembled, click on "Disassembler", then on "Save disassembly textfile", then just save it. Next time you can open the "dead listing" by clicking on "Project", then on "Open project file". Btw, I won't explain how to do things in W32DSM anymore because it's just too simple...you can also use the buttons...and if you don't know what each button does, just hold the mouse still on it for a few seconds....a little yellow box will explain what it does!

Okay...you remember the string "Maximum number of trials has been reached! To continue use...." ? You can search for it in the dead listing. Do that NOW......you should see the following asm code:

---------------------------Start-of-partial-code----------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D830(C) <- That's where you can find a jump to this "beggar off"
|
:0048D856 6A00                    push 00000000
:0048D858 668B0DBCDB4800          mov cx, word ptr [0048DBBC]
:0048D85F B202                    mov dl, 02 

* Possible StringData Ref from Code Obj ->"Maximum number of trials has been "
                                        ->"reached! To continue use of this "
                                        ->"program, you need to register "
                                        ->"now!"
----------------------------End-of-partial-code-----------------------------
Okay, maybe this looks somewhat confusing to you. Don't worry, you'll understand very soon as long as you know some basic assembler! Now try to follow my reasoning:
If the program is registered, it never executes the code I just showed you. So! It's quite logical that we have to change the program in such a way that it DOES NOT EXECUTE THIS CODE! How can we do that? Well, we can see that there's a conditional jump at address 0048D830. The trick now is to go to that address and change the jump so that it no longer jumps to the code above :) Sounds confusing? Don't worry. Let's take a look at code location 0048D830 where the program jumps to the "You have to register" message.

---------------------------Start-of-partial-code----------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D806(C) <- There's a jump at 48D806 that jumps to this "beggar off" 
|
:0048D816 8D55F0                  lea edx, dword ptr [ebp-10]
:0048D819 B801000000              mov eax, 00000001
:0048D81E E8BD51F7FF              call 004029E0
:0048D823 8B45F0                  mov eax, dword ptr [ebp-10]

* Possible StringData Ref from Code Obj ->"try"
                                  |
:0048D826 BAB8DB4800              mov edx, 0048DBB8
:0048D82B E83066F7FF              call 00403E60
:0048D830 7524                    jne 0048D856 <- Here is the jump
:0048D832 B90CFFFFFF              mov ecx, FFFFFF0C

----------------------------End-of-partial-code-----------------------------
Okay, so now you say: "Let's change the jne 0048D856 so that it doesn't jump"....well, that's a good beginning of your cracking feeling, but....if you tried it, it wouldn't work. So, if you want the program to be cracked, the code above also cannot be executed! So we do the same thing as before: go to the conditional jump that jumps to this code, i.e. goto code location 0048D806 (btw, the shortcut in W32DSM for "Goto code location" is Shift+F12).
---------------------------Start-of-partial-code----------------------------
* Possible StringData Ref from Code Obj ->"CLSID"
                                  |
:0048D7C4 BAA8DB4800              mov edx, 0048DBA8
:0048D7C9 8B45F8                  mov eax, dword ptr [ebp-08]
:0048D7CC E85B9CFCFF              call 0045742C
:0048D7D1 8B1550D34900            mov edx, dword ptr [0049D350]
:0048D7D7 8902                    mov dword ptr [edx], eax
:0048D7D9 A150D34900              mov eax, dword ptr [0049D350]
:0048D7DE 81280BFFFFFF            sub dword ptr [eax], FFFFFF0B
:0048D7E4 A150D34900              mov eax, dword ptr [0049D350]
:0048D7E9 81387CF8FFFF            cmp dword ptr [eax], FFFFF87C

:0048D7EF 750D                    jne 0048D7FE <- if the registration code in the
                                                  registry is wrong, go check the trial uses
:0048D7F1 A104D34900              mov eax, dword ptr [0049D304]
:0048D7F6 C60001                  mov byte ptr [eax], 01 <- set registered flag!!
:0048D7F9 E987020000              jmp 0048DA85

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0048D7EF(C) 
|
:0048D7FE A150D34900              mov eax, dword ptr [0049D350]
:0048D803 83381E                  cmp dword ptr [eax], 0000001E <- compares the number of
                                                  uses to the maximum (1E is hex for 30!!)
:0048D806 7F0E                    jg 0048D816 <- if the 30 trial uses are exceeded
                                                  then "beggar off"
----------------------------End-of-partial-code-----------------------------
So, the only thing left is to change the "jne 0048D7FE" at 0048D7EF into two NOP (=do nothing) instructions, so it never jumps to the trial-uses check and always falls through to the code that sets the registered flag!
  Before cracking:
  ---------------

  :0048D7EF 750D          jne 0048D7FE

  After cracking:
  ---------------

  :0048D7EF 90            NOP
  :0048D7F0 90            NOP
I'll give, for this ONE time, a detailed explanation on how to patch the program with a hex editor! I'll use HIEW to do that. Follow me:
  • Goto code location 0048D7EF
  • Note the offset address in the bottom right corner of W32DSM
  • Open up HIEW and open REGVIEW.EXE
  • Press F4 then F3
  • Press F5 (goto location) and type in the offset address you noted
  • Press F3 (change code)
  • Type "90" twice, of course without the quotes
  • Press F9 (=save changes)
  • Press Escape if you made a mistake

    The program is cracked!! To make a leet crack for it...download RTD-patcher here. Please read the docs on how to do it!! The syntax for getting the assembler file is "RTD_PT20.EXE [original file] [patched file] /A". Then you can change it your way and compile it afterwards. You have to do this! If you don't, your crack will try to patch the dead listing copy you made for W32DSM!!!
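As an added example (not from the original tutorial, nor RegView's or W32DSM's code), here is a Python script for the two checks a practitioner wants around the patch step above: it translates a virtual address from the dead listing into a file offset using the PE section table (what W32DSM shows in its bottom right corner), and it reports whether a site in a file on disk still holds the original jne (75 0D) or the same-length NOP pair (90 90), which is also how you would verify whether a trial build has been tampered with at that site. The image base and section layout are constructed assumptions, not RegView's real ones.

```python
# Added example (not part of the original tutorial, nor RegView's or W32DSM's code):
# map a dead-listing VA to a file offset via the PE section table, then classify the
# bytes at a known patch site as the original jne, the NOP'd form, or unexpected.
# Image base and section layout are CONSTRUCTED assumptions, not RegView's real ones.
from collections import namedtuple

Section = namedtuple("Section", "name rva vsize raw_ptr raw_size")
IMAGE_BASE = 0x400000  # assumed; in practice read ImageBase from the optional header

def va_to_file_offset(sections, va, image_base=IMAGE_BASE):
    """Translate a VA shown by the disassembler into an offset in the file on disk."""
    rva = va - image_base
    for s in sections:
        if s.rva <= rva < s.rva + max(s.vsize, s.raw_size):
            delta = rva - s.rva
            if delta >= s.raw_size:  # inside the virtual-only (zero-filled) tail
                raise ValueError("%#x has no backing bytes in %s" % (va, s.name))
            return s.raw_ptr + delta
    raise ValueError("VA %#x is not inside any section" % va)

# Tutorial's patch site: 'jne 0048D7FE' = 75 0D at VA 0048D7EF; replaced in place
# by two one-byte NOPs (90 90) so nothing after it shifts.
PATCH_SITE_VA = 0x0048D7EF
ORIGINAL = bytes.fromhex("750D")
PATCHED = bytes.fromhex("9090")

def classify_patch_site(data, offset, original=ORIGINAL, patched=PATCHED):
    """Return 'original', 'patched' or 'unknown' for the bytes at a file offset."""
    if len(original) != len(patched):
        raise ValueError("an in-place patch must keep the instruction length")
    window = bytes(data[offset:offset + len(original)])
    if window == original:
        return "original"
    if window == patched:
        return "patched"
    return "unknown"

# Constructed single CODE section with a common Delphi layout: RVA 0x1000 at raw 0x400.
SECTIONS = [Section("CODE", 0x1000, 0x9A000, 0x400, 0x9A000)]

def build_sample(apply_patch=False):
    off = va_to_file_offset(SECTIONS, PATCH_SITE_VA)
    img = bytearray(b"\xCC" * (off + 16))          # constructed image, int3 filler
    img[off:off + 2] = PATCHED if apply_patch else ORIGINAL
    return bytes(img), off

if __name__ == "__main__":
    for flag in (False, True):
        img, off = build_sample(flag)
        print("VA %#x -> offset %#x: %s" % (PATCH_SITE_VA, off, classify_patch_site(img, off)))
```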


Cracking 4 Newbies by the Blackbird © 1999