
 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::
 ::::::::::::::::::::::::::::: CRACKiNG TUTORiAL ::::::::::::::::::::::::::::
 :::::::::::::::::::::::::::::     by Vizion     ::::::::::::::::::::::::::::
 ::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

 :::: TARGET

 TTFPlus 3.3 32-bit demo (url : www.wmsoftware.com)

 :::: TOOLS 

 W32Dasm 8.9, SoftIce for NT 3.01, UltraEdit-32 4.40b

 :::: PROTECTiON

 Internal counter. 
 The demo counts the number of times you select a font you like to see.

 :::: REMARK(s)

 Like usual, I assume you're able to use the tools mentioned above, and have
 some knwoledge about ASM.

 I think, this is the first time I crack a target that hasn't been done
 before. *CHEER*

 You will need to change winice.dat for this crack. Open winice.dat in your
 favorite text editor and add the next line,

 EXP=<drive>:\<directory>\msvbvm50.dll

 Save the file and restart your computer if SoftIce is loaded.

 :::: FiND THE COUNTER

 Like always, start with loading the target in W32Dasm. The first thing I
 noticed was that there were no String References. Pretty annoying if you
 ask me. If you take a look at the list of .dll files that are used you'll
 see only one :

  MSVBVM50.DLL aka. Microsoft Visual Basic Virtual Machine 5.0 (I think)

 Ok, this is quite new, and I haven't seen any tutorials on a VB5 program.
 Due to the lack of String References and the usage of only one .dll file
 we need a "new" approach to crack this baby, I suggest you sit down and
 start thinking about the way to crack this target...

 Well I came up with the following idea.

 Start the target and select several times a font, after 10x clicking you'll
 get the nag screen telling you... well read it :). The problem is that you
 need to restart the target if you want to use it some more.

 Back in W32Dasm, take a look at the imported functions from the .dll,

 ...

 Addr:0F0D3109 hint(0000) Name: __vbaStrBool
 Addr:0F01A5AE hint(0000) Name: __vbaExitProc
 Addr:0F0239B1 hint(0000) Name: __vbaFileCloseAll
 Addr:0F023FA0 hint(0000) Name: __vbaOnError
 Addr:0F04F618 hint(0000) Name: __vbaObjSet
 Addr:0F0CF404 hint(0253) Name: rtcMsgBox                    <--- interesting
 Addr:0F0E326C hint(0000) Name: _adj_fdiv_m16i
 Addr:0F023EA8 hint(0000) Name: __vbaObjSetAddref
 Addr:0F0E336C hint(0000) Name: _adj_fdivr_m16i
 Addr:0F0391DB hint(0256) Name: rtcDoEvents
 Addr:0F0450B1 hint(0000) Name: __vbaBoolVar
 Addr:0F0FDBB6 hint(0000) Name: __vbaBoolVarNull

 ...


 Because I didn't had any other clues what to look for, I started the target
 again and I fired SoftIce (SI) and I suggest you do that too. In SI (ctrl-d
 to enter SI) set a breakpoint on rtcMsgBox,

 type (in SI) : bpx rtcMsgBox

 If SI reports "Symbol not defined (rtcMsgBox)", read the REMARK(s) part
 again. Ok, exit SI (ctrl-d again), select 10x a font. You should be back in
 SI, press F11 to get in the code of the target. Write down the address (for
 me it was xxxx:0046A2F6).

 :::: Intermezzo :
 :::: Make sure that the target is running, before you set your breakpoints.
 :::: I noticed that SI will work properly only when the target is loaded, I
 :::: guess that's because MSVBVM50.DLL needs to be loaded when you activate
 :::: any breakpoints. Another thing, clear and create your breakpoints every
 :::: time you start the target, else SI won't work like it should.

 Ok, disable the breakpoint and exit SI.
 Get back in W32Dasm and goto the code location with the address you wrote
 down. You should see the following code,

 ...

 * Reference To: MSVBVM50.rtcMsgBox, Ord:0253h
                                  |
 :0046A2F1 E8A28AF9FF              Call 00402D98
 :0046A2F6 8D45A8                  lea eax, dword ptr [ebp-58]
 :0046A2F9 50                      push eax
 :0046A2FA 8D45B8                  lea eax, dword ptr [ebp-48]
 :0046A2FD 50                      push eax
 :0046A2FE 8D45C8                  lea eax, dword ptr [ebp-38]
 :0046A301 50                      push eax
 :0046A302 6A03                    push 00000003

 This event happens after we selected a font for the 10th time. So what we
 do now? What do we look for? Sit down and start thinking (again ;).

 No ideas?
 Well, check out any manual on the "8086 General Purpose Registers".
 I read the following in two manuals I got,

 (1) "The ax register (Accumulator) is where most arithmetic and logical
      computations take place. Although you can do ..."

 (2) "AH/AL AX (EAX) or Accumulator..."

 :::: Intermezzo :
 :::: A very good and free book can be found on the internet.
 :::: <http://webster.ucr.edu/page_asm/artofassembly/artofasm.html>

 We need to look for some code that manipulates the counter of our target,
 probably using the ax register (this is just a feeling I had after reading
 some parts of the manual I refered to).

 Ok, so start scrolling up the code in W32Dasm, until I arrived at a first
 jump reference,

 ...

 :0046A1FC E82D8CF9FF              Call 00402E2E

 * Referenced by a (U)nconditional or (C)onditional Jump at Address:
 |:0046A1EE(C)
 |
 :0046A201 83A570FFFFFF00          and dword ptr [ebp+FFFFFF70], 00000000
 :0046A208 83EC10                  sub esp, 00000010
 :0046A20B C78568FFFFFF0B000000    mov dword ptr [ebp+FFFFFF68], 0000000B

 ...

 Use Goto|Goto Code Location from the menu with 0046A1EE. Continue to scroll
 up till the next jump reference, goto that code location... Repeat this 6
 times untill you get at the next code,

 ...

 * Reference To: MSVBVM50.__vbaObjSet, Ord:0000h
                                  |
 :0046A099 E8368DF9FF              Call 00402DD4
 :0046A09E 8BF0                    mov esi, eax
 :0046A0A0 8B06                    mov eax, dword ptr [esi]
 :0046A0A2 6811000080              push 80000011
 :0046A0A7 56                      push esi
 :0046A0A8 FF5064                  call [eax+64]
 :0046A0AB 85C0                    test eax, eax
 :0046A0AD 7D0E                    jge 0046A0BD       <--- you should be here
 :0046A0AF 6A64                    push 00000064
 :0046A0B1 6878E34000              push 0040E378
 :0046A0B6 56                      push esi
 :0046A0B7 50                      push eax

 ...

 Remember we need to find some code that manipulates the counter aka. ax
 register. So start scrolling up again, until you reach the following code,

 :00469F1E 89B568FFFFFF            mov dword ptr [ebp+FFFFFF68], esi
 :00469F24 89B558FFFFFF            mov dword ptr [ebp+FFFFFF58], esi
 :00469F2A 0F85DE030000            jne 0046A30E
 :00469F30 66393556904700          cmp word ptr [00479056], si
 :00469F37 0F8524060000            jne 0046A561
 :00469F3D 66A158904700            mov ax, word ptr [00479058]       (1)
 :00469F43 6640                    inc ax                            (2)
 :00469F45 0F801F060000            jo 0046A56A                 
 :00469F4B 663D0A00                cmp ax, 000A                      (3)
 :00469F4F 66A358904700            mov word ptr [00479058], ax       (4)
 :00469F55 0F8CB3030000            jl 0046A30E                       (5)
 :00469F5B 8B8314030000            mov eax, dword ptr [ebx+00000314]


 After everything I told you till now this should give you that real good
 warm feeling. We're getting very close to the solution. Let me explain the
 code above,

  (1) load something in ax from memory
  (2) increase ax by 1
  (3) compare ax with 10
  (4) store new value of ax back in memory
  (5) jump if ax is smaller then 10

 That could be it! To check if we found the right place, load the target and
 get back in SI, set a breakpoint on 00479058

 type (in SI) : bpm 479058

 Get out of SI and select a font in TTFPlus, you should be back in SI right
 at line (2), press F10. Get out of SI and repeat this several times you'll
 notice that it's here where the counter is kept and updated.

 :::: THE CRACK

 Well, I think there are several solutions here. Let me show you some, you
 could change line (1) into mov ax, 0 -OR- replace line (2) with 2 NOP (90h)
 instructions -OR-  change line (5) into jmp 0046A30E.

 All three solutions will do the job. To go on with this tutorial I will
 use the 2nd solution. Go back to W32Dasm and get the offset of line (2).
 Now load the target (make a back-up copy) in UltraEdit or any hex-editor
 and goto the offset you wrote down (for me it was : 0006:9343).

 Now you should see the following line,

 00069340h: 90 47 66 40 0F 80 1F 06 00 00 66 3D 0A 00 66
                  ^^ ^^

 change this to

 00069340h: 90 47 90 90 0F 80 1F 06 00 00 66 3D 0A 00 66
                  ^^ ^^

 This should do it. Now the counter will never reach 10, so the demo will
 never "expire". Save the file, exit, and enjoy...

 Voila, another target cracked.

 So that's all folks, I hoped you enjoyed and learned something.

 Vizion, 09/97.

.EOF.