My personal advice to you - don't read this off your
computer screen! Use your printer.
Index
0. Disclaimer
1. Introduction
2. What you need
3. Analysing the program
4. Disassembling the program
5. Cracking the program
6. Conclusion
0.
Disclaimer:
I created this tutorial for informational purposes only!
Much of the information in this document can be used to
perform illegal activities! Don't attempt to do anything
stated in this document! If you do attempt to do anything,
you are solely and fully responsible for what you do!
If you
get caught and get in any kind of trouble, it's your own
fault! If you intend to use this information to impress your
friends, leave it and grow up! If you don't agree to this,
do not read any more! If you crack a program, and either
sell the crack or offer it for free, it is a crime!
1.
INTRODUCTION:
Hi everyone! I'm back! Ready for another Cracking tut? Hope
so...
Today we're going to learn a new skill - it's called
"register modifying". To learn this new technique we're going
to crack a program we all know: NOTEPAD! Yes Notepad, yes
the one from Windowz, yeah that's the one. You're probably
thinking: what the hell is there to crack in Notepad? Nothing
better than to keep on reading this tutorial!
C ya in the next section.
2.
WHAT YOU NEED:
WDasm disassembler (I'll assume you've got it from the
previous tutorials)
Hiew (I'll assume you've got it from previous tutorials)
My version of Notepad, so that we're all cracking the same
program
(can be found at: members.xoom.com/dumpster66/notepad.exe)
if the link does not work, use your own notepad.exe
3.
ANALYSING THE PROGRAM:
Before you change the program you'd better make a backup of
it.
Well, let's think... You know what happens when we open those
big text files (bigger than, let's say, 100kb)? Have you tried
it yet? Well, Notepad delivers us a message saying:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This file is too large for Notepad to open
Would you like to use WordPad to read this file?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
What we're going to do is to eliminate this messagebox and
make it go directly to WordPad. To do this we'll learn that
new technique I've talked to you about: Register Modifying.
4.
DISASSEMBLING THE PROGRAM:
Let's get started. Copy "my" NOTEPAD.EXE to your Windows
directory (possibly C:\WINDOWS). Open a big text file
(bigger than 100kb). See that message I've been talking
about? Write it down.
Now let's open Wdasm and disassemble NOTEPAD.EXE. Done?
That was quick :)! Let's search in the program's String Data
References. Go to the menu "Refs" and choose "String Data
References". This lets us know all the messages that are
displayed by the program. Search through all those
strings... Found something? I knew you would! Yes that's it:
String Resource ID=00052: "This file is too large for
Notepad to open. Would you like t"
Double click on it to go to its location.
--------------------------- NOTEPAD.EXE -----------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at
Address:
|:004024C5(C)
|
* Possible Reference to String Resource ID=00052: "This
file is too large for Notepad to open Would you like t"
|
:004024DF 6A34 push 00000034
--------------------------- NOTEPAD.EXE -----------------------------
This is where you should've landed. Now let's think a bit.
If we were to modify that Conditional Jump at address
004024C5, we'd probably make Notepad think that the file we
opened was under 100kb. That isn't what we want to do. That
could probably interfere with Windows' memory, and it already
runs badly enough by itself; it doesn't need any help :).
What we'll do is to find the messagebox that Notepad
displays and just make the program run without the message.
So let's get to work!
Go to the "Functions" menu and choose "Imports". What the
hell! What are these things? These are just functions that
Windows has and that Notepad imports to make the prog run.
Now go half way down the list until you reach the
functions that start with "USER32". Found them? Good. Now
scroll down the list and you'll find a function that has
the following name: "USER32.MessageBoxA".
"USER32.MessageBoxA" is a very well-known Windows function.
It's one of the most important functions for crackers. It's
basically responsible for calling the messageboxes in which
messages are displayed. This is the type of window that
Notepad called for our message. Double click on it.
Now you're probably asking why the hell did we first go and
find the message and then go to look for the message box?
It's quite simple. Notepad calls lots of messageboxes so we
couldn't just go looking at all of them! We had to find
first the place where the message was loaded and then we
double clicked on "USER32.MessageBoxA" to go to the next
location where a messagebox was called. That way we're
certain that we've got the right messagebox!
--------------------------- NOTEPAD.EXE -----------------------------
* Reference To: USER32.MessageBoxA, Ord:0176h
|
:00402D61 FF1530744000 Call dword ptr [00407430] (We landed here!)
:00402D67 83F806 cmp eax, 00000006
:00402D6A 0F85A9000000 jne 00402E19
:00402D70 6804010000 push 00000104
:00402D75 8D85B8FEFFFF lea eax, dword ptr [ebp+FFFFFEB8]
:00402D7B 50 push eax
--------------------------- NOTEPAD.EXE -----------------------------
Now let's take a look at this code snippet. This is the
location where the program calls the messagebox and then runs
WordPad or exits, depending on our choice.
Take a good look. First, at address "00402D61", the program
calls the messagebox, then at address "00402D6A" it jumps and
exits if "EAX" isn't "00000006". So what we'll do is remove
the messagebox call at "00402D61" and remove that jump at
"00402D6A" so that the program will always call WordPad.
We'll remove them using the new technique called register
modifying :).
Highlight the "Call" at address "00402D61" and take note of
the offset location (it's that number at the bottom of your
screen after "@Offset..."). Now do the same thing for the
"jne" at address "00402D6A". You now have 2 numbers written
down. You can now close Wdasm.
Now for the cracking... :))))
5.
CRACKING THE PROGRAM:
Open NOTEPAD.EXE in Hiew. Press "F4" and choose "Decode",
Press "F5" (to Go to location...), and write: "2161" (the
first offset location you took note of). Press "F3" to Edit
and write: "404840484048" (I'll explain later in the
Conclusion why...). Press "F9" to Update. You've eliminated
the messagebox, now all you need to do is to get rid of that
"jne" instruction.
Press "F5" and write: "216A" (the second offset location
you took note of). Press "F3" to Edit and write:
"404840484048". Press "F9" to update. You've finished
cracking Notepad!
Try and open a big text file (bigger than 100kb). What? It
goes directly to WordPad? Great! We've done it :)!
Now read the Conclusion to know about all those 40's and
48's...
6.
CONCLUSION:
We finally finished cracking Notepad. You must certainly be
asking why go to all this trouble just to crack a program that
didn't need cracking in the first place? Here's the
explanation.
Let's learn a little bit of x86 opcodes in HEX:
40 (in HEX) ----stands for----> "inc eax"
48 (in HEX) ----stands for----> "dec eax"
90 (in HEX) ----stands for----> "nop" (nothing happens when
90 is written)
Each of these is a one-byte instruction, so three "inc eax" /
"dec eax" pairs cover exactly the 6 bytes of the "CALL"
(FF 15 30 74 40 00) and the 6 bytes of the "JNE"
(0F 85 A9 00 00 00); the code after them stays in place.
So what we did to remove those two instructions (the "CALL"
and the "JNE") was to increase register "EAX" by 1 and,
right after, decrease it by 1. In the end everything was the
same (put 1, take 1, put 1, take 1, etc...). This made it
possible to remove the "CALL" and the "JNE" instruction.
But why the hell go through all that trouble if you could
simply write "90"s to remove those 2 instructions? Well, the
reason is that there are some programs that look inside
themselves, checking to see if there are 90's (nop
instructions) inside them and, if there are any, they just
won't work. This is a nice way around that check. Just
in case you're curious, Notepad doesn't make this check.
Conclusion: never use the "NOP" instruction; only if you
really need to...
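Added example (my own code, not SiFu's and not anything taken from Notepad): a defender-side scan that flags runs of the "40 48" filler explained above, which a check that only looks for 90 bytes would miss, plus a helper showing that the filler's net effect on EAX is zero. The sample bytes are constructed from the disassembly listing above, before and after the patch.

```python
NOP = 0x90                 # "nop": nothing happens
INC_DEC = b"\x40\x48"      # "inc eax" then "dec eax": net change to EAX is zero

def net_eax_delta(filler):
    """+1 for every inc eax (0x40), -1 for every dec eax (0x48).

    A result of 0 means the filler leaves EAX exactly as it found it,
    which is what makes 40 48 40 48 40 48 a harmless 6-byte replacement."""
    return sum(1 if b == 0x40 else -1 if b == 0x48 else 0 for b in filler)

def find_filler_runs(code, min_len=4):
    """Scan raw code bytes and return (offset, length, kind) for each run
    of plain nops ('nop') or inc/dec pairs ('inc-dec') at least min_len
    bytes long. This is a byte-level heuristic, not a disassembler, so it
    only points an analyst at places worth a closer look."""
    runs, i, n = [], 0, len(code)
    while i < n:
        if code[i] == NOP:
            j = i
            while j < n and code[j] == NOP:
                j += 1
            if j - i >= min_len:
                runs.append((i, j - i, "nop"))
            i = j
        elif code[i:i + 2] == INC_DEC:
            j = i
            while code[j:j + 2] == INC_DEC:
                j += 2
            if j - i >= min_len:
                runs.append((i, j - i, "inc-dec"))
            i = j
        else:
            i += 1
    return runs

# Constructed sample modelled on the listing above: the 6-byte CALL and the
# 6-byte JNE around "cmp eax, 6" / "push 104", before and after the patch.
ORIGINAL = bytes.fromhex("FF1530744000" "83F806" "0F85A9000000" "6804010000")
PATCHED = bytes.fromhex("404840484048" "83F806" "404840484048" "6804010000")

if __name__ == "__main__":
    print("original:", find_filler_runs(ORIGINAL))  # []
    print("patched :", find_filler_runs(PATCHED))   # [(0, 6, 'inc-dec'), (9, 6, 'inc-dec')]
    print("net EAX :", net_eax_delta(bytes.fromhex("404840484048")))  # 0
```

The two hits land exactly where the tutorial's CALL and JNE used to be, and a plain "90 90 90 90 90 90" patch would be reported as a 'nop' run by the same scan.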
By the way, I didn't do any patch for this because I don't
think it's of any use but, in case you want to, feel free to
do one (consult my previous tutorial in order to learn how to
use the patch engine).
C ya !
Credits
written by SiFu (contact by email)
version 1.0, 15/03/2000