First Step: Disable the self-destruction.
Launch w32dasm and disassemble the file (NJWIN.EXE). Hmmm, this
seems to be a 16-bit program, which makes it a little more difficult to crack.
So we need some help from Soft-ICE. First we should add EXP=C:\WINDOWS\SYSTEM\KERNEL32.DLL
to WINICE.DAT; if not, Soft-ICE won't find the symbols. Now make a copy
of njwin.exe, e.g. nj1.exe, and use a hex editor to change something in nj1.exe.
Launch nj1.exe and you will get the NJWIN menu at the top. Press Ctrl+D and
set a breakpoint with: BPX getmodulefilename. Now choose Close from the NJWIN
menu and blam...... you get into Soft-ICE. Press F11 and now you are at this
location. Slowly trace it using F10.
:0001.44E9 9A22370000 call KERNEL.GETMODULEFILENAME
:0001.44EE 68FD44 push SEG ADDR of Segment 0001
:0001.44F1 688876 push 7688
:0001.44F4 8D86EAFE lea ax, [bp+FEEA]
:0001.44F8 16 push ss
:0001.44F9 50 push ax
:0001.44FA 9A56081B45 call 0001.0856
:0001.44FF 83C408 add sp, 0008
:0001.4502 8BF0 mov si, ax
:0001.4504 8956F4 mov [bp-0C], dx
:0001.4507 0BD0 or dx, ax
:0001.4509 7503 jne 450E
:0001.450B E98A01 jmp 4698
...
Trace it until this line:
:0001.467A 8B46EA mov ax, [bp-16]
:0001.467D 8B56EC mov dx, [bp-14]
:0001.4680 3946EE cmp [bp-12], ax
:0001.4683 7505 jne 468A
:0001.4685 3956F0 cmp [bp-10], dx
:0001.4688 740E je 4698

* Referenced by a Jump at Address:0001.4683(C)
|
:0001.468A 8D86EAFE lea ax, [bp+FEEA]
:0001.468E 16 push ss
:0001.468F 50 push ax
:0001.4690 9A3C2E7842 call 0001.2E3C ; It seems this procedure is used for the self-destruction.

* Referenced by a Jump at Address:0001.4678(U)
|
:0001.4695 83C404 add sp, 0004
How could I know it is this procedure? This time we are using nj1.exe, which we have changed, so the program must execute that procedure. But if we use the original one, this step is passed over and that procedure is never executed. (Try it yourself.)
So we know the procedure that is called. Now we need to patch it to fool the program so that it never enters that place. In w32dasm, open the Search menu and choose Find Text. Type call 0001.2E3C in the dialog box and w32dasm will take you to:
First ->
:0001.07F5 83C408 add sp, 0008
:0001.07F8 8D46F2 lea ax, [bp-0E]
:0001.07FB 16 push ss
:0001.07FC 50 push ax
:0001.07FD 9A3C2E7C06 call 0001.2E3C
:0001.0802 83C404 add sp, 0004
:0001.0805 0BC0 or ax, ax
:0001.0807 7403 je 080C
Change add sp,0008 at 0001.07F5 using HIEW to jmp 0805.
Second ->
:0001.35A2 8D86CEFE lea ax, [bp+FECE]
:0001.35A6 16 push ss
:0001.35A7 50 push ax
:0001.35A8 9A3C2EFFFF call 0001.2E3C
:0001.35AD 83C404 add sp, 0004
:0001.35B0 8B46EC mov ax, [bp-14]
:0001.35B3 EB04 jmp 35B9
Change lea ax,[bp+FECE] at 0001.35A2 using HIEW to jmp 35AD.
Third ->
:0001.468A 8D86EAFE lea ax, [bp+FEEA]
:0001.468E 16 push ss
:0001.468F 50 push ax
:0001.4690 9A3C2E7842 call 0001.2E3C
:0001.4695 83C404 add sp, 0004
Change lea ax,[bp+FEEA] at 0001.468A using HIEW to jmp 4695.
Ok.... Now we have completely disabled the self-destruction part of our target's protection scheme, and we can patch the registration.
Second Step: Make it registered.
Even if we know the registration number and try to register, it is
useless, because this program seems to have been made just in order to
fool the crackers.
Patch me and you'll lose me. But even inside a good protection there must be a
weakness, as +ORC taught us.
Now we need Soft-ICE to break cleverly. Press Ctrl+D and then:
BPX GetPrivateProfileString
Why should we break at that point? Simple to answer: it is because
NJWIN stores its registration data in C:\WINDOWS\NJWIN.INI and reads
it from there. So we should break at the moment the program wants to get information
from that .ini file.
After that, launch the program and blam.... you get into Soft-ICE.
Press F11 and trace it with F10. You will see the listing below
...
:0001.3B83 9AB93B0000 call KERNEL.GETPRIVATEPROFILESTRING
:0001.3B88 80BEF6FD3F cmp byte ptr [bp+FDF6], 3F
:0001.3B8D 752E jne 3BBD
:0001.3B8F FF36DC05 push word ptr [05DC]
:0001.3B93 FF36DA05 push word ptr [05DA]
:0001.3B97 FF36E005 push word ptr [05E0]
:0001.3B9B FF36DE05 push word ptr [05DE]
:0001.3B9F FFB6ECFB push word ptr [bp+FBEC]
:0001.3BA3 FFB6EAFB push word ptr [bp+FBEA]
:0001.3BA7 8D86F6FD lea ax, [bp+FDF6]
Try to trace it until here......
:0001.3C8A 83C404 add sp, 0004
:0001.3C8D 52 push dx
:0001.3C8E 50 push ax
:0001.3C8F 8D86F6FC lea ax, [bp+FCF6]
:0001.3C93 16 push ss
:0001.3C94 50 push ax
:0001.3C95 8D86F6FD lea ax, [bp+FDF6]
:0001.3C99 16 push ss
:0001.3C9A 50 push ax
:0001.3C9B 9AC26ADA3C call 0001.6AC2
:0001.3CA0 83C40C add sp, 000C
:0001.3CA3 48 dec ax
:0001.3CA4 7505 jne 3CAB ; if wrong then unregistered
:0001.3CA6 C6061A0601 mov byte ptr [061A], 01 ; else good boy..
Aha... Now we know that in the "good boy" case the target assigns the value 01 to [061A]. Now we use w32dasm to find the text mov byte ptr [061A] and blizzz..... we get to:
:0001.3D35 32C0 xor al, al
:0001.3D37 A21A06 mov byte ptr [061A], al
:0001.3D3A A21B06 mov byte ptr [061B], al
:0001.3D3D EB0D jmp 3D4C
It seems the default value for [061A] is 00. So we patch it using HIEW: change xor al,al at 0001.3D35 to mov al,1, and the program will always think that the cracker is a registered user and finish merrily.
I'm sorry if my English is a little bit messed up, because I'm not a ..... guy.