PhotoVista v1.0 crack Step-by-Step

A "smearing" protection reverse engineered

by Nop

(27 August 1997)

Courtesy of fravia's page of reverse engineering

Well, step by step essays are always very useful for newbyes and old hands alike... here is one by a new +HCU contributor that I'm happy to host on my site: Nop

Another interesting thing in this target, is that it is one of those annoying "smearing" protection schemes... i.e. the program prints on all the samples made with an unregistered copy an annoying "banner". Smearing protection schemes are, of course, even more crackbar than the "simple" protection schemes, since they have necessarily even more routines that "unveil" the protection.

 PhotoVista v1.0 crack Step-by-Step by Nop
(look for the Pc_VISTA.ZIP for the .COM) Note that this is a brutal-20minutes-crack-Pepsi-included All the address are indicatives. I use a ">" to indicate SoftIce commands When i say ...trace... this is for the P key (skipping calls,...) not the T key (trace all) ! When you have a good crack, think to take the Hex of the modification (use CODE ON to see the hex) You can find PhotoVista at ------------------------ 1) Install the prog Choose full install (to see which composents need to be cracked) 2) Launch the .EXE (not the main) to see if the others prog need to be cracked 3) Launch the PVISTA.EXE (coz other are ok) 4) The prog begin with a screen, where we can enter a serial choose the command "Run as Trial" 5) The prog is loading ... 6) Trying a sample ("Created with PhotoVista" appear on the sample i made) quit the prog 7) Take a 7up (or a sprite). I decided that today is'nt a good day for serial so i only search a crack I press Ctrl-D to call my friend Soft-Ice...always here -= PART I: ATTACKING THE SERIAL =- 9) launch the prog The screen "Enter Serial Number" appears i fill all the query with recognizable text i click on "Run" and obtain "Sorry, this serial... ...invalid" ok, i see. Ctrl-D > HWND ... 01F8(1) 197F 32 PVISTA #32770 (Dialog) ... 08CC(2) 197F 32 PVISTA Static 04FC(2) 197F 32 PVISTA Edit 0DC0(2) 197F 32 PVISTA Static 0970(2) 197F 32 PVISTA Edit 023C(2) 197F 32 PVISTA Static 0218(2) 197F 32 PVISTA Edit 0230(2) 197F 32 PVISTA Static 0B0C(2) 197F 32 PVISTA Edit 0968(2) 197F 32 PVISTA Button ... i locate the 4 Edit that are in the Form (in the screen) i put a breakpoint on the 4FC (the first edit) > BMSG 4FC 0D (it's a breakpoint on a windows message (BMSG) on handle 4FC, breakpoint waiting the prog get the text, 0D is the code of WM_GETTEXT) i click on "Run" Soft-Ice come back with the Breakpoint i can read the typical "USER!BOZOLIVEHERE" > X (to return to prog) Soft-Ice come back again with the Breakpoint > X "Sorry, this serial... ...invalid" appear. Ok. The prog decided that the serial is bad with only TWO edit i click again on "Run" Soft-Ice Again > X Soft-Ice Again This time i press P ...trace... a RETF (USER!BEAR498+14D) ...trace... a RETF (USER!GLOBATGETATOMNAME) (usual) ...trace... a RET (another USER!GLOBATGETATOMNAME) ...trace... a RETF (USER!GETWINDOWTEXT) ...trace... a RETF JMP 0137:BFF72964 ...trace... JMP [EBP-24] (usual also) so, we enter really in the prog i trace ret ... jmp 00479878 ... ret ... CALL 00458ED0 TEST EAX,EAX this is the first test we meet JNZ 00416228 9) just put a breakpoint on the TEST EAX, EAX (my shortcut is F2) (BPX 0001:00015185 BPX=BreakPoint on eXecution) EAX=5 so we do a jump to 00416228 we have: 137:00416228 XOR EAX,EAX TEST EAX,EAX JZ 00416245 put another breakpoint on the TEST EAX, EAX ...trace... because of the XOR EAX we jump on 00416245 137:00416245 PUSH 30 ... CALL "Sorry, this serial... ...invalid" appear. Ok. ... CALL ... ... ret So, now we know where the prog make it choice, so, we deactivate the breakpoint on Edits with BD 0 (use BL to see the list of the breakpoint used, and deactivate "BMSG 04FC WM_GETTEXT" if this isn't the first (0)) 10) Look at the window, how ! a nice girl ! Be concentrated ! Be concentrated ! Now it's important to think to what we have. We can simply replace the last JZ 00416245 with 0x90, but, in this case, don't use the code between this jump and the previous (JNZ 00416228) So we need more infos, coz, if the CALL 00458ED0 is a serial-tester we must send a good response, and not jump at 00416228) 11) Click on "Run" At the first Breakpoint, put a breakpoint on the CALL 00458ED0 ... Launch the prog again Stop on the Call Now press T to enter in the CALL Some CMP... trace... oh a CMP [EBX+ECX], DL so what contain [EBX+ECX] ? > d ebx+ecx what we see, the seventh character of the Activation key ! and what contain DL ? 0x2D the hex of the "-" character ! So this CMP compare this character with a "-" (if i was looking for a good serial, i had to look in the CALL found in this routine) trace ... we have to quit this CALL (it's quick coz my activation key don't contain the "-") 12) So this is really the Serial-tester in this CALL We now have to modify the prog CALL 00458ED0 TEST EAX,EAX X The prog stop on the other TEST EAX,EAX 137:00416228 XOR EAX,EAX TEST EAX,EAX JZ 00416245 this time we put XOR EAX, EAX INC EAX NOP NOP NOP (this is the same number of instructions) 14) We launch the prog with the 2 cracks (put with Soft-Ice, not already with an hex-editor) Click on "Run" Prog launch NetBrowser launch and "Thanks you for registering appear" 15) Verify the crack, launch the same sample than before (see (6)) The text "Created with PhotoVista" doesn't appear any more. 16) All is working... ...But... This crack was asked by Jenn on irc (#PC97 !) and she want to destroy the ask of the serial So... -= PART II: EXPLODE THE NAG-SCREEN =- 17) Launch SoftIce Loader click on File/Open Module select PVISTA.EXE click on Module/load > BD * (disable all breakpoints) 18) ...trace... the nag-screen appear just after you skip a call (key P) click on "Cancel" soft-Ice appear again put a BPX on this CALL (CALL 0047368A for me) launch the prog ...enter this call... (key T) ...trace... There is a CALL [EBX+58] who launch the nag-screen Breakpoint it Disable all the previous breakpoint launch the prog ...enter this call... 4 CALL... TEST... 8 CALL... CMP EAX, EDI 9 CALL... TEST EAX, EAX JNZ... (we jump) we arrive here: XOR EAX, EAX TEST EAX, EAX JNZ 00414F63 (NO JUMP) CALL... nag-screen appear ... so, i decided to make it quick, and disable all the previous BPX and put one on the TEST EAX, EAX launch the prog modify the EAX EAX=00000000 -> EAX=00000001 what appears ? nag-screen doesn't appear any more ! return to Soft-Ice and modify the code XOR EAX, EAX TEST EAX, EAX -> INC EAX NOP JNZ 00414F63 -> JMP 00414F63 19) (I hope you have wrote the hex crack...) We have: search 85C00F859D000000 replace with 33C0909090909090 search 33C085C07417C746 replace with ----40909090---- (- used when bytes don't change) search 85C00F85F4000000 replace with 4090E9F500----90 now use your hex editor (i have made mine), like hex Workshop apply the crack 20) LAUNCH the prog again ! you must verify that there isn't a Checksum on the file by trying again the sample. work's done (i have used my own prog to make a .COM) when your .COM it done, verify again, in case of some joke ;) write the .NFO make a .ZIP send it... THE END (?) ------------------------ SOME INFOS: ============ I u want to know, for example, why there is a XOR EAX, EAX TEST EAX, EAX ... see in the prog. (there is a jump before) REAL SECRET !!!! in fact, real cracker don't make so many try, they simply use a serial-generator made by others crackers. (no no it's a joke, don't strike me...Argghhh) See you soon on iRC Nop
(c) Nop 1997. All rights reserved
You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays academy database
tools cocktails antismut CGI-scripts search_forms mail_fravia
Is reverse engineering illegal?