PhotoVista v1.0 crack Step-by-Step
A "smearing" protection reverse engineered
by Nop
(27 August 1997)
Courtesy of fravia's page
of reverse engineering
Well, step by step essays are always
very useful for newbyes and old hands alike... here is one by a new
+HCU contributor that I'm happy to host on my site: Nop
Another interesting
thing in this target, is that it is one of those annoying "smearing"
protection schemes... i.e. the program prints on all the samples made
with an unregistered copy an annoying "banner". Smearing protection
schemes are, of course, even more crackbar than the "simple" protection
schemes, since they have necessarily even more routines that "unveil"
the protection.
PhotoVista v1.0 crack Step-by-Step by Nop
(look for the Pc_VISTA.ZIP for the .COM)
Note that this is a brutal-20minutes-crack-Pepsi-included
All the address are indicatives.
I use a ">" to indicate SoftIce commands
When i say ...trace... this is for the P key (skipping calls,...) not
the T key (trace all) !
When you have a good crack, think to take the Hex of the modification
(use CODE ON to see the hex)
You can find PhotoVista at http://www.livepicture.com
------------------------
1) Install the prog
Choose full install
(to see which composents need to be cracked)
2) Launch the .EXE (not the main) to see if the others prog need to
be cracked
3) Launch the PVISTA.EXE (coz other are ok)
4) The prog begin with a screen, where we can enter a serial
choose the command "Run as Trial"
5) The prog is loading ...
6) Trying a sample ("Created with PhotoVista" appear on the sample i
made)
quit the prog
7) Take a 7up (or a sprite).
I decided that today is'nt a good day for serial so i only search
a crack
I press Ctrl-D to call my friend Soft-Ice...always here
-= PART I: ATTACKING THE SERIAL =-
9) launch the prog
The screen "Enter Serial Number" appears
i fill all the query with recognizable text
i click on "Run"
and obtain "Sorry, this serial... ...invalid"
ok, i see.
Ctrl-D
> HWND
...
01F8(1) 197F 32 PVISTA #32770 (Dialog) ...
08CC(2) 197F 32 PVISTA Static
04FC(2) 197F 32 PVISTA Edit
0DC0(2) 197F 32 PVISTA Static
0970(2) 197F 32 PVISTA Edit
023C(2) 197F 32 PVISTA Static
0218(2) 197F 32 PVISTA Edit
0230(2) 197F 32 PVISTA Static
0B0C(2) 197F 32 PVISTA Edit
0968(2) 197F 32 PVISTA Button
...
i locate the 4 Edit that are in the Form (in the screen)
i put a breakpoint on the 4FC (the first edit)
> BMSG 4FC 0D
(it's a breakpoint on a windows message (BMSG) on handle 4FC,
breakpoint waiting the prog get the text, 0D is the code of
WM_GETTEXT)
i click on "Run"
Soft-Ice come back with the Breakpoint i can read the typical
"USER!BOZOLIVEHERE"
> X (to return to prog)
Soft-Ice come back again with the Breakpoint
> X
"Sorry, this serial... ...invalid" appear. Ok.
The prog decided that the serial is bad with only TWO edit
i click again on "Run"
Soft-Ice Again
> X
Soft-Ice Again
This time i press P
...trace...
a RETF
(USER!BEAR498+14D)
...trace...
a RETF
(USER!GLOBATGETATOMNAME) (usual)
...trace...
a RET
(another USER!GLOBATGETATOMNAME)
...trace...
a RETF
(USER!GETWINDOWTEXT)
...trace...
a RETF
JMP 0137:BFF72964
...trace...
JMP [EBP-24] (usual also)
so, we enter really in the prog
i trace
ret
...
jmp 00479878
...
ret
...
CALL 00458ED0
TEST EAX,EAX this is the first test we meet
JNZ 00416228
9) just put a breakpoint on the TEST EAX, EAX (my shortcut is F2)
(BPX 0001:00015185 BPX=BreakPoint on eXecution)
EAX=5 so we do a jump to 00416228
we have:
137:00416228 XOR EAX,EAX
TEST EAX,EAX
JZ 00416245
put another breakpoint on the TEST EAX, EAX
...trace...
because of the XOR EAX we jump on 00416245
137:00416245 PUSH 30
...
CALL
"Sorry, this serial... ...invalid" appear. Ok.
...
CALL
...
...
ret
So, now we know where the prog make it choice, so, we deactivate the
breakpoint on Edits with
BD 0 (use BL to see the list of the breakpoint used, and
deactivate "BMSG 04FC WM_GETTEXT" if this isn't the first (0))
10) Look at the window, how ! a nice girl !
Be concentrated ! Be concentrated !
Now it's important to think to what we have.
We can simply replace the last JZ 00416245 with 0x90, but, in this
case, don't use the code between this jump and the previous
(JNZ 00416228)
So we need more infos, coz, if the CALL 00458ED0 is a serial-tester
we must send a good response, and not jump at 00416228)
11) Click on "Run"
At the first Breakpoint, put a breakpoint on the CALL 00458ED0
...
Launch the prog again
Stop on the Call
Now press T to enter in the CALL
Some CMP...
trace...
oh a CMP [EBX+ECX], DL
so what contain [EBX+ECX] ?
> d ebx+ecx
what we see, the seventh character of the Activation key !
and what contain DL ? 0x2D the hex of the "-" character !
So this CMP compare this character with a "-"
(if i was looking for a good serial, i had to look in the CALL
found in this routine)
trace ...
we have to quit this CALL
(it's quick coz my activation key don't contain the "-")
12) So this is really the Serial-tester in this CALL
We now have to modify the prog
CALL 00458ED0
TEST EAX,EAX X
The prog stop on the other TEST EAX,EAX
137:00416228 XOR EAX,EAX
TEST EAX,EAX
JZ 00416245
this time we put
XOR EAX, EAX
INC EAX
NOP
NOP
NOP (this is the same number of instructions)
14) We launch the prog with the 2 cracks (put with Soft-Ice, not already
with an hex-editor)
Click on "Run"
Prog launch
NetBrowser launch and "Thanks you for registering appear"
15) Verify the crack, launch the same sample than before (see (6))
The text "Created with PhotoVista" doesn't appear any more.
16) All is working...
...But...
This crack was asked by Jenn on irc (#PC97 !) and she want to
destroy the ask of the serial
So...
-= PART II: EXPLODE THE NAG-SCREEN =-
17) Launch SoftIce Loader
click on File/Open Module
select PVISTA.EXE
click on Module/load
> BD *
(disable all breakpoints)
18) ...trace...
the nag-screen appear just after you skip a call (key P)
click on "Cancel"
soft-Ice appear again
put a BPX on this CALL (CALL 0047368A for me)
launch the prog
...enter this call... (key T)
...trace...
There is a CALL [EBX+58] who launch the nag-screen
Breakpoint it
Disable all the previous breakpoint
launch the prog
...enter this call...
4 CALL...
TEST...
8 CALL...
CMP EAX, EDI
9 CALL...
TEST EAX, EAX
JNZ... (we jump)
we arrive here:
XOR EAX, EAX
TEST EAX, EAX
JNZ 00414F63 (NO JUMP)
CALL...
nag-screen appear
...
so, i decided to make it quick, and disable all the previous BPX
and put one on the TEST EAX, EAX
launch the prog
modify the EAX EAX=00000000 -> EAX=00000001
what appears ?
nag-screen doesn't appear any more !
return to Soft-Ice and modify the code
XOR EAX, EAX
TEST EAX, EAX -> INC EAX
NOP
JNZ 00414F63 -> JMP 00414F63
19) (I hope you have wrote the hex crack...)
We have:
search 85C00F859D000000
replace with 33C0909090909090
search 33C085C07417C746
replace with ----40909090---- (- used when bytes don't change)
search 85C00F85F4000000
replace with 4090E9F500----90
now use your hex editor (i have made mine), like hex Workshop
apply the crack
20) LAUNCH the prog again !
you must verify that there isn't a Checksum on the file by trying
again the sample.
...it work
...it's done
(i have used my own prog to make a .COM)
when your .COM it done, verify again, in case of some joke ;)
write the .NFO
make a .ZIP
send it...
THE END (?)
------------------------
SOME INFOS:
============
I u want to know, for example, why there is a
XOR EAX, EAX
TEST EAX, EAX
...
see in the prog. (there is a jump before)
REAL SECRET !!!!
in fact, real cracker don't make so many try, they simply use
a serial-generator made by others crackers. (no no it's a joke, don't
strike me...Argghhh)
See you soon on iRC
Nop
(c) Nop 1997. All rights reserved
You are deep inside fravia's page of reverse engineering,
choose your way out:
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
antismut CGI-scripts
search_forms
mail_fravia
Is reverse engineering illegal?