_CbD_ Tutorial #3
			Function Disabled Protections Defeated
				Date  7-28-97
			Target: WinScan version 2.0.06

About the Protection:
	Function Disabled Protections are very common nowadays and are one of
	the most popular among high priced software or specialty software. But
	their days of stopping us are over........ Now !!!!!!

Target:
	WinScan ver 2.0.06
	WinScan is an intelligent scan, trace and vector editing program designed for use with TWAIN compliant
	scanners and popular vector illustration packages such as CorelDRAW. This is a very handy program
	if you are in the graphics industry or if you make vinyl signs with plotters (as I do)...

Where to get it :
	http://www.airmark.com/

Tools Needed:
	SoftIce (SI) (Required)
	W32dasm ( optional)
	Hiew Hexeditor (included with Tutorial) (Required)
	Borland Resource Workshop (optional)

Pre Crack Notes:
	OK, there are several different steps in this crack, and there are really 3 cracks that will be done,
	each one of them with several steps. If you don't have the optional tools above
	you will only be able to complete the first 2 parts of this tutorial (the important ones).
	The last section of the crack only removes the DEMO messages at start and in the About box;
	it changes them to the registered messages instead.. (Big deal, I know)...

The Crack..........
	OK, you should have gotten the programs you need by now, so let's start the crack.
	
Step #1 :
	Fire up your program (WinScan) and have a look at it. You should see the big ugly blue box that
	says this is a DEMO version of the program (like we didn't know this). It is not that big of a deal
	because it goes away if you click on it. But now open one of the sample .bmp files that
	are in the WinScan dir. Now try to save the file; you will get a box that says
	"This Command is not Allowed Blah Blah Blah". OK, so it doesn't want us to save, but we want to.
	I mean shit, how can you evaluate software if you can't save the work to see its quality?
	Well, I don't think you can, so we will cure this problem :-).
	Just remember that this little message came to us in the form of a message box.

Step #2:
	Now we have a good idea that we are getting the nag from a message box, so
	if we can break at the message we can see what calls it, right? Or we could use
	W32dasm and locate the point where the message is called. Well, that would take
	a bit longer to trace out the code that calls it, so we will save that for later or for those
	that want to learn a bit more about finding this type of protection call.
	So for now we are just gonna use SI (as it is all that is really needed) to break on the
	message that we get when we try to save. So let's start....
	First press Ctrl-D to get into SI (SoftIce) and let's see what we have here. Let's see if we
	have any breakpoints left over from a project that you were working on before you
	started this one, so do this:    BL    This will give you a listing of all breakpoints you
	have set in SI. Well, we don't want those to cause us problems in this crack, so we
	will do one of 2 things: (1) clear them with BC *  (2) disable them with BD *   If you
	don't need the BPs (breakpoints) you can clear them; if you will need them for
	another project then just disable them for now. OK, now that we have that out of the
	way (bear in mind I write my tuts so anyone can follow them even if they have
	never cracked before), let's set the breakpoints that we will need for this crack,
	so do this: BPX MESSAGEBOXA   <--- This will make SI break when the
	call to MessageBoxA is made. For now that is the only one we need, so let's
	Ctrl-D back to our target WinScan.
Step #3:
	OK, now let's set all this in motion. Try to save this file with [SAVE] from the menu
	or the disk icon in the toolbar. Boom, to SoftIce we go. Now we are in SI at the
	point where our program is ready to show us the nag. Now let's think about what we
	want to do here: (1) we want to find out where this call came from, (2) we want to
	make it go to the real Save dialog box and not this nag. So we will do an F11 so we
	can get back to what called this function. You will pop back into WinScan where
	you will see the nag. Press OK and you will pop back to SI. Now we are not there yet,
	because if you look on the line between the command window and the code window
	you will see MFC blah blah blah. Well, this is the place our message box was called from,
	but this is not our program; our program called this to get the box. So what we will do is
	press F10 (single step) till we get back to our program, so press F10 till you see
	WinScan on the line between the command and code windows. When you get there
	you should see something like the following

(note the addresses may not be the same on yours)

0137:00455AF5	CALL	0045D800		<----- This is what calls our little MessageBox
0137:00455AFA	JMP	00455B1E		<---- OK, we told him he can't save, so let's go back
0137:00455AFC	MOV	ECX,[EBP-14]		<---- not important.

OK, now we found the call, so let's scroll up a few lines and see what we can see. It should look like this

(note the addresses may not be the same on yours)
0137:00455AE0	MOV	EAX,[EAX+4]			<--- load the object that holds the demo flag
0137:00455AE3	CMP	DWORD PTR [EAX+000000C4],00	<--- check and see if this is a demo ver
0137:00455AEA	JZ	00455B16			<---- if zero then this is a full ver, else this is a demo
0137:00455AEC	PUSH	FF				<--- push an argument for the message box call
0137:00455AEE	PUSH	10				<--- push some more
0137:00455AF0	PUSH	0000009D			<--- yup, push even more (the message ID)
0137:00455AF5	CALL	0045D800			<----- This is what calls our little MessageBox
0137:00455AFA	JMP	00455B1E			<---- OK, we told him he can't save, so let's go on working
0137:00455AFC	MOV	ECX,[EBP-14]			<---- not important.

	OK, if you look real close I think you can see what we need to do now, and if you can't I will
	tell you:
0137:00455AEA	JZ	00455B16	This jump here will send us to the real Save dialog that we want.
	So we need to change the JZ to a JNZ so that the program will think that if we are a DEMO
	we should jump to the real Save dialog and not the nag. But before we do this let's get some info
	that we will need for Part 2 of the crack, so do a    D xxxx:00455AEA    (xxxx is the selector you see
	in place of 0137) and look in your data window for something like this

0137:00455AEA  74 2A 6A FF 6A 10 68 9D - 00 00 00 E8 06 7D 00 00
               ^  ^  ^  ^  ^  ^  ^  ^
	You will need all the bytes that have a ^ under them, so write them down.
	(Note: if you do not have a data window just above your code window, type WD and press enter
	in the command window and it should open up. You should also have your registers window
	open as well; to do this type WR and press enter in the command window.)
	Well, let's see if we are right. Do this:
	A xxxx:00455AEA  and press enter (note: where the xxxx is, put the right selector you see on
	your screen)
	now you should see something like this

A xxxx:00455AEA
xxxx:00455AEA       
	
	in your command window
	you need to type in this

	JNZ 00455B16

	then press enter, and then press enter again to get back to the command line.
	Now let's see if this works, so press Ctrl-D and when you pop back to WinScan
	try to save again.   WOW, you can now save. Well, the only thing is that you can't use the
	Save As function, so we need to fix that too, and to do this we follow the same steps as above,
	but instead of pressing Save we press Save As from the menu,
	and you will break right back in the same message that you did before.
	You need only follow the same steps as above to get back to the WinScan
	call and then scroll back up and find the JZ that will send us where we want to go.

	If you can't seem to make it work, here are the steps for this one

Step #1:
	OK, now let's set all this in motion. Try to save this file with [SAVE AS] from the menu.
	Boom, to SoftIce we go. Now we are back in SI at the same
	point where our program is ready to show us the nag. Now let's think about what we
	want to do here: (1) we want to find out where this call came from, (2) we want to
	make it go to the real Save dialog box and not this nag. So we will do an F11 so we
	can get back to what called this function. You will pop back into WinScan where
	you will see the nag. Press OK and you will pop back to SI. Now we are not there yet,
	because if you look on the line between the command window and the code window
	you will see MFC blah blah blah. Well, this is the place our message box was called from,
	but this is not our program; our program called this to get the box. So what we will do is
	press F10 (single step) till we get back to our program, so press F10 till you see
	WinScan on the line between the command and code windows. When you get there
	you should see something like the following

(note the addresses may not be the same on yours)

0137:00455BD5	CALL	0045D800		<----- This is what calls our little MessageBox
0137:00455BDA	JMP	00455BFE		<---- OK, we told him he can't save, so let's go back
0137:00455BDC	MOV	ECX,[EBP-14]		<---- not important.

OK, now we found the call, so let's scroll up a few lines and see what we can see. It should look like this

(note the addresses may not be the same on yours)
0137:00455BC0	MOV	EAX,[EAX+4]			<--- load the object that holds the demo flag
0137:00455BC3	CMP	DWORD PTR [EAX+000000C4],00	<--- check and see if this is a demo ver
0137:00455BCA	JZ	00455BF6			<---- if zero then this is a full ver, else this is a demo
0137:00455BCC	PUSH	FF				<--- push an argument for the message box call
0137:00455BCE	PUSH	10				<--- push some more
0137:00455BD0	PUSH	0000009D			<--- yup, push even more (the message ID)
0137:00455BD5	CALL	0045D800			<----- This is what calls our little MessageBox
0137:00455BDA	JMP	00455BFE			<---- OK, we told him he can't save, so let's go on working
0137:00455BDC	MOV	ECX,[EBP-14]			<---- not important.

	OK, if you look real close I think you can see what we need to do now, and if you can't I will
	tell you:

0137:00455BCA	JZ	00455BF6	This jump here will send us to the real Save dialog that we want.
	So we need to change the JZ to a JNZ so that the program will think that if we are a DEMO
	we should jump to the real Save dialog and not the nag. Well, let's see if we are right:
	do this  A xxxx:00455BCA  and press enter (note: where the xxxx is, put the right selector you see on
	your screen)
	now you should see something like this

A xxxx:00455BCA
xxxx:00455BCA       
	in your command window
	you need to type in this

	JNZ 00455BF6

	then press enter, and then press enter again to get back to the command line.
	Now let's see if this works, so press Ctrl-D and when you pop back to WinScan
	try to SAVE AS again.   WOW, you can now Save As. Now isn't this fun?

	Well, the only thing is that this will only work till we exit our program. When we restart it the nags
	will be right back, so now we need to make a real crack for our program.
	So on to Part 2 of this crack.

Part 2: Hex Editing our program

	Well, let's make sure we have all the info we will need..
	Remember the things I told you to write down? Well, I hope you did ;-)
	and if not, then here it is:
xxxx:00455AEA		74   2A   6A   FF   6A   10   68   9D
	Well, we will need this in Hiew to search for the jumps we need to change
	(by the way, you should print this file to make life easier on you).
	Let's make a backup copy of our file; you can name it whatever you wish (I used
	WinScan.cbd), just don't use .bak as this is needed elsewhere.
	So let's fire up Hiew. To do this we will need to have the program and Hiew in the
	same directory; I use a temp dir and copy both files to it (Hiew and Winscan.cbd).
	Now at a DOS prompt type
 			(the numbers in ( ) are the steps)
	(1) Hiew WinScan.cbd (or whatever you named it). Now you will be in the Hiew program and will see a
	bunch of shit that makes no sense whatsoever.
	(2) So press the F4 key to get the hex view (or whatever the key is at the
	bottom). Now we will have to search for our command, and in order to do this we will
	need to have the numbers above.
	(3) So press F7 and then enter the numbers above,
	i.e. ( 74 2A 6A FF 6A 10 68 9D ) and press enter.
	Then you will land at the first match it found.
	(4) You should press F2 to get the ASM code of the above string.
	(5) Then press F3 to edit it.
	(6) You will get a box that will show you a    je   and an address. You just need to change the
	je    to   JNZ, then press enter.
	(7) Now press F9 to update.
	(8) And press F10 to quit.
	Now restart Hiew and do each step over again (the copy you just edited no longer starts with 74,
	so the same search now lands on the next one).
	The first one is the Save function, and if you do it again you will be in the Save As function,
	and if you do it a third time you will be in the Save Vectors function (not talked about because you
	must have a scanner to use it), but go ahead and crack it too..
	Well, that is it. After all that you will have a fully working program that will work forever.
	Now if you wish to get rid of the DEMO screens that you see when you start the program
	and in the About box you can continue to Part 3 of the crack (must have Borland Resource Workshop).
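As an added example (not code from the tutorial, from _CbD_ or from Airmark), here is a Python check that an auditor could run over a copy of WinScan 2.0.06 to see whether the Save checks still carry their original JZ or have been edited to JNZ the way Part 2 describes; it also decodes the jump and call targets to confirm what the listing shows (74 2A at 00455AEA really is JZ 00455B16, and E8 06 7D 00 00 at 00455AF5 really is CALL 0045D800). The 16 bytes and the addresses are the ones the tutorial dumps; the image scanned below is constructed sample data, not the real file.

```python
import struct

# Bytes the tutorial dumps at 0137:00455AEA: JZ +2A, PUSH FF, PUSH 10,
# PUSH 9D, CALL rel32 (the MessageBox wrapper).
ORIGINAL_CHECK = bytes.fromhex("742A6AFF6A10689D000000E8067D0000")
JZ_VA = 0x00455AEA            # virtual address of the Save check, per the tutorial
PATCHED_CHECK = b"\x75" + ORIGINAL_CHECK[1:]   # what the JZ -> JNZ edit leaves behind

# Search on everything after the opcode byte so a patched copy is found too.
SEARCH_KEY = ORIGINAL_CHECK[1:]
SHORT_JCC = {0x74: "JZ", 0x75: "JNZ"}


def decode_short_jump(code, va):
    """Decode a 2-byte Jcc rel8 at virtual address va -> (mnemonic, target)."""
    rel8 = struct.unpack("<b", code[1:2])[0]          # signed 8-bit displacement
    mnemonic = SHORT_JCC.get(code[0], "DB %02X" % code[0])
    return mnemonic, (va + 2 + rel8) & 0xFFFFFFFF     # target = next insn + rel8


def decode_call_rel32(code, va):
    """Decode E8 rel32 at virtual address va -> call target."""
    rel32 = struct.unpack("<i", code[1:5])[0]
    return (va + 5 + rel32) & 0xFFFFFFFF


def check_image(image):
    """Return [(file offset, mnemonic, tampered)] for every copy of the check."""
    findings = []
    pos = image.find(SEARCH_KEY)
    while pos != -1:
        if pos > 0:                                   # byte before the key is the Jcc opcode
            opcode = image[pos - 1]
            findings.append((pos - 1, SHORT_JCC.get(opcode, "?"), opcode != 0x74))
        pos = image.find(SEARCH_KEY, pos + 1)
    return findings


# Constructed sample image: filler, an untouched check, filler, a patched check.
SAMPLE_IMAGE = b"\x90" * 32 + ORIGINAL_CHECK + b"\xcc" * 16 + PATCHED_CHECK

if __name__ == "__main__":
    mnem, target = decode_short_jump(ORIGINAL_CHECK, JZ_VA)
    print("%s %08X" % (mnem, target))                 # JZ 00455B16
    for off, mnem, tampered in check_image(SAMPLE_IMAGE):
        print("offset %#x: %s %s" % (off, mnem, "PATCHED" if tampered else "original"))
```

To scan a real copy, pass open(path, "rb").read() to check_image; per the tutorial an untouched image should yield three matches (Save, Save As and Save Vectors), all reported as JZ.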
	
Part 3 Removing the Demo Screens

	Start BRW and locate the bitmaps that represent the demo messages:
		239 <--- About box bitmap
		240 <---- Startup bitmap
	Now let's find the ones for the full version:
		102 <--- Startup bitmap
		159 <--- About box bitmap
	Now all you have to do is delete 239 and 240,
	then select 102 and make a duplicate of it (right click the mouse and you will see Duplicate),
	then do the same for 159. After you have done this it will name them something like
	BitMap1 and BitMap2. Well, rename the copy of 102 to 240 and the copy of 159 to 239, and that is
	it; you will now see the full version screens when you run your program. Although this is not
	needed for the crack to work, this is just another thing you can do to remove the DEMO
	nags. But seeing how, if you like the program, you are going to buy it (RIGHT), you really need not
	do this part ;-)

Part 4  Yeah, I know I said 3 parts, but read on
	Well, if you wish to make a crack that you can distribute to others, then you can get
	a program like gpatch or write your own in your favorite language to do all of the
	above changes .... Well, that is it for this tutorial.

	I hope that you have learned something from this tutorial and I hope I have helped you to
	better understand how this type of protection works. And remember, this is a shareware
	program, and if you intend to use it then buy it. After all, they were nice enough to give us
	the demo so we could crack and evaluate it, so contribute to them and give them the money
	they ask for. It is only fair........... _CbD_ [ME/C4N'97]

	I want to take a few lines here to say thanks to a few ppl So thanks go to :
	nIabI of [ME/C4N'97] for gpatch and all your help
	Scorpoin of [ME/C4N'97] for the info on Hiew
	mornings on #cracking4Newbies for testing my tuts
	and anyone i forgot :-) Thanks all .............