Cracking for newbies #2 - by woody^drn

How to crack NoteTab Pro v4.6a at www.notetab.com

Run the program to see what happens. Hmm, that's weird, it says "Sorry, the trial period is over" .. I haven't even tried it before. Let's disassemble the program and find the "nag". But first we have to check if the file is packed or encrypted in any way. A good program for this job would be gtui (found at http://surf.to/phax). Now run gtui and let it check the file.

- [NotePro.exe] ----- DOS executable file - 643072 bytes
  Portable executable (starting at 256 for 642816 bytes)
  Packer: ASPack 1.07b
  Calculated entrypoint: 542443 / 000846EBh (RVA: 000852EBh)

Packer ASPack v1.07b .. okay, well now we have to unpack it, and if you read Vaczine #2 - Cracking for advanced #2 you know how to unpack a file that has been packed with ASPack. But I'll be nice and tell you how to do it. I won't go into details ..

Start up ProcDump and press the PE Editor button, load NotePro.exe. Now press the Sections button, and change the CODE Characteristics from C0000040 to E0000020 (C0000040 marks the section as readable/writable initialized data; E0000020 marks it as readable, writable and executable code). You can do that by pressing the right mouse button on CODE. Press okay until you exit ProcDump.

Load SofticeLoader and press ctrl+o and find NotePro.exe, now load the module (Module->Load) and SoftICE will appear. Press F10 until you come to the first PUSHAD. It would look like this:

.0059E000: 60                 pushad

You would be here .. now just press F10 until the opposite of PUSHAD, and that's POPAD.
.0059E001: E800000000         call .00059E006 ---- (1)
.0059E006: 5D                 pop ebp
.0059E007: 81ED3ED94300       sub ebp,00043D93E ;" CÙ>"
.0059E00D: B838D94300         mov eax,00043D938 ;" CÙ8"
.0059E012: 03C5               add eax,ebp
.0059E014: 2B850BDE4300       sub eax,[ebp][00043DE0B]
.0059E01A: 898517DE4300       mov [ebp][00043DE17],eax
.0059E020: 80BD01DE430000     cmp b,[ebp][00043DE01],000
.0059E027: 7515               jne .00059E03E ------ (2)
.0059E029: FE8501DE4300       inc b,[ebp][00043DE01]
.0059E02F: E81D000000         call .00059E051 ------ (3)
.0059E034: E879020000         call .00059E2B2 ------ (4)
.0059E039: E812030000         call .00059E350 ------ (5)
.0059E03E: 8B8503DE4300       mov eax,[ebp][00043DE03]
.0059E044: 038517DE4300       add eax,[ebp][00043DE17]
.0059E04A: 8944241C           mov [esp][0001C],eax
.0059E04E: 61                 popad

Right here ... now the 3 calls are the "magic" of ASPack .. but who cares, we just don't care about those. When you're at POPAD, write down EAX. You're gonna need it, cause it's the real entry point of the file we're gonna dump soon. Press F10 again.

.0059E04F: FFE0               jmp eax

Okay .. this was the unpacking routine, but we don't want the program to do anything more. So we make a loop. When you're at JMP EAX type 'a eip' (eip is the place you are .. the offset .. the opcode that is about to be executed). When you have typed 'a eip' write 'jmp eip'; that makes the program jump to this place all the time. In Pascal that would have been lab: goto lab; Now the program just loops forever, so now is a good time to dump it. Start ProcDump again and scroll down the task list. Find NotePro.exe, click the right mouse button, and choose Dump (Full). Now it wants you to select a name for the dumped file, I just write dump.exe. Then close the program NotePro.exe that is still in its endless loop ;) ctrl+alt+delete, choose the program and close it .. Cewl ..
Now you have unpacked the file and broken ASPack :) The only thing you're missing now is the right entry point, cause if you try executing the file as it is now, it will definitely hang the computer or at least give an error .... well, sometimes you're lucky and it has the right entry point .. try it out ;) If it doesn't work do this: start ProcDump and choose PE Editor. The new entry point is EAX minus the image base. Write the new one and press ok. Does it work now? Yeah! Cewl .. now we can get on and find that damn nag.

First make a backup of the old file that was packed, and make one copy of the new unpacked file for W32Dasm and one in case we should screw it up ;) Now we have notepro.old, notepro.w32, notepro.exe and notepro.bac. Gosh! It takes too long to load it in W32Dasm .. try pressing the ALT key while it's loading .. does it go faster?? Yeah .. dunno why but it does! Found this error (???) while multitasking .. alt+tab .. so now you know it too :) Darn, 36454 calls, 48404 jumps .. well, it's a big file. Now you remembered to write down the nag message, didn't you?? :) Search for it in the string references ... Refs->Strings .. I found it here:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005067F4(U), :0050683C(U), :00506874(U)
|
:00506879 803E01         cmp byte ptr [esi], 01
:0050687C A198BD5300     mov eax, dword ptr [0053BD98]
:00506881 0F9400         sete byte ptr [eax]
:00506884 803E02         cmp byte ptr [esi], 02
:00506887 0F851D010000   jne 005069AA

* Possible StringData Ref from Code Obj ->"Sorry, the trial period is over."
|
:0050688D 68386A5000     push 00506A38

The first thing that comes to my mind is to patch those 3 unconditional jumps, but let's see what it actually does here. It checks if the byte at [esi] is 02 and if it is, it will display the nag. So we could just make the byte at [esi] be 01. And if you look at 506876 it actually moves 01 into [esi], so we just have to get ourselves there. Okay .. let's see how we can do this.
:005067EF 7508           jne 005067F9
:005067F1 C60602         mov byte ptr [esi], 02
:005067F4 E980000000     jmp 00506879

Here is the first jump, let's patch 5067EF so it doesn't put 02 into [esi].

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005067EF(C)
|
:005067F9 8D45FC         lea eax, dword ptr [ebp-04]

So now we are here ... let's trace a little further.

:005067FC B901000000     mov ecx, 00000001
:00506801 BA01000000     mov edx, 00000001
:00506806 E821DBEFFF     call 0040432C
:0050680B 33D2           xor edx, edx
:0050680D 8B45FC         mov eax, dword ptr [ebp-04]
:00506810 E8E3B5F7FF     call 00481DF8
:00506815 8B156CC05300   mov edx, dword ptr [0053C06C]
:0050681B 8902           mov dword ptr [edx], eax
:0050681D A16CC05300     mov eax, dword ptr [0053C06C]
:00506822 833800         cmp dword ptr [eax], 00000000
:00506825 7412           je 00506839

Here is the next je/jne .. this one jumps to "mov byte ptr [esi], 02" and we don't want that. So we patch it to nops .. 90 90.

:00506827 A16CC05300     mov eax, dword ptr [0053C06C]
:0050682C 8B00           mov eax, dword ptr [eax]
:0050682E 3B45F8         cmp eax, dword ptr [ebp-08]
:00506831 740B           je 0050683E
:00506833 837DF8FE       cmp dword ptr [ebp-08], FFFFFFFE
:00506837 7405           je 0050683E

Here it will jump near the "mov byte ptr [esi], 01", so let's take that jump.

:0050683E E8413FF0FF     call 0040A784

So we land here .. close :) All we have to do now is to get to 50686F, cause that's where it puts 01 into [esi].

:00506843 E830C4EFFF     call 00402C78
:00506848 A354BB5300     mov dword ptr [0053BB54], eax
:0050684D A16CC05300     mov eax, dword ptr [0053C06C]
:00506852 8B00           mov eax, dword ptr [eax]
:00506854 2B0554BB5300   sub eax, dword ptr [0053BB54]
:0050685A A334BB5300     mov dword ptr [0053BB34], eax
:0050685F 833D34BB530020 cmp dword ptr [0053BB34], 00000020
:00506866 7F09           jg 00506871

Hmmm, we don't wanna go to that one .. it puts 02 into [esi] .. nop it.

:00506868 833D34BB530001 cmp dword ptr [0053BB34], 00000001
:0050686F 7D05           jge 00506876

And we're finally there .. take this jump and it will go to mov byte ptr [esi], 01.
Hope you're with me here ;) All we're doing now is finding the first jump to the "bad" code, where it displays the "Sorry, the trial period is over" nag. It will only display the nag screen if [esi] is 02; if it isn't 02 it won't display it. That's why we try not to let [esi] become 02.

:00506876 C60601         mov byte ptr [esi], 01

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005067F4(U), :0050683C(U), :00506874(U)
|
:00506879 803E01         cmp byte ptr [esi], 01
:0050687C A198BD5300     mov eax, dword ptr [0053BD98]
:00506881 0F9400         sete byte ptr [eax]
:00506884 803E02         cmp byte ptr [esi], 02
:00506887 0F851D010000   jne 005069AA

* Possible StringData Ref from Code Obj ->"Sorry, the trial period is over."

See? .. it moves 01 into [esi], then it checks if [esi] is 02, and it isn't, cause we just changed it into 01. So now it won't display it. Okay .. that was the first section. Now we have to make sure that it doesn't put 02 into [esi] anywhere else. We *know* that it will jump to 5069AA because [esi] isn't 02. So let's check what's there:

:005069AA 837DF800       cmp dword ptr [ebp-08], 00000000
:005069AE 7416           je 005069C6
:005069B0 803E02         cmp byte ptr [esi], 02
:005069B3 7511           jne 005069C6

Okay, it checks again .. jump if [esi] is not equal to 02, and it should be 01. So let's make it jump at 5069B3.

:005069C6 837DF8FE       cmp dword ptr [ebp-08], FFFFFFFE
:005069CA 7512           jne 005069DE
:005069CC 803E01         cmp byte ptr [esi], 01
:005069CF 750D           jne 005069DE

Now it checks if [esi] is 01. We want it to be 01. It says: if [esi] is not equal, jump to 5069DE. So let's nop those two jne's.

:005069D1 8B156CC05300   mov edx, dword ptr [0053C06C]
:005069D7 33C0           xor eax, eax
:005069D9 E8E6F9FFFF     call 005063C4

This should be it. A rather hard way of doing it, but it's easier to use the program's own code than to make up your own ;)

-wOODY^dRN
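The packer check at the start of the text (gtui's "Packer: ASPack", the CODE Characteristics edit from C0000040 to E0000020, and the entry point computed as EAX minus the image base) is the same PE-header arithmetic an analyst runs when triaging an unknown binary. The script below is an added example, not part of the original text and not code from gtui, ProcDump or the author: it reads a PE32 section table, decodes the two Characteristics values the tutorial mentions, flags sections that are both writable and executable, and maps the entry-point RVA to its section and file offset. The image it inspects is constructed in memory (headers only, made-up sizes, a second section named ".stub"); the flag constants and header offsets are the documented PE/COFF values.

```python
"""PE section-table triage: decode section Characteristics, flag writable+
executable sections, and map the entry-point RVA to its section and file
offset. Added example; the PE32 image it inspects is constructed below."""
import struct

# IMAGE_SECTION_HEADER Characteristics bits (PE/COFF specification).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {IMAGE_SCN_CNT_CODE: "CODE", IMAGE_SCN_CNT_INITIALIZED_DATA: "IDATA",
              IMAGE_SCN_CNT_UNINITIALIZED_DATA: "UDATA", IMAGE_SCN_MEM_EXECUTE: "X",
              IMAGE_SCN_MEM_READ: "R", IMAGE_SCN_MEM_WRITE: "W"}


def decode_characteristics(value):
    """Names of the known flag bits set in a Characteristics DWORD:
    0xC0000040 -> IDATA,R,W and 0xE0000020 -> CODE,X,R,W."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def parse_pe(data):
    """Read the DOS, COFF and PE32 optional headers plus the section table."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(num_sections):
        off = opt + opt_size + i * 40   # each IMAGE_SECTION_HEADER is 40 bytes
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, off)
        chars = struct.unpack_from("<I", data, off + 36)[0]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "vsize": vsize, "va": va, "rawsize": rawsize,
                         "rawptr": rawptr, "chars": chars})
    return {"entry_rva": entry_rva, "image_base": image_base, "sections": sections}


def find_section(rva, sections):
    """Section whose virtual range contains rva, or None."""
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            return s
    return None


def rva_to_file_offset(rva, sections):
    """Translate an RVA to a file offset through the owning section's raw pointer."""
    s = find_section(rva, sections)
    return None if s is None else s["rawptr"] + (rva - s["va"])


def va_to_rva(va, image_base):
    """An address seen in the debugger minus ImageBase gives the RVA."""
    return va - image_base


def triage(data):
    """Packer indicators checked first: W+X sections and an entry point that
    lies outside the normal code section."""
    pe = parse_pe(data)
    entry_sec = find_section(pe["entry_rva"], pe["sections"])
    wx = [s["name"] for s in pe["sections"]
          if s["chars"] & IMAGE_SCN_MEM_WRITE and s["chars"] & IMAGE_SCN_MEM_EXECUTE]
    indicators = []
    if wx:
        indicators.append("writable+executable sections: " + ", ".join(wx))
    if entry_sec is None or entry_sec["name"] not in ("CODE", ".text"):
        indicators.append("entry point outside the code section")
    return {"entry_va": pe["image_base"] + pe["entry_rva"],
            "entry_section": None if entry_sec is None else entry_sec["name"],
            "entry_file_offset": rva_to_file_offset(pe["entry_rva"], pe["sections"]),
            "wx_sections": wx, "indicators": indicators}


def build_demo_image():
    """Constructed header-only PE32 image (no real code). Sizes are made up;
    the entry point is placed in a W+X section appended after CODE, the
    layout a packer stub typically leaves behind."""
    sections = [  # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData, Characteristics
        (b"CODE", 0x80000, 0x1000, 0x80000, 0x400, 0xC0000040),
        (b".stub", 0x1000, 0x85000, 0x1000, 0x80400, 0xE0000020)]
    opt_size = 96
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)          # e_lfanew at 0x3C
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = struct.pack("<HBBIIIIIII", 0x10B, 2, 25, 0x80000, 0x1000, 0,
                      0x852EB, 0x1000, 0x85000, 0x400000)       # entry RVA, ImageBase
    opt += b"\0" * (opt_size - len(opt))
    table = b"".join(struct.pack("<8sIIIIIIHHI", n, vs, va, rs, rp, 0, 0, 0, 0, c)
                     for n, vs, va, rs, rp, c in sections)
    return dos + b"PE\0\0" + coff + opt + table
```

Calling `triage(build_demo_image())` reports the entry VA 0x4852EB in section ".stub" at file offset 0x806EB and lists ".stub" as writable+executable; `triage(open(path, "rb").read())` does the same for a file on disk. Two indicators together (entry point outside CODE/.text, and a W+X section) are the usual first hint that a binary was packed, before any unpacking tool is run.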