Okay, today you'll learn an alternative method of cracking that I've found
very useful when it came to cracking aspack 2.001: when it is
disassembled (yeah, and unpacked too ;), there are no string references
to "UNREGISTERED" or "Unregistered copy. Options not saved.",
and yet both strings are still in the exe (take your hex editor and search for them).
So you guys can guess it uses an unusual protection...
Most peepz told me it was probably using a table to redirect calls
to the strings, thus making the references invisible when disassembled.
Don't worry, I tried every standard method to get to the reg routine
but none seemed to work (haven't tried a lot).
First I gotta say that it uses unusual methods: keyfile protection,
no msgbox anywhere to tell you it isn't registered, as well as others.
So I told myself that to crack unusual apps, you gotta use
unusual methods as well. Then I began to wonder how I could get
around it.
And I did find a method, and the goal of this tut is to
explain it.
Remember that the strings were found in the exe? So the main
idea is to set a memory breakpoint (BPR, or BPM) that fires when a
string is accessed. To do this, as you might know, you first need to
know WHERE in memory it is stored once the exe is loaded. To find it,
use this simple formula:
ImageBase + Virtual Offset (the RVA) of the section that holds the string +
offset of the string within that section's data
Note that the last term is the offset inside the section as dumped, not
the file offset of the string in the exe.
To get these, do the following: open up ProcDump, load the exe,
check its ImageBase (400000h) and dump each section to disk to find
out exactly where the string you are searching for is. An easy guess
in this case is that it is in .RSRC, since it is a resource of the exe.
My guess was right. So dump .RSRC and search it for "UNREGISTERED"
as well as "Unregistered copy. Options not saved.". In my case they were at:
"UNREGISTERED" == B26Ah
"Unregistered copy. Options not saved." == 102BAh
The .RSRC section's Virtual Offset is 4E000h. So I have to do:
400000h + 4E000h + B26Ah == 45926Ah
400000h + 4E000h + 102BAh == 45E2BAh
Since I'm lazy, I just "BPM 45926A" and "BPM 45E2BA". (A BPM with no
size qualifier watches a single byte, so it only fires when the first
byte of the string is touched; a BPR covering the whole string would
also catch reads of its later bytes.) And now a new problem arises:
you gotta get into the process, since to set a BPM inside aspack 2.001
you first have to break on aspack.
At first I thought of modifying the section flags to E0000020,
and to my surprise the SoftICE loader didn't break. (I know
I could have played with it to make it work, but I will use
another method to show you how you can get around it).
I recommend that you make a backup of the exe first, as you always
should. Open up ProcDump again and get the Entry Point of the exe
(the place where the code begins). I had 42B98h. Now the fun
part begins.
Change the Entry Point to 1 less (42B97h). Then edit the section
where the Entry Point is, in my case .CODE: add 1 to VSize
(00042001h) and 1 to PSize (00042001h), and subtract 1 from the RVA
(Relative Virtual Address, giving 00000999h) as well as from the Offset
(00000999h). You can modify the section flags on the way too (E0000020).
Why do all this? Simple: because we want to break on aspack when it is
loaded. The idea is to add some code to it that will make SoftICE
break. Moving every parameter by 1 is because we add only one
instruction, an "INT 3" (btw, interrupt 3 was made for debugging
purposes ;), and growing the section backwards by that one byte keeps
the new Entry Point inside a section that is mapped and executable.
To add the "INT 3", open your hex editor, go to the new Entry Point
(42B97h) and put a "CC" there (the INT 3). Make sure the byte you
overwrite at that offset was padding and not something the program uses.
Now Ctrl-D, type "BPINT 3", THEN you can start aspack :).
SoftICE WILL break this time, so you've got plenty of time to add
BPM 45926A
and
BPM 45E2BA
to your app. Then do a "BC 0" (this clears only breakpoint 0, the
BPINT 3; a "BL" should still list the two BPMs) and an "EXIT". Now you
can delete your modified aspack exe and start the original one again,
which will break when the bad strings are read ;).
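The address arithmetic from the ImageBase formula and the entry-point patch just described, carried out by a script. This is an added example, not code from the tutorial or from ProcDump: it parses the PE32 headers itself, finds every occurrence of a string inside the sections and computes ImageBase + section RVA + offset-in-section for each, then applies the same patch (Entry Point - 1, section RVA and Offset - 1, VSize and PSize + 1, flags E0000020, CC at the new Entry Point). The PE it runs on is a toy image constructed inside the script carrying the two strings from the tutorial, so the addresses it prints belong to that toy image and not to the 45926Ah/45E2BAh of the real aspack exe; the refusal to overwrite a non-zero byte before the entry point is my own safety check, not part of the original method.

```python
import struct

# Added example, not code from the tutorial: locate a string inside a PE32
# file, compute ImageBase + Section RVA + offset-in-section for it, and apply
# the entry-point trick (EP-1, RVA/Offset-1, VSize/PSize+1, E0000020, CC at EP).

SECT_HDR = 40  # sizeof IMAGE_SECTION_HEADER

def parse_pe(data):
    """ImageBase, entry RVA and section table of a PE32 image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]     # SizeOfOptionalHeader
    opt = pe + 24                                             # optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    entry_rva = struct.unpack_from("<I", data, opt + 16)[0]   # AddressOfEntryPoint
    image_base = struct.unpack_from("<I", data, opt + 28)[0]  # ImageBase
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + i * SECT_HDR
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append({"name": name.rstrip(b"\0").decode(), "hdr": hdr, "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr,
                         "chars": struct.unpack_from("<I", data, hdr + 36)[0]})
    return {"opt": opt, "image_base": image_base, "entry_rva": entry_rva,
            "sections": sections}

def find_string_va(data, needle):
    """All (section name, virtual address) pairs at which `needle` occurs."""
    info = parse_pe(data)
    hits = []
    for s in info["sections"]:
        raw = data[s["rawptr"]:s["rawptr"] + s["rawsize"]]
        pos = raw.find(needle)
        while pos != -1:
            hits.append((s["name"], info["image_base"] + s["va"] + pos))
            pos = raw.find(needle, pos + 1)
    return hits

def patch_entry_int3(data):
    """Return (patched image, file offset of the INT 3) after the tutorial's patch."""
    buf = bytearray(data)
    info = parse_pe(buf)
    entry = info["entry_rva"]
    sect = next(s for s in info["sections"] if s["va"] <= entry < s["va"] + s["vsize"])
    new_raw = sect["rawptr"] + (entry - sect["va"]) - 1     # one byte before the old EP
    if buf[new_raw] != 0:   # own safety check, not in the tutorial: only clobber padding
        raise ValueError("byte before entry point is not padding: %02X" % buf[new_raw])
    h = sect["hdr"]
    struct.pack_into("<I", buf, info["opt"] + 16, entry - 1)  # Entry Point - 1
    struct.pack_into("<I", buf, h + 8, sect["vsize"] + 1)     # VSize + 1
    struct.pack_into("<I", buf, h + 12, sect["va"] - 1)       # RVA - 1
    struct.pack_into("<I", buf, h + 16, sect["rawsize"] + 1)  # PSize + 1
    struct.pack_into("<I", buf, h + 20, sect["rawptr"] - 1)   # Offset - 1
    struct.pack_into("<I", buf, h + 36, 0xE0000020)           # code|exec|read|write
    buf[new_raw] = 0xCC                                       # INT 3
    return bytes(buf), new_raw

def build_sample_pe():
    """Constructed toy PE32 (not a real program): .CODE holds the entry point,
    .rsrc holds the tutorial's two strings, headers fill the first 200h bytes."""
    rsrc = (b"\0" * 0x10 + b"UNREGISTERED\0" +
            b"\0" * 0x10 + b"Unregistered copy. Options not saved.\0")
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                        # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 2, 0, 0, 0, 0xE0, 0x0102)  # COFF header
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                        # PE32 magic
    struct.pack_into("<I", img, opt + 16, 0x1000)                  # EP = start of .CODE
    struct.pack_into("<I", img, opt + 28, 0x400000)                # ImageBase
    struct.pack_into("<II", img, opt + 32, 0x1000, 0x200)          # section/file alignment
    struct.pack_into("<II", img, opt + 56, 0x3000, 0x200)          # SizeOfImage/Headers
    struct.pack_into("<I", img, opt + 92, 16)                      # NumberOfRvaAndSizes
    layout = [(b".CODE", 0x1000, 0x200, b"\x90" * 16 + b"\xC3", 0x60000020),
              (b".rsrc", 0x2000, 0x400, rsrc, 0x40000040)]      # name, RVA, raw, bytes, flags
    for i, (name, va, rawptr, body, flags) in enumerate(layout):
        struct.pack_into("<8sIIIIIIHHI", img, opt + 0xE0 + i * SECT_HDR,
                         name, 0x200, va, 0x200, rawptr, 0, 0, 0, 0, flags)
        img[rawptr:rawptr + len(body)] = body
    return bytes(img)

if __name__ == "__main__":
    img = build_sample_pe()
    for s in (b"UNREGISTERED", b"Unregistered copy. Options not saved."):
        for name, va in find_string_va(img, s):
            print("%-40s in %s -> BPM %X" % (s.decode(), name, va))
    patched, where = patch_entry_int3(img)
    print("CC at file offset %X, new EP RVA %X" % (where, parse_pe(patched)["entry_rva"]))
```

To use it on a real file, read the exe into `img` instead of calling build_sample_pe(); the printed VA is what you give to BPM, and the file offset is where the CC ends up. The script moves the section start back by one byte exactly as the tutorial does, so it relies on the loader accepting a section that no longer starts on an alignment boundary, which it did in the author's case.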
Enjoy!
-Marton