Source: Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Corleone / Cracking_OmniPage_Web_1_0.TXT
Text file, 2000-05-25, 6 KB, 164 lines
Cracking OmniPage Web 1.0
'30-day trial'-protection scheme
Written by Cerberus
Introduction
I found this program on the illegal warez CD "Twilight 33" and it asked if it could apply a
patch. Well, no, of course not. Every die-hard cracker cracks everything by himself! So I
started cracking and discovered that it is a very simple protection, cracked in 2 minutes!
My goal is to get more crackers in this world so that we can defeat every protection scheme
there is. To be an experienced cracker you MUST understand assembly. On the INet you can find
lots of tutorials about assembly, so read as much as you can to be part of the elite
crackers.
Tools required
These tools were used:
Hiew 6.0 (for patching)
W32Dsm 8.9 (for disassembling)
Target's URL/FTP
http://www.caere.com/
Essay
First install OmniPage Web 1.0.
Open OmniPage with W32Dsm (filename: omnipweb.exe).
Save the listing as text. If something goes wrong later you only have to open the project
file instead of disassembling again: in the Project menu choose the only option,
"Open Project file...".
Open the dialog "String references" -> button [Str Ref] next to the print button.
Find the text: "This demo version of OmniPage "
Double-click it and close the dialog.
You now see this:
* Reference To: MFC42.MFC42:NoName0149, Ord:0320h
|
:0046B29D E898E40700 Call 004E973A
:0046B2A2 B801000000 mov eax, 00000001
:0046B2A7 EB28 jmp 0046B2D1
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046A284(C), :0046A2A1(C)
|
:0046B2A9 57 push edi
* Possible StringData Ref from Data Obj ->"Sorry!"
|
:0046B2AA 68742F5200 push 00522F74
* Possible StringData Ref from Data Obj ->"This demo version of OmniPage "
->"Web has expired."
|
:0046B2AF 68442F5200 push 00522F44
:0046B2B4 57 push edi
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:0046B2B5 FF1528C34F00 Call dword ptr [004FC328]
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046A3EC(U), :0046A452(U), :0046A479(U), :0046A65E(U), :0046A7EF(C)
|:0046A8D3(U), :0046AA7A(C), :0046AAEC(C), :0046AC14(U), :0046ACBB(U)
|:0046ADF5(U), :0046AE30(U), :0046AED7(U), :0046AF27(U), :0046AFCE(U)
|
:0046B2BB 8D4C2418 lea ecx, dword ptr [esp+18]
:0046B2BF C784248C040000FFFFFFFF mov dword ptr [esp+0000048C], FFFFFFFF
* Reference To: MFC42.MFC42:NoName0149, Ord:0320h
In assembly you have two different types of jumps: conditional and unconditional jumps.
The difference is that a conditional jump is only taken when the flags set by a preceding
compare satisfy its condition; otherwise execution simply falls through to the next line.
An unconditional jump is always taken.
The prototype of the MessageBoxA function is as follows (retrieved from the 'Win32 Developer's
References'):
int MessageBox(
HWND hWnd, // handle of owner window
LPCTSTR lpText, // address of text in message box
LPCTSTR lpCaption, // address of title of message box
UINT uType // style of message box
);
First the uType is pushed on the stack, then lpCaption, then lpText and finally hWnd.
There are TWO conditional jumps to this routine:
:0046A284
:0046A2A1
Let's take a closer look at these lines:
:0046A278 E859F80700 Call 004E9AD6
:0046A27D 8B4010 mov eax, dword ptr [eax+10]
:0046A280 40 inc eax
:0046A281 83F803 cmp eax, 00000003
:0046A284 0F8F1F100000 jg 0046B2A9 <- First jump
:0046A28A 57 push edi
:0046A28B 8D4C2428 lea ecx, dword ptr [esp+28]
* Reference To: MFC42.MFC42:NoName0308, Ord:0D09h
|
:0046A28F E842F80700 Call 004E9AD6
:0046A294 8B4014 mov eax, dword ptr [eax+14]
:0046A297 056C070000 add eax, 0000076C
:0046A29C 3DCF070000 cmp eax, 000007CF
:0046A2A1 0F8F02100000 jg 0046B2A9 <- Second jump
:0046A2A7 E8E4160000 call 0046B990
:0046A2AC E83F150000 call 0046B7F0
:0046A2B1 E83A100000 call 0046B2F0
"jg" means "Jump if Greater". The first jump is taken if eax is greater than 0x3, the second
if eax is greater than 0x7CF. Both lead to the "expired" message box, so these jumps must
never be taken. There are many ways to do this. I hate using 'NOP', so I did the following:
Changed the first jg 0046B2A9 (at 0046A284) to jmp 46A28A (the next line)
Changed the second jg 0046B2A9 (at 0046A2A1) to jmp 46A2A7 (the next line)
Now for the offsets in the file (these differ from the addresses shown at the left of the
listing, because the file offset is not the same as the virtual address). Select the first
jump and look at the bottom of the screen. There you'll see in the status bar the text:
@Offset 00069684h in File:omnipweb.exe
So offset 69684h in the file is the first jump. The second one is at offset 696A1h.
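As an added example (not part of Cerberus's tutorial), the following Python decodes the branch encodings quoted in the W32Dasm listing above, checks each decoded target against what the disassembler printed, and reproduces the address-to-file-offset mapping behind the two offsets given. The image base and .text section values are assumptions chosen to be consistent with those two offsets, not values read from omnipweb.exe.

```python
# Added example (not part of the tutorial): decode the branches quoted in the
# W32Dasm listing, check the printed targets, and reproduce the file-offset mapping.
import re
import struct

IMAGE_BASE = 0x00400000  # assumption: default Win32 image base
TEXT_RVA = 0x1000        # assumption: .text VirtualAddress (usual MSVC layout)
TEXT_RAW = 0x400         # assumption: .text PointerToRawData; RVA-RAW = 0xC00 is
                         # exactly the VA 0046A284 -> offset 69684 gap in the text
CC = ["o", "no", "b", "ae", "e", "ne", "be", "a",
      "s", "ns", "p", "np", "l", "ge", "le", "g"]

def decode_branch(va, code):
    """(mnemonic, target) for call/jmp rel32, jmp rel8, Jcc rel32; displacement
    is relative to the address of the *next* instruction."""
    op = code[0]
    if op == 0xEB:                                # jmp rel8, 2 bytes
        disp = struct.unpack_from("<b", code, 1)[0]
        return "jmp", (va + 2 + disp) & 0xFFFFFFFF
    if op in (0xE8, 0xE9):                        # call / jmp rel32, 5 bytes
        disp = struct.unpack_from("<i", code, 1)[0]
        return ("call" if op == 0xE8 else "jmp"), (va + 5 + disp) & 0xFFFFFFFF
    if op == 0x0F and 0x80 <= code[1] <= 0x8F:    # Jcc rel32, 6 bytes; jg = 0F 8F
        disp = struct.unpack_from("<i", code, 2)[0]
        return "j" + CC[code[1] & 0xF], (va + 6 + disp) & 0xFFFFFFFF
    raise ValueError(f"{code.hex()} is not a branch this decoder knows")

def va_to_file_offset(va):
    """Map a .text virtual address to the raw file offset Hiew's [F5] expects."""
    return va - IMAGE_BASE - TEXT_RVA + TEXT_RAW

LINE = re.compile(r":([0-9A-F]{8})\s+([0-9A-F]+)\s+(call|jmp|jg)\s+([0-9A-F]{8})", re.I)

def verify_listing(listing):
    """Per branch line: (va, decoded mnemonic, decoded mnemonic+target match listing)."""
    out = []
    for m in LINE.finditer(listing):
        va, code, mnem, shown = int(m[1], 16), bytes.fromhex(m[2]), m[3].lower(), int(m[4], 16)
        got_mnem, got_target = decode_branch(va, code)
        out.append((va, got_mnem, got_mnem == mnem and got_target == shown))
    return out

LISTING = """
:0046B29D E898E40700 Call 004E973A
:0046B2A7 EB28 jmp 0046B2D1
:0046A284 0F8F1F100000 jg 0046B2A9
:0046A2A1 0F8F02100000 jg 0046B2A9
:0046A2A7 E8E4160000 call 0046B990
"""  # branch lines copied from the listing above
```

Every quoted branch decodes to the target W32Dasm printed, and both jg lines map to the file offsets the text reports. Comparing the decoded mnemonic at those two offsets against the shipped build is exactly what a file-integrity check relies on to notice that a conditional branch has been replaced.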
Close W32Dsm.
We are now doing some changes in the file so make a backup first.
Open "omnipweb.exe" with Hiew. Press [F4] to change this weird text view to 'Decode'.
Ah, this looks better. Now we must go to the jump-offsets. Press [F5] and type the first
offset:
69684
Press [F3] to edit the file. Then switch to 'Asm' with [F2]. Now you can input instructions
and Hiew will automatically code it. Type the instruction:
jmp 6968A
Press [ESC] to return to the listing. Update the file with [F9] and go to the next location.
Again press [F3] and switch to 'Asm'. Type the instruction:
jmp 696A7
and return to the listing. Exit the program with [F10], update and run OmniPage. No matter
how long the program has been installed, the "expired" message will no longer appear!
Final Notes
As I stated in the intro, it is a simple crack. But if there are any
questions/comments, then you can E-Mail me at:
Cerberus_X@hotmail.com
Greets,
Cerberus