First i would like to thanks fravia, gthorne, the_owl, niabi, razzi, josephco and all of you guys that i can't remember now. This is my small contribution for the war against our beloved bill and Micro$oft, i hope you enjoy this tute.
Tools needed:
-Softice (I'm using v3.2)
-Wdasm
-Hex editor
Blackwindow v3.21
Blackwidow is an off-line browser and I find it pretty kewl (get
it at Tucows or any other shareware archive), but has some limitations.
This is a VB5 proggie, the exe is about 400 kb and has lots
of calls to the the big, fat C.
First i will crack the _blackwidow.exe (no browser) and _bwds.exe (this
exe is called to download the selected files), since this program as two
more exe files (the others, blackwidow.exe and bwds.exe, allow you to browse
through the downloaded files.
Now run the proggie a couple of times and check the protection type,
have u checked?
Ok there is stupid nag window that tells you how many days you have
left to evaluate ("You have XX days left
")**, and you can download
a maximum of 50 files each time (this really pisses me off), why can't
they let us evaluate the full working proggie, grrrrrrrrr, but we have
the possibility to register the proggie if we want to, it's a S/N protection.
Now change the date, say one month forward, now run the proggie again,
can u see the nag that tells u that your evaluation is over ("Your evaluation
period has expired
..")***? And if u try to explore any site , the same
nag will pop up and ask you to register.
How do we crack this one?
You can use razzi's techniques of hmemcpy and MultiBytetoWidechar
but you will get in some huge encryption and checksum routines,
damn there must be another way!!!
I lost a couple of days trying to crack the S/N and finally I decided
to try another approach.
I'll use a different approach that i've never seen in any tute. Remember,
that in vb4 proggies and vb5 as well, strings are in wide format. Let's
crack! First thing is to get a disassembled list of _blackwidow.exe. Have
u got it? Good let's go on. Can you see the huge amount of calls? (damn
VB programmers). Now check the imports
hmm
interesting name rtcMsgBox,
__vbalenBstr,
.etc., since we are going to use softice don't forget to
load Msvbvm50.dll exports into softice. Ok now run blackwidow, can u see
the nag? now we will set a breakpoint on blackwidow code, press Ctrl+D
to get into softice and type bpx __vbalenBstr (you can try bpx on
other function, but this one will work for sure), now Ctrl+D to get out
of softice and just try to register the proggie (just press the OK button)
and Softice will pop up at the beginning of __vbalenBstr, press F11 to
get out of the call and you will be inside blackwidow code. Now here's
the approach, we are going to search for the message in the nag, remember
- "You have XX days left
", but don't forget that the string is in wide
format. So we will search for "You have
"
| Character | ASCII |
| Y | 59 |
| o | 6f |
| u | 75 |
| (space) | 20 |
| h | 68 |
| a | 61 |
| v | 76 |
| e | 65 |
softice will probably find some memory locations with this string but only one will be inside blackwidow data, check the line that separates the data window from the window above if something like this appears:
-------------------_BLACKWIDOW!.text+1010C---------------------------------byte---------------------------------
then you found your string!!!!!!
Now just write down them mem location, mine is 411C0C, now disable
the breakpoint you set and go to your disassembled list and search for
'411C0C' (ATTENTION: ignore the code line with the offset '411C0C' we are
looking for the code where data offset '411C0C' is used, not code offset)
.....there is only one place where this address is used, look at the code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044486B(C)
|
:00444BCA 680C1C4100
push 00411C0C ;<----here 'You have % days left.....'
:00444BCF 50
push eax
Hmm...interesting isn't it? Let's go on now we will search for the string
that appears in the message when the evaluation period is over. We will
use the same method we used to find the first string, enable the breakpoint
and repeat the same procedure, when you're inside blackwidow code just
search for the string in the nag. So we will search for "Your evaluation
period has now expired
"
| Character | ASCII |
| Y | 59 |
| o | 6f |
| u | 75 |
| r | 72 |
| (space) | 20 |
| e | 65 |
| v | 76 |
| a | 61 |
| l | 6c |
Let's search.....in softice type - s 0 lffffffff 59 00 6f 00 75 00 72 00 20 00 65 00 76 00 61 00 6c
search until you find the string we are looking for inside blackwidow
data, check the line that separates the data window from the window above.
Write down the adress and search for it inside the disassembled list, once
again it will only appear once:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444850(U)
|
* Reference To: MSVBVM50.rtcGetTimer, Ord:0217h
|
:00444858 FF1590444600
Call dword ptr [00464490]
:0044485E A128E04500
mov eax, dword ptr [0045E028] ;eax=days left
:00444863 D91D30E04500
fstp dword ptr [0045E030]
;doesn't matter
:00444869 3BC3
cmp eax, ebx
;cmp eax with ebx, ebx=0
:0044486B 0F8F59030000
jg 00444BCA
;jmp if any days left, this jump will lead you to the nag
with "You have % days left.."
* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
|
:00444871 8B3DD0444600
mov edi, dword ptr [004644D0]
:00444877 BAB81B4100
mov edx, 00411BB8
;<------here
:0044487C 8D4DEC
lea ecx, dword ptr [ebp-14]
We found the place where the program decides which nag should
pop up, now let's take a look of the code just before this this call to
rtcGetTimer:
:0044471A 1BFF
sbb edi, edi
:0044471C F7DF
neg edi
:0044471E E8DD6A0100
call 0045B200
;<---what is this??
:00444723 33D2
xor edx, edx
;edx=0
:00444725 3DDABF0202
cmp eax, 0202BFDA
;cmp eax with some checksum
:0044472A 0F95C2
setne dl
;set dl=1 if not equal
:0044472D 0BFA
or edi, edx
;
:0044472F 750D
jne 0044473E
;jmp unregistered user---------------------------
:00444731 66391D78E04500 cmp word ptr [0045E078],
bx ;
|
:00444738 0F8403040000
je 00444B41
|
|
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|
|:0044472F(C)
|
|
|
:0044473E 833D28E0450001 cmp dword ptr [0045E028],
00000001 ;compare days left <------------------
:00444745 0F8C07010000 jl
00444852
;jmp if 0 days left
:0044474B 8D4598
lea eax, dword ptr [ebp-68]
:0044474E 50
push eax
* Reference To: MSVBVM50.rtcGetDateVar, Ord:0262h
|
:0044474F FF1508454600 Call
dword ptr [00464508]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444745(C)
|
* Reference To: MSVBVM50.__vbaStrMove, Ord:0000h
|
:00444852 8B3544454600
mov esi, dword ptr [00464544]; <--- here,
if 0 days left
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00444850(U)
|
* Reference To: MSVBVM50.rtcGetTimer, Ord:0217h
|
:00444858 FF1590444600
Call dword ptr [00464490]
:0044485E A128E04500
mov eax, dword ptr [0045E028] ;eax=days left
:00444863 D91D30E04500
fstp dword ptr [0045E030]
;doesn't matter
:00444869 3BC3
cmp eax, ebx
;cmp eax with ebx, ebx=0
:0044486B 0F8F59030000
jg 00444BCA
;jmp if any days left,
this jump will lead you to the nag
;with "You have % days left.."
* Reference To: MSVBVM50.__vbaStrCopy, Ord:0000h
|
:00444871 8B3DD0444600
mov edi, dword ptr [004644D0]
:00444877 BAB81B4100
mov edx, 00411BB8
;<------"Your evaluation period..."
:0044487C 8D4DEC
lea ecx, dword ptr [ebp-14]
.
.
.
.
.
.
.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044486B(C)
|
:00444BCA 680C1C4100
push 00411C0C ;<----here
'You have % days left.....'
:00444BCF 50
push eax
As you can see after this strange call
the value in EAX is compared and DL is set to 1 if eax different of 0202BFDA
if you are a registered user just go on, else check how many days are
left , there are 2 checks for this, the first one will check if you can
still use blackwidow and set it up, and the second one will decide which
nag should pop up. The mem location that stores the number of days left
(in my computer) is 45E028. So let's crack.... permanently, remember the
strange call just before the registered user check? Now check that address
(45b200 in my computer) and you'll see 9 calls to this routine, now write
down those 9 addresses and check each one of these 9 locations. Can u see
that after any of these call eax is compared with 202BFDA and that after
that there is a 'setne dl'. Look
0044471E E8DD6A0100
call 0045B200
:00444723 33D2
xor edx, edx
:00444725 3DDABF0202
cmp eax, 0202BFDA
:0044472A 0F95C2
setne dl
so to permanently crack this one you'll just need to change all 'setne
<reg>' that appear after the call to 'sete <reg>'.
The 'sete <reg>' opcode is OF94XX". It's done. Now let's check _bwds.exe,
this is the executable that _blackwidow.exe uses to download the files,
and this exe also checks for the registered user (if you aren't a registered
user you'll only be able to download a maximum of 50 files) and uses the
same routine to do it, so just search for the value that is compared
with eax after each call (0202BFDA), open your eax editor and search for
'DABF0202' and you will find two occurrences now just change the 0F95 bytes
to 0F94. And you will be able to download as many files as you want.
It's CRACKED, now just register with some fake serial.
I've tried this 'live string search' approach in some others VB5 proggies
and worked fine. Currently i'm doing a reference for Msvbvm50.dll functions
(i'll try to release it in a couple of weeks) so if you have reversed any
of those i would apreciate you could send it to me, to devils_cave@hotmail.com.