PSEdit v4.4
My first DOS Cracking Session
by ytc_ [tNO '99]

Target     : PSEdit v4.4
URL        : Not available (but the target can be found in ORCPAK1.ZIP at +Greythorne's website)
Tools used : Softice v3.x (I'm using the WinNT version)
             Hex editor (I used PSEdit v4.4 ;-)
             UNP v4.11
             Ralf Brown's Interrupt List (optional)
Protection : Nag screen
Level      : Beginners/Newbies
Introduction

Nothing much to say actually. I just had nothing else to do, so I looked into +ORC's essays and noticed that +he mentioned the 'Shareware version of Psedit', and found it in orcpak1.zip too. And I thought, "What the heck, let's see how good (or lame ;-) my first DOS cracking is after reading so many DOS cracking tutorials." I also assume that this is not the latest version of Psedit, but as +ORC said in his essays, "The best way to learn cracking is by cracking OLDER software with OLDER protection schemes."

Essay

I will assume that you have already set up your copy of Softice and know how to use it well, including knowing what the shortcut function keys are (F8, F10, F11 and F12). If not, I suggest you read some other essays on how to set up Softice first before continuing. I will also assume that you have a fair knowledge of assembly language.

Running psedit.exe, you will notice that if you open any file, you are greeted with a nag screen asking you to register Psedit. Pressing any key gets you out of this nag screen immediately and loads the file you want to edit.

Here, I thought that if a nag screen waits for a key to be pressed before it goes away, it must be sitting in some kind of loop and will jump out of it when a key is pressed. So, at the nag screen, Ctrl-D into Softice and trace a bit. Soon, you will come to a small loop as shown below (please take note that the addresses might be different).

0212:0B11  8B1E1A00            MOV     BX,[001A]
0212:0B15  3B1E1C00            CMP     BX,[001C]
0212:0B19  7517                JNZ     0B32
0212:0B1B  2EA1A009            MOV     AX,CS:[09A0]
0212:0B1F  2E3B06A809          CMP     AX,CS:[09A8]
0212:0B24  7307                JAE     0B2D
0212:0B26  2EFF06A409          INC     WORD PTR CS:[09A4]
0212:0B2B  EBE4                JMP     0B11
0212:0B2D  B401                MOV     AH,01
0212:0B2F  C4C4                LES     AX,SP
0212:0B31  16                  PUSH    SS
0212:0B32  58                  POP     AX
0212:0B33  C3                  RET

I don't think that anyone would need comments for this piece of code ;-). Unless your assembly really really sucks, and if it does, go read some assembly tutorials first. Here, place a breakpoint at 0212:0B32, Ctrl-D back to the program, press any key and you'll pop back into Softice, which proves that this is the 'check if a key is pressed' loop. Following the RET instruction, when you get back to the main module, you will find yourself right after an 'int 16' instruction (check your interrupt list to find out what this int does).

Following a few more ret, iret and/or retf instructions, you should eventually come across this part of the code.

0E8B:6635  1F                  POP     DS
0E8B:6636  0E                  PUSH    CS
0E8B:6637  E88EB6              CALL    1CC8
0E8B:663A  833E7D3600          CMP     WORD PTR [367D],00 <== flag check!!
0E8B:663F  7504                JNZ     6645 <== conditional jump!!!
0E8B:6641  0E                  PUSH    CS
0E8B:6642  E80A9F              CALL    054F <== call Nag_Screen
0E8B:6645  33C0                XOR     AX,AX <== you land here
0E8B:6647  33D2                XOR     DX,DX

BINGO!! We've found the protection scheme!! The memory location at [367D] stores our regged/unregged state. That location is compared to 00h, and if it is not zero the code jumps over the call to the Nag_Screen procedure. A VERY TYPICAL NAG SCREEN PROTECTION SCHEME FOUND EVEN IN SOME SHAREWARE TODAY (May 1999)!! Damn lazy programmers ;-). To make sure that this is the only check, we do another search for accesses to this memory location. In Softice, type :-

: S CS:0 L FFFF 7D 36

For those who don't know anything: remember that on x86, multi-byte values are stored in REVERSED ORDER (low byte first, i.e. little-endian). That is, if the memory location address is 367Dh, we should search for the byte pattern 7Dh, 36h.

Softice gave me two locations :-

Pattern found at 0E8B:000061AB (FFFF78FB)
Pattern found at 0E8B:0000663C (FFFF7D8C)

The second byte pattern match is where we stopped just now. Let's look at the first pattern match.

0E8B:6190  26FF7702            PUSH    WORD PTR ES:[BX+02]
0E8B:6194  26FF37              PUSH    WORD PTR ES:[BX]
0E8B:6197  68AB0A              PUSH    0AAB
0E8B:619A  1E                  PUSH    DS
0E8B:619B  684E23              PUSH    234E <== DS:234E points to string "PSEDIT"
0E8B:619E  1E                  PUSH    DS
0E8B:619F  687036              PUSH    3670 <== DS:3670 points to string "0000000000"
0E8B:61A2  0E                  PUSH    CS
0E8B:61A3  E8609E              CALL    0006 <== unknown call
0E8B:61A6  83C40E              ADD     SP,0E
0E8B:61A9  833E7D3600          CMP     WORD PTR [367D],00 <== here!!!
0E8B:61AE  751C                JNZ     61CC <== conditional jump!!!
0E8B:61B0  C45E08              LES     BX,[BP+08]
0E8B:61B3  26FF7702            PUSH    WORD PTR ES:[BX+02]
0E8B:61B7  26FF37              PUSH    WORD PTR ES:[BX]
0E8B:61BA  68AB0A              PUSH    0AAB
0E8B:61BD  1E                  PUSH    DS
0E8B:61BE  685523              PUSH    2355 <== DS:2355 points to string "BEDIT"
0E8B:61C1  1E                  PUSH    DS
0E8B:61C2  687036              PUSH    3670 <== DS:3670 points to string "0000000000"
0E8B:61C5  0E                  PUSH    CS
0E8B:61C6  E83D9E              CALL    0006 <== unknown call
0E8B:61C9  83C40E              ADD     SP,0E
0E8B:61CC  C45E08              LES     BX,[BP+08] <== conditional jump at 61AE points here
0E8B:61CF  268B5706            MOV     DX,ES:[BX+06]

At this point, I can't seem to make head or tail of this piece of code. Placing a bpx on the compare location and a bpm on memory location 367Dh doesn't help either, because I can't seem to make Psedit execute this part of the code. So I guessed that this section can be left alone. IF SOMEONE OUT THERE CAN POINT OUT TO ME WHERE I WENT WRONG, PLEASE INFORM ME ABOUT IT. Now let us get back to the main crack.

Open psedit.exe with a hex editor (like Psedit ;-) and search for the byte pattern 833E7D36007504. Hey!! How come there's no matching pattern?! First guess: this file is packed!! Time for UNP v4.11 to get into the scene.

>unp psedit.exe psedit1.exe

UNP 4.11 Executable file restore utility, written by Ben Castrium, 05/30/95

processing file : PSEDIT.EXE
DOS file size   : 65862
file-structure  : executable (EXE)
EXE part sizes  : header 32 bytes, image 65830 bytes, overlay 0 bytes
processed with  : LZEXE V0.91 or V1.00a
action          : decompressing... done
new file size   : 129920
writing to file : PSEDIT1.EXE
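To see where the three sizes in that UNP report come from (and why the in-memory byte pattern is not in the packed file until the load image is restored), here is an added example that is not part of the original essay or of UNP: a small Python parser for the standard DOS MZ header, run over a constructed header carrying the same numbers UNP printed for PSEDIT.EXE, plus the little-endian search for the [367D] operand described earlier.

```python
import struct

# First 28 bytes of a DOS MZ header, all little-endian words:
# e_magic, e_cblp, e_cp, e_crlc, e_cparhdr, e_minalloc, e_maxalloc,
# e_ss, e_sp, e_csum, e_ip, e_cs, e_lfarlc, e_ovno
MZ_FIELDS = struct.Struct("<2sHHHHHHHHHHHHH")


def mz_layout(data):
    """Return the header/image/overlay sizes UNP reports, or None if not MZ."""
    if len(data) < MZ_FIELDS.size or data[:2] not in (b"MZ", b"ZM"):
        return None
    f = MZ_FIELDS.unpack_from(data)
    e_cblp, e_cp, e_cparhdr = f[1], f[2], f[4]
    # e_cp counts 512-byte pages; e_cblp is how many bytes of the last
    # page are used (0 means the last page is full).
    exe_size = e_cp * 512
    if e_cblp:
        exe_size -= 512 - e_cblp
    header = e_cparhdr * 16                 # header length is in paragraphs
    image = exe_size - header               # the part DOS actually loads
    overlay = max(len(data) - exe_size, 0)  # trailing bytes DOS ignores
    return {"header": header, "image": image, "overlay": overlay}


def word_operand_pattern(addr):
    """Bytes a 16-bit displacement occupies inside an x86 instruction (low byte first)."""
    return struct.pack("<H", addr)


def find_word_operand(data, addr):
    """All offsets at which the little-endian encoding of addr appears in data."""
    pat = word_operand_pattern(addr)
    hits, pos = [], data.find(pat)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pat, pos + 1)
    return hits


# Constructed sample (not the real file): a header describing a 65862-byte EXE
# with a 32-byte header and no overlay, followed by a load image of 65830 bytes
# that contains the CMP WORD PTR [367D],00 / JNZ encoding from the essay.
SAMPLE_HEADER = MZ_FIELDS.pack(b"MZ", 326, 129, 0, 2, 0, 0xFFFF, 0, 0, 0, 0, 0, 0x1C, 0)
SAMPLE_HEADER += b"\0" * (32 - len(SAMPLE_HEADER))
SAMPLE_IMAGE = b"\x90" * 16 + bytes.fromhex("833E7D36007504")
SAMPLE_IMAGE += b"\0" * (65830 - len(SAMPLE_IMAGE))
SAMPLE_EXE = SAMPLE_HEADER + SAMPLE_IMAGE

if __name__ == "__main__":
    print(mz_layout(SAMPLE_EXE))                 # header 32, image 65830, overlay 0
    print(find_word_operand(SAMPLE_EXE, 0x367D))  # offset of the 7D 36 operand
```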

OK, time for more action! Search for the byte pattern again and you should find ONLY ONE HIT. Change the byte 75h to EBh. And for those who don't know anything again: 75h is the opcode for JNZ/JNE, 74h is for JZ/JE and EBh is for a (short) JMP.

Rerun psedit1.exe, open a file, and did the nag pop up? No!! That's my first DOS proggie cracked ;-).

Final Notes

I must say, this cracking session was pretty interesting. Firstly, because this was my first DOS cracking session. And secondly, because I learnt something new about DOS interrupts ;-)

Greets

There's a lot of people that I know, so I'll just greet everyone, especially those in #tno, #win32asm, #cracking4newbies and #cracking at EFNet.

Email   : y_t_c@usa.net
Website : http://ytc98.cjb.net