odin's_________ _______ ______ _____________
____\ /____\ /________\ /____| /_____/_______ _________
/ _____/ _____/ __ ___/ '____/ / | \ _____/___
/ | \ || | | | \ . \ | | | \__ /
\_____ \___| \____ |____ \___| \___|____| |_____ |
|_______/ <hook> `----' |_____/ |______/ |____| |_____|
tutorial v1.51
Cracking/Patching SoftArt's Deskey v1.02.010
X. TABLE OF CONTENTS
1. FOREWARDS
2. INTRODUCTION
3. TOOLS USED FOR THIS
4. THE CRACKING STARTS
5. MAKING A PATCH
6. THE URL'S
1. Forewards
Welcome. So how come you're interested in reading this tutorial?
Perhaps you think cracking is cool and seems easy, and that cracking
is a way to be famous on the internet today. Well, if you think like
this please stop reading now. Why? Mainly because most crackers don't
crack because they think it's "cool." and want to be famous. Cracking
is something they actually do because they think its a great thing to
spend their precious time on, believe it or not. Most crackers, not to
say all, also code in one or several computer languages.
On the other hand if you're very interested in how computers work
internally, and you like to program in languages like Pascal, C++ and
Assembler, then I believe this tutorial is worth reading for people
such as you, and you might even learn something from it.
If you're the third category, you've been learning cracking for some
time now and read every little article about cracking you can get,
then this tutorial also is very good to read. You can always learn
something that you didn't know before. Even I can learn things I
didn't know by listening to others and reading various text files.
To become a cracker will take several years. And to become a good
cracker will take even longer. The key to success is practice and, in
my point of view, learning and listening to other crackers.
I'll skip the most things about how SoftICE works because there are
several good tutorials out about that. One is Exact's SoftICE
tutorial, very good and recommended reading.
2. Introduction
This text files purpose is to show and hopefully learn you how to
patch away a time limit of a program. The program we will use is
SoftArt's Deskey. It isn't necessary to patch this program because you
can also enter a registration code in the registry to get the program
to work fully, but then you have to write a keymaker because the code
depends on the Windows name and company (the one you enter when you
installed Windows 95). So we're going to do it the lazy way and patch
it. There are of course other ways to do this crack.
3. Tools you will need for this
(1) SoftICE 2.0/3.0, of course, our beloved debugger.
(2) Ultra Edit or another good hex editor.
(3) A patch generator, or if you write the patch yourself as I do.
4. The cracking starts
Ok, let's begin with removing the semicolon from the user32.dll and
kernel32.dll lines in SOFTICE.DAT if you haven't done so already.
Now let's do some detective work, by checking the Deskey help file.
You'll notice that this program will stop working after 60 minutes.
This limit is what we're going to remove. There are a few possible
solutions for the programmer to obtain this limit. To check which
functions the program use, let's test the approach Qapla used in his
tutorial:
Start the explorer and press the right mouse button on the Deskey exe
file. Now choose Quick-View. You'll notice all the calls the program
uses and which dll's store the code for the calls. When you look at
them, you'll notice some interesting functions.
Import Table
...
KERNEL32.dll
Ordinal Function Name
... ...
008f FreeLibrary
0188 MultiByteToWideChar
011d GetSystemTime <----- Interesting
00e4 GetLocalTime <----- Interesting
025d lstrcmpiA
00ca GetDateFormatA
... ...
USER32.dll
Ordinal Function Name
... ...
00ec GetDlgItemTextA
007d DefWindowProcA
01fe SetTimer <----- Interesting
01a2 PostMessageA
0224 TrackPopupMenu
01b8 RemoveMenu
... ...
Ok, as you see I'm interested in 3 different calls. We can try to see
if the program uses KERNEL32!GetSystemTime(); and
KERNEL32!GetLocalTime();. Enter SoftICE and put a breakpoint on these
two. Enable them just when you're about to start the program. If you
do it before, you risc to break on these calls used by another
program. So just before you start Deskey, enable these.
Now you started it and program pops up in the traybar. Nothing
happens. Oh well, then we can exclude these ones. Actually a cracker
might have excluded them from the beginning and tried some other calls
first. Why? Probably because a programmer usually uses these calls if
the program has a 30-day limit, not a 60-minutes one.
We have one left to test, USER32!SetTimer();. Exit Deskey and put a
breakpoint on SetTimer(); just before you start Deskey.
Finally, SoftICE detected the use of this function by Deskey. Press
F11. It should look something like this now:
.
.
.
0137:0040397F 833D1890400000 CMP DWORD PTR [00409018], 00
0137:00403986 7409 JZ 00403991
0137:00403988 833D1C90400000 CMP DWORD PTR [0040901C], 00
0137:0040398F 7421 JZ 004039B2
0137:00403991 6A00 PUSH 00
0137:00403993 A128904000 MOV EAX,[00409028]
0137:00403998 6880EE3600 PUSH 0036EE80
0137:0040399D 6834120000 PUSH 00001234
0137:004039A2 50 PUSH EAX
0137:004039A3 FF158CB44000 CALL [USER32!SetTimerA] <-- you're here
0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC]
0137:004039B0 EB12 JMP 004039C4
0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC]
0137:004039B0 EB09 JMP 004039C4
0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC]
0137:004039B0 EB07 JMP 004039CB
.
.
.
Let's check the SetTimerA function in our we-cant-be-without-it API
guide:
The SetTimer function creates a timer with the specified time-out value.
UINT SetTimer(
HWND hwnd, // handle of window for timer messages
UINT idTimer, // timer identifier
UINT uTimeout, // time-out value
TIMERPROC tmprc // address of timer procedure
);
.
.
.
uTimeout
Specifies the time-out value, in milliseconds.
.
.
.
Aha, let's check on the code again:
0137:00403991 6A00 PUSH 00 <-- tmprc
0137:00403993 A128904000 MOV EAX,[00409028] <-- pushed later
0137:00403998 6880EE3600 PUSH 0036EE80 <-- uTimeout
0137:0040399D 6834120000 PUSH 00001234 <-- idTimer
0137:004039A2 50 PUSH EAX <-- HWND
0137:004039A3 FF158CB44000 CALL [USER32!SetTimerA] <-- you're here
Hmm, very interesting indeed, let's check the value 0036EE80 in the
SoftICE debugger:
:? 36ee80
0036EE80 0003600000 "6¯Ç"
An even and nice value. And if you read further in the API help file
you'll notice that the uTimeout should be in milliseconds. 1 second is
1000 milliseconds. Let's do some calculating:
3600000/1000=3600 seconds.
60 seconds*60 minutes=3600 seconds, which is 1 hour
We've found the right one! This call creates a timer which will be
checked when the program process the WM_TIMER message from Windows.
The WM_TIMER message is sent when 1 hour has past. Let's check the API
reference once more:
WM_TIMER
wTimerID = wParam; // timer identifier
tmprc = (TIMERPROC *) lParam; // address of timer callback
The WM_TIMER message is posted to the installing thread's message
queue or sent to the appropriate TimerProc callback function after
each interval specified in the SetTimer function used to install a
timer.
.
.
.
So now we know where he creates the timer. If you remove this
SetTimer(); call the WM_TIMER message will never be sent, resulting in
that the 60 minute limit will be REMOVED!! Let's take a look at this
example code below:
SetTimer(hwnd, idTimer, 0x36EE80, tmprc);
^-- hex value
WM_TIMER: { <-- this structure is reached when
PostQuitMessage(0); the hex value above reach 0. If
^-- will exit the program the timer never is set this
} structure wont be reached.
This is very simple to understand, I hope :-).
So perhaps you think, "hey, let's NOP away the whole structure"
(for those of you not familiar with NOP: it means NO OPERATION
and are very commonly used when patching. The computer will do
nothing when it executes this instruction.)
Nono stop! Don't NOP away the whole call. Well first of all a good
rule when patching is that, never alter the code more then you
actually need. It looks nice (who'll notice anyway), and it decreases
the chance of program crash due to doing something stupid. So how
should we do instead? Well let's check that code once more:
.
.
.
0137:0040397F 833D1890400000 CMP DWORD PTR [00409018], 00
0137:00403986 7409 JZ 00403991
0137:00403988 833D1C90400000 CMP DWORD PTR [0040901C], 00
0137:0040398F 7421 JZ 004039B2
0137:00403991 6A00 PUSH 00
0137:00403993 A128904000 MOV EAX,[00409028]
0137:00403998 6880EE3600 PUSH 0036EE80
0137:0040399D 6834120000 PUSH 00001234
0137:004039A2 50 PUSH EAX
0137:004039A3 FF158CB44000 CALL [USER32!SetTimerA] <-- you're here
0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC]
0137:004039B0 EB12 JMP 004039C4
0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC]
0137:004039B0 EB09 JMP 004039C4
0137:004039A9 8BBC24AC060000 MOV EDI,[ESP+000006AC]
0137:004039B0 EB07 JMP 004039CB
.
.
.
The CMP (compare) instructions above seems very interesting.
As you might notice, the one at 00403986 will jump to 00403991 and
start the timer. If you check the JZ at 0040398F it will go to
004039B2 and therefor jump over the timer, resulting in that there
will be no time limit. So to solve this simple problem just change the
JZ 00403991 at 00403986 to JMP 004039B2 instead. Like this:
0137:00403986 7409 JZ 00403991
---> to --->
0137:00403986 EB2A JMP 004039B2
Now let's apply the patch to the exe file. Load up your favorite hex
editor. In this case I'll use Ultra Edit. Now load the exe file.
Choose search and enter the following bytes: 68 80 EE 36 00.
So why do we search after these? Well that's very easy. Check the code
once again:
0137:00403993 A128904000 MOV EAX,[00409028]
0137:00403998 6880EE3600 PUSH 0036EE80 <--- this one
0137:0040399D 6834120000 PUSH 00001234
As you see these bytes stands for the instruction PUSH 0036EE80.
"Uhu, I don't have those cryptic numbers to the left of my
instructions!!". Well that's easy to fix. Just write 'code on' and
you'll see these cryptic numbers, also known as OPerand codes.
"Why didn't you search 83 3D 18 90 40 00 00 for example?". Well that's
because I know the ones we searched for only exists one time in the
exe file. The one mentioned above (83 3D...) exists several times, so
you cannot actually know which of those to use, if you don't check the
surrounding bytes that is. Always do "search next" so you are sure
that that byte combination doesn't exist somewhere else in the file.
Now let's change the bytes needed. Some bytes above '68 80 EE 36 00'
you will find '74 09' which is the JZ 00403991 instruction. This is
the two bytes we want to change. So how do you know which numbers to
actually change to? That's also easy. In the debugger when you're
looking at the code just use the 'a' command. Like This:
0137:0040397F 833D1890400000 CMP DWORD PTR [00409018], 00
0137:00403986 7409 JZ 00403991
0137:00403988 833D1C90400000 CMP DWORD PTR [0040901C], 00
----------------------------------------^ code window ^ -----
:a 00403986 JMP 004039B2
----------------------------------------^ prompt ^-----------
This will change the instruction at 00403986 and a new code will pop
up, EB2A. So this is the code you want to change for the 7409 one.
Remember, that if you use the 'a' command it will not change the code
permanently, only temporary. That's why we have to use a hex editor.
So go to the '74 09' bytes and change it to 'EB 2A'.
Now save the exe file, voila! That's it. Now start the program up and
test if it works. If SoftICE doesn't break on SetTimer(); it probably
worked. If it does, read this all again :-).
One thing has to be said also. If you for example want to change a
instruction with the opcode 'C1 E1 10' (3 bytes) to a instruction that
only has a 2 byte opcode, for example '0B D1', you have to NOP away
the last byte. NOP has the hex value 90.
Like this:
C1 E1 10 becomes ---> 0B D1 90
SHL ECX, 10 becomes ---> OR EDX, ECX <- 0B D1
NOP <- 90
As you see I change the F3 to 90 and therefore put the instruction NOP
there. If you didn't do this the chance of a program crash would be
98%.
That's all. To patch is very simple, but to find the bytes to change
is harder. Remember that the byte combination can exist somewhere else
so check the surrounding bytes.
5. Making the patch
Now it's time to make this patch available to the public. To write
something like "uhu change the bytes at blabla to blabla" doesn't look
that good, does it? So now it's time to make a exe file that changes
those bytes asap so the user don't have to use Ultra Edit every time.
I've included a program in Pascal done for this task. There are also
several good patch generators.
One for Windows 95, that I strongly recommend, is Qapla's PatchIt '97.
It's fast and nice interface (happy now Qapla :-)
To convert this program to C++ should be easy. You have to know one
more thing to make a patch, where the bytes are located in the file.
This is called "offset.", to check the offset just go to the bytes you
changed, and look at the status bar in Ultra Edit, it should say the
offset (pos) in hex.
I did the patch in Turbo Pascal 7, most would probably do it in Asm
:). Anyway, here is the patch:
---------------------------------------------------------------------
---------------------------------------------------------------------
Program Patcher;
Uses Crt;
Const offset : Longint = $2D86; { $ means a hex value }
bytes : Byte = 2;
len : Longint = 51200; { file length }
orgbytes : Array[1..2] Of Byte = ($74, $09);
newbytes : Array[1..2] Of Byte = ($EB, $2A);
{---------------------------------------------------------}
filename : String[12] = 'DESKEY.EXE';
errnof : String[43] = ' ERROR: File DESKEY.EXE was not found.';
errver : String[36] = ' ERROR: File size is not correct.';
errpch : String[36] = ' ERROR: File seems to be patched.';
msgdon : String[21] = ' Patch successful!';
ask : String[26] = ' Continue anyway? (Y/N)';
Procedure message(message : String);
Begin
WriteLn;
WriteLn(message);
Halt;
End;
Procedure patchfile;
Var fil : File Of Byte;
teck : Byte;
n : Byte;
ch : Char;
Begin
Assign(fil, filename);
{$I-}
Reset(fil);
{$I+}
If (Not(IOResult=0)) Then message(errnof);
If (Not(FileSize(fil)=len)) Then
Begin
WriteLn;
WriteLn(errver);
WriteLn(ask);
Repeat Until Keypressed;
ch:=ReadKey;
If Upcase(ch)='N' Then Halt;
End;
Seek(fil, offset);
For n:=1 To bytes Do
Begin
Read(fil, teck);
If (Not(teck=orgbytes[n])) Then message(errpch);
End;
Seek(fil, offset);
For n:=1 To bytes Do Write(fil, newbytes[n]);
Close(fil);
WriteLn;
WriteLn(msgdon);
Halt;
End;
Begin
WriteLn;
WriteLn(' SoftArts Deskey v1.02.010 Patch');
WriteLn(' By ODIN / RBS^TFT^PIE in 1997');
patchfile;
End.
---------------------------------------------------------------------
---------------------------------------------------------------------
Some final words.
Take some programs and play with patching them in various ways. This
gives you experience, and hopefully you'll become a better cracker.
Thanks to Qapla, kOUGER, Hook and Tgunner for help while making this
tutorial.
A special greeting goes to ED!SON.
6. THE URL'S
My E-Mail : cracking@usa.net
SoftArts Deskey v1.02.010 : http://www.spiresoft.com
Ultra Edit vX : http://www.windows95.com/apps/