_CbD_ Tutorial #3
Function Disabled Protections Defeated
Date: 7-28-97
Target: WinScan version 2.0.06

About the Protection:

Function Disabled Protections are very common nowadays and are one of the most popular among high priced software or specialty software. But their days of stopping us are over........ Now !!!!!!

Target: WinScan ver 2.0.06

WinScan is an intelligent scan, trace and vector editing program designed for use with TWAIN compliant scanners and popular vector illustration packages such as CorelDRAW. This is a very handy program if you are in the graphics industry or if you make vinyl signs with plotters (As I Do)...

Where to get it: http://www.airmark.com/

Tools Needed:
  SoftIce (SI) (Required)
  W32dasm (optional)
  Hiew Hexeditor (included with Tutorial) (Required)
  Borland Resource Workshop (optional)

Pre Crack Notes:

Ok, there are several different steps in this crack and there are really 3 cracks that will be done; each one of them will have several steps. If you don't have the optional tools above you will only be able to complete the first 2 parts of this tutorial (the important ones). The last section of the crack only removes the DEMO messages at start and in the About box; it will change them to the registered messages instead.. (Big Deal, I know)...

The Crack..........

Ok, you should have gotten the programs you need by now, so let's start the crack.

Step #1:

Fire up your program (WinScan) and have a look at it. You should see the big ugly blue box that says this is a DEMO version of the program (like we didn't know this); it is not that big of a deal because it goes away if you click on it. But now open one of the sample .bmp files that are in the WinScan dir. Now try to save the file; you will get a box that says "This Command is not Allowed Blah Blah Blah". Ok, so it doesn't want us to save, but we want to. I mean shit, how can you evaluate software if you can't save the work to see its quality?
Well, I don't think you can, so we will cure this problem :-). Just remember that this little message came to us in the form of a message box.

Step #2:

Now we have a good idea that we are getting the nag from a message box, so if we can break at the message we can see what calls it, right? Or we could use W32dasm and locate the point where the message is called. Well, that would take a bit longer to trace out the code that calls it, so we will save that for later, or for those that want to learn a bit more about finding this type of protection call. So for now we are just gonna use SI (as it is all that is really needed) to break on the message that we get when we try to save. So let's start....

First press Ctrl-D to get into SI (SoftIce) and let's see what we have here. Let's see if we have any breakpoints left over from a project that you were working on before you started this one, so do this:

  BL

This will give you a listing of all breakpoints you have set in SI. Well, we don't want those to cause us problems in this crack, so we will do one of 2 things:

  (1) Clear them with BC *
  (2) Disable them with BD *

If you don't need the BP's (BreakPoints) you can clear them; if you will need them for another project then just disable them for now. Ok, now that we have that out of the way (bear in mind I write my tuts so anyone can follow them even if they have never cracked before), let's set the breakpoint that we will need for this crack, so do this:

  BPX MESSAGEBOXA   <--- This will make SI break when the call to the MessageBox is made.

For now that is the only one we need, so let's Ctrl-D back to our target WinScan.

Step #3:

Ok, now let's set all this in motion. So try to save this file with [SAVE] from the menu or the Disk icon in the toolbar. Boom, to SoftIce we go. Now we are in SI at the point where our program is ready to show us the nag.
Now let's think about what we want to do here: (1) we want to find out where this call came from, (2) we want to make it go to the real Save dialog box and not this nag. So we will do an F11 so we can get back to what called this function. You will pop back into WinScan where you will see the nag. Press Ok and you will pop back to SI. Now we are not there yet, cause if you look on the line between the Command window and the Code window you will see MFC blah blah blah. Well, this is the place that our message box was called from, but this is not our program; our program called this to get the box. So what we will do is press F10 (single step) till we get back to our program, so press F10 till you see WinScan on the line between the Command and Code windows. When you get there you should see something like the following (note the addresses may not be the same on yours):

  0137:00455AF5 CALL 0045D800       <----- This is what calls our little MessageBox
  0137:00455AFA JMP 00455B1E        <---- Ok we told him he can't save so let's go back
  0137:00455AFC MOV ECX,[EBP-14]    <---- not important

Ok, now we found the call, so let's scroll up a few lines and see what we can see. It should look like this (note the addresses may not be the same on yours):

  0137:00455AE0 MOV EAX,[EAX+4]                  <--- set demo flag
  0137:00455AE3 CMP DWORD PTR [EAX+000000C4],00  <--- check and see if this is a demo ver
  0137:00455AEA JZ 00455B16                      <---- if Zero then this is a Full ver, else this is a Demo
  0137:00455AEC PUSH FF                          <--- save some info
  0137:00455AEE PUSH 10                          <--- save some more info
  0137:00455AF0 PUSH 0000009D                    <--- yup, save even more info
  0137:00455AF5 CALL 0045D800                    <----- This is what calls our little MessageBox
  0137:00455AFA JMP 00455B1E                     <---- Ok we told him he can't save so let's go on working
  0137:00455AFC MOV ECX,[EBP-14]                 <---- not important

Ok, if you look real close I think you can see what we need to do now, and if you can't I will tell you:

  0137:00455AEA JZ 00455B16

This jump here will send us to the real Save dialog that we want.
So we need to change the JZ to a JNZ so that the program will think that if we are a DEMO we should jump to the real Save dialog and not the nag. But before we do this, let's get some info that we will need for Part 2 of the crack, so do a

  D xxxx:00455AEA

(xxxx is the address you see). Now look in your Data window for something like this:

  0137:00455AEA 74 2A 6A FF 6A 10 68 9D - 00 00 00 E8 06 7D 00 00
                ^  ^  ^  ^  ^  ^  ^  ^

You will need all the byte values that have a ^ under them, so write them down. (Note: if you do not have a Data window just above your Code window, type WD and press enter in the Command window and it should open up. You should also have your Registers window open as well; to do this type WR and press enter in the Command window.)

Well, let's see if we are right. Do this:

  A xxxx:00455AEA

and press enter (note: where the xxxx is, put the right address you see on your screen). Now you should see something like this:

  A xxxx:00455AEA
  xxxx:00455AEA

In your Command window you need to type in this:

  JNZ 00455B16

then press enter, and then press enter again to get back to the command line. Now let's see if this works, so press Ctrl-D and when you pop back to WinScan try to save again. WOW, you can now save.

Well, the only thing is that you can't use the Save As function, so we need to fix that too. To do this we follow the same steps as above, but instead of pressing Save we press Save As from the menu, and you will break right back in the same message that you did before. You need only follow the same steps as above to get back to the WinScan call, then scroll back up and find the JZ that will send us to where we want to go. If you can't seem to make it work, here are the steps for this one:

Step #1:

Ok, now let's set all this in motion. So try to save this file with [SAVE AS] from the menu. Boom, to SoftIce we go. Now we are back in SI at the same point where our program is ready to show us the nag.
Now let's think about what we want to do here: (1) we want to find out where this call came from, (2) we want to make it go to the real Save dialog box and not this nag. So we will do an F11 so we can get back to what called this function. You will pop back into WinScan where you will see the nag. Press Ok and you will pop back to SI. Now we are not there yet, cause if you look on the line between the Command window and the Code window you will see MFC blah blah blah. Well, this is the place that our message box was called from, but this is not our program; our program called this to get the box. So what we will do is press F10 (single step) till we get back to our program, so press F10 till you see WinScan on the line between the Command and Code windows. When you get there you should see something like the following (note the addresses may not be the same on yours):

  0137:00455BD5 CALL 0045D800       <----- This is what calls our little MessageBox
  0137:00455BDA JMP 00455BFE        <---- Ok we told him he can't save so let's go back
  0137:00455BDC MOV ECX,[EBP-14]    <---- not important

Ok, now we found the call, so let's scroll up a few lines and see what we can see. It should look like this (note the addresses may not be the same on yours):

  0137:00455BC0 MOV EAX,[EAX+4]                  <--- set demo flag
  0137:00455BC3 CMP DWORD PTR [EAX+000000C4],00  <--- check and see if this is a demo ver
  0137:00455BCA JZ 00455BF6                      <---- if Zero then this is a Full ver, else this is a Demo
  0137:00455BCC PUSH FF                          <--- save some info
  0137:00455BDE PUSH 10                          <--- save some more info
  0137:00455BD0 PUSH 0000009D                    <--- yup, save even more info
  0137:00455BD5 CALL 0045D800                    <----- This is what calls our little MessageBox
  0137:00455BDA JMP 00455BFE                     <---- Ok we told him he can't save so let's go on working
  0137:00455BDC MOV ECX,[EBP-14]                 <---- not important

Ok, if you look real close I think you can see what we need to do now, and if you can't I will tell you:

  0137:00455BCA JZ 00455BF6

This jump here will send us to the real Save dialog that we want.
So we need to change the JZ to a JNZ so that the program will think that if we are a DEMO we should jump to the real Save dialog and not the nag. Well, let's see if we are right. Do this:

  A xxxx:00455BCA

and press enter (note: where the xxxx is, put the right address you see on your screen). Now you should see something like this:

  A xxxx:00455BCA
  xxxx:00455BCA

In your Command window you need to type in this:

  JNZ 00455BF6

then press enter, and then press enter again to get back to the command line. Now let's see if this works, so press Ctrl-D and when you pop back to WinScan try to Save As again. WOW, you can now Save As. Now isn't this fun? Well, the only thing is that this will only work till we exit our program; when we restart it the nags will be right back, so now we need to make a real crack for our program. So on to Part 2 of this crack.

Part 2: Hex Editing our program

Well, let's make sure we have all the info we will need.. Remember the things I told you to write down? Well, I hope you did ;-) and if not, then here it is:

  xxxx:00455AEA 74 2A 6A FF 6A 10 68 9D

We will need this in Hiew to search for the jumps we need to change (by the way, you should print this file to make life easier on you). Let's make a backup copy of our file; you can name it whatever you wish (I used WinScan.cbd), just don't use .bak as this is needed elsewhere. So let's fire up Hiew. To do this we will need to have the program and Hiew in the same directory; I use a Temp dir and copy both files to it (Hiew and WinScan.cbd). Now at a DOS prompt type (the numbers in ( ) are the steps):

  (1) Hiew WinScan.cbd (or whatever you named it)

Now you will be in the Hiew program and will see a bunch of shit that makes no sense whatsoever.

  (2) So press the F4 key to get the Hex view (or whatever the key is at the bottom).

Now we will have to search for our command, and in order to do this we will need the numbers above.

  (3) So press F7, then enter the numbers above, i.e. (74 2A 6A FF 6A 10 68 9D), and press enter.
Then you will land at the first match it found.

  (4) You should press F2 to get the ASM code of the above string.
  (5) Then press F3 to edit it.
  (6) You will get a box that will show you a je and an address; you just need to change the je to JNZ, then press enter.
  (7) Now press F9 to update.
  (8) And press F10 to quit.

Now restart Hiew and do each step over again. The first one is the Save function; if you do it again you will be in the Save As function, and if you do it a third time you will be in the Save Vectors function (not talked about because you must have a scanner to use it), but go ahead and crack it too..

Well, that is it. After all that you will have a fully working program that will work forever. Now if you wish to get rid of the DEMO screens that you see when you start the program and in the About box, you can continue to Part 3 of the crack (must have Borland Resource Workshop).

Part 3: Removing the Demo Screens

Start BRW and locate the bitmaps that represent the Demo messages:

  239 <--- About Box BitMap
  240 <---- Start up BitMap

Now let's find the ones for the Full version:

  102 <--- Startup BitMap
  159 <--- About Box BitMap

Now all you have to do is delete 239 and 240, then select 102 and make a Duplicate of it (right click of the mouse and you will see Duplicate), then do the same for 159. After you have done this it will rename them to something like BitMap1 and BitMap2; well, rename the copy of 102 to 240 and the copy of 159 to 239, and that is it, you now will see the Full Version screens when you run your program. Although this is not needed for the crack to work, this is just another thing you can do to remove the DEMO nags. But seeing how if you like the program you are going to buy it (RIGHT), you really need not do this part ;-)

Part 4: Yeah I know I said 3 parts, but read on

Well, if you wish to make a crack that you can distribute to others then you can get a program like gpatch or write your own in your favorite language to do all of the above changes....
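A look at the same bytes from the other side, as an added example that is not part of _CbD_'s tutorial and not anything shipped with WinScan, Hiew or gpatch. The whole protection rests on one opcode byte (74 = JZ), and a vendor or an analyst who wants to know whether a copy in circulation has been tampered with does not need to find that byte by hand: keep a SHA-256 of the original file, and when a suspect copy's hash differs, list the differing bytes and decode them. The decoder covers all sixteen x86 short conditional jumps (opcodes 70-7F, where bit 0 of the opcode selects the inverted condition), so it goes a bit beyond the JZ/JNZ pair shown above. The two "images" are constructed inline from the 16 bytes the SoftIce data window showed, padded with filler; the filler, the offsets and the function names are my assumptions, not anything from the real file.

```python
"""Added example (not from the tutorial): tamper detection for a shipped binary.
Compare a suspect copy with a known-good reference, and when the hashes differ,
report each changed byte, naming flipped short conditional jumps explicitly."""
import hashlib

# x86 short conditional jumps: one opcode byte followed by a rel8 displacement,
# exactly the form of the tutorial's "74 2A" (JZ +2A).  Opcodes come in pairs
# that differ only in bit 0, which inverts the condition (74 JZ <-> 75 JNZ).
SHORT_JCC = {
    0x70: "JO", 0x71: "JNO", 0x72: "JB", 0x73: "JNB", 0x74: "JZ", 0x75: "JNZ",
    0x76: "JBE", 0x77: "JA", 0x78: "JS", 0x79: "JNS", 0x7A: "JP", 0x7B: "JNP",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}


def sha256_hex(data: bytes) -> str:
    """Hex digest used as the integrity reference for the original file."""
    return hashlib.sha256(data).hexdigest()


def diff_bytes(reference: bytes, suspect: bytes) -> list:
    """Return (offset, original_byte, new_byte) for every differing position."""
    if len(reference) != len(suspect):
        raise ValueError("size differs: %d vs %d bytes" % (len(reference), len(suspect)))
    return [(i, a, b) for i, (a, b) in enumerate(zip(reference, suspect)) if a != b]


def describe_change(offset: int, old: int, new: int) -> str:
    """Name one byte change; if both bytes are short Jcc opcodes, say which way it flipped."""
    if old in SHORT_JCC and new in SHORT_JCC:
        kind = "inverted" if old ^ new == 1 else "changed"
        return "offset 0x%X: conditional jump %s %s -> %s" % (
            offset, kind, SHORT_JCC[old], SHORT_JCC[new])
    return "offset 0x%X: byte %02X -> %02X" % (offset, old, new)


def verify(reference: bytes, suspect: bytes) -> dict:
    """Integrity check: equal hashes mean untouched; otherwise list every edit."""
    if sha256_hex(reference) == sha256_hex(suspect):
        return {"tampered": False, "changes": []}
    changes = [describe_change(*c) for c in diff_bytes(reference, suspect)]
    return {"tampered": True, "changes": changes}


# Constructed sample images (NOT the real WinScan executable): the 16 bytes the
# tutorial shows in the SoftIce data window, surrounded by assumed filler, and a
# copy in which the first byte (JZ, 0x74) has become 0x75 (JNZ).
SEQUENCE = bytes.fromhex("742A6AFF6A10689D000000E8067D0000")
FILLER_BEFORE = b"\x90" * 0x20   # assumption: 32 bytes of NOP padding
FILLER_AFTER = b"\xCC" * 0x10    # assumption: 16 bytes of INT3 padding
REFERENCE_IMAGE = FILLER_BEFORE + SEQUENCE + FILLER_AFTER
SUSPECT_IMAGE = FILLER_BEFORE + b"\x75" + SEQUENCE[1:] + FILLER_AFTER

if __name__ == "__main__":
    report = verify(REFERENCE_IMAGE, SUSPECT_IMAGE)
    print("tampered:", report["tampered"])
    for line in report["changes"]:
        print(" ", line)
```

On the constructed images this reports a single change, "offset 0x20: conditional jump inverted JZ -> JNZ", which is the whole crack in one line. The hash comparison is what a vendor would actually ship (or replace with an Authenticode signature check); the byte-level decode is for the analyst who has to explain what a mismatch means.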
Well, that is it for this tutorial. I hope that you have learned something from this tutorial and I hope I have helped you to better understand how this type of protection works. And remember, this is a Shareware program and if you intend to use it then Buy It; after all, they were nice enough to give us the demo so we could crack and evaluate it, so contribute to them and give them the money they ask for; it is only fair...........

_CbD_ [ME/C4N'97]

I want to take a few lines here to say thanks to a few ppl. So thanks go to:

  nIabI of [ME/C4N'97] for gpatch and all your help
  Scorpoin of [ME/C4N'97] for the info on Hiew
  mornings on #cracking4Newbies for testing my tuts
  and anyone I forgot :-)

Thanks all.............