Target Program: Enterprise REXX (WinREXX) Protection: Nag(s), 21 day time limit, limited number of runs Cracked by: drlan [Me'97/C4N]! Location: http://www.winrexx.com/Trial/ Tools needed: - SoftICE Win95 3.01 - Hex Editor (I like PSEdit and Hex Workshop) Conventions used: > denotes a SoftICE command Download the target and run it a few times to get a feel for what's going on. You'll notice a nice little reminder that the program will expire in 21 days or after 126 more uses, whichever is later. That doesn't sound like quite enough time for a thorough evaluation, so let's see what we can do... I am going to work through REXX.EXE in the tutorial. The routine for the WINREXX.EXE is almost identical and I'll explain where to patch it at the end. As with any crack, there are many different ways to approach this. The first thing I did was disassemble the file with W32Dasm 8.9. Hey, that's not in the list of tools needed! Don't worry, this isn't how we're going to crack it... You could choose the dead listing approach. You will find the strings that refer to "expires in" and "expired." You could then crack from there, but let's try a different approach. When you run either of the main executables (REXX.EXE or WINREXX.EXE), the friendly reminder pops up to let us know when this babe is going to expire. With just an OK button on this box, it looks a lot like a standard API call. A few of the routines that can put a message on the screen like this are: MessageBox and DialogBox. Of course this is a 32-bit app so these functions have an A on the end. Let's try a breakpoint on MessageBoxA. Pop over into SoftICE with Ctrl-D and do this: >bpx MessageBoxA Now press Ctrl-D or F5 to get out of SoftICE and then run the program again. sICE will pop on the MessageBoxA function. Press F12 to RETurn. Now click the OK button on the message box. You should drop back into sICE right after the call to MessageBoxA. Scroll up your Code Window using Ctrl-Up Arrow. You won't need to scroll up very far (just a few lines), until you come to this interesting bit of code: :004079F9 837DB800 CMP DWORD PTR [ebp-48], 00 ; looks like a flag 0F841A000000 JZ 00404C5D ; jump if it's zero 6A40 PUSH 40 ; otherwise, set up A1B4E04000 MOV EAX, [0040E0B4] ; for our call to 50 PUSH EAX ; the ugly nag screen 68301B4100 PUSH 00411B30 FF15C8534100 CALL User32!GetFocus 50 PUSH EAX FF15D4534100 CALL User32!MessageBoxA ; which happens here! :00404C5D 8B45FC MOV EAX, [ebp-04] E900000000 JMP 00404C65 :00404C65 5F POP EDI 5E POP ESI 5B POP EBX C9 LEAVE C3 RET So, what do we see here? Looks like that CMP DWORD PTR [ebp-48], 00 is comparing a flag. I tried placing a memory write breakpoint on that location but couldn't find where the flag was set. It looks to me like if the flag were 00, we would jump over the whole nag screen mess. So, let's just make it so! Let's change: 837DB800 CMP DWORD PTR [ebp-48], 00 0F841A000000 JZ 00404C5D into: C745B800000000 MOV DWORD PTR [ebp-48], 00 EB1B JMP 00404C5D 90 NOP We need to pad with one NOP to make it an even 10 byte for 10 byte exchange. Now, instead of comparing the flag, we are setting the flag. I think this should please our master, +ORC. Then, with the flag set, we are making an unconditional jump (JMP) over the MessageBoxA call. You can do this live in sICE. First clear all existing breakpoints. >BC * Now place a breakpoint on the CMP DWORD PTR [ebp-48], 00 line. You can do this by typing BPX segment:offset or simply double click on the line. Then run the program. When sICE breaks on the line, we'll assemble in our new instructions: >A ; to assemble in our new instructions >MOV DWORD PTR [ebp-48], 00 ; let's make the flag 00 >JMP 00404C5D ; jump over the message box >(press Esc) Press Ctrl-D or F5 to continue running. You should not see any nag screens! Time to transfer our live crack into something more useful and longer lasting. We need to hex edit the rexx.exe program to replace the bad old instructions with our nice new ones. Nag screen(s): Search for: 837DB8000F841A000000 ; compare flag, jmp if 00 Replace with: C745B800000000EB1B90 ; set flag to 00, jmp, nop WinREXX.EXE uses the same code, so search and replace the same string in there and you're all set! That's it for this lesson. Hope this was fun and instructional. Disclaimer: THIS ESSAY IS FOR EDUCATIONAL PURPOSES ONLY. ANY USE, MIS-USE OR ILLEGAL ACTIVITY IS THE SOLE RESPONSIBILITY OF THE READER. GreetZ: Everyone in [Me'97/C4N], PC'97, UCF, fravia and +ORC, Razzia! drlan