|PROJECT :- EyeCU v1.1|
|DESCRIPTION:- This application has been designed to provide low-cost security for your WebCam (or any VFW input device) enabled PC. EyeCU uses your existing WebCam device to monitor your environment and records any security violations. EyeCU will even operate in a hidden and silent mode such that it is unknown to potential violators!. EyeCU will even run in SCREEN SAVER MODE!. This application has been made to be fully compatible with most input devices and is designed to be powerful, yet easy-to-use.|
|PROTECTION:- This program has NAG screens and a ten minute time limit.|
|TOOLS:- SoftICE, WDasm89, HEX Editor (your choice).|
This is my first tutorial and it would never have seen the light of day if it wasn't for my good friend LITESPEED [PGC]. The good thing about writing your own tutorial is that you can do it in whatever style you want, I have read lots of tutorials written by many people, a lot of them are very hard to understand because the people writting the tutorial either consider you to be an elite cracker or the english is bad (not that I am putting down any tutorial writers, I have the utmost respect for all crackers), I hope that this tutorial will not go over your head, I am a 'Newbie Cracker' so you should be able to understand it.
HERE WE GO...
If you are a zen cracker, you will know that the best place to start a crack is at the beginning, It has taken me a while to figure this out and with time and practice you to will be able to make wise deductions like this one :-).
First thing to do is to start the little baby up, we notice that straight off the bat we get a nice friendly message that tells us 'THIS IS NOT REGISTERED' it also tells us how long we have left to try this GREAT product and the fact that it will run out in 10 minutes. Press 'OK' and you will be faced with the ugly 'UNREGISTERED' word directly in front of you on the Caption bar.
The first thing I usually do is look at the 'ABOUT BOX' so click 'HELP' then 'ABOUT', once again you will be presented with the fact that we have not registered, I dont know about you but this 'UNREGISTERED' sign is annoying so lets do something about it. We now know what we are facing, NAG, TIMER, ABOUT BOX what do we do? The usual bpx MessageBoxA will not work on this NAG BOX, this is because its a 'Visual Basic' program.
Nowadays it is very unlikely that you will come across any VB programs that don't use either MSVBVM50.DLL or MSVBVM60.DLL (note from CrackZ, they have to use them!), we can tell which .DLL the program uses by opening it with a HEX editor, when you open it you will see the name of the .DLL at offset 240h, Im not sure if this is the same in all VB programs (its not - CrackZ) but it works for our target, when you open our target you will see that it uses the MSVBVM60.DLL. Now we have found out what .DLL it uses we must set up SoftICE to be able to break on the VB functions, this is done by adding these lines to your WINICE.DAT.
exp=c:\windows\system\msvbvm60.dll ;exp=c:\windows\system\msvbvm50.dll --- This line is not loaded by SoftICE because of the ;You will notice that the MSVBVM50.DLL has a ; before it this is because you can only have either MSVBVM50.DLL or MSVBVM60.DLL loaded at any one time, you cannot have them both, I've never tried loading them both but I`ve heard the results are not desirable.
Once you have restarted the computer with our new additions to WINICE.DAT you will be able to breakpoint the VB functions (A good idea is to get a list of the functions used by the target) you can do this by loading the target into W32Dasm, you can find the functions the target uses under MSVBVM60.DLL in the 'IMPORT FUNCTIONS' section, its at the very top before the code starts.
START OF THE CRACK...
Okay, here we go. First off we will need to know what functions to place our breakpoint on, well as I said before the first thing that our target pops ups is a NAG BOX that tells us that our target is 'NOT REGISTERED' if you look through the functions in W32Dasm you will notice that they are similar to the usual API functions, what I mean by this is that you can usually discern from their names what function they perform. With this knowledge firmly lodged in our minds we can proceed to crack this little gem.
To save a lot of time and hair loss I will tell you the functions we need for this target. There are only a few functions in this target that look useful one of them seems to stand out, this noisy function is rtcMsgBox. We now know what function to breakpoint on, the next best thing to do is to get into SoftICE. Pressing CTRL-D you can now breakpoint our noisy function we type this....
bpx rtcMsgBox [RETURN]
You have now an active breakpoint on rtcMsgBox.
Next, we press CTRL-D again to exit SoftICE load up our target and hey presto! we break, press F11 to let the rtcMsgBox function do its job, the NAG BOX will now be on the screen press 'OK' SoftICE will pop up again and you should see this :-
:00462180 CALL DWORD PTR [0040109C] <------- Call the NAG BOX. :00462186 LEA EAX, DWORD PTR [EBP-24] <------- After you press F11 you will be here. :00462189 LEA ECX, DWORD PTR [EBP-20] :0046218C PUSH EAX
We now know the address of the NAG BOX, we can now clear our rtcMsgBox breakpoint because we have found what we are looking for, we do this by typing...
This will clear all breakpoints. We now have to breakpoint our newly found NAG BOX, you can either double click on 00462180 or you can type...
bpx 462180 [RETURN]
This will place a breakpoint on the NAG BOX). Its always a good idea to take notes through your cracks, we will start here by noting down the address of the NAG. Once you have done this we start our 'TRACKING' we know that there must be a check before this so that the program can discern between NICE registered users and NASTY TRIALS.
Anyways, the way to find this check is to push the [arrow up key] and look for a conditional jump (jnz or jz etc.) that jumps over the address of our NAG that we have written down. Obviously the first check that jumps over our NAG BOX may not be the right one but for our target it is. You dont need to go very far before you get to this piece of code...
:004620C2 CALL 00461450 <----------- Procedure that checks to see if we are good guys. :004620C7 TEST AX, AX <----------- Check ax for 'REGISTERED USER'. :004620CA JNZ 00462207 <----------- Jump if 'REGISTERED'.To be rid of that nastyNAG BOX the code at :004620CA is the what we need to modify, BUT, yes there is a BUT in every protection scheme. If we modify the code at :004620CA and change the [JNZ 00462207] to [JZ 00462207] the NAG BOX will be no more, it will even get rid of the UNREGISTERED word on the caption bar however, this check will NOT register the product, you can see this by looking at the 'ABOUT BOX' again, it still says its UNREGISTERED. It seems we have to track through some more code to find the other checks but not so, we already have all we need to crack the entire protection.
You see, programmers that write these 'PROTECTION SCHEMES' are very lazy and as a result make our job very easy, if you look at the code at location [:004620C2 CALL 00461450] this CALL is used to work out whether we are REGISTERED USERS or not and this helps us no end. Lazy bastard programmers use the same CALL 00461450 for all there checks, we can take FULL advantage of this. We need to place a breakpoint at :004620C2 we do this by typing...
bpx 4620C2 [RETURN]
We now need to restart the program. SoftICE pops up at our CALL, all we need to do is trace into it so press F8 and you will be here...
:00461450 PUSH EBP <----------- You will be here. :00461451 MOV EBP, ESP :00461453 SUB ESP, 00000008 :00461456 PUSH 00402026We are now inside the 'PROTECTION SCHEME' our reason for being in here is to trap all code that uses this routine because anything that uses this CALL is a part of the 'PROTECTION SCHEME'. We will set our trap by placing a breakpoint at location [:00461450 PUSH EBP] this way anything calling this routine will pop SoftICE.
Now all we have to do is press F11 and we will be here...
:004620C2 CALL 00461450 <----------- Checks to see if we are good guys. :004620C7 TEST AX, AX <----------- Check AX for 'REGISTERED USER'. :004620CA JNZ 00462207 <----------- Jump if 'REGISTERED'.Now we can patch the first part of the protection, as we discussed before, this will knock out the NAG BOX and also the UNREGISTERED sign on the caption bar. This is how we patch it. If you look to the left of the program code you will see a lot of hexadecimal numbers these are called 'OPCODES' don't get them confused with the Addresses, this will help.
:004620C2 E889F3FFFF CALL 00461450 :004620C7 6685C0 TEST AX, AX :004620CA 0F8537010000 JNZ 00462207The first column is the address, the second column are the OPCODES, the third are the program instructions. If you don't have a second column of numbers like above then you need to type 'code on'. You should now have a display like the above. We now have to write down the 'OPCODE' of the instructions we are going to patch so write down 0F,85,37,01,00,00 these are the OPCODEs for [JNZ 462207], it is a good idea to write the next lot of OPCODES down as well, this will make sure we patch the right place when using the HEX EDITOR.
You should now have 0F,85,37,01,00,00,66,89,1D,40,50,46,00 written down. Now press F10 so you are on [:004620CA JNZ 00462207] now press A [RETURN] (this will let you insert an assembly instruction) now type this...
JZ 462207 [RETURN TWICE] --- This will
make the program jump if 'BAD GUY'
Notice that the OPCODES have now changed slightly (this is what we want to insert with the HEX EDITOR) now write down the new OPCODES under the ones you already have, you will see this...
0F,85,37,01,00,00,66,89,1D,40,50,46,00 <--- Original 'OPCODES'. 0F,84,37,01,00,00,66,89,1D,40,50,46,00 <--- Our New 'OPCODES'.As you can see only one byte has changed [0F,85,37 has changed to 0F,84,37] thats it, one little byte gets rid of that NAG BOX. Okay, keep the OPCODES you have written down on a seperate piece of paper and write next to it (Patch 1 - Nag removal).
We will now move on to the next stage. Press CTRL-D to exit SoftICE, the NAG BOX will not be displayed because we patched it you will also notice the caption bar is free of any UNREGISTERED signs. We now start our 'TRAPPING' we know that the 'ABOUT BOX' also shows the UNREGISTERED signs so lets have a look at it, press 'HELP' 'ABOUT ' and SoftICE pops. We seem to have trapped ourselves a big fat 'PROTECTION CHECK'.
Press F11 so that the protection can do its job. You will end up here...
:0045DC0E E83D380000 CALL 00461450 <--- BIG PROTECTION CHECK (we got him). :0045DC13 6685C0 TEST AX, AX <--- Are we good?. :0045DC16 0F85C3000000 JNZ 0045DCDF <--- Jump good!.Once again all we need to do is change the [JNZ 0045DCDF] at location :0045DC1C to [JZ 0045DCDF] so repeat the same process as before, once again you can see that its just one little byte [85 is changed to 84] that will give us a 'REGISTERED VERSION' 'ABOUT BOX'. Next to the OPCODES you have just written down, write (Patch 2 About Box REG).
We are nearly at the end of our hunt, I can hear what you are saying, 'HOW DO WE REMOVE THE 10 MINUTE TIME LIMIT' well, if you just sit there and wait for about 60 seconds...SoftICE will pop up all on its own once again press F11 and you will be here...
:0044E9EA E8612A0100 CALL 00461450 <--- BIG FAT PROTECTION CHECK. :0044E9EF 663DFFFF CMP AX, FFFF <--- Are we are good?. :0044E9F3 7546 JNZ 0044EA3B <--- Jump if bad!.We are at the end of our hunt, we have captured all the nasty 'PROTECTION CHECKS' all we need to do is repeat the process of writing down the 'OPCODES' yet again. Write down the new opcodes and you should have this...
75,46,66,A3,40,50 <--- Original OPCODES. 74,46,66,A3,40,50 <--- Changed OPCODES.PATCHING THE TARGET...
Okay, we have done all the hard stuff, I hope you stuck with me and understood everything.
1. Load Up Your HEX EDITOR.
2. Goto the 'FIND' function on your HEX EDITOR (make sure you have the find HEX not ASCii).
3. Type in the first original OPCODE sequence from the (Patch 1 Nag removal).
4. Press Find and it will find the code sequence in the program.
5. We now need to change the 'ORIGINAL OPCODE' to our 'PATCHED OPCODE' as we know there is only 1 byte that has changed we change the 0F,85,37,01.... to 0F,84,37,01...
6. Repeat the same for the other 2 patches 'Find and substitute' all 'ORIGINAL OPCODES' with our 'PATCHED OPCODES'
7. Save the program out, run it and you will have a fully cracked EyeCU.
There are hundreds of ways you can crack a protection scheme, the way I have shown you here I like to call the 'TRACKER HUNTER' method, for obvious reasons. This method can take a long time with complicated routines but if nothing else you will get a feel for the internal workings of programs. I hope that you have managed to keep up with me, remember this is only my first tutorial and its harder than it looks.
Please send me your thoughts ... I look forward to them...