Thread: It's Easy-Level... Everyone have a try...

  1. #1

    It's Easy-Level... Everyone have a try...

    Hello people

    I had a little chit chat with Kayaker lately... and well this made me come up with a little
    project... To start off: I'm sorry that it is a 5MB download... But I'm hanging at a 56K
    line too and I just received it by mail - had my fun and decided to upload it to angelfire for a
    project... As you can see I just dl'ed it and uploaded it (together 10 MB) just for you ;D

    To raise your interest:

    * The program itself is called "WinVCR" which is a recorder for movies on your TV card.
    (I don't have a TV card either - and w/o a TV card some options are greyed out, but that's
    not the point here )
    * Unfortunately the exe itself is only 260kb
    (I uploaded it too if you want to try it without the proggy)
    * You can read the file like a book
    * No unpacking
    * Funny patching

    Your expected goals are:

    --- Get rid of the 30 days time limit.
    --- Get rid of the splash / or / reduce the counter which keeps the nag alive to minimum
    --- Get rid of the Buy or Continue Dialog

    Possible Goals:

    If you don't have a TV card:
    --- Try to find the 10 minutes minimum recording time && explain why you think it's probably at that/these place(s).
    If you have a TV card..
    --- Kill the 10 minutes minimum recording time. (haven't tried that - my record button is greyed out)


    SideNotes:
    I've chosen version 2.0 because I thought we wouldn't hurt the programmer team from
    WinVCR too much this way...

    The links are: (angelfire doesn't like links being accessed from outside)
    http://www.angelfire.com/rpg/screendudes/index.html
    and click on :
    Angelfire - Free Home Pages* -> For the 5MB File which is the whole Program
    Free Web Building Help*orig* -> For the exe itself (will be harder tho)

    And I hope you don't feel underestimated

  2. #2
    JaneK
    Guest
    Hi JimmyClif,

    Thanks for this project.
    I managed to patch the program so it never expires by changing one jump (jl => jmp).
    I don't know if I should post how I found the right place to patch - I am sure other newbies are working on it.

    Cya
    janek
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  3. #3
    Hi Janek...

    No need to post the answer yet... I guess where you're at

    But before the congrats, let's do a little bit of backchecking ;D

    Try to answer these questions for task n° 1:

    * Did you find out where it saves your expiration details? (registry, file etc..)
    * Can you receive another 30 days w/o patching the target?
    * What API did you try breaking on first?
    * Is there something which could get dangerous later, regarding the timelimit?
    (pretty close to where you're at) Have a look at the flow.. any other
    conditional jumps leading to the bad boy routine?
    * What were the tools you used?

    Until later...
    JimmyC

  4. #4
    JaneK
    Guest
    Hi JimmyC

    Well, I did not have too much luck with the additional questions. Maybe you can guide me in the right direction:

    1. I am not sure where it saves expiration details - after reinstalling the proggie (and cleaning the registry from all winvcr entries I could find) it still displays the same number of days left as before, so I guess it is probably stored somewhere in windows directory. I couldn't find the exact place though.

    2. Maybe manually editing the place where it stores reg. data would do?

    3. I tried to break on GetLocalTime and GetSystemTimeAsFileTime first, but SoftICE kept on popping and I could not get to the winvcr code. Then I noticed CompareFileTime in w32dasm, checked it out in my API ref. and it looked ok so I tried this one and it worked.

    4. Something dangerous - hm, patched program works ok, the only thing is when I passed 30 days it starts to show trial days as negative numbers in the initial nag, but even if I set the time 1 year ahead it still works, just saying "you are on day -366 of your trial period" or sth like this.
    There is also a check if the system time (clock) has been tampered with, but it is activated only when you set the time back, not ahead. It can be disabled I guess, and then one may get additional days by setting the system date e.g. 30 days backwards (I have not tried this yet).

    5. My tools were: w32dasm, s-ice, hiew. I also tried regmon and filemon, but without too much success.

    If you have time I would appreciate if you can post few words about locating the place where reg. info, number of days etc. are stored.

    Thanks
    JaneK

  5. #5
    Hi Janek.

    I'll do my best getting you on track

    1. The expiration details:

    You should always take your time looking at every String Reference you got (big hint).
    Furthermore, you should have another try with RegMon and FileMon. Start RegMon and immediately
    start WinVCR. Once the nag displays the days, you know it had to read them somewhere,
    so you can stop RegMon capturing data. Now you have a nice "hopefully" not too long list to
    browse thru... Anything looking TopSecret there ?

    2. When you found the data... imagine this ;D
    IF Key==Present
    ...Call LocalTime
    ...Compare Time with Time in Registry
    ......IF LocalTime>=RegistryTime+30
    ........display "DOH"
    ......ELSE
    ........go on as usual
    ......ENDIF
    ELSE ;(Key!=Present)
    ...Assume it is the first time he started
    ENDIF

    3. Yup... it's always good to check out the Imported Addresses

    4. Yes, you found the place I spotted as "dangerous"; well.. the "normal" User probably never gets to this jump, but I kinda lived already weeks in 2002 as sometimes I forget to set my system time back again *g* Imagine you just installed it... and then you realize that your time is wrong.. you set it correctly and "doh" you can't ever use that prog again...
    (And besides that: Patching is fun, so why not close every possible door?)

    5. Good choice in tools... I went for the 'double whopper' IDA & Wdasm analysis. If you downloaded IDA already somewhere take a look at the same part of code where you patched the time check. This will get you a pleasant surprise... ( talking about a book ;D )

    Once you got yourself familiar with reg and filemon... and a little bit of IDA... we can go on to the splash screen...

    JimmyC
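
    A C sketch of the trial check JimmyClif outlines above, with the set-back-clock detection JaneK reported in #4; this is an added example, not code from the thread or from WinVCR, and the simulated registry key, its field names and the install time are constructed stand-ins.

```c
/* Added example: trial check of the shape sketched in post #5.
 * The registry is simulated by a struct; "now" is supplied by the caller
 * as seconds, so the logic runs offline. Names are hypothetical. */
#include <stdint.h>
#include <stdbool.h>

#define TRIAL_DAYS   30
#define SECS_PER_DAY 86400LL

/* Stand-in for the key WinVCR reads on start (the "TopSecret" place). */
typedef struct {
    bool    present;    /* key exists: not the first run */
    int64_t installed;  /* time of first run */
    int64_t last_run;   /* most recent run, for rollback detection */
} TrialKey;

typedef enum { TRIAL_FIRST_RUN, TRIAL_OK, TRIAL_EXPIRED, TRIAL_TAMPERED } TrialState;

/* Evaluate the trial and update the key. days_left may go negative once the
 * limit has passed, which is the "day -366" JaneK saw after patching the jump. */
TrialState check_trial(TrialKey *key, int64_t now, int *days_left)
{
    if (!key->present) {                 /* ELSE (Key!=Present): first start */
        key->present = true;
        key->installed = key->last_run = now;
        *days_left = TRIAL_DAYS;
        return TRIAL_FIRST_RUN;
    }
    /* Only a clock moved backwards relative to the last run is caught;
     * moving it forward merely burns trial days, as observed in the thread. */
    if (now < key->last_run) { *days_left = 0; return TRIAL_TAMPERED; }
    key->last_run = now;
    *days_left = (int)(TRIAL_DAYS - (now - key->installed) / SECS_PER_DAY);
    /* IF LocalTime >= RegistryTime + 30 ... display "DOH" */
    if (now >= key->installed + TRIAL_DAYS * SECS_PER_DAY)
        return TRIAL_EXPIRED;
    return TRIAL_OK;
}

/* Walks the scenario: install, normal run, clock set back, run past day 30.
 * Returns how many of the four expected results matched (constructed times). */
int trial_scenario(void)
{
    TrialKey k = { false, 0, 0 };
    const int64_t t0 = 1000000000LL;     /* constructed install time */
    int d, ok = 0;
    ok += check_trial(&k, t0, &d) == TRIAL_FIRST_RUN && d == 30;
    ok += check_trial(&k, t0 + 10 * SECS_PER_DAY, &d) == TRIAL_OK && d == 20;
    ok += check_trial(&k, t0 + 5 * SECS_PER_DAY, &d) == TRIAL_TAMPERED;
    ok += check_trial(&k, t0 + 31 * SECS_PER_DAY, &d) == TRIAL_EXPIRED && d == -1;
    return ok;
}
```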

  6. #6
    BTW: I just went to Angelfire and saw that there were 31 visitors...
    Let's take away me 3 times... Twice for checking if the links worked and once now.

    Who else did download WinVCR? Any lurkers around?

  7. #7
    JaneK
    Guest
    Hi JimmyC,

    I had another look at the registry with regmon and this time I found the topsecret place

    I also looked at both nags and I think I found the calls creating each of them, updating the first one with version number and numbers of days left etc.

    Is it possible just to nop them? (it is crashing the prog as I do it).

    JaneK

  8. #8
    Hi Janek...

    Great you found the two spots for them... I assume the call you mean is at 0041A324.
    This is actually only the call to display it... but if you see the code afterwards... there
    is still a lot happening with it... Nop-ing this one out results in a crash

    Ergo,

    I don't see no easy solution for the first nag... at least not without opening the
    "JimmyClif's Infamous WinAPI Surprise Box". (I'll surprise you later )

    That's why I primarily decided only to reduce the minimum time shown... and then we get "rid"
    of it ... To make this easier we divide the Splash-Nag and the DialogBox into Task 1 and
    Task 2..

    Task 1:
    Try to find the place where it keeps the nag alive using a counter.

    One solution to get there is:
    UpdateWindow and ShowWindow are some of the more known breakpoints and then you
    would start tracing. (Some counters are created using GetTickCount too)
    Another one (my favorite) is:
    You wait until the nag is displayed but before the Dialog shows and hit CTRL-D.
    Then you need to find your way back to the code and find the suspicious place where
    it keeps counting.

    Task 2:
    Try to find the call which has entirely to do with the dialog. ( i guess you found this one)

    Alright, once you got them write their Offsets (maybe a code snippet too) here...
    so that I'll see where you're at =) and then we go for the action.

    Happy F8'ing ;D
    JimmyClif

  9. #9
    Heya Janek...

    I haven't heard anything from you in quite awhile, so I guess you might be stuck || bored with WinVCR.. who knows ?
    Anyway... Here's the solution for the remaining tasks:

    The Splash Nag:

    First I started WinVCR and before the Purchase Dialog popped up but while it was displaying the Splash I hit CTRL-D. A few F12's were leading me back into its code and I got to this point:

    0041A4D1 call esi ; timeGetTime ; Get system time, in milliseconds
    0041A4D3 sub eax, ebx
    0041A4D5 cmp eax, 0BB8h
    0041A4DA jb short loc_41A4D1

    Pretty self-explanatory what to do at this point... We nop out the jump and the Splash pops up and we see immediately the Purchase Box...

    So.. but how to get rid of the Splash for good?

    I then had another go with it and put a breakpoint at "UpdateWindow"...
    Which brought me upon this point:

    0041A30F push 92h
    0041A314 push 0D4h
    0041A319 mov ecx, edi
    0041A31B call sub_401540
    0041A320 push 1 ; <- 1 == Visible // 0 == Invisible
    0041A322 mov ecx, edi
    0041A324 call j_?ShowWindow@CWnd@@QAEHH@Z ; CWnd::ShowWindow(int)
    0041A329 mov ecx, [edi+20h]
    0041A32C push ecx
    0041A32D call ds:UpdateWindow
    0041A333 mov edx, [edi+20h] <-I landed here

    Being in SoftIce I set a breakpoint a few calls above to find out where the nag got generated... Here it's clear to see that it will be the call @ 0041A324 (ShowWindow)

    This made me get out my Win32API reference to have a look at ShowWindow:

    BOOL ShowWindow(
    HWND hWnd, // handle of window
    int nCmdShow // show state of window
    );

    So, well.. no hwnd push? MFC's ways are strange... So I assumed the push 1 would be the push for the Show State of the Splash.. I replaced this with a push 0 then. And voila.. God bless the API Guide... The Splash is gone.. (Basically it's still there but at least we won't see it anymore..)

    -----------------------------------------------------------------------------------------
    Getting rid of the Purchase Dialog:

    We know that immediately after the Splash the Dialog pops up.. so we can just continue tracing using F10 until that Dialog pops up.. And this will happen at this call:

    0041A519 mov ecx, esi
    0041A51B mov [esp+7DCh+var_5C], 2
    0041A523 call dword ptr [edx+0C0h] <-- HERE
    0041A529 cmp eax, 1
    0041A52C jnz short loc_41A57E

    Lucky we are.. We stepped over the call using F10.. SoftIce made a little rest to let us push the Continue button and we land exactly a line after the call on cmp eax,1

    Checking our registers tells us that only eax got changed after this call. (Well eip too, but that's another story )

    Eax has as value 2 now... Instead of nop-ing out the call (which is not always the way to go because of the pushes which may precede a call (every push needs a pop) - but here there are no pushes before.. that's good) So.. instead of nop-ing out the call we can replace the whole call with a mov eax,2 (which is the correct value upon return and it will jump to the right place... You'll see the bytes fit exactly in

    So.. that's been it.. You found already the Time Check... no more need to tell this..
    Finally I can delete this useless tool from my HD... (or should I go and buy a TV card?)

    JimmyClif

    & How do these bloody <pre> tags work?

  10. #10
    JaneK
    Guest
    Hi JimmyC,

    I am still interested and still have plans to look more into this prog. I am so loaded with work I just did not have any time to sit down in peace and investigate further on. When I'm done, I'll post something here (or shall I mail you?) and hope to have your comments, so don't delete winvcr yet!!!

    JaneK

  11. #11
    JaneK
    Guest
    Hi JimmyC,

    All clear now!
    I also, same as you, tried to get rid of the 1st nag by modifying the pushes before the call at 41a324, however I had wrongly assumed it's CreateWindowExA (I used w32dasm so I could not see it is ShowWindow). CreateWindowExA also seemed to be a nicely working bpx so I was also misled by this.

    The "purchase" nag (at 41a523) - this one I just noped and it works fine. Changing "call xxxxxxxx" to "nop" would crash the prog, but substituting call's hex notation by 909090909090 solves the problem.

    For me it was an interesting project - thanks for your time.

    Cya
    JaneK

    P.S. Now you can delete this crap from your disk

  12. #12
    Heya JaneK,

    Sorry for pushing you a bit with the Project.. I'm just traveling pretty soon and I was in fear of not being able to finish it and to help you with any questions, while I'm sunbathing at +/- 90 °F *hehehe*

    I hope you saw the difference between IDA and Wdasm... It's simply incredible what IDA can do... Even tho that I prefer the way Wdasm handles the String References. That's why I always go for the double whopper

    For the Call xxxxxx to a single nop ? Oh Lord, You learned that you need to replace all the bytes (as you nicely said "substituting the hex notation" ) If you use Hiew you could have tried replacing the call xxxxxx with mov eax,2 and you would have seen how it fit in there.

    Oh well... T'was a pleasure... Take care and don't give up on it...

    JimmyClif

    PS :So.. you think it's a crappy prog too? *hehehe* I love to hear this
