How to crack W32dasm Version 8.5
(Improved protection cracking)
by +Frog's Print
Courtesy of Fravia's page of reverse engineering
Well, Frog's Print seems to be even quicker than any other of us... as soon as Peter brings out a new version of wdasm (which seems to happen a little too often, btw) Frog cracks it straight away. Good work, as usual.
(BTW: Hey, Peter, what about leaving the debugging stuff to Numega and concentrating a little more on disassembling? Somehow a shame that old WCB still beats Wdasm at times, isn't it? :-)
Cracking W32Dasm v8.5 (*NEW protection scheme!*) - by Frog's Print -
Right after downloading this brand new version of W32Dasm ("MMX Compatible"!) I just
thought that I would crack it as usual but wait....what a surprise:
-No more 'DeleteFileA'!
-No more 'dec dword ptr [ebx+xxxxxxxx]'!
I ran it, loaded a file and ran the good old PS.COM and...nothing! The W32DSMxx.TMP file
has been deleted!
Another (good) surprise is that now we can select the fonts. This option was disabled in
the previous versions (a lot of people seemed to have problems with the default one).
Anyway, let's have a deeper look and crack it:
1/ The counter
I cracked versions 6, 7 and 8, therefore I know that the counter's setup occurs
between the following 2 calls:
In W32Dasm80 (i.e. previous version 8.0) we had:
* Reference To: OWL50f.TFindReplaceDialog::TData::TData(ulong,int), Ord:0000h
:0044110B E830D70300 Call 0047E840
:00441110 83C40C add esp, 0000000C
:00441113 C7837958540001000000 mov dword ptr [ebx+00545879], 00000001
:0044111D C783364C540054010000 mov dword ptr [ebx+00544C36], 00000154 ; "\W32DEMO8.HLP"
In W32Dasm85 we now find:
:00438FA0 BE4B474800 mov esi, 0048474B
:00438FA5 8DBBE0605400 lea edi, dword ptr [ebx+60E0] ; ??
:00438FAB 8D839E5D5400 lea eax, dword ptr [ebx+5D9E] ; < ???
:00438FB1 8983584D4900 mov dword ptr [ebx+4D58], eax ; < ???
:00438FB7 C7831959540001000000 mov dword ptr [ebx+00545919], 00000001
:00438FC1 68F4010000 push 000001F4
:00438FC6 6A40 push 00000040
* Reference To: KERNEL32.GlobalAlloc, Ord:0000h
:00438FC8 E8D7DA0300 Call 00476AA4
We found 3 new instructions instead of the usual mov dword ptr [ebx+xxxxxxxx], xxxxxxxx. What's going on? Let's see...
With SoftIce, load W32Dasm85 and bpx the OWL50f.@TFindReplaceDialog (don't forget to add it inside your WinIce.dat, otherwise you'll get nothing). When SoftIce breaks into this function, press F11 and then put 3 breakpoints on memory access as follows:
:BPM ebx+60E0 RW
:BPM ebx+5D9E RW
:BPM ebx+4D58 RW
******
BEFORE pressing CTRL-D to let W32Dasm run, DISABLE them (':bd *'), otherwise
you will lock up your PC.
Open a file "to disassemble" inside wdasm and then enable the three breakpoints (':be *').
SoftIce pops up here:
:0043ADF4 55 push ebp
:0043ADF5 8BEC mov ebp, esp
:0043ADF7 8B550C mov edx, dword ptr [ebp+0C]
:0043ADFA 8B4508 mov eax, dword ptr [ebp+08]
:0043ADFD 33C9 xor ecx, ecx
:0043ADFF 89880B625400 mov dword ptr [eax+620B], ecx
:0043AE05 8B88584D4900 mov ecx, dword ptr [eax+4D58]
:0043AE0B 0FB68900040000 movzx ecx, byte ptr [ecx+00000400] ; "\w32dsm%02d.tmp" ;