"How to use our toolz: W32Dasm v8.9x"
This tutorial is coming from...
About the essay...
Date: 14th March 1999
Well, this is the first of many tuts on how to use our toolz. Anyway, if you're an average cracker, you probably know how to use "your" toolz :), so don't even bother reading this tut ;) THIS ESSAY IS MADE FOR NEWBIES ONLY!
W32Dasm - what to say about this tool, it's GREAT! At the moment it's the best tool for disassembling files, especially for newbies. When cracking with W32Dasm we use the so-called "dead listing approach"; if you haven't heard of it, go visit The Sandman's pages at http://www.proweb.co.uk/~greenway/Main.html and download +ORC's lessons, read them, or read Sandman's lesson "Dead listings explained".
About the protection...
Type of protection:
Of course the first thing to do is to download W32Dasm from here: http://ReFleXZ.cjb.net The second thing is to install it, of course. When you're done with these two thingz, fire up the proggie and take a look at it. It's nice looking, isn't it :) So, let's start off with the sections:
SECTION 1: Opening a file, saving a file, fixing some thingz, moving around the code.
Ok, to open a file, go to menu Disassembler >>>>>>> Open a file to disassemble... Now we're gonna choose as our file Windows Notepad, located in your Windows directory. It opened in a millisecond :), that's because it's only a few kilobytes. WAIT A MINUTE, ALL I SEE IS RUBBISH?! Buy yourself a pair of glasses ;) That's because we haven't set up the font yet, and the current font is probably Webdings or something. To set up a font go to Disassembler >>>> Font... >>> Select Font, and choose any font you like; I recommend Fixedsys. Now press Save Default Font in the Disassembler >>>> Font menu. Now you can move around the code by selecting Goto >>> Code Start....
Now about saving a file. Well, you can save a disassembled file to a huge text-like file (not a .TXT file, but you can view it as a text file), BUT better have a good word processor 'cause these files can be up to 20MB and even more, depending on the size of the file you're disassembling. So when you save it, it'll create two files: one .ALF and one .WPJ. The .ALF is the disassembled text file; the .WPJ is the project file. What is the project file used for? Well, if you saved the file, the next time you open the project file you won't have to wait for it to be disassembled again; it's already disassembled and loads in a second. This is good, 'cause if you have some 2MB file you'll have to wait around 10 min for it to disassemble.
SECTION 2: Thingz you'll see when you disassemble some file
+++++++++++++++++++ MENU INFORMATION ++++++++++++++++++
Number of Menus = 1 (decimal)
Save As... [ID=0002h]
Page Setup... [ID=0020h]
This shows the menus that are available in the target proggie. Sometimes W32Dasm doesn't display all of them.
+++++++++++++++++ DIALOG INFORMATION ++++++++++++++++++
Number of Dialogs = 2 (decimal)
Name: DialogID_000C, # of Controls=003, Caption:"Notepad", ClassName:""
001 - ControlID:0002, Control Class:"BUTTON" Control Text:"Cancel"
002 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Now Printing"
003 - ControlID:0014, Control Class:"STATIC" Control Text:""
Name: DialogID_000E, # of Controls=028, Caption:"Page Setup", ClassName:""
001 - ControlID:0431, Control Class:"BUTTON" Control Text:"Paper"
002 - ControlID:0441, Control Class:"STATIC" Control Text:"Si&ze:"
003 - ControlID:0471, Control Class:"COMBOBOX" Control Text:""
004 - ControlID:0442, Control Class:"STATIC" Control Text:"&Source:"
005 - ControlID:0472, Control Class:"COMBOBOX" Control Text:""
006 - ControlID:0430, Control Class:"BUTTON" Control Text:"Orientation"
These are the dialogs present in the target program. It shows what's on the dialog boxes: buttons, comboboxes, textboxes.... In some cases W32Dasm doesn't display all of the dialogs.
+++++++++++++++++++ IMPORTED FUNCTIONS ++++++++++++++++++
Number of Imported Modules = 6 (decimal)
Import Module 001: SHELL32.dll
Import Module 002: KERNEL32.dll
Import Module 003: USER32.dll
Import Module 004: GDI32.dll
Import Module 005: comdlg32.dll
Import Module 006: ADVAPI32.dll
What's this? These are the DLLs used by the target program.
+++++++++++++++++++ IMPORT MODULE DETAILS +++++++++++++++
Import Module 001: SHELL32.dll
Addr:7FD47579 hint(006C) Name: ShellExecuteA
Addr:7FD034A7 hint(000F) Name: DragAcceptFiles
Addr:7FD124F4 hint(006A) Name: ShellAboutA
Addr:7FCE6CA7 hint(004E) Name: SHGetSpecialFolderPathA
Addr:7FD012E6 hint(0012) Name: DragQueryFileA
Addr:7FD44B5D hint(0010) Name: DragFinish
OK, what about these? Well, these are the functions imported from the above .DLL files. Of course, these functions are where we set breakpoints when using the so-called "live" approach = cracking with a debugger.
+++++++++++++++++++ ASSEMBLY CODE LISTING ++++++++++++++++++
//********************** Start of Code in Object .text **************
Program Entry Point = 004010CC (notepad.exe File Offset:000060CC)
This is where the program code starts in memory. This is all you need to know for now. :)
SECTION 3: Why do we use W32Dasm? Which of its functions do we "often" use to crack?
Search command: Finding code or text in W32Dasm is done via the Search >>> Find Text menu. We use this one almost every time we're cracking with the dead listing approach. It's used to find, for example: you enter some serial in the proggie and press OK and it brings up a message saying "Wrong code.... bla bla"; now you search for it in W32Dasm, cross your fingers, and pray it will find it.
String Data References: This one is ALWAYS used when cracking.... BUT sometimes there's no help from it at all.... BUT in 95% of cases there is :) What do we use it for? Well, for example: searching for the text that appeared in some message saying "this function is disabled bla bla", so we try to find and locate it in "String Data References"; if we find it, double click on it and look a bit above in the code, find the jump that led us to it, or the call that led there, kill it or reverse it, BUT it's always better to patch the flag that decides that jump (explained in the EXAMPLE section). Sometimes the "serial" or "code", or the "username" and "serial", are hardcoded in the String Data References. So better take a look AT IT CAREFULLY, 'cause you might find it :)
Execute Jump and Return from Last Jump: This is used when we want to see where some "jump" jumps to. And we can always return from it. Very useful :)
Execute Call and Return from Last Call: Same as above, but for executing calls. However, you can't execute all calls, like: call edi, call esi, call dword ptr [eax+0000000A] etc..., because the target of such an indirect call is only known at run time, not in the dead listing.
Imports: Well, in Imports you'll see all imported functions/routines from the .DLL files the proggie uses (something like the Import Module Details listing above). By double clicking on one of them you can quickly find where that function is used.
Goto code location: This one is often used. When cracking with the "live" approach, with a debugger, for instance, you want to see in W32Dasm the code that you saw in Softice; then just go to menu "Goto" >>>>>>> "Goto Code Location", type the code offset you saw in Softice and it will take you there. But be careful, often you won't find anything if you don't look carefully. WHY??? Some people have been asking this kind of question: "I see the code in ice, but I can't see the same code in W32Dasm. Anyone can help?" Well, NO!!!!!!! Because, when you're looking at the code offset in Softice, you must be 99% sure that you're in the same .CODE file as the file you're disassembling in W32Dasm. When looking at the code in Softice, at the bottom of the Softice window you'll see something like this: NOTEPAD!CODE+000888AD So this means that you're in Notepad's code, and NOT in some .DLL file's code. And so you must have Notepad disassembled in W32Dasm to view the same code. If you've been in some .DLL code in Softice, then of course you won't find anything in the disassembled Notepad file. IMPORTANT: NEVER PATCH SYSTEM .DLL FILES!!!! UNLESS YOU KNOW WHAT YOU ARE DOING! Why? Because let's say you're in Softice and the code is: MSVBVM50!__vbaStrCmp; you cannot patch MSVBVM50.DLL, because other applications use it as well. If U change something in it, it will mess up your whole system or the applications that use it won't work anymore.
Printing: It's very useful if you want to carefully study the code. You can print the whole disassembled file; in some cases it's up to 10 000 pages, so if you have a fast printer, Hewlett Packard or some such, then it's the job for you ;)
SECTION 4: Debugging with W32Dasm's built-in debugger.
Well, I personally don't like the W32Dasm debugger, but it's very useful sometimes.... It sometimes does the job better than Softice... It doesn't have the functions that Softice has, but you can debug with it... EXPERTS don't even bother looking at it... :) I MUST say it saved my ass sometimes.... Now, I won't explain how to change register flags; I'll explain the basic functions, the ones most used... and you can read about the advanced functions in W32Dasm's help file. Let's start!
Part 1: Opening the debugger
To open the disassembled file (mostly a .EXE file is disassembled and used for debugging, of course): press Ctrl+L, hit Enter; the debugger first loads all the .DLLs used by the file and then you see a MESS! What are all these windows, there's no ROOM! Why? It's probably 'cause you're on 800 x 600 / 16-bit colors or more, while you must be at 1024 x 768 / 16-bit.... Well, the first thing to hate about the debugger... :) On the left you'll have a window where you can control registers; it's so messy there that you can't clearly see what functions are all there :) but... on the right side there's the window from which you look at the code, and start or stop the file... Well, let's see, we have "Run (F9)", "Pause", "Terminate"... and so on.
Part 2: Debuggin'
To start debuggin' we press "Run" or just hit F9; the proggie starts, now you'll see the code, and the code you wish to patch you can patch by pressing the "Patch Code" button. Here's what it says in the W32Dasm help about patching:
"To Modify Instructions to any other Code, use the Code Patch Button located on the Lower Right Hand Debugger Window. This will open the Code Patcher Dialog Box. The address of the code location/s to patch is determined by the highlighted location in the Lower Right Hand Debugger Window. You can change the address by (1.) Single Stepping the program, (2.) Use the Goto Address button or (3.) Use the up/down scroll bars on the Lower Right Hand Window Code Listing Display. Once you have the code address you want to change, you can type instructions in the List Box titled Enter New Instruction Below. When you hit the Enter key, the new instruction will be listed in the Code Patch Listing display. If the instruction is invalid or improperly formatted, it will not be entered. As a general guideline for proper format, look at the main disassembly listing for examples. Some instructions require that a size (ie: dword ptr or byte ptr) be used. All numerical values are to be in HEX notation. Leading zeros are not required. To clear the entire patch listing, press the Clear Patch button. To erase only the last line in the listing, press the Remove Last Line button. When modifying code, you need to be sure that instructions being replaced are covered by the same number of bytes by the new code. Use the NOP instructions to fill in bytes that are not used by the new instruction. When the Code Patch has been composed, you may modify the program code by pressing the Apply Patch button. You will get a Message Box confirming your action. If you decide Yes the program code will be modified."
Example of using "Step Into Function": When you don't find any Data References, or can't find the text displayed by the message in the target proggie you're trying to crack with a search, then we use the Step Into function. So you load up the proggie in the debugger, press F9 to run it, go to the registration option, enter something, press OK, and a message pops up; now you hit the MAGIC button "Step Into". Now press the "Terminate" button, which will terminate the debugging. Now you'll find yourself in W32Dasm, at the place where the message was called. You can scroll up a bit and FEEL the code. Just find the jump/call that led to the message, examine the code and crack the target.
The other functions of the debugger are detailed in the W32Dasm help file.
Let's crack some proggie, to get you started. OK, here's what we need:
First of course, disassemble the proggie (the main .EXE file). Once disassembled:
Approach 1: Locating a user/serial in Data References.
Of course you all know that sometimes we might find the correct serial and username in the Data References. Now go to menu "Refs" -------> "String Data References" and just look at some of the references. After a quick look you should find:
"Applet Button Factory- UNREGISTERED"
Now double click on that "mk67z" and you'll be here:
* Possible StringData Ref from Code Obj ->"mk67z"
:0046F100 BAF0F14600 mov edx, 0046F1F0 <------- EDX=mk67z
:0046F105 E89A9CF9FF call 00408DA4 <----- check if our user name is "mk67z"
:0046F10A 85C0 test eax, eax <-------- TEST EAX
:0046F10C 0F85B0000000 jne 0046F1C2 <------- jump if not same
:0046F112 8D55FC lea edx, dword ptr [ebp-04] <---------- else go on
:0046F115 8B8318030000 mov eax, dword ptr [ebx+00000318] <------- to check the serial
:0046F11B E8D019FCFF call 00430AF0
:0046F120 8B45FC mov eax, dword ptr [ebp-04]
:0046F123 E8404EF9FF call 00403F68
* Possible StringData Ref from Code Obj ->"trs98z"
:0046F128 BAF8F14600 mov edx, 0046F1F8 <------- EDX=trs98z
:0046F12D E8729CF9FF call 00408DA4 <---------- check if EDX=code/serial we entered
:0046F132 85C0 test eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0046F134 0F8588000000 jne 0046F1C2 <-------- jump if not same
:0046F13A A15C3B4A00 mov eax, dword ptr [004A3B5C] <------ else go on
:0046F13F 8B00 mov eax, dword ptr [eax] <--------- prepare for registering
:0046F180 668B0D30F24600 mov cx, word ptr [0046F230]
:0046F187 B203 mov dl, 03
* Possible StringData Ref from Code Obj ->"Registration is complete. Thanks "
->"for purchasing the Button Factory! "
->"Would you like to print the codes "
->"for future reference?"
:0046F189 B83CF24600 mov eax, 0046F23C
:0046F18E E8AD3AFEFF call 00452C40 <--------- display thank you message
See, we found the username and serial and now we can freely register. NOTICE that we couldn't have searched for the "Registered" string in Data References.
Approach 2: Using Data References to find the message we received when we entered the wrong username/code
When you enter a wrong username or code, you'll receive a message saying "Incorrect username and password." Now go to String Data References and look for "Incorrect....."; when you find it, double click on it and you will be here:
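Added example, not from the original tut and not W32Dasm's own code: a small Python script that re-derives the call and jump targets W32Dasm prints in the listing above from the raw instruction bytes, so you can check for yourself that both jne instructions land at :0046F1C2, the "Incorrect username and password" message of Approach 2. The sample lines are copied from the listing with the hand-written arrows stripped; the function names are mine.

```python
import re

# Constructed sample: lines copied from the W32Dasm listing above,
# with the hand-written "<---" annotations stripped.
LISTING = """\
:0046F105 E89A9CF9FF call 00408DA4
:0046F10A 85C0 test eax, eax
:0046F10C 0F85B0000000 jne 0046F1C2
:0046F11B E8D019FCFF call 00430AF0
:0046F123 E8404EF9FF call 00403F68
:0046F12D E8729CF9FF call 00408DA4
:0046F134 0F8588000000 jne 0046F1C2
:0046F18E E8AD3AFEFF call 00452C40
:0046F1C7 E86C3BFEFF call 00452D38
"""

# address, raw bytes, mnemonic, direct hex target; indirect forms like "call edi" don't match
LINE_RE = re.compile(r"^:([0-9A-F]{8}) ([0-9A-F]+) (call|jmp|j[a-z]{1,3}) ([0-9A-F]{8})$")


def decode_rel_target(address, code):
    """Absolute target of a relative call/jump whose bytes start at `address`.

    x86 stores a signed displacement relative to the NEXT instruction, so
    target = address + instruction_length + displacement. Returns None for
    encodings not handled here (indirect calls, non-branch instructions).
    """
    op = code[0]
    if op in (0xE8, 0xE9):                          # call rel32 / jmp rel32
        length, disp = 5, int.from_bytes(code[1:5], "little", signed=True)
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:    # jcc rel32 (0F 8x), e.g. jne
        length, disp = 6, int.from_bytes(code[2:6], "little", signed=True)
    elif op == 0xEB or 0x70 <= op <= 0x7F:          # jmp rel8 / jcc rel8
        length, disp = 2, int.from_bytes(code[1:2], "little", signed=True)
    else:
        return None
    return (address + length + disp) & 0xFFFFFFFF


def check_listing(text):
    """Return (address, mnemonic, printed_target, matches) for each direct call/jump line."""
    results = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        addr, hexbytes, mnemonic, printed = m.groups()
        decoded = decode_rel_target(int(addr, 16), bytes.fromhex(hexbytes))
        results.append((addr, mnemonic, printed, decoded == int(printed, 16)))
    return results


if __name__ == "__main__":
    for addr, mnemonic, printed, ok in check_listing(LISTING):
        print(f":{addr} {mnemonic:4} -> {printed}  {'OK' if ok else 'MISMATCH'}")
```

The same arithmetic is why the help text above insists that patched code cover exactly the same number of bytes: every relative target in the listing is measured from the end of its own instruction.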
* Possible StringData Ref from Code Obj ->"Incorrect username and password."
:0046F1C2 B8C0F24600 mov eax, 0046F2C0
:0046F1C7 E86C3BFEFF call 00452D38
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0046F1CC 33C0 xor eax, eax
Scroll up and you'll get to :0046F189, which is "Registration is complete..."; scroll up a bit more and you'll find the correct serial and username.
Well, that's all for now. Maybe I'll update this tut someday, add some more thingz to it, 'cause there's always some new shit coming, so 'til next time.....
Greetz and thanks go to: Jeff for starting the job :) McCodEMaN, The Sandman, ^InFeRnO^, Tres2000, ID...
This tutorial is written for EDUCATIONAL purposes only.
Copyright © 1999 by ReFleXZ '99
All rights reserved