My first DOS Cracking Session
by ytc_ [tNO '99]
URL: Not available (but the target can be found in ORCPAK1.ZIP at +Greythorne's website)
Tools used:
- Softice v3.x (I'm using the WinNT version)
- Hex editor (I used PSEdit v4.4 ;-)
- Ralf Brown's Interrupt List (optional)
Nothing much to say actually. I just had nothing else to do, so I looked into +ORC's essays and noticed that +he mentioned the 'Shareware version of Psedit', and found it in orcpak1.zip too. And I thought, "What the heck, let's see how good (or lame ;-) my first DOS cracking is after reading so many DOS cracking tutorials." I also assume that this is not the latest version of Psedit, but as +ORC said in his essays, "The best way to learn cracking is by cracking OLDER software with OLDER protection schemes."
I will assume that you have already set up your copy of Softice and know how to use it well, including knowing what the shortcut function keys are (F8, F10, F11 and F12). If not, I suggest you read some other essays on how to set up Softice first before continuing. I will also assume that you have a fair knowledge of assembly language.
Running psedit.exe, you will notice that if you open any file, a nag screen pops up asking you to register Psedit. Pressing any key dismisses this nag screen immediately and loads the file you want to edit.
Here, I thought that if a nag screen waits for a key to be pressed before it goes away, it must be sitting in some kind of loop and will jump out whenever a key is pressed. So, at the nag screen, Ctrl-D into Softice and trace a bit. Soon, you will come to a small loop as shown below (please take note that the addresses might be different).
0212:0B11 8B1E1A00    MOV BX,[001A]
0212:0B15 3B1E1C00    CMP BX,[001C]
0212:0B19 7517        JNZ 0B32
0212:0B1B 2EA1A009    MOV AX,CS:[09A0]
0212:0B1F 2E3B06A809  CMP AX,CS:[09A8]
0212:0B24 7307        JAE 0B2D
0212:0B26 2EFF06A409  INC WORD PTR CS:[09A4]
0212:0B2B EBE4        JMP 0B11
0212:0B2D B401        MOV AH,01
0212:0B2F C4C4        LES AX,SP
0212:0B31 16          PUSH SS
0212:0B32 58          POP AX
0212:0B33 C3          RET
I don't think that anyone would need comments for this piece of code ;-). Unless your assembly really really sucks, and if it does, go read some assembly tutorials first. Here, place a breakpoint at 0212:0B32, Ctrl-D back to the program, press any key and you'll pop back into Softice, which proves that this is the 'check if a key is pressed' loop. Following the ret instruction, when you get back to the main module, you will find yourself right after an 'int 16' instruction (check your interrupt list to find out what this int does).
Following a few more ret, iret and/or retf instructions, you should eventually come across this part of the code.
0E8B:6635 1F          POP DS
0E8B:6636 0E          PUSH CS
0E8B:6637 E88EB6      CALL 1CC8
0E8B:663A 833E7D3600  CMP WORD PTR [367D],00   <== flag check!!
0E8B:663F 7504        JNZ 6645                 <== conditional jump!!!
0E8B:6641 0E          PUSH CS
0E8B:6642 E80A9F      CALL 054F                <== call Nag_Screen
0E8B:6645 33C0        XOR AX,AX                <== you land here
0E8B:6647 33D2        XOR DX,DX
BINGO!! We've found the protection scheme!! The word at [367D] stores our registered/unregistered state. It is compared to 00h, and if it is non-zero the program jumps over the call to the Nag_Screen procedure. A VERY TYPICAL NAG SCREEN PROTECTION SCHEME FOUND EVEN IN SOME SHAREWARES TODAY (May 1999)!! Damn lazy programmers ;-). To make sure that this is the only check, we search the code segment for other references to this memory location. In Softice, type :-
: S CS:0 L FFFF 7D 36
For those who don't know anything: remember that the x86 is little-endian, so a 16-bit word is stored in memory with its low byte first, i.e. the bytes appear in REVERSED ORDER compared to how you write the address. That is, if the memory location address is 367Dh, we should search for the byte pattern 7Dh, 36h.
Softice gave me two locations :-
Pattern found at 0E8B:000061AB (FFFF78FB)
Pattern found at 0E8B:0000663C (FFFF7D8C)
The second pattern match is where we stopped just now. Let's look at the first pattern match.
0E8B:6190 26FF7702    PUSH WORD PTR ES:[BX+02]
0E8B:6194 26FF37      PUSH WORD PTR ES:[BX]
0E8B:6197 68AB0A      PUSH 0AAB
0E8B:619A 1E          PUSH DS
0E8B:619B 684E23      PUSH 234E                <== DS:234E points to string "PSEDIT"
0E8B:619E 1E          PUSH DS
0E8B:619F 687036      PUSH 3670                <== DS:3670 points to string "0000000000"
0E8B:61A2 0E          PUSH CS
0E8B:61A3 E8609E      CALL 0006                <== unknown call
0E8B:61A6 83C40E      ADD SP,0E
0E8B:61A9 833E7D3600  CMP WORD PTR [367D],00   <== here!!!
0E8B:61AE 751C        JNZ 61CC                 <== conditional jump!!!
0E8B:61B0 C45E08      LES BX,[BP+08]
0E8B:61B3 26FF7702    PUSH WORD PTR ES:[BX+02]
0E8B:61B7 26FF37      PUSH WORD PTR ES:[BX]
0E8B:61BA 68AB0A      PUSH 0AAB
0E8B:61BD 1E          PUSH DS
0E8B:61BE 685523      PUSH 2355                <== DS:2355 points to string "BEDIT"
0E8B:61C1 1E          PUSH DS
0E8B:61C2 687036      PUSH 3670                <== DS:3670 points to string "0000000000"
0E8B:61C5 0E          PUSH CS
0E8B:61C6 E83D9E      CALL 0006                <== unknown call
0E8B:61C9 83C40E      ADD SP,0E
0E8B:61CC C45E08      LES BX,[BP+08]           <== conditional jump at 61AE points here
0E8B:61CF 268B5706    MOV DX,ES:[BX+06]
At this point, I can't seem to make head or tail of this piece of code. Placing a bpx on the compare location and a bpm on memory location 367Dh doesn't help either, because I can't seem to make Psedit execute this part of the code. So I guessed that this section can be left alone. IF SOMEONE OUT THERE CAN POINT OUT TO ME WHERE I WENT WRONG, PLEASE INFORM ME ABOUT IT. Now let us get back to the main crack.
Open psedit.exe with a hex editor (like Psedit ;-) and search for the byte pattern 833E7D36007504. Hey!! How come there are no matching patterns?! First guess: this file is packed!! Time for UNP v4.11 to get into the scene.
>unp psedit.exe psedit1.exe
UNP 4.11 Executable file restore utility, written by Ben Castrium, 05/30/95
processing file : PSEDIT.EXE
DOS file size   : 65862
file-structure  : executable (EXE)
EXE part sizes  : header 32 bytes, image 65830 bytes, overlay 0 bytes
processed with  : LZEXE V0.91 or V1.00a
action          : decompressing... done
new file size   : 129920
writing to file : PSEDIT1.EXE
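As an added example that is not part of the original essay, the following Python script shows how UNP arrives at the "header / image / overlay" sizes above by parsing the MZ header, and how the same little-endian word layout turns the address 367Dh into the search pattern 7D 36. The sample header is constructed here to match the quoted UNP figures (it is not the real PSEDIT.EXE), and the "LZ90"/"LZ91" tag at header offset 1Ch is assumed from LZEXE's documented behaviour, which UNP uses to report the packer.

```python
import struct

# LZEXE stores its version tag in the otherwise unused bytes at offset 0x1C
# of the MZ header ("LZ90" for v0.90, "LZ91" for v0.91). Assumed here from the
# packer's documented behaviour; it is how an unpacker recognises the file.
LZEXE_SIGNATURES = (b"LZ90", b"LZ91")


def parse_mz(data: bytes) -> dict:
    """Return header/image/overlay sizes (as UNP prints them) for an MZ executable."""
    if len(data) < 0x20 or data[:2] not in (b"MZ", b"ZM"):
        raise ValueError("not an MZ executable")
    # Every MZ header field is a 16-bit little-endian word ('<H'): the low byte
    # comes first, exactly why the address 367Dh shows up in memory as 7D 36.
    e_cblp, e_cp = struct.unpack_from("<HH", data, 2)   # bytes in last page, number of 512-byte pages
    (e_cparhdr,) = struct.unpack_from("<H", data, 8)   # header size in 16-byte paragraphs
    total = (e_cp - 1) * 512 + (e_cblp or 512)         # e_cblp == 0 means the last page is full
    header = e_cparhdr * 16
    return {
        "header": header,
        "image": total - header,
        "overlay": len(data) - total,                  # data past the load image (none for PSEDIT)
        "packer": "LZEXE" if data[0x1C:0x20] in LZEXE_SIGNATURES else None,
    }


def le_pattern(address: int) -> bytes:
    """Little-endian byte pattern of a 16-bit address, as typed into Softice's S command."""
    return struct.pack("<H", address)


def make_sample_exe(file_size: int, header_paragraphs: int, packer_tag: bytes = b"") -> bytes:
    """Construct a minimal MZ image of the given size (sample data, not the real PSEDIT.EXE)."""
    hdr = bytearray(0x20)
    hdr[:2] = b"MZ"
    struct.pack_into("<HH", hdr, 2, file_size % 512, -(-file_size // 512))  # e_cblp, e_cp (ceil)
    struct.pack_into("<H", hdr, 8, header_paragraphs)
    hdr[0x1C:0x1C + len(packer_tag)] = packer_tag
    return bytes(hdr) + b"\x00" * (file_size - 0x20)


if __name__ == "__main__":
    # Sizes chosen to reproduce the UNP output quoted above: 65862-byte file, 32-byte header.
    sample = make_sample_exe(65862, 2, b"LZ91")
    print(parse_mz(sample))          # {'header': 32, 'image': 65830, 'overlay': 0, 'packer': 'LZEXE'}
    print(le_pattern(0x367D).hex())  # 7d36
```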
OK, time for more action! Search for the byte pattern again and you should find ONLY ONE HIT. Change the byte 75h to EBh. And for those who don't know anything again: 75h is the opcode for JNZ/JNE, 74h is for JZ/JE and EBh is for JMP.
Run the patched file, open a file, and did the nag pop up? No!! We've cracked my first DOS proggie!
I must say, this cracking session is pretty interesting. Firstly, it is because this is my first DOS cracking session. And secondly, I learnt something new about DOS interrupts ;-)
There are a lot of people that I know, so I'll just greet everyone, especially those in #tno, #win32asm, #cracking4newbies and #cracking at EFNet.
Website : http://ytc98.cjb.net