Cracking Tutorial #81:
BrainWave Generator v 3.1.8
[cracked bY:] sLeEpY┐[FWA/NWA/FTPR8Z] iN 12/2002
[difficulty:] beginner
[where:]  http://www.bwgen.com
[tOOLz:] W32dasm 8.93 +W32dasm debugger & Hiew


KANAL23 Tutorial

http://www.kanal23.net




BrainWave Generator v 3.1.8

Download it from

http://www.bwgen.com/     



Written by

sLeEpY┐

Tools

  • W32dasm 8.93

  • Hiew

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

Found this program....was bored.

The Essay

Run BrainWave Generator 3.1.8 and look for what needs to be cracked/fixed:
1. An About screen shows on startup asking you to register.
2. Importing presets is not available.
3. A big "UNREGISTERED EVALUATION COPY" in the title bar.
4. Help, About shows "unregistered".
5. 30-day expiration. After it expires the startup About screen says "EXPIRED UNREGISTERED EVALUATION COPY"; the program still runs, but you have to wait 10 seconds on the nag.

(try to import)
BrainWave Generator
Importing presets is not available in the shareware version of BrainWave Generator. For instructions on how to register BrainWave Generator, select About from the Help menu.
[OK]


(fast forward time 30 days:)
BrainWave Generator
Your evaluation copy of BrainWave Generator has expired. You must wait 10 seconds before you can close this dialog. Please take that time to consider registration.
[OK]



What to attack first? Make the three copies (the original, a backup, and one renamed with a .W32 extension), disassemble the .W32 copy in W32Dasm and check the String Data References (Strn Ref's).

Look till you find this:

String Resource ID=00101: "BrainWave Generator - Registered to %s"

Double-click it and you land here (1 of 3 places):

:0043B1DF 85C0 test eax, eax
:0043B1E1 A3E4994600 mov dword ptr [004699E4], eax
:0043B1E6 7563 jne 0043B24B <-hmmmm

* Possible Reference to String Resource ID=00101: "BrainWave Generator - Registered to %s"

:0043B1E8 BE65000000 mov esi, 00000065




Change this:
:0043B1E6 7563 jne 0043B24B (offset 3B1E6)
To this:
:0043B1E6 40 inc eax
:0043B1E7 48 dec eax

The inc eax / dec eax pair leaves eax as it was and fills the two bytes of the old jne, so execution now falls through into the "Registered to %s" path. Two nops (90 90) would do the same job and, unlike inc/dec, leave the flags untouched.
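A word on those "(offset ...)" numbers. Every offset in this tutorial is simply the VA minus the 0x400000 image base, which is only correct when the section holding the code starts at the same file offset as its RVA. The Python below is an added example (not part of the original tutorial, and not bwgen.exe's own data) that does the mapping properly by reading the PE section table, and runs it against two constructed section layouts: one where the shortcut holds and one with the usual 0x200 file alignment where it does not. bwgen.exe's real section table is not on this page, so both layouts are assumptions.

```python
import struct

# Assumed image base: the listing's 0x0040xxxx addresses imply the default 0x400000.
IMAGE_BASE = 0x400000


def parse_sections(pe: bytes):
    """Return (image_base, [(name, virtual_address, virtual_size, raw_pointer, raw_size), ...])
    from the headers of a PE32 file. Only the header bytes need to be present."""
    if pe[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    (nsections,) = struct.unpack_from("<H", pe, e_lfanew + 6)   # COFF NumberOfSections
    (opt_size,) = struct.unpack_from("<H", pe, e_lfanew + 20)   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    (magic,) = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    (image_base,) = struct.unpack_from("<I", pe, opt + 28)     # PE32 ImageBase
    sections = []
    for i in range(nsections):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", pe, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rawptr, rawsize))
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """Map a virtual address from the disassembly to the byte offset Hiew needs."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for name, sva, vsize, rawptr, rawsize in sections:
        if sva <= rva < sva + max(vsize, rawsize):
            delta = rva - sva
            if delta >= rawsize:
                raise ValueError(f"0x{va:08X} lies in the uninitialised part of {name}; nothing to patch on disk")
            return rawptr + delta
    raise ValueError(f"0x{va:08X} is not inside any section")


def build_test_pe(image_base, sections) -> bytes:
    """Constructed test image (not bwgen.exe): DOS header, PE signature, COFF header,
    PE32 optional header and section table, with only the fields parsed above filled in."""
    e_lfanew = 0x40
    dos = bytearray(e_lfanew)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    opt_size = 0xE0  # size of a standard PE32 optional header
    coff = struct.pack("<4sHHIIIHH", b"PE\0\0", 0x14C, len(sections), 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)           # Magic = PE32
    struct.pack_into("<I", opt, 28, image_base)     # ImageBase
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                    vsize, va, rawsize, rawptr, 0, 0, 0, 0, 0x60000020)
        for name, va, vsize, rawptr, rawsize in sections
    )
    return bytes(dos) + coff + bytes(opt) + table


# Two constructed layouts. ALIGNED is what the tutorial silently relies on (.text raw
# pointer equal to its RVA, so offset == VA - 0x400000); PACKED uses the more common
# 0x200 file alignment, where that shortcut points at the wrong byte.
#            name     VA       VSize    RawPtr   RawSize
ALIGNED = [(".text", 0x1000, 0x48000, 0x1000, 0x48000), (".data", 0x49000, 0x22000, 0x49000, 0x1000)]
PACKED = [(".text", 0x1000, 0x48000, 0x400, 0x48000), (".data", 0x49000, 0x22000, 0x48400, 0x1000)]

if __name__ == "__main__":
    for label, layout in (("aligned", ALIGNED), ("packed", PACKED)):
        pe = build_test_pe(IMAGE_BASE, layout)
        for va in (0x43B1E6, 0x409871, 0x41F703):
            print(f"{label}: VA {va:08X} -> file offset {va_to_file_offset(pe, va):X}")
```

On the aligned layout 0043B1E6 maps to 3B1E6 exactly as the text says; on the packed layout the same VA maps to 3A5E6, and writing 40 48 at 3B1E6 there would corrupt an unrelated instruction. The variable at 0046A360 that all the title-bar code reads lands in the uninitialised tail of .data in both layouts, so the mapper refuses it: there is no byte on disk to patch for it.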


Next place (2 of 3):

:00409871 7439 je 004098AC <-let's make this one jump always
:00409873 48 dec eax
:00409874 741C je 00409892 <-jump to unregged =(
:lines of code
:0040988A 52 push edx

* Possible Reference to String Resource ID=00103: "BrainWave Generator - EXPIRED UNREGISTERED EVALUATION COPY"

:0040988B 6A67 push 00000067
:lines of code

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409874(C)
|
:00409892 8B1560A34600 mov edx, dword ptr [0046A360]
:lines of code
:004098A4 51 push ecx

* Possible Reference to Dialog: DialogID_0029, CONTROL_ID:0066, ""

* Possible Reference to String Resource ID=00102: "BrainWave Generator - UNREGISTERED EVALUATION COPY"

:004098A5 6A66 push 00000066
:004098A7 52 push edx
:004098A8 FFD7 call edi
:004098AA EB2F jmp 004098DB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409871(C) <-the conditional jump we need to goto
|
:004098AC 8B0D60A34600 mov ecx, dword ptr [0046A360] <-land from conditional jump
:004098B2 8D442428 lea eax, dword ptr [esp+28]
:004098B6 6800010000 push 00000100
:004098BB 50 push eax

* Possible Reference to String Resource ID=00101: "BrainWave Generator - Registered to %s"




Change this:
:00409871 7439 je 004098AC (offset 9871)
To this:
:00409871 EB39 jmp 004098AC


Next place (3 of 3):



:00409B06 743A je 00409B42 <-jump to regged! Let's change this one!
:00409B08 48 dec eax
:00409B09 741D je 00409B28 <-jump to unregged
:00409B0B 48 dec eax
:00409B0C 7562 jne 00409B70
:00409B0E 8B1560A34600 mov edx, dword ptr [0046A360]
:00409B14 8D8C242C010000 lea ecx, dword ptr [esp+0000012C]
:00409B1B 6800010000 push 00000100
:00409B20 51 push ecx

* Possible Reference to String Resource ID=00103: "BrainWave Generator - EXPIRED UNREGISTERED EVALUATION COPY"

:00409B21 6A67 push 00000067
:lines of code

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409B09(C)
|
:00409B28 8B0D60A34600 mov ecx, dword ptr [0046A360]
:00409B2E 8D84242C010000 lea eax, dword ptr [esp+0000012C]
:00409B35 6800010000 push 00000100
:00409B3A 50 push eax

* Possible Reference to Dialog: DialogID_0029, CONTROL_ID:0066, ""

* Possible Reference to String Resource ID=00102: "BrainWave Generator - UNREGISTERED EVALUATION COPY"

:lines of code

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409B06(C) <-the conditional jump we need, goto it
|
:00409B42 A160A34600 mov eax, dword ptr [0046A360]
:00409B47 8D54242C lea edx, dword ptr [esp+2C]
:00409B4B 6800010000 push 00000100
:00409B50 52 push edx

* Possible Reference to String Resource ID=00101: "BrainWave Generator - Registered to %s"



Change this:
:00409B06 743A je 00409B42 (offset 9B06)
To this:
:00409B06 EB3A jmp 00409B42

This fixes the "Registered to" text in the title bar, so target 3 is accomplished. From double-checking, I think you only need the last two of the three patches to crack it, at least on XP, but you might as well be thorough.

There is still one in the Help, About dialog box.
Check the Strn Ref's again and look for this:

String Resource ID=00154: "REGISTERED TO: %s" <-all caps
Double-click it and you should land here:



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041F703(C) <-a conditional jump from this location, go there (below)
|
:0041F797 8B1560A34600 mov edx, dword ptr [0046A360]
:0041F79D 8D4C2410 lea ecx, dword ptr [esp+10]
:0041F7A1 6800010000 push 00000100
:0041F7A6 51 push ecx

* Possible Reference to String Resource ID=00154: "REGISTERED TO: %s"

:0041F7A7 689A000000 push 0000009A
:0041F7AC 52 push edx




:0041F703 0F848E000000 je 0041F797 <-here we are, let's just force this one
:0041F709 48 dec eax
:0041F70A 7445 je 0041F751
:0041F70C 48 dec eax
:0041F70D 0F8510010000 jne 0041F823
:0041F713 8B1560A34600 mov edx, dword ptr [0046A360]
:0041F719 8D4C2410 lea ecx, dword ptr [esp+10]
:0041F71D 6800010000 push 00000100
:0041F722 51 push ecx

* Possible Reference to String Resource ID=00155: "EXPIRED UNREGISTERED EVALUATION COPY"




Change this:
:0041F703 0F848E000000 je 0041F797 (offset 1F703)
To this:
:0041F703 E98F000000 jmp 0041F797
:0041F708 90 nop

This one is a 6-byte je rel32, so it cannot just have its opcode byte swapped like the 2-byte jumps above. The 5-byte jmp rel32 goes in its place and a single nop fills the sixth byte. Because the jmp is one byte shorter than the je, its displacement is 8F instead of 8E so that it still lands on 0041F797.
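The arithmetic behind the two kinds of patch, as an added Python example (not code from the tutorial). It computes the unconditional replacement for both the short (7x cc) and near (0F 8x rel32) forms of a conditional jump and checks that the target is preserved, and it also produces the all-nop alternative for a jump that should never be taken. The addresses and opcode bytes are the ones shown in this tutorial.

```python
NOP = 0x90


def jump_target(addr: int, code: bytes) -> int:
    """Absolute target of the relative jump encoded in `code`, which sits at address `addr`.
    Handles short Jcc (7x cc), short JMP (EB cc), near Jcc (0F 8x rel32) and near JMP (E9 rel32).
    The displacement is relative to the address of the *next* instruction."""
    if code[0] == 0xEB or 0x70 <= code[0] <= 0x7F:
        disp, length = int.from_bytes(code[1:2], "little", signed=True), 2
    elif code[0] == 0xE9:
        disp, length = int.from_bytes(code[1:5], "little", signed=True), 5
    elif code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        disp, length = int.from_bytes(code[2:6], "little", signed=True), 6
    else:
        raise ValueError(f"not a relative jump: {code.hex()}")
    return (addr + length + disp) & 0xFFFFFFFF


def force_jump(addr: int, code: bytes) -> bytes:
    """Turn a conditional jump into an unconditional one of the same length and target.
    Short form: the opcode byte becomes EB, the 8-bit displacement is unchanged.
    Near form: 0F 8x rel32 (6 bytes) becomes E9 rel32 (5 bytes) plus one NOP; because the
    JMP is a byte shorter, its displacement must grow by one to reach the same target."""
    target = jump_target(addr, code)
    if 0x70 <= code[0] <= 0x7F:
        new = bytes([0xEB, code[1]])
    elif code[0] == 0x0F:
        disp = (target - (addr + 5)) & 0xFFFFFFFF
        new = bytes([0xE9]) + disp.to_bytes(4, "little") + bytes([NOP])
    else:
        raise ValueError("already an unconditional jump")
    # Sanity check: same size, and the new jump still lands where the old one did.
    check = new[:5] if code[0] == 0x0F else new
    assert len(new) == len(code) and jump_target(addr, check) == target
    return new


def kill_jump(code: bytes) -> bytes:
    """Make a jump never taken by overwriting it with NOPs of the same length.
    The tutorial's 40 48 (inc eax / dec eax) pairs do the same job but clobber
    OF/SF/ZF/AF/PF; 90 leaves the flags alone, which matters if the code after the
    patched jump still tests them."""
    jump_target(0, code)  # validates that this really is a jump we understand
    return bytes([NOP]) * len(code)


if __name__ == "__main__":
    # The four je's forced in this tutorial: three short and one near.
    for addr, old in ((0x409871, "7439"), (0x409B06, "743A"), (0x41F703, "0F848E000000"), (0x408A6E, "7426")):
        code = bytes.fromhex(old)
        print(f"{addr:08X}: {old} -> {force_jump(addr, code).hex().upper()}  (target {jump_target(addr, code):08X})")
    # The two jumps that are removed rather than forced.
    for addr, old in ((0x43B1E6, "7563"), (0x41BCF3, "0F8516010000")):
        print(f"{addr:08X}: {old} -> {kill_jump(bytes.fromhex(old)).hex().upper()}")
```

Running it reproduces every replacement byte string given in this tutorial, including E9 8F 00 00 00 90 for the Help/About patch. The same two functions cover the opposite direction too: to turn a jne into "never jump" you use kill_jump, to turn a je into "always jump" you use force_jump; which one you want depends on whether the good code is the fall-through or the target.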


Well, what a good bunch of changes these have been: targets 4 and 5 are accomplished here. The Help, About box now says "Registered To:" (blank), and the startup nag is still there but you no longer have to wait the 10 seconds, since it shows as registered. The time limit is gone too, as this popup no longer shows:

BrainWave Generator
Your evaluation copy of BrainWave Generator has expired. You must wait 10 seconds before you can close this dialog. Please take that time to consider registration.
[OK]





As easy as this has been, the next part should be no problem. When you try to import, you get the following error:

BrainWave Generator
Importing presets is not available in the shareware version of BrainWave Generator. For instructions on how to register BrainWave Generator, select About from the Help menu.
[OK]


Check the Strn Ref's again and look for this string. It is referenced in two places, so double-click it twice:

String Resource ID=01313: "Importing presets is not available in the shareware version "



:0041BB2C 741C je 0041BB4A <-hmm, good jump, goes past the error, let's make it jmp
:0041BB2E 83FEFF cmp esi, FFFFFFFF
:0041BB31 7407 je 0041BB3A <-bad jump
:0041BB33 56 push esi

* Reference To: KERNEL32.CloseHandle, Ord:001Bh

:0041BB34 FF15E0914400 Call dword ptr [004491E0]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041BB31(C) <-this jump takes us to it, check above
|
:0041BB3A 5F pop edi
:0041BB3B 5E pop esi
:0041BB3C 5D pop ebp

* Possible Reference to String Resource ID=01313: "Importing presets is not available in the shareware version " <-our crappy error message

:0041BB3D B821050000 mov eax, 00000521
:0041BB42 5B pop ebx
:0041BB43 81C4C0080000 add esp, 000008C0
:0041BB49 C3 ret




Change this:
:0041BB2C 741C je 0041BB4A (offset 1bb2c)
To this:
:0041BB2C EB1C jmp 0041BB4A



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041BCF3(C) <-jumped from here! Find it, then nop it or something so the jump isn't made.
|
:0041BE0F 8B442410 mov eax, dword ptr [esp+10]
:0041BE13 83F8FF cmp eax, FFFFFFFF
:0041BE16 7407 je 0041BE1F <-jump to error, trace farther back
:0041BE18 50 push eax

* Reference To: KERNEL32.CloseHandle, Ord:001Bh

:0041BE19 FF15E0914400 Call dword ptr [004491E0]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041BE16(C) <-jumped from here
|
:0041BE1F 5F pop edi
:0041BE20 5E pop esi
:0041BE21 5D pop ebp

* Possible Reference to String Resource ID=01313: "Importing presets is not available in the shareware version " <-our error message

:0041BE22 B821050000 mov eax, 00000521
:0041BE27 5B pop ebx
:0041BE28 81C4C0080000 add esp, 000008C0
:0041BE2E C3 ret




Change this:
:0041BCF3 0F8516010000 jne 0041BE0F (offset 1BCF3)
To this:
:0041BCF3 404840484048 (inc eax, dec eax, three times)

All six bytes of the jne have to be overwritten so that the instruction after it still decodes at 0041BCF9. Six nops (90 90 90 90 90 90) would also do the job and leave the flags alone.



Make these two changes and we can now import; target 2 is accomplished. All that is left is the nag. Near the top of the W32Dasm listing look for this:

Name: DialogID_0028, # of Controls=017, Caption:"About BrainWave Generator", ClassName:""

Now we know our dialog ID. Check the Dialog References (DLG REF's) and look for it; it should be right at the top. Double-click it a few times to visit each place it shows up.

5 places it shows up:
:00403028
:004084ED
:00408A63
:00408A8B
:0041545B


Since there are only five we could trial-and-error it, or use the debugger, set breakpoints on those locations and see which one gets hit.

I like to use the W32Dasm built-in debugger.
Click Debug, Load Process, Load (it automatically uses the program currently disassembled). Two more windows appear, but all we care about is which location the nag comes from, so take the five places:
:00403028
:004084ED
:00408A63
:00408A8B
:0041545B


Now click Goto, Code Location, type in the first address, 403028, and click OK; you are now at that location. Press F2 to toggle a breakpoint there. Do the same for all five locations. Once that is done, press Run in the window on the right. The program runs until it hits one of the five breakpoints; note where it broke and click Run again. It breaks in only two places before the nag shows:

:00403028 <-1st break but the nag didn't show
:004084ED
:00408A63
:00408A8B <-break 2, nag pops up on this one!
:0041545B


So we have narrowed it down to two possible places where the nag loads. Let's examine each one. I tried the first one: if you bypass it, the app won't load. So let's check the second, where we saw the nag loading.



* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408A25(C)
|
:00408A68 391D00AC4600 cmp dword ptr [0046AC00], ebx
:00408A6E 7426 je 00408A96 <-well? a way past the nag?
:00408A70 391D18564500 cmp dword ptr [00455618], ebx
:00408A76 752A jne 00408AA2
:00408A78 8B0D10A14600 mov ecx, dword ptr [0046A110]
:00408A7E 8B1560A34600 mov edx, dword ptr [0046A360]
:00408A84 53 push ebx
:00408A85 68C0F54100 push 0041F5C0
:00408A8A 51 push ecx

* Possible Reference to Dialog: DialogID_0028 <-help/nag

* Possible Reference to String Resource ID=00040: "(Parameters frozen) Time %s"

:00408A8B 6A28 push 00000028
:00408A8D 52 push edx




So just make this location jump:

Change this:
:00408A6E 7426 je 00408A96 (offset 8A6E)
To this:
:00408A6E EB26 jmp 00408A96

That takes us past the nag. Run the app: no more nag. Target 1 accomplished. Program cracked!
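All seven edits collected into one small Python patcher, as an added example (not part of the original tutorial). The file offsets follow the tutorial's VA - 400000 convention; the offset for the nag patch (8A6E) is computed the same way, since the text does not list it. The script refuses to write unless the expected original bytes are at every offset, which is the check you want before letting Hiew or anything else modify a binary: a different build, or a file that has already been patched, fails loudly instead of having random bytes overwritten. The test image is a constructed zero-filled buffer with just the original bytes placed at each site; point patch_file at a real copy to use it.

```python
from dataclasses import dataclass
from pathlib import Path


@dataclass(frozen=True)
class Patch:
    offset: int       # file offset (the tutorial's VA - 0x400000 convention)
    original: bytes   # bytes that must be present before patching
    patched: bytes    # replacement of identical length
    note: str


# The seven edits from the text, in the order the tutorial makes them.
BWGEN_318_PATCHES = (
    Patch(0x3B1E6, bytes.fromhex("7563"), bytes.fromhex("4048"), "title bar, place 1: jne -> inc eax/dec eax"),
    Patch(0x09871, bytes.fromhex("7439"), bytes.fromhex("EB39"), "title bar, place 2: je -> jmp"),
    Patch(0x09B06, bytes.fromhex("743A"), bytes.fromhex("EB3A"), "title bar, place 3: je -> jmp"),
    Patch(0x1F703, bytes.fromhex("0F848E000000"), bytes.fromhex("E98F00000090"), "Help/About: je rel32 -> jmp rel32 + nop"),
    Patch(0x1BB2C, bytes.fromhex("741C"), bytes.fromhex("EB1C"), "import, place 1: je -> jmp"),
    Patch(0x1BCF3, bytes.fromhex("0F8516010000"), bytes.fromhex("404840484048"), "import, place 2: jne -> inc/dec x3"),
    Patch(0x08A6E, bytes.fromhex("7426"), bytes.fromhex("EB26"), "startup nag: je -> jmp (offset assumed via VA - 400000)"),
)


def apply_patches(image: bytes, patches=BWGEN_318_PATCHES) -> bytes:
    """Return a patched copy of `image`. Every patch's original bytes are checked first, so a
    different build, or an already patched file, is refused rather than silently corrupted."""
    buf = bytearray(image)
    for p in patches:
        if len(p.original) != len(p.patched):
            raise ValueError(f"{p.note}: replacement must keep the instruction length")
        end = p.offset + len(p.original)
        if end > len(buf):
            raise ValueError(f"{p.note}: offset 0x{p.offset:X} is past the end of the file")
        found = bytes(buf[p.offset:end])
        if found != p.original:
            raise ValueError(f"{p.note}: expected {p.original.hex()} at 0x{p.offset:X}, "
                             f"found {found.hex()} (wrong version, or already patched?)")
        buf[p.offset:end] = p.patched
    return bytes(buf)


def is_patched(image: bytes, patches=BWGEN_318_PATCHES) -> bool:
    """True when every patch site already holds the replacement bytes."""
    return all(image[p.offset:p.offset + len(p.patched)] == p.patched for p in patches)


def patch_file(src: str, dst: str, patches=BWGEN_318_PATCHES) -> None:
    """Patch `src` into `dst`, leaving `src` untouched as the backup copy."""
    Path(dst).write_bytes(apply_patches(Path(src).read_bytes(), patches))


def make_test_image(patches=BWGEN_318_PATCHES, size=0x50000) -> bytes:
    """Constructed stand-in for bwgen.exe: zero-filled, with only the original bytes of
    each patch site placed at its offset. Enough to exercise the checks offline."""
    buf = bytearray(size)
    for p in patches:
        buf[p.offset:p.offset + len(p.original)] = p.original
    return bytes(buf)


if __name__ == "__main__":
    img = make_test_image()
    out = apply_patches(img)
    print("patched:", is_patched(out), "| size unchanged:", len(out) == len(img))
    try:
        apply_patches(out)  # a second run must refuse: the original bytes are gone
    except ValueError as e:
        print("refused re-patch:", e)
```

Keeping the original bytes in the patch table is what makes the patcher safe to hand to someone else: if the bwgen.exe they feed it is not the 3.1.8 build this tutorial was written against, nothing gets written.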




Final thoughts

When you are deluded and full of doubt, even a thousand books of scripture are not enough.
When you have realized understanding, even one word is too much.
- Fen-Yang.


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This document is copyrighted by kanal23 and its members. Please mail the author of this document with complaints and such things.
Kanal23 is signing out for now.
