Yunga

Introduction to Win95 Cracking - eXact /oRP

Jul 27th, 2014
Introduction to Win95 Cracking

A few words before beginning

Giving credit where credit is due! So, I'd like to give a really
BIG thanks to ED!SON of United Cracking Force for his tutorial about
Windows 95 cracking; without it I wouldn't be here telling you how to
crack a program under Win95.
Giving ALL the credits... all I learned about cracking is with the
help of great tutorials: 5 Minutes 4 a Crack /NeverOne, Amateur
Crackist Tutorial /Specular Vision, Cracking for Masses /FraVia, Old
Red Cracker Tutorials /+ORC (A Must), The Ancient Art Of Cracking &
Cracking 101 /Buckaroo Banzai, The Cracking Manual /Cyborg, The Uncle
Joe CrackBook /Uncle Joe (heh, what did you expect?). But also with
40 Hex Magazines, The Crypt Newsletters, Virus Laboratories And
Distribution.
Note: a lot of the explanations I'll give you in the Introduction parts
are ripped from some of the tutorials above; it's because I wanted to have
something complete you can start with. Thanks again to those who wrote them.

For this tutorial you'll need:
ACDSee32 V2.0 Beta
Soft-Ice 3.00
HexWorkShop

Introduction to Cracking

You might be wondering what type of programming skills you need to
become a cracker. Knowing a higher level language such as Basic,
Pascal, or C++ will help you somewhat in that you will have an
understanding of what's involved in the process of writing a program
and how certain aspects of a program function. If you don't have any
programming skills, you have a long road ahead of you. But even if you
can program in a high level language, in order to crack you have to
know assembly... It really doesn't matter what language a program was
written in in order to crack it, because all programs do the same
thing: issue commands to the microprocessor. All programs, when broken
down to their simplest form, are nothing more than a collection of
80x86 instructions and program-specific data. This is the level of
assembly language. In assembly you have total control of the system.
This is also the level that the debugger operates at.

You don't have to become a master at assembly to crack a program, but
it helps. You do need to learn some rudimentary principles, and you
absolutely have to become familiar with the registers of the CPU and
how the 8088 instruction set uses them. There is no way around this.
How proficient you are at assembly will determine how good a
cracker you become. You can get by on learning a few basic
instructions, how to use a debugger, and one or two simple techniques.
This will allow you to remove a few shareware nag screens, and maybe
you'll luck out and remove the copy protection from a game or two, but
that's it.

With a debugger you can dynamically interact with the program and run it
one line of code at a time, and see exactly what the program is doing in
real time as each line of code is executed. You will also be able to
re-assemble instructions (in memory only), edit the contents of memory
locations, manipulate the CPU's registers, and see the effects your
modifications have on the program as it's running. This is also where
all your system crashes will occur... There is a lot of trial and
error involved in cracking.

As you get better, you'll have to write programs that will implement
your patches if you decide to distribute them. The patches themselves
don't have to be written in assembly.

The source code I included in this manual is extremely simple.
It's written in assembly because that's the only language I know
how to program in, but if you are already proficient in a higher level
language, it should be trivial for you to duplicate its methods in
your preferred language.

Quick Introduction To Soft-Ice 3.0

Okay, okay, I already heard you: "Hey eXact, you've ripped the ED!SON
introduction." Yes, I've taken it ;) Why should I do something if
someone already did? So for all of you that didn't have the chance to
have that intro, I've remixed it a little, and here it is...

Cracking a Windows program is most often simpler than a program
running in DOS. In Windows, it's hard to hide anything from anyone who
really looks for information, as long as Windows' own functions are
used. The first (and often only) tool you need is Soft-Ice, a
powerful debugger from NuMega (http://www.numega.com). Some people
find it hard to use, but I will tell you how to do efficient debugging
with it.

To use Sice, you must load it before Windows. To do that, just add
"Drive:\Path\WINICE.EXE" at the end of your "AUTOEXEC.BAT". Normally,
the Sice Setup should have already done it. I advise you to make a
multi-config; that way, you can load Sice only when you need it.

Example of multi-config:
;--- Config.sys
[menu]
menuitem SICE,Load Soft-Ice Debugger Behind Windows
menuitem NORM,Normal Mode
menudefault NORM,5
[SICE]
[NORM]
[common]
DEVICE=C:\WIN96\HIMEM.SYS
DOS=HIGH
DEVICE=C:\cd\drivers\MTMCDAI.SYS /D:MTMIDE01
FILES=40
;--- EOF Config.sys

;--- Autoexec.bat
@ECHO OFF
SET BLASTER=A220 I5 D1 H5 P330 T6
SET MIDI=SYNTH:1 MAP:E
SET PATH=C:\WIN96;C:\WIN96\COMMAND;C:\DOS;D:\NC
SET TEMP=C:\TEMP
SET SOUND=C:\VIBRA16
C:\VIBRA16\DIAGNOSE /S
C:\VIBRA16\MIXERSET /P /Q
PROMPT $p$g
goto %config%
:SICE
C:\Progra~1\SoftIc~1\WINICE.EXE
goto common
:NORM
goto common
:common
;--- EOF Autoexec.bat

In config.sys, the [menu] section indicates that it's a multi-config: it will
display the two menuitems and wait for the user to select one. When
selected, the part of the config file referring to it is run and
followed by the [common] one. In autoexec.bat there's a %config%
variable set to the user's selection, and it is used to select which part of
your bat you will execute.

So, update your system files if they need it, and reboot your machine.
If you don't understand why these config files look like this, refer
to the MS-DOS Help (type HELP at the DOS prompt).

Now that Sice is loaded into memory, press "CTRL-D" to pop it up.
Here is a little description of the windows you can see on the Sice screen:

CPU Registers Window   "WR" En/Disable, "R", "Alt-R" Edit.
FPU Registers Window   "WF" En/Disable.
Locals Window          "WL" En/Disable, "Alt-L" Focus.
Watch Window           "WW" En/Disable, "Alt-W" Focus.
Data Window            "WD" En/Disable, "E", "Alt-D" to Edit.
Code Window            "WC" En/Disable, "A" Edit, "Alt-C" Focus.
Command Window         Type Commands and read output here.
Help Line              Get summary help on what you are typing.

The register window contains the general purpose and flags registers
of the CPU. You will notice that the general purpose registers contain
hexadecimal values. These values are just what happened to be in there
when you brought up the debugger. You will also notice that some of
the flags are highlighted while some are not. The highlighted flags
are the ones that are SET, while the ones that are not highlighted are
CLEARED. Generally, the registers are also highlighted when they change
value. From this window you will be able to manipulate the contents of
the CPU's registers. You will change the values of the registers while
debugging a program in order to change the behavior of the running
program. Say you come across a JNZ instruction (jump if not zero);
that instruction makes the decision on whether or not to make the jump
based on the state of the (Z)ero flag. You can modify the condition of
the (Z)ero flag in order to alter the flow of the program's code. By
the same token, you can modify the general purpose registers in the
same manner. Say the AX register contains 0000, and the program bases
its actions on that value; modifying the AX register to contain a new
value will also have the effect of modifying the flow of the code.
After you become comfortable with using Sice you'll begin to
appreciate just how powerful this window is, and you'll also discover
soon enough just how totally it can screw your system if you fuck up.

The data window will display data as it exists in memory. From this
window you can usually display, search, edit, fill, and clear entire
ranges of memory. The two most common commands for this window are
display and edit. The search command is also useful in cracking. Sice
offers you 4 data windows; you can toggle from one to another using
the "data" command. You can also change the type of data this window
is displaying using the "format" command. You can scroll in the data
window using ALT and arrows or PgUp/PgDn keys.

The code window is the window in which you will interact with the
running program. This is the most complex window, and it is where the
bulk of debugging occurs. The layout of the window is pretty simple:
the group of 12 hex digits with the colon in the middle of them to the
far left of the window is the segment:offset of that line of code.
Each line of code in this window is an instruction that the program
will issue to the microprocessor, and the parameters for that
instruction. The registers that contain the address of the current
instruction waiting to be executed are the CS:EIP registers (code
segment and instruction pointer). This line is highlighted; if you
don't have it in the code window, use the "." command to retrieve it. You
will also notice a group of hex numbers to the right of the addresses;
this group of numbers is the hexadecimal equivalent of the mnemonic
instructions. The next group of words and numbers to the right of the
hex numbers are the mnemonic instructions themselves. You can scroll
in the code window using ALT and arrows or PgUp/PgDn keys.

For most examples, we'll only need to have the CPU Registers Window,
the Data and the Code ones. Disable the others. I'm in 60 lines mode. So if
all windows are disabled, to have the same screen as me do (comments are
preceded by a semi-colon):
:lines 60 ; Set 60 lines mode
:color f a 4f 1f e ; Set psychedelic colors (Optional)
:wd 22 ; Enable Data Window 22 lines long
:wc 25 ; Enable Code Window 25 lines long
:wr ; Enable Register Window
:code on ; Display instruction bytes

It may seem strange to you to have to type all these commands each
time you start Sice. In fact, all these commands can be put in the
winice.dat file (in your Sice directory). Let's see what is in mine:

;--- Example of Winice.dat
; General Variables
NMI=ON
SIWVIDRANGE=ON
LOWERCASE=OFF ; Disable lowercase assembly
MOUSE=ON ; Enable mouse
NOLEDS=OFF ; Disable led switching
NOPAGE=OFF
PENTIUM=ON ; Pentium Op-Codes
THREADP=ON ; Following Thread Process
VERBOSE=ON
PHYSMB=16 ; Exact Memory Size
SYM=256 ; Memory allocated to symbols
HST=16 ; Memory allocated to history
TRA=92 ; Memory allocated to back trace buffer
; Startup sequence
INIT="lines 60;color f a 4f 1f e;wd 22;wc 22;wr;code on;x;"
; Function Keys
F5="^G;" ; Run (CTRL-D)
F8="^T;" ; Step into functions (Trace)
F10="^P;" ; Step Over functions (Procedure)
F11="^G @SS:ESP;" ; Step out of function
; Export Symbols
EXP=c:\win96\system\kernel32.dll
EXP=c:\win96\system\user32.dll
EXP=c:\win96\system\gdi32.dll
;--- EOF Winice.dat

Okay, I think it speaks for itself. Just a little note for defining
function keys: all commands preceded by ^ are invisible, and all those
followed by a ; are executed (the ; indicates an ENTER). Don't forget
to load the Export Symbols!

Cracking ACDSee 32 V2.0 Beta

Loading ACDSee32.exe into Soft-Ice And Breaking At The Right Point.
Run the Symbol Loader, do "File/Open Module" (you can also click on
the first button on the left of the tool bar) and browse until you can
select the file ACDSee32.exe. Now, to start debugging you must do
"Module/Load..." or click the "Load" button (next to the "Open" one).
Perhaps Sice popped up, saying "Break Due To Load Module" or something
like that; leave it by pressing "CTRL-D" or typing "X" followed by
"ENTER". You should disable the "Break At WinMain" option (the little
lamp button) so that Sice doesn't pop up each time you load a module.

OK, let's go. In ACDSee, click on "Tools/Register..." Fill up the
boxes with what you want. (I've filled them with Name: "Out Rage
Pirates" and Registration: "112233445566"). Generally programs must
read the content of the boxes with one of these functions:

16-bit              32-bit
GetWindowText       GetWindowTextA, GetWindowTextW
GetDlgItemText      GetDlgItemTextA, GetDlgItemTextW

The last letter of the 32-bit functions tells if the function uses
one-byte or double-byte strings. Double-byte code is RARE. So, now we're
gonna enter Sice by pressing CTRL-D and set breakpoints on the functions
that get the content of the edit boxes:

:bpx GetWindowText
:bpx GetWindowTexta
:bpx GetWindowTextw
:bpx GetDlgItemText
:bpx GetDlgItemTexta
:bpx GetDlgItemTextw

Oki, there's no need to set BPs (BreakPointS) 0 and 3 since we know it
is a 32-bit application, but I've put them here to be exhaustive. If
you encounter problems setting these breakpoints, make sure that the
export symbols are loaded in Soft-Ice: edit the file winice.dat and
check that the semi-colons are removed from the EXP= lines that follow
"Example of export symbols that can be included for chicago" near the
end of the file. Generally, you only need to keep kernel32.dll,
user32.dll and gdi32.dll. If you get an error message "No LDT", make sure
you don't run any other DOS application in the background.

It's not certain that Sice will pop up, as not all programs call
these Windows functions.
Continue the program ("CTRL-D"), and click the OK button. It worked,
we're back in Sice! Press "CTRL-D" to continue the process; back in
Sice again! Re-re-press "CTRL-D": no more Sice pop-up. Normal,
there are only two textboxes... Click OK to get back to the registration
window. And now, let's throw an eye into Sice: CTRL-D. There are
comments for the two breakpoints:

Break due to BPX USER32!GetDlgItemTextA (ET=4.70 seconds)
Break due to BPX USER32!GetDlgItemTextA (ET=269.77 microseconds)

It's BP 04; let's delete the other BPs:

:bl ; BPs list
00) BPX USER!GetWindowText
01) BPX USER32!GetWindowTexta
02) BPX USER32!CharNextExW
03) BPX USER!GetDlgItemText
04) BPX USER32!GetDlgItemTextA
05) BPX USER32!AppendMenuW
:bc 0 1 2 3 5 ; Clear BPs #0, 1, 2, 3 and 5.

We'll do it again. Press "CTRL-D" to leave Soft-Ice, and click the OK
button. Magic, we're back in it... Let's do a little focus: where are
we, and what the hell now? We are at the start of the "Get Dialog
Item Text A" function, and we are going to find where it is called.
Since we know that when we do a far call to something the next logical
instruction address is stored on the stack, we're gonna set a BP on that
address and execute the program until we reach it. The G command will
continue the program at the current CS:EIP, and set a temporary BP at
the address indexed (@) by SS:ESP. There's a function key that
automatically does it; normally, it's F11.

:G @SS:ESP

Finding Where The Registration Code Is Checked

Ok, we are back in Sice at the instruction following the call to
GetDlgItemTextA. We're gonna take a look at what's happening before and
after. Use CTRL-UP and CTRL-DOWN to move in the code window. If you
don't have the code window on your screen you can make it appear by
typing WC (WC 20 will set the code window to be 20 lines long). You
should see something like the following (I've added blank lines and
comments for clarity and future explanations):

; Get The Name Into Buffer (ESP+18)
0040367B 8D442418 LEA EAX, [ESP + 18] ; Buffer(For Name) Address
0040367F 6A1E PUSH 0000001E ; Max String Size
00403681 8BB42408010000 MOV ESI, [ESP + 00000108]
00403688 50 PUSH EAX ; Buffer Address
00403689 6A6B PUSH 0000006B ; Control ID
0040368B 8B3D94DA4900 MOV EDI,[USER32!GetDlgItemTextA]
00403691 56 PUSH ESI ; Dialog Handle
00403692 FFD7 CALL EDI ; Call GetDlgItemTextA

; Get The Registration Code Into Buffer (ESP+38)
>00403694 8D442438 LEA EAX, [ESP + 38] ; Buffer(Registration) Addy
00403698 68C8000000 PUSH 000000C8 ; Max String Size
0040369D 50 PUSH EAX ; Buffer Address
0040369E 6882000000 PUSH 00000082 ; Control ID
004036A3 56 PUSH ESI ; Dialog Handle
004036A4 FFD7 CALL EDI ; Call GetDlgItemTextA

; Registration Checking
>004036A6 8D442438 LEA EAX, [ESP + 38] ; Registration Buffer
004036AA 8D4C2418 LEA ECX, [ESP + 18] ; Name Buffer
004036AE 50 PUSH EAX ; Save Data
004036AF 51 PUSH ECX
!004036B0 E80BF9FFFF CALL 00402FC0 ; Registration Check
004036B5 83C408 ADD ESP, 00000008 ; Free Stack
004036B8 85C0 TEST EAX, EAX
004036BA 7E6E JLE 0040372A ; EAX=0 Means Bad Reg...

; Do Something, sure... ;)
004036BC 8D442438 LEA EAX, [ESP + 38]
004036C0 8D4C2418 LEA ECX, [ESP + 18]
004036C4 50 PUSH EAX
004036C5 51 PUSH ECX
004036C6 E895FAFFFF CALL 00403160
004036CB 83C408 ADD ESP, 00000008
004036CE 833D44F0480000 CMP DWORD PTR [0048F044], 00000000
004036D5 740B JE 004036E2
004036D7 A144F04800 MOV EAX, [0048F044]
004036DC 8BC8 MOV ECX, EAX
004036DE 8B18 MOV EBX, [EAX]
004036E0 FF13 CALL DWORD PTR [EBX]
004036E2 833D40F0480000 CMP DWORD PTR [0048F040], 00000000
004036E9 740C JE 004036F7
004036EB A140F04800 MOV EAX, [0048F040]
004036F0 8BC8 MOV ECX, EAX
004036F2 8B18 MOV EBX, [EAX]
004036F4 FF5314 CALL [EBX+14]

; Close Registration Window, And pop up: "Thanks for Registering"
004036F7 6A01 PUSH 00000001
004036F9 56 PUSH ESI
004036FA FF15F4DA4900 CALL [USER32!EndDialog]
00403700 6A00 PUSH 00000000
00403702 6820324000 PUSH 00403220
00403707 56 PUSH ESI
00403708 FF15F8DA4900 CALL [USER32!GetParent]
0040370E 50 PUSH EAX
0040370F 68E4000000 PUSH 000000E4
00403714 A148F04800 MOV EAX, [0048F048]
00403719 50 PUSH EAX
0040371A FF1544DB4900 CALL [USER32!DialogBoxParamA]
00403720 B801000000 MOV EAX, 00000001
00403725 E92EFFFFFF JMP 00403658

; Pops up a window saying: "Your name and registration code do not match."
0040372A 6A00 PUSH 00000000
0040372C A104F34800 MOV EAX, [0048F304]
00403731 50 PUSH EAX
00403732 68ACF34800 PUSH 0048F3AC
00403737 56 PUSH ESI
00403738 FF15E4DA4900 CALL [USER32!MessageBoxA]
0040373E 6882000000 PUSH 00000082
00403743 56 PUSH ESI
00403744 FF15F0DA4900 CALL [USER32!GetDlgItem]
0040374A 50 PUSH EAX
0040374B FF1548DB4900 CALL [USER32!SetFocus]
00403751 B801000000 MOV EAX, 00000001
00403756 E9FDFEFFFF JMP 00403658

Let's do some analysis on what we are seeing. We are at
0157:00403694 (your segment address may be different; it depends on
what you load, so update my values with yours). The previous instruction
is the call to GetDlgItemTextA. Again, you can scroll in the code
window with "CTRL-UP", "CTRL-PGUP", "CTRL-DOWN" and "CTRL-PGDOWN".
You can also give the focus to the code window by pressing "Alt-C" and
use the UP, DOWN, PGUP, PGDOWN keys to scroll it.

In C, the prototype of GetDlgItemTextA (the call we are looking at) is:

UINT GetDlgItemTextA(HWND hDlg, int nIDDlgItem, LPSTR lpString, int cchMax);

The arguments are pushed right to left, so the four pushes above are, in
that order, cchMax (1E), lpString (EAX), nIDDlgItem (6B) and hDlg (ESI).
So the push eax is the buffer address; let's have a look:

:d esp+18 ; You can also use "db esp+18" for byte display
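As an added example (the editor's own Python, not code from the tutorial): the reasoning just done by hand, pairing the PUSHes before a CALL with the callee's parameters, can be automated over a Soft-Ice-style listing. The excerpt below is embedded from the listing on this page so the script runs offline; the parameter names come from the Win32 prototype of GetDlgItemTextA; the parser, the LEA annotation and the output format are this example's own.

```python
import re
from typing import Dict, List

# Excerpt of the Soft-Ice listing shown in the tutorial, embedded so the
# script runs offline (addresses and bytes as they appear on the page).
LISTING = """
0040367B 8D442418 LEA EAX, [ESP + 18]
0040367F 6A1E PUSH 0000001E
00403681 8BB42408010000 MOV ESI, [ESP + 00000108]
00403688 50 PUSH EAX
00403689 6A6B PUSH 0000006B
0040368B 8B3D94DA4900 MOV EDI,[USER32!GetDlgItemTextA]
00403691 56 PUSH ESI
00403692 FFD7 CALL EDI
00403694 8D442438 LEA EAX, [ESP + 38]
00403698 68C8000000 PUSH 000000C8
0040369D 50 PUSH EAX
0040369E 6882000000 PUSH 00000082
004036A3 56 PUSH ESI
004036A4 FFD7 CALL EDI
"""

# UINT GetDlgItemTextA(HWND hDlg, int nIDDlgItem, LPSTR lpString, int cchMax);
# Win32 API calls are stdcall: arguments are pushed right to left, so the
# PUSH closest to the CALL is the first parameter.
GETDLGITEMTEXTA_PARAMS = ["hDlg", "nIDDlgItem", "lpString", "cchMax"]

# address, instruction bytes, mnemonic, operands
LINE_RE = re.compile(r"^([0-9A-F]{8})\s+[0-9A-F]+\s+(\w+)\s*(.*)$")


def parse_listing(text: str) -> List[Dict[str, str]]:
    """Split disassembly lines into address / mnemonic / operand fields."""
    insns = []
    for raw in text.strip().splitlines():
        m = LINE_RE.match(raw.strip())
        if m:
            insns.append({"addr": m.group(1), "mnem": m.group(2).upper(),
                          "ops": m.group(3).strip()})
    return insns


def recover_call_args(insns: List[Dict[str, str]], params: List[str]) -> List[Dict[str, str]]:
    """For every CALL, pair the preceding PUSHes with the parameter names.

    A register pushed after an LEA into that register is annotated with the
    LEA source, which is how the tutorial identifies the buffer operand.
    Returns one dict per call site (call_addr plus one key per parameter).
    """
    sites = []
    pending: List[str] = []          # PUSH operands seen since the last CALL
    last_lea: Dict[str, str] = {}    # register -> address expression from LEA
    for ins in insns:
        if ins["mnem"] == "LEA":
            reg, src = [p.strip() for p in ins["ops"].split(",", 1)]
            last_lea[reg] = src
        elif ins["mnem"] == "PUSH":
            op = ins["ops"]
            pending.append(f"{op} = {last_lea[op]}" if op in last_lea else op)
        elif ins["mnem"] == "CALL":
            args = list(reversed(pending[-len(params):]))
            sites.append({"call_addr": ins["addr"], **dict(zip(params, args))})
            pending = []
            last_lea = {}            # EAX holds the return value after a call
    return sites


def describe_sites(sites: List[Dict[str, str]]) -> List[str]:
    """One human-readable line per recovered call site."""
    lines = []
    for s in sites:
        args = ", ".join(f"{k}={v}" for k, v in s.items() if k != "call_addr")
        lines.append(f"{s['call_addr']}: GetDlgItemTextA({args})")
    return lines


if __name__ == "__main__":
    for line in describe_sites(recover_call_args(parse_listing(LISTING),
                                                 GETDLGITEMTEXTA_PARAMS)):
        print(line)
```

The recovered cchMax values (1E = 30 for the name at [ESP+18], C8 = 200 for the registration code at [ESP+38]) are the length limits the caller imposes on GetDlgItemTextA, which copies at most cchMax-1 characters plus the terminator; whether those limits match the real size of the stack buffers is the first thing a reviewer checks at a call site like this. The script only follows LEA into a pushed register; a value loaded by MOV is reported as the bare register name.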

We've got it, it's our name! We saw that in a few instructions there
will be a second call to GetDlgItemTextA, the CALL EDI at
0157:004036A4. We don't want Sice to break, so we will disable it:

:bd 4 ; Disable BP 4

After that second call, there's another one followed by a test on the
EAX value... hmm, suspicious; is there any check inside that routine?
That's what we're gonna determine quickly. We're gonna trace the code
stepping over function calls. Press P (Procedure trace) then ENTER
(normally it's the F10 key). Press it several times.

After you've reached 0157:004036A6 (just past the second call) our registration
code appears in the data window (if it is big enough; else you can
scroll it down using Alt-DOWN). Our predictions were right ;). You are
now reaching the TEST EAX,EAX instruction followed by the JLE at
0157:004036BA; then there's a branch to another routine (0157:0040372A),
the program will follow it and soon you will get a message saying that
your registration code is wrong... (0157:00403738).

So now we are sure that the call before the test was done to check the
data we've entered, and that the branch chooses the direction to the
"Registration Not Match" message. What if we change the direction the
program took?

Let's go, enable BP 4.

:be 4 ; Enable BP 4

Leave Sice (CTRL-D), click on OK to get back to the registration
window, and click on OK again to pop up into Sice. Press CTRL-D
another time to go to the second GetDlgItemTextA call and press F11 to
get out of that function call. Now step to the branch (F10 until you
reach 0157:004036BA) and change the zero flag value to disable it:

:r fl z ; Toggle the Zero flag

Then leave the proggy to itself (CTRL-D). We've done it! The
beautiful message appears: thanks for supporting our products, etc,
etc...

Uh oh, hey, what's that stupid program? If I click on the little eye
(the about button in the toolbar), it's telling me it is not
registered!!!? Fucking damn thing, we're gonna getcha!

Oki, let's think two seconds... what's the matter? Well, everything
looks as if ACDSee checks the name and the registration every
time it shows them. So, to avoid this problem, we've got to give it
the answer it waits for each time it calls the registration checker.
First of all, we must verify our assumptions: we must know if the
routine which is called by the about button is effectively the piece of
code inside this call. Go into Soft-Ice using the BP we've set on
GetDlgItemTextA (go to the registration window and press enter), and
press F11. Now, we're going to put another BP inside the call.

:bpx 0157:00402FC0 ; Change the address according to yours

Now we're gonna try: leave Soft-Ice (it will pop up two times because BP
4 is still enabled; we're not interested in these breaks), close
the registration window by clicking Cancel and finally click on the
about button... Yep! Back in Sice, we were right!!! So everything
we've got to do now is to send back a satisfying answer to the calling
code...

Patching ACDSee

Actually, in your code window, you should have something like the
following piece of code. All we've got to do is to leave this routine
with EAX different from 0...

; Check Name Length
>00402FC0 56 PUSH ESI
00402FC1 8B742408 MOV ESI, [ESP + 08]
00402FC5 56 PUSH ESI
00402FC6 E835000000 CALL 00403000 ; check name length (1st)
00402FCB 83C404 ADD ESP, 00000004
!00402FCE 85C0 TEST EAX, EAX
!00402FD0 7504 JNE 00402FD6 ; branch is followed
!00402FD2 33C0 XOR EAX, EAX ; Set EAX to 0 (BAD!)
00402FD4 5E POP ESI
00402FD5 C3 RET ; Exit 1

; Check Registration Code
:00402FD6 8B44240C MOV EAX, [ESP + 0C]
:00402FDA 50 PUSH EAX
:00402FDB 56 PUSH ESI
:00402FDC 6848F34800 PUSH 0048F348 ; "-294378973"
:00402FE1 E86AE70100 CALL 00421750 ; The key is herein (2nd)
:00402FE6 83C40C ADD ESP, 0000000C
:00402FE9 83F801 CMP EAX, 00000001
:00402FEC 1BC0 SBB EAX, EAX
:00402FEE 5E POP ESI
:00402FEF 40 INC EAX
:00402FF0 C3 RET ; Exit 2
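As an added example (the editor's own Python model, not code from the tutorial): the tail CMP EAX,1 / SBB EAX,EAX / INC EAX is a common compiler idiom worth understanding before touching it, and the caller's JLE at 004036BA is a signed comparison, not a plain zero test. The model below reproduces just enough of the x86 flag semantics to show what the routine at 00402FC0 returns for a given pair of inner-call results. The bodies of the two inner calls (00403000 and 00421750) are not on the page, so their return values are supplied as constructed inputs.

```python
MASK = 0xFFFFFFFF


def x86_test(a: int, b: int) -> dict:
    """TEST a,b: AND without storing the result; CF=OF=0, ZF/SF from the result."""
    r = (a & b) & MASK
    return {"cf": 0, "zf": int(r == 0), "sf": r >> 31, "of": 0}


def x86_cmp(a: int, b: int) -> dict:
    """CMP a,b: compute a-b (32-bit) and keep only the flags."""
    a &= MASK
    b &= MASK
    r = (a - b) & MASK
    return {"cf": int(a < b),                      # unsigned borrow
            "zf": int(r == 0),
            "sf": r >> 31,
            "of": ((a ^ b) & (a ^ r)) >> 31}       # signed overflow


def jne_taken(f: dict) -> bool:
    return f["zf"] == 0


def jle_taken(f: dict) -> bool:
    """JLE: signed 'less or equal', taken when ZF=1 or SF!=OF."""
    return f["zf"] == 1 or f["sf"] != f["of"]


def exit2_result(eax: int) -> int:
    """CMP EAX,1 / SBB EAX,EAX / INC EAX.

    SBB EAX,EAX computes EAX-EAX-CF, i.e. 0 or 0xFFFFFFFF depending only on
    the borrow from the compare; INC then turns that into 1 (EAX was >= 1,
    unsigned) or 0 (EAX was 0). The routine therefore normalises whatever
    the inner call returned to a clean 0/1 before RET.
    """
    f = x86_cmp(eax, 1)
    sbb = (eax - eax - f["cf"]) & MASK
    return (sbb + 1) & MASK


def check_routine(name_len_result: int, key_check_result: int) -> int:
    """Model of the routine at 00402FC0 with its two inner calls replaced by
    their (constructed) return values, since their bodies are not on the page."""
    if not jne_taken(x86_test(name_len_result, name_len_result)):
        return 0                            # Exit 1: XOR EAX,EAX / RET
    return exit2_result(key_check_result)   # Exit 2


def caller_takes_bad_branch(eax: int) -> bool:
    """Caller side at 004036B8: TEST EAX,EAX / JLE 0040372A."""
    return jle_taken(x86_test(eax, eax))


if __name__ == "__main__":
    for name_len, key in [(0, 1), (5, 0), (5, 1), (5, 7), (5, 0xFFFFFFFF)]:
        r = check_routine(name_len, key)
        print(f"name_len_result={name_len} key_check_result={key:#x} -> EAX={r}, "
              f"bad-registration branch taken={caller_takes_bad_branch(r)}")
```

Because the caller branches with JLE rather than JE, a negative EAX would also be routed to the failure message; the SBB/INC tail guarantees the routine only ever returns 0 or 1, which is why the text above only needs EAX "different from 0" at the RET.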

So what we're gonna do is erase the three instructions that work on EAX
with our own code. Don't forget to change the address according to
yours.
Erasing the branch will assure us that only our code will be followed.
There are thousands of ways to modify this code; I chose the following:

:a 0157:00402FCE ; Assemble
0157:00402FCE mov eax,1
0157:00402FD3 nop
0157:00402FD4 ; Press escape to stop assembling
:bc 0 ; Clear BP on 0157:00402FC0

And now let's check our work! Press CTRL-D; well done, the thanks for
registering message appears... Okay, now click on the about button...
(suspense) !!!YES!!! We've registered it.

Oki, let's do our work; now we've only got to make the patch...
What we need to know is where these instructions are in the
ACDSee32.exe file. I've used HexWorkShop for Win95 and found them
by searching for 85C0750433C0 (the instruction opcodes; if Sice
doesn't show them, type "CODE ON"). The ones interesting us are at offset
23CE. Now we must make a little proggy to replace these bytes with our
code. Here it is:

;--- ORP-A32B.ASM
Title Patch For ACDSee 32 2.0 Beta
.Model Huge
.386
.Stack 100h

.Code
start:
mov ax,cs
mov ds,ax
mov es,ax

mov ax,3d02h ; Open file, read/write access
mov dx,offset cs:fname ; DX=*FileName
int 21h ; DOS/FileOpen
jc errorlbl ; Jump On Errors

mov word ptr [offset cs:fname],ax ; Keep the handle (the name is no longer needed)
mov bx,ax ; BX=Handle

mov ax,4200h ; Seek from start of file
xor cx,cx ; High word of offset
mov dx,23ceh ; Low word of offset
int 21h ; DOS/FileSeekSet
jc errorlbl ; Error !

mov ax,4000h
mov bx,word ptr [offset fname] ; BX=Handle
mov cx,6 ; Length
mov dx,offset patch ; Buffer
int 21h ; DOS/WriteFile
jc errorlbl

mov ax,3e00h
mov bx,word ptr [offset fname] ; BX=Handle
int 21h ; DOS/CloseFile
jc errorlbl

mov dx,offset cs:text2
jmp getout

errorlbl:
mov dx,offset cs:text1 ; Print
getout: mov ah,9
int 21h

mov ah,4ch ; Get Out Of Here !
int 21h

patch db 0B8H,001H,000H,000H,000H,090H ; MOV EAX,00000001 - NOP
fname db 'ACDSEE32.EXE',0
text1 db 0ah,0dh,'Error Handling File',0ah,0dh,'$' ; '$' terminates the string for INT 21h/09
text2 db 0ah,0dh,'Patch By Exact /oRP',0ah,0dh,'$'
end start
;--- EOF ORP-A32B.ASM

You can compile it with TASM 3.1 and TLINK 5.1 (they can be found on
my home page) in this manner:

TASM /m9 /n /q orp-a32b
TLINK /3 /x orp-a32b

I think there are not so many comments to add to the source; anyway, if
you have any problems understanding what's happening in there, you must
find a book about programming (you can also try to get HelpPC).
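From the defender's side, as an added example that is not part of the tutorial: the patcher above overwrites six bytes at a fixed offset and leaves the file the same size, so a release-integrity check has to compare content, not just length. The Python below does that for a constructed 32-byte stand-in image (it is not ACDSee32.exe): it verifies a SHA-256 against a known-good value and, when that fails, reports exactly which byte ranges changed relative to a reference copy. The file layout, the offset 0x10 and the "known-good" hash are this example's own; the six original and six replacement bytes are the ones listed on this page.

```python
import hashlib
from typing import List, Tuple

# Constructed stand-in for a shipped binary: a fake 16-byte header, then the
# six bytes the tutorial searches for (85 C0 75 04 33 C0) at offset 0x10,
# then padding. NOT the real executable; the layout is invented here.
ORIGINAL = (bytes.fromhex("4d5a90000300000004000000ffff0000")
            + bytes.fromhex("85c0750433c0")
            + b"\x00" * 10)

# The same image after an in-place six-byte overwrite of the kind the DOS
# patcher performs (the MOV EAX,1 / NOP bytes listed on the page).
PATCHED = ORIGINAL[:0x10] + bytes.fromhex("b80100000090") + ORIGINAL[0x16:]

# Hypothetical "published" hash of the good build; in practice this value
# comes from the vendor's release manifest or a signed package.
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_against_known_good(data: bytes, expected_sha256: str) -> bool:
    """Cheap first check: does the file hash to the published value?"""
    return sha256_hex(data) == expected_sha256


def changed_ranges(reference: bytes, candidate: bytes) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) where candidate differs from reference.

    A length difference is reported as one trailing range so a truncated or
    appended file is never mistaken for an untouched one.
    """
    ranges: List[Tuple[int, int]] = []
    n = min(len(reference), len(candidate))
    i = 0
    while i < n:
        if reference[i] != candidate[i]:
            start = i
            while i < n and reference[i] != candidate[i]:
                i += 1
            ranges.append((start, i))
        else:
            i += 1
    if len(reference) != len(candidate):
        ranges.append((n, max(len(reference), len(candidate))))
    return ranges


def tamper_report(reference: bytes, candidate: bytes) -> List[str]:
    """Human-readable lines, one per changed range, with old and new bytes."""
    return [f"offset {s:#06x}-{e:#06x}: {reference[s:e].hex()} -> {candidate[s:e].hex()}"
            for s, e in changed_ranges(reference, candidate)]


if __name__ == "__main__":
    for label, image in (("original", ORIGINAL), ("patched", PATCHED)):
        ok = verify_against_known_good(image, KNOWN_GOOD_SHA256)
        print(f"{label}: size={len(image)} hash ok={ok}")
        if not ok:
            for line in tamper_report(ORIGINAL, image):
                print("  " + line)
```

The hash comparison is what an installer or an endpoint agent would do at scale; the byte-range report is the follow-up an analyst runs against a pristine copy to see whether a mismatch is a legitimate rebuild or a handful of bytes changed inside a decision routine, which is the signature of an in-place patch like the one in this tutorial.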

Final Note

Ok, this is the End...
A really BIG thanks is going to ACP of UCF for sending me W32DASM!

Have Fun With This Stuff!
eXact /oRP
aka sice_boy