============================================================================== * CRACKING AN UNINSTALLER (BY SANITY) * ============================================================================== CONTENTS: --------- 1) Intro. 2) Crack Reqs. 3) Cracking our target. 3.1) Farewell Timetrial. 3.2) G'bye Nag-Screens. 4) Closing Words. ============================================================================= * PART 1: Intro. * ============================================================================= Our Uninstaller target is a package of 9 different service applications (Such as: Registry/Junk Files cleaning,Installation Monitor and more) that let you maintain your system in a better,easier,faster way. As mentioned in its package, this Uninstaller comes fully-functional but with a 14 day time-trial and some annoying nag screens. Now,before we start I would to CLEAR something: NEVER BUT NEVER EVER PATCH A PROGRAM UNLESS ITS *THE ONLY WAY* TO CRACK IT! Ok,so let's start... ============================================================================= * PART 2: Crack Reqs. * ============================================================================= For this cracking session you will need the following tools: ------------------------------------------------------------ .%. Our Uninstaller target .%. W32Dasm v8.9 (everywhere on the web, either as regged tool or as "reggable" demo) .%. Hacker's View v5.84 or any other *GOOD* hex-editor. [<a href="www.zencrack.org">www.zencrack.org</a>] .%. a File Monitor (FileMon,WinExpose I/O,Monitor/RA..) [<a href="www.zencrack.org">www.zencrack.org</a>] .%. a Brain. (Search for one on ALTAVISTA =) NOTE: there is no use of S-ICE in this tut but it could be useful in tracing the target. ============================================================================= * PART 3: Cracking our target. * ============================================================================= Ok,after we're all set let's launch the program,try running some of the advanced features of Uninstaller and that lovely(? :) nag saying - "Uninstaller blah blah NOT REGISTERED blah blah XX DAYS LEFT" appears. at this point what I first check is if there a Register Box or anything but I could'nt find any. So I terminated Uninstaller's session and launched FileMon and ran Uninstaller again... and the following line just popped in front of me: 2710 Uni FindNext C:\WINDOWS\SYSTEM\*.* SUCCESS WPUIVIE.DRV Using our editor to view WPUIVIE.DRV inside \WINDOWS\SYSTEM shows that this file contains all the info: when we installed Uninstaller, last time used, etc.. This means that dead-listing the program and finding a ref. to WPUIVIE.DRV would lead us straight into the "NAG+TIME-TRIAL" routine. 3.1) Farewell Timetrial: ------------------------- You should remember that the nag only appears on advanced features, this means you won't have to disassemble the main app. but only one of the advanced features app. (coz the nag routine is probably being called from a file which all the "advanced features" apps. will use!) To be sure of what I was doing I disassembled all of the adv. features apps. although i hav'nt found a ref. to WPUIVIE.DRV I've found that every single one of them uses a DLL named UNITNB.DLL (weird filename? hmm.. does this stands for "UNINSTALLER TRY&BUY".. who knows? :) I was sure it contains the protection after I've found this: * Possible StringData Ref from Data Obj ->"UNITNB.DLL" | :00401030 6804F14000 push 0040F104 ;this pushes UNITNB on stack :00401035 FFD5 call ebp ;this call links the UNITNB lib. :00401037 85C0 test eax, eax ;check if successfully linked UNITNB. :00401039 0F844C020000 je 0040128B ;failed to link - get out the func. * Possible StringData Ref from Data Obj ->"_VerifyTryAndBuy@4" ; huh? Nice name... | :0040103F 68F0F04000 push 0040F0F0;push on stack :00401044 50 push eax;^^ * Reference To: KERNEL32.GetProcAddress, Ord:0116h | :00401045 FF154C944100 Call dword ptr [0041944C] ;call _VerifyTryAndBuy from UNITNB :0040104B 85C0 test eax, eax ;check for success :0040104D 0F8438020000 je 0040128B ;if we fail goto 40128b. Ok,so all there's left is to disassemble UNITNB.DLL and nuke the timetrial * Possible StringData Ref from Data Obj ->"\" | :10001308 684CD00010 push 1000D04C :1000130D 51 push ecx :1000130E FFD6 call esi :10001310 8D542410 lea edx, dword ptr [esp+10] * Possible StringData Ref from Data Obj ->"system\wpuivie.drv" | :10001314 6838D00010 push 1000D038 :10001319 52 push edx :1000131A FFD6 call esi :1000131C 8A442410 mov al, byte ptr [esp+10] :10001320 84C0 test al, al :10001322 750E jne 10001332 :10001324 83C8FF or eax, FFFFFFFF :10001327 5F pop edi :10001328 5E pop esi :10001329 5D pop ebp :1000132A 5B pop ebx :1000132B 81C48C010000 add esp, 0000018C :10001331 C3 ret jumping to 10001332 and tracing a bit down gives us a time trial routine. * Reference To: KERNEL32.OpenFile, Ord:01AFh | :1000135E FF15C8310110 Call dword ptr [100131C8] ;open file :10001364 33F6 mov esi, eax ;eax contains the num of days left. :10001366 83FEFF cmp esi, FFFFFFFF ;if esi==-1 then it expired! :10001369 7417 je 10001382 ;give us the right msg. hmm... mov esi,eax and then cmp esi,FFFFFFFF? Hey I can change mov esi,eax to xor esi,esi and, once I have done it, esi will contain a permanent value of ZERO! Ok,I patched the dll (at offset 766h) and ran Uninstaller and Voila the time-trial counter remains STUCK on 0.. :) after this all that remains is to nuke the nags... 3.2) G'bye Nag-Screens: ------------------------ Notice that the nag-screens contain an Uninstaller logo this means that I should look for DialogBoxParamA in UNITNB.DLL searching for it gets the cursor inside an interesting function called "_VerifyTryAndBuy" (Remember?) . Exported fn(): _VerifyTryAndBuy@4 - Ord:0004h ; note the silly name :10001873 6A05 push 00000005 :10001875 6800005940 push 40590000 :1000187A 56 push esi :1000187B 6800002E40 push 402E0000 :10001880 56 push esi :10001881 E88AF7FFFF call 10001010 :10001886 85C0 test eax, eax :10001888 7427 je 100018B1 ; jump to "will expire" :1000188A 7E48 jle 100018D4 ; get out :1000188C 83F803 cmp eax, 00000003; :1000188F 7F43 jg 100018D4 ; get out :10001891 8B442408 mov eax, dword ptr [esp+08] :10001895 8B0D08090110 mov ecx, dword ptr  :1000189B 56 push esi :1000189C 68401A0010 push 10001A40 :100018A1 50 push eax * Possible Reference to Dialog: DialogID_0066 ; "has expired!" | :100018A2 6A66 push 00000066 :100018A4 51 push ecx * Reference To: USER32.DialogBoxParamA, Ord:008Eh ; <-put the nag on!. | :100018A5 FF15E0320110 Call dword ptr [100132E0] :100018AB 8BC6 mov eax, esi :100018AD 5E pop esi :100018AE C20400 ret 0004 after examining this function for about 5 min. I got to the conclusion that the only reasonable thing to do is just to "ret 0004" at the beginning of this function. back to our editor,and patching at offset c70 will give us the full nag-screens-free-no-time-trial version!.. ============================================================================= * PART 4: Closing Words. * ============================================================================= Well, I would like to apologize for bad english,grammar,etc.. I can be contacted on EFnet IRC on #cracking4newbies,or just mail me - san337y(at)biosys(dot)net. Before I go,I would like to repeat what I've said earlier in this tut. "NEVER BUT NEVER EVER PATCH A PROGRAM UNLESS ITS *THE ONLY WAY* TO CRACK IT!"
links anonymity +ORC tools counter
students' essays cocktails search_forms antismut mail_reverser
Is reverse engineering legal?