xxxxxxxx.htm: DllShow v4.4

	DllShow v4.4 Patching to always register,	Not Assigned
2000	by +Bas
	Courtesy of Fravia's page of reverse engineering	by Fravia+
fra_00xx 98xxxx handle 1100 NA PC	A good starting essay for newbies, this protection scheme is typical.
	There is a crack, a crack in everything That's how the light gets in
Rating	(X)Beginner ( )Intermediate ( )Advanced ( )Expert

An easy crack with the use of SoftICE

DllShow v4.4
Patching to always register,
Written by +Bas

Introduction

DLL Show for Windows 95 is a small utility that displays a list of all tasks and processes currently running on your MS Windows 95 system. DLL Show is fully Y2K compliant and will work with MS Windows 98 systems as well.

Click your mouse on the name of a running process to see a list of all DLL dependencies for that task or process. DLL Show can also be used to print a complete list of the selected processes DLL dependencies.

Information about all running tasks is displayed in a simple list window. Process information includes the process name, process ID number, task priority, the number of threads associated with the running process and the physical disk location of the executable.

Information about each DLL module includes the DLL name, module ID number, the number of process references for the currently selected module, the total number of references to the module, the amount of memory used by the module and the physical disk location of the DLL module.

Version information is also available for all running processes and DLL modules. Simply double-click on the process or DLL module displayed in either list to see full version information for the selected item.

Purchasing DLL Show for Windows 95

DLL Show for Windows 95 is distributed as shareware. You may evaluate it free of charge for 30 days. After 30 days you are required to register it. If after evaluating DLL Show for 30 days you decide not to register it you are required to remove it from your computer. Registration entitles you to unlimited free updates and support via E-Mail or telephone.You may also purchase DLL Show for Windows 95 using your credit card via the Internet or by telephone.DLL Show for Windows 95 is a fully functioning program. It is not crippled in any way.

Note DLL Show for Windows 95 is designed to work with the Microsoft Windows 95/98 operating system. It will not work on computers running the Microsoft Windows NT operating system. DLL Show uses Win32 ToolHelp API functions not currently available on MS Windows NT systems.

DLL Show will remain a 95/98-only utility until such time as Microsoft adds the ToolHelp API support to their NT operating system products.

Tools required

WDasm89 - disassembler
SoftICE - debugger
hexeditor

Target's URL/FTP

DllShow v4.4

Program History

Essay

I came across this program through a friend of mine who is always playing with all these utilities and was thinking it would be nice to crack, because i think that author's of such utilities tend to write more interesting code. Well, i found something nice in it. If the first BINGO is patched, then it will always register as the author and his company. If you look a little further and patch the second BINGO, then it will always register as whatever you provided. It calculates the serial and returns it to you. The code for that is in either two calls in de routine(call 00417216 and call 00415700). Because i got confused with the listing i decided to fire up SoftICE, go to the registration window and break on GetDlgItemTextA. This is how i found that the calls to 00415770 are calls to GetDlgItemTextA.

I asume you have SoftICE running, so let's now start DllShow. From the menu choose help/Register and you will find yourself at a registrationbox asking for a name, company and serial number. Choose some easy to use values, but it's not so important in this crack. Before hitting OK, press CTRL-D to get into softice. Now type : bpx GetDlgItemTextA. Hit Enter.(Note that this is case sensitive.)

You have now set a breakpoint on this call (user32.GetDlgItemTextA)

After pressing CTRL-D to get back to Windows and hitting OK in the registerbox, SoftICE will break immediatly. Disable the breakpoint first (BD *) and then press F12 twice to get to the right place. You should land at :0040D597.From here on i just stepped (F10) and watched what's going on.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D57C(C)
|
:0040D58B 57 push edi
:0040D58C 6A32 push 00000032
:0040D58E 56 push esi

* Possible Reference to Dialog: DialogID_0DAC, CONTROL_ID:0065, "&Windows System Folders Only"
|
:0040D58F 6A65 push 00000065
:0040D591 55 push ebp
:0040D592 E8D9810000 call 00415770 !!!! HERE I BROKE GetDlgItemTextA FIRST TIME !!!!
:0040D597 8D7E32 lea edi, dword ptr [esi+32]
:0040D59A 6A32 push 00000032
:0040D59C 57 push edi

* Possible Reference to Dialog: DialogID_0DAC, CONTROL_ID:0066, "&All Folders on the Drives Specified Bel"
|
:0040D59D 6A66 push 00000066
:0040D59F 55 push ebp
:0040D5A0 E8CB810000 call 00415770 !!!!! SO I KNOW THIS IS A CALL TO GetDlgItemTextA !!!!
:0040D5A5 8D442430 lea eax, dword ptr [esp+30]
:0040D5A9 6800010000 push 00000100
:0040D5AE 50 push eax

* Possible Ref to Menu: MenuID_03E8, Item: "Properties"
|

* Possible Reference to Dialog: DialogID_0DAC, CONTROL_ID:0067, ""
|

* Possible Reference to String Resource ID=00103: "Show information about the currently selected process"
|
:0040D5AF 6A67 push 00000067
:0040D5B1 55 push ebp
:0040D5B2 E8B9810000 call 00415770 !!!! The value is pushed somewhere before !!!!!
As you can see it does the call to GetDlgItemTextA (:00415770) exactly three times. That is name, company and number.If we look ahead we can see that there is a cmp eax, 0119A792 at line :0040D5CC with a jne right behind it. Now after the compare, when we are at the jne at :0040D5D1 we see that it wants to jump. Now to see the effect of not jumping we simply type r fl z and hit enter to toggle the zero flag. It won't jump now, but instead go ahead with pushing the name and company of the author, calling lstrcpyA and then jumps out of it with a jmp

So lets step ahead, change the flag to NOT make the jump and CTRL-D back to Windows. A "You have registered succesfully" box appears with the authors name, company and a real serial number in it. But That's not all.
:0040D5B7 8D4C2440 lea ecx, dword ptr [esp+40]
:0040D5BB 51 push ecx
:0040D5BC E8559C0000 call 00417216
:0040D5C1 56 push esi
:0040D5C2 8BD8 mov ebx, eax
:0040D5C4 E837810000 call 00415700
:0040D5C9 83C438 add esp, 00000038
:0040D5CC 3D92A71901 cmp eax, 0119A792 !!!!!!BINGO for Greg Braun!!!!!
:0040D5D1 7518 jne 0040D5EB

* Reference To: KERNEL32.lstrcpyA, Ord:0302h
|
:0040D5D3 8B1D28F14100 mov ebx, dword ptr [0041F128]

* Possible StringData Ref from Data Obj ->"Gregory Braun"
|
:0040D5D9 68D42E4200 push 00422ED4
:0040D5DE 56 push esi
:0040D5DF FFD3 call ebx

* Possible StringData Ref from Data Obj ->"Software Design"
|
:0040D5E1 68C42E4200 push 00422EC4
:0040D5E6 57 push edi
:0040D5E7 FFD3 call ebx
:0040D5E9 EB07 jmp 0040D5F2

Bij looking at the listing you can also see that if you do make the jump, you get to a second cmp, eax .. at line :00405EB. Notice this is exactly where the jne from the previous compare takes us to. If we leave the first jne alone and instead make sure that this one does NOT jump, we get registered by our own name and get the right serial for it. The program stores the registration codes in the Windows registry. So to practice you can delete them and start with an unregistered program again. I found that the cmp eax, adress are only there once in the program, it's an easy patch.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5D1(C)
|
:0040D5EB 3D3CCE5F0D cmp eax, 0D5FCE3C !!!!!BINGO for own !!!!
:0040D5F0 750C jne 0040D5FE

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5E9(U)
|
:0040D5F2 57 push edi
:0040D5F3 56 push esi
:0040D5F4 E8A77B0000 call 004151A0
:0040D5F9 83C408 add esp, 00000008
:0040D5FC 8BD8 mov ebx, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D5F0(C)
|
:0040D5FE 57 push edi
:0040D5FF 56 push esi
:0040D600 E89B7B0000 call 004151A0
:0040D605 83C408 add esp, 00000008
:0040D608 3BD8 cmp ebx, eax
:0040D60A 5F pop edi
:0040D60B 741D je 0040D62A
:0040D60D 68CFEA0000 push 0000EACF

* Possible Reference to String Resource ID=05000: " Register DLL Show for Windows 95"
|
:0040D612 6888130000 push 00001388
:0040D617 55 push ebp
:0040D618 E8A3C8FFFF call 00409EC0
:0040D61D 83C40C add esp, 0000000C
:0040D620 5E pop esi
:0040D621 5D pop ebp
:0040D622 5B pop ebx
:0040D623 81C400010000 add esp, 00000100
:0040D629 C3 ret

Final Notes

It's a shame a good looking program such as this is so easily 'repaired', anyone I'm sure could 'repair' this program if they wanted to. The startup nag screen get's disabled when registered so it was an easy, clean crack. What would be nicer is to take the two calls call 00417216 , call 00415700 at line :0040D5BC resp. :0040D5C4 and make a serial generator if possible. I started to study them in de listing, but it's to hard for me to tell exactly what's on. The second one does the magic, i think. I noticed they get called about 5 times throughout the program. Don't have the time to seek it out with my debugger, but maybe someone will.

My thanks and gratitude goes to:

Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.

+ORC for showing me the light at the end of the tunnel.

Ob Duh

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.

You are deep inside Fravia's page of reverse engineering, choose your way out:

links

+ORC

tools

mail_Fravia

Is reverse engineering legal?