How to crack W32dasm Version 8.5
(Improved protection cracking)

by +Frog's Print


Courtesy of Fravia's page of reverse engineering
Well, Frog's Print seems to be even quicker than any other of us... as soon as Peter brings out a new version of wdasm (which seems to happen a little too oft, btw) Frog cracks it straight away. Good work, as usual.
(BTW: Hey, Peter, what about leaving the debugging stuff to Numega and concentrating a little more on disassembling? Somehow a shame that old WCB still beats Wdasm at times, isn't it? :-)

Cracking W32Dasm v8.5 (*NEW protection scheme!*) - by Frog's Print -


Right after downloading this brand new version of W32Dasm ("MMX Compatible"!) I just
thought that I would crack it as usual, but wait... what a surprise:
-No more 'DeleteFileA'!
-No more 'dec dword ptr [ebx+xxxxxxxx]'!

I ran it, loaded a file and ran the good old PS.COM and... nothing! The W32DSMxx.TMP file
had already been deleted!

Another (good) surprise is that we can now select the fonts. This option was disabled in
the previous versions (a lot of people seemed to have problems with the default one).

Anyway, let's have a deeper look and crack it:


1/ The counter

I cracked versions 6, 7 and 8, so I know that the counter's setup occurs
between the following two calls:
-OWL50f.TFindReplaceDialog
-KERNEL32.GlobalAlloc

In W32Dasm80 (i.e. previous version 8.0) we had:

* Reference To: OWL50f.TFindReplaceDialog::TData::TData(ulong,int), Ord:0000h
:0044110B E830D70300              Call 0047E840
:00441110 83C40C                  add esp, 0000000C
:00441113 C7837958540001000000    mov dword ptr [ebx+00545879], 00000001
:0044111D C783364C540054010000    mov dword ptr [ebx+00544C36], 00000154   ; "\W32DEMO8.HLP"
:00438FA0 BE4B474800              mov esi, 0048474B
:00438FA5 8DBBE0605400            lea edi, dword ptr [ebx+60E0]          ; ***
BEFORE pressing CTRL-D to let W32Dasm run, DISABLE them (':bd *'), otherwise
you will lock up your PC.
******

Open a file "to disassemble" inside wdasm and then enable the three breakpoints (':be *').

SoftICE pops up here:

:0043ADF4 55                      push ebp
:0043ADF5 8BEC                    mov ebp, esp
:0043ADF7 8B550C                  mov edx, dword ptr [ebp+0C]
:0043ADFA 8B4508                  mov eax, dword ptr [ebp+08]
:0043ADFD 33C9                    xor ecx, ecx
:0043ADFF 89880B625400            mov dword ptr [eax+620B], ecx
:0043AE05 8B88584D4900            mov ecx, dword ptr [eax+4D58]
:0043AE0B 0FB68900040000          movzx ecx, byte ptr [ecx+00000400] ; "\w32dsm%02d.tmp"  ;