BEGINNERS: NJWin 1.6 Checksum Cracking
(Good protection with file checksum and self destruction)
student 
Not Assigned 
23 April 1998 
by Kabhoet 
Courtesy of Fravia's page of reverse engineering
slightly edited by Fravia+
fra_00xx 
98xxxx 
handle 
1100 
NA 
PC
I didn't edit much this essay. The text is easy to follow, notwithstanding the many errors, and will give you, I believe, not only an idea, but the real FEELING of having many (capable) friends that come from some far far away places, like our new contributor Kabhoet, here, that will show you how to patch black and blue a 'self-destroying' protection scheme.
Enjoy!
There is a crack, a crack in everything That's how the light gets in
Rating
(x)Beginner ( )Intermediate ( )Advanced ( )Expert 

An useful essay for everyone, because I don't know the rating of this kind program protection.
Assume that everyone who read this know very basic of softice, w32dasm and of course assembly language.

Good protection,
But has a weakness
Written by Kabhoet
 

Introduction 

Actually I got this program from my friends. They said this target has a very strange habit. They put the registration number correctly but when exiting from the program and getting into it again, always got message "This is shareware version and bla...bla...bla". Hmmm, seems that the guys in NJWIN try to challenge us crackers. So....Let's play the game.

Tools required 
- Soft Ice
- W32Dasm
- HIEW(Hacker View) make a patch.

Target's URL/FTP 
NJWIN 1.6, get it now !!!!! You wont regret, because it is a very useful program. Of course you should pay for it if you really use it.

Program History 
NJWIN enables any application to view Chinese, Japanese and Korean text on web pages and email. Features: auto code detection and user friendly interface. v1.60 supports Netscape          Communicator 4.0,  Internet  Explorer 4.0, and Office 97. and bla,bla,bla.

Essay 

First thing we should know is that this program always perform checksum when we close the program. Even if only 1 char in the program changes, this target will harakiri (it means delete itself). Wow, a very clever program, isn't it? So we should perform TWO steps to defeat the program.

First Step : Disable the self destruction.
Launch the w32dasm and dissamble the file (NJWIN.EXE). Hmmm, this is seem a 16 bit program and you will get a little difficult to crack it. So we need some help from soft ice. First we should add EXP=C:\WINDOWS\SYSTEM\KERNEL32.DLL at WINICE.DAT. If not softice won't find the simbols. Now make a copy of njwin.exe eg. nj1.exe and use an hex editor to change something in nj1.exe. Launch nj1.exe and you will get njwin menu at the top. Press Ctrl+D and make breakpoint at : BPX getmodulefilename. Now choose Close from NJWIN menu and blam...... you get into soft ice. Press F11 and now you at this location. And slowly trace it using F10.

:0001.44E9 9A22370000             call KERNEL.GETMODULEFILENAME
:0001.44EE 68FD44                 push SEG ADDR of Segment 0001
:0001.44F1 688876                 push 7688
:0001.44F4 8D86EAFE               lea ax, [bp+FEEA]
:0001.44F8 16                     push ss
:0001.44F9 50                     push ax
:0001.44FA 9A56081B45             call 0001.0856
:0001.44FF 83C408                 add sp, 0008
:0001.4502 8BF0                   mov si, ax
:0001.4504 8956F4                 mov [bp-0C], dx
:0001.4507 0BD0                   or dx, ax          
:0001.4509 7503                   jne 450E            
:0001.450B E98A01                 jmp 4698
...Trace it until this line.
:0001.467A 8B46EA                 mov ax, [bp-16]
:0001.467D 8B56EC                 mov dx, [bp-14]
:0001.4680 3946EE                 cmp [bp-12], ax
:0001.4683 7505                   jne 468A
:0001.4685 3956F0                 cmp [bp-10], dx
:0001.4688 740E                   je 4698
* Referenced by a Jump at Address:0001.4683(C)
|
:0001.468A 8D86EAFE               lea ax, [bp+FEEA]
:0001.468E 16                     push ss
:0001.468F 50                     push ax
:0001.4690 9A3C2E7842             call 0001.2E3C  ; It seem this procedure
                                           !
;      ; used to self destruction.
* Referenced by a Jump at Address:0001.4678(U)
|
:0001.4695 83C404                 add sp, 0004
Why I could know this procedure ??? This time we are using nj1.exe that we have change. So it must be execute that procedure. But if we using the original one, this step have been passed and never execute that procedure. (Try it yourself).

So we know the call procedure. Now we need to patch it to fool the program so that it never enter that place. Using w32dasm, Menu Search and then find text. Type call 0001.2E3C in the dialog box and w32dasm would take you to :

First->
:0001.07F5 83C408                 add sp, 0008
:0001.07F8 8D46F2                 lea ax, [bp-0E]
:0001.07FB 16                     push ss
:0001.07FC 50                     push ax
:0001.07FD 9A3C2E7C06             call 0001.2E3C
:0001.0802 83C404                 add sp, 0004
:0001.0805 0BC0                   or ax, ax
:0001.0807 7403                   je 080C
Change add sp,0008 at 0001.07F5 using HIEW to jmp 0805.

Second->
:0001.35A2 8D86CEFE               lea ax, [bp+FECE]
:0001.35A6 16                     push ss
:0001.35A7 50                     push ax
:0001.35A8 9A3C2EFFFF             call 0001.2E3C
:0001.35AD 83C404                 add sp, 0004
:0001.35B0 8B46EC                 mov ax, [bp-14]
:0001.35B3 EB04                   jmp 35B9
Change lea ax,[bp+FECE] at 0001.35A2 using HIEW to jmp 35AD.

Third->
:0001.468A 8D86EAFE               lea ax, [bp+FEEA]
:0001.468E 16                     push ss
:0001.468F 50                     push ax
:0001.4690 9A3C2E7842             call 0001.2E3C
:0001.4695 83C404                 add sp, 0004
Change lea ax, [bp+FEEA] at 0001.468A using HIEW to jmp 4695.
Ok.... Now we have completely disabled the self destruction part of our target's protection scheme and now we can patch the registration.

Second Step : Make it Registered.
Even if we know the registration number, and we try to register, it is useless because this program seems to have been made just in order to fool the crackers.
Patch me and you'll loose me. But even inside a good protection there must be a weakness, as +ORC teached us.
Now we need softice to breakpoint cleverly. Press Ctrl+D and then 
:BPX GetPrivateProfileString
Why we should break at that point ??? Simple to answer, it is because NJWIN store their registration data into C:\WINDOWS\NJWIN.INI and read it from there. So we should break it at the time program want to get information from that .ini file.
After that, try to launch the program and blam....you get into soft ice. Press F11 and trace it with F10. You will see the listing at the below ...
 

:0001.3B83 9AB93B0000             call KERNEL.GETPRIVATEPROFILESTRING
:0001.3B88 80BEF6FD3F             cmp byte ptr [bp+FDF6], 3F
:0001.3B8D 752E                   jne 3BBD
:0001.3B8F FF36DC05               push word ptr [05DC]
:0001.3B93 FF36DA05               push word ptr [05DA]
:0001.3B97 FF36E005               push word ptr [05E0]
:0001.3B9B FF36DE05               push word ptr [05DE]
:0001.3B9F FFB6ECFB               push word ptr [bp+FBEC]
:0001.3BA3 FFB6EAFB               push word ptr [bp+FBEA]
:0001.3BA7 8D86F6FD               lea ax, [bp+FDF6]

Try to trace it until here......

:0001.3C8A 83C404                 add sp, 0004
:0001.3C8D 52                     push dx
:0001.3C8E 50                     push ax
:0001.3C8F 8D86F6FC               lea ax, [bp+FCF6]
:0001.3C93 16                     push ss
:0001.3C94 50                     push ax
:0001.3C95 8D86F6FD               lea ax, [bp+FDF6]
:0001.3C99 16                     push ss
:0001.3C9A 50                     push ax
:0001.3C9B 9AC26ADA3C             call 0001.6AC2
:0001.3CA0 83C40C                 add sp, 000C
:0001.3CA3 48                     dec ax
:0001.3CA4 7505                   jne 3CAB     ; If wrong then unregistered
:0001.3CA6 C6061A0601             mov byte ptr [061A], 01 ; else good boy..
Aha... Now we know that if "good boy" then the target assign value to [061A] with 01. Now we should use w32dasm to find text : mov byte ptr [061A] and blizzz.....we got into ...
:0001.3D35 32C0                   xor al , al 
:0001.3D37 A21A06                 mov byte ptr [061A], al
:0001.3D3A A21B06                 mov byte ptr [061B], al
:0001.3D3D EB0D                   jmp 3D4C
It seem the default value for [061A] is 00. So we patch it using HIEW. Change xor al,al AT 0001.3D35 to mov al,1   and the program will always think this that the cracker is a registered user and finish merriuly.

I'm sorry if my English is little bit messed because I'm not ..... guy.
Final Notes 

So....Goodbye....And if you want to contact me feel free to mail kabhoet@yahoo.com and may be could sharing our knowledge about cracking method and other protection. Thank you.

Ob Duh 

I wont even bother explaining you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

You are deep inside Fravia's page of reverse engineering, choose your way out:
redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_Fravia
redIs reverse engineering legal?