|
Micro$oft Publisher 97
Crack it and Drop it!
|
Not Assigned
|
|
15 July
1998
|
by Mr.Salinas
|
|
|
Courtesy of Fravia's page of reverse engineering
|
|
fra_00xx
980715
Sainas
1100
NA
PC |
Well, an alternative way to Micro$oft's 97
Publisher! (see
+ORC's lesson 4.2 for an 'older' explanation: basically you changed
the call E808320000 to the faked jump E910000000). Probably Micro$oft's 'protectors' (they
don't deserve such name) went to the DEAD0001 'trick'
in a futile attempt to be smart.
Yes, it's the usual sad story: Micro$oft's protections do'nt even ATTEMPT
to sound convincing. Come to think of it, Microsoft Publisher '98 can be cracked 'on a
quickie' as well. Just search for the following subroutine (introduced
by a subesp of 234)55 push ebp
89E5 mov ebp, esp
53 push ebx
56 push esi
57 push edi
81EC34020000 sub esp, 00000234 There
you'll find the local Micro$oft's scheme flag setting, where upon return ax=0 means Ok, registered, and ax=1
means that you'r a
bad silly cracker. Just load 0 into ax and ret immediately ignoring the rest of the
routine and you'll have your own copy of Microsoft publisher
'98 (But I would not do it if I were you: Pagemaker is MUCH, MUCH better and very easy to crack too... :-)
|
|
|
There is a crack, a crack in everything That's how the light
gets in
|
|
|
Rating
|
(x)Beginner
( )Intermediate ( )Advanced ( )Expert
|
|
Yet another
Micro$oft Triumph. A very interesting combination of bytes indeed. Nice
work Micro$oft boys!
Micro$oft
Publisher 97
DEAD0001
!!
Written
by Mr.Salinas
Hello Fravia+, Hello fellow crackers :) This is my contribution to the cracking world.
This essay will not uncover anything new, but it will, however, uncover how a nice
combination of bytes can lead to a nice crack :)
SoftIce V3.X
WdasmV8.x
;; For further studying
Your favourite Text Editor
And some brains. Its useful sometimes.
URL: www.microsoft.com OR all over the Web !
Well, Micro$oft has a
long long history and a well known one as well. Anything more would be
redundant!
Ok, here we go.
Run the program. Notice the nice nag before the entry. So there, one way among the many
to pinpoint the protection scheme. Anyway, lets continue. Exit MsPub. Expire Mspub, and
run it again. A nice nag appears!! Hmmm, lets see....
> Bpx GetSystemTime
Run again MsPub, and SoftIce wakes up !
Keep tracing through the code, get a feeling of what it is doing....
Seems like MsPub Opens Mspubw40.dll in the system folder, reads some bytes (from Offset 1D950
please note!) , closes the file, and THEN it does this:
:004CBC95 817DF80100ADDE cmp dword ptr [ebp-08], DEAD0001 ;;HERE!!
:004CBC9C 0F8408010000 je 004CBDAA ;;Bad boy!
Well well well, What do we have here??????????????? Isn't that a nice combination for
an expiration flag ? eh?? You want to check it out? Open MsPubw40.Dll in your System, goto
Offset 1D950 (remember?) and Read :)
>> 01 00 AD DE .... Looks familiar ??
Now, take a look after 004CBC9C
:004CBCA2 8B45F8 mov eax, dword ptr [ebp-08]
:004CBCA5 3945F4 cmp dword ptr [ebp-0C], eax ;;Something wrong?
:004CBCA8 7248 jb 004CBCF2 ;;Check again Flag
:004CBCAA 8B45F4 mov eax, dword ptr [ebp-0C] ;;
:004CBCAD B980510100 mov ecx, 00015180 ;;Calculate how many days
:004CBCB2 2B45F8 sub eax, dword ptr [ebp-08] ;;you have been using the
:004CBCB5 2BD2 sub edx, edx ;;program.
:004CBCB7 F7F1 div ecx ;; Eax = Result
:004CBCB9 83F83C cmp eax, 0000003C ;;Hey!! 3Ch=60d !!! WOW:)
:004CBCBC 7334 jnb 004CBCF2 ;;Bad boy!Check expiration flag!
.....
:004CBCF2 817DF80100ADDE cmp dword ptr [ebp-08], DEAD0001 ;;Hehe
:004CBCF9 0F84AB000000 je 004CBDAA ;;Exit
Search for the expiration flag: "DEAD0001" in our dead listing.
3 occurrences found. Two Cmp's and one Mov ! We already found the 2 cmp's. The Third
occurrence is when the program writes the expiration bytes in MsPubw40.DLL
Here is the relevant code:
:004CBD49 6A00 push 00000000
:004CBD4B 6850D90100 push 0001D950 ;;Remember the Offset??
:004CBD50 50 push eax
* Reference To: KERNEL32.SetFilePointer, Ord:01F8h
|
:004CBD51 FF1598005D00 Call dword ptr [005D0098]
:004CBD57 83F8FF cmp eax, FFFFFFFF ;;Success?
:004CBD5A 743D je 004CBD99 ;;No!
:004CBD5C 6A00 push 00000000
:004CBD5E 8D45F0 lea eax, dword ptr [ebp-10]
:004CBD61 50 push eax
:004CBD62 8D4DE8 lea ecx, dword ptr [ebp-18]
* Possible Reference to Dialog: DialogID_01F5, CONTROL_ID:0004, "&Find File..."
|
:004CBD65 6A04 push 00000004
:004CBD67 8B55FC mov edx, dword ptr [ebp-04]
:004CBD6A C745E80100ADDE mov [ebp-18], DEAD0001 ;;Here!
:004CBD71 51 push ecx
:004CBD72 52 push edx
* Reference To: KERNEL32.WriteFile, Ord:024Fh
|
:004CBD73 FF1530015D00 Call dword ptr [005D0130] ;;and change file
....
Well, thats it! You can crack this anyway you like! An easy way is to Nop the jmp's
after the two DEAD0001 compares and ofcourse the jmp after the day comparison(004CBCB9).
Oh, one little thing left. The nice nag. You will find the CALL exactly after the
60-day-limitation check. Here is the code again:
:004CBCD1 E85C810200 call 004F3E32 ;;Call the nice nag
:004CBCD6 B801000000 mov eax, 00000001 ;; Good flag and go on
An easy way to eliminate the Nag is to NOP the Call. But again there are many ways. Its up
to you.
That was another Micro$oft accomplishment! My Regards to all Crackers(+) out there.
Xairetismata tze stin Kypro! Ok. boys time to go !
Signing off..
Mr.Salinas
Mr.Salinas@Mailcity.com
I wont even bother explaining you that you should BUY this target
program if you intend to use it for a longer period than the allowed one.
Should you want to STEAL this software instead, you don't need to crack
its protection scheme at all: you'll find it on most Warez sites, complete
and already regged, farewell.
You are deep inside Fravia's page of reverse engineering, choose
your way out:
homepage links search_forms +ORC students'
essays academy
database
reality
cracking how
to search javascript
wars
tools anonymity
academy cocktails antismut
CGI-scripts mail_Fravia
Is
reverse engineering legal?