Paint Shop Pro v5.0 - Tutorial Basic regmonitoring techniques	Not Assigned
26 July 1999	by Santa Clawz
	Courtesy of Fravia's page of reverse engineering	slightly edited by Crackz :-)
fra_00xx 98xxxx handle 1100 NA PC	I have received this essay, formatted on my muster, only to-day but fortunately I knew that this had been already published on crackz's very good site towards the beginning of the year, with Crackz's good comments, that I (Fravia) will therefore simply reproduce here. This essay is a 'must' read for any newbie still confused by the registry, who would have thought that the outstanding author of PSP (Bob Black) would use such a lousy scheme. I commend the methodical approach used by Santa Clawz here, as he shows YOU his thought processes. Protectionists must now surely realise that storing your most precious asset inside a few registry keys is very dumb. Enjoy this great tutorial and btw I have myself purchased this very good graphics program. Crackz
	There is a crack, a crack in everything That's how the light gets in
Rating	(x)Beginner ( )Intermediate ( )Advanced ( )Expert

By now you probably have at least one copy of Paint Shop Pro on a CD in your 
mass of cover CD's. However, dig around your collection that dates between July 
and December 98 and you will probably find version 5 - this is our target 
program. Paint Shop Pro is essentially the most popular graphics package found 
on most cover CD's of most computer magazines and is almost definitely available 
on the web :-).
 
This tutorial is really set out to be a good lesson in cracking time 
restricted programs from one newbie to others and to encourage all 
newbies to study their target's protection (or lack of it! :-) as 
closely as possible before diving into the deep end!.


Jasc (the authors of PSP) give no opportunity to register their program 
directly from the interface, so they are not silly in that respect. 
However, they stress that this fully functional program is for 
evaluation purposes only and limit it to be used for 30 days (it 
will automatically terminate after 60) before asking you to beggar 
off and buy the full version. 

However, we will destroy the code that tells the program to check somewhere 
for the limit. Of course if you wish to use this program for ever go and 
buy it!.

OK, now that you have installed the proggie load it up and you will get a 
message on a nag_screen

What a welcoming screen! click on start and have a play for a bit and then come back 
to this tutorial! Now next time you load it up, before so execute RegMon 
(remembering to put "regmon;explorer" in the Processes exclude line in the 
filter) and watch all the calls to and from the registry that PSP makes 
(watch it! There are hundreds!). 

Hmm, did you want to get any sleep? Didn't think so! Well, we are only 
concerned with the ones made earlier (upon entry rather than exit) where the 
program will check the registry for it's installation date and number of
times it has been run. However, the programmers here were not stupid enough to 
put these values in the usual installation or program key of: 

HKEY_CURRENT_USER\Software\JASC\Paint Shop Pro 5 

Oh no! They put it somewhere were you wouldn't really think of going! I hope 
you haven't closed RegMon yet - you still need it open (but close PSP5). 
Search for {84124FF1-5D04-11D1-A575-00A0C96F2B0D} within RegMon and bang! 
"What?" I hear you say. Well, double click on it and you find out. Firstly 
though, I will just tell you why and how I discovered this holds our key to 
freedom. 

I simply searched through all the calls for a while making a mental note of all the ones 
that would seem too obvious to hold a special value. When I came across the 
ridiculous looking {84124FF1-5D04-11D1-A575-00A0C96F2B0D} I thought to myself hmm. 
I wonder... so I double clicked on the same line you should have done by now 
and the registry opened at the right place. 

Now back to the registry (don't worry the last paragraph will continue to be 
explained in this section). You should now collapse this key to reveal a number 
of other subkeys: AuxUserType; DefaultIcon; InprocHandler32; Insertable; 
LocalServer32; ProgID; MiscStatus; MS; Verb. If you look through any of them 
you will find they all have something to do with PSP (funny that!). The one we 
are concerned with though is MS. Now close RegMon but keep Regedit open at
HKEY_CLASSES_ROOT\CLSID\{84124FF1-5D04-11D1-A575-00A0C96F2B0D}\MS (you should 
be looking at this anyway) and run Paint Shop Pro again.

After you have clicked "Yes" on the nag screen and close PSP go back to Regedit 
and refresh the display you will see that the two DWORD values iPID50t and iPID50u 
have changed. The second value of iPID50u has been incremented by 1 and will be 
each time you run PSP (try it and watch the number increase). The first value 
of iPID50t holds the important info of when your period is meant to expire (it 
doesn't matter how many times you run it within this time). So if you delete these two 
values your PSP program will go back to day one and run times of 0. However, the clock 
is still ticking. 

Well, we've done the simple bit of finding in the registry where our program 
looks for the date check :-) and now it is time to get into the nitty gritty 
of byte manipulation and ASM code cracking - the fun part! So load up first of 
all W32Dasm and create your deadlisting making sure you have at least 40Mb space 
for the file (it will be this big!) and in the mean time depending on what time 
it is mix yourself a good drink because it will take about 15 to 20 mins to 
disassemble! I recommend, if it is morning a strong coffee, afternoon a cup of 
tea or if it is evening/late night :-) either a good beer (bitter) or a Vodka 
Martini!.

OK, so your back with your all important rations and ready for the trek ahead. 
If you do a String reference search you won't find much on registering the 
product although you will find the two DWORD values from the registry I spoke 
of earlier; iPID50t and iPID50u, how interesting! This does mean that the PSP 
program accesses the registry around this point. Lets have a look at the 
disassembled code... 


* StringData Ref from Data Obj ->"MS"; Here we can see the last subkey of 
|                                      the registry key opened.
:00585B22 PUSH 0062ECF4
:00585B27 LEA ECX, DWORD PTR [ESP+14]

* Reference To: MFC42.MFC42:NoName0848, Ord:03ADh
|
:00585B2B CALL 005DB7D6

* Possible Reference to Menu: MenuID_0004 
|
:00585B30 MOV EAX, 00000004
:00585B35 MOV DWORD PTR [ESP+18], EBX
:00585B39 MOV DWORD PTR [ESP+44], EAX
:00585B3D MOV DWORD PTR [ESP+48], EAX
:00585B41 MOV EAX, DWORD PTR [ESP+10]
:00585B45 MOV DWORD PTR [ESP+2C], EBX
:00585B49 PUSH EAX
:00585B4A PUSH 00020019
:00585B4F PUSH 80000000
:00585B54 CALL 004040B1
:00585B5C CMP EAX,EBX
:00585B5E MOV DWORD PTR [ESP+28], EAX
:00585B62 JZ 00585BDB
:00585B64 LEA ECX, DWORD PTR [ESP+48]

* Reference To: ADVAPI32.RegQueryValueExA, Ord:0136h; Registry call 
|				           to query key value.
:00585B68 MOV ESI, DWORD PTR [0063AF30]
:00585B6E PUSH ECX
:00585B6F LEA EDX, DWORD PTR [ESP+30]
:00585B73 LEA ECX, DWORD PTR [ESP+48]
:00585B77 PUSH EDX
:00585B78 PUSH ECX
:00585B79 PUSH EBX

* Possible StringData Ref from Data Obj ->"iPID50t"; Our first value.
|
:00585B7A PUSH 0062ECE8
:00585B7F PUSH EAX
:00585B80 CALL ESI
:00585B82 TEST EAX,EAX
:00585B84 JNZ 00585B94
:00585B86 MOV EDX, DWORD PTR [ESP+2C]
:00585B8A MOV EDI, DWORD PTR [ESP+24]
:00585B8E MOV DWORD PTR [ESP+18], EDX
:00585B92 JMP 00585B99

* Referenced by a  Jump at Address:00585B84(C)
|
:00585B94 MOV EDI, 00000001

* Referenced by a Jump at Address:00585B92(U)
|
:00585B99 LEA EAX, DWORD PTR [ESP+48]
:00585B9D LEA ECX, DWORD PTR [ESP+2C]
:00585BA1 PUSH EAX
:00585BA2 MOV EAX, DWORD PTR [ESP+2C]
:00585BA6 LEA EDX, DWORD PTR [ESP+48]
:00585BAA PUSH ECX
:00585BAB PUSH EDX
:00585BAC PUSH EBX

* Possible StringData Ref from Data Obj ->"iPID50u"; Our second value.
|
:00585BAD PUSH 0062ECDC
:00585BB2 PUSH EAX
:00585BB3 CALL ESI
:00585BB5 TEST EAX,EAX
:00585BB7 JNZ 00585BC4
:00585BB9 MOV ECX, DWORD PTR [ESP+2C]
:00585BBD INC EAX
:00585BBE MOV DWORD PTR [ESP+1C], ECX
:00585BC2 JMP 00585BD0


We can see from this section of the disassembly that the ADVAPI32.dll opens 
the keys mentioned previously 
(HKEY_CLASSES_ROOT\CLSID\{84124FF1-5D04-11D1-A575-00A0C96F2B0D}\MS) 
this snippet shows the last subkey "MS" being opened. Further down the code the 
string references show the two values we also found using RegMon. So far so 
good, nothing to get lost in :). There is a real goldmine of code here in this
listing and I hope you can spot it! Yup, thats it! Underneath the "iPID50t" and 
"iPID50u" strings the ASM code for each reference is pretty much the same! Let's 
take a closer look... 


* Possible StringData Ref from Data Obj ->"iPID50t"; This one checks the 
|                                          date/time and limit.
:00585B7A PUSH 0062ECE8
:00585B7F PUSH EAX; Saves the data in the eax register.
:00585B80 CALL ESI
:00585B82 TEST EAX,EAX; Checks the EAX register for 0.
:00585B84 JNZ 00585B94; And the conditional jump.

* Possible StringData Ref from Data Obj ->"iPID50u"; This one checks how 
|                                          many times the program has been run.
:00585BAD PUSH 0062ECDC
:00585BB2 PUSH EAX
:00585BB3 CALL ESI
:00585BB5 TEST EAX,EAX
:00585BB7 JNZ 00585BC4
:00585BB9 MOV ECX, DWORD PTR [ESP+2C] ;Copies the dword (iPID50u) into the ECX register
:00585BBD INC ECX ;Increments ECX (adding 1 to the times the program has been run)
:00585BBE MOV DWORD PTR [ESP+1C], ECX ;Store it back to ESP+1C.
:00585BC2 JMP 00585BD0


OK, there are two ways you could go from here in *cracking* the program 
(I have done both and both work). However, one is better than the other. 

The Crack
Right now you need your Hex editor, I prefer Hex Workshop :) but as usual 
any will do that you know how to use! Load it up and be ready to 
manipulate the bytes. Before we go any further I will explain the two 
ways of cracking this program. The first way (the way I discovered first) 
is to delete the two DWORD values in the registry first and then change 
the exe file in a Hex editor. In Hex Workshop I zeroed the two values 
i.e. changed "69504944353074" and "69504944353075" (these are iPID50t 
and iPID50u in hexadecimal) both to "00000000000000". This would then 
clear the registry of the data PSP looks for (Note: these values will 
never show up in the registry now).

Then secondly (the actual crack) change a JE to JMP. This can be found at 
:00585B62 7477 JZ 00585BDB in your deadlisting. That is it - I will not 
go any further with that because I feel the next way is better.

Take two! If you study the last code snippet you will notice 2 conditional 
jumps (jne) one in each string reference procedure. All we need to do 
here is to change them to unconditional jumps. So load up your Hex 
editor and search for the bytes 750E8B54242C.

The only byte we want to change in this string of numbers is 75 (the 
others are simply there to narrow the search down), this is the opcode 
for jne. As we want to change this to jmp we shall change it to EB 
this is the hex byte (opcode) for this particular ASM code.

Now search for the bytes 750B8B4C242, the only byte we want to change 
in this string of numbers is 75 again. As before change it to EB. 
BEFORE YOU SAVE ANY FILE MAKE A BACKUP OF IT JUST INCASE. Now save 
the file (psp.exe) and run it.
** Enough said ** 

Well, I hope you understood it all and more than anything I hope it works (I 
know it does so don't worry!). This was written by a newbie as I said earlier 
and is meant to help the next generation of crackers become more knowledgeable 
about the thought behind reversing code not to rip off good software. 
If for any reason should you want to contact me click on the image below to 
E-mail me. 

Santa_ClawZ(at)hotbot(point)com

homepage links search_forms +ORC how to protect academy database
reality cracking how to search javascript wars
tools anonymity academy cocktails antismut CGI-scripts mail_Fravia
Is reverse engineering legal?