adynts

Adynt's essay
(how to crack wdasm)

by adynts

Courtesy of Fravia's page of reverse engineering
~
A good essay, adynts is a "clean cut" +cracker

Alright, you wanted to know how I cracked wdasm, so here it is :



I will crack here W32Dasm 6.4 [w32demo6.exe] which is 604 192 bytes long. 

There's two things to crack here. First, we want to do as many operations 

as we want during one session. We want also to be able to save the 

disassembly listing to a text file.



Part I : limited number of operations



This is the harder part of the crack, I did it sometime ago and I didn't 

use a very zen way. Here a much better way ( in my opinion ). We know 

that there is a counter, let's supose this counter is decremented each 

time. So there should be a dec each time you use command, so that dec 

should appear often. We have a 32bits application, so let's search in the 

disassembly listing for "dec dword ptr" whith grep. Using grep is 

important here for it allows you to see the multiples occurence of the 

same location. Here it is :





:004070E9 FF8B34674000            dec dword ptr [ebx+00406734]

:00407100 FF8B34674000            dec dword ptr [ebx+00406734]

:00407117 FF8B34674000            dec dword ptr [ebx+00406734]

:0042618F FF8B34674000            dec dword ptr [ebx+00406734]

:004261A6 FF8B34674000            dec dword ptr [ebx+00406734]

:004261BD FF8B34674000            dec dword ptr [ebx+00406734]

:004261F8 FF8BDE5E4000            dec dword ptr [ebx+00405EDE]

:00443923 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00443EC5 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00445281 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00445A9C FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00445E01 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00446090 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:004467F0 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:0044695D FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:0044795D FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00447A3A FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00448771 FF8B6E5A4000            dec dword ptr [ebx+00405A6E]

:00448782 FF8BDAE30100            dec dword ptr [ebx+0001E3DA]

:00448ED8 FF8B9E5F4000            dec dword ptr [ebx+00405F9E]

:00452A56 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]

:00452CF1 FF8B9E5F4000            dec dword ptr [ebx+00405F9E]

:004531EC FF8BDEE30100            dec dword ptr [ebx+0001E3DE]

:00458610 FF8BDAE30100            dec dword ptr [ebx+0001E3DA]

:004586CC FF8BDAE30100            dec dword ptr [ebx+0001E3DA]

:00459AFA FF88EAE30100            dec dword ptr [eax+0001E3EA]

:00459B8A FF889E5D4000            dec dword ptr [eax+00405D9E]



So [ebx+0405DAA] is the one that appears the most often, let's look at 

that location closer. There is only one initialisation of this address, 

and many comparison, that looks nice, let's change the initialisation 

value :



   :00442381 C783AA5D40002C010000 mov dword ptr [ebx+405DAA], 0000012C

to replace with :

   :00442381 C783AA5D4000FFFF0F00 mov dword ptr [ebx+405DAA], 000FFFFF

 

And everything works nice.



Ok, the first time, I used winice, set a breakpoint when the window 

saying that you had to restart wdasm was poping. Then using backtracing I 

found a first location ( I think that was ebx+405F1A but my notes are not 

very easy to read ). And usr bpr I found the interesting location : 

ebx+00405DAA. That's not zen. Anyway I think the method I've described 

earlier is valuable even if I knew the solution before starting.





Part II : Saving in a text file



The routine to save in a text file is not in w32demo6.exe, so we connot 

use this way to enable the function save to text file. But w32demo6.exe 

is nice and in any case save the disassembly into a text file named 

winsys (in the same directory as the the program your are disassembling). 

This file is deleted when you quit the program. We just have to copy this 

file somewhere else while the program is running (in the background). The 

problem is that we do not have reading access to winsys. Let's change 

that. Looking at the disassembly listing and searching for winsys, you 

will find this section of code :



* Possible StringData Ref from Data Obj ->"\winsys"

                                  |

:004517AF 68BFEB4600              push 0046EBBF

:004517B4 8D838E5A4000            lea eax, [ebx+00405A8E]

:004517BA 50                      push eax

* Reference To: _strncat, Ord:0000h in cw3220.DLL

                                  |

:004517BB E87CC00000              call 0045D83C

:004517C0 83C40C                  add esp, 0000000C

:004517C3 8D8B8E5A4000            lea ecx, [ebx+00405A8E]

:004517C9 51                      push ecx

:004517CA 8D8300A13500            lea eax, [ebx+0035A100]

:004517D0 50                      push eax

* Reference To: lstrcpyA, Ord:0000h in KERNEL32.dll

                                  |

:004517D1 E878C00000              call 0045D84E

:004517D6 6A00                    push 00000000

:004517D8 6802010000              push 00000102

:004517DD 6A02                    push 00000002

:004517DF 8D93789F3500            lea edx, [ebx+00359F78]

:004517E5 52                      push edx

:004517E6 6A00                    push 00000000   






You are deep inside fravia's page of reverse engineering,  

choose your way out:




 homepage 

 links 



 anonymity 

 +ORC



 students' essays

 tools cocktails




 search_forms



 mailFraVia






 Is reverse engineering illegal?
Adynt's essay (how to crack wdasm)

by adynts

Adynt's essay
(how to crack wdasm)
