HOW TO CRACK W32dasm7

by Frog's print


with a very interesting (and cryptic) add-on by +gthorne at the end

Courtesy of Fravia's page of reverse engineering


If you want to crack W32Dasm7 (818,720 bytes, dated Feb 20, 1997) you must
solve two problems:

- How to get rid of the limitation that does not allow us to perform as
  many operations as we want per session
- How to save the disassembly listing



Fortunately we, little crackers, took the time to read +ORC's tutorials
extensively. So we know two important things:

1/ -Always use a ZEN method to analyse and then crack a program.

2/ -Commercial protectionists/programmers are mostly stupid.



OK, let's go:



1/-Always use a ZEN method to analyse and then crack a program.



First, disassemble W32Dasm7.exe with... W32Dasm7.exe (cracking W32Dasm7
using W32Dasm7, that's zen!).



We'll get rid of the counter in order to use W32Dasm7 as many times as we
want (without limitations), AND in order to find out how to save the
disassembled listing to disk.



I won't spend a lot of time explaining how the W32Dasm7 counter works,
because Adynts already did it well for W32Demo6 (see his essay on this site).

As we know that protectionists are stupid, let's assume that they used
the same protection scheme, and the SAME COUNTER, for W32Dasm7!
So we are looking for a counter that is decremented each time you issue a
command:



We search for 'dec dword ptr' in the listing and... right!! Poor nice
Urbanik used the same counter! We find several 'dec dword ptr [ebx+xxxxxxxx]'.
The one we find most often is DEC DWORD PTR [EBX + 00532739].

Now we just have to find the instruction that initialises it,
'mov dword ptr [ebx+00532739],0000012C' (0x12C = 300 operations per session).
It is located at:



:0043F7FA     C783392753002C010000      mov dword ptr [ebx + 00532739],0000012C



We just have to change it as follows:

:0043F7FA     C78339275300FF0F0000      mov dword ptr [ebx + 00532739],00000FFF

(The immediate is stored little-endian: the bytes FF 0F 00 00 are 0x00000FFF,
i.e. 4095 operations per session instead of 300. If you want more, raise those
four bytes; just keep the instruction 10 bytes long so nothing after it shifts.)

                       

Done! The counter is cracked. Now just one more thing to do: saving the
disassembly to a text file.

We could use SoftIce 3.00 to do this, but as it took about 5 minutes to load
W32Dasm7 and get the disassembly listing, let's use W32Dasm7's own features
instead (it's always good to know all the options and features of the program
you are cracking!):



In W32Dasm7, press the "Functions Imports" button on the toolbar.
You'll get a list of all calls to external functions in the Windows API.

You'll see that it uses the Kernel32.DeleteFileA function.
And what does such a function do? It deletes an existing file!



We know that W32Dasm7 creates a file called WINSYS in the directory of the
file you loaded. It has the Hidden attribute and its size shows as 0 Kb
(only because W32Dasm7 still has it open). As usual, if a program wants to
erase a file it must close it first; this applies to DeleteFileA too,
otherwise the call fails. So when quitting, W32Dasm7 first closes WINSYS and
then erases it. We must crack right after it closes it: leave the close alone
(that is what gets the listing onto disk) and stop only the delete.



Press the "Find" button and search for 'DeleteFileA'.
You'll find 3 calls to address :0047ABCC.



Press the "Goto Location" button and enter '0047ABCC'.
You'll get:

*Reference To: KERNEL32.DeleteFileA, Ord0000h
:0047ABCC    FF251CA74900  jmp dword ptr [0049A71C]



Here it is!! This is the import thunk: all three calls to DeleteFileA in the
program go through this one jmp. Let's change these bytes:

:0047ABCC    C39090909090

'C3' is a RET (Return) in Assembler and '90' is a NOP (No Operation).
This means that instead of jumping to the Kernel32.DeleteFileA function, the
program is sent straight back (RET) to the caller and then exits WITHOUT
erasing WINSYS.

(One caveat for the careful: DeleteFileA is a stdcall function, so the real
one pops its single 4-byte argument itself with RET 4. A bare C3 leaves that
argument on the stack and leaves whatever is in EAX as the "return value";
it evidently does no harm here, but the faithful replacement is
C2 04 00 90 90 90, i.e. RET 4 followed by NOPs.)



DONE!!! We cracked W32DASM7.EXE.





Make these changes with a good hex editor like Hiew 5.50 or Hex Workshop (see
+ORC's tutorial, chapter 9(3), if you want to crack that one too!).
Then fire up your brand new cracked copy of W32Dasm7, load any file and exit
the program. You'll see that WINSYS is still in the directory of the target
program, without the Hidden attribute, so you can now open it with any word
processor, copy it, or move it elsewhere. (If it still shows up as hidden on
your machine, see +gthorne's fix at the end of this page.)
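The whole procedure, as an added example that is not code from the essay: the Python below encodes the two instructions the way a hex editor sees them, so you can check the essay's byte strings (and see that the replacement immediate FF 0F 00 00 is 0x0FFF = 4095, against the 0x12C = 300 of the original), choose any session limit you like, build the stdcall-faithful RET 4 stub, and apply both patches with the one check a hex editor will not do for you: refusing to patch unless the search pattern occurs exactly once. The "executable" it patches is a constructed buffer, not W32Dasm7.exe, so nothing on disk is touched.

```python
"""Build, check and apply Frog's Print's two W32Dasm7 patches.

Added example, not code from the original essay.  The byte strings are the ones
the essay gives; the "binary" patched here is a constructed buffer, not
W32Dasm7.exe.
"""
import struct
from typing import Tuple

COUNTER_DISP = 0x00532739         # the per-session counter lives at [ebx+00532739]
DELETEFILE_IAT_SLOT = 0x0049A71C  # IAT slot the DeleteFileA thunk jumps through

# Byte patterns from the essay (search / replace pairs for a hex editor)
COUNTER_ORIG = bytes.fromhex("C783392753002C010000")   # mov [ebx+532739], 0x12C
COUNTER_FROG = bytes.fromhex("C78339275300FF0F0000")   # mov [ebx+532739], 0xFFF
THUNK_ORIG = bytes.fromhex("FF251CA74900")             # jmp dword ptr [0049A71C]
THUNK_FROG = bytes.fromhex("C39090909090")             # ret ; nop x5


def encode_mov_ebx_disp32_imm32(disp: int, imm: int) -> bytes:
    """mov dword ptr [ebx+disp32], imm32  ->  C7 83 <disp32 LE> <imm32 LE> (10 bytes)."""
    return b"\xC7\x83" + struct.pack("<I", disp) + struct.pack("<I", imm)


def decode_mov_ebx_disp32_imm32(code: bytes) -> Tuple[int, int]:
    """Inverse of the above; returns (disp32, imm32)."""
    if len(code) != 10 or code[:2] != b"\xC7\x83":
        raise ValueError("not a 'mov dword ptr [ebx+disp32], imm32'")
    disp, imm = struct.unpack("<II", code[2:])
    return disp, imm


def encode_jmp_indirect(slot: int) -> bytes:
    """jmp dword ptr [abs32]  ->  FF 25 <abs32 LE>: the shape of an import thunk."""
    return b"\xFF\x25" + struct.pack("<I", slot)


def thunk_stub(stack_bytes: int = 0) -> bytes:
    """6-byte in-place replacement for an FF25 thunk: RET (C3), or RET imm16
    (C2 iw) when the callee was stdcall and popped its own arguments; NOP-padded."""
    ret = b"\xC3" if stack_bytes == 0 else b"\xC2" + struct.pack("<H", stack_bytes)
    return ret.ljust(6, b"\x90")


def patch_once(data: bytes, old: bytes, new: bytes) -> bytes:
    """Same-length in-place replacement of a pattern that must occur exactly once.
    Refusing on 0 or >1 hits is the check a hex-editor search does not do for you."""
    if len(old) != len(new):
        raise ValueError("replacement must not change the file size")
    hits = data.count(old)
    if hits != 1:
        raise ValueError(f"pattern found {hits} times, expected exactly 1")
    return data.replace(old, new)


def session_limits() -> Tuple[int, int]:
    """Operations per session before and after the counter patch (300 -> 4095)."""
    return (decode_mov_ebx_disp32_imm32(COUNTER_ORIG)[1],
            decode_mov_ebx_disp32_imm32(COUNTER_FROG)[1])


# Constructed stand-in for the executable: some filler around the two instructions.
FAKE_EXE = b"\x55\x8B\xEC" + COUNTER_ORIG + b"\x90" * 8 + THUNK_ORIG + b"\xCC" * 4


def apply_patches(data: bytes = FAKE_EXE, max_ops: int = 0xFFF, stack_bytes: int = 0) -> bytes:
    """Apply both patches.  max_ops picks any session limit; stack_bytes=4 gives
    the stdcall-faithful RET 4 stub instead of the essay's bare RET."""
    data = patch_once(data, COUNTER_ORIG, encode_mov_ebx_disp32_imm32(COUNTER_DISP, max_ops))
    data = patch_once(data, THUNK_ORIG, thunk_stub(stack_bytes))
    return data


if __name__ == "__main__":
    before, after = session_limits()
    print(f"session limit: {before} -> {after}")
    print("patched:", apply_patches().hex())
```

To patch the real file, read W32Dasm7.exe into `data`, call `apply_patches(data, ...)` and write the result to a copy; `patch_once` will stop you if either pattern is missing or not unique in your build.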



2/ -Commercial protectionists/programmers are stupid.

+ORC was right: the commercial purposes of their work make them BLOODY
STUPID FOOLS!

I cracked W32Dasm7.exe WITH W32Dasm7.exe AND even had SoftIce 3.01 loaded
the whole time, and didn't have any problem!

It took me 2 hours to crack and write a patch for W32Demo7 but only 15 min
to do the same with W32DASM6!! They are still using the EXACT SAME
protection scheme (same counter, same DeleteFileA, same Winsys...) and I
guess they will re-use it for the next version of W32Dasm.



Can't wait for W32Dasm8 !!!!

Frog's Print (Paris)


Wdasm32 Fix for ATTRIB problems by Greythorne The Technomancer

This is meant as PART II of the wdasm32 version 7 crack by Frog's Print.

Since the file was attribbed incorrectly, it became clear to me that a part of the
crack was sorely missing from the part placed online by Frog's Print. This does
not belittle his work in any way; it just points out the need to accomplish as much
of a crack as possible before it goes to the presses and the world sees it.



Going under an assumption (which was correct, mind you), this change fixes that
problem:

search for: 77696E737973
change to:  77732e747874



I know why it works, and I knew why it would work as I thought of it.
It is left up to you, dear reader, to use a few moments of your time to
figure it out.
If you give it a go, you will at least see WHAT was done, even if you do not
understand why... But a little thought on it and it may just come to you,
even if you know nothing about cracking.



The aforementioned change should therefore work for ALL versions of wdasm
ever made, and hopefully even in the future.

Sometimes it is common sense that solves the puzzle, not necessarily the
book knowledge or tools which we amass in the time we have.



ADDENDUM:

Here is a little addition that will make the above crack a little more user
friendly:

Search for this byte pattern:
5361766520746F

And at that location, insert the following whole pattern in its place
(starting at the first byte above; I am only skipping spaces in order
to allow you to read it more clearly):

44697361  7373656D
626C7920  53617665
640A546F  2046696C
653A2057  532E5458
540A0A3C  3C202B67
74686F72  6E652739
37203E3E  00



I do hope you try this, it is what cracking is all about - making 

programs even better... so you WANT to use them.



Take care my friends,

 +gthorne'97



PS: For those who came in late, or somehow have not gotten
hold of his file, here are the necessary fixes that Frog's Print
published. I am not about to explain them again; that is for you
to locate his file and the one for wdasm6 by Adynts.
Won't be difficult, since everything is here, courtesy of fravia+ :-)



This is his fix for the time counter:

Search for:
 C783392753002C010000
Replace with:
 C78339275300FF0F0000

Frog's Print's 'Fix the deleter' function reprinted here:

Search for:
 FF251CA74900
Replace with:
 C39090909090

------------------------------

'The road goes ever, ever on.'

   - J.R.R.Tolkien

------------------------------
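To see what +gthorne's two byte patterns actually do, here is an added example (not part of his add-on or of the original page): it decodes the hex to the ASCII strings they spell and checks the two in-place constraints a hex-editor patch has to respect. The filename replacement is exactly as long as the original, so nothing around it moves; the message replacement is much longer than its 7-byte search key, so it overwrites whatever followed "Save to" in the file and is only safe if the original string there was at least that long. The buffer it patches is constructed here and is not W32Dasm7.exe.

```python
"""Decode the byte patterns in +gthorne's add-on and check what an in-place
hex-editor patch does with them.

Added example, not code from the original page.  The patterns are the ones
printed above; the buffer patched at the end is constructed here and is not
W32Dasm7.exe, so it only illustrates the mechanics.
"""
from typing import Tuple

FILENAME_OLD_HEX = "77696E737973"
FILENAME_NEW_HEX = "77732e747874"
MESSAGE_KEY_HEX = "5361766520746F"
MESSAGE_NEW_HEX = ("44697361" "7373656D" "626C7920" "53617665" "640A546F" "2046696C"
                   "653A2057" "532E5458" "540A0A3C" "3C202B67" "74686F72" "6E652739"
                   "37203E3E" "00")


def hex_to_text(pattern_hex: str) -> str:
    """Hex pattern -> the ASCII string it spells (NUL and newlines kept as-is)."""
    return bytes.fromhex(pattern_hex).decode("ascii")


def same_length(old_hex: str, new_hex: str) -> bool:
    """A replacement that keeps the length leaves everything around it intact."""
    return len(bytes.fromhex(old_hex)) == len(bytes.fromhex(new_hex))


def overwrite_extent(key_hex: str, new_hex: str) -> int:
    """How many bytes *past* the search key a longer replacement overwrites."""
    return max(0, len(bytes.fromhex(new_hex)) - len(bytes.fromhex(key_hex)))


def overwrite_at_key(data: bytes, key: bytes, new: bytes) -> bytes:
    """Overwrite len(new) bytes starting where key occurs (key must occur once).
    Unlike a same-length replace this clobbers whatever followed key, so it is
    only safe when the original string there is at least len(new) bytes long."""
    off = data.find(key)
    if off < 0 or data.find(key, off + 1) >= 0:
        raise ValueError("search key must occur exactly once")
    if off + len(new) > len(data):
        raise ValueError("replacement runs past the end of the file")
    return data[:off] + new + data[off + len(new):]


def c_string_at(data: bytes, off: int) -> bytes:
    """Read the NUL-terminated string at off, i.e. what the program would see."""
    return data[off:data.index(b"\x00", off)]


# Constructed stand-in: the 'winsys' name, then a 64-byte message slot that
# begins with "Save to" (NOT the real W32Dasm7 string).
NAME_OFF = 1
MSG_OFF = NAME_OFF + len("winsys") + 1
FAKE_DATA = (b"\x00" + b"winsys\x00"
             + b"Save to (constructed placeholder message)".ljust(64, b"\x00"))


def apply_gthorne_patches(data: bytes = FAKE_DATA) -> bytes:
    """Apply the filename patch, then the message patch, in place."""
    data = overwrite_at_key(data, bytes.fromhex(FILENAME_OLD_HEX), bytes.fromhex(FILENAME_NEW_HEX))
    return overwrite_at_key(data, bytes.fromhex(MESSAGE_KEY_HEX), bytes.fromhex(MESSAGE_NEW_HEX))


def strings_after_patch(data: bytes = FAKE_DATA) -> Tuple[bytes, bytes]:
    """The (filename, message) C strings the patched program would read."""
    patched = apply_gthorne_patches(data)
    return c_string_at(patched, NAME_OFF), c_string_at(patched, MSG_OFF)


if __name__ == "__main__":
    print(repr(hex_to_text(FILENAME_OLD_HEX)), "->", repr(hex_to_text(FILENAME_NEW_HEX)))
    print(repr(hex_to_text(MESSAGE_KEY_HEX)), "->", repr(hex_to_text(MESSAGE_NEW_HEX)))
    print("message patch overwrites", overwrite_extent(MESSAGE_KEY_HEX, MESSAGE_NEW_HEX),
          "bytes beyond the search key")
    print(strings_after_patch())
```

The trailing `00` in the message pattern is what makes the overwrite safe to read back: it terminates the new string where the old one may have run on, so the program never prints the leftover bytes after it.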



