by Drlan
(18 September 1997, slightly edited by fravia+)

---

Courtesy of Fravia's page of reverse engineering

---

Well, an interesting essay, here is Drlan's email to me:

Fravia,



Here's a short essay on a nice program I found.  It's called Enterprise 

REXX (WinREXX).  It's a pretty cool programming tool and I guess could 

be considered a "tool of our trade." 

Target Program: Enterprise REXX (WinREXX)

Protection: Nag(s), 21 day time limit, limited number of runs ("Quiver" protection)

Cracked by: drlan [Me'97/C4N]!

Location: http://www.winrexx.com/Trial/



Tools needed:

- SoftICE Win95 3.01

- Hex Editor (I like PSEdit and Hex Workshop)



Conventions used:

> denotes a SoftICE command



Download the target and run it a few times to get a feel for what's going on.

You'll notice a nice little reminder that the program will expire in 21 days

or after 126 more uses, whichever is later.  That doesn't sound like quite

enough time for a thorough evaluation, so let's see what we can do...



I am going to work through REXX.EXE in the tutorial.  The routine for the

WINREXX.EXE is almost identical and I'll explain where to patch it at the

end.



As with any crack, there are many different ways to approach this.  The first

thing I did was disassemble the file with W32Dasm 8.9.  

Hey, that's not in the above list of tools needed! 

Don't worry, this isn't how we're going to crack it...  

You could choose the dead listing approach.  You will find the strings

that refer to "expires in" and "expired."  You could then crack from there,

as usual, but let's try a different approach.



When you run either of the main executables (REXX.EXE or WINREXX.EXE), the

friendly reminder pops up to let us know when this babe is going to expire.

This box, with just an OK button on, looks a lot like a standard API call.

A couple of the routines that can put on the screen a message like this are:

MessageBox and DialogBox.  Of course this is a 32-bit app, so these functions

have an "A" on the end.  Let's try a breakpoint on MessageBoxA.  Pop over into

SoftICE with Ctrl-D and do this:



>bpx MessageBoxA



Now press Ctrl-D or F5 to get out of SoftICE and then run the program again.

sICE will pop on the MessageBoxA function.  Press F12 to RETurn.  Now click

the OK button on the message box.  You should drop back into sICE right after

the call to MessageBoxA.



Scroll up your Code Window using Ctrl-Up Arrow.  You won't need to scroll up

very far (just a few lines), until you come to this interesting bit of code:



:004079F9 837DB800      CMP DWORD PTR [ebp-48], 00      ; looks like a flag

          0F841A000000  JZ 00404C5D                     ; jump if it's zero

          6A40          PUSH 40                         ; otherwise, set up

          A1B4E04000    MOV EAX, [0040E0B4]             ; for our call to

          50            PUSH EAX                        ; the ugly nag screen

          68301B4100    PUSH 00411B30

          FF15C8534100  CALL User32!GetFocus

          50            PUSH EAX

          FF15D4534100  CALL User32!MessageBoxA         ; which happens here!



:00404C5D 8B45FC        MOV EAX, [ebp-04]

          E900000000    JMP 00404C65



:00404C65 5F            POP EDI

          5E            POP ESI

          5B            POP EBX

          C9            LEAVE

          C3            RET



So, what do we see here?  Looks like that CMP DWORD PTR [ebp-48], 00 is

comparing a flag.  I tried placing a memory write breakpoint on that location

but couldn't find where the flag was set.  It looks to me like if the flag

were 00, we would jump over the whole nag screen mess.  So, let's just make

it so!



Let's change:

          837DB800              CMP DWORD PTR [ebp-48], 00

          0F841A000000          JZ 00404C5D



into:

          C745B800000000        MOV DWORD PTR [ebp-48], 00

          EB1B                  JMP 00404C5D

          90                    NOP



We need to pad with one NOP to make it an even 10 byte for 10 byte exchange.

Now, instead of comparing the flag, we are setting the flag.  I think this

should please our master, +ORC.  Then, with the flag set, we are making an

unconditional jump (JMP) over the MessageBoxA call.



You can do this live in sICE.  First clear all existing breakpoints.



>BC *



Now place a breakpoint on the CMP DWORD PTR [ebp-48], 00 line.  You can do

this by typing BPX segment:offset or simply double click on the line.  Then

run the program.  When sICE breaks on the line, we'll assemble in our new

instructions:



>A                              ; to assemble in our new instructions

>MOV DWORD PTR [ebp-48], 00     ; let's make the flag 00

>JMP 00404C5D                   ; jump over the message box

>(press Esc)



Press Ctrl-D or F5 to continue running.  You should not see any nag screens!



Time to transfer our live crack into something more useful and longer lasting.

We need to hex edit the rexx.exe program to replace the bad old instructions

with our nice new ones.



Nag screen(s):

Search for:     837DB8000F841A000000    ; compare flag, jmp if 00

Replace with:   C745B800000000EB1B90    ; set flag to 00, jmp, nop



WinREXX.EXE uses the same code, so search and replace the same string in

there and you're all set! 



Setting the flag get's rid of ALL protection schemes inside these targets!



That's it for this lesson.  Hope this was fun and instructional.



Disclaimer: THIS ESSAY IS FOR EDUCATIONAL PURPOSES ONLY.  ANY USE, MIS-USE

OR ILLEGAL ACTIVITY IS THE SOLE RESPONSIBILITY OF THE READER.



GreetZ: Everyone in [Me'97/C4N], PC'97, UCF, {fravia+, gthorne+ and +ORC}, 

Razzia!

     



                                                        +drlan

homepage links anonymity +ORC students' essays tools cocktails
academy database antismut search_forms mail_fravia
is reverse engineering legal?