Cr@ck Tutorial (CheckPop 1.1 for Windoze95/98/NT4 by Nevis Systems)



				OR



		   <01" rulez!]------->



----==================-<[by VucoeT in 4/98]>-===================----



-URL:		http://netaddress.usa.net/tpl/Attachment/

 ===		INVESHKU/ckpop11.exe?Q=mx03-cDwuXO0901&O=853

		(copy and paste it! ... thanx for upping!)

			

-Rating:     	Beginner 

 ======         (that knows, how to turn on the machine ;])



-The program:	POP-email-checker, dunno details ;]

 ===========



-Protection: 	Time Trial;Serial to register

 ==========



-Tools you will need:	

 ===================



SOFTICE for Win95 3.22+ (Debugger)



W32DASM 8.9+ (almost any version will do, this is the one I use)

---> get them at Lord Caligo's Fantastic World of Cracking.

     (http://cracking.ml.org)



HEX-EDITOR (Exlpained here is HexWorkshop, but any will do)

---> get it at http://www.ursoft.com.



-Best read with: Windows NOTEPAD.EXE, one of the best M$-Products!

 ==============  or even better printed on some sheets of cellulose.



====================================================================



BEHAVIOR OF THE TARGET

======================

(after installed in Win95)



OK, let's start getting an overview of the target and its behavior.

When we start it, there is a weird NAG, telling us, that this Version

is Shareware and when the LEGAL-use-time is over. And the good news

(for us ;] ) is, that the stupid nag won't appear, once we are a re-

gistered user. 

By changing the system time we know, that the time trial takes the 

actual time to compare it with the day Checkpop has been installed on 

your system. But that's just a side comment (another approach).

OK, at the same time a help screen is opened, which tells us about

the (VERY interesting;]) registration details.

Errr ... both screens we don't seem to like ... but don't worry, you

are not gonna see them for a long time ;].



BASICS

======



As you might know, there are functions installed in library files of

Windows(DLLs; like USER(32).DLL,GDI32.DLL,...) that are uni-

versal and that can be called by programs in order to use them, 

instead of using own functions, that have to be coded first 

(which is additional work). Coders are lazy, as we all are ;]. So 

most of the time they will use windows-own functions.

The program just PUSHes the nescessary values for the function it

will call, before it is executed. You could say, parameters are 

given from the program to (a) Windows (-function) to use Windows-own

set of functions.

This is good for us;], because, if we know the effect of those 

functions, we can easily break into the running program and stop

it at the point, where a certain function is called.



You may ask:"How to do that???". This is the job of the Debugger, in

our case SoftIce. Ir runs in background and kind of "examines" all

activities, of (in our case) Windows. The code, which runs thru

(Softice and) the processor is the so called machine-code or Assembly

language, which is the only language the processor can handle.

Every high-leveled language will translate the code into assembly in

order to make it understandable for the (Intel-)processor. That's why

you maybe should bite yourself into assembly, cos it is essential.



PREPARE SETTING THE BREAK

=========================



OK now it gets interesting. After Checkpop is launched, we press the 

right button on the taskbar symbol of CheckPop and select [ABOUT]. 

In the window appears a button [REGISTER]. Hehehe <-THE-> button, 

so to speak. When you are cracking and using this kind of approach, 

then you have to first examine your target program to find the place, 

where you can enter your SERIAL- number. We found it here! (the re-

gister-box at the beginning [NAG] is the same BTW.).

Press the [REGISTER] button and the program wants you to enter a 

VALID serial-number. So we must think of something, because most of

us won't have this VALID number (others, please stop here ;]). Unless

you don't have a lucky guess the program won't accept your entry ;].

Note: It doesn't tell you, if your entered number was correct, but

just goes on unregistered.



We are about to break into the function, that 

is usually used to get a text from a dialog-window, such as our 

serial. There are 2 functions, that do (quite) the same. 



Functions for getting a text (string) from a Dialog-Window

==========================================================



The first:

GetDlgItemTextA, GetDlgItemText



The second:

GetWindowTextA, GetWindowText



the "A" is used to call the 32bit function, while the other one 

(without the "A" behind) is for 16bit appz. Since our target runs

in WindowsNT too, we can already guess, that it is a 32bit program.

If you are not sure, just set breaks on both. 



So this Window gets out entered serial-number and later there will 

some sort of check, if it was the right one. Our aim is to find the

location in the program, that checks, if it should go on saying:

"Thanks soo much for registering" or "Get away silly gambler!" ;],

of course the expression used in applications will be different ...



SOFTICE CONFIGURATION

=====================



I already assume you have been working a bit with softice, installed

it propperly and are ready to set the break. If not see 

HTTP://FRAVIA.ORG for tuts on installing Softice. Don't forget to

make softice load the DLLs, which contain the functions, we want to 

break on. Do this by eding the WINICE.DAT file in your softice dir

and remove the ";" in front of the Exports (DLLs):



--------------------------------------------------------------------

EXP=c:\win95\system\kernel32.dll

EXP=c:\win95\system\user32.dll         ;Library file of our function

EXP=c:\win95\system\gdi32.dll



(your pathnames may differ ... EXP=C:\windows\...)

--------------------------------------------------------------------

(near the end of WINICE.DAT, this is how it should look)



SETTING THE BREAK

=================



OK now, remember, that we are still on our registration window, with

Softice running. Enter some Serial, but dont confirm it yet. 

Activate Softice by pressing F5 or CTRL-D. OK, this is the debugger.

Just enter:



"bpx getdlgitemtexta" 



You have to guess, which of the two functions discussed b4 it is, 

but I prefer trying this one first and it is the right one here.

It can be, that any of it will break, too. After setting this break-

point go back to the Serial-Entry (again CTRL-D). Enter something 

and confirm your entry by hitting [OK] ...



BOOM! ;]

========



OK, what you see now is: Softice has detected, that a program wants

to call the function, we set a breakpoint on before. We are now in-

side the DLL, at the beginning of that function (indicated by a 

seperator looking like this:------------USER32!.TEXT...).

We want to go to the location in our program, where it was called 

from. By pressing [F11] we can. Look at the piece of code below.

(normally you should write down the location of the break here to

 find it later in W32DASM, but I did that for you, as I am a nice

 person ;])



--------------------------------------------------------------------

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h

                                  |

:0040C2F4 FF15D0344200     Call dword ptr [004234D0]  ;the call!

:0040C2FA 8D542408         lea edx, dword ptr [esp+08];

:0040C2FE B968144200       mov ecx, 00421468          ;

:0040C303 52               push edx                   ;

:0040C304 E8C7A6FFFF       call 004069D0       ;Hmmm ...

:0040C309 E8F2000000       call 0040C400       ;Is-the-serial-valid?

						Read on to see why!

:0040C30E 6A01             push 00000001       ;

:0040C310 56               push esi            ;



* Reference To: USER32.EndDialog, Ord:00B4h    ;End Dialog!

                                  |

:0040C311 FF15B0344200      Call dword ptr [004234B0]

:0040C317 E9BE000000        jmp 0040C3DA



(after ";" its my comments)

--------------------------------------------------------------------

(WDASM Disassembly piece of the code. Easier for me to paste here!;])





So here we are! This is the piece of code, where our serial is

read. After that we can see two calls ... (Hmmm?). Later we find 

USER32.EndDialog, which as you might guess ends the dialog ... ;]. 

So most likely the determination, whether the serial we entered was 

the right or wrong one will be in one of those 2 calls. 

Can you follow?

OK, the job of Softice is done for now. To prevent it from

popping up again, enter "BC*", which means "Clear all breakpoints".



DISASSEMBLE WITH W32DASM

=======================



Now that we know the location, we can open W32DASM and disassemble

the file checkpop.exe (disassemble -> get the assembler code).

Since it is not too big, it will be done quickly. So now search for

the location in W32DASM, that we got B4 on the break. I think you

will be able to find it easily and then see the piece of code above.

The key must be in those 2 CALLs ... (usually a routine is done, 

which checks, if the entered code is valid).



OK, what is always done, when you want to crack a program to make it

registered is, you try fishing for strings, that W32DASM fortunately

seperates (Refs-String Data Reference). What strings could that be? 

Of course some which appear to have a clear connection with a (hidden) 

routine, that checks, if the program is registered or not. The only

text we find is "Registered", which as we might guess will show up

somewhere, after we entered the valid serial.

Go, where this string is used in the assembled listing, by double

clicking on it. Sometimes there is more than one occurence of a

string, so always try to double click it more than once ...



If we do so we land here: 

--------------------------------------------------------------------

* Reference To: USER32.SetWindowTextA, Ord:0221h

                                  |

:004011A5 FF15A8344200    Call dword ptr [004234A8]

:004011AB E850B20000      call 0040C400 ;Is-the-serial-valid?

					;In our case, whatever

					;happenes in the call

					;it will at least move 

					;something into EAX,

					;which is NOT 01, since

					;we entered a wrong serial.

					;What it is, is not really

					;interesting here.



:004011B0 83F801          cmp eax, 00000001

:004011B3 7522            jne 004011D7  ; Jump, if 1 not equals eax

				        ; the BAD jump, which will

				        ; override our "Registered"

				        ; to go the way of the wrong

				        ; entered serial. BTW here

				        ; there is no Window telling

				        ; us, that we have entered

				        ; a wrong number ...



* Possible StringData Ref from Data Obj ->"Registered"

                                  |

:004011B5 6850C04100              push 0041C050

--------------------------------------------------------------------



OK, do you remember the call 0040C400 (Is-the-serial-valid?). You al-

ready seen it before. When? Well after we broke in with Softice. One

of those calls we saw, seeing the code after the break. This

is confirmed thou (this CALL (routine) is the check, if the program

is registered). If you wanted to find out, how the real number is

calculated then take a look at this call. But this is more advanced.



Let's take a resumÈe. What will happen, if we enter the wrong serial

is, that the "Is-the-serial-valid?"-CALL will return something

different than "01" to EAX. If the returned value inequals 01, then

it will jump away from our beloved "Registered", otherwise it will go

on. So whats our aim? We want the prog not to take the BAD jump and

the way, where the program is gonna go is set in this routine, by 

making EAX "00" or "01".



WHAT TO CHANGE?

===============



So the returned value must be "01" in order to make the program think

we are registered users. What we will do is the following: We go to

the beginning of the CALL. We already found out, that it will GOOD-

jump later, if the returned value is "01". So we just use the be-

ginning of the called function to apply our code to move "01" into

EAX. 



The following will move "01" into EAX and then return. The "01" is 

the only thing we need from this CALL ... =) ... the Assembly-

commands for this are:



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

PUSH 00000001   ; put "01" into the stack

POP EAX         ; put the stack value into EAX (EAX=01)

RET             ; Return to where it was called from



in HEX (with what we will overwrite later) it is: "640158C3"

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



OK, so far so good. You may ask, why we didnt just disable the jump

somehow (NOP). Well the "01" is the sign here (and maybe elsewhere,

which is very important!!!) for registered version. And this sign

maybe used elsewhere too and it is, as you know. 



Just check inside the CALL.



WDASM32 shows you, which addresses called this function:

--------------------------------------------------------------------

* Referenced by a CALL at Addresses:

|:004011AB   , :004050A0   , :0040BF41   , :0040C309 ; 3 more!

|

:0040C400 64A100000000            mov eax, dword ptr fs:[00000000]

--------------------------------------------------------------------

:LOCATION HEX-CODE OF THIS -----> ASM COMMAND

--------------------------------------------------------------------



So what we can say now is, that 2 other locations (beside our 

004011AB and 0040C309) check this routine, if the program is 

registered.



CHANGE OF "CHECKPOP.EXE"

========================



To change it in "checkpop.exe" first make a backup-copy of it. Then

open it with your hex-editor and find the offset-address of the code 

we see in the status-bar of W32DASM before (Offset XXXXXXX in file:

checkpop.exe) Found the code? Search for it or scroll, whatever you

prefer. The location should be B800h ("h" means HEX). Now overwrite 

the "64A10000" with "6A0158C3". Changes done? Save the file and 

launch it to see, what is the effect of the changes!



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Note:If you cannot save the file in the Hexeditor, then be sure to

     have checkpop closed, while applying the changes. You cannot

     save to the file, if it is running!

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -





AFTER THE FIRST CHANGE

======================



OK, well we start it, the help-screen still pops up. Ergh! We think:

All for nothing! But continuing to the about-window, the program

tells us, that we are a registered user (and unable to enter a 

serial now). Thats good! Even if we change the System time to one

month later, it still works, without showing the "EXPIRED ... "-

screen (just play around with the ORIGINAL file, too). We even know

(now), where our search-string "registered" is located. It is the

Name of the button, we cannot press ...



So to get to the point. The program behaves like an registered one

now, but there is still this help screen, which of course won't show

up telling us registration details, if we had the REAL registered

version running. Hmmm ... 



- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

NOTE:

If you take a look at the registry in :



HKEY_CURRENT_USER/SOFTRARE/Nevis Systems/Checkpop/1.1/



It stores the time it was installed first there, too. So if you are

desperate and don't want to crack it, you can also just delete the 

registry-entry "Nevis Systems" or just "1.1". You will have 14 more 

days of use ... but that's of course NOT our aim.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -



FINDING THE HELP SCREEN

=======================



We don't want this help screen !!! Maybe there is a check before 

the help screen, that checks somewhere, if we are registered users.

So we need to break or get to the CALL of this Help-nag-screen. 



There are 2 possibilities: 



Since it is most likely (just a feeling ;]), that it will be the 

first call for winhelp in this .exe file, we can just search in 

W32DASM for "winhelp" (16bit) or again "winhelpa" (32bit). Both 

will lead you to the right spot.

Just go to the start of the disassembly listing in W32DASM and do

a search for "winhelp" or "winhelpa". It will first break on the

imported function list, which is of course not, what we are looking

for. But the next break is BINGO!.



Another possibility of course is, to set a breakpoint in Softice

for "winhelpa" (bpx winhelpa), after it breaks F11, then note the 

address of the CALL and find it again in W32DASM.



Both will lead you to this:



--------------------------------------------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00405003(C)

|

:0040500A B968144200              mov ecx, 00421468



:0040500F E84C1C0000              call 00406C60 ;in there the value

						 of EAX is set (ob-

						 viously)



:00405014 85C0                    test eax, eax ;if EAX equals 0 

						 then don't jump 

						 (which means: 

						 execute the

						 winhelp-call)



:00405016 0F8584000000            jne  004050A0

:0040501C 68B0040000              push 000004B0

:00405021 6A01                    push 00000001



* Possible StringData Ref from Data Obj ->"checkpop.hlp"

                                  |

:00405023 6828CB4100              push 0041CB28

:00405028 53                      push ebx



* Reference To: USER32.WinHelpA, Ord:025Eh      ;THIS IS THE BREAK!

                                  |

:00405029 FF1528354200            Call dword ptr [00423528] ; BAD!!!

:0040502F 53                      push ebx

:00405030 53                      push ebx

--------------------------------------------------------------------



Most interesting for us is again another call, which seems to de-

termine the value of EAX, since it is TESTed right after the call 

and the result of this TEST is responsible for it overriding the 

winhelp- CALL or executing it (TEST just sets a flag depending on the

value of EAX; for a deeper inside in Assembly either read more tuts

about it or buy a book (the bigger the better ;])).



THE 2ND (LAST) CHANGE

=====================



The solution is again the same. Best is to change the CALL, so that

the returned EAX-value is (again) "01". So everything we have to do

again, is get to the start inside the call and change it, that it

just puts 01 into EAX and then RETURNS. It will be the same code

as in the first change we made.

So again we start our HEX-Editor, search for the offset (status bar

in W32DASM;6060h) and change it to "6A0158C3", like before.

And now launch -[Checkpop 100% Cracked]- by you! ;]



ABOUT THE CALL

==============



Actually the CALL before the HELP-screen reads something out of the

registry which makes the program show the help-screen. What that is 

is not important for the crack. We ask ourselfes, how to make the 

consequences look like, as if it read the VALID things out of the 

registry. So the CALL just gives back an "Valid" or an "Invalid",

here its either a "01" or a "00". You might say a good value or a 

bad value.

Don't ask me, what is happening inside the CALL. It is not really 

important for cracking this target.

If you are interested what happens inside, just follow the

CALLS and see what they are doing ... ;]





LAST WORDS

==========



I hope this tutorial helped at least a bit to understand the way

you have to approach a target showing similar signs of protection.

This is my first tut, so if you have questions, comments or of

course if you have something to critizise, then join ...



"#cracking4newbies"-Channel on IRC (EFNET)



and tell me your sorrows. I will be glad to change things in here,

that you think are wrong or difficult to understand (if I think

that too ;]). Hope you had fun reading and cr@cking and watch out 

for more to come!

Of course this is for EDUCATIONAL purpose only. To help under-

standing, what the difference between registered and unregistered

version is. As you saw, not much ... "01" rulez here ...

and besides 14 days are too short to evaluate ... ;]



GREETZ & THANKZ(no order)

=========================



CoRN2, Vizion(some Beer?;]), ___mP(!), Wink,|caligo|, _masta_, sauron,

^pain^, sentinel^, Ghostrdr, Skater, Technoid, Slashing, Kurnitoz,

LordVader and the whole [RTA], _random, axxess, |Fresh|, _ryder_,

Intruder, i_magnus, Quantico, Raimi, RaimIO!, Raytrace, Bulldozer,

Tin, _RudeBoy_, teraphy, fravia+, +ORC (tutes) and the whole MEX!



the whole #cracking4newbies! Be there or don't!



--------------------------<[-VucoeT98-]>----------------------------