Adynt's essay
(how to crack wdasm)

by adynts


Courtesy of Reverser's page of reverse engineering
~
A good essay, adynts is a "clean cut" +cracker

Alright, you wanted to know how I cracked wdasm, so here it is :

I will crack here W32Dasm 6.4 [w32demo6.exe] which is 604 192 bytes long. 
There's two things to crack here. First, we want to do as many operations 
as we want during one session. We want also to be able to save the 
disassembly listing to a text file.

Part I : limited number of operations

This is the harder part of the crack, I did it sometime ago and I didn't 
use a very zen way. Here a much better way ( in my opinion ). We know 
that there is a counter, let's supose this counter is decremented each 
time. So there should be a dec each time you use command, so that dec 
should appear often. We have a 32bits application, so let's search in the 
disassembly listing for "dec dword ptr" whith grep. Using grep is 
important here for it allows you to see the multiples occurence of the 
same location. Here it is :


:004070E9 FF8B34674000            dec dword ptr [ebx+00406734]
:00407100 FF8B34674000            dec dword ptr [ebx+00406734]
:00407117 FF8B34674000            dec dword ptr [ebx+00406734]
:0042618F FF8B34674000            dec dword ptr [ebx+00406734]
:004261A6 FF8B34674000            dec dword ptr [ebx+00406734]
:004261BD FF8B34674000            dec dword ptr [ebx+00406734]
:004261F8 FF8BDE5E4000            dec dword ptr [ebx+00405EDE]
:00443923 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00443EC5 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00445281 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00445A9C FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00445E01 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00446090 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:004467F0 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:0044695D FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:0044795D FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00447A3A FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00448771 FF8B6E5A4000            dec dword ptr [ebx+00405A6E]
:00448782 FF8BDAE30100            dec dword ptr [ebx+0001E3DA]
:00448ED8 FF8B9E5F4000            dec dword ptr [ebx+00405F9E]
:00452A56 FF8BAA5D4000            dec dword ptr [ebx+00405DAA]
:00452CF1 FF8B9E5F4000            dec dword ptr [ebx+00405F9E]
:004531EC FF8BDEE30100            dec dword ptr [ebx+0001E3DE]
:00458610 FF8BDAE30100            dec dword ptr [ebx+0001E3DA]
:004586CC FF8BDAE30100            dec dword ptr [ebx+0001E3DA]
:00459AFA FF88EAE30100            dec dword ptr [eax+0001E3EA]
:00459B8A FF889E5D4000            dec dword ptr [eax+00405D9E]

So [ebx+0405DAA] is the one that appears the most often, let's look at 
that location closer. There is only one initialisation of this address, 
and many comparison, that looks nice, let's change the initialisation 
value :

   :00442381 C783AA5D40002C010000 mov dword ptr [ebx+405DAA], 0000012C
to replace with :
   :00442381 C783AA5D4000FFFF0F00 mov dword ptr [ebx+405DAA], 000FFFFF
 
And everything works nice.

Ok, the first time, I used winice, set a breakpoint when the window 
saying that you had to restart wdasm was poping. Then using backtracing I 
found a first location ( I think that was ebx+405F1A but my notes are not 
very easy to read ). And usr bpr I found the interesting location : 
ebx+00405DAA. That's not zen. Anyway I think the method I've described 
earlier is valuable even if I knew the solution before starting.


Part II : Saving in a text file

The routine to save in a text file is not in w32demo6.exe, so we connot 
use this way to enable the function save to text file. But w32demo6.exe 
is nice and in any case save the disassembly into a text file named 
winsys (in the same directory as the the program your are disassembling). 
This file is deleted when you quit the program. We just have to copy this 
file somewhere else while the program is running (in the background). The 
problem is that we do not have reading access to winsys. Let's change 
that. Looking at the disassembly listing and searching for winsys, you 
will find this section of code :

* Possible StringData Ref from Data Obj ->"\winsys"
                                  |
:004517AF 68BFEB4600              push 0046EBBF
:004517B4 8D838E5A4000            lea eax, [ebx+00405A8E]
:004517BA 50                      push eax
* Reference To: _strncat, Ord:0000h in cw3220.DLL
                                  |
:004517BB E87CC00000              call 0045D83C
:004517C0 83C40C                  add esp, 0000000C
:004517C3 8D8B8E5A4000            lea ecx, [ebx+00405A8E]
:004517C9 51                      push ecx
:004517CA 8D8300A13500            lea eax, [ebx+0035A100]
:004517D0 50                      push eax
* Reference To: lstrcpyA, Ord:0000h in KERNEL32.dll
                                  |
:004517D1 E878C00000              call 0045D84E
:004517D6 6A00                    push 00000000
:004517D8 6802010000              push 00000102
:004517DD 6A02                    push 00000002
:004517DF 8D93789F3500            lea edx, [ebx+00359F78]
:004517E5 52                      push edx
:004517E6 6A00                    push 00000000   <---- fdwShareMode :004517E8 68000000C0 push C0000000 :004517ED 81C300A13500 add ebx, 0035A100 :004517F3 53 push ebx * Reference To: CreateFileA, Ord:0000h in KERNEL32.dll | :004517F4 E867C00000 call 0045D860 and the declaration of CreateFile is this one : HANDLE CreateFile( LPCTSTR lpszName, // address of name of the file DWORD fdwAccess, // access (read-write) mode DWORD fdwShareMode, // share mode LPSECURITY_ATTRIBUTES lpsa, // address of security descriptor DWORD fdwCreate, // how to create DWORD fdwAttrsAndFlags, // file attributes HANDLE hTemplateFile // handle of file with attributes to copy ); So we want to change fdwShareMode located at 004517E6. Let's do this : :004517E6 6A01 push 00000001 And our problem is solved, we can now read winsys while wdasm is running. adynts.


You are deep inside reverser's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
search_forms mailFraVia
Is reverse engineering illegal?