Most stupid
Most stupid protections
Well, hope Sanity will agree with the small modifications I made, both to improve the readibility of this essay AND to take off the precise "identity" of the target. Anyone capable of using a search engine and interested enough to follow the reversing advices by Sanity will quickly be able to individuate the target, yet all the zombies looking for the "quick stealing crack" will have an hard time getting this particular prey.
Sanity's approach is a classical one (combining filemonitor and dead listing) and surely the fact that the programmers of this target used a routine named "_VerifyTryAndBuy" helps a lot (duh :-)
I would have welcomed a little more explanations about the reasons for the advice that Sanity gives us at the beginning and at the end of his essay: "Never but never ever patch a program unless its *the only way* to crack it!", actually patches are used all the time, when studying and reversing code and protection schemes. I would personally reverse Sanity's advice :-) "Never but never ever write a keygen for a program unless its *the only way* to crack it!"
==============================================================================
         *  CRACKING AN UNINSTALLER (BY SANITY) *
==============================================================================

                  CONTENTS:
                  ---------
       1) Intro.
       2) Crack Reqs.
       3) Cracking our target.
         3.1) Farewell Timetrial.
         3.2) G'bye Nag-Screens.
       4) Closing Words.


=============================================================================
     * PART 1: Intro. *
=============================================================================
                  
Our Uninstaller target is a package of 9 different service applications 
(Such as: Registry/Junk Files cleaning,Installation Monitor and more)
that let you maintain your system in a better,easier,faster way.
As mentioned in its package, this Uninstaller comes fully-functional 
but with a 14 day time-trial and some annoying nag screens.

Now,before we start I would to CLEAR something:
NEVER BUT NEVER EVER PATCH A PROGRAM UNLESS ITS *THE ONLY WAY* TO CRACK IT!

Ok,so let's start...


=============================================================================
     * PART 2: Crack Reqs. *

=============================================================================

For this cracking session you will need the following tools:
------------------------------------------------------------

.%. Our Uninstaller target
.%. W32Dasm v8.9 (everywhere on the web, either as regged tool or as "reggable" demo)
.%. Hacker's View v5.84 or any other *GOOD* hex-editor. [<a href="www.zencrack.org">www.zencrack.org</a>]
.%. a File Monitor (FileMon,WinExpose I/O,Monitor/RA..) [<a href="www.zencrack.org">www.zencrack.org</a>]
.%. a Brain. (Search for one on ALTAVISTA =)

NOTE: there is no use of S-ICE in this tut but it could be useful in 
      tracing the target.


=============================================================================
                   * PART 3: Cracking our target. *
=============================================================================
                  
Ok,after we're all set let's launch the program,try running some of the 
advanced features of Uninstaller and that lovely(? :) nag saying -
"Uninstaller blah blah NOT REGISTERED blah blah XX DAYS LEFT" appears.
at this point what I first check is if there a Register Box or anything but I 
could'nt find any. So I terminated Uninstaller's session and launched
FileMon and ran Uninstaller again... and the following line just popped
in front of me:

2710  Uni   FindNext    C:\WINDOWS\SYSTEM\*.*       SUCCESS   WPUIVIE.DRV

Using our editor to view WPUIVIE.DRV inside \WINDOWS\SYSTEM shows that this
file contains all the info: when we installed Uninstaller, last time used,
etc..
This means that dead-listing the program and finding a ref. to WPUIVIE.DRV
would lead us straight into the "NAG+TIME-TRIAL" routine.

                   3.1) Farewell Timetrial:
                   -------------------------
    You should remember that the nag only appears on advanced features,
    this means you won't have to disassemble the main app. but only one
    of the advanced features app. (coz the nag routine is probably being
    called from a file which all the "advanced features" apps. will use!)
    To be sure of what I was doing I disassembled all of the adv. features
    apps. although i hav'nt found a ref. to WPUIVIE.DRV I've found that 
    every single one of them uses a DLL named UNITNB.DLL (weird filename?
    hmm.. does this stands for "UNINSTALLER TRY&BUY".. who knows? :)
    I was sure it contains the protection after I've found this:

    * Possible StringData Ref from Data Obj ->"UNITNB.DLL"
           |
    :00401030 6804F14000              push 0040F104  ;this pushes UNITNB on stack
    :00401035 FFD5		      call ebp       ;this call links the UNITNB lib.
    :00401037 85C0		      test eax, eax  ;check if successfully linked UNITNB.
    :00401039 0F844C020000            je 0040128B    ;failed to link - get out the func.

    * Possible StringData Ref from Data Obj ->"_VerifyTryAndBuy@4" ; huh? Nice name... 
           |
    :0040103F 68F0F04000              	push 0040F0F0;push on stack
    :00401044 50  			push eax;^^

    * Reference To: KERNEL32.GetProcAddress, Ord:0116h
           |
    :00401045 FF154C944100      Call dword ptr [0041944C]  ;call _VerifyTryAndBuy from UNITNB
    :0040104B 85C0		test eax, eax              ;check for success
    :0040104D 0F8438020000      je 0040128B                ;if we fail goto 40128b.

    Ok,so all there's left is to disassemble UNITNB.DLL and nuke the timetrial
     
     * Possible StringData Ref from Data Obj ->"\"
           |
     :10001308 684CD00010              	push 1000D04C
     :1000130D 51  			push ecx
     :1000130E FFD6			call esi
     :10001310 8D542410                	lea edx, dword ptr [esp+10]

     * Possible StringData Ref from Data Obj ->"system\wpuivie.drv"
           |
     :10001314 6838D00010              	push 1000D038
     :10001319 52  			push edx
     :1000131A FFD6			call esi
     :1000131C 8A442410                	mov al, byte ptr [esp+10]
     :10001320 84C0		       	test al, al
     :10001322 750E			jne 10001332
     :10001324 83C8FF                  	or eax, FFFFFFFF
     :10001327 5F  			pop edi
     :10001328 5E  			pop esi
     :10001329 5D  			pop ebp
     :1000132A 5B  			pop ebx
     :1000132B 81C48C010000            	add esp, 0000018C
     :10001331 C3  			ret

     jumping to 10001332 and tracing a bit down gives us a time trial routine.


     * Reference To: KERNEL32.OpenFile, Ord:01AFh
           |
     :1000135E FF15C8310110     Call dword ptr [100131C8] ;open file
     :10001364 33F6		mov esi, eax              ;eax contains the num of days left.
     :10001366 83FEFF           cmp esi, FFFFFFFF         ;if esi==-1 then it expired!
     :10001369 7417		je 10001382               ;give us the right msg.

     hmm... mov esi,eax and then cmp esi,FFFFFFFF? Hey I can change mov esi,eax to
     xor esi,esi and, once I have done it, esi will contain a permanent value of ZERO!

     Ok,I patched the dll (at offset 766h) and ran Uninstaller and Voila the time-trial
     counter remains STUCK on 0.. :)
     after this all that remains is to nuke the nags...

                   3.2) G'bye Nag-Screens:
                   ------------------------
     Notice that the nag-screens contain an Uninstaller logo this
     means that I should look for DialogBoxParamA in UNITNB.DLL
     searching for it gets the cursor inside an interesting function
     called "_VerifyTryAndBuy" (Remember?) .

     Exported fn(): _VerifyTryAndBuy@4 - Ord:0004h	; note the silly name
     :10001873 6A05			push 00000005
     :10001875 6800005940               push 40590000
     :1000187A 56  			push esi
     :1000187B 6800002E40               push 402E0000
     :10001880 56  			push esi
     :10001881 E88AF7FFFF               call 10001010
     :10001886 85C0			test eax, eax
     :10001888 7427			je 100018B1	; jump to "will expire"
     :1000188A 7E48			jle 100018D4	; get out
     :1000188C 83F803                   cmp eax, 00000003;
     :1000188F 7F43			jg 100018D4	; get out
     :10001891 8B442408                	mov eax, dword ptr [esp+08]
     :10001895 8B0D08090110            	mov ecx, dword ptr [10010908]
     :1000189B 56  			push esi
     :1000189C 68401A0010              	push 10001A40
     :100018A1 50  			push eax

     * Possible Reference to Dialog: DialogID_0066 	; "has expired!"
           |
     :100018A2 6A66			push 00000066
     :100018A4 51  			push ecx
     
     * Reference To: USER32.DialogBoxParamA, Ord:008Eh	; <-put the nag on!.
           |
     :100018A5 FF15E0320110            	Call dword ptr [100132E0]
     :100018AB 8BC6			mov eax, esi
     :100018AD 5E  			pop esi
     :100018AE C20400                  	ret 0004

     after examining this function for about 5 min. I got to the conclusion
     that the only reasonable thing to do is just to "ret 0004" at the
     beginning of this function.

     back to our editor,and patching at offset c70 will give us the
     full nag-screens-free-no-time-trial version!.. 


=============================================================================
 * PART 4: Closing Words. *

=============================================================================   

     Well, I would like to apologize for bad english,grammar,etc..
     I can be contacted on EFnet IRC on #cracking4newbies,or just
     mail me - san337y(at)biosys(dot)net.

     Before I go,I would like to repeat what I've said earlier in this
     tut.

"NEVER BUT NEVER EVER PATCH A PROGRAM UNLESS ITS *THE ONLY WAY* TO CRACK IT!"

You'r deep inside reverser's pages of reverse engineering, choose your way out
Most stupid
Most stupid protections

homepage links redanonymity +ORC tools counter measures
students' essays cocktails search_forms antismut mail_reverser
Is reverse engineering legal?