Register Modfying - a must read for every cracking newbie.


My personal advice to you - don't read this off your computer screen! Use your printer.

Index

0. Disclamer
1. Introduction
2. What you need
3. Analising the program
4. Disassembling the program
5. Cracking the program
6. Conclusion

0. Disclaimer:

I created this tutorial for informational purposes only! Much of the information in this document can be used to perform illegal activities! Don't attempt to do anything stated in this document! If you do attempt to do anything, you are solely and fully responsible for what you do! If you get caught and get in any kind of trouble, it's your own fault! If you intend to use this information to impress your friends, leave it and grow up! If you don't agree to this, do not read any more! If you crack a program, and either sell the crack or offer it for free, it is a crime!

1. INTRODUCTION:

Hi everyone! I'm back! Ready for another Cracking tut? Hope so...

Today we're going to learn a new skill - it's called "register modifing". To learn this new technique we're going to crack a program we all know: NOTEPAD! Yes Notepad, yes the one from Windowz, yeah that's the one. You're probably thinking what the hell has Notepad to crack. Nothing better than to keep on reading this tutorial!

C ya in the next section.

2. WHAT YOU NEED:

  • WDasm disassembler (I'll assume you've got it from the previous tutorials)
  • Hiew (I'll assume you've got it from previous tutorials)
  • My version of Notepad, so that we're all cracking the same program
    (can be found at: members.xoom.com/dumpster66/notepad.exe) if the link does not work, use your own notepad.exe

3. ANALISING THE PROGRAM:

Before you change the program you'd better make a backup of it.

Well, lets think... Know when we open those big text files (bigger than let's say, 100kb)? Have you tried it yet? Well notepad delivers us a message saying:


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This file is too large for Notepad to open
Would you like to use WordPad to read this file?
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

What we're going to do is to eliminate this messagebox and make it go directly to WordPad. To do this we'll learn that new technique I've talked to you about: Register Modifying.

4. DISASSEMBLING THE PROGRAM:

Let's get started. Copy "my" NOTEPAD.EXE to your Windows directory (possibly C:\WINDOWS). Open a big text file (bigger than 100kb). See that message I've been talking about? Write it down.

Now let's open Wdasm and disassemble NOTEPAD.EXE. Done? That was quick :)! Let's search in the program's String Data References. Go to the menu "Refs" and choose "String Data References". This lets us know all the messages that are displayed by the program. Search through all those strings... Found something? I knew you would! Yes that's it:

String Resource ID=00052: "This file is too large for Notepad to open. Would you like t"

Double click on it to go to its location.

--------------------------- NOTEPAD.EXE -----------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:004024C5(C)  
|  
* Possible Reference to String Resource ID=00052: "This file is too large for Notepad to open Would you like t"
  |
:004024DF 6A34 push 00000034

--------------------------- NOTEPAD.EXE -----------------------------

This is where you should've landed. Now let's think a bit. If we were to modify that Conditional Jump at adress: 004024C5, we'd probably make Notepad think that the file we opened was under 100kb. That isn't what we want to do. That could probably interfer with Windows's memory and it already runs bad enough by itself, it doesn't need any help :).

What we'll do is to find the messagebox that Notepad displays and just make the program run without the message. So let's get to work!

Go to the "Functions" menu and choose "Imports". What the hell! What are these things? These are just functions that Windows has and that Notepad imports to make the prog run. Now go half way down in the list until you reach the functions that start with "USER32". Found them? Good. Now scroll down the list and you'll find a functions that has the following name: "USER32.MessageBoxA".

"USER32.MessageBoxA" is a very well know Windows function. It's one of the most important functions for crackers. It basically responsible for calling messageboxes where messages are displayed. This is the type of window that Notepad called for our message. Double click on it.

Now you're probably asking why the hell did we first go and find the message and then go to look for the message box? It's quite simple. Notepad calls lots of messageboxes so we couldn't just go looking at all of them! We had to find first the place where the message was loaded and then we double clicked on "USER32.MessageBoxA" to go to the next location where a messagebox was called. That way we're certain that we've got the right messagebox!

--------------------------- NOTEPAD.EXE -----------------------------

* Reference To: USER32.MessageBoxA, Ord:0176h
  |
:00402D61 FF1530744000 Call dword ptr [00407430] (We landed here!)
:00402D67 83F806 cmp eax, 00000006
:00402D6A 0F85A9000000 jne 00402E19
:00402D70 6804010000 push 00000104
:00402D75 8D85B8FEFFFF lea eax, dword ptr [ebp+FFFFFEB8]
:00402D7B 50 push eax

--------------------------- NOTEPAD.EXE -----------------------------

Now let's take a look at this code snippet. This is the location where the program calls the messagebox and runs WordPad or Exits, depending on our choise.

Take a good look. First, at adress "00402D61", the program calls the messagebox, then at adress "00402D6A" it jumps and exits if "EAX" isn't "00000006". So what we'll do is remove the messagebox calling at "00402D61" and remove that jump at "00402D6A" so that the program will always call WordPad. We'll remove using the new technique called register modifying :).

Highlight the "Call" at adress "00402D61" and take note of the offset location (its that number on the bottom of your screen after "@Offset..."). Now do the same thing for the "jne" at adress "00402D6A". You have now 2 numbers written down. You can now close Wdasm.

Now for the cracking... :))))

5. CRACKING THE PROGRAM:

Open NOTEPAD.EXE in Hiew. Press "F4" and choose "Decode", Press "F5" (to Go to location...), and write: "2161" (the first offset location you took note of). Press "F3" to Edit and write: "404840484048" (I'll explain later in the Conclusion why...). Press "F9" to Update. You've eliminated the messagebox, now all you need to do is to get rid of that "jne" instruction.

Press "F5" and write: "216A" (the second offset location you took note of). Press "F3" to Edit and write: "404840484048". Press "F9" to update. You've finished cracking Notepad!

Try and open a big text file (bigger than 100kb). What? I goes directly to WordPad? Great! We've done it :)!

Now read the Conclusion to know about all those 40's and 48's...

6. CONCLUSION:

We finally finished cracking Notepad. You must be certainly asking why all this trouble just to crack a program that didn't need cracking in the first hand? Here's the explanation.

Let's learn a little bit of HEX language:

40 (in HEX) ----stands for----> "inc eax"
48 (in HEX) ----stands for----> "dec eax"
90 (in HEX) ----stands for----> "nop" (nothing happens when 90 is written)

So what we did to remove those two instructions (the "CALL" and the "JNE") was to increase by 1 register "EAX" and, right after, decrease it by 1. In the end everything was the same (put 1, take 1, put 1, take 1, etc...). This made it possible to remove the "CALL" and the "JNE" instruction.

But why the hell go through all that trouble if you could simply write "90"s to remove those 2 instructions? Well, the reason is that there are some programs that look inside theirselfs checking to see if there are 90's (nop instructions) inside them and, if there are any they just won't work. This is a nice work around that checking. Just in case your curious, Notepad doesn't make this check. Conclusion: never use the "NOP" instruction; just if you really need to...

By the way, I didn't do any patch for this because I don't think it's of any use but, in case you want to, feel free to do one (consult my prevous tutorial in order to learn how to use the patch engine).


C ya !

Credits


written by SiFu (contact by email)
version 1.0, 15/03/2000