Windows Power-User Series
How to Crack Software by Modifying DLL Files. Have you ever wanted to learn how a program protects itself from being copied? With the right tools, you can examine the inner workings of a program and look at how the copy protection works.
Note: The Notepad programs in Windows™ NT/2000/XP can open any size file! Obviously, many Win 95 and 98/98SE users become a bit upset with M$ upon learning that NT users have never had to deal with a nag screen in their NOTEPAD programs!
If you attempt to open a file with Notepad that is larger than about 64 kb, you'll see a pop-up window like this:
Well, duh! is the first reaction of most people that have to deal with this. They went through the trouble of clicking on the filename to see its contents, so why wouldn't they still want to see them even if they had to use WordPad? Well, as it turns out, if you try to open an executable (program file) in WordPad, it refuses to do so! (One reason, I assume, MS added the warning.)
Most Power Users, however, not only know the size of the files they want to open but whether or not they're executables too, so why should they have to bother with this 'Nag screen' to see the contents of large text files? Furthermore, I'll also show you how to change the editor Notepad calls so you can open large executable files! Follow my instructions here (or run one of the patch programs listed below) and you'll never have to hassle with this again!
Program Operation
Buried deep inside the code of Notepad (a 32-bit Windows program) is an instruction which causes the ' Error ' window to pop-up on your screen. In Assembly language, this 32-bit instruction code would be:
Call DWORD ptr [00xxxxxx] (where the six x's stand for an actual memory location that depends upon which version of Windows you are running; more about this later.)
Instead of running some code inside its own program though, Notepad uses another Windows program called USER32.DLL to pop-up the window known as 'MessageBoxA', and then USER32 passes some info back to Notepad telling it which one of the two buttons you pressed. After it checks the data you entered, Notepad either keeps the file from being opened and closes itself too (because you pressed 'No'), or passes info about the file you want opened to WordPad (because you pressed 'Yes'). Therefore, we need to do two things: make sure the Error window never pops-up again, and cause Notepad to always use WordPad (or some other editor!) when a file is too large for Notepad to open.
On my Windows 95 ' B ' machine (see TABLE below for other versions), the relevant lines of code (after being placed into memory ) are:
00402D61 FF1530744000 Call dword ptr [00407430]
00402D67 83F806 cmp eax, 00000006
00402D6A 0F85A9000000 jne 00402E19
The last instruction above causes program execution to jump to a section of code which shuts-down Notepad ( it only jumps there if you pressed the 'No' button). So, this hack is actually quite easy: We'll replace the first and third instructions above with some others that essentially do nothing.
[ Note: You can NOT simply delete instructions from a program that has already been compiled into code! If you do, one of the 'Jump instructions ' will cause execution to start at the wrong location in the code and that will very likely LOCK-UP your system; requiring a cold reboot!]
There are six bytes in each of the two instructions above which must be replaced. We could use a 90 hex ('No Operation' or NOP) for each byte, but a good hack should be a bit more elegant than that. So we'll replace them with strings of push and pop and inc and dec instructions instead (see the pics below).
( If you want to see what the patch strings look like in Assembly code, or if you want to see larger sections of the code produced by a sophisticated Debugger program for both Win 95 and 98/98SE, then click here for the code lines.)
These Patches are One Way only -- You should make a Copy of the Original File so you can refer to it if necessary (Use 'Copy' and 'Paste' to create a 'Copy of...' file in the same folder; never change the name of the original NOTEPAD files directly!!!).
Operating System | Notepad.exe Date/Time | File Size (Bytes) | Download |
Windows 95 B (OSR2) | 08-24-96 11:11a (CRC = 015444c6) | 34,304 | NP9520.ZIP (only 3.5 kb) |
Windows 98 | 05-11-98 08:01p (CRC = b4daaf81) | 53,248 | Use the Patch NP98SE.ZIP below... |
Windows 98 (SE) | 04-23-99 10:22p (CRC = e55b4071) | 53,248 | NP98SE.ZIP (only 3.5 kb) |
Windows ME | 06-08-00 05:00p (CRC = ff7887ee) | 53,248 | Apparently _not_ necessary! |
Windows ? | ? | ? | ? |
Making the changes to Notepad Yourself
If you want to hack Notepad manually, you'll need a Hex Editor. If you do not have one of your own (such as UltraEdit), you can read my review of a FREE Hex Editor here at The Starman's Realm: Frhed - Free Hex Editor. Or download 'Frhed' right now from its author at:
You should always make a backup copy of your original program. Either store a copy of NOTEPAD.EXE in a folder just for backup files, or keep a copy of the original program in the same folder using a different extension-name like .SAV for example. (You could open the C:>Windows folder in an Explorer window, find Notepad.exe and right-click on it, choose 'Copy' from the menu and then 'Paste' it into the same folder. Since it already exists, Windows will rename your copy to 'Copy of Notepad.exe' instead. Then you can rename this file to: NOTEPAD.SAV -- ready to use if anything should go wrong.)
Open Notepad.exe in your Hex Editor and go to the location listed in the TABLE below for your operating system. ( If it's NOT listed there, you can write to me using this online reply form.) If you opened Notepad in Frhed, you can use the menu ' Edit --> Go To ' (or just press CTRL + G ) to get a box like this:
( Check the TABLE below for your version of NOTEPAD and enter the hex digits listed under 'Location (Hex)' -- prefixed with an ' x ' -- and Frhed will place the cursor on the first byte of the string of digits that need to be changed.)
Operating System | Notepad.exe Date/Time | File Size (Bytes) | Location (Hex)
Windows 95 B (OSR2) | 08-24-96 11:11a | 34,304 | 02161
    Before: 02161: ff 15 30 74 40 00    0216a: 0f 85 a9 00 00 00
    After : 02161: 52 5a 53 5b 56 5e    0216a: 42 4a 43 4b 46 4e
Windows 98 | 05-11-98 08:01p | 53,248 | 033b1
    Before: 033b1: ff 15 a8 64 40 00    033ba: 0f 85 a7 00 00 00
    After : 033b1: 52 5a 53 5b 56 5e    033ba: 42 4a 43 4b 46 4e
Note: Although the file above and the one below appear to be the same, about 130 of the bytes have different contents. The only way to know for sure if two files are exactly the same is to use a file comparison program (at a DOS prompt enter: fc /b file1 file2) or to compare the MD5 sums of each file.
Windows 98 (SE) | 04-23-99 10:22p | 53,248 | 033b1
    Before: 033b1: ff 15 a8 64 40 00    033ba: 0f 85 a7 00 00 00
    After : 033b1: 52 5a 53 5b 56 5e    033ba: 42 4a 43 4b 46 4e
Windows ? | ? | ? | ?
    After : ?: 52 5a 53 5b 56 5e    ?: 42 4a 43 4b 46 4e
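The table above lists a CRC for each untouched NOTEPAD.EXE, and the note recommends `fc /b` or a hash comparison to tell two builds apart. The script below is an added example, not code from The Starman's Realm: it computes the CRC-32 and SHA-256 of a file image, checks the CRC against a recorded value, and reports every differing byte the way `fc /b` does, collapsed into runs so that a six-byte edit shows up as one line. It operates on a constructed image (zero filler with the page's Windows 95 B "Before" bytes at offset 02161 and a second copy with the "After" bytes), not on a real Notepad, and the expected CRC it checks against is computed from that constructed original rather than taken from the table.

```python
import binascii
import hashlib
from typing import List, Tuple

# Constructed stand-ins for the two files: a zero-filled image with the page's
# Windows 95 B "Before" instruction bytes at offset 0x2161, and the same image
# with the page's "After" bytes written over them. Not real NOTEPAD.EXE data.
PATCH_OFFSET = 0x2161
BEFORE = bytes.fromhex("ff1530744000" "83f806" "0f85a9000000")  # call / cmp / jne
AFTER = bytes.fromhex("525a535b565e" "83f806" "424a434b464e")   # call and jne replaced, cmp untouched


def build_sample(body: bytes, size: int = 0x2200) -> bytes:
    """Constructed file image: zero filler with `body` placed at PATCH_OFFSET."""
    image = bytearray(size)
    image[PATCH_OFFSET:PATCH_OFFSET + len(body)] = body
    return bytes(image)


ORIGINAL = build_sample(BEFORE)
PATCHED = build_sample(AFTER)


def crc32_hex(data: bytes) -> str:
    """CRC-32 as eight lowercase hex digits, the form used in the table above."""
    return f"{binascii.crc32(data) & 0xFFFFFFFF:08x}"


def sha256_hex(data: bytes) -> str:
    """Collision-resistant digest; prefer this over CRC-32 or MD5 when recording known-good files."""
    return hashlib.sha256(data).hexdigest()


def byte_diff(a: bytes, b: bytes) -> List[Tuple[int, int, int]]:
    """Like `fc /b`: every offset where the two images differ, with both byte values."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    return [(off, x, y) for off, (x, y) in enumerate(zip(a, b)) if x != y]


def diff_runs(diffs: List[Tuple[int, int, int]]) -> List[Tuple[int, int]]:
    """Collapse differing offsets into (start, length) runs, e.g. two 6-byte patches."""
    runs: List[Tuple[int, int]] = []
    for off, _, _ in diffs:
        if runs and runs[-1][0] + runs[-1][1] == off:
            runs[-1] = (runs[-1][0], runs[-1][1] + 1)
        else:
            runs.append((off, 1))
    return runs


def matches_known_crc(data: bytes, expected_crc: str) -> bool:
    """True when the image still has the CRC recorded for the untouched file."""
    return crc32_hex(data) == expected_crc.lower()


if __name__ == "__main__":
    known = crc32_hex(ORIGINAL)  # stands in for a recorded table value such as 015444c6
    print("original CRC", known, "patched CRC", crc32_hex(PATCHED))
    print("patched image still matches the known CRC?", matches_known_crc(PATCHED, known))
    for start, length in diff_runs(byte_diff(ORIGINAL, PATCHED)):
        print(f"{length} bytes differ starting at offset {start:05x}")
```

Run against real files, the same functions work on `open(path, "rb").read()`; the size check in `byte_diff` is deliberate, since a patched Notepad that changed length would be a sign of something other than the in-place edits described here.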
Editing Notepad.exe in Frhed
Using The GUN or PFE32 (or any other editor) instead of WordPad for opening >64kb Files
NOTE: For this to work correctly, you must place the Editor that you want to use in your C:\WINDOWS folder and its filename must NOT have any non-DOS characteristics! For example, if you wanted to use an editor named 'MyEditProg.exe' you must first rename it to a DOS filename such as 'MYEDITOR.EXE', which is displayed as 'Myeditor.exe' in Explorer. If the filename was 'MyEditor.exe' (less than or equal to 8 characters plus 3 for the extension, yet having mixed case) I would still rename it to 'MYEDITOR.EXE' anyway to make sure it's accepted as a DOS filename. THEN: You must enter the new filename (as shown in the procedure below) into NOTEPAD using all lower-case characters. So, our example would appear as: m y e d i t o r . e x e inside of Notepad's program file. (I assume there's a routine in WINDOWS which swaps the case of these characters; it simply doesn't work if you try using the same case as the executable.)
Open Notepad.exe in your Hex Editor and hunt for the Unicode string ( in hex ): 0b 00 77 00 6f 00 72 00 64 00 70 00 61 00 If you are using Frhed, you can enter the following string into the ' Edit --> Find ' box like this:
(OK, to save new users a little time... Just copy the following text off the screen:
<bh:0b><bh:00>w<bh:00>o<bh:00>r<bh:00>d<bh:00>p<bh:00>a<bh:00>
Or, swipe your cursor across any string of zeros in Frhed and you'll get a bunch of <bh:00> tags in the Find box when you open it.) This short string will be found only once in the program and should allow you to find this one: '0b 00 77 00 6f 00 72 00 64 00 70 00 61 00 64 00 2e 00 65 00 78 00 65 00' (or: '0b 00 w 00 o 00 r 00 d 00 p 00 a 00 d 00 . 00 e 00 x 00 e 00').
On my Win 95B machine ( OSR2 or Version 4.00.1111 ), this string (starting with the 0b 00) begins at hex location 06c72 as seen in the following pic (see the TABLE below for the '..w.o.r.d.p.a.d...e.x.e.' string locations in other versions):
The hex byte 0b at the beginning of our string tells Windows how many of the following Unicode characters are used in the filename of the program Notepad passes the file info to! So, here's an example of how you can change the filename of 'wordpad.exe' to something with only 9 characters instead of 11 by changing the 0b to 09 (and then, of course, by also changing the first 9 characters of the filename; in this example we 'lucked out' and only need to change the first 8 characters since an 'e' remains the same: from 'w o r d p a d . ' to 'p f e 3 2 . e x ' ).
For The Gun, I decided to rename that program simply to GUN.EXE on my system, so I changed what I'll refer to as the control byte, 0b, to 07 (and then changed only the first 7 characters of wordpad.exe from 'w o r d p a d ' to 'g u n . e x e ' ).
For The Gun, I decided to rename that program simply to GUN.EXE on my system, so I changed what I'll refer to as the control byte, 0b, to 07 (and then changed only the first 7 characters of wordpad.exe from 'w o r d p a d ' to 'g u n . e x e ' ).
Since only the first 9 Unicode characters (18 bytes) are used (pfe32.exe), it doesn't really matter what you do with the last 2 characters (4 bytes) of the original 11 Unicode characters. You can simply leave them as they are (as in the pic above).
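The control byte described above is a count: Windows reads that many Unicode characters and ignores whatever follows, which is why the leftover 'x e' after pfe32.exe and the leftover '. e x e' after gun.exe do no harm. The parser below is an added example, not code from The Starman's Realm, that decodes such a counted string and shows which program a given image would hand a large file to. It assumes the count is a 16-bit little-endian value (the page only discusses the 0b byte; the 00 that follows it is read here as the high byte), and it works on a constructed image with the string placed at the page's Windows 95 B offset 06c72 rather than on a real Notepad. The `fits_in_place` check encodes the page's own constraints on a replacement name (no longer than the original, 8.3 DOS form, entered in lower case).

```python
import struct
from typing import Tuple

# Constructed image: zero filler with the page's counted UTF-16LE string at
# offset 0x6c72 (the Windows 95 B location it gives). Not real NOTEPAD.EXE data.
STRING_OFFSET = 0x6C72


def counted_utf16(count: int, chars: str) -> bytes:
    """Build a 16-bit little-endian count followed by the UTF-16LE code units of `chars`."""
    return struct.pack("<H", count) + chars.encode("utf-16-le")


# The page's three variants: the original, the pfe32.exe rewrite (count 9, the
# trailing 'xe' of the old 'exe' left in place) and the gun.exe rewrite (count 7).
ORIGINAL_STR = counted_utf16(11, "wordpad.exe")
PFE32_STR = counted_utf16(9, "pfe32.exexe")
GUN_STR = counted_utf16(7, "gun.exe.exe")


def build_image(entry: bytes, size: int = 0x7000) -> bytes:
    """Constructed file image with `entry` placed at STRING_OFFSET."""
    image = bytearray(size)
    image[STRING_OFFSET:STRING_OFFSET + len(entry)] = entry
    return bytes(image)


def parse_counted_utf16(buf: bytes, offset: int) -> Tuple[int, str]:
    """Decode the count and that many UTF-16LE characters; reject a count that runs off the buffer."""
    (count,) = struct.unpack_from("<H", buf, offset)
    start, end = offset + 2, offset + 2 + 2 * count
    if end > len(buf):
        raise ValueError(f"count {count} at offset {offset:05x} exceeds buffer")
    return count, buf[start:end].decode("utf-16-le")


def find_counted_string(buf: bytes, prefix: str) -> int:
    """Offset of the count field of a counted string whose text starts with `prefix`, or -1.

    This mirrors the page's Frhed search for '0b 00 w 00 o 00 r 00 d 00 p 00 a 00':
    locate the characters, then confirm the two bytes before them hold a plausible count.
    """
    needle = prefix.encode("utf-16-le")
    pos = buf.find(needle)
    while pos != -1:
        if pos >= 2:
            (count,) = struct.unpack_from("<H", buf, pos - 2)
            if count >= len(prefix) and pos + 2 * count <= len(buf):
                return pos - 2
        pos = buf.find(needle, pos + 1)
    return -1


def launched_program(buf: bytes, offset: int = STRING_OFFSET) -> str:
    """Name of the fallback editor the image would pass an oversized file to."""
    return parse_counted_utf16(buf, offset)[1]


def fits_in_place(original_count: int, new_name: str) -> bool:
    """The page's constraints: no longer than the original, 8.3 DOS form, lower case, ASCII."""
    stem, dot, ext = new_name.partition(".")
    return (len(new_name) <= original_count and dot == "." and 1 <= len(stem) <= 8
            and 1 <= len(ext) <= 3 and new_name == new_name.lower() and new_name.isascii())


if __name__ == "__main__":
    for label, entry in (("original", ORIGINAL_STR), ("pfe32", PFE32_STR), ("gun", GUN_STR)):
        image = build_image(entry)
        count, name = parse_counted_utf16(image, STRING_OFFSET)
        print(f"{label}: count={count:#04x} launches {name!r}; still contains wordpad string: "
              f"{find_counted_string(image, 'wordpa') != -1}")
```

Because the count governs how much of the string is read, `launched_program` on the pfe32 image returns 'pfe32.exe' even though the bytes 'x e' still follow it, which is exactly what the paragraph above describes; a count larger than the remaining buffer raises instead of returning garbage.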
Don't forget to rename a copy of the editor you choose in the WINDOWS folder.
Posted: July 16, 2000 (Revised: December 21, 2000. A few 'typo' errors corrected: 7 April 2003.)
Microsoft is a registered trademark, and the Microsoft Windows logos and screens are trademarks of Microsoft. The phrases 'Windows 95,' 'Windows 98,' 'Windows NT,' etc. may also be trademarks of Microsoft. All other logos or trademarks are owned or are property of their respective owner or owners.
Although I do try to help those in need when time permits, I am not responsible for any damage which may be caused by any software or information that you view or download from this web site, nor for any information obtained from or regarding the personal descriptions or opinions of others on pages that may be accessible from this page.
Hi folks, it's been a long time since I have posted something technical, so I will be writing about the challenge I got at NIT KU, where I cracked WinRAR 3.80 using a disassembler, and will tell you the same here. You can crack any version of WinRAR using this method and need not pay the registration fee, and you can do this all by yourself, easily. Furthermore, major software is cracked using the same way, but it just gets a bit more complex in the methodology. This tutorial is intended for those who are new to cracking and disassembling.
Disclaimer – By Reading this tutorial You agree that this tutorial is intended for educational purposes only and the author can not be held liable for any kind of damages done whatsoever to your machine, or damages caused by some other, creative application of this tutorial.
In any case you disagree with the above statement, stop here.
The Tools
To perform this hack you will be needing –
- Any Disassembler (I use Hacker's Disassembler and Hview)
- Resource Hacker
- A patch Creator ( Use Universal Patch Creator or Code fusion)
You will be able to get them by googling or you can download my set of tools provided.
How to Crack ?
You need to have a bit of knowledge of assembly language, and in case you don't have it, just cram the steps and it will work anytime, every time. Download the latest version of WinRAR from their website and install it.
I will be cracking WinRAR 3.80 here (cuz I already have it :P). This is basically a 2-step process (4 steps, if you want to do things with a professional touch, period).
Now copy the WinRAR.exe file to desktop. Make a copy of it there.
Step 1 – Hunting for Memory Address
Now load Hacker's Disassembler and load the copy in it.
The Disassembler will disassemble the executable in assembly code. Now you need to search for strings that are used in WinRAR program. Press Ctrl + F and type “evaluation” without quotes and search in the assembly code. Hit enter…
After you have reached this block of code by searching, just look at the block of code above it. There you will find that some assembly values are being compared and then code is jumped to some other function. Now see carefully: the "evaluation copy" function must be invoked after some specific condition is met. We need to look for it in the code and then make certain changes to the condition so that the program doesn't check for the condition.
In the above code you can see this code –
This is the code responsible for validating you as a legal user :) . Just note down the memory address that leads to jump (JNE) at some memory location. In this case, note down 00444B71.
Note : For any WinRAR version, this code and memory address might be different,but the JNE will be same. Just note down the respective memory address that checks.
Now you need to search for the code that brings that ugly nag screen “Please purchase WinRAR license” after your trial period of 40 days is over. For this,look over your toolbar and click on “D” which stands for looking for Dialog references.
Now in the dialog box that opens,search for “please” and you will get the reference as –
ID-REMINDER, “Please purchase WinRAR license”
Double click on it and you will reach the subsequent code.
The code will be something like
Just note the memory address that invokes the REMINDER dialog. In this case it's 0048731A. Note it down.
Note: For any WinRAR version, this code and memory address might be different. But the Reminder memory address code will always PUSH something. Just note down the respective memory address that PUSHes.
Step 2 – Fixing and Patching
Now in this step we will be patching up values of memory addresses we noted earlier. I will be doing this using HVIEW.
Now load the copy you disassembled in Hacker’s Disassembler in Hview.
After you have loaded it, you will see the code is unreadable. It's just like opening an EXE file in Notepad. You need to decode it. To do that, just press F4 and you will get an option to decode it. Hit DECODE and you will be able to see the code in the form of assembly code and memory addresses.
After you have done that, you need to search for the memory addresses you noted down earlier. Just hit F5 and a search box will be there. Now you need to enter the memory address. To do that, enter a "." and then type the memory address, leaving out the leading "00". The "." will suffice for "00", i.e. –
Type .444B71 in place of 00444B71
and search in the code.
After you have reached the respective code, you need to make changes to it. Press F3 and you will be able to edit the code. Now make the following changes –
After you have done it, save it by pressing F9.
Now search for next memory location by pressing F5 and entering it. Reach there and make the following changes by pressing F3 –
Save the changes by pressing F9 and exit HVIEW by pressing F10.
Congrats…You have cracked WinRAR :) Replace the original WinRAR.exe with this copyofwinrar.exe by renaming it. It will work 100% fine :P
Step 3 – Spicing up the EXE
Now U have a 100% working version of the EXE, you might want to change your registration information in WinRAR. To do this, you can use Resource Hacker.
Launch Resource Hacker, load the copyofwinrar.exe in it
Now go to DIALOG –> Expand tree –> ABOUTRARDLG and click it. Now Find Trial copy line and replace it with your favorite one :P
and click on Compile Script button.
Now save the file with any name on your desktop or any location whatsoever.
Now you have a fully patched WinRAR.exe file :)) you can either use it, or also can distribute it like a real cracker. If you want to learn that, move on to next step.
Step 4 – Creating a working Patch (or giving Professional touch :P )
I will be using diablo2oo2’s Universal Patcher (UPE) for creating the patch. The patch will work like any authentic one for that WinRAR version. Just like the one U downloaded at anytime of your life from any Crack and Keygen website.
Launch Patch Creator and click on add new project. Enter project Information and click on save.
Click on Add – > Offset patch
After you have done that, double click on offset patch and then
- Give path of original winrar.exe
- Give path of unmodified Winrar.exe (again)
- Give path for fully patched Winrar.exe (ie Cracked Winrar.exe in this case)
- Click on compare and it will show difference between both files
- Click on save.
Now in the next window, click on Create Patch and save it. The Patch will be created. Now copy it in WinRAR installation directory and hit on patch, it WILL
Congrats you have created a patch of your own and have learned to crack WinRAR :)
You can crack other software in the same way…just practice, debug and disassemble and you will get the way :)
[PS: The above is the long way to do it, I will be telling you the shortest way to crack WinRAR in just 1 step, the main aim of this tutorial was to introduce you to disassemblers and tools, and do some dirty work with your hand. ]
Cheers
Rishabh Dangwal is a freelance security consultant, technoblogger and a student pursuing engineering. His tastes include fiddling with every possible piece of computers and technology he could get his hands on and sharing them to the world.