Cracking Tutorial - Part 3
01/02/2000
Tutorial done by: SiFu
http://blacksun.box.sk

Index

0. Introduction
1. Disclaimer
2. Programs needed
3. Cracking Opera Browser 3.61:
   3.1. Running the program
   3.2. Disassembling the program
   3.3. Understanding and locating the "cracking zone"
   3.4. Cracking the program
   3.5. Making a patch
4. Conclusion

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

0. Introduction

Hi everyone. In this tutorial we'll attempt to crack OPERA BROWSER 3.61. Hopefully, we'll succeed :-). You'll also get to fiddle a little with W32Dasm and HIEW. In the end, if you get lucky, we'll make a little patch for OPERA (just joking, of course we will!).

"Opera is a World Wide Web client, i.e. a program for retrieving information on the World Wide Web via documents created with the HyperText Markup Language (HTML)."

Let's get started...

1. Disclaimer:

I created this tutorial for informational purposes only! Much of the information in this document can be used to perform illegal activities! Don't attempt to do anything stated in this document! If you do attempt to do anything, you are solely and fully responsible for what you do! If you get caught and get in any kind of trouble, it's your own fault! If you intend to use this information to impress your friends, leave it and grow up! If you don't agree to this, do not read any more! If you crack a program, and either sell the crack or offer it for free, it is a crime!

2. PROGRAMS NEEDED

Before you get started, you'd better get the following programs:

WDASM and HIEW
I'll assume you've already got them from previous BSRF tutorials :)...

OPERA BROWSER 3.61: can be found at: [members.xoom.com/dumpster66/opera361.zip]

RTD_PATCH: needed to make the patch! Can be found at: [members.xoom.com/dumpster66/patcher.zip]

3. CRACKING OPERA BROWSER 3.61

3.1. Running the program
------------------------
Run the program.
When the program starts it pops up a nag (annoying) screen giving you 3 options:
-------------------------
Evaluate
Purchase
Register
-------------------------
Forget EVALUATE and PURCHASE for the time being, as you can probably guess where they lead to :-)

Let's try and see what the program says when we click on REGISTER. It pops up a registration screen! Let's try and enter some bogus information. What happens? A screen pops up saying that the information you've entered is invalid? Darn! Must have done something wrong :-)!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.2. Disassembling the program
------------------------------
Let's get on with phase 2 (using our beloved W32DASM!). Go to the directory where you installed OPERA and copy the file OPERA.EXE to your desktop. Run WDASM and click on OPEN FILE TO DISASSEMBLE, choose the file you have copied to your desktop and click on OPEN. Now go for a drink, because this might take a short while...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.3. Understanding and locating the "cracking zone"
---------------------------------------------------
Back? OK! Hopefully your computer has now finished the disassembly of OPERA.EXE. Before you continue, save this project file so that you don't have to disassemble the program every time you want to look at its source code.

Remember when I asked you to click on REGISTER? Well, remember the message it gave you when you entered that bogus information? You don't? Then run the program, click REGISTER, enter some information and write down the message it gives you (something like: THE REGISTRATION INFORMATION YOU'VE ENTERED IS INVALID...).

Now let's go back to WDASM. Click on SEARCH, FIND TEXT and write "the registration information" (without the "s) and click on SEARCH (this will look for all the references that include the 3 words above). Darn! The program says "Text {the registration information} Not found". Dead end...
But WAIT! Run the program... Run it again... and again... Haven't you noticed anything??? Before we enter the program a screen pops up saying:
------------------
Opera 3.61
Copyright ...
Registered to: (unregistered)
------------------
Notice that little line saying "(unregistered)"? That means the program checks to see if it's registered! Why don't we try to crack the program where the registration check is done instead of the place where we enter the registration info?!

Get back to WDASM (where the opera.exe disassembly is) and select SEARCH, FIND TEXT and search for "(unregistered)" (without the "s). It stops a first time, which means that the search string was found (we'll ignore this finding, believe me, it leads nowhere!). Click on FIND NEXT. Found another one? Good, because this one is the one we're going to focus on...

---------------Source code of OPERA.EXE--------------------
:00495F86 68262B0000   push 00002B26
:00495F8B FF7508       push [ebp+08]
:00495F8E FFD6         call esi
==>:00495F90 393D64005300 cmp dword ptr [00530064], edi
==>:00495F96 752A         jne 00495FC2
:00495F98 68FF000000   push 000000FF
:00495F9D 8D85C4FEFFFF lea eax, dword ptr [ebp+FFFFFEC4]
:00495FA3 50           push eax

* Possible Reference to String Resource ID=21428: " (unregistered)"   (WE LANDED HERE!)
                                  |
:00495FA4 68B4530000   push 000053B4
:00495FA9 FF3570FA5200 push dword ptr [0052FA70]
:00495FAF FFD3         call ebx
:00495FB1 8D85C5FEFFFF lea eax, dword ptr [ebp+FFFFFEC5]
:00495FB7 50           push eax
-------------------------END OF CODE------------------------

Have a look at the 2 lines that have an arrow pointing to them. Notice what the program does. It checks if the value in "dword ptr [00530064]" is the same as the one in register "edi". If the values are not the same, it jumps away from the "(unregistered)" notice (and that's exactly what we want!). So what shall we do? I know! Let's try and search for the place where the program fiddles with "dword ptr [00530064]"!
Press HOME (on your keyboard) so that you get back to the beginning of the disassembly. Click SEARCH, FIND TEXT and search for "dword ptr [00530064]" (without the "s!!!)... Look! We found a place where the program messes around with "dword ptr [00530064]":

---------------Source code of OPERA.EXE--------------------
:00495DFE FF150C045100 Call dword ptr [0051040C]
:00495E04 50           push eax
:00495E05 56           push esi
:00495E06 E80ACCF8FF   call 00422A15
:00495E0B 83C414       add esp, 00000014
:00495E0E 8D8DE8F2FFFF lea ecx, dword ptr [ebp+FFFFF2E8]
:00495E14 E85D650200   call 004BC376
:00495E19 8D8DE8F2FFFF lea ecx, dword ptr [ebp+FFFFF2E8]
==>:00495E1F E8C3630200   call 004BC1E7
:00495E24 3BC7         cmp eax, edi
==>:00495E26 A364005300   mov dword ptr [00530064], eax
:00495E2B 68BC040000   push 000004BC
:00495E30 7415         je 00495E47
:00495E32 8D85E8F2FFFF lea eax, dword ptr [ebp+FFFFF2E8]
:00495E38 50           push eax
:00495E39 8D8508FAFFFF lea eax, dword ptr [ebp+FFFFFA08]
:00495E3F 50           push eax
:00495E40 E8DB470500   call 004EA620
:00495E45 EB0D         jmp 00495E54
-------------------------END OF CODE------------------------

I can feel it! We're on the right track :-)! Have a look at the 2 lines I put the arrows pointing to. The 2nd one is where the program stores a value inside "dword ptr [00530064]", but right before that a very suspicious CALL is made... Highlight the line "call 004BC1E7" and click EXECUTE CALL. Whoa! We're inside the protection HQ!
Let's have a look at what we have here:

---------------Source code of OPERA.EXE--------------------
* Referenced by a CALL at Addresses:
|:0045C202 , :00495E1F
|
:004BC1E7 8D8138010000 lea eax, dword ptr [ecx+00000138]
:004BC1ED 85C0         test eax, eax
==>:004BC1EF 741A         je 004BC20B
:004BC1F1 803800       cmp byte ptr [eax], 00
==>:004BC1F4 7415         je 004BC20B
:004BC1F6 81C190030000 add ecx, 00000390
:004BC1FC 51           push ecx
:004BC1FD E8A647FDFF   call 004909A8
:004BC202 85C0         test eax, eax
:004BC204 59           pop ecx
==>:004BC205 7404         je 004BC20B
==>:004BC207 6A01         push 00000001
:004BC209 58           pop eax
:004BC20A C3           ret
-------------------------END OF CODE------------------------

The first 3 arrows point to 3 conditional jumps. If one of these jumps is taken, the program will assume it's unregistered (so we'd better not let the program do that!). The 4th arrow points to "push 00000001", which (via the "pop eax" that follows) puts the value 1 inside register EAX and, eventually, inside "dword ptr [00530064]". This means that if the program gets to the PUSH instruction, it will assume that it's registered! So let's make it do that! Let's change the "je 004BC20B" instruction at address ":004BC1EF" to a jump that goes directly to the PUSH instruction.

Highlight the first jump at address ":004BC1EF" and look at the bottom part of your screen. See that "@Offset 000BC1EFh"? Write that number down.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.4. Cracking the Program
-------------------------
With HIEW, open the OPERA.EXE file (the one located in the directory where you installed Opera, not the one copied to your desktop). Press F4 and choose "decode". Now press F5 and write the offset location - "000BC1EF" (without the "s, and forget about the "h" on the end, because it just stands for HEX). Press ENTER to get to the location. Bingo! Press F3 (to edit) and F2 (to give instructions in ASM). A nice little window should pop up!
Delete the crap written there and write the line below, pressing ENTER right after:
"jmp 000BC207"
(without the "s, and where "000BC207" is the offset location of the PUSH instruction)

Press ESC. Press F9 to update and F10 to quit HIEW. Let's give Opera a test run, just in case we actually cracked it :-). Voilà! We cracked it! It thinks it's registered! Good!

Now, we won't want to go through all this trouble every time we want this prog registered, do we? So why not make a PATCH? Read on to find out how...

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

3.5. Making a patch
-------------------
First of all, you'd better copy the original OPERA.EXE to C:\. It will make things easier for the patch. Run the DOS COMMAND LINE in Windows and change to the directory where you installed RTD_PATCH. Now type the following line:
-----------------------------------------------------------------
RTD_PATC "location of original EXE" "location of cracked EXE" /X
-----------------------------------------------------------------
Follow the on-screen instructions and there you are! You've got a PATCH for Opera 3.61!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

4. Conclusion

In this tutorial we learned a different way to approach the program we want to crack. Remember that cracking is all about being versatile, and you should keep your eyes wide open looking for the protection's "weak spots". Also, if you plan on continuing to use Opera Browser, please register it, because it's the best browser out there, and its programmers deserve to be rewarded with your money.

C ya!
SiFu

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
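Added example (editor's addition, not part of SiFu's tutorial and not Opera's or RTD_PATCH's code): the jump lines in sections 3.3 and 3.4 and the byte-diff patch in 3.5 both come down to a few bytes at a known file offset. The script below decodes the short jumps copied from the W32Dasm listing (`74 rel8` je, `75 rel8` jne, `EB rel8` jmp; target = address of the next instruction + signed rel8) and checks that the computed targets agree with what W32Dasm printed, then does the defender-side counterpart of section 3.5: compare a suspect image against a pristine copy, list the offsets that differ, and verify that the `741A` conditional jump at the registration check is still in place. Assumptions: the file-offset relationship `offset = VA - 0x400000` is inferred from the two offsets the tutorial quotes (`@Offset 000BC1EFh` for `:004BC1EF` and `000BC207` for `:004BC207`); the byte buffers are constructed here, not read from a real OPERA.EXE; `RTD_PATC` itself is not reimplemented.

```python
"""Decode the tutorial's short jumps and check a binary image for tampering at the
registration check. Editor's added example; listing lines are copied from the
tutorial, byte buffers are constructed, VA-to-offset mapping is an assumption."""
import hashlib
import re
from typing import List, Tuple

# rel8 jump opcodes that appear in the tutorial's listings
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}

# Lines copied from the tutorial (W32Dasm format: ":VA bytes mnemonic target")
LISTING = """
:00495F96 752A jne 00495FC2
:00495E45 EB0D jmp 00495E54
:00495E30 7415 je 00495E47
:004BC1EF 741A je 004BC20B
:004BC1F4 7415 je 004BC20B
:004BC205 7404 je 004BC20B
"""
LINE_RE = re.compile(r"^:([0-9A-F]{8}) ([0-9A-F]+) (\w+) ([0-9A-F]{8})$")

def decode_short_jump(va: int, code: bytes) -> Tuple[str, int]:
    """Return (mnemonic, target VA) for a two-byte rel8 jump located at va."""
    if len(code) != 2 or code[0] not in SHORT_JUMPS:
        raise ValueError(f"not a short jump: {code.hex()}")
    rel = int.from_bytes(code[1:2], "little", signed=True)
    return SHORT_JUMPS[code[0]], va + 2 + rel  # relative to the next instruction

def check_listing(listing: str) -> List[Tuple[int, str, int, bool]]:
    """Decode every jump line; the flag says whether our target matches W32Dasm's."""
    out = []
    for line in listing.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        va, code, shown_mnem, shown_target = int(m[1], 16), bytes.fromhex(m[2]), m[3], int(m[4], 16)
        mnem, target = decode_short_jump(va, code)
        out.append((va, mnem, target, mnem == shown_mnem and target == shown_target))
    return out

IMAGE_BASE = 0x400000  # assumption inferred from the tutorial's two quoted offsets

def va_to_offset(va: int) -> int:
    """File offset of a virtual address, under the IMAGE_BASE assumption above."""
    return va - IMAGE_BASE

CHECK_VA = 0x004BC1EF              # first conditional jump of the registration check
CHECK_BYTES = bytes.fromhex("741A")  # original bytes per the listing: je 004BC20B

def check_jump_intact(image: bytes, va: int = CHECK_VA, expected: bytes = CHECK_BYTES) -> bool:
    """True if the bytes at va's file offset still hold the expected conditional jump."""
    off = va_to_offset(va)
    return image[off:off + len(expected)] == expected

def diff_offsets(pristine: bytes, suspect: bytes) -> List[int]:
    """File offsets where two same-size images differ (what a byte patcher records)."""
    if len(pristine) != len(suspect):
        raise ValueError("images differ in size; a byte diff is not meaningful")
    return [i for i, (a, b) in enumerate(zip(pristine, suspect)) if a != b]

def sha256_hex(image: bytes) -> str:
    """Whole-file hash, for comparison against a known-good value kept elsewhere."""
    return hashlib.sha256(image).hexdigest()

def build_sample_image() -> bytes:
    """Constructed stand-in for the pristine file: zeros plus the real check bytes."""
    buf = bytearray(0xC0000)
    off = va_to_offset(CHECK_VA)
    buf[off:off + 2] = CHECK_BYTES
    return bytes(buf)

def build_tampered_image() -> bytes:
    """Constructed suspect: same image with the conditional opcode byte altered."""
    buf = bytearray(build_sample_image())
    buf[va_to_offset(CHECK_VA)] = 0xEB
    return bytes(buf)

if __name__ == "__main__":
    for va, mnem, target, ok in check_listing(LISTING):
        print(f"{va:08X} {mnem:<3} -> {target:08X} {'ok' if ok else 'MISMATCH'}")
    good, bad = build_sample_image(), build_tampered_image()
    print("pristine check intact:", check_jump_intact(good))
    print("suspect  check intact:", check_jump_intact(bad),
          "differs at", [hex(o) for o in diff_offsets(good, bad)])
```

Two points worth noting from the run: every target W32Dasm printed is reproduced by the rel8 arithmetic, which is how you confirm you are reading the listing correctly before acting on it, and a single changed opcode byte is enough to fail both the byte-level check and the whole-file hash, which is why shipping a known-good hash (or signing the binary) catches this class of modification regardless of which offset was touched.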