;=============================================================
Author : ReaL|sty
Date : 25/12/2002
TeaM : TSRh
Program : NetCaptor v7.1.0 Beta 2;
Description : Very good web browser;
FileName : NetCaptor.exe;
FileSize : 714 240 bytes;
Program URL : http://www.netcaptor.com;
;=============================================================
Compiled from : Borland Delphi 6.0;
Pack Status : Packed with ASPack 2.12;
Protection : Nag screen + time limit,
blacklisted-serial check,
CRC check;
;=============================================================
Using Tools : W32Dasm, SoftIce, AspackDie, UltraEdit;
;=============================================================
Introduction
In this tutorial I explain how to remove the limitations listed above, quickly. NetCaptor is packed
with ASPack and I use AspackDie to unpack it, so I skip the unpacking part and won't explain
the basics such as how to disassemble the file or how to use AspackDie. If you are reading this
tutorial you should already know the basic stuff about cracking.
Beginning....
Let's begin. My NetCaptor is always expired: every time I install a new version a big nag screen
appears telling me I have to buy it. This is not good :( I don't have a credit card or any $$$ for this :/
It happens every time I start the program, and then the program closes.
NetCaptor leaves some files and registry keys on the system to enforce the time limit;
if you want, you can try to find them.
You can catch the nag with bpx CreateWindowExA, which works well for this kind of nag,
or better, catch the part of the program code that leads to the nag and the exact place where it
closes. Good breakpoints for catching a program as it closes are bpx CloseHandle,
bpx PostQuitMessage, bpx ExitProcess, ...
I assume that if you try to catch the nag you already know the basic SoftICE commands :D.
A little tip: for the nag, look at the entry point of the program and analyze that part
of the code. Close the program if it is open, then do bpx FindWindowA, exit SoftICE and
re-open the program, and bammmmm: SoftICE breaks on a user32 API call.
Press F12 repeatedly to return from the API calls until you reach the NetCaptor code (the call site)
where user32.FindWindowA is called; it takes me straight to our nag!!
In the dead listing (W32Dasm) this NetCaptor version gives:
* Reference To: user32.FindWindowA, Ord:0000h
|
:0052D47C E867A7EDFF Call 00407BE8 <<-- thunk to user32.FindWindowA; the path to the nag starts here
:0052D481 8BD8 mov ebx, eax
:0052D483 85DB test ebx, ebx
:0052D485 7415 je 0052D49C
:0052D487 E8F00EFCFF call 004EE37C
:0052D48C 84C0 test al, al
:0052D48E 750C jne 0052D49C
:0052D490 8BC3 mov eax, ebx
:0052D492 E8950FFCFF call 004EE42C
:0052D497 E8FC74EDFF call 00404998
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0052D485(C), :0052D48E(C)
|
:0052D49C B201 mov dl, 01
:0052D49E A140CB5200 mov eax, dword ptr [0052CB40]
:0052D4A3 E8F4F6FFFF call 0052CB9C
A little further down we have the nag itself plus the calls that check the time limit, the
ShellExecute that takes you to the site where you are supposed to buy it (if you hit the Buy button),
and the exit path that closes the nag. I got this:
:0052D4A8 A3FC355300 mov dword ptr [005335FC], eax
:0052D4AD 33C0 xor eax, eax
:0052D4AF 55 push ebp
:0052D4B0 6876D55200 push 0052D576
:0052D4B5 64FF30 push dword ptr fs:[eax]
:0052D4B8 648920 mov dword ptr fs:[eax], esp
:0052D4BB A1D4105300 mov eax, dword ptr [005310D4]
:0052D4C0 8B00 mov eax, dword ptr [eax]
:0052D4C2 C6401C00 mov [eax+1C], 00
:0052D4C6 E8E1F1FFFF call 0052C6AC
:0052D4CB 33C0 xor eax, eax
:0052D4CD 55 push ebp
:0052D4CE 6857D55200 push 0052D557
:0052D4D3 64FF30 push dword ptr fs:[eax]
:0052D4D6 648920 mov dword ptr fs:[eax], esp
:0052D4D9 E8820BFCFF call 004EE060
:0052D4DE 84C0 test al, al <<-- this is interesting for me
:0052D4E0 7462 je 0052D544 <<-- and this! a test al, al (84 C0) followed by a je (74)
:0052D4E2 A1C80E5300 mov eax, dword ptr [00530EC8]
:0052D4E7 8B00 mov eax, dword ptr [eax]
:0052D4E9 33D2 xor edx, edx
:0052D4EB E878ABF2FF call 00458068
:0052D4F0 A1C80E5300 mov eax, dword ptr [00530EC8]
:0052D4F5 8B00 mov eax, dword ptr [eax]
:0052D4F7 83C050 add eax, 00000050
:0052D4FA E82D76EDFF call 00404B2C
:0052D4FF E8080BFCFF call 004EE00C
:0052D504 A110105300 mov eax, dword ptr [00531010]
:0052D509 803800 cmp byte ptr [eax], 00
:0052D50C 7512 jne 0052D520
:0052D50E 6A11 push 00000011
* Reference To: user32.GetKeyState, Ord:0000h
|
:0052D510 E86BA7EDFF Call 00407C80
:0052D515 6685C0 test ax, ax
:0052D518 A110105300 mov eax, dword ptr [00531010]
:0052D51D 0F9C00 setl byte ptr [eax]
Something you should know: the call at 0052D47C is not where the nag comes from. FindWindowA
looks up an existing window by class or title, so this looks like a check for an already-running
instance. If you nop that call the program doesn't crash, but nothing loads, not even the real
nag screen; and if you change the 74 at 0052D485 to EB and nop the call, the program loads but
you see the real nag screen again :)
The call at 0052D4D9 (E8820BFCFF call 004EE060) is the one that does the nagging, and the
buy-site URL is in there too. You can find this call easily by searching the string references
in W32Dasm for "http://go.netcaptor.com/go/?buy=1" (without the quotes, of course :P).
If we change je (74) to jne (75) at 0052D4E0, we tell the program that we still have days left,
and we are on the right track ;) You'll see that the program loads and says xxx days left of the
15-day trial (check the About box). The nag still shows up, though.
To finally remove the nag, nop the call at 0052D4D9 (five bytes: E8 82 0B FC FF -> 90 90 90 90 90),
or change the push ebp (55) at 004EE060, the first byte of the called routine, into ret (C3).
Use your favorite hex editor for this; I used UltraEdit.
The rest of the code is not important or interesting to me!
-----------------------Removing the Checks (Time Limit + Crc + Black List)--------------------------------
This is really cool: now I have the program clean, working without time limit and without nag screen.
I was surfing for a while and then something surprised me... shit!!!!! I got a message box telling
me about an error, that the exe was modified/damaged; I clicked OK and NetCaptor closed.. :(
This is not good!! So let's remove this, because I can't use the program with that shit bothering
me and closing NetCaptor. If you look in W32Dasm you won't see any string reference for this message ;)
So be prepared to face programs with encrypted strings or code, without any string references, or
sometimes without any import table (IT); you'll see many programs without the string references
you need to crack them. In that case, be sure exactly which bytes you have to change. Time to use
your head, plus our best tool, SoftICE!
Now open NetCaptor again. Note that you don't have to be surfing for this; the error box appears
after NetCaptor has been open for a while.
As soon as it's open, Ctrl+D, then bpx PostQuitMessage, Ctrl+D again, and let's wait......
and... bammmmmmmm, we get the message box in front of our eyes. Press OK and bammmmm again,
because SoftICE has caught our bpx :) You land in some user32 API code; skip it by pressing F12 once
to get back into NetCaptor code, where you see the API call inside NetCaptor: user32.PostQuitMessage.
Press F12 again to see which routine/call led to PostQuitMessage, and for this CRC check I got
004EABC5. Let's go there and see what we have... in the dead listing I got this:
:004EABB0 6A00 push 00000000
:004EABB2 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"NetCaptor" <<=== looks like the caption text of the message box :)
|
:004EABB4 B908AC4E00 mov ecx, 004EAC08
:004EABB9 8B5368 mov edx, dword ptr [ebx+68]
:004EABBC 8BC3 mov eax, ebx
:004EABBE E8D1260100 call 004FD294
:004EABC3 8BC3 mov eax, ebx
:004EABC5 E866A2F6FF call 00454E30 <<--- this call leads to PostQuitMessage
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <<---- this is interesting
|:004EAB67(C), :004EAB71(C)
|
:004EABCA 33C0 xor eax, eax
:004EABCC 5A pop edx
:004EABCD 59 pop ecx
:004EABCE 59 pop ecx
:004EABCF 648910 mov dword ptr fs:[eax], edx
:004EABD2 68ECAB4E00 push 004EABEC
Note that the quit happens at:
004EABC5 E866A2F6FF call 00454E30
It calls 00454E30; at that address there is no PostQuitMessage itself, but another call that goes
straight to user32.PostQuitMessage, the one you saw in SoftICE, and then the program closes after
you press OK.
If you nop the call at 004EABC5 you'll see that the program no longer closes, but the error
message box still appears; you press OK and it disappears, but it keeps coming back again and again.
Let's look at this:
:004EABC5 E866A2F6FF call 00454E30 <<--- this call leads to PostQuitMessage
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004EAB67(C), :004EAB71(C)
|
:004EABCA 33C0 xor eax, eax <<--- I'm going to make it jump right here
Then we neither see the message box nor does the program close! Isn't that funny? ;)
I'm going to the last conditional jump that leads into the next part of the code, where execution
should continue and work normally. Let's see what we have at 004EAB71; I got this:
:004EAB62 3D00350C00 cmp eax, 000C3500
:004EAB67 7E61 jle 004EABCA
:004EAB69 A1B80D5300 mov eax, dword ptr [00530DB8]
:004EAB6E 803800 cmp byte ptr [eax], 00
:004EAB71 7557 jne 004EABCA <<--- here i am
At 004EAB62 and 004EAB6E the program compares whether its bytes were modified or not:
if good boy it jumps, if bad boy it continues on to the error message (the CRC check).
At 004EAB71 change 75 (jne) to EB (jmp), so that even when the check says bad boy it jumps
directly to the next piece of code, "the good continue".
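The tutorial never says what the comparison at 004EAB62 actually computes, so the following is an added example and not NetCaptor's code: it shows the one self-integrity value every PE carries, IMAGE_OPTIONAL_HEADER.CheckSum, and the algorithm Windows' MapFileAndCheckSum uses for it. The practical point for a patched exe is this: if a program simply compares that header field against a fresh computation, it will report itself as damaged after any hex edit, and recomputing the field is cleaner than patching the check; if it compares against a constant baked into the code or a CRC over some region, only the branch patch above helps. The demo image below is a constructed header-shaped blob, not a loadable executable.

```python
"""Recompute the PE optional-header CheckSum of a patched image.

Added example, not part of the original tutorial and not a claim about what
NetCaptor checks. Implements the MapFileAndCheckSum algorithm: sum all
dwords except the CheckSum field with end-around carry, fold to 16 bits,
add the file length.
"""
import struct


def checksum_field_offset(data: bytes) -> int:
    """File offset of OptionalHeader.CheckSum: e_lfanew + 4 (PE sig) + 20 (file header) + 64."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    return e_lfanew + 4 + 20 + 64


def pe_checksum(data: bytes) -> int:
    """CheckSum over the whole file, skipping the CheckSum field itself."""
    skip = checksum_field_offset(data) // 4      # assumes the field is dword aligned (e_lfanew is)
    padded = data + b"\0" * (-len(data) % 4)     # the algorithm sums whole dwords
    total = 0
    for i in range(len(padded) // 4):
        if i == skip:
            continue
        total += struct.unpack_from("<I", padded, i * 4)[0]
        total = (total & 0xFFFFFFFF) + (total >> 32)   # fold the carry out of 32 bits
    total = (total & 0xFFFF) + (total >> 16)            # fold to 16 bits
    total = (total + (total >> 16)) & 0xFFFF
    return total + len(data)                             # original, unpadded length


def stored_checksum(data: bytes) -> int:
    """The value currently written in the header."""
    return struct.unpack_from("<I", data, checksum_field_offset(data))[0]


def fix_checksum(data: bytes) -> bytes:
    """Return a copy with the CheckSum field set to the recomputed value."""
    buf = bytearray(data)
    struct.pack_into("<I", buf, checksum_field_offset(data), pe_checksum(data))
    return bytes(buf)


def build_demo_image() -> bytes:
    """Constructed stand-in: MZ/PE headers plus a few code bytes, not a loadable exe."""
    e_lfanew = 0x80
    img = bytearray(0x400)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<H", img, e_lfanew + 4, 0x014C)       # Machine = i386
    img[0x200:0x208] = bytes.fromhex("84C0746233C0C3C3")   # test al,al / je / xor eax,eax / ret / ret
    return fix_checksum(bytes(img))                         # stored value consistent to begin with


def patch_and_refix(data: bytes, offset: int, new: bytes):
    """Apply a byte patch; report whether the stored CheckSum went stale and
    whether recomputing it restores consistency. Returns (stale, consistent, fixed_image)."""
    patched = bytearray(data)
    patched[offset:offset + len(new)] = new
    patched = bytes(patched)
    stale = stored_checksum(patched) != pe_checksum(patched)
    fixed = fix_checksum(patched)
    return stale, stored_checksum(fixed) == pe_checksum(fixed), fixed


if __name__ == "__main__":
    image = build_demo_image()
    stale, consistent, _ = patch_and_refix(image, 0x202, b"\x75")   # the je -> jne edit
    print(f"after patch: header stale={stale}, after refix: consistent={consistent}")
```

On a real file, read NetCaptor.exe into bytes, call fix_checksum and write the result back; if the "modified" message still appears, the check is not comparing the header field and you are back to the jne -> jmp patch.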
OK.. take your favorite hex editor and make the changes. Now let's open NetCaptor
and leave it open for a while to see what other surprises it has :)
Another CRC check; this time I pressed OK and it opened IE and took me to:
http://go.netcaptor.com/go/?buy=1&d=29
This is not good!!
Use the same method as above to find where it comes from; I got the address
004ED56B. Let's go there....
:004ED53C 6A00 push 00000000
:004ED53E 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"NetCaptor"
|
:004ED540 B9ACD54E00 mov ecx, 004ED5AC
:004ED545 8B5368 mov edx, dword ptr [ebx+68]
:004ED548 8BC3 mov eax, ebx
:004ED54A E845FD0000 call 004FD294 <<--- message box call
:004ED54F 8D55EC lea edx, dword ptr [ebp-14]
* Possible StringData Ref from Code Obj ->"http://go.netcaptor.com/go/?buy=1"
|
:004ED552 B8C0D54E00 mov eax, 004ED5C0
:004ED557 E8E03D0100 call 0050133C
:004ED55C 8B45EC mov eax, dword ptr [ebp-14]
:004ED55F BA01000000 mov edx, 00000001
:004ED564 E8074E0100 call 00502370
:004ED569 8BC3 mov eax, ebx
:004ED56B E8C078F6FF call 00454E30 <<--- this call leads to PostQuitMessage
:004ED570 33C0 xor eax, eax
:004ED572 5A pop edx
:004ED573 59 pop ecx
:004ED574 59 pop ecx
:004ED575 648910 mov dword ptr fs:[eax], edx
:004ED578 6892D54E00 push 004ED592
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004ED590(U) <<--- jumps back here: this is the routine's cleanup and exit path
|
:004ED57D 8D45EC lea eax, dword ptr [ebp-14]
:004ED580 BA04000000 mov edx, 00000004
:004ED585 E8C675F1FF call 00404B50
:004ED58A C3 ret
In this piece of code I don't see any jump or cmp where I could skip the part that gives the
message and the quit. You can nop the message box call and the call that leads to PostQuitMessage
and it's done. Alternatively, at the start of this routine you'll find a push ebp (55); change it
to ret (C3) and all is done. You can put the C3 at 004ED53C or at 004ED4F3, but note that the
listing above shows 6A 00 (push 0) at 004ED53C, so check the byte in your hex editor first and
prefer the routine entry where the 55 actually is. The calls you can nop are 004ED56B and
004ED54A, and that works too.
Finally the CRC check is gone!
Let's try again....... I know something is coming, so I already set bpx PostQuitMessage, and I got
another error message box telling me that the program has expired, please register... that's not good!!!
I used the same method you already know, and it took me to address 004EADCD.
Let's go there..... uhhhhmmmmm, the same stuff. The only difference is that at 004EAD3E there is a
conditional jump we can reverse: change the 85 of the near jne (0F 85) to 84 (je, 0F 84) and we're done!
Inverting it means the jump is now taken exactly when the check fails, which is the case we care about.
Here it is:
:004EAD8E 6A00 push 00000000
:004EAD90 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"NetCaptor" <<--- good string to search to get these checks ;)
| have you tried with ahex editor? ;))
:004EAD92 B910AE4E00 mov ecx, 004EAE10
:004EAD97 8B5368 mov edx, dword ptr [ebx+68]
:004EAD9A 8BC3 mov eax, ebx
:004EAD9C E8F3240100 call 004FD294 <<---- nag message box call
:004EADA1 A1E80D5300 mov eax, dword ptr [00530DE8]
:004EADA6 8B00 mov eax, dword ptr [eax]
:004EADA8 33C9 xor ecx, ecx
:004EADAA B206 mov dl, 06
:004EADAC E8DB52F9FF call 0048008C
:004EADB1 8D55DC lea edx, dword ptr [ebp-24]
* Possible StringData Ref from Code Obj ->"http://go.netcaptor.com/go/?buy=1" <<-- takes me here after pressing OK
|
:004EADB4 B854AE4E00 mov eax, 004EAE54
:004EADB9 E87E650100 call 0050133C
:004EADBE 8B45DC mov eax, dword ptr [ebp-24]
:004EADC1 BA01000000 mov edx, 00000001
:004EADC6 E8A5750100 call 00502370
:004EADCB 8BC3 mov eax, ebx
:004EADCD E85EA0F6FF call 00454E30 <<---- the quit is here
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: <<--- go to one of these jumps and reverse it so
|:004EAC73(U), :004EAC86(C), :004EACA6(C), :004EACB0(C), :004EAD37(U) it jumps here and skips the check
|:004EAD3E(C), :004EAD4B(C)
I took the one at 004EAD3E and changed 85 to 84. I took that one because it is best to take one of
the last jumps after the tests or cmps, so the part we don't want the program to execute is really skipped :)
If you would rather have the jump taken in every case, a 6-byte near jcc (0F 8x rel32) becomes
unconditional as 90 E9 rel32: a nop followed by jmp with the same displacement, since both forms
end at the same address.
OK boys and girls, this part is over.. Now I want to use an old or blacklisted serial to register.
The program actually accepts any of them, but after a while it gives me a nag message like the
previous ones, something like: this serial is wrong, please register to receive a valid code.... Let's do it.
But first undo the bytes we reversed at the beginning of this tutorial, the one for the time limit
and the one for the nag screen, to make sure the program becomes fully registered by registering
with the serial. I undid the bytes and used the old serial released by my partner Geo4ce ;)
Great, the program is fully registered; it no longer says xxx days left.. Let's wait for a while
and bammmmmmmmm, nag nag!!!! ugrrrrrrrr! lol :))
I used the same method as before to get the call that took me to the nag plus quit, and I got
address 004EB7B1. Let's go there and see what we have....
:004EB79C 6A00 push 00000000
:004EB79E 6A00 push 00000000
* Possible StringData Ref from Code Obj ->"NetCaptor"
|
:004EB7A0 B9FCB74E00 mov ecx, 004EB7FC
:004EB7A5 8B5368 mov edx, dword ptr [ebx+68]
:004EB7A8 8BC3 mov eax, ebx
:004EB7AA E8E51A0100 call 004FD294 <<--- call nag message here
:004EB7AF 8BC3 mov eax, ebx
:004EB7B1 E87A96F6FF call 00454E30 <<--- and the quit process is here
* Referenced by a (U)nconditional or (C)onditional Jump at Address: <<-- go to this jump
|:004EB707(C)
|
:004EB7B6 33C0 xor eax, eax
:004EB7B8 5A pop edx
:004EB7B9 59 pop ecx
:004EB7BA 59 pop ecx
:004EB7BB 648910 mov dword ptr fs:[eax], edx
:004EB7BE 68E0B74E00 push 004EB7E0
Go to the jump I mentioned and change 84 to 83: the near je (0F 84) becomes jae (0F 83). If the jump
follows a test (which always clears CF), jae is always taken, and the job is done.
I finish here, hoping everyone liked this tutorial :D If you wish you can pack the exe again
using a good packer like UPX.
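All the byte changes made in this tutorial, applied by one script, as an added example (not from the tutorial's author). Each change is taken from the listings above: the virtual address, the bytes W32Dasm shows there, and the replacement. The script maps each address to a file offset through the PE section table and checks the bytes on disk against the listing before it writes anything, which is the check a hex editor does not do for you: the same address in a different build, or a wrong section table, silently corrupts the file otherwise. IMAGE_BASE and DEMO_SECTIONS are assumptions standing in for NetCaptor's real headers, which the page does not reproduce; read them from the unpacked file before using this on it. The patches are grouped the way the tutorial applies them, since it undoes the nag/trial ones before registering with a serial.

```python
"""Verified patcher for the byte changes made in this tutorial.

Added example, not part of the original tutorial. It treats the unpacked
NetCaptor.exe as a bytearray, converts each virtual address from the
W32Dasm listings to a file offset through the section table, and refuses to
write unless the bytes on disk are the ones the listing shows. IMAGE_BASE
and DEMO_SECTIONS are constructed stand-ins for headers the page does not
reproduce; read the real values from the file before using this on it.
"""
from typing import List, Tuple

IMAGE_BASE = 0x400000  # assumption: Delphi's default; read it from the optional header

# (name, VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData) -- constructed
DEMO_SECTIONS = [
    ("CODE", 0x001000, 0x134000, 0x000400, 0x134000),
    ("DATA", 0x135000, 0x004000, 0x134400, 0x004000),
]

Patch = Tuple[int, bytes, bytes, str]  # (VA, bytes the listing shows, new bytes, why)

# Nag + trial limit (the tutorial undoes these two before registering with a serial)
NAG_PATCHES: List[Patch] = [
    (0x52D4E0, b"\x74\x62", b"\x75\x62", "je -> jne: trial check reports days left"),
    (0x52D4D9, b"\xE8\x82\x0B\xFC\xFF", b"\x90" * 5, "nop the call that shows the nag"),
]
# CRC checks and the "expired" check
CHECK_PATCHES: List[Patch] = [
    (0x4EAB71, b"\x75\x57", b"\xEB\x57", "jne -> jmp: always take the good path"),
    (0x4ED54A, b"\xE8\x45\xFD\x00\x00", b"\x90" * 5, "nop the second CRC message box"),
    (0x4ED56B, b"\xE8\xC0\x78\xF6\xFF", b"\x90" * 5, "nop the quit after that message box"),
    (0x4EAD3E, b"\x0F\x85", b"\x0F\x84", "near jne -> je: invert the expired check"),
]
# Blacklisted-serial check
SERIAL_PATCHES: List[Patch] = [
    (0x4EB707, b"\x0F\x84", b"\x0F\x83", "near je -> jae: skip the serial check"),
]
ALL_PATCHES = NAG_PATCHES + CHECK_PATCHES + SERIAL_PATCHES


def va_to_offset(va: int, sections=DEMO_SECTIONS, image_base: int = IMAGE_BASE) -> int:
    """Map a virtual address to a file offset via the section that contains it."""
    rva = va - image_base
    for name, vaddr, vsize, rawptr, rawsize in sections:
        if vaddr <= rva < vaddr + vsize:
            delta = rva - vaddr
            if delta >= rawsize:  # VirtualSize > SizeOfRawData: not backed by file data
                raise ValueError(f"{va:#x} is in {name}'s zero-filled tail, not on disk")
            return rawptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def apply_patches(image: bytearray, patches: List[Patch],
                  sections=DEMO_SECTIONS, image_base: int = IMAGE_BASE) -> List[Tuple[int, int]]:
    """Apply patches in place. Every patch is checked against the expected bytes
    before anything is written, so a wrong section table or a different build
    leaves the file untouched. Returns the (VA, file offset) pairs written."""
    plan = []
    for va, expected, new, _why in patches:
        if len(expected) != len(new):
            raise ValueError(f"{va:#x}: patch must not change the instruction length")
        off = va_to_offset(va, sections, image_base)
        found = bytes(image[off:off + len(expected)])
        if found != expected:
            raise ValueError(f"{va:#x} @ file {off:#x}: found {found.hex()}, expected {expected.hex()}")
        plan.append((va, off, new))
    for va, off, new in plan:
        image[off:off + len(new)] = new
    return [(va, off) for va, off, _ in plan]


def patch_rejected(image: bytearray, patches: List[Patch]) -> bool:
    """True if apply_patches refused because the bytes on disk do not match the listing."""
    try:
        apply_patches(image, patches)
    except ValueError:
        return True
    return False


def build_demo_image() -> bytearray:
    """Constructed stand-in for the unpacked exe: zero-filled, with the bytes the
    listings show placed where DEMO_SECTIONS maps their addresses."""
    _, _, _, rawptr, rawsize = DEMO_SECTIONS[-1]
    image = bytearray(rawptr + rawsize)
    for va, expected, _new, _why in ALL_PATCHES:
        off = va_to_offset(va)
        image[off:off + len(expected)] = expected
    return image


if __name__ == "__main__":
    img = build_demo_image()
    for va, off in apply_patches(img, ALL_PATCHES):
        print(f"VA {va:#010x} -> file offset {off:#08x} patched")
```

To use it on the real file, read the unpacked NetCaptor.exe into a bytearray, replace DEMO_SECTIONS and IMAGE_BASE with the values from its section table and optional header, pick the patch groups you want (the tutorial ends with the NAG_PATCHES undone and a serial entered), and write the bytearray back out. A second run refuses every patch, because the bytes no longer match the listing; that is the behaviour you want from a patcher.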
I'm a little exhausted and it's time to sleep.. good bye! zzzzzzzz.
End!
------------------------------------------------------------------------------