DATE: 1-11-1998
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% How To Use Bug for Cracking %%
%% by MuadDib %%
%% with Abyss 2.00.14 and Abyss 2.01 %%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Introduction:
~~~~~~~~~~~~~
Abyss is a great piece of software for diving, but it's really expensive ($495 is too much for this... I think) for me and for my
friends, so I decided to make it more user-friendly and to cut out the bug called "Protection Feature" :).
Hum, Aby (more lovely) uses a third-party protection from CodeLock (I don't remember exactly :), so I think)
[ crp32dll.dll, crp9516a.dll, Cryp95a.dll ]...
Not a piece of cake, this protection, hum... a big bad front door with a big bad reg code... I don't like this...
So, maybe Aby has a nice little back door? Hum, let's have a look :)
Tools used:
~~~~~~~~~~~
-Aenima from Tool, great MuSiC :)
-SoftIce 3.2x
-Windasm 8.9
-A brain (just a little)
Rem:
~~~~
All the code and addresses are from Abyss 2.01, but the protection (and code) is the same in Abyss 2.00.14,
just with other offsets :).
When you bpx a Windows routine, after SoftIce pops up, press F11 to get to the caller code :).
Sorry, but my English is poor [ like me ]..
Where to find the soft:
~~~~~~~~~~~~~~~~~~~~~~~
http://www.abysmal.com
Part One: The Registration party
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Install, run, and go to the registration window.
Yep, the Registration Number is unique, never twice the same
(made from the directory and other scrap); you must choose the reg. level and
enter the right code... So bpx GetWindowTextA, enter some stuff, press Register...
Boom, you're in a DLL; don't care about all that stuff right away, MFC uses some code
to take the input. Press F12 a couple of times [don't forget to disable all bp (bd *)]
(to the next ret) and stop at 00425FD2. Ok, we call 0045FCD to get the text, and must do
other calls to prepare our input... Look at the code a little: we make lots of calls,
but no test... but at 00426009, we test if eax is equal to 0... hum, smells like a
security check :), ok, bpx 00426009, the test, run the soft [x].
Slang, we are at the test; have a try and change eax to 0 ( r eax 0 )..
disable the bp and run... It says 'unregistered'.
And so? No, I'm not stupid; look at all the menus, now you can access
all of them. It's a bug in the soft, Aby doesn't understand 'unregistered' :).
Under Win95 the time limit is fucked up too :)... Hum, just a goooood bug, no?
Are you sure it's a bug? Yep, 'cause part of the time it says 'Demo', 'unregistered' or
even 'Mixed Gas', but the soft writes some info to gain an unknown user level and
leaves all options on...
[original version]
:00425FE5 E8B6220300 Call 004582A0
:00425FEA 8B4004 mov eax, dword ptr [eax+04]
:00425FED 8D5670 lea edx, dword ptr [esi+70]
:00425FF0 52 push edx
:00425FF1 8BC8 mov ecx, eax
:00425FF3 E8C8C2FDFF call 004022C0
:00425FF8 8B467C mov eax, dword ptr [esi+7C]
:00425FFB 50 push eax
:00425FFC E87FB90100 call 00441980
:00426001 83C404 add esp, 00000004
:00426004 E8B7B90100 call 004419C0 // CALL THE PROTECTION TO SEE IF YOU'RE A GOOD BOY
:00426009 85C0 test eax, eax // Good boy ?
:0042600B 0F85E4000000 jne 004260F5 // If jump, you're not :)
:00426011 E8CABD0100 call 00441DE0
:00426016 E822A30200 call 0045033D
:0042601B 50 push eax
:0042601C 8D4E74 lea ecx, dword ptr [esi+74]
[cracked version]
:00426004 E8B7B90100 call 004419C0 // CALL TO PROT.
:00426009 B800000000 mov eax, 00000000 // put eax=1,
:0042600E 85C0 test eax, eax // or 2 nop
:00426010 90 nop // keep the same size :)
:00426011 E8CABD0100 call 00441DE0
:00426016 E822A30200 call 0045033D
:0042601B 50 push eax
:0042601C 8D4E74 lea ecx, dword ptr [esi+74]
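The Part One bug is that an unrecognised registration status lands on a user level that still has every option enabled. As an added example (not Abyss or CodeLock code; the level numbers and feature names are constructed), here is that fail-open pattern next to the fail-closed one a vendor would use to close this class of bug, in C:

```c
#include <stdbool.h>
#include <stdio.h>

/* Constructed feature flags for a dive planner; names are hypothetical. */
#define FEAT_DEPTH_OVER_100FT 0x1u
#define FEAT_MIXED_GAS        0x2u
#define FEAT_SAVE             0x4u
#define FEAT_ALL (FEAT_DEPTH_OVER_100FT | FEAT_MIXED_GAS | FEAT_SAVE)

/* Fail-open mapping: any level the code did not anticipate (including the
 * "unknown" status the text describes) silently keeps the full feature set. */
unsigned features_fail_open(int level)
{
    unsigned f = FEAT_ALL;            /* start with everything on ... */
    switch (level) {
    case 0: f = 0;         break;     /* demo: nothing */
    case 1: f = FEAT_SAVE; break;     /* basic registration */
    case 2:                break;     /* full registration */
    /* no default: an unexpected level is never cut back */
    }
    return f;
}

/* Fail-closed mapping: unknown levels get the demo feature set, so a check
 * that returns an unexpected status cannot unlock anything by accident. */
unsigned features_fail_closed(int level)
{
    switch (level) {
    case 1:  return FEAT_SAVE;
    case 2:  return FEAT_ALL;
    case 0:                           /* demo ... */
    default: return 0;                /* ... and anything unrecognised */
    }
}

/* The "100 ft" gate decided from the level; fail_closed picks the mapping. */
bool allows_deep_dive(int level, bool fail_closed)
{
    unsigned f = fail_closed ? features_fail_closed(level)
                             : features_fail_open(level);
    return (f & FEAT_DEPTH_OVER_100FT) != 0;
}

int main(void)
{
    int bogus = 99;                   /* constructed "unknown" level */
    printf("fail-open  level %d deep dive: %d\n", bogus, allows_deep_dive(bogus, false));
    printf("fail-closed level %d deep dive: %d\n", bogus, allows_deep_dive(bogus, true));
    return 0;
}
```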
Part Two: 100 ft limits...
~~~~~~~~~~~~~~~~~~~~~~~~~~
Now the reg window is ok; open a new doc...
Try to dive deeper than 100 ft... bling, a message box.. and go to hell...
So, I want to go deeper... just bpx MessageBoxA.. run, enter more than 100 ft..
You are in an MFC app, so if you call a message box in your C++ code, you ask
MFC to do the work; press F12...
Ok, we are in Abyss now, at 0040EE5E. So, if you code this kind of stuff in C++,
you test in your function whether the user can go deeper than 100 ft; if not, you
put up a message box and return... So he must have put some test before...
Look up the code: some 'call's, but no test above the message box except one :), at 0040EDED,
we compare dword ptr [ebx] with 0, and if ok we jump past the code of the message box, bingo :)
In order to go deeper, just make it a jmp 0040EE81.. Easy :)
[original version]
:0040EDD0 64A100000000 mov eax, dword ptr fs:[00000000]
:0040EDD6 6AFF push FFFFFFFF
:0040EDD8 68E8AC4500 push 0045ACE8
:0040EDDD 50 push eax
:0040EDDE 64892500000000 mov dword ptr fs:[00000000], esp
:0040EDE5 83EC40 sub esp, 00000040
:0040EDE8 53 push ebx
:0040EDE9 8B5C2454 mov ebx, dword ptr [esp+54]
:0040EDED 833B00 cmp dword ptr [ebx], 00000000 // Can go deeper ?
:0040EDF0 0F848B000000 je 0040EE81 // equal 0 yep
:0040EDF6 57 push edi // nope, msg user
:0040EDF7 56 push esi
:0040EDF8 8D4C245C lea ecx, dword ptr [esp+5C]
[cracked version]
:0040EDD0 64A100000000 mov eax, dword ptr fs:[00000000]
:0040EDD6 6AFF push FFFFFFFF
:0040EDD8 68E8AC4500 push 0045ACE8
:0040EDDD 50 push eax
:0040EDDE 64892500000000 mov dword ptr fs:[00000000], esp
:0040EDE5 83EC40 sub esp, 00000040
:0040EDE8 53 push ebx
:0040EDE9 8B5C2454 mov ebx, dword ptr [esp+54]
:0040EDED 833B00 cmp dword ptr [ebx], 00000000 // Can go deeper ?
:0040EDF0 E98C000000 jmp 0040EE81 // of course :)
:0040EDF5 90 nop // To keep same size :)
:0040EDF6 57 push edi
:0040EDF7 56 push esi
:0040EDF8 8D4C245C lea ecx, dword ptr [esp+5C]
Part Three: Time limit
~~~~~~~~~~~~~~~~~~~~~~
Yes, I said in Part One that we unlocked the time limit too with the bug, but in fact,
not really.. Under 95, no problem, the soft runs after 30 days..
But I installed Abyss under NT, because the protection DLLs are different,
just to test the effectiveness of the crack [Yep, maybe other calls, other procedures]
In fact, everything works, the bug too, but the time limit is on :(. Hum, NT is kewl :)..
More fun: the NT install run under 95 has the time limit too [ in fact, I have another
version of CodeLock in my system dir... which works :), Abyss installs its own version in its dir ].
So I loaded Aby with the symbol loader and ran it, to start at the beginning of the soft... (I was tired...)
And I tested all the calls: I bpx after a couple of calls to determine who makes the time test :). I love this
kind of trivia, stupid but it works :)...
Finally I found an interesting test after 00441C54... If the jne is taken, bing, reg window...
Disable this jump and no more time limit :)
[original version]
:00441C46 F6C302 test bl, 02
:00441C49 0F845C010000 je 00441DAB
:00441C4F E81CFFFFFF call 00441B70
:00441C54 85C0 test eax, eax
:00441C56 7519 jne 00441C71 //expired ?
:00441C58 C705C887470001000000 mov dword ptr [004787C8], 00000001
[cracked version]
:00441C46 F6C302 test bl, 02
:00441C49 0F845C010000 je 00441DAB
:00441C4F E81CFFFFFF call 00441B70
:00441C54 85C0 test eax, eax
:00441C56 90 nop //expired ?, never :)
:00441C57 90 nop
:00441C58 C705C887470001000000 mov dword ptr [004787C8], 00000001
CONCLUSION:
~~~~~~~~~~~
Hum, I hope for more sweet things like this :)
Enjoy :).
If you really use it... think of buying... it feeds the makers :)
MuadDib,