Web : http://mxb.cjb.net
Contact Me : [email protected] or [email protected]
Flash 5.0
Type : Animation Program
Protection : RSAgent
Tech : Patching & Redirection of CRC Check
Crack : RSAgent changed its registration algorithm in its new release, like the one used in Flash 5.0.
Let us see how to crack this baby.
Go to the folder where you have installed the program.
Example : C:\Program Files\Macromedia\Flash 5
Rename the file : FLASHPOP.TTY ==>> FLASHPOP.EXE
Now run this file, i.e. double click it... What will you see?
First we will see a window with an animation telling something like
"PLEASE WAIT WHILE YOUR SOFTWARE IS BEINGING PREPARED"
After this you will get a warning message box like..
"YOU CAN'T RUN THIS APPLICATION AT THIS TIME......"
What is the secret behind this FLASHPOP.EXE ??? :)
FLASHPOP.EXE actually looks for a file named "LICENSE.951396". If it
is not found it will warn us; otherwise, if it finds the file and checks
its virginity to make sure that it is real, then this program will
unpack the original file and we get a full version of the desired program :)
So our attack point is to reach the point where it opens the LICENSE file :)
For this we will do a simple trick: before running FLASHPOP.EXE, in SICE
BPX CREATEWINDOWEXA
Now run the file FLASHPOP.EXE
When we break into SICE
BPX CREATEFILEA
And continue...
And trace... till we reach...
Note : This place can also be reached with just a single BPX, i.e. BPX MESSAGEBOXA
0x401869 JNE 0x4018AF >> GOOD BOY
.....................
0x4018A9 CALL EDI >> WARNING ERROR DIALOG BOX
0x4018AB PUSH 00
0x4018AD CALL EBX
0x4018AF CALL 0x4016A0 >> SET FLAG
0x4018B4 CMP ESI,01 >> MAKE ESI = 1 TO CRACK THIS BABY
0x4018B7 JNZ 0x4019D6 >> BAD BOY | 0F 85 19 01 00 00
After this the program will automatically unpack and we get a full version :)
Patching :
Why don't we patch the file so that :
0x401869 JMP 0x4018AF | EB 44 OFFSET = 0x1869
.....................
0x4018B7 - 0x4018BC => FILL WITH NOP | 90 OFFSET = 0x18B7 - 0x18BC
Ok, after patching FLASHPOP.EXE just try to run this file :
Oops, we get a divide error. So it is using CRC checking :)
Defeating CRC Check :
The program opens its own file from the disk and does CRC checking on it.
Suppose we just redirect this check to an original and virgin copy of
this file, i.e. FLASHPOP.TTY; then we will be able to pass this check.
The program will check FLASHPOP.TTY instead of our file FLASHPOP.EXE.
So the attack point is to find where the program is trying to open the file
FLASHPOP.EXE.
So in SICE: BPX GETMODULEFILENAMEA
We can see that there are three places; if we redirect or change the file name, i.e.
FLASHPOP.EXE ==> FLASHPOP.TTY
our program will work without the divide error :)
0x4010B5 CALL [GETMODULEFILENAMEA]
0x4010BB LEA ECX,[ESP+00] >> FULL PATH OF THE FILE NAME
C:\PROGRAM FILES\MACROMEDIA\FLASH 5\FLASHPOP.EXE
.........................
0x4010C2 CALL 0x419970 >> AFTER THIS CALL EAX POINTS TO '\FLASHPOP.EXE'
Same sequence is found at :
(i) 0x401221 CALL [GETMODULEFILENAMEA]
0x401227 LEA EDX,[ESP+5C]
.........................
0x40122E CALL 0x419970
(ii)0x403F5A CALL [GETMODULEFILENAMEA]
0x403F60 LEA ECX,[ESP+00]
.........................
0x403F67 CALL 0x419970
Suppose we change the file name after CALL 0x419970; then we can pass this check :)
i.e. MOV DWORD PTR[EAX+9],5954542E | C7 40 09 2E 54 54 59
i.e. FLASHPOP.EXE ==> FLASHPOP.TTY | .TTY = '2E 54 54 59'
So we should find a place to write our code. We can see that above
CALL [GETMODULEFILENAMEA] there is sufficient space :)
So our code :
(1) 0x401084 MOV DWORD PTR[EAX+9],5954542E | C7 40 09 2E 54 54 59 OFFSET = 0x1084
0x40108B JMP 0x4010CE | EB 41
.....................
0x4010B5 CALL [GETMODULEFILENAMEA]
..................................
0x4010C2 CALL 0x419970
0x4010C7 ADD ESP,08
0x4010CA TEST EAX,EAX
0x4010CC JMP 0x401084 | EB B6 OFFSET = 0x10CC
0x4010CE CONTINUE ....
(2) 0x401206 MOV DWORD PTR[EAX+9],5954542E | C7 40 09 2E 54 54 59 OFFSET = 0x1206
0x40120D JMP 0x401246 | EB 37
.....................
0x401221 CALL [GETMODULEFILENAMEA]
..................................
0x40122E CALL 0x419970
0x401233 ADD ESP,08
0x401236 TEST EAX,EAX
0x401238 JMP 0x401206 | EB CC OFFSET = 0x1238
(3) 0x403F33 MOV DWORD PTR[EAX+9],5954542E | C7 40 09 2E 54 54 59 OFFSET = 0x3F33
0x403F3A JMP 0x403F73 | EB 37
.....................
0x403F5A CALL [GETMODULEFILENAMEA]
..................................
0x403F67 CALL 0x419970
0x403F6C ADD ESP,08
0x403F6F TEST EAX,EAX
0x403F71 JMP 0x403F33 | EB C0 OFFSET = 0x3F71