*****************************************************************************
* Subject: Cracking                                                         *
* Target: Partit v2.01                                                      *
* Author: BlackB                                                            *
* Date: 1999-08-05                                                          *
* Tools used: W32DSM89, Hex Workshop, SoftIce                               *
* Difficulty (scale 1-5): 1                                                 *
* Requirements: Basic knowledge of cracking                                 *
*****************************************************************************

 1. Intro
 ~~~~~~~~
Hi there!! This is my first tutor, especially and exclusively written for the
EVC-group. A miracle, coz i've got a lot of work in august :-/ Nevertheless
i enjoyed writing this tutor...spreading more cracking knowledge! :-)

 2. Tha Program: Partit v2.01
 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Nice looking interface...but i still don't know why i'd use a file splitter,
as all compression programs can split their files to fit on 1,44 MB disks.
However, that's not why i wrote this tutor...
Tha protection: nag screen, 30 day trial, and some limitations, among others....
the shareware program just sux big time!

 3. Cracking Partit v2.01
 ~~~~~~~~~~~~~~~~~~~~~~~~
Aha, the most important part of this essay ;)
Load our favorite Softice Symbol Loader (however...use Sice v3.24 or lower,
since the newer versions crash like hell!)
Press CTRL-D and let the program run...nag screen appears...and you get
several options. Choose "Enter keycode". Fill in a bogus key, fill in your
name and company. Go back to Softice and set a breakpoint on GetDlgItemTextA
(bpx GetDlgItemTextA). You see this: (Remark! The code presented below is
quite a lot. Important steps are explained. Remember that you can only
understand those steps by tracing through the code and trying to see what they do)

-------------------------Start of partial code-------------------------------
* Reference To: USER32.GetDlgItemTextA, Ord:0000h
                                  |
:00402610 E8D5AC0400              Call 0044D2EA

* Possible Reference to String Resource ID=00080: "Operation Aborted!

Drive %.2s is not available on your syst"
                                  |
:00402615 6A50                    push 00000050
:00402617 8D8560FFFFFF            lea eax, dword ptr [ebp+FFFFFF60]
:0040261D 50                      push eax
:0040261E 6A65                    push 00000065
:00402620 8B16                    mov edx, dword ptr [esi]
:00402622 8B4A0C                  mov ecx, dword ptr [edx+0C]
:00402625 51                      push ecx

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
                                  |
:00402626 E8BFAC0400              Call 0044D2EA

* Possible Reference to String Resource ID=00080: "Operation Aborted!

Drive %.2s is not available on your syst"
                                  |
:0040262B 6A50                    push 00000050
:0040262D 8D8510FFFFFF            lea eax, dword ptr [ebp+FFFFFF10]
:00402633 50                      push eax
:00402634 6A66                    push 00000066
:00402636 8B16                    mov edx, dword ptr [esi]
:00402638 8B4A0C                  mov ecx, dword ptr [edx+0C]
:0040263B 51                      push ecx

* Reference To: USER32.GetDlgItemTextA, Ord:0000h
                                  |
:0040263C E8A9AC0400              Call 0044D2EA
:00402641 8D45B0                  lea eax, dword ptr [ebp-50]
:00402644 50                      push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h
                                  |
:00402645 E868A90400              Call 0044CFB2	[<- Gets length of keycode]
:0040264A 8BD8                    mov ebx, eax
:0040264C 8D8560FFFFFF            lea eax, dword ptr [ebp+FFFFFF60]
:00402652 50                      push eax

* Reference To: KERNEL32.lstrlenA, Ord:0000h
                                  |
:00402653 E85AA90400              Call 0044CFB2
:00402658 83FB05                  cmp ebx, 00000005 [<- Keycode must be longer than 5 chars]
:0040265B 0F8EE9000000            jle 0040274A
:00402661 83F804                  cmp eax, 00000004 [<- Username must be longer than 4 chars]
:00402664 0F8EE0000000            jle 0040274A

* Reference To: KERNEL32.GetTickCount, Ord:0000h [<- Guess: some sort of anti-debugging (timing check)]
                                  |
:0040266A E8E1A70400              Call 0044CE50
:0040266F 2BC7                    sub eax, edi
:00402671 83F801                  cmp eax, 00000001
:00402674 7607                    jbe 0040267D [<- With Sice loaded, it will always jump...]
                                               [   So be sure if you trace through the code...]
                                               [   it does NOT jump!]
:00402676 33DB                    xor ebx, ebx
:00402678 E9CF000000              jmp 0040274C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402674(C)
|
:0040267D 6A00                    push 00000000
:0040267F 8D850CFEFFFF            lea eax, dword ptr [ebp+FFFFFE0C]
:00402685 50                      push eax
:00402686 E87DEAFFFF              call 00401108
:0040268B 83C408                  add esp, 00000008
:0040268E 8D9560FFFFFF            lea edx, dword ptr [ebp+FFFFFF60]
:00402694 8D4DB0                  lea ecx, dword ptr [ebp-50]
:00402697 8D850CFEFFFF            lea eax, dword ptr [ebp+FFFFFE0C]
:0040269D 52                      push edx
:0040269E 51                      push ecx
:0040269F 50                      push eax
:004026A0 E893EFFFFF              call 00401638 [<- Validates your serial]
:004026A5 83C40C                  add esp, 0000000C
:004026A8 8BD8                    mov ebx, eax [<- Mov registered-or-not-flag in ebx]
:004026AA 84DB                    test bl, bl  [<- Register program?]
:004026AC 0F849A000000            je 0040274C  [<- Jump if invalid serial...otherwise stay]
:004026B2 33C0                    xor eax, eax
:004026B4 C6057C19460001          mov byte ptr [0046197C], 01 [<- SET REGISTERED FLAG!!]
:004026BB 56                      push esi
:004026BC C6057D19460000          mov byte ptr [0046197D], 00 [<- Of no importance]
-------------------------End of partial code---------------------------------

What do ya say? Nopping the "je 0040274C"?? Nope :p It will set the
registered flag, but somehow the program still won't be registered. BUT.....!! We
now know that memory location [0046197C] contains the registered flag! :-)

We could now disassemble the .EXE and search for every 
"cmp byte ptr [0046197C], 00" and nop out all the conditional jumps....but 
that would be a lot of work...and finally you would see that the program 
has a second check...when you start the program.

Close Partit, reload it in Sice Symbol Loader and type "bpm 0046177C".
(= set a breakpoint on all instructions that read or write from/to address
0046177C). Press CTRL-D to let the program run. Keep pressing CTRL-D until
you see this:

-------------------------Start of partial code-------------------------------
:0040150C E827010000              call 00401638 [<- Validate serial!]
:00401511 83C40C                  add esp, 0000000C
:00401514 888700010000            mov byte ptr [edi+00000100], al [<- Mov registered-or-not-]
                                                                  [   flag in edi+100!!!]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401461(C), :0040146B(C)
|
:0040151A 68FDE14300              push 0043E1FD
:0040151F 6A01                    push 00000001
:00401521 6A03                    push 00000003
:00401523 6A18                    push 00000018
:00401525 8D55A4                  lea edx, dword ptr [ebp-5C]
:00401528 52                      push edx
:00401529 E8C67D0400              call 004492F4
:0040152E 83C414                  add esp, 00000014

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401409(C)
|
:00401531 80BF0001000000          cmp byte ptr [edi+00000100], 00 [<- Check if registered]
:00401538 752E                    jne 00401568                    [<- Jump if registered]
-------------------------End of partial code---------------------------------

You could make the program ALWAYS jump, but....again....then you would have to
search for ALL the "cmp [edi+100]"s AND the "cmp [46197C]"s....too much work :-)

So let us (try and) think logically:
  -Our serial is checked when "call 00401638" is executed.
  -The result is stored in AL.
  -Then AL is put in edi+100, or in bl, or in [0046197C].

So there was one good and short solution for me: NOP the "call 00401638" at
:0040150C and use those NOP bytes to move 1 into AL.....don't understand?
Look at this:


[Before cracking] :
:0040150C  call 00401638
:00401511  add esp, 0000000C
 
[After cracking] :
:0040150C  mov al, 01
:0040150E  nop
:0040150F  nop
:00401510  nop
:00401511  add esp, 0000000C

Use HIEW to do this...hope you know how...otherwise: mail me :)
The file offset of the call is 0B0C.
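Looking at this from the other side (an added example, not part of the original tutorial and not Partit's code): the whole protection hangs on one 5-byte call site, so a self-check or a forensic file comparison that verifies every CALL to 00401638 is still intact would catch exactly this patch. The C below decodes E8 rel32 calls and scans a constructed image built from the bytes in the listings above; the image layout and size are my assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define VALIDATOR_VA 0x00401638u   /* the serial-check routine from the listing */

/* Decode a 5-byte near relative CALL (opcode E8 rel32) at virtual address va.
 * Returns the target, or 0 when the bytes are not an E8 call at all. */
uint32_t decode_call_target(const uint8_t *code, uint32_t va) {
    if (code[0] != 0xE8) return 0;
    uint32_t rel = (uint32_t)code[1] | ((uint32_t)code[2] << 8) |
                   ((uint32_t)code[3] << 16) | ((uint32_t)code[4] << 24);
    return va + 5 + rel;   /* rel32 is signed; unsigned wrap-around gives the same result */
}

/* Integrity check for one call site: is it still a CALL to the expected routine? */
int call_site_intact(const uint8_t *code, uint32_t va, uint32_t expected) {
    return decode_call_target(code, va) == expected;
}

/* Count every E8 in an image whose target is `target`.  This is a linear byte
 * scan, so an E8 inside data or mid-instruction can give a false hit; confirm
 * hits in a disassembler before acting on them. */
size_t count_calls_to(const uint8_t *image, size_t size, uint32_t base_va, uint32_t target) {
    size_t hits = 0;
    for (size_t off = 0; off + 5 <= size; ++off)
        if (decode_call_target(image + off, base_va + (uint32_t)off) == target) ++hits;
    return hits;
}

/* Constructed image (assumption, not the real file): zero-filled, with the two
 * validator call sites from the listings placed at their real distance apart. */
#define IMAGE_BASE 0x0040150Cu
#define IMAGE_SIZE 0x1200u
static const uint8_t CALL_40150C[5] = {0xE8, 0x27, 0x01, 0x00, 0x00}; /* call 00401638 */
static const uint8_t CALL_4026A0[5] = {0xE8, 0x93, 0xEF, 0xFF, 0xFF}; /* call 00401638 */
static const uint8_t PATCHED[5]     = {0xB0, 0x01, 0x90, 0x90, 0x90}; /* mov al,01 ; nop x3 */

void build_image(uint8_t *image, int apply_patch) {
    memset(image, 0, IMAGE_SIZE);
    memcpy(image + (0x0040150Cu - IMAGE_BASE), apply_patch ? PATCHED : CALL_40150C, 5);
    memcpy(image + (0x004026A0u - IMAGE_BASE), CALL_4026A0, 5);
}

/* Number of intact calls to the validator: 2 in the original, 1 after the patch. */
size_t intact_validator_calls(int apply_patch) {
    uint8_t image[IMAGE_SIZE];
    build_image(image, apply_patch);
    return count_calls_to(image, IMAGE_SIZE, IMAGE_BASE, VALIDATOR_VA);
}
```

The same decoder, pointed at a file on disk instead of the constructed buffer, gives a quick "has the call site at 0B0C been touched" answer for a known-good copy.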

So....that's it! :-)

 4. Outtro
 ~~~~~~~~~

All greets go to the EVC-members: Magic Mike, sn00pee, Incredible Fighter, 
SiGMA, r!sc and otherz i forgot :)
Do I have to remind you that you should buy the program? Hehe, i just did :p
Visit my anti-virus homepage (no cracking page) at http://myplace.to.be/blackb
I'm searching for a website provider that allows cracking content, to put my
cracking site on...if anyone can help me...thx :-)

BlackB
[EVC] 1999
