Firehand Ember by the intruder Mexelite'97

Please send your comments to devils_cave@hotmail.com

I would like to thank nIabI, JosephCo, SasbeJr, Sice_boy, Drlan and others I don't remember now. Thanks guys! Please excuse my English!

Firehand Ember is an image file manager for Windows; u can get it at www.firehand.com. This proggie only allows 40 sessions, and in the beginning a dialog box pops up telling u the number of the current session. U can register this one, but I'll use a different approach coz I have been seeing a lot of newbies that are only able to crack proggies using 'getdlgitemtext' and 'getwindowtext', and I hope this tute will give them another perspective about cracking.

To crack this one u will need Soft-ICE, W32Dasm (or other), a hex editor and Win-eXpose-Registry (this is a great tool, this baby will log every access to the registry. Get it at http://www.shetef.com/ ).

So let's cut the crap and start working!!!

So Ember is already installed, and when u run it u can see the nag telling u "Evaluation session XX of 40". After running out of evaluation sessions the nag will tell u that your evaluation period is over and u should register, but it will still be fully functional (not sure). Even if u install it again it will remember the session number, hmm... so the proggie is keeping the number of sessions somewhere, but where?

First thing to do is to check whether the uninstall routine left any file behind. Check c:\windows for ember32.ini or something.... nothing. So let's check the registry to see if the installation left any key with the number of sessions. Run Win-eXpose-Registry and then run Ember. WOW, a lot of registry accesses, but all we want is Ember32's registry accesses, so choose Filters, check the box 'Report only one task registry ....' and clear all registry operations except Query Key Value and Query Key Value Ex, coz these are the operations that read the value of a registry key.
Then check out all the strange keys that appeared in Win-eXpose, hmm... what is this?

    LOCAL \ SOFTWARE \ MICROSOFT \ CURRENTVERSION \ MSOFC \ SLC
    LOCAL \ SOFTWARE \ MICROSOFT \ CURRENTVERSION \ MSOFC \ SC

Check out these two keys. Now use your registry editor (C:\WINDOWS\Regedit.exe), open these keys and run Ember32 a couple of times. Ahh, LOCAL \ SOFTWARE \ MICROSOFT \ CURRENTVERSION \ MSOFC \ SC: the SC key has a value like 0xfffffffe, and each time I run Ember32 the value decreases by one. So now we know which key is being used.

Now quickly disassemble Ember32.exe with your favorite disassembler. Now look for RegQueryValue and RegQueryValueEx; it's the last one that is being used.

    LONG RegQueryValueEx(
        HKEY    hKey,           // handle of key to query
        LPTSTR  lpszValueName,  // address of name of value to query
        LPDWORD lpdwReserved,   // reserved
        LPDWORD lpdwType,       // address of buffer for value type
        LPBYTE  lpbData,        // address of data buffer
        LPDWORD lpcbData        // address of data buffer size
    )

So load Ember into sice and 'bpx RegQueryValueExA', now run it! Each time sice pops up press F11 to get out of the call, then check the 5th push to see the key name; after some calls u'll find our key name 'SC'. Now bpx just before the call and run the proggie again; now check the 2nd push and u'll get the mem location where the value is going to be stored.
Now just bpr that mem location and press CTRL+D; then sice pops up and u'll be inside the compare routine:

    :0040CAC3 8B442410      mov eax, [esp + 10]      ;eax=SC key value
    :0040CAC7 F7D0          not eax                  ;now eax=number of sessions run
    :0040CAC9 83F801        cmp eax, 00000001        ;compare with 1
    :0040CACC 7C17          jl 0040CAE5              ;jump if lower
    :0040CACE 8B8F58020000  mov ecx, [edi+00000258]
    :0040CAD4 398F5C020000  cmp [edi+0000025C], ecx
    :0040CADA 7C13          jl 0040CAEF
    :0040CADC 40            inc eax                  ;increment eax->session number update
    :0040CADD 898758020000  mov [edi+00000258], eax  ;store eax for later check

Now let's check where mem location edi+00000258 is read: bpr that mem location for reading, then CTRL+D and u'll be inside the following code:

    :0040B3EE 8B9758020000  mov edx, [edi+00000258]  ;load edx with number of current session
    :0040B3F4 83E002        and eax, 00000002        ;trash
    :0040B3F7 31442434      xor [esp + 34], eax      ;trash
    :0040B3FB 8BC1          mov eax, ecx             ;trash
    :0040B3FD 33442434      xor eax, [esp + 34]      ;trash
    :0040B401 83E004        and eax, 00000004        ;trash
    :0040B404 31442434      xor [esp + 34], eax      ;trash
    :0040B408 39975C020000  cmp [edi+0000025C], edx  ;cmp current session with [edi+0000025C]= 28h = 40 decimal
    :0040B40E 7D10          jge 0040B420             ;jump if greater or equal

Got it? Let's move on, just press CTRL+D and sice pops up again. Here's the code:

    :0040B58D 8B875C020000          mov eax, [edi+0000025C]                 ;eax=28h=40d
    :0040B593 8B8F58020000          mov ecx, [edi+00000258]                 ;ecx=current session number
    :0040B599 C7878002000001000000  mov dword ptr [edi+00000280], 00000001
    :0040B5A3 3BC1                  cmp eax, ecx                            ;compare
    :0040B5A5 7D0C                  jge 0040B5B3                            ;jump if greater or equal

Hmm... how do we crack it? There are many ways. It seems to me that the best way to crack this one is to change both jge to jmp; this way, no matter what session, the program will always run the way u want. So change:

    :0040B40E 7D10  jge 0040B420
to
    :0040B40E EB10  jmp 0040B420
and
    :0040B5A5 7D0C  jge 0040B5B3
to
    :0040B5A5 EB0C  jmp 0040B5B3

Now just use your hex editor and patch it.
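The counter logic recovered from the three listings above, modelled in C as an added example (this is not code from the tutorial or from Firehand Ember; the function names are mine, the 40-session limit and the NOT encoding come from the listings, and what the jl to 0040CAE5 does is an assumption since that code is not shown). It makes explicit why the SC value goes down by one per run and when the two jge checks fall through to the expired path:

```c
#include <stdint.h>
#include <stdio.h>
/* Evaluation limit from the listings: [edi+25C] holds 28h = 40. */
#define EMBER_SESSION_LIMIT 40

/* "not eax": the SC DWORD is the one's complement of the number of
 * sessions already used (0xFFFFFFFE -> 1). Signed, since "jl" is used. */
int32_t sessions_used_from_key(uint32_t sc_value) {
    return (int32_t)~sc_value;
}

/* "cmp eax,1 / jl": below 1 takes the branch to 0040CAE5, which the
 * tutorial does not show; assumed here to mean "no usable counter yet". */
int key_is_uninitialized(uint32_t sc_value) {
    return sessions_used_from_key(sc_value) < 1;
}

/* "inc eax": the session being started is one more than the count used. */
int32_t current_session(uint32_t sc_value) {
    return sessions_used_from_key(sc_value) + 1;
}

/* Re-encoding the incremented count for storage: the stored value goes
 * DOWN by one per run, which is exactly what Regedit showed. */
uint32_t key_after_run(uint32_t sc_value) {
    return ~(uint32_t)current_session(sc_value);
}

/* "cmp [edi+25C], edx / jge": still in evaluation while limit >= session. */
int trial_expired(uint32_t sc_value, int32_t limit) {
    return current_session(sc_value) > limit;
}

/* How many more starts succeed before the expired path is taken. */
int runs_remaining(uint32_t sc_value, int32_t limit) {
    int count = 0;
    while (!trial_expired(sc_value, limit) && count <= limit) {
        count++;
        sc_value = key_after_run(sc_value);
    }
    return count;
}

int main(void) {
    uint32_t sc = 0xFFFFFFFEu;  /* constructed: the value seen in Regedit */
    printf("SC=0x%08X is session %d of %d, %d runs left\n", sc,
           current_session(sc), EMBER_SESSION_LIMIT,
           runs_remaining(sc, EMBER_SESSION_LIMIT));
    return 0;
}
```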
OK, the session counter is cracked; now for the nag. First thing to do is to search for strings used in the nag in your disassembled listing; let's search for 'evaluation', coz in the nag appears that horrible 'Evaluation session XX of 40'. I found a reference to this one right here:

    * Possible StringData Ref from Data Obj ->"Evaluation session %ld of %ld"
    |
    :0040CEAD 68B41E4300      push 00431EB4
    :0040CEB2 50              push eax
    * Reference To: USER32.wsprintfA, Ord:0249h
    |
    :0040CEB3 FF1590784300    Call dword ptr [00437890]
    :0040CEB9 8D4C2414        lea ecx, [esp + 14]
    :0040CEBD 8BB42498000000  mov esi, [esp + 00000098]
    :0040CEC4 83C410          add esp, 00000010
    :0040CEC7 51              push ecx
    :0040CEC8 68FB030000      push 000003FB
    :0040CECD 56              push esi
    * Reference To: USER32.SetDlgItemTextA, Ord:01DEh
    |
    :0040CECE FF1598784300    Call dword ptr [00437898]
    :0040CED4 6A00            push 00000000
    :0040CED6 56              push esi
    :0040CED7 E854080000      call 0040D730
    :0040CEDC B801000000      mov eax, 00000001
    :0040CEE1 5E              pop esi
    :0040CEE2 81C480000000    add esp, 00000080
    :0040CEE8 C21000          ret 0010

A 'ret 0010'... where r we going??? OK, load Ember into Soft-ICE again and bpx on 40CEE8 to find out from where this routine is being called. Now Soft-ICE pops up and we r inside the code; just press F8 to see where the hell u are. Damn, we r inside another call. Hehehe, fucking Win95, it's just a bunch of calls inside other calls. So just keep pressing F10 to step through the calls until u get back to the Ember32 code (just check the line that separates the code window from the command line). When u get back to Ember32 (this is the name of the Ember32.exe module) u will be inside the following code:

    :0040B5BF 6870CE4000            push 0040CE70
    :0040B5C4 56                    push esi
    :0040B5C5 6A7B                  push 0000007B
    :0040B5C7 53                    push ebx
    * Reference To: USER32.DialogBoxParamA, Ord:008Ah
    |
    :0040B5C8 FF1564774300          Call dword ptr [00437764]
    :0040B5CE C7878002000000000000  mov dword ptr [edi+00000280], 00000000   ;<--- HERE

WOW, it's DialogBoxParamA.
Check this out:

    int DialogBoxParam(
        HINSTANCE hInstance,      // handle of application instance
        LPCTSTR   lpTemplateName, // identifies dialog box template
        HWND      hWndParent,     // handle of owner window
        DLGPROC   lpDialogFunc,   // address of dialog box procedure
        LPARAM    dwInitParam     // initialization value
    )

Now how do we crack a nag? Well, we'll just nop the call, right? Yeah, but don't forget that after the call the stack pointer has a different value, and we don't want to cause a General Protection Fault (GPF), so the trick is to put in the stack pointer the same value that it would have after getting out of DialogBoxParamA. So just load the proggie again into Soft-ICE and bpx just before the call ('bpx 40b5c8'); when sice pops up just write down the ESP value (mine is 67F8A0), now press F10 to run the call and write down the new ESP value (my ESP=67F8B4). Now let's quickly crack it. Instead of:

    :0040B5C8 FF1564774300  Call dword ptr [00437764]

which is 6 bytes long, we will have:

    :0040B5C8 83C414  Add esp,14  ;this way we keep the final value of the stack
    :0040B5CB 44      Inc esp     ;do nothing
    :0040B5CC 4C      Dec esp     ;
    :0040B5CD 90      Nop         ;

which is 6 bytes long too. Now get in your hex editor and crack it!!!

Hope u enjoyed!!!!!