Cracking With Kurapica

Using Reflector and Ildasm to Crack WinXP Manager 5.1.2
(The program can be downloaded from http://www.yamicsoft.com)

Hi, welcome to a new cracking tutor. Our target today is called WinXP Manager; it's a nice collection of utilities that help you tweak your OS. Actually, .NET cracking targets are still rare and that's why we don't see many tutorials on .NET cracking. Anyway, I won't keep you long, let's get moving.

Please make sure you have the following tools before we begin.
• Reflector : www.aisto.com/roeder/dotnet
• Ildasm : installed with Visual Studio
• CFF Explorer : www.NTcore.com

1. Install the target on your PC, but before you open it in Reflector you must run it to see the kind of protection used here. The first thing you will see is the nag screen telling you that you still have 15 days left and that you can still try the software. Click "Try it" to start the application. After the main window appears, click the "About" button to reach the registration form, then click "Buy and register" and you will be there.


As you can see this is a Cinderella protection, which means that you have a name and serial to enter. This leads us to cracking this target in one of two ways: we can use patching, or we can make a keygen for it. I will explain only patching and leave the keygen for you.

2. Ok, now as I said before, the most important thing about cracking .NET applications (and I mean executables here) is to find the entry point method so that you can start tracing the protection scheme implemented in that target. Open the target in Reflector, right click the WinXP Manager assembly node and click "Go to entry point". Reflector will redirect you to a class called "Load" where you will find a method called "Main". Clearly this is the starting point for this target, so double click it to see the disassembly of its code.

3. One thing worth mentioning here is that we have no protection for this assembly, no obfuscation, no packing, and this is as common as a 25-year-old virgin. Look at the disassembly of the method "Main" and analyze it carefully to find where the application checks for the license.

Nothing is interesting here until we reach the line I surrounded with a red rectangle. This line sets a value for "RemainDays", which is a string variable; "DetermineRegistered" is a string-returning function which returns one of two values, either "Registered" or "Expired". After that line you see the software comparing "RemainDays" with a string, and if it's equal then a variable called "IsRegistered" is set to true.

Patching
Here I will use patching: we will make sure that the function "DetermineRegistered" always returns "Registered". Now click the "DetermineRegistered" function to see its code.

There is a new Boolean-returning function here called "Registered" which determines the value returned from this function. If we can make the function "Registered" always return true, then this function will always return the "Registered" string, and that's what we want. How do we do that? One of my previous tutorials discussed inverting Boolean-returning functions, and that's our goal now: we will change the first two bytes of the "Registered" function to make it always return true. But first we have to find the file offset for the function bytes. I explained that in previous tutors too, but I will do it again here. The "Registered" function is not located in the main program assembly; if you check Reflector you will find it in an assembly called "PCL.dll", so this is the file we will patch. Open this file in Ildasm and find the "Registered" function node.

Make sure you have checked the "Show bytes" option in Ildasm and then double click this node to see its code. At the beginning of the code listing you will see a line telling us the RVA of this function, and this is what we want to know from Ildasm:

Method begins at RVA 0x5c84

Now close Ildasm and open "PCL.dll" in CFF Explorer; we will use the address converter in CFF Explorer to find the file offset for this function.

Cool! This leads to the first byte of the method header. Now move 12 bytes forward to skip the (fat) header of that function and you will be standing at the first byte of the method's IL bytes, at file offset 0x00004C90. Use CFF Explorer or your favorite hex editor to change the first 2 bytes here, which are 00,28, to 17,2A (ldc.i4.1 followed by ret, i.e. "return true") and that's all. Now open the main program again and there is no nag screen this time. BTW, I included the keygen code with this tutor for those interested.
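The two mechanical steps above (RVA to file offset through the section table, then skipping the CIL method header to reach the IL) are what CFF Explorer does for you. The script below is an added example, not part of this tutor or of WinXP Manager, written as the kind of integrity check a defender or auditor would run over a shipped assembly: it parses the PE section headers, maps an RVA to a file offset, reads the tiny/fat CIL method header, and reports whether a method body has been forced to "return true" (the ldc.i4.1 / ret pair). The sample PE bytes are constructed in memory; the section values (.text at RVA 0x2000, raw offset 0x1000) are assumptions chosen so that RVA 0x5c84 maps to file offset 0x4c84, matching the numbers in the tutor.

```python
import struct

LDC_I4_1, RET = 0x17, 0x2A  # IL opcodes: push int 1, return


def section_table(data: bytes):
    """Return (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData) per section."""
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)       # COFF NumberOfSections
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)  # COFF SizeOfOptionalHeader
    first = e_lfanew + 24 + opt_size                           # first IMAGE_SECTION_HEADER
    secs = []
    for i in range(nsec):
        name, vsize, va, rawsize, rawptr = struct.unpack_from("<8sIIII", data, first + 40 * i)
        secs.append((name.rstrip(b"\0").decode(), vsize, va, rawsize, rawptr))
    return secs


def rva_to_file_offset(data: bytes, rva: int) -> int:
    """Same arithmetic as CFF Explorer's address converter: offset = rva - VA + PointerToRawData."""
    for _name, vsize, va, rawsize, rawptr in section_table(data):
        if va <= rva < va + max(vsize, rawsize):
            return rva - va + rawptr
    raise ValueError(f"RVA {rva:#x} is not inside any section")


def locate_il(data: bytes, rva: int):
    """Return (il_file_offset, header_length, code_size) for the CIL method at `rva`."""
    off = rva_to_file_offset(data, rva)
    kind = data[off] & 0x3
    if kind == 0x2:                       # tiny header: 1 byte, code size in the upper 6 bits
        return off + 1, 1, data[off] >> 2
    if kind == 0x3:                       # fat header: size in dwords lives in the top 4 bits
        flags_size, = struct.unpack_from("<H", data, off)
        hdr_len = (flags_size >> 12) * 4  # normally 3 dwords = the 12 bytes the tutor skips
        code_size, = struct.unpack_from("<I", data, off + 4)
        return off + hdr_len, hdr_len, code_size
    raise ValueError(f"no CIL method header at file offset {off:#x}")


def starts_with_forced_true(data: bytes, rva: int) -> bool:
    """Integrity heuristic: a Boolean method whose IL begins ldc.i4.1; ret has been short-circuited."""
    il_off, _hdr, _size = locate_il(data, rva)
    return data[il_off] == LDC_I4_1 and data[il_off + 1] == RET


def build_sample(il_prefix: bytes) -> bytes:
    """Constructed minimal PE image (not a real DLL) with one fat method at RVA 0x5c84."""
    buf = bytearray(0x6000)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                      # e_lfanew
    buf[0x80:0x84] = b"PE\0\0"
    # COFF: Machine, NumberOfSections, TimeDateStamp, PtrToSymTab, NumSyms, SizeOfOptionalHeader, Chars
    struct.pack_into("<HHIIIHH", buf, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x0102)
    sect = 0x84 + 20 + 0xE0                                      # = 0x178, first section header
    struct.pack_into("<8sIIII", buf, sect, b".text", 0x4000, 0x2000, 0x4000, 0x1000)
    hdr = 0x4C84                                                 # file offset of RVA 0x5c84
    struct.pack_into("<HHII", buf, hdr, 0x3013, 8, 0x20, 0x11000001)  # fat header: flags|size, maxstack, codesize, localsig
    buf[hdr + 12:hdr + 12 + len(il_prefix)] = il_prefix
    return bytes(buf)


# Constructed IL prefixes: the original "nop; call ..." bytes and the forced-true variant.
ORIGINAL = build_sample(b"\x00\x28\x01\x00\x00\x06")
PATCHED = build_sample(b"\x17\x2A\x01\x00\x00\x06")

if __name__ == "__main__":
    for label, img in (("original", ORIGINAL), ("patched", PATCHED)):
        il_off, hdr_len, code_size = locate_il(img, 0x5C84)
        print(f"{label}: IL at {il_off:#x} (header {hdr_len} bytes, {code_size} bytes of code), "
              f"forced true = {starts_with_forced_true(img, 0x5C84)}")
```

Run it as-is to see both images classified; point `locate_il` at a real assembly's bytes and the RVA that Ildasm prints to apply the same check to shipped code. Note that this only catches the crude two-byte patch; a check that hashes whole method bodies against a signed manifest is the robust version of the idea.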

THE END
Greets: UFO-PU55Y, LibX, RETEAM, SnD, ARTeam, Lz0
This tutor and all other works can be found @ www.reteam.org\board

Kurapica
Thursday, February 28, 2008