...when I wanted to send this tutorial to you I realized that somebody 
(The_Rude_Boy) already published an essay on the same target (rudeboy.htm).
Well at first I thought "Now my tut is worthless!". Yet, when I was done 
reading Rudeboy's tut I realized that my tut could be quite good and interesting 
after all... (sorry Rude_Boy)... Especially (but not only) for beginners... 
You better read it to believe it... 

rezel
ronnrezel@hotmail.com


-------------------------------------------------------------------
A correction/addition to RudeBoy's essay
How to Crack PolyView V2.9.0 (and any other version as well)
By ReZeL
-------------------------------------------------------------------

1) Introduction;
   Well, first of all I would like to thank +0RC, fravia+, Lordcaligo, 
   Ed!son, +Natzgul and all of you guys that wrote great tutorials. 
   Please keep up the good work!

2) What's needed for this cracking session;
   Target Program: Polyview V2.9.0 (http://www.polybytes.com)
   This program is an image viewer and coversion tool for windoze95 and NT.
   Tools  : 1) Our beloved Softice (I used V3.2 for windoze95)
               - This is the best debugger so far (Thanks NuMega!)
            2) W32dsm diassembler (I used W32dsm V8.9)
               - This is IMO the best windows disassembler so far 
            3) Hexworkshop or any other hexeditor
               - Which one doesn't matter, as long as you can hexedit the 
                 file for "permanent" cracking... if you wish.

3) The Main Part
   Now let the fun begin...

   Step 1:
   Run the program (polyview) and you'll see the pretty pictre of a parrot
   with the "UNREGISTERED" string written onto it. I assume you already
   know how to use softice (if not than go get it and read Ed!son excellent
   manual on windoze95 cracking).

   Step 2:
   Go to registration and license registration. Enter the name and license #
   mine goes like this . Licensee: ReZeL   License number: 1122334455 (this
   is my lucky number :).

   Step 3:
   Enter softice (Ctrl-D), now you are into softice. There are a lot of
   ways to fish the proctection scheme. you can bpx on hmemcpy for example, or
   getdlgitemtexta,getwindowtexta and so on (Get +Orc and Ed!son tutorials
   to learn how to do a good protection scheme fishing). OK! I save you the
   work bpx getwindowtext will do the job.
   Strange as it may seems, though this application is for window 95 yet the
   bpx getwindowtextA (32 bit app won't work here)

   Step 4:
   Press Ctrl-D to get back to the application. Press "OK" and you'll be
   back into Softice. Press F12 until you get to the caller of this function.
   You and scroll up (Ctrl- arrow) will see some code as belows:
           .
           .
      014f:004988909    50             push eax
      014f:0049890a     ff7508         push dword ptr [ebp+08]
      014f:0049890d     ff157c9e4e00   Call [user32!getwindowtexta]
      014f:00498913     3bc6           cmp eax,esi
      014f:00498913     7514           jnz 0049892b
           .
           .
    Note: The segment (014f may not be the same on your system hence
    remember your real segment as it will be used later on..

   You can step through the function if you want! bu I prefer using our
   second tool now!!!!

   Step 5:
   do bd 0 to disable the bpx we set before and proceed with Ctrl-D , you
   will get the window with "registration unsuccessful. please bla bla bla....
   don't be so bad you will crack that in a minute or two. Well, we'll
   see..

   Step 6:
   Fire up w32dsm89 now and open the polyview.exe file. Save that file as
   project so you won't lost precious time again to disassemble it in
   future.
   Look at all string references. Search for Register unsuccesful, double click
   on it will bring the cursor to the possible reference. Scroll up and look
   who brought you there and you'll se reference to the conditional jump at
   00434d79.
       
   Check 00434d79 and a little bit above (we want to know what's going
   on before the code do the jump at 00434d79 don't we?). You'll se the code
   as follows:
                              .
                              .
      00434d65  8b0f            move ecx,dword ptr [esi+00000168],eax
      00434d67  50              push eax  <===== Your fake key here
      00434d68  51              push ecx  <===== Your handle here
      00434d69  898668010000    mov dword ptr [esi+00000168],eax
      00434d6f  e83c0bffff      call 004258b0 <==== We want to trace this call
      00434d74  83c408          add esp,00000008
      00434d77                  test eax,eax
      00434d79                  je 00434e1c      <==== This is the reference
      00434d7f  3beb            cmp ebp,ebx            to the "Register
                                                       unsuccesful" string
   well now, you see before that conditional jump there is a call to 00425b0
   yess... something fishy is going on. But if you just change the je to jne
   you need to deal with the other conditional jump before you reach the
   "register successful" string (refer to disassembler). Hence it is not an 
   effective way to crack (which I didn't do :) at least before i proceed with
   inspection of the suspicious caller.

   Step 7:

   Run the polyview again and repeat step 1 to step 4, now you are ready to
   debug the application again. After step 4, this is what you need to do

   bd 0 (disable the breakpoint) and do G 014f:434d65 (You did remember the
   offset did you?) and you'll break at just exactly before the calling function.
   Now what we gonna do is tracing the "Caller" so do f10 until you step on the
   call 004258b0 and do T to trace it....

   Now this is what you'll see in the call code:

       014f:004258b6  6aff            push ff
       014f:004258b8  6868364b00      push 004b3660
       014f:004258bd  50              push eax
       014f:004258be  64892500000000  mov FS: [00000000],esp     ;fs:000000=0105f9fc
       014f:004258c5  83ec08          sub esp,08
       014f:004258c8  53              push ebx
       014f:004258c9  55              push ebp
       014f:004258ca  56              push esi
       014f:004258cb  57              push edi
       014f:004258cc  8b7c2428        mov edi,[esp+28]
       014f:004258d0  6890284e00      push 004e2890
       014f:004258d5  57              push edi
       014f:004258d6  e8c5000000      call 004259a0
       014f:004258db  8b5c2434        mov ebx,[esp+34]
       014f:004258df  83c408          add esp,08
       014f:004258e2  3bc3            cpm ebx,eax
       014f:004258e4  7518            jnz 004258fe

   now you see that the last jump (jnz 004258fe) is the one who say that
   you key are good or bad. How to know the good key? well, you just need to do
   ?ebx and you'll see the number string (this is the real key). To confirm
   this you do ?eax and you'll see in my case '1122334455' string which is
   my fake key. Yess!!! that picture of parrot no more will have the
   unregistered string on it.........
        For me the key will be 302477010 (if ?eax  give you leading zeros
   just ignore it , i,e: ?ebx you get 0302477010 then the key will be 302477010
   also please ignore the negative number if any)

   Now, if you want to make the 'keymaker' simply trace the code "of.class" tppabs="http://fravia.org/of.class" the first
   caller (4258b0) until the comparison which is i'm pretty sure the real
   key generator given your name as reference.

   Step 8:

   Now you want to crack this application for good isn't it? What you
   should do?
   Hexeditor come in handy to patch the jump from jnz to jz (now anything you
   enter EXCEPT the real key will register the application) . So search the
   string in hexworkshop for 83c4083bc37518 and before you change 75 byte to 74 byte
   please do search again to make sure there is only one place in the app which
   same as your search string.
   what you need to do is patch 83c4083bc37518 to 83c4083bc37418. Now your patch
   is done.
    Enjoy!
4) Reading Suggestion;

   Cracking Manuals:
         * +Orc cracking tutorial (all of them) go and grab it!
         * Ed!son cracking manual for Windoze95
         * Uncle Joe handbook
         * +Orc student's essays (quite a lot!)
         * CBD tutorial
         * and all other tutorials (too many too list)
   Assembly Manual:
         * Assembly tutorial from Guadalajara and Yale university
         * Others (there is a lot of information you can get for free on
           the net)
   Tools Manual:
         * Softice Manual by NuMega


5)Outro
   Greet goes to (in no particular order):
         
+Orc, fravia+, Lordcaligo, Ed!son, +Natzgul, Odin, Razzia, +X0anon, +Greythorne
st0ne, TKC, CBD, ^pain^, the rest of the +Crackers and all other nice and clever 
crackers who realease their tutorials to the scene.
          Knowledge is power.....Only when we use it!! 

   Note: 1. The real key won't be obsolete and can be used for all future
         versions (as polybyte claims in the help file)
         2. The software can be unregistered by re-register it with false
         key so you can try to register it with other name to prove that's it
         is working
	 3. Do not STEAL this target! If you use it other than for cracking and 
	 protection studying purposes, register it. If you want to steal this program, 
         this is a long (and useless) way to do it: just download it, already regged, 
	 from a stupid warez site and beggar off.

   That's it guys...
   sign off in peace
   ReZeL
   

homepage links search_forms +ORC students' essays academy database
reality cracking how to search javascript wars
tools anonymity academy cocktails antismut CGI-scripts mail_fravia+
Is reverse engineering legal?