
Cracking With Kurapica

Using Reflector and Ildasm to Crack WinXP Manager 5.1.2

(Program can be downloaded from http://www.yamicsoft.com)

Hi, welcome to a new cracking tutor. Our target today is called WinXP Manager; it's a nice collection of utilities that help you tweak your OS.

Actually, cracking targets are still rare, and that's why we don't see many tutorials on .NET cracking. Anyway, I won't keep you long; let's get moving.

Please make sure you have the following tools before we begin.

• Reflector : www.aisto.com/roeder/dotnet
• Ildasm : installed with Visual Studio
• CFF Explorer : www.NTcore.com

1. Install the target on your PC, but before you open it in Reflector you must run it to see the kind of protection used here. The first thing you will see is the nag screen telling you that you still have 15 days left and that you can still try the software; click "Try it" to start the application. After the main window appears, click the "About" button to reach the registration form, then click "Buy and register" and you will be there.

As you can see this is a Cinderella protection, which means that you have a name and serial to enter. This leaves us two methods of cracking this target: we can use patching, or we can make a keygen for it. I will explain only patching and leave the keygen for you.

2. OK, now as I said before, the most important thing about cracking .NET applications (I mean executables here) is to find the entry point method, so that you can start tracing the protection scheme implemented in that target. Open the target in Reflector, right click the WinXP Manager assembly node and click "Go to entry point". Reflector will take you to a class called "Load", where you will find a method called "Main"; clearly this is the starting point for this target, so double click it to see the disassembly of its code.
3. One thing worth mentioning here is that we have no protection for this assembly: no obfuscation, no packing, and this is as common as a 25-year-old virgin. Look at the disassembly of the method "Main" and analyze it carefully to find where the application checks for the license.

Nothing is interesting here until we reach the line I surrounded with a red rectangle. This line sets a value for "RemainDays", which is a string variable; "DetermineRegistered" is a string-returning function which returns one of two values, either "Registered" or "Expired". After that line you see the software comparing "RemainDays" with a string, and if it's equal then a variable called "IsRegistered" is set to true.

Patching

Here I will use patching: we will make sure that the function "DetermineRegistered" always returns "Registered". Now click the "DetermineRegistered" function to see its code.

There is a new Boolean-returning function here called "Registered" which determines the value returned from this function. If we can make the function "Registered" always return true, then this function will always return the "Registered" string, and that's what we want.

How to do that?

One of my previous tutorials discussed inverting Boolean-returning functions, and that's our goal now: we will change the first two bytes of the "Registered" function to make it always return true. But first we have to find the file offset for the function bytes; I explained that in previous tutors too, but I will do it again here.

The "Registered" function is not located in the main


program assembly, if you check Reflector you will find it
in an assembly called "PCL.dll", so this is the file we
will patch, open this file in Ildasm and find the
"Registered" function node.
Make sure you have checked the "Show bytes" option in
Ildasm and then double click this node to see its code, at
the beginning of the code listing you will see a line
telling us about the RVA offset for this function and this
is what we want to know from Ildasm.

Method begins at RVA 0x5c84

Now close Ildasm and open "PCL.dll" in CFF Explorer; we will use the address converter in CFF Explorer to find the file offset for this function.

Cool! This leads to the first byte of the method body. Now move 12 bytes to bypass the header of that function and you will be standing at the first byte of the method bytes, at offset 0x00004C90.

Use CFF Explorer or your favorite hex editor to change the first 2 bytes here, which are 00,28, to 17,2A, and that's all. Now open the main program again and there is no nag screen this time. BTW, I included the keygen code with this tutor for those interested.
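The two numbers in the last steps follow from the CIL method body format and the IL opcode table: a fat method header is 3 dwords, which is the 12-byte skip, while a tiny header is a single byte (so the skip would be 1 for a tiny-header method), and 17 2A is ldc.i4.1 followed by ret. The script below is an added example written for this page, not the tutor's own code or any of the tools it names. It reproduces on a constructed in-memory image what CFF Explorer's address converter and Ildasm's "Show bytes" view do, then runs the check a defender would run on a shipped assembly: does a Boolean method begin with a constant-return stub? The section table, the method body bytes and the metadata tokens are constructed; the section table is chosen so that the RVA and file offset match the ones above.

```python
import struct

# Constructed section table: (name, virtual_address, virtual_size, raw_pointer, raw_size).
# The .text entry is chosen so that RVA 0x5C84 maps to file offset 0x4C84, as in the tutorial.
SECTIONS = [
    (".text", 0x2000, 0x4000, 0x1000, 0x4000),
    (".rsrc", 0x6000, 0x0400, 0x5000, 0x0400),
]

def rva_to_file_offset(sections, rva):
    """Map an RVA to a raw file offset via the section that contains it
    (this is the calculation CFF Explorer's address converter performs)."""
    for _name, va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return raw_ptr + (rva - va)
    raise ValueError(f"RVA {rva:#x} is not inside any section")

# CIL method header kinds (ECMA-335 II.25.4): the low two bits of the first byte.
CIL_TINY, CIL_FAT = 0x2, 0x3

def parse_method_header(data, offset):
    """Return (kind, code_offset, code_size) for the method header at `offset`.
    A tiny header is 1 byte; a fat header is normally 3 dwords = 12 bytes,
    which is where the tutorial's "move 12 bytes" comes from."""
    first = data[offset]
    if first & 0x3 == CIL_TINY:
        return "tiny", offset + 1, first >> 2
    if first & 0x3 == CIL_FAT:
        flags_and_size, _max_stack, code_size, _locals_tok = struct.unpack_from("<HHII", data, offset)
        header_bytes = (flags_and_size >> 12) * 4   # size field is in dwords
        return "fat", offset + header_bytes, code_size
    raise ValueError(f"no CIL method header at {offset:#x}")

# IL opcodes involved: 0x00 nop, 0x28 call, 0x16 ldc.i4.0, 0x17 ldc.i4.1, 0x2A ret.
LDC_I4_0, LDC_I4_1, RET = 0x16, 0x17, 0x2A

def is_constant_bool_stub(data, code_offset):
    """Tamper check: a Boolean method whose body starts with 'ldc.i4.0/1; ret'
    has been reduced to a constant, the fingerprint of an inverted check."""
    return data[code_offset] in (LDC_I4_0, LDC_I4_1) and data[code_offset + 1] == RET

def build_image(body, rva=0x5C84):
    """Constructed image: a fat header for one method at `rva`, followed by `body`."""
    img = bytearray(0x5400)
    hdr = rva_to_file_offset(SECTIONS, rva)
    # Flags 0x13 (fat | init locals) in the low 12 bits, header size 3 dwords in the high
    # 4 bits; max stack 8 and the locals token 0x11000001 are constructed placeholders.
    struct.pack_into("<HHII", img, hdr, (3 << 12) | 0x13, 8, len(body), 0x11000001)
    img[hdr + 12 : hdr + 12 + len(body)] = body
    return bytes(img)

# Constructed bodies with the shape the tutorial describes before and after the two-byte change.
ORIGINAL_BODY = bytes([0x00, 0x28, 0x01, 0x00, 0x00, 0x06, 0x2A])  # nop; call 0x06000001; ret
PATCHED_BODY = bytes([0x17, 0x2A, 0x01, 0x00, 0x00, 0x06, 0x2A])   # ldc.i4.1; ret; (dead bytes)

def inspect_method(image, rva=0x5C84):
    """Resolve the RVA, parse the header and report whether the body is a constant stub."""
    hdr = rva_to_file_offset(SECTIONS, rva)
    kind, code_off, size = parse_method_header(image, hdr)
    return {"header": kind, "header_offset": hdr, "code_offset": code_off,
            "code_size": size, "constant_return": is_constant_bool_stub(image, code_off)}

if __name__ == "__main__":
    for label, body in (("original", ORIGINAL_BODY), ("patched", PATCHED_BODY)):
        print(label, inspect_method(build_image(body)))
```

On a real assembly the section table comes from the PE section headers (a library such as pefile reads them) and the method RVA from the MethodDef table; the header parser and the stub check apply unchanged, and the tiny-header branch is the case where skipping 12 bytes would land inside the code rather than at its start.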

THE END

Greets: UFO-PU55Y, LibX, RETEAM, SnD, ARTeam, Lz0

This tutor and all other works can be found @ www.reteam.org\board

Kurapica

Thursday, February 28, 2008
