Reverse Engineering tutorial – How to crack Wondershare “Video Converter Ultimate 6.5.1”

As I want to keep things interesting on my blog, today I'll approach a topic that fascinates most nerds/geeks: reverse engineering! Many people would like to understand how the "magic" is done but can't, because most of the tutorials out there are outdated, which means their methods can't be applied to today's software. Fortunately I found a couple of programs I can use to teach and encourage people to get their hands dirty with software. This tutorial is for educational purposes only; the program was cracked a long time ago and I think there is no problem in teaching people how it was done (keep in mind that there are dozens of different ways to crack it!).

As you might imagine, there are some prerequisites before you start reading the tutorial. You should at least be familiar with Assembly language if you want to understand how the program works. There are many tutorials on the internet; a simple Google search will present you with tons of them.

Enough of useless conversation, let's start the real job.

Go to the Wondershare site (here) and download the free trial version of the program. Run the installer and install it. Usually the program is installed in C:\Program Files\Wondershare\Video Converter Ultimate (C:\Program Files (x86)\... on 64-bit systems). The first step before you can reverse it is to analyze its behavior. In this case we already know that it is a "trial version", so we should expect some kind of "buy" prompt after x days have passed. Open the program, add a video, select the format you want in the right pane and click "Convert". And the bad things start happening. Here is the image you should get on your screen:

As you can see there are a couple of limitations. To remove them we have two options: either we register the program with a registration key and an email, or we buy the program. Before I started writing this I had trouble with the first option (registration key). I was able to bypass the "wrong key" screen, but right after that the program rejected the key, saying it was a pirated key. Maybe it is still possible to work on that, but the second option is far easier! At this point we'll need a debugger. I've been using OllyDbg since my first day of Assembly, but you can use whichever one you want; just make sure you're comfortable working with it. If you want to follow the steps exactly like me, download it here (version 2.00). After you have downloaded the file, unzip it and open the program. Click here:

… and load the VideoConverterUltimate.exe file that is in the Wondershare folder. The exe must stay in the installation folder because it loads some DLL files from there.

My first guess before doing anything was to check all the strings in the program (the most basic method there is :p) and look for something that might take us somewhere useful. Off the top of my head I can only think of "register". On the disassembled output, left-click with your mouse, go to the "Search for" option, then "All referenced strings". A new window will pop up with the strings and the respective addresses where they are located. Left-click again (or Ctrl+F) and select "Search for text". Under "Search direction" select "Entire block" and tick the "Ignore case" option. Then type "register" and click "OK". You should see something similar to this:

Press Ctrl+L (next match) until you get something you think may help us crack the program. I found "UnRegistered" at address 0055F5D8. It may very well be a check done during startup. Double-click on it, and boom, we get interesting stuff. We're mainly interested in this:

CPU Disasm

Address   Hex dump          Command                                  Comments
0055F5BC  |.  E8 77C5F8FF   CALL 004EBB38
0055F5C1  |.  84C0          TEST AL,AL
0055F5C3  |.  74 10         JE SHORT 0055F5D5
0055F5C5  |.  8D45 FC       LEA EAX,[LOCAL.1]
0055F5C8  |.  8B55 E0       MOV EDX,DWORD PTR SS:[LOCAL.8]
0055F5CB  |.  8B52 08       MOV EDX,DWORD PTR DS:[EDX+8]
0055F5CE  |.  E8 3D6AEAFF   CALL 00406010
0055F5D3  |.  EB 0D         JMP SHORT 0055F5E2
0055F5D5  |>  8D45 FC       LEA EAX,[LOCAL.1]
0055F5D8  |.  BA 3CF75500   MOV EDX,0055F73C                         ; UNICODE "UnRegistered"
0055F5DD  |.  E8 A668EAFF   CALL 00405E88
0055F5E2  |>  8D55 D8       LEA EDX,[LOCAL.10]
0055F5E5  |.  33C0          XOR EAX,EAX

The instructions that first caught my attention were TEST AL,AL and the ones that follow. You should understand what the program is doing here.

The TEST AL,AL instruction ANDs the AL register with itself and, if the result is zero, sets ZF to 1; otherwise it clears it. TEST is pretty much an AND between two values whose result is thrown away, keeping only the flags. So why do we have a JE after a TEST rather than after a CMP (compare)? It's easy: JE (jump if equal) only looks at the state of ZF. If ZF=1 it jumps to 0055F5D5, otherwise the program continues with the next instruction.

Let's analyze things. If the JE is taken we're in trouble, because we land exactly on the "UnRegistered" code. If it is not taken, the program eventually executes the JMP at 0055F5D3, which jumps over the "UnRegistered" code. It seems we have all the ingredients we need. Basically, what we have to do is make sure the JE at 0055F5C3 is NOT taken. For that ZF must be 0; in other words, the result of TEST AL,AL can't be 0. How do we make that happen? The answer is in the instruction just above TEST AL,AL: the CALL jumps to 004EBB38, and at some point inside you'll find a RETN that returns execution to 0055F5C1 (AL then holds whatever that routine left in EAX). Select the CALL instruction and press Enter. You should now get this:

CPU Disasm

Address   Hex dump          Command                                  Comments
004EBB38  /$  53            PUSH EBX
004EBB39  |.  56            PUSH ESI
004EBB3A  |.  8BF0          MOV ESI,EAX
004EBB3C  |.  837E 0C 00    CMP DWORD PTR DS:[ESI+0C],0
004EBB40  |.  74 3B         JE SHORT 004EBB7D
004EBB42  |.  8B46 08       MOV EAX,DWORD PTR DS:[ESI+8]
004EBB45  |.  E8 9E9FF1FF   CALL 00405AE8
004EBB4A  |.  50            PUSH EAX                                 ; /Arg3
004EBB4B  |.  8B46 48       MOV EAX,DWORD PTR DS:[ESI+48]            ; |
004EBB4E  |.  E8 959FF1FF   CALL 00405AE8                            ; |
004EBB53  |.  50            PUSH EAX                                 ; |Arg2
004EBB54  |.  68 84BB4E00   PUSH 004EBB84                            ; |Arg1 = VideoConverterUltimate.4EBB84
004EBB59  |.  8B46 0C       MOV EAX,DWORD PTR DS:[ESI+0C]            ; |
004EBB5C  |.  E8 879FF1FF   CALL 00405AE8                            ; |
004EBB61  |.  8BC8          MOV ECX,EAX                              ; |
004EBB63  |.  8B56 20       MOV EDX,DWORD PTR DS:[ESI+20]            ; |
004EBB66  |.  8B46 1C       MOV EAX,DWORD PTR DS:[ESI+1C]            ; |
004EBB69  |.  E8 CAF8FFFF   CALL 004EB438                            ; \VideoConverterUltimate.004EB438
004EBB6E  |.  8BD8          MOV EBX,EAX
004EBB70  |.  84DB          TEST BL,BL
004EBB72  |.  75 0B         JNE SHORT 004EBB7F
004EBB74  |.  8BC6          MOV EAX,ESI
004EBB76  |.  E8 39FDFFFF   CALL 004EB8B4                            ; [VideoConverterUltimate.004EB8B4
004EBB7B  |.  EB 02         JMP SHORT 004EBB7F
004EBB7D  |>  33DB          XOR EBX,EBX
004EBB7F  |>  8BC3          MOV EAX,EBX
004EBB81  |.  5E            POP ESI
004EBB82  |.  5B            POP EBX
004EBB83  \.  C3            RETN

There you have the RETN, at 004EBB83. The program starts by pushing the EBX and ESI registers onto the stack. You should know that usually we do this when we want to run an inner loop, for example; when we want to process information in the outer loop we POP those registers. The interesting part is at 004EBB40, another JE instruction. If the JE is taken it jumps to 004EBB7D. XOR EBX,EBX sets the EBX register to 0. Then the value of EBX is copied to EAX and that value (0) is returned. That is EXACTLY what we don't want (the return value travels in EAX).

You probably already know how to fix this. We just need to force the JE instruction to be taken, and for that we can simply replace the JE with a JMP. Select the JE instruction and press Enter. Replace JE with JMP and press Enter again. The instruction should turn red, meaning it was edited. The program will now always jump to 004EBB7D. Now the last part: if we let the program execute XOR EBX,EBX the function returns 0, so we must place a different value in EBX. For that you can simply replace XOR EBX,EBX with MOV BL,1 (or any other non-zero number you want). With this EBX is 1, the program copies 1 to EAX, and the JE at 0055F5C3 is not taken.

Select this whole piece of code, left-click, Edit, Copy to executable. A new window will pop up; left-click again in that window and save the file (with a different name). Open that exe and voilà! The program assumes you bought it. Now you can convert unlimited videos without any limitations 🙂 Two instructions that can save you $60. In the next few days I'll write other posts showing how to crack other programs (and probably some games too).
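From the other side of the fence: the two edits above change only a few bytes inside one routine, which is exactly what a tamper check can catch. The following Python is an added example, not the vendor's code and not from the original post. It transcribes the hex dump of 004EBB38..004EBB83 from the listing above as the reference image of the routine, records its SHA-256, and reports which virtual addresses differ when the loaded bytes no longer match. The golden hash is computed in place only so the script runs offline; a real check would ship it in signed data rather than next to the code it protects.

```python
# Added example, not code from the original post or from the vendor: detecting
# an in-place patch to a routine by comparing its loaded bytes against a
# recorded reference. REFERENCE is transcribed from the post's OllyDbg hex dump
# of 004EBB38..004EBB83; GOLDEN_SHA256 is derived from it here for illustration.
import hashlib

ROUTINE_BASE = 0x004EBB38

# One instruction per string, in listing order (the "Hex dump" column).
ROUTINE_HEX = (
    "53" "56" "8BF0" "837E0C00" "743B" "8B4608" "E89E9FF1FF" "50"
    "8B4648" "E8959FF1FF" "50" "6884BB4E00" "8B460C" "E8879FF1FF"
    "8BC8" "8B5620" "8B461C" "E8CAF8FFFF" "8BD8" "84DB" "750B" "8BC6"
    "E839FDFFFF" "EB02" "33DB" "8BC3" "5E" "5B" "C3"
)
REFERENCE = bytes.fromhex(ROUTINE_HEX)
GOLDEN_SHA256 = hashlib.sha256(REFERENCE).hexdigest()


def routine_hash(code: bytes) -> str:
    """SHA-256 of the routine's bytes, hex-encoded."""
    return hashlib.sha256(code).hexdigest()


def is_intact(code: bytes, expected: str = GOLDEN_SHA256) -> bool:
    """True when the loaded bytes hash to the recorded golden value."""
    return routine_hash(code) == expected


def changed_addresses(current: bytes, reference: bytes = REFERENCE,
                      base: int = ROUTINE_BASE) -> list:
    """Virtual addresses whose byte differs from the reference; a shorter or
    longer input reports the missing or extra positions as well."""
    out = []
    for i in range(max(len(current), len(reference))):
        cur = current[i] if i < len(current) else None
        ref = reference[i] if i < len(reference) else None
        if cur != ref:
            out.append(base + i)
    return out


def tamper_report(current: bytes) -> str:
    """Human-readable verdict suitable for a log line."""
    if is_intact(current):
        return "routine 004EBB38: intact"
    addrs = ", ".join(f"{a:08X}" for a in changed_addresses(current))
    return f"routine 004EBB38: MODIFIED at {addrs}"


if __name__ == "__main__":
    print(tamper_report(REFERENCE))
    # Constructed: overwrite one byte at the conditional jump the post discusses.
    modified = bytearray(REFERENCE)
    modified[0x004EBB40 - ROUTINE_BASE] = 0x00
    print(tamper_report(bytes(modified)))
```

A self-check like this lives inside the same binary it protects, so it raises the cost of a patch rather than preventing one; in practice it is combined with Authenticode signing of the executable and with license decisions made outside the client, where a debugger on the user's machine cannot reach them.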

Posted on 21 August 2013, in Uncategorized.
