Reverse Engineering tutorial (incomplete) – How to crack “youtube downloader pro 4.5”

First of all, I’ll not show all the steps you need to do in order to crack this software. The method is almost the same as the one I posted in the previous tutorial (wondershare software), although this one is a bit more complex.

You’ll need OllyDbg and ExeInfo PE or Lord PE to check if the program is packed or not. Here you have the ExeInfo PE download link: https://copy.com/UlsDm9ntQpnP

Open ExeInfo PE, load the ytd.exe file and you should see “Not packed , try disASM OllyDbg – http://www.ollydbg.de or  WD32dsm89.exe – http://www.exetools.com/disassemblers.htm”. That’s good news, although it is not always true! You should always double-check with Olly, so do it now. Did it? See? Olly didn’t detect anything either, so now we’re “almost” sure that the program is not packed. Let’s just run it and analyze how it behaves. The program should run without throwing any exception!

The first thing I checked was the “Help” menu. Clicking on “Help” you have one option saying “Your license” that launches a window where you’re prompted to enter a serial number. Hmm, maybe that’s not a good starting point. The other option I thought of is this: if you tick “Automatically convert To”, the program launches another window with the title “Youtube PRO benefits”. On the “Convert” tab you also have a sentence that refers to the PRO version of the program. So let’s just search in Olly for the places where those strings are used. Hit F7 (step into) until you get something like this:

——
772E21DC   EA 66252E77 3300 JMP FAR 0033:772E2566                    ; Far jump
——

(The addresses may be different on your system)

Keep hitting F7 and you’ll get to a point where something very interesting happens. You’ll find information similar to this in Olly’s info pane:

User32.ShowWindow
ShowState = SW_SHOW
hWnd “For multiple URLs go PRO”
ShowWindow

This code was executed after a CALL to a certain address, followed by a TEST AL,AL, followed by a JE. The CALL decides whether AL ends up as 0 or 1. If AL is 0 after the CALL, then TEST AL,AL (an AND of AL with itself) gives 0 as well, which sets ZF to 1, which in turn forces the JE to be taken and leads to the “bad guy” (the PRO nag window). Here is the code (with my addresses; remember that yours might be different):

CPU Disasm
Address     Hex dump          Command                     Comments
00BD96D7    E8 A4200000       CALL 00BDB780               ; Decide the value of AL
00BD96DC    84C0              TEST AL,AL                  ; Perform a logical AND (only sets the flags)
00BD96DE    0F84 19010000     JE 00BD97FD                 ; If AL = 0, then jump to 00BD97FD

All we have to do is patch the function starting at 00BDB780 so that it always returns 1 in AL. The function should look like this:

CPU Disasm
Address     Hex dump          Command
00BDB780    8B00              MOV EAX,DWORD PTR DS:[EAX]
00BDB782    8B50 F4           MOV EDX,DWORD PTR DS:[EAX-0C]
00BDB785    8D4A E0           LEA ECX,[EDX-20]
00BDB788    83F9 04           CMP ECX,4
00BDB78B    77 5F             JA SHORT 00BDB7EC
00BDB78D    56                PUSH ESI
00BDB78E    33C9              XOR ECX,ECX
00BDB790    57                PUSH EDI
00BDB791    85D2              TEST EDX,EDX
00BDB793    7E 43             JLE SHORT 00BDB7D8
00BDB795    8BF0              MOV ESI,EAX
00BDB797    85C9              TEST ECX,ECX
00BDB799    7C 47             JL SHORT 00BDB7E2
00BDB79B    3BCA              CMP ECX,EDX
00BDB79D    7F 43             JG SHORT 00BDB7E2
00BDB79F    0FB706            MOVZX EAX,WORD PTR DS:[ESI]
00BDB7A2    66:83F8 30        CMP AX,30
00BDB7A6    72 06             JB SHORT 00BDB7AE
00BDB7A8    66:83F8 39        CMP AX,39
00BDB7AC    76 22             JBE SHORT 00BDB7D0
00BDB7AE    66:83F8 41        CMP AX,41
00BDB7B2    72 06             JB SHORT 00BDB7BA
00BDB7B4    66:83F8 46        CMP AX,46
00BDB7B8    76 16             JBE SHORT 00BDB7D0
00BDB7BA    66:83F8 61        CMP AX,61
00BDB7BE    72 06             JB SHORT 00BDB7C6
00BDB7C0    66:83F8 66        CMP AX,66
00BDB7C4    76 0A             JBE SHORT 00BDB7D0
00BDB7C6    BF 2D000000       MOV EDI,2D
00BDB7CB    66:3BF8           CMP DI,AX
00BDB7CE    75 0D             JNE SHORT 00BDB7DD
00BDB7D0    41                INC ECX
00BDB7D1    83C6 02           ADD ESI,2
00BDB7D4    3BCA              CMP ECX,EDX
00BDB7D6  ^ 7C BF             JL SHORT 00BDB797
00BDB7D8    5F                POP EDI
00BDB7D9    B0 01             MOV AL,1
00BDB7DB    5E                POP ESI
00BDB7DC    C3                RETN
00BDB7DD    5F                POP EDI
00BDB7DE    32C0              XOR AL,AL
00BDB7E0    5E                POP ESI
00BDB7E1    C3                RETN
00BDB7E2    68 57000780       PUSH 80070057
00BDB7E7    E8 04A8F7FF       CALL 00B55FF0
00BDB7EC    32C0              XOR AL,AL
00BDB7EE    C3                RETN

And now we know why AL is being set to 0. The JA at 00BDB78B is taken and jumps straight to 00BDB7EC (XOR AL,AL). Each result bit of an XOR is 1 only where the two input bits differ. For example:

01001010
10101001
————
11100011

Since XOR AL,AL combines AL with itself, every pair of bits is identical and the result can never be anything but 0. We can force the function to return 1 just by replacing that XOR with a MOV (mov al,1 for example). Don’t forget to also patch the XOR AL,AL at 00BDB7DE. Copy the changes to the exe and run the program. The PRO version is now working great! 🙂
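To make the listing above easier to follow, here is an added line-by-line reconstruction of the routine at 00BDB780 in Python. It is not code from the original post or from the program; it is a model of the disassembled control flow, with each branch annotated with the address it corresponds to. One assumption is not stated in the listing: the first dword at EAX points to a UTF-16 buffer and the dword at buffer-0C holds the character count (the concrete string class is not identified). The model returns both the value the function would leave in AL and the address of the RETN it reaches, so every outcome can be matched back to the disassembly. Note that this routine only decides whether the text has the shape of a serial (0x20 to 0x24 UTF-16 units, each a hex digit or a dash); it says nothing about whether a serial is valid, which is why an empty input takes the JA at 00BDB78B and lands on the XOR AL,AL at 00BDB7EC.

```python
"""Added reconstruction of the routine at 00BDB780 (not from the original post).

Assumption (not in the listing): the routine receives a pointer to a UTF-16
string object whose character count is stored at buffer-0x0C.
"""
from typing import Tuple

E_INVALIDARG = 0x80070057  # HRESULT pushed at 00BDB7E2 before the CALL at 00BDB7E7


def serial_format_check(serial: str) -> Tuple[bool, int]:
    """Model the decision made at 00BDB780.

    Returns (AL, exit_address): AL as the routine would leave it (True for 1,
    False for 0) and the address of the RETN that is reached.
    """
    units = serial.encode("utf-16-le")      # the buffer is walked in 2-byte steps (ADD ESI,2)
    edx = len(units) // 2                   # 00BDB782  MOV EDX,[EAX-0C]: character count
    ecx = (edx - 0x20) & 0xFFFFFFFF         # 00BDB785  LEA ECX,[EDX-20]
    if ecx > 4:                             # 00BDB788  CMP ECX,4 / JA (unsigned compare)
        return False, 0x00BDB7EC            #           XOR AL,AL ; RETN  (path seen in the post)

    ecx = 0                                 # 00BDB78E  XOR ECX,ECX: index into the string
    if edx <= 0:                            # 00BDB791  TEST EDX,EDX / JLE (signed compare)
        return True, 0x00BDB7D8             #           unreachable once edx is in 0x20..0x24

    while True:                             # loop head at 00BDB797
        if ecx < 0 or ecx > edx:            # 00BDB797..00BDB79D  JL / JG to 00BDB7E2
            # PUSH 80070057 ; CALL 00B55FF0: out-of-range index raises an error.
            # Not reachable from this entry point; kept to mirror the listing.
            raise OSError(E_INVALIDARG, "index out of range")
        ax = int.from_bytes(units[2 * ecx:2 * ecx + 2], "little")  # 00BDB79F MOVZX EAX,WORD PTR [ESI]
        accepted = (
            0x30 <= ax <= 0x39              # '0'..'9'   00BDB7A2..00BDB7AC
            or 0x41 <= ax <= 0x46           # 'A'..'F'   00BDB7AE..00BDB7B8
            or 0x61 <= ax <= 0x66           # 'a'..'f'   00BDB7BA..00BDB7C4
            or ax == 0x2D                   # '-'        00BDB7C6..00BDB7CE
        )
        if not accepted:
            return False, 0x00BDB7DD        # POP EDI ; XOR AL,AL ; POP ESI ; RETN
        ecx += 1                            # 00BDB7D0  INC ECX ; ADD ESI,2
        if ecx >= edx:                      # 00BDB7D4  CMP ECX,EDX / JL 00BDB797
            return True, 0x00BDB7D8         # POP EDI ; MOV AL,1 ; POP ESI ; RETN


if __name__ == "__main__":
    # Constructed sample inputs; none of these is a real serial.
    samples = [
        "",                                     # empty input: length check fails
        "0123456789ABCDEF-0123456789abcdef",    # 33 units, all hex digits or dashes
        "0123456789ABCDEF-0123456789abcdeg",    # 'g' (0x67) is rejected by the loop
        "0" * 37,                               # one unit too long
    ]
    for s in samples:
        al, exit_at = serial_format_check(s)
        print(f"{s!r:40} -> AL={int(al)} via RETN at {exit_at:08X}")
```

Walking the three exits next to the listing shows why the post says both XOR AL,AL instructions have to be patched: 00BDB7EC is reached when the length window fails, 00BDB7DD when a character outside the accepted set is found, and only 00BDB7D8 sets AL to 1.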


Posted on 21 August 2013, in Uncategorized.
