Reverse Engineering tutorial (incomplete) – How to crack “youtube downloader pro 4.5”
First of all, I won’t show all the steps you need to crack this software. The method is almost the same as the one I posted in the previous tutorial (Wondershare software), although this one is a bit more complex.
You’ll need OllyDbg and ExeInfo PE or Lord PE to check if the program is packed or not. Here you have the ExeInfo PE download link: https://copy.com/UlsDm9ntQpnP
Open the program, load the ytd.exe file and you should see “Not packed , try disASM OllyDbg – http://www.ollydbg.de or WD32dsm89.exe – http://www.exetools.com/disassemblers.htm”. That’s good news, although this is not always true! You should always check with Olly, so do it now. Did it? See? Olly didn’t detect anything, so now we’re “almost” sure that the program is not packed. Let’s just run it and analyze how it behaves. The program should run without throwing any exception!
The first thing I checked was the “Help” menu. Clicking on “Help” gives you an option called “Your license” that launches a window where you’re prompted to enter a serial number. Hum, maybe that’s not a good option. The other option I thought of: if you tick “Automatically convert To”, the program launches another window with the title “Youtube PRO benefits”. On the “Convert” tab there is also a sentence that refers to the PRO version of the program. So let’s just search in Olly for where those strings are being referenced. Hit F7 until you get something like this:
——
772E21DC EA 66252E77 3300 JMP FAR 0033:772E2566 ; Far jump
——
(The addresses may be different on your system)
Keep hitting F7 and you’ll get to a point where something very interesting is gonna happen. You’ll find information similar to this:
User32.ShowWindow
ShowState = SW_SHOW
hWnd “For multiple URLs go PRO”
ShowWindow
This code was executed after a CALL to a certain address, followed by a TEST AL, AL, followed by a JE. The CALL decides whether the value of AL is 0 or 1. TEST AL, AL performs a logical AND of AL with itself and only updates the flags. If AL is 0 after the CALL, the result of TEST AL, AL is also 0, which means that ZF is set to 1, so the JE is taken and leads to the bad guy. Here is the code (with my addresses; remember that yours might be different):
CPU Disasm
Address Hex dump Command Comments
00BD96D7 E8 A4200000 CALL 00BDB780 ; Decide the value of AL
00BD96DC 84C0 TEST AL,AL ; Perform a logical AND
00BD96DE 0F84 19010000 JE 00BD97FD ; If AL = 0, then jump to 00BD97FD
All we have to do is patch the function starting at 00BDB780 so that it returns 1 in AL. The function should look like this:
CPU Disasm
Address Hex dump Command Comments
00BDB780 8B00 MOV EAX,DWORD PTR DS:[EAX]
00BDB782 8B50 F4 MOV EDX,DWORD PTR DS:[EAX-0C]
00BDB785 8D4A E0 LEA ECX,[EDX-20]
00BDB788 83F9 04 CMP ECX,4
00BDB78B 77 5F JA SHORT 00BDB7EC
00BDB78D 56 PUSH ESI
00BDB78E 33C9 XOR ECX,ECX
00BDB790 57 PUSH EDI
00BDB791 85D2 TEST EDX,EDX
00BDB793 7E 43 JLE SHORT 00BDB7D8
00BDB795 8BF0 MOV ESI,EAX
00BDB797 85C9 TEST ECX,ECX
00BDB799 7C 47 JL SHORT 00BDB7E2
00BDB79B 3BCA CMP ECX,EDX
00BDB79D 7F 43 JG SHORT 00BDB7E2
00BDB79F 0FB706 MOVZX EAX,WORD PTR DS:[ESI]
00BDB7A2 66:83F8 30 CMP AX,30
00BDB7A6 72 06 JB SHORT 00BDB7AE
00BDB7A8 66:83F8 39 CMP AX,39
00BDB7AC 76 22 JBE SHORT 00BDB7D0
00BDB7AE 66:83F8 41 CMP AX,41
00BDB7B2 72 06 JB SHORT 00BDB7BA
00BDB7B4 66:83F8 46 CMP AX,46
00BDB7B8 76 16 JBE SHORT 00BDB7D0
00BDB7BA 66:83F8 61 CMP AX,61
00BDB7BE 72 06 JB SHORT 00BDB7C6
00BDB7C0 66:83F8 66 CMP AX,66
00BDB7C4 76 0A JBE SHORT 00BDB7D0
00BDB7C6 BF 2D000000 MOV EDI,2D
00BDB7CB 66:3BF8 CMP DI,AX
00BDB7CE 75 0D JNE SHORT 00BDB7DD
00BDB7D0 41 INC ECX
00BDB7D1 83C6 02 ADD ESI,2
00BDB7D4 3BCA CMP ECX,EDX
00BDB7D6 ^ 7C BF JL SHORT 00BDB797
00BDB7D8 5F POP EDI
00BDB7D9 B0 01 MOV AL,1
00BDB7DB 5E POP ESI
00BDB7DC C3 RETN
00BDB7DD 5F POP EDI
00BDB7DE 32C0 XOR AL,AL
00BDB7E0 5E POP ESI
00BDB7E1 C3 RETN
00BDB7E2 68 57000780 PUSH 80070057
00BDB7E7 E8 04A8F7FF CALL 00B55FF0
00BDB7EC 32C0 XOR AL,AL
00BDB7EE C3 RETN
And now we know why AL is being set to 0. The JA at 00BDB78B is taken and jumps straight to 00BDB7EC (XOR AL,AL). XOR produces a 1 bit only where the two input bits are different. For example:
01001010
10101001
————
11100011
With this, XOR AL,AL can never be 1: every bit is XORed with itself, so the result is always 0. We can force the function to return 1 just by editing that XOR into a MOV (mov al,1 for example). Don’t forget to also patch 00BDB7DE. Copy that to the exe and run the program. The PRO version is now working great! 🙂
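The flag behaviour behind the TEST AL,AL / JE and XOR AL,AL reasoning above, modelled in C. This is an added example, not code from the original post or from the program; the type and function names are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical model of the x86 flags affected by 8-bit TEST and XOR. */
typedef struct { int zf, sf, pf; } flags8;

/* ZF, SF and PF are derived from the result; CF and OF are cleared. */
static flags8 flags_from(uint8_t r) {
    flags8 f = { r == 0, (r >> 7) & 1, 1 };
    for (uint8_t b = r; b; b &= (uint8_t)(b - 1))
        f.pf ^= 1;               /* PF = 1 when the number of set bits is even */
    return f;
}

/* TEST a,b: computes a AND b for the flags only, operands unchanged. */
flags8 test8(uint8_t a, uint8_t b) { return flags_from(a & b); }

/* XOR dst,src: stores dst XOR src in dst and sets the flags from it. */
flags8 xor8(uint8_t *dst, uint8_t src) { *dst ^= src; return flags_from(*dst); }

/* JE/JZ is taken when ZF = 1. */
int je_taken(flags8 f) { return f.zf; }

/* The call-site pattern TEST AL,AL / JE for a given return value in AL. */
int branch_after_check(uint8_t al) { return je_taken(test8(al, al)); }

/* XOR AL,AL for every possible AL: counts results that are not zero. */
int xor_self_nonzero_count(void) {
    int n = 0;
    for (int v = 0; v < 256; v++) {
        uint8_t al = (uint8_t)v;
        flags8 f = xor8(&al, al);
        if (al != 0 || !f.zf) n++;
    }
    return n;
}

int main(void) {
    uint8_t x = 0x4A;                    /* 01001010, the post's example */
    xor8(&x, 0xA9);                      /* 10101001 */
    printf("0x4A XOR 0xA9 = 0x%02X\n", x);
    printf("AL=0 -> JE taken: %d\n", branch_after_check(0));
    printf("AL=1 -> JE taken: %d\n", branch_after_check(1));
    printf("nonzero XOR AL,AL results: %d\n", xor_self_nonzero_count());
    return 0;
}
```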