Cracking_PDF_2_Html_v1.6_By_Pompeyfan.txt

*************************************************************************************************TITLE:
Cracking tutorial for PDF2HTML v1.6 
*************************************************************************************************
BEST VIEWED:
Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED:
Ollydbg v1.09d
*************************************************************************************************TARGET:
pdf2html.exe
*************************************************************************************************LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d http://www.grinders.withernsea.com/tools/Ollydbg/odbg109d.rar
PDF2HTML v1.6 http://www.grinders.withernsea.com/tools/pdf2htm.rar
*************************************************************************************************
CONTACT INFORMATION:
vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN:
15/03/2004
*************************************************************************************************
AUTHOR:
Pompeyfan
*************************************************************************************************

Okay,lets attack our target, open Olly, and if you haven't done so already, to make things easier for yourself, right click, select appearance/highlighting/jumps'n'calls, makes things so much easier to follow.

Open pdf2html.exe in Olly, and you land here:

00479BC2 >/$ 55             PUSH EBP

Press F9 run

Up comes PDF2HTML with a dialogue box, enter your email and fake serial number, I used pompeyfan@pompeyfan.com.au and all 7's, and then hit okay, and of course we guessed wrong, we get the message ""Series number error, bla, bla bla", click once on CPU screen, then F12 (pause), then Alt & K to bring up the call stack screen, and you get:

Call stack of main thread
Address    Stack      Procedure / arguments                 Called from                   Frame
0012DC30   77D43C53   Includes 7FFE0304                     USER32.77D43C51               0012DC64
0012DC34   77D4B3F2   USER32.WaitMessage                    USER32.77D4B3ED               0012DC64
0012DC68   77D4D9A0   USER32.77D4B265                       USER32.77D4D99B               0012DC64
0012DC90   77D6AE8E   USER32.77D4D8EC                       USER32.77D6AE89               0012DC8C
0012DF48   77D6A911   ? USER32.SoftModalMessageBox          USER32.77D6A90C               0012DED0
0012E090   77D6AFD5   ? USER32.77D6A7D7                     USER32.77D6AFD0               0012E018
0012E0E8   77D6B0BD   USER32.MessageBoxTimeoutW             USER32.77D6B0B8               0012E0E4
0012E11C   77D6B04A   ? USER32.MessageBoxTimeoutA           USER32.77D6B045               0012E118
0012E13C   77D6B02E   ? USER32.MessageBoxExA                USER32.77D6B029               0012E138
0012E140   000B0198     hOwner = 000B0198 ('Please registe
0012E144   004DB07C     Text = "Series number error, pleas
0012E148   00000000     Title = NULL
0012E14C   00000010     Style = MB_OK|MB_ICONHAND|MB_APPLM
0012E150   00000000     LanguageID = 0 (LANG_NEUTRAL)
0012E154   0043C24E   ? USER32.MessageBoxA                  pdf2html.0043C248
0012E158   000B0198     hOwner = 000B0198 ('Please registe
0012E15C   004DB07C     Text = "Series number error, pleas
0012E160   00000000     Title = NULL
0012E164   00000010     Style = MB_OK|MB_ICONHAND|MB_APPLM

Okay, you can see from this that the dialogue box is called from pdf2html.0043C248

So, restart the program in Olly (Ctrl & F2), then Right click/Go to expression and enter 0043C248, which is where the error message is called from, scroll up a bit, and let us have a look at the section of code as follows:

0043C217   . E8 EBF5FFFF    CALL pdf2html.0043B807                   ; \pdf2html.0043B807
0043C21C   . 83C4 04        ADD ESP,4
0043C21F   . 85C0           TEST EAX,EAX
0043C221   . 74 18          JE SHORT pdf2html.0043C23B
0043C223   . 6A 40          PUSH 40                                  ; /Style = MB_OK|MB_ICONASTERISK|MB_APPLMODAL
0043C225   . 68 40B04D00    PUSH pdf2html.004DB040                   ; |Title = "Thank you registered"
0043C22A   . 68 58B04D00    PUSH pdf2html.004DB058                   ; |Text = "Thank you registered pdf2html v1.6."
0043C22F   . 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]             ; |
0043C232   . 51             PUSH ECX                                 ; |hOwner
0043C233   . FF15 1C554A00  CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA
0043C239   . EB 30          JMP SHORT pdf2html.0043C26B
0043C23B   > 6A 10          PUSH 10                                  ; /Style = MB_OK|MB_ICONHAND|MB_APPLMODAL
0043C23D   . 6A 00          PUSH 0                                   ; |Title = NULL
0043C23F   . 68 7CB04D00    PUSH pdf2html.004DB07C                   ; |Text = "Series number error, please check it and try again."

Okay, at the start of this section of code above, you can see a call, followed by an Add ESP,4 and a TEST, then a conditional jump, which decides whether you get the good boy or bad boy message. 

You will find if you reverse the conditional jump that you will get a good boy message, but on opening the program next time you will be asked to register again, of course we have to patch it at the deepest level possible, so lets go inside the call at 0043C217, we want it to return a value for EAX which isn't zero, then it wont jump, so Right click/GO to/Expression and enter 0043B807, and you are here:

0043B807  /$ 55             PUSH EBP
0043B808  |. 8BEC           MOV EBP,ESP
0043B80A  |. 83EC 3C        SUB ESP,3C
0043B80D  |. 56             PUSH ESI
0043B80E  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0043B811  |. 8A08           MOV CL,BYTE PTR DS:[EAX]
0043B813  |. 884D F4        MOV BYTE PTR SS:[EBP-C],CL
0043B816  |. C645 F5 00     MOV BYTE PTR SS:[EBP-B],0
0043B81A  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
0043B81D  |. 8A42 01        MOV AL,BYTE PTR DS:[EDX+1]
0043B820  |. 8845 E8        MOV BYTE PTR SS:[EBP-18],AL
0043B823  |. C645 E9 00     MOV BYTE PTR SS:[EBP-17],0
0043B827  |. 8B4D 08        MOV ECX,DWORD PTR SS:[EBP+8]
0043B82A  |. 8A51 0E        MOV DL,BYTE PTR DS:[ECX+E]
0043B82D  |. 8855 DC        MOV BYTE PTR SS:[EBP-24],DL
0043B830  |. C645 DD 00     MOV BYTE PTR SS:[EBP-23],0
0043B834  |. 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0043B837  |. 8A48 0F        MOV CL,BYTE PTR DS:[EAX+F]
0043B83A  |. 884D D0        MOV BYTE PTR SS:[EBP-30],CL
0043B83D  |. C645 D1 00     MOV BYTE PTR SS:[EBP-2F],0
0043B841  |. 8B55 08        MOV EDX,DWORD PTR SS:[EBP+8]
0043B844  |. 8A42 02        MOV AL,BYTE PTR DS:[EDX+2]
0043B847  |. 8845 C4        MOV BYTE PTR SS:[EBP-3C],AL
0043B84A  |. C645 C5 00     MOV BYTE PTR SS:[EBP-3B],0
0043B84E  |. 0FBE4D C4      MOVSX ECX,BYTE PTR SS:[EBP-3C]
0043B852  |. 83F9 24        CMP ECX,24
0043B855  |. 74 04          JE SHORT pdf2html.0043B85B
0043B857  |. 33C0           XOR EAX,EAX
0043B859  |. EB 67          JMP SHORT pdf2html.0043B8C2
0043B85B  |> 8D55 F4        LEA EDX,DWORD PTR SS:[EBP-C]
0043B85E  |. 52             PUSH EDX
0043B85F  |. E8 2CB40300    CALL pdf2html.00476C90
0043B864  |. 83C4 04        ADD ESP,4
0043B867  |. 8BF0           MOV ESI,EAX
0043B869  |. 8D45 D0        LEA EAX,DWORD PTR SS:[EBP-30]
0043B86C  |. 50             PUSH EAX
0043B86D  |. E8 1EB40300    CALL pdf2html.00476C90
0043B872  |. 83C4 04        ADD ESP,4
0043B875  |. 03F0           ADD ESI,EAX
0043B877  |. 83FE 0A        CMP ESI,0A
0043B87A  |. 75 23          JNZ SHORT pdf2html.0043B89F
0043B87C  |. 8D4D E8        LEA ECX,DWORD PTR SS:[EBP-18]
0043B87F  |. 51             PUSH ECX
0043B880  |. E8 0BB40300    CALL pdf2html.00476C90
0043B885  |. 83C4 04        ADD ESP,4
0043B888  |. 8BF0           MOV ESI,EAX
0043B88A  |. 8D55 DC        LEA EDX,DWORD PTR SS:[EBP-24]
0043B88D  |. 52             PUSH EDX
0043B88E  |. E8 FDB30300    CALL pdf2html.00476C90
0043B893  |. 83C4 04        ADD ESP,4
0043B896  |. 03F0           ADD ESI,EAX
0043B898  |. 83FE 0A        CMP ESI,0A
0043B89B  |. 75 02          JNZ SHORT pdf2html.0043B89F
0043B89D  |. EB 04          JMP SHORT pdf2html.0043B8A3
0043B89F  |> 33C0           XOR EAX,EAX
0043B8A1  |. EB 1F          JMP SHORT pdf2html.0043B8C2
0043B8A3  |> 8B45 08        MOV EAX,DWORD PTR SS:[EBP+8]
0043B8A6  |. 8A48 03        MOV CL,BYTE PTR DS:[EAX+3]
0043B8A9  |. 884D C4        MOV BYTE PTR SS:[EBP-3C],CL
0043B8AC  |. C645 C5 00     MOV BYTE PTR SS:[EBP-3B],0
0043B8B0  |. 0FBE55 C4      MOVSX EDX,BYTE PTR SS:[EBP-3C]
0043B8B4  |. 83FA 2F        CMP EDX,2F
0043B8B7  |. 74 04          JE SHORT pdf2html.0043B8BD
0043B8B9  |. 33C0           XOR EAX,EAX
0043B8BB  |. EB 05          JMP SHORT pdf2html.0043B8C2
0043B8BD  |> B8 01000000    MOV EAX,1
0043B8C2  |> 5E             POP ESI
0043B8C3  |. 8BE5           MOV ESP,EBP
0043B8C5  |. 5D             POP EBP
0043B8C6  \. C3             RETN

This is somewhat longer code than the other routines for other software I have cracked by this author, but actually it looks pretty easy to patch, now think about it for a moment, we want EAX to return a value other than zero once it returns from this call, and right near the end at 0043B8BD it actually moves EAX=1, so we have to ensure it gets to this line, and not jump past it, noting that you have 3 instances in the code above that have an XOR EAX,EAX followed by a jump to 0043B8C2, which will obviously return from the call with EAX=0.

So what if we patch the just before the first XOR EAX,EAX, that is line 0043B855, change JE SHORT pdf2html.0043B85B to JMP SHORT pdf2html.0043B8BD, that way it will then move EAX=1 and return with this value.

So left cl...