Legion2000 Security Research iqlord writes: Hi there buddy! Have you ever wondered how those mysterious cracks are made? Well, I am going to give you a very simple demonstration... There has been some talk about VMware the last few days, so why break the trend? Let's take it to the next level! I'll give you a little tutorial in cracking. So today's gonna-be-cracked winner is ....... VMware 4.0! (congratulations!)

You can download and try VMware for free for 30 days. All you have to do is give them an email address, so that they can send you a serial number that will work for exactly 30 days. So if you feel like using VMware for longer than 30 days you are going to have to either buy the software or crack it. I chose the second alternative. I'd rather spend my money on alcohol!

Humm ... crack the software you say ... Well, this can be done in many different ways... You could break out a working serial, skip the serial check, or ignore the date lookup check... and so on. This crack will simply ignore the date lookup routine. But we will need a working serial of some kind, and luckily the VMware software crew gave us a 30 day trial serial for free. How nice of them! I received this s/n: 60539-EKC1L-9GJ86-431UW It should work for you, too!

Below you will see some of the disassembled VMware code. This is from the file vmware-vmx.exe located in the BIN directory.
This is the original code:
---------------------------------------------------------------------------
:004A0F2F 8B7D10           mov edi, dword ptr [ebp+10]
:004A0F32 8D4DE8           lea ecx, dword ptr [ebp-18]
:004A0F35 C60701           mov byte ptr [edi], 01
:004A0F38 8B86F0010000     mov eax, dword ptr [esi+000001F0]
:004A0F3E C1E002           shl eax, 02
:004A0F41 50               push eax
:004A0F42 51               push ecx
:004A0F43 E8A8BEFFFF       call 0049CDF0
:004A0F48 8B4DE8           mov ecx, dword ptr [ebp-18]
:004A0F4B 8D4704           lea eax, dword ptr [edi+04]
:004A0F4E 8BD0             mov edx, eax
:004A0F50 50               push eax
:004A0F51 890A             mov dword ptr [edx], ecx
:004A0F53 8B4DEC           mov ecx, dword ptr [ebp-14]
:004A0F56 894A04           mov dword ptr [edx+04], ecx
:004A0F59 8B4DF0           mov ecx, dword ptr [ebp-10]
:004A0F5C 894A08           mov dword ptr [edx+08], ecx
:004A0F5F E85CBFFFFF       call 0049CEC0                    <-- don't answer this call!
:004A0F64 83C40C           add esp, 0000000C
:004A0F67 894710           mov dword ptr [edi+10], eax
:004A0F6A B801000000       mov eax, 00000001
:004A0F6F 5F               pop edi
:004A0F70 5E               pop esi
:004A0F71 5B               pop ebx
:004A0F72 8BE5             mov esp, ebp
:004A0F74 5D               pop ebp
:004A0F75 C3               ret
---------------------------------------------------------------------------

The call to 0049CEC0 would have taken us up in the code, to the following place. This is the date lookup routine that we don't want VMware to use:
---------------------------------------------------------------------------
:0049CEC0 55               push ebp                         <-- we would have landed here!
:0049CEC1 8BEC             mov ebp, esp
:0049CEC3 83EC1C           sub esp, 0000001C
:0049CEC6 53               push ebx
:0049CEC7 56               push esi
:0049CEC8 8D45E4           lea eax, dword ptr [ebp-1C]
:0049CECB 57               push edi
:0049CECC 50               push eax

* Reference To: KERNEL32.GetLocalTime, Ord:015Ch
                                  |
:0049CECD FF15D4A04E00     Call dword ptr [004EA0D4]
:0049CED3 8B45E4           mov eax, dword ptr [ebp-1C]
:0049CED6 8B55E6           mov edx, dword ptr [ebp-1A]
:0049CED9 8B7DEA           mov edi, dword ptr [ebp-16]
:0049CEDC 8B7508           mov esi, dword ptr [ebp+08]
:0049CEDF 25FFFF0000       and eax, 0000FFFF
:0049CEE4 81E2FFFF0000     and edx, 0000FFFF
:0049CEEA 81E7FFFF0000     and edi, 0000FFFF
:0049CEF0 8945F4           mov dword ptr [ebp-0C], eax
:0049CEF3 8955F8           mov dword ptr [ebp-08], edx
:0049CEF6 897DFC           mov dword ptr [ebp-04], edi
:0049CEF9 33DB             xor ebx, ebx
:0049CEFB EB09             jmp 0049CF06
---------------------------------------------------------------------------

This is the cracked code (where we modify the call to the date lookup routine):
---------------------------------------------------------------------------
:004A0F2F 8B7D10           mov edi, dword ptr [ebp+10]
:004A0F32 8D4DE8           lea ecx, dword ptr [ebp-18]
:004A0F35 C60701           mov byte ptr [edi], 01
:004A0F38 8B86F0010000     mov eax, dword ptr [esi+000001F0]
:004A0F3E C1E002           shl eax, 02
:004A0F41 50               push eax
:004A0F42 51               push ecx
:004A0F43 E8A8BEFFFF       call 0049CDF0
:004A0F48 8B4DE8           mov ecx, dword ptr [ebp-18]
:004A0F4B 8D4704           lea eax, dword ptr [edi+04]
:004A0F4E 8BD0             mov edx, eax
:004A0F50 50               push eax
:004A0F51 890A             mov dword ptr [edx], ecx
:004A0F53 8B4DEC           mov ecx, dword ptr [ebp-14]
:004A0F56 894A04           mov dword ptr [edx+04], ecx
:004A0F59 8B4DF0           mov ecx, dword ptr [ebp-10]
:004A0F5C 894A08           mov dword ptr [edx+08], ecx
:004A0F5F 40               inc eax                          <-- we simply replace
:004A0F60 48               dec eax                          <-- the call with some
:004A0F61 40               inc eax                          <-- harmless instructions
:004A0F62 48               dec eax                          <-- like inc, dec and
:004A0F63 90               nop                              <-- of course nop!
:004A0F64 83C40C           add esp, 0000000C
:004A0F67 894710           mov dword ptr [edi+10], eax
:004A0F6A B801000000       mov eax, 00000001
:004A0F6F 5F               pop edi
:004A0F70 5E               pop esi
:004A0F71 5B               pop ebx
:004A0F72 8BE5             mov esp, ebp
:004A0F74 5D               pop ebp
:004A0F75 C3               ret
---------------------------------------------------------------------------

So what just happened? Hey you! Wake up, and try to focus!!! Well, do you remember this line of code from the original part:

:004A0F5F E85CBFFFFF       call 0049CEC0                    <-- don't answer this call!

That's the line of code we modified! We simply replaced 5 bytes of code with 5 other bytes of code. Take a look at that line of code again, and look for "E85CBFFFFF". Notice that it contains 10 characters. That's because 1 byte of code is written as 2 hex digits. For example 'E8' is 1 byte, and 'E85C' is 2 bytes. Now... we replaced:

  E8 with 40
  5C with 48
  BF with 40
  FF with 48
  FF with 90

40 will increase the EAX register and 48 will decrease the EAX register. Increasing and decreasing like this will simply do this to the EAX register:

  EAX = EAX + 1
  EAX = EAX - 1
  EAX = EAX + 1
  EAX = EAX - 1

And this will result in... nothing! (exactly what we want). The last byte we replaced was 'FF', and we replaced it with 90. 90 is the NOP instruction, and NOP stands for No Operation. It is great to replace code with, because it doesn't do anything. Now... we could have replaced all the bytes with NOP! But then I wouldn't have got the opportunity to give you a lesson in basic assembler. (sneaky!) The only thing that is left to do is to create a patch and send it away to family and friends. They will be so proud of you... errhum!
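The E8 instruction being overwritten above is a near relative call: the four bytes after the opcode are a signed 32-bit displacement from the address of the next instruction, which is how 5C BF FF FF at 004A0F5F reaches 0049CEC0. The following Python is an added example, not part of iqlord's post or of VMware's code. It decodes that displacement to confirm the target from the listing, and it shows the check a defender or build engineer would run over a shipped binary: compare the bytes at a known call site against their known-good values, so a substitution like the inc/dec/nop sequence is reported rather than silently accepted. The addresses and bytes are copied from the listings in the post; the `call_site_intact`, `diff_region` and `report` helpers and their names are this example's own.

```python
import struct

# Values taken from the listings in the post (virtual addresses and bytes).
CALL_ADDRESS = 0x004A0F5F
CALL_TARGET = 0x0049CEC0
ORIGINAL_BYTES = bytes.fromhex("E85CBFFFFF")            # call 0049CEC0
PATCHED_BYTES = bytes([0x40, 0x48, 0x40, 0x48, 0x90])   # inc/dec/inc/dec/nop


def decode_rel_call(address, code):
    """Decode a 5-byte near relative CALL (opcode E8, rel32) located at `address`.

    rel32 is a signed 32-bit little-endian displacement measured from the
    address of the *next* instruction (address + 5). Returns the absolute
    target wrapped to 32 bits, or raises ValueError if `code` is not E8 rel32.
    """
    if len(code) < 5 or code[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    (rel32,) = struct.unpack("<i", code[1:5])
    return (address + 5 + rel32) & 0xFFFFFFFF


def call_site_intact(address, actual, expected_target):
    """True if the bytes at a call site still encode a call to expected_target."""
    try:
        return decode_rel_call(address, actual) == expected_target
    except ValueError:
        return False


def diff_region(expected, actual):
    """Byte-for-byte comparison of a code region against its known-good copy.

    Returns a list of (offset, expected_byte, actual_byte) tuples for each
    byte that differs; an empty list means the region is unmodified.
    """
    if len(expected) != len(actual):
        raise ValueError("regions differ in length")
    return [(i, e, a) for i, (e, a) in enumerate(zip(expected, actual)) if e != a]


def report(address, expected, actual, expected_target):
    """One-line verdict for a call site, listing every changed byte."""
    if call_site_intact(address, actual, expected_target):
        return f"{address:08X}: call {expected_target:08X} intact"
    changes = ", ".join(
        f"+{off}: {e:02X}->{a:02X}" for off, e, a in diff_region(expected, actual)
    )
    return f"{address:08X}: call site modified ({changes})"


if __name__ == "__main__":
    # Confirm the displacement arithmetic behind "call 0049CEC0".
    target = decode_rel_call(CALL_ADDRESS, ORIGINAL_BYTES)
    print(f"E8 5C BF FF FF at {CALL_ADDRESS:08X} -> call {target:08X}")
    # An untouched binary passes; the five substituted bytes are flagged.
    print(report(CALL_ADDRESS, ORIGINAL_BYTES, ORIGINAL_BYTES, CALL_TARGET))
    print(report(CALL_ADDRESS, ORIGINAL_BYTES, PATCHED_BYTES, CALL_TARGET))
```

The same decoder applies to the other call in the listing: E8 A8 BE FF FF at 004A0F43 resolves to 0049CDF0, matching the disassembler's output. In a real integrity check the `expected` bytes would come from a signed reference build or a stored hash of the code section rather than from a hand-typed constant.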
This is part of a possible patch (the one I wrote is very similar):
---------------------------------------------------------------------------
; VMware Workstation
; vmware 4.0.0 build-4460 (vmui)
; By iqlord | Legion2000 | Addict
;
; File to patch = vmware-vmx (executable)
; Patch length = 5 bytes (decimal)
; Starting offset = 659295 (decimal)
;
; 64  -> INC EAX
; 72  -> DEC EAX
; 144 -> NOP

vmware4 db 64,72,64,72,144

; End of patch!
---------------------------------------------------------------------------

I think that wraps up the whole thing pretty well! Enjoy!

/iqlord | Legion2000 Security Research