
Thread: Newbie trying to learn. Think my project may be a little too advanced.

  1. #1
    Michael_J
    Guest

    Newbie trying to learn. Think my project may be a little too advanced.

    Hey

    Firstly, I would like to say I have been reading up on this for a bit now. I understand how most serial numbers work, and how to crack them. I am using OllyDbg, and am finding it nice to work with.

    I am trying to crack an application which requires a keyfile. There is a file already on my system called KeyInstaller.exe which was installed with the application I'm trying to crack.

    The KeyInstaller.exe file has these text strings:

    Keyfile Installer
    Keyfile has been installed!
    Keyfile Instaler
    Keyfile Installer
    Invalid argument given

    As far as I can tell, the application loads and checks to see if KeyInstaller is there; if it is, then it loads into Demo mode. If it's not, it installs it.

    So I have been trying to understand how the KeyInstaller works.

    I know when you buy the software, you are sent a small file, which is placed in the same folder as the main application, which then gives you an option to type in the following:

    Username
    User Email

    It then gives you a serial, to email to the developers, who send you a code to unlock the application.

    I can't find any information within the application about the keyfile's name, extension or size.

    I'm not here asking for someone to do this for me, as I'm doing it to learn. Can anyone point me in the right direction?


    Cheers

    Michael
    Last edited by Michael_J; September 13th, 2007 at 20:46.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    Registered User (Join Date: Aug 2005; Location: Greece; Posts: 157)
    You can buy it and find out how it works, or try to look for encryption constants inside the keyfile application (PEiD & IDA have plugins for this). Anyway, this is too much of a ping-pong situation between a customer and a company; I wonder if they have any customers...
    A picture worth 1K words (or .5K DWORDS).

  3. #3
    Michael_J
    Guest
    Thank you, Blurcode, for replying, but I feel your suggestions are somewhat unhelpful.

    As I explained earlier, I do not have the keyfile. It's sent when you buy the application, so looking at its contents is impossible. Buying the software is an option, and I didn't plan on doing so. But I am currently trying to learn something new and do this myself.

    I feel just buying the software would defeat the object here.

    The company in question has plenty of customers, because if you buy the software, it's not too much hassle really.

    If anyone else has any suggestions, I would really appreciate it.

    Also, I have tried getting it to always jump to the code which says "Registration Keyfile '{0}' Found", but even this doesn't work. I have no idea what '{0}' is, but I have seen it a few times. For example, still within the application:

    MOV DWORD PTR SS:[ESP+48],0A4CDB0 | Unicode "{0}\{1}"

    Within the KeyInstaller.exe

    PUSH 40B274 | Unicode "{0}\{1}"

    My plan is to get it to think there is a valid keyfile there. Not by actually making one, but to have it see there isn't one, but still execute the code which would run if there were one. The only problem is, I can't find the code for not finding it.

    Also, does anyone have any idea what a Displacement Key is?

    Cheers

    Michael
    Last edited by Michael_J; September 14th, 2007 at 07:24.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4
    Registered User (Join Date: Aug 2005; Location: Greece; Posts: 157)
    Have you thought that the code that's missing is this small file they send you the first time?

  5. #5
    Michael_J
    Guest
    Yep, I do indeed think that is the case.

    But the main application must be looking for this small file, because it has unicode saying:

    "Registration key file '{0}' found"

    This makes me think that there is a way to get it to always receive a positive on that check.

    But I can't find the negative to edit it.

    Cheers

    Mic

  6. #6
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    Quote Originally Posted by Michael_J:
    I am trying to crack an application which requires a keyfile. There is a file already on my system called KeyInstaller.exe which was installed with the application I'm trying to crack.

    As far as I can tell, the Application loads, checks to see if KeyInstaller is there, if it is, then it loads into Demo mode. If its not, It installs it.

    I would guess that by the time keyfile installer is found or created, the application already has NOT found the keyfile. Think of it: Why do you need a key installer when you already have the key?

    Here is the plan: find FileMon (a free util by Russinovich, widely available on the web) and see which files your app is trying to find before it searches for KeyInstaller. Let's assume it searched for "MyFile.key". (FileMon will give you a list of a lot of files your app attempted to open but which were not found.)

    Then you can make your own bogus MyFile.key and place inside of it your favorite text, so you can find it in memory later on, i.e. your favorite song?

    Then, by placing breakpoints on CreateFileA for instance, catch your app opening MyFile.key and loading it into memory. Then figure out what code validates the contents of MyFile.key.



    Quote Originally Posted by Michael_J:
    So I have been trying to understand how the KeyInstaller works.

    I doubt this will take you very far, Michael.

  7. #7
    Michael_J
    Guest
    Cheers, I have now found out what the keyfile is called and created an empty version of it. You have really helped me along. Thank you, Naides.

  8. #8
    Naides is Nobody (Join Date: Jan 2002; Location: Planet Earth; Posts: 1,647)
    The moral of this story (at least this little chapter in Michael's story) is that, no matter how secretive an application is regarding its protection, sooner or later it has to interact with the operating system: call APIs, read files, set up Internet sockets. It is then that we can peek at the protection's hidden cards...

  9. #9
    Michael_J
    Guest
    Well, I'm not there just yet. Still working on it, but I have now read the software's log file, which reads:

    [i 2007-09-14 17:03:37] Cap::Licensing::LoadKeyFiles : Registration key file '.c2k' found
    [E 2007-09-14 17:03:37] SysLib::File::Read : File ('D:\Program Files\*********\\.c2k') size differs from size indicated in file

    So, its not cracked yet.

    Cheers

  10. #10
    reknihT esreveR SiGiNT (Join Date: Sep 2004; Location: Wherever I am; Posts: 750)
    Look for a value, probably in EAX, that is compared to a value on the stack or to a value in memory; that's probably the expected value. You have several choices here: you can do a mov eax,eax or make your file the size it wants, or simply xor eax,eax and then make the appropriate jump. Then you'll end up with an "invalid key" message; unless you can step through and fish out the proper key, you have more work ahead of you. You're very lucky that your target is so verbose; many nowadays are not, intentionally, to limit the amount of clues.

    SiGiNT
    Last edited by SiGiNT; September 14th, 2007 at 14:59.
    Unemployed old fart Geek - Self Employed Annoyance
    Team: Noobisco Crackers
    If someone can't do it for you, you'll never learn!
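    The log line in post #9 ("size differs from size indicated in file") and SiGiNT's advice above describe a loader that reads a size field out of the keyfile and compares it with the real file size before it validates anything else. The following Python model is an added example, not code from the thread or from the target application: the keyfile layout (a 4-byte declared size, a 4-byte CRC32 of the payload, then the payload) is invented for illustration, since the real .c2k format is not known, and skip_size_check stands in for the patched conditional jump SiGiNT describes. It shows why an empty file fails at the first check, why a file padded to the declared size gets further but still ends in "invalid key", and what a file has to look like to pass under this assumed format.

```python
import struct
import zlib

# Assumed layout for this illustration only; the thread does not reveal the
# real .c2k format.  Header: 4-byte little-endian "declared total size" and a
# 4-byte CRC32 of the payload, followed by the payload itself.
HEADER = struct.Struct("<II")


def make_keyfile(payload: bytes, declared_size=None, crc=None) -> bytes:
    """Build a keyfile.  declared_size and crc default to correct values but
    can be forced wrong to exercise the loader's checks."""
    if declared_size is None:
        declared_size = HEADER.size + len(payload)
    if crc is None:
        crc = zlib.crc32(payload) & 0xFFFFFFFF
    return HEADER.pack(declared_size, crc) + payload


def load_keyfile(data: bytes, skip_size_check: bool = False) -> str:
    """Model of the target's LoadKeyFiles / File::Read path (hypothetical).

    skip_size_check=True stands in for the patched conditional jump SiGiNT
    describes: the comparison still happens, but the mismatch branch is never
    taken.  Returns the outcome the log would report.
    """
    if len(data) < HEADER.size:
        # An empty file cannot even hold the header, so there is nothing to compare.
        return "size mismatch"
    declared, crc = HEADER.unpack_from(data)
    if declared != len(data) and not skip_size_check:
        # "File (...) size differs from size indicated in file"
        return "size mismatch"
    payload = data[HEADER.size:]
    if (zlib.crc32(payload) & 0xFFFFFFFF) != crc:
        # The next check in line; a size-only patch lands here: "invalid key".
        return "invalid key"
    return "ok"


def walkthrough() -> dict:
    """Run the files a cracker would try, in order, and return the outcomes."""
    song = b"my favourite song lyrics go here"      # constructed payload
    empty = b""
    # Bogus header: wrong declared size, zero CRC, the song as payload.
    bogus = HEADER.pack(999, 0) + song
    # Same payload, but the header now states the real size (the "make your
    # file the size it wants" option).  The CRC is still wrong.
    right_size = HEADER.pack(HEADER.size + len(song), 0) + song
    # Fully consistent file, as a vendor tool would produce under this format.
    good = make_keyfile(song)
    return {
        "empty": load_keyfile(empty),                                # size mismatch
        "bogus": load_keyfile(bogus),                                # size mismatch
        "bogus_patched": load_keyfile(bogus, skip_size_check=True),  # invalid key
        "right_size": load_keyfile(right_size),                      # invalid key
        "good": load_keyfile(good),                                  # ok
    }
```

    The order of the outcomes is the point: each patched or padded file moves the failure one check further along, which is exactly the "more work ahead of you" SiGiNT warns about. A breakpoint on the file-read API shows where the size field is consumed; a breakpoint on the next comparison shows what the payload itself is checked against.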

  11. #11
    Michael_J
    Guest
    I'm currently looking at how to just skip any kind of keyfile. It knows it's there, which is great. Now I'm trying to just tell it it's there when it's not. I'm not sure lucky is the right word here.

    It's a good challenge though. I've been editing the code on this now for 2 days; each day brings me a tiny little bit closer, but the software really does some weird things.

    For example, I can change the Demo account to an Extended version by editing some of the code.

    Demo Code:

    PUSH 0A4CF2C
    CALL 004E0BA0
    MOV EAX,EBX
    POP EBX
    RETN
    MOVZX EAX,WORD PTR DS:[EAX+14]
    CMP AX,1


    Extended Edition Code:

    PUSH 0A4CF54
    CALL 004E0BA0
    MOV EAX,EBX
    POP EBX
    RETN
    CMP AX,3

    Now, looking at the code there are only a few differences.

    One being:

    Demo = PUSH 0A4CF2C
    Extended Edition = PUSH 0A4CF54

    &

    Demo = CMP AX,1
    Extended Edition = CMP AX,3

    Also, Demo has this line, which Extended, Basic and Partner edition do not:

    MOVZX EAX,WORD PTR DS:[EAX+14]. (I have little to no idea what this does.)


    When I edit Demo to follow the code of Extended, I load the application and it shows the application's name and then Extended Edition in the toolbar, but the save function and time limit are still running.

    So despite changing the application to run in Extended mode, the software is only telling me it's running in that mode, when it actually still has all the limitations of Demo.

    Slightly confusing, but if I focus on telling the application that there is always a keyfile, which is exactly what it wants to see on the system, then I may be in luck.

    Although, It did occur to me, that maybe the keyfile modifies some code within the application itself, which could leave me a little stuck.

    Cheers

    Michael.
    Last edited by Michael_J; September 14th, 2007 at 15:55.

  12. #12
    reknihT esreveR SiGiNT (Join Date: Sep 2004; Location: Wherever I am; Posts: 750)
    Just a guess, but find out where MOVZX EAX,WORD PTR DS:[EAX+14] is in memory (look in the bottom of the disassembly window), write it down, reload and, if you can and it's not in lower all-purpose memory, set a memory breakpoint on write. When the prog breaks, change the value loaded from 1 to 3, and my guess is you will have a fully enabled extended version. Tip: if, when you reload, the memory location is not available, run the prog to that line, then set a hardware BP on write at the memory location and restart; when the prog breaks, the code loading the value will be above the line it breaks on. Set a break on that line, remove the HW BP and restart.

    SiGiNT

    Afterthought: a subroutine almost never starts with a cmp xxx,xx, so there must be a jump to it above the code you show. Looking at what precedes that jump will tell you more.
    Last edited by SiGiNT; September 14th, 2007 at 17:44.

  13. #13
    Michael_J
    Guest
    Here is the code for Demo user:

    JNZ SHORT 00405013
    PUSH 0A4CF54
    CALL 004E0BA0
    MOV EAX,EBX
    POP EBX
    RETN

    Correct me if I'm wrong, but I see that the first line is saying something like: if not equal to something, go to MOV EAX,EBX.

    I have tried changing the code to say

    "if equal to something, go to MOV EAX,EBX", but it doesn't work. (I used JE SHORT 00405013.)

    Not knowing what SHORT means, I'm a little bit in the dark as to what's actually happening, though.

    ------

    I have just finished searching the internet for pictures of the activation process and found one for the version before. It shows a few things:

    Before you can start using Application registration keyfile you must unlock it for use on this computer. To accomplish this, email your serial code and the unlock request code below to unlock MyApplication@ThisISAFakeEmail.com

    Serial Code:
    Unlock request code:

    a button saying "Run in demo mode" (in the meanwhile, the time limitation will be disabled),

    and finally

    "When you receive your unlock code, enter it in the field below and press the Unlock button."

    This is for version 3 of the software, and we're now on version 4. I'm trying to crack version 4.

    Looking through the Unicode strings, I can find references to unlock, but I also find this:

    Serial
    Level
    UserName
    UserEmail
    UserComment
    Displacement

    Now they may have changed the product activation a little to include these, but I have a feeling that these are decoys. Version 3.7 has a patch on the internet, which they stopped from working in the next release, 3.8. Maybe they have got wise to hackers and are trying to trick us.

    Maybe Im wrong and its just there to add more data to create the serial.

    Anyway, back to trying to work out how this beast is actually working.

    Cheers

    Michael
    Last edited by Michael_J; September 14th, 2007 at 19:59. Reason: Extra Info to add:
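    What SHORT means, and why swapping JNZ for JE in post #13 changes the jump's condition rather than where it goes, is visible in the encoding. The Python below is an added example, not code from the thread or from the target: it decodes and patches a two-byte short jump and reconstructs the listing from post #13 as bytes. The base address 0x405007 is an assumption, chosen so that the JNZ lands on 00405013 as Michael read it; the opcode bytes are the standard IA-32 encodings, which OllyDbg hides behind the mnemonics.

```python
# Added example.  Addresses are assumed; the bytes are standard IA-32 encodings.

# One-byte-displacement ("SHORT") jumps: opcode -> mnemonic.
SHORT_JUMPS = {
    0x72: "JB", 0x73: "JAE", 0x74: "JE", 0x75: "JNZ", 0x76: "JBE", 0x77: "JA",
    0x7C: "JL", 0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG", 0xEB: "JMP",
}

BASE = 0x405007  # assumed virtual address of the first byte of CODE

# Reconstruction of the listing in post #13 (constructed bytes, not a dump):
CODE = bytes.fromhex(
    "750A"          # 00405007  JNZ SHORT 00405013   (rel8 = +0x0A)
    "6854CFA400"    # 00405009  PUSH 0A4CF54
    "E88DBB0D00"    # 0040500E  CALL 004E0BA0        (rel32 measured from 00405013)
    "8BC3"          # 00405013  MOV EAX,EBX
    "5B"            # 00405015  POP EBX
    "C3"            # 00405016  RETN
)


def decode_short_jump(code: bytes, base: int, offset: int):
    """Decode the two-byte short jump at code[offset]; code is loaded at base.

    SHORT means the displacement is a single signed byte (imm8), so the target
    must lie within -128..+127 bytes of the *next* instruction, which is where
    EIP already points when the jump executes.  Returns (mnemonic, target).
    """
    opcode, rel8 = code[offset], code[offset + 1]
    if opcode not in SHORT_JUMPS:
        raise ValueError(f"byte {opcode:#04x} at offset {offset} is not a short jump")
    disp = rel8 - 0x100 if rel8 >= 0x80 else rel8   # sign-extend imm8
    next_eip = base + offset + 2                      # the jump itself is 2 bytes
    return SHORT_JUMPS[opcode], next_eip + disp


def patch_short_jump(code: bytes, offset: int, how: str) -> bytes:
    """Return a copy of code with the short jump at offset rewritten.

    how = "invert": flip the condition (JNZ <-> JE, JL <-> JGE, ...); in the
          0x70-0x7F family the two opcodes of a pair differ only in bit 0.
    how = "always": make it JMP SHORT: same displacement, taken unconditionally.
    how = "never":  replace both bytes with NOP so execution falls through.
    The displacement byte is untouched and the length stays 2, so nothing
    after the jump moves.
    """
    out = bytearray(code)
    opcode = out[offset]
    if opcode not in SHORT_JUMPS:
        raise ValueError("not a short jump")
    if how == "invert":
        if not 0x70 <= opcode <= 0x7F:
            raise ValueError("only conditional jumps can be inverted")
        out[offset] = opcode ^ 0x01
    elif how == "always":
        out[offset] = 0xEB
    elif how == "never":
        out[offset:offset + 2] = b"\x90\x90"
    else:
        raise ValueError(f"unknown patch mode {how!r}")
    return bytes(out)
```

    In OllyDbg the same edit is made by assembling over the instruction (Space on the line), so the encoding is handled for you; the point of the example is that SHORT is the one-byte displacement measured from the end of the jump, and that inverting, forcing or removing the jump all keep the two-byte length so the code after it does not move. Which of the three you want depends on which side of the comparison SiGiNT's afterthought turns up once you look above this block.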

  14. #14
    Oh hi, I seem to have found your problem.
    Quote Originally Posted by Michael_J:
    Not knowing what SHORT means, Im a little bit in the dark to whats actually happening though.
    From that line and an assessment of your posts, it seems you know nearly NOTHING AT ALL about Asm! Randomly changing around bits of code may eventually lead you to "breaking" the protection, but what's the point? A million monkeys modifying the code would've probably done that better than you.

    Download the 4-part IA-32/IA-64 Intel® Architecture Software Developer’s Manuals (PDFs, available at the Intel site), set aside several hours of uninterrupted time, and start reading them.

    After you have read and understood everything you can from the Manuals, start reading and understanding the code, the keyword being understanding -- figure out what the code is doing, the entire process of activation et al. Only then should you come up with a few hypotheses on points to change, and proceed to test them.

  15. #15
    Michael_J
    Guest
    Hi LLXX

    I'm definitely not just randomly changing around bits of code. I'm looking at how it's all connected and trying to work out what it does.

    I'm sorry I'm not an Asm expert like yourself, but we have to start somewhere. I have bought a book on Asm and I'm slowly reading through it. I am very much interested in how this works.

    And with regards to understanding what's happening with the code, I have a rough idea of what is happening, and this software is NOT an easy piece to crack.

    Cheers

    Michael
