Page 1 of 3 123 LastLast
Results 1 to 15 of 31

Thread: how to reverse an application that restarts after entering fake serial

  1. #1

    how to reverse an application that restarts after entering fake serial

    Hi everybody, I'm a newbie, this is my first post, I hope I don't break the rules. I'm trying to reverse simple applications for fun, recently I met a tough application, I managed to dump it but I can't crack it cuz it's well protected I think. I open it in olly and try to analyse jumps and messages, I couldn't find the right comparing codes, when I enter fake serial to catch comparison lines it doesn't work, it simply says "Thank you for registering ....! Please restart the product."
    I even couldn't figure out if it was genuine message or playing with me, would anybody help me? Thanks in advance.
    Regards.

  2. #2
    My next step would be to search for those strings, use the strings to lead you back to the function(s) that print them, and trace back from there where it gets the serial from the dialog box (assuming this is a windows app). And that should be enough to get you on your way.

  3. #3
    FrankRizzo, thanks for being so kind as to have replied me, it's very nice to have help from an experienced guy. Yes, it's a Windows application, history extractor. I have been working on it for a week, I tried many things to crack it, no way. It works in a limited functionality, at least the limited functionality can be turned to full functionality but it's beyond my skill. I searched for serial string line by line but it is not shown, it must be easy to crack but I'm getting hopeless, I feel like I can never crack it

  4. #4
    The benefit that YOU have that the software doesn't, is that YOU can learn, and keep hacking away at it. Everything you learn is another nail in the coffin of the app. The one thing that I think has made me a deadly reverser over the nearly 30 years that I've been doing it is, PATIENCE. Have I gotten stumped? Yes. Have I given up? Yes. Have I spent a MONTH hacking a NASTY DOS based protection? YES! And I eventually conquered it. The thing was, IT couldn't change, but I could continue to learn more about it, and to chip away at it. Keep your chin up!

    Now, have you found the strings in your disassembly yet? Tell me where you are, what you have done, and I'll try to point you in the next logical direction.

  5. #5
    FrankRizzo, thanks again for giving a hand to me, I VERY much appreciate your guidance, I promise I ll be a good disciple of you Now I ll tell you where I am :
    I unpacked the application (I was at it months ago but I couldn't unpack it) I unpacked it last week, unpacked application works, then I dived into cracking it, I put some breakpoints on certain lines before jumps and messages. Shall I tell you the name of the application?
    0040C64C . B8 01000000 MOV EAX,1 : with this line message box for registration appears, then I keep pressing F7 to see what's happening, I should point out that message box forms step by step, not all at once. Then I enter any serial ( I put "xxxx")
    Then I hit register button, it stops at another breakpoint I put.
    I noticed that my serial xxxx is stored in
    EAX 00000005
    ECX 0012F02C ASCII "xxxx"
    EDX 0012F02C ASCII "xxxx"
    EBX 00000000
    ESP 0012EF14
    EBP 0012F97C
    ESI 0012F445
    EDI 0012F031
    EIP 0040C790 original.0040C790

    A few lines below it compares CMP EAX,ESI
    below is the register values in the comparison.

    EAX 00000000
    ECX 004318F8 ASCII "YG"
    EDX 00124759
    EBX 00000000
    ESP 0012EF08
    EBP 0012F97C
    ESI 0012F02C ASCII "xxxx"
    EDI 0012F031
    EIP 0040C7A6 original.0040C7A6

    All of these are meaningful for you? I am lost

  6. #6
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,087
    Blog Entries
    5
    Quote Originally Posted by kenn View Post
    Shall I tell you the name of the application?
    No. It's against forum rules.

    That said, if the app says "Thank you for registering ....! Please restart the product.", then the real check will likely be on startup, not during the "registration". While it's not a waste of time following the registration box, it will probably only lead you to a function which writes the info to the registry (or a file). If you can determine the name of the registry key then you can track that on startup and begin reversing from there.

    Kayaker

  7. #7
    ha33
    Guest
    Yes, it is very likely the serial will be stored in either a file or registry key.

    First approach:
    - BP on registry related win32 calls, primarily RegOpenKeyEx/RegGetValue/RegQueryValueEx
    - BP on file related win32 calls, ReadFile, CreateFile(A/W).

    If above approach fails (maybe serial is hashed / encrypted before stored), then I would start checking where serial is obtained and start putting memory breakpoints to see where it is read and eventually stored (to registry/file).

    If you need any other advice just let us know.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  8. #8
    Thank you again kind guys, I'm grateful to you. Hi Kayaker, are you famous cracker? Nice to meet you. You all must be famous and professional reversers, sorry for my ignorance, as I said I'm a newbie. Now that it is not against forum rules name of the application is **********. As you said serial key must be stored outside in the registry or in a file, I noticed that it checks registry values. I had no time to work on it today, I wanted to reply you at first.
    Hi ha33, thanks for suggestion, I ll check out your suggestions though it will be a tough job for me.
    I congratulate all of you on Valentine's Day!
    Last edited by kenn; February 14th, 2011 at 09:55.

  9. #9
    kenn:

    One thing you need, to become a "reverse engineer," is to pay attention to details. Kayaker's response to your post started with:

    Quote Originally Posted by kenn View Post
    Shall I tell you the name of the application?
    No. It's against forum rules.

    You read that as "Yes" and named the target software. I have removed it.
    Please demonstrate that you actually can learn!!!

    Now go and actually Read the Rules!!!

    Regards,
    JMI

  10. #10
    sorry!

  11. #11
    Now, since you are assuming that it's registry related, let me point you to a tool that I find handy in times like this:

    http://technet.microsoft.com/en-us/sysinternals/bb896652

    You run it, tell it what the name of the app is that you're working on, and it'll log all the registry accesses. New key creation, writes, reads, etc.

    Granted, it sometimes gives A LOT of info, but wading through it will both make you familiar with the registry keys your program uses, and will let you get a feel for what it's doing.

  12. #12
    Hi Master FrankRizzo It's very nice to hear from you. I used process monitor as you advised to trace what's happening, I am still awkward at using it, it took an hour for me to understand how to use it, at last I managed to include only the process I wanted. I'm lucky that I have you, I feel self-confident now.
    I found some suspicious queries.
    unpacked.exe CreateFile C:\Program Files\*******\unpacked.exe.Local NAME NOT FOUND
    unpacked.exe CreateFile C:\Windows\Prefetch\UNPACKED.EXE-E04A47A0.pf NAME NOT FOUND
    unpacked.exe ReadFile C:\$Directory SUCCESS
    unpacked.exe QueryStandardInformationFile C:\Windows\registration\R00000000000d.clb SUCCESS
    unpacked.exe QueryDirectory C:\Users\ACER\AppData\Roaming\******\********\Settings.xml SUCCESS unpacked.exe RegSetValue HKCU\Software\***********\***********\Key SUCCESS

    I took a look at C:\Windows\registration\R00000000000d.clb but I have no idea how to decrypt it.
    Does it matter if I use different application names in place of original application, I mean if software checks its original name ? I named it as unpacked.exe

  13. #13

    As Above

    Kenn, you bend over backwards any more son, and you're gonna snap that spine!

    On a more serious note, welcome to the board. Its good to see you've managed to become self-confident... gives us a fuzzy feeling.... Nice to see you getting ahead in the game. While cracking is definitely the use of your tools and mind, not giving up is most important here. So whatever you do in the future, DON'T GIVE UP!

    And thanks to Frankrizzo (he not a master, he is GRANDMASTER of GRANDMASTERS!!) and Kayaker (perhaps, the Greatest cracker that ever lived on this earth.... say, do you know -- Kayaker used to TEACH Fravia and ORC!! --- and unconfirmed rumors that he coded version 1 of IDA PRO!!) you are now having a headstart!

    Hope to see you more often here.

    Have Phun
    Blame Microsoft, get l337 !!

  14. #14
    say, do you know -- Kayaker used to TEACH Fravia and ORC!!
    Holy O' crap Aimless, Talk about bending over. Front ways even .
    Are you getting money from Kayaker for that incredible line of...........

    Woodmann
    Learn Or Die.

  15. #15
    Teach, Not Flame Kayaker's Avatar
    Join Date
    Oct 2000
    Posts
    4,087
    Blog Entries
    5
    This is getting amusing

    Kenn will soon learn that obsequious behaviour is useless here. We're all too old for that and there's nobody famous here anyway.


    That reminds me of Shrek, looking up at the stars with Donkey

    "Look, there's Blood-Nut, the Flatulent. You can guess what he's famous for."

Similar Threads

  1. Kaspersky - fake av.
    By Indy in forum Advanced Reversing and Programming
    Replies: 5
    Last Post: December 31st, 2013, 14:49
  2. This site really seems like snakeoil + fake AV potential candidate.
    By encryptedmind in forum Malware Analysis and Unpacking Forum
    Replies: 5
    Last Post: April 11th, 2013, 13:22
  3. Replies: 6
    Last Post: July 23rd, 2011, 04:28
  4. Hardlock, fake or really implemented
    By OHPen in forum The Newbie Forum
    Replies: 2
    Last Post: April 15th, 2003, 13:30

Bookmarks

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •