Thread: I'm stuck

  1. #1
    zitterbe
    Guest

    I'm stuck

    If anyone's got some time I need some help with this program.

    Program - A-book v.2.2.1
    Company - Duality Software
    Download site - h*tp://www.dualitysoft.com/abook/index.html
    Install File - abk221.exe
    Size - 1.1 Mb

    It's pretty basic cracking but I need somebody else to help get me out of my mental block. The program takes a Name and Reg Code. It also requires a key file called abook.key which they send along with a valid Reg Code. It places the Name and RegCode in the registry at:

    HKEY_USERS\.Default\Software\PIM+\A-book\Settings\UserName
    HKEY_USERS\.Default\Software\PIM+\A-book\Settings\RegCode

    Quiller said "The RegCode appears to be in the format:
    WIN-xxxxxxxxxx-xxxxxxxxxxxxxxx with x's being letters (small and capital) and numbers."

    I believe this is true. In fact for some strange reason there are 7 UserNames and RegCodes in the exe - see CS:0046A1F8. Don't know what that's all about but I used one of them.

    Quiller went on to say "It can be patched in one location by moving a 1 into the memory flag that is used. In that case, the proggie is registered and it does not even look at the file abook.key..."

    I just can't find any way that this is so. I can't find any flag test that bypasses checking the key file - especially when you first start the program.

    Here's what I did:
    1. I made a bogus abook.key with the numbers 6666111155552222 and saved it to the same folder as abook.exe.
    2. I ran the proggie and chose to register it.
    3. I used a Name and RegCode from the disassembly:
       Name: Mark Riddle
       RegCode: WIN-e805dR7dhA-t7jFfydjf5j3guS

    That got me past the "incorrect user name" and "incorrect code" message boxes. Then I started tracing by loading it with symbol loader and trapping the registry queries. To make a long story short, the code starting at 401355 thru 40143B gets the UserName and RegCode registry info when first starting the program. That gets passed into a call at 40143D (Call 401CC0). The first Call in that function (Call 469DC0) reads abook.key into memory. If there was any error in reading the file or the UserName and RegCode were wrong, it returns an error code and the calling function posts the particular message in a message box. Otherwise it gets to 469F05 which calls 4AE8A0. This is the function that tests the key file data that was previously read into memory. The actual algorithm is the code between 4AE8AE and 4AE910. I started to reverse this but I keep thinking about what Quiller said about there being a memory flag check that could bypass all this. Anyway, it appears that this Test Key function should return a valid address - maybe the memory location of the key. It definitely should NOT return 0.

    Well - that's as far as I got. If anyone could give me some insights on this I'd appreciate it. I'm probably making an easy crack into a nightmare :-)

    zitterb
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2
    quiller
    Guest

    Getting Close

    I guess that I should have a been a little clearer, "the proggie is registered and it does not even look at the file abook.key..." The program does look at the abook.key file, it just does not care what the result is (when patched).

    You are in the ball park, you found the important call at 401CDA (CALL 469DC0). If you look a few lines below that you can see eax moved into a memory location. If eax (which is the return value from the above function) is 1, the program says that you are a good boy. You will need to go through typing in a username and regcode, but it will now accept anything and store it in the registry.

    I'm not sure keyfile is the correct term for abook.key. I believe that file gets written automatically if a good username and regcode is provided, but I haven't checked. You might look into that. The reason I think that is that CALL 469DC0 is called from 2 locations. Anyway keep rolling, you're making headway.

    quiller

  3. #3
    zitterbe
    Guest

    Getting Close

    quiller (07-24-2001 22:42):
    You are in the ball park, you found the important call at 401CDA (CALL 469DC0). If you look a few lines below that you can see eax moved into a memory location. If eax (which is the return value from the above function) is 1, the program says that you are a good boy. You will need to go through typing in a username and regcode, but it will now accept anything and store it in the registry.
    What a dummy I am!!! In Sice I BP'd at 401CF0 and calculated that EAX should be 1 in order for ECX to be 1 for the required jump to "Registration Completed". I changed EAX to 1 and got the right message box but completely overlooked 401CE7 stuffing that Good Guy 1 to memory. So I changed EAX after a Bad value was put in memory, then got sidetracked on making the Call 469DC0 return 1. Jeeze!

    Code:
    :00401CDA E8E1800600              call 00469DC0
    :00401CDF 83C410                  add esp, 00000010
     
    * Possible Reference to Menu: MenuID_0080 
                                      |
    :00401CE2 3D80000000              cmp eax, 00000080
    :00401CE7 A3ECA15200              mov dword ptr [0052A1EC], eax
    :00401CEC 7761                    ja 00401D4F
    :00401CEE 33C9                    xor ecx, ecx
    :00401CF0 8A887C1D4000            mov cl, byte ptr [eax+00401D7C]
    :00401CF6 FF248D581D4000          jmp dword ptr [4*ecx+00401D58]
    I can't believe I missed that obvious mov at 401CE7 :-O

    quiller: I'm not sure keyfile is the correct term for abook.key. I believe that file gets written automatically if a good username and regcode is provided, but I haven't checked. You might look into that. The reason I think that is that CALL 469DC0 is called from 2 locations. Anyway keep rolling, you're making headway
    As for the getting called from two locations, I assumed one was when the program was run each time, the other was at initial registration. Not sure now. Maybe today I'll have time to play a bit more while at "work" :-)

    The key file is puzzling. Its contents aren't really checked (in the Call 4AE8A0) against the UserName or RegCode. It's merely checked for self-consistency via the algorithm from 4AE8E1 thru 4AE910. Plus, it is called from 25 different locations??? That's an interesting little manipulation in that Call. Want to drive yourself crazy? Try reversing it.

    One more thing. Why do you suppose there are those 7 UserNames and RegCodes in the exe itself? Seems weird they'd put those strings in there.

    Thanx for your help!

    zitterbe
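The finding above, that abook.key is only checked for self-consistency and never tied to the UserName, is the design flaw worth taking away from this thread. The following is an added example, not code from A-book or Duality Software, contrasting a checksum-only key file (which anyone can regenerate for any payload) with a key file bound to the user name by a MAC. The file layouts, the checksum rule, VENDOR_SECRET and all function names are assumptions made for illustration; a shipping product would use a public-key signature instead of a shared secret so the verifying key inside the binary cannot forge files.

```python
import hashlib
import hmac
import secrets

# --- Scheme A: key file checked only for self-consistency (assumed layout for
# this example: 16 decimal digits of payload followed by a 2-digit checksum). ---

def checksum_digits(payload: str) -> str:
    """Two-digit checksum: sum of the digits modulo 100."""
    return f"{sum(int(c) for c in payload) % 100:02d}"

def make_selfconsistent_keyfile(payload: str) -> str:
    """Build a key file that passes the self-consistency check for ANY payload."""
    return payload + checksum_digits(payload)

def verify_selfconsistent(keyfile: str, username: str) -> bool:
    """The weak check: username is ignored, only the checksum has to match."""
    del username  # never consulted, which is exactly the problem
    body, chk = keyfile[:-2], keyfile[-2:]
    return len(body) == 16 and body.isdigit() and checksum_digits(body) == chk

# --- Scheme B: key file bound to the user name with a MAC (constructed secret). ---

VENDOR_SECRET = b"example-vendor-secret-not-real"  # placeholder, held by the vendor only

def issue_bound_keyfile(username: str, secret: bytes = VENDOR_SECRET) -> str:
    """Vendor side: MAC over (username, random nonce); file is 'nonce:tag'."""
    nonce = secrets.token_hex(8)
    msg = f"{username}\0{nonce}".encode()
    tag = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return f"{nonce}:{tag}"

def verify_bound(keyfile: str, username: str, secret: bytes = VENDOR_SECRET) -> bool:
    """Client side: recompute the tag for THIS username; constant-time compare."""
    try:
        nonce, tag = keyfile.split(":", 1)
    except ValueError:
        return False
    msg = f"{username}\0{nonce}".encode()
    expected = hmac.new(secret, msg, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def demo() -> dict:
    """Run both schemes against a forged file and a legitimately issued one."""
    forged = make_selfconsistent_keyfile("6666111155552222")  # constructed payload
    issued = issue_bound_keyfile("Mark Riddle")
    tampered = issued[:-1] + ("0" if issued[-1] != "0" else "1")
    return {
        "checksum_accepts_forgery": verify_selfconsistent(forged, "Anyone At All"),
        "mac_accepts_owner": verify_bound(issued, "Mark Riddle"),
        "mac_rejects_other_name": not verify_bound(issued, "Someone Else"),
        "mac_rejects_tampered_tag": not verify_bound(tampered, "Mark Riddle"),
    }

if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {ok}")
```

The second lesson from the thread applies to either scheme: once the verdict is copied into a single global such as the dword at 0052A1EC, every later feature trusts that one memory location. Keeping the result local to the code path that needs it, and re-verifying where it matters, removes the single point that a one-byte change can flip.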

  4. #4
    +SplAj
    Join Date: Feb 2001
    Location: Afghanistan, Cuba, Iran, Iraq, Libya, North Korea, Sudan and Syria
    Posts: 373
    Probably if you used astalavista and searched for cracks/serials for this target I'll bet you'll find some familiar names.

    Could be a list of 'bad boys' who released their serials? If you played with CommView any time you can see a similar thing... a list of bad boys.

    +SplAj

  5. #5
    bNaza
    Guest
    zitterbe,
    You can use:

    Patch 1:
    You need RegCode and UserName in registry, but don't need .key file.
    at 4013FA you have jz 401499
    Change to: mov dword ptr [0052A1EC],1 ; it is a good boy flag
    jmp 40161D ; start the normal proggi
    This one skips a lot of stuff and the proggi will start faster....

    or Patch 2:
    You need RegCode and UserName in registry, and .key file.
    at 46A0FF you have mov eax, 20
    change to: mov eax,1
    then you can register with any UserName and RegCode
    This one doesn't skip the checks and the proggi is slower..

    bNaza

  6. #6
    zitterbe
    Guest
    I already patched it but thanx.

    I changed the CMP to a MOV EAX,1 and NOP'd the JA.

    Cya,
    zitterbe
