Thread: Win CE Program Cracked... Or not???

  1. #1

    Win CE Program Cracked... Or not???

    I'm new to the forums, and to Windows CE cracking. I'm working on a GPS program. So, I loaded my program into IDA Pro, found the serial check spot, and changed a BEQ to B. I started the program on my PPC and it seemed to work. However, when the program is cracked, it works for 3 minutes (180 seconds) and then DROPS the GPS signal. I know it's not the receiver; it's the program refusing GPS information. Anyone have any ideas? Here is the code:

    I changed:
    .text:000E6ADC BEQ loc_E6B7C ; Branch
    .text:000E6ADC B loc_E6B7C ; Branch

    .text:000E6A84 loc_E6A84                               ; CODE XREF: sub_E61A0+90Cj
    .text:000E6A84                 ADD     R0, SP, #0x6744+var_6714 ; Rd = Op1 + Op2
    .text:000E6A88                 LDRB    R1, [R4,R0]     ; Load from Memory
    .text:000E6A8C                 SUB     R0, R3, #1      ; Rd = Op1 - Op2
    .text:000E6A90                 SUBS    R3, R3, #1      ; Rd = Op1 - Op2
    .text:000E6A94                 MOV     R2, R1,LSL R0   ; Rd = Op2
    .text:000E6A98                 MOV     R1, R5,LSL#16   ; Rd = Op2
    .text:000E6A9C                 ORR     R0, R2, R1,LSR#16 ; Rd = Op2 | Op1
    .text:000E6AA0                 MOV     R2, R0,LSL#16   ; Rd = Op2
    .text:000E6AA4                 MOV     R5, R2,LSR#16   ; Rd = Op2
    .text:000E6AA8                 ADD     R4, R4, #1      ; Rd = Op1 + Op2
    .text:000E6AAC                 BNE     loc_E6A84       ; Branch
    .text:000E6AB0                 CMP     R4, #0x10       ; Set cond. codes on Op1 - Op2
    .text:000E6AB4                 BLT     loc_E6A7C       ; Branch
    .text:000E6AB8                 MOV     R0, #0xB        ; Rd = Op2
    .text:000E6ABC                 BL      sub_C23A4       ; Branch with Link
    .text:000E6AC0                 MOV     R1, #0xB        ; Rd = Op2
    .text:000E6AC4                 MOV     R7, R0          ; Rd = Op2
    .text:000E6AC8                 BL      sub_2D7800      ; Branch with Link
    .text:000E6ACC                 MOV     R0, R6,LSL#16   ; Rd = Op2
    .text:000E6AD0                 MOV     R3, R5,LSL#16   ; Rd = Op2
    .text:000E6AD4                 MOV     R1, R0,LSR#16   ; Rd = Op2
    .text:000E6AD8                 CMP     R1, R3,LSR#16   ; Set cond. codes on Op1 - Op2
    .text:000E6ADC                 BEQ     loc_E6B7C       ; Branch
    .text:000E6AE0                 LDR     R1, =unk_34FA4C ; char *
    .text:000E6AE4                 LDR     R0, =unk_34FA40 ; char *
    .text:000E6AE8                 BL      fopen           ; Branch with Link
    .text:000E6AEC                 MOV     R4, R0          ; Rd = Op2
    .text:000E6AF0                 LDR     R0, =unk_34FA38 ; void *
    .text:000E6AF4                 MOV     R3, R4          ; FILE *
    .text:000E6AF8                 MOV     R2, #6          ; size_t
    .text:000E6AFC                 MOV     R1, #1          ; size_t
    .text:000E6B00                 BL      fwrite          ; Branch with Link
    .text:000E6B04                 MOV     R0, R4          ; FILE *
    .text:000E6B08                 BL      fclose          ; Branch with Link
    .text:000E6B0C                 ADD     R0, SP, #0x6744+var_66B4 ; Rd = Op1 + Op2
    .text:000E6B10                 BL      sub_2DFED4      ; Branch with Link
    .text:000E6B14                 ADD     R0, SP, #0x6744+var_66EC ; Rd = Op1 + Op2
    .text:000E6B18                 BL      sub_2DFED4      ; Branch with Link
    .text:000E6B1C                 LDR     R0, [SP,#0x6744+var_6730] ; Load from Memory
    .text:000E6B20                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B24                 LDR     R0, [SP,#0x6744+var_671C] ; Load from Memory
    .text:000E6B28                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B2C                 LDR     R0, [SP,#0x6744+var_6734] ; Load from Memory
    .text:000E6B30                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B34                 LDR     R0, [SP,#0x6744+var_6738] ; Load from Memory
    .text:000E6B38                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B3C                 MOV     R0, R11         ; Rd = Op2
    .text:000E6B40                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B44                 MOV     R0, R10         ; Rd = Op2
    .text:000E6B48                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B4C                 MOV     R0, R9          ; Rd = Op2
    .text:000E6B50                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B54                 MOV     R0, R7          ; Rd = Op2
    .text:000E6B58                 BL      sub_C23AC       ; Branch with Link
    .text:000E6B5C                 MOV     LR, #0xA        ; Rd = Op2
    .text:000E6B60                 MOV     R9, LR          ; Rd = Op2
    .text:000E6B64                 STR     LR, [SP,#0x6744+var_673C] ; Store to Memory
    .text:000E6B68                 MOV     R0, R9          ; Rd = Op2
    .text:000E6B6C                 MOVL    R12, 0x6720
    .text:000E6B74                 ADD     SP, SP, R12     ; Rd = Op1 + Op2
    .text:000E6B78                 LDMFD   SP!, {R4-R11,PC} ; Load Block from Memory
    .text:000E6B7C ; ---------------------------------------------------------------------------
    .text:000E6B7C loc_E6B7C                               ; CODE XREF: sub_E61A0+93Cj
    .text:000E6B7C                 MOV     R0, #0x34       ; Rd = Op2
    .text:000E6B80                 BL      sub_C23A4       ; Branch with Link
    .text:000E6B84                 MOV     R1, #0x34       ; Rd = Op2
    .text:000E6B88                 MOV     R4, R0          ; Rd = Op2
    .text:000E6B8C                 BL      sub_2D7800      ; Branch with Link
    .text:000E6B90                 LDR     R0, [SP,#0x6744+var_6730] ; Load from Memory
    .text:000E6B94                 MOV     R2, #0x34       ; size_t
    .text:000E6B98                 MOV     R1, R0          ; void *
    .text:000E6B9C                 MOV     R0, R4          ; void *
    .text:000E6BA0                 BL      memcpy          ; Branch with Link
    .text:000E6BA4                 LDR     R0, [SP,#0x6744+var_6728] ; void *
    .text:000E6BA8                 MOV     R2, #0x35       ; size_t
    .text:000E6BAC                 MOV     R1, #0          ; int
    .text:000E6BB0                 BL      memset          ; Branch with Link
    .text:000E6BB4                 LDR     R5, [SP,#0x6744+var_6738] ; Load from Memory
    .text:000E6BB8                 LDR     LR, [SP,#0x6744+var_6728] ; Load from Memory
    .text:000E6BBC                 MOV     R2, #0x34       ; Rd = Op2
    .text:000E6BC0                 LDR     R6, [SP,#0x6744+var_6734] ; Load from Memory
    .text:000E6BC4                 MOV     R3, #0x31       ; Rd = Op2
    .text:000E6BC8                 SUB     R1, R10, LR     ; Rd = Op1 - Op2
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  2. #2


    So you just changed one check to ignore the invalid serial. Did you ever think about the possibility that the developers might have used serial checks in multiple places? Why is it so difficult for newbies to use their imagination? One of the most essential things about reverse engineering is using the grey stuff between your ears (and I'm not talking about earwax). Just imagine: how would you protect your stuff against curious people? Right, the most commonly used thing is a CRC check. In second place comes duplicating code to perform checks in various places.
    Now go ahead and use your head
    Double the killers!

  3. #3
    I figured that there was more than 1 check. I found a second place already, but it still didn't fix it. What does a CRC check look like? Got an example? I said I was new to cracking, not that I was stupid. I was only asking for a little guidance, not bashing. I figured that there might be some kind of timer, and it might be easier to disable the timer rather than find every spot in the code where the serial/activation is checked.
    I promise that I have read the FAQ and tried to use the Search to answer my question.

  4. #4

    Reversing is not something one should just wake up one day and say to themselves: "Hell, I can do that." It also is not something one should just jump into without some substantial preparation. It is both a "wide" and a "deep" subject which generally requires some substantial "study" and, particularly, "preparation" before it should be attempted. By "study" and "preparation," I mean there is a great deal of work one should actually do before you pick up some "tut" and blindly try to follow along without activating your brain.

    So far, it appears that your brain is in hibernation on several levels. The first level is that, despite the instructions when you Registered, you have OBVIOUSLY FAILED TO READ THE FRIGGIN FAQ. We even went to the trouble of adding below the signature of all new members the phrase:

    "I promise that I have read the FAQ and tried to use the Search to answer my question."

    Despite these statements, YOU didn't read the FAQ, because "cracking" that program was just TOO important to YOU for you to BOTHER YOURSELF with doing what you SHOULD do, instead of what you WANTED to do. So you noticed that your program had a serial number input box and you said to yourself: "Damn, this cracking stuff sure is simple, I think I'll just reverse a jump where it goes off to the serial input box and I'll own this puppy."

    Of course, you also didn't bother actually LEARNING very much at all about reverse code engineering before you started out, because YOU were too smart and too much in a hurry to "defeat" these stupid protection makers and impress your friends with your "special" talents. But, damn Boss, I reversed a single jump and it didn't work, what should I do now ..... I know, I still won't use my brain, I'll just ask someone else to solve the problem for me and then I can still impress my friends by NOT telling them I REALLY don't have ANY idea what I'm doing and someone else did it for me.

    Now there are many "possibilities" why reversing a single call to a serial input box will not magically cure all protection in a piece of software. Did that occur to you??? If it did, what did YOU do with that thought? Did you believe the makers of the software put as little effort into protecting their software as YOU apparently did in trying to learn how to crack it???

    Among the many possibilities, as laola suggested, is the possibility that the software author included code in the software to actually check if some complete "noob wannabe cracker" changed ANYTHING in the program. If they did, guess what, the damn thing just won't work. Boy, weren't YOU shocked to find out someone might actually be trying to determine if YOU were mucking with the software they were trying to make money from by having you buy it instead of "liberate" it. How could the world be so cruel?

    Of course, true to "character", YOU are so self-confident, but under motivated, that you don't yet recognize GOOD ADVICE when you read it and, instead, you thought you would just go back and "it might be easier to disable the timer rather than find every spot in the code where the serial/activation is checked."

    Now, let's give "a little credit" where a "little" credit is due. You were bright enough to figure out that if the program was shutting down in "180 seconds" there must be some form of a "timer" somewhere. Of course you haven't suggested YOU know anything about how that might be done, and you suggest you just want to "disable" it, which would just be more "changes" to the code. But, hey, it's YOUR LIFE, why start now using your noggin for anything other than holding up your hair.

    But what is not "yours" is this Forum and YOU haven't yet done what the evil "WE" require of posters if they want to post here. It's not that complicated and it IS, in fact, spelled out plainly in the damn FAQ YOU still haven't read OR at least followed.

    So, Bunky, here's what you better do FIRST, before you get ignorant enough to post again. Read what the FAQ tells you to do, which means YOU are supposed to do the "basic" research BEFORE you post a question here. YOU are supposed to use the DAMN search button at the top of the Forums and search out whether your question has come up before so YOU aren't asking for the umpteenth time how one ties their shoes so they can take a few steps through the dark codewoods without tripping over their feet in the dark. THEN, YOU are supposed to search out topics on the net about reversing and/or, gasp, you might actually read a lot of the information contained in the links conveniently listed at the bottom of these Forums.

    THEN, and only then, when you have at least some understanding of the basics and you have actually THOUGHT about your problem at a deeper level than "well, the first thing I tried didn't work," and you have thought about how to actually explain how YOU have attempted to analyze the possibilities of what may be going wrong with your efforts to reverse a target, should you ask for help, and THEN you should, again, follow the instructions in the FAQ about what and how to post.

    Now here's a way to THINK about your problem. Let's assume the software author has at least "slightly" more experience at cracking than YOU do, at least in the sense that he needs to know how to determine if YOU are mucking with his code. Now it might be as simple as knowing YOU might reverse a single jump and think you are "King of the World" and having, duh, more than one check of the entry of the correct serial number.

    OR what a reasonably competent coder might do is add some code which checks if you are mucking with ANYTHING in his code and, if it determines you have, it sends you off to a timer which shuts the program down in a set time. AND there might be more than one of those. OR maybe, if you change ANYTHING, it does other things at RANDOM. OR maybe parts of the program don't work at all without a proper serial number having been entered. (Damn that's just not fair.)

    So, why don't you get off your figuratively lazy butt and take laola's advice and determine whether the software is watching YOU by looking for any changes to the code. Well gee Sparky, how do I do that, you ask. Well Bunky, he mentioned the secret code word. Shhhh! Don't say it out loud, someone might hear. (Visualize here "invisible" ink that only you can read.) "CRC check".

    Well golly gee whiz Buffalo Bob, how do I do one of them there (secret word) checks?? Well Bunky, you follow the "secret path" described in the magic FAQ and you bravely touch the SEARCH button with your mouse and you enter the (secret word) and, gasp, you will see the Genie fly out of the lamp and reveal to your wondrous eyes no less than 136 previous threads discussing the subject of the (secret word) you might want to review. Entering "(secret word) reversing" in my favorite search engine (without the quote marks) gave me 12,400 hits.

    Now, try to recognize that there IS a qualitative and literal difference between "being stupid" and "behaving stupidly." So far, in the reversing sense, you have been "behaving stupidly," as in not using your brain to try to solve your problem, before engaging your fingers on your keyboard. Fortunately, while there is no cure for "being stupid," there is, in fact, a relatively painless cure for "behaving stupidly." It only requires you to actually spend more time thinking and studying before engaging your keyboard. You will actually be surprised at how well that actually works. Give it a try.
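    Post #3 asked what a CRC check looks like, and posts #2 and #4 describe it in words. Below is an added example from the protection author's side (not code from the thread or from the GPS program): a CRC-32 self-check over a code range, with a constructed 16-byte sample region containing the BEQ word from the first post's listing so that the single-byte BEQ-to-B edit can be seen to change the checksum. The sample region, the NOP filler words and the function names are assumptions for the demonstration.

```c
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Constructed sample code region: the BEQ loc_E6B7C at .text:000E6ADC from the post,
   encoded as a little-endian ARM word 0x0A000026 (cond=EQ, imm24 = (0xE6B7C-(0xE6ADC+8))/4),
   padded with NOPs (MOV R0,R0 = 0xE1A00000) standing in for the neighbouring instructions. */
static const uint8_t code_region[] = {
    0x00, 0x00, 0xA0, 0xE1,   /* NOP (constructed filler) */
    0x26, 0x00, 0x00, 0x0A,   /* BEQ loc_E6B7C             */
    0x00, 0x00, 0xA0, 0xE1,   /* NOP (constructed filler) */
    0x00, 0x00, 0xA0, 0xE1,   /* NOP (constructed filler) */
};
#define CODE_REGION_LEN (sizeof code_region)

/* Plain CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320). */
uint32_t crc32_ieee(const uint8_t *data, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= data[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* The check a protection author scatters through the program: recompute the CRC of a
   code range at run time and compare it with the value recorded at build time. */
int code_region_intact(const uint8_t *region, size_t len, uint32_t expected) {
    return crc32_ieee(region, len) == expected;
}

/* Why one patched instruction is noticed: the BEQ -> B edit from the post changes the
   condition field from EQ (0x0) to AL (0xE), i.e. one byte, and therefore the CRC.
   Returns 1 when the original passes the check and the patched copy fails it. */
int demo_detects_patch(void) {
    uint32_t expected = crc32_ieee(code_region, CODE_REGION_LEN); /* build-time value */
    uint8_t patched[CODE_REGION_LEN];
    memcpy(patched, code_region, CODE_REGION_LEN);
    patched[7] = 0xEA;   /* top byte of the branch word: 0x0A (BEQ) -> 0xEA (B) */
    return code_region_intact(code_region, CODE_REGION_LEN, expected)
        && !code_region_intact(patched, CODE_REGION_LEN, expected);
}

int main(void) {
    printf("original CRC-32 = %08lX\n", (unsigned long)crc32_ieee(code_region, CODE_REGION_LEN));
    printf("patch detected: %s\n", demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

In a real build the expected value is computed from the final binary and stored in the program, and the comparison is placed in more than one spot, which is why a check can fire minutes after start-up rather than at the serial prompt.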
