+-----------------------------------------------------------------------------+
| For The +HCU: Academy Of Reverse Engineering                                |
| by Bengaly, published by +Tsehp                                             |
+=============================================================================+
Welcome New Beginners.
So, you finally found your way into the cracking world, eh? :-)
Hacking seems too much of a burden to you? :-)
You think you can handle ASM? :-)
Then you are welcome to read this cracking guide for new/advanced crackers.

Note: this tutorial can be published only by Axion, and cannot be distributed over
the net (due to a special request), unless the author of this text says otherwise.
This tutorial is for educational purposes only! All cracked applications will be
well respected by us crackers. If you use a shareware, please buy it!
Help support those who give you the time and effort of learning and gaining knowledge.
Guide Hierarchy:
----------------
[-]-Overview-------+
                   |
                   +----> I.   "Assembly" (Quick Touch)
                   |
                   +----> II.  "Tools"
                   |
                   +----> III. [+]Cracking----+
                   |                          |
                   |                          +---->[+] Basics
                   |                          |
                   |                          +---->[+] Advanced
                   |                          |
                   |                          +----> "The Big Ride"
                   |
                   +----> "Troubleshooting"
                   |
                   +----> "Links"
                   |
                   +----> "Thanks"
=============
| Overview |
=============
Cracking, what is it? ...
Cracking is what we call "software hacking": those people who "destroy" the code
of the application they are examining.
Real cracking began long ago, something like 10+ years.
But none of it has been seen like today; today's cracking could be even easier
than before, but it can still be tough.
In 1990 old DOS ruled (?); a lot of apps/games were out, and those are the really
interesting part. As DOS seems neglected nowadays, a lot of DOS-based protections
haven't been cracked (reversed), due to lack of interest, or just because it is a
plain hard task.
DOS uses what we call "Interrupts", those functions ...
type something on the keyboard, display on screen, send to the printer, etc...
Those functions ...
But now, 1995-2001: since ...
a simpler task than ever (DOS actually :) ).
Windows, as you may not know, does not use interrupts anymore, since ...
With a 32-bit OS (Operating System), all interrupts were deleted and rewritten from
scratch into what we know as the "API" (Application Programming Interface).
Microsoft has written a lot of APIs, and *almost* all of them are documented in
their Win32API.hlp.
Now, just as DOS crackers used interrupts for cracking weak points + attacks,
Win9X crackers will use APIs for that matter as well.
Since ...
own good :-).
1996: a new cracker called ORC (Old Red Cracker) came out with a series of huge/long
tutorials explaining new attacks/crack points/new ways to crack DOS + Win32 applications.
Sure, now they could be absolutely useless because they were written in late 1996-1997,
but they still put us on the right track.
(Although I do not recommend reading them unless you are familiar with cracking.)
Now you ask: how much time will it take me to be a good, skilled cracker..??
Well, actually it depends on you and your devotion to the subject; I believe 3+ years
will make you average skilled nonetheless.
(Unless you are one of those smart kids :-) ).
You cannot crack unless you are practicing, that's a fact.
Sitting at least 2 hours a day to crack 1 application will do fine.
Don't expect to be a master if you crack the lamest/easiest app around. Don't hold
your breath :-), some programmers are stupid, some not!!..:-)
So I hope you got a brief idea of what the hell cracking is :-).
I hope you will enjoy reading this tutorial as much as I enjoyed writing it for you. :-)
*There are a lot of cracking guides out there; each guide is written from its own
cracker's perspective.
----------------------------------- Page 1 -----------------------------------
================
| I. ASSEMBLY |
================
This is the most important section; cracking could not exist without it.
The low-level assembly programming language, ASM, is the core,
the heart knowledge every cracker needs to know.
Without it you are basically wasting your time :) .
For crackers (at least new ones) only the essential parts of ASM are needed...
else you are a keygener/coder..etc. ASM is a word language (would you like to
code in opcodes? <= the hex form of ASM: B8012C...) I think not :).
When I say word language I mean: MOV/INC/DEC/MUL/LEA/JMP/JNE... you can see
they are only shortened words:
I.E: JMP = JUMP
     LEA = LOAD EFFECTIVE ADDRESS
     MOV = MOVE
And so on..
This way it's very handy for us to understand instructions.
Although I recommend all cracking lovers to start reading ASM books: "The Art of ASM".
You can easily find those over the net in e-book/HTML form.
BINARY:
-------
Binary is the machine language; it is understood as 1/0.
Every instruction is translated into 1s and 0s that the computer can understand,
and it then performs the instruction.
I.E: 110011010001110101011111001

BITS/NIBBLES/BYTES/WORD/DWORD:
-----------------------------
BIT    - can be 0 or 1
NIBBLE - 4 bits (every single hex digit 0-F is one 4-bit nibble, binary system)
BYTE   - 8 bits (or 2 nibbles: low/high) ->  7 6 5 4 3 2 1 0
                                           [ ][ ][ ][ ][#][#][#][#]
                                              high        low
WORD   - 16 bits (4 nibbles, or 2 bytes: low/high) -> 15......0
DWORD  - Double WORD, 32 bits (2 words high/low, or 4 bytes) -> 31......0

HEX/DECIMAL:
------------
HEX is what we call Base 16...
Base 16..What is it?
Well, HEX uses 16 numbers from 0-15 (starting with 0, not 1):
 0 1 2 3 4 5 6 7 8 9  A  B  C  D  E  F   <- Hex
 | | | | | | | | | |  |  |  |  |  |  |
 0 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15   <- Decimal (regular numbers)
The max hex numbers you can get in: 8 bits is 0-FF, 16 bits is 0-FFFF, and in
32 bits it's 0-FFFFFFFF.
[Converting Systems]:
Hex->Dec:
Suppose you have 1B as a hex number and you want to know its decimal form.
We do this (do you remember from math class the thing called: Power?)
Well, a power is 2^3 = 8 (2*2*2)..Got it? :-)
Well, it works the same here... we raise the base to the power of the digit's position..
I.E:
We have 1B, let's break it (hex is base 16!):
   1 => 1*16  = 16 \
                    + = 27 Decimal
   B => 11*1  = 11 /
Let's make another example with 4 letters, we have hm...4B2Eh (h = Hex)
Let's break it:
   Position 3   4 => 4*4096  = 16384
   Position 2   B => 11*256  = 2816
   Position 1   2 => 2*16    = 32
   Position 0   E => 14*1    = 14
                               -----
                         Sum = 19246 Decimal
Remember: you raise 16^position (position 0 always starts with 1, not 0, since 16^0 = 1).
I.E: (from the above example: 16^position 3 = 16*16*16 = 4096)

Dec->Hex:
Well, this is somewhat harder, 'cuz it involves remainders.
I will show an example, but it's hard to do 'cuz sometimes you need to round numbers :-/
Suppose we have 212 decimal. To make it hex we don't multiply, but divide by 16:
   212/16 = 13  Remainder 4  --------+
    13/16 = 0.8 Remainder 13 -----+  |
   0.8/16 = 0   Remainder 0  --+  |  |
                               0  D  4  Hex = 212 Decimal
Well, it seems quite easy, but in fact I have rounded numbers; long decimals are
even much harder.
Another example? ...OK :-)
Let's take 5421 decimal (regular number).
   5421/16 = 338 Remainder 13 -----------+
    338/16 = 24  Remainder 2  --------+  |
     24/16 = 1   Remainder 5  -----+  |  |
      1/16 = 0   Remainder 1  --+  |  |  |
                                1  5  2  D  Hex = 5421 Decimal
Don't forget to use Windows' Calculator in Scientific Mode.
All understood now :-) ?...
You now know some converting...Continue for ASM registers.
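The two conversions above, done in code. This is an added example, not part of the original tutorial, and it uses only standard Python: hex_to_dec applies the 16^position rule, division_steps and dec_to_hex do the repeated division by 16, and nibbles/max_value show the bit-width facts from the BITS/NIBBLES table. The script records every intermediate quotient and remainder, so the worked examples in the text can be checked against exact integer arithmetic (no rounding involved).

```python
# Added example (not from the original tutorial): hex <-> decimal by hand,
# plus nibble and bit-width helpers. Standard Python only.

HEX_DIGITS = "0123456789ABCDEF"


def hex_to_dec(hex_str):
    """Positional method from the text: each digit times 16^position,
    position 0 being the rightmost digit (16^0 = 1)."""
    hex_str = hex_str.upper().rstrip("H")          # accept the '4B2Eh' style
    total = 0
    for position, digit in enumerate(reversed(hex_str)):
        value = HEX_DIGITS.index(digit)             # 'B' -> 11, 'E' -> 14
        total += value * 16 ** position
    return total


def division_steps(n):
    """Every step of the repeated division by 16 as (value, quotient, remainder).
    divmod uses integer division, so the remainders are exact."""
    steps = []
    while n > 0:
        quotient, remainder = divmod(n, 16)
        steps.append((n, quotient, remainder))
        n = quotient
    return steps


def dec_to_hex(n):
    """The remainders read from the last division back to the first are the hex digits."""
    if n == 0:
        return "0"
    return "".join(HEX_DIGITS[r] for _, _, r in reversed(division_steps(n)))


def nibbles(byte):
    """Split one byte into its (high, low) nibble, 4 bits each."""
    return (byte >> 4) & 0xF, byte & 0xF


def max_value(bits):
    """Largest unsigned value in `bits` bits: 8 -> FF, 16 -> FFFF, 32 -> FFFFFFFF."""
    return (1 << bits) - 1


if __name__ == "__main__":
    for h in ("1B", "4B2Eh"):
        print(f"{h:>5} hex = {hex_to_dec(h)} decimal")
    for d in (212, 5421):
        for value, q, r in division_steps(d):
            print(f"   {value}/16 = {q} remainder {r} ({HEX_DIGITS[r]})")
        print(f"{d:>5} decimal = {dec_to_hex(d)} hex")
    print("nibbles of 0x34 (high, low):", nibbles(0x34))
    for bits in (8, 16, 32):
        print(f"{bits:>2}-bit max = {dec_to_hex(max_value(bits))}")
```

Run it as a script and compare the printed division steps with the two worked examples; the final hex results (D4 and 152D) match, and each intermediate quotient is the exact one.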
REGISTERS:
----------
Registers are the most commonly used "VARIABLES" of the CPU.
You can access them at any time, as they are there to serve you.
There are 8 different REGISTERS:
16-bit registers: AX, BX, CX, DX, SI, DI, BP, SP (DOS)
========================================================================
32-bit registers: EAX, EBX, ECX, EDX, ESI, EDI, EBP, ESP (WINDOWS, E = EXTENDED)
Each register is used for a specific task, or for multiple ones:
E/AX = ACCUMULATOR (calculations..etc)
E/BX = THE REMAINDER REGISTER (i.e: 2/16 = 0.13..13 should be passed, else I am wrong :-) )
E/CX = THE COUNTER REGISTER (useful for loops, i.e.: loop 13 times)
Other registers deal with memory (offsets/segments..read the book :) )
Every register is divided into a low/high part:
        AX
       /  \
     AH    AL
(AH = high bits / AL = low bits)
If AX = 00001234
         /    \
     AH=12    AL=34
Same goes for: CX, DX, BX
*Remember, registers hold HEX values, NOT decimal
*1234h = 4660 Decimal
*h = hex
JUMPS:
------
We all know what a jump is, no? :-)
The same thing happens in ASM.
JMP = JUMP (always jump..no condition)
JNE = JUMP IF NOT EQUAL (also called Jump if Not Zero)
JE  = JUMP IF EQUAL (also called Jump if Zero)
JA  = JUMP IF ABOVE
JAE = JUMP IF ABOVE OR EQUAL
JB  = JUMP IF BELOW
JBE = JUMP IF BELOW OR EQUAL
JC  = JUMP IF CARRY (not commonly used by crackers..used after ROR/ROL/SHL/SHR instructions)
JG  = JUMP IF GREATER
JGE = JUMP IF GREATER OR EQUAL
JL  = JUMP IF LOWER
JLE = JUMP IF LOWER OR EQUAL
JNA = JUMP IF NOT ABOVE
JNB = JUMP IF NOT BELOW
And so on; the above ASM instructions are commonly used by crackers to reverse the source.
Example:
   MOV EAX,00000008
   CMP EAX,EDX
   JNE <address>
If the EAX register = the EDX register (value) then we won't jump, else we will.

MOV
---
We can suspect what it does, no?
Well, it moves a value, memory location..etc to a register.
Example:
   MOV EAX,00000032   (then EAX = 00000032 <= hex format, 32h = 50 dec)

CMP
---
Well, we can guess again what it does :)
CMP = COMPARE
CMP can compare between registers/memory.
Example:
   CMP EAX,EDX
*Very important for crackers, as they can check the serial being compared :-) (later on that)
*Unfortunately I can't delve into ASM any more, since ...
Of course I can't explain it :-), so get a book, you will find ASM fascinating,
very hard to use, but some day you will be happy you know ASM.
*Read/learn the ASM instructions from the book, or get the opcodes.hlp and read from there.
*Once ...
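To see the jump table and the AH/AL split actually behave as described, here is an added Python model; it is not from the original tutorial, and the names Regs, cmp, jump_taken, sub_registers and so on are illustrative choices, not SoftICE or x86 API. It keeps eight 32-bit registers, derives AX/AH/AL from EAX by masking, and computes the ZF/CF/SF/OF flags that CMP sets, so each conditional jump can be asked whether it would be taken after a given compare. It goes one step beyond the text: it also shows that JA/JB decide on unsigned values while JG/JL decide on signed ones, which matters when a register holds FFFFFFFF.

```python
# Added example (not from the original tutorial): a toy model of the x86
# 32-bit registers, the flags that CMP sets, and the conditional jumps
# listed above. Standard Python only; all names are illustrative.

MASK32 = 0xFFFFFFFF


class Regs:
    """Eight 32-bit registers; AX/AH/AL (and the B/C/D parts) are views of E?X."""
    NAMES = ("EAX", "EBX", "ECX", "EDX", "ESI", "EDI", "EBP", "ESP")

    def __init__(self):
        self.r = {n: 0 for n in self.NAMES}
        self.flags = {"ZF": 0, "CF": 0, "SF": 0, "OF": 0}

    def mov(self, reg, value):
        """MOV reg, imm32: store the value truncated to 32 bits."""
        self.r[reg] = value & MASK32

    def get(self, name):
        """Read a full register or one of its 16/8-bit parts (AX, AH, AL, ...)."""
        if name in self.r:
            return self.r[name]
        letter, part = name[0], name[1]            # 'A', 'H' for AH
        full = self.r["E" + letter + "X"]          # AX/AH/AL all live inside EAX
        if part == "X":
            return full & 0xFFFF                   # AX = low 16 bits of EAX
        if part == "L":
            return full & 0xFF                     # AL = low byte of AX
        if part == "H":
            return (full >> 8) & 0xFF              # AH = high byte of AX
        raise ValueError("unknown register " + name)

    def cmp(self, dst, src):
        """CMP dst, src: compute dst - src, set the flags, discard the result."""
        a, b = self.get(dst), self.get(src)
        result = (a - b) & MASK32
        sa, sb, sr = a >> 31, b >> 31, result >> 31    # sign bits
        self.flags["ZF"] = int(result == 0)            # operands equal
        self.flags["CF"] = int(a < b)                  # unsigned borrow ("below")
        self.flags["SF"] = sr                          # result negative when signed
        self.flags["OF"] = int(sa != sb and sr != sa)  # signed overflow
        return dict(self.flags)


# Condition each jump tests, in terms of the flags CMP left behind.
JUMPS = {
    "JMP": lambda f: True,
    "JE":  lambda f: f["ZF"] == 1,                        # JZ
    "JNE": lambda f: f["ZF"] == 0,                        # JNZ
    "JA":  lambda f: f["CF"] == 0 and f["ZF"] == 0,       # unsigned >
    "JAE": lambda f: f["CF"] == 0,                        # JNB
    "JB":  lambda f: f["CF"] == 1,                        # unsigned <
    "JBE": lambda f: f["CF"] == 1 or f["ZF"] == 1,        # JNA
    "JC":  lambda f: f["CF"] == 1,
    "JG":  lambda f: f["ZF"] == 0 and f["SF"] == f["OF"],  # signed >
    "JGE": lambda f: f["SF"] == f["OF"],
    "JL":  lambda f: f["SF"] != f["OF"],                  # signed <
    "JLE": lambda f: f["ZF"] == 1 or f["SF"] != f["OF"],
}


def jump_taken(mnemonic, flags):
    """True when the conditional jump would be taken for these flags."""
    return JUMPS[mnemonic](flags)


def sub_registers(eax_value):
    """The (AX, AH, AL) parts of a given EAX value, e.g. the 00001234 example."""
    regs = Regs()
    regs.mov("EAX", eax_value)
    return regs.get("AX"), regs.get("AH"), regs.get("AL")


def page_example(edx_value):
    """MOV EAX,00000008 / CMP EAX,EDX / JNE <address> from the text:
    returns True when the jump is taken, i.e. when EAX != EDX."""
    regs = Regs()
    regs.mov("EAX", 0x8)
    regs.mov("EDX", edx_value)
    return jump_taken("JNE", regs.cmp("EAX", "EDX"))


def signed_vs_unsigned():
    """CMP EAX,EDX with EAX=FFFFFFFF, EDX=1: returns (JA taken, JG taken).
    Unsigned, FFFFFFFF is above 1; signed, it is -1 and not greater than 1."""
    regs = Regs()
    regs.mov("EAX", 0xFFFFFFFF)
    regs.mov("EDX", 1)
    flags = regs.cmp("EAX", "EDX")
    return jump_taken("JA", flags), jump_taken("JG", flags)


if __name__ == "__main__":
    print("EAX=00001234 -> AX/AH/AL:", [f"{v:X}" for v in sub_registers(0x1234)])
    print("JNE taken with EDX=8:", page_example(8), " with EDX=5:", page_example(5))
    print("FFFFFFFF vs 1 -> JA, JG:", signed_vs_unsigned())
```

The `JUMPS` table is the thing worth keeping: when you meet a `JA` in a disassembly where you expected a `JG`, the difference is exactly the CF-versus-SF/OF test shown there.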
----------------------------------- Page 2 -----------------------------------
==============
| II. TOOLS |
==============
Tools are the second essential part of cracking.
Without them you will have to face a huge amount of code "barehanded".
Needless to say that you'll be lost without them :-)
Here are the most used tools by crackers (basic/advanced):

1. Brain - You won't get far without one ;-) (100% WorkTime)

2. Debugger - The only way you can trace/break a function ...
   I will suggest using SoftICE as your only weapon for debugging.
   NuMega's "SoftICE" is a very powerful kernel debugger.
   SoftICE works in the background and can detect everything that happens on
   your computer (if you break on it), what we call a system debugger.
   There is a version for NT/2000/XP; Win98 is recommended.
   If you can get DriverStudio then it's the most welcome :-).
   95% of the time you will use the debugger. Get it from the net:
   www.playtools.cjb.net or try www.protools.cjb.net.
   Other debuggers: OllyDbg / debug.com / W32Dasm (debug option) / TRW2000

3. Disassembler - You will use a disassembler for the visual code.
   If you don't know what a disassembler actually does: it loads the
   application, reads the hex values (opcodes), and outputs the assembly code.
   I will suggest you get: W32Dasm (www.protools.cjb.net) / IDA.
   IDA is a first-class disassembler, very recommended [DOS interface].
   A very handy piece of work; it can output strings, jumps, calls, imports.
   Other disassemblers: debug.com (in Windows) / Hiew..etc

4. HexEditor - The only way we can modify an EXE is via a hex editor.
   A hex editor lets you modify opcodes (some ASM as well).
   We use the hex editor to find/change code that we as crackers know will make
   us happy :-)
   Hex editors: WinHex (handy) / Hacker's View ...etc (I use those 2 only, no need for more)
   Get your copy on the net, or try www.protools.cjb.net

5. Registry / File Monitors - These apps will help you find any DLL, registry
   key..etc used by the apps you crack, and where they hide their registry
   information (useful if you want to unregister).
   Some apps read the serial/name from hidden registry info, so I recommend using these:
   FileMon / RegMon (www.protools.cjb.net)

6. IceDUMP (Advanced) - It has really cool features SoftICE doesn't have.
   IceDUMP is also an ANTI-ANTI-SoftICE tool, meaning: if an app has a protection
   like "if SoftICE is active then the app won't work", IceDUMP hides SoftICE so
   no app can detect it :-)
   Useful, eh? It can also serve us as a print-screen tool and save code to a TXT.
   Get it from www.protools.cjb.net

7. PE-Editors (Advanced) - Modify the sections, directories, delete, add, view,
   etc... Very useful when you unpack packed applications.
   For PE knowledge: www.win32asm.cjb.net
   Recommended PE editors: ProcDump / PeEditor (www.protools.cjb.net)

8. Resource Editors (Optional) - Resource editors load the desired app, and if
   the resource can be read you can delete, change, rename stuff in the windows,
   messages, etc... (useful if you want to kill a nag screen).
   Useful resource editors: Borland Resource Workshop 4.5 / Resource Hacker
   Get them at: www.protools.cjb.net / playtools.cjb.net

9. Assembly Compilers (For Coders) - Compilers for ASM are: MASM / TASM.
   MacroASM is the most useful and easy to use, but if you already code in TASM,
   then get it ;-)
   You can download your copy of MASM at:
   For TASM try: http://egoiste.da.ru/ or www.win32asm.cjb.net

10. Programming Languages (For Coders) - Recommended programming languages are:
    C / Pascal / ASM.
    Crackers do not tend to code in Visual Basic, as it is heavy, unoptimized,
    slow, uses DLLs and is not portable without them.
    Bottom line: don't use Visual Basic for cracking!
    About Delphi, I don't know, I don't code in it, so I can't say.
    Get compilers on the net: borland.com / google.com

11. File Analyzers - The file analyzer will help you know all the information
    about your EXE, such as which packer it was packed with, size, PE
    information, and much more.
    I recommend: "FileInfo" (www.protools.cjb.net). Others: GetType, and more.

All the tools above are your weapons against sharewares ;-)
Every tool plays a different role in your cracking stage; as long as you use them
and get to know them, the better you will crack.
Always remember, no matter how much time a simple crack can take, you will do it
in the end, so don't get soft if you can't :-),
Many hard apps have been reversed, so if those crackers can do it, you can do it too.
Brain is the only tool you really need to work on :-)
----------------------------------- Page 3 -----------------------------------
==================
| III. Cracking |
==================
Finally, we are at the learning & practicing stage.
From now on, take your time, don't rush, cracks won't run away, the net
is full of junk you can practice on.

+----------------------+
+****BASIC CRACKING****+
+----------------------+

[Welcome To the Camp]
---------------------
Welcome to Cracking Camp, my fellow wannabe cracker. For the next days you and
others will learn to use your first weapon, thinking like crackers, learning the
art of Zen, using weak points, learning API attacks...and finally training in the field.
This camp is very huge; a lot of people are learning and training in this camp
from all over the world.
Don't expect people to help you, because they won't; they don't have time to help
newbies in the camp, so at least try to be friendly to them if you want to get some help :-)
In our big camp you can find the Library, a huge amount of text stored in the camp
which will be accessible to you in due time.
After Basic Training you can enter the Library and keep learning from the old
masters who passed through this camp and left their knowledge for free.
[Day One]
Heads up, all newbies.
I want quiet and concentration ...
Today we are gonna learn about our first weapon, how to use it and set it up.
Our weapon is called: SoftICE v4.x, made by NuMega.
I want you all to memorize it and think of it as your only friend in this camp.
Always have it by your side, as it will be your best friend while cracking.
SoftICE...SoftICE...can someone tell me what it does?? For what purpose??...
I guess not. Well, my fellow students, SoftICE is a system DEBUGGER.
You can use it to examine code, locate bugs, and we can also exploit it for our own good.
Everyone, I hope you got SoftICE on your computer, as we told your parents to buy it
before they sent your lazy asses here :-)
Ok...You got it. Let us install it, enter the right serial..Next...MODIFY AUTOEXEC.BAT...
Do you know why we need to modify the autoexec.bat, students??
'Cuz if we don't, SoftICE will not load during boot, and therefore won't be active.
So MODIFY, else you will have to do 50 pushups :-)
Reboot your computers and let Windows load...
All remember we use Win98 here; the camp won't allow Win2000/XP until told otherwise. :-)
Windows loaded...all worked fine, great.
Listen up, I won't repeat myself now:
SoftICE runs in the background (invisible).
We can make SoftICE visible by pressing CTRL+D on the keyboard, and exit the same way.
Did you see the black window with ASM code? (You did learn ASM code, the one we
recommended to you before you came to this camp.)
All students, load up SoftICE and look at it: it contains all the registers, the
data window, the input window and so on.
Let me draw you a rough sketch of SoftICE on the blackboard so we can examine it:
...............................................................................
EAX=00000001 EBX=00000190 ECX=00000000 EDX=00000000 ESI=00000001       . Registers
EDI=00020080 EBP=007E8C56 ESP=00008C3E EIP=00001149 o d I s z a p c    . & Memory
CS=170F DS=4127 SS=0EE7 ES=4127 FS=0000 GS=016F                        .
.......................................................................PROT16..
170F:1146  CALL  0DD0                                                  .
170F:1149  OR    AX,AX                                                 .
170F:114B  JZ    11DD                                                  .
170F:114F  PUSH  WORD PTR [DI]                                         .
170F:1151  CALL  KERNEL!LOCALLOCK                                      .
170F:1156  MOV   [BP-08],AX                                            .
170F:1159  MOV   [BP-0A],SI                                            . ASM Code
170F:115C  MOV   [BP-0C],SI                                            .
170F:115F  JMP   0F0D                                                  .
170F:1162  MOV   SI,[DI+3A]                                            .
...................................USER(18)....................................
WINICE: Load32 Obj=0005 Add=017F:BFE95000 Len=00001000 Mod=VERSION     .
WINICE: Load32 Obj=0001 Add=0177:7D651000 Len=00001000 Mod=INDICDLL    . Data &
WINICE: Load32 Obj=0002 Add=017F:7D652000 Len=00001000 Mod=INDICDLL    . Text
...............................................................................
:..............................................................................
                                                                         Input Data
Remember we can exit SoftICE in several ways: CTRL+D / X / F5
Not so hard, right?
But remember you load SoftICE only by CTRL+D.
Now that you know how SoftICE looks/works, we need to modify it...
Of course you can't use the weapon before you set it up, can you?
Ok, because we are using Win98, SoftICE is installed here:
C:\Program Files\NuMega\SoftIce95
Now students, we need to modify it and, as I said, exploit it for our own good.
We can modify SoftICE's functions through its data file, Winice.dat ...
There you will see on your computer that it has a lot of functions ...
Let us now set it up a little bit. All follow me, students; do not try to mess
with the data file as it won't help us and will damage SoftICE.
I will now write on the blackboard the essential parts we will change. You will
see them on your computer screen; try to follow me and write in your notebook
the stuff needed.
 ______________________________________
/                                      \
|--------------------------------------|
|                                      |
| PHYSMB=32                            |
| ;EXP=c:\windows\system\kernel32.dll  |
| ;EXP=c:\windows\system\user32.dll    |
| ;EXP=c:\windows\system\gdi32.dll     |
| ;EXP=c:\windows\system\comdlg32.dll  |
| ;EXP=c:\windows\system\shell32.dll   |
| ;EXP=c:\windows\system\advapi32.dll  |
| ;EXP=c:\windows\system\shell232.dll  |
| ;EXP=c:\windows\system\comctl32.dll  |
| ;EXP=c:\windows\system\crtdll.dll    |
|                                      |
|--------------------------------------|
\--------------------------------------/
Students, do you see this code in the Winice.dat?
Those are the main things we will change.
PHYSMB=32 <=== Of course we don't use 32MB of RAM, do we? :-)
Change it to whatever amount of RAM your computer uses.
Now students, look at the computer; do you see all those paths which point to DLLs?
Those are the bullets for our weapon :-)
Remove the ';' from all those lines, i.e.:
EXP=c:\windows\system\kernel32.dll
Now we can save the Winice.dat.
Now SoftICE still doesn't know how to use the bullets, 'cuz we didn't tell SICE
yet to load the bullets, so reboot your Win98 again,
and there you go, we have the bullets ready to use.
Now we will make a test shot, to see if SoftICE did load the DLLs.
Load SoftICE and write: BPX MessageBoxA <enter>
If you don't get an error message then SoftICE is ready to use.
All ok, students. Let's summarize what we did today: we have set up SoftICE so it
will load the Windows DLLs, and therefore we can use it to trace/break for later use.
Class, we will continue tomorrow with the second class; be ready to be here on time,
and don't forget what you have learned today.
[Day 2]
Good day, class. Today we are going to learn about SoftICE's breakpoint functions ...
Yesterday we learned how to load SoftICE; do it now.
Once ...
You can also learn the functions ...
You will get a list of functions ...

Breakpoints:
------------
Let me teach you the most used functions ...
BPX / BPM / BPR
BPX - breakpoint on execute
      We use this option to break instantly on any API or system function we choose to.
      Usage: BPX <API/function>
BPM - breakpoint on memory
      We use this option to break on memory read/write.
      Usage: BPM <address>
      Additional options: R/W/RW/X
BPR - breakpoint on memory range
      We use this option to break on a memory range.
      Usage: BPR <address> <address>
      Additional options: R/W/RW/T/TW
Crackers use breakpoints 95% of the time, as without them you could never break
into the program's code and trace, and find, and crack...etc ;=)

APIs
----
Now we will learn the APIs that we will use to break on the application we wish to crack.
*Most applications nowadays use the 32-bit APIs, so it gives us some sort of a
shortcut to break on the program's original code instead of searching through HWND.
API list for basic cracking:
   MessageBox       - 16-bit (Win3.1)
   MessageBoxA      - 32-bit (Win9x)
   GetDlgItemText   - 16-bit (Win3.1)
   GetDlgItemTextA  - 32-bit (Win9x)
   GetWindowText    - 16-bit (Win3.1)
   GetWindowTextA   - 32-bit (Win9x)
   Hmemcpy          - memory copy function ...
Those are the basic APIs you shall memorize from now on.
You will use those to set breakpoints on any application we attack.
More new APIs will be given to you when you are practicing, or when reading
students' essays.

MessageBox/A - Usage: breaking on any Windows MessageBox sent by the application.
      Typing: BPX MessageBoxA <enter> in SoftICE will set the trap.
      If any MessageBox is sent by Windows, SoftICE will break on it and will
      show us the code sent by the application.
GetDlgItemText/A - Usage: breaking on text sent to the application, and read by it.
      Typing: BPX GetDlgItemTextA <enter> in SoftICE will set the trap; if you
      enter text in the dialog text box of the application, SoftICE will break
      and show the code used by the application.
GetWindowText/A - Usage: breaking on text sent to the application, and read by it.
      Typing: BPX GetWindowTextA <enter> in SoftICE will set the trap; if you
      enter text in the application, SoftICE will break and show the code used
      by the application.
Hmemcpy - Usage: breaking on any memory copied by Windows and by any function ...
      Typing: BPX Hmemcpy <enter> in SoftICE will set the trap once ...
      copied memory by any Windows application/function ...

Shortcut Keys (SoftICE)
-----------------------
SoftICE can use shortcut keys like: F8 / F5 / F12 / F11 / F10
We will use those shortcut keys instead of typing 't' or alike every time.
F8  - Usage: the F8 key usually traces into a CALL.
      While we debug we will trace into a call, so we can inspect/analyze the code in it.
F5  - Usage: the F5 key exits SoftICE, simple eh? :-)
F12 - Usage: F12 steps out of a DLL/function ...
F11 - Usage: F11 returns to the caller.
F10 - Usage: F10 is a code trace, single-stepping one instruction at a time.

Dump / Data Viewing
-------------------
When we use SoftICE we must know & understand what we see..
SoftICE uses HEX, therefore it would take us a lot of time to convert hex->dec/ASCII,
but NuMega has added to SoftICE a function that converts Hex -> Dec -> ASCII automatically.
When using SoftICE we have 2 ways to see the data that is being stored by the registers.
As we know, registers are the CPU's variables; everything is passed/calculated..etc by them.
To view the data stored by the registers, SoftICE has 2 functions: 'D' / '?'
('' <= don't include the quotes)
D - Usage: D stands for Dump; we use the D command to view the register's data,
    which holds ASCII, in the data window.
    Typing: D <register> <enter> (D EAX)
? - Usage: ? stands for viewing the hex data stored in the registers.
    The ? command will show us: Hex-Decimal-ASCII (xxxxxxxx-xxxxxxx-xxxxxxx)
    Typing: ? <Register> <enter> (i.e. ? EAX)
To practice the above ?/D, open up SoftICE and try the commands;
you will shortly understand what each command does.
----------------------------------- Page 4 -----------------------------------
[Day 3]
Today we will learn about the different kinds of protections.

Protections:
------------
Registration Key - This protection is based on 1 single serial key that is hidden
      in the program's code.
      Our entered serial will eventually be compared with the real serial hidden
      inside the program itself; we can call it "hardcoded" ;-)
Serial/Name - This protection is the most used, as it requires the actual serial
      number for the name you are entering.
      In most cases there will be a compare routine as well; if not, the real
      serial will be hidden in the registers.
      This could be any shape/form the coder chooses.
KeyFile - Used as well. This protection requires that you have the correct
      keyfile in the same directory as your application.
      Most keyfiles use a name/serial check inside the file as well.
      *Some could use encryption ...
Multiple Serials - You can recognize this while installing Windows, or Photoshop..etc.
      They use 4-5 text inputs; every text box needs to have the right ASCII combination.
      I.e.: [xx]-[xxxx]-[xx]-[xxxx]
Crypto Serials - Very hard. Crypto serial/name: the serial is produced using a
      xxx-bit encryption ...
Nag Screens - Nag screens are the annoying messages that appear when the
      application is started, or closed, or even in the middle.
      Those nag screens inform you that you need to register your copy...
      Very easy to remove.
Time Limit - Very commonly used in sharewares. This time limit forces the
      application to stop working, disable itself, or close the shareware you are
      using after xx amount of time.
      Default time is 30 days.
      Easy/hard to remove, depending on the coder.
Use Limit - Common as well. This protection will stop the shareware from working
      after you have used it xx times.
      After that, the program will give a nag screen or shall stop working and be disabled.
Dongle Protection - Spread in big protected sharewares.
      This protection uses an I/O LPT port (hardware). You will need the
      registration card attached to your PC's parallel port, or another, in order
      to make the program fully work; otherwise it will be expired after xx days /
      xx uses / crippled, or won't work at all.
      Hard to crack, depending on the dongle protection company.
      Dongles such as HASP / Sentinel are the most commonly used.
      Dongles use DLLs/VxDs to check the "is registered" state, using the dongle
      API as well for some checks.
CrippleWare - Some will meet such a protection. Cripple = disabled functions ...
      You will notice some apps have disabled buttons [Save, Save As..] that will
      be enabled once you register your copy of the shareware.
VisualBasic - A lot of apps nowadays are coded in the Visual Basic programming
      language. This is what makes cracking a little harder, as Visual Basic does
      not save all the information in the EXE file; instead it uses DLLs to call
      the functions ...
      Even serial/name could be hard [depends] in programs which have been coded in VBasic.
DLLs - Some apps will use DLLs as a protection scheme.
      Time-Lock is one of them, used to disable the program after xx time.
Misc. Protections - Matrix protections [not related to this tutorial]
      Packing [Advanced ...]
      CD game protection [not related to this tutorial]
      Zip password protection [not related to this tutorial]
CD-Protections - The most commonly used nowadays. Almost any new game is PACKED
      and protected by EXE packing programs, since ...
      Game companies believe that the only way to protect the game is to use
      anti-piracy packers such as: SecuROM / SafeDisc
* Also be aware that some of the protections above (except for dongle) can be
* used in other files than the original EXE, meaning that some serial/name
* protection can be hidden in a DLL that is invisible in the dir.
* Cracking the DLL will be the regular way :-)
[Day 4]
Yesterday we talked about the variants of protections, and what each of them is
capable of doing.
Today we will analyze each protection [hopefully] and assume its weak points, and
ways to attack such a protection.

Anti Protections:
-----------------
Registration Key - You already know what it is doing and how it works. Now, if
      you downloaded a shareware that needs only 1 reg number to make the program
      registered, we can assume 2 things:
         1. The real serial is hidden/unhidden
         2. Eventually it will be compared with the fake serial.
      How to find the serial:
      Method 1:
      ---------
         1. Disassemble the shareware
         2. Click the Strn-Ref button
         3. Just search for an unusual alphabetic number
         4. Copy it and try filling it in the registration text box
      *This method works on apps where the coder was too lazy to hide his serial,
       and missed his money :-)
      Method 2:
      ---------
         1. Run the shareware, enter a fake serial
         2. Press the OK/check button...you will get a bad message
         3. Write down the bad serial message, and disassemble the file
         4. Click the "Strn-Ref" button; we will get a lot of text
         5. Search for the bad message string
         6. Double click on the found text in Strn-Ref
         7. We will be taken to the ASM code where the string appears
         8. Look for an un/conditional jump..there it is..follow it
         9. We should be at a jump (JE/JNE); from here we have 2 options:
            A: Reverse the jump (JNE->JE / JE->JNE)
            B: Search for a CMP instruction, break with SoftICE and trace
               until we are at that address, and do: D <register> or ? <Register>
               It should show us the good/bad serials :-)
      *If you reverse the jump, then no matter what serial you are giving,
      *it will always be acceptable, as long as you don't enter the right serial...:-)
Serial/Name - This is a little complicated, but you still know the idea behind it.
      For every name there should be a specific serial number. This happens through
      an algorithm inside the program code: for every name passed, the algo does
      the math calculations, produces a working serial, and finally at the end it
      should compare it with your fake serial.
      The algorithm can be hard, long, easy, annoying..etc :-)
      From this we can assume 2 things:
         1. The real serial is produced by an algorithm
         2. The fake serial, at 70%+, will be compared someway or another to the
            real produced serial.
      How to find the serial, primary attacks:
      Method 1:
      ---------
         1. Enter a fake serial/name
         2. Write down the bad message you get from the program
         3. Disassemble the shareware and do a search for the string
         4. Locate where the string is called from, and trace
         5. We should be at a jump (JE/JNE); from here we have 2 options:
            A: Reverse the jump (JNE->JE / JE->JNE)
            B: Search for a CMP instruction, break with SoftICE and trace until
               we are at that address, and do: D <register> or ? <Register>
               It should show us the good/bad serials; we call it "Serial Fishing".
      *If you reverse the jump, then no matter what serial you are giving for any
      *name, it will always be acceptable, as long as you don't enter the right
      *serial/name...:-)
      Method 2:
      ---------
      Here we do the same thing as above, but we won't reverse a jump; instead we
      look for a flag.
      * A flag can actually be 1 or 0
      * Meaning: registered / unregistered
      * The flag can be set in many ways (i.e: xor eax,eax) (dec eax / inc eax ...)
      * And so on.
      * Locating the flag can sometimes make us a cleaner crack, better than
      * reversing a jump: while fooling the flag and changing its content, the
      * shareware/program actually believes it is registered.
      * This is a good and faster way to crack (depends)
      Method 3:
      ---------
      This method is a bit advanced ...
      It requires a good brain :-) and time.
      This method is called "KEYGENING".
      The idea is that the cracker will trace and find the produced serial first.
      Then he will find the CALL that leads to the algo which produces the key from
      the name; learn and analyze the specific algo, and then switch to SoftICE to
      see how the algo behaves on the name (mathematical notation) and how the
      registers are being used; and finally imitate, rip, code a new program
      which creates the serial for any name entered.
      This is called a "KEYGEN".
KeyFile - The keyfile attack is somewhat easy to recover. Sharewares which
      use a key (small xx k file) with