New 2 Cracking
~~~~~~~~~~~~~~

Tutorial Type  : Specific Tutorial
Tutorial Topic : Some Ways to Crack a Program
Utilities      : SoftIce, W32Dasm, Hiew (Hacker's View)
Music          : Your Choice
Written by     : Invoker
Date           : Nov. 27th, 2001
Remarks        : http://www.bigfoot.com/~birla/software/maniac.html

In The Beginning There Was...
-==--==--==--==----==--==--==-

Okay, first of all welcome to my first tutorial... We are going to discuss here some ways to crack a program, among which are: patching one little jump in order to 'register' the program with our own Name/Serial combination, getting a valid serial, and after that making the program give us the serial (in other words, modifying the program into its own keygenerator). The program I've chosen is named Internet Maniac ver 1.2b. This is a little program with some nice features that I'll let you discover. Some of you might know some of the things presented here. My aim here is the complete newbie, the one who is just starting off now. This is why I'll describe everything I do in detail.

The Crack...
-==--==--==-

Method no. 1
~-~-~-~-~-~-~

Ok, first run the program and try to understand it. If you look in Help you'll see a Register menu. Try to fill in the fields. Unless you are very lucky (in other words, your serial is the correct one) you should receive an error message "Incorrect registration code!". Before really beginning, make a backup of the .exe. We'll see why later. Open W32Dasm and choose Disassembler -> Open File to Disassemble. Now select the path to Internet Maniac.exe and choose Open. This shouldn't take too long, depending on your computer. When the file is fully disassembled click on String Data References (choose it from the Refs menu or click on the button near the printer icon) and look for the error message you got when trying to register the program. Found it? Ok, double click on it... It takes you to a code area.
Now double click on it again... Nothing happens (this is a good thing actually, because if there were more than one place it took us to, it would have been a little more difficult). We now see:

*Possible StringData Ref from Data Obj ->"Incorrect registration code!"

Below it we see:

*Reference to: USER32.MessageBoxA, Ord: 01BEh

MessageBox is a Windows API, the A meaning it's 32 bit. This is a good thing to know, as we shall see in Part II. The characteristics of MessageBox are: it has one button, it is a small box, and it has some nice pictures on the left side. Look at the MessageBox we got in Internet Maniac when entering a fake code and you'll see what I mean. This means that the nag screen (the error message we got) will appear when the program executes this piece of code. But how does the program decide whether to give us the Go_Away_Cracker message or the Oh_You_Are_So_Kind_To_Register message? Well... it compares our serial with one generated from our name. If they match the program jumps to the Goodboy message, otherwise we get Back_off_Cracker.

Our goal here is to make the program think that we've entered a valid serial. So what we have to do is modify the condition of the jump. The easiest way to do this is to reverse the condition. Of course, if we do so and then enter a valid serial we'll get BadBoy. But if we knew a valid serial we wouldn't patch jumps, would we?

Ok, back to our program. We now have to find the conditional jump (the one that 'decides' how we are: good or evil :o)). To do so we just have to look for a line like:

*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:xxxxxxxx(C)

Now what does this mean? It means that in W32Dasm the conditional jumps are easy to spot (just look for a line like the one above). We see some references to conditional jumps below the starting point. Let's check them out. Choose GoTo Code Location and write the address before the (C), that is, the xxxxxxxx.
For example, let's take the 1st reference below the starting point:

*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405164(C)

We get to a line like:

:00405164 0F84C6000000  je 00405230
    (1)        (2)          (3)

Let's see what we're looking at: (1) the address of the instruction, (2) the hex opcode, (3) the assembly instruction. Let's see what happens if we change the je to jne.

Time to Learn: je means Jump if Equal and jne means Jump if Not Equal. Back...

When the je line is highlighted green, look at the bottom of the screen for something like:

Line:8886 Pg 178 and 699 Code Data @:00405164 @Offset 00005164h in file :Internet Maniac.exe (*)

Now go to the Hiew dir and use its internal browser to locate the .exe you wish to edit. Btw, Hiew (Hacker's View) is a DOS-like hex editor with some nice features, the most important being the integrated asm interpreter. Now in Hiew press F4 and choose Decode. Then F5 and type in the offset number (in our case 00005164). You can enter it without the zeros in front. We should see the line we got in W32Dasm. Now press F3, F3 being Edit. We could modify the 84 which is for je (after 0F) into 85 which is for jne, but we don't know that, do we? So instead of typing that we press F2 and have the possibility to enter any asm command we want... but we want to enter jne, so we do it... After entering the new command press Return and then Esc. Then, when we see our change is made, F9 (Update) and F10 (Quit). Now we have patched a jump.

Let's test if it was the right one... Launch the patched .exe and try to register it. What is this? System Error? Well, I guess it wasn't the right jump to patch :o). Why did we fail? Well, let's try to understand what we're doing. Go again into StringRef and double click the error message. Let's find other References to Conditional Jumps.
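To see how the bytes in column (2) produce the target in column (3), here is an added Python decoder for the 0F 8x rel32 conditional jumps that W32Dasm lists; it is not part of the original tutorial. The two instructions it checks are the ones quoted in this tutorial, the image base of 00400000 is an assumption (the usual default for a Win32 .exe), and the function names are mine.

```python
import struct

# Condition-code nibble of the second opcode byte (0F 8x) -> mnemonic.
# Each even/odd pair is a condition and its negation, which is why je (0F 84)
# and jne (0F 85) differ in a single byte.
JCC_MNEMONICS = {
    0x0: "jo", 0x1: "jno", 0x2: "jb",  0x3: "jae",
    0x4: "je", 0x5: "jne", 0x6: "jbe", 0x7: "ja",
    0x8: "js", 0x9: "jns", 0xA: "jp",  0xB: "jnp",
    0xC: "jl", 0xD: "jge", 0xE: "jle", 0xF: "jg",
}

# Assumed default load address of a Win32 .exe; it matches the 0040xxxx
# addresses in the W32Dasm listing above.
IMAGE_BASE = 0x00400000


def decode_jcc(address, opcode_hex):
    """Decode a 6-byte near conditional jump as W32Dasm prints it.

    address    -- virtual address of the instruction (column 1, e.g. 0x00405164)
    opcode_hex -- the hex bytes of column 2, e.g. "0F84C6000000"
    Returns (mnemonic, target address).
    """
    code = bytes.fromhex(opcode_hex)
    if len(code) != 6 or code[0] != 0x0F or (code[1] & 0xF0) != 0x80:
        raise ValueError("not an 0F 8x rel32 conditional jump: %s" % opcode_hex)
    # rel32 is a signed little-endian displacement relative to the *next*
    # instruction, so the instruction length (6) is part of the sum.
    rel32 = struct.unpack("<i", code[2:6])[0]
    target = (address + len(code) + rel32) & 0xFFFFFFFF
    return JCC_MNEMONICS[code[1] & 0x0F], target


def file_offset(address):
    """Map a virtual address to the file offset Hiew asks for after F5.

    W32Dasm shows @:00405164 as @Offset 00005164h, i.e. address - image base.
    That only holds while a section's raw file offset equals its RVA, as it
    does here; in general the PE section table decides the mapping.
    """
    return address - IMAGE_BASE


if __name__ == "__main__":
    for addr, hexbytes in ((0x00405164, "0F84C6000000"),
                           (0x0040513F, "0F84F7000000")):
        mnem, target = decode_jcc(addr, hexbytes)
        print(":%08X %s %s %08X  (file offset %05Xh)"
              % (addr, hexbytes, mnem, target, file_offset(addr)))
```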
We see another one below:

*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040513F(C)

Now GoTo Code Location at that address and we're at:

:0040513F 0F84F7000000  je 0040523C

Let's execute the jump and see where it gets us. We're at:

:0040523C 8B8C248C000000  mov ecx, dword ptr [esp+0000008C]

Scroll a bit up and we see we're in the MessageBox that gave us the bad message. Now this is not good, because it means that the initial parameters that MessageBox operates with have already been entered. We need a conditional jump that takes us to before the:

*Reference to: USER32.MessageBoxA, Ord: 01BEh

Go again into StringRef and double click the error message. Let's look above the starting point for a Reference to a Conditional Jump. Oh yes, we see one at 004051C1. Let's GoTo it and see what happens. Let's execute it and we see it brings us just before the bad MessageBox. Hmm, I think we have something here. Get the offset and patch the jump in Hiew. If you don't know how, read above :o). Let's try our program now. Wheeee, we're registered... That was hard :o)

But wait... what's this? When we start our program again it displays the "UNREGISTERED" message. :o( Well, we could patch the program again, this time properly, but I wanted to show you that patching isn't always good, especially when you can sniff a serial, a valid one. Just remember: this method will work on many programs but not all, mostly on programs that don't check every time they are executed whether you have the right info.

Conclusions:
~-~-~-~-~-~-~

So we saw how to force the program into accepting ANY name/serial combination we enter as valid. I think it would be nice to get our own valid serial. Proceed...

Method no. 2
~-~-~-~-~-~-~

In this part we'll try to obtain our own valid serial. To do so we'll use NuMega's SoftIce. SoftIce is a debugger, in other words it lets us debug bugs :o). We could use the W32Dasm debugger approach, but I chose SoftIce.
To learn how to use the W32Dasm debugger read ParaBytes's tutorial. How to get it? Look at the end of the tutorial. I will describe in detail everything there is to be done. You should succeed. The only problem you should have is if your SoftIce is not configured properly.

Let's start. Fire up the program and fill in the fields with Name and Serial. Note: be sure to run the UNPATCHED .exe. Get into SoftIce (Ctrl-d). Usually we'll put breakpoints on: GetDlgItemTextA, MessageBoxA, GetWindowTextA. These are the most common breakpoints that you'll use. To put a breakpoint you should type 'bpx MessageBoxA', 'bpx GetDlgItemTextA', 'bpx GetWindowTextA'. But in this case we'll only need the GetDlgItemTextA breakpoint. Get out of SoftIce (Ctrl-d, x, or F5). Press Register and SoftIce breaks at GetDlgItemTextA. Since we have 2 fields, Name and Serial, we'll let SoftIce process the 1st one (Name), so we press Ctrl-d (while in SoftIce) once. To get to where the function was called let's press F11. Now we should see:

0167:004051AD 8D542448  lea edx, dword ptr [esp+48]
0167:004051B1 8D442408  lea eax, dword ptr [esp+08]
0167:004051B5 52        push edx    {if we do "d edx" we'll see the serial we entered}
0167:004051B6 50        push eax    {in eax we have our name}

Let's think about this for a second. So it pushes our Name and Serial into memory. Hmm... Just below this we see a call:

0167:004051B7 E8142E0000  call 00407FD0

This means that the Name and Serial are pushed into memory and then there is a call to be executed. Let's get into that call and see what's inside it. Press F8 while the call line is highlighted. We should be here:

0167:00407FD0 83EC20  sub esp, 20

We are not interested in this part... yet (I'm still trying to get the algorithm of this program so I can code my first keygen... when I do, maybe I'll write a tut about it).
So let's press F10 until we come to this part:

0167:0040801A FF154414100  call [USER32!wsprintfA]

Now let's look at the code following the call:

0167:00408020 8B542440  mov edx, dword ptr [esp+40]  {it moves into edx a value from esp}
0167:00408024 83C414    add esp, 00000014            {esp <- esp+14}
0167:00408027 8D442404  lea eax, dword ptr [esp+04]  {it moves into eax another value from esp}
0167:0040802B 52        push edx                     {pushes something into memory. Now do "d edx" and we see our serial}
0167:0040802C 50        push eax                     {Do "d eax". Hmm... strange string. Write it down on a piece of paper.}

Now let's get out of the call... Press F10 until you pass over a "ret" instruction... Look through the code... Nothing interesting... We get to a call to MessageBoxA (press F10 further) and we see that our code is incorrect. What now? I guess we failed. Hey wait... but we still have that strange string we wrote down (I hope you did :o)). Let's try that... Wheeeee, it works... :o)

Ok, this was an easy example... Don't know if you understood why I did what I did... but the code differs from program to program... and so do the steps, but remember the idea is basically the same... and after some more programs cracked you'll start seeing patterns in the code... So I've been told; until now I've only seen blue and pink dots... But who knows... :o) Pretty nice, huh?

Greetz:
+++++++

ParaBytes - thanks for helping me the most, being there when I had something to ask, and for showing me the way.. :o) (and for editing this tut =) )
zestboy, asmonaut, code_inside - it's good to have someone to ask when you have something unclear...
ParaBytes (yeah, again), Anvile, PhANt0m, d4d0, ChibiHime - the N2C staff.. Insight crew...
ASTAGA - great tutor, DarkMoon - nice gfx, all guys on the N2C chan... all the tut writers... all the crackers in the world... all the newbies who start now... in other words all who know me and I know of...

Invoker out...
Contacted at:
++++++++++++

E-Mail : Invoker@email.ro
IRC    : EFNet - #New2Cracking

Note: We publish our tutorials on many tutorial sites and archives; check for tKC's tutorials, here is the address: http://www.ciafiles.visionz.eu.org/main.htm