Cracking Projects For Newbies

TASK 2 SOLVED - 3 solutions
Saturday, 06-Feb-99 08:31:48
    195.36.143.84 writes:

    Here are three possible ways to patch the program. I provide you a (I hope) comprehensive explanation for each of them.

    If you want to search by yourself (and it's better to do) please do not read yet.

    Friendly


    Using W32Dasm, and an hex editor, you can crack this program definitely (patch). This is the solution required in Task 2, but we'll see other ways to do it in task 3 and other ones after...

    The «Easy» Way:
    ===============

    Using W32Dasm, you have disassembled the target. Now, we look in the "string references", and look for the sweet messages saying we have a right code or not. You'll find the 2 messages: «Sorry the Registration code does not match...» and «Thank you for registering...».

    Double-clicking on the first string (Sorry the...) you'll see the code at the line 00405C50. Double click again on the string (in the string references window, of course) and you'll find there is a second location for this string, at the address 0040B9BC.

    Let's have a look at the two pieces of code (I have included the few lines above the string itself):

    :00405C3D E87E700000 call 0040CCC0
    :00405C42 83C408 add esp, 00000008
    :00405C45 85C0 test eax, eax
    :00405C47 0F8434010000 je 00405D81
    :00405C4D 8B45E4 mov eax, dword ptr [ebp-1C]

    * Possible Reference to String Resource ID=61244: "Sorry, the registration... "
    |
    :00405C50 683CEF0000 push 0000EF3C

    and, for the second one:

    :0040B9B7 E936040100 jmp 0041BDF2

    * Referenced by a (U)nconditional or C)onditional Jump at Address:
    |:0040B744(C)

    * Possible Reference to String Resource ID=61244: "Sorry, the registration... "
    :0040B9BC 683CEF0000 push 0000EF3C

    Well, we can see here that the program jump from the line 0040B744 when it lands here. We are sure it come from this line because the line of code just before (0040B9B7) is a JMP, meaning it'll jump elsewhere, and the "Referenced by a Jump..." line says: 0040B744(C). So let's have a look at the code, where is the conditional jump:

    :0040B73A E881150000 call 0040CCC0
    :0040B73F 83C408 add esp, 00000008
    :0040B742 85C0 test eax, eax
    :0040B744 0F8572020000 jne 0040B9BC

    What we want is to never reach the "bad message". So we'll replace the JNE (Jump if Not Equal) by... NOP (No OPeration). Then the program will never jump to this bad place, whatever is in EAX. So we replace the line 0040B744 with six NOPs. The change is from 0F8572020000 to 909090909090. (90 is the hex code for NOP). As we have 6 bytes in the liine, we MUST replace it with six NOP...

    But we also have this "bad message" at the line 0040C50, so we need to patch it here too. We can see if EAX=0 then we are registered, and the program jump to the «Thank you...». So we'll reverse the conditional jump. The line is JE (Jump if Equal) so we'll use a JNE (Jump if Not Equal)... We change 0F8434010000 with 0F8534010000. And we're done with this program.

    Here are some hex values for the assembler instructions:

    JMP = EB
    JE = 74 or 0F84 (the 0F84 is used when the address where the jump points is far away)
    JNE = 75 or 0F85 (the 0F84 is used when the address where the jump points is far away)
    NOP = 90

    The «Inside The Call» Way:
    ==========================

    Well, in the previous example, do you remember when we saw a CALL 0040CCC0, before the test to see if EAX=0 ? If not, check the lines 00405C3D and 0040B73A. So we'll have a look inside this CALL, because it could be the place where the program decides if EAX=0 or not. Let's see what's on the line 0040CCC0:

    * Referenced by a CALL at Addresses:
    |:00401D3D , :00401E74 , :00402194 , :00405C3D , :0040B73A
    |:0041C424 , :0041C43D
    |
    :0040CCC0 83EC04 sub esp, 00000004
    :0040CCC3 833D24F1420000 cmp dword ptr [0042F124], 00000000
    :0040CCCA 53 push ebx
    :0040CCCB 56 push esi
    :0040CCCC 7537 jne 0040CD05
    :0040CCCE 8B4C2410 mov ecx, dword ptr [esp+10]
    :0040CCD2 8B542414 mov edx, dword ptr [esp+14]

    Well, we can see this routine is CALLed from several places... hehe, that was a good idea to NOT only patch the JNE we saw earlier... let's examine this code... At first, there's a comparison to see if something is equal to 0 (you can see that on the line 0040CCC3). Hmmm, if it's not then we jump far away from here. As we don't know what this code is doing, I'll won't touch it... Presuming it won't jump, I notice that two values are put in ECX and EDX... That could be our fake serial AND the right one... Have a look at the next part of the code:

    * Referenced by a (U)nconditional or C)onditional Jump at Address:
    |:0040CCF0(C)
    |
    :0040CCD6 8A01 mov al, byte ptr [ecx]
    :0040CCD8 3A02 cmp al, byte ptr [edx]
    :0040CCDA 751E jne 0040CCFA
    :0040CCDC 0AC0 or al, al
    :0040CCDE 7412 je 0040CCF2
    :0040CCE0 8A4101 mov al, byte ptr [ecx+01]
    :0040CCE3 3A4201 cmp al, byte ptr [edx+01]
    :0040CCE6 7512 jne 0040CCFA
    :0040CCE8 83C102 add ecx, 00000002
    :0040CCEB 83C202 add edx, 00000002
    :0040CCEE 0AC0 or al, al
    :0040CCF0 75E4 jne 0040CCD6

    Here is a loop, as you can see on the line 0040CCF0. It looks like the program checks all the characters of the true serial, and compare it with our fake serial. As say the line 0040CCDA, if the two don't match, we jump to the line 0040CCFA... and that's not good. We'll see later why :-)

    Then, the program check if AL is empty. Yes, it's a basic boolean operation. If AL=0 then «AL or AL» will result 0, and the line just after will jump to 0040CCF2. Until AL<>0 we continue without jumping... and the same test is done for ECX+1 and EDX+1. Surely the test for the next character !!! If our characters are differents from the true serial, then we jump to the bad location in 0040CCFA (the JNE at the line 0040CCE6 will do it).

    Next two lines (0040CCE8 and 0040CCEB) will add "2" to EDX and ECX... and again, if AL is empty we go out, else we go back to the begining of the routine... testing the two next characters probably :-)

    Now, we know that: if our dummy serial doesn't match the right one, we're going to the line 0040CCFA. If all the characters of our serial are oki, we'll land in 0040CCF2. OK, let's see what is on this two lines. At first, the BAD jump:

    :0040CCFA 1BC0 sbb eax, eax
    :0040CCFC 5E pop esi
    :0040CCFD 83D8FF sbb eax, FFFFFFFF
    :0040CD00 5B pop ebx
    :0040CD01 83C404 add esp, 00000004
    :0040CD04 C3 ret

    Ouch, following this lines, we can see EAX is going to be different from zero !!! And remember, if EAX=0 then we're regg'd, else we're not :-(
    The SBB EAX, EAX will give us 0 (means EAX=EAX-EAX=0). But two lines bellow, we see
    SBB EAX, FFFFFFFF, and that means EAX=0-FFFFFFFF=1. You find that's strange ? Just launch the Calculator provided with window, and use the scientific mode. Then check HEX, enter 0 - FFFFFFFF and read the result... 1 !!!

    So we have to avoid this zone to be registered. If we look at the address 0040CCF2, we see:

    :0040CCF2 33C0 xor eax, eax
    :0040CCF4 5E pop esi
    :0040CCF5 5B pop ebx
    :0040CCF6 83C404 add esp, 00000004
    :0040CCF9 C3 ret

    Hehe, that looks better. The XOR EAX, EAX instruction will give us... EAX=0 !!! Cool, isn't it ? So let's patch (modify) our program to have it jumping to the right address. We'll replace the line 0040CCDA with the NOP instruction (meaning No OPeration). so the program won't jump to the BAD place.

    Well, just after, we have the line 0040CCDE, and this jump should bring us to the right place... but we saw it won't jump until all the serial is checked. Do you think to the same thing than I am ?? We don't care if the program check ALL the characters... we know it's a fake one, so we should change that to make it jump each time, replacing the JE with a JMP...

    Another «Inside the CALL» Way
    =============================

    In the previous part, we have modified the jumps to make the program going to the right place. But there's an easier way to do that, without applying any change to the jumps.

    Remember, we saw these two lines:

    :0040CCCE 8B4C2410 mov ecx, dword ptr [esp+10]
    :0040CCD2 8B542414 mov edx, dword ptr [esp+14]

    And we know that ECX will contain our fake serial, and EDX will have the true serial. But if we replace the content of ECX with the TRUE serial ? We know this serial is in EDX, and the line 0040CCD2 shows us it's loaded from [ESP+14]. SO we only have to load the same thing in ECX and we're done :-)

    Let's replace (in the line 0040CCCE) 8B4C2410 with 8B4C2414. Now try to register the program, and don't forget to try all the options too...


    End Of The Patching Way
    =======================

    You could patch the program in a few other ways too, but I think here are the most common ways to do it :-)

    I won't explain you how to patch a program using your hex editor... If you're really lost then fill free to post a follow-up here, and I'll explain you how to do it :-)





    HarvestR


Message thread:

HarvestR: Checking the HLP file (03-Feb-99 11:53:15)

Back to main board


Message subject:

Name: (optional)

Email address: (optional)

Type your message here:




Back to main board

Copyright © InsideTheWeb, Inc. 1997-1999
All rights reserved.