Win Code Reversing
('An easy crack for the first timer')
Program Details
Program Name: LockDown 2000
Program Type: Internet anti-trojan utility
Program Location: LockDown2000.com
Program Size: zipped; approx. 1,730 kb

Tools used: W32Dasm disassembler and any hex editor
There is a crack, a crack in everything. That's how the light gets in. |
LockDown 2000 ('A FireWall for your PC')
Written by D0gBytes
What the authors of LockDown 2000 say:

"Lock Down 2000 is now the world's most effective and complete security system available for Windows 95, 98, and NT. LockDown 2000 automatically disconnects, traces and identifies unauthorized users in electronic seconds. With LockDown 2000 you will never have to worry about Hackers invading your privacy, deleting your files, attaching a virus or a trojan horse program without your knowledge."
The protection system is probably one of the easiest that you will ever encounter, making it an excellent project for any "wanna be" cracker who is looking for a "First Time Project" to learn from.

I became involved with this project when a friend made a comment to me that he would like to crack the program, but he was a one-week-old newbie to cracking and had only just downloaded some of the tools. He was not yet able to use the tools in any meaningful manner. I jokingly said to him, "Just download it and crack it." He replied that the program had a $99 price tag, to which I said, "Just like a Newbie Cracker to pick a difficult protection scheme as a first project." Little did I know how wrong I was.

After he downloaded the program and disassembled it, he asked what to do next. I was thinking that this had to be a well-protected program with no visible strings at that price. But I told him he should check the string references just for practice: look for something to do with the word "register" or anything else that might seem to have to do with the registration process. I was floored when he told me that there were several references to it, one of them being "Thank you for registering LockDown 2000."

It was at this point that I realized it had a very simple protection scheme and that it was a 5-minute crack for any newbie.
Download and install the program. Run the program enough to get a feel for how it operates. Right-clicking on the LockDown 2000 icon in the task bar and selecting "Open LockDown 2000" will give you access to set any preferences and to register the program. Clicking on "View" and selecting "Register" will bring you to the Registration form. You should see that there is a "Product Serial" number (which you only need if you are going to register the product with the author; send it along with your check). If you just want to practice cracking, ignore that and enter a false number into the box labeled "Unlock Code". Any number will do; I used 999999999. Click OK and you will see a message pop up telling you:

"The unlock code you have entered is invalid for this machine, please re-type the number or contact Harbor Telco to receive a new registration number."

Now, close the program by clicking the "X" and choosing "Yes" when prompted about exiting. We do not want the program "In Use" when we go to disassemble it.
Disassemble the program with W32Dasm and click on the "Strn Ref" button. Scroll down the strings until you see some of the message that we saw when we entered the 999999999 Unlock Code. Double-click on any of those strings and it will take us to where it is found in the disassembled code. The following snippet is what you should see:
:0047A998 E87783FBFF        call 00432D14
:0047A99D 837DFC00          cmp dword ptr [ebp-04], 00000000
:0047A9A1 742A              je 0047A9CD          ---Conditional Jump
:0047A9A3 8D55FC            lea edx, dword ptr [ebp-04]
:0047A9A6 8B86D0020000      mov eax, dword ptr [esi+000002D0]
:0047A9AC E86383FBFF        call 00432D14
:0047A9B1 8B4DFC            mov ecx, dword ptr [ebp-04]
:0047A9B4 A1A85A4900        mov eax, dword ptr [00495AA8]
:0047A9B9 8B900C010000      mov edx, dword ptr [eax+0000010C]
:0047A9BF A1A85A4900        mov eax, dword ptr [00495AA8]
:0047A9C4 E84FF7FFFF        call 0047A118
:0047A9C9 8BD8              mov ebx, eax
:0047A9CB EB02              jmp 0047A9CF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A9A1(C)
|
:0047A9CD 33DB              xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A9CB(U)
|
:0047A9CF 84DB              test bl, bl
:0047A9D1 7523              jne 0047A9F6         ---Conditional Jump
:0047A9D3 6A00              push 00000000
:0047A9D5 668B0D5CAA4700    mov cx, word ptr [0047AA5C]
:0047A9DC 33D2              xor edx, edx

* Possible StringData Ref from Code Obj ->"The unlock code you have entered "
                                        ->"is invalid for this machine, please "
                                        ->"re-type the number or contact "
                                        ->"Harbor Telco to receive a new "
                                        ->"registration number."
|
:0047A9DE B868AA4700        mov eax, 0047AA68
:0047A9E3 E8F0ACFDFF        call 004556D8
:0047A9E8 8B86D0020000      mov eax, dword ptr [esi+000002D0]
:0047A9EE 8B10              mov edx, dword ptr [eax]
:0047A9F0 FF92B4000000      call dword ptr [edx+000000B4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A9D1(C)
|
:0047A9F6 84DB              test bl, bl
:0047A9F8 743F              je 0047AA39          ---Conditional Jump
:0047A9FA 8D55FC            lea edx, dword ptr [ebp-04]
:0047A9FD 8B86D0020000      mov eax, dword ptr [esi+000002D0]
:0047AA03 E80C83FBFF        call 00432D14
:0047AA08 8B55FC            mov edx, dword ptr [ebp-04]
:0047AA0B A1A85A4900        mov eax, dword ptr [00495AA8]
:0047AA10 E8E3FBFFFF        call 0047A5F8
:0047AA15 A188414900        mov eax, dword ptr [00494188]
:0047AA1A C60001            mov byte ptr [eax], 01
:0047AA1D 6A00              push 00000000
:0047AA1F 668B0D5CAA4700    mov cx, word ptr [0047AA5C]
:0047AA26 B202              mov dl, 02

* Possible StringData Ref from Code Obj ->"Thank you for registering LockDown "
                                        ->"2000!"
There are several easy ways to crack this program. With a little experience and practice, they would all jump out at you. We will examine just one simple method.

Looking at the code snippet above, we can see that there are three conditional jumps. In this case, the condition is that you have entered the correct "Unlock Code". If you enter the correct "Unlock Code" on the registration screen, you would see the "Thank you for registering LockDown 2000!" message. If we think about it for a minute, we would conclude that if the conditions were the "opposite", we would arrive at the "Thank you for registering LockDown 2000!" message if we entered the wrong "Unlock Code", and would only see the "Bad Cracker" message if we accidentally entered the correct "Unlock Code".

The three conditional jumps that we would need to change are:

:0047A9A1 742A    je 0047A9CD
:0047A9D1 7523    jne 0047A9F6
:0047A9F8 743F    je 0047AA39

We know from looking at "Opcodes" that je = Jump if Equal and jne = Jump if NOT Equal. Wouldn't it be great if we could just change those jumps to do the opposite of what the author wanted them to do... Well, YOU CAN. And it's easy.

For that task we will use the Hex Editor. Any Hex Editor will do. Close the W32Dasm program and save when prompted. Open your Hex Editor and load the LockDown2000.exe file. It should be in the C:\Program Files\Harbor Teleco\LockDown 2000 v2.5 folder. We will make the following changes:

83 7D FC 00 74 2A 8D 55   (Original)
83 7D FC 00 75 2A 8D 55   (Changed to)

84 DB 75 23 6A 00 66 8B   (Original)
84 DB 74 23 6A 00 66 8B   (Changed to)

84 DB 74 3F 8D 55 FC 8B   (Original)
84 DB 75 3F 8D 55 FC 8B   (Changed to)

Just use "Search" in the hex editor and enter the (Original) bytes. NOTE: USE ALL LOWER CASE. The first search would look like this: 837dfc00742a8d55. Once the hex editor has found the code for you, just change the "74" to "75" or the "75" to "74" as indicated above. We are almost done.
There is a little more to the protection scheme that we must deal with. The program uses a hidden file for the 10-day trial period. We must arrange for the program to ignore this hidden file. Let's look at this snippet of code:

:0049248A E8B991FEFF        call 0047B648
:0049248F 8BF0              mov esi, eax
:00492491 A188414900        mov eax, dword ptr [00494188]
:00492496 803800            cmp byte ptr [eax], 00
:00492499 7546              jne 004924E1
:0049249B A164414900        mov eax, dword ptr [00494164]
:004924A0 803800            cmp byte ptr [eax], 00
:004924A3 743C              je 004924E1
:004924A5 6A00              push 00000000
:004924A7 668B0D14264900    mov cx, word ptr [00492614]
:004924AE B202              mov dl, 02

* Possible StringData Ref from Code Obj ->"Your evaluation period has ended. "
                                        ->" Please Register LockDown 2000."
|
:004924B0 B820264900        mov eax, 00492620
:004924B5 E81E32FCFF        call 004556D8
:004924BA 8B0DC8404900      mov ecx, dword ptr [004940C8]
:004924C0 8B03              mov eax, dword ptr [ebx]
:004924C2 8B15F4A64700      mov edx, dword ptr [0047A6F4]
:004924C8 E88FCEFBFF        call 0044F35C
:004924CD A1C8404900        mov eax, dword ptr [004940C8]
:004924D2 8B00              mov eax, dword ptr [eax]
:004924D4 8B10              mov edx, dword ptr [eax]
:004924D6 FF92CC000000      call dword ptr [edx+000000CC]
:004924DC E9FC000000        jmp 004925DD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00492499(C), :004924A3(C)
|
:004924E1 33C9              xor ecx, ecx

By changing the two conditional jumps above, we can bypass the routine that would give us the "Your evaluation period has ended" screen and place the program in an expired mode. We know from looking at Opcodes that the hex value EB is jmp. jmp means jump. Period. There are NO conditions. It will jump every time. This is what we would want it to do: jump over the routine that checks the expiration file every time. Using the hex editor again, enter the search parameters using some of the hex code from the lines above and below each jump.
80 38 00 75 46 A1 64 41   (Original)
80 38 00 EB 46 A1 64 41   (Changed to)

80 38 00 74 3C 6A 00 66   (Original)
80 38 00 EB 3C 6A 00 66   (Changed to)

Again, enter the search in lower case: 8038007546a16441 for the first one, 803800743c6a0066 for the second one. After you have made the changes, close the hex editor and choose Save when prompted, to make the changes permanent. You should also select "Back Up" if asked by the hex editor. Now, restart the "LockDown 2000" program. Again, bring up the registration screen and enter 999999999 as the "Unlock Code". Click "OK" and you should see the GOOD CRACKER message, "Thank you for registering LockDown 2000!" Congratulations, Cracker!!
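As an added example (not part of D0gBytes' essay and not code from LockDown 2000), the following Python script decodes the short jumps quoted in the two listings above, confirms that each rel8 displacement really lands on the target W32Dasm shows, and runs an integrity check over a byte image that reports whether each of the five branch sites still carries its original opcode. The sample images are constructed here from the quoted 8-byte patterns, not taken from the real executable.

```python
# Short-jump opcodes named in the essay: 74 = JE rel8, 75 = JNE rel8,
# EB = JMP rel8 (unconditional). All three encodings are two bytes long.
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}

def decode_short_jump(addr: int, opcode: int, rel8: int) -> tuple:
    """Return (mnemonic, target) for a two-byte short jump located at addr.
    The displacement is a signed byte relative to the *next* instruction."""
    if opcode not in SHORT_JUMPS:
        raise ValueError("not a short jump opcode: %02X" % opcode)
    disp = rel8 - 0x100 if rel8 & 0x80 else rel8  # sign-extend the byte
    return SHORT_JUMPS[opcode], (addr + 2 + disp) & 0xFFFFFFFF

def branch_taken(mnemonic: str, zf: bool) -> bool:
    """je is taken when ZF=1, jne when ZF=0, jmp always (no condition)."""
    return {"je": zf, "jne": not zf, "jmp": True}[mnemonic]

# The five branch sites from the two listings: address, the 8-byte context
# the essay quotes around each one, and the index of the opcode inside it.
SITES = {
    "0047A9A1": (0x0047A9A1, bytes.fromhex("837dfc00742a8d55"), 4),
    "0047A9D1": (0x0047A9D1, bytes.fromhex("84db75236a00668b"), 2),
    "0047A9F8": (0x0047A9F8, bytes.fromhex("84db743f8d55fc8b"), 2),
    "00492499": (0x00492499, bytes.fromhex("8038007546a16441"), 3),
    "004924A3": (0x004924A3, bytes.fromhex("803800743c6a0066"), 3),
}

def check_branch_sites(image: bytes) -> dict:
    """Integrity check: locate each site by the bytes around its opcode and
    report whether the branch opcode still matches the original listing."""
    report = {}
    for name, (_addr, pattern, idx) in SITES.items():
        before, after = pattern[:idx], pattern[idx + 1:]
        status, pos = "not found", image.find(before)
        while pos != -1:
            if image[pos + idx + 1:pos + len(pattern)] == after:
                actual = image[pos + idx]
                status = ("intact" if actual == pattern[idx]
                          else "modified (%s)" % SHORT_JUMPS.get(actual, "??"))
                break
            pos = image.find(before, pos + 1)
        report[name] = status
    return report

# Constructed sample images (not bytes taken from the real executable): the
# quoted patterns joined with NOP filler, and a copy whose last site has its
# je replaced by an unconditional jmp, which the check must flag.
CLEAN_IMAGE = b"\x90" * 16 + b"\x90\x90".join(p for _, p, _ in SITES.values())
TAMPERED_IMAGE = CLEAN_IMAGE.replace(bytes.fromhex("803800743c6a0066"),
                                     bytes.fromhex("803800eb3c6a0066"))
```

Running decode_short_jump over every entry in SITES reproduces the five targets in the listings (0047A9CD, 0047A9F6, 0047AA39 and twice 004924E1), which is a quick way to confirm a hand-typed listing before trusting it.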
The actual purpose of this tut is to give the Newbie Cracker some hands-on experience with W32Dasm and a Hex Editor. So often today, Newbie Crackers get swept up with trying to learn how to use SoftIce and other tools on their first attempts at cracking that they make the crack seem much harder than it really is. I will probably do another tut on this same program, explaining in much more detail how the protection scheme works and the many other ways to crack it. Comments to: d0gbytes@hotmail.com
I would like to say "Thanks" to The Snake for allowing me to present this essay to you, and to The Sandman for showing me the light that radiates from the Cracks. Also to my friend Jeff, who has provided my inspiration in learning to crack. If it were not for The Sandman, Jeff and their Newbie Cracking Forums, and the great time I had participating with The Snake and others in the "projects," I would not have learned what it takes to be a Cracker. Also to Ozz da Man, thanks for showing me the program.
Regards, D0gBytes
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses will be encouraged to produce even *better* software for us to use and enjoy?
Ripping off software through serials and cracks is for lamers.
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
For more info on using W32Dasm, see the Sandman's essay on Dead Listings.