I do disclaim thee, Oh Liability!
All information on these pages is published for educational purposes only. You may reverse engineer, debug or crack only applications or programs you have legally bought, and only for your personal use.
Cracking is understanding, broadly individuating, locating exactly and eliminating or suspending one or more protection schemes inside a software application. In laymen's terms, it removes nag screens, gives serial numbers, defeats time limits, and allows the registration of shareware for free. If you expect to become an instant cracker by reading this, you're mistaken. cracking takes months and years to master. I'm writing this just to give novices a basic concept of how to reverse engineer software. so read on, and learn something.
First off, you arent going to be able to crack anything without the proper tools--these would be a decent hex editor(hackers view), a windows95 32bit dissasembler(w32dasm v8.9), and a windows95 debugger(Numega's SoftIce).
download the tools!
hackers view v5.66 -/- w32dasm v8.9 -/- softice v3.20
jump point: cracking example - #1 [very easy] - #2 [easy]
#3 [fairly easy] - #4 [fairly complex] - writing patchers
- cracking example #1 - simple -
quick way to kill nag screens using only a hex editor
|
This first example is probably the most basic I can give you. lets take a look at a simple little program called dropit(click here to download). when this thing is loaded a nag screen appears asking for a name and unlock code, it also makes us wait about 10 seconds before we can continue. the only difference between the registered version and shareware copy is this nag.
1. you're going to need a hex editor for this one, I'd suggest using hackers view--download it from the section above. make a backup copy of dropit for us to tinker with, copy it to d.exe or something similar(to save us a few keystrokes).
2. run dropit a few times through, pay close attention to the nag screen and the words that appear on it. Notice that "To register (and eliminate this nag)..." are the first few words on it.
3. run hacker's view on d.exe and press F4 for mode, choose Hex.
4. press F7 to do a search for those words. You'll soon get the error message that they dont exist! thats perfectly normal, remember that this is a 32bit application, and in 32bit apps there are 00's that exist between letters of text in dialog boxes. when doing the search, dont just type 'nag'--type 'n', then press down arrow key, enter two zeros, then press up arrow key, and type 'a'. you get the idea, do this for the word nag until you have the following:
+-[F2:Forward /F4:Full ]---------------------------------------------+
ª ASCII: n a g______________________________________________________ ª
ª ª
ª Hex: 6E 00 61 00 67 ______________________________________________ ª
+--------------------------------------------------------------------+
5. after finding your 'n 00 a 00 g' string inside of the file, look where the text begins and see if you can find (in hex) a string that looks like FF-FF-FF-FF-82. This is the beginning of a routine to create windows message boxes.
.0000A4A0: 80 00 4F 00-4B 00 00 00-00 00 00 00-00 00 02 50 ╟ O K � P
.0000A4B0: 00 00 00 00-1C 00 03 00-80 00 14 00-FF FF FF FF � � ╟ ╢ ___
.0000A4C0: 82 00 54 00-6F 00 20 00-72 00 65 00-67 00 69 00 Θ T o r e g i
.0000A4D0: 73 00 74 00-65 00 72 00-20 00 28 00-61 00 6E 00 s t e r ( a n
.0000A4E0: 64 00 20 00-65 00 6C 00-69 00 6D 00-69 00 6E 00 d e l i m i n
.0000A4F0: 61 00 74 00-65 00 20 00-74 00 68 00-69 00 73 00 a t e t h i s
.0000A500: 20 00 6E 00-61 00 67 00-20 00 73 00-63 00 72 00 n a g s c r
.0000A510: 65 00 65 00-6E 00 29 00-2C 00 20 00-73 00 65 00 e e n ) , s e
6. once you've found that string, use your arrow keys to move the cursor so its over the '82'. Press F3 to edit the code, then type in '90'. we're changing the 82 to 90. once you've made the changes, press F9 to write to the file...and now, we're done! press escape to exit. run d.exe and watch the thing get loaded up without any screens nagging you to register!
okay, this is cool. I have a cracked copy of dropit. The unfortunate thing is, If i wanted to send a registered copy to a friend who already has the unreg'd version, I'd have to send the whole package. It'd be much easier to send a few hundred byte crack that will simply patch the executable. go to the end of this page if you want to learn about creating your own patching programs.
- cracking example #2 - easy -
changing the final compare in lview pro
|
In this example I'm using w32dasm and hackers view to crack lviewpro(click here to get it). we're not worried about the correct code right now, we're going to change the final compare scheme that checks our code. that means, we're going to change a 'jump if not equal to zero' function to 'jump if equal to zero'--this will register the program with the wrong code, but come back with an error if you type in the correct code.
1. run lviewpro
2. click about
3. click on registration - then the 'I'll register' box.
4. enter bogus name and id #, it will come back and say: "User name and ID numbers do not match, please verify if name and ID# were typed correctly." - remember that error message!
5. dissasemble lviewpro.exe in w32dasm
6. once the dissasembly is completed, click on 'Refs', and then click on String Data References.
7. double click on the reference showing 'User name and ID numbers do not'
8. close the dialog box with the SDR's and look at the dissasembly of lviewpro itself. press the up arrow key a few lines and you'll see this code:
:00424D4A call 004165A0
:00424D4F lea eax, dword ptr [esp+38]
:00424D53 lea ecx, dword ptr [esp+14]
:00424D57 add esp, 00000004
:00424D5A push eax
:00424D5B push ecx
:00424D5C call 00424E80 <--[routine generating correct code]
:00424D61 add esp, 00000008
:00424D64 test eax, eax <--[test real code against ours]
:00424D66 jne 00424D82 <--[jump if not equal to zero]
* Possible StringData Ref from Data Obj ->"User name and ID numbers do not"
"match, please verify if name and "
"ID# were typed correctly."
[side note - this final compare (jne 00424D82) will make the jump(or not jump) to the 'thank you for registering!' message, amoung other things--like writing registration information to your win95 registry. If we change it from JNE -> JE, it will go to the 'thank you' routine if its a bad code, and it'll come back with the 'wrong code' message if you enter the correct license info.]
9. move the highlighted bar in w32dasm over the ':00424D66 jne 00424D82' line and notice the bottom of the w32dasm window. It should be giving an offset for that function of 00024166h. we need that offset so we can tell our hex editor where to go in the file when we go to change the code.
10. copy lviewpro.exe to l.exe and run hacker's view over it. press F4 to change the viewing mode, and choose Decode. press F5 to allow us to enter in an offset in the program to jump to (w32dasm told us that our offset was 00024166h, so we simply enter 24166 in the text box in the upper left corner--and press enter).
11. after entering the offset address, you'll end up with your double cursor on the data string shown below:
.00024D66: 751A jne .000024D82 ---------- (2)
the cursor will be over the 75 of the 751A. press F3 to edit the code and type 74 over the 75, you'll see the 'jne' change to 'je' on the right side where the assembler instructions are. once you've got that done, simply press F9 to write the changes to the file--lviewpro has been cracked.
12. exit the hex editor and run your cracked copy of lviewpro(l.exe). click on help, then registration, then the 'I'll register' button. enter your name, or anything you'd like the program to be registered to. In the ID# box, enter any random code, it'll work! and now, you're done, with a fully registered copy of lviewpro.
okay, this is cool. I have a cracked copy of lviewpro. The unfortunate thing is, If I wanted to send a registered copy to a friend who already has the unreg'd version, I'd have to send the whole package. It'd be much easier to send a few hundred byte crack that will simply patch the executable. go to the end of this page if you want to learn about creating your own patching programs.
- cracking example #3 - fairly easy -
finding the unlock code in workstation lock w/ GetDlgItemTextA |
In this example we're going to use softice. click here to download 'workstation lock'. If you'd like some basic information on using softice, check out this quick tutorial.
I'm going to show this crack quickly and to the point. If you can't understand or want something explained, email me.
> signs will denote a softice command.
1. load wrkset.exe that comes in the workstation lock package, this is the program that will allow us to enter the registration code.
2. click on help, and then register.
3. enter any bogus number you want in the dialog box, and press control-D to bring softice up. I set breakpoints on the normal API calls (GetWindowTextA, GetDlgItemTextA) in hopes that one will work.
> bpx getwindowtexta
> bpx getdlgitemtexta
4. return to the wrkset program and press OK to let your bogus code get checked against the real one. POP! softice should come up and let you know that it broke on GetDlgItemTextA (Break due to BPX USER32!GetDlgItemTextA ET=1.23 seconds). we might as well clear the breakpoints because we're going to rip the 'single user' and 'site' license codes in one shot.
> bc 0
5. we're in the middle of a call right now, and yes, we want out. when using the API calls mentioned above in softice, its always a good idea to press F11 right after it pops. so we hit F11 and it'll drop us into some code that looks like this (keep pressing F10 to step through the code):
022F:004021F8 CALL 004105FF
022F:004021FC LEA EAX,[EBP-68]
022F:00402200 PUSH EAX
022F:00402201 CALL 0040185E
022F:00402206 POP ECX
022F:00402207 LEA EAX,[EBP-009C]
022F:0040220D PUSH EAX
022F:0040220E CALL 00402025
022F:00402213 POP ECX
[the code above is useless, pay attention after this point]
022F:00402214 LEA EAX,[EBP-68] <--[put single user license in eax]
022F:00402217 PUSH EAX <--[push it to the stack]
022F:00402218 LEA EAX,[EBP-34] <--[put our bogus code in eax]
022F:0040221B PUSH EAX <--[push it to the stack]
022F:0040221C CALL 004033E0 <--[compare our codes]
022F:00402221 POP ECX <--[clear the ecx register]
022F:00402222 TEST EAX,EAX <--[final test of the two codes]
022F:00402224 POP ECX <--[clear ecx, again.]
022F:00402225 JNZ 00402235 <--[jump to 'bad reg code' message]
[or register the program as a]
[single user license copy]
6. press F10 until you have the lightbar on [022F:00402217 PUSH EAX], which is just past where ebp-68 gets copied to eax. dump the contents of ebp-68 and you'll see the single user license code in the data window.
> d ebp-68
the data window will show something like this:
246553586443554
3654......I.e.p
o..9.R...M..$..
....-..p..[W"..
0..|.S..o......
......n...I....
J...d#...~....k
.m...9^../.$...
there's our single user code. but who wants to use the single user license when you can go and find the site license serial number? not I.
7. continue stepping through the code maybe 6 or 7 times until you come to this:
022F:00402233 JMP 00402257
022F:00402235 LEA EAX,[EBP-009C] <--[copy site license code into eax]
022F:0040223B PUSH EAX
022F:0040223C LEA EAX,[EBP-34] <--[copy our bogus code into eax]
022F:0040223F PUSH EAX
go through the code until you get to [022F:0040223B PUSH EAX] and dump the contents of ebp-009c, you'll see the site license in the data window.
573543543415432
1554.....246553
5864435543654..
...9.R...M..$..
....-..p..[W"..
0..|.S..o......
J...d#...~....k
.m...9^../.$...
you can see the site license up on top of the data window while the single user license is below. you can use either one, there aren't any program differences.
- cracking example #4 - fairly complex -
finding serial numbers in the file chopper w/ HMemCpy |
In this example we're going to use softice. click here to download 'the file chopper'. If you'd like some basic information on using softice, check out this quick tutorial.
> signs will denote a softice command.
now the first thing I did with this program was to simply check it out.
I installed it, looked over the registration form quick, and actually
tried it out on splitting files. after I had gotten my use out of the
program (about 30 seconds) I went over to the registration section where
it allows you to enter a name and unlock code.
1. load the program
2. click on help - then click on license information
3. play around with the way you enter the code(ie: the amount of numerics and such). It might save you some trouble later on, and in this case, it did. I put the name 'everyone' in the name box, and started typing random numbers into the unlock code field. after exactly 14 letters/numbers were entered into the field, a message box popped up and told me that they were 'sorry, but your code was incorrect'. It would seem that 14 would be our magic number in this situation, keep it in mind...
4. There isn't any OK box to click, so this thing is either checking our
code every time we hit a key(via HMemCpy), or it's waiting until we enter 14 characters and then tests it out. When stepping through the code I saw a 'CMP EAX, 0E' (see if EAX has 14 characters). Well, that's no surprise, since the thing came back and told us our bogus code wasn't any good on the 14th number--the 14th keystroke will be the important one. Let's enter our name: (everyone), and enter a bogus code with 13 chars. 1234512345123
press control-D to get into softice and set a breakpoint on hmemcpy.
> bpx hmemcpy
> x
We're back in 'the file chopper'. Move sure your cursor is in the code box and hit a key, any key. POP! Softice pops and we're dumped in the middle of a load of crap.
5. Let's see how many times hmemcpy is used after we enter the 14th char.
> x
> x
> x
> x
...boom! we're back in win95 and file chopper is telling us that
we've entered an invalid reg code. let's repeat the above steps but only
hit 'x' 3 times so we stay in softice. disable the breakpoint
> bd 0
and renter the first 13 characters of your bogus code. Before you enter
the 14th, go back to softice (control-D) and enable the breakpoint we
disabled a second ago.
> be 0
now enter that last character and allow softice to pop.
6. since hmemcpy is a kernel32 function, we end up in the middle of the dissasembly of the kernel task. press f12 about 8 times until we're in the 'filechop' task. step through the assembler code with f10 until you stop coming accross return functions (RET, RET 0004, etc) and land in the middle of something that looks like this:
022F:00409848 XOR EDX,EDX
022F:0040984A MOV [EBP-0C],EDX
022F:0040984D LEA EDX,[EBP-0C]
022F:00409850 INC DWORD PTR [EBP-34]
022F:00409853 CALL 004750E8
022F:00409858 LEA EAX,[EBP-0C]
022F:0040985B POP EDX
022F:0040985C CALL 00474F74 <--[important call, read below]
022F:00409861 PUSH EAX
022F:00409862 DEC DWORD PTR [EBP-34]
022F:00409865 LEA EAX,[EBP-14]
022F:00409868 MOV EDX,00000002
after a few trial runs with softice through this program I've discovered that the call mentioned above is key in finding our correct code. When you get to that call (022F:0040985C CALL 00474F74), press F8 to step into the call instead of stepping over it with F10.
7. after entering the call, you'll see something looking like this:
022F:00474F75 MOV EBP,ESP
022F:00474F77 PUSH EBX
022F:00474F78 MOV EAX,[EAX] <--[move our bogus code into EAX]
022F:00474F7A MOV EDX,[EDX] <--[move the REAL code into EDX]
022F:00474F7C CALL 004677D0 <--[check our code against the real one]
022F:00474F81 SETZ AL
022F:00474F84 AND EAX,01
022F:00474F87 POP EBX
022F:00474F88 POP EBP
022F:00474F89 RET
bingo! we made it. all we have to do is step through the code with F10 until [EDX] gets moved into EDX ( MOV EDX,[EDX] ). once that's said and done, simply dump the contents of EDX and check your data window.
> d edx
the data window will show something like this:
56-25-34-55-36.
......p...I.e.p
o..9.R...M..$..
....-..p..[W"..
0..|.S..o......
......n...I....
J...d#...~....k
.m...9^../.$...
viola, 56-25-34-55-36 is the correct code for the name 'everyone'. if you were to dump the contents of EAX you would see our original bogus code.
8. at this point, you've accomplished your goal, so have a little fun with the registration scheme. clear your hmemcpy breakpoint and set another for the function right after the working code gets dumped into EDX.
> bc *
> bpx 022F:00474F7C
return to the file chopper (control-D) and enter a different name to register the program with. started entering those 14 bogus numbers or letters and on the 14th, watch softice pop right after the real code gets dumped into EDX. simply do a 'd edx' again and you'll get the correct code for your new name.
If you can follow along, then you might be on your way to master...
the - 50-55-63-52-00
art - 31-32-55-55-20
of - 53-70-89-53-60
reverse - 59-76-75-05-92
engineering - 98-67-08-21-12
|
- how to write your own patching/cracking programs - |
I was once the newbie you were, about 4 months ago actually--thats just about when I started cracking. I always thought it was neat how people would package little programs(usually under 10k) that would do the actual cracking. now you can go about creating these patchers two different ways: simple and quick, or complex and time wasting. it's not a hard choice. :)
The intricate and time wasting procedure would include editing either pascal or assembler source code to change certain bytes at specific locations and then compiling that code. it's much easier to let a patching program do it all for you(especially since you probably don't know how to write your own patching program). my program of choice would have to be mr.wicked's rtd patcher.
COPYRiGHT (c) MR WiCKED^RTD 1996-97
USAGE: RTD_PATC <ORiGiNAL[.???]> <CRACKED[.???> [/OPTiON]
<OPTiON>
[P]: PASCAL CRACK CODE
[C]: C++ CRACK CODE
[A]: ASSEMBLER CRACK CODE [MASM/TASM]
[X]: EXECUTABLE [COM]
[D]: DATA FiLE [SEE DOX FOR iNFO]
from dos...
C:\temp\>rtd_patc orig.exe cracked.exe /x
change the text strings if you'd like to, and then simply press escape to have the program write the patch itself.
- CHECKiNG FiLE [ORIG.EXE] : EXiSTS!
- CHECKiNG FiLE [CRACKED.EXE] : EXiSTS!
- OPENiNG FiLE [ORIG.EXE] : OKE!
- OPENiNG FiLE [CRACKED.EXE] : OKE!
- CHECKiNG AVAiLABLE MEMORY [LEFT : 489392KB] : OKE!
- COMPARiNG [ORIG.EXE] [CRACKED.EXE] (WRiTiNG iN TEMP FiLE) : DONE!
- WRiTiNG EXECUTABLE [COM] FiLE [CRKORIG.COM] : DONE!
- NOW TRY TO DO SOMETHiNG WiTH [ORIG.EXE] :-)
crkorig.com is the crack itself, do what you will with it. :)
|