This is my first attempt at writing an essay, so feel free to send me any comments. I assume the reader knows how to trace with SoftICE and how to disassemble with Wdasm 6.0 (or higher). If you don't, read the tutorials from ED!SON (Wincrack), Indian Trail, Frog's Print, Fravia, +orc, ... They teach you all you need to know to start cracking, and more.
Best cracking regards, Llama (CWR1).

Tools: Winice, Wdasm 8.5, HexWorks
Software: WinZip95 6.3
My goal here is to find the registration key for shareware that asks for a name and the corresponding key. You can find protections like this just about everywhere (CD-ROMs, shareware.com, ...). WinZip is a good example of this kind of registration procedure, so let's go!
First, I test the software I want to crack and note the unregistered 'pollution' (the nags an unregistered copy shows). After a while with WinZip we notice:
Go to the Help/About/Register menu. The « Register WinZip » screen appears and asks me to enter my name and registration #. So for me, name: Llama and code: 6969. After validating this, a message window appears telling me they were wrong. So now the goal is to break into the code just before, or just after, this window appears. You can do this in many ways, by setting different breakpoints, from the easiest one on... A commonly used method is to put a breakpoint on a Windows API function. As you can see in Indian Trail Lesson 5 (and in ED!SON's Wincrack), the usual APIs used to read the text of a dialog field are the ones we break on next:
So we enter BPX GetDlgItemTextA and BPX GetWindowTextA and press Ctrl-D to continue the execution of WinZip. We break into SoftICE and see that the program calls GetDlgItemTextA. As we have two editable fields (Name and Code), there are probably two calls to GetDlgItemTextA, so press Ctrl-D again to resume WinZip. It breaks again on GetDlgItemTextA. So now it's almost certain that WinZip has our name and code, and that GetDlgItemTextA won't be called again here (you can verify this with Ctrl-D: the program won't break again before the message). Now I want to return to where this function was called. To do this I can trace (F10) to the RET instruction or just press F12. Victory!!! Here we are, just after the GetDlgItemTextA call, so clear all the breakpoints (BC *) and put a new one on the line following the call; it should be the line at :00409D73 that follows the call in the listing below.
So what's the situation now? We're back in SoftICE just after the program read our name and code. So if we execute the program step by step (F10, 'step over'), we'll probably find a conditional jump, after a call, that verifies the code and decides whether it's right or wrong. That's what I'm looking for now, and my method is to trace (F10) until the message box ('Incomplete or incorrect information...') appears, because if I know where the call for this message is, I can look for the cmp/jxx lines which could jump over it.

Let's go! I press (I hope we press ;-) F10 a few times and the 'Incomplete...' message pops up. Click OK, and voila, SoftICE. Note the address of the call => 00409DA8.

So now we know where to search for the checking routine: it must be called between line :00409D73 and line :00409DA8. Now try yourself, by tracing, to understand the code around this...
* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
|
:00409D6D Call dword ptr [00476AC8]
:00409D73 movzx eax, byte ptr [00471258]      <- it's the name (dump it with d 00471258)
:00409D7A test eax, eax
:00409D7C je 00409D92                           <- jump if nothing was entered
:00409D7E movzx eax, byte ptr [0046F578]      <- it's the code (dump it with d 0046F578)
:00409D85 test eax, eax
:00409D87 je 00409D92                           <- jump if nothing was entered
:00409D89 call 004096EA                         <- check the name and key
:00409D8E test eax, eax
:00409D90 jne 00409DD3                          <- jump if it's right (eax != 0); fall through if it's wrong

--> Beginning of the proc for the wrong password entry
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00409D7C(C), :00409D87(C)
|
:00409D92 call 00409F9C
* Possible Reference to String Resource ID=00654: "Incomplete or incorrect information"
|
:00409D97 push 0000028E
:00409D9C call 00424ECF
:00409DA1 pop ecx
:00409DA2 push eax
:00409DA3 push [ebp+08]
:00409DA6 push 0000003D
:00409DA8 call 004230FD                         <- 'wrong key' message
:00409DAD add esp, 0000000C
:00409DB0 mov eax, dword ptr [0046C860]         <- counter of wrong attempts
:00409DB5 inc eax
:00409DB6 mov dword ptr [0046C860], eax
:00409DBB cmp dword ptr [0046C860], 00000003
:00409DC2 jne 00409DCF                          <- after the third wrong try, close the dialog
:00409DC4 push 00000000
:00409DC6 push [ebp+08]
* Reference To: USER32.EndDialog, Ord:00B4h
|
:00409DC9 Call dword ptr [00476AE4]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409DC2(C)
|
:00409DCF xor eax, eax
:00409DD1 jmp 00409E45                          <- jump to the end of the routine
--> End of the proc for the wrong password entry

--> Beginning of the proc for the right password entry
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409D90(C)
|
:00409DD3 push 00471258
* Possible StringData Ref from Data Obj ->"Name"
|
:00409DD8 push 0046396C
* Possible StringData Ref from Data Obj ->"WinZip"
|
:00409DDD push 00466F00
* Reference To: KERNEL32.WriteProfileStringA, Ord:0288h
|
..........
..........   I skip these lines because we just want the good serial,
..........   not to decode the whole bunch
..........
:00409E16 Call dword ptr [00476AE4]
:00409E1C xor eax, eax
:00409E1E jmp 00409E45
--> End of the proc for the right password entry
We can verify that the call at line 00409D89 is truly the checking routine by changing the value of the Z flag after the test at 00409D8E (with r fl z, or with the mouse). Do this and press Ctrl-D: the message has changed!!! So we were right.
We are almost at the end, because we know the call in which to search for the serial. Now re-enter your name and code, and break at this call. Then step into it (F8). That's where the search for the serial begins.

My approach is to find the call that creates the true code (the name is then surely a parameter), or the call that compares my code with the true code. To find them I spy on the pushes and movs before and after the calls. That's what I did for WinZip, and this is what I found:
Push EAX          -> contains the name...
Push 00471258     -> a memory location...
Call 004098c3     -> perhaps the good-key creation routine?
So this routine has the name and a memory location as parameters. I could understand the use of the name, but what about this memory location? I read the value at 00471258 (type d 00471258) before and after executing the call. Before, there's nothing in it; after, we can read this value --> 216c03f9

Oh oh oh, I think I've got it. Let's see if it's really my serial, but first I disable all breakpoints (BD *). I enter my name and key=216c03f9.

It works! I exit WinZip and restart it, and I'm still registered: it was the good serial.
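As an added example (not WinZip's code and not the author's), here is a C model of the two things the tutorial walks through: the dialog handler shown in the listing (the empty-field tests, the check call whose result drives the jne, the three-strikes counter that ends the dialog) and the key-creation call stepped into afterwards, which writes the good serial into memory before comparing it. The key derivation is a made-up placeholder (an FNV-1a-style hash), not WinZip's algorithm; the buffer names only echo the listing's addresses and the values they produce are not WinZip's.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

#define NAME_MAX 64
#define KEY_MAX  32

/* Global buffers standing in for the data-segment locations the tutorial
 * dumps with "d" (the addresses in the comments are reminders, not real). */
static char g_name[NAME_MAX];       /* cf. 00471258, filled by GetDlgItemTextA */
static char g_key[KEY_MAX];         /* cf. 0046F578, filled by GetDlgItemTextA */
static char g_good_key[KEY_MAX];    /* buffer the key-creation routine fills   */
static int  g_failures;             /* cf. the counter at 0046C860             */

/* Hypothetical key derivation (FNV-1a-style mixing); NOT WinZip's algorithm.
 * Stands in for call 004098c3: name in, eight hex digits out. */
static void make_good_key(const char *name, char *out, size_t out_len)
{
    uint32_t h = 0x811C9DC5u;
    for (const unsigned char *p = (const unsigned char *)name; *p; ++p) {
        h ^= *p;
        h *= 0x01000193u;
    }
    snprintf(out, out_len, "%08x", h);
}

/* Stands in for call 004096EA: derive the good key into memory, then compare.
 * Nonzero means the key is right, so the caller's jne takes the good path. */
static int check_name_and_key(const char *name, const char *key)
{
    make_good_key(name, g_good_key, sizeof g_good_key);
    return strcmp(g_good_key, key) == 0;
}

/* Models the dialog handler from :00409D73 to :00409E45.
 * Returns 1 when registered, 0 when "Incomplete or incorrect information"
 * would be shown, and -1 when the third failure closes the dialog (EndDialog). */
int register_dialog(const char *name, const char *key)
{
    /* The two GetDlgItemTextA calls copy the fields into the global buffers. */
    snprintf(g_name, sizeof g_name, "%s", name);
    snprintf(g_key, sizeof g_key, "%s", key);

    /* movzx eax, byte ptr [...] / test eax, eax / je: a zero first byte means empty. */
    if (g_name[0] == '\0' || g_key[0] == '\0')
        goto wrong;

    /* call 004096EA / test eax, eax / jne 00409DD3 */
    if (check_name_and_key(g_name, g_key)) {
        /* good path: WriteProfileStringA("WinZip", "Name", g_name), then EndDialog */
        return 1;
    }

wrong:
    /* "Incomplete or incorrect information", then bump the attempt counter;
     * on the third failure the dialog is closed with EndDialog(hDlg, 0). */
    if (++g_failures == 3)
        return -1;
    return 0;
}

/* What "d 00471258" showed the author after the key-creation call:
 * the derived key sits in plain memory, ready to be read. */
const char *good_key_in_memory(void)
{
    return g_good_key;
}

int main(void)
{
    char found[KEY_MAX];
    int r = register_dialog("Llama", "6969");
    printf("Llama / 6969 -> %d (0 = wrong)\n", r);
    printf("key the check routine left in memory: %s\n", good_key_in_memory());
    snprintf(found, sizeof found, "%s", good_key_in_memory());
    printf("Llama / %s -> %d (1 = registered)\n", found, register_dialog("Llama", found));
    return 0;
}
```

Compile with any C compiler and run it: the attempt with Llama/6969 fails, and the key left in the buffer by the check routine is then accepted. The weakness it demonstrates is the "compute the real key, then compare" design: whoever can read memory at the comparison has the key, which is exactly what d 00471258 gave the author. A check that only compares a hash of the expected key, or verifies a signature over the name, does not leak the serial this way.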
3/CONCLUSION
As you can see, finding the right key for WinZip wasn't very hard (who would have believed it?), but be careful, it's not always so easy.
If you want training, try WinZip Self-Extractor for Win95; it's nearly the same method. But be careful, it's not exactly the same! I would appreciate an e-mail about what you did with it.
I know the weakness of this essay: it's too specific to one piece of software! So perhaps I'll write something giving several methods to find serials.
I hope you appreciate my little work. If you want to exchange ideas about cracking, e-mail me a word or two; it would encourage me to continue.
LLAMA email