how to reverse an application that restarts after entering fake serial
kenn
February 12th, 2011, 14:49
Hi everybody, I'm a newbie, this is my first post, I hope I don't break the rules. I'm trying to reverse simple applications for fun. Recently I met a tough application; I managed to dump it, but I can't crack it because it's well protected, I think. I open it in Olly and try to analyse jumps and messages, but I couldn't find the right comparison code. When I enter a fake serial to catch the comparison lines it doesn't work; it simply says "Thank you for registering ....! Please restart the product."
I couldn't even figure out whether it was a genuine message or the program playing with me. Would anybody help me? Thanks in advance.
Regards.
FrankRizzo
February 12th, 2011, 21:20
My next step would be to search for those strings, use the strings to lead you back to the function(s) that print them, and trace back from there where it gets the serial from the dialog box (assuming this is a windows app). And that should be enough to get you on your way.
kenn
February 13th, 2011, 06:17
FrankRizzo, thanks for being so kind as to have replied to me; it's very nice to have help from an experienced guy. Yes, it's a Windows application, a history extractor. I have been working on it for a week, I tried many things to crack it, no way. It works with limited functionality; at least the limited functionality can be turned into full functionality, but it's beyond my skill. I searched for the serial string line by line but it is not shown. It must be easy to crack, but I'm getting hopeless; I feel like I can never crack it.

FrankRizzo
February 13th, 2011, 14:21
The benefit that YOU have that the software doesn't, is that YOU can learn, and keep hacking away at it. Everything you learn is another nail in the coffin of the app. The one thing that I think has made me a deadly reverser over the nearly 30 years that I've been doing it is, PATIENCE. Have I gotten stumped? Yes. Have I given up? Yes. Have I spent a MONTH hacking a NASTY DOS based protection? YES! And I eventually conquered it. The thing was, IT couldn't change, but I could continue to learn more about it, and to chip away at it. Keep your chin up!
Now, have you found the strings in your disassembly yet? Tell me where you are, what you have done, and I'll try to point you in the next logical direction.
kenn
February 13th, 2011, 16:14
FrankRizzo, thanks again for giving me a hand. I VERY much appreciate your guidance, I promise I'll be a good disciple of yours.

Now I'll tell you where I am:
I unpacked the application (I was at it months ago but I couldn't unpack it); I unpacked it last week, and the unpacked application works. Then I dived into cracking it: I put some breakpoints on certain lines before jumps and messages. Shall I tell you the name of the application?
0040C64C . B8 01000000 MOV EAX,1 : with this line the message box for registration appears, then I keep pressing F7 to see what's happening. I should point out that the message box forms step by step, not all at once. Then I enter any serial (I put "xxxx").

Then I hit register button, it stops at another breakpoint I put.
I noticed that my serial xxxx is stored in
EAX 00000005
ECX 0012F02C ASCII "xxxx"
EDX 0012F02C ASCII "xxxx"
EBX 00000000
ESP 0012EF14
EBP 0012F97C
ESI 0012F445
EDI 0012F031
EIP 0040C790 original.0040C790
A few lines below it compares CMP EAX,ESI.
Below are the register values at the comparison.
EAX 00000000
ECX 004318F8 ASCII "YG"
EDX 00124759
EBX 00000000
ESP 0012EF08
EBP 0012F97C
ESI 0012F02C ASCII "xxxx"
EDI 0012F031
EIP 0040C7A6 original.0040C7A6
All of these are meaningful for you? I am lost

Kayaker
February 13th, 2011, 17:33
Quote:
[Originally Posted by kenn;89417]Shall I tell you the name of the application?
No. It's against forum rules.
That said, if the app says "Thank you for registering ....! Please restart the product.", then the real check will likely be on startup, not during the "registration". While it's not a waste of time following the registration box, it will probably only lead you to a function which writes the info to the registry (or a file). If you can determine the name of the registry key then you can track that on startup and begin reversing from there.
Kayaker
ha33
February 14th, 2011, 05:34
Yes, it is very likely the serial will be stored in either a file or registry key.
First approach:
- BP on registry related win32 calls, primarily RegOpenKeyEx/RegGetValue/RegQueryValueEx
- BP on file related win32 calls, ReadFile, CreateFile(A/W).
If the above approach fails (maybe the serial is hashed / encrypted before being stored), then I would start checking where the serial is obtained and start putting memory breakpoints to see where it is read and eventually stored (to registry/file).
If you need any other advice just let us know.
kenn
February 14th, 2011, 09:27
Thank you again, kind guys, I'm grateful to you. Hi Kayaker, are you a famous cracker?

Nice to meet you. You all must be famous and professional reversers; sorry for my ignorance, as I said I'm a newbie. Now that it is not against forum rules, the name of the application is
**********. As you said, the serial key must be stored outside, in the registry or in a file; I noticed that it checks registry values. I had no time to work on it today, I wanted to reply to you first.
Hi ha33, thanks for the suggestion, I'll check out your suggestions, though it will be a tough job for me.
I congratulate all of you on Valentine's Day!
JMI
February 14th, 2011, 11:51
kenn:
One thing you need, to become a "reverse engineer," is to pay attention to details. Kayaker's response to your post started with:
Quote:
[Originally Posted by kenn;89417]Shall I tell you the name of the application?
No.
It's against forum rules.
You read that as "Yes" and named the target software. I have removed it.

Please demonstrate that you actually can learn!!!
Now go and actually Read the Rules!!!
Regards,
kenn
February 14th, 2011, 12:16


sorry!
FrankRizzo
February 15th, 2011, 00:57
Now, since you are assuming that it's registry related, let me point you to a tool that I find handy in times like this:
hxxp://technet.microsoft.com/en-us/sysinternals/bb896652
You run it, tell it what the name of the app is that you're working on, and it'll log all the registry accesses. New key creation, writes, reads, etc.
Granted, it sometimes gives A LOT of info, but wading through it will both make you familiar with the registry keys your program uses, and will let you get a feel for what it's doing.
kenn
February 15th, 2011, 08:33
Hi Master FrankRizzo

It's very nice to hear from you. I used Process Monitor as you advised to trace what's happening. I am still awkward at using it; it took me an hour to understand how to use it, but at last I managed to include only the process I wanted. I'm lucky that I have you, I feel self-confident now.
I found some suspicious queries.
unpacked.exe CreateFile C:\Program Files\*******\unpacked.exe.Local NAME NOT FOUND
unpacked.exe CreateFile C:\Windows\Prefetch\UNPACKED.EXE-E04A47A0.pf NAME NOT FOUND
unpacked.exe ReadFile C:\$Directory SUCCESS
unpacked.exe QueryStandardInformationFile C:\Windows\registration\R00000000000d.clb SUCCESS
unpacked.exe QueryDirectory C:\Users\ACER\AppData\Roaming\******\********\Settings.xml SUCCESS
unpacked.exe RegSetValue HKCU\Software\***********\***********\Key SUCCESS
I took a look at C:\Windows\registration\R00000000000d.clb, but I have no idea how to decrypt it.
Does it matter if I use a different application name in place of the original one, I mean if the software checks its original name? I named it unpacked.exe.
Aimless
February 16th, 2011, 13:43
Kenn, you bend over backwards any more son, and you're gonna snap that spine!
On a more serious note, welcome to the board. Its good to see you've managed to become self-confident... gives us a fuzzy feeling....

Nice to see you getting ahead in the game. While cracking is definitely the use of your tools and mind, not giving up is most important here. So whatever you do in the future, DON'T GIVE UP!
And thanks to FrankRizzo (he's not a master, he is GRANDMASTER of GRANDMASTERS!!) and Kayaker (perhaps the greatest cracker that ever lived on this earth.... say, do you know -- Kayaker used to TEACH Fravia and ORC!! --- and unconfirmed rumors say that he coded version 1 of IDA PRO!!) you now have a head start!
Hope to see you more often here.
Have Phun
Woodmann
February 16th, 2011, 21:53
Quote:
say, do you know -- Kayaker used to TEACH Fravia and ORC!! |
Holy O' crap Aimless, talk about bending over. Front ways even.
Are you getting money from Kayaker for that incredible line of...........
Woodmann
Kayaker
February 17th, 2011, 00:40
This is getting amusing
Kenn will soon learn that obsequious behaviour is useless here. We're all too old for that and there's nobody famous here anyway.
That reminds me of Shrek, looking up at the stars with Donkey
"Look, there's Blood-Nut, the Flatulent. You can guess what he's famous for."
kenn
February 17th, 2011, 07:34
Obsequious behaviour? Those are very harsh words for a newbie; Kayaker reflected his personality by that. I respect wise people only, and only wise people! Mastership is a matter of personality and knowledge together!
JMI
February 17th, 2011, 11:01
Apparently, kenn not only doesn't always pay attention to important details, he also appears to lack a sense of humor about himself.
Regards,
Darkelf
February 17th, 2011, 12:09
kenn, try to develop a hippie-like attitude and don't always take things personally. If you don't, you will either cry like a baby or leave the board immediately once evaluator comes around.

I must confess that when I read your line where it says "famous cracker" I pictured myself entering a club and hearing all the girls screaming my name.

But it was good to see that there are people who can think of a cracker being famous rather than being infamous.
btw. Welcome aboard!
Kayaker
February 17th, 2011, 14:52
I was not trying to be harsh or insulting, Kenn; if so, I apologize. We try not to take ourselves too seriously around here; good-natured ribbing is the usual order of the day, hence the joking by Aimless and Woodmann, both famous crackers in their own right.
One thing we DO like to see is your enthusiasm, yes it does give us older reversers a warm and fuzzy feeling to see someone new come along who shows an interest and excitement for reversing. It's the whole reason we're here, to try to help and pass along the knowledge. It's what ORC did, it's what Fravia did, and many others before us and hopefully many more after us.
So yeah, welcome to the board and please don't be put off by this. Stick with it, contribute and share what you learn, and in a few years you can become a famous reverser too
Cheers,
Kayaker
owl
February 24th, 2011, 16:18
Quote:
[Originally Posted by kenn;89450]I found some suspicious queries.
unpacked.exe CreateFile C:\Program Files\*******\unpacked.exe.Local NAME NOT FOUND
unpacked.exe CreateFile C:\Windows\Prefetch\UNPACKED.EXE-E04A47A0.pf NAME NOT FOUND
unpacked.exe ReadFile C:\$Directory SUCCESS
unpacked.exe QueryStandardInformationFile C:\Windows\registration\R00000000000d.clb SUCCESS
unpacked.exe QueryDirectory C:\Users\ACER\AppData\Roaming\******\********\Settings.xml SUCCESS
unpacked.exe RegSetValue HKCU\Software\***********\***********\Key SUCCESS
Going back to the topic, kenn: from the above data, ignore the Prefetch entry (by default Windows creates this file for any executable run on the system), and also ignore the ReadFile on the directory (it is a very common occurrence). The ones that look interesting are the QueryStandardInformationFile and the RegSetValue. You may want to focus on those. Another tool to try besides RegMon is Process Monitor (http://technet.microsoft.com/en-us/sysinternals/bb896645), also from Sysinternals.
Process Monitor combines both RegMon and FileMon, so you end up getting more data. After you have your data, open Task Manager or Process Explorer (also from Sysinternals) and get the PID of the application you are running, to help you filter the data obtained in Process Monitor. Let us know what else you find.
By the way guys, I don't think that Kayaker needs to brag about his accomplishments. He doesn't have to; after all, if you have been around this forum or attended some of the conferences where he has been, you already know how WELL!! he knows his stuff.

Kayaker
February 24th, 2011, 19:36
Thanks for the kind words, owl, but I'm just a hobby reverser who's been doing this for maybe too long. And for the record, I've never been to or spoken at a conference; it must be someone more deserving you're thinking about.
Regards,
Kayaker
Woodmann
February 24th, 2011, 22:31
Errrrrrrrrrrrr.........
OK, I lied once and said I was you.
I have cracker envy.
Woodmann
Kayaker
February 24th, 2011, 22:54
Damn, I should have gone to Recon that year you guys went. If I had known, I would have had to protect my virtue...

Elenil
February 25th, 2011, 06:06
Didn't the owl write the icepatch? I don't remember well atm.
owl
February 25th, 2011, 12:23
Quote:
[Originally Posted by Kayaker;89558]Thanks for the kind words owl, but I'm just a hobby reverser who's been doing this for, maybe too long. And for the record, I've never been to or spoken at a conference, it must be someone more deserving you're thinking about
Regards,
Kayaker
REcon 2006: you didn't present, but I believe you held one of the lunch workshops. I sat in on it. And yes, Woodmann was there too.
Woodmann
February 25th, 2011, 22:03
No, he was not there, unless he attended under his real name and was a dick and didn't tell me he was there.
All I recall is that I offered to pay for him and he still declined.
Woodmann
kenn
February 26th, 2011, 07:18
Hi guys, I'm back, sorry for my touchiness. I know that reversers also have their own philosophy behind that.
Kayaker, I just read your posts about hiding Olly in another thread in this forum dating back to 2006; it was helpful.
What did I do while I was away? I kept reading.

It was what Kayaker aimed for.
Owl, thanks for the tips; you wrote what I wondered about, you are helpful.
I was not working on cracking the application for a while; I followed my intuition. I'm trying to be optimistic, but I think cracking it is beyond my capacity; it seems to be using a complicated algorithm to conceal the serial. What shall I do?
I met another application; it's impossible for me to open it in Olly, it detects Olly. I used the PhantOm plugin, but Olly crashes when I tick "hook GetTickCount". What is the best hiding plugin for Olly?
v01d
February 26th, 2011, 08:45
There are a lot of hiding plugins. I personally use StrongOD; it has a lot of options and is frequently updated.
kenn
February 26th, 2011, 08:58
v01d, I'll try that plugin. Currently I am trying "OllyDBG 9 in 1 Plugin For themida1.9.5", which doesn't seem to work; I hope yours works.
v01d
February 26th, 2011, 09:03
Just download a clean Olly, and after that download the plugins you want to use and test how they work. Some good suggestions are StrongOD and IDAFicator by AT4RE.
Bengaly
March 27th, 2011, 13:56
Quote:
[Originally Posted by Woodmann;89469]Holy O' crap Aimless, Talk about bending over. Front ways even.
Are you getting money from Kayaker for that incredible line of...........
Woodmann
MUAHAHAHHAHAHA