Tips pointers for cracking a crypted license file type protection


SuperCali
September 25th, 2001, 21:09
Hello,
I was wondering if anyone could give me some pointers on cracking software with license files with crypted keys. I am trying to crack one such program now but am not making any real advances. The license file consists of one's name and email (cleartext) and a key. This file is then used to determine what one can and cannot do in the program, i.e. add new templates, save them, max templates etc. Also the temporary license I have is one month.

What I've done so far is manage to remove the time-limit and get the program to load without the keyfile. This however sucks as all options are set to off and the expire date is set to feb 1979 or something like that, although the check is removed? So the two options as I see them are:
1. Keygen it, or at least make it accept a key of your choice.
Harder for me as it would probably require me to break the key right?

2. Make it set all options on no matter what key is used.
Methinks this will be easier... or?

The problem is the methodology; any tips would be greatly appreciated. Are there any special calls I should breakpoint etc. etc.? From what I've seen parts of the protection are really lame, which makes me even lamer for not being able to crack it. The program is pretty much commented like a book so finding the time expire etc. wasn't a problem. I know this was a bit vague but I am looking for any general pointers as I am still a newbie.

// SuperCali

DakienDX
September 26th, 2001, 10:46
Hello SuperCali !

Can you tell us what target you're talking about?
If you can't, please tell us what programming language it was written in and what the key looks like (hex, base64, decimal, binary, ...).

You could try to set a BPX on CreateFileA for example. If there's something like "CheckKey=831268015600825612" in the keyfile, you should set a BPM on the memory location where "CheckKey" is stored. You could find some algorithm this way which converts the key into some binary data which can be checked for "x-bit set" or "divisible by x" or something like that. (I don't think there is code like
Code:

Cmp Byte Ptr [Key+5], "E"
Je AllOptionsEnabled
Cmp Byte Ptr [Key+5], "D"
Je AllOptionsDisabled

this in the program. )
I hope this will help you.

SuperCali
September 26th, 2001, 12:23
Hello,
The program is ms visual c++ 6.0. The key is in the following format, although I cannot find it in the keyfile itself, only in the program about box:

HEX:

xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx

Having looked closer at the keyfile (xxx.dat) it seems to me that it is in fact a DLL. I need to have a closer look at the target. I could post the target on my site and email you the link if you want to have a look for yourself. Well, I'll try what you have suggested and have a closer look and see what more I can do. Thanks for the help.

// SuperCali

SuperCali
September 27th, 2001, 21:59
Hello,
Well I have had a closer look (and found another way to make it accept any key, but alas same problem... no options). I have managed to add some options although they are not permanent, so the settings aren't saved. The crypto it uses is either RSA or MD4/5, which I am not sure, as it seems to use both. The problem is that crypt algo support is built in to the program and used not only for the license key. I have found the place where it calls the RSA and MD5 routines but I am having serious problems understanding the code in those sections.

question:

mov eax, dword ptr [eax+00000560]

How do I see what address eax+560 is pointing to?

// SuperCali

DakienDX
September 28th, 2001, 08:36
Hello SuperCali !

In case it's RSA or MD4/MD5 and you have to leave the crypto part intact, I can't tell you much about how to work further, but you could now post the target and a download location, or, if you don't like to, post no target and send the location via email to me.
I can't say if I can do anything, since RSA is a special problem which may take forever to reverse and MD4/MD5 are one-way functions, but I can try to help you.

CoDe_InSiDe
September 28th, 2001, 08:49
Hi SuperCali,

"question:

mov eax, dword ptr [eax+00000560]

How do I see what address eax+560 is pointing to? "

in SoftICE type "d eax+560"

Cya...

CoDe_InSiDe

SuperCali
September 28th, 2001, 14:42
Hello,
OK, thanks for your help so far anyhow. Here is a link to the file (c.a. 4.5 MB):

h**p://www.lotr.nu/target.ace

// SuperCali

DakienDX
September 29th, 2001, 05:10
Hello SuperCali !

The program isn't such a difficult target at all. It has its registration information stored in plaintext in the license file. It uses RSA-2048 to check if it's valid. Since it's nearly impossible to reverse RSA-2048 in the next 100, 200, 300, ... years, you need to patch one (exactly three) byte and the check if the license file is valid has disappeared. Now you can edit the license information to whatever you like.

I've done the patches so far, if you want me to send you the patched license file please let me know.

SuperCali
September 29th, 2001, 08:24
Thanks for having a look, and for the information. I will have another look at the program and see if I can crack it myself. At least I know it's possible now. The problem is I am using TRW instead of SoftICE and am still getting used to it, so that might be what is complicating the whole thing. I will give it another shot before I ask you to send the file. Thanks.

// SuperCali

DakienDX
September 29th, 2001, 11:56
Hello SuperCali !

Good to know not all people accept cracks without asking more deeply how they work. You need not use SoftICE; of course you can use TRW too (in my case TD and a hex editor did the job).

SuperCali
September 29th, 2001, 15:19
Hello,
I am still having problems with the target (forever newbie it seems, I should read more essays). Like I said before I have found the license check areas (multiple, but only one seems to matter) at RVA 0041A346, and that is where I'm concentrating my efforts. Am I on the right track or lost? There is one call at the above mentioned RVA and then a check: if eax = 1 then the license does exist, so jump; then later there is another call and check, has the license expired: if eax = 1 then no jump, continue. My guess is that the program needs to be patched somewhere in one of the three or four calls inside 41A1D1. Well, I would appreciate any hint if you can give one without making the answer too obvious. Thanks.

// SuperCali

DakienDX
September 30th, 2001, 04:19
Hello SuperCali !

You're on the right way. You should follow 0041A1D1 until you reach many LIBEAY32 calls (MD5, RSA) in a subfunction. At the end there should be a "Sete AL". Just set it to "Xor EAX,EAX; Inc EAX" and the license file check is gone. (I hope I haven't said too much to help you.) Now you can edit the license file. (One more hint: change the expire date there, not in the .EXE.)

SuperCali
September 30th, 2001, 15:18
Hello,
Cracked it! Thanks A LOT for your help (maybe the last hint was too precise but I appreciate it none the less). I have actually learnt quite a lot from this target, but I wouldn't have without your help. Well, so what did I do?

Well I did pretty much what you suggested. I then analyzed the enabling/disabling of the options. 19 options in all, each 2 bytes; fill with FFFFFFFF to enable (actually only the first three need be filled, the others just require that one bit has a non-zero value), anything else to disable. I found the date but still don't quite get the format it is stored in, but I'll look at it closer now that I am done and see if I can't figure it out properly. Well, now time to find another target to practice on.

// SuperCali

SuperCali
September 30th, 2001, 19:25
Well, had a closer look and the date seems to be incorporated into the key and thus one cannot make a generic patch for it as the "hex values" change according to the user info. However one can make a patch by changing the key user info to what one wants and then replacing the key fields and options fields with FFFFF etc. etc. This results in the time limit being nullified.

// SuperCali

DakienDX
October 1st, 2001, 10:35
Hello SuperCali !

Good to hear you've done it. I'm sorry I gave you the final hint, but when having an RSA_Verify and EAX can be 0 or 1 on return, there is not much I can hide from you.
I've found out that you can set the complete block starting at the expire offset and going over 84 (dec) bytes to FF, so all checks I've found return "feature available" from now on.
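The scheme DakienDX describes (plaintext registration fields, an MD5 digest of them signed with RSA, and an RSA_Verify that returns 0 or 1) is shown below as an added illustration; it is not code from the thread or from the target. The key pair, field names and license values are constructed for the example, the RSA is textbook-sized, and the point it makes is the defender's one: editing any signed field (the expire date, an option) breaks verification, so the whole protection rests on the single boolean the last compare produces.

```python
import hashlib

# Constructed toy RSA key pair (tiny primes, illustration only;
# the thread's target used RSA-2048 via LIBEAY32/OpenSSL).
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent (Python 3.8+)


def license_digest(fields: dict) -> int:
    """MD5 over the plaintext registration fields, reduced into the RSA modulus."""
    blob = "\n".join(f"{k}={fields[k]}" for k in sorted(fields)).encode()
    return int.from_bytes(hashlib.md5(blob).digest(), "big") % N


def sign_license(fields: dict) -> int:
    """Vendor side (private key): the 'key' shipped in the license file."""
    return pow(license_digest(fields), D, N)


def rsa_verify(fields: dict, signature: int) -> bool:
    """Program side (public key): recover the digest and compare it with a fresh one.
    This one comparison is what the thread's 'Sete AL' turns into a 0/1 in EAX."""
    return pow(signature, E, N) == license_digest(fields)


def enabled_options(fields: dict, signature: int) -> dict:
    """Feature gate: every option hinges on the single verify result.
    Because expire date and options are inside the signed data, changing them
    in the file invalidates the signature; only the gate itself is a weak point."""
    if not rsa_verify(fields, signature):
        return {}
    return {k: v for k, v in fields.items() if k.startswith("opt_")}


# Constructed sample license record (not the target's real format).
SAMPLE_FIELDS = {
    "name": "Example User",
    "email": "user@example.test",
    "expires": "2001-10-25",
    "opt_save": 1,
    "opt_new_templates": 0,
}
SAMPLE_KEY = sign_license(SAMPLE_FIELDS)
```
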