Lost in the code


Coersum
July 16th, 2002, 02:44
Hi all,

First, so you know (as you will discover it), I'm a newbie...

About the target:
It is an investing neural simulation program. There are different sub-versions of the same v2.4 depending on the number of Neurons allowed by your license (from $70 to $16,200).

About the protection:
The program doesn't use any serial; instead, when you register, they send you a key (an install program that installs a key).
As how many $$ you pay gives you more or fewer functions (functions not paid for are disabled), I tried to enable the disabled menu items.

My approach:
I first tried to find out if it was reading the key from the registry by setting some breakpoints, but nothing came up. Then I tried to find out where the menu items were disabled (enabled at first, then disabled at run-time). I was able to enable one of them, but as soon as the function was done and before it gives me the result, it seems to check AGAIN and gives me a msgbox saying blah blah blah this function not available etc.....

I'd like to be able to crack at the source and find out how to simulate the higher level of the key installed ($16,200), but it seems to do tests on it all the way through execution...
Like I said, I'm a newbie. I read MANY tutorials and examples about reversing, but nothing comparable to this kind of protection.
I've been using HVIEW, SI, and W32dsm.

ANY IDEAS? Any input is more than welcome. I can send the (registered but without key) version if you want to look at it (coersum@netcourrier.com).

Thank you
Coersum
PS: sorry for bad English... French.

naides
July 16th, 2002, 16:27
It MAY be easier to understand how the functions are enabled and the number of neural cells is determined if you invested the $70 in the low-end version of the licensing program, and then reverse engineered the license generation process.
On the other hand, this may be the most secure element of the protection scheme.

get2
July 16th, 2002, 17:21
Some questions for ya.
In W32dsm can you find the message that it gives ya ("gives me a msgbox saying blah blah blah this function not available etc.....")?
Maybe try IDA; you might find something there.

Is the program packed or protected somehow?

Have you tried setting a break on the message box, or what have you tried in SI?

If you provide a little more info, I'll bet there would be a lot more here able to help ya. The people here are the BEST at this.

Coersum
July 16th, 2002, 19:09
naides>
I actually did buy the $70 license; this is how I know about it (wasn't going to crack it, but the $16,200 license looks so good). This is just a tiny setup program that installs a "key" and then gives you an "Install successful" msgbox. I tried setting breakpoints at the regqueryvalue, regcreatevalue etc.... SI breaks on them, but I could not figure out where and what it was writing.

get2>
W32dsm did find the string of the msgbox, but after that I tried to reverse this part of the check too and wasn't able to (it makes the program bug at startup). I'm a newbie and am not sure how to test if the program is packed or protected.. I guess there are tools for that... do you have some names? Thanks.
Like I said to naides, I tried to break on the msgbox but wasn't able to reverse it. I'm lost in the code; it seems to make checks a little everywhere. I'm trying hard lol...

Thanks both for your help,
If anybody wants to look at the program I can mail it.
Coersum
Coersum@netcourrier.com

Aimless
July 17th, 2002, 08:51
Hullo,

I think you need to modify your approach a bit. Start first by understanding more about the "type" of key. There are 3 possible options:

1) The key generates a file(s) that act as licenses.

2) The key generates a normal/encrypted key/subkey/value in the registry

3) The key "MODIFIES" the already existing files. Exe/DLL/Ocx/etc.

4) All of the above.


To find out where it does what, do the following:

1) Use FILEMON to figure out if it CREATES any new files.

2) Use REGMON to figure out if it CREATES/MODIFIES/DELETES any new keys/subkeys/values. If so, are they normal/encrypted?

3) "Before" installing the license, go on the internet, search on google for MD5 program (a simple command prompt based exe that takes a file as an input and outputs its MD5 signature). Run that program on your "directory" and store the output (MD5 hashes of ALL files in directory and sub-directory). Install the licensing and "After" doing the installation of the license, run the same procedure again, to find out the MD5 hashes of files AFTER the installation. If there seems to be NO change, repeat the same procedure to the C:\WINNT\SYSTEM32 directory (I use Winnt, you could point to the windows path) and get the MD5 for ALL its dll files. A *moronic* protection could change (very very rare) the system dlls too. You never know enough to be careful.

4) If ALL of the above show something, then I would suggest you try something simpler at first.


AFTER all the above processes are done, find out whether the associated key(s) is:

1. NORMAL
2. COMPRESSED
3. ENCRYPTED
4. Both 2 and 3

In either case, to Unpack/Decrypt the key files (if at all applicable) check out the various tutorials to do so. You need to do this ONLY and ONLY if you are trying to generate VALID licenses. If you simply want to bypass then:

1. Understand where in the exe/dll/both the ROUTINE for validating the same is. Remember, most of the time the INSTALLATION routine and the VALIDATION routine will be the same.

2. Understand whether, in that VALIDATION routine, OTHER registers are changed or values written to memory that are used in any OTHER part of the program apart from the main VALIDATION routine.

3. If so, chase the branches of that tree and see what the program expects. If necessary, dig deeper into the codewoods. (I did not say that cracking was a "pleasant" and "happy" experience.)

4. Disable ALL checks (in a good protectionist's sense, more than you can really handle).

5. If you find that disabling checks is TOO convoluted and complex, I'd suggest you stick to generation of a license key. And this is all the more simple as you do not reverse engineer the whole application but the installation file for the license to see how it works (assuming that the Installation Creates the keys, rather than simply Pasting them).

6. If none of the above work, try a simpler target.

Have Phun
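
Step 3 of Aimless's checklist (hash every file in the program directory before and after the license installer runs, then compare), as an added example that is not code from this thread. It is a plain file-integrity diff, the same check a defender uses to see what an installer touched; it uses SHA-256 in place of the MD5 tool the post mentions, and the directory and file names in the demo are constructed.

```python
import hashlib
import tempfile
from pathlib import Path


def file_digest(path):
    """SHA-256 of one file, read in chunks so large DLLs need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot_dir(root):
    """Map every regular file under root (recursively) to its digest, keyed by relative path."""
    root = Path(root)
    return {str(p.relative_to(root)): file_digest(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def diff_snapshots(before, after):
    """Report what changed between two snapshots: added, removed and modified files."""
    common = set(before) & set(after)
    return {
        "added": sorted(set(after) - set(before)),
        "removed": sorted(set(before) - set(after)),
        "modified": sorted(p for p in common if before[p] != after[p]),
    }


if __name__ == "__main__":
    # Constructed demo: a fake program directory, snapshotted before and after
    # a pretend key installer drops a license file and patches the executable.
    with tempfile.TemporaryDirectory() as d:
        Path(d, "target.exe").write_bytes(b"MZ original")
        baseline = snapshot_dir(d)
        Path(d, "license.key").write_bytes(b"opaque key blob")  # new file
        Path(d, "target.exe").write_bytes(b"MZ patched")         # modified file
        for kind, files in diff_snapshots(baseline, snapshot_dir(d)).items():
            print(f"{kind}: {files}")
```

Run it once against the program directory before installing the key and once after, and the "added" and "modified" lists tell you whether the license lives in a new file or in a patched binary, which decides which of the options above you are dealing with.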

Coersum
July 17th, 2002, 09:21
Hi Aimless!

Wow.. that's some help thanks...

After passing the key installation program through SmartCheck, here is what I found out: the key installation program installs a file in the target's directory and a key in the registry (both the same thing, and I think encrypted). Here it is:
[encrypted key data, unreadable in the archive] (in one line and minus some chars)

If the registry key is removed, the target finds the key in the file and rewrites the registry key, and the inverse if the file is deleted.

I don't know much about encryption. I found a "Tutorial: finding encryption code" on the messageboard and am trying to find the decryption routine.... already spent the last 4 hours on it without luck (like it would be that easy lol).

Mike from the "finding encryption code" msgs should try this target, as every time you click on a menu, it checks the registry (not sure if this is to verify the key or not, nor if it also checks the file with the key).

Also, is there any program that could "find" a decrypt method if you know what 70% of the encrypted string decrypts to?

Any more advice is welcome.
Again thanks for your help,
Coersum

naides
July 17th, 2002, 21:30
As above