
View Full Version : Hardware ID based serial number


wonderwoman
September 29th, 2002, 13:45
Can somebody please help me, I am trying to crack a serial number for a program. The serial number uses a hardware ID so it changes from computer to computer. Would it be possible to lock the hardware ID so it does not change, as I have a serial number for one computer? It appears that the password is binary based and is therefore like trying to find a needle in a haystack.

Can anybody please help me

wonderwoman

esther
September 29th, 2002, 15:26
*sigh* crack request again

wonderwoman
September 29th, 2002, 16:09
What are you talking about, "crack request"? I have no intention of requesting cracks, I am only after help in order to do it myself. You would not be able to get the program anyway.

Any USEFUL comments would be very welcome

Thanks

Wonderwoman

esther
September 29th, 2002, 16:16
Did ya read the FAQ?
What tools are ya using?
Where are ya stuck?
Show some code and effort and ppl will help

wonderwoman
September 29th, 2002, 16:33
Yes I have read the FAQ (maybe I could have been a bit more specific).

I am using SI with FrogsICE to stop SI being detected.

I am getting to the password screen and using hmemcpy as a breakpoint to gain access into the code.

I can usually crack this type of protection by looking through the code for where the password you entered is compared to the actual password (serial fishing), but I have never come across the protection where the password is locked to your computer using a hardware ID.

Also, can the programmer use the password in binary format so it will just display meaningless letters where you are trying to display the memory location output?

Sorry for any misunderstanding

WonderWoman

esther
September 29th, 2002, 16:38
Hiya,
Thank you for respecting the board.
Try bpx GetVolumeInformationA, it might help.

Best regards

Nigma
September 29th, 2002, 20:53
Well, a hardware ID is actually a string when we talk about keygens. Try to find in the reg routine where this string is first used; at this point jmp to somewhere else in the proggie's code (like an inline patch) and change the string to some unique hardware ID, for example your hardware ID! So there is ONLY ONE HARDWARE ID, so you will need just one key to distribute.

wonderwoman
September 29th, 2002, 21:15
Thanks esther and nigma

Would it be possible to change the string in the reg file, as I have got one computer where the program works and I am trying to duplicate the string on the other computer so the two computers have the same ID? I have used regmon to try and locate the string but up to now it has been pretty elusive.

WonderWoman

disavowed
September 29th, 2002, 21:18
Quote:
Originally posted by wonderwoman
You would not be able to get the program anyway

don't count on it

Woodmann
September 29th, 2002, 22:11
Disa......

Peace, Woodmann

Snatch
September 29th, 2002, 22:37
I have come across this type of program before and it's a royal pain. Most likely though all you have to do is patch one jump where it does the compare, unless of course it stores other information like what kind of user you are etc. Often patching in these cases would require more work than it's worth. I would definitely go for a keygen. You can get the hardware ID I imagine from the registry, so just input that into the keygen and have it generate valid keys. The algorithm should not be hard to find. Disassemble it and see if IDA gives you library functions that can make life much easier.

Snatch

Clandestiny
September 30th, 2002, 02:48
Hiya,

Without knowing the name of your target and without benefit of any code, it is difficult to give *specific* advice... With that said, have you considered running an API monitor? It's very probable that the prog is using a standard Windows API to obtain the hardware-specific info (i.e. like GetVolumeInformationA which Esther suggested). You should be able to pick out suspicious function calls from your log and then you can look them up in your API reference. Alternatively, you could study the list of imports from your disassembly, but IMO the real-time API log will give you less "noise" to sift through in looking for your function. If you need more specific help, I'm afraid you'll have to provide more specifics about what you've tried, some code where you think the serial is calculated, etc.

Cheers,
Clandestiny

tgodd
September 30th, 2002, 03:46
Try using a disk editor and edit the primary drive's MBR to have the same serial number as the drive the software is currently working on.

tgodd
September 30th, 2002, 03:52
It is also possible that the software is using the hardware MAC address of your NIC card.

cyberheg
September 30th, 2002, 07:51
I was wondering... There was a time when Intel introduced their CPU serial thing. I wonder if it's possible to get hold of it via software or you need to enable it before it gets available. Maybe some of you guys messed around with it before. Today it's common to use the serial of the formatted partition, but as you guys pointed out already it's easy to exploit and change using a disk editor for your own needs.

// CyberHeg

DakienDX
September 30th, 2002, 08:41
Hello tgodd !

I'm sure you don't think of the HD's MBR, else you must be mistaken.
No serial number is stored in the MBR, only the partition boot sector loader.


Hello cyberheg !

Only the P3 had a serial number. It was always activated, and if you didn't like it you had to run an Intel program every time you restarted your computer to disable reading the serial until the next reboot. Some weeks after the P3 was out, the first magazines found ways to enable the serial again without rebooting.

Since the end users weren't very happy that they were "unique" users, Intel decided to drop the CPUs with serial numbers again.
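
An added example, not code from the thread, that makes DakienDX's correction concrete and shows the "disk editor" change cyberheg mentions: the volume serial of a FAT or NTFS volume lives in the partition boot sector (the first sector of the volume), not in the MBR. The field offsets below are the public FAT and NTFS on-disk layouts; the two sectors are constructed in memory, so nothing touches a real disk. For FAT the 4-byte field is exactly the DWORD a GetVolumeInformationA call reports; NTFS stores an 8-byte serial from which Windows derives the 32-bit value it reports (that derivation is an assumption left out here, the raw field is returned instead).

```python
import struct

SECTOR = 512
# Field offsets from the FAT (Microsoft FAT spec) and NTFS boot sector layouts.
FAT16_EXT_SIG_OFF, FAT16_VOLID_OFF = 0x26, 0x27   # BS_BootSig (0x29), BS_VolID (4 bytes)
FAT32_EXT_SIG_OFF, FAT32_VOLID_OFF = 0x42, 0x43   # same fields, shifted by the larger FAT32 BPB
FAT16_FSTYPE_OFF, FAT32_FSTYPE_OFF = 0x36, 0x52   # BS_FilSysType (8 bytes)
NTFS_SERIAL_OFF = 0x48                            # 8-byte NTFS volume serial


def identify(sector: bytes) -> str:
    """Classify a boot sector; only the three layouts this example handles."""
    if len(sector) < SECTOR or sector[510:512] != b"\x55\xAA":
        raise ValueError("not a boot sector (bad length or missing 55 AA signature)")
    if sector[3:11] == b"NTFS    ":
        return "NTFS"
    if sector[FAT32_EXT_SIG_OFF] == 0x29 and sector[FAT32_FSTYPE_OFF:FAT32_FSTYPE_OFF + 5] == b"FAT32":
        return "FAT32"
    if sector[FAT16_EXT_SIG_OFF] == 0x29 and sector[FAT16_FSTYPE_OFF:FAT16_FSTYPE_OFF + 3] == b"FAT":
        return "FAT16"
    raise ValueError("unrecognised boot sector")


def read_volume_serial(sector: bytes):
    """Return (fs_type, serial). FAT: the DWORD GetVolumeInformationA reports; NTFS: raw 64-bit field."""
    fs = identify(sector)
    if fs == "NTFS":
        return fs, struct.unpack_from("<Q", sector, NTFS_SERIAL_OFF)[0]
    off = FAT32_VOLID_OFF if fs == "FAT32" else FAT16_VOLID_OFF
    return fs, struct.unpack_from("<I", sector, off)[0]


def write_volume_serial(sector: bytes, new_serial: int) -> bytes:
    """Return a copy of the sector with the serial field rewritten: the disk-editor change."""
    fs = identify(sector)
    out = bytearray(sector)
    if fs == "NTFS":
        struct.pack_into("<Q", out, NTFS_SERIAL_OFF, new_serial)
    else:
        struct.pack_into("<I", out, FAT32_VOLID_OFF if fs == "FAT32" else FAT16_VOLID_OFF, new_serial)
    return bytes(out)


def make_fat32_sector(serial: int) -> bytes:
    """Constructed minimal FAT32 boot sector: only the fields inspected above are meaningful."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x58\x90"                         # jump instruction
    s[3:11] = b"MSWIN4.1"                            # OEM name
    s[FAT32_EXT_SIG_OFF] = 0x29                      # extended boot signature
    struct.pack_into("<I", s, FAT32_VOLID_OFF, serial)
    s[FAT32_FSTYPE_OFF:FAT32_FSTYPE_OFF + 8] = b"FAT32   "
    s[510:512] = b"\x55\xAA"
    return bytes(s)


def make_ntfs_sector(serial: int) -> bytes:
    """Constructed minimal NTFS boot sector."""
    s = bytearray(SECTOR)
    s[0:3] = b"\xEB\x52\x90"
    s[3:11] = b"NTFS    "
    struct.pack_into("<Q", s, NTFS_SERIAL_OFF, serial)
    s[510:512] = b"\x55\xAA"
    return bytes(s)


if __name__ == "__main__":
    fat = make_fat32_sector(0x5A5A0001)
    print(read_volume_serial(fat))
    print(read_volume_serial(write_volume_serial(fat, 0x12C41221)))
    print(read_volume_serial(make_ntfs_sector(0x1122334455667788)))
```

On a real machine the same edit is made with a disk editor at those offsets in the volume's first sector; the 0x55AA signature at offset 510 must be left intact or the volume will not boot.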

cHeCksUm
September 30th, 2002, 10:23
Hello,
Thought I might give some general advice. I cracked a program that uses the same type of scheme (i.e. hardware based; the program is Legato Networker Solaris/Windows if you're wondering). What I found there was that it was really annoying (read: hard) tracing around the code to find the serial routine (it uses like twenty different exe's, and all do specific stuff... talk about a Unix prog port) and it has multiple codes. Anyhow, in the end the easiest way to crack it was by simply cracking the compare routine. However, I still go back to that target now and again to see if I can make a keygen for it. An idea would be to find the DLL it uses to check the serial and (if possible... speculating here) write a "custom" keygen which utilizes their own DLL to create a valid serial. Another approach is to find the part which generates the hostid and simply make it the same as your other machine, either by:
a.) modifying the generation routine
b.) having it not generate it but set it rather.
Well, as I am myself a newbie this is all the advice I can give. Hope it maybe gave you some ideas of how to attack it.

// cHeCksUm
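
An added worked example, not code from the thread or from the target program (whose algorithm is never recovered here), tying together Nigma's "pin the hardware ID" idea, Snatch's keygen suggestion and cHeCksUm's "set the hostid rather than generate it" approach. The scheme is a constructed stand-in: the hardware ID is the 32-bit volume serial a GetVolumeInformationA call would return, and the key is 11 groups of 4 hex digits (the format wonderwoman describes) derived with an HMAC under an assumed vendor secret. The registration check compares group by group, which is what wonderwoman suspects the target does, and is why a breakpoint on a string compare can fire once per group.

```python
import hmac
import hashlib

GROUPS = 11
# Assumption: a vendor secret baked into the binary; a keygen needs only this and the ID scheme.
VENDOR_SECRET = b"example-vendor-secret"


def hardware_id_from_volume_serial(volume_serial: int) -> str:
    """Render the DWORD a GetVolumeInformationA-style call returns as 'XXXX-XXXX'.

    In memory the serial is 4 little-endian bytes, not this text, which is why
    searching for the printable form can come up empty.
    """
    return f"{(volume_serial >> 16) & 0xFFFF:04X}-{volume_serial & 0xFFFF:04X}"


def keygen(hardware_id: str, secret: bytes = VENDOR_SECRET) -> str:
    """Derive the 11x4 hex-digit key bound to one hardware ID (constructed scheme)."""
    digest = hmac.new(secret, hardware_id.encode(), hashlib.sha256).digest()
    return "-".join(digest[2 * i:2 * i + 2].hex() for i in range(GROUPS))


def check_serial(entered: str, hardware_id: str, secret: bytes = VENDOR_SECRET):
    """Group-by-group compare, as many registration routines do.

    Returns (ok, index_of_first_mismatching_group); the index is None when ok.
    """
    expected = keygen(hardware_id, secret).split("-")
    entered_groups = entered.lower().split("-")
    if len(entered_groups) != GROUPS:
        return False, 0
    for i, (got, want) in enumerate(zip(entered_groups, expected)):
        if got != want:
            return False, i
    return True, None


class Product:
    """Stand-in for the protected program: asks an ID source, then checks the key."""

    def __init__(self, get_hardware_id):
        self._get_hardware_id = get_hardware_id

    def register(self, serial: str) -> bool:
        return check_serial(serial, self._get_hardware_id())[0]


def pin_hardware_id(product: Product, fixed_id: str) -> None:
    """Nigma's / cHeCksUm's approach: replace the ID generation with a constant.

    In the real target this is an inline patch where the ID is first used;
    here it is simply swapping the callable.
    """
    product._get_hardware_id = lambda: fixed_id


def demo():
    # Two constructed machines with different volume serials.
    id_a = hardware_id_from_volume_serial(0x12C41221)
    id_b = hardware_id_from_volume_serial(0x5A5A0001)
    key_a = keygen(id_a)

    machine_b = Product(lambda: id_b)
    rejected = not machine_b.register(key_a)      # A's key does not fit B

    # Approach 1 (Snatch): keygen for B's own ID.
    keygen_ok = machine_b.register(keygen(id_b))

    # Approach 2 (Nigma): pin B's ID to A's, so A's single key works everywhere.
    pin_hardware_id(machine_b, id_a)
    pinned_ok = machine_b.register(key_a)
    return id_a, key_a, rejected, keygen_ok, pinned_ok


if __name__ == "__main__":
    print(demo())
```

The index returned by check_serial is the practical hook: breaking on the compare and watching which group fails tells you where in the key the routine is, without needing the whole algorithm first.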

wonderwoman
September 30th, 2002, 10:49
I know exactly what you mean, checksum. I spent 12 hrs yesterday searching through the code for the right compare and I am still yet to find it. I used the GetWindowTextA breakpoint and searched high and low for the correct compare statement. Is it possible, as I know the serial is 11 sets of 4 numbers (12c4-1221.....), that the serial number will not show up as it is stored in hex? I also think that each set of 4 numbers is compared separately, and there are eleven of them. I think I am a bit out of my depth with this program as I do not have a great deal of experience; I have cracked simple serial protection but this is another level. I do know it uses GetVolumeInformationA to get the hardware ID, but I have got no chance of patching the hardware ID. I will check to see if it uses the partition ID, it may well do.

The program is called winserver but it is not available to download off the internet, it is not commercially available.

Thanks everyone for your posts,

wonderwoman

cyberheg
September 30th, 2002, 10:50
Thanks for the info DakienDX. I read a few weeks ago that the next version of Intel's CPUs will include digital certificates, which should be even worse than those serial numbers.

This is probably offtopic for this thread though.

// CyberHeg

Lord_Soth
September 30th, 2002, 10:52
I've come across a protection that is even worse. I can't really get into any specifics but it profiles your system and that is used to generate a keyfile (the generation part is done at the company's side).
bitchin'

hehe

tgodd
September 30th, 2002, 14:34
You are so correct DakienDX;

My slip.

wonderwoman
September 30th, 2002, 14:48
Can anyone please point me in the direction of a good tut on this subject (serial crack which uses a hardware ID)? I have looked high and low and cannot find anything; I feel as though I am banging my head against a brick wall.

WonderWoman

Snatch
October 1st, 2002, 00:23
Bottom line is the hardware ID you are seeing could be any number of things. Look at the one Microsoft makes! It hashes together all kinds of things to try to make it as unique as it can. The P3 serial might or might not be in there. It could check if the P3 serial is available; if it isn't it stores one value, and if it is it stores the actual serial value hashed, etc. There are infinite possibilities of what could have been done. You need to use API spies and see if there's any hardware function or special CPU instruction (CPUID for one) being executed. Chances are everything is done in one routine.

Snatch
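
An added example, not code from the thread, of the triage Clandestiny and Snatch describe: run the target under an API monitor, pull out the calls to the usual hardware-ID sources, and turn them into breakpoint targets (bpx on the API, then the caller's return address). The log lines and the watchlist of APIs are constructed for this example; real monitors use their own formats. The last function addresses wonderwoman's question about the ID being "binary": it turns the captured DWORD into the byte patterns that are actually present in memory, so the search is done on raw little-endian bytes rather than only on the printable serial.

```python
import re
from dataclasses import dataclass

# Assumption: a practitioner's watchlist of Win32 APIs commonly used as
# hardware-ID sources. Not exhaustive and not taken from the target.
FINGERPRINT_APIS = {
    "GetVolumeInformationA": "volume serial (out-param lpVolumeSerialNumber)",
    "GetVolumeInformationW": "volume serial (out-param lpVolumeSerialNumber)",
    "GetAdaptersInfo": "NIC MAC address",
    "GetComputerNameA": "machine name",
    "GetComputerNameW": "machine name",
    "GetSystemInfo": "CPU count/type",
    "GetVersionExA": "OS version fields",
}

# Constructed log line format: [seq] Api(args) = ret caller=0x........ key=value ...
LINE_RE = re.compile(
    r"^\[(?P<seq>\d+)\]\s+(?P<api>\w+)\((?P<args>[^)]*)\)\s*=\s*(?P<ret>\S+)"
    r"\s+caller=(?P<caller>0x[0-9A-Fa-f]{8})(?P<extra>.*)$"
)
KV_RE = re.compile(r'(\w+)=(0x[0-9A-Fa-f]+|"[^"]*"|\S+)')


@dataclass
class Call:
    seq: int
    api: str
    args: str
    ret: str
    caller: str
    extra: dict


def parse_log(lines):
    """Parse monitor output; lines that do not match the format are skipped."""
    calls = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        extra = {k: v.strip('"') for k, v in KV_RE.findall(m.group("extra"))}
        calls.append(Call(int(m.group("seq")), m.group("api"), m.group("args"),
                          m.group("ret"), m.group("caller"), extra))
    return calls


def find_fingerprint_sources(calls):
    """Return (api, caller, captured_value_or_None, why) for each watchlisted call."""
    hits = []
    for c in calls:
        if c.api not in FINGERPRINT_APIS:
            continue
        value = c.extra.get("VolumeSerialNumber") or c.extra.get("MacAddress")
        if isinstance(value, str) and value.lower().startswith("0x"):
            value = int(value, 16)
        hits.append((c.api, c.caller, value, FINGERPRINT_APIS[c.api]))
    return hits


def serial_search_patterns(dword: int) -> dict:
    """Forms a 32-bit serial can take in memory; search for each, not just the text."""
    return {
        "le_bytes": dword.to_bytes(4, "little"),                   # raw DWORD as stored
        "hex_text": f"{dword:08X}",                                # if the prog formats it
        "dashed_text": f"{dword >> 16:04X}-{dword & 0xFFFF:04X}",  # 'vol'-style display
        "decimal_text": str(dword),
    }


SAMPLE_LOG = [  # constructed for this example
    '[0001] GetModuleHandleA("kernel32.dll") = 0x77E60000 caller=0x00401020',
    '[0002] GetVolumeInformationA("C:\\", ...) = 1 caller=0x00402A1C VolumeSerialNumber=0x12C41221',
    '[0003] GetWindowTextA(0x000A0B2C, ...) = 9 caller=0x00403F10 text="12c4-1221"',
    '[0004] lstrcmpA(0x0012F8A0, 0x0012F8C4) = -1 caller=0x00403F88',
    'noise line the parser should skip',
]


def triage(lines=SAMPLE_LOG):
    """Breakpoint plan: bpx on the API, then break at the caller to follow the value."""
    return [{"bpx": api, "caller": caller, "value": value, "why": why}
            for api, caller, value, why in find_fingerprint_sources(parse_log(lines))]


if __name__ == "__main__":
    for hit in triage():
        print(hit)
    print(serial_search_patterns(0x12C41221))
```

For the constructed serial 0x12C41221 the bytes to search for are 21 12 C4 12; the printable "12C4-1221" only appears once the program has formatted the value, which may happen late or not at all.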

UrgeOverKill
October 5th, 2002, 03:27
Quote:
Originally posted by wonderwoman
Can anyone please point me in the direction of a good tut on this subject (serial crack which uses a hardware ID)? I have looked high and low and cannot find anything; I feel as though I am banging my head against a brick wall.

WonderWoman


you might try Snakes home page. It was up a while ago, kinda dated but good place to start.

fjrp2
October 7th, 2002, 17:24
Hi wonderwoman,

I read a very nice article about hardware-checking routines (related to the new Fritz technology) that might help you.
I'm going to search for it and I'll post you the link tomorrow.

It was like an ISP provider that also offered 'resources' to 'abonate' lusers, I mean users.
Then it'd remotely check for some hardware info in the client and either let him download/use/etc. or not.

It was nicely explained, with an example.

(Btw, nice to see more girls here )

esther
October 8th, 2002, 02:03
Quote:
Originally posted by fjrp2
(Btw, nice to see more girls here )

Zen-Cracking?

Kayaker
October 8th, 2002, 04:27
Quote:
Originally posted by esther
(Btw, nice to see more girls here )

Zen-Cracking?

LOL, good point
But welcome anyway if Zen is correct

Kayaker

fjrp2
October 8th, 2002, 18:29
Hi wonderwoman,
as promised I'm attaching here the doc.
It's incredible how much it reminds me of some old 'dongles' (the boasting I mean): "Impossible to crack", "the ultimate anti-pirating gizmo", "it would take 10,000,000 years to find the correct password"...
That's the pdf.
And if you visit their page you have there some more info PLUS a complete explanation of how they hacked Windows XP hardware-checking routine.

Hope it helps.
(Now, how about a date?)

[EDIT]Hi wonderwoman,
the .pdf was too big to download (it's 140.985 bytes long), so I just copied the first page, and let you search for it

Js
October 8th, 2002, 20:15
fjrp2 you smoothie, how do you know ww is a girl? esther has been around for years and I thought he was a woman till recently. Guess if ww is not a girl your request should be in the "perverse engineering forum" :-)

fjrp2
October 10th, 2002, 16:27
Hi Js,

I know, but you gotta try first.
I also use the reversing approach with it

hobferret
October 19th, 2002, 10:54
Hi there, I have come across something like this a long time ago. In the end I found that a bpx VarBstrCmp gave the answer!

BTW just been down to Corona looking for more aliens!!!