
Good, fun, Cracking for newbies!?


Manko
October 8th, 2002, 22:17
Being a complete newbie with almost exclusively only "crap protections" on my trophy belt, I must say I really enjoyed taking a crack at this target:

IP-Tools 2.08

The program might not be worth keeping, but it's nice to see, they at least (tried to make(?)/)made an effort to protect it!

If you take a crack at this one I'd be happy to receive status reports, ideas, requests for help/hints or whatever!

But remember!
Test it thoroughly, before you think you've succeeded!
I have, and honestly don't know for sure if I did it.

/Manko

Manko
October 9th, 2002, 16:05
OK, more info...

It's the usual Name/serial/timelimit thingie.

There is no correct serial to fish, instead it produces a longer portion of bytes from the name and serial respectively.
These are checksummed against each other, and one or two places (forgot) are compared against each other.
There's also a crc-check.

The nice thing is that these are used later too...

If you press some of the buttons in the program you/it will cause access violations and tell you you've probably used a cracked serial or the program was cracked.

I've managed to quiet it down, but I'm just waiting to be surprised.

There's a number of things I don't understand though, but I'll probably dig deeper too...

Hope someone else will be interested!

/Manko

Iwarez
October 9th, 2002, 21:16
The CRC was easy to find and to quiet down. The nag screen was also easy to kill. So, uhm, what's the problem? I must say that they did not really hide their CRC checking or their checks on serial numbers. Anyway, it was a nice target to play with but not really difficult.

Manko
October 9th, 2002, 22:54
Nope, it's not hard, it's just that I haven't run into this sort of thing before, and so there must be others that haven't and would benefit from doing this crack, or at least find it amusing.
I know that almost all of you are WAY ahead of me... ;p

...but just to be sure...
Have you tried going into options and then getting out?
And have you tried to run (start) the NB Scanner or the Port Scanner for example?

You probably have already done this and if so I'd like to hear how. Could you pm me? Maybe you have a much nicer solution than I had.

(Probably I cracked it some hard way, and came out thinking too much of the protection. I think he ought to have taken it further though. Because it was too simple, if I am finished...)

/Manko

disavowed
October 10th, 2002, 04:03
Quote:
Originally posted by Manko
These are checksummed against each other, and one or two places (forgot) are compared against each other.

two

Iwarez
October 10th, 2002, 19:39
Well, don't think I ain't a newbie. Sometimes there are things discussed here where I can only dream about (ASProtect and import table rebuilding, sometime someday but not for now).

The CRC routine I changed so that it would return the correct CRC so that any checks done with the result would work. I did indeed go to the options and tried all the buttons and all works well. I may add that the program doesn't think it's registered. It doesn't show the about box with my name or something like that. I only killed the CRC routine and the resulting nag that comes up every once in a while. Registering it was not the exercise I needed. I only wanted it to run correctly after I patched it and I wanted no nag screens.

hobgoblin
October 10th, 2002, 20:25
Hi guys,
Maybe I have stared too long at this one, but I just can't seem to find the CRC routine. Anybody want to shed some light for me?
I've found the spot where the program checks the key-file, and can make the program look regg'ed. But as you say, that's not enough. I did put a bpr rw on the area where I changed the code, but no luck so far in finding the CRC..

Mail me if you feel like it...

hobgoblin.

Manko
October 10th, 2002, 20:27
to Iwarez,

Ahh! Oki. Well I of course did the same with the crc.
I went on and forced some jumps and discovered I had to do something with the data the name/serial had produced.
(EDIT: Maybe I should not give away my solution? Might spoil things... Ask me if you like...)
...because of my solution I'm not sure there's not a surprise coming later down the road.
But I also suspect there IS no timelimit, to the effect of crippling/disabling the prog... Setting the clock after expiration does nothing I can see... Or maybe I only did that on my crack? Hmm... Maybe it just gets more annoying with the nag?

Anyway... What makes me wonder even more is that the "elite" crackheads have put out loaders for v2.07. More than one group.
Haven't bothered to reverse them, but, why?!
Doesn't seem to be a need... Maybe we should check up on them?
Would be cool if there really was something missing in our cracks... Maybe it's just their response to the crc-issue though?

Wonder if the 2.07 is much different to 2.08?

Enough talk... Guess I should just go look.

/Manko

Manko
October 10th, 2002, 20:37
Quote:
Originally posted by hobgoblin
Hi guys,
Maybe I have stared too long at this one, but I just can't seem to find the CRC routine. Anybody want to shed some light for me?
I've found the spot where the program checks the key-file, and can make the program look regg'ed. But as you say, that's not enough. I did put a bpr rw on the area where I changed the code, but no luck so far in finding the CRC..

Mail me if you feel like it...

hobgoblin.


The crc is only for the exe. I guess you didn't change it? Just the data from the computation on the name/serial? Or is there a keyfile that needs to be made?
If so, you're most welcome to tell me more about it!

/Manko

Manko
October 10th, 2002, 20:51
Quote:
Originally posted by Iwarez
Sometimes there are things discussed here where I can only dream about (ASProtect and import table rebuilding, sometime someday but not for now).


Exactly how I feel. Maybe I could wing it with some good threads from here and some tutorial, but I almost don't feel worthy of trying yet! ;P
I need to take SOME time yet, learning to feel the code and use the programs and so on. Heck, I haven't even tried keygenning yet.

(hrm.. I better go get those loaders now... instead of lurking around this, admittedly, very fine establishment, writing nonsense... :P There's work to do!)

/Manko

hobgoblin
October 10th, 2002, 21:58
I found it, and I found out how to get around the CRC check. I also found out a way to crack it. At least, that's how it looks.
I just needed to get away from the program for a while, then I saw the solution right away when I got back.....
You can make a fake keyfile, and then change a couple of jumps in the programs checking routine. That's how I started out. Later I discovered a simpler way to do it....

I just have to check it out to be sure.

regards,
hobgoblin

ZaiRoN
October 12th, 2002, 13:56
In the past days I have taken a look at this target. I have tried to understand how the serial check is done, without success.
Is there someone who has tried to understand how the serial check is performed?

Here is some info for those who want to help me:
Code:
004ACC90 CALL IP_TOOLS.004236F4 ; returns the length of the registration name
004ACC95 MOV EAX,DWORD PTR SS:[EBP-8] ; eax -> registration name
004ACC98 LEA EDX,DWORD PTR SS:[EBP-4]
004ACC9B CALL IP_TOOLS.00407B88 ; moves the name in a new buffer
004ACCA0 MOV EDX,DWORD PTR SS:[EBP-4] ; edx -> name
004ACCA3 MOV EAX,EDI
004ACCA5 CALL IP_TOOLS.00423724
004ACCAA LEA EDX,DWORD PTR SS:[EBP-8]
004ACCAD MOV EAX,DWORD PTR DS:[ESI]
004ACCAF MOV EDI,DWORD PTR DS:[EAX+1F4]
004ACCB5 MOV EAX,EDI
004ACCB7 CALL IP_TOOLS.004236F4 ; returns the length of the name
004ACCBC MOV EAX,DWORD PTR SS:[EBP-8] ; eax -> serial you have typed
004ACCBF LEA EDX,DWORD PTR SS:[EBP-4]
004ACCC2 CALL IP_TOOLS.00407B88 ; moves the serial in a new buffer
004ACCC7 MOV EDX,DWORD PTR SS:[EBP-4] ; edx -> serial
004ACCCA MOV EAX,EDI
004ACCCC CALL IP_TOOLS.00423724

As you can see, it performs the same operation for both name and serial.
Code:
004ACCD1 LEA EDX,DWORD PTR SS:[EBP-8] ; edx -> serial
004ACCD4 MOV EAX,DWORD PTR DS:[ESI]
004ACCD6 MOV EAX,DWORD PTR DS:[EAX+1F0]
004ACCDC CALL IP_TOOLS.004236F4 ; !?! don't know exactly !?!
004ACCE1 MOV EAX,DWORD PTR SS:[EBP-8] ; eax -> name
004ACCE4 CALL IP_TOOLS.0049578C ; is your name just registered!?!
004ACCE9 TEST AL,AL
004ACCEB JE SHORT IP_TOOLS.004ACD29
004ACCED PUSH IP_TOOLS.004ACF5C ; ASCII "Sorry, your registration name ("
004ACCF2 LEA EDX,DWORD PTR SS:[EBP-8]
004ACCF5 MOV EAX,DWORD PTR DS:[ESI]
004ACCF7 MOV EAX,DWORD PTR DS:[EAX+1F0]
004ACCFD CALL IP_TOOLS.004236F4
004ACD02 PUSH DWORD PTR SS:[EBP-8]
004ACD05 PUSH IP_TOOLS.004ACF84 ; ASCII " is found on the "Black List".

The crackme does a check on the registration name you have typed. In the exe (starting from offset 0x947A0) I have found some *strange* strings. These strings are first decrypted to a real name and then are used to check if a name has been reused.
For example:
the second encrypted name is: Rrucsglgadnr ARyauykmnovnxds FMvodrerrits
the call at 49C7C4 converts it into the real name: Ruslan Raimond Morris
The decryption is very easy to understand... 1st char: yes, 2nd char: no, 3rd char: yes and so on.
The question is: who are these persons? I don't think that the proggie updates the file with newly registered users; that doesn't make much sense!?!
bha... go on:
Code:
004ACD29 LEA EDX,DWORD PTR SS:[EBP-8] ; [edx] -> registration name
004ACD2C MOV EAX,DWORD PTR DS:[ESI]
004ACD2E MOV EAX,DWORD PTR DS:[EAX+1F0]
004ACD34 CALL IP_TOOLS.004236F4
004ACD39 CMP DWORD PTR SS:[EBP-8],0 ; the name must be != NULL
004ACD3D JE IP_TOOLS.004ACF0E
004ACD43 LEA EDX,DWORD PTR SS:[EBP-C]
004ACD46 MOV EAX,DWORD PTR DS:[ESI]
004ACD48 MOV EAX,DWORD PTR DS:[EAX+1F4]
004ACD4E CALL IP_TOOLS.004236F4
004ACD53 CMP DWORD PTR SS:[EBP-C],0 ; the serial must be != NULL
004ACD57 JE IP_TOOLS.004ACF0E
004ACD5D LEA EDX,DWORD PTR SS:[EBP-10]
004ACD60 MOV EAX,DWORD PTR DS:[ESI]
004ACD62 MOV EAX,DWORD PTR DS:[EAX+1F0]
004ACD68 CALL IP_TOOLS.004236F4 ; returns the length of the name
004ACD6D MOV EAX,DWORD PTR SS:[EBP-10] ; eax -> registration name
004ACD70 CALL IP_TOOLS.0049E07C ; hmmm...creates buffer1 using the name
004ACD75 MOV EDI,EAX
004ACD77 LEA EDX,DWORD PTR SS:[EBP-10]
004ACD7A MOV EAX,DWORD PTR DS:[ESI]
004ACD7C MOV EAX,DWORD PTR DS:[EAX+1F4]
004ACD82 CALL IP_TOOLS.004236F4 ; returns the length of the serial
004ACD87 MOV EAX,DWORD PTR SS:[EBP-10] ; eax -> serial
004ACD8A CALL IP_TOOLS.0049E118 ; hmmm...creates buffer2 using the serial
004ACD8F CMP DI,AX ; first check !!!
004ACD92 JNZ IP_TOOLS.004ACF0E
004ACD98 MOV EAX,DWORD PTR DS:[4E22CC] ; eax -> buffer1
004ACD9D MOV EDX,1FF ; 1FFh = 511
004ACDA2 CALL IP_TOOLS.0049E060 ; checksum on 0x1FF-0x0B bytes starting from buffer1
004ACDA7 MOV EDI,EAX
004ACDA9 MOV EAX,DWORD PTR DS:[4E21D0] ; eax -> buffer2
004ACDAE MOV EDX,1FF ; 1FF = 511
004ACDB3 CALL IP_TOOLS.0049E060 ; checksum on 0x1FF-0x0B bytes starting from buffer2
004ACDB8 CMP EDI,EAX ; checksums must be equals
004ACDBA JNZ IP_TOOLS.004ACF0E ; second check !!!
004ACDC0 MOV EAX,DWORD PTR DS:[4E22CC]
004ACDC5 ADD EAX,7
004ACDC8 MOV EAX,DWORD PTR DS:[EAX] ; takes a dword from buffer1+7
004ACDCA MOV EDX,DWORD PTR DS:[4E21D0]
004ACDD0 ADD EDX,7
004ACDD3 CMP EAX,DWORD PTR DS:[EDX] ; compare between two dwords from buffer1+7 and buffer2+7
004ACDD5 JNZ IP_TOOLS.004ACF0E ; third and last check!!!

Easy to understand. There are some different checks.
The only thing we have to do is to understand how buffer1 and buffer2 are created.
There is something interesting at 49F9E6/49F9FF where it creates buffer1.

Would you like to help me?

regards,
ZaiRoN
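An added illustration of the string "decryption" ZaiRoN describes, not code from the thread or from IP-Tools: it applies his rule (keep the 1st char, drop the 2nd, keep the 3rd, ...) to the string he quotes, assuming the rule runs over the whole string, spaces included, and shows the kind of lookup such a blacklist is used for. Note that the rule as described yields "Raymond" where the post transcribes the decoded name as "Raimond".

```python
# Added example (not from the thread): decode one "blacklist" entry obfuscated
# by interleaving one junk character after every real character, then do the
# case-insensitive membership check such a list exists for.

ENCODED_ENTRY = "Rrucsglgadnr ARyauykmnovnxds FMvodrerrits"  # quoted from ZaiRoN's post


def decode_entry(encoded: str) -> str:
    """Keep the characters at even positions (0, 2, 4, ...) of the whole string.

    The junk sits at the odd positions; the spaces of the real name survive
    because they also land on even positions. There is no key involved, so this
    is obfuscation, not encryption: the plaintext is visible in every other char.
    """
    return encoded[::2]


def encode_entry(plain: str, junk: str) -> str:
    """Inverse of decode_entry: place one junk character after each real one.

    Any junk string works, which is exactly why the scheme hides nothing.
    """
    if len(junk) < len(plain):
        raise ValueError("need at least one junk character per plaintext character")
    return "".join(p + j for p, j in zip(plain, junk))


def normalize(name: str) -> str:
    """Collapse runs of whitespace and fold case so lookups are not trivially bypassed."""
    return " ".join(name.split()).casefold()


def is_blacklisted(name: str, encoded_entries) -> bool:
    """True if the typed registration name matches any decoded blacklist entry."""
    wanted = normalize(name)
    return any(normalize(decode_entry(e)) == wanted for e in encoded_entries)


if __name__ == "__main__":
    print(decode_entry(ENCODED_ENTRY))
    print(is_blacklisted("ruslan  raymond MORRIS", [ENCODED_ENTRY]))
```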