Help getting back on track..
krylon
February 18th, 2003, 19:25
Hello everyone, I've recently gotten addicted to a fun little game, Dynomite (it's a Yahoo game that you can also download). Well, after getting me all into the game, it wanted to be registered to continue playing (go figure)! So I figured, after successfully completing many a crackme, I would make this my first real target.
What I've gathered so far:
It writes some game-specific info to the registry, along with how many times you've played. After playing about 20+ games it wouldn't let me play anymore.. so I figured let me change the timesplayed value in the registry (not really expecting it to work). Well, it didn't, and it then defaulted the times played to 100.
So I figured it made a file somewhere that it checked for an expired game. The game directory had no suspicious files, but using Filemon I found the culprit. It creates the file popcinfo.dat in c:/winnt and its value (in hex) is ..Dynomite.. when the game is still playable, and ..Dynomited.. when the timesplayed reaches the limit.
So resetting the timesplayed in the registry and deleting that file proved effective, and I can continue to play the game. However, my goal is to make it think it's registered so I don't have the hassle (and so I can save my high scores!).
So a little more digging with W32Dasm and I see that it also looks for the reg keys RegName and RegCode in the registry, which I assume is where it will store the values once you register the game. I made the keys manually, followed the code that queries the value, and tried to trace how it manipulates the name, hoping to find the RegCode that it compares my bogus one to. I think I also found a string that it may use to create the RegCode from, like a sort of hash (it's at 4A4900). Basically I just got lost following it around.. and maybe my approach is wrong.
So I'm posting this mainly for some input to put me back on the right track, from some people with fresh eyes! I'm gonna take a break from it tonight and jump back in tomorrow. My next step was going to be trying to break the prog when I input some bogus registration values from within the game and see if I can follow it from there.
The prog is written in C++ according to the language, and I do not believe it to be packed in any way. Thanks for your time (and for reading this long post!)
-Krylon
disavowed
February 18th, 2003, 21:05
Quote:
Originally posted by krylon
So I'm posting this mainly for some input to put me back on the right track, from some people with fresh eyes!
I haven't taken a look at the program, but it sounds like you're definitely on the right track. The only piece of advice I have is that it might never compare your bogus regcode to the valid one (depending on how it does the hashing, etc.)
But it looks like you don't need help, and that you know what you're doing!
Manko
February 19th, 2003, 16:18
..Dynomited..
You know why? I thought it was really funny!
d=64h=100 (So now you know it stores it in 2 places...)
And right after it pulls the other from the registry, it compares them and if they differ it puts 100=64h=d in both reg and file, as you mentioned.
Anyway! Nice game! Gonna look at this one tonight...
How's it gone for you?
/Manko
krylon
February 19th, 2003, 16:35
haha very interesting Manko...
I'm pretty much still where I was yesterday. I do have a question: what are some other ways of reading in text from the user? Since this game doesn't use dialog boxes, there is no handy GetDlgItem to look for.
disavowed
February 19th, 2003, 17:23
GetWindowTextA
SendMessage with WM_GETTEXT
krylon
February 19th, 2003, 17:45
Hmm, neither of those are used (well, SendMessage wasn't used as mentioned).. I must admit I'm a little thrown off by the "graphical" nature of this program. I'm not totally lost, but I have been scanning the imported functions trying to find ones that looked useful for what I'm trying to do.
Thanks for the help disavowed, it's appreciated.

Manko
February 19th, 2003, 19:34
I solved it after many hours of tracing, to no use...
Looked at the disassembly instead...
The details are fuzzy...
Followed some string and then traced back in the disassembly and found the regproc...
It was BIG and ugly...
Was feeling tired, so I just patched it in the end...
Gonna look a little more tomorrow.
It uses the same proc for the reg entries and the textbox input...
Blah, need sleep...
/Manko
krylon
February 19th, 2003, 22:09
well I'm very interested to hear what you've found Manko.
I've been going over the code all day and it's making my brain numb again. I see that it takes the RegName and converts it all to upper-case, but I keep getting lost in the trace, not wanting to step into every call. I'm trying to see where it actually uses that large string to check for a valid RegCode.
If anyone else has decided to take a look at this prog please let me know!

Manko
February 20th, 2003, 03:33
Forget about tracing/debugging.
Disassemble!
Follow the telltale string of all simple protections (not to say that all protections that have such a string are simple, just that the simple protections usually fall if you follow that string...) back to the jnz ... jmp and you will find the proc.
Irritating, it was so simple... :P
/Manko
Manko
February 20th, 2003, 03:57
...though it might be nice to understand what it does too...
Maybe when you know where the proc is it will be simpler, combining the disassembly with debugging, renaming procs here and there... Hmm... Maybe I will have to look into it some more....
/Manko
krylon
February 20th, 2003, 20:53
Ok, well I've managed to patch it so that it will accept bogus registration info and think it's reg'd. However, each time it starts up it grabs the bogus info from the registry, checks it, and fails. So basically I would have to keep registering it every time I play it...
So I'm not there yet, and in the end I would like to understand the reg proc fully as you said and create a valid RegCode for my name. But I'm not giving up.. hah.

naides
February 20th, 2003, 22:10
Quote:
Originally posted by krylon
Ok, well I've managed to patch it so that it will accept bogus registration info and think it's reg'd. However, each time it starts up it grabs the bogus info from the registry, checks it, and fails. So basically I would have to keep registering it every time I play it...
So I'm not there yet, and in the end I would like to understand the reg proc fully as you said and create a valid RegCode for my name. But I'm not giving up.. hah.
OK. Now you need to catch the program opening the registry and reading the bogus registration info. Its validation should follow soon thereafter.
Look up the Torn@do cracker notes, which are available from the CrackZ archived site, linked below, and learn the major registry access APIs.
Either in a dead listing or in debugging, look for the area where the code reads the key that contains your registration data. Besides, you know the key name, right? Look for the string corresponding to the key name in the dead listing, or in memory. Once you know that your program has read the registration info from the registry, follow the money. . .
krylon
February 20th, 2003, 22:23
Quote:
OK. Now you need to catch the program opening the registry and reading the bogus registration info. Its validation should follow soon thereafter.
Actually, I've been watching it take the values from the registry from the get-go. It's just easy to get lost in the code here, because a lot of things seem to be going on.
Whether it reads the info from the registry or as input from the user, it uses the same proc to see if it's valid (makes sense). I patched the area of code right after it gets the values from the user and sends the info to the reg proc. I guess I need to back up a little and trick it deeper in the routine so that the reg procedure spits out a valid return.
Thanks for the insight naides!
-krylon
Manko
February 21st, 2003, 03:20
Hehe... Hi, naides!
Hmm... We've done that already, and I have it patched in 1 place to always say it's regged.
The hard part is understanding it, especially well enough to maybe make a valid serial...
Especially if you JUST follow the keys from the registry in a debugger, as we've done from the beginning.
When I switched to examining the strings and the disassembly it was pretty easy. (OK. I had to debug a certain CALL dword ptr [e?x+??] (BIG Hint!) to get there. But that was obvious...)
Now, if I could only get busy trying to understand the whole proc... But I guess, once I have a crack already, I get lazy...
/Manko
krylon
February 21st, 2003, 12:23
Quote:
(OK. I had to debug a certain CALL dword ptr [e?x+??] (BIG Hint!) to get there. But that was obvious...)
Exactly! I was looking at the dead listing while also debugging, and once I realised the similar calls it became clearer. However, I still haven't found the correct patch location to make it always think it's reg'd.
squidge
February 22nd, 2003, 19:22
Just taken a look at this game, and although it's a rehash of an old game, I got instantly addicted. Must say, however, that I was disappointed by the registration process - yet another "pages and pages of code to calculate username to serial, but a simple one or zero for success/failure".
If you need some more hints, try looking at some of the text the game throws at you whilst you attempt to register with bogus information - this should lead you to a nice jump that you can follow (see Manko's post) with your debugger and place a breakpoint at. Restarting the game, you find it calls this function again near the start, so I guessed it was the "CheckIfProgRegistered" routine, and a small (two-instruction) in-memory patch did exactly what I thought it did.
I used IDA to search for the text, but Ollydbg should be just as good.