
Win CE Program Cracked... Or not???


voidunknown
June 17th, 2005, 12:38
I'm new to the forums, and to Windows CE cracking. I'm working on a GPS program. So, I loaded my program into IDA Pro, found the serial check spot, changed a BEQ to B. Started the program on my PPC and it seemed to work. However, when the program is cracked, it works for 3 minutes (180 seconds) and then DROPS the GPS signal. I know it's not the receiver, it's the program refusing GPS information. Anyone have any ideas? Here is the code:

I changed:
.text:000E6ADC BEQ loc_E6B7C ; Branch
TO
.text:000E6ADC B loc_E6B7C ; Branch

Code:

.text:000E6A84 loc_E6A84 ; CODE XREF: sub_E61A0+90Cj
.text:000E6A84 ADD R0, SP, #0x6744+var_6714 ; Rd = Op1 + Op2
.text:000E6A88 LDRB R1, [R4,R0] ; Load from Memory
.text:000E6A8C SUB R0, R3, #1 ; Rd = Op1 - Op2
.text:000E6A90 SUBS R3, R3, #1 ; Rd = Op1 - Op2
.text:000E6A94 MOV R2, R1,LSL R0 ; Rd = Op2
.text:000E6A98 MOV R1, R5,LSL#16 ; Rd = Op2
.text:000E6A9C ORR R0, R2, R1,LSR#16 ; Rd = Op2 | Op1
.text:000E6AA0 MOV R2, R0,LSL#16 ; Rd = Op2
.text:000E6AA4 MOV R5, R2,LSR#16 ; Rd = Op2
.text:000E6AA8 ADD R4, R4, #1 ; Rd = Op1 + Op2
.text:000E6AAC BNE loc_E6A84 ; Branch
.text:000E6AB0 CMP R4, #0x10 ; Set cond. codes on Op1 - Op2
.text:000E6AB4 BLT loc_E6A7C ; Branch
.text:000E6AB8 MOV R0, #0xB ; Rd = Op2
.text:000E6ABC BL sub_C23A4 ; Branch with Link
.text:000E6AC0 MOV R1, #0xB ; Rd = Op2
.text:000E6AC4 MOV R7, R0 ; Rd = Op2
.text:000E6AC8 BL sub_2D7800 ; Branch with Link
.text:000E6ACC MOV R0, R6,LSL#16 ; Rd = Op2
.text:000E6AD0 MOV R3, R5,LSL#16 ; Rd = Op2
.text:000E6AD4 MOV R1, R0,LSR#16 ; Rd = Op2
.text:000E6AD8 CMP R1, R3,LSR#16 ; Set cond. codes on Op1 - Op2
.text:000E6ADC BEQ loc_E6B7C ; Branch
.text:000E6AE0 LDR R1, =unk_34FA4C ; char *
.text:000E6AE4 LDR R0, =unk_34FA40 ; char *
.text:000E6AE8 BL fopen ; Branch with Link
.text:000E6AEC MOV R4, R0 ; Rd = Op2
.text:000E6AF0 LDR R0, =unk_34FA38 ; void *
.text:000E6AF4 MOV R3, R4 ; FILE *
.text:000E6AF8 MOV R2, #6 ; size_t
.text:000E6AFC MOV R1, #1 ; size_t
.text:000E6B00 BL fwrite ; Branch with Link
.text:000E6B04 MOV R0, R4 ; FILE *
.text:000E6B08 BL fclose ; Branch with Link
.text:000E6B0C ADD R0, SP, #0x6744+var_66B4 ; Rd = Op1 + Op2
.text:000E6B10 BL sub_2DFED4 ; Branch with Link
.text:000E6B14 ADD R0, SP, #0x6744+var_66EC ; Rd = Op1 + Op2
.text:000E6B18 BL sub_2DFED4 ; Branch with Link
.text:000E6B1C LDR R0, [SP,#0x6744+var_6730] ; Load from Memory
.text:000E6B20 BL sub_C23AC ; Branch with Link
.text:000E6B24 LDR R0, [SP,#0x6744+var_671C] ; Load from Memory
.text:000E6B28 BL sub_C23AC ; Branch with Link
.text:000E6B2C LDR R0, [SP,#0x6744+var_6734] ; Load from Memory
.text:000E6B30 BL sub_C23AC ; Branch with Link
.text:000E6B34 LDR R0, [SP,#0x6744+var_6738] ; Load from Memory
.text:000E6B38 BL sub_C23AC ; Branch with Link
.text:000E6B3C MOV R0, R11 ; Rd = Op2
.text:000E6B40 BL sub_C23AC ; Branch with Link
.text:000E6B44 MOV R0, R10 ; Rd = Op2
.text:000E6B48 BL sub_C23AC ; Branch with Link
.text:000E6B4C MOV R0, R9 ; Rd = Op2
.text:000E6B50 BL sub_C23AC ; Branch with Link
.text:000E6B54 MOV R0, R7 ; Rd = Op2
.text:000E6B58 BL sub_C23AC ; Branch with Link
.text:000E6B5C MOV LR, #0xA ; Rd = Op2
.text:000E6B60 MOV R9, LR ; Rd = Op2
.text:000E6B64 STR LR, [SP,#0x6744+var_673C] ; Store to Memory
.text:000E6B68 MOV R0, R9 ; Rd = Op2
.text:000E6B6C MOVL R12, 0x6720
.text:000E6B74 ADD SP, SP, R12 ; Rd = Op1 + Op2
.text:000E6B78 LDMFD SP!, {R4-R11,PC} ; Load Block from Memory
.text:000E6B7C ; ---------------------------------------------------------------------------
.text:000E6B7C
.text:000E6B7C loc_E6B7C ; CODE XREF: sub_E61A0+93Cj
.text:000E6B7C MOV R0, #0x34 ; Rd = Op2
.text:000E6B80 BL sub_C23A4 ; Branch with Link
.text:000E6B84 MOV R1, #0x34 ; Rd = Op2
.text:000E6B88 MOV R4, R0 ; Rd = Op2
.text:000E6B8C BL sub_2D7800 ; Branch with Link
.text:000E6B90 LDR R0, [SP,#0x6744+var_6730] ; Load from Memory
.text:000E6B94 MOV R2, #0x34 ; size_t
.text:000E6B98 MOV R1, R0 ; void *
.text:000E6B9C MOV R0, R4 ; void *
.text:000E6BA0 BL memcpy ; Branch with Link
.text:000E6BA4 LDR R0, [SP,#0x6744+var_6728] ; void *
.text:000E6BA8 MOV R2, #0x35 ; size_t
.text:000E6BAC MOV R1, #0 ; int
.text:000E6BB0 BL memset ; Branch with Link
.text:000E6BB4 LDR R5, [SP,#0x6744+var_6738] ; Load from Memory
.text:000E6BB8 LDR LR, [SP,#0x6744+var_6728] ; Load from Memory
.text:000E6BBC MOV R2, #0x34 ; Rd = Op2
.text:000E6BC0 LDR R6, [SP,#0x6744+var_6734] ; Load from Memory
.text:000E6BC4 MOV R3, #0x31 ; Rd = Op2
.text:000E6BC8 SUB R1, R10, LR ; Rd = Op1 - Op2
.text:000E6BCC

laola
June 18th, 2005, 07:05
*sigh*
So you just changed one check to ignore the invalid serial. Did you ever think about the possibility that the developers might have used serial checks in multiple places? Why is it so difficult for newbies to use their imagination? One of the most essential things about reverse engineering is using the grey stuff between your ears (and I'm not talking about earwax). Just imagine how you would protect your stuff against curious people? Right, the most commonly used thing is a CRC check. In second place comes duplicating code to perform checks in various places.
Now go ahead and use your head

voidunknown
June 18th, 2005, 11:29
I figured that there was more than 1 check. I found a second place already, but it still didn't fix it. What does a CRC check look like? Got an example? I said I was new to cracking, not that I was stupid. I was only asking for a little guidance, not bashing. I figured that there might be some kind of timer, and it might be easier to disable the timer rather than find every spot in the code where the serial/activation is checked.

JMI
June 18th, 2005, 13:50
voidunknown:

Reversing is not something one should just wake up one day and say to themselves: "Hell, I can do that." It also is not something one should just jump into without some substantial preparation. It is both a "wide" and a "deep" subject which generally requires some substantial "study" and, particularly, "preparation" before it should be attempted. By "study" and "preparation," I mean there is a great deal of work one should actually do before you pick up some "tut" and blindly try to follow along without activating your brain.

So far, it appears that your brain is in hibernation on several levels. The first level is that, despite the instructions when you Registered, you have OBVIOUSLY FAILED TO READ THE FRIGGIN FAQ. We even went to the trouble of adding below the signature of all new members the phrase:

"I promise that I have read the FAQ and tried to use the Search to answer my question."

Despite these statements, YOU didn't read the FAQ, because "cracking" that program was just TOO important to YOU, for you to BOTHER YOURSELF with doing what you SHOULD do, instead of what you WANTED to do. So you noticed that your program had a serial number input box and you said to yourself: "Damn this cracking stuff sure is simple, I think I'll just reverse a jump where it goes off to the serial input box and I'll own this puppy."

Of course, you also didn't bother actually LEARNING very much at all about reverse code engineering before you started out, because YOU were too smart and too much in a hurry to "defeat" these stupid protection makers and impress your friends with your "special" talents. But, damn Boss, I reversed a single jump and it didn't work, what should I do now ..... I know, I still won't use my brain, I'll just ask someone else to solve the problem for me and then I can still impress my friends by NOT telling them I REALLY don't have ANY idea what I'm doing and someone else did it for me.

Now there are many "possibilities" why reversing a single call to a serial input box will not magically cure all protection in a piece of software. Did that occur to you??? If it did, what did YOU do with that thought? Did you believe the makers of the software put as little effort into protecting their software and YOU apparently did in trying to learn how to crack it???

Among the many possibilities, as laola suggested, is the possibility that the software author included code in the software to actually check if some complete "noob wannabe cracker" changed ANYTHING in the program. If they did, guess what, the damn thing just won't work. Boy, weren't YOU shocked to find out someone might actually be trying to determine if YOU were mucking with the software they were trying to make money from by having you buy it instead of "liberate" it. How could the world be so cruel?

Of course, true to "character", YOU are so self-confident, but under motivated, that you don't yet recognize GOOD ADVICE when you read it and, instead, you thought you would just go back and "it might be easier to disable the timer rather than find every spot in the code where the serial/activation is checked."

Now, let's give "a little credit" where a "little" credit is due. You were bright enough to figure out that if the program was shutting down in "180 seconds" there must be some form of a "timer" somewhere. Of course you haven't suggested YOU know anything about how that might be done and you suggest you just want to "disable" it, which would just be more "changes" to the code. But, hey, it's YOUR LIFE, why start now using your noggin for anything other than holding up your hair.

But what is not "yours" is this Forum and YOU haven't yet done what the evil "WE" require of posters if they want to post here. It's not that complicated and it IS, in fact, spelled out plainly in the damn FAQ YOU still haven't read OR at least followed.

So, Bunky, here's what you better do FIRST, before you get ignorant enough to post again. Read what the FAQ tells you to do, which means YOU are supposed to do the "basic" research BEFORE you post a question here. YOU are supposed to use the DAMN search button at the top of the Forums and search out whether your question has come up before so YOU aren't asking for the umpteenth time how one ties their shoes so they can take a few steps through the dark codewoods without tripping over their feet in the dark. THEN, YOU are supposed to search out topics on the net about reversing and/or, gasp, you might actually read a lot of the information contained in the links conveniently listed at the bottom of these Forums.

THEN, and only then, when you have at least some understanding of the basics and you have actually THOUGHT about your problem at a deeper level than "well the first thing I tried didn't work," and you have thought about how to actually explain how YOU have attempted to analyze the possibilities of what may be going wrong with your efforts to reverse a target, should you ask for help and THEN you should, again, follow the instructions in the FAQ about what and how to post.

Now here's a way to THINK about your problem. Let's assume the software author has at least "slightly" more experience at cracking than YOU do, at least in the sense that he needs to know how to determine if YOU are mucking with his code. Now it might be as simple as knowing YOU might reverse a single jump and think you are "King of the World" and having, duh, more than one check of the entry of the correct serial number.

OR what a reasonably competent coder might do is add some code which checks if you are mucking with ANYTHING in his code and, if it determines you have, it sends you off to a timer which shuts the program down in a set time. AND there might be more than one of those. OR maybe, if you change ANYTHING, it does other things at RANDOM. OR maybe parts of the program don't work at all without a proper serial number having been entered. (Damn that's just not fair.)

So, why don't you get off your figuratively lazy butt and take laola's advice and determine whether the software is watching YOU by looking for any changes to the code. Well gee Sparky, how do I do that, you ask. Well Bunky, he mentioned the secret code word. Shhhh! don't say it out loud, someone might hear. (visualize here "invisible" ink that only you can read) "CRC check".

Well golly gee wiz Buffalo Bob, how do I do one of them there (secret word) checks?? Well Bunky, you follow the "secret path" described in the magic FAQ and you bravely touch the SEARCH button with your mouse and you enter the (secret word) and, gasp, you will see the Genie fly out of the lamp and reveal to your wondrous eyes no less than 136 previous threads discussing the subject of the (secret word) you might want to review. Entering "(secret word) reversing" in my favorite search engine (without the quote marks) gave me 12,400 hits.

Now, try to recognize that there IS a qualitative and literal difference between "being stupid" and "behaving stupidly." So far, in the reversing sense, you have been "behaving stupidly," as in not using your brain to try to solve your problem, before engaging your fingers on your keyboard. Fortunately, while there is no cure for "being stupid," there is, in fact, a relatively painless cure for "behaving stupidly." It only requires you to actually spend more time thinking and studying before engaging your keyboard. You will actually be surprised at how well that actually works. Give it a try.

Regards,
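The "CRC check" that laola and JMI refer to is a self-integrity check: the vendor embeds a checksum of its code at build time and recomputes it at run time, so any patched instruction changes the checksum and trips a hidden response (such as the 180-second timer). The following is an added illustration, not code from the thread or from the GPS program; it constructs the two ARM instructions at .text:000E6AD8/000E6ADC from the listing as a stand-in code region and shows that flipping only the condition nibble (BEQ to B) is enough to be detected.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Standard CRC-32 (IEEE 802.3, reflected, polynomial 0xEDB88320), bitwise. */
uint32_t crc32_buf(const uint8_t *buf, size_t len) {
    uint32_t crc = 0xFFFFFFFFu;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int b = 0; b < 8; b++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* Constructed stand-in for a protected code region (little-endian ARM):
   CMP R1, R3,LSR#16  -> 0xE1510823
   BEQ loc_E6B7C      -> 0x0A000026  (offset = (0xE6B7C - 0xE6ADC - 8) / 4) */
static const uint8_t code_region[8] = {
    0x23, 0x08, 0x51, 0xE1,   /* CMP R1, R3,LSR#16 */
    0x26, 0x00, 0x00, 0x0A    /* BEQ: condition field 0000 (EQ) in the top nibble */
};

/* Run-time check: 1 if the region still matches the build-time checksum. */
int code_is_intact(const uint8_t *region, size_t len, uint32_t expected) {
    return crc32_buf(region, len) == expected;
}

/* Simulates the edit in the thread: BEQ -> B changes one byte (0x0A -> 0xEA,
   condition field 1110 = AL). Returns 1 if the integrity check catches it. */
int patched_branch_detected(void) {
    uint32_t expected = crc32_buf(code_region, sizeof code_region); /* build-time value */
    uint8_t patched[8];
    memcpy(patched, code_region, sizeof patched);
    patched[7] = 0xEA;                        /* B loc_E6B7C */
    return !code_is_intact(patched, sizeof patched, expected);
}

int main(void) {
    printf("original CRC32: 0x%08X\n", crc32_buf(code_region, sizeof code_region));
    printf("patch detected: %s\n", patched_branch_detected() ? "yes" : "no");
    return 0;
}
```

A real protector would hide the expected value and the comparison rather than keep them next to each other as done here, and may check several regions from several places, which is exactly why reversing a single branch is rarely enough.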