Cracking Tutor for Cookie Crusher v2.11
http://www.thelimitsoft.com/

Cookie Crusher is a program that stops web sites from dumping cookies onto your system.

Cracking Experience:
[ ] Guru
[ ] Expert
[ ] Intermediate
[ ] Beginner
[ ] Novice
[x] Newbie

Tools needed:
[x] SoftIce v3.x (I use version 4.0) <---- Debugger
[x] W32Dasm v8.93 <------------------- Disassembler
[ ] Hiew v6.x <----------------------- Hex/Dec Editor
[ ] Regview <------------------------- Registry Watcher
[ ] File Monitor <-------------------- File Monitor

You can get all tools on the web. So go get 'em. Got 'em?....GOOD. Let's dance!! I always wanted to say that.

YOU MAY WANT TO PRINT THIS OUT. IT'S 7 PAGES. CUZ ONCE YOU'RE IN SOFTICE YOU CAN'T GO BACK TO READ THIS. YOU HAVE TO EXIT SOFTICE.

Section 1.00 SoftIce:

1.10 Setting up SoftIce:
(If you have already done this and are familiar with SoftIce, skip to Section 2.00)

1.11 Editing WinIce.dat:

Winice.dat is in the directory that you installed SoftIce in (ex. C:\Program Files\Numega\Softice). Open it with NOTEPAD.EXE. Delete any line that starts with INIT=". Then add the two lines below, don't ask, just do it.
INIT="code on; altscr off; lines 60; wc 42; WD 4; faults off;"
INIT="X;"

1.12 Editing WinIce.dat to load all necessary Breakpoints:

Scroll down to the bottom of Winice.dat, now scroll up until you see:

; ***** Examples of export symbols that can be included for Windows 95 *****
; Change the path to the appropriate drive and directory
;EXP=c:\windows\system\kernel32.dll
;EXP=c:\windows\system\user32.dll
;EXP=c:\windows\system\gdi32.dll
;EXP=c:\windows\system\comdlg32.dll
;EXP=c:\windows\system\shell32.dll
;EXP=c:\windows\system\advapi32.dll
;EXP=c:\windows\system\shell232.dll
;EXP=c:\windows\system\comctl32.dll
;EXP=c:\windows\system\crtdll.dll
;EXP=c:\windows\system\version.dll
;EXP=c:\windows\system\netlib32.dll
;EXP=c:\windows\system\msshrui.dll
;EXP=c:\windows\system\msnet32.dll
;EXP=c:\windows\system\mspwl32.dll
;EXP=c:\windows\system\mpr.dll

Now delete all semicolons (;) that are in front of the EXP, so it looks like this:

; ***** Examples of export symbols that can be included for Windows 95 *****
; Change the path to the appropriate drive and directory
EXP=c:\windows\system\kernel32.dll
EXP=c:\windows\system\user32.dll
EXP=c:\windows\system\gdi32.dll
EXP=c:\windows\system\comdlg32.dll
EXP=c:\windows\system\shell32.dll
EXP=c:\windows\system\advapi32.dll
EXP=c:\windows\system\shell232.dll
EXP=c:\windows\system\comctl32.dll
EXP=c:\windows\system\crtdll.dll
EXP=c:\windows\system\version.dll
EXP=c:\windows\system\netlib32.dll
EXP=c:\windows\system\msshrui.dll
EXP=c:\windows\system\msnet32.dll
EXP=c:\windows\system\mspwl32.dll
EXP=c:\windows\system\mpr.dll

Now add these three lines:

EXP=C:\windows\system\vb40032.dll    ;<-- Visual Basic 4 runtime file
EXP=C:\windows\system\msvbvm50.dll   ;<-- Visual Basic 5 runtime file
EXP=c:\windows\system\msvcrt.dll     ;<-- MSVC run-time

WinIce.dat is now set. Restart your computer. Sorry, it has to be a full restart (that means no shift key).

1.13 Commands:

CTRL+D                 Enter/Exit SoftIce

Commands while in SoftIce:

G                      Go to
D                      Display memory
?                      Evaluate
H, F1                  Help
F5, X                  Exit SoftIce, return to Windows
F8                     Step thru code and into CALLs
F10                    Step thru code and over CALLs
F12                    Step thru until RETurn to caller
BPX                    Breakpoint
  Hmemcpy              Something is written to memory
  GetDlgItemText(A)    Get data from input fields (ex. name/serial)
  GetWindowText(A)     Get data from input fields (ex. name/serial)

With GetDlgItemText(A) and GetWindowText(A) the (A) is only needed for 32 bit programs (ex. GetDlgItemTextA). For 16 bit programs you don't need it (ex. GetDlgItemText).

BL                     List Breakpoints
BC                     Clear Breakpoint(s)
BE                     Enable Breakpoint(s)
BD                     Disable Breakpoint(s)
Enter                  Activate command

O.K. Are you lost yet? If you are, then try to stick with me or get a tutorial for SoftIce at Lord Caligo's page -----> http://caligo.cjb.net. If you're not lost then keep going, or keep going anyway.

1.14 Getting familiar:

Now press CTRL+D to enter SoftIce. At the top of the screen you'll see three lines; these are the registers. All you have to know is that the registers hold information in your memory, like your name and serial. Below that is the data window. It shows what is at any memory address. Next is the code window; it holds the assembly code of the program. Under that is the input/output window. This is where we enter commands into SoftIce and read any responses that it has.

Section 2.00 Quick Assembly:

Here I'll teach you some quick assembly, just enough to get you started.

ASM(S):      HEX:          MEANING:
NOP          90            don't do anything
MOV                        makes "dest" equal to "src" (ex. mov dest,src)
CMP                        compares "dest" to "src" (ex. cmp dest,src)
JMP          EB            jump straight to
JE, JZ       0F84 or 74    jump if equal
JNE, JNZ     0F85 or 75    jump if not equal
JA           0F87 or 77    jump if above
JAE, JNB     0F83          jump if above or equal
JNA, JBE     0F86          jump if not above
JB           0F82          jump if below
JG           0F8F          jump if greater
JGE, JNL     0F8D          jump if greater or equal
JL           0F8C          jump if less than
JLE          0F8E          jump if less or equal

If you're still with me then GREAT! If not, sorry, but now we're going to start the cracking.
So here we go.

Section 3.00 Cracking:

3.10 Learning the Protection Scheme:

Start Cookie Crusher and you get that bitch ass nag screen. "This copy of Cookie.....blah blah blah woo woo woo" and so on. Click "NO" because we're not planning on purchasing it. Double click on the light bulb that appeared next to your clock in the taskbar. Now click About | License. Now.... Enter "UNREGISTERED" without the quotes (of course) for name and "81427" without the... for serial. Hit "Register". We get the error "The Information provided..." Remember this message or write it down, you'll need it.

3.11 Disassembling Cookie Crusher:

Fire up W32Dasm and disassemble Cookie Crusher. Smoke a joint, drink the alcohol of your preference, it's going to take a couple minutes. Done? ...... No? ....... How 'bout now? ....... Damn! ..... Alright, done?! ....... Finally!

Click the menu item Refs | String Data References. Search for our error message.... (The Information provided...) Once found, double click it. Notice the background change? (1) The address highlighted is where the program displays the error. You should be here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040CCC9(C)                                   ; <----- this address said jump (2)
|
:0040CE12 6A30                  push 00000030

* Possible StringData Ref from Data Obj ->"Cookie Crusher v2.1"
                                  |
:0040CE14 68BE334600            push 004633BE

* Possible StringData Ref from Data Obj ->"The information provided is not "
                                        ->"valid data, or some other error "
                                        ->"has disrupted this attempt."
                                  |
:0040CE19 6862334600            push 00463362   ; <------ we land here (1)
:0040CE1E 6A00                  push 00000000

Push the UP ARROW until you see the first "* Referenced by a (U)nconditional or (C)onditional Jump ...." (2) Notice the :0040CCC9(C); it's the address that says jump to :0040CE12. Click the menu item Goto | Goto Code Location. Enter 0040CCC9 to see why it jumps to :0040CE12.
You should land here:

:0040CCC3 33C2                  xor eax, edx
:0040CCC5 2BC2                  sub eax, edx
:0040CCC7 3BD8                  cmp ebx, eax    ; <----- comparison (4)
:0040CCC9 0F8543010000          jne 0040CE12    ; <------ we land here (2)
:0040CCCF 6A40                  push 00000040

* Possible StringData Ref from Data Obj ->"Cookie Crusher v2.1"
                                  |
:0040CCD1 680B334600            push 0046330B

* Possible StringData Ref from Data Obj ->"Thank you for licensing Cookie "
                                        ->"Crusher! We appreciate your business "
                                        ->"and support."    ; <---- good message (3)
                                  |
:0040CCD6 683D324600            push 0046323D
:0040CCDB 6A00                  push 00000000

Look above :0040CCC9 to find the first comparison (4). It reads cmp ebx, eax. Bingo, it compares something!! Could it perhaps be our good serial with the one we entered? (2) Now look back at :0040CCC9; this is where the program decides what to do after the comparison. JNE means jump if not equal. (1) So if ebx is not equal to eax it will jump to the error message. (3) If it is equal then it continues on to the good message. So now we think we know the address where it checks our serial against the valid one.

Now we need to figure out a way to get SoftIce to "break" into Cookie Crusher. Go to the Cookie Crusher registration screen. Enter "UNREGISTERED" without the quotes (of course) for name and "81427" without the... for serial. DON'T HIT REGISTER!! Start up SoftIce by pressing CTRL+D. Once in SoftIce set a breakpoint on Hmemcpy by typing bpx hmemcpy. A breakpoint tells SoftIce to break when a certain action is used by a program. This breakpoint breaks when something is written to memory. O.K., hit Enter. Now hit F5 to return back to Windows. Now hit Register. BOOM!! We're in SoftIce. Hit F12 (about 8 times) until you see the name of the program on the line between the code window and the input/output window. It should look like this: COOKIE!.txt+0003ADDC. Your numbers may be different.
But you'll be at this address:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043BDB9(C)
|
:0043BDE1 5E                    pop esi         ; <----- we land here
:0043BDE2 5B                    pop ebx
:0043BDE3 C3                    ret

This address doesn't matter. Type bl (this displays a list of the breakpoints that we have). There should only be one breakpoint listed:

00) BPX KERNEL!HMCPY

Type bd 0 to disable the hmemcpy breakpoint (the zero is the number of the breakpoint in the list), since we're done with it. We found out from above that the address we're interested in is :0040CCC7 (where it compares our fake with the valid one), so type g 40CCC7 and hit Enter (this will go straight to the address). We land here:

:0040CCC7 3BD8                  cmp ebx, eax    ; <----- we land here
:0040CCC9 0F8543010000          jne 0040CE12
:0040CCCF 6A40                  push 00000040
:0040CCD1 680B334600            push 0046330B

Type d ebx (this displays what is stored in ebx in the data window) and what do we see? Nothing but a bunch of dots. Now type ? ebx and what do we see in the input window? 81427, our fake serial! So that must make eax our valid serial. Now type ? eax and we see ..... 103131405, our valid serial. Write this number down. Now push F5 and go back to the registration screen. Enter "UNREGISTERED" without the quotes (of course) for name and "103131405" without the... for serial. Hit Register. BOOM!!! .... Thank You for licensing Cookie Crusher .......... You now have a fully registered copy of Cookie Crusher v2.11.

But with one problem: it may be registered, but the about box says UNREGISTERED. What are you going to do about this? Perhaps try to enter your own name/nick. It saves your registration info at "LOCAL_MACHINE\SOFTWARE\The Limit Software\Cookie Crusher" in your registry. To unregister Cookie Crusher, go into your registry, go under LOCAL_MACHINE\SOFTWARE\The Limit Software\Cookie Crusher, on the right delete the entries, and BOOM! It's unregistered.

Section 4.00 Final words:

This is a great newbie program. This is the easiest protection you'll come across.
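What that cmp ebx, eax / jne pair looks like at the C level, beside the shape a programmer would use so that sitting at the compare does not hand out a working serial. This is an added example, not Cookie Crusher's code or the author's; the FNV-1a hash is a stand-in for a proper one-way function, and the serial strings are just the tutorial's sample values.

```c
#include <stdint.h>
#include <string.h>

/* The check as the tutorial finds it: the valid serial has already been
 * computed into one register (eax), the typed serial sits in another (ebx),
 * and one compare decides between the "Thank you" box and the error box.
 * Whoever stops at that compare can read both operands.
 * (valid_serial stands in for whatever the program derives from the name;
 * the tutorial does not show that algorithm.) */
int weak_check(const char *entered, const char *valid_serial)
{
    return strcmp(entered, valid_serial) == 0;   /* cmp ebx, eax ; jne error */
}

/* 32-bit FNV-1a, used here only as a stand-in one-way function (assumption;
 * a shipping product would use a real cryptographic hash or MAC). */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;            /* FNV offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;                  /* FNV prime */
    }
    return h;
}

/* Hardened shape: the program keeps only a digest of the valid serial and
 * compares digests. Stopping at this compare shows the digest, not a value
 * that can be typed into the dialog. The XOR form keeps the compare
 * constant-time. The conditional branch after it still exists, so this
 * removes the register leak the tutorial relies on, not the patchable jump. */
int hardened_check(const char *entered, uint32_t stored_digest)
{
    return (fnv1a32(entered) ^ stored_digest) == 0;
}
```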
There's no encryption of the serial. All you have to do is find the bad jump, find the first comparison above it and look at the registers, exactly like we did above. Granted, this program can be cracked many ways, but what's better than actually registering the program? You'd be surprised at how many programs are protected like this.

If you want to be a true cracker you can't do this forever. You have to read, read, read, and read some more. The best thing you can do is learn. First read any information on Assembly Language Programming that you can get your crummy key punching hands on. Once you're satisfied you've learned enough, read some more on it. Then start with walk thru tutorials, kinda like this one. This tutorial teaches you the extreme basics of SoftIce and ASM and lets you apply them. Go to the CrackMe? site -----> http://surf.to/crackmes. This site gives you practice programs and tutorials for each program. After you've learned how to crack a simple encryption, find a mentor. Ask someone that's leet. Don't harass them!!!! Don't be afraid to ask them questions. They're pretty cool and they realize that at one point they were in the same place as you. There's no easy way around it. GOOD LUCK!!!!! :-P

In my next tutor I'll explain how the program generates the serial number, and teach how to make a key generator. Don't rush it either, it takes time.

-------------- SoftIce wasn't built in a day --------------

Tundra
Prepare yourself, I'm Ruff Terrain.
Dead Crax Society
Triquster@hotmail.com

Got any questions on cracking, or comments on how I can make this better? Don't be afraid to email me.