Dated:    28th May 2001       

Author Dakoder:    contact me!!  

This document is for real Lamers and Newbies who want to learn the exotic art of reverse engineering...... I wrote this because there are too many of these trainers on the net that simply go tooooo deep and leave you completely lost. I hope you find this usefull, if you get lost I will be happy to anwer any questions relating to this artical to help you get started....

Why am I doing this...... before we (hackers/crackers) become extinct, it is important that the next generation of hackers/crackers get the best possible start.................Good luck and happy cracking !


How to crack GIF Movie Gear 3.0.1

 

Before we start

You need a good working knowlege of 8/16/32 bit x86 assembly language. If you don't understand this then go get sum of Adams assembler  tutorials Here

You will of course need Gif  Movie Gear   (Dohhh)   Go get it  Here

 

The TOOLS you will need

 

SoftIce for Windows. If you Don't have this get it Here .

IDAWIN Interactive Disassembler. Get it Here ,Has a built in help. (sorry for legal reasons I can supply this and is not available at the moment.....but do go look for it... else use W32DASM    but it aint as good as IDAW.

A good TEXT EDITOR. I use VEDIT.EXE. Get your own editor !!

An assembler. You should already have one !

You may find it usefull to print this document out........then you can follow it line by line....


How we are going to do the crack for GIF Movie Gear 3.0.1

Simple. As you will discover.....Gif Movie Gear has a fairly simple mechanism, and a very very simple algorithm.

 

1. We are going to find out how the protection mechanism works and decide on the best route to take. The best action is to always create a key generator. Patching is not a good idea !

2. We are going to use softice to locate the routine inside gif movie gear that deals with registering the product.

3. We are then going to use IDAWIN to disassemble the program and print out the relevant code.

4. We are going to use softice and the printout to try and extract the keygen algorithm

5. We are going to write our own keygen program based on the algorithm found inside gif movie gear.

6. Have a cup'o'coffee, fag and a short nap......( This is optional, but quite agreeable!)

 

You will notice that I did not include the "We will then register movie gear using our keygen program etc. etc.| As it is ilegal to do so !!!!   ha-ha-ha


 

Finding the protection mechanism for GIF Movie Gear 3.0.1

 

1. Install GIF Movie Gear, and run the program. The first thing you will notice is that there is a message box saying thank you etc....But at the bottom a small message says. Re-installing does not alter the clock.    mmmmmm Why say that ?    it tells me that the programmer is worried about being cracked. so maybe it's not as difficult as it looks. We shall see

2. Click on HELP and then click REGISTER NOW, in the name box type  ABCD      (This is a good string to type in because a long string requires lots and lots of single stepping in softice, also if the string is linear ie. ABCD or WXYZ as opposed  QAPZ, it is easier to spot a linear pattern. In the code box, because we don't know what code to type we simply type in 1234, we use numbers instead of letters to help distinguish between the NAME and the CODE.

3. Don't press OK yet, we first need to setup a breakpoint in softice so press   CTRL-D and type in BPX getwindowtexta If you get an error message saying SYMBOL NOT DEFINED (dohhhh) then go find the WINICE.DAT file in your winice directory and use notepad to remove the semi-colons on the two lines that say 

;EXP=c:\windows\system\kernel32.dll
;EXP=c:\windows\system\user32.dll


You will need to re-boot in order to allow the changes to take effect., so re-boot and start again. otherwise press CTRL-D to exit softice. (If you don't know what getwindowtexta does, then get the WIN32.HLP (can't remeber where I got it from, so no link sorry)  file which is the windows API function calls.

4. Now click OK on the register movie gear box, softice should pop up and be pointing to the start of the windows API   GETWINDOWTEXTA  function. (remember that the A on the end specifies a 32 bit function call) so type in P RET or press F12 to continue execution until softice reaches a return instruction (or an IRET),

at this point you should be pointing to the address   00431962

 

00431962   call    ebx                                                  ;This is what caused our 1st break point
00431962   lea     edx,  [esp+0C4]                             ;This is where you should be now !

Now remember that there are two lots of data to be fetched (The NAME="ABCD" and the CODE "12345" so press CTRL-D or type X to exit softice and continue executing until the same breakpoint is reached again.
ahhhh softice has popped up again, and is pointing to the first instruction inside the API function (just like it was before), so type

P RET

to get back to the caller of this function,
at this point you should be pointing to the address 00431977

00431960     call ebx                                                          ;this is what caused our 2nd break point
00431977    lea eax, [esp+0C4]                                        ;
this is where you should be now !
0043197E     lea ecx, [esp+60h]
00431982    push eax
00431983    push ecx
00431984    call 00431580
00431989     add esp, 8
0043198C    test eax, eax
0043198E     jz    00431A41
00431994     lea edx, [esp+10h]
00431998     lea eax, [esp+0Ch]



5. Now we need to have a look at what happens next, the next five instructions (highlighted yellow) seem to get two values off the stack and then push them back again just before a call is made to 00431580.

Lets see what is being pushed, because whatever it is, we know that the sub routine at 00431580 is going to use them. so press type P or press F10 a few times (four to be precise) until you reach the call 00431580 instruction now type into softice

D EAX                  or you can use    DEX 0 EAX  which gives a dynamic view using data window 0

this tells softice to display the data found at the memory address whos value is in the EAX register, if you don't have a data window visible, type WD 8 this will create a data windows with 8 lines. Jeeez it's simple when you know how. Guess what ? WC is for code, WR is for the registers.. Bollox.... just type HELP for fuck's sake, that's what it is there for. ok  what can you see in the data window ???? Yup it's our "12345" string, this confirms that the next call instruction is to do with checking our registration code. Now type in

D ECX                  or you can use    DEX 0 ECX  which gives a dynamic view using data window 0

You should see the leters ABCD that you entered into the name box. You will allso notice the TEST EAX,EAX instruction (Is this a test for True or False) ? maybe. so lets fuck with it.

6. Press F10 or type P to proceede and keep going until you reach the test eax,eax instruction. What does the contents of eax hold right now, ie after the call instruction has been executed ? well it's zero and we all no that ZERO means FALSE which means wrong code..... ha ha ha (what would the chance be of hitting the correct code first time round ?

Because we know that if we continue we are simply going to be rejected we are going to change the contents of the eax register and then continue execution so as to fool the program into thinking that we entered the correct code so type

R EAX = 1

This sets the eax register to true,  look in the register window at the top left. Now press CTRL D or type X to exit softice and lets see what has happened. You will notice that the ability to register has been removed from the help menu.. WOW it can't be that simple can it ?   If it is then forget a keygen, use a patch it will only be one byte.....so  Lets find out eh.

7. Exit the gif movie gear program and you will see that a nag message says that you have minus one days to register this program. Shit... never mind
lets start again, this time we are going to trace into that call at address 00431580 and find out what happens to the two values that were pushed onto
the stack. namely our name and code. So wait a few seconds and then click the OK button and then re-start gif movie gear, goto the HELP menu and
select REGISTER NOW. type in the ABCD and 12345 and click OK BANG ! up comes softice again, type in

X

to exit softice and then type

P RET

Now press F8 until you reach that call 00431580 instruction.

8. Now press F8 once more, we are now in the checking routine, so lets go carefully. Press F8 a few times (FIVE to be precise) until we reach the

00431588     cmp [ebp+0], 6Dh ;m                                                 ;you should be here
0043158C     jnz 00431632
00431592     cmp [ebp+1], 67h ;g
00431596     jnz 00431632
0043159C     cmp [ebp+2], 33h ;3
004315A0     jnz 00431632
004315A6     cmp [ebp+3], 37h ;7


WTF is all that about, what happens at the JNZ address  00431632 ?  Lets have a quick look:----

00431632     pop edi
00431633     pop esi
00431634     pop ebp
00431635     xor eax, eax
00431637     pop ebx
00431638     retn

If your not sure then trace it through, but you will find that it simply turns eax into false, and rets back,  and we know that is bad don't we ?

So what is ebp pointing to ?    You should know what to do now ???? yeah thats it type in

D EBP

And lets have a look at the data, well i'll be twatstrangled, it looks like our 12345 code,and the following four instructions are checking if the first four characters are equal to 06D, 067, 033 and 037 ,     what is all that then ?       let us  use softice to work out what they are, type in

? 6d673337

and you should get the answer "mg37" so press CTRL-D and exit softice and re-enter the ABCD string into gif movie gear, but this time don't use 12345, so type in "mg3712345" and do the usual steps to get back to where we were. ie the following code at address :-00431588, you can either single step or set a new breakpoint, you choose.....

00431580     push ebx                                                      ;you should be here
00431581     push ebp
00431582     mov ebp, [esp+010]
00431586     push esi
00431587     push edi
00431588     cmp [ebp+0], 6Dh ;m
0043158C     jnz 00431632
00431592     cmp [ebp+1], 67h ;g
00431596     jnz 00431632
0043159C     cmp [ebp+2], 33h ;3
004315A0     jnz 00431632
004315A6     cmp [ebp+3], 37h ;7
004315AA     jnz 00431632


you should remember that the code at address 00431632, ie where all the jnz instructions point to simply xor's the eax register (sets it to zero) and exits, back, so we know that to go down the right road, we must have "mg37" at the start of our code.

9. If you now press F10 to step through the above four instructions you should now be at address
004315BE     rep ne     scasb

We need to know what this instruction is checking so type

D EDI

hey look there is a long string, we did not type it in so it is internal to the program, maybe that is the code, forget it, I tried that, so don't bother. If you look at the following code you will see that it is simply scanning for the zero termination of the string, the inverting of ECX and then subtracting one, leaves ecx with a value of 0B and low and be-hold guess how many characters there are in the string ? so press F10 once to complete the instruction and check that ecx does in fact hold 0B. now press F10 a few times until you reach

004315C9     repe cmpsb


ok, we know ecx holds the length, but what does ESI and EDI hold ?
well go on then go look, type D EDI and D ESI you will notice that both strings are different, this is the first problem. We know we have to type in "mg37" to get past the first few lines of this routine, and we know that the "mvg21951736" string is built into the program so we know that the REPE CMPSB is only going to work once and then kick out, what the hell, lets assume that everything is ok, and that we have not fouled up somwhere. so press F10 a few times until you get to address
004315E3     CALL 0043F3B8

WTF  This is getting complex and deep or is it ?

10 Time to get IDAWIN to work, exit SOFTICE and GIF MOVIE GEAR, now go run IDAWIN and make sure you point the module loader to c:\windows\system32 in order to get the function symbols loaded. IDAWIN takes a little time to do, now get IDA to create a LIST file, so use ALT F create output file, and do it. You will find that IDA will create a whopping 10 meg file. Load this file into NOTEPAD (small joke, we all know how crap notepad is)  load it into your editor and locate the above routines particularly the   .text:00431580 which you need to print out, if you can't be bothered, then I have the listing below, but whatever, you will need a listing on paper so you can write down notes !!!!.
I will now comment this routine any comments in red will be expanded upon later. You will notice that the  004315E3     CALL 0043F3B8   is not a complex call, but simply a call to a standard library function called  _ATOI   which is  ASCII to INTEGER. (signed)   basically on  exit the EAX register will hold the real value of the ascii number string in our password.


00431580 push ebx
00431581 push ebp
00431582 mov ebp, [esp+010]
00431586 push esi
00431587 push edi
00431588 cmp [ebp+0], 6Dh                                  ;"m"    1st character
0043158C jnz 00431632                                        ;set eax to 0 (FALSE) and exit
00431592 cmp [ebp+1], 67h                                  ;"g"      2nd character
00431596 jnz 00431632                                         ;set eax to 0 (FALSE) and exit
0043159C cmp [ebp+2], 33h                                  ;"3"      3rd character
004315A0 jnz 00431632                                        ;set eax to 0 (FALSE) and exit
004315A6 cmp [ebp+3], 37h                                  ;"7"      4th character
004315AA jnz 00431632                                        ;set eax to 0 (FALSE) and exit
004315B0 mov ebx, 0044D4C4                              ;vector to start of the string
004315B5 mov edx, [ebx]                                        ;edx = start address of string
004315B7 or ecx, 0FFFFFFFFh                              ;get the count ready
004315BA mov edi, edx                                           ;edi = start of string
004315BC xor eax, eax                                            ;eax = 0
004315BE repne scasb                                             ;find the end of the string
004315C0 not ecx
004315C2 dec ecx                                                   ;ecx = length of string
004315C3 mov edi, edx                                           ;start of the internal string
004315C5 mov esi, ebp                                           ;start of what we typed in
004315C7 xor eax, eax
004315C9 repe cmpsb                                             ;find the first non matching character
004315CB jz short 00431632                                  ;if ecx has run out then exit, ie we have not typed in enough characters in the password box.
004315CD add ebx, 4                                              ;skip the vector address and point to string
004315D0 cmp ebx, aMvg21951736                       ;check that the address is not relocated, ie it has to be running at this address.
004315D6 jl short 004315B5                                   ;
004315D8 cmp [ebp+4], 73h                                   ;is the 5th character an "s" ?
004315DC jnz short 004315DF                               ;if not then skip the next instruction whos purpose is to re-align the address
004315DE inc ebp                                                   ;the correct address is 8 bytes away which is the start of our 12345
004315DF add ebp, 7                                             ;7 + the previous inc = 8 so our code is "mg37s"
004315E2 push ebp                                                ;push this address
004315E3 call _atoi                                                ;convert this ascii string into a real value into eax,
004315E8 mov edx, [esp+0Ch+0C]                       ;start of the ABCD shit we typed in
004315EC add esp, 4
004315EF mov edi, edx                                          ;this is also the satrt of the ABCD shit we typed in
004315F1 xor ecx, ecx                                           ;Special loop counter
004315F3 mov dl, [edx]                                          ;get the first character "A" next will be "B" and so on.
004315F5 mov esi, 0BDFh                                     ;start esi with fudge factor
004315FA test dl, dl                                               ;have we reached the end of the string ?
004315FC jz 00431624                                         ;if so then exit out *** more on this later

004315FE movsx edx, dl                                        ;the rest of this is a simple, it creates a unique integer from the ascii string ABCD that we typed in.
00431601 inc ecx                                                   ;increment the special loop counter
00431602 imul edx, ecx                                          ;ascii "A" multiply by ECX (special loop counter)
00431605 add esi, edx                                            ;now add to the fudge factor number,
00431607 cmp esi, 17BEh                                      ;has the fudge factor gone over 017be ?
0043160D jle 00431615                                         ; if so then reset it, you should have noticed that this is in fact a simple MODULO function.
0043160F sub esi, 17BEh

00431615 cmp ecx, 0Ah                                         ;has the special loop counter gone over 10 ?
00431618 jle 0043161C
0043161A xor ecx, ecx                                           ;if it has then reset it back to zero

0043161C mov dl, [edi+1]                                       ;if not then just get the next character, this is the letter "B" that we typed in
0043161F inc edi                                                    ;increment the pointer, interesting that they got (PTR+1) and then incremented, this is M/C patched.
00431620 test dl, dl                                                 ;have we reached the end of the string "ABCD" ?
00431622 jnz 004315FE                                         ;if not then carry on with algorithm until EOF is found.

00431624 cmp esi, eax                                            ;compare the two values
00431626 jnz 00431632                                          ;if they are not the same then exit with a FALSE condition
00431628 pop edi                                                    ;if they are the same, then pop all registers
00431629 pop es
0043162A pop ebp
0043162B mov eax, 1                                             ;set EAX to true
00431630 pop ebx
00431631 retn

00431632 pop edi                                                    ;this is the BAD exit, ie you typed in the wrong code.
00431633 pop esi
00431634 pop ebp
00431635 xor eax, eax                                             ;set EAX to false
00431637 pop ebx
00431638 retn


 

convert this ascii string into a real value into eax

Ok, simple now, thanks to IDAWIN we know this is a simple library function call, we can test this by using the question mark command to evaluate something, so tyoe in ? EAX after the call _atoi  has been done and you find that the eax holds the actual number that we tyoed into the password box

Special loop counter

This is just one part of the algorithm for calculating what is simply a checksum for the string you typed into the name box, the number rotates from 1 to 10 inclusive, while it calculates the check sum.ie  A*1 B*2 C*3  and so on..

start esi with fudge factor

The fudge factor is a summing unit that adds up the total running values of the special loop counter calculation, I called it the fudge factor because it starts with a none zero value, this is very odd....never mind.  every time this summing unit goes over 017BE it is reset, or more precisely it is MODULUS.

compare the two values

fThis simply compares the two values, the first is the number you typed into the password box, the second is the checksum calculated using the ABCD you typed as your name. we know that by forcing this result to TRUE, it does remove the ability to register but then it says that you have minus one days to register, so lets do it all again , fire up GIF MOVIE GEAR, bring up SOFTICE , set your break points and keep going until you reach that all important address 00431624 cmp esi, eax  Now if you have been paying attention you will know that ESI actualy holds the correct CRC value, so type into SOFTICE   ? ESI  and then write down the decimal number that comes back..... now quite softice and now fire up GIF MOVIE GEAR and type in ABCD for the name and type in  mg37smvg*******     where ******* is the number you wrote down.

HEY!!!!!!    you have a fully registered version of gif movie gear, well done..... but it is registered to ABCD  so lets write our keygen, using the above algorithm.

NOTE!  You will need to edit your registry and find under  /software/gamani    and delete the gamani entry,  we need to test the keygen you are about to write.  

 

 

How we are going to extract the keygen algorithm for Gif Movie Gear 3.0.1

 

 

Here is the listing again, but this time I have colour coded the routine to help isolate the important areas of the generator.

004315E2 push ebp                                                ;push this address
004315E3 call _atoi                                                ;convert this ascii string into a real value into eax,
004315E8 mov edx, [esp+0Ch+0C]                       ;start of the ABCD shit we typed in
004315EC add esp, 4
004315EF mov edi, edx                                          ;this is also the satrt of the ABCD shit we typed in
004315F1 xor ecx, ecx                                           ;Special loop counter
004315F3 mov dl, [edx]                                          ;get the first character "A" next will be "B" and so on.
004315F5 mov esi, 0BDFh                                     ;start esi with fudge factor
004315FA test dl, dl                                               ;have we reached the end of the string ?
004315FC jz 00431624                                         ;if so then exit out *** more on this later

004315FE movsx edx, dl                                        ;the rest of this is a simple, it creates a unique integer from the ascii string ABCD that we typed in.
00431601 inc ecx                                                   ;increment the special loop counter
00431602 imul edx, ecx                                          ;ascii "A" multiply by ECX (special loop counter)
00431605 add esi, edx                                            ;now add to the fudge factor number,
00431607 cmp esi, 17BEh                                      ;has the fudge factor gone over 017be ?
0043160D jle 00431615                                         ; if so then reset it, you should have noticed that this is in fact a simple MODULO function.
0043160F sub esi, 17BEh

00431615 cmp ecx, 0Ah                                         ;has the special loop counter gone over 10 ?
00431618 jle 0043161C
0043161A xor ecx, ecx                                           ;if it has then reset it back to zero

0043161C mov dl, [edi+1]                                       ;if not then just get the next character, this is the letter "B" that we typed in
0043161F inc edi                                                    ;increment the pointer, interesting that they got (PTR+1) and then incremented, this is M/C patched.
00431620 test dl, dl                                                 ;have we reached the end of the string "ABCD" ?
00431622 jnz 004315FE                                         ;if not then carry on with algorithm until EOF is found.

00431624 cmp esi, eax                                            ;compare the two values
00431626 jnz 00431632                                          ;if they are not the same then exit with a FALSE condition
00431628 pop edi                                                    ;if they are the same, then pop all registers
00431629 pop es
0043162A pop ebp
0043162B mov eax, 1                                             ;set EAX to true
00431630 pop ebx
00431631 retn

00431632 pop edi                                                    ;this is the BAD exit, ie you typed in the wrong code.
00431633 pop esi
00431634 pop ebp
00431635 xor eax, eax                                             ;set EAX to false
00431637 pop ebx
00431638 retn

 

How we are going to write our own keygen for Gif Movie Gear 3.0.1

I have included the source code below for my keygen routine, I have also colour coded the relevent parts so you can compare it with the same colour codes above.
Note ! it will only assemble under a386/d386. this program uses 386 specific instruction and runs in REAL/V86 mode.......if you want it to run under PMODE then assemble as FLAT and attache your PMODE dos header.....hey get your own sodding header..........<grin>.






xor ecx,ecx                              ;start of loop to extract our NAME
mov si,081                              ;point to first character
mov ebp,0bdf                          ;setup counter thingy
or b[080],cl
jz buckit                                  ;I make no excuses for my label names.....hey I was not intending to release this stuff !!!!!


start:
lodsb                                       ;strip out spaces
cmp al,020
jz start
dec si


start1:
movsx edx,b[si]                       ;get the ascii stuff
inc ecx                                    ;The special loop counter
imul edx,ecx                            ;calculate the ascii stuff
add ebp,edx                            ;update the fudge factor counter
cmp ebp,017be                       ;modulo  the result
jle skip1

sub ebp,017be

skip1:
cmp cl,0a                              ;special loop counter reset ?
jle skip2

xor ecx,ecx                           ;yes

skip2:
inc si                                     ;ascii character pointer
mov dl,b[si]                     
    ;get the next ascii stuff
cmp dl,0d
jnz start1

mov eax,ebp                         ;prepare the output... EAX = VALUE..    ds:dx = address for the string
mov dx,string+8


mov bx,0a                           ;the rest of this stuff just prints on the screen the full code, ie your shit with "mg37smvg"    at the start
xor cx,cx
mov di,dx
mov es,cs
es mov d[di]," "
es mov d[di+4]," "

convert_16a:
xor dx,dx
div bx
add dl,030
push dx
inc cx
cmp ax,0
jne convert_16a
convert_16b:
pop ax
stosb
loop convert_16b

mov dx,string

exitout
mov ax,0900
int 021
int 020

buckit:
mov dx,string2
jmp exitout:




string: db "mg37smvg ",0d,0a,"Cracked by Dakoder@yahoo.com",0d,0a,"$"
string2: db "Usage. GMG_CRK <yourname> ",0D,0A,"KeyGen for Gif Movie Gear 3.01",0d,0a,"$"