Dated: 28th May 2001
This document is for real Lamers and Newbies who want to learn the exotic art of reverse engineering...... I wrote this because there are too many of these trainers on the net that simply go tooooo deep and leave you completely lost. I hope you find this usefull, if you get lost I will be happy to anwer any questions relating to this artical to help you get started....
Why am I doing this...... before we (hackers/crackers) become extinct, it is important that the next generation of hackers/crackers get the best possible start.................Good luck and happy cracking !
| How to crack GIF Movie Gear 3.0.1 |
| Before we start |
You need a good working knowlege of 8/16/32 bit x86 assembly language. If you don't understand this then go get sum of Adams assembler tutorials Here
You will of course need Gif Movie Gear (Dohhh) Go get it Here
| The TOOLS you will need |
SoftIce for Windows. If you Don't have this get it Here .
IDAWIN Interactive Disassembler. Get it Here ,Has a built in help. (sorry for legal reasons I can supply this and is not available at the moment.....but do go look for it... else use W32DASM but it aint as good as IDAW.
A good TEXT EDITOR. I use VEDIT.EXE. Get your own editor !!
An assembler. You should already have one !
You may find it usefull to print this document out........then you can follow it line by line....
| How we are going to do the crack for GIF Movie Gear 3.0.1 |
Simple. As you will discover.....Gif Movie Gear has a fairly simple mechanism, and a very very simple algorithm.
1. We are going to find out how the protection mechanism works and decide on the best route to take. The best action is to always create a key generator. Patching is not a good idea !
2. We are going to use softice to locate the routine inside gif movie gear that deals with registering the product.
3. We are then going to use IDAWIN to disassemble the program and print out the relevant code.
4. We are going to use softice and the printout to try and extract the keygen algorithm
5. We are going to write our own keygen program based on the algorithm found inside gif movie gear.
6. Have a cup'o'coffee, fag and a short nap......( This is optional, but quite agreeable!)
You will notice that I did not include the "We will then register movie gear using our keygen program etc. etc.| As it is ilegal to do so !!!! ha-ha-ha
| Finding the protection mechanism for GIF Movie Gear 3.0.1 |
1. Install GIF Movie Gear, and run the program. The first thing you will notice is that there is a message box saying thank you etc....But at the bottom a small message says. Re-installing does not alter the clock. mmmmmm Why say that ? it tells me that the programmer is worried about being cracked. so maybe it's not as difficult as it looks. We shall see
2. Click on HELP and then click REGISTER NOW, in the name box type ABCD (This is a good string to type in because a long string requires lots and lots of single stepping in softice, also if the string is linear ie. ABCD or WXYZ as opposed QAPZ, it is easier to spot a linear pattern. In the code box, because we don't know what code to type we simply type in 1234, we use numbers instead of letters to help distinguish between the NAME and the CODE.
3. Don't press OK yet, we first need to setup a breakpoint in softice so press CTRL-D and type in BPX getwindowtexta If you get an error message saying SYMBOL NOT DEFINED (dohhhh) then go find the WINICE.DAT file in your winice directory and use notepad to remove the semi-colons on the two lines that say
;EXP=c:\windows\system\kernel32.dll
;EXP=c:\windows\system\user32.dll
You will need to re-boot in order to allow the changes to take effect., so re-boot
and start again. otherwise press CTRL-D to exit softice. (If you don't know what
getwindowtexta does, then get the WIN32.HLP (can't remeber where I
got it from, so no link sorry) file which is the windows API function calls.
4. Now click OK on the register movie gear box, softice should pop up and be pointing to the start of the windows API GETWINDOWTEXTA function. (remember that the A on the end specifies a 32 bit function call) so type in P RET or press F12 to continue execution until softice reaches a return instruction (or an IRET),
at this point you should be pointing to the address 00431962
00431962 call ebx
;This is what caused our 1st break point
00431962 lea
edx, [esp+0C4]
;This is where you should be now !
Now remember that there are two lots of data to be fetched (The NAME="ABCD"
and the CODE "12345" so press CTRL-D or type X to exit softice and continue
executing until the same breakpoint is reached again.
ahhhh softice has popped up again, and is pointing to the first instruction inside the API
function (just like it was before), so type
P RET
to get back to the caller of this function,
at this point you should be pointing to the address 00431977
00431960 call ebx
;this is what caused our 2nd break point
00431977 lea eax,
[esp+0C4]
;this is where you should be now !
0043197E lea ecx, [esp+60h]
00431982 push eax
00431983 push ecx
00431984 call 00431580
00431989 add esp, 8
0043198C test eax, eax
0043198E jz 00431A41
00431994 lea edx, [esp+10h]
00431998 lea eax, [esp+0Ch]
5. Now we need to have a look at what happens next, the next five instructions
(highlighted yellow) seem to get two values off the stack and then push them back again
just before a call is made to 00431580.
Lets see what is being pushed, because whatever it is, we know that the sub routine at
00431580 is going to use them. so press type P or press F10 a few times (four to be
precise) until you reach the call 00431580 instruction now type into softice
D EAX
or you can use DEX 0 EAX which gives a dynamic view using data
window 0
this tells softice to display the data found at the memory address whos value is in the
EAX register, if you don't have a data window visible, type WD 8 this will create a data
windows with 8 lines. Jeeez it's simple when you know how. Guess what ? WC is for code, WR
is for the registers.. Bollox.... just type HELP for fuck's sake, that's what it is there
for. ok what can you see in the data window ???? Yup it's our "12345"
string, this confirms that the next call instruction is to do with checking our
registration code. Now type in
D ECX
or you can use DEX 0 ECX which gives a dynamic view using data
window 0
You should see the leters ABCD that you entered into the name box. You will allso notice
the TEST EAX,EAX instruction (Is this a test for True or False) ? maybe. so lets fuck with
it.
6. Press F10 or type P to proceede and keep going until you reach the test eax,eax
instruction. What does the contents of eax hold right now, ie after the call instruction
has been executed ? well it's zero and we all no that ZERO means FALSE which means wrong
code..... ha ha ha (what would the chance be of hitting the correct code first time round
?
Because we know that if we continue we are simply going to be rejected we are going to
change the contents of the eax register and then continue execution so as to fool the
program into thinking that we entered the correct code so type
R EAX = 1
This sets the eax register to true, look in the register window at the top left. Now
press CTRL D or type X to exit softice and lets see what has happened. You will notice
that the ability to register has been removed from the help menu.. WOW it can't be that
simple can it ? If it is then forget a keygen, use a patch it will only be one
byte.....so Lets find out eh.
7. Exit the gif movie gear program and you will see that a nag message says that you have
minus one days to register this program. Shit... never mind
lets start again, this time we are going to trace into that call at address 00431580 and
find out what happens to the two values that were pushed onto
the stack. namely our name and code. So wait a few seconds and then click the OK button
and then re-start gif movie gear, goto the HELP menu and
select REGISTER NOW. type in the ABCD and 12345 and click OK BANG ! up comes softice
again, type in
X
to exit softice and then type
P RET
Now press F8 until you reach that call 00431580 instruction.
8. Now press F8 once more, we are now in the checking routine, so lets go carefully. Press
F8 a few times (FIVE to be precise) until we reach the
00431588 cmp [ebp+0], 6Dh
;m
;you should be here
0043158C jnz 00431632
00431592 cmp [ebp+1], 67h ;g
00431596 jnz 00431632
0043159C cmp [ebp+2], 33h ;3
004315A0 jnz 00431632
004315A6 cmp [ebp+3], 37h ;7
WTF is all that about, what happens at the JNZ address 00431632 ? Lets have a
quick look:----
00431632 pop edi
00431633 pop esi
00431634 pop ebp
00431635 xor eax, eax
00431637 pop ebx
00431638 retn
If your not sure then trace it through, but you will find that it simply turns eax into false, and rets back, and we know that is bad don't we ?
So what is ebp pointing to ? You should know what to do now ???? yeah
thats it type in
D EBP
And lets have a look at the data, well i'll be twatstrangled, it looks like our 12345
code,and the following four instructions are checking if the first four characters are
equal to 06D, 067, 033 and 037 , what is all that then ?
let us use softice to work out what they are, type in
? 6d673337
and you should get the answer "mg37" so press CTRL-D and exit softice and
re-enter the ABCD string into gif movie gear, but this time don't use 12345, so type in
"mg3712345" and do the usual steps to get back to where we were. ie the
following code at address :-00431588, you
can either single step or set a new breakpoint, you choose.....
00431580 push ebx
;you should be here
00431581 push ebp
00431582 mov ebp, [esp+010]
00431586 push esi
00431587 push edi
00431588 cmp [ebp+0], 6Dh ;m
0043158C jnz 00431632
00431592 cmp [ebp+1], 67h ;g
00431596 jnz 00431632
0043159C cmp [ebp+2], 33h ;3
004315A0 jnz 00431632
004315A6 cmp [ebp+3], 37h ;7
004315AA jnz 00431632
you should remember that the code at address 00431632, ie where all the jnz instructions
point to simply xor's the eax register (sets it to zero) and exits, back, so we know that
to go down the right road, we must have "mg37" at the start of our code.
9. If you now press F10 to step through the above four instructions you should now be at
address
004315BE rep ne scasb
We need to know what this instruction is checking so type
D EDI
hey look there is a long string, we did not type it in so it is internal to the program,
maybe that is the code, forget it, I tried that, so don't bother. If you look at the
following code you will see that it is simply scanning for the zero termination of the
string, the inverting of ECX and then subtracting one, leaves ecx with a value of 0B and
low and be-hold guess how many characters there are in the string ? so press F10 once to
complete the instruction and check that ecx does in fact hold 0B. now press F10 a few
times until you reach
004315C9 repe cmpsb
ok, we know ecx holds the length, but what does ESI and EDI hold ?
well go on then go look, type D EDI and D ESI you will notice that both strings are
different, this is the first problem. We know we have to type in "mg37" to get
past the first few lines of this routine, and we know that the "mvg21951736"
string is built into the program so we know that the REPE CMPSB is only going to work once
and then kick out, what the hell, lets assume that everything is ok, and that we have not
fouled up somwhere. so press F10 a few times until you get to address
004315E3 CALL 0043F3B8
WTF This is getting complex and deep or is it ?
10 Time to get IDAWIN to work, exit SOFTICE and GIF MOVIE GEAR, now go run IDAWIN and make
sure you point the module loader to c:\windows\system32 in order to get the function
symbols loaded. IDAWIN takes a little time to do, now get IDA to create a LIST file, so
use ALT F create output file, and do it. You will find that IDA will create a whopping 10
meg file. Load this file into NOTEPAD (small joke, we all know how crap notepad is)
load it into your editor and locate the above routines particularly the .text:00431580
which you need to print out, if you can't be bothered, then I have the listing below, but
whatever, you will need a listing on paper so you can write down notes !!!!.
I will now comment this routine any comments in red will be expanded upon later. You will
notice that the 004315E3 CALL 0043F3B8 is
not a complex call, but simply a call to a standard library function called _ATOI
which is ASCII to INTEGER. (signed) basically on exit the
EAX register will hold the real value of the ascii number string in our password.
00431580 push ebx
00431581 push ebp
00431582 mov ebp, [esp+010]
00431586 push esi
00431587 push edi
00431588 cmp [ebp+0], 6Dh
;"m" 1st character
0043158C jnz 00431632
;set eax to 0 (FALSE) and exit
00431592 cmp [ebp+1], 67h
;"g" 2nd character
00431596 jnz 00431632
;set eax to 0 (FALSE) and exit
0043159C cmp [ebp+2], 33h
;"3" 3rd character
004315A0 jnz 00431632
;set eax to 0 (FALSE) and exit
004315A6 cmp [ebp+3], 37h
;"7" 4th character
004315AA jnz 00431632
;set eax to 0 (FALSE) and exit
004315B0 mov ebx, 0044D4C4
;vector to start of the string
004315B5 mov edx, [ebx]
;edx = start address of string
004315B7 or ecx, 0FFFFFFFFh
;get the count ready
004315BA mov edi, edx
;edi = start of string
004315BC xor eax, eax
;eax = 0
004315BE repne scasb
;find the end of the string
004315C0 not ecx
004315C2 dec ecx
;ecx = length of string
004315C3 mov edi, edx
;start of the internal string
004315C5 mov esi, ebp
;start of what we typed in
004315C7 xor eax, eax
004315C9 repe cmpsb
;find the first non matching character
004315CB jz short 00431632
;if ecx has run out then exit, ie we have not typed in enough characters in the password
box.
004315CD add ebx, 4
;skip the vector address and point to string
004315D0 cmp ebx, aMvg21951736
;check that the address is not relocated, ie it has to be running at this address.
004315D6 jl short 004315B5
;
004315D8 cmp [ebp+4], 73h
;is the 5th character an "s" ?
004315DC jnz short 004315DF
;if not then skip the next instruction whos purpose is to re-align the address
004315DE inc ebp
;the correct address is 8 bytes away which is the start of our 12345
004315DF add ebp, 7
;7 + the previous inc = 8 so our code is "mg37s"
004315E2 push ebp
;push this address
004315E3 call _atoi
;convert this ascii string into a real value into eax,
004315E8 mov edx, [esp+0Ch+0C]
;start of the ABCD shit we typed in
004315EC add esp, 4
004315EF mov edi, edx
;this is also the satrt of the ABCD shit we typed in
004315F1 xor ecx, ecx
;Special loop counter
004315F3 mov dl, [edx]
;get the first character "A" next will be "B" and so on.
004315F5 mov esi, 0BDFh
;start esi with fudge factor
004315FA test dl, dl
;have we reached the end of the string ?
004315FC jz 00431624
;if so then exit out *** more on this later
004315FE movsx edx, dl
;the rest of this is a simple, it creates a unique integer from the ascii string ABCD that
we typed in.
00431601 inc ecx
;increment the special loop counter
00431602 imul edx, ecx
;ascii "A" multiply by ECX (special loop counter)
00431605 add esi, edx
;now add to the fudge factor number,
00431607 cmp esi, 17BEh
;has the fudge factor gone over 017be ?
0043160D jle 00431615
; if so then reset it, you should have noticed that this is in fact a simple MODULO
function.
0043160F sub esi, 17BEh
00431615 cmp ecx, 0Ah
;has the special loop counter gone over 10 ?
00431618 jle 0043161C
0043161A xor ecx, ecx
;if it has then reset it back to zero
0043161C mov dl, [edi+1]
;if not then just get the next character, this is the letter "B" that we typed
in
0043161F inc edi
;increment the pointer, interesting that they got (PTR+1) and then incremented, this is
M/C patched.
00431620 test dl, dl
;have we reached the end of the string "ABCD" ?
00431622 jnz 004315FE
;if not then carry on with algorithm until EOF is found.
00431624 cmp esi, eax
;compare the two values
00431626 jnz 00431632
;if they are not the same then exit with a FALSE condition
00431628 pop edi
;if they are the same, then pop all registers
00431629 pop es
0043162A pop ebp
0043162B mov eax, 1
;set EAX to true
00431630 pop ebx
00431631 retn
00431632 pop edi
;this is the BAD exit, ie you typed in the wrong code.
00431633 pop esi
00431634 pop ebp
00431635 xor eax, eax
;set EAX to false
00431637 pop ebx
00431638 retn
convert this ascii string into a real value into eax
Ok, simple now, thanks to IDAWIN we know this is a simple library function call, we can test this by using the question mark command to evaluate something, so tyoe in ? EAX after the call _atoi has been done and you find that the eax holds the actual number that we tyoed into the password box
Special loop counter
This is just one part of the algorithm for calculating what is simply a checksum for the string you typed into the name box, the number rotates from 1 to 10 inclusive, while it calculates the check sum.ie A*1 B*2 C*3 and so on..
start esi with fudge factor
The fudge factor is a summing unit that adds up the total running values of the special loop counter calculation, I called it the fudge factor because it starts with a none zero value, this is very odd....never mind. every time this summing unit goes over 017BE it is reset, or more precisely it is MODULUS.
compare the two values
fThis simply compares the two values, the first is the number you typed into the password box, the second is the checksum calculated using the ABCD you typed as your name. we know that by forcing this result to TRUE, it does remove the ability to register but then it says that you have minus one days to register, so lets do it all again , fire up GIF MOVIE GEAR, bring up SOFTICE , set your break points and keep going until you reach that all important address 00431624 cmp esi, eax Now if you have been paying attention you will know that ESI actualy holds the correct CRC value, so type into SOFTICE ? ESI and then write down the decimal number that comes back..... now quite softice and now fire up GIF MOVIE GEAR and type in ABCD for the name and type in mg37smvg******* where ******* is the number you wrote down.
HEY!!!!!! you have a fully registered version of gif movie gear, well done..... but it is registered to ABCD so lets write our keygen, using the above algorithm.
NOTE! You will need to edit your registry and find under /software/gamani and delete the gamani entry, we need to test the keygen you are about to write.
| How we are going to extract the keygen algorithm for Gif Movie Gear 3.0.1 |
Here is the listing again, but this time I have colour coded the routine to help isolate the important areas of the generator.
004315E2 push ebp
;push this address
004315E3 call _atoi
;convert this ascii string into a real value into eax,
004315E8 mov edx, [esp+0Ch+0C]
;start of the ABCD shit we typed in
004315EC add esp, 4
004315EF mov edi, edx
;this is also the satrt of the ABCD shit we typed in
004315F1 xor ecx, ecx
;Special loop counter
004315F3 mov dl, [edx]
;get the first character "A" next will be "B" and so on.
004315F5 mov esi, 0BDFh
;start esi with fudge factor
004315FA test dl, dl
;have we reached the end of the string ?
004315FC jz 00431624
;if so then exit out *** more on this later
004315FE movsx edx, dl
;the rest of this is a simple, it creates a unique integer from the ascii string ABCD that
we typed in.
00431601 inc ecx
;increment the special loop counter
00431602 imul edx, ecx
;ascii "A" multiply by ECX (special loop counter)
00431605 add esi, edx
;now add to the fudge factor number,
00431607 cmp esi, 17BEh
;has the fudge factor gone over 017be ?
0043160D jle 00431615
; if so then reset it, you should have noticed that this is in fact a simple MODULO
function.
0043160F sub esi, 17BEh
00431615 cmp ecx, 0Ah
;has the special loop counter gone over 10 ?
00431618 jle 0043161C
0043161A xor ecx, ecx
;if it has then reset it back to zero
0043161C mov dl, [edi+1]
;if not then just get the next character, this is the letter "B" that we typed
in
0043161F inc edi
;increment the pointer, interesting that they got (PTR+1) and then incremented, this is
M/C patched.
00431620 test dl, dl
;have we reached the end of the string "ABCD" ?
00431622 jnz 004315FE
;if not then carry on with algorithm until EOF is found.
00431624 cmp esi, eax
;compare the two values
00431626 jnz 00431632
;if they are not the same then exit with a FALSE condition
00431628 pop edi
;if they are the same, then pop all registers
00431629 pop es
0043162A pop ebp
0043162B mov eax, 1
;set EAX to true
00431630 pop ebx
00431631 retn
00431632 pop edi
;this is the BAD exit, ie you typed in the wrong code.
00431633 pop esi
00431634 pop ebp
00431635 xor eax, eax
;set EAX to false
00431637 pop ebx
00431638 retn
| How we are going to write our own keygen for Gif Movie Gear 3.0.1 |
I have included the source code below for my keygen routine, I have also colour coded
the relevent parts so you can compare it with the same colour codes above.
Note ! it will only assemble under a386/d386. this program uses 386 specific instruction
and runs in REAL/V86 mode.......if you want it to run under PMODE then assemble as FLAT
and attache your PMODE dos header.....hey get your own sodding
header..........<grin>.
xor ecx,ecx
;start of loop to extract our NAME
mov si,081
;point to first character
mov ebp,0bdf
;setup counter thingy
or b[080],cl
jz buckit
;I make no excuses for my label names.....hey I was not intending to release this stuff
!!!!!
start:
lodsb
;strip out spaces
cmp al,020
jz start
dec si
start1:
movsx edx,b[si]
;get the ascii stuff
inc ecx
;The special loop counter
imul edx,ecx
;calculate the ascii stuff
add ebp,edx
;update the fudge factor counter
cmp ebp,017be
;modulo the result
jle skip1
sub ebp,017be
skip1:
cmp cl,0a
;special loop counter reset ?
jle skip2
xor ecx,ecx
;yes
skip2:
inc si
;ascii character pointer
mov dl,b[si]
;get the next ascii stuff
cmp dl,0d
jnz start1
mov eax,ebp
;prepare the output... EAX = VALUE..
ds:dx = address for the string
mov dx,string+8
mov bx,0a
;the rest of this stuff just prints on the screen the full code, ie your shit with
"mg37smvg" at the start
xor cx,cx
mov di,dx
mov es,cs
es mov d[di]," "
es mov d[di+4]," "
convert_16a:
xor dx,dx
div bx
add dl,030
push dx
inc cx
cmp ax,0
jne convert_16a
convert_16b:
pop ax
stosb
loop convert_16b
mov dx,string
exitout
mov ax,0900
int 021
int 020
buckit:
mov dx,string2
jmp exitout:
string: db "mg37smvg ",0d,0a,"Cracked by
Dakoder@yahoo.com",0d,0a,"$"
string2: db "Usage. GMG_CRK <yourname> ",0D,0A,"KeyGen for Gif Movie
Gear 3.01",0d,0a,"$"