how 2 crack
Xara 3D v3.0
by seneca of stoicForce
foreword
hi guys and girls, this is my 1st tut ever, so please don't expect too much from this. ;)
besides, i'm quite a newbie, so this text is rather aimed at complete newbies...
i'll try to put things as clearly as i can for you and i'll try to explain what we're
doing instead of just telling you which byte to patch, alright? here we go...
brain and tools
the beginning (as well as the experienced) cracker needs exactly 2 things to do his job: some
brain and the right tools.
unfortunately, i can't tell you where to get some brain from, but i can give you some useful
links to get the tools you need (the links will take you to the author's homepages -
nevertheless you'll find most of the tools in our homepage's
tool-section too.)
items marked with a '*' are necessary for this tutorial; get them before you read on...
get going...
alright, now that we've got these tools, we wanna use 'em, right? [we wanna kill something]
the enemy is a fine piece of code called Xara3D by Xara Ltd. - we're going to crack version 3.03.
i guess that the cracking procedure described in here will work for later versions of this software too,
so if you can't get a copy of Xara version 3.03, you may as well use any later or even earlier one.
in either case, some details mentioned below will differ, but this won't keep you from cracking it,
will it? ;)
if you don't have Xara3D, you'll find it at Xara Ltd.'s homepage.
ok, the first thing we always do is get to know the enemy, which means that we try to find out as much as
possible about the program's protection scheme. gathering information about Xara is easy, as this prog
shows a damn ugly nag-screen each time it's started. start it up now and look at the nag. it tells us how
many days remain before the prog will stop working. quite impressive, huh?
what to do next?
clicking on continue will do what it says, i.e. close the nag and let us use the software. but wait:
we got another button: purchase. this is what we really want to do, isn't it? now click on purchase,
we're getting into it...
aha. the usual serial-number stuff. they want us to enter some special number to unlock the software.
(look at the caption of this dialog: it says "Xara3D3 - Key XYZ" - remember this.)
well, let's give it a try and enter any dummy-number. whatever. now click unlock software. didn't work?
you kinda expected that, right? ;)
ok, we're in the prog now and it's still locked (damn!). play around a bit and look at the help-menu.
you should find an unlock...-item here. clicking this one will bring us to the same screens we saw above:
looks like there is only one way to "buy" Xara officially.
get your brain going. what possibilities do we have? we could either
1 - find the right code by trying every single possible unlock-code in the universe.
2 - fake the system's date, so we never run out of those 15 days trial-period.
3 - let the prog think that whatever code we enter is the correct one.
#1 is a bad idea. actually, this technique exists, it's called "brute forcing". there are some tools that
do nothing else than trying every possible code until they find the correct one. but we don't even know
if Xara wants us to enter numbers or text, nor do we have any idea of how long the
registration code should be. brute-forcing could take us ages to find the correct code, and by the way: that's
not cracking.
#2 is a good idea for some programs, but it's definitely not for Xara. why? even if we succeeded in faking
the system's date every time we start the program (there are actually tools for that, too), it would not be
a clean enough method: we would still have to click away the damn nag-screen every time. besides, we can do
better than that, can't we?
#3 is what we're going to do. but how? get yourself another cup of coffee and read on.
behind the GUI
first thing we have to do is to understand what Xara does after we entered a code and clicked on
the unlock software-button. it's very likely that the code is tested in some ways and, if it passes
all the tests, will unlock the program. these tests could look something like this:
"was there any code entered?" if yes then go on, else show the "wrong code"-dialog.
"has the code the correct length?" if yes then go on, else...
...
remember the key you saw in the caption of the purchase-dialog? i think the correct
code is generated from this key and then tested against the code we entered. if our code passed all
the tests before and matches the one generated by the prog itself, it will do what we want it to do -
unlock Xara.
all this is just guessing right now, it might as well be that the prog just compares the code we entered
to a hardcoded general unlocking code and nothing else. well, we will find out.
a few more checks
we will try to disassemble X3D.exe now, i.e. we will convert the .exe back to assembler-code in order to
view what's actually happening behind the GUI. we just have to do 2 more checks before that, which tell us if
we're actually able to disassemble the exe to its correct source-code:
1 - if the .exe is packed (compressed), we'll have to unpack it before going on.
2 - if the prog was written in Visual Basic, we can't disassemble it. VB is not a real programming language, you know?
there is more than one way to find out which language the prog was written in. the simplest one is to
just quickview the file in the windows-explorer and look at which .dlls it imports (i.e. uses). do this for
X3D.exe right now.
you'll find out that the file imports (among others) Kernel32.dll and User32.dll. bingo! this
one's written in C++, Delphi or something else, but at least NOT in VB. you can easily recognize VB-progs because
they have to import the VB-runtime-DLLs, like MSVBVM50.dll. VB progs usually don't use Kernel32.dll, only the
languages mentioned above do that.
now how do we know if the prog was packed or not? i use a tool called File Analyzer by Vadim Tarasov. (you can get
it from our tool-section). used on X3D.exe it tells us that the file is a Windows executable written in MS VC++ 5.0
(we knew that) and that it's not packed in any way. cool. we're halfway done. they can't stop us any more. really.
get yourself another cup of coffee (or a glass of martini, whatever ;) and read on.
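the import-table check above, done by hand: this is an added example, not a tool from the tutorial and not Xara's or WDasm's code. it walks a PE file's headers to the import directory, lists every imported DLL, and then applies the rule of thumb from above (VB runtime DLL present or not). the PE image it runs on is constructed inline so the script works offline; build_sample_pe, imported_dlls and classify are names chosen here. on a real file, read the bytes and pass them to imported_dlls().

```python
"""Minimal PE import-table reader: list the DLLs an .exe imports.

Added example for this tutorial, not a Xara, WDasm or File Analyzer tool.
A constructed, minimal PE32 image is embedded so the script runs offline;
on a real file call imported_dlls(open(path, "rb").read()).
"""
import struct

VB_RUNTIME_PREFIX = "MSVBVM"   # VB5/VB6 runtime DLLs are MSVBVM50.dll / MSVBVM60.dll


def _u16(buf, off):
    return struct.unpack_from("<H", buf, off)[0]


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0]


def _cstring(buf, off):
    end = buf.index(b"\0", off)
    return buf[off:end].decode("ascii", errors="replace")


def imported_dlls(data):
    """Return the DLL names in the import directory of a PE32/PE32+ image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe = _u32(data, 0x3C)                      # e_lfanew: offset of "PE\0\0"
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsections = _u16(data, pe + 6)
    opt_size = _u16(data, pe + 20)
    opt = pe + 24                              # optional header start
    magic = _u16(data, opt)
    # data directory #1 (imports) sits at +104 for PE32 and +120 for PE32+
    dir_off = opt + (104 if magic == 0x10B else 120)
    import_rva = _u32(data, dir_off)
    if import_rva == 0:
        return []
    # section table follows the optional header; it maps RVAs to file offsets
    sections = []
    for i in range(nsections):
        s = opt + opt_size + 40 * i
        vsize, va, rsize, raw = struct.unpack_from("<IIII", data, s + 8)
        sections.append((va, max(vsize, rsize), raw))

    def rva_to_off(rva):
        for va, size, raw in sections:
            if va <= rva < va + size:
                return rva - va + raw
        raise ValueError("RVA %#x not in any section" % rva)

    names = []
    desc = rva_to_off(import_rva)
    while True:                                # 20-byte IMAGE_IMPORT_DESCRIPTORs
        oft, _, _, name_rva, ft = struct.unpack_from("<IIIII", data, desc)
        if name_rva == 0 and oft == 0 and ft == 0:
            break                              # all-zero terminator
        names.append(_cstring(data, rva_to_off(name_rva)))
        desc += 20
    return names


def classify(dlls):
    """The tutorial's rule of thumb: VB runtime imported => VB program."""
    if any(d.upper().startswith(VB_RUNTIME_PREFIX) for d in dlls):
        return "Visual Basic (runtime DLL imported)"
    if any(d.upper() == "KERNEL32.DLL" for d in dlls):
        return "native (C/C++/Delphi or similar)"
    return "unknown"


def build_sample_pe(dll_names):
    """Constructed minimal PE32 image: one section holding an import table."""
    table_len = 20 * (len(dll_names) + 1)     # descriptors + null terminator
    blob = bytearray(table_len)
    name_rvas = []
    for name in dll_names:
        name_rvas.append(0x1000 + len(blob))   # the section is mapped at RVA 0x1000
        blob += name.encode() + b"\0"
    for i, name_rva in enumerate(name_rvas):
        struct.pack_into("<IIIII", blob, 20 * i, 0, 0, 0, name_rva, 0)
    raw = bytes(blob).ljust(0x200, b"\0")

    dos = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", 0x40)       # e_lfanew = 0x40
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x0102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    struct.pack_into("<I", opt, 92, 16)                             # NumberOfRvaAndSizes
    struct.pack_into("<II", opt, 104, 0x1000, table_len)            # import directory
    sect = struct.pack("<8sIIII", b".idata", len(blob), 0x1000, 0x200, 0x200).ljust(40, b"\0")
    header = (dos + coff + bytes(opt) + sect).ljust(0x200, b"\0")
    return header + raw


SAMPLE_PE = build_sample_pe(["KERNEL32.dll", "USER32.dll"])

if __name__ == "__main__":
    dlls = imported_dlls(SAMPLE_PE)
    print("imports:", ", ".join(dlls))
    print("verdict:", classify(dlls))
```

the reader only needs the import directory, so it ignores everything else in the optional header; a packed file would usually show a tiny import list (just the loader's few functions), which is a second hint that the unpacking step from above is needed before disassembling.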
disassembling
disassembling. aah. what a fabulous word. taking apart a program. nice.
now start up WDasm32. (this stands for Windows DisASseMbler; 32 means it can handle 32bit-code). Select "Disassembler |
Open file to disassemble" from the menu and open X3d.exe. WDAsm works a little bit and voilà: we're in! lying
before us is pure and naked asm-code, helpless against our searching eyes.
alright, now we have to use our brains once more. we have 13.5mb (!) of asm code, and we can't read it line by line
just until something seems suspicious to us. we will have to find the piece of code that actually tests our
unlocking-code and kind of disable this part. this is usually done in the following way:
go back to Xara3D and enter any dummy number as the unlock-code again, then press unlock software. Now they tell us
"You entered an invalid unlock code..." and they break their necks with it. they really do.
the cool thing about WDAsm is the "String references". almost every static string used in a program is listed by
this fab tool, and it even tells us WHERE this string is used. now go back to WDAsm and select Refs | String Data
References from the menu.
a new window pops up, showing us a list of all the used strings in x3d.exe. now search for "You entered an.." and
doubleclick on the item once found. WDAsm now jumps to the code-location where this string is used. cool. doubleclick
again on the string to find out the next location where this string is referenced (i.e. used). nothing happens? good.
now we know that this damn message is generated in only one place throughout the whole code.
now look at the code window: you should see something like this:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F8E4(C), :0040F8F8(C), :0040F914(C), :0040F930(C), :0040F94C(C)
|:0040F968(C), :0040F984(C), :0040F9A0(C), :0040FA0D(C)
|
:0040FAC6 6AFF push FFFFFFFF
:0040FAC8 6A10 push 00000010
* Possible Reference to String Resource ID=03005: "You entered an invalid unlock code. The program has not been"
|
:0040FACA 68BD0B0000 push 00000BBD
:0040FACF E8F3E70700 call 0048E2C7
look at the asm-code alone, it says:
:0040FAC6 6AFF push FFFFFFFF
:0040FAC8 6A10 push 00000010
:0040FACA 68BD0B0000 push 00000BBD
:0040FACF E8F3E70700 call 0048E2C7
aha. some stuff (and our string) is pushed onto the stack and then a procedure is "call"ed. this is the
way procedures with parameters are called in asm. you could read these four lines as:
showMsg("You have entered...",16,-1); (presuming that the call of 0048E2C7 is a showMsg procedure)
alright, now look at what stands directly above these 4 lines: "Referenced by blablabla..." and 9 (!)
addresses (code-locations), each marked with a "(C)". what does this mean?
these are the addresses from where the code jumps to our showMsg-procedure if a certain condition is met.
remember what we said about the testing of our unlocking code before? these ARE the tests! we're getting
closer and closer...
now look at the listed code-locations and think. do you notice anything? they're all at almost the same
position in the code. it is *VERY* likely that if we scroll up to the first address listed, we will find
some structure like this:
if (condition 1 is met) then do the "You have entered..."-call else go on.
if (condition 2 is met) then do the "You have entered..."-call else go on.
if (condition 3 is met) then ...
...
if (condition 9 is met) then do the "You have entered..."-call else go on.
(btw: this jump is called a bad guy jump. i will use this term from now on, allright?)
the protection scheme
let's see if we were right - scroll up to address 0040F8E4 and look at the code. you should see
something like this:
:0040F8E1 3958F8 cmp dword ptr [eax-08], ebx
:0040F8E4 0F85DC010000 jne 0040FAC6
aha. the dword stored at address [eax-08] is compared to the value of ebx. (first line).
then we have a "jne 0040FAC6", which means "Jump to 0040FAC6 if Not Equal" - the bad guy jump,
the first test. now what can we do? wouldn't it be great if we could tell the program to
"Jump to 0040FAC6 if Equal", i.e. to make the "jne" to a "je"? yes, this would be great... ;)
scroll down a little bit and you will see 8 more "jne"s and "je"s to 0040FAC6 - all of them do the bad
guy jump if our Unlock-Code doesn't pass a test. (a test is actually performed between two jumps).
alright, we're almost finished because we know what to do: we change the "jne"s to "je"s and vice versa.
the bad guy jump will therefore only be made if the code we entered actually passes a test successfully,
and that's very unlikely.
changing the jumps is quite easy. scroll up again to the first "jne" at address 40F8E4. the line should
be green-highlighted now. look at WDAsm's statusbar, it says:
Line 27671 pg 334 of 3912 Code Data : 0040F8E4 Offset 0000ECE4h in File X3D.exe
the interesting part is "Offset 0000ECE4h" which tells us the exact position of the first "jne" in X3d.exe.
remember this offset.
cracking (finally)
first, backup X3d.exe to X3d.bak (or whatever else), and then start up Hiew at the dos-prompt:
"hiew \path to xara\x3d.exe"
once in Hiew, press F4 and select Decode as the display mode (we don't want to see the file as
raw hex, right?), then press F5 (goto) and enter the offset WDasm told us: ECE4. you should see
something like this now:
¦ 0000ECE1: 3958F8 cmp [eax][-0008],ebx
¦ 0000ECE4: 0F85DC010000 jne 00000EEC6 -------- (2)
¦ 0000ECEA: 0FBE10 movsx edx,b,[eax]
¦ 0000ECED: 52 push edx
¦ 0000ECEE: E88D7C0500 call 000066980 -------- (3)
¦ 0000ECF3: 83C404 add esp,004
¦ 0000ECF6: 85C0 test eax,eax
¦ 0000ECF8: 0F84C8010000 je 00000EEC6 -------- (4)
¦ 0000ECFE: 8B842440010000 mov eax,[esp][000000140]
¦ 0000ED05: 0FBE4801 movsx ecx,b,[eax][00001]
¦ 0000ED09: 51 push ecx
¦ 0000ED0A: E8717C0500 call 000066980 -------- (5)
¦ 0000ED0F: 83C404 add esp,004
¦ 0000ED12: 85C0 test eax,eax
¦ 0000ED14: 0F84AC010000 je 00000EEC6 -------- (6)
¦ 0000ED1A: 8B942440010000 mov edx,[esp][000000140]
¦ 0000ED21: 0FBE4202 movsx eax,b,[edx][00002]
¦ 0000ED25: 50 push eax
¦ 0000ED26: E8557C0500 call 000066980 -------- (7)
¦ 0000ED2B: 83C404 add esp,004
¦ 0000ED2E: 85C0 test eax,eax
do you recognize the code? it's the beginning of the bad guy jumps we just saw in WDAsm...
look at the line at address ECE4, it says:
¦ 0000ECE4: 0F85DC010000 jne 00000EEC6 -------- (2)
this means that "0F85DC010000" is interpreted by your PC as "jne 0000EEC6", or, to be even more
exact: "0F85" is the "jne" and "DC010000" means "0000EEC6". nice. now if "0F85" means "jne", how
is "je" coded? look at the line ECF8 - you'll find a "je" here, coded as "0F84".
cool. we just have to change "0F85" to "0F84" and vice versa to make the prog believe it has to perform
a bad guy jump only if the unlock-code is correct! let's crack:
press F3 to enter Edit-Mode and change the first "jne" at ECE4 to "je". now press F9 to save your
changes and do the same with the next 8 bad guy jumps (the ones that jump to EEC6).
now press F10 to exit Hiew and start up the cracked version of Xara3D.
click on Purchase, enter any code (i used '123') and click on Unlock Software.
success!
no more "you entered an invalid..."-message!
no more Unlock...-entry in the help-menu!
we're regged!
we're bad!
now pat yourself on the shoulder or jump around a little bit, do whatever you want. you should be
able to crack most of the serial-number-protected shareware out there by now. be happy and keep on
trying. i'm sure you have some similar protected shareware installed - go get it. right now.
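the byte arithmetic behind '"0F85" is the "jne" and "DC010000" means "0000EEC6"', plus the check that the other side runs, as an added example that is not code from the tutorial, from Hiew or from WDasm: decode_branch() decodes a near conditional jump or call at a file offset and works out where it lands (the rel32 is relative to the end of the instruction, so ECE4 + 6 + 1DC = EEC6), and report_patches() compares a backup against the current file, the way someone checking whether an installed copy has been tampered with would compare X3d.bak to X3d.exe, and reports which bytes changed and which conditional jump was flipped. the bytes are copied from the Hiew listing in this section; the tampered copy is constructed in the script by applying the single jne-to-je change described above; decode_branch and report_patches are names chosen here.

```python
"""Decode near Jcc/call instructions and report patched bytes between two
copies of a file.

Added example, not part of the tutorial or of Hiew/WDasm. LISTING is copied
from the Hiew output on the page (file offsets ECE1..ECFD of X3D.exe);
SUSPECT is constructed here by applying the page's first jne->je change.
On real files, pass open("X3d.bak","rb").read() and open("X3d.exe","rb").read()
to report_patches().
"""

JCC = {0x84: "je", 0x85: "jne"}   # 0F 80..8F rel32 are the near conditional jumps
CALL = 0xE8                       # E8 rel32 is the near call


def decode_branch(buf, off):
    """Decode a 0F 8x rel32 Jcc or an E8 rel32 call at file offset `off`.

    Returns (mnemonic, target_offset, length), or None if no branch starts
    there.  The displacement is relative to the END of the instruction:
    ECE4 + 6 + 0x1DC = EEC6, which is the target Hiew prints.
    """
    op = buf[off]
    if op == 0x0F and 0x80 <= buf[off + 1] <= 0x8F:
        rel = int.from_bytes(buf[off + 2:off + 6], "little", signed=True)
        name = JCC.get(buf[off + 1], "jcc(%02X)" % buf[off + 1])
        return name, off + 6 + rel, 6
    if op == CALL:
        rel = int.from_bytes(buf[off + 1:off + 5], "little", signed=True)
        return "call", off + 5 + rel, 5
    return None


def report_patches(original, suspect):
    """List every differing byte run as (offset, old_bytes, new_bytes, note).

    A one-byte change right after a 0F byte is checked against decode_branch():
    if both versions decode as a Jcc, the note names the flip (jne -> je).
    That pattern is the tell-tale of a patched check.
    """
    if len(original) != len(suspect):
        raise ValueError("sizes differ: %d vs %d" % (len(original), len(suspect)))
    diffs = []
    i = 0
    while i < len(original):
        if original[i] == suspect[i]:
            i += 1
            continue
        j = i
        while j < len(original) and original[j] != suspect[j]:
            j += 1
        note = ""
        if j - i == 1 and i > 0 and original[i - 1] == 0x0F:
            before = decode_branch(original, i - 1)
            after = decode_branch(suspect, i - 1)
            if before and after:
                note = "%s -> %s (target %05X)" % (before[0], after[0], before[1])
        diffs.append((i, bytes(original[i:j]), bytes(suspect[i:j]), note))
        i = j
    return diffs


BASE = 0xECE1   # file offset of the first byte of the listing
# copied from the Hiew listing on the page: ECE1..ECFD of X3D.exe
LISTING = bytes.fromhex(
    "3958F8" "0F85DC010000" "0FBE10" "52" "E88D7C0500" "83C404" "85C0"
    "0F84C8010000"
)
# zero padding so buffer indexes equal file offsets (keeps the arithmetic honest)
ORIGINAL = bytes(BASE) + LISTING
SUSPECT = bytearray(ORIGINAL)
SUSPECT[0xECE5] = 0x84   # constructed tamper: the page's jne -> je at ECE4
SUSPECT = bytes(SUSPECT)

if __name__ == "__main__":
    for off in (0xECE4, 0xECEE, 0xECF8):
        print("%05X: %s -> %05X" % ((off,) + decode_branch(ORIGINAL, off)[:2]))
    for off, old, new, note in report_patches(ORIGINAL, SUSPECT):
        print("patched at %05X: %s -> %s  %s" % (off, old.hex(), new.hex(), note))
```

the same decoder resolves the "call 000066980" line: E8 at ECEE with rel32 0005 7C8D gives ECEE + 5 + 57C8D = 66980, which is why all three calls in the listing land on the same routine even though their rel32 bytes differ. a plain hash of the whole file (the tutorial's backup plus a comparison like this one) is enough to notice that an .exe was modified; the decoded note tells you what the modification did.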
last words
alright folks, thanks a lot for reading! i'd really appreciate any comment on this tutorial.
c'mon guys & girls, it took quite a lot of time to bring this to you, whereas writing a mail with your
opinion about it isn't that damn hard, is it? here's the email-address:
dr.seneca@gmx.net.
feedback, guys & girls, feedback!
oh, i almost forgot this very important stuff:
the coders at Xara Ltd. had a lot of work making Xara3D and they absolutely have my respect for this.
it's not ok to get their shareware, crack it and then use it any longer than you are allowed to.
if you like the program then get your ass moving and buy it! allright? thanks.
keep on learning,
seneca