how 2 crack
ClipMate v5.0
by seneca of stoicForce
|
|
newbie-information
there are actually two tutorials on Clipmate 5.0 by stoicForce - the one you're reading
now targets on complete newbies. i'll put a lot of useful background-information
in here, the cracking of Clipmate is just a kind of - uhm - side-effect. ;)
the second tutorial was written by Ignatz and shows you the 'slightly advandced techniques'
of creating a key-generator for the prog.
if you've ever cracked some serial-protection all by yourself you're completely wrong
in here (go read ignatz's tut instead). if not, it'd be a good idea to read this tut first
to familiarize yourself with the target and move on to the second tut afterwards.
foreword
hi guys and girls, believe it or not, i'm writing my 2nd tutorial... a few days have
passed since i wrote my first one, and you know what? i learned a lot meanwhile.
i'm telling you this because i guess starting to crack can be - uhm - kinda depressive
sometimes. if you don't think so, just skip the next paragraph. ;)
yep, i have to admit that i was quite happy when i cracked Xara3D (my first crack ever - see
tutorial 1) coz i thought "allright, it's easy, what the heck is the fuss all about?"
man, was i wrong. i started to download one shareware-piece after the other and failed
to crack 'em. failed badly. i soon decided to do what i've should done all the time. i
decided to learn. and to read... to read great tutorials, just like this one ;).
so if you think you're stuck in cracking something, don't give up, just forget it for a while
and read some more tutorials and then try it again and be successful.
ok, enough with the babbling already, let's get to work.
i'll try to put things as clearly as i can for you and i'll try to explain what we're
doing instead of just telling you which byte to patch, allright? here we go...
brain and tools, once again
we will need a few things to complete this crack:
it's ok if you have absolutely no idea what WDasm32 is and what Hiew does, i'll explain
this later.
just be sure you download and install these tools - don't read on before you haven't.
get going...
now start up Clipmate and - doh! - the first thing those guys from thornsoft give us is nothing
else than a dumb first-time-nag-screen. read the text on the nag carefully: it says that you may
enter a registration key to turn Clipmate into a fully functional, licensed program. aha. looks like
everything depends on this key, right?
now click on Enter Registration Key, 'cause we'll try our luck. a new page pops up. allright,
they want us to enter our name and the mentionned key which are some kind of magically linked to each
other. every name has a corresponding number and vice versa. that's how they proof if we actually
bought the key or if we're just trying to enter bogus data. to be even more exact - the
registration process works as follows: you give thornsoft some money and your name, and they give you
the key corresponding to your name for it. if the program can validate the key you entered, it'll
unlock itself and stops displaying the nags etc.
now let's put it all together: how can thornsoft give you a key the program won't reject? easy: they
push your name through some crazy functions and get a unique key in return. if you give your name to
Clipmate it pushes it through exactly the same crazy functions and secretly compares the
generated key to the one you enter. if they match, you're in, if not then ... well, guess. ;)
pretty simple so far, huh?
allright, you didn't close the registration-dialog, did you? now click on Validate Key because
we want to find out who Clipmate tells us that our key was wrong. There is a problem with the
2nd or 3rd digit. aha. that's strange. that's not really what we expected.
ok, they didn't accept NO key as a valid one, that's allright, but nevertheless, the message the
give us is kinda strange. anyway, try to enter any bogus data now and click on Validate Key
again. now look at this: This Is An Invalid Name/Number Combination. that's more like it.
write down the two messages you got and light another cigarette before you continue. ;)
we're going to set up a strategy now. it's alway good to disassemble the target-program and to look
around a bit in its source, but unfortunatelly we can't always do this. i said it in my 1st tut and
i'm saying it again: we can't disassemble programs written in Visual Basic (this does by no
way mean that vb's are uncrackable, we just have to do it another way).
for those of you who don't know what disassembling means: it's turning a .exe (or .dll or whatever) back
to the corresponding Assembler-Instructions. and for those of you who don't know what Assembler (ASM) is:
it's is a very low-levelled programming language.
sure, the programmers of Clipmate didn't write their code in ASM but in some higher-levelled language,
namely VC++. the point is that we just can convert the compiled program back to ASM.
some of you might think "how the hell can this idiot say Clipmate was written in VC++? it could as well be
written in VB and he just said we can't disassemble VB's. how does he know?" good question. i don't care
if the program was written in C, C++, Visual C++ or Delphi, as long as it's NOT VB. and there are ways to
find that out. easy ways... ;)
VB is not a real programming language because most of the code executed by these programs is not stored in
the .EXEs themselfes, but in certain .DLLs (Dynamic Link Libraries). these special Libraries are
called "Visual Basic Runtimes" and they have to be imported prior to possible usage.
VB5 uses msvbvm50.dll, VB6 uses msvbvm60.dll, blah blah blah.
we just have to look if a program imports any of these DLLs and we can say if it was written in VB. now
open up the windows explorer, goto Clipmate's directory and right-click on ClipMt50.exe, then select
"Quickview". a new window pops up, showing us some information 'bout the file. scroll down a bit until
you reach a section labelled Import Table. Every DLL imported by the program is listed in here.
you'll find kernel32.dll, user32.dll and some other stuff, but actually none of the
VB-runtimes. that's good because it means that we can disassemble.
by the way: i know that Clipmate is written in VC++ because i pushed it through a File-Analyzer.
i won't go any deeper into this now, read my 1st tutorial if you're interested. (lazy me!)
taking it apart
you may close every opened window now (you'll have to cancel ClipMate's registration process to
enter the prog and to close it).
first of all, backup ClipMT50.exe (always make a backup copy in case soething goes wrong. shit
happens, believe me ;). launch W32DAsm and select Disassembler | Select File to Disassemble from
the menu. Choose ClipMT50.exe and wait for W32Dasm to finish the disassemling process (this might take a
minute or so).
we're in. the strange-lokking garbage you're seeing now is the pure asm-code of Clipmate. now choose
Disassembler | Save... from the menu to write the code to a text file, which is, by the way,
22 MB big (!).
allright, we now have to find the part of the code which processes our name and the key we entered.
doh! 22 mb of asm-code and we're searching for a few specific lines. how can we ever find those?
remember the two messages you should've written down earlier? they sure appear somewhere near the
protection scheme... now we have to know that static texts as these messages are nor really stored in
the code everywhere they're used. they are kept in the data block of the file and are only
referenced everytime they're needed. choose Refs | String Data references from the menu
to see a complete listing of all these strings. now search for the string "There is a problem with the
2nd or 3rd digit" and once found, double-click on it. WDAsm beams your right to the code-location
where this string is referenced the first time. cool. now double-click on the string again and see if
we're beamed to some other location (which would be the next one the string is used). no? allright,
this means that the string is only used once in the whole prog. we're getting somewhere...
look at WDAsm's main window: you should see something like this:
* Possible StringData Ref from Code Obj ->"There is a problem with the 2nd "
->"or 3rd digit."
|
:004D8D68 B8F88F4D00 mov eax, 004D8FF8 <-- [1] you landed here
:004D8D6D E82A12F8FF call 00459F9C
:004D8D72 E941020000 jmp 004D8FB8
aha. in the first line, [1], our string (or better: some adress containing it, namely 004D8FF8) is MOVed to
a register called eax, then a procedure located at 00459F9C is called. it's very likely that this procedure
creates and shows the dialogbox saying "There is a problem with ...". then the code JuMPs to
004D8FB8. this seems to be the place where no more actions are taken, where control is passed back to
the program as if nothing had happened. now let's see if we're right: go to this location (004D8FB8) by
placing your cursor over the line with the JuMP and pressing the right-cursor-key. zap, you're there.
if you scroll up a little bit, you'll see this:
* Possible StringData Ref from Code Obj ->"This Is An Invalid Name/Number "
->"Combination"
|
:004D8FAE B850924D00 mov eax, 004D9250 <-- [2] very interesting
:004D8FB3 E8E40FF8FF call 00459F9C <-- [3] NOT a JuMP !
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D8D72(U), :004D8DB5(U), :004D8DF8(U), :004D8FA1(U) <-- [4] even more interesting
|
:004D8FB8 33C0 xor eax, eax <-- [1] you landed here
:004D8FBA 5A pop edx
:004D8FBB 59 pop ecx
:004D8FBC 59 pop ecx
:004D8FBD 648910 mov dword ptr fs:[eax], edx
:004D8FC0 68E38F4D00 push 004D8FE3
look at location 004D8FAE [2]. they MOVe the "This is An..."-string to eax and then they call the same
procedure [3] as they did before (the one that shows us a dialogbox).
and now comes somehing very interesting: the next line of code [4] is exactly the one we JuMPed to from the
piece of code we saw before (the one where they showed us the "digit"-message ;). now look at the note
WDAsm gives us for this line:
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004D8D72(U), :004D8DB5(U), :004D8DF8(U), :004D8FA1(U)
it says that this line is (U)ncoditionally jumped to from 4 other locations.
aha. now what does this mean? looks like there were 5 different ways the porgram goes after checking the
registration-key. 4 of them are very likely to tell us we did something wrong, but one of them will actually
unlock the software for us.
doh! how the heck do i know this? it's easy, think a little bit:
we found the place in code where control seems to be passed back to the program. it's jumped to from 4 locations
(we preassume these to be the calls of dialoboxes) plus one location directly before it (this one doesn't need to
jump) makes 5 locations in sum.
what else did we find out? we already know what happens around the first of the 4 jumps and we know what happens
directly before the "back-to-program"-code, thus we know 2 of the 5 possibilities. if you take a deeper look at
WDAsm's note shown above you'll notice that the rest of the jumps (the 3 we didn't inspect so far) are located
between the 2 locations we already know. this renders things quite easy for us...
now go back to the There was a problem with...-message at 004D8D68 and scroll down until you reach
This Is An Invalid Name/Number Combination again and look at the code (especially the JuMPs!). you don't have
to understand the code, just look at it, that's enough ;). you'll see some interesting string references:
[1 ] "There is a problem with the 2nd or 3rd digit", ...jumps to 004D8FB8
[2 ] "Sorry, that is an old number form Clipmate 4", ...jumps to 004D8FB8
[3 ] "Sorry, that is an old number form Clipmate 3", ...jumps to 004D8FB8
[4a] "Software/Thornsoft/Clipmate5"
[4b] "Name"
[4c] "Registration"
[4d] "RegistrationNumber"
[4e] "Registration"
[4f] "Please Re-Start Clipmate To Restore Full
Functionallity", ...jumps to 004D8F7F (!)
[5 ] "This Is An Invalid Name/Number Combination", ...continues at 004D8FB8
damn!
we (or I, respectively) have done it all wrong! why? look at the strings 4a to 4f. they're doing something
in the registry! first (4a), they open up the key "Software/Thornsoft/Clipmate5".
then (4b & 4c) they push "Name" and "Registration" and call some procedure (look at the code).
this means they read or write a value named "Name" in a key named "Registration". aha.
they do the same with "RegistrationNumber" and "Registration" (4d & 4e). afterwards (4f),
we're asked to restartd the program to enable it's functionality.
ok. now let's think. what does this all mean?
Clipmate test our name and number and if they are ok, it writes 'em to the registry. aha. it does NOT unlock
itself at this point, it unlocks when restarted - that's the important stuff.
now try to put the things we found out together and you should finally make up the follwoing simple
conclusions:
1. we were completely wrong until now. ;)
2. that's ok, we're newbies.
3. when started, Clipmate checks if some name and number are in the registry and, if yes, read 'em and
checks 'em. if they're ok, we're registered, else we're not.
4. we have to go and find this part of code and crack it!
fine. open up the string-references window in WDAsm again and search for an item labelled
"RegistrationNumber". double-click it. you'll be beamed to the 1st a reference to the string and
that's the place we just saw - the place where they write into the registry. that's not what we're
searching for, so double-click again. you're beamed to code-location 004D982C. bingo! (note: if you'd
double-click again, you'd go back to whare you came from, so there are only two references to this string -
this means that we're at the right place!)
now look at the code and scroll down a bit. you'll see that the Name is read as well as the number and if you
scroll down a little more you'll encounter 5 jumps:
the first four jumps are conditionally jumps (4 jne's (Jump if Not Equal), the last one is unconditional. also
note that the first four jumps go to the same location in code.
let's think again: 4 conditional jumps go to location X, the last one goes to Y. i bet my arse that the first
four jumps are taken if our number is wrong (remember, we had 4 possible error-messages). if our number is
ok, none of 'em will jump, that's why the fifth, last jump will do: it's an unconditional one...
we know what do to know: we have to make sure that none of the first four jumps is taken - but how?
cracking it - at last
allright, we're going to alter clipmt50.exe now. we need to know the offset where to change something so
move your cursor in WDAsm over the first of the 5 jumps. that should be at address 004D991D. look at
WDAsm's statusbar, it says we're at offset D8D1D. write down that number.
open clipmt50.exe in Hiew, a Dos-Hex-Editor with a very special ability...
you'll have to do this in dos-mode, type "hiew <path_to_clipmate>\clipmt50.exe").
you should see the file in hex-mode now. press F4 and choose "decode" as the new display-mode and
voilá: you see nothing else than Clipmt50.exe's asm-code! cool.
Now we have to go to the offset we noted first, so press F5, enter "D8D1D" and press enter. you're
transported to the correct offset. look at the code, do you recognize it? it's just the one we saw in
WDasm.
now, here they are, the "5 jumps of interest"... hehe. we said we had to kill the first four of 'em,
right? now that is what we're going to do! we "nop" 'em out. what? "nop" stands for
"No OPeration" and is a special asm-instruction that does absolutley nothing. it's hexadecimal equivalent
is 90 - that's one byte. you can see that each jump takes 2 bytes, so we'll have to overwrite these two bytes
per jump with "9090" to kill it. easy.
press F3 to get in edit mode and place your cursor over the line with the first "jne" and enter
"9090". do the same with the next 3 "jne"'s. press F9 to update the file, i.e. to
write the changes. you should see something like this now:
¦ 000D8D1D: 90 nop <-- 1st nop's
¦ 000D8D1E: 90 nop
¦ 000D8D1F: 8D8553FFFFFF lea eax,[ebp][0FFFFFF53]
¦ 000D8D25: E8BEFBF2FF call 0000088E8 -------- (1)
¦ 000D8D2A: 83F80D cmp eax,00D
¦ 000D8D2D: 90 nop <-- 2nd nop's
¦ 000D8D2E: 90 nop
¦ 000D8D2F: 8A4703 mov al,[edi][00003]
¦ 000D8D32: 3A8556FFFFFF cmp al,[ebp][0FFFFFF56]
¦ 000D8D38: 90 nop <-- 3rd nop's
¦ 000D8D39: 90 nop
¦ 000D8D3A: 8A470C mov al,[edi][0000C]
¦ 000D8D3D: 3A855FFFFFFF cmp al,[ebp][0FFFFFF5F]
¦ 000D8D43: 90 nop <-- 4th nop's
¦ 000D8D44: 90 nop
¦ 000D8D45: A17C0D5000 mov eax,[000500D7C]
¦ 000D8D4A: C70001000000 mov d,[eax],000000001
¦ 000D8D50: EB09 jmps 0000D8D5B <-- hehehe... ;)
¦ 000D8D52: A17C0D5000 mov eax,[000500D7C]
¦ 000D8D57: 33D2 xor edx,edx
¦ 000D8D59: 8910 mov [eax],edx
¦ 000D8D5B: A17C0D5000 mov eax,[000500D7C]
¦ 000D8D60: 833800 cmp d,[eax],000
Clipmate will actually recognize you as unregistered but it can't do anything against it because it will
always take the last, fifth jump now which starts the program unlocked - in short: it's cracked!
try it. start clipmate and open the about box. it says: "registered to: A" cool, it's really regged!
but who the hell is "A"? let's try this:
start regedit and open the key "Software/Thornsoft/Clipmate5/Registration". we know Clipmate searches
for 2 entries in here: "Name" and "RegistrationNumber". allright, let's create a name:
right-click at the white space under the item labelled "First time" and choose "New | String". use
"Name" as it's name. double-click on the newly created item and enter whatever name you want.
exit Clipmate, restart it and look at the About-Box again; it's your name at last - cool
we're done!
success!
shake your hand and tap yourself on the shoulder.
last words
allright folks, thanx alot for reading! i'd really appreciate any comment on this tutorial.
c'mon guys & girls, it took quite a lot of time to bring this to you, whereas writing a mail with your
opinion about it isn't that damn hard, is it? here's the email-adress:
dr.seneca@gmx.net.
feedback, guys & girls, feedback!
oh, i almost forgot this very important stuff:
the coders at Thornsoft had a lot of work making Clipmate and they absolutely have my respect for this.
it's not ok to get their shareware, crack it and then use it any longer than you are allowed to.
if you like the program then get your ass moving and buy it! allright? thanks.
keep on learning,
seneca
|