(-\/\ dRaG0n´s CrAcKinG Lesson 4 /\/-)

Tools you need :

Softice V.3.X      ( get it at cracking.home.ml.org & surf.to/harvestr)

W32dasm V8.X       ( get it at cracking.home.ml.org & surf.to/harvestr)

Chkfiles V1.5a

Hiew 5.xx          ( get it at cracking.home.ml.org & surf.to/harvestr )

Introduction :

Hi, welcome back to Lesson 4 ;)

In thiz lesson we´ll crack Chkfiles V1.5a, a simple Name/Serial protection :)

k .. let's go !

Cracking Chkfiles V1.5a with Softice :

I will do thiz in steps, so it's easier to understand :-) .. like in the other lessons ...

Step 1 :  Run Chkfiles and hit Register ....

Step 2 :  Enter "dRag0n FFO98" as name and "777777" as dummy serial .. enter S-iCE ...
          Now we´ll set the most common breakpoints .

          "Bpx GetDlgItemTextA"
          "Bpx GetWindowTextA"

          Now leave S-iCE .

Step 3 :  Press the "Ok" button and let S-iCE break ... It will break due to
          "BPX GetWindowTextA" ...

Step 4 :  Now press "F5" to let it break again on the second (serial) box ...
          Press "F11" to go to where this has been called from ;)

          We´ll see the following code now !

           :004011F5 E823DE0100        call 0041F01D                 ; Call to some other code
           :004011FA 85C0              test eax, eax                 ; Test if Eax is zero
           :004011FC 751D              jne 0040121B                  ; Jump if not zero to 0040121B
                                                                     ; --> 0040121B
           :0040121B 8D4DFC            lea ecx, dword ptr [ebp-04]   ; EBP-04 -> Ecx
           :0040121E 51                push ecx                      ; Push Ecx on stack
           :0040121F 8D4775            lea eax, dword ptr [edi+75]   ; EDI+75 -> Eax
           :00401222 50                push eax                      ; Push Eax on stack
           :00401223 8D55C4            lea edx, dword ptr [ebp-3C]   ; EBP-3C -> Edx
           :00401226 52                push edx                      ; Push Edx on stack
           :00401227 E8807D0100        call 00418FAC                 ; Call to : Is something entered
                                                                     ; or more than 20 chars .. ?
           :0040122C 83C40C            add esp, 0000000C             ; Add C -> Esp (remove the 3 args)
           :0040122F 48                dec eax                       ; Eax - 1
           :00401230 741D              je 0040124F                   ; Jump if all is right (Eax was 1)
                                                                     ; --> 0040124F
           :0040124F 837DFC00          cmp dword ptr [ebp-04], 00    ; Compare Ebp-04 with 00
           :00401253 7520              jne 00401275                  ; Jump if NOT equal (something was
                                                                     ; entered) .. If u reverse this jump
                                                                     ; with "r fl z" it falls through to
                                                                     ; the wrong key msg below !
           :00401255 8B03              mov eax, dword ptr [ebx]      ; Mov value [EBX] -> Eax
           :00401257 6A00              push 00000000                 ; Push 00 on stack
           :00401259 6A00              push 00000000                 ; Push 00 on stack
           :0040125B 8D97A8000000      lea edx, dword ptr [edi+A8]   ; EDI+A8 -> Edx
           :00401261 52                push edx                      ; Push Edx on stack
           :00401262 FF700C            push [eax+0C]                 ; Push value [Eax+0C] on stack
           :00401265 FF7068            push [eax+68]                 ; Push value [Eax+68] on stack
           :00401268 E858CE0000        call 0040E0C5                 ; Call to wrong key msg box
                                                                     ; --> 00401275
           :00401275 8D4DE0            lea ecx, dword ptr [ebp-20]   ; EBP-20 -> Ecx
           :00401278 51                push ecx                      ; Push Ecx on stack
           :00401279 E854FEFFFF        call 004010D2                 ; HERE ! This call calculates the
                                                                     ; real serial .. If you trace "F10"
                                                                     ; over it , you´ll notice Eax & Edx
                                                                     ; changed ..
           :0040127E 59                pop ecx                       ; Pop stack -> Ecx
           :0040127F 3B45FC            cmp eax, dword ptr [ebp-04]   ; Compare Eax with Ebp-04
           :00401282 7420              je 004012A4                   ; Reversing this jump would make it
                                                                     ; go to the Good Buyer msg ... !

Step 5 : So .. the call 004010D2 is where the serial gets calculated . You could press "F8"
         to trace into it and see what it does, but we don't need to ... just press "F10"
         to step over thiz call .. You´ll notice the Eax & Edx values changed to the same
         number ... hmmm .. for me it was Eax & Edx = DF9EA3D2 ...

Step 6 : So a "d eax" shows nothing useful, just ?? ?? ?? , because Eax holds a number and
         not a pointer ... ok ... do a

         "? eax" .. and you´ll get the value in decimal .. for me it was 3751715794 ...

         "bd *" to disable all breakpoints , ctrl-d to leave S-iCE ...

Step 7 : Now replace our dummy serial with the decimal value we got from Eax ( 3751715794 )

         "Thank you for Registering .." BoooM , we got it =)
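Added example (not from the original lesson and not Chkfiles' own code): a C reconstruction of the flow from 0040121B to 00401282 in Step 4, so the three checks of Steps 4 to 7 read as plain code. derive_serial is a made-up stand-in for the call at 004010D2 (the lesson never shows that routine's body), field_ok follows the comment on the call at 00418FAC (something entered, at most 20 chars), and the serial is parsed as decimal because that is how the "? eax" value gets typed back in Step 7. The weakness the lesson relies on is visible in one line: the reference value is computed inside the program and compared with a single je, so a debugger reads it straight out of Eax.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcomes, one per exit of the listing in Step 4. */
enum { RESULT_BAD_INPUT = 0, RESULT_WRONG_KEY = 1, RESULT_REGISTERED = 2 };

/* Hypothetical stand-in for the routine at 004010D2. The lesson never shows
 * that routine's body; this derivation is constructed so the program runs.
 * Only its shape matters: name in, 32-bit reference serial out (Eax). */
uint32_t derive_serial(const char *name)
{
    uint32_t h = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        h = h * 31u + *p;      /* constructed; wraps at 32 bits like Eax */
    return h;
}

/* Stand-in for the call at 00418FAC ("is something entered, or more than
 * 20 chars?"). Returns 1 when the field is acceptable: the listing does
 * dec eax / je, i.e. it continues only when the call returned 1. */
int field_ok(const char *s)
{
    size_t n = strlen(s);
    return (n > 0 && n <= 20) ? 1 : 0;
}

/* Reconstruction of 0040121B .. 00401282. */
int check_registration(const char *name, const char *serial_text)
{
    /* 00401227 .. 00401230: call ; dec eax ; je 0040124F */
    if (field_ok(name) != 1)
        return RESULT_BAD_INPUT;   /* je not taken; that path is not in the listing */

    /* [ebp-04] holds the entered serial as a number. "? eax" prints the
     * reference in decimal and Step 7 types it back in, so parse base 10. */
    uint32_t entered = (uint32_t)strtoul(serial_text, NULL, 10);

    /* 0040124F / 00401253: cmp [ebp-04],0 ; jne 00401275 */
    if (entered == 0)
        return RESULT_WRONG_KEY;   /* falls through to the wrong key msg box */

    /* 00401279: call 004010D2 leaves the real serial in Eax */
    uint32_t real = derive_serial(name);

    /* 0040127F / 00401282: cmp eax,[ebp-04] ; je 004012A4
     * The whole protection rests on this compare: the reference sits in a
     * register and the decision is one conditional jump. */
    if (real == entered)
        return RESULT_REGISTERED;
    return RESULT_WRONG_KEY;
}

const char *result_text(int r)
{
    switch (r) {
    case RESULT_REGISTERED: return "Thank you for Registering ..";
    case RESULT_WRONG_KEY:  return "wrong key";
    default:                return "bad input";
    }
}

int main(void)
{
    /* Constructed inputs: the lesson's name with the dummy serial, then the
     * value derive_serial() produces, entered in decimal as in Step 7. */
    const char *name = "dRag0n FFO98";
    char serial[16];
    printf("%s / 777777 -> %s\n", name,
           result_text(check_registration(name, "777777")));
    snprintf(serial, sizeof serial, "%u", (unsigned)derive_serial(name));
    printf("%s / %s -> %s\n", name, serial,
           result_text(check_registration(name, serial)));
    return 0;
}
```

Build with cc -o chk chk.c and run it. For anyone writing such a check rather than reading one: any scheme of this shape (derive the reference locally, compare once) hands the reference to whoever runs the program under a debugger, no matter how involved the derivation is. The usual fix is to verify something the client cannot produce on its own, such as a signature over the name checked with a public key only, rather than recomputing the serial on the client.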

Last Words :

So .. now we´ve finished Lesson 4 .. i hope u enjoyed thiz lesson as much as i did writing it :-)

Ok .. 02:33 in the morning ... my Bed is calling me .. hehe ... ok .. sEE yA iN lESSON 5 !

l8rz  -  dRag0n FFO98