(-\/\ dRaG0n´s CrAcKinG Lesson 4 /\/-)

Tools you need :
Softice V.3.X ( get it at cracking.home.ml.org & surf.to/harvestr )
W32dasm V8.X ( get it at cracking.home.ml.org & surf.to/harvestr )
Chkfiles V1.5a ( get it at Click Here )
Hiew 5.xx ( get it at cracking.home.ml.org & surf.to/harvestr )
Introduction :
Hi , welcome back to Lesson 4 ;)
In thiz lesson we´ll crack Chkfiles V1.5a . A simple Name/Serial Protection :)
k .. lets go !
Cracking Chkfiles V1.5a with Softice :
I will do thiz in Steps , so its easier to Understand :-) .. like in the other Lessons ...
Step 1 : Run Chkfiles and hit Register ....
Step 2 : Enter "dRag0n FFO98" as name and "777777" as dummy serial .. enter S-iCE ...
Now we´ll set the most common Breakpoints .
"Bpx GetDlgItemTextA"
"Bpx GetWindowTextA"
Now leave S-iCE .
Step 3 : Press the "Ok" button and let S-iCE break ... We´ll break due to "BPX GetWindowTextA" ...
Step 4 : Now press "F5" to let it break again on the second (serial) box ...
Press "F11" to go to where this has been called from ;)
We´ll see the following code now !
:004011F5 E823DE0100    call 0041F01D                  ; Call to some other Code
:004011FA 85C0          test eax, eax                  ; Test if Eax is zero
:004011FC 751D          jne 0040121B                   ; Jump if not Equal to 0040121B

; --> 0040121B
:0040121B 8D4DFC        lea ecx, dword ptr [ebp-04]    ; EBP-04 -> Ecx
:0040121E 51            push ecx                       ; Push Ecx on stack
:0040121F 8D4775        lea eax, dword ptr [edi+75]    ; EDI+75 -> Eax
:00401222 50            push eax                       ; Push Eax on stack
:00401223 8D55C4        lea edx, dword ptr [ebp-3C]    ; EBP-3C -> Edx
:00401226 52            push edx                       ; Push Edx on stack
:00401227 E8807D0100    call 00418FAC                  ; Call to : Is something entered
                                                       ; or more than 20 chars .. ?
:0040122C 83C40C        add esp, 0000000C              ; Add C -> Esp (clean up the 3 pushes)
:0040122F 48            dec eax                        ; Eax - 1
:00401230 741D          je 0040124F                    ; Jump if all is right (Eax was 1) !

; --> 0040124F
:0040124F 837DFC00      cmp dword ptr [ebp-04], 00     ; Compare 00 with Ebp-04
:00401253 7520          jne 00401275                   ; Jump if not Equal ..
                                                       ; Same kind of check as above
                                                       ; If u reverse this jump with
                                                       ; "r fl z" then it goes to the wrong
                                                       ; key msg below !
:00401255 8B03          mov eax, dword ptr [ebx]       ; Mov Value [EBX] -> Eax
:00401257 6A00          push 00000000                  ; Push 00 on Stack
:00401259 6A00          push 00000000                  ; Push 00 on Stack
:0040125B 8D97A8000000  lea edx, dword ptr [edi+A8]    ; Edi+A8 -> Edx
:00401261 52            push edx                       ; Push Edx on Stack
:00401262 FF700C        push [eax+0C]                  ; Push value Eax+0C on Stack
:00401265 FF7068        push [eax+68]                  ; Push val. Eax+68 on Stack
:00401268 E858CE0000    call 0040E0C5                  ; Call to wrong key msg box

; --> 00401275
:00401275 8D4DE0        lea ecx, dword ptr [ebp-20]    ; Ebp-20 -> Ecx
:00401278 51            push ecx                       ; Push Ecx on Stack
:00401279 E854FEFFFF    call 004010D2                  ; HERE ! This call calcul. the
                                                       ; Real Serial .. If You trace
                                                       ; "F10" over it , you´ll notice
                                                       ; Eax & Edx changed ..
:0040127E 59            pop ecx                        ; Pop Stack -> Ecx
:0040127F 3B45FC        cmp eax, dword ptr [ebp-04]    ; Compare Ebp-04 ^ Eax
:00401282 7420          je 004012A4                    ; Reverse this jump , would
                                                       ; make it jump to the
                                                       ; Good Buyer msg ... !
Step 5 : So .. Trace over the Call 004010D2 , here it calculates the serial . You could press "F8" to step into it and see what it does ... But we dont need to trace in ... Just press "F10" to run / trace over thiz call .. You´ll notice the Eax & Edx Values changed to the same Number ... hmmm .. for me it was Eax & Edx = DF9EA3D2 ...
Step 6 : So a "d eax" .. shows nothing but ?? ?? ?? (Eax is not a pointer , it IS the value) ... ok ... do a "? eax" .. and you´ll get the decimal number .. for me it was 3751715794 ...
"bd *" to disable all breakpoints , ctrl-d to leave S-iCE ...
Step 7 : Now replace our dummy serial with the decimal Value we got from Eax ( 3751715794 ) ...
" Thank you for Registering .. " BoooM , we got it =)
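Why thiz check fell so easily, seen from the defender's side: the program derives the real serial itself and then does "cmp eax, [ebp-04]" / "je", so the expected value has to exist in a register at the moment of the compare (that is what "? eax" read out in Step 6), and the verdict hangs on one conditional jump. The Python below is an added example written for this page; it is not Chkfiles' code and not the lesson author's. The serial derivation is a constructed toy (not Chkfiles' real algorithm), and the signed-licence variant uses a textbook RSA toy with fixed Mersenne primes and no padding, purely to show the structure: the product ships only the public exponent, so no routine inside it can ever produce a valid serial, and there is nothing to read out of eax. Caveat: a signed licence stops recovering the serial from memory and stops keygens, but a patched "je" still works, so the branch itself needs integrity checks or server-side enforcement.

```python
import hashlib

# --- Pattern 1: the design cracked in this lesson ---------------------------
# The product derives the "real" serial from the name and compares it with
# what the user typed. The expected serial is therefore sitting in memory
# (eax in the listing) right at the compare.
# Constructed toy derivation, NOT Chkfiles' algorithm.
def derive_serial(name: str) -> int:
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "little")   # a 32-bit value, like eax

def weak_check(name: str, serial_text: str) -> bool:
    try:
        typed = int(serial_text)                    # user input as a number
    except ValueError:
        return False
    expected = derive_serial(name)                  # secret now present in memory
    return typed == expected                        # cmp eax,[ebp-04] / je

# --- Pattern 2: signed licence, the client holds only the public key --------
# Toy RSA with fixed primes and no padding (constructed for illustration;
# a real product would use RSA-PSS or Ed25519 from a vetted library).
P = 2147483647                     # 2**31 - 1 (prime)
Q = 2305843009213693951            # 2**61 - 1 (prime)
N = P * Q                          # public modulus, ships in the product
E = 65537                          # public exponent, ships in the product
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: vendor only, never shipped

def name_to_int(name: str) -> int:
    # Bind the licence to the registered name.
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % N

def vendor_issue_serial(name: str) -> str:
    # Runs at the vendor when a licence is sold; needs D.
    return format(pow(name_to_int(name), D, N), "x")

def signed_check(name: str, serial_text: str) -> bool:
    # Runs inside the product; only E and N are available here, so this
    # function can verify a serial but cannot compute one.
    try:
        sig = int(serial_text, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == name_to_int(name)

if __name__ == "__main__":
    name = "dRag0n FFO98"
    print("weak, dummy serial  :", weak_check(name, "777777"))
    print("weak, derived serial:", weak_check(name, str(derive_serial(name))))
    lic = vendor_issue_serial(name)
    print("signed, vendor serial:", signed_check(name, lic))
    print("signed, other name   :", signed_check("someone else", lic))
```

Note the asymmetry in the second pattern: `vendor_issue_serial` is the only function that needs `D`, and it never has to be compiled into the product, so tracing over the check in a debugger yields a yes/no and nothing more.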
Last Words :
So .. Now we´ve finished Lesson 4 .. i hope u enjoyed thiz lesson , as much as i did writing it :-)
Ok .. 02:33 in the morning ... my Bed is calling me .. hehe ... ok .. sEE yA iN lESSON 5 !
l8rz - dRag0n FFO98