(-\/\ dRaG0n´s CrAcKinG Lesson 5 /\/-)

Tools you need :
Softice V.3.X ( get it at cracking.home.ml.org & surf.to/harvestr )
W32dasm V8.X ( get it at cracking.home.ml.org & surf.to/harvestr )
Submit Wolf Pro ( swolf306.exe )
Hiew 5.xx ( get it at cracking.home.ml.org & surf.to/harvestr )
Introduction :
HeY ya ;) ... Welcome to mY cRAckInG lesSon 5 :-)
Ok .. Not much to talk about thiz target , its protection is a Name / Serial check , but a little bit difficult =)
k , LetS gO foR it !
Cracking Submit Wolf Pro with Softice :
I will do thiz in steps , so it´s easier to understand :-) .. like in the other lessons ...
Step 1 : Run Submit Wolf Pro and go to "About/Register"
Step 2 : Enter "dRag0n FFO98" as name and "777777" as dummy serial .. enter S-iCE ...
Now we´ll set the most common breakpoints .
"Bpx GetDlgItemTextA"
"Bpx GetWindowTextA"
Now leave S-iCE .
Step 3 : Press the "Ok" button and let S-iCE break ... It´ll break with
"Break due to BPX GetDlgItemTextA ... "
Step 4 : Now press "F5" to let it break again on the second (serial) box ...
Press "F11" to go to where this has been called from ;)
We´ll see the following code now !
:0040719F FFD7           call edi                          ; Not interesting call
:004071A1 8D8500FFFFFF   lea eax, dword ptr [ebp+FFFFFF00] ; Address ebp-100 -> eax
:004071A7 50             push eax                          ; Push eax on stack
:004071A8 E883A0FFFF     call 00401230                     ; Not interesting call
:004071AD 59             pop ecx                           ; Pop ecx from stack
:004071AE 8D4580         lea eax, dword ptr [ebp-80]       ; Address ebp-80 -> eax
:004071B1 50             push eax                          ; Push eax on stack
:004071B2 E879A0FFFF     call 00401230                     ; Not interesting call
:004071B7 59             pop ecx                           ; Pop ecx from stack
:004071B8 8D4580         lea eax, dword ptr [ebp-80]       ; Address ebp-80 -> eax
:004071BB 50             push eax                          ; Push eax on stack
:004071BC 8D8500FFFFFF   lea eax, dword ptr [ebp+FFFFFF00] ; Address ebp-100 -> eax
:004071C2 50             push eax                          ; Push eax on stack
:004071C3 E8568D0000     call 0040FF1E                     ; Interesting call !
:004071C8 59             pop ecx                           ; Pop ecx from stack
:004071C9 85C0           test eax, eax                     ; Is the result zero ?
:004071CB 59             pop ecx                           ; Pop ecx from stack
:004071CC 7518           jne 004071E6                      ; Jump if not equal (eax != 0) .
                                                           ; Changing this jump to
                                                           ; jump if equal would go
                                                           ; to the good buyer msg !
Step 5 : We saw above that the call to 0040FF1E (marked "Interesting call") is the
important one .. You ask WhY? ..
Cause it´s the last call to some routine before the prog decides at the jne whether
the serial is right or wrong .. We´ll trace into this call and see the following
code :-)
:0040FF1E 55             push ebp                          ; Push ebp on stack
:0040FF1F 8BEC           mov ebp, esp                      ; esp -> ebp
:0040FF21 83EC30         sub esp, 00000030                 ; esp - 30 (room for locals)
:0040FF24 8B450C         mov eax, dword ptr [ebp+0C]       ; 2nd argument -> eax :
                                                           ; thiz is our serial !
                                                           ; Do "d eax" to see it !
:0040FF27 53             push ebx                          ; Push ebx on stack
:0040FF28 56             push esi                          ; Push esi on stack
:0040FF29 57             push edi                          ; Push edi on stack
:0040FF2A 85C0           test eax, eax                     ; Is the serial pointer zero ?
:0040FF2C 7431           je 0040FF5F                       ; Jump if equal (zero)
:0040FF2E 8B5D08         mov ebx, dword ptr [ebp+08]       ; 1st argument -> ebx :
                                                           ; thiz moves our name to ebx !
                                                           ; Do "d ebx" to see it !
:0040FF31 85DB           test ebx, ebx                     ; Is the name pointer zero ?
:0040FF33 742A           je 0040FF5F                       ; Jump if equal (zero)
:0040FF35 803850         cmp byte ptr [eax], 50            ; HERE ! It compares the first
                                                           ; char of our serial with 50 ,
                                                           ; which is "P" (decimal 80) .
                                                           ; Do "? 50" to see !
:0040FF38 7506           jne 0040FF40                      ; Jump if the first char
                                                           ; wasn´t a "P"
:0040FF3A 80780157       cmp byte ptr [eax+01], 57         ; HERE ! It compares the second
                                                           ; char of our serial with 57 ,
                                                           ; which is "W" . Do "? 57" !
:0040FF3E 7426           je 0040FF66                       ; Jump if equal : the first two
                                                           ; letters were PW ! Else fall
                                                           ; through to the code below .
--> Bad Serial Msg code below
:0040FF40 8A4801         mov cl, byte ptr [eax+01]         ; Second char of serial -> cl
:0040FF43 80F934         cmp cl, 34                        ; Is it "4" ?
:0040FF46 741E           je 0040FF66
:0040FF48 80F945         cmp cl, 45                        ; Is it "E" ?
:0040FF4B 7419           je 0040FF66
:0040FF4D 8325D840420000 and dword ptr [004240D8], 00000000 ; Clear a global dword
:0040FF54 803853         cmp byte ptr [eax], 53            ; Is the first char "S" ?
:0040FF57 7506           jne 0040FF5F
:0040FF59 80780157       cmp byte ptr [eax+01], 57         ; Is the second char "W" ?
:0040FF5D 7411           je 0040FF70
:0040FF5F 33C0           xor eax, eax                      ; eax = 0 : bad serial
:0040FF61 5F             pop edi
:0040FF62 5E             pop esi
:0040FF63 5B             pop ebx
:0040FF64 C9             leave
:0040FF65 C3             ret
Step 6 : Ok ... Now press "Ctrl-D" to leave S-iCE .. Replace the serial 777777 with
PW777777 and hit OK.
Press "F5" to go to the serial box and then "F11" to go to where it was called from !
Now .. step into the call again and trace to the JE behind the compares with 50 & 57 ...
It will now jump over the bad msg box to a second check ...
You´ll see something like this :
:0040FF70 50             push eax                          ; Push eax on stack
:0040FF71 8D45E4         lea eax, dword ptr [ebp-1C]       ; Address ebp-1C -> eax
:0040FF74 50             push eax                          ; Push eax on stack
:0040FF75 E856370000     call 004136D0                     ; Not interesting call
:0040FF7A 59             pop ecx                           ; Pop ecx from stack
:0040FF7B 8D45E4         lea eax, dword ptr [ebp-1C]       ; Address ebp-1C -> eax
:0040FF7E 59             pop ecx                           ; Pop ecx from stack
:0040FF7F 6A2D           push 0000002D                     ; Push 2D on stack .. This is
                                                           ; interesting : do "? 2D" and
                                                           ; you´ll see that 2D is "-" .
:0040FF81 50             push eax                          ; Push eax on stack
:0040FF82 E8D9300000     call 00413060                     ; This checks if there´s a "-"
                                                           ; in the third place of the
                                                           ; serial .
-> Some code of call 00413060
.....
:0041306C 8B542408       mov edx, dword ptr [esp+08]       ; Our dummy serial -> edx
                                                           ; (it´s PW77777 !)
:00413070 F7C203000000   test edx, 00000003                ; Here it checks the third
                                                           ; char of the serial is a "-" ..
:00413076 7413           je 0041308B                       ; Jump if equal .. else go to
                                                           ; the bad cracker msg box ;) ....
-> End of call
:0040FF87 8BF0           mov esi, eax                      ; Result of the call -> esi
:0040FF89 59             pop ecx                           ; Pop ecx from stack
:0040FF8A 85F6           test esi, esi                     ; Is the result zero ?
:0040FF8C 59             pop ecx                           ; Pop ecx from stack
:0040FF8D 89750C         mov dword ptr [ebp+0C], esi       ; esi -> [ebp+0C]
:0040FF90 74CD           je 0040FF5F                       ; Jump if zero (no "-" found)
                                                           ; back to the bad serial exit
                                                           ; at 0040FF5F !
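To make the branch structure of Steps 5 and 6 readable as one piece, here is the prefix check (0040FF1E..0040FF5F) and the "-" check (0040FF7F..0040FF90) rewritten in C. This is an added example, not the program´s source or the author´s code; the addresses in the comments come from the listings, while the start value of the dword at 004240D8 and the bounds guard on the second char are my assumptions. Note that the listing accepts more than the "PW" the text calls out: a second char of "4" or "E" also reaches 0040FF66, and "SW" reaches 0040FF70.

```c
#include <stddef.h>
#include <string.h>

/* Addresses the prefix check branches to, taken from the listing. 0040FF66 itself
   is not shown on the page; 0040FF70 is where the "-" check continues. */
#define PASS_FF66 0x0040FF66u
#define PASS_FF70 0x0040FF70u
#define FAIL_FF5F 0x0040FF5Fu   /* xor eax,eax ; ret  -> bad serial */

/* The dword at 004240D8 that 0040FF4D clears; its starting value is an assumption. */
static unsigned int g_flag_4240D8 = 1u;

/* 0040FF1E..0040FF5D : which address does the prefix check land on ? */
unsigned int prefix_check(const char *name, const char *serial)
{
    char c0, c1;
    if (serial == NULL) return FAIL_FF5F;          /* 0040FF2A test eax,eax / je 0040FF5F */
    if (name == NULL)   return FAIL_FF5F;          /* 0040FF31 test ebx,ebx / je 0040FF5F */
    c0 = serial[0];                                /* byte ptr [eax]                      */
    c1 = (c0 != '\0') ? serial[1] : '\0';          /* byte ptr [eax+01], bounds guard added */
    if (c0 == 'P' && c1 == 'W') return PASS_FF66;  /* 0040FF35 cmp 50 / 0040FF3A cmp 57   */
    if (c1 == '4' || c1 == 'E') return PASS_FF66;  /* 0040FF43 cmp 34 / 0040FF48 cmp 45   */
    g_flag_4240D8 = 0u;                            /* 0040FF4D and [004240D8],0           */
    if (c0 == 'S' && c1 == 'W') return PASS_FF70;  /* 0040FF54 cmp 53 / 0040FF59 cmp 57   */
    return FAIL_FF5F;                              /* 0040FF5F                            */
}

/* 0040FF7F..0040FF90 : call 00413060 with 2D ("-"); a zero result jumps to 0040FF5F.
   The tutorial reads that call as "is the third char of the serial a '-' ?". */
int separator_check(const char *serial)
{
    return strlen(serial) > 2 && serial[2] == '-';
}

/* Stage the serial reaches : 0 = fails the prefix check, 1 = fails the "-" check,
   2 = reaches the name-derived comparison the tutorial reads out of edx in Step 8. */
int stage_reached(const char *name, const char *serial)
{
    if (prefix_check(name, serial) == FAIL_FF5F) return 0;
    if (!separator_check(serial)) return 1;
    return 2;
}
```

The three dummy serials the tutorial types in (777777, PW777777, PW-77777) map to stages 0, 1 and 2; how the digits after the "-" are derived from the name is not on the page, so the model stops there.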
Step 7 : Ok ... Go out with "Ctrl-D" and replace PW77777 with PW-77777 !
Hit Ok again , press "F5" to go to the serial box and "F11" to go to where it was
called from ..
Now you´ll see thiz code again !
:0040719F FFD7           call edi                          ; Not interesting call
:004071A1 8D8500FFFFFF   lea eax, dword ptr [ebp+FFFFFF00] ; Address ebp-100 -> eax
:004071A7 50             push eax                          ; Push eax on stack
:004071A8 E883A0FFFF     call 00401230                     ; Not interesting call
:004071AD 59             pop ecx                           ; Pop ecx from stack
:004071AE 8D4580         lea eax, dword ptr [ebp-80]       ; Address ebp-80 -> eax
:004071B1 50             push eax                          ; Push eax on stack
:004071B2 E879A0FFFF     call 00401230                     ; Not interesting call
:004071B7 59             pop ecx                           ; Pop ecx from stack
:004071B8 8D4580         lea eax, dword ptr [ebp-80]       ; Address ebp-80 -> eax
:004071BB 50             push eax                          ; Push eax on stack
:004071BC 8D8500FFFFFF   lea eax, dword ptr [ebp+FFFFFF00] ; Address ebp-100 -> eax
:004071C2 50             push eax                          ; Push eax on stack
:004071C3 E8568D0000     call 0040FF1E                     ; We had thiz call b4 !
:004071C8 59             pop ecx                           ; Pop ecx from stack
:004071C9 85C0           test eax, eax                     ; Is the result zero ?
:004071CB 59             pop ecx                           ; Pop ecx from stack
:004071CC 7518           jne 004071E6                      ; Jump if not equal (eax != 0) .
                                                           ; Changing this jump to
                                                           ; jump if equal would go
                                                           ; to the good buyer msg !
Step 8 : Now , after you have traced over the call 0040FF1E , do a "d edx" to see the real serial .
For me it was 197298 ... So our serial would be PW-197298 ...
You could also follow the whole thing by stepping into call 0040FF1E ... but i think
this is much faster , cause the prog doesn´t remove the serial after calculating it
.. So we can easily do "d edx" to see the serial ... ;-)
Ok , do "bd *" to disable all breakpoints and replace PW-7777 with PW-197298 ...
BoooM , NoW yoU´rE a ReGGeD uSeR ! =)
Last Words :
I think thiz was a bit harder ... but not sooo hard at all ;) ...
So ... I hope i Will c yA in LeSSon 6 some time .. hehe
L8r - dRag0n FFO98 -