Nov 23rd 1999
Tutorial #1
Win '95 PROGRAM: Win Code Reversing
by NchantA
Code Reversing For Beginners

Program Details
Program Name: mIRC v5.61
Program Type: Internet Chat Program
Location: http://www.mirc.com
Program Size: 1,216,512 bytes
Tools Used: Softice (I use v4.00)
Rating: Easy ( ) Medium ( X ) Hard ( ) Pro ( )

Violence is the last refuge of the incompetent
"Cracking is technique."
Welcome to mIRC, an Internet Relay Chat Client.
mIRC attempts to provide a user-friendly interface for use with the Internet Relay Chat network. The IRC network is a virtual meeting place where people from all over the world can meet and talk.
To IRC all you need to do is Connect to a server, Join a channel, and Chat!
Annoying and stupid nag screens. Simple protection: the serial # is based on the Name.
mIRC is a program I use a lot, so when I got a new version I decided to see
what I could do to get rid of those bugging nag screens. It took me two attempts
at cracking this program; the first time I tried, I got lost. I bungled around
in asm code for a long time before giving up in frustration. My second attempt
produced much better results, and in retrospect I think that my only problem
the first time was my entry point. The entry point into cracking a program is
important, especially for newbies. Where you start cracking a program, and how
you begin the cracking, is significant, because if you don't have an idea what's
going on when you enter the program, then it is very hard to understand what
to do next, and that is why my first attempt felt so wrong.
Many crackers, I don't think I need to mention who, feel that cracking is about
'Zen', which is a Buddhist view of life that teaches Meditation and Contemplation.
I feel that these two words explain much about cracking. Most newbies would
not understand 'Zen', but these two techniques must be learned if you are to
become a 'great' cracker. I am not being presumptuous, however; I know my cracking
ability does not rival the 'great' crackers, but with every new crack, experience,
knowledge and confidence are built upwards (the sky's the limit). Newbies must
realize this. Cracking is NOT just knowledge; cramming in 30+ tutorials a day
will NOT help. You must use these tutorials only to increase your technique
and skill in cracking. Well, enough about the highly acclaimed and often used
word 'Zen'. I think most newbies must be sick of the word. :)
On with the tutorial:
OK, first things first. W32Dasm can be used if it helps you, but I only used Softice for this crack. You got Softice loaded? OK, crack away.
First I set some breakpoints. Firstly I tried GetWindowTextA
and GetDlgItemTextA, but these resulted in nothing. No worries, I've
still got a good one up my sleeve. I set a breakpoint on hmemcpy next,
but this also resulted in nothing but a message box saying,
"Sorry, your registration name and number don't match!". It was then I decided
to change my perspective on the crack for this program and try bpx on the
message box.
Open the Registration dialog box; this is located under Help, Registration on the main menu.
Break into Softice with Control + D.
Set a breakpoint on the message box by typing: bpx MessageBoxA
Press F5 to exit Softice and type in your name in the registration dialog box. I used "NchantA" as my name and "12344321" as my serial.
Press Register! And it breaks; press F5 again and it shows the message box on the screen. Hit OK in the message box and you're back in Softice, at the end of the MessageBox call. What's this? Directly up from the message box routine is a call to SendDlgItemMessageA; maybe this is how mIRC is getting the input. I was curious about this, so I deleted the message box breakpoint with bc * and set this breakpoint: bpx SendDlgItemMessageA. F5 again and we are back at the program. Type in our nickname again (bloody program) and our fake serial # and hit Register! It worked!!! We have a good starting point for cracking this program. Let's crack this bitch.
There are two edit boxes, one for name and one for serial, so press F5 to break into the second SendDlgItemMessageA call and hit F11 to return to the caller.
:0043B610 6803E14E00 push 004EE103          <- We land here.
:0043B615 681CDD4E00 push 004EDD1C
:0043B61A E899950600 call 004A4BB8          <- Stop here, CALL #1
:0043B61F 85C0       test eax, eax          <- Tests whether eax is zero or not
:0043B621 0F849B000000 je 0043B6C2          <- Message box, badboy
* Possible StringData Ref from Data Obj ->"mirc.ini"
:0043B627 68503F4E00 push 004E3F50
Do you see? That je instruction jumps to the message box routine, so that is badboy. How do we not go to badboy? By making eax NOT equal zero when it comes out of the call above. Did you stop at the call? Good, press F8 (or 't' and Enter) to trace into the call.
Press F10 and step through the code for a while until you come to the very end:
:004A4C9A 68641F5000 push 00501F64
:004A4C9F E834FEFFFF call 004A4AD8          <- Another call! Stop here! CALL #2
:004A4CA4 85C0       test eax, eax
:004A4CA6 7407       je 004A4CAF            <- If eax = zero, jump
:004A4CA8 B801000000 mov eax, 00000001      <- If not zero, put one in eax and return (this is what we want)
:004A4CAD EB02       jmp 004A4CB1
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4CA6(C)
:004A4CAF 33C0       xor eax, eax           <- Make eax = zero
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004A4BD2(U), :004A4C3B(U), :004A4CAD(U)
:004A4CB1 5F         pop edi
:004A4CB2 5E         pop esi
:004A4CB3 5B         pop ebx
:004A4CB4 5D         pop ebp
:004A4CB5 C20800     ret 0008
Ahha! Do you see what's happening? Another call, and again a check if eax = zero, and again if eax = zero then "xor eax, eax", which makes eax = zero and in turn makes us go to BadBoy!
OK, let's trace into that call too. Press F8.
:004A4AE6 56         push esi
:004A4AE7 E8B8C20200 call 004D0DA4          <- Another call! Stop here! CALL #3
:004A4AEC 83C408     add esp, 00000008
:004A4AEF 8BD8       mov ebx, eax           <- ebx = eax
:004A4AF1 85DB       test ebx, ebx          <- So actually testing eax again for zero!!
:004A4AF3 7507       jne 004A4AFC           <- Jump if NOT equal to zero
:004A4AF5 33C0       xor eax, eax
:004A4AF7 E9B2000000 jmp 004A4BAE
... Snip Snip ...
:004A4BAE 5F         pop edi
:004A4BAF 5E         pop esi
:004A4BB0 5B         pop ebx
:004A4BB1 8BE5       mov esp, ebp
:004A4BB3 5D         pop ebp
:004A4BB4 C20800     ret 0008
A bit confusing, I know. This might help:
If after CALL #3 eax does NOT equal zero, then in CALL #2 eax will equal 1,
and then in CALL #1 eax will equal 1, so we DO NOT jump to Badboy! So all we have
to do to crack it is make sure that after CALL #3 eax DOES NOT EQUAL ZERO.
So again we must trace into a call (last one, I promise) :)
Press F8. This next call is interesting. If you step through it, you will realise that at the start it checks whether your number has a '-' sign somewhere in it. If it doesn't, it zeros eax...
So... we are getting close now. All you must do now is step out of Softice with
F5 and make sure that your number has a '-' sign somewhere in it.
I did this: name "NchantA", serial "123-4321".
OK, now click Register again and go to CALL #3. This time we step into it and continue down until, instead of jumping away, we continue and find ourselves, FINALLY, in the code comparing routine.
Continue stepping down until you see a call. It should be at this address:
:004A4B00 E817420300 call 004D8D1C
Step PAST this address with F10 and a lot of registers change. What's that in eax and edx? To find out, type:
? eax
and you will see the first part of your number, in DECIMAL form.
OK, interesting. What does it do with this, you wonder?
Keep stepping down and you will find yourself in a small loop:
:004A4B7D 0FB631     movzx esi, byte ptr [ecx]
:004A4B80 0FB679FF   movzx edi, byte ptr [ecx-01]
:004A4B84 0FAFF7     imul esi, edi
:004A4B87 0FAF348564764E00 imul esi, dword ptr [4*eax+004E7664]
:004A4B8F 03DE       add ebx, esi
:004A4B91 40         inc eax
:004A4B92 83F826     cmp eax, 00000026
:004A4B95 7E02       jle 004A4B99
:004A4B97 33C0       xor eax, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4B95(C)
:004A4B99 42         inc edx
:004A4B9A 41         inc ecx
:004A4B9B 3B55F4     cmp edx, dword ptr [ebp-0C]
:004A4B9E 7CDD       jl 004A4B7D
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004A4B7B(C)
:004A4BA0 3B5DF8     cmp ebx, dword ptr [ebp-08]   <- Stop here
This is the last compare before it exits, so what is it comparing? If you took
notice in the last call, when your number was converted to decimal, you will
know it was put in [ebp-08]. So what is it being compared to??? Type ? ebx
in Softice to see the first part of your REAL SERIAL in DECIMAL.
Write it down; mine was 4479.
Disable all breakpoints, set one on the compare, and then start again with your name and the first part of your code.
I wrote name "NchantA", serial "4479-54321".
Press Register and you break in again. Step over the compare; this time it jumps to another part of the routine to compare the second part. See if you can find where! :P
That's it from me, whew! What a big essay. I'm sorry for the length of the essay, but I wanted to show you how easy it is to get bogged down when cracking if you don't make sufficient notes. I also wanted you to realize that sometimes figuring out the criteria for the code (for example, a hyphen inside it) is just as hard as finding out the real code.
By the way, mIRC is really a very good program; if you do use it and like it, paying the author for his work is the right thing to do.
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.