CRACKING SERIES VOL. 5
----------------------
by : OCHE SATRIANI

[REMEMBER THE F@CKIN EDUCATIONAL PURPOSES ONLY !]
CRACK IT, BUY IT or LEAVE IT !

[TARGET] HEX WORKSHOP v 2.54   WWW.BPSOFT.COM
[SOFTICE BREAKPOINT] BPX GETWINDOWTEXTA

If you have read my other TUTS, then this one won't be HARDER for you, and it seems very INTERESTING for your CRACKING knowledge, because the purpose of this TUT is CRACKING in a FAST way. The important thing is to understand what you are dealing with; you can use the DEAD LISTING trick to do that: just find the PROTECTION SCHEME and set some BREAKPOINTS in SOFTICE, then everything is POSSIBLE !

What you have to do is: go to the REGISTRATION AREA in HEX WORKSHOP, enter some DUMMY CODE, then set the BREAKPOINT above in SOFTICE and click the REGISTER button. SOFTICE will pop up; press F11 to get to the CALLER. Finally TRACE along with F10 until you see something like this !

* Possible StringData Ref from Data Obj ->"JN11mARQ"
|
:0042627B 68E8F74700     push 0047F7E8
:00426280 8D45DC         lea eax, dword ptr [ebp-24]    -----> EAX = address of OUR CODE
:00426283 50             push eax
:00426284 E867450100     call 0043A7F0                  -----> I almost got FOOLED by this ASS HOLE, because what is inside the CALL compares our CODE with 'JN11mARQ'. If EQUAL then EAX = 0 (remember that we don't want EAX = 0), THEN it JUMPS to 004262A8.
:00426289 83C408         add esp, 00000008
:0042628C 85C0           test eax, eax
:0042628E 0F8414000000   je 004262A8
:00426294 8D45DC         lea eax, dword ptr [ebp-24]
:00426297 50             push eax
:00426298 E823110100     call 004373C0                  -----> This CALL counts the length of our CODE. Go inside this IMPORTANT CALL !
:0042629D 83C404         add esp, 00000004
:004262A0 8945EC         mov dword ptr [ebp-14], eax    -----> NOTE that [ebp-14] gets its FINAL VALUE from EAX !
:004262A3 E907000000     jmp 004262AF                   -----> That means EAX is the KEY to this STUPID PROTECTION, and EAX must contain 1 if you want it to be REGISTERED.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042628E(C)
|
:004262A8 C745EC00000000 mov [ebp-14], 00000000         -----> BAD ! WE WANT [ebp-14] = 1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004262A3(U)
|
:004262AF 837DEC00       cmp dword ptr [ebp-14], 00000000
:004262B3 0F8479000000   je 00426332                    -----> F@CKIN BAD JUMP !

Let's figure out what is inside the CALL 004373C0 !

* Referenced by a CALL at Addresses:
|:00409C7E , :00426298
|
:004373C0 83EC14         sub esp, 00000014              \
:004373C3 B9FFFFFFFF     mov ecx, FFFFFFFF               |
:004373C8 2BC0           sub eax, eax                    |
:004373CA 56             push esi                        |  Some ROUTINE to COUNT
:004373CB 8B74241C       mov esi, dword ptr [esp+1C]     |  our CODE length.
:004373CF 57             push edi                        |
:004373D0 8BFE           mov edi, esi                    |  ECX contains the length of
:004373D2 F2             repnz                           |  our CODE.
:004373D3 AE             scasb                           |
:004373D4 F7D1           not ecx                         |
:004373D6 49             dec ecx                        /
:004373D7 83F908         cmp ecx, 00000008              -----> The LENGTH of the REAL SERIAL MUST BE EQUAL TO 8. IF NOT, EAX is ZEROED and we get out of the CALL. Now go back to the REGISTRATION AREA and enter a CODE of 8 characters.
:004373DA 7408           je 004373E4
:004373DC 33C0           xor eax, eax                   -----> BAD !
:004373DE 5F             pop edi
:004373DF 5E             pop esi
:004373E0 83C414         add esp, 00000014
:004373E3 C3             ret

[CONTINUED IF OUR CODE LENGTH = 8]

Before you continue it's IMPORTANT to understand this situation: what we always want is EAX containing 00000001 when we return from the CALL, so have a look at the end of this DEAD LISTING before returning from the CALL !
:004373E4 6A0A           push 0000000A
                         (SOME JUNK HERE)
:004373FC E83FFFFFFF     call 00437340                  -----> CREATES the first 2 chars of the REAL SERIAL. You can see them by typing D ESP+10 in SOFTICE, or go inside the CALL if you don't believe me.
                         (ANOTHER JUNK HERE)
:00437425 8D742408       lea esi, dword ptr [esp+08]    -----> The first 2 chars of the REAL SERIAL
:00437429 8D4C240C       lea ecx, dword ptr [esp+0C]    -----> OUR CODE
:0043742D 51             push ecx
:0043742E E82D2D0000     call 0043A160                  -----> If you entered some STRING as the CODE, this PROC converts it to UPPERCASE. The result is EAX = OUR CODE.
:00437433 83C404         add esp, 00000004

* Possible Reference to Menu: MenuID_0002
|
* Possible Reference to String Resource ID=00002: "Hex Workshop"
|
:00437436 B902000000     mov ecx, 00000002              -----> ECX = 2 means compare only the first 2 chars
:0043743B 8BF8           mov edi, eax                   -----> EDI = OUR CODE, ESI = the REAL ONE. Look at the explanation below !
:0043743D 2BC0           sub eax, eax
:0043743F F3             repz
:00437440 A6             cmpsb
:00437441 7405           je 00437448                    -----> FINAL CHECK ! If it JUMPS then everything is fully REGISTERED, because that gives EAX = 00000001 (which is what we want when it gets out of the CALL).
:00437443 1BC0           sbb eax, eax
:00437445 83D8FF         sbb eax, FFFFFFFF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00437441(C)
|
:00437448 85C0           test eax, eax
:0043744A B800000000     mov eax, 00000000
:0043744F 7505           jne 00437456

* Possible Reference to String Resource ID=00001: "Hex Workshop Version 2.54"
|
:00437451 B801000000     mov eax, 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043744F(C)
|
:00437456 5F             pop edi
:00437457 5E             pop esi
:00437458 83C414         add esp, 00000014
:0043745B C3             ret

[EXPLAINED]

:00437436 B902000000     mov ecx, 00000002
:0043743B 8BF8           mov edi, eax
:0043743D 2BC0           sub eax, eax
:0043743F F3             repz
:00437440 A6             cmpsb
:00437441 7405           je 00437448

REPZ CMPSB compares the string at ES:[EDI] with the one at DS:[ESI]; after each comparison EDI and ESI are incremented or decremented by 1, depending on the DIRECTION FLAG. So if you entered a DUMMY Code like XXXXXXXX in the REGISTRATION, then EDI = XXXXXXXX and ESI = SY..XXXXXXXX (the chars at ESI are created by the CALL 00437340). ECX = 2 means COMPARE only 2 times; in this case COMPARE our first two chars with 'SY'. If EQUAL then it's REGISTERED ! The REAL SERIAL# is 'SYXXXXXX'. Do you see that ?

I told you before that if you understand the situation you can crack it much faster: just analyze the DEAD LISTING in W32DASM, then set a BPX GETWINDOWTEXTA and a BPX 0043743F, then TYPE D ESI. Finally you can see the REAL SN# in front of your UGLY FACE !!!!!!
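To check the reading of the listing above, here is a Python model of the routine at 004373C0 as the dead listing describes it. It is an added example, not the tutorial's code and not Hex Workshop's code; it makes the string-instruction idioms (repnz scasb as strlen, repz cmpsb as a bounded compare) and the sbb trick explicit. The 2-byte prefix that CALL 00437340 builds is not shown in the listing, so the model takes it as a parameter; the value "SY" used below is the one the tutorial reports and is an assumption here.

```python
# Added example: Python model of the checker at 004373C0 as the dead listing
# describes it. Not the tutorial's code, not Hex Workshop's code.
# Assumption: the prefix built by CALL 00437340 is passed in as real_prefix.

MASK32 = 0xFFFFFFFF


def scasb_strlen(buf: bytes) -> int:
    """mov ecx,-1 / sub eax,eax / repnz scasb / not ecx / dec ecx.

    repnz scasb scans ES:[EDI] for AL (0), decrementing ECX for every byte
    examined, the terminator included. Starting from 0xFFFFFFFF, ECX ends at
    0xFFFFFFFF - (len + 1); NOT turns that into len + 1 and DEC into len.
    """
    ecx = MASK32
    for b in buf + b"\x00":          # the buffer is NUL-terminated in memory
        ecx = (ecx - 1) & MASK32
        if b == 0:
            break
    ecx = ~ecx & MASK32              # not ecx
    return (ecx - 1) & MASK32        # dec ecx


def repz_cmpsb_result(edi: bytes, esi: bytes, ecx: int) -> int:
    """sub eax,eax / repz cmpsb / je / sbb eax,eax / sbb eax,-1 / test / mov / jne / mov.

    Returns the EAX the routine leaves at 0043745B: 1 if the first ECX bytes
    at EDI and ESI match, else 0. cmpsb sets flags from [ESI] - [EDI]; if the
    loop stops on a mismatch, the sbb pair turns CF into -1 or +1 (a strcmp
    sign), which 'test eax,eax / mov eax,0 / jne' collapses to 0.
    """
    eax = 0                          # sub eax, eax
    zf, cf = True, False
    for i in range(ecx):             # repz: repeat while ECX != 0 and ZF == 1
        zf = esi[i] == edi[i]
        cf = esi[i] < edi[i]
        if not zf:
            break
    if not zf:                       # je 00437448 not taken
        eax = -1 if cf else 0        # sbb eax, eax  -> -CF
        eax = eax + 1 - (1 if cf else 0)   # sbb eax, -1 -> -1 or +1
    # test eax,eax ; mov eax,0 ; jne 00437456 ; mov eax,1
    return 1 if eax == 0 else 0


def check_code(code: bytes, real_prefix: bytes) -> int:
    """The whole routine: 'cmp ecx,8' rejects anything but 8 bytes, the PROC
    at 0043A160 uppercases our input, and 'mov ecx,2' means only the first
    two bytes are ever compared against the prefix at ESI."""
    if scasb_strlen(code) != 8:
        return 0                     # xor eax,eax ... ret
    our_code = code.upper()          # call 0043A160
    return repz_cmpsb_result(our_code, real_prefix, 2)


if __name__ == "__main__":
    # Constructed inputs; "SY" is the prefix the tutorial reports.
    for attempt in (b"XXXXXXXX", b"syxxxxxx", b"SYXXXXX"):
        print(attempt, "->", check_code(attempt, b"SY"))
```

Running the model makes the weakness measurable: of the 8 characters the length check demands, only the first two take part in the decision, and after the uppercase PROC even their case is irrelevant, so the effective secret is two characters.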
oche_satriani@start.com.au
oblek@start.com.au

:00431BD4 8B4508         mov eax, dword ptr [ebp+08]
:00431BD7 E8EC3EFDFF     call 00405AC8
:00431BDC 3BF0           cmp esi, eax                   (4) here it compares our code with the real code
:00431BDE 0F8533010000   jne 00431D17                   in case we change this into je, the program will accept our code as correct
:00431BE4 8B45F8         mov eax, dword ptr [ebp-08]
:00431BE7 E8A819FDFF     call 00403594
:00431BEC 83F80A         cmp eax, 0000000A              here it checks if your name has more than 10 (=0A) letters
:00431BEF 0F8C22010000   jl 00431D17                    if not, bye bye cracker
:00431BF5 B201           mov dl, 01
:00431BF7 B8E8F74200     mov eax, 0042F7E8
:00431BFC E89BDCFFFF     call 0042F89C
:00431C01 8945E8         mov dword ptr [ebp-18], eax
:00431C04 33C0           xor eax, eax

So when you are at (4) [cmp esi, eax] (comparing eax with esi), type "? EAX" to see the value of eax in hex and decimal, which is the serial we entered, 12345. Then type "? ESI", which is the correct key. Two values will be created in the registry (use regedit.exe to check) under [HKEY_LOCAL_MACHINE\Software\Beyersdorf\HexDecCharEditor]: Name and Key.

Final words

I would characterize this protection scheme as weak, since you can clearly see the real serial number at the comparison routine, while it should have been hidden.
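To make that final word concrete, here is the traced scheme next to a hardened form of the same check, as an added example that is not the tutorial's code or any product's code. The serial, salt and digest are constructed for illustration. The weak form keeps the real serial in memory and compares a prefix; the hardened form ships only a salt and a SHA-256 digest, so the comparison routine holds a hash of the serial rather than the serial, and every character is checked in constant time.

```python
# Added example: the traced scheme beside a hardened one. Not the tutorial's
# code and not any product's code; all values below are constructed.
import hashlib
import hmac
import secrets
from typing import Tuple


def weak_check(entered: str, real_serial: str) -> bool:
    """What the listing above does: the real serial is built in memory next
    to our input (readable with 'D ESI'), the input is uppercased, and only
    the first two characters are compared."""
    entered = entered.upper()
    return len(entered) == 8 and entered[:2] == real_serial[:2]


def enroll(serial: str) -> Tuple[bytes, bytes]:
    """Build-time step, never shipped: keep a random salt and the SHA-256 of
    salt || normalised serial instead of the serial itself."""
    salt = secrets.token_bytes(16)
    digest = hashlib.sha256(salt + serial.upper().encode()).digest()
    return salt, digest


def hardened_check(entered: str, salt: bytes, digest: bytes) -> bool:
    """Shipped check: recompute the digest of the input and compare all of it
    in constant time. The program holds only salt and digest, so a debugger
    at the comparison sees a hash of the serial, not the serial."""
    candidate = hashlib.sha256(salt + entered.upper().encode()).digest()
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    salt, digest = enroll("SY7K2QXA")        # constructed sample serial
    for attempt in ("sy7k2qxa", "SYXXXXXX", "SY7K2QXB"):
        print(attempt,
              "weak:", weak_check(attempt, "SY7K2QXA"),
              "hardened:", hardened_check(attempt, salt, digest))
```

Note what hashing does and does not fix: it stops the real serial from being read out at the comparison and stops a two-character prefix from passing, but the accept/deny decision is still a single branch, and the cmp esi, eax listing above shows that such a branch can simply be inverted. Hiding the secret addresses the first weakness this tutorial points out, not the second.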

Oh Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for longer than the allowed period. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged. Farewell, don't come back.

 
