http://kickme.to/tnt | http://death.at/tnt
  [Serials 2000 v6.0 Administration Tools Password Tutor by XASX]
  [Tutor Layout by XASX]

Date:       18 January 2000
Cracker:    XASX
App:        Serials 2000 v6.0
Appz URL:   http://serialz2000.da.ru
            http://tntpower.hotmail.ru/ser2k60.zip
Protection: Administration Tools Password Required
Tools:      SoftIce v4.x is all you need, plus a hex editor to play with the code :)

Introduction

Hi all, this is a basic tutorial dedicated/written to newbies.
I'll try to explain everything possible, giving some interesting notes and concepts.

I hope that by reading this tut you begin/improve your cracking addiction and learn some basic concepts.
This isn't a 'change 74 to EB with your hex editor and see how it works' tutor; I'll explain all the steps so a beginner finishes this crack with something new in his head :).

The target is the well-known Serials 2000 v6.0, a nice serial compilation with a really fast search engine and currently the biggest list of serials.

Get this app (if you don't have it), because it is a must-have and also you'll then apply and test this tut more easily.

Ok, let's go and see what protection this proggy has.

Xasx / TNT!

Cracking

Serials 2k has an option in the File menu, Administration Tools, that requires a PASSWORD.

The S2k protection scheme is easy to crack; I got the password after 1 min. of running it... any novice-level cracker can crack this in a moment too.

Ok, you only need one tool... which is... of course SoftIce (v3.x or 4.x).

I assume you have installed/configured SoftIce and you know how to do basic tasks such as setting a breakpoint.
If you don't know how to use SoftIce or don't have it installed, get a SoftIce tutorial, read it and then come back here :).

Now we have SoftIce ready, and Serials 2k awaiting to be cracked.

First step is to see what we've got...
A window that requires a password, and OK/Cancel buttons.

If we enter an invalid password we get a message box that says 'Incorrect Password'.

Ok, all is normal... now our 'loved' SoftIce must do some work; we want to see what happens when we click the OK button.

To do this we set a breakpoint (BPX) in SoftIce; the best choice is to break in the app when it reads the entered password. There are several possible breakpoints for this; the most used are:

  • GetDlgItemTextA
  • GetWindowTextA

Because we don't know which one will work... set both possible breakpoints in SoftIce:

Run SoftIce (CTRL+D)
bpx getdlgitemtexta
bpx getwindowtexta

Note about breakpoints:

to list all BPXs in SoftIce, write bl (BreakPoint List)
to remove all BPXs in SoftIce, write bc* (BreakPoint Clear; * = remove all set breakpoints)
to disable all BPXs in SoftIce, write bd* (BreakPoint Disable; * = disable all set breakpoints)
to enable all BPXs in SoftIce, write be* (BreakPoint Enable; * = enable all set breakpoints)
* can be replaced by a breakpoint number to enable/disable/remove just that one. Examples: be1 | bd2 | be1,2 | bc1,2

This will make SoftIce 'break' when the app reads our password.
Ok, let's test if it works... enter a password, for example:
crackisfun, and then click the OK button.

Ohhh, welcome to SoftIce :), we are one step after the call that read the password (GetWindowTextA) has been made.

First of all, look at the green bar at the bottom... we are located in USER32! code. Not useful, because it is not the Serials 2k exe. To get to our target we must go out of the calls.

Press F11 (go out of call) once to go to the return address of the current call; ok, now we are in MFC42! code. This is a DLL the app uses to run.
You can see a RET (Return) instruction... press F10 (execute next instruction) a few times to leave this call; ok, after pressing F10 on the last RET we are in Serials2k! code...
ok, only two instructions and then another RET... press F10 again to go out of this call... again in MFC42! code... press F10 again a few times until you go out of this call.

Whou, now we are in Serials2k! code... with some interesting code :)

Note: to move in the code window you must use CTRL+Up or CTRL+Down.

We can see this code:

:00403445 E8AECF0000      Call 004103F8
:0040344A 8B86E4000000    mov eax, dword ptr [esi+000000E4] | Our begin place
:00403450 8378F808        cmp dword ptr [eax-08], 00000008
:00403454 7536            jne 0040348C
:00403456 803868          cmp byte ptr [eax], 68
:00403459 7531            jne 0040348C
:0040345B 80780161        cmp byte ptr [eax+01], 61
:0040345F 752B            jne 0040348C
:00403461 80780263        cmp byte ptr [eax+02], 63
:00403465 7525            jne 0040348C
:00403467 8078036B        cmp byte ptr [eax+03], 6B
:0040346B 751F            jne 0040348C
:0040346D 80780474        cmp byte ptr [eax+04], 74
:00403471 7519            jne 0040348C
:00403473 80780568        cmp byte ptr [eax+05], 68
:00403477 7513            jne 0040348C
:00403479 80780669        cmp byte ptr [eax+06], 69
:0040347D 750D            jne 0040348C
:0040347F 80780773        cmp byte ptr [eax+07], 73
:00403483 7507            jne 0040348C
:00403485 C7466001000000  mov [esi+60], 00000001
:0040348C 8BCE            mov ecx, esi
:0040348E E8D9CD0000      Call 0041026C
:00403493 5E              pop esi
:00403494 C3              ret

STEP BY STEP CODE ANALYSIS:

Note: to advance to the next instruction in SoftIce, use F10.

I have divided this code into 2 groups... the first is this:

Ok, we begin at 0040344A. As we can see, register DS contains a number... if we entered the password 'crackisfun', then the number is 009. Hmm, our password has 9 characters... press F10 to step once.

The next instructions are:

:0040344A 8B86E4000000   mov eax, dword ptr [esi+000000E4] | Our begin place... load the pointer to the entered password (its length is kept at [eax-08])
:00403450 8378F808       cmp dword ptr [eax-08], 00000008 | Compare the password character count with 8
:00403454 7536           jne 0040348C | Jump if our password length isn't 8
:004034xx .....          ......(second group)......
:0040348C 8BCE           mov ecx, esi | offset where the jump lands...
:0040348E E8D9CD0000     Call 0041026C | unimportant call
:00403493 5E             pop esi | restore esi from the stack
:00403494 C3             ret | return from the call... bye

This instruction compares (( dword ptr [eax-08] )) with (( 8 )).

Take a look at the EAX register... do a: db eax in SoftIce to point the data window at the memory EAX points to. Ohhh!!!, we can see our password in the data window!... so s2k is comparing 'our password character count' with '8'...

After the comparison there is a JNE (Jump if Not Equal) instruction.

Then it is clear:

if 'our password character count' is not equal to '8'... the next instruction will jump to the designated offset.
if 'our password character count' is equal to '8', the next instruction will not jump and execution continues.

Hmm, our pass has 9 characters...
Then the JNE instruction will jump, yes.

Try entering an 8-character password in s2k, for example: 'tntpower', and then get back to this code again... hmm, it doesn't jump :)

Ok, now we know the correct password has 8 characters.

Second 'group' of instructions...

:00403456 803868          cmp byte ptr [eax], 68
:00403459 7531            jne 0040348C
:0040345B 80780161        cmp byte ptr [eax+01], 61
:0040345F 752B            jne 0040348C
:00403461 80780263        cmp byte ptr [eax+02], 63
:00403465 7525            jne 0040348C
:00403467 8078036B        cmp byte ptr [eax+03], 6B
:0040346B 751F            jne 0040348C
:0040346D 80780474        cmp byte ptr [eax+04], 74
:00403471 7519            jne 0040348C
:00403473 80780568        cmp byte ptr [eax+05], 68
:00403477 7513            jne 0040348C
:00403479 80780669        cmp byte ptr [eax+06], 69
:0040347D 750D            jne 0040348C
:0040347F 80780773        cmp byte ptr [eax+07], 73
:00403483 7507            jne 0040348C
:00403485 C7466001000000  mov [esi+60], 00000001
:0040348C 8BCE            mov ecx, esi
:0040348E E8D9CD0000      Call 0041026C
:00403493 5E              pop esi
:00403494 C3              ret

Ok, let's analyse these instructions... they are easy to read... 8 comparisons and 8 jump-if-not-equal.
Remember EAX points to our entered password; if we are here then our password has 8 characters, and now there are 8 comparisons :)... you don't need to think much to see what is going on here.

Yeah, every character of the entered password will be compared with some value, and if not equal it will jump to a location.

The first comparison is: (( byte ptr [eax] )) with (( 68 ))

byte ptr [eax] = the first character at EAX... EAX points to our password.
68 = ASCII code... use SoftIce to convert 68 (write ?68) and we get: 'h'.

If the first character at EAX is equal to 'h' it will not jump and continues with the next instruction...
As you can see all the comparisons are of the same style...

First comparison is: (( byte ptr [eax] )) with (( 68 ))
Second comparison is: (( byte ptr [eax+1] )) with (( 61 ))
Third comparison is: (( byte ptr [eax+2] )) with (( 63 ))
Fourth comparison is: (( byte ptr [eax+3] )) with (( 6B ))
Fifth comparison is: (( byte ptr [eax+4] )) with (( 74 ))
Sixth comparison is: (( byte ptr [eax+5] )) with (( 68 ))
Seventh comparison is: (( byte ptr [eax+6] )) with (( 69 ))
Eighth comparison is: (( byte ptr [eax+7] )) with (( 73 ))

Then the correct password is:

68(h) 61(a) 63(c) 6b(k) 74(x) 68(x) 69(x) 73(x)

x = make it yourself :)

Ok, the work is done... as you can see it has been really easy to get the correct password; only some code analysis was needed.

Now we are going to play with the code... only getting the correct password is not enough for our heads.

Playing With Code

Hmm, why always enter that password to access the menu? We can play with the code and make it accept any password... it's really easy.

As you can see, the length check and every character check have a JNE, directed to offset 0040348C.
This means that if the password is not correct, offset 00403485 is jumped over and 1 is not moved (mov) to [esi+60].

This '1' tells the app, in a later check (that we don't need to find), that the entered password is correct.

:00403483 7507            jne 0040348C
:00403485 C7466001000000  mov [esi+60], 00000001
:0040348C 8BCE            mov ecx, esi
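Before patching, here is what the disassembly above amounts to in source form, beside how the same check should be built so the password cannot be read straight out of the binary. This is an added example, not S2k's code: the 'tntpower' secret is a stand-in taken from the 8-character test string used earlier, not the real password, and the hardened variant (salted PBKDF2 digest, constant-time compare) is the standard design, not anything S2k does.

```python
import hashlib
import hmac
import os

# Stand-in for the 8-byte password the disassembly compares against. Constructed
# for this example (it is the 8-char test string from the tutor), NOT the real one.
HARDCODED = b"tntpower"


def check_as_disassembled(entered: bytes) -> bool:
    """What 00403450..00403485 does: compare the length with 8, then each byte
    in order, leaving at the first mismatch (the JNE chain). The expected bytes
    sit in the binary as immediates, so a disassembler reads them straight back."""
    if len(entered) != 8:                 # cmp dword ptr [eax-08], 8 / jne
        return False
    for i in range(8):                    # cmp byte ptr [eax+i], imm8 / jne
        if entered[i] != HARDCODED[i]:
            return False
    return True                           # mov [esi+60], 1


def make_record(password: bytes, iterations: int = 100_000) -> dict:
    """Hardened storage: keep a random salt and a PBKDF2 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


def check_hardened(entered: bytes, record: dict) -> bool:
    """Recompute the digest and compare in constant time: no length check, no
    per-character early exit, nothing in the binary that decodes to the password.
    Caveat: the result is still one flag decided on the client, so the JNE->JMP
    patch shown on this page would still work. Whatever must stay protected has
    to depend on the secret itself (e.g. as a decryption key), not on a flag."""
    candidate = hashlib.pbkdf2_hmac("sha256", entered, record["salt"], record["iterations"])
    return hmac.compare_digest(candidate, record["digest"])


if __name__ == "__main__":
    rec = make_record(HARDCODED)
    for guess in (b"crackisfun", b"tntpowe", b"tntpower"):
        print(guess, check_as_disassembled(guess), check_hardened(guess, rec))
```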

What can we do about this?... yes, there are lots of ways...

  • Overwrite all JNE instructions with NOP (nop = do-nothing instruction).

This is the dirty way... lots of bytes patched... it will work, but I think fewer patched bytes make a better crack.

  • Make the code jump directly to 00403485 (where 1 is put in [esi+60]).

This is a cleaner way... only two bytes patched.

Ok, then we'll modify the first JNE (length check) into a JMP (a JMP instruction always jumps... it isn't a conditional jump anymore) to where we want.

Original: 00403454 7536    jne 0040348C

First make your change in SoftIce (before making a real file modification) to test if all goes well.

To make the change, go to this offset (repeat the whole process, using F10 to get there).
When you are at the victim offset, write:
a

Now you are editing that offset... write the new instruction: jmp 403485 and press Enter.

Patched:  00403454 EB2F    jmp 00403485

The bytes have been changed (in memory); after that, disable all breakpoints (bd*) and continue normal execution...

Whouuu!!!!, it's working perfectly :), now s2k accepts everything we enter; of course it accepts a blank password too.

I'll give a short explanation of the file patching way...
Get a good hex editor like hiew (DOS) or UltraEdit (Windows), go to this offset and change the modified bytes.
These bytes are: Original: 75 36 | Changed: EB 2F
(You get the hexadecimal data in SoftIce.)
To go directly to the location in the file, use a virtual-address-to-file-offset converter.

Yep, you see how easy working with code is when we know what that code does.

Greets:

First of all, go to Thndrkiss for making Serials 2k: hey, I'm helping your coders to improve security for the next version...

· mr.White , mr.Black , Russ97 , Rahim , Zor , Ivanopulo , Daddy
· Biglarry , NetKing , ChosenFew , Zutphen, SoundMan
· rott , Vagante , ip| , Trevil , iNS0MNiA , iD|Victim , bigeasy
· DRinfoTHV , SiLvIuVBS , Strega , ^neo , CiRUS

· and of course all TNT! Members!!!!... ey guys u rock!

See U in next tutorial...