http://kickme.to/tnt | http://death.at/tnt

[Serials 2000 v6.0 Administration Tools Password Tutor by XASX]
[Tutor Layout by XASX]
Date: 18 January 2000
Cracker: XASX
App: Serials 2000 v6.0
App URL: http://serialz2000.da.ru and http://tntpower.hotmail.ru/ser2k60.zip
Protection: Administration Tools password required
Tools: SoftIce v4.x is all you need, plus a hex editor to play with the code :)
Introduction
Hi all, this is a basic tutorial dedicated to and written for newbies. I'll try to explain everything I can, giving some interesting notes and concepts. I hope that by reading this tut you start or improve your cracking hobby and learn some basic concepts. The target is the well-known Serials 2000 v6.0, a nice serial compilation with a really fast search engine and currently the biggest list of serials. Get this app (if you don't have it) because it is a must-have, and it will also make it easier to follow and test this tut. Ok, let's go see what protection this proggy has.
Cracking
Serials 2k has an option in the File menu, Administration Tools, that requires a PASSWORD. The S2k protection scheme is easy to crack; I got the password after 1 min. of running it... any novice-level cracker can crack this in a moment too. Ok, you only need one tool... which is... of course SoftIce (v3.x or 4.x). I assume you have SoftIce installed and configured and you know how to do basic tasks such as setting a breakpoint. So we have SoftIce ready, and Serials 2k waiting to be cracked. The first step is to see what we've got... If we enter an invalid password we get a message box that says 'Incorrect Password'. Ok, all is normal... now our 'beloved' SoftIce must do some work; we want to see what happens when we click the OK button. To do this we set a breakpoint (BPX) in SoftIce; the best choice is to break in the app when it reads the entered password. There are several possible breakpoints for this; the most commonly used are:

Because we don't know which option will work... set both possible breakpoints in SoftIce:

This will make SoftIce 'break' when the app reads our password. Ohhh, welcome to SoftIce :), we are one step after the call that reads the password (GetWindowTextA) has been made. First of all, look at the green bar at the bottom... we are in USER32! code. Not useful, because it is not the Serials 2k exe. To get into our target we must go back out through the calls. Press F11 (go out of call) once to reach the return of the current call; ok, now we are in MFC42! code. This is a DLL the app uses to run. Whoa, now we are in Serials2k! code... with some interesting code :) Note: to move in the code window you must use CTRL+Up or CTRL+Down. We can see this code:

    :00403445 E8AECF0000        call 004103F8
    :0040344A 8B86E4000000      mov eax, dword ptr [esi+000000E4]   | Our begin place
    :00403450 8378F808          cmp dword ptr [eax-08], 00000008
    :00403454 7536              jne 0040348C
    :00403456 803868            cmp byte ptr [eax], 68
    :00403459 7531              jne 0040348C
    :0040345B 80780161          cmp byte ptr [eax+01], 61
    :0040345F 752B              jne 0040348C
    :00403461 80780263          cmp byte ptr [eax+02], 63
    :00403465 7525              jne 0040348C
    :00403467 8078036B          cmp byte ptr [eax+03], 6B
    :0040346B 751F              jne 0040348C
    :0040346D 80780474          cmp byte ptr [eax+04], 74
    :00403471 7519              jne 0040348C
    :00403473 80780568          cmp byte ptr [eax+05], 68
    :00403477 7513              jne 0040348C
    :00403479 80780669          cmp byte ptr [eax+06], 69
    :0040347D 750D              jne 0040348C
    :0040347F 80780773          cmp byte ptr [eax+07], 73
    :00403483 7507              jne 0040348C
    :00403485 C7466001000000    mov [esi+60], 00000001
    :0040348C 8BCE              mov ecx, esi
    :0040348E E8D9CD0000        call 0041026C
    :00403493 5E                pop esi
    :00403494 C3                ret

STEP BY STEP CODE ANALYSIS

Note: to advance to the next instruction in SoftIce, use F10. I have divided this code into 2 groups... the first is this: ok, we begin at 0040344A. As we can see, register DS contains a number... if we entered the password 'crackisfun', then the number is 009. Hmm, our password has 9 characters... press F10 to take one step. The next instruction is:

    :0040344A 8B86E4000000      mov eax, dword ptr [esi+000000E4]   | Our begin place.. gets the password string
    :00403450 8378F808          cmp dword ptr [eax-08], 00000008    | Compare the number of password characters
    :00403454 7536              jne 0040348C                        | Jump if our password length isn't 8
    :004034xx .....             ......(second group)......
    :0040348C 8BCE              mov ecx, esi                        | offset where the jump lands...
    :0040348E E8D9CD0000        call 0041026C                       | unimportant call
    :00403493 5E                pop esi                             | restore esi
    :00403494 C3                ret                                 | return from call... bye
This instruction compares (( dword ptr [eax-08] )) with (( 8 )). Take a look at the EAX register... do a `db eax` in SoftIce to point the data window at the address held in EAX. Ohhh!!!, we can see our password in the data window!... so s2k is comparing the number of characters in our password with 8... after the comparison there is a JNE (Jump if Not Equal) instruction. So it is clear: if the number of characters in our password is not equal to 8, the next instruction will jump to the designated offset. Hmm, our pass has 9 characters... Try entering an 8-character password in s2k, for example 'tntpower', and then come back to this code again... hmm, it doesn't jump :) Ok, now we know the correct password has 8 characters.

Second 'group' of instructions...

    :00403456 803868            cmp byte ptr [eax], 68
    :00403459 7531              jne 0040348C
    :0040345B 80780161          cmp byte ptr [eax+01], 61
    :0040345F 752B              jne 0040348C
    :00403461 80780263          cmp byte ptr [eax+02], 63
    :00403465 7525              jne 0040348C
    :00403467 8078036B          cmp byte ptr [eax+03], 6B
    :0040346B 751F              jne 0040348C
    :0040346D 80780474          cmp byte ptr [eax+04], 74
    :00403471 7519              jne 0040348C
    :00403473 80780568          cmp byte ptr [eax+05], 68
    :00403477 7513              jne 0040348C
    :00403479 80780669          cmp byte ptr [eax+06], 69
    :0040347D 750D              jne 0040348C
    :0040347F 80780773          cmp byte ptr [eax+07], 73
    :00403483 7507              jne 0040348C
    :00403485 C7466001000000    mov [esi+60], 00000001
    :0040348C 8BCE              mov ecx, esi
    :0040348E E8D9CD0000        call 0041026C
    :00403493 5E                pop esi
    :00403494 C3                ret

Ok, let's analyse these instructions... they are easy to read... 8 comparisons and 8 jump-if-not-equal. Yeah, every character of the entered password is compared with some value, and if it is not equal the code jumps to a location. The first comparison is: (( byte ptr [eax] )) with (( 68 )). byte ptr [eax] is the first character at EAX... and at EAX is located our password. If the first character at EAX is equal to 'h' (68 hex) then it will not jump and will continue with the next instruction... So the correct password is:

    68(h) 61(a) 63(c) 6b(k) 74(x) 68(x) 69(x) 73(x)

x = make it yourself :)

Ok, the work is done... as you can see it has been really easy to get the correct password; only some code analysis was needed. Now we are going to play with the code... only getting the correct password is not enough for our heads.
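The check walked through above, reconstructed in C as an added example (not the author's code or the program's source), beside the shape a defender would give the same check so that a debugger walk-through like this one shows no password bytes. The 8-byte constant `kExpected` is a constructed stand-in, not the immediates in the listing; `check_original`, `check_hashed` and the FNV-1a routine are names chosen here, and FNV-1a stands in for a real password KDF only so the block runs offline.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* Reconstruction of 0040344A..00403494: [eax-08] is the string length,
 * [eax] the characters, [esi+60] the "admin unlocked" flag.
 * kExpected is a constructed stand-in for the 8 immediates in the listing. */
static const unsigned char kExpected[8] = "examp1e!";

/* Returns the value the flag at [esi+60] ends up with: 1 on success, 0 otherwise. */
int check_original(const char *entered) {
    if (strlen(entered) != 8)                 /* cmp dword ptr [eax-08], 8 / jne 0040348C */
        return 0;
    for (size_t i = 0; i < 8; i++)            /* 8 x cmp byte ptr [eax+i], imm8 / jne 0040348C */
        if ((unsigned char)entered[i] != kExpected[i])
            return 0;                         /* early exit: each step exposes one expected byte */
    return 1;                                 /* mov [esi+60], 00000001 */
}

/* FNV-1a 64-bit. Only a stand-in so the block is self-contained; a shipped
 * build would use a salted, slow KDF (PBKDF2/scrypt/Argon2) instead, since a
 * 64-bit hash of an 8-character password is cheap to brute-force offline. */
uint64_t fnv1a64(const char *s, size_t n) {
    uint64_t h = 1469598103934665603ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= (unsigned char)s[i];
        h *= 1099511628211ULL;
    }
    return h;
}

/* Hardened shape: no length precheck and no byte-by-byte compare, so neither
 * the length nor any password byte is revealed one step at a time, and the
 * binary carries only expected_digest, never the password itself.
 * Caveat the tutorial itself demonstrates: a purely client-side check is still
 * one patched jump away from accepting anything; hashing only stops the
 * password from being read straight off the debugger screen. */
int check_hashed(const char *entered, uint64_t expected_digest) {
    uint64_t got = fnv1a64(entered, strlen(entered));
    return (got ^ expected_digest) == 0;      /* single compare, no early exit */
}
```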
Playing With Code
Hmm, why always enter that password to access the menu? We can play with the code and make it accept any password... it is really easy. As you can see, the length check and every character check have a JNE directed to offset 0040348C. Only if none of them jumps does execution reach the mov [esi+60], 00000001 just before that offset. This '1' tells the app, in a later check (that we don't need to find), that the entered password is correct.

    :00403483 7507              jne 0040348C
    :00403485 C7466001000000    mov [esi+60], 00000001
    :0040348C 8BCE              mov ecx, esi

What can we do to fix this?... yes, there are lots of ways...

Ok, so we'll change the first JNE (the length check) into a JMP (a JMP instruction always jumps; it is no longer a conditional jump) to wherever we want.

Original:

    00403454 7536   jne 0040348C

First make your change in SoftIce (before making a real file modification) to test that all goes well. To make the change, go to this offset (start the whole process again, using F10 to get there). Now you are editing that offset... write the new instruction: jmp 403485 and press Enter.

Patched:

    00403454 EB2F   jmp 00403485

The bytes have been changed (in memory); after that, disable all breakpoints (bd *) and continue normal execution... whouuu!!!!, it is working perfectly :), now s2k accepts anything we enter, and of course accepts a blank password too. I'll make only a short explanation of the file patching way... Yep, you see how easy working with code is when we know what that code does.

Greets: First of all to Thndrkiss for making Serials 2k: ey, I'm helping your coders improve security for the next version... · mr.White, mr.Black, Russ97, Rahim, Zor, Ivanopulo, Daddy · and of course all TNT! members!!!!... ey guys, you rock! See you in the next tutorial...