This tutorial are coming from

Acid Cool 178

Tutorial Number 53

Target

Program_____________ TrayColonist v1.01

Protection___________ Name - Serial
Downlaod it at ______ www.newapps.com
Date________________ 22 June 2000

Toolz

W32Dasm
Soft Ice


Essay

Well, another program are sniffen.. I have been idle for to days now, are getting bad for tca, i want to becoma a member now soon so i have downloaded some apps to crack now... This time it will be TrayColonise Version 1.01 made by some in germany... When you have installed the program and everything are set up so in TrayColonise goto About and register, now you have to fill in your name and serial.. I wrote in this,

Name: Acid_Cool_178
Serial: 2951

and click on the ok button, now you will get one "invalid registration code" nag up, remember that message, and open the traycln.exe file in your W32Dasm and in "String Data Referenses" so will you find the string "invalid registration code" and now youn will see this code...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00478250(C)
|
:00478270 6A00                    push 00000000
:00478272 668B0DA8824700          mov cx, word ptr [004782A8]
:00478279 33D2                    xor edx, edx
* Possible StringData Ref from Code Obj ->"Invalid registration code."
                                  |
:0047827B B80C834700              mov eax, 0047830C
:00478280 E8AFA0FDFF              call 00452334

Now, this peace of code are refered by a jump at location 478250 so scroll up to that code and you will see this code..

:0047823A 83C010                  add eax, 00000010
:0047823D E8CAB7F8FF              call 00403A0C		
:00478242 A1A0294800              mov eax, dword ptr [004829A0]
:00478247 8B00                    mov eax, dword ptr [eax]
:00478249 E83A4F0000              call 0047D188			<-- Trace this call
:0047824E 84C0                    test al, al
:00478250 741E                    je 00478270		<-- The jump
:00478252 6A00                    push 00000000
:00478254 668B0DA8824700          mov cx, word ptr [004782A8]
:0047825B B202                    mov dl, 02
* Possible StringData Ref from Code Obj ->"Registration is valid."
                                  |
:0047825D B8B4824700              mov eax, 004782B4
:00478262 E8CDA0FDFF              call 00452334
:00478267 8BC3                    mov eax, ebx
:00478269 E8DA0CFDFF              call 00448F48

This are the code under the call at location 47825B

:0047D188 55                      push ebp
:0047D189 8BEC                    mov ebp, esp
:0047D18B 6A00                    push 00000000
:0047D18D 53                      push ebx
:0047D18E 33C0                    xor eax, eax
:0047D190 55                      push ebp
:0047D191 68E8D14700              push 0047D1E8
:0047D196 64FF30                  push dword ptr fs:[eax]
:0047D199 648920                  mov dword ptr fs:[eax], esp
:0047D19C 8D4DFC                  lea ecx, dword ptr [ebp-04]
:0047D19F 8B153C274800            mov edx, dword ptr [0048273C]
:0047D1A5 8B520C                  mov edx, dword ptr [edx+0C]
:0047D1A8 B887370000              mov eax, 00003787
:0047D1AD E8F6EFFFFF              call 0047C1A8
:0047D1B2 8B55FC                  mov edx, dword ptr [ebp-04]
:0047D1B5 A13C274800              mov eax, dword ptr [0048273C]
:0047D1BA 8B4010                  mov eax, dword ptr [eax+10]
:0047D1BD E8826BF8FF              call 00403D44		<-- Ready to be traced....
:0047D1C2 0F94C3                  sete bl
:0047D1C5 A13C274800              mov eax, dword ptr [0048273C]
:0047D1CA 885814                  mov byte ptr [eax+14], bl
:0047D1CD A13C274800              mov eax, dword ptr [0048273C]
:0047D1D2 33C0                    xor eax, eax
:0047D1D4 5A                      pop edx
:0047D1D5 59                      pop ecx

And here are the code from the call at 47D1BD

:00403D44 53                      push ebx
:00403D45 56                      push esi
:00403D46 57                      push edi
:00403D47 89C6                    mov esi, eax
:00403D49 89D7                    mov edi, edx
:00403D4B 39D0                    cmp eax, edx	<-- EAX = Fale Serial / EDX = Real Serial
:00403D4D 0F848F000000            je 00403DE2
:00403D53 85F6                    test esi, esi
:00403D55 7468                    je 00403DBF
:00403D57 85FF                    test edi, edi
:00403D59 746B                    je 00403DC6
:00403D5B 8B46FC                  mov eax, dword ptr [esi-04]
:00403D5E 8B57FC                  mov edx, dword ptr [edi-04]
:00403D61 29D0                    sub eax, edx
:00403D63 7702                    ja 00403D67
:00403D65 01C2                    add edx, eax

Now, we need to get to location 403D4B and look at out serial in EDX...

The Name - Serial are filled in the program now, switch back to W32Dasm and open Soft Ice and set one breakpoint at LineTo "BPX LineTo" and switch back to TrayColonist, now will Soft Ice pop up and you are in the Traycolonist Code... Clear all breakpoints and set one new breakpoint at location 478249 "BPX 478249" and close Soft Ice. Now you only need to press on the OK button and you are back in SoftIce again, But now you are here..

:0047823A 83C010                   add eax, 00000010
:0047823D E8CAB7F8FF               call 00403A0C
:00478242 A1A0294800               mov eax, dword ptr [004829A0]
:00478247 8B00                     mov eax, dword ptr [eax]
:00478249 E83A4F0000               call 0047D188
<-- You are here
:0047824E 84C0                     test al, al
:00478250 741E                     je 00478270
:00478252 6A00                     push 00000000
:00478254 668B0DA8824700          mov cx, word ptr [004782A8]
:0047825B B202                     mov dl, 02

Press on F8 to trace the call, and now you will land here..

:0047D188 55                      push ebp                <-- You are here
:0047D189 8BEC                    mov ebp, esp
:0047D18B 6A00                    push 00000000
:0047D18D 53                      push ebx
:0047D18E 33C0                    xor eax, eax
:0047D190 55                      push ebp
:0047D191 68E8D14700              push 0047D1E8
:0047D196 64FF30                  push dword ptr fs:[eax]
:0047D199 648920                  mov dword ptr fs:[eax], esp
:0047D19C 8D4DFC                  lea ecx, dword ptr [ebp-04]
:0047D19F 8B153C274800            mov edx, dword ptr [0048273C]
:0047D1A5 8B520C                  mov edx, dword ptr [edx+0C]
:0047D1A8 B887370000              mov eax, 00003787
:0047D1AD E8F6EFFFFF              call 0047C1A8
:0047D1B2 8B55FC                  mov edx, dword ptr [ebp-04]
:0047D1B5 A13C274800              mov eax, dword ptr [0048273C]
:0047D1BA 8B4010                  mov eax, dword ptr [eax+10]
:0047D1BD E8826BF8FF              call 00403D44		<-- Ready to be traced....
:0047D1C2 0F94C3                  sete bl
:0047D1C5 A13C274800              mov eax, dword ptr [0048273C]
:0047D1CA 885814                  mov byte ptr [eax+14], bl
:0047D1CD A13C274800              mov eax, dword ptr [0048273C]
:0047D1D2 33C0                    xor eax, eax
:0047D1D4 5A                      pop edx
:0047D1D5 59                      pop ecx

Now, trace down to the call and trace that one too.. You will now see the compare routine

:00403D44 53                       push ebx
:00403D45 56                       push esi
:00403D46 57                       push edi
:00403D47 89C6                     mov esi, eax
:00403D49 89D7                     mov edi, edx
:00403D4B 39D0                     cmp eax, edx
<-- EAX = Fale Serial / EDX = Real Serial
:00403D4D 0F848F000000             je 00403DE2
:00403D53 85F6                     test esi, esi
:00403D55 7468                     je 00403DBF
:00403D57 85FF                     test edi, edi
:00403D59 746B                     je 00403DC6
:00403D5B 8B46FC                   mov eax, dword ptr [esi-04]
:00403D5E 8B57FC                   mov edx, dword ptr [edi-04]
:00403D61 29D0                     sub eax, edx
:00403D63 7702                     ja 00403D67
:00403D65 01C2                     add edx, eax

Just do one "D EDX" at location 00403D4B and you will se your real serial, i saw 792af760

Now you now your serial but this compare routine works like this, it are pushin your fake serial into EAD and you real serial into EDX, and when it have checked if the serial are correct or not so are it setting up one flag...

This are taked from LaZaRuS Tutorial 37 "Assemberly For Crackers II"


     The flags:
     Flags are single bits which indicate current states of something. The flag register on
     modern 32bit CPUs is 32bit large -> There are 32 different flags, but don't worry. You
     will only need 3 of them for cracking. The Z-Flag, the O-Flag and the C-Flag. For
     cracking you need to know those flags to know if a jump is executed or not.
     The Z-Flag: The Z-Flag (zero flag) is the most useful flag for cracking. It is used in
                 about 95% of all cases. It can be set (status: 1) or cleared (status: 0)
                 by several opcodes when the last instruction that was performed has 0 as
                 result. You might wonder why "cmp" (more on this later) could set the zero
                 flag, because it compares something and has how can the result of a 
                 comparison be 0. The answer on this comes later ;)
     The O-Flag: The O-Flag (overflow flag) is used in about 4% of all cracking attempts.
                 It is set (status: 1) when the last operation changed the highest bit of the
                 register that gets the result of an operation. For example: EAX holds the 
                 value 7FFFFFFF. If you use an operation now, which increases EAX by 1 the 
                 O-Flag would be set, because the operation changed the highest bit of EAX 
                 (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert
                 hexadecimal values to binary values). 
                 Another need for the O-Flag to be set, is that the value of the destination
                 register is neither 0 before the instruction nor after it.
     The C-Flag: The C-Flag (Carry flag) is used in about 1% of all cracking attempts. It is
                 set, if you add a value to a register, so that it gets bigger than FFFFFFFF
                 or if you subtract a value, so that the register value gets smaller than 0.

I hope that you know something about the flag's now it are important for us cracker's to know.. But back to the protection system, it are setting the Z-Flag to 0, becayse the "JE" command that are jumping to the bad code at location 00478250 are checking if the Z-Flag are 0 or 1, and the Z-Flag will be 1 since the serial are fake, so it are jumping to the bad code...

Now again, i have founded something good in LaZaRuS Tutorial 37 "Assemberly For Crackers II"


     JUMPS:
     Those are the most important jumps and the condition that needs to be met, so that
     they'll be executed (Important jumps are marked with * and very important with **):
    *JA    - Jump if (unsigned) above              - CF=0 and ZF=0
     JAE   - Jump if (unsigned) above or equal     - CF=0
    *JB    - Jump if (unsigned) below              - CF=1
     JBE   - Jump if (unsigned) below or equal     - CF=1 or ZF=1
     JC    - Jump if carry flag set                - CF=1
     JCXZ  - Jump if CX is 0                       - CX=0
   **JE    - Jump if equal                         - ZF=1
     JECXZ - Jump if ECX is 0                      - ECX=0
    *JG    - Jump if (signed) greater              - ZF=0 and SF=OF (SF = Sign Flag)
    *JGE   - Jump if (signed) greater or equal     - SF=OF
    *JL    - Jump if (signed) less                 - SF != OF (!= is not)
    *JLE   - Jump if (signed) less or equal        - ZF=1 and SF != OF
   **JMP   - Jump                                  - Jumps always
     JNA   - Jump if (unsigned) not above          - CF=1 or ZF=1
     JNAE  - Jump if (unsigned) not above or equal - CF=1
     JNB   - Jump if (unsigned) not below          - CF=0
     JNBE  - Jump if (unsigned) not below or equal - CF=0 and ZF=0
     JNC   - Jump if carry flag not set            - CF=0
   **JNE   - Jump if not equal                     - ZF=0
     JNG   - Jump if (signed) not greater          - ZF=1 or SF!=OF
     JNGE  - Jump if (signed) not greater or equal - SF!=OF
     JNL   - Jump if (signed) not less             - SF=OF
     JNLE  - Jump if (signed) not less or equal    - ZF=0 and SF=OF
     JNO   - Jump if overflow flag not set         - OF=0
     JNP   - Jump if parity flag not set           - PF=0
     JNS   - Jump if sign flag not set             - SF=0
     JNZ   - Jump if not zero                      - ZF=0
     JO    - Jump if overflow flag is set          - OF=1
     JP    - Jump if parity flag set               - PF=1
     JPE   - Jump if parity is equal               - PF=1
     JPO   - Jump if parity is odd                 - PF=0
     JS    - Jump if sign flag is set              - SF=1
     JZ    - Jump if zero                          - ZF=1

And here can you se, JE will always jump if the Z-Flag are 1..

Ending

Another cracking tutorial from me, we in Hellforge still needs new member's that are some skilles.. We want someone that can work and code or write tutorials or make some good GFX..


LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO. Torn@do, ^AlX^ , AC|D, Dark Wolf, Marton and all the other i have forgotten