This tutorial are coming from
Acid Cool 178
Tutorial Number 53
Target
Program_____________ TrayColonist v1.01 Protection___________ Name - Serial Downlaod it at ______ www.newapps.com Date________________ 22 June 2000
Toolz
W32Dasm
Soft Ice
Essay
Well, another program are sniffen.. I have
been idle for to days now, are getting bad for tca, i want to becoma a member now soon so
i have downloaded some apps to crack now... This time it will be TrayColonise Version 1.01
made by some in germany... When you have installed the program and everything are set up
so in TrayColonise goto About and register, now you have to fill in your name and serial..
I wrote in this,
Name: Acid_Cool_178
Serial: 2951
and click on the ok button, now you will get one "invalid registration code" nag up, remember that message, and open the traycln.exe file in your W32Dasm and in "String Data Referenses" so will you find the string "invalid registration code" and now youn will see this code...
* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00478250(C) | :00478270 6A00 push 00000000 :00478272 668B0DA8824700 mov cx, word ptr [004782A8] :00478279 33D2 xor edx, edx
* Possible StringData Ref from Code Obj ->"Invalid registration code." | :0047827B B80C834700 mov eax, 0047830C :00478280 E8AFA0FDFF call 00452334
Now, this peace of code are refered by a jump at location 478250 so scroll up to that code and you will see this code..
:0047823A 83C010 add eax, 00000010 :0047823D E8CAB7F8FF call 00403A0C :00478242 A1A0294800 mov eax, dword ptr [004829A0] :00478247 8B00 mov eax, dword ptr [eax] :00478249 E83A4F0000 call 0047D188 <-- Trace this call :0047824E 84C0 test al, al :00478250 741E je 00478270 <-- The jump :00478252 6A00 push 00000000 :00478254 668B0DA8824700 mov cx, word ptr [004782A8] :0047825B B202 mov dl, 02
* Possible StringData Ref from Code Obj ->"Registration is valid." | :0047825D B8B4824700 mov eax, 004782B4 :00478262 E8CDA0FDFF call 00452334 :00478267 8BC3 mov eax, ebx :00478269 E8DA0CFDFF call 00448F48
This are the code under the call at location 47825B
:0047D188 55 push ebp :0047D189 8BEC mov ebp, esp :0047D18B 6A00 push 00000000 :0047D18D 53 push ebx :0047D18E 33C0 xor eax, eax :0047D190 55 push ebp :0047D191 68E8D14700 push 0047D1E8 :0047D196 64FF30 push dword ptr fs:[eax] :0047D199 648920 mov dword ptr fs:[eax], esp :0047D19C 8D4DFC lea ecx, dword ptr [ebp-04] :0047D19F 8B153C274800 mov edx, dword ptr [0048273C] :0047D1A5 8B520C mov edx, dword ptr [edx+0C] :0047D1A8 B887370000 mov eax, 00003787 :0047D1AD E8F6EFFFFF call 0047C1A8 :0047D1B2 8B55FC mov edx, dword ptr [ebp-04] :0047D1B5 A13C274800 mov eax, dword ptr [0048273C] :0047D1BA 8B4010 mov eax, dword ptr [eax+10] :0047D1BD E8826BF8FF call 00403D44 <-- Ready to be traced.... :0047D1C2 0F94C3 sete bl :0047D1C5 A13C274800 mov eax, dword ptr [0048273C] :0047D1CA 885814 mov byte ptr [eax+14], bl :0047D1CD A13C274800 mov eax, dword ptr [0048273C] :0047D1D2 33C0 xor eax, eax :0047D1D4 5A pop edx :0047D1D5 59 pop ecx
And here are the code from the call at 47D1BD
:00403D44 53 push ebx :00403D45 56 push esi :00403D46 57 push edi :00403D47 89C6 mov esi, eax :00403D49 89D7 mov edi, edx :00403D4B 39D0 cmp eax, edx <-- EAX = Fale Serial / EDX = Real Serial :00403D4D 0F848F000000 je 00403DE2 :00403D53 85F6 test esi, esi :00403D55 7468 je 00403DBF :00403D57 85FF test edi, edi :00403D59 746B je 00403DC6 :00403D5B 8B46FC mov eax, dword ptr [esi-04] :00403D5E 8B57FC mov edx, dword ptr [edi-04] :00403D61 29D0 sub eax, edx :00403D63 7702 ja 00403D67 :00403D65 01C2 add edx, eax
Now, we need to get to location 403D4B and look at out serial in EDX...
The Name - Serial are filled in the program now, switch back to W32Dasm and open Soft Ice and set one breakpoint at LineTo "BPX LineTo" and switch back to TrayColonist, now will Soft Ice pop up and you are in the Traycolonist Code... Clear all breakpoints and set one new breakpoint at location 478249 "BPX 478249" and close Soft Ice. Now you only need to press on the OK button and you are back in SoftIce again, But now you are here..
:0047823A 83C010
add
eax, 00000010
:0047823D E8CAB7F8FF
call
00403A0C
:00478242 A1A0294800
mov eax,
dword ptr [004829A0]
:00478247 8B00
mov
eax, dword ptr [eax]
:00478249 E83A4F0000
call
0047D188 <-- You are here
:0047824E 84C0
test
al, al
:00478250 741E
je
00478270
:00478252 6A00
push
00000000
:00478254 668B0DA8824700 mov cx,
word ptr [004782A8]
:0047825B B202
mov
dl, 02
Press on F8 to trace the call, and now you will land here..
:0047D188 55 push ebp <-- You are here :0047D189 8BEC mov ebp, esp :0047D18B 6A00 push 00000000 :0047D18D 53 push ebx :0047D18E 33C0 xor eax, eax :0047D190 55 push ebp :0047D191 68E8D14700 push 0047D1E8 :0047D196 64FF30 push dword ptr fs:[eax] :0047D199 648920 mov dword ptr fs:[eax], esp :0047D19C 8D4DFC lea ecx, dword ptr [ebp-04] :0047D19F 8B153C274800 mov edx, dword ptr [0048273C] :0047D1A5 8B520C mov edx, dword ptr [edx+0C] :0047D1A8 B887370000 mov eax, 00003787 :0047D1AD E8F6EFFFFF call 0047C1A8 :0047D1B2 8B55FC mov edx, dword ptr [ebp-04] :0047D1B5 A13C274800 mov eax, dword ptr [0048273C] :0047D1BA 8B4010 mov eax, dword ptr [eax+10] :0047D1BD E8826BF8FF call 00403D44 <-- Ready to be traced.... :0047D1C2 0F94C3 sete bl :0047D1C5 A13C274800 mov eax, dword ptr [0048273C] :0047D1CA 885814 mov byte ptr [eax+14], bl :0047D1CD A13C274800 mov eax, dword ptr [0048273C] :0047D1D2 33C0 xor eax, eax :0047D1D4 5A pop edx :0047D1D5 59 pop ecx
Now, trace down to the call and trace that one too.. You will now see the compare routine
:00403D44 53
push
ebx
:00403D45 56
push
esi
:00403D46 57
push
edi
:00403D47 89C6
mov
esi, eax
:00403D49 89D7
mov
edi, edx
:00403D4B 39D0
cmp
eax, edx <-- EAX = Fale Serial / EDX =
Real Serial
:00403D4D 0F848F000000
je 00403DE2
:00403D53 85F6
test
esi, esi
:00403D55 7468
je
00403DBF
:00403D57 85FF
test
edi, edi
:00403D59 746B
je
00403DC6
:00403D5B 8B46FC
mov
eax, dword ptr [esi-04]
:00403D5E 8B57FC
mov
edx, dword ptr [edi-04]
:00403D61 29D0
sub
eax, edx
:00403D63 7702
ja
00403D67
:00403D65 01C2
add
edx, eax
Just do one "D EDX" at location 00403D4B and you will se your real serial, i saw 792af760
Now you now your serial but this compare routine works like this, it are pushin your fake serial into EAD and you real serial into EDX, and when it have checked if the serial are correct or not so are it setting up one flag...
This are taked from LaZaRuS Tutorial 37 "Assemberly For Crackers II"
The flags:
Flags are single bits which indicate current states of something. The flag register on modern 32bit CPUs is 32bit large -> There are 32 different flags, but don't worry. You will only need 3 of them for cracking. The Z-Flag, the O-Flag and the C-Flag. For cracking you need to know those flags to know if a jump is executed or not.
The Z-Flag: The Z-Flag (zero flag) is the most useful flag for cracking. It is used in about 95% of all cases. It can be set (status: 1) or cleared (status: 0) by several opcodes when the last instruction that was performed has 0 as result. You might wonder why "cmp" (more on this later) could set the zero flag, because it compares something and has how can the result of a comparison be 0. The answer on this comes later ;)
The O-Flag: The O-Flag (overflow flag) is used in about 4% of all cracking attempts. It is set (status: 1) when the last operation changed the highest bit of the register that gets the result of an operation. For example: EAX holds the value 7FFFFFFF. If you use an operation now, which increases EAX by 1 the O-Flag would be set, because the operation changed the highest bit of EAX (which is not set in 7FFFFFFF, but set in 80000000 - use calc.exe to convert hexadecimal values to binary values). Another need for the O-Flag to be set, is that the value of the destination register is neither 0 before the instruction nor after it.
The C-Flag: The C-Flag (Carry flag) is used in about 1% of all cracking attempts. It is set, if you add a value to a register, so that it gets bigger than FFFFFFFF or if you subtract a value, so that the register value gets smaller than 0.
I hope that you know something about the flag's now it are important for us cracker's to know.. But back to the protection system, it are setting the Z-Flag to 0, becayse the "JE" command that are jumping to the bad code at location 00478250 are checking if the Z-Flag are 0 or 1, and the Z-Flag will be 1 since the serial are fake, so it are jumping to the bad code...
Now again, i have founded something good in LaZaRuS Tutorial 37 "Assemberly For Crackers II"
JUMPS: Those are the most important jumps and the condition that needs to be met, so that they'll be executed (Important jumps are marked with * and very important with **):
*JA - Jump if (unsigned) above - CF=0 and ZF=0 JAE - Jump if (unsigned) above or equal - CF=0 *JB - Jump if (unsigned) below - CF=1 JBE - Jump if (unsigned) below or equal - CF=1 or ZF=1 JC - Jump if carry flag set - CF=1 JCXZ - Jump if CX is 0 - CX=0 **JE - Jump if equal - ZF=1 JECXZ - Jump if ECX is 0 - ECX=0 *JG - Jump if (signed) greater - ZF=0 and SF=OF (SF = Sign Flag) *JGE - Jump if (signed) greater or equal - SF=OF *JL - Jump if (signed) less - SF != OF (!= is not) *JLE - Jump if (signed) less or equal - ZF=1 and SF != OF **JMP - Jump - Jumps always JNA - Jump if (unsigned) not above - CF=1 or ZF=1 JNAE - Jump if (unsigned) not above or equal - CF=1 JNB - Jump if (unsigned) not below - CF=0 JNBE - Jump if (unsigned) not below or equal - CF=0 and ZF=0 JNC - Jump if carry flag not set - CF=0 **JNE - Jump if not equal - ZF=0 JNG - Jump if (signed) not greater - ZF=1 or SF!=OF JNGE - Jump if (signed) not greater or equal - SF!=OF JNL - Jump if (signed) not less - SF=OF JNLE - Jump if (signed) not less or equal - ZF=0 and SF=OF JNO - Jump if overflow flag not set - OF=0 JNP - Jump if parity flag not set - PF=0 JNS - Jump if sign flag not set - SF=0 JNZ - Jump if not zero - ZF=0 JO - Jump if overflow flag is set - OF=1 JP - Jump if parity flag set - PF=1 JPE - Jump if parity is equal - PF=1 JPO - Jump if parity is odd - PF=0 JS - Jump if sign flag is set - SF=1 JZ - Jump if zero - ZF=1
And here can you se, JE will always jump if the Z-Flag are 1..
Ending
Another cracking tutorial from me, we in Hellforge still needs new member's that are some skilles.. We want someone that can work and code or write tutorials or make some good GFX..
LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO. Torn@do, ^AlX^ , AC|D, Dark Wolf, Marton and all the other i have forgotten