:::::::::::::::::::::::::: mEX/c4N TUTORIAL DIVISION :::::::::::::::::::::::::
Author : Vizion
Level : newbie ( ) - intermediate (x) - advanced ( )
Tools : SoftIce, W32Dasm
Target : GlobeTime v1.21 (http://www.powerup.com.au/~marver)
Topic : keyfile
Remark : AOTW-0298
------------------------------------------------------------------------------
Hi! Welcome to another of my tutorials. I hope that just like the others this
one will help you a bit in achieving that level of cracking knowledge you
always dreamed of ;)...
The target we'll crack in this tute uses a more difficult form of the well
known S/N protection, called a keyfile. A keyfile is mostly a plain text file
containing all the information needed to register the program. In some cases
the keyfile can be encrypted (see CuteFTP v2.0), it can contain one or more
lines, numbers, strings... A keyfile needs to be placed into the directory
the target is located in.
But first lets take a quick look at the target. Run the program and try to
register it. Check help files, read.me files to find out how to register the
program. When you exit the program you'll get a nag screen. If you read the
help files you'll notice that the author will mail you the unlock code once
you paid - so there got to be another way to inform the program that you're
a registered user. This can be done true the registry or by using key files.
In most cases you can easily find out if the target needs a keyfile to be
registered. Using a program like filemon.exe (www.ntinternals.com) will show
you very quickly if keyfiles are used. Another way is using string references
in W32Dasm,
* Possible StringData Ref from Code Obj ->"REG.KEY" ; name of keyfile
|
:0044A233 BAB0A34400 mov edx, 0044A3B0 ;
:0044A24E E879CEFBFF call 004070CC ; find, open file
:0044A253 84C0 test al, al ; file found?
:0044A255 0F84FB000000 je 0044A356 ; jump if not there...
Ok, like in most cases, this target uses a very obvious name for the keyfile
it needs. And believe me, xxxxxxxx.key is used A LOT...
Now we need to find out what is read from the keyfile. This can be quite
difficult to find out. But this makes it fun, doesn't it ;)... In some cases
API calls like GetPrivateProfileString are used but in our case we'll have to
use a little bit of ZEN - I found out what the keyfile needs by studying the
target and the validation part. It's time to create or first keyfile. Create
a plain text file containing one line with a number - try 1212121212 - and
save it with 'REG.KEY' as name. Run the program. You'll get an error message
box, all it says is that "nothing is not an integer" - so lets add a second
line to the keyfile, try 3434343434, and run again. Same error again, so add
a third line, 5656565656. Run again, now we get "5656565656 is not an
integer". So lets change the third line to 56565656 and run the target once
more. No errors should occur - BUT you still get the reminder nag when you
exit the program. It's time for some live cracking in SoftIce (SI),
:0044A307 E8D0CEFBFF call 004071DC ; (1)
:0044A30C 8BD0 mov edx, eax ;
:0044A30E 4A dec edx ;
:0044A30F 85D2 test edx, edx ; (2)
:0044A311 7C11 jl 0044A324 ; (3)
:0044A313 42 inc edx ;
The call at (1) returns the length of a string - why? learn ASM or trace the
call. Lines (2) and (3) are a test to determine if the lenght is more then 1.
In SI you'll notice that eax is 0Ah and if you traced call (1) you'll know
that the second line of the keyfile is used (at least you should ;),
:0044A2FC BB01000000 mov ebx, 00000001 ;
:0044A31A 33C9 xor ecx, ecx ; ecx = 0
:0044A31C 8A08 mov cl, byte ptr [eax] ; move digit in cl
:0044A31E 33D9 xor ebx, ecx ; ebx = ebx xor ecx
:0044A320 40 inc eax ;
:0044A321 4A dec edx ; decrease counter
:0044A322 75F6 jne 0044A31A ; end? no, then jump...
I think this code is quite easy to understand. This code loops and xor's each
digit from the string at eax with ebx. The value in ebx will be important for
us.
Now a second part of the validation follows (I edited the code slightly to
fit the screen),
:0044A324 8B45EC mov eax, [ebp-14] ; (1)
:0044A327 99 cdq ;
:0044A328 F7FB idiv ebx ; (2)
:0044A32A 8BD8 mov ebx, eax ; (3)
:0044A32C C605B0D7440001 mov [0044D7B0], 01 ; good flag
:0044A333 817DECBE77EF02 cmp [ebp-14], 02EF77BE ; (4)
:0044A33A 7407 je 0044A343 ;
:0044A33C C605B0D7440000 mov [0044D7B0], 00 ; bad flag
At line (1) a number (dword ptr...) is moved into eax - trace this code in SI
and you'll notice that the first line of our keyfile is used. Line (2) does
some math with the number and stores the result in ebx (3). Line (4) is quite
important - again the first line of our keyfile is used and compared to a
fixed number. This means that we need to change the first line of our keyfile
into 49248190 - I suggest you do that and trace the target again in SI. Now
we skip the bad flag and go directly to the next code,
:0044A343 8B45F0 mov eax, [ebp-10] ; (1)
:0044A346 E8B9CBFBFF call 00406F04 ; (2)
:0044A34B 3BD8 cmp ebx, eax ; (3)
:0044A34D 7407 je 0044A356 ;
:0044A34F C605B0D7440000 mov [0044D7B0], 00 ; bad flag
Trace the above code in SI and see what happens. At line (3) the result from
the previous part is compared to eax. You'll see that eax contains the number
from the third line of our keyfile - this is great but the value is wrong, so
lets change the third line into the value contained in ebx at line (3) - see
SI ;). Trace again and you will skip the bad flag and get at,
:0044A356 803DB0D7440000 cmp [0044D7B0], 00 ; good keyfile?
:0044A35D 750D jne 0044A36C ; yes! jump...
So are we at the end? Well, let the program run and see if anything changed.
And? Yes! Where 'Copyright (c) 1997 by Popcorn...' was we got 3434343434 now
so we may assume the keyfile is correct. But we don't want 34...3434 as name,
do we? :) So change the keyfile - adjust the second line to the name you like
to use - try Vizion/MEXELiTE ;)... Trace again in SI to find out what the
third line needs to be and place the new keyfile in the good directory. Now
run the program again and enjoy all your hard work, also when you exit the
target the nag screen won't appear so we can conclude we've finished with
this crack.
Easy not? Just a bit confusing I guess ;).
So this is all folks... hope you've enjoyed it. Any remarks, bugs, ideas may
be posted to me - just contact me...
I'll add some working keyfiles, so you newbies can practice a bit,
49248190
Vizion/MEXELiTE
1448476
49248190
MEX/C4N ROXS
435824
49248190
GRTZ 2 THE MEX-CREW
1047833e directories. The IT and the IAT are both in