Cracking Tutorial #70:
Password.Construction.Kit.v1.02
[cracked bY:] sLeEpY¿[FWA/NWA/FTPR8Z] iN 08/2002
[difficulty:] beginner
[where:] http://www.buttuglysoftware.com/PCK.html
[tOOLz:] W32dasm 8.93 & Hiew, *optional Softice & Resource Hacker*


KANAL23 Tutorial

http://www.kanal23.net




Password.Construction.Kit.v1.02

Download it from

http://www.buttuglysoftware.com/PCK.html



Written by

sLeEpY¿

Tools

  • *optional Softice and Resource Hacker*

  • W32dasm 8.93 & Hiew

Rating

  • Easy {X}

  • Medium { }

  • Hard { }

  • Pro { }



Introduction

Password.Construction.Kit.v1.02

Password Construction Kit makes it very easy to construct from 1 to 10,000 constant or random length passwords. Each password can be from 1 - 256 characters in length. Each character of the password can be comprised of uppercase letters, lowercase letters, numbers, special characters, hyphens and spaces. Password Construction Kit allows you to easily tailor the format of the passwords to your specifications by using the Mask Editor and Specify Characters dialogs. Each character of the password is compared against the previous character to make sure no duplication is occurring (unless setup by the user through the Mask and Specify Characters dialogs). Each password generated is checked against the others in the list to make sure that they are unique. Features of Password Construction Kit include:
1. Mask editor - allows you to exactly specify the format of your password
2. Specify Character dialog - total control over which characters will be selected when creating your passwords
3. Specify the seed for the random generator
4. Save list of passwords as HTML or as a delimited file
5. Copy individual or the entire list of passwords to the clipboard

Taken from insight.nfo...

Anyway I saw this 0 day from May 26th, 2002 and decided I didn't wanna use insight's patch even though I'm sure it probably works ok. It's raining out and my kids are actually not raising hell like they were born to do, it seems. I don't have to be at work for another hour or so... So time to crack this one. Let's see what crap we have to deal with.

The Essay

At first glance after running the app we find:

30 day trial...

Nag at startup:
Thank you for evaluating Password Contruction Kit
You have 30 evaluation days remaining
[OK]



Registration Crap has 2 errors:

PCK v1.02
You must enter a valid user name and registration number <-this one if you leave both fields blank
[OK]



PCK v1.02
You have attempted to input an invalid registration number <-this one for bogus info!
[OK]


Let's chase the last one first. It shows up in W32dasm in 2 places, and since we dunno which one fires, just patch 'em both! Disassemble the prog in W32dasm after you make your backups and look for the error message in the String Refs.


:004092DB FF1520D96800 call dword ptr [0068D920] <-probably the compare routine, i dunno nor care on this one
:004092E1 0FBFC0 movsx eax, ax
:004092E4 85C0 test eax, eax
:004092E6 5D pop ebp
:004092E7 7D1B jge 00409304
<-conditional jump
:004092E9 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"PCK v1.02"
|
:004092EB 687C904100 push 0041907C

* Possible StringData Ref from Data Obj ->"You have attempted to input an "
                                        ->"invalid registration number"
<-error msg
|
:004092F0 68949C4100 push 00419C94
:004092F5 8BCB mov ecx, ebx

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004092F7 E88E760000 Call 0041098A
:004092FC 6A00 push 00000000

* Reference To: MSVCRT.exit, Ord:0249h
|
:004092FE FF1594434100 Call dword ptr [00414394]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004092E7(C)
|
:00409304 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"PCK v1.02"
|
:00409306 687C904100 push 0041907C

* Possible StringData Ref from Data Obj ->"Thank you for registering Password "
                                        ->"Construction Kit!"
<-happy msg
|
:0040930B 685C9C4100 push 00419C5C
:00409310 8BCB mov ecx, ebx


---LOCATION 2---

:00408DF5 FF1520D96800 call dword ptr [0068D920] <-probably the compare routine, i dunno nor care on this one
:00408DFB 0FBFC0 movsx eax, ax
:00408DFE 85C0 test eax, eax
:00408E00 7D37 jge 00408E39
<-conditional jump
:00408E02 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"PCK v1.02"
|
:00408E04 687C904100 push 0041907C

* Possible StringData Ref from Data Obj ->"You have attempted to input an "
                                        ->"invalid registration number"
<-error msg
|
:00408E09 68949C4100 push 00419C94
:00408E0E 8BCB mov ecx, ebx

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:00408E10 E8757B0000 Call 0041098A
:00408E15 66FF0558D96800 inc word ptr [0068D958]
:00408E1C 66833D58D9680003 cmp word ptr [0068D958], 0003
:00408E24 7509 jne 00408E2F
:00408E26 6A00 push 00000000
:00408E28 8BCB mov ecx, ebx

* Reference To: MFC42.Ordinal:0A55, Ord:0A55h
|
:00408E2A E8A77A0000 Call 004108D6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408E24(C)
|
:00408E2F E8ACA3FFFF call 004031E0
:00408E34 E9D4000000 jmp 00408F0D

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408E00(C)
|
:00408E39 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"PCK v1.02"
|
:00408E3B 687C904100 push 0041907C

* Possible StringData Ref from Data Obj ->"Thank you for registering Password "
                                        ->"Construction Kit!"
<-happy msg
|
:00408E40 685C9C4100 push 00419C5C
:00408E45 8BCB mov ecx, ebx


So we just change these two places like so:

Change this:
:004092E7 7D1B jge 00409304
To this:
:004092E7 EB1B jmp 00409304

Change this:
:00408E00 7D37 jge 00408E39
To this:
:00408E00 EB37 jmp 00408E39

Now as long as there is something in the boxes the registered message pops up.
As usual with progs these days, the registration doesn't stick on restart, so let's go after the time limit!
Fast forward your system clock a month and you will get the dreaded expire message:

PCK v1.02
Your trial period has expired!
[OK]


So let's go after that...


* Reference To: KERNEL32.Sleep, Ord:0296h <-ehh..
|
:0040368A FF1540404100 Call dword ptr [00414040]
:00403690 8B17 mov edx, dword ptr [edi]
:00403692 8BCF mov ecx, edi
:00403694 FF5260 call [edx+60]
:00403697 8BCE mov ecx, esi
:00403699 E8F2540000 call 00408B90
:0040369E 53 push ebx
:0040369F 8D8C24C0000000 lea ecx, dword ptr [esp+000000C0]
:004036A6 E815DBFFFF call 004011C0
:004036AB 66A108D96800 mov ax, word ptr [0068D908]
:004036B1 C78424E801000001000000 mov dword ptr [esp+000001E8], 00000001
:004036BC 663BC3 cmp ax, bx
<-ax and bx, probably one of these is 30, I don't have SI on this comp so...
:004036BF 66898424DC010000 mov word ptr [esp+000001DC], ax
:004036C7 751C jne 004036E5
<-conditional jump, when both ax and bx are 0, don't jump and go on to error msg, 30 day trial is up.
:004036C9 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"PCK v1.02"
<-error
|
:004036CB 687C904100 push 0041907C

* Possible StringData Ref from Data Obj ->"Your trial period has expired!"
|
:004036D0 6810934100 push 00419310
:004036D5 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004036D7 E8AED20000 Call 0041098A
:004036DC 8BCE mov ecx, esi
:004036DE E87D5A0000 call 00409160
:004036E3 EB1F jmp 00403704

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004036C7(C)
|
:004036E5 663D0F27 cmp ax, 270F
<-land here where ax is compared with 9999
:004036E9 7419 je 00403704
<-jump if it is (our next conditional jump, lets take it)
:004036EB 8D8C24BC000000 lea ecx, dword ptr [esp+000000BC]

* Reference To: MFC42.Ordinal:09D2, Ord:09D2h
|
:004036F2 E871D00000 Call 00410768
<-call nag screen
:004036F7 83F801 cmp eax, 00000001
:004036FA 7408 je 00403704
<-if below the 30 day trial this usually jumps to the app loading, otherwise it continues on and won't let the app start, you might get the program's help.
:004036FC 53 push ebx
:004036FD 8BCE mov ecx, esi

* Reference To: MFC42.Ordinal:0A55, Ord:0A55h
|
:004036FF E8D2D10000 Call 004108D6
<-if you hit this you failed and app wont load

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004036E3(U), :004036E9(C), :004036FA(C)
|
:00403704 8BCE mov ecx, esi
<-land here and all is well

* Reference To: MFC42.Ordinal:1266, Ord:1266h
|
:00403706 E8B3D10000 Call 004108BE
:0040370B 8B86A0050000 mov eax, dword ptr [esi+000005A0]


So we just need to modify these 2 places (if you wanna see what's in AX and BX, and other locations, use Softice and breakpoint on MessageBoxA; once you are in the code of the program (F12 the break) set a breakpoint on any of the locations above and type D AX or D whatever):

Change this:
:004036C7 751C jne 004036E5
To this:
:004036C7 EB1C jmp 004036E5

Change this:
:004036E9 7419 je 00403704
To this:
:004036E9 EB19 jmp 00403704

Now we have gotten rid of the nag screen.


Now we can go here in Resource Hacker:
-Menu
 -132
  -1033



Change this:

POPUP "&Help"
{
MENUITEM "&Contents", 32794
MENUITEM "Tutorial", 32845
MENUITEM SEPARATOR
MENUITEM "Contact Information", 32846
MENUITEM "&Registration Information", 32796
<-don't need this anymore
MENUITEM SEPARATOR
MENUITEM "Register", 32849
<-don't need this anymore
MENUITEM "&About", 32782
}
}



TO this:

POPUP "&Help"
{
MENUITEM "&Contents", 32794
MENUITEM "Tutorial", 32845
MENUITEM SEPARATOR
MENUITEM "Contact Information", 32846
MENUITEM SEPARATOR
MENUITEM "&About", 32782
}
}



Browsing the resources some more we find the about screen!

-Dialog
 -135
  -1033



Then here:
CONTROL "Thank You", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 80, 215, 60, 14

to this:
CONTROL "CraCkEd bY sLeEpY¿", 1, BUTTON, BS_DEFPUSHBUTTON | WS_CHILD | WS_VISIBLE | WS_TABSTOP, 80, 215, 60, 14


I had to stretch the button out a little bit to make the text fit, but it works =) Hey, we gotta personalize, right =)


Ok, now the app is cracked and will work like the regged version, but some people like seeing their name in the reg box, so read on if you want that, otherwise you're done.



If you want to leave the above menu item:
MENUITEM "Register", 32849
in the program, you can change these 4 conditional jumps into unconditional ones and it will keep whatever reg info you faked in there, so it will say registered to your name.
*Note* you must fake reg it like we did at the top, with whatever you want in the box, before doing this step.

Change these:
:004091EC 751F jne 0040920D
:0040922C 0F85AB010000 jne 004093DD

:00408CFF 751F jne 00408D20
:00408D3F 0F852F020000 jne 00408F74


To these:
:004091EC EB1F jmp 0040920D
:0040922C E9AC01000090 jmp 004093DD

:00408CFF EB1F jmp 00408D20
:00408D3F E93002000090 jmp 00408F74


A little explanation is here:


:004091EC 751F jne 0040920D <-jump past error
:004091EE 6830100000 push 00001030

* Possible StringData Ref from Data Obj ->"PCK v1.02"
<-blah error, probably if you change info in the registry
|
:004091F3 687C904100 push 0041907C

* Possible StringData Ref from Data Obj ->"PCK's registration files have "
                                        ->"been violated"
|
:004091F8 68DC9B4100 push 00419BDC
:004091FD 8BCB mov ecx, ebx

* Reference To: MFC42.Ordinal:1080, Ord:1080h
|
:004091FF E886770000 Call 0041098A
:00409204 6A00 push 00000000
:00409206 8BCB mov ecx, ebx

* Reference To: MFC42.Ordinal:0A55, Ord:0A55h
|
:00409208 E8C9760000 Call 004108D6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004091EC(C)
|

* Possible StringData Ref from Data Obj ->"r9WR3}l8Zs"
|
:0040920D 688C9B4100 push 00419B8C
<-land here
:00409212 FF1518D96800 call dword ptr [0068D918]
:00409218 8D442434 lea eax, dword ptr [esp+34]
:0040921C 8D4C240C lea ecx, dword ptr [esp+0C]
:00409220 50 push eax
:00409221 51 push ecx
:00409222 FF1528D96800 call dword ptr [0068D928]
:00409228 84C0 test al, al
:0040922A 6A00 push 00000000
:0040922C 0F85AB010000 jne 004093DD
<-jump to customer name
:
:lines of code is as above
:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040922C(C)
|
:004093DD 8D8C24A0010000 lea ecx, dword ptr [esp+000001A0]
<-land here
:004093E4 E857190000 call 0040AD40
:004093E9 8D4C2434 lea ecx, dword ptr [esp+34]

* Possible StringData Ref from Data Obj ->"Customer Name"
<-hmm..load name in register box
|
:004093ED 684C9C4100 push 00419C4C
:004093F2 8D542410 lea edx, dword ptr [esp+10]
:004093F6 51 push ecx
:004093F7 52 push edx
:004093F8 C784249802000005000000 mov dword ptr [esp+00000298], 00000005
:00409403 FF1510D96800 call dword ptr [0068D910]
:00409409 50 push eax
:0040940A 8D8C2480020000 lea ecx, dword ptr [esp+00000280]

* Reference To: MFC42.Ordinal:035C, Ord:035Ch
|
:00409411 E8E4740000 Call 004108FA
:00409416 8D442434 lea eax, dword ptr [esp+34]

* Possible StringData Ref from Data Obj ->"RegNum"
<-hmmm...load fake serial in register box
|
:0040941A 68449C4100 push 00419C44
:0040941F 8D4C2410 lea ecx, dword ptr [esp+10]
:00409423 50 push eax
:00409424 51 push ecx
:00409425 FF1510D96800 call dword ptr [0068D910]
:0040942B 50 push eax
:0040942C 8D8C2484020000 lea ecx, dword ptr [esp+00000284]


The other location is basically the same as this one, so I won't paste all the code in here. Just do the same thing as above.
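As an added example (not part of the tutorial, and not code from Password Construction Kit), here is a small Python decoder for the jump encodings used in every patch above. Given an address, the original bytes and the replacement bytes, it works out where each jump lands and whether the replacement keeps the original instruction length, which is the check you want when verifying a hand patch or, on the other side, when diffing a binary you suspect has been tampered with: a displacement off by one or a missing NOP pad silently corrupts the instruction after the jump. The function names and the `PATCHES` table are mine; the address/byte pairs in it are the ones from the listing.

```python
"""Decode the relative jumps in the W32dasm listing and describe what each
patch changed. Added example, not part of the original tutorial; the
address/byte pairs in PATCHES are copied from the listing, the function
names are my own.

x86 relative jumps land at (address of the *next* instruction + signed
displacement), so a replacement that is shorter than the original
(E9 rel32 for 0F 8x rel32) needs a NOP (0x90) so the following instruction
stays where it was."""

JCC_SHORT = range(0x70, 0x80)     # 7x rel8     : conditional short jump
JCC_NEAR_2ND = range(0x80, 0x90)  # 0F 8x rel32 : conditional near jump
JMP_SHORT, JMP_NEAR, NOP = 0xEB, 0xE9, 0x90


def decode_jump(addr, code):
    """Return (conditional, length, target) for the jump encoded at addr."""
    op = code[0]
    if op == JMP_SHORT or op in JCC_SHORT:
        length, cond = 2, op != JMP_SHORT
        disp = int.from_bytes(code[1:2], "little", signed=True)
    elif op == JMP_NEAR:
        length, cond = 5, False
        disp = int.from_bytes(code[1:5], "little", signed=True)
    elif op == 0x0F and len(code) > 1 and code[1] in JCC_NEAR_2ND:
        length, cond = 6, True
        disp = int.from_bytes(code[2:6], "little", signed=True)
    else:
        raise ValueError("not a relative jump: " + code.hex())
    if len(code) < length:
        raise ValueError("truncated jump: " + code.hex())
    target = (addr + length + disp) & 0xFFFFFFFF
    return cond, length, target


def check_patch(addr, orig_hex, patched_hex):
    """Compare original and patched bytes at addr and describe the change."""
    orig, patched = bytes.fromhex(orig_hex), bytes.fromhex(patched_hex)
    o_cond, o_len, o_tgt = decode_jump(addr, orig)
    p_cond, p_len, p_tgt = decode_jump(addr, patched)
    # Everything after the new jump must be NOP and the total length must
    # match the original, otherwise the next instruction is corrupted.
    length_preserved = (len(patched) == o_len
                        and all(b == NOP for b in patched[p_len:]))
    return {
        "addr": addr,
        "orig_target": o_tgt,
        "patched_target": p_tgt,
        "same_target": o_tgt == p_tgt,
        "cond_to_uncond": o_cond and not p_cond,
        "length_preserved": length_preserved,
    }


# (address, original bytes, patched bytes) exactly as listed in the tutorial
PATCHES = [
    (0x004092E7, "7D1B", "EB1B"),
    (0x00408E00, "7D37", "EB37"),
    (0x004036C7, "751C", "EB1C"),
    (0x004036E9, "7419", "EB19"),
    (0x004091EC, "751F", "EB1F"),
    (0x0040922C, "0F85AB010000", "E9AC01000090"),
    (0x00408CFF, "751F", "EB1F"),
    (0x00408D3F, "0F852F020000", "E93002000090"),
]


def audit_patches(patches=PATCHES):
    """Run check_patch over every pair and return the list of results."""
    return [check_patch(a, o, p) for a, o, p in patches]


if __name__ == "__main__":
    for r in audit_patches():
        print("%08X: %08X -> %08X  same_target=%s cond_to_uncond=%s len_ok=%s" % (
            r["addr"], r["orig_target"], r["patched_target"],
            r["same_target"], r["cond_to_uncond"], r["length_preserved"]))
```

All eight pairs decode to the same target before and after, every change is a conditional jump turned unconditional, and the two six-byte `jne` replacements come out as five-byte `jmp` plus one NOP, so the W32dasm targets in the listing check out byte for byte.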

Cracked!

Final thoughts


Kool program, although it looks easy to code, send them money if ya use it. I won't, it's already deleted off my HD.
Laterz!


Greetings


Groups: FWA, NWA, FTPiRatEz! HAR! BEASTFXP!, KANAL23
Individuals:
MiNioN, GreycZ & his cuppy, KlutCh, KiNgEr, MidNight, Edogg, Neoman, movax4c00int21, Acid_Cool_178, All those tuts I read from everyone who writes them.

CopyLeft:
sLeEpY¿
[all rights reversed]
Boredom causes crackers and babies.
Visit http://zor.org/sleepy & http://www.bright.net/~testsubject001

Mail sleepy@linuxwaves.com


This Document is copyrighted by kanal23 and its members. Please mail the author of this document for complaints and those things.
Kanal23 is signing out for now.
