version 1.0
Convert obstacles into advantages and take the opportunity to fight. Sun Tzu, "The Art of War"
How to become a cracker? How to start cracking? This is my humble contribution to the vast domain of "introduction to reverse engineering and cracking", or The Art as I like to call it (which is part of The Arts).
This tutorial is meant for beginners. As you will see, the protection we shall remove is quite simple. The target program is a nice tool, WinHex (http://www.winhex.com/), that you will certainly need in your cracking career.
This is the way crackers work, if you need something, you either modify a similar program or crack the one you need. I know this may sound a bit extreme, but nothing must stop you in your Quest, especially not a protection.
Of course, I encourage you to send the due money to the author if you think that WinHex is a great tool. The price is not excessive (around $25 for personal use), and updates are frequent. It is up to you...
Should you wish to contact me, mail to xerxes@altern.org. You can get my public PGP key at http://altern.org/xerxes/ which is the URL of my modest web site. Since I am French, you can mail me either in French or in English. Use the language you prefer. You may also contact me through +Fravia's message board.
Please avoid useless mails, i.e. ask only clever questions! On the other hand, I welcome criticism and suggestions, as well as corrections.
I use neither ICQ nor IRC; if you meet someone claiming to be ArthaXerXès on these media, it is a lie.
To become a Windows cracker, you mainly need to know two things: assembly language (together with the Win32 API), and a debugger.
It will be really hard to become a cracker if you know nothing about assembly language. I admit that you do not need a perfect knowledge of the Windows API, but the Microsoft Win32 Programmer's Reference remains a precious piece of documentation.
To crack, you need a debugger, and SoftIce is the best. There is no second place in the cracking world. For further information, browse to http://www.compuware.com/. The version I used in this essay is 4.01, but I do not think it matters.
Important: SoftIce is not free.
Before doing anything, back up winhex.exe to another file, winh.exe for example.
As you noticed, the unregistered version of WinHex cannot save files bigger than 250 KB. This is a great way to obtain a nag box on demand (the other nag boxes appear randomly). Load any file greater than 250 KB in WinHex and try to save it. A dialog box should inform you that it is impossible.
What you can notice is that it is not a message box (created by MessageBoxA or MessageBox) but a dialog box. Put a breakpoint on DialogBoxParamA, the function Windows uses to create a modal dialog box from a resource template (as you probably guessed from its name). The command is bpx DialogBoxParamA.
SoftIce may answer something like "Symbol not defined (DIALOGBOXPARAMA)". This means that you did not tell SoftIce to load the exports of user32.dll. Do not panic, this is not hard. Run the Symbol Loader and choose "SoftIce initialization settings" in the "Edit" menu. Click on "Exports" and add user32.dll. It is also a good idea to add other exports, such as kernel32.dll, gdi32.dll, shell32.dll, etc. The same task can be performed by editing the EXP= lines of the file winice.dat, located in SoftIce's directory, with a text editor. Of course, you need to reboot for the changes to take effect.
Try to save the file again and you will find yourself at the very beginning of the function DialogBoxParamA. You have to return to the caller of the function; this is done by pressing F11, which is aliased to g @ss:esp.
Indeed, the address of the caller is at the top of the stack, therefore if you tell SoftIce "execute until you reach the address located at ss:esp (the top of the stack)", you will return to the caller.
Do not pay attention to the layout of the code I show you in this essay. It comes from IDA (a tool you will also hear about in your cracking career), not from SoftIce; this is the only reason.
After you have pressed F11, press Enter to make the dialog box disappear, and you will be in SoftIce again.
    push    1
    mov     eax, ds:44300Ch
    push    eax
    call    sub_404A40
    mov     byte ptr ds:446C52h, 0      ; <-- here you are!
    cmp     byte ptr [esi+0Ah], 2
    jnz     short loc_408E56
Trace with F10 until you return to a caller of the current function that performs some kind of test or jump right after the call. In our case, we have to go to the caller of the caller, i.e. we shall leave the current function and then another one (you leave a function when you execute its ret instruction).
This is where you should be now :
    call    sub_408D80
    xor     eax, eax                    ; <-- eax is set to 0 here
    jmp     short loc_4251EA
loc_4251E8:
    mov     al, 1                       ; <-- return value is 1; note that we jump over it
loc_4251EA:
    pop     ebp
    retn    8
Now stop and think. At one moment or another the program must check whether WinHex is registered or not. If it is not registered a dialog box must be displayed, otherwise the file will be saved, as asked. This implies that a comparison has been performed before the current location, and that in the registered case the code jumps over the current location (probably to loc_4251E8, which returns 1).
Scroll up (CTRL + UP) until you find this:
    cmp     byte ptr ds:446C81h, 0
    jnz     short loc_4251E8
Well, if the byte at address 446C81h is non-zero (1, as we shall see), no dialog box is displayed and the file is saved. The first idea that may come to your mind is to replace jnz short loc_4251E8 with jmp short loc_4251E8. This is not a good reflex.
In my humble opinion, the best solution is to put a breakpoint on memory access on the address 446C81h, quit the program and restart it.
Why? When the program starts, it has to check whether it is registered or not (by looking either in the registry or in a configuration file), and according to the result the boolean will be set to 0 or 1. If you put a breakpoint on memory access on the byte we found, you will break in the initialization routine, thus you will know how to fool the program from the outset, which is much better.
If instead you modify the jump, you also have to change all the other checks within the program, and believe me, it is very easy to forget a check.
You need to put the breakpoint on write access, in order to skip the code that merely reads the value of the boolean (such as the cmp above). The command is bpm ds:446C81 W. Now quit the program and restart it.
You will break here :
reg_not_ok:
    xor     eax, eax
    jmp     short save_reg_bool
reg_ok:
    mov     al, 1
save_reg_bool:
    mov     ds:446C81h, al              ; <-- here, the boolean is modified!
    jmp     short loc_441268
It is easy to understand what happens here. Checks are performed before this code; if they fail, you jump to reg_not_ok, which sets al to 0, otherwise you jump to reg_ok, which sets al to 1. The register is then stored in the boolean.
Now you have to test whether our guess is correct. Place yourself at location reg_not_ok (change eip's value: r eip = 441232). Then change the code at this position so that eax is set to 1, not to 0.
Before doing that, write down the hexadecimal bytes (10 bytes are enough) of the code starting at 441232, the location of reg_not_ok. We shall need them later. To display the instruction bytes in the code window, use the command code on.
We can now patch the code; you have to use SoftIce's internal assembler. Type a, then mov al, 1, and press Return twice. Write down the two new bytes.
It is now time to check the crack. Disable all your breakpoints (type bd *) and run the program (type g). It looks as if it is registered now, doesn't it? :-)
Do not quit the program! The code has only been modified in memory. Open your copy of winhex.exe (winh.exe in my example) in WinHex itself. Search for the bytes 33 c0 eb 02 b0 01 a2 81 and replace the first two bytes, 33 c0 (xor eax, eax), with b0 01 (mov al, 1), leaving the rest untouched. As you noticed, these are the byte values I asked you to write down: the replacement has the same length as the original instruction, so the jmp short that follows still lands on save_reg_bool.
Quit the program and run winh.exe... congratulations, you just cracked WinHex!
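The same patch, applied to the backup copy by a script instead of by hand. This is an added example and not part of the original essay: the bytes come from the listing above, the file name winh.exe is an assumption, and the constructed sample in the usage is not a real WinHex image. The script searches for the byte pattern rather than seeking to 441232h because that figure is a virtual address, not a file offset; it also refuses to touch a file in which the pattern is missing (wrong version, or already patched) or not unique.

```python
"""Same-length byte patch for reg_not_ok, as described in the essay.

Added example, not code from the essay. Assumptions: the target file name
(winh.exe) and the constructed sample used when run without arguments.
"""
import sys
from pathlib import Path

# The 8 bytes at reg_not_ok (441232h) that the essay asks you to write down:
#   33 C0     xor  eax, eax
#   EB 02     jmp  short save_reg_bool
#   B0 01     mov  al, 1
#   A2 81 ..  mov  ds:446C81h, al   (first two bytes only, used as context)
SEARCH = bytes.fromhex("33c0eb02b001a281")

# Only the first instruction changes: xor eax,eax (33 C0) -> mov al,1 (B0 01).
# Same length, so the jmp short displacement (EB 02) and everything after it
# keep their meaning.
REPLACE = bytes.fromhex("b001") + SEARCH[2:]


def find_unique(data: bytes, pattern: bytes) -> int:
    """Return the offset of the only occurrence of pattern in data.

    Raises ValueError when the pattern is absent (wrong version or already
    patched) or occurs more than once (patching blindly would be a guess).
    """
    first = data.find(pattern)
    if first < 0:
        raise ValueError("pattern not found: wrong version or already patched")
    if data.find(pattern, first + 1) >= 0:
        raise ValueError("pattern is not unique; refusing to patch")
    return first


def patch_bytes(data: bytes, search: bytes = SEARCH, replace: bytes = REPLACE) -> tuple[bytes, int]:
    """Return (patched image, offset of the patch). The image length never changes."""
    if len(search) != len(replace):
        raise ValueError("replacement must have the same length as the original")
    off = find_unique(data, search)
    patched = data[:off] + replace + data[off + len(search):]
    if len(patched) != len(data):
        raise AssertionError("patch changed the file size")
    return patched, off


def patch_file(path: Path) -> int:
    """Patch the file in place and return the file offset that was modified."""
    patched, off = patch_bytes(path.read_bytes())
    path.write_bytes(patched)
    return off


def make_sample() -> bytes:
    """Constructed stand-in for a binary: an MZ header, padding, the pattern, padding."""
    return b"MZ" + b"\x90" * 100 + SEARCH + b"\xcc" * 50


if __name__ == "__main__":
    if len(sys.argv) > 1:
        target = Path(sys.argv[1])            # e.g. winh.exe (assumed name)
        print(f"patched {target} at file offset 0x{patch_file(target):x}")
    else:
        image, off = patch_bytes(make_sample())
        print(f"sample patched at offset {off}: {image[off:off + 8].hex()}")
```

Running the script a second time on the same file fails with "pattern not found", because the context bytes after the replaced instruction are part of the search pattern; that is the cheapest guard against double-patching or patching the wrong build.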
You now have the best hexadecimal editor currently available. This kind of editor is an important tool, believe me. WinHex allows complex comparisons between files, it can perform complex searches, it is able to edit memory, etc.
Many programs that ask for a registration code are protected this way. I suggest that you try on other programs what you learnt here, for there is no greater teacher than experience.
I really hope this essay will encourage you to continue learning The Art. If there are requests for more "newbie" essays, I shall write a sequel with a different target. What you should remember:
For further information, I warmly recommend you to browse to "Fravia's continued page of reverse engineering" (http://go.to/tshep).
Made with LaTeX2e on Saturday 28th February 2000. Version 1.0 (HTML)