
My First Lesson
Courtesy: PCQuest
This is my first lesson... which made me a cracker... so enjoy it....
The Dark Art of Cracking

How programmers protect software, and how crackers get past them
Let me start this article with a standard disclaimer that one sees on
sites carrying similar topics. "All material in this article is for informational
and educational purposes only. Neither the author nor the publication
can be held responsible for misuse of the information provided herewith."
That done, let me lead you down the dark side and tell you of the things
you can do there. Well, not exactly.
This article is not a step-by-step cracking guide for newbies. Nor is
it a source for Web links that carry such stuff. This article introduces
the methods and tools used by legitimate programmers to copy protect or
limit functionality of shareware, and the methods crackers use to get
rid of different types of protection schemes.
A bit of history
Cracking, as opposed to hacking, has always been on the wrong side of
the law in computing circles. Hacking generally meant tweaking or understanding
the software you use to a much greater extent than the average person.
However, Hollywood flicks and misinformed newspaper reporters soon turned
the word "hacking" into something illegal. True hackers were furious and
had to curtail their activities, whereas crackers were laughing their
heads off and continuing their work.
Cracking probably started with DOS-based games. If someone didn't have
enough health or lives to reach the next level even after trying for a
long time, they could use programs like GameHack to directly edit the
value in memory and increase it to whatever they felt like. This was a
slightly complex process, which involved tracking variables in memory
while the game was running and modifying them. In most cases it meant
a system crash. So certain enterprising individuals came up with game
trainers. Each trainer had a list of variables it could modify and their
corresponding memory addresses. You simply had to select the value to
modify, and presto! You're in the final level with full health, invincibility,
all weapons, the works.
Methods of protection
The advent of the shareware concept brought along a new breed of software.
These are functional programs that are given free for use for a time period,
after which the user has to pay up to continue using them.
Shareware authors think up different ways of reminding users to pay up.
Some use nag screens every time the program is run, some need a registration
code to be entered, some simply expire after a certain number of days,
or after a number of times the program is run.
The following are the most popular methods of protecting software:
Nag screens: The simplest form of protection, in which a small window
appears before the program loads to remind you to buy the software.
This is mostly achieved by creating a window before the program's main
window is shown and providing a time- or button-based event to open the
main program. Examples of programs using this are Paint Shop Pro and TextPad.
Expiration: These programs simply expire after a certain time period,
or after the program has run a certain number of times. Many different
methods are used to achieve this, ranging from simple date checks and
registry flag checks, which are easily cracked, to much more complex
header and file checksum related ones.
For example, the FrontPage 98 trial version on the March '98 PCQ CD expires
45 days after installation.
User registration: This requires you to pay up after which you’ll
receive an "unlock" code based on your name, e-mail address, or some such
variable that you need to enter in the program for it to work. These work
by passing the name entered through some algorithm and comparing the result
with the entered code. If they match, the program is registered. Examples
are the very popular programs WinZip and CuteFTP. Although these methods
seem complex, they are quite simple to crack, as you’ll see later.
Commercial strength wrappers: Many companies are releasing software
in the try-before-you-buy concept, which includes a fully working product,
covered by a "wrapper" that allows online user registration after taking
in user’s details like name, e-mail, phone, and credit card number. All
Symantec products, like Norton Utilities, Norton AntiVirus, and Norton
CrashGuard use this. There are many commercial wrappers available, like
Release
Software Agent, VBox, unBoxed, Techwave, Stirling, and many more. These
are fairly complex routines and the cracks available for them are complete
programs by themselves. The best part about cracking these programs is
that once a wrapper is cracked, all programs using that wrapper are automatically
cracked. That is, if you crack the DLL that the wrapper uses, installing
any other program using this wrapper will get you the cracked
program, without needing to crack it separately.
Dongle (hardware) protection: This is supposedly the ultimate tool
to keep out crackers. Very few programs actually use this due to its complex
nature and annoyances even to a legal user. A small hardware lock is provided
with the program containing a unique key or even some API functions. The
program checks for the existence of this lock while starting. I haven’t
seen too many programs using this method, except for some
versions of AutoCAD and Tally. A different version of this protection
is the CD-ROM check associated usually with large games like Quake II.
This method is also fairly easy to trace and get rid of.
Many programs use a combination of all these to protect themselves. However,
as you will see, no protection scheme has been uncrackable yet.
Tools and methods of the dark side
The popularity of Windows and the ease of creating programs for this platform
have led to the development of thousands of shareware programs in different
categories. Crackers have an enormous job ahead of them as they try to
keep up with new releases every day. Crackers usually work with the assembly
code, reverse engineering it, and have an excellent grasp of the Windows
APIs as well.
There is no one modus operandi to crack a program. Depending upon the
program and the kind of protection it has, crackers employ different techniques
to get into the program. But there are some common tools that crackers
employ to start cracking the program. These programs are perfectly legal
and useful by themselves.
The most popular tool for crackers is a Windows debugger named SoftIce
from Numega Corporation. It lets developers set "breakpoints" in Windows
programs: points in the program code where execution pauses so that
variables can be checked against their expected values. From there you
can trace through the assembly code to debug problems if they occur.
But SoftIce in the hands of a cracker is like a Kalashnikov with a terrorist.
For example, if a cracker wants to get rid of a nag screen that comes
up every time a program is started, he simply sets a breakpoint on a Windows
API call, ShowWindow() in SoftIce. He then calls up the program. The moment
the nag screen is shown, SoftIce pauses the program and dumps the cracker
into the piece of assembly code that shows the screen. It also shows a
large amount of important information like values of many registers in
memory and byte offsets in the EXE, or DLL. In fact, SoftIce is so powerful
that the shareware version of SoftIce was used to crack itself and make
it the full version. Numega now has many restrictions on its use and users
need to prove that they need the program for legitimate purposes before
being able to obtain a copy.
But SoftIce does not help patch the file itself. You don't want to set
a breakpoint every time you want to start the program, do you? So you
need to "patch" the program itself. For this, read the byte offset value
for the part of the program you wish to crack. Then open the program (EXE
or DLL) in a hex editor (trusty old Norton DiskEdit will do, but there
are Windows versions around too), go to that offset and patch it with
the hex equivalent of the assembly code you used in memory. If this sounds
complex, as I said earlier, you need to have a good grasp of assembly
to get into this stuff.
Another method for which SoftIce is popular is to obtain "reg codes" from
programs that require registration. When prompted for a user name and
registration code, enter anything you wish, while keeping a breakpoint
on an API call like GetDlgItemTextA(), which is used to extract the contents
of a text box in Windows. The moment you press "OK" you get dumped into
SoftIce. Now you know that some variable holds the registration value you
just entered. The program then calculates the real code from the user
name and compares the two. If they are the same, the program is registered.
So all you need to do is trace the code till you see a comparison being
done and check the value of the variables. You've got the reg code for
the name you entered! You can actually use this method to crack some
very popular programs.
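The name-to-code registration check described under "User registration" above and in the SoftIce reg-code walkthrough just given, written out as an added example in C (constructed here; it is not code from this article or from any product it names). The code_for_name() recipe and its seed are made up for illustration; the point is where the expected value and the single comparison end up at run time.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy name-to-code algorithm (constructed for this example). A real shareware
 * product would use its own secret recipe, but the shape is the same: the
 * registration code is a pure function of the user name. */
static uint32_t code_for_name(const char *name)
{
    uint32_t h = 0x1998u;                       /* arbitrary seed, constructed */
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h = (h * 31u) ^ *p;                     /* mix in the next character */
        h = (h << 5) | (h >> 27);               /* rotate left by 5 bits */
    }
    return h;
}

/* The check as the article describes it. In a real Win32 program `name` and
 * `typed_code` would have just been read from the dialog with
 * GetDlgItemTextA(), which is why a breakpoint on that call lands the
 * debugger right before this function runs. The expected code is computed
 * into a local and a single comparison decides the outcome: in the compiled
 * binary that is one CMP followed by one conditional jump, so the real code
 * is sitting in a register or stack slot at the moment of the compare, and
 * that jump is the one instruction the whole scheme hangs on. */
int is_registered(const char *name, const char *typed_code)
{
    char *end = NULL;
    unsigned long entered = strtoul(typed_code, &end, 16);
    if (end == typed_code || *end != '\0')
        return 0;                               /* not a hex number at all */
    uint32_t expected = code_for_name(name);    /* value a debugger would read */
    return expected == (uint32_t)entered;       /* the single CMP/JNE */
}

int main(void)
{
    const char *name = "Example User";
    char key[16];
    snprintf(key, sizeof key, "%08X", code_for_name(name));   /* the "keygen" */
    printf("%s / %s -> %s\n", name, key,
           is_registered(name, key) ? "registered" : "unregistered");
    printf("%s / 12345678 -> %s\n", name,
           is_registered(name, "12345678") ? "registered" : "unregistered");
    return 0;
}
```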
Another favorite tool of crackers is W32DASM, the Win32 Disassembler,
a shareware program used to disassemble code and trace code jumps. For
example, you may have seen programs that check for the presence of their
CD-ROM in the drive before continuing. If it isn't there, they show you
an error message and exit. With W32DASM, simply search for the string
that is shown when quitting. Where the string is found, you also find
the address in memory that this was called from. Trace back to the
procedure that called it and disable it. (For assembly aficionados,
change a JNE instruction, Jump if Not Equal, to a JE, Jump if Equal, or even
better, simply NOP it.)
Protection schemes
Commercial strength protection schemes like Release Software Agent (the
one used by Symantec in all Norton products), Vbox, Unboxed, and many
others employ much more sophisticated routines for protecting the software.
However, none of these protection schemes have really been able to stop
crackers from breaking into the program and using the software for longer
than it was meant to be used. Crack programs like PC_RSAG6 help you crack
these programs by simply pointing them at the EXE file of the program. But
this does not mean that the protection schemes are weak. These schemes
are very powerful and secure when used to legally purchase the product.
That is, you are not in danger of broadcasting your credit card number
on the Internet when using the wrapper to buy the program. The crack works
at your end of the line, so that you do not have to enter anything at
all and can fool the program into believing that it has been purchased.
The only programs that seem to have thwarted the crackers are the ones
that employ some sort of Internet-based authentication each time they're
run. Ironically, most of these programs are from the same area that started
the trend of cracking: games. Programs like GameSpy and Kali are shareware
programs that allow users to play online games on commercial sites for
a limited period, after which the user needs to register at the
site to continue playing.
Although crackers have been able to crack the program itself, users cannot
use the program to connect to any server, as no account exists for them
until they pay up.
As the world turns towards the Internet for almost everything, so will
the software. This will make server authentication the trend for program
registration. But knowing how resourceful crackers are, I’m sure they’ll
find ways of circumventing these checks too. Already cracking groups like
Phrozen Crew, United Cracking Force, the Exterminators, and others are
working toward this goal. The first successful Internet program crack
I know of
was the release of an alpha version of ICQ 99, which was released on many
Warez sites. Although I’ve not seen the uncracked version of this alpha,
which is supposed to use a different authentication server method, the
cracked version works just fine, with all the new features enabled.
Cracking is truly an art, even if it is a dark one. Ask any programmer
who has had to understand code written by someone else without any documentation
or comments what a nightmare it can be. Crackers, on the other
hand, thrive on this, and many crackers, like tKC (founder of Phrozen Crew)
and Saltine (who first cracked the commercial wrapper RS Agent), have
become legends in their own right.
To end this article on cracking, I cannot but use the tagline of one of
the most popular cracking groups around, Phrozen Crew. This explains the
psychology of the cracker in one simple line, "We always get what we want!"
Vinod Unny