Welcome to Cracking Tutorial #64!
Hiya guys,
Ah finally, a first cracking tutorial in year 2000!
As you can see, here's a new version *again* and I hope you
like this one! :) And today for a bonus, I give you 7 tutors, #58-64!
OK, let's rave!
TOOLS
~~~~~
You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't
mean that you'll need to use all those tools, so be sure to
get them handy for the examples in this tutorial!)
SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6
Windows Commander v4.03 (I use it coz of easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..
Don't ask me where to download all these tools since you had
a chance to get them when you used my older tutorials. Here
is a good site where you can grab tools from:
http://protools.cjb.net or http://w3.to/protools
or ask any crackers to get you these tools!
Are you ready?!
OK! ;)
PART 1
~~~~~~
Name : Quick View Plus Trail
Version : 5.1
Editor : JASC
Target : qvp51.exe
Tools : W32Dasm
Snooper
Hiew
Brain
Cracker : LW2000
Tutorial : No.37
http://www.jasc.com/
---
DISCLAIMER
For educational purposes only!
I hold no responsibility of the mis-used of this material!
---
1. Ok, after the 15 day trail Quick View Plus greets you with a nag,
without the continue option. You can deinstall the proggy, or exit
it. This is not what we want *g*. So let's snoop a bit.
Mhmm, Qvp.dll, quite interesting. Let's make a deadlisting
in W32Dasm. Mhhm, no interesting SDR, but what's about the
Export/Import Functions?
You should see this:
[...]
DllCanUnloadNow
DllGetClassObject
FVGetDocObjectView
QVPManager
QVPTrialWareStart <<<--- nice *g*
2. Let's go to QVPTrialWareStart. Doubleclick on this
string and close the E/I Window.
* Referenced by a CALL at Address:
|:208058D7 <--- here we go
Exported fn(): QVPTrialWareStart - Ord:000Bh
:20805650 81EC28010000 sub esp, 00000128
:20805656 53 push ebx
:20805657 55 push ebp
:20805658 56 push esi
:20805659 33DB xor ebx, ebx
:2080565B 57 push edi
:2080565C 891D340A8220 mov dword ptr [20820A34], ebx
:20805662 E8E9FEFFFF call 20805550
:20805667 3C51 cmp al, 51
:20805669 88442413 mov byte ptr [esp+13], al
:2080566D 7417 je 20805686
:2080566F 3C73 cmp al, 73
:20805671 740F je 20805682
:20805673 33F6 xor esi, esi
:20805675 8BC6 mov eax, esi
:20805677 5F pop edi
:20805678 5E pop esi
:20805679 5D pop ebp
:2080567A 5B pop ebx
:2080567B 81C428010000 add esp, 00000128
:20805681 C3 ret
3. Goto 208058D7 to see what's going on.
* Reference To: QVP.QVPTrialWareStart
:208058D7 E874FDFFFF call 20805650 <<-- jmp to function QVPTrialWareStart
:208058DC 83C404 add esp, 00000004
:208058DF 85C0 test eax, eax <<-- test is ok if eax =1
:208058E1 0F84DD060000 je 20805FC4 <<-- If test fails jump to expired
:208058E7 8B4508 mov eax, dword ptr [ebp+08]
:208058EA A3280A8220 mov dword ptr [20820A28], eax
:208058EF E86C240000 call 20807D60
:208058F4 8BF0 mov esi, eax
:208058F6 A144058220 mov eax, dword ptr [20820544]
:208058FB 33FF xor edi, edi
4. Ok, let's beat this babe! To fake the trailperiod simply fill
eax with 1 by 20805650 and then return. To do this, note the
offset, start hiew and goto the offset with F5.
Then press F3 for editmode and F2 to enter asm commands.
Then type:
mov eax, 1 [Enter]
ret [Enter]
[Esc]
Save your work and try to use Quick View Plus.
Congratulation! You have beaten the trail!
FINISH! Easy, or?
cu LW2000
Any comments? Mail me LW2000@gmx.net!
----
tKC, thx for your tutors!
I started with tutor 1 and i still read them... they are the best!
PART 2
~~~~~~
Name : Windows Sniper
Version : 2.1
Editor : unHUman Software
Target : WindowsSniper.Exe
Tools : W32Dasm
Hiew
Brain
Cracker : LW2000
Tutorial : No.38
www.unhuman.com
---
DISCLAIMER
For educational purposes only!
I hold no responsibility of the mis-used of this material!
---
Ok, hope you have already read the tut about windows sniper from +SEKt0r.
Here ist another approach. Let's denag our target!
1. Ok, enter the details:
Name: LW2000
Code: 1234
*Boom* Shit, wrong code, think we found a bug... ;)
Let's note the msg and open the bitch in W32Dasm.
2. Same procedure as everytime, click on the string
data reference and search for our string. Mhmm, found very often.
So let's look for
"You must agree to the license before you can use Windows Sni"
This string was used for the license agreement.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040C539(C)
|
:0040C5DA 8BCE mov ecx, esi
:0040C5DC E896260100 call 0041EC77
:0040C5E1 8B8684080000 mov eax, dword ptr [esi+00000884]
:0040C5E7 85C0 test eax, eax
:0040C5E9 0F854B010000 jne 0040C73A <--- Bad Boy!
:0040C5EF 8DBE14080000 lea edi, dword ptr [esi+00000814]
* Possible Reference to String Resource ID=00001:
"You must agree to the license before you can use Windows Sni"
|
:0040C5F5 BB01000000 mov ebx, 00000001
:0040C5FA 8BCF mov ecx, edi
:0040C5FC 899E84080000 mov dword ptr [esi+00000884], ebx
:0040C602 E88966FFFF call 00402C90
:0040C607 3BC3 cmp eax, ebx
:0040C609 744A je 0040C655
:0040C60B 8B07 mov eax, dword ptr [edi]
:0040C60D 8BCF mov ecx, edi
:0040C60F FF90B8000000 call dword ptr [eax+000000B8]
:0040C615 8BCF mov ecx, edi
:0040C617 E87466FFFF call 00402C90
:0040C61C 85C0 test eax, eax
:0040C61E 7535 jne 0040C655
:0040C620 6AFF push FFFFFFFF
:0040C622 50 push eax
* Possible Reference to String Resource ID=00009:
"The 30 day trial of Windows Sniper has expired. Windows Sni"
|
:0040C623 6A09 push 00000009
:0040C625 E8EB820100 call 00424915
:0040C62A 6A00 push 00000000
3. Looks quite clear =)
Simply change the jne to je. To do this, open hiew and goto
Offset C5E9 (noted from W32Dasm). Press F3 to edit and change
0F85 to 0F84. Save your work.
Congratulation! You have denaged Windows Sniper!
FINISH! Easy, or?
cu LW2000
Any comments? Mail me LW2000@gmx.net!
----
tKC, thx for your tutors!
I started with tutor 1 and i still read them... they are the best!
PART 3
~~~~~~
Name : Start Clean
Version : generic
Editor : Firas
Target : startcln.exe
Tools : Softice
Brain
Cracker : LW2000
Tutorial : No.39
---
DISCLAIMER
For educational purposes only!
I hold no responsibility of the mis-used of this material!
---
1. Ok, load start clean and click on register.
Then enter LW2000 as Username and 1230099 as code.
Press ok. *BOOM* A Error Messagebox pops up.
2. Switch with [ctrl]+[d] to sice and set a breakpoint on the
function Getdlgitemtexta.
BPX GetDlgItemtext
Press F5 to contine. Try it again. *BOOM* Sice pops up.
With F11 we get the Caller. Ok, trace with F10 till esp is moved
into eax. Ok, d eax shows our serial.
3. After a pair of F10s we see Lstrcmp and then Test EAX, EAX.
When we take a look into the api help for LSTRCMP, we know that
the two values must be saved before.
value 1
value 2
compare
So let's take a close look at the code. It saves eax (our s/n)
and 00406030. Mhhm, 'd 406030' *g*
Ok, let's try this code...
Congratulation! You are a registered user.
FINISH! Easy, or?
cu LW2000
Any comments? Mail me LW2000@gmx.net!
----
tKC, thx for your tutors!
I started with tutor 1 and i still read them... they are the best!
PART 4
~~~~~~
Name : Xaudio Wave ENCODER
Version : 1.xx
Editor : Xaudio
Target : encoder.exe
Tools : W32Dasm 8.93
Hiew 6.01
Brain
Cracker : LW2000
Tutorial : No.40
http://www.xaudio.de/encoder
---
DISCLAIMER
For educational purposes only!
I hold no responsibility of the mis-used of this material!
---
1. Ok, try to start wave encoder.
*BOOM* 'The Wave-Encoder only works in the registered version!'
Mhhm, seems that we have found a bug ... ;)
Let's fix it!
2. Load W32Dasm and click on the SDR. Search for
'The Wave-Encoder only works in the registered version!'
and doubleclick on it. Then close the SDR Window.
:004CBE2E 8945F4 mov dword ptr [ebp-0C], eax
:004CBE31 837DF400 cmp dword ptr [ebp-0C], 00000000
:004CBE35 0F8ED4000000 jle 004CBF0F
:004CBE3B A1B82A5000 mov eax, dword ptr [00502AB8]
:004CBE40 803800 cmp byte ptr [eax], 00
:004CBE43 7518 jne 004CBE5D <-- mhmm, bad boy
:004CBE45 6A40 push 00000040
* Possible StringData Ref from Code Obj ->"Unregistered"
|
:004CBE47 6854BF4C00 push 004CBF54
* Possible StringData Ref from Code Obj ->"The Wave-Encoder only works in"
->"the registered version!"
|
:004CBE4C 6864BF4C00 push 004CBF64
:004CBE51 6A00 push 00000000
3. Mhmm, by 004CBE4 is checked if this is a registered version, or
not. Note the offset and open the file in Hiew.
Goto cb243 (this was the offset) with F5 and press F3 for editmode.
Now change the 7518 to 7418 (jne -> je).
Save your work and try the wave encoder!
Congratulation! All done.
FINISH! Easy, or?
cu lw2000
Any comments? Mail me lw2000@gmx.net!
----
I'd like to thank tKC for his tutors!
I started with tutor 1 and i still read them... they are the best!
PART 5
~~~~~~
Tutorial for StreamBox VCR 1.0 Beta 2 Crack
ps. as of 1/7/99, the crack and the original program were both available at
ftp.gentile.cc (login: mp3, password: mp3).
Part I -About StreamBox VCR
StreamBox VCR is a brilliant example of reverse engineering; it will take the
address of a real audio file (or in fact a long list of such files), decode
them, contact the proper realaudio servers, and (cough cough) bully the server
into sending it the raw files which it then saves to your harddrive.
As a historical note, StreamBox VCR used to be a program called "x-fileget,"
which is available on the web and seems more stable than this beta version of
StreamBox VCR, but it does not know how to negotiate with many of the newer
realaudio servers, wheras StreamBox VCR does. Be warned that it is still a
beta and sometimes crashes. It's also not the easiest program to use, but on
the other hand, it's the only program that knows how to reach through space
and time and suck the life out of those realaudio streams, so you've got to
love it.
Of course RealAudio doesn't want you recording their streams using this
program, because they don't want you using another program to access realaudio
files, and more importantly don't want you being able to save their real audio
streams (it's probably more accurate to say that the stream distributors may
not want you to record them, and RealAudio has assured them that they will be
protected).
To make a long story short, sometime around 12/7/99, RealAudio was able to
obtain an injunction on StreamBox, preventing them from distributing the
StreamBox VCR program (www.StreamBox.com for more info). It remains to be seen
the outcome of this litigation.
Part II - The Crack
Anyway, the crack for this proggie was trivial. It *could* have been made very
tricky - any program that can assume an internet connection can be made quite
tough to crack, but we got lucky here. So I'll tell you about how the program
was cracked for the benefit of the real newbies who are curious. Everyone else
can change the channel now. But before i do i want you to search the web for
some tutorials by 'the keyboard caper' a cracker who founded the phrozen crew.
not to learn from, but to just read the words and enjoy the spirit of this
person. there are more sophisticated complex essays on cracking, but i want
you to get a feel for how happy these tutorials can make you. at least they
did that for me.
Okay here goes the story of the crack, which will be of interest only to a
person who has never cracked a program before.
The punchline is that we first find the funciton calls where the program places
to its server (located at internet address 216.034.068.140), and then patch in
instrutions which just return immediately from the function, without performing
any call to the server.
You are probably thinking that it can't be that easy, but it is. It could have
been that the server sent some critical information nescesary to continue
operating the program, but it doesn't.
Of course when you begin cracking a program you don't know how easy it's going
to be. The tools used for this crack were:
SoftIce, a debugger which gets under the skin of windows, watches programs as
they run, and can interupt them and let you look at the memory and code of
running processes as they run.
W32DASM, a dissasembler which helps you view executable programs by converting
the binary to assembly and doing some very clever stuff about guessing where
references are made to certain text strings, and showing you what code gets
called from where. Very nice.
Ultraedit, an editor that can do hex editing of arbitrary bytes in a file.
This was used to make the modifications to the executable.
PacketBoy, a program for observing Windows Sockets communication, ie the
internet conversations that the program has with its server.
The first thing i tried was running Packet_boy and observing the communication
between the program and the server. Packet_boy actually intercepts incoming and
outgoing windows-sockets calls and shows you who is sending what to whom.
14 bytes Ethernet Header
6 bytes Destination Ethernet Address xx:xx:xx:xx:xx:xx <- i blacked out address
6 bytes Source Ethernet Address 00:e0:b0:e2:a9:28
2 bytes type 0x800 ( IP )
20 bytes IP Header
4 bits version 4
4 bits header length (longwords) 5
1 byte type of service 0x0
2 bytes total length 40
2 bytes identification 0xce0e
3 bits Fragmentation Flags
1 bit 0 . . - Reserved
1 bit . 1 . - Don't Fragment (DF)
1 bit . . 0 - More Fragments (MF)
13 bits fragment offset 0x0
1 byte time to live 119
1 byte protocol 0x6 ( TCP )
2 bytes header checksum 0x1a89
4 bytes source IP address 216.34.68.140 <------------- the home base
4 bytes destination IP address xx.xx.xx.xx <---------- i blacked out address
Data:
1.1 200 OK
Set-Cookie:
WEBTRENDS_ID=xxx.xxx.xxx.xx-3431x5x304.2x316x51; <--- i blacked out address
expires=Fri, 31-Dec-2010 00:00:00 GMT; <--- looks like we have a while ;)
path=/
Server: Microsoft-IIS/4.0
Date: Sat, 01 Jan 2000 09:08:42 GMT
Pragma: No-Cache
Content-length: 212
Things looked bad because it was clear that the server was *not* just sending
back a bit that said yes or no, but rather was sending back more than 300 bytes
of information, and that the server was sending back different info depending
on the request made by the client. Anyway, this made me think that i was going
to have to spoof the server and write a fake server for the program to converse
with. That would not be fun.
I decided to try the simple route first. Using a firewall (AtGuard) i was able
to see how StreamBox VCR reacted when it couldn't get in touch with its mommy.
Interestingly, after three unsuccesful attempts, it claims that "StreamBox VCR
service will shutdown for maintenance." hmm... pretty weasly how it doesn't
want to admit that it couldn't connect...
Opened up the program (vcr_e_.exe) from W32DASM, and having not used the new
dissasemblers, was quite surprised to see how smart it was. A search for a
string containing "shutdown for maintenance" takes us right to the error
reporting code in the program. Some interesting messages there including
messages for when your username/password is rejected, when you are forced
to upgrade the program, and other miscelaneous denials of service. We found
the bitch's nest, as the keyboard caper might say, and now we are feeling a
little less guilty about cracking this baby open.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00451D7B(C)
|
:00451DAB 837D0805 cmp dword ptr [ebp+08], 00000005
:00451DAF 751E jne 00451DCF
:00451DB1 6A00 push 00000000
:00451DB3 6A00 push 00000000
:00451DB5 8B4D10 mov ecx, dword ptr [ebp+10]
:00451DB8 51 push ecx
:00451DB9 8B550C mov edx, dword ptr [ebp+0C]
:00451DBC 52 push edx
* Possible StringData Ref from Data Obj ->"Access Denied"
|
:00451DBD 68A8DC4C00 push 004CDCA8
:00451DC2 6A01 push 00000001
:00451DC4 E868B0FBFF call 0040CE31
:00451DC9 83C418 add esp, 00000018
:00451DCC 8945F0 mov dword ptr [ebp-10], eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00451DAF(C)
|
:00451DCF 837D0806 cmp dword ptr [ebp+08], 00000006
:00451DD3 751D jne 00451DF2
:00451DD5 6A00 push 00000000
:00451DD7 6A00 push 00000000
:00451DD9 6A00 push 00000000
* Possible StringData Ref from Data Obj ->"Sreambox VCR Server Service will "
->"shut down for maintance. After "
->"the server maintance has been "
->"completed, you will be able to "
->"use Sreambox VCR."
|
:00451DDB 68B8DC4C00 push 004CDCB8
So our first strategy will be to try to walk backwards through the program,
from the occurence of this error, and try to find the location where the
program *decides* it is going to deliver the error to us.
The basic process involves running vcr.exe through softice, and setting
breakpoints where we want softice to stop the program and let us look at the
greasy insides of it. And then going back and forth between the dissasembler
and softice to try out new guesses about what calls are being made from where.
After several hours of walking the cat backwards from the error message, we
begin to have a harder time. perhaps if i was able to convince softice to show
me some backtraces, we might have been succesful with this approach, but this
is the first time i've used softice and as it was, we eventually traced back
to a section of code that was being jumped to indirectly (ie there wasn't a
hardcoded jump to the code segment which would allow you to find the source of
the jump from within the dissasembler). I try faking a RET into softice to get
it to pop back to it's indirect caller but don't end up at a CALL statement,
so am at a dead end.
:0045A6D8 5F pop edi
:0045A6D9 5E pop esi
:0045A6DA 5B pop ebx
:0045A6DB C9 leave
:0045A6DC C22000 ret 0020
:0045A6DF 55 push ebp <- dissasembler doesn't know how we could get here..
:0045A6E0 8BEC mov ebp, esp
:0045A6E2 83EC28 sub esp, 00000028
:0045A6E5 8B4508 mov eax, dword ptr [ebp+08]
:0045A6E8 53 push ebx
:0045A6E9 56 push esi
:0045A6EA 57 push edi
We decide to make a slight modification to our strategy. Again using the
dissasembler, we are able to search for what we know are tell-tale Winsock
commands (those used for internet communication). We search for 'recv' and
find several locations. Unfortunately, this whole program is about talking
over the internet, so we've got lots of candidates. Just for fun we search on
the server address string "216.34.68.140," and surprise, there it is (actually
in 3 locations). And we can see from the dissasembled code where it is in fact
building the data packets to send.
Possible Reference to String Resource ID=00131:
"http://216.34.68.140/_vti_bin/go.dll?ID=%s"
|
:004165C2 6883000000 push 00000083
:004165C7 8D4DF0 lea ecx, dword ptr [ebp-10]
:004165CA 51 push ecx
:004165CB E8B02C0600 call 00479280
Again we go back to softice and set some breakpoints to figure out exactly
which of the 3 code segments where the server address is referred to is
actually used for the download verification (the others are presumably for
other events, notably the initial registration).
Now we go back to our old strategy of perusing the dissasembled code backwards
from this code segment, and look for the signs of a modular function call. ie,
in the midst of these jmps and movs, we are looking to see if we can't identify
the functional component of the call to the server. Eventually, tracing back
and performing a few breakpoint experiments, we see the tell-tale bookends of
a function call (the saving of registers on entry via push, and the popping
them off and retting at exit).
* Referenced by a CALL at Addresses:
|:00412317 , :00414D7D , :00414EEA , :00417753 , :004178C0
|:004310F3 , :00431260 , :00434316 , :0043E155 <--- look at all the places
| that calls this
:0043CC49 55 push ebp <----------- here's the start
:0043CC4A 8BEC mov ebp, esp
:0043CC4C 51 push ecx
:0043CC4D 894DFC mov dword ptr [ebp-04], ecx
:0043CC50 8B45FC mov eax, dword ptr [ebp-04]
:0043CC53 83B8EC00000000 cmp dword ptr [eax+000000EC], 00000000
:0043CC5A 7407 je 0043CC63
:0043CC5C B801000000 mov eax, 00000001
:0043CC61 EB2F jmp 0043CC92
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CC5A(C)
|
:0043CC63 8B4DFC mov ecx, dword ptr [ebp-04]
:0043CC66 51 push ecx
:0043CC67 8B4DFC mov ecx, dword ptr [ebp-04]
:0043CC6A 81C1A4000000 add ecx, 000000A4
:0043CC70 E82B5B0000 call 004427A0
:0043CC75 50 push eax
:0043CC76 B9B00C4D00 mov ecx, 004D0CB0
:0043CC7B E8B396FDFF call 00416333
:0043CC80 8B55FC mov edx, dword ptr [ebp-04]
:0043CC83 8982EC000000 mov dword ptr [edx+000000EC], eax
:0043CC89 8B45FC mov eax, dword ptr [ebp-04]
:0043CC8C 8B80EC000000 mov eax, dword ptr [eax+000000EC]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043CC61(U)
|
:0043CC92 8BE5 mov esp, ebp
:0043CC94 5D pop ebp
:0043CC95 C3 ret <------- and here's the finish
Just for fun, but without much expectation we put a breakpoint at the start of
the function call, and when it traps, we manually resume from the end of the
function call. surprise, this little proggie got confused and thought that
everything was approved.
Okay, so now we know what we need to do. we go back into the dissasembler,
read off the absolute file location for the first instruction of the function
call (which W32DASM shows you on the bottom status line) and write it down,
along with the hexadecimal byte code at that location (which codes for the
PUSH opcode). Since my assembly is shakey, I also write down the byte opcode
for a RET instruction which I get from looking at the end of the function code.
Now we load up the executable in our hex editor, go to the location we wrote
down that we know corresponds to the start of the function call. It all looks
like gibberish, but we know we are at the right location since the byte matches
that for the PUSH opcode that we wrote down from the dissasembler. We replace
this byte with the byte representing the RET instruction, save file and exit.
Just to make sure all went well, we reload the file into the dissasembler and
sure enough, our change took and the function call starts with a RET.
* Referenced by a CALL at Addresses:
|:00412317 , :00414D7D , :00414EEA , :00417753 , :004178C0
|:004310F3 , :00431260 , :00434316 , :0043E155 <--- look at all the places
| that calls this
:0043CC49 C3 ret <----------- this used to say PUSH ebp
:0043CC4A 8BEC mov ebp, esp
:0043CC4C 51 push ecx
:0043CC4D 894DFC mov dword ptr [ebp-04], ecx
:0043CC50 8B45FC mov eax, dword ptr [ebp-04]
:0043CC53 83B8EC00000000 cmp dword ptr [eax+000000EC], 00000000
:0043CC5A 7407 je 0043CC63
:0043CC5C B801000000 mov eax, 00000001
:0043CC61 EB2F jmp 0043CC92
We run the program and make sure it works. it does, natch.
The patch above is for the call the program makes every time you want to
download a file. Tracing through the other references to the server address
we come across the function where it sends the initial registration info.
:00416E9C 55 push ebp
:00416E9D 8BEC mov ebp, esp
:00416E9F 6AFF push FFFFFFFF
:00416EA1 6864104A00 push 004A1064
:00416EA6 64A100000000 mov eax, dword ptr fs:[00000000]
:00416EAC 50 push eax
...
:00416F7F 5D pop ebp
:00416F80 C20400 ret 0004 <----- here's the return from the call
So again we patch in a RET instruction at the front of this call. We note that
the return call at the end of the function is a RET 04 (hex bytes C20400), so
that's what we patch in at the begining of the call (this time it's at file
location 00016E9C, disassembly location 00416E9C).
To test it out, we remove the registry entries for the program, rerun it and
watch to see if the firewall is triggered. Nope, works like a charm. Still
asks for the information but doesn't sent it anywhere.
Now we could try to bypass the code that asks for this information, but
instead we open the hex editor and look for the message that comes up in the
opening window, the message that tells you how this information you are
filliing out is going to be sent to streambox.com; since that's no longer true
we feel we should correct the message. We find the message text at file
location DD9E64, and replace it with a message that tells the user not to
worry about any information being sent anywhere, remember that each character
is followed by a 00 byte, and making sure not to change the size of the file.
Now we want to automate the patch so that anyone can work it without having to
edit the executable with a hex editor. So we grab perfx' patchfx utility and
compile an official patch for the crack.
Are we done? well, yes and no. We have reached the limit of our abilities.
There are some remaining mysterious though, that we are not able to solve.
First, we discover a segment of code that appears to be trying to connect to
a server at 210.217.191.143. We run this address through visual router, and it
comes up with a no-name machine in seol korea. Hmm, that sounds interesting.
We try to figure out what the code is doing, but no luck. We watch the firewall
and play with the program to see if it tries to go there. no luck. then we try
to be clever and use softice to jump straight into that code, but aren't able
to generate a call that doesn't segment fault on us. Okay, so in the interest
of expediency, we give up on this and leave it fr the more experienced
reverse-engineers. Now we've got a choice whether to leave the code in there
or kill it. For safety, we zero out the reference to the address
"210.217.191.143" and all references to the streambox server address
"216.34.68.140" The other interesting thing we find in the code is a message
that says "the true test of great espresso is savoring it without sugar or
milk" - and the message is manipulated every time the program tries to talk
with its mommy. We can't figure out how it's being used though. Maybe as a
kind of one-time (every-time) encryption pad? It's just a lingering curiousity
though, since the thing is mute now.
That's it - hope you had as much fun as we did. And a final question to the
cracker historians out there: do you know about the calculator crackers who
cracked into the HP41C calculator? If not, time to go back and hit the books.
-Flying Raichu
ABOUT
~~~~~
I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #65 soon! ;)
And as I said last time: Without knowledge, there's no power! ;)
Credits go to:
tKC for Interface.
tKC for Splash Logo
Flying Raichu for providing a tut in this version.
LW2000 for providing 4 tuts in this version.
tKC for coding this version :)
All the crackers (non-members of CiA) are welcome to send tutors
for the next tutorials .. see below for my email address!
*** 80 chars per line in textfile please! ***
And all the tutors can be found at http://www.msjessca.da.ru!
Greetz goto all my friends!
You can find me on IRC or email me at tkc@reaper.org
Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 10 January 2000
Cracking Tutorial #64 is dedicated to Mandy.