INTRO

Hi Guys. Firstly, I'd just like to thank TORN@DO for coming up with the great idea of having a weekly project for newbies to learn with. I think it's a great idea. I'll try to be as thorough as I can with this tutorial so even the newest of newbies can understand it.
INFO

| Item | Details |
|---|---|
| The Proggie | Security Administrator for Windows95/98 v1.3. Download from The C4N Projects Website. |
| The Protection | This program has reg code protection. And it's fairly simple too! |
| The Required Tools | I used NuMega SoftICE, the debugger of all debuggers. You could use W32Dasm, as this program's protection is fairly easy to defeat, but you'll benefit from seeing what's going on with SoftICE. Also, as per usual, a brain and an open mind are required. |
| The Greetz | Many thanks to those who take the time to write the crackmes. Thanks to all people in #cracking4newbies and #win32asm. Greetz to StRAzOr, ACiD BuRN, Shannon-, Volatility, The Sandman, Fravia, +ORC, ALx, _Tribe, all the legends from Desync and any other aspiring Crackerz! |
| Other Info | All S-ICE commands will be highlighted in RED. I will possibly use the following abbreviation: WTF = What the fuck?! Before I cracked the app in question, I was planning on keygenning it. I soon found out that this wasn't required. I will show you how the protection works, and how to get round it with a valid serial number. |
THE ESSAY

OK people. Load up the app (download it now if you haven't already). You'll see that the first thing that comes up is the registration screen asking you to enter a reg code. The way I approached this from here: I entered my usual reg code that I enter when cracking, karnak19781205. So punch in your dummy reg code now (I'll use mine for reference throughout this tutorial). Now we'll set a breakpoint in SoftICE on the hmemcpy function, because a lot of the time this will work: BPX hmemcpy. Then come back to Windows. After pressing the GO button, SoftICE will pop up again. Since we are deep down in the depths of the Windows functions, we need to press F12 until we see the application's name in the border, so we know we are looking at the right code. When you first reach the program's code, you'll still have to press F12 a few more times until you reach the following code:
```
:0046AFED E822F8FBFF   CALL 0042A814
:0046AFF2 8B45F8       MOV EAX,[EBP-08]          <--- We are here
:0046AFF5 8D55FC       LEA EDX,[EBP-04]
:0046AFF8 E8CF62FFFF   CALL 004612CC
:0046AFFD 837DFC00     CMP DWORD PTR [EBP-04],00
:0046B001 750D         JNZ 0046B010
:0046B003 8D45FC       LEA EAX,[EBP-04]
:0046B006 BA74B04600   MOV EDX,0046B074
:0046B00B E82C8AF9FF   CALL 00403A3C
:0046B010 A1F43E4700   MOV EAX,[00473EF4]
:0046B015 8B00         MOV EAX,[EAX]
:0046B017 8B55FC       MOV EDX,[EBP-04]
:0046B01A E8256C0000   CALL 00471C44
:0046B01F 8B8308030000 MOV EAX,[EBX+00000308]
:0046B025 8B10         MOV EDX,[EAX]
:0046B027 FF92B4000000 CALL [EDX+000000B4]
:0046B02D A14C3E4700   MOV EAX,[00473E4C]
:0046B032 803800       CMP BYTE PTR [EAX],00
:0046B035 740A         JZ 0046B041
```

Right, at this point we have just returned from the "GetText" routine. If you take a look at the EAX register you'll see the length of our 'RegCode'. Press F10 once, and DD EAX, and in the data window you should see the reg code that you typed in. Now at this point I decided to trace through the code (using F10 to step OVER) until I found the following code:

```
:0046CCDF E8C06CF9FF   CALL 004039A4
:0046CCE4 8B45FC       MOV EAX,[EBP-04]
:0046CCE7 E8346FF9FF   CALL 00403C20               <--- I stopped here
:0046CCEC 83F80C       CMP EAX,0C
:0046CCEF 0F8599000000 JNZ 0046CD8E
:0046CCF5 8B45FC       MOV EAX,[EBP-04]
:0046CCF8 803838       CMP BYTE PTR [EAX],38       <--- Interesting
:0046CCFB 0F858D000000 JNZ 0046CD8E
:0046CD01 8B45FC       MOV EAX,[EBP-04]
:0046CD04 80780233     CMP BYTE PTR [EAX+02],33    <--- Interesting
:0046CD08 0F8580000000 JNZ 0046CD8E
:0046CD0E 8B45FC       MOV EAX,[EBP-04]
:0046CD11 80780331     CMP BYTE PTR [EAX+03],31    <--- Interesting
:0046CD15 7577         JNZ 0046CD8E
:0046CD17 8B45FC       MOV EAX,[EBP-04]
:0046CD1A 80780439     CMP BYTE PTR [EAX+04],39    <--- Interesting
:0046CD1E 756E         JNZ 0046CD8E
:0046CD20 8B45FC       MOV EAX,[EBP-04]
:0046CD23 80780830     CMP BYTE PTR [EAX+08],30    <--- Interesting
:0046CD27 7565         JNZ 0046CD8E
:0046CD29 8B45FC       MOV EAX,[EBP-04]
:0046CD2C 80780935     CMP BYTE PTR [EAX+09],35    <--- Interesting
:0046CD30 755C         JNZ 0046CD8E
:0046CD32 8B45FC       MOV EAX,[EBP-04]
:0046CD35 80780A53     CMP BYTE PTR [EAX+0A],53    <--- Interesting
:0046CD39 7553         JNZ 0046CD8E
:0046CD3B 8B45FC       MOV EAX,[EBP-04]
:0046CD3E 80780B45     CMP BYTE PTR [EAX+0B],45    <--- Interesting
:0046CD42 754A         JNZ 0046CD8E
:0046CD44 B8BC584700   MOV EAX,004758BC
:0046CD49 8B55FC       MOV EDX,[EBP-04]
:0046CD4C E8A76CF9FF   CALL 004039F8
:0046CD51 C605B858470001 MOV BYTE PTR [004758B8],01
:0046CD58 B301         MOV BL,01
:0046CD5A 33D2         XOR EDX,EDX
:0046CD5C 8B8600050000 MOV EAX,[ESI+00000500]
:0046CD62 E86DCEFCFF   CALL 00439BD4
```
OK, at the point where I stopped, [EBP-04] held a pointer to my reg code. Pressing F10 again, I saw that EAX contained 0E (the length of my reg code, 14 in decimal). This is compared to the value 0C (12), and if they aren't the same we jump to the end of the routine. Hmmm.. not good :-) So I put 2 and 2 together and decided to change the length of my regcode to 12. But before carrying on I couldn't help but notice the code afterwards. Take note of all of the 'Interesting' comparisons in the above code. As you can see, EAX points at our regcode, and particular bytes of the code are compared to particular values. If any of these values are different, we jump to the end of the routine. So at this point we can safely say that we need to get through all these comparisons without jumping. So let's take a look at the comparisons (the hex values are ASCII codes):

- [EAX] (position 0) is compared to 38h = '8'
- [EAX+02] is compared to 33h = '3'
- [EAX+03] is compared to 31h = '1'
- [EAX+04] is compared to 39h = '9'
- [EAX+08] is compared to 30h = '0'
- [EAX+09] is compared to 35h = '5'
- [EAX+0A] is compared to 53h = 'S'
- [EAX+0B] is compared to 45h = 'E'

Positions 1, 5, 6 and 7 are never checked at all. So, in other words, if our regcode follows the above criteria, we should have a valid key! Once every compare passes, the code at 0046CD44 copies the reg code to 004758BC and sets the byte at 004758B8 to 1, presumably the 'registered' flag. OK, so let's try it out. Disable all breakpoints, and punch in a code following this format: 8x319xxx05SE. I used '8K319ARN05SE'. Hit the 'GO' button. BINGO!! Program cracked!
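Here is the check above re-implemented in Python, as an added example (not code from the tutorial or from the program itself): the offset-to-byte table is transcribed from the CMP instructions in the listing, so you can confirm that the routine accepts exactly the 8x319xxx05SE format and that nothing in the check ties a code to a particular user.

```python
# Transcribed from the listing above: CMP EAX,0C, then one
# CMP BYTE PTR [EAX+offset],imm8 / JNZ 0046CD8E per fixed byte.
EXPECTED_LENGTH = 0x0C
EXPECTED_BYTES = {
    0x00: 0x38,  # '8'
    0x02: 0x33,  # '3'
    0x03: 0x31,  # '1'
    0x04: 0x39,  # '9'
    0x08: 0x30,  # '0'
    0x09: 0x35,  # '5'
    0x0A: 0x53,  # 'S'
    0x0B: 0x45,  # 'E'
}


def check_regcode(code: str) -> bool:
    """Re-implementation of 0046CCE7..0046CD44: reject on length, then on any fixed byte."""
    data = code.encode("latin-1", errors="replace")
    if len(data) != EXPECTED_LENGTH:      # CMP EAX,0C / JNZ 0046CD8E
        return False
    for offset, expected in EXPECTED_BYTES.items():
        if data[offset] != expected:      # CMP BYTE PTR [EAX+offset],imm / JNZ 0046CD8E
            return False
    return True                           # falls through to MOV BYTE PTR [004758B8],01


def unconstrained_positions() -> list:
    """Offsets the routine never reads; any byte is accepted there."""
    return [i for i in range(EXPECTED_LENGTH) if i not in EXPECTED_BYTES]


def template() -> str:
    """The accepted format written the way the tutorial does, with x for unchecked bytes."""
    return "".join(chr(EXPECTED_BYTES[i]) if i in EXPECTED_BYTES else "x"
                   for i in range(EXPECTED_LENGTH))


def fixed_fraction() -> float:
    """Share of the 12 bytes pinned to a constant baked into the binary."""
    return len(EXPECTED_BYTES) / EXPECTED_LENGTH


if __name__ == "__main__":
    # Constructed inputs: the dummy code and the working code from the tutorial.
    for candidate in ("karnak19781205", "8K319ARN05SE"):
        print(f"{candidate!r:20} -> {check_regcode(candidate)}")
    print("template:", template(), "unchecked positions:", unconstrained_positions())
```

Eight of the twelve bytes are constants stored in the executable and the other four are never read, which is why a single disassembly listing is enough to recover the entire format.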
THE SOLUTION

Well, this has already been shown. Any registration code that follows the format 8x319xxx05SE (where x = any character) will work perfectly!
THE END

Well that's it guys, hope you learned something from this essay! Please drop me a line at karnak@techies.com if you need any help. Thanks again to TORN@DO for maintaining the C4NProjects site. Happy Cracking! Karnak.