July 1998
"CD Wizzard V4.61"
( 'Jumping around to avoid code checks'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: cdw4.exe
Program Type: Music CD Cataloguer
Program Location: Here 
Program Size: 354K 
 
   
Tools Used:
W32Dasm V8.9 - Disassembler
Hex Workshop32 or any other Hex Editor
 
Rating
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
  
 
CD Wizzard V4.61
( 'Jumping around to avoid code checks'  )
Written by The Sandman
 
 
 
Introduction
 
This is quite a useful program to have around, especially if you have lots of music CDs that require cataloguing. The program accesses a huge database on the web that will automatically index and catalogue just about any music CD you have lying around the house.
About this protection system
 
The protection system uses a single 8-digit number based on your User Name/Handle, and it performs a check on this registration number each time the program is run as well as in the Registration Screen.. This program also checks itself, using a simple CRC check, for any tampering with its code.. If it detects any changes to its code then it will pop up a 'Virus Warning' message and exit back to Windows.. The routine that deals with this can be seen here:-
 
:00401D41 394514           cmp dword ptr [ebp+14], eax
:00401D44 7D15             jge 00401D5B ;program tampered with?
:00401D46 6A10             push 00000010
:00401D48 FF15F8124300     Call USER32.MessageBeep
:00401D4E 6A10             push 00000010
:00401D50 56               push esi

* StringData Ref from Data Obj ->"Caution!  We have detected a virus "
                               ->"attached to your copy of CD Wizzard. "
                               ->" Please contact BFM Software ASAP "
                               ->"for a virus-free copy.  CD Wizzard "
                               ->"will now end."
 
:00401D51 689C574300       push 0043579C
:00401D56 E96C120000       jmp 00402FC7  ;Display message then Exit program

One thing worth noting here: if you're going to have a 'Virus' checking routine implemented then it makes sense to run it as soon as your program starts. However, the programmers call this routine ONLY after the program has validated your serial number, as though they wanted to check that you didn't cheat by altering their program's code in order to fool it into accepting your fake serial number!..  He he, read on....

On successful registration the program will store all the User's details in a file called cdw.ini which can be found in the same directory as the program itself.

UserName=The Sandman
Password=11306     <----This password is generated by the program itself
IDate=10425
         
The Essay 
     
This is quite an interesting program to cut one's teeth on, from a newbie's point of view that is.. We have a number of choices as to how *we* want to crack this babe, so I offer you my chosen approach, although you can choose a different approach if you like, using the knowledge contained within this essay..
 
Let us begin..

As always, run this program several times, get to know how it works and of course make notes on any text messages that you feel will help you to quickly locate those all important protection routines.

Using W32Dasm, create a 'Dead Listing' of this program; it's going to save us a great deal of time and will help us to familiarize ourselves with the task in hand..
 
Open up the program's String Data Resources and find the text "Thank you for registering". You will find two occurrences of this text; we want to concentrate our efforts on the first occurrence of this string.
 
:00414606 E8AC0D0000             call 004153B7 ;Process the serial no's
:0041460B 83C40C                 add esp, 0000000C
:0041460E 85C0                   test eax, eax ;Serial ok?
:00414610 741C                   je 0041462E   ;no? then beggar off cracker
:00414612 6A40                   push 00000040 ;serial valid then continue
:00414614 C705C0E0430001000000   mov dword ptr [0043E0C0], 00000001
:0041461E FF15F8124300           Call USER32.MessageBeep
:00414624 6A40                   push 00000040
:00414626 57                     push edi

* StringData Ref from Data Obj ->"Thank you for registering CD Wizzard. "
                               ->" The funds will help us produce "
                               ->"more shareware!"
 
:00414627 68D47A4300             push 00437AD4
:0041462C EB21                   jmp 0041464F

From this code snippet we can make a number of educated guesses at this stage just by working out where the conditional je (jump if equal) instruction goes to.  We can also say that IF the serial number is valid (the program does not jump) then two lines down from this je 0041462E instruction you'll see the program place a value of '1' into the memory location [0043E0C0] which, if you've examined a number of programs, you'll know is very likely the 'Program is REGISTERED' flag that the rest of the program will check during the course of its use to tell it whether it is supposed to run in Shareware or Registered mode.

Since this essay is trying to teach you 'How to Crack' rather than showing you how to steal this software, we're going to *crack* this babe in stages, examining as we go what happens and why we must do certain things, in order to help us understand what we must do next..

OK, fire up Wizzard and select the 'Help' menu option then choose the 'About CD Wizzard' sub menu option then finally click once on the 'Register..' button.

Fill in your first and last name then type in an 8-digit number for the password.
 
At this point press the Ctrl and D keys together.. Softice appears...

Type bpx messageboxa  then x to exit softice.

We are using the system function messageboxa so that it will allow us entry into the program's code. We are not concerned too much with where this will place us, since we know where we want to be, and this will allow us to get there quickly and without bother..
 
Once you've typed in all the details click once on the 'Register' button. Softice should now break at the beginning of the messageboxa routine, so from here just press the 'F11' key once; the program will now tell you that your registration code was invalid. No problem, just click on the 'OK' button to close this message box and once again Softice breaks..  We should now be in CD Wizzard's program code.  If you wish to confirm this for yourself then Softice should now be waiting for your next instruction at memory offset:

XXXXXXXX:004146E4        jmp 00428FF

Now you need to:-

1. Type bc * to clear away any previous breakpoints made within Softice.
 
2. Type: u 00414606 this will display the section of code within this program we're interested in.

3. Then type: bpx 00414606 this will place a Softice breakpoint just before that je 0041462E instruction that decides whether the program will allow us to register it or carry on running in Shareware Mode.

4. Now type x to leave Softice and let the program continue on..
 
5. Re-run the CD Wizzard registration process again, fill in the User details and fake 8 digit serial number then click once on the 'Register' button..

Softice breaks on our single breakpoint at memory location: XXXXXXXX:00414606

00414606 E8AC0D0000             call 004153B7

6. Now type e 00414611 this will place the cursor inside the Hex-Code window and over the byte that tells the conditional jump statement where to jump to (the 1C displacement byte of the je at 00414610). All you need to do now is type:

00 (zero zero) then press the 'ESC'ape button once to restore your cursor back to the Softice Input Window.

The disassembly listing should NOW change to show this:-

:00414606 E8AC0D0000             call 004153B7 ;Process the serial no's
:0041460B 83C40C                 add esp, 0000000C
:0041460E 85C0                   test eax, eax ;Serial ok?
:00414610 7400                   je 00414612   ;Accept it regardless
:00414612 6A40                   push 00000040
:00414614 C705C0E0430001000000   mov dword ptr [0043E0C0], 00000001
:0041461E FF15F8124300           Call USER32.MessageBeep
:00414624 6A40                   push 00000040
:00414626 57                     push edi

* StringData Ref from Data Obj ->"Thank you for registering CD Wizzard. "
                               ->" The funds will help us produce "
                               ->"more shareware!"
 
:00414627 68D47A4300             push 00437AD4
:0041462C EB21                   jmp 0041464F

This process is EXACTLY the same as if we had patched this program using a Hex Editor, with the difference that this 'patch' does NOT affect the copy you have on the hard disk.  We have to use a Hex Editor for that.. This 'patch' is simply a memory patch; if you reload the program this 'patch' is lost and will be replaced by the original program's code.

While still in Softice press x to leave Softice.. The program now tells you that your serial number was correct and that in order to make these changes permanent the program has to be restarted.. So OK, do this: exit the program and then restart it..

Notice that our program is STILL running in Shareware mode!.  He he, you didn't think it was that simple did you!.. No problemo, the program has saved our User details in its cdw.ini file but has rejected them because the saved serial number does not match the User Name you gave it..
 
OK, exit the program again.. Fire up Softice once more (Ctrl-D), then type bc * to clear away any previous breakpoints within Softice, then type bpx getprivateprofileinta, then x to leave Softice.

The system function getprivateprofileinta is a 32-bit system function provided by windoz to allow programs to read information from .INI files and convert numbers, which are stored there in string format, into integers.  Don't worry too much about integers; suffice to say that the program will read our saved serial number from a text based file and convert this serial number into a different format which will make it easier for it to handle.

Now we're ready... Start up CD Wizzard, Softice will break...Now follow these instructions exactly...

Press 'F11'
Type 'x'
 
Press 'F11'
Type 'x'
 
Press 'F11'
Type 'x'

Press 'F11'
Type 'x'
 
Press 'F11'

If all went well you should now be here..  if not, then type bc * while still in Softice, then type bpx 00401C2B, then type x, which should get you here.. Do this ONLY if you are unable to get to this code snippet:-
 
 
:00401C2B 684C584300       push 0043584C ;Read "Password" from .INI file
:00401C30 56               push esi
:00401C31 889A20E14300     mov byte ptr [edx+0043E120], bl
:00401C37 FF1558114300     Call KERNEL32.GetPrivateProfileIntA
:00401C3D 50               push eax               ;You Should land here...
:00401C3E 66A3A0CC4300     mov word ptr [0043CCA0], ax
:00401C44 FF750C           push [ebp+0C]
:00401C47 6890D74300       push 0043D790
:00401C4C E866370100       call 004153B7
:00401C51 83C40C           add esp, 0000000C
:00401C54 85C0             test eax, eax ;test results from checking serial
:00401C56 0F842E010000     je 00401D8A  ;Serial # ok? no? then "beggar off"
:00401C5C 6890D74300       push 0043D790

OK, at this point type bc * then bpx 00401C2B; this will make Softice break EVERY TIME you re-run CD Wizzard without having to go through the getprivateprofileIntA routine, which we HAD to do when trying to find out where the program reads our serial number from its .INI file.. Now that we know where this happens we can set a Softice breakpoint here and we know the program will always stop here whenever we re-run this program.. During testing we may need to do this several times, but since I've already done this for you this won't be necessary..

By following in our dead listing where the je 00401D8A statement takes us, we know that it directs the program to the 'beggar off cracker' message routine, which we don't like very much.. It would be much better if we could prevent this by forcing the program to ALWAYS jump to accepting our serial number EVERY TIME it runs..
 
I mentioned earlier that the program checks for viruses, or rather for changes to its code, only IF the program has accepted your serial number. Well, a little further down the code is where it does this. However, we're going to divert the program so that it skips over all checking of the serial number AND the routine that checks for any changes to the program's code; in fact we're going from here directly into our 'registration' routine which, as it happens, starts right after the virus checking routine!..
 
So here's where our patch goes..

:00401C54 85C0             test eax, eax ;test results from checking serial
:00401C56 0F84FF000000     je 00401D5B  ;If invalid serial then accept it!
:00401C5C 6890D74300       push 0043D790

All we did here was change the address the program jumps to when the serial number is invalid, so that it now lands in the 'Good cracker' routine.
 
Job Done.
 
The 'Crack' 
 
Here's how to 'patch' this target program so that it will be fully registered..:)
 
1. Locate the file: C:\Program Files\CD Wizzard\cdw.ini (Use Windows Notepad)
2. Enter these lines under the heading [CDWizzard]

[CD Wizzard]
UserName=PLACE_YOUR_NAME/HANDLE HERE
Password=PLACE_A_FOUR-SIX_DIGIT_NUMBER_HERE
 
3. Save this file.
4. Load up cdw4.exe into your favorite Hex-Editor (I prefer Hex Workshop32) but just about any hex editor will do..
 
5.SEARCH FOR THE FOLLOWING BYTES : 85C0741C6A40C705
  REPLACE WITH HIGHLIGHTED BYTES : 85C074006A40C705
 
6.SEARCH FOR THE FOLLOWING BYTES : 85C00F842E010000
  REPLACE WITH HIGHLIGHTED BYTES : 85C00F84FF000000
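As an added example (not code from the essay, nor from CD Wizzard or BFM Software), here is a small Python script that decodes the conditional jumps quoted in the listings above and reads the two byte patches of steps 5 and 6 as changes of branch target. The addresses and byte patterns are the ones the essay quotes; the sample image at the end is constructed for the demonstration. It also shows the check a defender can run over a distributed copy: the patched 'je 00' is a conditional branch to its own fall-through address, a branch that does nothing whether taken or not, and the second patch moves the failure path of the startup check to 00401D5B, the same address the jge at 00401D44 uses to skip the virus warning, so the patched program never reaches the integrity check at all.

```python
# Added example (not code from the essay or from CD Wizzard itself): decode the
# x86 conditional jumps shown in the listings and read the two byte patches from
# 'The Crack' as changes of branch target.  Addresses come from the listings;
# the sample image at the bottom is constructed for the demo.
from dataclasses import dataclass

# The low nibble of a Jcc opcode selects the condition; the same table serves the
# short form (0x70-0x7F, 8-bit displacement) and the near form (0F 80-8F, 32-bit).
JCC_NAMES = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
             "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


@dataclass(frozen=True)
class Jcc:
    addr: int        # virtual address of the instruction
    mnemonic: str
    length: int      # 2 for the rel8 form, 6 for the rel32 form
    target: int      # addr + length + signed displacement

    @property
    def fallthrough(self) -> int:
        return self.addr + self.length

    @property
    def is_no_op(self) -> bool:
        # A branch whose target is the next instruction does nothing whether or
        # not it is taken: 'je 00' is the classic fingerprint of a patched check.
        return self.target == self.fallthrough


def decode_jcc(code: bytes, addr: int) -> Jcc:
    """Decode a Jcc rel8 or Jcc rel32 instruction at the start of `code`."""
    if code[0] & 0xF0 == 0x70:
        disp = int.from_bytes(code[1:2], "little", signed=True)
        length, cond = 2, code[0] & 0x0F
    elif code[0] == 0x0F and code[1] & 0xF0 == 0x80:
        disp = int.from_bytes(code[2:6], "little", signed=True)
        length, cond = 6, code[1] & 0x0F
    else:
        raise ValueError(f"no conditional jump at {addr:08X}: {code[:2].hex()}")
    return Jcc(addr, JCC_NAMES[cond], length, (addr + length + disp) & 0xFFFFFFFF)


# The two search/replace pairs from 'The Crack'.  Each pattern starts with
# 85 C0 (test eax,eax), so the branch sits two bytes in; the address is that of
# the test instruction in the corresponding listing.
PATCHES = {
    "register dialog": (0x0041460E, "85C0741C6A40C705", "85C074006A40C705"),
    "startup check":   (0x00401C54, "85C00F842E010000", "85C00F84FF000000"),
}


def explain_patch(pattern_addr: int, original_hex: str, patched_hex: str):
    """Return (branch before, branch after) for one search/replace pair."""
    orig, new = bytes.fromhex(original_hex), bytes.fromhex(patched_hex)
    if orig[:2] != b"\x85\xc0" or new[:2] != b"\x85\xc0":
        raise ValueError("pattern is expected to begin with test eax,eax")
    branch_addr = pattern_addr + 2
    return decode_jcc(orig[2:], branch_addr), decode_jcc(new[2:], branch_addr)


def classify_image(image: bytes) -> dict:
    """Report, per patch site, whether a binary image carries the original or
    the patched byte sequence: a plain substring search, which is all a
    verifier of distributed copies needs for these two sites."""
    report = {}
    for site, (_, original_hex, patched_hex) in PATCHES.items():
        if bytes.fromhex(original_hex) in image:
            report[site] = "clean"
        elif bytes.fromhex(patched_hex) in image:
            report[site] = "patched"
        else:
            report[site] = "absent"
    return report


# Constructed sample image: filler bytes around one patched and one clean site.
SAMPLE_IMAGE = (b"\x90" * 16 + bytes.fromhex("85C074006A40C705")
                + b"\xcc" * 16 + bytes.fromhex("85C00F842E010000") + b"\x90" * 16)

if __name__ == "__main__":
    for site, (addr, orig_hex, new_hex) in PATCHES.items():
        before, after = explain_patch(addr, orig_hex, new_hex)
        print(f"{site}: {before.mnemonic} {before.target:08X} -> "
              f"{after.mnemonic} {after.target:08X}"
              + ("  (branch is now a no-op)" if after.is_no_op else ""))
    # The jge guarding the virus warning (00401D44 7D15) shows the rel8 form.
    jge = decode_jcc(bytes.fromhex("7D15"), 0x00401D44)
    print(f"jge at {jge.addr:08X} skips the warning to {jge.target:08X}")
    print(classify_image(SAMPLE_IMAGE))
```

Run it as a script to see the before/after targets for both sites and the report for the constructed image. The substring check only recognises these two exact patterns; a defender shipping real integrity protection would hash the whole code section and, as the essay notes, run that check before any serial validation rather than after it.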
 
Final Notes 
 
This was perhaps a harder way to crack this program, requiring two patches to the program's code in order to make it run as a fully registered program.  It might have been easier to sniff out where the program generates its correct serial number and use that to register the program with.. Perhaps some will do this and send in their essay on how to do this for everyone to read?
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges to breaking their often weak protection systems.
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 


Essay by:          The Sandman
Page Created: 11th July 1998