Internal keygen technique

Date

by epokh


14/01/2006

UIC's Home Page

Published by Quequero

Do you think you can take over the universe and improve it?
I do not believe it can be done.
The universe is sacred.
You cannot improve it.
If you try to change it, you will ruin it.
If you try to hold it, you will lose it.

Thanx Epolpa

So sometimes things are ahead and sometimes they are behind;
Sometimes breathing is hard, sometimes it comes easily;
Sometimes there is strength and sometimes weakness;
Sometimes one is up and sometimes down.
Therefore the sage avoids extremes, excesses, and complacency.

....

Home page : http://www.epokh.org
E-mail: [email protected]
IRC: #[email protected] | Skype:matrix.epokh

....

Level

( ) NewBie ( ) Intermediate ( ) Advanced (X) Master



Introduction

In this article I will explain a cracking technique of my own, called internal keygening, so a good knowledge of assembly code is required.

Used tools

Just OllyDebugger

Program

We are going to crack NetInfo 5.7 by the Tsarfin Computing software house.

Essay


The NetInfo program is packed with NeoLite 2.0, so we need to unpack it and fix the IAT. For reference, the OEP is 00422F27 and the program is written in Microsoft Visual C++ 7.0 (Method2).
This is not a tutorial on how to unpack a NeoLite program or on how to simply crack the program, so I will assume the reader can find the checking function by himself; I will just explain the internal keygening method.
Program limitations:
  1. The program is fully functional, but it shows a registration splash screen at startup.
  2. The license is tied to the computer, so if the user wants to use another computer he must buy another license.

We want to remove the nag screen and bypass the computer check. The reader must be careful with this program, because it connects to the Internet to check whether the license was really bought. So keep the firewall on and don't trust the program; at the end we will also remove this dangerous online check.
This program manages the license in this way:

So it is clear that we have a lot of work to do!
We work on this dialog:


We begin with the RegistrationDialog and the corresponding function:



Now we want to change this routine so that it generates a hash independent of the computer's host name!
So the first change is to generate the hash as hash = f(username, username). This means we have to push the username onto the stack twice, so that the hash function will always generate the same hash for a given username.
The modified asm code is this:


That solves the first problem, but now we want to store in the LicenseKey registry value NOT the license typed in the dialog box, but the hash generated by the program, which in this case is f(epokh,epokh) -> "9093-98B255ED-D2".
Now we have to be very careful about what we do. After the call to the hash verification
0041DAD3 CALL DS:[<&mfc71.#1482>] ; CHECK THE LICENSE
the registers are in this state:
ECX points to the hash string
EDX points to the string "licenze" (the text typed in the dialog box)
In addition, we definitely have to bypass this jump:
0041DADB JNZ SHORT 0041DB50 ; HERE THE CRITICAL JUMP

The problem now is that the program first stores the username in the registry and then the license, but what we want is to store the hash in the license registry value, so let's analyse the code carefully:



So we have to save the hash on the stack and then pop it into EAX, so that it gets saved in the registry value called License Key!
The patched code is this:


In this way we simply pop the previously generated hash from the stack and push it again, so that
0041DB21 CALL <JMP.&mfc71.#6306>

will save in the registry the hash "9093-98B255ED-D2" and not the "licenze" string typed in the dialog box. In this way we have an internal keygen: the hash differs according to the username chosen by the user. Next we have to check what the program does at startup to validate the license.
At startup the program reads the Username and License key from the registry, and the hostname with the API function winsock32.gethostname:




Then it generates the hash at this point:



This time too we want the hash generated as f(username,username) -> hash, so we must push the pointer to the username string onto the stack twice:



In this way the next comparison:
00407799 CALL DS:[<&mfc71.#1482>] ; COMPARE WITH THE HASH READ FROM THE REGISTRY

will always succeed and the splash screen is removed!
There are still some checks to bypass. The first is made when we try to save from Settings -> Save:




The corresponding check is this:



The save settings function calls another check at this point:



which we patch by simply NOPping the call highlighted in red:




The last thing we have to do is to remove the Internet check. This is quite easy because, as the firewall tells us, the program connects to the software company's website over HTTP. So we put some breakpoints on the HTTP functions and find this:




The first URL is used for the HTTP GET: if we don't take the jump, the program will exchange the license key with the server to check whether we really bought the license. So we just patch it this way:
00409E5D JMP 00409FAC

This way the program will not try to connect to the Internet. The program tricked me the first time; I took a screenshot:



From this experience I learned to always keep the firewall up!
For any question about this article the reader can find me on IRC or by e-mail.

..::EPOKH::..

Final notes

Thanx to all the girls who don't consider me, so that I have more time for hacking and reversing.

Disclaimer

I would like to remind you that software must be bought, not stolen: you must register your product after the evaluation period. I do not hold myself responsible for any damage to your computer caused by improper use of this tutorial. This document was written to encourage the consumer to register his programs legally, and not to make use of the countless crack files available on the net; in fact this document helps you understand the effort every developer has had to put in to provide his customers with the best possible products.

We reverse only for informational purposes and to improve our knowledge of the Assembly language.