Ok people. First of all I'd like to say that I do not want to support any illegal action with this tutorial. It's just for educational purposes. It should help you to understand what's going on in a PC and why things are the way they are. You should also get an idea of what good cracking is about and be able to recognize general patterns used by many programs. If you want to use the software beyond its trial status then there's only one way. This way is to buy it. After doing and understanding the crack you should buy or delete the software. Because cracking isn't necessarily illegal. It's a way of having fun and it's a real good feeling when you're done with a hard program. Believe me.
So, if you do not think the same, or if you were too stupid to find an exe crack and just want to crack it by my tutorial, then I'd like you to go to bed, take a nap, think about ethical cracking, your life, things you achieved and how you did it, love, hate, ignorance, of course Roadrunner and Coyote, and come back with the wish to learn and understand. Repeat this part until you feel you are the kind of person having the wish to seek the knowledge bestowed upon you.
Well, let's get started. First let's say something about tools. Having good tools is the most important thing for being a good cracker. You will never ever become even an average one with the wrong tools. So this is the list of standard must-have tools (which we'll also need for this program):
MP3Wolf: the target program, MP3 Wolf for Windows 95
Win32 Disassembler (W32Dasm): a very fine disassembler with loads of useful options and a nice interface. (writer's choice)
SoftICE: a runtime debugger. The tool you nearly can't live without. (writer's choice)
HView: a great hex/text/assembler editor in one. (writer's choice)
Registry Monitor (RegMon): a useful program telling you which registry keys were looked up during the start of a program or its execution
Where to get them:
The Cracking Palace
CrackZ's Tool Shop
Flu[X]/PC98's Homepage
After getting the tools and having a look around the pages we should now start to find out something about our target program. The first thing to do is reading the help and manual of the program. Also, look for keywords such as "register" or "ordering". Get familiar with the software and see if you can find out what restrictions there are for the demo version. We'll need this to find out if our crack really works, or if we just stopped the beggar-off screen.
So the things I found interesting are:
(1) Unregistered Version Restrictions
If you have not yet registered, you will have cause to despair, for you will not be able to utilise the full potential of this product. There are a number of restrictions in the Unregistered version.
You will not be able to restart searches and will thus lose the benefit of previous sessions.
Report files will display and play advertisements for recording artists, and you will not be able to automatically disable the Audio Stream.
The maximum number of concurrent connections is restricted to 10.
The maximum number of files you will be able to index is restricted.
If you have not done so already, please register your copy. You will find it most worthwhile.
(2) licence agreement
Then visit the homepage and look at what you can find there.
After all this it's time to figure out if there's something interesting referring to the registry at startup. Therefore we launch RegMon and set the filter option to M*, so we only get the requests from MP3-Wolf. If you want you can also disable the filter.
0 Mwolf32 QueryValueEx HKCU\Control Panel\Desktop\SmoothScroll NOTFOUND
1 Mwolf32 QueryValueEx HKCU\Control Panel\Mouse\MouseHoverTime NOTFOUND
2 Mwolf32 OpenKey HKLM\System\CurrentControlSet\Control\CommAlias NOTFOUND
3 Mwolf32 OpenKey HKLM\System\CurrentControlSet\Control\SessionManager\KnownVxDs NOTFOUND
4 Mwolf32 QueryValueEx 0xC92215E0\URL NOTFOUND
5 Mwolf32 QueryValueEx 0xC92215E0\C:\PROGRAMME\DATA FELLOWS\F-SECURE\ANTI-VIRUS\DFSAV32 NOTFOUND
These are the keys MP3 Wolf looks up when it starts.
Too bad! We didn't find anything of big interest here, but we should always do this. When cracking other programs, checking their registry accesses might bring valuable information. Ok, so now that we started the Wolf let's see if we can register by chance, and what happens if we fail in our attempt.
We get an ugly message box saying "Invalid Registration Name or Serial Number". That's very good, because we need some clues to look for in the Win32 Disassembler (W32Dasm), which we start right now. We open a file to disassemble: the MWolf32.exe file. Then we search for this very interesting string "Invalid Registration Name or Serial Number", because we hope that the target program prepares the string for the output and, much more important, that this happens near the compare of the serial. After searching we really find it. This is the first time we know we're on the right way, but there's still much to learn. This is a very common way to find the interesting areas in the disassembled file: find an interesting string in the target program and search for it in the disassembled mess. Let's take a look at what we found.
listing:
:00403541 E8DC9D0000     call 0040D322               This seems to be the call where the serial is compared
:00403546 59             pop ecx                     The Registration Name is stored in ecx
:00403547 85C0           test eax, eax               Let's test the result
:00403549 59             pop ecx                     The Registration Serial is stored in ecx
:0040354A 7518           jne 00403564                Jump and continue if the serial is good, else continue without jump
:0040354C 6A30           push 00000030
* Possible StringData Ref from Data Obj ->"Invalid Registration"
|
:0040354E 68245B4100     push 00415B24               Prepare text for the message box
* Possible StringData Ref from Data Obj ->"Invalid Registration Name or Serial Number"
|
:00403553 68F85A4100     push 00415AF8               Prepare text for the message box
:00403558 53             push ebx
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00403559 FF1570544200   Call dword ptr [00425470]   Open the message box
Very good. At this point we can be quite sure that we found the right place in the file. Very typical is the "call ... test eax ... jne XXXX" section. This is a very common protection scheme. But more important is that the jump decides whether you get the message box or not. It therefore is the deciding jump.
General assembler explanation:
(1) push: this command saves a value by putting (pushing) it onto the stack memory.
(2) pop: this command takes the top value off the so-called stack memory.
(3) call: if there's a part of the program which is used many times, it's more comfortable to write it down once and then refer to it with a call. You can compare it with a refrain in a song. The refrain is only written once and then afterwards you just get something like "refrain". It's the same with the call. Call tells the program to go to a location where it finds the next instructions and to return after executing them.
(4) jne: jump if not equal. This jump is taken if the zero flag is not set.
(5) Jumps: jumps put you at another location in the code. For example if you fill in a questionnaire and it says "if you are male then continue, else go to question 10", that's a jump. You won't get back to the jump as you would with a call.
For those of you who were just interested in the crack: we're done now, because you just have to change the jne into a je.
Let's continue now. But first we have to remember the location we're interested in, that is the place of the call at address :00403541. This will be important for our further actions. So everyone please start MP3 Wolf again and go to the registration dialog. After filling in a name and a serial we can now start SoftICE by pressing Shift+D. Now we have to set a breakpoint so that we stop before the message box. A very powerful breakpoint is hmemcpy. Others are getwindowtexta, getdlgitemtexta, messagebox, showwindow, enablewindow, and there are plenty of others. Normally you have to try some of them, but we'll get a good result if we take getdlgitemtexta. All we have to do is type bpx getdlgitemtexta in SoftICE. After doing this we get back to Windows by pressing F5. Now we press the OK button in the registration dialog. Now you should see yourselves back in SoftICE. It was triggered by the breakpoint. Actually you have two input boxes, so it seems reasonable that the program gets the input two times: once the serial, once the name. The getdlgitemtexta just gets one input at a time, so we'll have to wait until the second input is grabbed. We just continue the program by pressing F5 again and, all right, we stop again at the getdlgitemtexta. Why all this breakpoint stuff? What do we need it for? Do you remember the part in Win32Dasm? We found the call...test...jump section. Now we want to use this knowledge and see what happens. We want to see it live in SoftICE. All we have to do therefore is to set the breakpoint on the address we figured out. BUT we must be in the process of MP3Wolf. Otherwise we'd set the breakpoint in a wrong process, where it's useless for us. To get to the Wolf process we need this getdlgitemtexta. Now at this breakpoint we are in code called by the Wolf process, so not exactly in the place we need. But by pressing F12 we continue the program until we are at the position that called this part of the code. So we'll end up right after a call.
example:
:00433301 call 004140ee
:00433304 push eax
.
.
the code at the address the call goes to:
|
:004140ee push edi
:004140f1 test ecx,ecx
.
.
.
: 0041434 ret
This ret returns to the next line after the call. Here it is 00433304. If you press F12 somewhere between 004140ee and the ret (return) you'll get to the push after the call, i.e. the next line after the call.
This is very helpful, because like this you can backtrace the calls until you find the call in the MP3Wolf process. Here we can set our breakpoint and see what happens.
So after breaking into SoftICE the first time and pressing F5 we break into SoftICE again. Now we only need to press F12 one time until we're in the MP3-Wolf process. Here we can set the breakpoint found with Win32Dasm by typing bpx 00403541 in SoftICE. The big advantage Win32Dasm gives us is that we know what we're looking for. Now continuing with F5 we stop at the right position: the call..test..jump part. Now let's see what happens live. After the call we check eax, which is zero. So we see that the call sets eax, which is then used in the test. For this reason we can say now that this call does the compare at least. Maybe it does the calculation too. For now press F10; we'll care about the call later. Now we see the pop ecx. Let's make a right click on it and choose the display option. Aha, now you see the registration name. This hardens our thesis. F10 again. Next is the test eax, which prepares the flags for the jump. Before the jump we have pop ecx again. Nosy as we are we also want to know what's in there. Right mouse click and then display again. Now it's our fake serial we see. This makes it obvious that we found the call we were looking for. Continue with F5.
Now let's see what happens if we change the value in eax before the test. So let's disable the now useless getdlgitemtexta breakpoint by typing bd 0 (breakpoint disable 0) and register again. We'll break into SoftICE again at the call. After the call click on the eax register and change it to 1. Go on with F5. Well, now we get the licence screen and press accept. We're now asked to restart the program. After doing so we see that our registration failed. But with what we know so far we should be able to complete the crack; it's only a small way to go now, and we'll gain much knowledge on both sides of it.
Till here it was just the normal cracking routine. We didn't really learn much about the program and how it finds out whether you're registered or not. But we know where to find the information: it's in the call. Now we will start to reverse the program and learn. The thing we now want to do is to have a closer look at the call and understand what it does. Like this we also want to find out about the startup problem. We also want to keep the registration after the restart.
Let's take some time and think about what the call could do, and what it has to do.
First of all the call must compare the fake serial with the real serial. We just have to find out where and how. It then must store the result in eax in the end.
The call might also check the style of the serial and the user name. If it finds that the serial is styled the wrong way it stops. For example, if a serial has to look like xxx-xx-xxx and it doesn't, it can already drop us out. Why would it be useful to do this? On the one hand it speeds up the process, because it skips the calculating routine. This is marginal and of no real use for the user, who normally registers only once. In fact it makes life harder for the bad boys, because it's keeping us away from the real compare of the serials. If a bad boy doesn't know this, he gets caught in this style check, trying to find the real serial which isn't there. This could take much time to realize and make a brute-force guy give in. Another thing we could find in the call is some fake compares or some fake calculations. We must be careful in our choice of which way to go if we want to be successful. Something we should also care about is a conversion of our user name. It's often upcased or downcased, for example (HaRt-->hart, downcase), or some parts are changed, cut off or added. We'll also look out for the calculating routine where the name is used to produce the real serial. These are the main things we could meet within the call. Well, the program is waiting for us.
Return to the call at :00403541 E8DC9D0000 call 0040D322 and step into it by pressing F8. Here we see something like this.
* Referenced by a CALL at Addresses:
|:00403541 , :0040D2DD
|
:0040D322 55             push ebp
:0040D323 8BEC           mov ebp, esp
:0040D325 83EC30         sub esp, 00000030
:0040D328 8B450C         mov eax, dword ptr [ebp+0C]     eax = pointer to the Serial (second argument)
:0040D32B 53             push ebx
:0040D32C 56             push esi
:0040D32D 57             push edi
:0040D32E 85C0           test eax, eax
:0040D330 0F840F010000   je 0040D445                     jump out if no Serial entered (eax=0)
:0040D336 8B5D08         mov ebx, dword ptr [ebp+08]     ebx = pointer to the Name (first argument)
:0040D339 85DB           test ebx, ebx
:0040D33B 0F8404010000   je 0040D445                     jump out if no Name entered (ebx=0)
:0040D341 80384D         cmp byte ptr [eax], 4D          eax has the serial stored; the first char has to be an M (=4D hex)
:0040D344 0F85FB000000   jne 0040D445                    + interesting that this and...
:0040D34A 80780157       cmp byte ptr [eax+01], 57       the second one ([eax+1]) has to be a W
:0040D34E 0F85F1000000   jne 0040D445                    + ...that jump go to the same place
:0040D354 6A13           push 00000013
:0040D356 50             push eax
:0040D357 8D45E4         lea eax, dword ptr [ebp-1C]
:0040D35A 50             push eax
:0040D35B E849A1FFFF     call 004074A9
:0040D360 83C40C         add esp, 0000000C
:0040D363 8D45E4         lea eax, dword ptr [ebp-1C]
:0040D366 6A2D           push 0000002D
:0040D368 50             push eax
:0040D369 E8120D0000     call 0040E080                   This call checks the rest of the style. If it fails you won't get to the serial compare.
:0040D36E 8BF0           mov esi, eax
:0040D370 59             pop ecx
:0040D371 85F6           test esi, esi
:0040D373 59             pop ecx
:0040D374 89750C         mov dword ptr [ebp+0C], esi
:0040D377 0F84C8000000   je 0040D445                     + See, we get 40D445 here too
:0040D37D 802600         and byte ptr [esi], 00          The "-" is deleted (overwritten with a 00 byte)
:0040D380 8D45F8         lea eax, dword ptr [ebp-08]
* Possible StringData Ref from Data Obj ->" "
|
:0040D383 68F87A4100     push 00417AF8
:0040D388 50             push eax
:0040D389 E832060000     call 0040D9C0
:0040D38E 59             pop ecx
:0040D38F 8D45F8         lea eax, dword ptr [ebp-08]
:0040D392 59             pop ecx
:0040D393 6A04           push 00000004
:0040D395 53             push ebx
:0040D396 50             push eax
:0040D397 E834190000     call 0040ECD0                   The first 4 letters of the Name are taken and written to memory
:0040D39C 8A45E4         mov al, byte ptr [ebp-1C]
:0040D39F 83C40C         add esp, 0000000C
:0040D3A2 84C0           test al, al
:0040D3A4 7427           je 0040D3CD
.
.
.
|
:0040D41E 68F47A4100     push 00417AF4
:0040D423 8D45D0         lea eax, dword ptr [ebp-30]
:0040D426 6A14           push 00000014
:0040D428 50             push eax
:0040D429 E872040000     call 0040D8A0                   generates the real serial
:0040D42E 83C410         add esp, 00000010
:0040D431 46             inc esi                         esi now points just past the deleted "-"
:0040D432 8D45D0         lea eax, dword ptr [ebp-30]
:0040D435 56             push esi
:0040D436 50             push eax
:0040D437 E8740A0000     call 0040DEB0                   compares the serials; sets eax=1 if bad, 0 if good
:0040D43C F7D8           neg eax
:0040D43E 59             pop ecx
:0040D43F 1BC0           sbb eax, eax                    sets eax = -1 if bad serial, else eax = 0
:0040D441 59             pop ecx
:0040D442 40             inc eax                         sets eax = 0 if bad serial (-1 + 1 = 0), eax = 1 if good
:0040D443 EB02           jmp 0040D447
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040D330(C), :0040D33B(C), :0040D344(C), :0040D34E(C), :0040D377(C)
|
:0040D445 33C0           xor eax, eax                    all the failed checks land here: eax = 0
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D443(U)
|
:0040D447 5F             pop edi
:0040D448 5E             pop esi
:0040D449 5B             pop ebx
:0040D44A C9             leave
:0040D44B C3             ret
Good. Now we've seen all the parts interesting for us, shortly explained. There are three parts:
(1) the style check
(2) the generation of the serial
(3) the compare
These are the last three points. Then you should also be able to find the jump at the startup and change it. Try it to see if you understood what we did in this tutorial.
(1) STYLECHECK
This won't take long.
:0040D341 80384D         cmp byte ptr [eax], 4D          this compares the first char with M
:0040D344 0F85FB000000   jne 0040D445
:0040D34A 80780157       cmp byte ptr [eax+01], 57       this compares the second char with W
:0040D34E 0F85F1000000   jne 0040D445
.
.
.
:0040D366 6A2D           push 0000002D                   this prepares "-" for the compare
So we see our serial has to begin with "MW-".
Info: 4D is hex for the char M, 57 is hex for the char W, 2D is hex for the char -
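The two pieces of the call at 0040D322 that the listing explains, written out in C as an added example (this is not MP3 Wolf's code): the "MW-" style gate, and the neg/sbb/inc tail that turns the compare's result into the 1/0 the caller tests at 00403547. Modelling call 004074A9 as a bounded copy and call 0040E080 as a strchr-like search is an assumption; the serial generation itself is not reconstructed.

```c
#include <stdint.h>
#include <string.h>

/* NEG r32: result is 0 - v; CF is set when the operand was non-zero. */
static uint32_t x86_neg(uint32_t v, int *cf) {
    *cf = (v != 0);
    return (uint32_t)(0u - v);
}

/* SBB eax, eax: eax - eax - CF, i.e. 0 or 0xFFFFFFFF depending on CF. */
static uint32_t x86_sbb_eax_eax(int cf) {
    return cf ? 0xFFFFFFFFu : 0u;
}

/* The tail at 0040D43C..0040D442 (neg / sbb / inc). Takes the compare's
 * result (0 = serials equal, non-zero = different) and returns what the
 * caller tests with "test eax, eax / jne": 1 for a good serial, 0 for bad. */
uint32_t normalize_compare_result(uint32_t eax) {
    int cf;
    eax = x86_neg(eax, &cf);      /* neg eax: CF = (eax != 0)            */
    eax = x86_sbb_eax_eax(cf);    /* sbb eax, eax: -1 if bad, 0 if good  */
    return eax + 1u;              /* inc eax: 0 if bad, 1 if good        */
}

/* The style gate at 0040D341..0040D377: byte 0 must be 'M' (4Dh), byte 1
 * 'W' (57h), and a '-' (2Dh) must be found in a bounded copy of the serial
 * (assumed: call 004074A9 ~ strncpy with length 13h, call 0040E080 ~ strchr).
 * Every failure is the "je/jne 0040D445" path (xor eax, eax), so it returns
 * 0; on success it returns the offset of the '-' that the code then zeroes. */
int style_check(const char *serial) {
    if (serial == NULL) return 0;            /* test eax, eax / je 0040D445 */
    if (serial[0] != 'M') return 0;          /* cmp byte ptr [eax], 4D      */
    if (serial[1] != 'W') return 0;          /* cmp byte ptr [eax+01], 57   */
    char buf[0x13 + 1];
    strncpy(buf, serial, 0x13);              /* push 13 / push eax / call 004074A9 (assumed) */
    buf[0x13] = '\0';
    const char *dash = strchr(buf, '-');     /* push 2D / push eax / call 0040E080 (assumed) */
    if (dash == NULL) return 0;              /* test esi, esi / je 0040D445 */
    return (int)(dash - buf);                /* esi = position of the '-'   */
}
```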
(2) THE SERIALGENERATION
(3) THE COMPARE
Visit: Code Reversing for Beginners! It's great.
For any questions, advice and ratings e-mail me: Ignatz_x_@hotmail.com.
PLEASE SEND ME RATINGS AND YOUR THOUGHTS. I'm thankful for your feedback.
Happy cracking
and have the best day
Ignatz