Well I realized that it might be difficult for people to understand what I'm talking about if they can't try it themselves. So, I threw together a little program called CrackIt. CrackIt allows you to choose between three different types of protection systems and to try and crack each one. And the best thing about it is that it's 100% legal to crack this program (you have my permission! As a matter of fact, that's what it is for!) And since I wrote it, it's legal for me to describe how to crack it! These odds I like! But let me warn you again that cracking commercial software is illegal! And remember that we're trying to fight big corportations monopolizing the computer hardware and software industries. So support sharewares by paying for them!
---===< Reg Type 1>===---
OK, let's have a look at CarckIt! As I said before, this is a very simple program, but great for practicing cracking! And the best of it all is that it's LEGAL to crack this program!
Select "Reg Type 1" from the File menu! A dialog box appears and you are asked to enter your reg name and reg number. Do the usual procedure and type in your reg name into the dialog box. Then type in the number: 12345678 and go into MacsBug. Initiate the break for the a-trap "modaldialog" by issuing the command "atb modaldialog". Return to CrackIt by issuing the return command "g", and finish the registration number by typing "9".
This time you should be dropped straight into MacsBug. Now trace over the modaldialg a-trap with the "t" command. And in CrackIt click on the "Register" button. Once again you should be in MacsBug, and now we're ready to follow through the code!
This is what you should see once you start traceing trough the code from here: (the lines starting with two stars, **, are commands that I issued to MacsBug. They would not appear if you were simply traceing trough the code)
+0004C 00C933BC BRA Scramble+0039E ; 00C9370E | 6000 0350
+0039E 00C9370E CLR.W -(A7) | 4267
+003A0 00C93710 MOVE.W #$0071,-(A7) | 3F3C 0071
+003A4 00C93714 CLR.L -(A7) | 42A7
Well... This is NOT supposed to be a tutorial on programing in assembely so I will not bore you with programing stuff! Notice this, however! Before every _GetDialogItem a-trap there is a bunch of shit pushed onto the stack with the "PEA" command. After every _GetDialogItem a-trap, there is a _GetDialogItemText a-trap. And once this a-trap is complete address register one points to a location in the memory containing the registration info. The first _GetDialogItemText occurs at offset +362. And straight after that I issued the following command in MacsBug "dm a1" (display memory from address register one). And as I predicted, a1 contained my registration name! The next _GetDialogItemText a-trap in turn puts my reg number in a1.
At offset +384, there is a return from sub routine command "RTS", meaning that we have exited the section of the program dealing with getting information from the dialog box.
Straight after the RTS command at offset +34 the program will branch off to another subroutine. That is not important for now! I simply traced over it. But what do I see immediately after the subroutine? A command pushing an address into a0! So imediately I figure out that something is going to happen, or has happened to a0. Therefore, I issue the "dm a0" command. And I notice that a0, contains the Pascal format of my registration number. (In Pascal strings the first byte is always the number of letters used in the string. eg: 1234=ASCII: 31323334. In Pascal this string would be represented as: 04 31323334. Don't worry about it! I read somewhere that Pascal was not designed for human use and I completely aggree with it!)
Anyway, after this is another a-trap. The _StringToNum trap is used to convert ASCII values into hexadecimal form (it has some other uses as well). How do I know? Well, have a look at data register zero. D0=075BCD. If you type "d0" into MacsBug, it will show you the current value stored in d0. I did that, and I imideately noticed that the number stored in d0 was actually the hex value of my registration number!
This is important! You should ALWAYS be able to recognize the hex value of your reg number! So before cracking make sure you convert your reg number to hex!
This instruction compares the number in d0 to $646F726B. Why does it say "dork" you ask? Well to the best of my knowledge the hexadecimal values of the ASCII letters "dork" = $646F726B. After this command there is a conditional which will not branch and after that an alert box greets me saying that I entered the wrong reg number. At this point it is very safe to conclude that it is the conditional at offset +48 that needs to be changed.
Launch CrackIt again, and repeat the above procedures so that you end up at the conditional at offset +48. (Of course you didn't forget to clear the a-traps did you with the "atc" command? Also, don't worry if the hex number next to the offsets do not match! Those are the values of the current locations that the program occupies in the RAM, and will most likely vary every time you launch CrackIt.)
So you've come to this conditional once again. As you may notice, it says "Will not Branch" above the current instruction in MacsBug. This means that the conditions are not met for it to branch. However, MacsBug does show, where it WOULD HAVE branched. Using my values (this will be different for you) it was the address: C93720. I found out where it was going to branch by reading the value next to the current command, which was C93720. From the second part of The Ultimate Cracking Guide you might remember that you go to a particular address in the memory by issuing the command "pc=address value", in this case "pc=C93720". Once you've done that, clear the a-traps "atc", and let CrackIt take control again with the "g" command. And presto, the "thank you for registering" dialog shows up!
So how would I change this branch permanantly? Open up CrackIt with Super ResEdit. Open up the resource "CODE" and resource ID 2. Activate the hex editor (if it's not active) and find offset 48. (Find menu, "Find offset" or Apple-H) This should have selected the number 67 in the hex editor window. If you want, you can activate the code editor window, and notice that the first two digits have been selected of the machine code part of the code responsible for the conditional. Now, activate the hex editor window again and type "60". 60 is the machine code for "BRA" and since we wanted the command to "always branch" we changed it to "BRA". If you now have a look in the code editor window, the "BEQ" command should have changed to "BRA". It is very important that you only change the first two digits! If you change any more digits, your computer will freeze for sure when you launch CrackIt again! If you think you did all right, save your work and quit Super ResEdit. Launch CrackIt again, and select "Reg Type 1" from the File menu. And if you did everything correctly, then no matter what you entered as a reg number you will always get the "good reg number" dialog! In this particular example it was not necessary for you to change the code with Super ResEdit. You would, however, need to change the actual code of the application if the program checked your registration every time it was launched. But if it's enough to crack it with MacsBug, then don't bother changing the code with ResEdit!
---===< Cracking Reg Type 3 (Being a Serial Killer) >===---
I will not deal with how to crack Reg Type 2, as it is not complicated at all, and if you can't crack it, then you can always refer to the user's manual or the source code, which describes in detail what is going on!
Anyway, Reg Type 3. This is a bit of a bitch. And since I haven't covered the concept of "being a serial killer" yet I will not discuss how to do a physical crack for this, but rather how to find a correct registration number for a certain registration name! If you have tried to crack Reg Type 3 using the previous method you might have found it a bit tedious. Although far from being good, Reg Type 3 is maybe the type of protection you could expect from a medium sized shareware. And in some situations it is a lot easier to actually find a correct serial number then to follow through the code then to change zillions of conditionals! So what are the main differences?
When trying to find a valid serial number, we are not looking for a conditional specifically, but for the section of the code generating the correct registration number. When finding serial numbers we don't really care what type of protection systems the software uses. We just wanna find that place where the program enters the algorithm for determining a valid serial number for a specific registration name, and figure out what it does.
Reg Type 3 uses a very simple algorithm for determining the valid registration number, and does not hide this algorithm much either. So let's get CrackIt running and do the modaldialog a-traps. After returning from the subroutine dealing with getting information from the dialog box (the same routine that is used in Reg Type 1 and 2), you will find a subroutine, this one is used to dispose the dialog box (nothing to worry about).
After that you have the first trick of Reg Type 3. This is the easiest protection type and is used rather heavily by software developers. It mearly checks how many letters there are in the reg name and if there are too many or not enough letters (max. 10 in this case), the "wrong number" dialog will appear.
After this there is the already familiar _StringToNum a-trap which converts the entered reg number to hex. And after that there are two subroutines, if you trace over them you will find that the second one brings up the "wrong number" dialog. Therefore, something important must occur in one of those routines!
Well this is interesting. Clearing data registers... This looks like preparation for something. If you care to take a look at the address registers, you will find out even more! Anyway, step into the subroutine at +24E:
Oh great! We just stepped into a loop! (And not even a good one as it doesn't use the loop command) Let's try to figure out what it does!
First, it moves the byte from a0 into d1, with post increment. If you take a look at a0 ("dm a0") before and after the command you will find that the first letter in your reg name was put into d0, and a0 is now pointing to the second letter in your reg name. Then d1, is added to d2 (which is zero to start out with).
What was the value of d0 until now? Well gosh... That just happened to be the number of letters used in the registration name. And now one is subtracted from it... At offset +84 d0 is tested. And since it wasn't zero it branched to the beginning of the subroutine!
OK! Let's try to figure out what's going on here! Since it's a loop it's repetitive, and it repeats itself as many times as there are letters in the reg name. And it adds the ASCII values to d2. Meaning that it adds up the ASCII values used in the reg name! Great! We've got the first step! Now how to break outa this loop? If you recall I described how to use the "br" (break) command in the last part of The Ultimate Mac Cracking Guide. To use the break command you have to specify, which memory address you want the break to occur at (at which point you want to be dropped into MacsBug again). In this situation we want to enter MacsBug after the conditional at offset +86. In the above exert, that is the MOVE.B command, but in reality the MOVE.B command is the beginning of the loop. And what comes after the conditional is a RTS command. So I simply specify the address of the RTS instruction in the RAM, which in this case is 04B592A. (see below) And after issuing the "g" command I'm dropped into MacsBug when the loop is completed. Now it is time to clear that break point with the "brc" command.
Let's have a look at d2! If you add up the ASCII values in your registration name you will find it to equal the value in d2.
And on we go. Here's that RTS command and what follows after it!
+0008A 004B592A RTS | 4E75
+00252 004B5AF2 LEA $004E(A6),A0 | 41EE 004E
+00256 004B5AF6 MOVE.B (A0)+,D0 | 1018
+00258 004B5AF8 MOVE.L D2,D3 | 2602
Another couple of commands that look like some preparations, followed by a subroutine. Let's step into it.
Oh great! Another loop! So what's this one doing? Well once more we have the reg name in a0, and at the beginning of the subroutine (the beginning of the loop) the next letter in line in the reg name is moved to d1. Then d2 is multiplied by d1. Remember what was in d2? The sum of the ASCII values of the letters used as the reg name. Then d2 is added to d4, and d2 is replaced by d3, which is the sum of the reg name. D0 is once more the counter, as it contains the number of letters used in the reg name. At offset +280 d0 is updated and at offset +284 d0 is compared to zero. And as long as it doesn't equal zero it will branch to the beginning of the subroutine. To break out of this loop I used the "br" command again. (You can see this from the notes that were given to me by MacsBug.) If you use break commands, don't forget to clear them with the "brc" command once yer done with them!
OK, so I'm outa the loop, here's what happens.
+0028A 004B5B2A RTS | 4E75
+0025E 004B5AFE RTS | 4E75
The "RTS" commands are used since it is done with the subroutines. And after that there is yet another subroutine:
Remember what was stored in d7? The hex value of the reg number that you used! And now it's comparing d4 to your reg number. What is in d4? Well in the last subroutine d4 was used as the register where the numbers were added to each other. And if you follow the code a bit more you will notice that the two values (d4 and d7) don't match and therefore it branches off to a routine that puts up the alert dialog box informing us that we entered the wrong reg number. So, we've hit a very important part of the code. The program is now done with putting your reg name through the algorithm and now compares the reg number you entered to the valid one. Now, you ask yourself, what is the valid one? Well, it is the value stored in d4. In my case hex: 95C9 or dec: 38345 (I issued the "d4" command to find out what the decimal value of d4 was). So the simplest thing is simply to clear all a-traps and break points and go back to CrackIt. Let it inform you that you entered the wrong reg number, and the next time you select "Reg Type 3" from the File menu, enter 38345 (or whatever value was in d4 for you) and you should get the "thanx for registering" dialog! That is, only if you used the same reg name as you did before!
So the first way to find valid serial numbers is to follow through the code until it is done with the registration algorithm, and then find the conditional where it compares the valid reg number to the reg number you entered. And after that, simply get the correct value and the next time the reg dialog shows up enter that as the reg number!
The other way is to do all the calculations yourself. I used "ProZaq" as a registration name and here's what the program did to it to calculate the correct reg number (this is all in hex):
First it added up the ASCII values of the string "ProZaq":
50+72+6F+5A+61+71=25D
Then it multiplied the ASCII value of each letter by the previous sum (25D) and added them up:
Ha Ha! You say! That is not the value that was stored in d4! Well... Why don't you observe the last part of the algorithm a bit more! Whenever a number is added to d4 the size of the number is a word. Meaning that d4 will only contain a number the size of a word, which in assembly means that it can only be four digits long. Therefore, 595C9 becomes 95C9. And THAT is the correct value!
I can recommend you to read article "HOW TO BECOME A SERIAL KILLER" written by =-BOOK-WORM->. It's a nice file, however, it has one big fault! The author uses BASIC to create a program that will generate the serial number for you! (Doesn't BASIC ever get outdated?)
I on the other hand, recommend people to use the wonderful demo of PowerFantasm by Lightsoft. PowerFantasm is an assembly language compiler. And since you can create your own programs even with the demo (I haven't had a look at version 5 yet, but you could with 4.xx) it's bloody pointless to try and convert assembly commands into any other language. Also, the PowerFantasm demo comes with a lovely tutorial on how to program in assembly language! What more could you ask for?
