Cracking Security Administrator 1.3M

Introduction

First of all, let me say this is a very easy target; it took me more time to unregister it
than to crack it. It has a (half) hardcoded serial. I first cracked it using the live approach
(Soft-ICE), but I'd like you to crack it using the dead listing approach (W32Dasm).

Before cracking...

Run the program. You see a nag window. We will work at option 2.1, Entering the Registration
code :)

Enter any false code and press the Go button. You see a message box telling you
"Sorry, this registration code is invalid!". Well, we'll have to get a valid one ;)

Cracking

Close the program. Open W32Dasm and disassemble the program. Click on
the String Reference button (or Refs->String Data References). Let's search for the
"Sorry..." message. Found it? Good. Double click on it and close the references window.

If you scroll up a bit you see there is a conditional jump at offset 471C70 to the error message:

...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471C70(C)
|
:00471CAA 6A10                    push 00000010

* Possible StringData Ref from Code Obj ->"Error"
                                  |
:00471CAC B9281D4700              mov ecx, 00471D28

* Possible StringData Ref from Code Obj ->"Sorry, this registration code "
                                        ->"is invalid!"
                                  |
:00471CB1 BA301D4700              mov edx, 00471D30
:00471CB6 A1C0404700              mov eax, dword ptr [004740C0]
:00471CBB 8B00                    mov eax, dword ptr [eax]
:00471CBD E84250FDFF              call 00446D04
...
Ok, let's look at the code just before that offset:
...
:00471C69 E842B0FFFF              call 0046CCB0
:00471C6E 84C0                    test al, al
:00471C70 7438                    je 00471CAA
:00471C72 8B4DFC                  mov ecx, dword ptr [ebp-04]
...
We see that if al is equal to zero the program jumps to the error message, which
means al needs to be non-zero. Hey, what's that call just before the test al, al?
Chances are that this call leads to the protection of the program. Highlight the CALL
and click the CALL button in the toolbar. Now we see this:
...
* Referenced by a CALL at Addresses:
|:0046D040   , :00471C69
|
:0046CCB0 55                      push ebp
:0046CCB1 8BEC                    mov ebp, esp
:0046CCB3 51                      push ecx
:0046CCB4 53                      push ebx
:0046CCB5 56                      push esi
:0046CCB6 8955FC                  mov dword ptr [ebp-04], edx
:0046CCB9 8BF0                    mov esi, eax
:0046CCBB 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCBE E81171F9FF              call 00403DD4
:0046CCC3 33C0                    xor eax, eax
:0046CCC5 55                      push ebp
:0046CCC6 68A4CD4600              push 0046CDA4
:0046CCCB 64FF30                  push dword ptr fs:[eax]
:0046CCCE 648920                  mov dword ptr fs:[eax], esp
:0046CCD1 33DB                    xor ebx, ebx
:0046CCD3 C605B858470000          mov byte ptr [004758B8], 00
:0046CCDA B8BC584700              mov eax, 004758BC
:0046CCDF E8C06CF9FF              call 004039A4
:0046CCE4 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCE7 E8346FF9FF              call 00403C20
:0046CCEC 83F80C                  cmp eax, 0000000C
:0046CCEF 0F8599000000            jne 0046CD8E
:0046CCF5 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CCF8 803838                  cmp byte ptr [eax], 38
:0046CCFB 0F858D000000            jne 0046CD8E
:0046CD01 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD04 80780233                cmp byte ptr [eax+02], 33
:0046CD08 0F8580000000            jne 0046CD8E
:0046CD0E 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD11 80780331                cmp byte ptr [eax+03], 31
:0046CD15 7577                    jne 0046CD8E
:0046CD17 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD1A 80780439                cmp byte ptr [eax+04], 39
:0046CD1E 756E                    jne 0046CD8E
:0046CD20 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD23 80780830                cmp byte ptr [eax+08], 30
:0046CD27 7565                    jne 0046CD8E
:0046CD29 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD2C 80780935                cmp byte ptr [eax+09], 35
:0046CD30 755C                    jne 0046CD8E
:0046CD32 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD35 80780A53                cmp byte ptr [eax+0A], 53
:0046CD39 7553                    jne 0046CD8E
:0046CD3B 8B45FC                  mov eax, dword ptr [ebp-04]
:0046CD3E 80780B45                cmp byte ptr [eax+0B], 45
:0046CD42 754A                    jne 0046CD8E
:0046CD44 B8BC584700              mov eax, 004758BC
:0046CD49 8B55FC                  mov edx, dword ptr [ebp-04]
:0046CD4C E8A76CF9FF              call 004039F8
:0046CD51 C605B858470001          mov byte ptr [004758B8], 01
:0046CD58 B301                    mov bl, 01
:0046CD5A 33D2                    xor edx, edx
:0046CD5C 8B8600050000            mov eax, dword ptr [esi+00000500]
:0046CD62 E86DCEFCFF              call 00439BD4
:0046CD67 33D2                    xor edx, edx
:0046CD69 8B8614050000            mov eax, dword ptr [esi+00000514]
:0046CD6F E8B8D9FBFF              call 0042A72C
:0046CD74 33D2                    xor edx, edx
:0046CD76 8B8610030000            mov eax, dword ptr [esi+00000310]
:0046CD7C E853CEFCFF              call 00439BD4
:0046CD81 33D2                    xor edx, edx
:0046CD83 8B860C030000            mov eax, dword ptr [esi+0000030C]
:0046CD89 E846CEFCFF              call 00439BD4

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046CCEF(C), :0046CCFB(C), :0046CD08(C), :0046CD15(C), :0046CD1E(C)
|:0046CD27(C), :0046CD30(C), :0046CD39(C), :0046CD42(C)
|
:0046CD8E 33C0                    xor eax, eax
:0046CD90 5A                      pop edx
:0046CD91 59                      pop ecx
:0046CD92 59                      pop ecx
:0046CD93 648910                  mov dword ptr fs:[eax], edx
:0046CD96 68ABCD4600              push 0046CDAB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046CDA9(U)
|
:0046CD9B 8D45FC                  lea eax, dword ptr [ebp-04]
:0046CD9E E8016CF9FF              call 004039A4
:0046CDA3 C3                      ret
...
We see a pattern of code in this call: a cmp followed by a jne, over and over. Hey, I think we found the serial
check! (actually I know.. but.. ;)
Ok, let's zen a bit. The call at 46CCE7 is probably a length check, since the compare after
it compares with 0Ch (12), which is quite a standard ;) length for a serial. This also means
that [ebp-4] holds the pointer to the serial: when it's moved to eax, eax gets the address of the serial.
Now, let's take a look at the return value. We said al should be non-zero for a valid serial.
Offset 46CD8E zeros eax (and so al), so it's the bad check; it also has a lot of jumps leading to it, these
are all the cmp/jne's. Offset 46CDA9 therefore means a valid serial.

Ok, next we look at the compares in order to find a valid serial. I'll paste them again so it will
be easier, and I'll also comment the serial at the checks (you'll see ;):

...
:0046CCF5 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CCF8 803838                  cmp byte ptr [eax], 38      ; 8xxxxxxxxxxx
:0046CCFB 0F858D000000            jne 0046CD8E                ; BADBOY
:0046CD01 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CD04 80780233                cmp byte ptr [eax+02], 33   ; 8x3xxxxxxxxx
:0046CD08 0F8580000000            jne 0046CD8E                ; BADBOY
:0046CD0E 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CD11 80780331                cmp byte ptr [eax+03], 31   ; 8x31xxxxxxxx
:0046CD15 7577                    jne 0046CD8E                ; BADBOY
:0046CD17 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CD1A 80780439                cmp byte ptr [eax+04], 39   ; 8x319xxxxxxx
:0046CD1E 756E                    jne 0046CD8E                ; BADBOY
:0046CD20 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CD23 80780830                cmp byte ptr [eax+08], 30   ; 8x319xxx0xxx
:0046CD27 7565                    jne 0046CD8E                ; BADBOY
:0046CD29 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CD2C 80780935                cmp byte ptr [eax+09], 35   ; 8x319xxx05xx
:0046CD30 755C                    jne 0046CD8E                ; BADBOY
:0046CD32 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CD35 80780A53                cmp byte ptr [eax+0A], 53   ; 8x319xxx05Sx
:0046CD39 7553                    jne 0046CD8E                ; BADBOY
:0046CD3B 8B45FC                  mov eax, dword ptr [ebp-04] ; Get serial
:0046CD3E 80780B45                cmp byte ptr [eax+0B], 45   ; 8x319xxx05SE
:0046CD42 754A                    jne 0046CD8E                ; BADBOY
...
OK.. So now we know the serial is 8?319???05SE (? = whatever you want!).
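To make the lesson of this listing concrete, here is an added C model (not the program's own code, and not from the tutorial's author) of the check routine at 0046CCB0 next to the design that would have avoided the problem. check_serial_hardcoded() mirrors the length test and the eight cmp/jne pairs exactly as they appear above, so the expected bytes are immediates in the code and a dead listing hands over the template. check_serial_digest() is the contrasting design: the shipped code carries only a one-way digest of the registration code, so no byte of the code itself is present to read off. The digest function (64-bit FNV-1a) is a toy non-cryptographic hash chosen only to keep the example self-contained; a real product would use SHA-256 or an HMAC under a vendor key. The sample serials are constructed to fit the template recovered above.

```c
/*
 * Added example: the hardcoded per-position check seen in the listing,
 * beside a digest-based check that leaves no plaintext template in the binary.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define SERIAL_LEN 12

/* Model of the routine at 0046CCB0: returns 1 for "valid", 0 otherwise.
 * Each compare below corresponds to one cmp/jne pair in the listing. */
int check_serial_hardcoded(const char *s)
{
    if (strlen(s) != SERIAL_LEN) return 0;   /* cmp eax, 0000000C at 0046CCEC */
    if (s[0]  != '8') return 0;              /* cmp byte ptr [eax],    38 */
    if (s[2]  != '3') return 0;              /* cmp byte ptr [eax+02], 33 */
    if (s[3]  != '1') return 0;              /* cmp byte ptr [eax+03], 31 */
    if (s[4]  != '9') return 0;              /* cmp byte ptr [eax+04], 39 */
    if (s[8]  != '0') return 0;              /* cmp byte ptr [eax+08], 30 */
    if (s[9]  != '5') return 0;              /* cmp byte ptr [eax+09], 35 */
    if (s[10] != 'S') return 0;              /* cmp byte ptr [eax+0A], 53 */
    if (s[11] != 'E') return 0;              /* cmp byte ptr [eax+0B], 45 */
    return 1;                 /* positions 1, 5, 6 and 7 are never examined */
}

/* 64-bit FNV-1a: a toy one-way function standing in for a real hash. */
uint64_t fnv1a64(const char *s, size_t n)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < n; i++) {
        h ^= (uint8_t)s[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Vendor side: the value that would be embedded in the shipped binary
 * in place of the registration code itself. */
uint64_t make_expected_digest(const char *registration_code)
{
    return fnv1a64(registration_code, strlen(registration_code));
}

/* Client side: the binary holds only `expected`; the code's bytes appear
 * nowhere as compare immediates, and there is no per-byte early exit. */
int check_serial_digest(const char *s, uint64_t expected)
{
    if (strlen(s) != SERIAL_LEN) return 0;
    uint64_t got = fnv1a64(s, SERIAL_LEN);
    return (got ^ expected) == 0;
}

int main(void)
{
    /* Constructed sample inputs matching the template 8?319???05SE. */
    const char *good  = "8A319BCD05SE";
    const char *other = "8Z319XYZ05SE";   /* different filler, same template */
    const char *bad   = "8A319BCD05SF";
    uint64_t expected = make_expected_digest(good);

    printf("hardcoded: %s=%d %s=%d %s=%d\n", good, check_serial_hardcoded(good),
           other, check_serial_hardcoded(other), bad, check_serial_hardcoded(bad));
    printf("digest:    %s=%d %s=%d %s=%d\n", good, check_serial_digest(good, expected),
           other, check_serial_digest(other, expected), bad, check_serial_digest(bad, expected));
    return 0;
}
```

Two points follow from running it. The hardcoded check accepts every filler in the four unexamined positions, which is exactly the "half hardcoded" serial the tutorial describes, while the digest check accepts only the code it was derived from. The digest design closes the hole the dead listing exploits, but note that both routines still hand a single flag back to the caller, which acts on it with one test al, al / je (at 00471C70 in the listing); a protection that reduces to one branch remains a single point of failure however the flag was computed, which is why more robust schemes derive something the program actually needs (for example a decryption key) from the registration code instead of a yes/no result.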

Next time, DEATH