Tutorial Cracking :|
Target : GlobeTime v1.21
Tool : SoftIce v4.05, W32Dasm v8.93
The target we'll crack in this tute uses a more difficult form of the well known
S/N protection, called a keyfile. A keyfile is mostly a plain text file containing
all the information needed to register the program. In some cases the keyfile can
be encrypted (see CuteFTP v2.0), it can contain one or more lines, numbers, strings...
A keyfile needs to be placed into the directory the target is located in.
But first lets take a quick look at the target. Run the program and try to register it.
Check help files, read.me files to find out how to register the program. When you
exit the program you'll get a nag screen. If you read the help files you'll notice
that the author will mail you the unlock code once you paid - so there got to be
another way to inform the program that you're a registered user. This can be done
true the registry or by using key files. In most cases you can easily find out if
the target needs a keyfile to be registered. Using a program like filemon.exe
(www.ntinternals.com) will show you very quickly if keyfiles are used. Another way
is using string references in W32Dasm,
* Possible StringData Ref from Code Obj ->"REG.KEY" ; name of keyfile
:0044A233 BAB0A34400 mov edx, 0044A3B0 ;
:0044A24E E879CEFBFF call 004070CC ; find, open file
:0044A253 84C0 test al, al ; file found?
:0044A255 0F84FB000000 je 0044A356 ; jump if not there...
Ok, like in most cases, this target uses a very obvious name for the keyfile it needs.
And believe me, xxxxxxxx.key is used A LOT...
Now we need to find out what is read from the keyfile. This can be quite difficult
to find out. But this makes it fun, doesn't it ;)... In some cases API calls like
GetPrivateProfileString are used but in our case we'll have to use a little bit
of ZEN - I found out what the keyfile needs by studying the target and the validation
part. It's time to create or first keyfile. Create a plain text file containing one
line with a number - try 1212121212 - and save it with 'REG.KEY' as name. Run the
program. You'll get an error message box, all it says is that "nothing is not an integer" -
so lets add a second line to the keyfile, try 3434343434, and run again. Same error
again, so add a third line, 5656565656. Run again, now we get "5656565656 is not an
integer". So lets change the third line to 56565656 and run the target once more.
No errors should occur - BUT you still get the reminder nag when you exit the program.
It's time for some live cracking in SoftIce (SI),
:0044A307 E8D0CEFBFF call 004071DC ; (1)
:0044A30C 8BD0 mov edx, eax ;
:0044A30E 4A dec edx ;
:0044A30F 85D2 test edx, edx ; (2)
:0044A311 7C11 jl 0044A324 ; (3)
:0044A313 42 inc edx ;
The call at (1) returns the length of a string - why? learn ASM or trace the
call. Lines (2) and (3) are a test to determine if the lenght is more then 1.
In SI you'll notice that eax is 0Ah and if you traced call (1) you'll know
that the second line of the keyfile is used (at least you should ;),
:0044A2FC BB01000000 mov ebx, 00000001 ;
:0044A31A 33C9 xor ecx, ecx ; ecx = 0
:0044A31C 8A08 mov cl, byte ptr [eax] ; move digit in cl
:0044A31E 33D9 xor ebx, ecx ; ebx = ebx xor ecx
:0044A320 40 inc eax ;
:0044A321 4A dec edx ; decrease counter
:0044A322 75F6 jne 0044A31A ; end? no, then jump...
I think this code is quite easy to understand. This code loops and xor's each digit
from the string at eax with ebx. The value in ebx will be important for us.
Now a second part of the validation follows (I edited the code slightly to fit the screen),
:0044A324 8B45EC mov eax, [ebp-14] ; (1)
:0044A327 99 cdq ;
:0044A328 F7FB idiv ebx ; (2)
:0044A32A 8BD8 mov ebx, eax ; (3)
:0044A32C C605B0D7440001 mov [0044D7B0], 01 ; good flag
:0044A333 817DECBE77EF02 cmp [ebp-14], 02EF77BE ; (4)
:0044A33A 7407 je 0044A343 ;
:0044A33C C605B0D7440000 mov [0044D7B0], 00 ; bad flag
At line (1) a number (dword ptr...) is moved into eax - trace this code in SI and
you'll notice that the first line of our keyfile is used. Line (2) does some math
with the number and stores the result in ebx (3). Line (4) is quite important -
again the first line of our keyfile is used and compared to a fixed number. This
means that we need to change the first line of our keyfile into 49248190 - I suggest
you do that and trace the target again in SI. Now we skip the bad flag and go directly to the next code,
:0044A343 8B45F0 mov eax, [ebp-10] ; (1)
:0044A346 E8B9CBFBFF call 00406F04 ; (2)
:0044A34B 3BD8 cmp ebx, eax ; (3)
:0044A34D 7407 je 0044A356 ;
:0044A34F C605B0D7440000 mov [0044D7B0], 00 ; bad flag
Trace the above code in SI and see what happens. At line (3) the result from the
previous part is compared to eax. You'll see that eax contains the number from the
third line of our keyfile - this is great but the value is wrong, so lets change
the third line into the value contained in ebx at line (3) - see SI ;). Trace again
and you will skip the bad flag and get at,
:0044A356 803DB0D7440000 cmp [0044D7B0], 00 ; good keyfile?
:0044A35D 750D jne 0044A36C ; yes! jump...
So are we at the end? Well, let the program run and see if anything changed. And?
Yes! Where 'Copyright (c) 1997 by Popcorn...' was we got 3434343434 now so we may
assume the keyfile is correct. But we don't want 34...3434 as name, do we? :) So
change the keyfile - adjust the second line to the name you like to use -
try Vizion/MEXELiTE ;)... Trace again in SI to find out what the third line needs
to be and place the new keyfile in the good directory. Now run the program again
and enjoy all your hard work, also when you exit the target the nag screen won't
appear so we can conclude we've finished with this crack.
Easy not? Just a bit confusing I guess ;).