GlobeTime v1.21

The target we'll crack in this tute uses a more difficult form of the well known S/N protection, called a keyfile. A keyfile is mostly a plain text file containing all the information needed to register the program. In some cases the keyfile can be encrypted (see CuteFTP v2.0), it can contain one or more lines, numbers, strings... A keyfile needs to be placed into the directory the target is located in.

But first lets take a quick look at the target. Run the program and try to register it. Check help files, read.me files to find out how to register the program. When you exit the program you'll get a nag screen. If you read the help files you'll notice that the author will mail you the unlock code once you paid - so there got to be another way to inform the program that you're a registered user. This can be done true the registry or by using key files. In most cases you can easily find out if the target needs a keyfile to be registered. Using a program like filemon.exe (www.ntinternals.com) will show you very quickly if keyfiles are used. Another way is using string references in W32Dasm,

* Possible StringData Ref from Code Obj ->"REG.KEY" ; name of keyfile
|
:0044A233 BAB0A34400 mov edx, 0044A3B0 ;

:0044A24E E879CEFBFF call 004070CC ; find, open file
:0044A253 84C0 test al, al ; file found?
:0044A255 0F84FB000000 je 0044A356 ; jump if not there...

Ok, like in most cases, this target uses a very obvious name for the keyfile it needs. And believe me, xxxxxxxx.key is used A LOT...

Now we need to find out what is read from the keyfile. This can be quite difficult to find out. But this makes it fun, doesn't it ;)... In some cases API calls like GetPrivateProfileString are used but in our case we'll have to use a little bit of ZEN - I found out what the keyfile needs by studying the target and the validation part. It's time to create or first keyfile. Create a plain text file containing one line with a number - try 1212121212 - and save it with 'REG.KEY' as name. Run the program. You'll get an error message box, all it says is that "nothing is not an integer" - so lets add a second line to the keyfile, try 3434343434, and run again. Same error again, so add a third line, 5656565656. Run again, now we get "5656565656 is not an integer". So lets change the third line to 56565656 and run the target once more. No errors should occur - BUT you still get the reminder nag when you exit the program. It's time for some live cracking in SoftIce (SI),

:0044A307 E8D0CEFBFF call 004071DC ; (1)
:0044A30C 8BD0 mov edx, eax ;
:0044A30E 4A dec edx ;
:0044A30F 85D2 test edx, edx ; (2)
:0044A311 7C11 jl 0044A324 ; (3)
:0044A313 42 inc edx ;

The call at (1) returns the length of a string - why? learn ASM or trace the
call. Lines (2) and (3) are a test to determine if the lenght is more then 1.
In SI you'll notice that eax is 0Ah and if you traced call (1) you'll know
that the second line of the keyfile is used (at least you should ;),

:0044A2FC BB01000000 mov ebx, 00000001 ;

:0044A31A 33C9 xor ecx, ecx ; ecx = 0
:0044A31C 8A08 mov cl, byte ptr [eax] ; move digit in cl
:0044A31E 33D9 xor ebx, ecx ; ebx = ebx xor ecx
:0044A320 40 inc eax ;
:0044A321 4A dec edx ; decrease counter
:0044A322 75F6 jne 0044A31A ; end? no, then jump...

I think this code is quite easy to understand. This code loops and xor's each digit from the string at eax with ebx. The value in ebx will be important for us.

Now a second part of the validation follows (I edited the code slightly to fit the screen),

:0044A324 8B45EC mov eax, [ebp-14] ; (1)
:0044A327 99 cdq ;
:0044A328 F7FB idiv ebx ; (2)
:0044A32A 8BD8 mov ebx, eax ; (3)
:0044A32C C605B0D7440001 mov [0044D7B0], 01 ; good flag
:0044A333 817DECBE77EF02 cmp [ebp-14], 02EF77BE ; (4)
:0044A33A 7407 je 0044A343 ;
:0044A33C C605B0D7440000 mov [0044D7B0], 00 ; bad flag

At line (1) a number (dword ptr...) is moved into eax - trace this code in SI and you'll notice that the first line of our keyfile is used. Line (2) does some math with the number and stores the result in ebx (3). Line (4) is quite important - again the first line of our keyfile is used and compared to a fixed number. This means that we need to change the first line of our keyfile into 49248190 - I suggest you do that and trace the target again in SI. Now we skip the bad flag and go directly to the next code,

:0044A343 8B45F0 mov eax, [ebp-10] ; (1)
:0044A346 E8B9CBFBFF call 00406F04 ; (2)
:0044A34B 3BD8 cmp ebx, eax ; (3)
:0044A34D 7407 je 0044A356 ;
:0044A34F C605B0D7440000 mov [0044D7B0], 00 ; bad flag

Trace the above code in SI and see what happens. At line (3) the result from the previous part is compared to eax. You'll see that eax contains the number from the third line of our keyfile - this is great but the value is wrong, so lets change the third line into the value contained in ebx at line (3) - see SI ;). Trace again and you will skip the bad flag and get at,

:0044A356 803DB0D7440000 cmp [0044D7B0], 00 ; good keyfile?
:0044A35D 750D jne 0044A36C ; yes! jump...

So are we at the end? Well, let the program run and see if anything changed. And? Yes! Where 'Copyright (c) 1997 by Popcorn...' was we got 3434343434 now so we may assume the keyfile is correct. But we don't want 34...3434 as name, do we? :) So change the keyfile - adjust the second line to the name you like to use - try Vizion/MEXELiTE ;)... Trace again in SI to find out what the third line needs to be and place the new keyfile in the good directory. Now run the program again and enjoy all your hard work, also when you exit the target the nag screen won't appear so we can conclude we've finished with this crack.

Easy not? Just a bit confusing I guess ;).