
THE NEWBIES GUIDE TO CRACKING - Part I

From Higher Intellect Vintage Wiki
By CrackZ

THE EXAMPLE PROGRAMS

Windows Enforcer v4.1 (http://posum.com).
Start Clean v1.0 (http://users.aol.com/felhasan/index.htm).
BS/1 Small Business v1.1h (Davis Business Systems, http://www.dbsonline.com).
Spear Internet Marketing Tool Beta Release 1 (http://www.metafuse.com).
Premia Codewright Professional v5.1 (http://www.premia.com).
Cygnus v1.5 (http://www.softcircuits.com).
Vulcan Notes v2.13 (http://www.webcom.com/vulcan).
WinHacker 95 v2.0 (http://www.winhacker.com).
DiskCopy v4.0 (http://members.aol.com/ron2222).
Emulive Wave Audio Encoder v2.2 (http://www.emulive.com).
Space Monitor v1.1a (http://dialspace.dial.pipex.com/parasoft/spacemon).
Any Speed v1.3 (http://www.pysoft.com).
ScrnSaveSwitch/Plus v4.50 (http://www.ssswitch.com).
File-Ex v2.00c (http://www.cottonwoodsw.com).
Jot Note Manager 32-bit v1.3 (http://www.mjmarshall.demon.co.uk).

BONUS - Virtual Gibbs v4.23.13 (http://[email protected]).

BRIEF INTRODUCTION

Welcome to my first document about the subject of cracking.  This tutorial is aimed at people taking their first steps into the world of cracking, although a few of the cracks may interest more experienced crackers.  Experienced crackers or those with programming knowledge may like to skip this tutorial, as most of the cracks covered are fairly basic.

You should familiarise yourself with the many Internet search engines (I recommend Yahoo / AltaVista) in order to track these programs down.  I've tried to give URLs where I can, but they will no doubt expire during my writing of this document; if you are lucky enough to find me on EFNET I may be persuaded to provide you with the files.  Remember that later versions of these programs may, and often do, use the same protection mechanism.

May I just personally greet all those people I've seen on #cracking4newbies and other channels who inspired me to write this document (in no particular order).

WHAT IS CRACKING?

Well, cracking is essentially the process of understanding how computer programs operate; its traditional use has been for disabling or beating the numerous protection schemes which are placed upon many applications and games today.  I am legally obliged to say that I do not support software piracy in any of its guises and that this document is purely for educational use.

TOOLS

One of the first things you will need to do in order to crack is to equip yourself with a good set of tools; the better you prepare, the better you will crack.  At the minimum you will need a Windows debugger, a HEX editor and a good Windows disassembler, plus other auxiliary tools for specific cracks.  Copies of Borland C++, Visual Basic & Visual C++ are also useful even if you are not yet able to program.  The tools I suggest you obtain are listed below.

NuMega's Softice - The best windows debugger.  I use v3.22 for Windows 95, get v2.8 /2.6 for DOS also.
Hackers View or any other good HEX editor.
WinDASM v8.9, alternatively Sourcer, IDA Professional.
NaTzGUL's InstallShield Disassembler - now an essential tool.

OPTIONAL

QuickView or QuickView Plus - Included with Windows 95.
Windows API 32 Guide - Help file covering all of the Windows functions or Help PC.
A Windows 95 registry monitoring tool.  (Registry Monitor).
NuMega's SmartCheck v5.0 - Useful for VB5 applications.

SOFTICE & HOW TO USE IT

If you ask most crackers which tool they recommend or have the highest regard for, the answer will inevitably be Softice, from NuMega Technologies (ftp://ftp.numega.com).  Softice is the windows debugger of choice.

When installed it is loaded through autoexec.bat as a TSR program, usually as WINICE.EXE, when you restart Windows it will be activated.  Before you reboot you should familiarise yourself with the file WINICE.DAT in the installation directory.  You should open this file in a standard text editor e.g. Notepad and make the following changes to enhance Softice's usability.

1.  Firstly ensure that you have removed all of the semi-colons from the section that says "Examples of export symbols.....".  This will ensure that you can set breakpoints on the common set of Windows functions known as the Win32 API (Application Programming Interface).

2.  You should also ensure that the INIT line looks like this:
INIT="CODE ON; X;"
This ensures that HEX values are displayed.

To toggle between Windows & Softice we use the key combination Ctrl+D; try it now.  If you are unable to return to Windows with Ctrl+D again, the most likely problem is with your display card configuration.  When you first enter SI the top of the screen should look something like this:

EAX		EBX		ECX		EDX		ESI
EDI		EBP		ESP		EIP		o d I s Z A P C

These show the CPU registers and their contents as well as the various flags.  The most important of these is the Z or zero flag, as it is used by conditional jump statements.  The 'r' command allows you to edit the registers' contents, the Insert key will then change the status of the flag, and the registers window can be toggled on and off with the wr command.  The various other flags are as follows; read the Intel guides for more information.

o = Overflow.		d = Direction.		I = Interrupt.
s = Sign Flag.		Z = Zero Flag.		A = Auxiliary Carry Flag.
P = Parity Flag.		C = Carry Flag.

The Data Window follows, it looks something like this (toggle command wd):

0157:406030	20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 - HEX values, there are 16.
0157:406040	20 20 20 20 20 20 20 20 20 20 20 20 20 20 20 20

You can use 'd memory address' e.g. d 00406030 to view the contents of a memory location, or use 'e memory address' to edit those contents.  This applies also to the registers e.g. 'e eax'.

Finally the code window (toggle command wc), which shows you all of the assembler level code that is currently in progress; the 'a' command, covered later, allows you to change instructions.

Other useful keys include:

'h' or F1 for Help.
F2 to toggle the CPU registers, mine are always on.
F8 to step instructions and into functions.  F10 to step over functions or step through code.
F11 to step out of a function i.e. return to the caller.

BREAKPOINTS

Most cracking begins by establishing the location of the protection scheme.  To do this we use carefully chosen breakpoints, the idea being that we wish to be in Softice just at the point the protection 'snaps' and then start examining the code.  In SI we break at protection schemes using breakpoints on functions; for example, a serial # protection must read in the contents of what we entered in order to verify it, hence the use of the function GetWindowTextA.  The following breakpoint commands are used in SI.

'bpx' (sets a break point on execution e.g. bpx GetWindowTextA).
'bl' (lists all currently set break-points).
'bc' (clears the most recently set breakpoint or use bc * to clear all).
'be' (enables breakpoints).
'bd' (disables breakpoints).

There are other SI tutorials which may explain this in greater detail, I suggest you also obtain the SI documentation from NuMega's ftp, both the manual and command reference and study them.

SERIAL # CRACKS

Without further ado let's move into the cracking.  Serial # cracks tend to be the easiest to start with; however they will vary in their operation, with most programmers using techniques such as byte shifting, XORing and arithmetic operations to try and confuse or disguise the operation of these routines.  Essentially these routines are merely a hindrance, and as a cracker they will waste lots of your time.

Serial # checks are usually implemented upon one of these lines.

1.  The program either compares your code with a universally good code (hard coded-in), or..
2.  The program computes your individual code based upon information provided by you or obtained from your registry.  (These tend to require that you produce a keygen if you want to make a general purpose distribution).

I start this tutorial with a program which has 1 universally acceptable code.  (After reading this example you may like to attempt WorkStation Lock (also from Posum Software) or Norton's TaskLock, as their serial # system is very similar to the one shown here.)

Windows Enforcer v4.1 (enfset.exe, 176,128 bytes)

To start this cracking tutorial I thought I would select a fairly small and simple serial # protection.
With cracking, any information is power so I recommend you always read any help files or readme.txt files that are provided with an application, just to see what information you can gain.  I found by reading the help file that this program has both single user and site licence options and that these are enabled by entering a serial # in a registration box.

It seemed likely to me that this program was coded by a single programmer, being so small and fairly simple in function, so in theory at least there is unlikely to be a very powerful protection scheme.  So let's start our cracking approach.

You should quickly use QuickView on the file enfset.exe and take a look at the section entitled Import Table, and just check which dll's are imported by the program (you should always do this with any program).  I get the following; I've also illustrated what these files are actually responsible for:

Winmm.dll		Multimedia API.
Kernel32.dll
User32.dll
Gdi32.dll
Comdlg32.dll		Common Dialog's.
Winspool.drv		Printing.
Advapi32.dll		Registry Access.
Shell32.dll

All of these dll's are shipped with Windows 95 as standard components; Kernel, User, Shell & Gdi make up a core part of the Windows 95 OS and handle I/O operations as well as memory allocation.  As you can see this program imports standard Windows dll's only, and thus it is safe to assume that only functions from the Win 32 API are being used.

QuickView will also tell you that this is a 32-bit program so already we know that 32-bit standard Win 32 API functions are being used.  Notice that GetDlgItemTextA is imported from User32.dll.

So let's launch the program and look at the register option.  You should see a standard dialog box asking you to input a registration code.  So let's enter something in the box (there's no set length); don't push OK yet, just Ctrl+D into SI and start setting some breakpoints on likely functions used to read a value from a dialog box.

As it's 32-bit our choices are restricted to GetWindowTextA & GetDlgItemTextA (note that we know which of these is used from our research earlier).  So set a breakpoint on GetDlgItemTextA as you have been shown in the Softice section (>bpx getdlgitemtexta) and then Ctrl+D to return to the box.

Now when you click the OK button, you should be returned to Softice with a break on GetDlgItemTextA, you should immediately push F11 to find out which program actually called this function.  (It should be enfset.exe).  Now you should be looking at the following code fragment:  Using Ctrl+Up you can see previous lines of code.

CALL	[USER32!GetDlgItemTextA]	The function call.
JMP	004123A5				A compulsory jmp.
POP	EBP				Pop EBP from the stack.
RET	000C				Return from function.

LEA	EAX,[EBP-68]			EAX = EBP-68
PUSH	EAX				Push EAX on to the stack.
CALL	00402439				
ADD	ESP,04				Tidy up stack after function.
LEA	EAX,[EBP-68]			EAX = EBP-68.  (EAX now holds good serial #).
PUSH	EAX				Save EAX.
PUSH	EDI				Save EDI.
CALL	00404F60
ADD	ESP,08				Tidy up stack after function.
TEST	EAX,EAX				Check function return.
JNZ	00403C6F				Jump if not zero.

This code fragment should be fairly simple to understand.  At the 2nd LEA EAX,[EBP-68] the good serial number can be viewed by typing 'd eax'; at this stage there is no need to really understand the functions at 00402439 & 00404F60, seeing as the TEST EAX,EAX is the only check for a valid serial # and we know what that is already.  Windows Enforcer 4.1 serial # 5434343543435431354.

Start Clean v1.0 (startcln.exe, 29,184 bytes)

My next target introduces the concept of the key generator although you may only like to do this when you have examined some of the later cracks in this tutorial.  When you start this program it pops up a nag screen saying register, and when you click the register button you are confronted with a please insert name and code screen.  Prior to this you should have identified this program as 32-bit and using Win 32 functions.

So let's set some SI breakpoints.  Enter some information into both of the boxes, now Ctrl+D into Softice and set a breakpoint on GetDlgItemTextA; after leaving Softice with Ctrl+D you should click O.K. in the register dialog box and instantly be returned to SI.

Now let's push F11 and see what called this function.  (Now, importantly, remember that this program uses 2 dialog boxes and GetDlgItemTextA fetches only 1 at a time, so you should press Ctrl+D again to read in the second dialog box contents, then again push F11.)  You should be looking at the following code.

PUSH	00406030				Push correct serial # to 00406030.
PUSH	00406130				Push the # entered to 00406130.
CALL	00401280
LEA	EAX,[ESP+18]			EAX=ESP+18.
ADD	ESP,08				Tidy up stack.
PUSH	EAX				Push EAX onto the stack.
PUSH	00406030				Push correct # onto the stack.
CALL	[Kernel32!lstrcmp]			Call String Compare function.
TEST	EAX,EAX				Sets the zero flag if lstrcmp returned 0 (strings equal).
JNZ	00401271				The classic sequence.

So, here we can see that the program pushes both the serial you entered and the correct serial number to memory addresses; use 'd 00406030' and 'd 00406130' to view them.  Then the values are pushed to the stack and compared; if you are a good buyer then eax=0.  The function lstrcmpA is worth noting, as you could have set a breakpoint on that to get quickly to the code; however not all programs would use it, so it's merely an option, not a strategy.

As a point of interest, a disassembly of this program shows you that this value is stored in the registry, and is verified at run-time.  I'll now just highlight how you might make a key generator for this program should you want to.  Note that my code was 3478-33826-2377-461, with name Cracking Tutorial.

Key Generator Outline

Well, we know that if you allow 2 breaks the serial # has already been calculated.  However if you take just one break on GetDlgItemTextA you will be able to trace the function used to compute the registration code.
The relevant function is 00401280, I've just commented the first part of the function below, note that I've taken the live Softice listing so there may be one or 2 notation differences if you use the disassembler.

PUSH	00406130				Holds name.
CALL	00401280				F8 to trace.
SUB	ESP,00000100			Subtract 100 hex (256 decimal) from ESP to reserve stack space.
MOV	AL,[00406264]			Move contents of memory location 00406264 into AL.
MOV	[ESP+00],AL
PUSH	EBX				Push EBX to the stack.
PUSH	ESI				Push ESI to the stack.
XOR	EAX,EAX				XOR EAX, (EAX=0).
PUSH	EDI				Push EDI to the stack.
MOV	ECX,0000003F			Set ECX to 3F (63 decimal), the count for the REPZ STOSD below.
LEA	EDI,[ESP+0D]
PUSH	EBP
REPZ	STOSD
STOSW						Store AX to memory location ES:DI.
MOV	EBP,0000006A			EBP now = 106 decimal.
.....
MOV	ESI,[ESP+0000011C]
PUSH	ESI
CALL	[User32!wsprintfA]			Function to store strings in a buffer.
MOV	EBX,[ESP+0000011C]		EBX now holds the name you entered.
ADD	ESP,08				Tidy the stack.
MOV	EAX,EBX				EAX now holds EBX.
MOV	EDI,[user32!CharNextA]		EDI = address of CharNextA (called below to move to the next character).
CMP	BYTE PTR [EBX], 00		Was a name actually entered? i.e. is the first byte of the name 0?
JZ	004012E1				If the name is empty, jump.
MOVSX	ECX,BYTE PTR [EAX]		Move the names first letter ASCII value into ECX.
PUSH	EAX				Save EAX on the stack.
LEA	EBP,[ECX*2+EBP+00]		Calculation: EBP = (ECX * 2) + EBP.
CALL	EDI				CharNextA: advance to the next character; the loop repeats until the end of the string.

So, this first section of the 00401280 function call calculates the first part of the code.  A tip: when you work out the inner workings of a protection scheme, use very short names.  Note the key section is the latter part; the rest merely sets up the memory and stack.

So, if our name was A we can see that the first part of our code would be as follows:

A = 65 ASCII (65 * 2) + 106 (EBP) = 236

Below you will find how the program computes the next 3 parts of the code, I've highlighted below the relevant pieces of code using our example name of A as before.

2nd Part

MOVSX	ECX,BYTE PTR[EAX]		ECX now holds decimal 65 i.e. A.
ADD	ECX,ECX				ECX = ECX + ECX (130).
LEA	EDX,[ECX*8+ECX]		EDX = 9 * ECX = 1170.
ADD	EBP,EDX				EBP = EBP + EDX = 236 (1st part) + 1170 = 1406.

3rd Part

MOVSX	ECX,BYTE PTR[EAX]		ECX now holds decimal 65 i.e. A.
.....
LEA	EBP,[ECX*4+ECX]		EBP = 5 * 65 = 325.
LEA	ECX,[EBP*2+ECX]		ECX = (325 * 2) + 65 = 715.
LEA	EBP,[ECX*2+00000001]		EBP =  (715 * 2) + 1 = 1431.

4th Part

MOVSX	ECX,BYTE PTR[EAX]		ECX now holds decimal 65 i.e. A.
.....
LEA	EBP,[ECX*4+0000001D]		EBP = (4 * 65) + 1D (decimal 29) = 289.

So for the letter A we can see that the correct code is 236-1406-1431-289.  As this isn't a programming tutorial the coders amongst you may like to convert this into a key generator.
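To see the LEA and MOVSX arithmetic above actually execute, here is a tiny interpreter for just the instructions that appear in the Start Clean listing.  It is an added example written for this page, not CrackZ's code or anything from Start Clean; the names run, lea, start_clean_parts and start_clean_code are mine.  It replays the commented lines for the name A and checks that the four parts come out as 236, 1406, 1431 and 289, the values worked out by hand above.  Assumptions: immediates are hex as Softice prints them, the CALL EDI (CharNextA) in part 1 is modelled as advancing EAX by one byte, and, because the text only shows the lines of parts 2 to 4 that read the first letter, EAX is pointed back at the first byte before each of those parts.

```python
"""Tiny interpreter for the few x86 instructions in the Start Clean listing.
Added example for this page, not CrackZ's code or Start Clean's: it replays
the commented lines for the name "A" and checks that the four parts of the
code come out as 236, 1406, 1431 and 289, the values derived by hand above."""
import re

REG = re.compile(r"^[A-Z]{2,3}$")
MASK = 0xFFFFFFFF


def imm(tok):
    """Softice prints immediates in hex without a suffix, so 6A is 106."""
    return int(tok, 16)


def lea(regs, expr):
    """Evaluate the address expression inside LEA's brackets, for example
    'ECX*2+EBP+00' or 'ECX*4+0000001D'.  LEA never reads memory; it only
    does the scaled-index arithmetic, which is why this protection (and most
    compilers) use it as a cheap multiply-and-add."""
    total = 0
    for term in expr.split("+"):
        base, _, scale = term.partition("*")
        if REG.match(base):
            total += regs[base] * (int(scale) if scale else 1)
        else:
            total += imm(base)
    return total & MASK


def run(lines, regs, mem):
    """Execute 'MNEMONIC dst,src' strings in order.  regs maps register names
    to 32-bit values; mem is the NUL-terminated name buffer EAX indexes."""
    for line in lines:
        mnem, ops = line.split(None, 1)
        dst, src = [o.strip() for o in ops.split(",", 1)]
        if mnem == "MOV":
            regs[dst] = imm(src)
        elif mnem == "MOVSX":
            # sign-extending byte load: values 80h and above become negative
            ptr = re.search(r"\[(\w+)\]", src).group(1)
            byte = mem[regs[ptr]]
            regs[dst] = byte - 0x100 if byte & 0x80 else byte
        elif mnem == "ADD":
            regs[dst] = (regs[dst] + regs[src]) & MASK
        elif mnem == "LEA":
            regs[dst] = lea(regs, src.strip("[]"))
        else:
            raise ValueError("unsupported instruction: " + line)
    return regs


# The lines from the listing that do the arithmetic, as printed by Softice.
PART1_LOOP = ["MOVSX ECX,BYTE PTR [EAX]", "LEA EBP,[ECX*2+EBP+00]"]
PART2 = ["MOVSX ECX,BYTE PTR [EAX]", "ADD ECX,ECX",
         "LEA EDX,[ECX*8+ECX]", "ADD EBP,EDX"]
PART3 = ["MOVSX ECX,BYTE PTR [EAX]", "LEA EBP,[ECX*4+ECX]",
         "LEA ECX,[EBP*2+ECX]", "LEA EBP,[ECX*2+00000001]"]
PART4 = ["MOVSX ECX,BYTE PTR [EAX]", "LEA EBP,[ECX*4+0000001D]"]


def start_clean_parts(name):
    """Return the four parts of the code for `name` (constructed input)."""
    mem = name.encode("ascii") + b"\x00"
    regs = {"EAX": 0, "ECX": 0, "EDX": 0, "EBP": 0}
    # Part 1: MOV EBP,6A, then the MOVSX/LEA pair once per character.
    # Assumption: the CALL EDI (CharNextA) in the listing advances EAX by one
    # byte, and the CMP BYTE PTR [EBX],00 / JZ guard ends the loop at the NUL.
    run(["MOV EBP,0000006A"], regs, mem)
    while mem[regs["EAX"]] != 0:
        run(PART1_LOOP, regs, mem)
        regs["EAX"] += 1
    parts = [regs["EBP"]]
    # Parts 2-4: the text shows only the lines that read the first letter, so
    # (assumption) EAX is pointed back at the first byte before each part.
    for block in (PART2, PART3, PART4):
        regs["EAX"] = 0
        run(block, regs, mem)
        parts.append(regs["EBP"])
    return parts


def start_clean_code(name):
    """Join the parts the way the text writes them, e.g. 236-1406-1431-289."""
    return "-".join(str(p) for p in start_clean_parts(name))


if __name__ == "__main__":
    print("A ->", start_clean_code("A"))
```

Only single-letter names are reproduced faithfully, since the lines elided with "....." in parts 2 to 4 are not on the page.  The point of the exercise is the reading skill the tutorial is teaching: LEA with a scaled index is a multiply-and-add in disguise, and MOVSX is a sign-extending byte load, so a name character of 80h or above would feed a negative value into the arithmetic.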

A different approach to the Key Generator

In the above example we can see by analysing the assembly code how the program computes our good serial #, but if we are going to distribute our crack that means work making a key generator; why not have the program actually do all that work for you?  Let's look again:

JNZ	00401271		The test for serial # validity.

Now lets see what happens when we put in a bad serial.

XOR	EAX,EAX		EAX = 0.
POP	EDI
POP	ESI
ADD	ESP,0000020C
RET				Return.

ADD	ESP,04
TEST	EAX,EAX
JZ	004021E1

PUSH	00
PUSH	00
PUSH	004063A8		Push "Invalid Key" message as parameter to MessageBoxA.
PUSH	ESI
CALL	[User32!MessageBoxA]	Displays "Invalid Key".

So, you see, what if the PUSH 004063A8 instruction gets changed to PUSH 00406030 (the good serial #)?  The user enters a bad number and the message box pops up with the correct one!  This eliminates the need for a key generator as well as being a general purpose distribution.

BS/1 Small Business v1.1h/g - Davis Business Systems (bs1.exe, 1,818,624 bytes)

So far in this tutorial I have concentrated on fairly small shareware programs that are fairly easy to crack.  The next program, however, is much more a commercial product with a larger executable file, and I'm going to introduce a new strategy, the disassembler, as well as showing you why, when one approach fails, you should try another.

Well, lets start, so the first thing I did was take a look with QuickView and then disassemble bs1.exe (that takes time), I looked around and found that standard import functions were being used.  In the Help/About menu the program offers you a License Upgrade option, you must then enter 2 pieces of information, Company Name and License Number and we know from the help file that there are several licensing options.

I took the approach we used before.  The program broke only once on GetWindowTextA (you should realise that only one of the boxes was actually read by the program).  I then traced through the code with F10 looking for a compare/test conditional jump sequence, only to step around 20 instructions and then step over the function call at 0040379C, which returned me to the screen saying invalid registration; I recommend you try this just to see.  Incidentally you could have noted the functions that you passed down and attempted to trace them, but that's painful in this example as there are 6 of them.

So we are going to need a different approach, or at least one that allows us to approach the actual compare code from behind.  Let's introduce another useful Windows function, Hmemcpy; it is called when strings, i.e. serial #'s and names, are copied into memory.  So let's clear the other breakpoints and set a 'bpx hmemcpy' in SI (follow the procedure below).

So, you should first enter some details in the boxes, Ctrl+D into SI, type 'bpx hmemcpy', Ctrl+D out of SI and then click OK in the registration box.  You are returned to SI so hit F11 to return to the calling function, now as there are 2 boxes you should press Ctrl+D again and then F11 again to ensure that both dialog boxes contents were copied into memory.

So you are now looking at something like this:

PUSH	DWORD PTR [DI]
CALL	KERNEL!LOCALUNLOCK

This code is in User, and most codes are checked from the program executable file i.e. Bs1.exe, so lets start stepping with F10 (make sure you disable all breakpoints before you do this), you should step through a lot of instructions (maybe 50 or more), and you will probably go through Kernel32!_freqasm before you reach the code that looks like this:

MOV	[ESI+0C],EAX			1st instruction inside BS1!CODE+........
.....
Now let's start stepping slowly with F10 until we reach this:

MOV	EAX,[EBP-10]			EAX=EBP-10.
MOV	ECX,00000001			ECX=00000001.
MOV	EDX,00000001			EDX=00000001.
CALL	004037DC				Function Call.

Here you should check the contents of EAX with 'd eax', it should contain the name you entered so the next compare sequence or function is obviously interesting.  Not long after you hit this code:

CALL	004036E8				Another function call.
JNZ	004EBA62			The first conditional jump inside the Bs1.exe.

So this JNZ instruction is suspicious because our number was just placed in EAX, but without analysing the function at 004036E8 in detail you can't be sure, and when you crack you want to find the easiest solution, not trace functions all day.  Remember that with this sort of scheme there is most likely a function to check whether you actually input anything in the box, so let's skip this call for now.

If you continue stepping you will start hitting lots of function calls and conditional jump statements, now its just not practical to start tracing all of these purely because of the time aspect but lets see if our disassembler can be of any assistance.  Lets introduce the concept of 'using' the program's nag message, quit Softice and proceed:

Now, when your code is rejected by the program it says "Registration Code is invalid", try and see, so lets have a search in our disassembler for "Registration", and you should find this:

* Possible StringData Ref from Code Obj -> "Registration Code is invalid"

:004EC722	B9DCCA4E00		MOV ECX,004ECADC		You screwed up message.

A little below you should also see something interesting about users.ini, so it looks possible that our registration information is stored in the file users.ini.  Further down you'll find that address 004EC776 is linked to RegisteredTo, so its likely that any bad numbers will find themselves at the code at 004EC722, but good buyers will go to 004EC776.  So with this information in hand lets go back to SI and start trying to get the program to the good guy code.

Once inside Softice, start stepping and you will start seeing a lot of this type of code:

CALL	004036E8				This function is called a lot.
JNZ	somewhere

The function at 004036E8, as it turns out, is called many times (it obviously verifies the license code); however we have our strategy, so let's start stepping.  We need the code to avoid 004EC722 at all costs, so you should step a long time before hitting the following code.

MOV	EDX,[EBP-14]
POP	EAX				Pop EAX from the stack.
CALL	004036E8				The function we've seen a lot of.

014F:004EC6FA	JNZ	004EC717	This is suspicious <--.

This code is suspicious because the jnz (if it happens) takes you dangerously close to the dreaded 004EC722 instruction, a quick look with Ctrl+Down Arrow should confirm your fears, it looks like if this jnz actually jumps to 004EC717 then 004EC722 occurs, so we need to change this instruction or modify the status of the zero flag.

So in Softice, step to the call 004036E8 instruction and stop, now lets change that instruction, do that in Softice by typing 'a 014F:004EC6FA' (obviously this memory address may be different on your PC), now lets type 'jz 004EC717' to reverse that nasty instruction.  Push Return and hit escape, and now step over the new instruction with F10, you will see that the next jmp statement 'jumps' the bad registration code and after several more steps finishes at this:

MOV	ECX,004ECB18
MOV	EDX,004ECB30

At this point we know that we have reached the good registration number part so we can stop using SI, clear all the breakpoints and Ctrl+D back to Windows and check about, you should now be the proud owner of a 10 network user licence.

Now, lets take a look at users.ini in the DATA subdirectory, mine looks like this:

[General]
CurrentUsers=0
RegisteredTo=CrackZ
License=f25xfs

So, is our job done?  Well, we didn't see where f25xfs came from, so let's look in the disassembler for it.  You should find it; now let's scroll around: a whole load of 6 character StringRefs, I wonder what they are all for.

Well, I'll leave it to you to locate all of the codes and try them in users.ini, I found the following but there may be more.  Advanced crackers may like to work out the internal workings of the notorious 004036E8 function but there's really no point because the program only checks the serial # before entering one of these default codes in the initialisation file.

b935k4 (Single User)		a9tr24 (2-user)		c9kk42 (3-User)
a3ab6y (4-User)		285rer (5-User)		298bb3 (6-User)
k2w6tt (7-User)			2h9gt5 (8-User)		9j5att (9-User)
f25xfs (10-User)

Spear Internet Marketing Tool Beta Release 1 - 30-day trial spear.exe (906,224 bytes)

Well, I think this tutorial has done enough serial # cracks just for now, so its time to move on to another favourite with programmers and software vendors (the time-limited trial), here's the caveat, you get all the functions of a fully working piece of software to try for 30 days before the program stops working or nags you to death (Paint Shop Pro).

In fact there is usually no need to crack these types of protection since most can simply be re-installed again and again; with PSP, many cracks I've seen just simulate the pushing of the O.K button.  However these trials are often inconvenient and some trials can even be malicious (self-deleting files).  So let's have a look at this program (which you may now find difficult to get hold of).

The first thing I did was disassemble spear.exe and look for StringRefs for something like "trial period over"; in fact I found nothing interesting there at all, and the imports seem remarkably scarce.  Well, the next thing you should do with time-trials is see if you can trigger the nag and then crack from there.

The easiest way to do this is to adjust your BIOS clock temporarily.  Sure enough when I rebooted it came back and bitched about the trial period being over and the message box looks pretty much like a standard WIN32 call.  Now there are several ways to crack from here, you could try setting a breakpoint on something like MessageBoxA to intercept the message box and then trace back from there, however there is an easier way in this case.

The program obviously gets the date from somewhere, it would most likely have to use either GetSystemTime or GetLocalTime or a flag in the registry.  We can eliminate the 3rd possibility easily by using Registry Monitor (no calls are made).  So let's enter SI and set these breakpoints (I advise you to do them individually otherwise you will be tracing calls all day).

With GetLocalTime, the first break is in msvcrt20.dll (a Visual C run-time file - not our check), so push F11 and then Ctrl+D again; the second break and F11 should place you inside the file spear.exe+LiWenJun, looking at the following code.

CALL	[KERNEL32!GetLocalTime]	Retrieves the current local time and date.

Now step through the instructions here.  Just pops from the stack and a function return, then this:

CALL	004D81B0				Call some function.
CALL	004DA360				& Another.
TEST	EAX,EAX
JZ	004DA6DC			Has trial user any time left?, if yes jump.

Well, there's really not much to understand here; it's cracking by intuition.  The 2 functions at 004D81B0 & 004DA360 are very tedious to trace, but 004D81B0 seems to do some password checking and calls 004D9630 a lot, I guess this is error checking; 004DA360 seems to check registry settings.

With this sort of crack you should use a heuristic approach, we know that a message box will pop up if we are out of time, so I looked at the code that followed, the JZ 004DA6DC takes us to JZ 004DA763 which then tidies the registers and stack and calls MessageBoxA.  Well lets change this jz to a jnz live in SI or modify EAX and see what happens, you already know, the program starts.

Now that we know how to jump the date check we can hex patch this program so that it will never mind what date it is.  There are lots of ways, we could change the jz 004DA6DC instruction to a jnz or set EAX = 0, but I settled for changing jz 004DA6DC to an unconditional jmp 004DA6DC.  So lets HEX patch this file.

Firstly search the disassembly listing for the address 004DA6DC, you should find it says je 004DA6DC, so lets find out what that is in HEX by selecting the HexData menu and then Hex Display of code data.  You should see that the je 004DA6DC = 74 11 A1 C0 D6 4D 00 3B (Hex Display), now lets change that to jmp 004DA6DC by patching the 74 to an EB (the opcode for jmp).  Make that change in your favourite HEX patcher and this program is cracked, note that you could have ascertained the correct code for the jmp live in Softice with the >a command.

Real crackers might also like to remove the 30-day trial text from the About Box; it's fairly easily done just by searching for the text in a HEX editor and then altering it.  (When I released this program I actually just settled for overwriting the 30-day trial text with HEX 20, i.e. blank spaces, but the more egotistical of you may like to add your nickname).



Premia Codewright Professional v5.1 cw32.exe (98,816 bytes)

Another variation upon the previous time-trial tool (albeit much more sophisticated), Premia have used a few extra features to annoy and cripple their flagship code editor.  When you install you'll find 3 main problems with this program, the first is a nag box at the start-up, the 2nd is a time restricted trial and the 3rd is in the Help/About menu, a nasty string which says FREE DEMO COPY.

Now the way to approach these sorts of programs is to crack systematically and really make sure, as I'll highlight, that you know exactly the changes you're making; I'm not going to step you through as much code as in previous examples.  The first thing I did was to advance my BIOS date a little past the time-trial, and sure enough once I'd clicked the annoying O.K button up popped the "Sorry, program has expired" message, so I disassembled cw32.exe to see what I could find, and there the problems began: no StringRef.

Well, I guessed that the time-trial was being checked from another file but there are lots in the install directory, so I set a breakpoint on MessageBoxA and launched the program, sure enough up popped our nasty time-trial message and into Softice I landed, an F11, a click of O.K and finally, yes I'm in the file csdll32.dll, found where our check is.

So we disassemble csdll32.dll and you should have noted the address of the MessageBoxA break when you landed in Softice, its at 1014B920 in case you didn't look.  Now, we can see where our nag is called but tracing back from here in the disassembly leaves many possibilities, my next thought therefore was to try breaking in with Softice using one of the date API calls and then trace from there to work out how to avoid the message box.

I used bpx getsystemtime and after clicking the O.K button I got a return to Softice at 10181C76, now I stepped noting down the functions which got called as I proceeded.  This is the list I made.

:10181CCE			GetTimeZoneInformation
:10181D70			CALL 10183AC0
:1011D0A0			CALL 1014BC62
:1011D0B9			CALL 1014B8D9		Displayed the message box.

I elected then to trace the call at 1014B8D9 and see if I could avoid the message box; in fact it turns out that whichever way the JZ 1014B909 goes (see the disassembly for this also) the nag message gets displayed, so to beat the time-trial CALL 1014B8D9 must never happen.

I looked back in the code to see how this could be avoided and I soon spotted this:

JLE	1011D0E1		(Address 1011D04C)
MOV	EAX,[10197A64]
MOV	[EBP-18],EAX
CMP	DWORD PTR [EBP-0C],00
JZ	1011D090

Note this code carefully: when you're out of time neither of these conditional jumps is actually taken, and if you check the disassembly the JZ 1011D090, even when it is taken, still calls 1014BC62 and then 1014B8D9 (the nag), so the JLE 1011D0E1 must always be taken if we are to avoid this message box.
I therefore changed the JLE 1011D0E1 into a JMP 1011D0E1 plus 1 NOP for an even byte swap (the JMP is a byte shorter than the JLE, which is why its displacement is one larger).

0F 8E 8F 00 00 00	JLE 1011D0E1
E9 90 00 00 00 90	JMP 1011D0E1 + NOP		(Cwdll32.dll)

With the time-trial now ineffective I wanted to remove the welcoming O.K box which popped up after the splash screen.  It looked like a standard Windows dialog box, so I set a breakpoint on DialogBoxParamA and Softice popped at this code.  Note here: why did I choose DialogBoxParamA?
Well, a bit of intuition told me this: the splash screen was painted and then after that the nag appeared.  I was confident that BeginPaint and EndPaint were being used to paint the splash, so in the disassembly I looked after the call to EndPaint and worked out that DialogBoxParamA was displaying the nag.

Using the same tactics as with the time-trial nag I bpx-ed on DialogBoxParamA and noted the welcome box call at 1011D036.  In the disassembly I traced back up the hierarchy of conditional jumps to work out where I could avoid this call, and I soon located this interesting conditional jump (note the address).

JE	1011D0E1		(Address 1011CF9A) - Jumps nag.

Well, here's where I made a mistake: I thought I could stop the nag displaying by making this JE always jump, but if you try it you'll find something's wrong because the program doesn't start, so I decided to go back to the INT 3 trick just before this JE and trace (see later tutorials for details of the INT 3 trick).

I traced through these calls, remembering that I had to avoid the call at 1011D036, and I soon found what I was looking for at address 1011D022: JNZ 1011D03C.  I decided to make this JNZ into a JMP to avoid the welcome box.  You should now make this patch in your favourite hex editor, 75 18 into EB 18.

Now for the final cosmetic change.  You launch the program and all is well, no nags, but the Help/About is not very pretty: FREE DEMO COPY.  We'd like to change that to something slightly nicer looking.
Well, I couldn't find the hex for this string in any of the files, though I was sure that cwdll32.dll was responsible, so I guessed it was encrypted somewhere.

I set a bpx on DialogBoxParamA and found that address 10144420 displayed the box, so I decided to try a bpx on SetDlgItemTextA in the hope that I could find where the FREE DEMO COPY came from.  I selected Help/About and sure enough Softice broke.  I then started tracing, noting down the functions which were called and seeing what strings I could locate; I didn't step for long before the call 1014BD7C came to my attention.

CALL	101624FB
.....
CALL	1014BD7C			Placed FREE DEMO COPY in ECX.
TEST	EAX,EAX
JLE	10146EDC			<-- Why jump?
CMP	DWORD PTR [EBP-04],00
JZ	10146EDC			<-- Why jump?

Well, what's happening here?  Neither the JLE nor the JZ actually jumped, so I decided to see what happened after this.  What happens is that EAX holds FREE DEMO COPY and then, after a few function returns, wsprintfA is called at address 10146EBB and sets the S/N: prefix (also look in the disassembler at address 10146EB2 just before), so it's in our interest to allow one of these jumps to actually happen; either is desirable.  I changed the JZ to an unconditional jump, which leaves us with a S/N: of V5.1, which is more visually appealing (note there are other jumps further on that can be changed, so long as 10146EB2 never happens).

JZ	10146EDC	0F 84 9D 00 00 00
JMP	10146EDC	E9 9E 00 00 00 90	(1 NOP required for an even byte swap).

You may like to investigate how you could actually alter the functions to return a string of your choice, but that involves adding some code of your own.

Cygnus (Hex Editor) v1.5 (cygnus.exe 421,888 bytes)

Well, here's another program which I thought would be interesting to take a look at, simply because its protection scheme is interesting and it requires a little bit of Softice confidence.

Although you don't yet know it, this program uses the Windows 95 registry as the basis for its serial # protection.  Essentially the registry consists of 2 files, System.dat and User.dat; you will find them with the system, read-only and hidden attributes in the Windows directory.  The registry is basically a large database which stores details about your system; run Regedit.exe and take a look (but don't alter anything unless you are really sure).

So, let's start cracking this target.  I ran the program for the first time and up popped our nag screen; I clicked O.K, then exited and restarted, and there was no nag the second time, which is actually quite pleasant of the author.  I then checked the register.txt file, which informed me that the program was function-disabled unless I registered, so I checked again and sure enough in the Help menu there's an option called Register Cygnus and, voila, 3 dialog boxes asking for a registration code.

So the first thing I did was disassemble (you should really do this all the time now), and you should easily be able to locate these string references of interest; these are briefly the ones I noted.

* Possible StringData Ref from Data Obj ->"Registration was successful."

:0040EA39 68348E4500		push 00458E34

* Possible StringData Ref from Data Obj ->"Registration Successful"

:0040EAF9 68F08D4500	push 00458DF0

* Possible StringData Ref from Data Obj ->	"The authorization code you've "
"entered is not valid. Please contact "
"SoftCircuits for a valid code."
"Select Help for more information."

:0040EB29 68508D4500	push 00458D50

So, we can now see what strategy to use: our code must avoid 0040EB29, and it looks like standard Windows API calls are being used.  So let's set those Softice breakpoints; you should find that GetWindowTextA works well.  Now, from here on it seems easy, I show you the Softice code and you find the good serial #, however it's not that simple.

I broke 3 times on GetWindowTextA and started tracing to reach 0040EAF9, but it seemed as if I would never get there; in fact this program seems to stay permanently around the 0042xxxx memory addresses, but we know that it must step back at some point to do the compare.  Just try this and see: you will even step right out of cygnus.exe back into Kernel and then into User, but persevere and eventually you will get back into cygnus.exe (you know it must do this compare).  Try a breakpoint on IsDialogMessage if you want to avoid some of the tedious stepping.

Eventually you will reach this:

CALL	[USER32!IsDialogMessage]
POP	ESI				Pop ESI from the stack.
RET	0004
CMP	EAX,01				Compare 1 with EAX.
JNZ	0040EB36				The jump which pushes the 'bad registration code' message.  Fortunately it seems that this only happens if you enter nothing for a serial #.

So, let's step on until we hit this function call (note that you should step through the call at 0042121C):

CALL	0040ED80
MOV	ECX,[EAX]			Here you should take a look at ECX.

Mine shows the following serial # at ECX, 221-7020-700, and as it turns out this works universally.

IMPORTANT TIP:  Whenever you elect to step over a call in a protection scheme, check the contents of any registers which have changed; you may find your serial # there.  Alternatively, when you have exhausted all possibilities, retrace your steps and examine the functions.

Well, in the real world of cracking many would have missed that call at 0040ED80, just traced on and altered an instruction to get to the good serial # message, and then when they restart the program it's still unregistered (every cracker has done this, believe me).  So in these cases you must not be afraid to take a different approach.  It is probable that when this happens the program has written your bogus serial # out somewhere and then checks it at run-time.  The 3 most likely ways of doing this are as follows:

i)  An *.ini file, or initialisation file: these are small text files usually stored in 1 of 2 locations, either the home directory of the program or the Windows directory; they tend to be used more by older applications.
ii)  The Windows 95 registry (note that any program that carries the Designed for Windows 95 logo will use this).
iii)  The program's own separate (usually encrypted) file; *.dat, *.idx or *.lic are ones that I have seen, e.g. UniVBE 5.3, WinHacker 95.

With Cygnus you will find that the program possesses no cygnus.ini file or encrypted file as such, so the registry remains the most likely possibility.  So launch Registry Monitor and then Cygnus, and let's see what values are being checked.  The following values look interesting:

758	QueryValueEx	CURRENT\Software\SoftCircuits\Cygnus\General\UserName	SUCCESS
759	QueryValueEx	CURRENT\Software\SoftCircuits\Cygnus\General\UserName	SUCCESS	"Cracking Tutorial"

768	QueryValueEx	CURRENT\Software\SoftCircuits\Cygnus\General\UserCompany	SUCCESS
769	QueryValueEx	CURRENT\Software\SoftCircuits\Cygnus\General\UserCompany	SUCCESS	"Cracking Tutorial Address"

778	QueryValueEx	CURRENT\Software\SoftCircuits\Cygnus\General\UserCode	SUCCESS
779	QueryValueEx	CURRENT\Software\SoftCircuits\Cygnus\General\UserCode	SUCCESS	"221-7020-700"

So at run-time these values get verified by the program, and you can now use Softice to intercept all registry calls and then trace to where the value is verified; I warn you that tracing registry accesses can be quite tedious.  These are the breakpoints used for registry access, though to be honest I've only ever used the first 2 for querying registry values.

RegQueryValueExA
RegQueryValue
RegOpenKeyA			Opens a registry key.
RegCloseKeyA			Closes a registry key.
RegCreateKeyA		Creates a registry key.
RegDeleteKeyA		Deletes a registry key.

Vulcan Notes 95 v2.13 (vnotes95.exe 567,296 bytes) - junking tricks

Well, I'm back to serial #s again with this slightly more interesting application, which I'm hoping houses a more complex code generation routine than the previous example, or at least something worthy of our studies.  So you should by now have the disassembled listing of vnotes95.exe in front of you.  I've just selected a few interesting StringRefs which you may also have located.

00465182 - "Thank You for registering " <-- this then runs on with the text "Vulcan Notes 95" + "Please close and restart " + "Vulcan Notes 95" + "to enable all features/functions."  If you've been paying attention you will also have noted the reference "Software\Vulcan\Notes", because that's where the information is going to get stored.

Fairly standard stuff there.  But here's an interesting little trick: look above the 'real' registration message at 00465182, and at 00465118 we'll see "Thank you for registering" and also at 00465128 "Vulcan Notes".  This code is actually a trick to fool you into making a quick patch when you first examine the disassembly.

This alleged good guy message is apparently referenced by a conditional jump at 00465114, i.e. JNE 00465180, in the hope you will just go ahead and change that and think it will always be registered.  In fact if you look again and trace back a little from there, you'll see that the REAL deciding good guy / bad guy jump is at 00465032, JNE 00465208; in Softice this is easily spotted because the real good buyer never hits the code at 00465103.

At 0046521B we have "Sorry! The information you entered does not match!" and that's referenced from 00465032, which confirms our belief that this is the good guy/bad guy flag status.

Well, let's select Register and input some details into the dialog box.  Unfortunately our Getxyz breakpoints won't work here, so bpx on Hmemcpy instead and remember that 2 dialogs are being copied into memory.
So, you should now be in User; start the stepping process with F10, go through Kernel32, and the first instruction inside vnotes95.exe is at 00416FE5.  The next stepping session does a lot of function returning (around 6 returns I recall), then you are returned here (note this is the Softice listing):

:00464FFE	MOV EAX, [EBP-10]		EAX holds the serial # entered.
:00465001	LEA EDX, [EBP-14]
:00465004	CALL 00405A70		A junking function.

* Well, I'll explain here what I mean by junking: this function just checks whether you entered a serial # that was at least 1 character in length, and it does absolutely pointless operations and tests on the length of the string you entered.  Some of the code is just plain silly, like this fragment: get the string length, store it in ESI, now store it in ECX, increment ECX, decrement ECX, is the result zero?

:00465009	MOV EAX, [EBP-14]		Serial # in EAX.
:0046500C	PUSH EAX			Save it for use on the stack.
:0046500D	LEA EDX, [EBP-10]		
:00465010	MOV EAX, [EBP-04]		
:00465013	MOV EAX, [EAX+000001B8]	
:00465019	CALL 00414F00		More silly junking calculations.
:0046501E	MOV EAX, [EBP-10]		Name is now in EAX.
:00465021	LEA EDX, [EBP-18]
:00465024	CALL 00464DF0		The calculation routine.

The calculation routine calls lots of other functions (most actually do very little); you can try to trace them if you really want, but it's unfortunately the same old sauce.  After the return the good guy code is left in EDX; if you're interested, the code is built up from hex manipulations of the name.

:00465029	MOV EDX, [EBP-18]		EDX holds good number.
:0046502C	POP EAX			Pop EAX from the stack i.e. the serial # you entered.
:0046502D	CALL 004036DC		Compare EAX with EDX (your code with good code).
:00465032	JNE 00465208			Jump bad cracker / Continue good buyer.

So let's see if a simple crack will work here: we need to reverse or change this JNE so that it never jumps, so let's just kill the JNE with 5 NOPs and see what happens.  Well, when you restart the program it's registered, with the correct code placed in the registry.

Just a matter of aesthetics, but when you patch programs in this manner try to avoid excessive NOPs; some programs contain code to detect this sort of patching.  I would suggest in the above example that you pad with instructions like these (the hex codes are in brackets).

INC EAX (40)
DEC EAX (48)
INC EBX (41)
DEC EBX (49)
NOP (90)

The net result of this code is obviously to do nothing at all, but it is more aesthetically pleasing than a row of 5 NOPs.

A Word about Microsoft Foundation Class Applications (MFC) & Visual Basic Applications

The Microsoft Foundation Classes are essentially a set of core components which can be used by Microsoft Visual C/C++ programmers looking for rapid application development.  In terms of cracking, MFC applications are identified by looking for specific dynamic link library (DLL) imports.  The MFC files are usually stored in the Windows/System directory.  These are the files which I know of; note the rather obvious MFC and MSVC prefixes:

Msvcrt.dll, Mfc30.dll, Mfc40.dll, Mfc42.dll

Of these Mfc42.dll seems to be the most common; you'll see a lot of MFCxx:NoName in a disassembled MFC application.

VB applications are also easy to recognise, again because of their imported DLLs.  Essentially most VB programs are scripts calling the DLLs' functions.

VB3	Imports vbrun300.dll	(16-bit)
VB4	Imports vb40032.dll	(32-bit)
VB5	Imports msvbvm50.dll	(32-bit Microsoft Visual Basic Virtual Machine).

WinHacker 95 v2.0 - (wh95.exe 495,616 bytes)

Well, after reading my section about MFC applications, what better way to continue than by attempting a program that uses MFC.  Upon starting the next target a huge dialog box pops up advising that only 20 days are permitted for evaluation.  However, we can see a registration option asking for name, company and serial #; as it turns out this program actually calculates an individual key based upon those 2 fields, but unfortunately the serial # is left in a register after a function call, which makes it easy to locate.

A disassembly listing should reveal that mfc42.dll and msvcrt.dll are being used; note also that wh95.dll is imported (this is a non-standard DLL included by the program author, and sometimes they hide serial # routines in these).  Now a quick look at the StringRefs will yield these details.

* Reference To: MFC42.MFC42:NoName0335, Ord:021ch

:0041933C	E8E5D40000		CALL 00426826

* Possible StringData Ref from Data Obj -> "Invalid Serial Number!"

So we can see where bad numbers end up, but I couldn't actually find anything that really looked like the good guy code nearby, so when you start cracking this you know only that this program must avoid 0041933C.  Let's set a breakpoint on our standard functions just to see what happens.  In fact in this instance GetWindowTextA works well; most of the time you will not be so fortunate and will have to use Hmemcpy.
So, 3 boxes need to be read into memory; perform the necessary actions in Softice and then you should see this:

CALL	[User32!GetWindowTextA]
MOV	ECX,[EBP+10]
PUSH	FF

Now this code actually turns out to be in mfc42!text+....., so you need to step around 5-6 instructions until you find yourself in wh95.exe.  Now remember your tactics and stay calm as you step; you will actually go briefly back into mfc42 again during the stepping process, but eventually you will near the following.

CALL	EDI		The last function before the test/jz sequence to the bad serial #.
NEG	EAX
SBB	EAX,EAX
POP	ECX		Pop ECX off the stack (Good serial # is now in ECX).
INC	EAX		Increment EAX.
POP	ECX
TEST	AL,AL		Test AL for 0.
JZ	00419333		Jump if AL=0.

Now, you should trace the CALL EDI with F8 and you will find this fragment.  It looks as if the code was actually calculated in a previous function call; this function compares certain values of your serial # with the correct code.

MOV	ESI,[EBP+18]	ESI holds the number you entered.
MOV	EAX,[EBP+14]	EAX holds the good serial #.

For interest, you may like to investigate earlier function calls and see if you can work out how the serial # is calculated; in fact I've written an addendum here because this crack is really just find the serial # and run.  The functions you step through seem to work like this:

In mfc42.dll the call at 5F4028B8 leaves the serial # you entered in ECX.  Then in the WinHacker executable the call 0042682C is called 3 times; it seems to set up strings to push as parameters to the message box, like time-trial etc.  The function at 00426820 is then called twice; it's just checking whether you actually entered something in the Name and Company dialogs.  The calculation routine is at 004193CD and tracing it is painful: it calls at least 5 other functions and is a misery to work out.  It seems to work on the basis that "if the desert's big enough you'll never find what you are looking for", so skip over it and save yourself the hassle.

The final call before the call EDX compare is at 004268F2; you can trace this one and find the correct serial # also, it's placed in EAX.  It's much easier (if you are going to make a general-purpose crack) to push the good serial # as a parameter to the error message in call 00424CB4 rather than work out the key generator.  The code, well that gets written to a file wh95.dat in the Windows directory.

DiskCopy v4.0 - (diskcopy.exe 147,968 bytes)

Well, I cannot stress how important this particular crack is; perhaps this should be a single tutorial in its own right.  You should read this crack a few times just so you are clear exactly why I use this method and why it is so effective.  Take a look at our target and you instantly see the vb40032.dll import, so it's a VB 4 application.

Now after I cracked this and worked out the serial # I realised just how difficult this program would actually be if you did a bpx on MultiByteToWideChar and started tracing.  The following code fragment is the standard VB4 code for comparing strings in wide character format.

HEX		INSTRUCTION

56		PUSH ESI
57		PUSH EDI
8B7C2410	MOV EDI, [ESP + 10]
8B74240C	MOV ESI, [ESP + 0C]
8B4C2414	MOV ECX, [ESP + 14]
33C0		XOR EAX, EAX
F366A7	REPZ CMPSW			Here the contents of ESI & EDI get compared.

So what I am actually going to do is patch the Visual Basic DLL in such a way that we can break in on this sequence of instructions with Softice.  So open up a copy of vb40032.dll in your favourite hex editor and search for the hex bytes listed above, 56 57 8B 7C 24 10 etc.  When I used Hiew I patched the XOR EAX,EAX with CC 90 (note that CC is the hex for interrupt 3, and 90 you should know is NOP, or no operation); I then saved those changes and started.

So before starting the application I Ctrl+D into Softice and set a breakpoint on int 3 by typing:

>bpint 3

After exiting, I launched the target and selected Register; note the 2 dialog boxes, and note that our interrupt is enabled.  Now enter your name and any registration number into the boxes (I used Cracking Tutorial and 12121212) and click O.K; you should be in Softice at the int 3 staring at the above compare, so now let's change that int 3 and NOP back to the correct XOR EAX,EAX.  I typed the following:

>A 014F:0F79B356 (Enter)
>XOR EAX,EAX (Enter)
>Escape

Now if you look in ESI with >D ESI you will see the code you entered, and guess what's in >D EDI: you guessed it, the correct code.

With Cracking Tutorial my code was cTpA,1174 (I think this is a universal code).  Note also that although the actual code is located in memory very close to the one we entered, would you actually have picked this out as the legitimate serial # in the search window?  I very much doubt it.

As a small project you may like to practise this technique of the cracked VB 4 DLL on CT HotSpot v2.0, another product from the same author; although he wasn't silly enough to code in exactly the same serial # as his other product, you should find s400,913,*113 fairly easily.

Emulive Wave Audio Encoder 2.2 - (emuwave.exe 248,320 bytes)

Well, it's time for me now to look at a VB5 target application.  When you don't know how to crack these types of application it can be a nightmare; disassembling them is for the most part a total waste of time.  You'll know a VB program when the installation copies lots of DLLs into your system directory; VB5 uses msvbvm50.dll.

Now when you start this application it's a choice: either a 10 minute demonstration or register, so select Register and you have 2 key dialog boxes.  Mine says 323730247736 in the top part and asks for another key in the other; it's probably a safe assumption that the 'key' will be the same length as the security code.  Well, if you try our standard API functions which we have used previously you'll find that Softice won't break; you could also try the hacked DLL trick as used in the previous tutorial, but on this occasion it will not work, all due to VB 5 having its own set of functions.

I also, just for this tutorial, attempted to see if Hmemcpy would actually lead to any traceable code; I spent a few hours trying but just got lost in msvbvm50.dll, so I decided to try other breakpoints.
Again, with VB 5 this tends to be more trial and error than anything else.  You should find in this case that bpx MultiByteToWideChar works well, so set that breakpoint in Softice and click O.K on the register button.

Now when you hit F11, here's the code you should be looking at (commenting it is fairly pointless as it's inside msvbvm50.dll):

CALL	[Kernel32!MultiByteToWideChar]
MOV	EBX, EAX
CMP	EDI, -01
JNZ	0F0414EA
DEC	EBX
PUSH	EBX
PUSH	00
CALL	[0F0019A0]
MOV	EBP, EAX
TEST	EBP, EBP
JZ	0F07C71D

Now, I stepped past the function call at 0F0019A0 because the conditional jump to 0F0414EA (if it happened) only skipped a few lines of code; I then stopped just before the JZ 0F07C71D and decided to use another of Softice's useful features, the memory search.

Now, I entered 1212121212 as my serial #, so I entered the following in Softice.

>S 30:0 L FFFFFFFF 31 00 32 00 31 00 32 00 31 00 32

Note that S is the search command, 30:0 L FFFFFFFF is the memory range, and 31 00 etc. is the hex value of the serial # I entered (note the wide character format).

Now Softice found my string at 0030:004540B8, so I typed E to edit or browse around that location.  After around 10 presses of Pg Up I found something interesting lurking in memory, the Invalid Key message, and a few presses further on something like this.

0.D.0.5.0.F.1.6
.4.8.0.4. . . . . .		Well, it's 12 characters long and in wide character format.

So, I entered 0D050F164804 as my unlock code and registered the program.  Note also the rather simplistic correlation between the unlock code and the key: it seems that all the 3s in the key correspond to 0s in the unlock code.

3 2 3 7 3 0 C 4 7 7 3 6
0 D 0 5 0 F 1 6 4 8 0 4

Whilst at http://www.emulive.com I downloaded Emulive Premiere and Video Producer (both with the same 10 minute trial); you should find them remarkably easy to register in the same fashion as shown above.

Space Monitor 1.1a - (spacemon.exe 340,992 bytes)

Well, I just included this program as a little bonus because it illustrates the use of the Softice 'evaluate' feature, and this program has also got some fairly nice code that I can comment well.
Without further ado, run the program and then right-click on the icon it places on the taskbar, then select Register; note that the vendors have been kind enough to tell you that the code is 6 numbers.
So, enter a value (I used 121212) and then pop over into Softice; this program uses the WIN32 API so trial and error will suffice (GetWindowTextA does it for me).

Now when you push F11 you should be looking at this code:

CALL	User32!GetWindowTextA		Standard WIN32 function call.
LEA	EDX,[EBP-0C]			Loads the address EBP-0C into EDX (it points at our serial number).
PUSH	EDX				Save our serial # on the stack.
CALL	00435E8C				Function call, trace with F8 if you like.
POP	ECX				Remove our number from the stack.
MOV	ESI,EAX				Move EAX to ESI.
MOV	[00449734],ESI			Move ESI to memory location 00449734.
CMP	ESI,000B1014			Compare 000B1014 with the value of ESI.
JNZ	00404175				Jump if the result is not zero.

So, this code should be easy to follow, and if you had looked at a disassembled listing of spacemon.exe you would have known that 0040413A = good guy code and 0040417E = bad guy.  So at the CMP you can use Softice's evaluate feature to check what is in ESI by typing '? esi'; the result I got is shown below.

0001D97C	0000121212	"Text View"	Our serial #.

So if we evaluate the contents of memory address 000B1014 by typing '? 000B1014' we get this:

000B1014	0000725012	"Text View"	The good guy serial #.

So we can see that the good buyer's code is 725012, because the result of the compare has to set the Zero Flag.  You can now go ahead and register this program (note the details are stored in the registry).

Any Speed v1.3 (anyspeed.exe 1,076,736 bytes)

Another fairly interesting crack this, because many newer crackers will have experienced the challenge that this application presents.  As you know, my first step to crack most applications is to take out the disassembler, so don't wait on my account; you'll easily locate our nag at 0046A771 and also some other interesting references concerning Reg_Key and Reg_Name, but there's a problem: just above 0046A771 we'll see this code:

0046A768	7418	JE 004687A2	<-- Jumps Invalid Code Msg.

You reckon that just changing this so it always jumps, say 7418 to EB18, might do the trick; I didn't try it but I strongly suggest it won't.  Now look a little further up the tree, at the call referencing this at 00403DE1; have a look there and you'll see how many functions call this function, so it's not going to be easy.

So, let's try the Softice approach: you launch the program and up comes the nag, you select Registration Key and it's our old friends the 2 dialog boxes.  You enter some details, toddle over to Softice and try GetWindowTextA and GetDlgItemTextA in the hope they work..... and no break.  Well, Hmemcpy must do it, you think, but alas no, the program doesn't break on this either, and now if you are a newer cracker you are stuck.

Well, let's try another really great Softice feature and cracking approach: the window handle, bmsg approach.

Enter your details in the 2 boxes and Ctrl+D into Softice, type the following:

>hwnd		<-- Displays windows handles.

Now scroll the list using the space bar, look at the windows scrolling by, and note this:

Window-Handle	hQueue		SZ	QOwner	Class-Name		Window-Proc

04C4(1)			2A1F		32	ANYSPEED	TRegistrationDlg	147F:00000B38

Now this looks like the handle of our registration box; note that the handle will be different each time you do this.  So let's bmsg on this handle and the Windows message WM_GETTEXT using the following command in Softice.

>bmsg 04C4 wm_gettext (note that wm_command is also good for this situation).

Now, Ctrl+D out of Softice and click OK; you'll probably be returned somewhere in Kernel.alloc, but now let's search for the string we entered.

>s 0 l ffffffff '12121212'

I find my string at 00A43078 and a load of 8xxxxxxx and Cxxxxxxx locations, but let's dump the memory around the 00A43078 location.  At 00A43038 I find an 8-figure string which looks remarkably like a serial #, so let's enter it and see; you know that it works already, and as a side note the information gets stored in the registry.

Registration Name:	CRACKING TUTORIAL	Registration Code:	CF9A3A00

ScrnSaveSwitch/Plus v4.50 (ssswitch.exe 129,536 bytes)

Well, I've selected this next target purely because it introduces another useful Softice breakpoint, and also because this program does some checking which you should be prepared for when you start analysing programs that may then require a key generator; it also allows me to introduce the concept of analysing functions as opposed to just stepping over them.

So, you should have by now disassembled this target and noted the following addresses as being significant.

00409DCE - "Congratulations!, ScnSaveSwitch/Plus is now registered".
00409DE8 - "Sorry.  The registration code you entered is invalid".

Now a breakpoint on GetDlgItemTextA will work here, but you will start tracing at around 00401xxx and that's a lot of cracking time to waste single-stepping through code, so perhaps a little refinement may help.  Try setting a breakpoint on the function DialogBoxParamA instead; it's quite fiddly to actually do, but eventually you will get the program to break, just step with F10 if you can't.

This is the pertinent code, note that I entered 121212 as a serial #.

CALL	[User32!DialogBoxParamA]		Look in the WIN32 API guide for more information.
CMP	EAX,01
JNZ	00406223
LEA	EAX,[EBP-0F]				Load EAX with our serial number.
.....
PUSH	EAX					Push serial # on to the stack.
CALL	00409D70					A critical function.

O.K, I've just stopped here because if you actually F10 through the function 00409D70 it returns you to the bad serial number screen, so we are actually going to have to trace inside this function; instead of hitting F10 hit F8.

.....							Pushes to the stack.
PUSH	ESI					ESI now contains our serial # as well.
CALL	[Kernel32!lstrlen]				A very interesting function.
CMP	EAX,05					Now test whether the serial # is of length 5.
JNZ	00409DDE				Jump if not zero.

So what happens here is that the function lstrlen gets the length of our serial # and returns the result in EAX before comparing it with 5; if the serial # isn't 5 in length then the number will be considered wrong already, so let's return, enter a 5-character number and get into Softice again.

So we step through the CMP EAX,05 now, because so far our program thinks our serial # is correct.
Now we are in the checking mechanism; the code is fully commented below.  Remember we know that our serial # is in ESI and that if the program jumps to 00409DDE we have entered a bad serial #.

MOV	CL,[ESI]					Move the first digit of ESI into CL.
CMP	CL,32					Compare CL with HEX 32 (2 in decimal).
JNZ	00409DDE
CMP	BYTE PTR [ESI+02],37			Compare ESI+02, i.e. the third digit, with HEX 37 (7 in decimal).
MOV	AL,[ESI+04]				Move ESI+04 (the last number) into AL.
CMP	AL,36					Compare AL with HEX 36 (6 in decimal).
JNZ	00409DDE	
CMP	[ESI+01],CL				Compare CL (HEX 32) with ESI+01.
							So the 2nd digit must be 2.
JNZ	00409DDE
CMP	[ESI+03],AL				Finally, compare ESI+03 (the 4th digit) with
							AL, (AL=HEX 36, decimal 6).
JNZ	00409DDE

So, we can see that this program has one universally good code which must be 22766.  This sort of analysis can be done live in Softice but sometimes is easier in a disassembly listing.  Note that this program writes the serial # out to its own initialisation file, ssswitch.ini.
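The check above, rewritten in C as an added example (not ScrnSaveSwitch's own code), next to the same rule expressed as a digest comparison and a small harness that counts how many five-digit strings each form accepts.  The listing shows no JNZ after the [ESI+02] compare; one is assumed here since the author's conclusion (22766) requires it.  The digest is FNV-1a, used only as a stand-in for a real hash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mirrors the disassembly: lstrlen must return 5, then each digit is compared
 * with a literal (0x32 '2', 0x37 '7', 0x36 '6') or with a digit already checked.
 * Anyone reading the binary reads the accepted code straight off the compares. */
int weak_check(const char *serial)
{
    if (strlen(serial) != 5) return 0;   /* CMP EAX,05 / JNZ 00409DDE */
    char cl = serial[0];
    if (cl != 0x32)          return 0;   /* CMP CL,32 */
    if (serial[2] != 0x37)   return 0;   /* CMP BYTE PTR [ESI+02],37 (JNZ assumed) */
    char al = serial[4];
    if (al != 0x36)          return 0;   /* CMP AL,36 */
    if (serial[1] != cl)     return 0;   /* CMP [ESI+01],CL */
    if (serial[3] != al)     return 0;   /* CMP [ESI+03],AL */
    return 1;
}

/* FNV-1a, 32-bit.  A placeholder for a proper digest, chosen so the block
 * needs no library. */
uint32_t fnv1a(const char *s)
{
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h = (uint32_t)(h * 16777619u);
    }
    return h;
}

/* Same acceptance rule, but the binary now holds a digest instead of the digit
 * literals.  The constant is fnv1a("22766"), precomputed for this example. */
#define EXPECTED_DIGEST 0x48D2AD22u
int digest_check(const char *serial)
{
    return strlen(serial) == 5 && fnv1a(serial) == EXPECTED_DIGEST;
}

/* Enumerate all 100000 five-digit strings and count how many a checker
 * accepts; the first accepted string is left in first_hit.  Both checkers
 * accept exactly one, which is the real weakness: a single universal code
 * drawn from a tiny space.  Hiding the literals behind a digest does not
 * change that, it only removes the shortcut of reading them off the compares. */
char first_hit[6];
int count_accepted(int (*check)(const char *))
{
    char buf[6];
    int n = 0;
    for (int i = 0; i < 100000; i++) {
        snprintf(buf, sizeof buf, "%05d", i);
        if (check(buf) && n++ == 0) strcpy(first_hit, buf);
    }
    return n;
}
```
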

File-Ex v2.00c (fileex32.exe 13,312 bytes)

This program is an interesting little study for us crackers even though its size may not suggest so.  On installation it gives you a choice between 16-bit and 32-bit installations; in fact it's only the executable files that seem to be different and they don't implement the serial # check (who writes 2 files to do the same thing).  Note that running the 16-bit executable seems to crash my system.

So let's launch the program.  It should minimise as a task bar icon and then you can single click that to access the application; now you should be able to select Enter Registration Code.  Note our old friends the dialog boxes.  Let's see what happens with a bad Name & Number: "Sorry, the code you entered is not correct.  Please verify the exact name spelling and code digits".

Let's take out our disassembler.  Now, you should be able to find some interesting registration StringRefs in fxhook.dll (but note fxhook32.dll); the more interesting references can be found in fxcomn.dll ('File-Ex common' abbreviation perhaps).  You should easily locate these 2 references.

* Possible Reference to String Resource ID=00068: "Thank You!  This copy of File-Ex is now registered and fully"

* Possible Reference to String Resource ID=00069: "Sorry, the code you entered is not correct.  Please verify"

Now a little scroll up the disassembly should give you an idea what to set a breakpoint on in Softice.  The dll implementing the check is actually 16-bit, so we are going to use GetDlgItemText; note also the conditional jumps.  You should break in at address 07D0, now step to this code.

MOV	AX,[BP-0E]		Move code you entered into AX, ? AX = code.
MOV	DX,[BP-0C]		
CMP	[BP-12],AX		Compare.
JZ	081D			Must jump to be a good code.
JMP	0874			Jump to bad code.
CMP	[BP-10],DX		
JZ	0825			Must jump to be a good code.
JMP	0874			Jump to bad code.
MOV	AX,[BP-0C]		
OR	AX,[BP-0E]		
JNZ	0830			Jump if good buyer.
JMP	0874			Jump to bad code.
MOV	AX,0000			Clean up.

Now you should find this code easy to follow; remember that 16-bit code means 16-bit registers, i.e. AX as opposed to EAX.  The calculation routine is done in an earlier function call.  The program can be cracked by reversing the 2 pertinent JZ's so that they always jump; remember we are in fxcomn.dll.

If you are interested in undertaking a further analysis of the code, the program writes out your registration information to its own configuration file called fileex20.bin, just view it with a standard text editor.

Mine looks like this:

[Registration]
Name=Cracking Tutorial
Code=47750632

A lot of crackers avoid 16-bit code because it's not as 'friendly' as 32-bit, however many older applications and dongle chat routines use 16-bit code, so I suggest you practice your 16-bit skills as regularly as 32-bit.  It does seem, however, that inevitably 32-bit code will be standard.

Jot Note Manager (32-bit) v1.3 (jot32.exe 610,304 bytes)

Well here's another bonus application I've included especially for this tutorial; I thought I'd just demonstrate a method of cracking serial # dialog boxes by using Softice's search facilities.  It's easy enough to disassemble this target and find that 00462AF4 = nice buyer and 00462B0F = bad serial #, but try stepping with Softice and you'll be there a very long time and unlikely to trace anything, even though it breaks on GetWindowTextA.

When you start the target, there are 3 dialog boxes and one of them already has the number 1000 as a serial #.  Are there any implications of that?  As it turns out the 1000 is a red herring, in that you need actually do nothing with it; it's just used by a few functions.  If you are actually patient enough you can step to the code that determines whether you are a good buyer or bad cracker, and then reverse the JZ 00462B06 to a JNZ; the good code then gets written out to the registry, but many programs today will simply write out your bad code and then when you restart, the program's still unregistered.

So let's enter our name and an Activation Key that we can remember (say 12121212), now Ctrl+D into Softice and try a breakpoint on GetWindowTextA.  After each break and return with F11 you should enter the following in Softice.

* s 30:00 l ffffffff '12121212'	(This will search memory and return all locations where this string is being stored).

Eventually (around the 5th return on GetWindowTextA) you should find your string in memory.

Important: when searching you should disregard most hits that find your string around the 8xxxxxxx or Cxxxxxxx locations.  These locations are sometimes mirrors but usually just used by the OS (operating system) and BIOS.

I found my string at 0157:004878CC & 0030:004878CC when I did this twice in succession (your location may be different), but at this point you can disable all existing breakpoints and now set the following breakpoint in Softice:

* bpm 0157:004878CC		(Sets a breakpoint on memory location (i.e. our serial #)).

Now when you allow Softice to run again with Ctrl+D you should break again on the following code:

REPNZ	SCASB
NOT	ECX			ECX=11
LEA	EAX,[ECX-01]		EAX=10 (length of string)
POP	EDI			Pop EDI from the stack.
RET					Return from function.

This section of code gets the length of the string you entered then places it in EAX.

Now upon returning from this function, you'll see this code:

POP	ECX		Holds Serial # you entered.
JMP	0043F54A
.....
PUSH	EAX		Pushes length of your serial # on the stack.
PUSH	ESI		Pushes your serial # onto the stack.
MOV	EDX,[EBP-04]
PUSH	EDX

At this point you can do one of 2 things.  You can just start tracing with F10 to where you know the beggar on / beggar off conditional jump is, you will get there after a few function returns relatively quickly, or you could try dumping a little of the memory location around where your serial # that you entered is.  This is actually quite a useful thing to do when you are sure that you are looking at the protection routines, you should locate fairly easily your good serial # lying lazily near EDX.

With name Cracking Tutorial, Serial # 1000, Activation Key 1HCVPD5PE.

Dongle Cracking

Well, this section houses a fair amount of theory but you should read it, when you first start cracking, your competency will be tested and measured by others based upon your ability to crack dongles, dongled programs are widely acknowledged to be one of the most difficult applications to crack, it is the protection of choice for expensive applications such as Cubase, SoftImage and 3D Studio Max as well as various plug-ins.

So what is a dongle?  Well, it's usually a combination of hardware and software protection.  The hardware constituent is a small plug which usually connects to the parallel port of your computer (although I believe serial devices are also available); the 2 I've seen most often are Sentinel and HASP, but there are others such as DesKEY etc.  Put simply, if you don't have the dongle the program doesn't run, and often the program will periodically check during its operation for the presence of the dongle as well.

It's actually a lot easier to crack dongles when you have the actual dongle itself; in fact most tutorial authors probably possess the dongle in the first place.  Without the dongle you are probably going to have to 'zen' a lot and maybe pray.
With dongles I can not stress how important it is to have information about the protection you are dealing with; half of the challenge is establishing which flavour of dongle you are dealing with.  For the HASP check out ftp://ftp.hasp.com, just use a regular search engine for other vendors, and during the installation watch for files such as sentinel.vxd etc.  You should try and understand exactly the 'dongle' it is you are trying to crack and read my following tips.

1.  Remember that the weak part of the dongle is usually the software driving the hardware, for the most part all the software wants is the 'answers' from the hardware, forget cracking the dongle wrapper unless you are really wanting to sit down for a long session.
2.  Most dongle implementations are poor, the programmer will most likely write his own functions to check responses from the dongle using silly function names which are obvious under disassembly, if they used the dongle manufacturer's API the protection can be a lot stronger.
3.  Most dongles have more than one beggar off/beggar on check, sometimes flags are set discretely to trick you, tracking these down is fairly easy once you are sure that you are actually looking at the protection scheme.
4.  Some dongle routines will attempt to confuse you with complex maths expressions which in reality are very simple in operation, in assembler even simple mathematics can be confusing, this isn't that big a problem in Softice because there's usually a beggar off check at the end.
5.  For the most part, forget working out the dongles code or routines unless you really must understand it in its entirety, its sometimes better to settle for less aesthetically pleasing NOP's and brute force techniques.
6.  Don't despair when a dongle beats you, some programs can be literally uncrackable without the dongle present; some dongles drive the programs they protect to an extent where patching them is just impractical.  I wish you good luck and remember to use any information you have; study my brute-force crack below for an idea of what you're up against.


A DONGLE CRACK

Virtual Gibbs v4.23.13 (virtual.exe 4,100,096 bytes)

Well, I've just included this very sketchy tutorial on the following dongled application that I recently had the opportunity to study (thanks to Homes).  Virtual Gibbs uses the Sentinel dongle although I didn't have the dongle or drivers installed when I wrote this tutorial.

When you start this program a message box pops up with a beep telling you "Hardware key missing".  You could now disassemble the virtual.exe file looking for this string but it's not present and the disassembly might take a while, so let's first try and get an idea which program and which function is displaying our nag.

So I set the following breakpoint in Softice:

>BPIO -H 378 R	Breakpoint on Parallel port I/O access.

Now when I launched Gibbs, Softice broke, at this stage I really only wanted to find a bearing upon the protection location so I disabled the breakpoint and kept pressing F12 until the message box appeared, I then clicked O.K, and in Softice I could see that the function call 0044400C in virtual.exe had just displayed this message box, so I decided to start my tracing a little before here at this code (you can see this by pressing Ctrl+Up).

005839EF		TEST EAX,EAX	Patch this with an INT 3 so you can easily reach this code.
005839F1		JNZ 00583A0E		Jumps to function call.
.....
00583A0E		CALL 0044400C	Displays "Hardware key missing".

Now, lets start building our map of this 0044400C function (as a point of interest you can actually just no-op this entire function call and the program will start but then there's another check), forget also reversing the JNZ 00583A0E to avoid the CALL (you'll find from the disassembler that this check is with regards to the Material database).

So let's trace 0044400C and note all significant calls and conditional jumps, I've tried to tell you what I think each function call does but some I can't really work out without further examination:

CALL 007A5CB0		Called a lot, seems to set up Material.txt.
CALL 004440C5		Import Mpc.TickCount
JNZ 00444037 (jumps)		If this jump doesn't happen then 0044400C returns and Gibbs starts.
CALL 00444828		Nothing.
CALL 00444793		Nothing.
CALL 00444963		Calls a function before returning at 004449F6.
CALL 004449F7		Displays message box.

Now we can trace deeper into the protection scheme, examining 004449F7 produces these results, note how I've examined what happens in each scenario:

JZ 00444A1C (jumps)		If this doesn't jump then JZ 00444A1C gets tested (that is set to jump); if that then fails the function exits with a JMP 00444BB0 and Gibbs will not start, so it looks as if this JZ is safe to allow.
JNZ 00444A34 (no jump)	Similar to previous example.
JZ 00444A39 (jumps)		If this doesn't jump a loop is initiated incrementing ECX from 0 to B, then the function continues before exiting at 00444BB0; Gibbs then starts.
JNZ 00444AA7 (jumps)	If this doesn't jump a loop similar to JZ 00444A39 is initiated; Gibbs will then start.
CALL 0066A860		Looping and testing.
JZ 00444AE9 (jumps)		<-- Interesting - When this jump doesn't happen 006EB584 gets called and then 006E626D displays "Hardware key does not match flavor".

CALL 0066A860
CALL 006EB584
CALL 006EAE5C - Message Beep + Message Box.

Well you can see how this cracking approach will progress: now you start tracing 006EAE5C and eventually you'll have a complete picture of the calling hierarchy and be able to see which instructions will need patching.  In fact you could at this point just patch one of the instructions above so that Gibbs is allowed to start (it seems to work O.K) but I strongly advise that if you want reliable cracks you understand the 'hierarchy'; some techniques suggest giving each function you're interested in a name (especially if you discover interaction).

In fact with Gibbs there's not much further to go, I've given you the details of the functions below 006EAE5C.

CALL [00818A90]		Nothing.
CALL [00818A4C]		Audible Beep.
.....
CALL 0079991D		After this function EAX holds "Hardware key missing"
.....
CALL [008189B8]		Message.

Well, here's our answer to this dongle check, I'm now tracing inside 006EAE5C.  00818A90 seems to do nothing but after 00818A4C you'll hear a beep; if you actually trace this call you'll see that MessageBeep is unavoidable.  I traced after this but there is absolutely no way of avoiding 008189B8, so to crack this I would suggest that the call at 006EAE5C must never happen; now HEX patch this target.

I think this approach is probably brute forcing; it's not zen, but then I can't teach you how to do that and this technique does work.  Now run the program with your crack (I no-opped JNZ 00444AA7 - not very professional I know), and you should just make sure there isn't a sneaky routine checking for the dongle at a given time interval (I couldn't locate one), so enjoy this program.

CONTACTING CRACKZ ([email protected] (that's 2 underscores))

Well I hope you enjoyed reading this document and maybe learnt something from it, I certainly enjoyed writing it.  I'm working on other tutorials right now so if you have any applications that you would like to see included then just e-mail me (I'm looking specifically for dongles and function disabled applications).

I'd also appreciate any comments you want to send me on this document, even just a note to say you read it.
If I get a positive response I'll make some of my other 'rougher' notes available.

CrackZ