Index:
0. Introduction.
1. Disclaimer.
2. The main steps of cracking.
3. Additional programs you need to have for this
part of the tutorial.
4. Cracking the first program (sweet little
piano).
5. Conclusion
0. Introduction:
In this part, the second part of the cracking tutorial, you
will learn to use the most important tools of the common
cracker: W32Dasm and HIEW. You will also learn to crack some
simple programs.
The tutorials are divided into 3 parts:
Part 1: Introduction, tools and the basics of cracking.
Part 2: Practical training, using W32Dasm, and HIEW.
Part 3: key-generators.
Welcome to the second part. :-)
1. Disclaimer:
I created this tutorial for informational purposes only!
Much of the information in this document can be used to
perform illegal activities!
Don't attempt to do anything stated in this document!
If you do attempt to do anything, you are solely and fully
responsible for what you do!
If you get caught and get in any kind of trouble, it's your
own fault!
If you intend to use this information to impress your
friends, leave it and grow up!
If you don't agree to this, do not read any more!
If you crack a program, and either sell the crack or offer
it for free, it is a crime!
2. The main steps of cracking
You have already seen these steps in the previous part of
the tutorial, but it's very important to know them.
Remembering these steps and following them is 40% of the way
towards success in cracking the program!!!
There are 7 steps in the cracking process:
1. Run the program you want to crack and study its
behavior. Try to locate strings and keywords, try to enter
the password and see how the program responds.
2. Open the program with W32Dasm and disassemble it.
3. Find typical and common strings in the disassembly that
appeared within the program.
In most cases, you have to look for keywords such as:
password, name, date, expired, time limit, wrong, entered
and so on.
4. Find and observe the password generator, find the
protection routine and the API calls it makes.
5. Try to understand the jumping mechanism of the
protection.
6. Open the program in Hiew. Change the jump of the flow
control to its opposite jump command, or NOP it out.
7. Run and check how the change you have made in the
original program affected it.
Feel the power you have, the power of cracking, making
programs behave the way you want them to.
Learn those steps very well, until you dream of them; you
will use them in every program you crack.
3. Additional programs you need to have for this part of the
tutorial
By now, in this part of the tutorial, you have learnt the
main steps of cracking. Now, you are going to crack your
first program.
But before that, you need to get a little program called
"Sweet Little Piano". You can download it from:
http://www.ronimusic.com/
Now, when you have the program, let's start!
4. Cracking the first program (Sweet Little Piano)
Now we will follow each step and crack the program:
Step 1: Running the program:
Well, Run it! Duh... :-)
Well, what do we see here..... The program opens two text
files. Also we see "Unregistered Shareware" on the caption
bar... Now let's open the Help menu for any registration
options... Humm, what do we see here now...
oh, it's a password option... Well, select it and enter
something (don't hope it will be right :-)). To see what
happens... Click OK.. Hmm, nothing happens.... Maybe it
accepted it? Hmm.. no way... the caption bar still says
Unregistered... Ok close it... bah ... more text files ...
and a notification that the settings are not saved in the
unregistered version ... well ... kind of irritating those
text files! Let's fix it :-)
Step 2: Disassemble the program:
Disassemble the program. Good, small is fast :-) Always....
Now, we don't have any strings that pop up when we want to
register something... Let's browse for strings like
registered, unregistered, the string about the unsaved
settings. Hmm... evaluation time left ... password.txt....
passworddialog.... sweet little piano - Unregistered <<--
looks like our caption bar ;-) go on...Thanks for
registering ... cool! So it thanks you anyway :-) Let's jump
to that place ... Double click on it and we will pop right
on top of the registration routine...
Step 3: Analyzing the protection routine / Understanding the
jumping mechanism...
Let's analyze the protection routine.
////////////////////// Code snip ///////////////////////////

ADDRESS     MACHINE CODE   ASSEMBLER INSTRUCTIONS

* Possible Reference to Dialog: PASSWORDDIALOG, CONTROL_ID:0064, ""

:00401715   6A64           push 00000064
:00401717   53             push ebx

* Reference To: USER32.GetDlgItemTextA, Ord:0000h

:00401718   E8A5B50000     Call 0040CCC2
:0040171D   E822FFFFFF     call 00401644
:00401722   85C0           test eax, eax
:00401724   741E           je 00401744
:00401726   6A30           push 00000030

* Possible StringData Ref from Data Obj ->"SweetPiano"

:00401728   6866D24000     push 0040D266

* Possible StringData Ref from Data Obj ->"Thanks for registering!"

:0040172D   68FED14000     push 0040D1FE
:00401732   53             push ebx

////////////////////// Code snip ///////////////////////////
PasswordDialog ... a call to GetDlgItemTextA ... another
call.... a test... and depending on the test a je.... The je
jumps over the thank you ... And just ends the dialog box
... without telling you that you entered something wrong...
So this is right ... we did indeed not see that we typed
something wrong ... but apparently we are supposed to see if
we type something right :-)
Again execute the je jump, and look where it goes to ...
return from the jump.... Now let's try to rewrite what goes
on here:
    call ShowPasswordDialog
    call GetEnteredText
    call IsEnteredTextGood
    test value in eax
    je QuietExit
    ShowThanksForRegistering
QuietExit:
The source code must have looked like this:
    GetDlgItemText(_ID_Serial);
    if (EnteredTextGood) ShowThanksForRegistering();
    // else nothing....
This is another interesting piece of code.... test eax, eax
... this assembler instruction ANDs eax with itself without
storing the result; it only sets the flags, so the zero flag
is set exactly when eax is zero. If eax is zero, the je
instruction jumps; if eax is not zero, it does not jump....
To crack this program we can change the je instruction into
two nop instructions... and we are done...
We have seen here that the call has put a value in eax....
something which is either zero or not zero... In our
previous example we saw that the called Is_Serial_Valid call
set some value in memory ... Here we see that the called
Is_Serial_Valid call sets the eax register of our processor
to some value....
Step 4: Changing the original program...
So modify it :-)
1. Open Hiew.
2. Open the file within Hiew.
3. Find the address of the line in W32Dasm (it's on the
status bar, beginning with '@').
4. Press F5 in Hiew.
5. Enter the address you found in (3) and press ENTER.
6. Press F3 to activate the write option.
7. Press F2 to change the instruction.
8. Replace the command by 'NOP' (without quotes), which
means NO OPERATION.
9. Now a new command has appeared on the next line.
10. Replace it by NOP too.
11. If no further new instruction has appeared, press F9 to
update the file.
12. Press F10 to exit.
13. Run the program and see the result.
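Seen from the other side, a developer who ships a check like this can at least notice that it has been altered. The following is an added example (not from the tutorial) of a build-time integrity check over the four bytes of the `test eax, eax ; je` site from the snip; the image bytes and the file offset 0x0722 are constructed here, and a real check would read the PE section and use the real file offset.

```python
# Added example, not from the tutorial: integrity check for the protection
# site shown in the snip. IMAGE and SITE_OFFSET are constructed stand-ins.
import hashlib

ORIGINAL_SITE = bytes.fromhex("85C0741E")       # test eax,eax ; je +0x1E
SITE_OFFSET = 0x0722                             # constructed file offset
IMAGE = bytes(SITE_OFFSET) + ORIGINAL_SITE + bytes(16)  # constructed image
SITE_SHA256 = hashlib.sha256(ORIGINAL_SITE).hexdigest()  # recorded at build


def classify_site(image: bytes, off: int = SITE_OFFSET) -> str:
    """Describe what happened to the 4-byte check site."""
    site = image[off:off + 4]
    if site == ORIGINAL_SITE:
        return "intact"
    if site[:2] != b"\x85\xc0":
        return "test instruction altered"
    op = site[2]
    if op == 0x90:
        return "je replaced by nop"
    if op == 0x75 and site[3] == ORIGINAL_SITE[3]:
        return "je inverted to jne"
    if op == 0xEB:
        return "je made unconditional (jmp)"
    return "je altered"


def site_is_intact(image: bytes, off: int = SITE_OFFSET) -> bool:
    """Cheaper form suited to running inside the program itself: compare a
    digest of the bytes at the site with the one recorded at build time."""
    return hashlib.sha256(image[off:off + 4]).hexdigest() == SITE_SHA256


if __name__ == "__main__":
    # constructed tampered copy with the je turned into two nops
    NOPPED = IMAGE[:SITE_OFFSET + 2] + b"\x90\x90" + IMAGE[SITE_OFFSET + 4:]
    print(classify_site(IMAGE), site_is_intact(IMAGE))
    print(classify_site(NOPPED), site_is_intact(NOPPED))
```

A digest over the whole code section rather than four bytes is the usual production form; the per-site version is kept small so the match against the snip's bytes is visible.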
If you didn't succeed, have any questions or need any
additional information, E-Mail me and I will answer all of
your questions.
5. Conclusion
I gave this quite 'hard' cracking example so that you know
that if you can crack this program, you can crack almost
every program, and most of them are much simpler to crack.
In the next part you will learn to detect key generators and
crack them.
Before you go to the next chapter, go over the steps again,
and also go over the protection mechanism detection and
modification.
C ya then.
Credits
written by <TeCh~LoRd> (blacksun.box.sk)
version 1.0, 27/10/99