Tutorial 16 Part 8.txt

PART 8:
~~~~~~

                        A DREADed Guide to Cracking
                             Written by MisterE
                              13th March 1999

.----------------------------------------------------------------------------------------------.
|                                             Index                                          |
`----------------------------------------------------------------------------------------------'
Introduction

Serials
  Windows32BitDisassembler: String Fishing
  SoftIce: Getting Started
    Short Intermezzo about APIs and dlls
  Combining the power of Windows32BitDisassembler and SoftIce
  SoftIce: The 'Break on Memory Access' Approach
  Other Serial Protections

Patching
  A warning before we start
  Finding the offset of the code you want to patch
  Intermediate way of finding the serial
  Let's Patch!
  Spreading the Patch
  Problems

Nags
  Very Easy Nags (MessageBoxes)
  Universal approach to get rid of those nags
  Hard Nags
  Intermediate: String fishing using a hex-editor and W32dasm

Keyfiles
  Arriving at the protection scheme
  Some common keyfile checks

Visual Basic Cracking
  Introduction
  Requirements
  Visual Basic Programs
  Approaches
  Case1: Visual Basic 3 Programs
  Case2: Visual Basic 4 Programs
  Case3: Visual Basic 5 and Visual Basic 6 programs
  Using Numega's Smartcheck
  Using SoftICE and W32Dasm

Greyed targets and CrippleWare
  Find out if the target is missing a feature
  Uncrippling

CD-Checks

Last Words And Greetz

Tools

API's that might help you breaking into SoftIce
  API's that are used to get text from the screen
  API's that protection scheme's might use
  API's that keyfiles protections use
  API's that CD protections use
  API's that are used to read/write from plain text files (INI, CFG)
  API's that programs use to access the registry
  API's that have something to do with time
  API's that put a nag-screen on the screen
  Visual Basic APIs
    Compare APIs
    Other APIs that are common



.----------------------------------------------------------------------------------------------.
|                                        Introduction                                      |
`----------------------------------------------------------------------------------------------'
Hi,

Here's another essay from me and all the people that helped me by writing pieces of this guide
and supporting me with info. You wouldn't be reading this essay without the help of
BaneOldMan, Rhytm and {_Suby_}. I started this Guide in December 1998, quite some time back.
But after some time I joined DREAD (Dutch Reverse Engineers And Deciperians), so now this is
a DREADed Guide.

In this Guide, I'll try to explain to you how most protections work and -moreover- how to defeat
them. The protection schemes will NOT be explained in a target specific way; rather, in a
general fashion, so be prepared for some theory :)

I've tried to keep this Guide as readable as possible, starting from newbie level to more
advanced level, sometimes you might see some intermediate cracker tips. Those tips are NOT
meant for newbies, but for crackers who have some experience in cracking. I've included those
tips so both newbie and more advanced crackers will have fun in reading this Guide.

I've included some reference material and an index at the end of this Guide to keep it
as readable as possible. Well, won't bother you with a longer Introduction, here we go :)

MisterE

PS: If YOU also want to write a piece for the Guide, contact me!!
PSS: Expect updates for this Guide, as new pieces will be added.

.----------------------------------------------------------------------------------------------.
|                                          Serials                                           |
|                                      Written by MisterE                                      |
`----------------------------------------------------------------------------------------------'
Windows32bitDisassembler (W32dasm): String Fishing
Most people who want to learn about cracking, start with W32dasm, because it's easy to
understand. Just open the program you want to crack and go to 'Refs - String Data References'.
See if you can find a string that has something to do with the registration of the target.
Look for strings like: 'Thank You (for registering)', 'Wrong Serial', 'Invalid Serial', etc.
You found such string? Cool! Now double-click on the string to go to the location where that
string is mentioned (do another double-click on the string to go to the next location). Take a
good look at the code now..........Do you see some conditonal jump to the string? Go to the
location of the jump that points at the string. It is very likely that this jump determines if
the serial number you entered is either right or wrong. You can create a patch for this target.
You can patch this by toggling the jump. Say turn a JumpifZero (JZ) into a JumpifNotZero (JNZ).
See the part about Patching for that.

SoftIce: Getting Started
Most of the time, when I want to crack a serial protection, I just set some breakpoint
on GetWindowText(A) and GetDlgItemText(A). The A on the end means that the API is 32-bit.

Short Intermezzo about APIs and dlls
I just mentioned an API. I'll give you some more info about this. You probably seen all those
weird .dll (dynamic-linked libraries) files in your windows directory. These dll files contain
APIs or Application Programming Interface. Now what does this all mean? To start with the APIs:
an API is something like a procedure or function as you know them in pascal or C. You call the
API (or function) and gives it some parameters for input, in pascal you would have:
Function CombineStrings(string1, string2 : string):string;

In windows 32Bit assembly it would look like this:
push string2
push string1
call CombineStrings   (the API returns a pointer to the output string in EAX)

This is just some fictional API. Notice that the parameters string1 and string2 are pushed in
reverse order on the stack. You can probably guess what a dll is now: it's a library that
contains APIs.
End Intermezzo

You press F12 (trace until you get out of a call) a few times so you get into the main program.
How do you know you are out of a call? Well, that's in the caption of the code window, press
'wc' a few times to see what the code window is. If there's no caption, you aren't in a call
anymore. Now look for a TEST or a CMP mnemonic (that's how these instructions are called,
impress your friends with it :) You spotted such mnemonic??? Great! You've got a big chance
that you landed right in the protection scheme, and -maybe- even discovered the
Registered/Unregistered jump. Now trace (F9) until you reached this TEST ecx, ebx
(or some other register, that doesn't matter). Take a look at the register (using 'd ebx' or
'd ecx') and write down the serial. BUT we are not always that fortunate that we get the serial
at once...so read on!
Note: Hmemcpy might break if GetWindowText(A) or GetDlgItemtext(A) doesn't work. See this
for more API's.

Combining the power of Windows32bitDisassembler and SoftIce
I like W32Dasm very much! With some brain you can (sometimes) even get a serial without
SoftIce. Open the Refs - String Data references, and take a look at the strings in the program.
Some programs have their serial number hardcoded (written in plain text) in the program, bah, no
honour to get from that program. Now, say the program has a better protection :) Say you even
find a string that says you failed the serial test, or something like 'Thank you!'. That's what
we want to hear! Now take a look at the address of this string (by double clicking on the
string). Scroll a bit up and LOOK, examine the code, it won't take you long. You probably see
something like 'Referenced by a conditional jump at 44E7C3'. Scroll up to this address and write
down this address. You could Patch the jump. But there are some warnings. Now you
don't want a lousy patch! You want a SERIAL. I'll tell you how to. Fire the target and place a
breakpoint on Hmemcpy. Press a button or something and you'll get kicked into SoftIce. Place a
breakpoint at the address you wrote down and disable the breakpoint on Hmemcpy. Go to the
registration screen and enter some name/serial and the program should break. Look into some
register to find out what your serial is. Why did I tell you to place a breakpoint on hmemcpy?
Well, if you didn't place this breakpoint and just set a breakpoint at the address, SoftIce
wouldn't break. That's because SoftIce has to know on which program it should break on.

Intermediate tip: type 'addr' to see which program SoftIce is hooking on, you can also type
'addr name_program' to tell SoftIce which program it should break on.

Softice: 'break on memory access' approach
Ok, we got better protection scheme! Time for the 'break on memory access' approach. Say you got
a program to break and you're in SoftIce. Do a search on the serial that you entered by typing
's 0 l ffffffff 'my_serial'' If SoftIce finds your serial before 80000000h then you got a good
chance finding a serial. Why did I say 'before 80000000h'? Because above 80000000h you only have
useless copies of your serial (well, most of the time). Now put a breakpoint on this memory
location. Do this by typing 'bpm address' or 'bpr starting_address ending_address RW'. The RW
means that SoftIce has to break when a program reads or writes to that address. Now continue
running the program. The program should break. Take a look at the code and follow it. Look for
CoMPare functions, procedures that check if you entered a correct serial (no ascii codes above
7Ah, etc). If you spot such procedures, you just have to trace to look what the program is
doing, use your brain to figure out what the program ...