Writing your own cracks

W32dasm

Mirc 5.7

We first went to a site http://mirc.stealth.net/download/oldver.html which has a list of old versions of mirc that we could download. We downloaded the version 5.7 by clicking on the link http://mirc.slacker.to/download/track.html?bits=32&version=5.7. We then needed two more products w32dasm and hex workshop. Use whatever version suits you. The software installs itself in the directory C:\mirc and the executable is called mirc32. We ran this program and then clicked on help about. It tells us that this program is unlicensed. We then click on help register where we are asked to key in our use name and registration key. We key in any dummy values and then click on register. We are shown a message box with the words sorry.

We then load on the program w32dasm and click on the first menu option Disassembler, Open File to disassemble, and choose mirc32.exe in the C:\mirc directory. After a short wait this program disassembles mirc32.exe for us. If we knew assembly we could read the source code of mirc32 like a book. We then click on menu search and then find text. Here we write sorry and click on Find next.

The first line of the screen shows us where in our code we could be using this string. This is what we see.

00498B86 6A00 push 00000000

* Possible Reference to String Resouce ID=01913: "Sorry, your registration name......."<---find here

:00498B88 6879070000 push 0000779

:00498B8D E8E665F8FF call 0041F178

We now scroll some lines up until we come to the line stating

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

| : 00498AA1 (C)

:00498B42 6A00 push 00000000

This code tells us that at the instruction 00498AA1 there is a jump pointing to this code. Thus from memory location 00498AA1 there is a jump to this location. So lets go to this location and see what is going on. We now click on menu Goto, Goto Code Location and write the address 00498AA1 and click on OK. We come to the following lines of code.

:00498A9A E8E5FBFFFF call 00498684

:00498A9F 85C0 test eax, eax

:00498AA1 0F849B000000 je 00498B42

:00498AA7 BE3C9D4F00 mov esi, 004F9D3C

:00498AAC BF4C465000 mov edi, 0050464C

The call is calling some code at 498684 which will check for the correct number. Then it places a value in the eax register. We next test it value with 0, if it execute the je or jump if equal instruction. This takes us into our code that we saw earlier and displays the message box string of sorry.

At the bottom of the screen it tells us that the actual position in the file is 980a1. Now all that we do is replace the 6 byte jump with nops or 90. We load on hex workshop, click on menu File, Open and navigate to mirc32.exe. We click on menu edit Go to and choose hex in the radio button write 980a1 and click on Go. We land up at the first of the six bytes and replace these 6 bytes with the opcode 90. We then click on File Save and then say no for the backup copy. We have now patched up the copy of mirc32.

To try it we run the program again, click on menu help register, write our name, a registration number of our choosing and click on register. We do not get a sorry but a success message. We then click on help about and see our name displayed. The register button now disappears.

Problem we start the program again and now it does not seem to remember us at all. Two lines above the line we patched the system is calling a function at 498684. At offset 004986E6 we are calling the function using the instruction call 0049858C hex bytes E8A1FEFFFF.

:004986E6 E8A1FEFFFF call 0049858C

:004986EB 85C0 test eax, eax

:004986ED 7407 je 004986F6

We next double click on the line je and this location is now 97ced. Here we write 2 no ops using hex workshop. We now repeat the same process in mirc32 and now we get no error and he remembers us for good.

Regview

The file name is tut10.zip from the site http://woodmann.net/krobar/ which has the zip file tut10.zip which in turn has a file regview,zip that simply has one exe file and no uninstaller regview.exe. We run regview 30 times before it expires and now it asks us for a user name and key and we click on OK. We key in the wrong details and it comes back with a message Wrong Register key.

We load regview.exe in our disassembler w32dsm by clicking on the first menu Disassembler, then open file to disassemble. If the fonts do not look readable choose menu disassemble , Font , Select Font and choose FixedSys the second font. Then again choose same menu, Font and save default font.

We then click on menu Search, Find Text and write the text Wrong. This takes us to the line 48d8b1. We just scroll a couple of lines where we come to the conditional jump 48d885. This means that if w ego to the line 48d885 there will be a conditional jump instruction that will point to the 48d8b1.

Lets click on Goto, Goto code location and write there 48d885. Here we see a jump instruction je 48d8a6. This simply means that if the condition is we will jump to the code 48d8a6. Here we display the message box. This je instruction on disk is at 8cc85 and the two opcodes are 741f. We will nop these two bytes so that the wrong register key error message will not be displayed ever and the system will pass us.

We load on hex workshop, File, Open and open regview.exe from the regview directory. We click on edit. Goto and write the location 8cc85. We change the two bytes to 90 and then File Save No to create a backup. The program runs, asks us to register ourselves we say ok, key in any user name and key click on ok and the system says all is ok. The second time we run it we are not asked to register ourselves.

Crackme1.exe

We once again downloaded the file proj1.zip from the site http://woodmann.net/krobar/ and this contains a zip file crackme1.zip that contains the exe file crackme1.exe. When we run this program it asks us for a serial number and then we click on Check. At this time we get an error starting with incorrect.

We fire up w32dasm and then click on Search, Find Text, we write incorrect and land up at code line number 4015b4. Looking a few lines above we see that we came to this code from line number 401595. Here we must find some jump to line number 4015ad. Lets choose Goto, Goto Code Location and write 401595. Here we see the line je 4015ad.

At the bottom it tells us that the actual position on disk is 1595 and the opcode takes up two bytes. Always look for a call, test and jump combination. We fire up Hex Workshop, File, Open , crackme1.exe , Then menu edit goto, 1595 and here we write two 90’s over the byte 75 16.

We save the file and now rerun crackme1. Now whatever we type numbers or letters of the alphabet it all works like a charm.

Evdcm2

We downloaded a file haque.zip from the site http://woodmann.net/krobar/ that contains a exe file evdcm2.exe. We run this program, key in a user name and key and click on button Check. We get an error that says Sorry. We fire up w32dsam and open the file evdcm2. We search for the text sorry and now come to a conditional jump that says that there are two points that lead to this error message. These are jumps are from code locations 401140 and 4011ef.

This is what makes disassembly interesting. No hard and fast rules. We start backwards and jump to code position 4011ef. Here we see a two byte je 4011fb and disk location 7ef. The instruction before is a compare and not a test. We change the two bytes to 90 90 in hex workshop.

Now when we type in any name and any key, we get no error message box but also no success message. When we close the application we get an error message sorry. Thus the second reference to our code is when we close the window.

As we do not get a MessageBox for success lets try another way. We find the words sorry again at code location 401223. If we move our eyes to line number 40121a, three lines above we come across a jump instruction. The opcodes are EB 19, EB for a jump, 19 bytes from where we want the next code to be executed. These 19 bytes offset is converted to a actual location and the jump reads jmp 401235.

The problem here is that we are doing lots of checks so lets change the 19 to 3f. We go to location 81b on disk and change the 19 to 3f. The instruction now changes to jmp 40125b. The reason we jump here 40125b is because we see a push and the string yep. This is obviously the start of code that displays the message box. Earlier there was no reference to this point but now there is.

Earlier we changed the opcode to nop, now we can make it ump to another location. We are bypassing all the error checks that were made earlier.

Crackme2.exe

This above exe file comes from the zip file proj2.zip. Running the exe file gives us a message box and then a dialog box and we click on the third button serial. We key in our key in the text box and click on the button Check it baby. This gives us a message box with the words failed. Click on exit to quit out.

We load our program in w32dasm and find the words failed. The line number it appears is 42f423. Looking two lines up we see that we have reached here because there is a jump from line number 42f4d5. At this location there is a 2 byte jne 42f4f1. The disk location is 2ed5.

We change these two bytes in hex workshop and we get a message box saying Good job dude.

Crackmes

We went to the site http://www.crackmes.de/users/khattam/khattam_s_patch_me_v2/download to download a file pm2.zip. Throughout this tutorial we will show you how to crack actual code as well as crackmes that people put on the net.

Lets now move to the softice section to find out more.

SoftIce Section

Crackme1

We press Ctrl-D to move into softice and write bl to list breakpoints. We should see none. We then run the command bpload crackme1. This will call softice whenever we load our program crackme1. We then use bl to see that we have one breakpoint active. We now run the program crackme1. This loads softice and we set a breakpoint on function lstrcmpA by the command bpx lstrcmpA. We use the command bl to see that the second breakpoint is set.

Never write out the full command. Pressing tab will show us possible options. We then write our name in the text box and click on the button check. Magically softice gets called. This is because the program uses a simple compare to compare the two strings. Finally in some form our program has to call function lstrcmp to do the final string comparisions.

We then write d esp and this displays the memory location pointed to by esp. The lstrcmpA function receives the parameters on the stack. The display shows us <Brd-SoB> and vijay Mukhi. This is how we know that the password is the first string. The second way is by using the softice debugger by pressing f12 to execute the lstrcmp function. This places 1 in the eax register and now we come to the test instruction. Before we press f10 we press ALT-R to activate the register window. Change the value of eax to 0, press CTRL-D and we get a success message box.

This is how we can actually get at the actual values of the key. Bc * clears all the breakpoints set.

Evdcm2.exe

We first load the exe file in w32dasm, menu functions, import gives us a list of functions names and the dll’s that these functions come from. Thus allows us to set breakpoints only on those functions that our program uses.

Let use soft ice to find out the key for vijay. We first run the program and then key in vijay and some dummy key son. We move into softice and set a break point for the function GetDlgItemTextA. We then Ctrl-D, click on check we land up in softice. We press f12 once to get out of the function GetDlgItemtextA. We next single step in our case 115 times until we come across the instruction cmp edx,[esi]. It is here that a check is being made for the key. In our case the value of esi is the key we types, edx is 0946d7. We use the calc program to convert this value into decimal which is 607959. We write this for the new key in the program and it works for name vijay. This is how you can figure out a key by using softice

It takes tons of patience as we kept looking for some cmp or test instruction. When we found it we knew that one register was storing our key esi and the other edx was storing the key calculated by the program. We have to single step as we do not know where the check is being made.

Our own code

a.c

#include <windows.h>

main()

{

char *p, *q,*r;

p = "one";

q = "two";

MessageBox(0,p,q,0);

printf("%x\n",main);

}

We first run our program that displays for us a messagebox with one and two displayed. We then set a breakpoint in softice by pressing CTRL-D and writing bpload a. Now each time we load program a soft ice gets called. When we run the program the last printf displays the address of main which is 401000.

When we fall into softice after running a we set a breakpoint at the function main by the command bpx 401000. We press CTRL-D again, and now see the first lines of our code. The two strings one and two get stored in memory from the data region by the instructions

Mov DWORD PTR [ebp-4],0040c00

Nov DWORD PTR [ebp-8], 0040c04

The address of string one goes to ebp-4 and string two to ebp-8. These strings are stored at 40c00 and 40c04. If we run the command d 40c000 we will see our two strings one, two and the %x displayed. If we look some lines down we will see the following code

Push 00

Mov eax,[ebp-08]

Push eax

Mov ecx , [ebp-04]

After running the first mov, the eax register gets the value 40c000 which is the address of the string one. The first mov begins at 401016. We now write the following command in softice

A 401016 <enter>

We are now asked by softice to write the new command that will replace the earlier command. We write

Mov eax , [ebp-08] <enter> <enter>

Immediately we see the change in the code window and now if we press CTRL-D, we see our message box with two one’s and not a single two. The point of the above is that we can change the code to our liking dynamically. When we run the program again we get the same answer two one’s as softice actually makes changes to the file on disk.

When we recompile the program and run again it shows us a one and a title of two. Thus all changes made by using the a command are saved to disk. Thus most people use this feature to crack software and make changes permanent. Thus wedo not have to use a disassembler at all. This is what we thought. All the changes made are sticky. They remain until we change the exe file or reboot windows. Thus we thing they are permanent they are not.

We compile our program again and now a the second CTRL-D we write the following command,

Wd 40c000

This open up a data window displaying for us the data beginning at location 40c000. This display shows us one, two etc. We use the ALT-D hotkey to activate the data window, tab to move to the ascii side and replace one by vij. In our code window one changes to vij immediately.

We CTRL-D and we see vij in the message box. In this case as the variable is on the stack, no changes are made permanent and the next time we run we see one and not vij. Making the variables p and q global also does not help.

Cracke2.exe

Lets find out the password by using softice. We first set a breakpoint on the program crackme2 by issuing the command in softice bpload crackme2. We then load on w32dasm and realize that before the je 42f4f1, there is a call 4039fc. It is this code that is checking for the password. This instruction begins at line number 42f4d0. Just before this call we are moving some values into the edx and eax registers.

We run crackeme2, we get into soft ice, here we set a break point on 42f4d0 by bpx 42f4d0 and CTRL d. We click on the first message box and then on serial , we write vijay in the text box and click on baby. We go into softice. We write d eax to display what eax is pointing to and this is our string that we typed vijay. We then d edx and see Hello Dude!.

We get a good job done message box and this is how we can get at passwords. In this case the function called was passed the two strings not on the stack but in registers.

At code location 42f4d5 we have the opcodes 75 1a and the line reads jne 42f4f1. We changed this to 90 in hex workshop. We run crackme, move out of softice and write the serial. We once again move into softice. Here we are stopped at the call. We write

A 42f4d5 <enter>

We write

Jz 42f4f1 <enter> <enter>

The opcodes change to 74 1a from 75 1a and the jnz to jz. We press CTRL-D and we see a success message box. We run the program again and the same success message box appears. The disassembler shows us 75 1a, our code shows us 74 1a. After some time softice once again reverts back to the original.

Lets now use all the three programs so that we can remove the nag screens. We first ctrl-D into softice, set a breakpoint on MessageBoxa by writing bpx MessageBoxA. We then CTRL-D out, start crackme2. We immediately move into softice but here we are at the start of MessageBox code and not at the call. We are in the code of user32 not crackme.

We press f12 to leave the code of MessageBox and we are at the next line that called MessageBox. Thus we know that the call of MessageBox is at code line number 42a1a9. We go to w32dasm and here we find out that the disk address of the call is 295a9. We then load hex workshop and change these 5 bytes to 90’s. The nag screen disappears.