There is a crack, a crack in everything. That's how the light gets in.
Creating dead listings with W32Dasm or IDA Pro won't help you much, because most of the code won't make any sense to you whatsoever, and trying to use Softice to trace through the program's code will only succeed in burying you under huge numbers of sub-routines, tiring you out long before you find the actual code you were looking for. I speak on behalf of newbies for the above statement; the more experienced crackers like Razzia, +Fravia etc. would find ways and means to avoid these pitfalls.
Once you put these silly thoughts about Visual Basic programs being hard to crack out of your mind, all you're left with is a weak serial number registration scheme hiding behind a 'myth' hehehe. The serial number used in Minimize Magic is based on your Handle/Name and, just to add a little more spice to the *crack*, it's also tied into the 'Installation key', a randomly generated sequence of numbers that is produced each time this software is installed. This means you can't use the same serial number twice on different computers, but we don't have to worry about that..:)
One other small item of info about the protection system used by this program: it can detect changes to its registry entries and, upon detection, will disable most of the functions within the program, but you can still access the Registration screen without any problems.
Here's where I found a bug in the program. It seems that once the program detects changes to its registry entries it performs a number of steps (one of which is to display a few message boxes informing the user that the program has detected "tampering" with its registry entries) that in some way cause it to create a General Protection Fault each time you subsequently exit from the program. Even if you register this program this fault STILL persists. Re-booting the system does not cure this problem.
On successful installation of Minimize Magic the following entries are created in your System Registry:

HKEY_CURRENT_USER\Software\Genesoft
HKEY_LOCAL_MACHINE\SOFTWARE\Genesoft Developments

Once registered, the following entry is created with the following data:

HKEY_LOCAL_MACHINE\SOFTWARE\Genesoft\MinimizeMagic
Key      = KJBJBAG     <--- Unique key generated on each installation copy.
Password = KCIIGFAEB   <--- The serial number to register this babe.
User     = The Sandman
Version  = 2.2.870
; WINICE.DAT
; (SIW95\WINICE.DAT)
; for use with SoftICE Version 3.2 (Windows 95)
; 14 July 1997
; Change the path to the appropriate drive and directory
EXP=C:\windows\system\kernel32.dll
EXP=C:\windows\system\user32.dll
EXP=C:\windows\system\gdi32.dll
EXP=C:\windows\system\comdlg32.dll
EXP=C:\windows\system\shell32.dll
EXP=C:\windows\system\shell232.dll
EXP=C:\windows\system\advapi32.dll
EXP=C:\windows\system\vb40032.dll    <--VB4 Run Time library.

Without this line Softice won't be able to tell you which sub-routine you might be tracing through or which sub-routine is being called by the target program.
2. Next, we are going to reconfigure one of Softice's function keys, Alt-F4, which is not often required or used, and re-program it so that it will automatically locate the EXACT Visual Basic sub-routine that compares our entered serial number against the one the target program expects us to use. Forget about setting any breakpoints on memory locations etc., we will go for the jugular with this new function.

While still editing Winice.dat, locate the line starting with AF4="^ and REPLACE it with the AF4 line shown below.
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="code on; altscr off; lines 58; wc 33; wd 8; wr; wl; ww 2; faults off;"
CF2="^wr;^wd;^wc;"
The above lines assign commonly used Softice commands to some of your function keys. This saves a lot of typing on your part, since you can execute a whole sequence of commands just by pressing two keys together. Now the new ALT-F4 function will save you from having to type:

s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

every time you wish to locate the VB routine that compares two strings together.

This command simply tells Softice to search for a unique sequence of 19 bytes, starting from memory location 0 all the way to the maximum amount of memory installed on your PC. These bytes form just a part of the VB routine we're interested in, and we have to include this many bytes because there are other very similar routines to the one we're interested in; this way we can be sure that the VB routine Softice finds is the right one.
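To make the "why 19 bytes" reasoning concrete, here is an added C example (not code from the essay, SoftICE or the VB runtime). It builds a small constructed memory image containing the routine exactly as disassembled later on this page plus a constructed look-alike that differs only in its final instruction (repz cmpsb instead of repz cmpsw, an assumption for illustration), then runs the same linear byte search SoftICE's s command performs. A 16-byte prefix of the pattern hits both routines; the full 19-byte pattern hits only the right one, which is the same specificity argument used when tuning any detection signature.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The 19-byte pattern from the Alt-F4 macro above, as an array. */
static const uint8_t VB_CMP_SIG[19] = {
    0x56, 0x57,                   /* push esi ; push edi */
    0x8b, 0x7c, 0x24, 0x10,       /* mov edi, [esp+10]   */
    0x8b, 0x74, 0x24, 0x0c,       /* mov esi, [esp+0c]   */
    0x8b, 0x4c, 0x24, 0x14,       /* mov ecx, [esp+14]   */
    0x33, 0xc0,                   /* xor eax, eax        */
    0xf3, 0x66, 0xa7              /* repz cmpsw          */
};

/* Tail of the routine as disassembled on this page:
   je +5 / sbb eax,eax / sbb eax,-1 / pop edi / pop esi / ret 0c */
static const uint8_t CMP_TAIL[12] = {
    0x74, 0x05, 0x1b, 0xc0, 0x83, 0xd8, 0xff, 0x5f, 0x5e, 0xc2, 0x0c, 0x00
};

/* CONSTRUCTED look-alike (an assumption, not taken from the VB runtime):
   identical up to xor eax,eax but ending in "repz cmpsb" (f3 a6), i.e. a
   byte-string compare rather than the wide-string compare we want. */
static const uint8_t LOOKALIKE_HEAD[18] = {
    0x56, 0x57, 0x8b, 0x7c, 0x24, 0x10, 0x8b, 0x74, 0x24, 0x0c,
    0x8b, 0x4c, 0x24, 0x14, 0x33, 0xc0, 0xf3, 0xa6
};

#define SAMPLE_MAX 128

/* Build the constructed "memory image": nop padding, the look-alike,
   more padding, then the real routine. Returns bytes written (77). */
size_t build_sample(uint8_t *out)
{
    size_t n = 0;
    memset(out + n, 0x90, 8);             n += 8;   /* padding    */
    memcpy(out + n, LOOKALIKE_HEAD, 18);  n += 18;  /* decoy head */
    memcpy(out + n, CMP_TAIL, 12);        n += 12;
    memset(out + n, 0x90, 8);             n += 8;   /* padding    */
    memcpy(out + n, VB_CMP_SIG, 19);      n += 19;  /* real head  */
    memcpy(out + n, CMP_TAIL, 12);        n += 12;
    return n;
}

/* Linear byte-pattern search, the job "s 0 l ffffffff ..." does over the
   whole address space. Returns the offset of the first match or -1. */
long find_first(const uint8_t *hay, size_t hay_len,
                const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0 || sig_len > hay_len) return -1;
    for (size_t i = 0; i + sig_len <= hay_len; i++)
        if (memcmp(hay + i, sig, sig_len) == 0) return (long)i;
    return -1;
}

/* Count every match, to judge how specific a signature is. */
int count_matches(const uint8_t *hay, size_t hay_len,
                  const uint8_t *sig, size_t sig_len)
{
    int hits = 0;
    if (sig_len == 0 || sig_len > hay_len) return 0;
    for (size_t i = 0; i + sig_len <= hay_len; i++)
        if (memcmp(hay + i, sig, sig_len) == 0) hits++;
    return hits;
}

/* Match the first prefix_len bytes of the signature against the sample. */
int sample_match_count(size_t prefix_len)
{
    uint8_t buf[SAMPLE_MAX];
    size_t n = build_sample(buf);
    return count_matches(buf, n, VB_CMP_SIG, prefix_len);
}

long sample_first_offset(size_t prefix_len)
{
    uint8_t buf[SAMPLE_MAX];
    size_t n = build_sample(buf);
    return find_first(buf, n, VB_CMP_SIG, prefix_len);
}

int main(void)
{
    printf("16-byte prefix matches %d routine(s), first at offset %ld\n",
           sample_match_count(16), sample_first_offset(16));
    printf("full 19-byte pattern matches %d routine(s), first at offset %ld\n",
           sample_match_count(19), sample_first_offset(19));
    return 0;
}
```

The decoy sits at offset 8 and the genuine routine at offset 46 in the sample; dropping the last three bytes of the pattern (the cmpsw itself) is enough to make the search ambiguous.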
Now save your winice.dat file. Make sure you make a backup first, just in case you make any mistakes.

That's it!
Razzia had already done the ground work for cracking this program and others like it, so I will also take this opportunity to give you some helpful tips along the way which should make VB cracking a lot easier.

Once Minimize Magic has been properly installed, run the program and select the menu option Help, then Permanent Registration. Type in your Name/Handle, then a random sequence of numbers into the Registration box.
Before going any further press Ctrl-D to fire up Softice and then type:

bpx hmemcpy

Now type X to leave Softice. So far so good..
OK, now you can click on the 'OK' button...
Softice breaks at the beginning of the HmemCpy sub-routine.
From here press the 'F11' key once, then start pressing the 'F10' key UNTIL you see Softice display this on its code status line:

MSVBVM50!.Text + 000B881    <--This address will be different on your puter.

You're now deep within the Visual Basic code. You might have to press 'F10' quite a few times before you actually see this, but do keep trying, you'll get there..
Now we want to quickly find the routine that compares our serial number with the *real* one, and we can do this effortlessly by pressing the ALT-F4 keys together. Softice should now report back one memory location where the sub-routine we're looking for is to be found in memory. In my case Softice reported:

Pattern found at: 0030:0F00D9EA    <-This address will be different on your puter

Now type: u followed_by_the_memory_address_just_given_by_Softice
In my case I type:

u 0030:0F00D9EA

but you will have a different memory address, and it's this memory address YOU must type in.
All going well, Softice should now display this code snippet:-

56          push esi
57          push edi
8B7C2410    mov edi, [esp + 10]
8B74240C    mov esi, [esp + 0C]
8B4C2414    mov ecx, [esp + 14]
33C0        xor eax, eax
F366A7      repz cmpsw
7405        je 0F79B362
1BC0        sbb eax, eax
83D8FF      sbb eax, FFFFFFFF
5F          pop edi
5E          pop esi
C20C00      ret 000C
If you're going to crack VB4 programs then memorize this tiny routine; it's the whole key to unlocking a whole host of VB4 programs just waiting for you to crack!

OK, from here type: bpx followed_by_the_memory_address_just_given_by_Softice
In my case I type:

bpx 0030:0F00D9EA

but you will have a different memory address, and it's this memory address YOU must type in.

Lastly, type: bd 00 to disable our original hmemcpy breakpoint, we don't need it anymore, and finally type X to leave Softice.
Softice now breaks again, this time on our newly created breakpoint, so it's a good opportunity for us to explore and understand just exactly how this sub-routine compares two sets of strings. I've done this for you (see below), but by all means check for yourself by pressing the 'F10' key a few times:-
56          push esi             ;Save register esi for safe keeping
57          push edi             ;Save register edi for safe keeping
8B7C2410    mov edi, [esp + 10]  ;edi = "PC97"  Check for known cracker!
8B74240C    mov esi, [esp + 0C]  ;esi = Your entered serial number
8B4C2414    mov ecx, [esp + 14]  ;Length of User name "PC97"  ecx=4
33C0        xor eax, eax         ;Clear eax register
F366A7      repz cmpsw           ;repeat_until_ecx=0 & compare strings
7405        je 0F79B362          ;jmp if both the same.
1BC0        sbb eax, eax
83D8FF      sbb eax, FFFFFFFF
5F          pop edi
5E          pop esi
C20C00      ret 000C             ;Return from this sub-routine.
Notice anything odd here? This routine is checking for a user name we didn't type in, in this case "PC97". It seems the authors of this program have added a few extra routines to their latest version of Minimize Magic compared with the version Razzia used.

No problem; while still in Softice press X to leave, and once again Softice breaks at the same place as before. So the program wants to do some more string checking..:)
56          push esi             ;Save register esi for safe keeping
57          push edi             ;Save register edi for safe keeping
8B7C2410    mov edi, [esp + 10]  ;edi = Your entered Serial Number
8B74240C    mov esi, [esp + 0C]  ;esi = The *REAL* Serial Number
8B4C2414    mov ecx, [esp + 14]  ;Length of your Serial Number
33C0        xor eax, eax         ;Clear eax register
F366A7      repz cmpsw           ;repeat_until_ecx=0 & compare strings
7405        je 0F79B362          ;jmp if both the same.
1BC0        sbb eax, eax
83D8FF      sbb eax, FFFFFFFF
5F          pop edi
5E          pop esi
C20C00      ret 000C             ;Return from this sub-routine.
Notice that the edi and esi registers are now reversed when holding the two strings to be compared against each other. It makes no difference to us, however, because once we are on the instruction mov ecx, [esp + 14] all we need to do is type d esi and we see our Registration Code in Softice's Code Window.

Unlike cracking other programs, our registration code will be in Wide Character Format, which simply means that instead of our Registration/Serial number looking like HGII74EAG it will look like H.G.I.I.7.4.E.A.G instead: each character is followed by a zero byte, which Softice shows as a dot. Other than that it's still the REAL serial number.
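The following C is an added example (not the VB runtime's code and not from the essay) covering the two points just made: it re-implements the annotated compare routine so the return values of the repz cmpsw / sbb eax,eax / sbb eax,-1 sequence can be checked, shows the wide-character layout behind the H.G.I.I.7.4.E.A.G display, and puts a constant-time equality check beside the early-exit original. The sample strings are constructed from the registry dump earlier on this page; vb_cmpsw_ascii takes ecx as the length of the first (esi) string, as in the second trace.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_UNITS 64

/* Widen an ASCII string to the 16-bit-per-character form VB keeps its
   strings in. Returns the number of 16-bit units written. */
size_t to_wide(const char *s, uint16_t *out, size_t cap)
{
    size_t n = 0;
    while (s[n] != '\0' && n < cap) { out[n] = (uint8_t)s[n]; n++; }
    return n;
}

/* 1 if the high byte of every unit is zero. On a little-endian PC that
   byte is stored second, which is the "dot" between the characters in
   Softice's display of the wide string. */
int wide_high_bytes_zero(const char *s)
{
    uint16_t w[MAX_UNITS];
    size_t n = to_wide(s, w, MAX_UNITS);
    for (size_t i = 0; i < n; i++)
        if ((w[i] >> 8) != 0) return 0;
    return 1;
}

/* The disassembled routine: mov edi/esi/ecx from the stack, xor eax,eax,
   repz cmpsw, je, sbb eax,eax, sbb eax,-1. cmpsw evaluates [esi]-[edi]
   and stops at the first differing unit or when ecx runs out. */
int vb_cmpsw(const uint16_t *esi, const uint16_t *edi, size_t ecx)
{
    while (ecx != 0) {
        uint16_t a = *esi++, b = *edi++;
        ecx--;
        if (a != b) {
            /* CF=1 when [esi] < [edi]. sbb eax,eax gives -CF;
               sbb eax,-1 then gives eax+1-CF: -1 if CF, else +1. */
            return (a < b) ? -1 : 1;
        }
    }
    return 0; /* ZF set -> je taken; xor eax,eax left eax = 0 */
}

/* Hardened form: no early exit, so neither the result nor the time taken
   depends on where the first mismatch is. Returns 1 on equality. */
int ct_equal_w(const uint16_t *a, const uint16_t *b, size_t n)
{
    uint16_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint16_t)(a[i] ^ b[i]);
    return diff == 0;
}

/* Wrappers taking plain ASCII so the behaviour can be checked quickly.
   The edi buffer is zero-filled so a shorter edi string compares as if
   terminated by 0x0000 units. */
int vb_cmpsw_ascii(const char *esi_s, const char *edi_s)
{
    uint16_t a[MAX_UNITS], b[MAX_UNITS];
    size_t n = to_wide(esi_s, a, MAX_UNITS);
    memset(b, 0, sizeof b);
    to_wide(edi_s, b, MAX_UNITS);
    return vb_cmpsw(a, b, n);
}

int ct_equal_ascii(const char *x, const char *y)
{
    uint16_t a[MAX_UNITS], b[MAX_UNITS];
    size_t na = to_wide(x, a, MAX_UNITS), nb = to_wide(y, b, MAX_UNITS);
    if (na != nb) return 0;
    return ct_equal_w(a, b, na);
}

int main(void)
{
    /* Constructed sample values modelled on the registry dump above. */
    printf("same:         %d\n", vb_cmpsw_ascii("KCIIGFAEB", "KCIIGFAEB"));
    printf("last differs: %d\n", vb_cmpsw_ascii("KCIIGFAEB", "KCIIGFAEA"));
    printf("ct equal:     %d\n", ct_equal_ascii("KCIIGFAEB", "KCIIGFAEB"));
    printf("wide zeros:   %d\n", wide_high_bytes_zero("HGII74EAG"));
    return 0;
}
```

The constant-time variant removes the early exit, but it does not address the weakness the essay actually uses: the genuine serial is materialised in plain text in the same memory as the comparison. A scheme that checks a one-way digest of the entered value against a stored digest, or verifies a signature over the name and installation key, never needs the real serial in memory at all, which is the change a defender would make here.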
CONGRATULATIONS!
You've just cracked your first VB4 program!
Job Done.
Visual Basic is now DEAD!

My thanks and gratitude go to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ripping off software through serials and cracks is for lamers..
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.