Nov 1998
"Uninstall Manager V2.60"
( 'How to *think* like a cracker'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by The Sandman 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: um260.zip
Program Type: Uninstall Manager utility
Program Location: Here 
Program Size: 458K 
 
      
Tools Used:
 Softice V3.2 - Win'95 Debugger
W32Dasm V8.93 - Disassembler
Winice.Dat - Softice settings I used
 
Rating
Easy ( X )  Medium ( )  Hard ( )
There is a crack, a crack in everything. That's how the light gets in.
 
     
 
 
 
Introduction
 
The author of Uninstall Manager says:-
 
"Getting files off of your system is a lot harder than installing them. Megabytes of junk files on your hard disk waste space, slowdown your system, and conflict with software. The solution to this overcrowded mess is Uninstall Manager. Uninstall Manager is the program that lets you safely remove unwanted software and return your system to its original state."
 
About this protection system
 
This program is the second to be analyzed in the 'Cracking Challengers For All' forum and was chosen specifically because of the way it uses certain protection systems. In fact, on the face of it this program may seem to many quite hard to figure out because of the way it handles the Serial number and User's Name.. However, a closer look at this program reveals a gold mine of nuggets just waiting to be exposed to the cool light of day. This program will no longer trouble anyone..:) 

This essay attempts to show you just one of many ways to crack Uninstall Manager.  The method I've chosen was picked specifically to show everyone that what is considered complicated, figuring out how the serial code is generated, can in fact be explained in easy-to-understand terms.  I will show you how to work out the formula used by this program to 'encrypt' your User Name, which it then goes on to treat as a registration number as well as YOUR User Name!. A pretty good idea IMHO.
 


Here's the basis of this protection system. Study it well my friends, but don't worry if it doesn't make much sense to you at first, the rest of this Essay will explain it much more clearly...

The program will, on successful registration, convert your User Name/Handle into a meaningless text string, using the Assembler instruction XOR twice on it and then adding a value of one to the grand total for good measure..

Suppose for this example I register this program using my Handle:  The Sandman

Then the program will convert my Handle, The Sandman, one letter at a time to lower-case letters and add the ASCII value of each lower-case letter into one of the PC's registers, which holds the running total in hex for my handle.
 
 
 

The Sandman changed to the sandman

Original   Lower Case      ASCII           ASCII
Letter     Letter          Decimal Value   Hex Value
T          t               116             74 h
h          h               104             68 h
e          e               101             65 h
<Space>    No change       Ignored         Ignored
S          s               115             73 h
a          a               97              61 h
n          n               110             6E h
d          d               100             64 h
m          m               109             6D h
a          a               97              61 h
n          n               110             6E h
-------------
Total Value in Hex => 423 (hex)
-------------
 

Once the program has added up all the ASCII values (in hex, not decimal), which in our example came to 423 (hex), the total is stored in the EBX register for safe keeping.  Now the program applies a very simple form of 'encryption': it XORs the EBX register, holding our 423 (hex) value, with the value 89 (hex).

Like this:-

Xor EBX with 89 (hex)

This results in the EBX register now containing the value: 4AA (hex) or 1194 (decimal).

Next, Uninstall Manager repeats the above step, again using XOR but this time applying the value 33 (hex) to our new total of 4AA (hex).

This results in the EBX register containing a new value: 499 (hex) or 1177 (decimal).

Finally, Uninstall Manager increases our hex total of 499 (hex) by one.

So our FINAL hex value for my handle of "The Sandman" is: 49A (hex)

Now if we convert this hex number to a decimal number we get a value of 1178, which is the serial number required to register "The Sandman" in Uninstall Manager!
 
The Essay 
 
On October 23rd 1998 I opened up a new 'live' Cracking Forum called 'Cracking Challenges For All' that is aimed at helping newbies learn how to crack in ways that tutorials and essays cannot teach you. This forum will perhaps for the FIRST time open your eyes to the *real* world of cracking. Forget about diving into a program and finding the 'crack', that's not what cracking is all about. Instead, here you will find out exactly what tuts and essays fail to show you: the inner workings of protection systems, examined in much greater detail than you thought possible.

This essay is the second in a series of tuts based on a program that was featured in the 'Cracking Challengers For All' forum, and shows what can be achieved if people join together to crack a particular program.
 

OK, lets crack on with this essay...

As always, lets use our tools and see what information we can gather about this program before we fire up Softice.

Running Regmon on Uninstall Manager right up to where the Nag Screen is displayed shows us these lines of interest..

64 Uninsman OpenKey HKCU\software\NoktaSoftware\UninstallManager                      SUCCESS
65 Uninsman QueryValueEx HKCU\software\NoktaSoftware\UninstallManager\Reg     NOTFOUND
66 Uninsman CloseKey HKCU\software\NoktaSoftware\UninstallManager                     SUCCESS

Basically what Regmon shows is that Uninstall Manager first checks to see if the HKCU\software\NoktaSoftware\UninstallManager branch exists within your System Registry file.

Line 64 shows a SUCCESS, meaning this branch does exist.

Line 65 shows that Uninstall Manager queries the System Registry to see if there is an entry called Reg; the NOTFOUND shows that this entry does not exist.

Line 66 shows that Uninstall Manager cancels further checks using the system function CloseKey.

Mmm, so looking at the whole of Regmon's output up until the point that Uninstall Manager displays the Nag Screen, we see that this is the only check this program performs in order to decide whether or not to show the Nag Screen..  Yes, there are many other entries shown in Regmon's output, but they are 'normal' system accesses that most programs, when run, perform as a matter of routine.

We could, I guess, go directly into our System Registry and create a new entry called Reg and then try and 'guess' what might be assigned to it in order for the program to become 'registered', but that's not practical and besides, we still need more information to make any reasonable assumptions about this Reg entry.

Looking at the uninsman.ini file that is used by Uninstall Manager shows only that it contains the program settings and little else.

OK, from running this program we see that we have a 30 day time limit with this babe, and in the Registration Screen the program asks us for two items of data, our Registration Name & Registration Key..

If we now type our name into the Registration Name box and then type some letters for the Registration Key we get a nice error message: "'????' is not a valid Integer".  We now know that this program expects a numeric value between 0-65535 that represents a valid serial number.. But what else does this tell us?.  At this point I came to the conclusion that the Registration Key expected by this program is a kind of 'Check-Sum', which is based solely on the Registration Name being entered into the program.  If the check-sum is correct for the User Name you type in then Bingo, you have a registered program.. However, without knowing what values this program assigns to each letter of the alphabet it's still too difficult to try and 'guess' this at the moment.. We still need some clues...

Now we create a Dead Listing using W32Dasm. Let's go fishing...

In the String Data Resources we take a look at all the text strings and try to see how they fit into the overall program.  Hey, what's this?.

SILICON SURFER [PC]

Double-click on this text string and W32Dasm will take us to the section of code that handles it, worth checking out.

It seems the programmer has come across this cracker's serial crack and wants to prevent anyone from using this particular serial number on his future versions..  Just to confirm that we are indeed within the code routines that handle the validation of the serial number, we see a few lines down from this text string:-

"This registration info is illegal. No need to pirate this software. It is just $10 to register."
 

:0045BFDE 8B45EC         mov eax, dword ptr [ebp-14]
:0045BFE1 BAA0C34500     mov edx, 0045C3A0 ;->"SILICON SURFER [PC]"
:0045BFE6 E8297EFAFF     call 00403E14
:0045BFEB 753D           jne 0045C02A      ;Jump if User Name not equal
                                           ;to Silicon Surfer [PC]
:0045BFED 6A00           push 00000000
:0045BFEF B8B9000000     mov eax, 000000B9
:0045BFF4 E877100000     call 0045D070
:0045BFF9 50             push eax
:0045BFFA B828000000     mov eax, 00000028
:0045BFFF E890100000     call 0045D094
:0045C004 50             push eax
:0045C005 668B0DB4C34500 mov cx, word ptr [0045C3B4]
:0045C00C 33D2           xor edx, edx
:0045C00E B8C0C34500     mov eax, 0045C3C0 ;->"This registration info is"
                                           ;->"illegal. "
                                           ;->"No need to pirate this"
                                           ;->" software."
                                           ;->"It is just 10$ to register"
 
That, I hope, explains why this program has this cracker's handle within its code and what it will do if you try and use this handle to register the program with *grin*

Back to our examination of this program...  Anyone who tries to locate any error messages or Nag Screen text used within this program will be disappointed. The Author has already thought of this and has used a very simple form of encryption on these text strings.. He knows they are like flashing neon signs for crackers, especially newbies, who rely very heavily on them being present to guide them around. No matter, because the author has only half done this job and we can still use the above snippet of code to our advantage *grin*.

Notice that IF the User does NOT use the handle SILICON SURFER [PC] then the program uses a conditional jump that bypasses the message "This registration info is illegal bla bla bla"..

:0045BFEB 753D            jne 0045C02A   ;Jump if Name not equal to Silicon Surfer [PC]
 
 
So lets now see where the program jumps to...

 
* Referenced by a (C)onditional Jump at Address: 0045BFEB(C)

:0045C02A 8B45FC         mov eax, dword ptr [ebp-04]
:0045C02D E8E6F8FFFF     call 0045B918 ;Returns with Low byte of EAX:-
                                       ;AL = 00 - Bad Cracker
                                       ;AL = 01 - Good Cracker

:0045C032 3C01           cmp al, 01    ;AL =01? Was serial# correct?
:0045C034 0F8551020000   jne 0045C28B  ;Jump if AL NOT EQUAL to 01
 
 
 
At this point, the above four lines of code mean very little to us, although we can see that they perform some sort of test on the AL register (AL = lower byte of the EAX register) followed by a conditional Jump Not Equal instruction. Since we found the above snippet of code by following a reference from the routine that handles the use of the SILICON SURFER [PC] handle, we can be quite sure that the above four lines of code won't get called UNTIL we try and register this program.  If we're newbies then we may want to investigate this code snippet further using Softice.

Many newbies will often forget that they don't need to find the right bpx function in order to get to where they want, simply because we already know where we want to go, so it does NOT matter how or where we enter the target program's code!.

Let me show you what I mean by this..

Press Ctrl & D keys together to fire up softice..

Now type: bpx getlocaltime then x to leave softice.
 
This system function GetLocalTime is used all the time by many programs running in Windoze, such as Explorer, and not just by our target program, so make sure to close as many active programs as possible before setting this breakpoint in Softice, else you'll find Softice breaking all the time, and that's before you've had the chance to start up Uninstall Manager.

Ok, as soon as you've set this breakpoint quickly fire up Uninstall Manager..

Softice Breaks at the start of the System Function GetLocalTime....

Press F11 Once...

Does Softice show you something like the text "UNINSMAN!CODE+75FC" at the bottom of the Assembly Listing Window?  If you can see UNINSMAN!CODE then you are within Uninstall Manager's code. If not, then press x once more and Softice will again break on the system function GetLocalTime, where you will again need to press the F11 key once more. You should now see the text "UNINSMAN!CODE+75FC" at the bottom of the Assembly Listing Window.

OK, we're miles from those four lines of code I've shown you above, but that's ok because now we know where we want to go, and we do this by typing:

u 0045C02A      ;This makes Softice show us those four lines we're interested in.
bpx 0045C02A    ;This tells Softice that we want it to break each time the program tries to
                ;execute mov eax, dword ptr [ebp-04] at this memory address.
 
Before we go any further let's clear the bpx GetLocalTime breakpoint from Softice; it's done its job and we have no further use for it..

Type: bc 00  then x to leave softice..

We're back into Uninstall Manager so now select the menu option Help then choose About then click on the Register button..

We should now be in the Registration Screen...

For the User Name I want you to type: Cracker
Then for the Register key I want you to type: 1234.

Once you've done this click on the OK button...

Softice breaks at: 0045C02A

You should now see that softice has stopped at the start of those four lines code I've shown you above, here they are again..

:0045C02A 8B45FC         mov eax, dword ptr [ebp-04] <----Softice break here..
:0045C02D E8E6F8FFFF     call 0045B918
:0045C032 3C01           cmp al, 01
:0045C034 0F8551020000   jne 0045C28B
 
Now press the F10 Key THREE times, you should now be resting on the jne 0045C28B instruction...

Can you see that Softice is indicating (JUMP |) alongside this instruction? It means that if we proceed any further Softice WILL jump to the memory location pointed to by this conditional jump..

We don't want this to happen, instead lets see what would happen IF the program does NOT jump to this memory location, but instead continues on with the next instruction below this conditional jump...

OK, now type: r eip=0045C03A

We've now skipped this conditional jump instruction as though it never existed, and all that remains is to now type x to leave Softice..

Uninstall Manager Displays "Thanks for your Registration"

Yep, we've just FULLY registered this program!. You can test this out by closing down Uninstall Manager and restarting it. The About Screen shows the 'Register' button is now disabled and there are now no nag screens to bother us again.

Normally, when newbies find the right conditional jump that decides whether or not the User's serial number is correct (as we've just found at 0045C034) they get out a hex editor like Hex Workshop and proceed to NOP out this jump, and if you did this to Uninstall Manager then you would indeed have a fully patched copy of Uninstall Manager!..

<----- BUT WAIT! ------>

We CAN do much better than this! All the hard work has been done, so we now have the means to unravel this program in a way that I'm sure you will understand, REGARDLESS of how little you understand Assembly Language, and best of all, it requires NO patching of the program's code!. How easy can it get!.. just read on...

Close down Uninstall Manager then fire up REGEDIT, the built-in utility for Win 95/98 that allows us to examine our system Registry..
 
 

[ STEP 1.................................................................... ]

Once REGEDIT is open, go into this Branch of your System Registry file:-

HKCU\software\NoktaSoftware\UninstallManager

Inside this branch we will see this entry:-

Reg = I@Kzikcmz

This does not make any sense to us at this point but write this line down on a piece of paper.

Once you've done this I want you to Delete this entry.. Simply highlight this line then press the DEL key.. REGEDIT will ask you if you're sure, answer YES to this message..

We have just made Uninstall manager an unregistered copy again.. Don't worry, within the next ten minutes we will be able to write our own 'special' Registration code into our System Registry without even going through the program's Registration Screen!...

Now Re-run Uninstall Manager, our two nag screens will be back, but not for long...

Now go back into the Registration Screen...
 
 

[ STEP 2.................................................................... ]

For the User name I want you to type: ABCDEFGHIJKLMNOPQRSTUVWXYZ
For the Registration Key I want you to type: 1234

Now click on the OK button again..

Softice breaks at: 0045C02A

Press F10 Three times..
Type: r eip=0045C03A
Type x to leave Softice..

Uninstall Manager Displays "Thanks for your Registration"

Close down Uninstall Manager.

Open up REGEDIT and go into the Branch:
HKCU\software\NoktaSoftware\UninstallManager

Write down the registration code you see for  reg =

Reg=I@IJKLMNO@ABCDEFGXYZ[\]^_PQR

Once again, delete the entry REG= as explained above.

Uninstall Manager now unregistered again..
 
 

[ STEP 3.................................................................... ]

Now re-run Uninstall Manager and go into the Registration Screen..

For the User name I want you to type: abcdefghijklmnopqrstuvwxyz
For the Registration Key I want you to type: 1234

Now click on the OK button again..

Softice breaks at: 0045C02A

Press F10 Three times..
Type: r eip=0045C03A
Type x to leave Softice..

Uninstall Manager Displays "Thanks for your Registration"

Close down Uninstall Manager.

Open up REGEDIT and go into the Branch:
HKCU\software\NoktaSoftware\UninstallManager

Write down the registration code you see for  reg =

Reg=I@ijklmno`abcdefgxyz{|}~pqr

Once again, delete the entry REG= as explained above.

Uninstall Manager now unregistered again..
 
 

[ STEP 4 - Final Stage............................................................... ]

Now re-run Uninstall Manager and go into the Registration Screen..

For the User name I want you to type: 1234567890
*ADD A SPACE AT THE END OF THE ABOVE NUMBERS*

Next, for the Registration Key I want you to type: 1234

Now click on the OK button again..

Softice breaks at: 0045C02A

Press F10 Three times..
Type: r eip=0045C03A
Type x to leave Softice..

Uninstall Manager Displays "Thanks for your Registration"

Close down Uninstall Manager.

Open up REGEDIT and go into the Branch:
HKCU\software\NoktaSoftware\UninstallManager

Write down the registration code you see for  reg =

Reg=I@9:;<=>?018(

Once again, delete the entry REG= as explained above.

Uninstall Manager now unregistered again..



 

Let's now look at these registration codes and see if there are any patterns to them..

User Name         := Cracker
Registration Code := I@Kzikcmz

User Name         := ABCDEFGHIJKLMNOPQRSTUVWXYZ
Registration Code := I@IJKLMNO@ABCDEFGXYZ[\]^_PQR

User Name         := abcdefghijklmnopqrstuvwxyz
Registration Code := I@ijklmno`abcdefgxyz{|}~pqr

User Name         := 1234567890
Registration Code := I@9:;<=>?018(

See any patterns yet?.

Well, the obvious one is that ALL the registration codes begin with I@

We can safely assume, because these two characters are NOT used anywhere else other than at the start of the Registration Code, that they act as a kind of unique 'marker' that tells Uninstall Manager to accept the registration code regardless of whatever characters follow after it, because they must have been created by the program itself!.

So, as long as the Reg entry in our System Registry file begins with these two characters I@ the program will become fully registered, but will not show any User Name in the About Screen since there are no further characters to read from..

So far it doesn't take a master cracker to work out the above two statements, just a little thought based on our observations..

Keep reading, the best bit is yet to come...

If we take away the first two characters from each of our four registration codes we see that we are left with exactly the same number of characters as the User Name we entered..

Now if we line up the User Name alongside the generated Registration Code we can see that the program assigns a unique letter to each of the letters in our entered User Name..

Like this...

User Name           :=  Cracker
Registration Code   :=  Kzikcmz

User Name           := ABCDEFGHIJKLMNOPQRSTUVWXYZ
Registration Code   := IJKLMNO@ABCDEFGXYZ[\]^_PQR

User Name           := abcdefghijklmnopqrstuvwxyz
Registration Code   := ijklmno`abcdefgxyz{|}~pqr

User Name           := 1234567890 <--SPACE CHARACTER HERE
Registration Code   := 9:;<=>?018(

What we have here is the 'Key' to unraveling how the program creates the registration Codes!
 

Our User Name can contain letters, numbers and spaces, so looking at the above four registration codes we can NOW write our own Registration Keys here and NOW..

Watch...

Start off with I@

then

convert Sandman into its registration code of I@[ifleif by looking up what each of the letters is converted into by Uninstall Manager..

S = [
a = i
n = f
d = l
m = e
a = i
n = f

Another example:-

To create a Registration code for: The Sandman

Reg =I@\`m([ifleif

Once you've worked out how the program converts our User Name into Uninstall's special registration code, we can open up REGEDIT and type in whatever registration code we want, in the knowledge that whatever User Name we use, it will be shown in Uninstall Manager's About Screen!.  See, we didn't have to understand Assembler, nor did we have to understand the process the program uses within its code to create the registration code!
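As an added example (my own Python, not the author's or the program's code), the four name/code pairs above can all be reproduced by one rule: keep the I@ marker and XOR every character of the User Name with 08 (hex). That constant is inferred from the essay's pairs rather than stated by the author; it also explains why the lower-case code above shows only 25 visible characters, since 'w' maps to 7F (hex), the unprintable DEL character, which REGEDIT does not display. Decoding a stored Reg value is the very same operation, which is the real lesson: a constant XOR hides nothing from anyone who can see two or three samples.

```python
# Added example (not the essay's code): the Reg value stored in the
# Registry is "I@" followed by each character of the User Name XOR'd
# with 0x08.  The XOR constant is inferred from the essay's four
# name/code pairs; the author only lists the pairs themselves.

MARKER = "I@"
XOR_KEY = 0x08

# The four name/code pairs recorded in the essay (Steps 1 to 4).
# The lower-case entry carries the DEL character for 'w', which is
# invisible in REGEDIT and therefore missing from the essay's text.
OBSERVED = {
    "Cracker": "I@Kzikcmz",
    "ABCDEFGHIJKLMNOPQRSTUVWXYZ": "I@IJKLMNO@ABCDEFGXYZ[\\]^_PQR",
    "abcdefghijklmnopqrstuvwxyz": "I@ijklmno`abcdefgxyz{|}~\x7fpqr",
    "1234567890 ": "I@9:;<=>?018(",
}


def encode_reg(name: str) -> str:
    """Return the Reg string the program stores for a given User Name."""
    return MARKER + "".join(chr(ord(c) ^ XOR_KEY) for c in name)


def decode_reg(reg: str) -> str:
    """Recover the User Name from a stored Reg string.

    Raises ValueError if the two-character marker is missing, since the
    essay observes that the program treats the marker as its proof that
    the value was written by itself.
    """
    if not reg.startswith(MARKER):
        raise ValueError("Reg value does not carry the I@ marker")
    # XOR with a constant is its own inverse, so decoding reuses the key.
    return "".join(chr(ord(c) ^ XOR_KEY) for c in reg[len(MARKER):])


def table_matches() -> bool:
    """True if the XOR-8 rule reproduces every observed pair both ways."""
    return all(encode_reg(n) == r and decode_reg(r) == n
               for n, r in OBSERVED.items())


if __name__ == "__main__":
    print("XOR-8 rule consistent with all four pairs:", table_matches())
    # The essay's two hand-worked examples: Sandman and The Sandman.
    print(encode_reg("Sandman"))       # I@[ifleif
    print(encode_reg("The Sandman"))   # I@\`m([ifleif
    print(decode_reg("I@Kzikcmz"))     # Cracker
```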

For completeness, I will explain how the 'Integer' value used as a serial number is derived.

Before the program will accept the User's Name as the registered owner it must be accompanied by an integer number that acts like a kind of check-sum for the User Name.

Uninstall Manager expects a valid integer value to be typed in along with your User Name, and this integer value is calculated in six stages..

Stage 1.

The User Name is converted into lower case letters.

Stage 2.

The program then 'adds' together all the ASCII values for all the lower case letters.

Stage 3.

The resulting 'total' from stage 2 is XOR'd with the number 89 (hex).

Stage 4.

The new 'total' obtained from Stage 3 is then XOR'd again but with the number 33 (hex).

Stage 5.

Finally, the new 'total' obtained from Stage 4 is then increased by 01 (hex)
 

Stage 6.

Uninstall Manager then converts the 'total' from Stage 5 into a decimal number. This is the number the program expects you to use for the name/handle typed into the Registration Screen.

The 'table' at the top of this essay works through the above six stages and may help you to better visualize them.. READ TABLE...
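The six stages above and the worked table at the top of the essay, carried through in Python as an added example (not the author's code). It returns every intermediate value so the hand calculation for 'The Sandman' (423, 4AA, 499 and 49A hex, 1178 decimal) can be checked, and it shows two properties that make this a weak check: the two constant XORs collapse into a single XOR (89 XOR 33 = BA hex), and because Stage 2 is a plain sum, any name using the same letters in a different order gets the same serial. How characters other than letters and spaces are treated is my assumption; the essay only documents those two kinds.

```python
# Added example (not from the essay): the six-stage serial derivation
# described by The Sandman.  The constants 0x89, 0x33 and the final +1
# are those stated in the essay.

XOR_STAGE3 = 0x89
XOR_STAGE4 = 0x33


def serial_stages(name: str) -> dict:
    """Return every intermediate value so each stage can be checked."""
    lowered = name.lower()                              # Stage 1
    # Stage 2: the essay's table ignores the space character.  Handling
    # of other non-letters is not documented, so only spaces are dropped
    # here (assumption).
    total = sum(ord(c) for c in lowered if c != " ")
    after_xor89 = total ^ XOR_STAGE3                    # Stage 3
    after_xor33 = after_xor89 ^ XOR_STAGE4              # Stage 4
    serial = after_xor33 + 1                            # Stage 5
    return {                                            # Stage 6: the
        "lower": lowered,                               # caller prints
        "sum": total,                                   # 'serial' in
        "xor89": after_xor89,                           # decimal
        "xor33": after_xor33,
        "serial": serial,
    }


def serial_for(name: str) -> int:
    """The decimal integer the Registration Screen expects for a name."""
    return serial_stages(name)["serial"]


def serial_collapsed(name: str) -> int:
    """Same result with the two XORs folded into one constant (0xBA)."""
    total = sum(ord(c) for c in name.lower() if c != " ")
    return (total ^ (XOR_STAGE3 ^ XOR_STAGE4)) + 1


def same_serial(a: str, b: str) -> bool:
    """Two names collide whenever their letter sums are equal (anagrams)."""
    return serial_for(a) == serial_for(b)


if __name__ == "__main__":
    s = serial_stages("The Sandman")
    print(f"sum       = {s['sum']:#x}")                 # 0x423
    print(f"xor 0x89  = {s['xor89']:#x}")               # 0x4aa
    print(f"xor 0x33  = {s['xor33']:#x}")               # 0x499
    print(f"+1        = {s['serial']:#x} -> {s['serial']}")  # 0x49a -> 1178
    print("folded XOR agrees:", serial_collapsed("The Sandman") == s["serial"])
    print("anagram collision:", same_serial("The Sandman", "Sandman The"))
```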
 

And finally....

Once the program has been registered, the Decimal number used above is thrown away, it's no longer needed..  Your User name now becomes both the Registration Key and the Registered owner's name that is shown in the About Screen!. Two uses from just one registration code!.

 
Job Done.
 
The Crack
     
None is required nor needed. 
 
Final Notes 
    
This is quite a useful program to have and use, and for $10 it's worth every cent the authors are asking for it.. In terms of educating newbies, it's worth just sending the authors $10 regardless of whether we want this program or not!.  How much is knowledge worth to you?.  How many programs have you come across that teach you as much as this one?.

Come on, let's see you register this program legally and in the process thank the authors for their educational program.
 
My thanks and gratitude goes to:-
 
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
 
+ORC for showing me the light at the end of the tunnel.
 
Ob Duh 
 
Do I really have to remind you all that buying and NOT stealing the software you use will ensure that these software houses are encouraged to produce even *better* software for us to use and enjoy.

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time, try searching elsewhere on the Web under Warez, Cracks etc.
 


 
 
 

Essay by:          The Sandman
Page Created: 20th October 1998