|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
|
|
Hiding behind this computer language is
a simple serial number protection system which is based on the User entering
a valid Alpha-numeric serial number that is based on the User's
Name.
|
|
Hmmm, so I can't patch this babe and that the serial generated by this program can be figured out if I see it!. It gets better and better..:)
Here's how I figured out how this program works...
If you run this program then you will be greeted with a simple dialog box, asking you to enter a User Name and Serial, which I type:-
User Name:
The Sandman
Serial
: 7777777
At this point I fired up softice, pressing Ctrl & D keys together..
Now we need to select a system function for Softice to break on, my favorite and one I find is perfect for getting into Visual Basic programs especially at this point in the target program is Hmemcpy.
Type: bpx hmemcpy then x
to return to our Crackme.
Now click on the large OK button.
Softice Breaks
at the start of the Hmemcpy routine...
We're now deep within the operating system, we now need to type: bd 00 to disable our original Hmemcpy breakpoint, this will prevent softice from acting on it as we start going through the rest of the Crackme's code.
Now Press...
F11 Once
F12 Thirteen
Times
F10 Once
You should now be in the Crackme's Code at this memory location...
:0040A8CA 3BC7
cmp eax, edi ;We land here...
:0040A8CC 7D12
jge 0040A8E0
:0040A8CE 68A0000000
push 000000A0
:0040A8D3 68E01E4000
push 00401EE0
:0040A8D8 53
push ebx
:0040A8D9 50
push eax
At the bottom of Softice Disassembly Window it should show something
like: CRACKME#1!_Text+98C4
| At this point I
traced through the code using F10 until I hit the call instruction
that displays the 'loser Message' which gave me a good idea just how much
more code I had to go through before I hit this loser message. I did this
several times, each time building up my notes on which conditional jumps
were 'set' and which jumps I took and where they sent me.. I'm building
up a picture that now gives me a pretty clear idea of how this program
works..
Here's what I found... :0040A864
mov eax, dword ptr [ebp+FFFFFF48]
;Address of our User Name
:0040A891
lea ecx, dword ptr [ebp+FFFFFF44]
;ECX = Your User Name in
In my case I now see: T.h.e...S.a.n.d.m.a.n. Interestingly, if you scroll down the Code Window you'll also see in full, your *REAL* serial number for your User Name, trust me, it's there all right. However, at this stage of the crack we don't yet know that this is our *REAL* serial number so we must continue on with our crack.. The code starting
from 0040A983
to 0040AAC4 loops
round for each letter in your User Name.
:0040A983
test eax, eax
;Start of Character Loop
|
Once the above code
has been executed X number of times for each letter in your User Name the
program continues from here... Unless you wish to follow the above
steps for yourself you can skip them by typing: bpx 0040AAC9 then
press X to skip the above code so that you land here...
:0040AAC9 8D55AC
lea edx, dword ptr [ebp-54] ;We land here.
:0040AACC 8D857CFFFFFF
lea eax, dword ptr [ebp+FFFFFF7C]
:0040AAD2 52
push edx
:0040AAD3 50
push eax
:0040AAD4 FF154CD14000
Call MSVBVM50.__vbaVarTstEq ;Check both
the
;*Fake & Real* serials
:0040AADA 6685C0
test ax, ax
;Valid Serial?
:0040AADD 0F84B9010000
je 0040AC9C
;No? then Jump to Loser
Our first conditional jump after
the Character Code loop and we find that the program calls the Visual basic
routine _vbaVarTstEq to check both
serials!. If both serials don't match then it must
mean that we used a *fake* serial where the program then jumps to the 'Loser
Message' routine. Of course we don't really know this
at this point, so lets check this out for ourselves, just as though this
is our first time at cracking this program..:)
You should still be waiting at:-
:0040AAC9 8D55AC lea edx, dword ptr [ebp-54] ;We land here.
So press the F10 key FOUR times so that your now on this instruction:-
:0040AAD4 FF154CD14000
Call MSVBVM50.__vbaVarTstEq
From here press the F10 key once
more...
We are now in the Visual Basic RunTime library...MSVBVM50.DLL Try and stay with me for the rest of the way because many visual basic programs can be cracked using the methods described in this Essay..:)
OK, we should see this code routine:-
Exported fn(): __vbaVarTstEq - Ord:01E4h
:0F107828 FF742408
push [esp+08]
:0F10782C FF742408
push [esp+08]
:0F107830 6A00
push 00000000
:0F107832 E8E55DFFFF
call 0F0FD61C ;Press the T key HERE.
:0F107837 8B0485C4830E0F
mov eax, dword ptr [4*eax+0F0E83C4]
:0F10783E C20800
ret 0008
F10 until you land on the call 0F0FD61C.
Now Press the T key.
If you had correctly Traced into the above call 0F0FD61C then you should now see this new code snippet..
:0F0FD61C 55
push ebp ;You land here. Start F10'ing
:0F0FD61D 8BEC
mov ebp, esp
:0F0FD61F 83EC44
sub esp, 00000044
:0F0FD622 833D5CB3100F00
cmp dword ptr [0F10B35C], 00000000
:0F0FD629 53
push ebx
:0F0FD62A 56
push esi
:0F0FD62B 57
push edi
:0F0FD62C 0F859B5C0000
jne 0F1032CD
:0F0FD632 A164B3100F
mov eax, dword ptr [0F10B364]
:0F0FD637 8D4850
lea ecx, dword ptr [eax+50]
:0F0FD63A 83C060
add eax, 00000060
:0F0FD63D 8B5D10
mov ebx, dword ptr [ebp+10]
:0F0FD640 8B550C
mov edx, dword ptr [ebp+0C]
:0F0FD643 668B32
mov si, word ptr [edx]
:0F0FD646 894DF0
mov dword ptr [ebp-10], ecx
:0F0FD649 6681E6FF7F
and si, 7FFF
:0F0FD64E 8945F4
mov dword ptr [ebp-0C], eax
:0F0FD651 668B03
mov ax, word ptr [ebx]
:0F0FD654 6625FF7F
and ax, 7FFF
:0F0FD658 668945FE
mov word ptr [ebp-02], ax
:0F0FD65C 6683FE11
cmp si, 0011
:0F0FD660 0F87785C0000
ja 0F1032DE
:0F0FD666 0FB745FE
movzx eax, word ptr [ebp-02]
:0F0FD66A 0FB7CE
movzx ecx, si
:0F0FD66D 6BC012
imul eax, 00000012
:0F0FD670 03C1
add eax, ecx
:0F0FD672 3D43010000
cmp eax, 00000143
:0F0FD677 0F872F5D0000
ja 0F1033AC
:0F0FD67D 0FB69072DA0F0F
movzx edx, byte ptr [eax+0F0FDA72]
:0F0FD684 FF2495E2D70F0F
jmp dword ptr [4*edx+0F0FD7E2]
Keep pressing the F10 key until you land on the jmp dword ptr [4*edx+0F0FD7E2] where this jump will take you here..
:0F0FD7B0 8B550C
mov edx, dword ptr [ebp+0C] ;We land here
:0F0FD7B3 FF7308
push [ebx+08]
:0F0FD7B6 FF7208
push [edx+08]
:0F0FD7B9 FF7508
push [ebp+08]
:0F0FD7BC E8C2A0F4FF
call 0F047883 ;Press the T
key to trace
;into this call
Which now takes us to this code routine...
:0F047883 66837C240400
cmp word ptr [esp+04], 0000
:0F047889 B800000000
mov eax, 00000000
:0F04788E 0F85105C0300
jne 0F07D4A4
:0F047894 FF74240C
push [esp+0C]
:0F047898 FF74240C
push [esp+0C]
:0F04789C 50
push eax
:0F04789D E85F6A0000
call MSVBVM50.__vbaStrComp ;Press
the T
;key to trace
;into this
;call
Now isn't that interesting, we've come across a CALL to the _vbaStrComp routine!. This is our Visual Basic String Compare routine!. If you want to compare two serials against each other then the _vbaStrComp routine is the one your most likely to use in your Visual Basic programs!.
Can you feel the ZEN yet!...
OK, you've Traced into the Call _vbaStrComp and you should now see this last section of code...
:0F04E301 55
push ebp ;We land here... Start F10'ing
:0F04E302 8BEC
mov ebp, esp
:0F04E304 53
push ebx
:0F04E305 56
push esi
:0F04E306 57
push edi
:0F04E307 837D1000
cmp dword ptr [ebp+10], 00000000
:0F04E30B BE00000000
mov esi, 00000000
:0F04E310 7406
je 0F04E318
:0F04E312 8B4510
mov eax, dword ptr [ebp+10]
:0F04E315 8B70FC
mov esi, dword ptr [eax-04]
.........
<Snip..Snip >
.........
:0F04E34C 8BC3
mov eax, ebx
:0F04E34E D1E8
shr eax, 1
:0F04E350 50
push eax
:0F04E351 FF750C
push [ebp+0C] ;Push *REAL* serial #
:0F04E354 FF7510
push [ebp+10] ;Push *FAKE* serial #
:0F04E357 E83CDEFFFF
call 0F04C198
Bingo!... We've found where, in Visual Basic it compares our *Fake* Serial against the *Real* one..
Here's how to read it...
F10 over this instruction...
:0F04E351 FF750C push [ebp+0C] ;Push *REAL* serial #
Type d ebp+0c
In your Softice Code Window you will see:
78164100XXXXXXXX
XXXXXXXXXXXXXXXX
XXXXXXXXXXXXXXXX
What your looking at is the actual memory address stored in a sequence of bytes where your *Real* serial number is stored in memory, ready to be compared against the one you've just typed into the Crackme..
To see our *Real* serial number we must now 'reverse' this address (four bytes) like this:-
Type: d 00411678
Now you can see the *Real* serial number for the User Name: The Sandman
Serial:= Uif!Tboenbo
But wait!...
We're not done.. While we can now go into the Crackme and type in this serial number for the User Name of The Sandman and see the pretty picture of a young lady about to catch a cold we might as well see what Magenta meant when he said " The serial generator is very easy to understand. If you have your serial, you will understand it! ".
My User Name: The Sandman contains two small letter a's and two small letter n's and two capital letters, so lets see what characters this Crackme has assigned to them..
User Name : The Sandman
Serial Code: Uif!Tboenbo
Can you see that
the Crackme assigns a capital U to my 'T'
Can you see that
the Crackme assigns a Capital T to my 'S'
Can you see that
the Crackme assigns a small letter b to my two a's
That's all I need to work out what the 'key' is based on when the Crackme assigns a serial number based on the User's Name/Handle..
The key is best explained like this:-
If your User Name is: ABCDEFG then the Crackme will 'add' one letter forward to each letter of YOUR User name...
So your User Name of ABCDEFGH becomes BCDEFGHI
Another example...
If your User Name
is: abcdefgh
then your serial number for this User Name becomes bcdefghi
Job Done.
|
|
|
|
1. Visual Basic programs are no different to any other program you may come across, so if you can't dead list a program then try and get softice to break as close to the protection system as possible using a function such as Hmemcpy. Having done this then take the time to map the surrounding code and routines before you plunge head long into the VB code itself.
2. Simply sniffing out the serial number is not always your main goal to cracking a program, try and see if the serial has any 'patterns' to it such as the one described above. You can easily find them by choosing a User Name such as: aaBBccCCddDDeeFF1234 which will quickly show up any set patterns used in the target program's serial generating routines.
*Final Note*. There is a bug in this crackme... If you click on the OK button WITHOUT typing anything for the User Name or Serial Number then the program will accept this and display the 'Congratulations' dialog box followed by the final screen ..:)
My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest
source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end
of the tunnel.
|
|
Ripping off software through serials
and cracks is for lamers..
If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.
| Next | Return to Essay Index | Previous |