L0phtCrack 2.52 for Win95/NT  -  Cracking Tutorial by Goatass

--------------------------------------------------------------

  BEGINNER (X) - NEWBIE () - INTERMEDIATE () - ADVANCED ()





First off, L0pht Heavy Industries is one of the best hacking groups out there today, along with some others that release some of the best hacking/security tools. I am a newbie, but I will do my best to teach you how to crack L0phtCrack 2.52, which is the latest NT password cracking tool.





About this protection:
-----------------------

This is a very simple time trial/serial number protection. An unlock code gets compared with a pre-assigned serial number. I was very surprised to find out that such a great hacking group didn't bother to protect their trademark tool very well. They are selling it for $100.



OK, let's get going with the crack.







What you will need:
--------------------

- L0phtCrack 2.52    (http://www.l0pht.com/l0phtcrack/)
- SoftIce
- your eyes







The crack:
-----------

This is a memory echo crack, which should be very easy for all newbies. First off, make a backup of l0phtcrack.exe in case you screw something up. Run the program and you should see a nag screen showing you how many days you have left (15 days total); there is also a "Register" button. Click the "Register" button and you should see a dialog box with a grayed-out box holding the pre-assigned serial number and, below it, a box for your unlock code. The unlock code is alphanumeric, but that doesn't matter right now. Go ahead and put in any number you like; I used 12345678 for my unlock code.



Now go into SoftIce (CTRL+D) and set a breakpoint on GetWindowTextA (BPX GetWindowTextA). The approach here is to break right after the program reads your unlock code, since it then uses that code together with the pre-assigned serial number to generate the good unlock code and compare the two. Now get out of SoftIce (X) and click the OK button. SoftIce breaks; press F11 to return to the calling function, which just read in the pre-assigned serial number. Now press F5 so the program reads your unlock code. SoftIce breaks a second time; press F11 again and now you are in the program's code. Trace through the code until you get to this part:



:406345  MOV  EAX, [EBX]       <-- if you type D EAX you will see
                                   the code you entered.
:406347  LEA  ECX, [ESP+1C]    <-- here is the unlock code; type D ECX
                                   to see it.



If you dump ECX you will see two 8-digit alphanumeric strings; both of them are correct unlock codes. Why two? You'll see in a second.

Next we see the program PUSHing EAX and ECX onto the stack, and then comes the CALL that compares the codes.





:40634D  CALL  00426260        <-- this is where the program compares
                                   your number and the first unlock
                                   code. Since you entered a wrong
                                   code the CALL will return with
                                   EAX=FFFFFFFF (-01); if the code
                                   you entered was correct it would
                                   return with EAX=00000000
:406355  TEST  EAX, EAX        <-- checks what the CALL returned,
                                   i.e. whether the code is good or not.
:406357  JZ    004063A2        <-- if the CALL returned 00 (good code),
                                   jump to "Thank You"



Now the program gives you another try and does the exact same thing as above with the second code.



:406359  MOV  EAX, [EBX]       <-- here is the code you entered
:40635B  LEA  EDX, [ESP+2C]    <-- and here is the second unlock code;
                                   type D EDX to see the 2nd code
....
:406361  CALL  00426260        <-- here is that same call for comparing
                                   the codes; same as before, the
                                   program will return EAX=FFFFFFFF (-01)
....



I skipped some code here that does the same as above with the TEST and JZ. Since the code you entered was wrong, the program proceeds to the nag screen:

:406376  CALL  0045666B        <-- this is the call to display the nag
                                   screen.



Now you can get out of SoftIce and try your new unlock code, and you'll be registered.



There are a few ways of going about cracking this program. The easiest is what I have described above, but if you want you can force the jump at 406357 by changing it from JZ to JMP. Why screw with the code if you don't have to, though?



Another way is to use the program itself as a small KeyGen: change one of the two PUSHes before the CALL at 406361 so that the nag screen displays the correct code instead, i.e. PUSH [ESP+1C] or PUSH [ESP+2C].
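As an added illustration (not L0phtCrack's code, and not its real derivation scheme), here is a constructed C license check with the memory-echo flaw this tutorial relies on, beside a variant that keeps only a digest of the valid code so there is nothing in memory to dump. The serial "LC-0001-DEMO", the derive_code scheme and the FNV hash are all made up for the example.

```c
#include <stdint.h>
#include <string.h>

#define CODE_LEN 8

/* Hypothetical derivation of the expected unlock code from the serial
   (FNV-1a seed, LCG per symbol, 32-symbol alphabet). Constructed here. */
static void derive_code(const char *serial, char out[CODE_LEN + 1]) {
    uint32_t h = 2166136261u;
    for (const char *p = serial; *p; p++) { h ^= (uint8_t)*p; h *= 16777619u; }
    for (int i = 0; i < CODE_LEN; i++) {
        h = h * 1103515245u + 12345u;
        out[i] = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"[(h >> 27) & 31];
    }
    out[CODE_LEN] = '\0';
}

/* Weak check with the memory-echo flaw: the valid code is built into a
   stack buffer right before the compare, so a debugger stopped on the
   compare can simply dump it (the tutorial's "D ECX"). */
int check_weak(const char *serial, const char *entered) {
    char expected[CODE_LEN + 1];
    derive_code(serial, expected);
    return strcmp(expected, entered) == 0;   /* 1 = accepted */
}

/* 64-bit FNV-1a, standing in for a real cryptographic hash. */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ull;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 1099511628211ull; }
    return h;
}

/* Hardened check: the program holds only a digest of the valid code
   (computed by the vendor when the serial is issued), so the code is never
   in memory to be echoed. Patching the branch is still possible; this
   closes only the echo vector. */
int check_hardened(uint64_t stored_digest, const char *entered) {
    return fnv1a64(entered) == stored_digest;
}

/* Returns 1 when both checks accept the derived code and reject the
   tutorial's guess of 12345678 for the given (constructed) serial. */
int self_check(const char *serial) {
    char expected[CODE_LEN + 1];
    derive_code(serial, expected);
    uint64_t digest = fnv1a64(expected);     /* vendor-side value */
    return check_weak(serial, expected) && !check_weak(serial, "12345678")
        && check_hardened(digest, expected) && !check_hardened(digest, "12345678");
}
```

Breaking on strcmp in check_weak and dumping its first argument reproduces the echo; in check_hardened the same breakpoint only ever shows the user's own input.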







The End:
---------

That's all for this tutorial. I hope I helped you better understand the memory echo concept. This was a very easy crack, but keep in mind that many other programs use the same kind of protection.



I just want to say THANK YOU to my mentor zip for getting me started with cracking. Also great thanks goes out to EDiSON, +ORC, Fravia, CrackZ, Sandman and all the great people who reverse for knowledge; keep writing those great tutorials.



I'm out, PEACE !



Goatass