This essay is aimed towards beginning crackers, and helping them to think like a

cracker.  I can't count how many times I have been asked by a beginning cracker about why

they can patch a program so that it says that it's been registered, but then when they 

restart the application it no longer says that it's registered.  The solution is usually

quite simple, but requires you to "think like a cracker".

 

Tools required

W32Dasm 8.9 (or whatever version you prefer)
Hex Workshop (or your favorite hex editor)
PolyView 3.00 beta 9

 

Target's URL/FTP

http://www.polybytes.com/betafiles/pvbeta.exe

 

Program History

 
 

 

Essay

Before we get started with cracking our target, PolyView 3.00 beta 9, we need

a lesson in thinking like a cracker/programmer.  Programmers are taught that 

whenever you have a task that is going to be done more that once, you should

create a function to do that task, and just call the function when you need to 

perform the task.  Now, most programs that use a name/serial # combination 

check the code at least twice, once when you enter the code, and once when the

program starts up.  Because of this the programmer will usually call a function

to test your reg code.  And usually, this function will be called every time the

code is checked.  At this point you should probably see where I am going with

this.  If you patch the function that is called to test the reg code, it will 

show up as valid whenever the program does it's check.



Now, for an example of this technique, on to PolyView 3.00 beta 9.



When you run the program you should notice on the menubar the "Registration" section,

and under that, "License Information".  It has a place to enter a name and a license

code.  Enter whatever you like for these values and press "OK".  If you have not

entered an integer into the license code box, you will receive an error saying "Please

enter a positive integer", otherwise you will receive the error "Registration Unsuccessful".



Fire up W32Dasm, and load PolyView.exe.  When this is done go to the string references

and look for "Registration Unsuccessful".  When you find it in the list, notice that

just above it is the string "Registration successful", and then double click on 

"Registration Unsuccessful".  You should see this section of code:



* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:004400C9(C)

|



* Possible Reference to String Resource ID=00141: "Unregistered"

                                  |

:0044016C 688D000000              push 0000008D

:00440171 8BCF                    mov ecx, edi

:00440173 E8D9070600              call 004A0951

:00440178 53                      push ebx

:00440179 53                      push ebx



* Possible StringData Ref from Data Obj ->"Registration unsuccessful. please "

                                        ->"verify that you have entered the "

                                        ->"information exactly as shown on "

                                        ->"your registration letter."

                                  |

:0044017A 684C364F00              push 004F364C

:0044017F 899E70010000            mov dword ptr [esi+00000170], ebx

:00440185 E8D88A0600              call 004A8C62



You should notice first that this section of code was referenced by a

conditional jump at 004400C9. Scroll up in w32dasm until you get 

to that location, you should see this code:



:004400B7 50                      push eax

:004400B8 51                      push ecx

:004400B9 898670010000            mov dword ptr [esi+00000170], eax

:004400BF E8DCF0FEFF              call 0042F1A0    ;IsValidCode()

:004400C4 83C408                  add esp, 00000008

:004400C7 85C0                    test eax, eax    ;The infamous test

:004400C9 0F849D000000            je 0044016C      ;je Bad_Guy



Here is where we apply what we learned earlier.  If you were to simply

NOP out the je 044016C the program would say that it is registered when

you enter in your code.  However, When you restart the program, it would

still say "Unregistered".  Remember what I said about programmers writing

one function, and calling it many times to see if the code is valid?  That

is what this author has done, the call to 0042F1A0 is the program calling

that function.  In w32dasm, goto code location 0042F1A0, and you will see

this:



* Referenced by a CALL at Addresses:

|:0040423B   , :004046B8   , :004055FA   , :0042DDBE   , :0042DE36   

|:004395C4   , :0043CE1A   , :0043D6B0   , :0043E35A   , :00440025   

|:004400BF   , :004419BC   , :0044234D   , :00452FF9   , :004531CB   

|:004B9033   

|

:0042F1A0 64A100000000            mov eax, dword ptr fs:[00000000]



Every one of those addresses is a place where this program calls the 

IsValidCode() routine to see if the program is registered.  Now, the 

question remains.how do you patch this program so that it is 

registered.  Look again to the section of code that calls the 

IsValidCode() routine, specifically at the jump to Bad_Guy.  It will 

jump if eax = 0.  So, the easiest way to patch this program is to write 

over the mov eax, dword ptr fs:[00000000] in the called function with:



push   00000001

pop    eax

ret



(In hex that would be 6A0158C3)



The function now always returns 1 in eax, and the program thinks that 

it has been registered.

 

Final Notes

The techniques employed here do not only apply to cracking programs with

name/reg code routines.  Do not limit yourself by thinking "Inside the Box",

these techniques can be used with many other types of protections as well.

(for example, many times a date check and a nag screen are done by

one function)

 

Ob Duh