It all started when I got hold of the Harrison’s Internal Medicine 14th ed. CD-ROM. I found that it shipped with a very interesting and useful Challenger Interactive program. The only trouble was that it needed to be registered to become fully functional (sound familiar?). After extensive searches on the internet, I found that no one had bothered to crack this program.
That was when I decided to delve into the world of cracking. There was plenty of help out there on the net for a newbie like myself (tutorials, crackme’s and the sort). After a couple of weeks of research, a couple more of sleepless nights I finally did it. This tutorial was not written to boast about my cracking skills nor was it intended to be the final word in the matter of cracking (there will never be). It was written to show that anyone could learn to crack with a little guidance.
You need to alter the winice.dat file in the SoftICE directory before we can get started.
Open the file in notepad.
INIT = "color f a 4f 1f e;wc 8;wd 5;ww 2;code on;watch es:di;watch ds:si;x;"
TRA = 92
Save the file, restart windows and press Ctrl-d and you should be greeted by a black screen with arcane numbers and letters. Welcome to the world of SoftICE!. You will find it easier if you take a hardcopy of this tutorial so that you don’t have to switch between cracking and reading this text often.
A little knowledge of assembly language is essential. There are many books available on the subject. You can even download entire texts from the net. I recommend Peter Norton’s ‘Assembly language book for the IBM PC’ to start with. Familiarize yourself with hex numbers, hex maths, logical operators, memory & registers.
When you press Ctrl-d you should see something like this (values will differ) :-
EAX = BF77D004 EBX = ABCD1234 ECX = 00845ED1 EDX = 001985DA ESI = C0FE2401 EDI = ABD12390 EBP = 123DC12A ESP = 00789122 EIP = 12345ACD o d s I z a p c CS = 1024 DS = AC12 SS = 19AC ES = AC12 FS = 5D00 GS = 0000
ES:DI = 46AD DS:SI = AC
2227:00001AB0 AD CD 00 00 12 14 15 A0 - CA AB CD 12 00 00 A0 BA ….$4….!…
1ABC:00002AEF 51 PUSH ECX 1ABC:00002AF0 CC INT 3
WINICE: Free32 Obj=02 Mod=recovr32I’ll explain as we go along.
Our aim is to break out of the loop and find out what the program checks for in the entered sn. Having done that we should be able to defeat the protection scheme.
bc * (To clear all previous breakpoints). bpx getwindowtext (To set the breakpoint). Press Ctrl-d again. Enter a serial number. I typed DAZE-1234-ABCD-wxyz. Press next and voila! you are back in SoftICE.Now press F12 to get to 'Medchall' where the function was called from. You should see the following :-
3A01 CALL USER!GETWINDOWTEXT 3A08 JMP 3A09
s ds:0 l 800000 ‘DAZE’ (search from ds:0 to ds:8000000 for ‘DAZE’). We find it at DS:B5A8 (values may change). Now lets set another breakpoint at the memory address where our sn is stored. bd 0 (Disable first breakpoint). bpm DS:B6A8+15 rw (break on memory access of sn read/write).
Press ^D and you should see the entire sn in the data window. Press ^D again and the sn should change to capitals. This is the first operation on the sn.
F2AE REPNZ SCASB ; Determine length of entered sn.
NOT CX
JNZ 49E0
F3A5 REP MOVSW ; Copy sn from ds:si to es:di.
ADC CX,CX
REPZ MOVSB
XCHG AX,CX
Now type :-
bpr ds:b6a8 ds:b6a8+15 rw (set the breakpoint on the memory range where the sn is stored). bd 1 (disable the prev. bp). ^D
xxxx:3E69 CMP BYTE PTR [BP-26],57 ; Check if the first letter is ‘W’
JZ 3E72 ; Proceed if yes.
JMP 3F17 ; Quit if no.
xxxx:3E72 MOV BL,[BP-25] ; Check 2nd letter against value in table.
SUB BH,BH ; Located at BX+0B29.
TEST BYTE PTR [BX+0B29] ; Perform logical AND.
JNZ 3E81 ; Jump if it checks out.
JMP 3F17 ; Quit.
xxxx:3E81 MOV BL, [BP-24]
SUB BH,BH
TEST BYTE PTR [BX+0B29],80
JNZ 3E90
JMP 3F17
OK, what do we have here? looks like a check routine. Each block checks a part
of the sn. If it checks out, it jumps to the next step else it quits (JMP 3F17).
Press F10 to step through the code one line at a time. At the first jump, we
would expect the program to quit since ‘D’ is the first letter of
our sn. Now comes the cheating part. After the CMP statement at 3E69, type
'r fl z' to toggle the zero flag. The no jump will magically change into a
jump, now press F10 to continue to 3E72. I'll leave you to play hopscotch with
the rest of the code in the same manner.
3F12 JZ 3F17
3F14 JMP 3F3E
Keep pressing F10.
3F3E MOV BL,[BP-25] ; 2nd letter of sn.
3F78 MOV WORD PTR [BP-3C], 0001
MOV AL,[BP-23] ; 4th letter.
MOV [BP-3A],AL ; Copy to BP-3A
MOV AL,[BP-22] ; 5th letter.
MOV [BP-39],AL ; Copy to BP-39
MOV AL,[BP-1B] ; 12th letter.
MOV [BP-38],AL ; Copy to BP-38
Whats going on here? it looks like parts of the sn are being taken
and stored elsewhere (at BP-3A to BP-38). Take a look at the
data window a few lines above where the sn is by using the ALT-up arrow.
You should see E1D (if you entered the same sn as I did) which are
the 4th, 5th & 12th letters of the
sn respectively. Now lets place a breakpoint on this new location.
bpr ds:bp-3a ds:bp-41 rwA ^D will land you some where in the middle of this big loop.
3FED INC WORD PTR [BP-3E]
CMP WORD PTR [BP-3E],08
JL 3FF9
JMP 4075 ; This routine builds up the remaining 5 letters.
3FF9 MOV CL, [BP-42] ; Of the reassembled code at [BP-37] to [BP-33].
LES BX, [BP-4A] ; You could do some hex math and figure what
INC WORD PTR [BP-4A] ; really is going on here, but we don’t
have to!.
MOV AL,ES: [BX]
SHL AL,CL
MOV SI, [BP-3E]
40AA MOV [BP+SI-3A], AL
MOV CL, [BP-44]
JMP 3FED ; Loop to 3FED.
Keep pressing F10 to loop around eight times! or press ^D 7 times and then
F10 to step through the last time till the routine exits the loop at JMP 4075.
MOV AL, [BP-30] CMP [BP-46], AL JNZ 4080 ; Invalid sn routine. JMP 40A7 ; sn is OK !.This is the final check on the sn. F10 through the code and at the JNZ statement type 'r fl z', you should know why by now!. Lets analyze what has happened till now. An eight letter string is extracted from the 16 digit sn we entered. Could this be a filename? It just so happens that it is. In the Challeng\data directory there exists the following files :-
ECGCHALL.LIC IM1CHALL.LIC IM2CHALL.LIC IM3CHALL.LIC IM4CHALL.LIC IM5CHALL.LIC INTCHALL.LICIs it a coincidence that all these files are 8 characters long? There is only one way to find out. Press Alt-D to edit the data window. Press Tab to get to the ASCII display. Change the E1D to ECGCHALL. Press Tab to edit the hex display and add a ’ ’ after the ECGCHALL. Press Alt-D to return to the command window.
Disable all breakpoints with 'bd *' and ^D to start the ball rolling again. Voila! the Registering… wait a moment window should popup. I’ll leave it up to you to license the other modules. Remember once licensed you can make a license diskette for use on another machine!.
The principles described above hold good for any program. So practice on other software. Remember learn what you don’t know, share what you do. Good luck!.
dr_daze.
Mail your comments to: dr_daze@usa.net.
Hint: WAAA-AAAA-AAAA-AAAA.