There is a crack, a crack in everything. That's how the light gets in. |
Hey you guys at Glacier Software, your program is still bug ridden and needs more testing.
In particular: after installing the program, if Strip_It is unable to find WinAmp it asks
the user either to download WinAmp or to cancel until later; your program then displays an
"Information" dialog box telling the user how to get Strip_It to communicate with WinAmp once
they do download it. However, any attempt to click the 'OK' button results in this dialog
being displayed over and over again in an endless loop. The only way to stop it is by pressing
CTRL + ALT + DEL and selecting END TASK on your program, or by re-booting the PC!
The key we're interested in is the \REG entry, which contains the following values:-
REG_CODE = 0
REG_NAME = ""
One other item of interest...
If you run the program, exit from it, and then set the computer's date to BEFORE the date
you originally ran Strip_It, a message box appears asking if you're trying to get round the
Shareware restriction! Selecting the 'OK' button makes the program exit, and you can't run
the program again UNTIL you set the computer's date back to the date you originally ran it.
If this happens and you can't run the program with the real day/month/year, open up your
System Registry with REGEDIT (the Windows '95 utility), search for Glacier and DELETE the
whole branch including sub keys. Then re-run Strip_It and re-register it with your sniffed
out serial number.
Nice try guys, but this is a rather lame trick and one that can be easily patched or reset
in about 5 seconds flat..:)
So it seems all we have to do is nop (90h) out this conditional jump instruction for the program to accept any serial number we give it!
Let's see what happens, shall we..
Fire up the program and on the initial Nag Screen choose to Register it. Fill in your Name and any sequence of numbers you care to use.
Press Ctrl-D and then type: bpx hmemcpy, then x to exit out of Softice.
We can't get Softice to break on our favourite functions like MessageBoxA, GetWindowTextA
or GetDlgItemTextA because this program does not use any of these functions during its
processing of our serial number, so we fall back on good old hmemcpy. If you find another
way into the program then by all means use that instead of hmemcpy, since all we want at
this point is to get into the program's code.
Now try to add a SPACE character to the end of your name or serial number..
Softice breaks, so press the 'F11' key, then keep pressing the 'F10' key many times (be
patient) until Softice tells you that you're now in Strip_It's code. Softice should display:-
STRIP_IT!Code+XXXXXXXX
;The 'X's represent a memory offset value.
From here we want to set a breakpoint just before the Jump Not Equal instruction at memory
offset 00487138 that we suspect decides whether or not our Serial Number is valid.
So type: bc * to clear any previous breakpoints within Softice, then type: u 00487114 to
show us the section of code we're interested in. Make sure Softice displays this section
of code:
:00487114 8B858CFEFFFF   mov eax, dword ptr [ebp+FFFFFE8C]
:0048711A 50             push eax
:0048711B 8D9588FEFFFF   lea edx, dword ptr [ebp+FFFFFE88]
:00487121 8B8318020000   mov eax, dword ptr [ebx+00000218]
:00487127 E864AAF9FF     call 00421B90
:0048712C 8B9588FEFFFF   mov edx, dword ptr [ebp+FFFFFE88]
:00487132 58             pop eax
:00487133 E8A8CEF7FF     call 00403FE0
:00487138 7565           jne 0048719F                        ;The jump we're interested in.
From here you will need to type: bpx 00487114 followed by x to leave Softice.
Right, now delete the extra SPACE character you've just added to your name or serial
number, then click once on the 'Register' button.
Softice now breaks once again..
:00487114 8B858CFEFFFF   mov eax, dword ptr [ebp+FFFFFE8C]   ;You land here.
:0048711A 50             push eax
:0048711B 8D9588FEFFFF   lea edx, dword ptr [ebp+FFFFFE88]
:00487121 8B8318020000   mov eax, dword ptr [ebx+00000218]
:00487127 E864AAF9FF     call 00421B90
:0048712C 8B9588FEFFFF   mov edx, dword ptr [ebp+FFFFFE88]
:00487132 58             pop eax
:00487133 E8A8CEF7FF     call 00403FE0
:00487138 7565           jne 0048719F                        ;The jump we're interested in.
If you press the 'F10' key once and then type: d eax, you should see your REAL serial number for the Name/Handle you've used, right there in Softice's data window!
By pressing the 'F10' key and displaying the contents of the registers after each instruction, you will quickly build up a better picture of what is happening here:-
:00487114 8B858CFEFFFF   mov eax, dword ptr [ebp+FFFFFE8C]   ;Get Real Serial
:0048711A 50             push eax                            ;Save real Serial
:0048711B 8D9588FEFFFF   lea edx, dword ptr [ebp+FFFFFE88]   ;Get your Name
:00487121 8B8318020000   mov eax, dword ptr [ebx+00000218]
:00487127 E864AAF9FF     call 00421B90                       ;Returns: EAX = length of your serial No
:0048712C 8B9588FEFFFF   mov edx, dword ptr [ebp+FFFFFE88]   ;EDX = Your Serial
:00487132 58             pop eax                             ;Get real Serial
:00487133 E8A8CEF7FF     call 00403FE0                       ;Returns: EAX = FFFFFFFF if invalid, EAX = 00000000 if valid serial
:00487138 7565           jne 0048719F                        ;The jump we're interested in.
As you can see, we don't need to patch that jne 0048719F instruction after all; we can
sniff out the real serial number much more easily..:)
Job Done.
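The listing above shows why sniffing works: the program derives the real serial from the name in its own memory and then compares the two strings, so the real serial is sitting in EAX at the moment of the compare. The example below is added here and is not Glacier Software's code; the serial algorithm and the toy RSA key pair are constructed assumptions. It puts that weak pattern beside a check where the shipped program holds only a public key and the serial is the vendor's signature over the name, so nothing in memory at the compare yields a serial for any other name.

```python
import hashlib
from hmac import compare_digest

# --- Weak pattern, mirroring the disassembly: the program computes the real
# serial from the name and compares it with what the user typed. Whatever the
# algorithm is, its output must exist in memory right before the compare.
def real_serial_weak(name: str) -> str:
    # Constructed stand-in for the program's own serial algorithm (unknown).
    return hashlib.sha256(name.encode()).hexdigest()[:8].upper()

def check_weak(name: str, serial: str) -> bool:
    expected = real_serial_weak(name)       # real serial now in memory ("d eax")
    return compare_digest(expected, serial)  # this is the jne at 00487138

# --- Signature pattern: a serial is the vendor's RSA signature over the name.
# The program ships with only (N, E); D never leaves the vendor.
P, Q = 1000003, 999983                 # toy primes, far too small for real use
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: vendor side only

def name_digest(name: str) -> int:
    # Hash of the registered name, reduced into the RSA modulus.
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def vendor_issue_serial(name: str) -> str:
    # Runs at the vendor when a licence is bought; never compiled into the program.
    return format(pow(name_digest(name), D, N), "x")

def check_signed(name: str, serial: str) -> bool:
    # What the shipped program does: verify with the public key only. A debugger
    # here sees the name hash and the public key, neither of which yields a serial.
    try:
        sig = int(serial, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == name_digest(name)
```

Patching the conditional jump still defeats both checks on an unmodified binary; the signature only removes the serial-sniffing shortcut, so a real product would still pair it with integrity checks or server-side validation.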
However, once we had set a breakpoint a few instructions before our conditional jump
instruction and taken the time to see what information was being manipulated, we quickly
saw yet another, much easier way to *crack* this program.
My thanks and gratitude go to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.