|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
|
|
|
|
:0043D257 PUSH 00
:0043D259 CALL USER32!MessageBeep
Scroll upwards to see what caused the program to jump to :0043D257.
Ahhh...
:0043D1BF
CALL 0048E608
<- Check Name and Registration Number
:0043D1C4
TEST EAX, EAX
<- Is the Registration Number legit?
:0043D1C6
JZ 0043D257
<- If zero, then bad cracker!
:0043D1CC PUSH 004C8358
<- Start of Good Code
Now ask yourself: "If I were a programmer, and I wanted to make sure
that the calculation routine worked, what would I do?" Answer: Why, set
a breakpoint on the call at :0043D1BF, of course!
Clear your breakpoints by typing bc *
Now, set a breakpoint on the call at :0043D1BF by typing bpx 015F:0043D1BF
(note: the 015F is the code segment, and it might be different on your
computer).
Type X to return to the program. Ready? Enter your name
and fake registration number again (and...DON'T FORGET THE '-').
Click on "Register!" Bang! We are now at:
:0043D1BF CALL 0048E608
Do you see that there are two interesting PUSH instructions just above
this call?
:0043D1B5
PUSH 004D1E70
:0043D1BA
PUSH 004D1BB4
Type d 004D1E70. Hey, the fake number!
Type d 004D1BB4. Hey, your name!
Ok. Press 'F8' into the call.
F10 until you reach:
:0048E615 CALL 004B39C8 <-routine to calculate length of Name
If you look at the three instructions above this call, you will see
(by dumping them) that ESI now contains the fake number, and EBX
contains the Name. Notice how only EBX (containing the Name) gets pushed
before the call.
F10 over the call.
This routine was redundant, really, as EAX already held the length
of the name that you had entered. Did the programmer really think that
the name was going to change AFTER you clicked on "Register!"?
:0048E61B CMP EAX, 05
:0048E61E JAE 0048E624
<- Jump if name is at least 5
characters in length
F10 until you reach the next call:
:0048E626 CALL 0048E528
F8 into this call.
F8 until:
:0048E534 PUSH 2D
If you type ? 2D you'll see that it is a '-'. So, the program
is going to be looking for a '-' in the registration number.
F8 into the next call at:
:0048E537 CALL 004B3974
Here we have a routine that is going to count the number of characters/numbers in the registration number that you had entered.
:004B3978
MOV EDI, [EBP+08] <- Fake
reg number in EDI
:004B397B
MOV EDX, EDI
<- EDX now holds fake reg number
:004B397D
MOV ECX, FFFFFFFF <- Setting
up for a count
Note: anytime you see FFFFFFFF being put into ECX, you are most likely at the start of a routine that determines the length of some string or number.
:004B3982
XOR AL, AL
<- Zero out AL
:004B3984
CLD <- CLear
the Direction flag for a string operation
:004B3985
REPNZ SCASB
<- While not 0, scan string byte
:004B3987
NOT ECX
<- ECX = length of string + 1
:004B3989
MOV EDI, EDX
<- EDI holds fake reg number
:004B398B
MOV AL, [EBP+0C]
Ahhh...AL now holds 2D. So. The program IS going to check for a '-' in the reg number.
:004B398E REPNZ SCASB <- While not 0, scan string byte
You DID put a '-' in your registration number, didn't you? If not, then please do so and then return to this point.
:004B3990
JNZ 004B3998 <- No
'-' found? Then jump, bad cracker!
:004B3992
LEA EAX, [EDI-01] <- Fake
reg number from '-' to end of
<- number in EAX
F8 until you return from the call.
:0048E53C
ADD ESP, 08
:0048E53F
MOV EBX, EAX <- Fake
reg number from '-' to end of number
<- in EBX
:0048E541
TEST EBX, EBX <- IS there
a number in EBX?
:0048E543
JNZ 0048E54C <- If
not 0 there is!
At this point the program jumps to :0048E54C if there is a '-' in the fake registration number.
:0048E54C MOV BYTE
PTR [EBX], 00 <- Zero out the '-' in the fake
number
:0048E54F PUSH
ESI
If you type d ESI you'll see your fake number without the '-'.
:0048E550 CALL 004B8D5C
F8 into this call.
F8 until:
:004B8D66 MOV AL, [EDX]
This puts the first number in your fake reg number into AL.
F8 until:
:004B8DA0
CMP AL, 30 <- Is
it a '0'?
:004B8DA2
JL 004B8DA8
:004B8DA4
CMP AL, 39 <- Is
it a '9'?
:004B8DA6
JLE 004B8D90
What this routine does is check to see whether the reg number character
in AL is between a 0 and a 9.
F8 through the checking until you reach:
:0048E56A CALL 004B8D5C
At this point, in case you didn't notice, the program put the '-' back
in the fake reg number.
F8 into this call until you return (well, you CAN hit F10
if you really want to).
F8 until you reach the next call:
:0048E577 CALL 004B39C8
Notice that just before this call the program pushes EAX, which holds
the name that you entered.
F8 into this call.
If you study this routine, you'll see that it again seems to count
the number of characters in your name.
F10 until you return from the call.
Now, F8 until you reach:
:0048E594
MOVZX ESI, BYTE PTR [ECX]
:0048E597
IMUL ESI, [EAX*4+004CCB30]
:0048E59F
ADD EBX, ESI
:0048E5A1
INC EAX
:0048E5A2
CMP EAX, 26
:0048E5A5
JLE 0048E5A9
Hmm...looks like a calculation routine to me!
F8 until the conditional jump at :0048E5AE no longer jumps:
:0048E5AE JL 0048E594
Next, you'll see a CMP instruction:
:0048E5B0 CMP EBX, [EBP-04]
If you check to see what EBP-04 is, you'll find the hex value for the
first part of your fake reg number. To get this (if you really don't want
to look at the upper-right corner just above your data window in Softice),
type d EBP-04. See the first numbers in the data window? (Example:
1617:00034567 FD 02 00 00 00 00......). Take the numbers that you
find there (in my case they are FD 02) and reverse them: 02FD. If you type
? 02FD (or whatever your numbers were), you'll see that it is the
first part of your fake registration number (before the '-').
If you now type ? EBX you'll see what the program is looking
for. Write this number down.
Disable your breakpoints (type bd *) and set a new one at that
CMP instruction.
BPX 015F:0048E5B0 (the 015F is the Code Segment. It might be
different on your computer).
Now, type X to return to the program. Oops...back in Softice.
Type X again to return to the program. Put in your name and the
value that you wrote down (that EBX held at :0048E5B0). After that number,
put a '-' and whatever other numbers that you want. Ready?
Click on "Register!"
Ok. We're back in Softice at the CMP EBX, [EBP-04] instruction:
:0048E5B0 CMP EBX,
[EBP-04] <- Are they the same? (they
SHOULD be, now)
:0048E5B3 JZ 0048E5B9
<- Yes? Then jump.
F8 until the conditional jump at 0048E5EE no longer jumps:
:0048E5EE JL 0048E5CD
Note that the whole routine that you just traced through calculates
the second part of the REAL registration number.
F8 past this JL 0048E5B9 instruction.
:0048E5F0 CMP EBX, [EBP-08]
Could it be? Yes, it is! If you look at the value at EBP-08, you'll
see that it is the second part of your fake number. What, then, does EBX
hold?
Type ? EBX
Well, what do you know! The REAL second part of the registration number.
Write this number down (the decimal part of it without the leading
zeros).
Clear your breakpoints (type bc *).
Type X to go back to the program.
Enter your name, as usual.
Now, enter the first number that you wrote down + '-' + the second
number that you wrote down (in my case it is 3559-259043).
Click on "Register!"
Ahhh...the smell of success!
Program cracked.
|
|
|
|
|
|
| [ Return ] |