What to look for

╖ Hints for the beginner - what shoud I look for? ╖

© 1997 by Cruehead / MiB

Preface

Hello once agian wannabe-cracker! Are you're sitting there, thinking "Yeah - Now I think I know what all those strange words like CMP, JE, Softice and Wdasm are, but I still dont know what I'm looking for?". If your answer is yes, then read on because here I'll describe some common things to look for when you're reverse engineering. If your answer is no, dont spend your time with this - get out there and start the cracking!

Memory Echo - A common way to find a valid serial is to find what the legendary +ORC calls the memory echo. This is the place where our entered serial is compared to the real, valid serial (often calculated from our entered username). You can crack alot of programs, just finding the memory echo, so be suspicious when you see a code like this:


mov bl,[esi]	;Take one byte from the correct serial
mov bh,[edi]	;Take one byte from the serial entered
cmp bl,bh	;Compare them
jne ...		;If they dont match, then the serial entered is an invalid serial.

So, to find the memory echo here, you would, in softice, write "d esi", and then you'd see the correct serial in your datawindow.
Another code snippet that does the same thing could look like this:


mov ecx,lengthofvalidserial	;How many bytes to compare
repz cmpsw  			;Compare string at ds:esi (correct serial) with es:edi (our serial)
je ...	 			;Jumps to the "valid serial" label if the strings match.

To find the memory echo for a program that uses a code like this, you would, in softice, write "d esi". Just like the example above! Well, By now I hope that you understand a little bit more about what the memory echo is, and how to find it!

30daylimit - Many days only work for a sertain number of days (mostly 30 = 1 month), but the apart from this limit, the program is fully functional. What you must do in this case, is to find where the "number of days used" get compared to "30", and modify the code. Here is what the code may look like:

mov ecx,1E		;Mov 1Ehex (=30 dec)  into ecx
mov eax,[esp+10]	;Mov number of days used into eax
cmp eax,ecx		;Compare eax (number of days used) with ecx (30)
jl ...			;If eax is less then 30 we can still evaluate the program.

A simple way to crack this would be to change "mov eax,[esp+10]", into "mov eax,1" or something. Then the program will always think that we are on our first evaluation day. Another way to crack this would be changing the conditional jump, into a unconditional jump.

Nagscreens - "This version of xxxxxxxx is shareware! Please register if you use it blah blah...". You recognize this??? This is what we call a Nag screen! Sometimes there are no serial box, or no time limit, just a nag screen, so if we could remove it, we would have cracked the program. So, what you should be looking for is something like this:


cmp byte ptr [00480EB9], 00	;Compare a flag (the registered flag) in memory with zero
jne 004212F2			;If it is something else then zero, then it's a registered copy, so dont show the nagscreen

You can crack this example in many ways, the easiest would be just changing the "jne" to a "jmp".

Target programs - Ok, now that you know what to look for you problaby want an easy target to practise on, right?

Winzip 6.2 - A good newbie target for the memory echo method.
Ultraedit v5.00a - A nice target for time limit cracking.
Graphic Workshop 95 v1.1y - A nice target for removing nagscreens.

There - by now you should at least have a clue on what to look for, but remember that MANY programs have atleast somewhat more difficult protection schemes, but if you read and UNDERSTAND this essay, you should soon be able to crack those too!

Anything you want to ask me about? Cruehead_@hotmail.com is my email.

Back to tutorial page.