Sourcer v6.51
Tool of Our Trade
by ytc_ [tNO '99]
Target: Sourcer v6.51
URL: Not available (but the target can be found in ORCPAK2.ZIP at +Greythorne's website)
Tools used: Softice v3.x (I'm using the WinNT version)
Protection: Serial number
Level: Beginners/Newbies
Introduction
Uh oh, I'm going insane ;-). This is my third tutorial in one day!! I think I'm going to love DOS cracking more than Windows cracking. It is so MUCH more interesting. As usual, I'm tackling an old version, Sourcer v6.51. Actually, a serial number is already given in the package that comes with orcpak2.zip, by X-Force (I assume; a very famous group, with very good crackers too). But we are crackers!! We should be getting OUR own serial numbers instead of depending on others!! So, let us continue.
Essay
I will assume that you have already set up your copy of Softice and know how to use it well, including knowing what the shortcut function keys are (F8, F10, F11 and F12). If not, I suggest you read some other essays on how to set up Softice first before continuing. I will also assume that you have a fair knowledge of assembly language.
Like my previous tutorials, we are going to depend on loops to find our VALID serial number. So, run sr.exe and you will be presented with a screen asking you to enter your serial number. Entering an invalid number and pressing Enter clears the field and asks you to enter it again. So, Ctrl-D into Softice and start tracing to find that holy loop. I found mine in less than a minute and it looks like this.
FE2E:3768 E87D18 CALL 4FE8
FE2E:376B 53 PUSH BX
FE2E:376C 33DB XOR BX,BX
FE2E:376E E8F711 CALL 4968
FE2E:3771 5B POP BX
FE2E:3772 72EE JB 3762
FE2E:3774 B401 MOV AH,01
FE2E:3776 E8DF13 CALL 4B58
FE2E:3779 7502 JNZ 377D
FE2E:377B EBEB JMP 3768
FE2E:377D 32E4 XOR AH,AH
FE2E:377F E8D613 CALL 4B58
FE2E:3782 C3 RET
Very familiar, isn't it? So, place a 'bpx' on 377Dh, get back to the program, and enter a bogus serial. You break again immediately. Here, notice that the program gave us a hint about what the serial looks like, which is of the form 'SR123456-ABCD'. The first 2 characters must be SR, followed by 6 digits, a dash (-) and 4 letters, all in upper case (but since it mentioned that casing isn't important, that means sr.exe uppercases our serial during the serial check).
So, after following a few returns and finally an 'iret' (interrupt return, indicating you're returning from an interrupt routine), you find yourself here.
1442:06E4 B407 MOV AH,07 <== beginning of loop
1442:06E6 CD21 INT 21 <== Direct Character Input, Without Echo
1442:06E8 3C00 CMP AL,00 <== AL contains the entered character
1442:06EA 7506 JNZ 06F2 <== jump if a character was entered (AL is not 0)
...
1442:06F0 EBF2 JMP 06E4
1442:06F2 80FE03 CMP DH,03
...
1442:0704 3C0D CMP AL,0D <== is the Enter key pressed?
1442:0706 7442 JZ 074A <== jump if yes
...
1442:071C 8807 MOV [BX],AL <== store character
1442:071E B402 MOV AH,02
1442:0720 8AD0 MOV DL,AL <== DL = character to write
1442:0722 CD21 INT 21 <== Write Character to Standard Output
1442:0724 43 INC BX <== increase ptr
1442:0725 49 DEC CX <== decrease counter
1442:0726 EBBC JMP 06E4 <== loop back
Hmm.. pretty obvious, isn't it? This code retrieves every character we enter and stores it, and when the Enter key is pressed, it goes to 074Ah. At that location (whose code isn't worth pasting here), our serial is copied to another location, followed by a 'retf' (return far) instruction. Next, we land here.
7A16:5E3B 9AC0064214 CALL 1442:06C0 <== call retrieve_serial
7A16:5E40 80F90B CMP CL,0B <== you land here
7A16:5E43 7240 JB 5E85 <== check whether the serial is shorter than 13 characters (ours isn't) and jump if it isn't
7A16:5E85 2E8E1E1A69 MOV DS,CS:[691A]
...
... compare whether the first 2 bytes are "8" or "5", then uppercase and replace the old bytes ...
7A16:5ECF BF6A00 MOV DI,006A <== points to a partly hardcoded serial!!! (which is SR322449-XBIO)
...
7A16:5ED7 47 INC DI
..
7A16:5EDD 47 INC DI <== DI points to "322449", and SI to our serial
7A16:5EDE B90600 MOV CX,0006 <== no. of bytes to compare
7A16:5EE1 F3A6 REPZ CMPSB <== compare!!!
7A16:5EE3 750A JNZ 5EEF <== jnz beggar_off
...
7A16:5EEA AC LODSB <== load next byte (the dash)
7A16:5EEB 3C2D CMP AL,2D <== CMP AL,"-"
7A16:5EED 7403 JZ 5EF2 <== jump if equal
7A16:5EEF E95101 JMP 6043 <== jmp bad_cracker
7A16:5EF2 BE5465 MOV SI,6554 <== points to the 2nd letter of the serial
... loop to calculate a constant from "SR322449" ...
7A16:5F23 46 INC SI <== now SI points to the last 4 letters
7A16:5F24 BB0869 MOV BX,6908 <== BX = table used by XLAT
7A16:5F27 B504 MOV CH,04 <== 4 letters to check
7A16:5F29 B104 MOV CL,04 <== rotate count
7A16:5F2B D3C0 ROL AX,CL <== AX is the constant from the previous loop
7A16:5F2D 8BD0 MOV DX,AX <== keep the rotated value
7A16:5F2F 250F00 AND AX,000F <== low nibble only
7A16:5F32 D7 XLAT <== table lookup: AL = [BX+AL]!!!
7A16:5F33 8024DF AND BYTE PTR [SI],DF <== uppercases our letter
7A16:5F36 3A04 CMP AL,[SI] <== compare!!!!!!
7A16:5F38 75B5 JNZ 5EEF <== JNZ beggar_off
7A16:5F3A 46 INC SI <== next byte
7A16:5F3B 8BC2 MOV AX,DX <== restore the rotated value
7A16:5F3D FECD DEC CH
7A16:5F3F 80FD00 CMP CH,00 <== any more bytes?
7A16:5F42 75E7 JNZ 5F2B <== if yes, repeat
7A16:5F44 B8E1FD MOV AX,FDE1 <== go on!! registered!!
As you can see from my comments, this is a simple table-driven transformation that determines our correct serial: the 16-bit constant is rotated by 4 bits, the low nibble selects a character from the table at 6908, and that character is compared against the next (uppercased) letter we typed. The end result we should get is SR322449-TAWE. Upon entering a correct serial, sr.exe patches itself to indicate that the program is already registered.
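Added here as an illustration, not code from the essay or from Sourcer: a C model of the check path from 5E40 onward. The XLAT table at 6908 and the 16-bit constant the earlier loop derives from "SR322449" are not on the page, so both are constructed placeholders. What it makes visible is the design weakness: each expected letter is computed into AL and compared in the clear, so the very loop that checks the suffix also yields it, which is why a tracer sees the answer one instruction before the CMP.

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-ins: the real XLAT table at 6908 and the 16-bit
 * constant computed from "SR322449" are not given in the essay. */
static const char TABLE[16] = "ABCDEFGHIJKLMNOP";
#define AX_CONST 0x1234u

/* Models 7A16:5F2B-5F42: ROL AX,4 ; AND AX,0F ; XLAT ; AND [SI],DF ; CMP.
 * Returns 1 when all four suffix letters match the table lookups. */
int check_suffix(uint16_t ax, const char *suffix)
{
    for (int i = 0; i < 4; i++) {
        ax = (uint16_t)((ax << 4) | (ax >> 12)); /* ROL AX,CL (CL=4) */
        char expected = TABLE[ax & 0x0F];        /* AND AX,000F ; XLAT */
        char entered = (char)(suffix[i] & 0xDF); /* AND BYTE PTR [SI],DF */
        if (expected != entered)                 /* CMP AL,[SI] ; JNZ */
            return 0;
    }
    return 1;
}

/* Models the whole path from 5E40: 13 characters, "SR", the hardcoded
 * digits "322449" (REPZ CMPSB), the dash, then the suffix loop. */
int check_serial(const char *s)
{
    if (strlen(s) != 13) return 0;
    if ((s[0] & 0xDF) != 'S' || (s[1] & 0xDF) != 'R') return 0;
    if (memcmp(s + 2, "322449", 6) != 0) return 0;  /* REPZ CMPSB */
    if (s[8] != '-') return 0;                       /* CMP AL,2D */
    return check_suffix(AX_CONST, s + 9);
}

/* The weakness: every expected letter is materialized in AL right before
 * the CMP, so the same loop reproduces the suffix the check accepts. */
void expected_suffix(uint16_t ax, char out[5])
{
    for (int i = 0; i < 4; i++) {
        ax = (uint16_t)((ax << 4) | (ax >> 12));
        out[i] = TABLE[ax & 0x0F];
    }
    out[4] = '\0';
}
```

With the constructed table and constant, the accepted suffix is "BCDE"; a check that compared a keyed hash of the whole serial against a stored digest would not expose the expected characters this way.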
> fc sr.exe sr.bak /b
Comparing files SR.EXE and SR.BAK
00000A08: 9F 9E
00000A09: 9E A5
00000A0B: A0 9F
00000A0C: A7 A2
00000A0F: A4 A3
00000A12: 1E 20
Final Notes
I remember seeing an essay on Sourcer v7 on Fravia's site (advanced cracking section), by +Frog Print, using bpints to crack the program. The strange thing for me is that, no matter what bpints I used, it would NEVER break. That's why I depended a LOT on these loops. Anyway, I hope you can understand the method I used.
Greets
There are a lot of people that I know, so I'll just greet everyone, especially those in #tno, #win32asm, #cracking4newbies and #cracking on EFNet.
Email: y_t_c@usa.net
Website: http://ytc98.cjb.net