To start our cracking session, choose "Bestellen & Freischalten" (Ordering & Unlock). You'll now be looking at two input fields, one asking for your User Name and one asking for your Unlock Code. As User Name enter "Cracking Tutorial" and as Unlock Code enter "12345". Now we need to set the breakpoints in SoftICE, so enter SoftICE and set a breakpoint on HMEMCPY. Then leave SoftICE and press the Unlock button (the button with the key). SoftICE will pop up now; since there were two input fields, we can skip the first one, so press CTRL-D. SoftICE will pop up again. Press F12 until something like the following code gets displayed:
:0042B903 MOV EDI,[KERNEL32!lstrlen]
:0042B909 LEA EAX,[EBP+FFFFFBE8]
:0042B90F PUSH EAX
:0042B910 CALL EDI
:0042B912 CMP EAX,04                  ; Has User Name at least 4 chars?
:0042B915 JGE 0042B92D                ; If so, JMP!
...
:0042B923 CALL 00407DE2
:0042B928 JMP 0042BB03
:0042B92D LEA EAX,[EBP-0214]
:0042B933 PUSH EAX                    ; PUSH our fake Unlock Code
:0042B934 CALL EDI                    ; do some Unlock Code checking
:0042B936 TEST EAX,EAX                ; Special Part of Unlock Code ok?
:0042B938 JNZ 0042B95E                ; if not, JMP
Since this JNZ at 42B938 is very important, we must check that CALL at 42B934! So enter this CALL. After some tracing, something like the following code snippet will be displayed:
:0042B95E LEA EAX,[EBP-0214]
:0042B964 PUSH EAX                    ; PUSH fake Unlock Code
:0042B965 LEA EAX,[EBP+FFFFFBE8]
:0042B96B PUSH EAX                    ; PUSH User Name
:0042B96C CALL 004F6F1A                ; do some checking
Well, the CALL at 42B96C obviously checks a part of our Unlock Code, so ENTER this CALL. Now something like the following code snippet will be displayed:
:004F6F1A PUSH EBP                    ; standard prologue: save caller's frame pointer
:004F6F1B MOV EBP,ESP
:004F6F1D SUB ESP,00000204             ; local buffer for the real Unlock Code
:004F6F23 LEA EAX,[EBP-0204]
:004F6F29 PUSH EAX                    ; PUSH pointer to that buffer
:004F6F2A PUSH DWORD PTR [EBP+08]      ; PUSH User Name
:004F6F2D PUSH DWORD PTR [EBP+0C]      ; PUSH fake Unlock Code
:004F6F30 CALL 004F6E81
Since our fake Unlock Code and our User Name get checked again, we need to trace this CALL at 4F6F30. So if you enter this CALL you'll be confronted with the following code snippet:
:004F6E81 MOV EAX,[ESP+04]             ; MOV pointer to fake Unlock Code into EAX
...
:004F6E93 MOV CL,[EAX+EDX]             ; MOV the EDX-th character of fake UC into CL
:004F6E96 CMP CL,30                    ; compare CL with "0"
:004F6E99 JL 004F6F14                  ; if less, invalid code message
:004F6E9B CMP CL,39                    ; compare CL with "9"
:004F6E9E JG 004F6F14                  ; if greater, invalid code message
:004F6EA0 MOVSX ECX,CL
:004F6EA3 LEA ESI,[EDI*4+EDI]          ; ESI = EDI*5
:004F6EA6 INC EDX                      ; EDX+1 (next character of fake UC)
:004F6EA7 CMP EDX,05                   ; 5th character of fake UC reached?
:004F6EAA LEA EDI,[ESI*2+ECX-30]       ; EDI = EDI*10 + digit
:004F6EAE JL 004F6F93                  ; if not, JMP to 4F6F93
:004F6EB0 CMP BYTE PTR [EAX+05],2D     ; Is 6th character of UC a "-"?
:004F6EB4 JNZ 004F6F14                 ; If not, invalid code message
:004F6EB6 CMP EDI,00004E20             ; Is "12345" less than 20000?
:004F6EBC JL 004F6F14                  ; If so, invalid code message
:004F6EBE CMP EDI,00005014             ; Is "12345" greater than or equal to 20500?
:004F6EC4 JGE 004F6F14                 ; If so, invalid code message
So our Unlock Code must start with "xxxxx-", where "xxxxx" must be greater than 19999 and less than 20500. Let's choose 20499, which is greater than 19999 and less than 20500. So the first part of our real Unlock Code is "20499-". Now re-enter the Unlock Code: this time enter "20499-12345". Now we can go on with the tracing:
:004F6EC6 PUSH 06
...
:004F6ECB MOV CL,[EAX+EDX]             ; MOV the EDX-th character of fake UC into CL
:004F6ECE CMP CL,30                    ; compare CL with "0"
:004F6ED1 JL 004F6F14                  ; if less, invalid code message
:004F6ED3 CMP CL,39                    ; compare CL with "9"
:004F6ED6 JG 004F6F14                  ; if greater, invalid code message
:004F6ED8 MOVSX ECX,CL
:004F6EDB LEA ESI,[ESI*4+ESI]          ; ESI = ESI*5
:004F6EDE INC EDX                      ; EDX+1 (next character of fake UC)
:004F6EDF CMP EDX,0A                   ; 10th character of UC reached?
:004F6EE2 LEA ESI,[ESI*2+ECX-30]       ; ESI = ESI*10 + digit
:004F6EE6 JL 004F6FCB                  ; if not, JMP to 4F6FCB
:004F6EE8 MOV AL,[EAX+0A]              ; MOV 11th character of fake UC into AL
:004F6EEB CMP AL,2D                    ; is the 11th character a "-"?
:004F6EED JZ 004F6EF3                  ; if so, JMP to 4F6EF3
:004F6EEF TEST AL,AL                   ; or is it the end of the string?
:004F6EF1 JNZ 004F6F14                 ; if not, invalid code message
:004F6EF3 CMP ESI,000001C2             ; compare "1234" with 450
:004F6EF9 JL 004F6F14                  ; if less, invalid code message
:004F6EFB CMP ESI,000001F4             ; compare "1234" with 500
:004F6F01 JGE 004F6F14                 ; if greater or equal, invalid code message
The next part of our Unlock Code must be greater than "449" and less than "500". But we need one more character before our "-". We can't just append a "0" to this part of the Unlock Code, since then it won't pass the "> 449 < 500" test. So we need to add that "0" in front. And then there must be a "-". Let's choose "0450", which is greater than "0449" and less than "0500". Our current real Unlock Code will now be "20499-0450-". So re-enter your Unlock Code: this time enter "20499-0450-12345". Then go on with the tracing:
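To make the two digit loops above easier to read, here is an added C rendering of what they compute; it is example code written for this page, not part of the original tutorial or of the target program. The paired LEA instructions (LEA ESI,[EDI*4+EDI] followed by LEA EDI,[ESI*2+ECX-30]) are the compiler's way of writing acc = acc*10 + (c - '0'), and every JL/JG/JNZ to 4F6F14 is a return on the "invalid code" path. The function names and the constructed test strings are mine; the constants are the ones in the listing.

```c
#include <stdbool.h>
#include <stdio.h>

/* Mirror of the digit loop at 4F6E93..4F6EAE (and 4F6ECB..4F6EE6):
 * reads ndigits characters, rejects anything outside '0'..'9', and
 * accumulates the value the way the LEA pair does. Returns false where
 * the listing jumps to 4F6F14 (invalid code). Hypothetical name. */
static bool parse_field(const char *s, int ndigits, long *acc)
{
    long v = 0;
    for (int i = 0; i < ndigits; i++) {
        char c = s[i];
        if (c < '0' || c > '9')        /* CMP CL,30 / JL  and  CMP CL,39 / JG */
            return false;              /* a NUL also lands here, so reads stay in bounds */
        long tmp = v * 5;              /* LEA ESI,[EDI*4+EDI]   -> acc*5 */
        v = tmp * 2 + (c - '0');       /* LEA EDI,[ESI*2+ECX-30] -> acc*10 + digit */
    }
    *acc = v;
    return true;
}

/* CMP x,lo / JL invalid  and  CMP x,hi / JGE invalid accept exactly [lo, hi). */
static bool in_range(long v, long lo, long hi)
{
    return v >= lo && v < hi;
}

/* The prefix checks traced on the page, in listing order:
 *   5 digits, '-', first field in [0x4E20,0x5014) = [20000,20500),
 *   4 digits, then '-' or end of string, second field in [0x1C2,0x1F4) = [450,500).
 * Returns 0 on the invalid-code path, 1 if the prefix passes (the later
 * CALL 004F6D91 that derives the rest of the code is not shown on the page
 * and is not modelled here). Hypothetical name. */
int check_prefix(const char *code)
{
    long part1, part2;
    if (!parse_field(code, 5, &part1))      return 0;  /* first loop */
    if (code[5] != '-')                     return 0;  /* CMP BYTE PTR [EAX+05],2D */
    if (!in_range(part1, 0x4E20, 0x5014))   return 0;  /* 20000 <= part1 < 20500 */
    if (!parse_field(code + 6, 4, &part2))  return 0;  /* second loop */
    if (code[10] != '-' && code[10] != '\0') return 0; /* MOV AL,[EAX+0A]; CMP AL,2D; TEST AL,AL */
    if (!in_range(part2, 0x1C2, 0x1F4))     return 0;  /* 450 <= part2 < 500 */
    return 1;
}

int main(void)
{
    /* Constructed inputs: the three codes the tutorial types in, in order. */
    const char *tries[] = { "12345", "20499-12345", "20499-0450-12345" };
    for (int i = 0; i < 3; i++)
        printf("%-20s -> %s\n", tries[i], check_prefix(tries[i]) ? "prefix ok" : "invalid code");
    return 0;
}
```

Two things worth noticing from a design standpoint: each field is accepted if it falls anywhere in a window, so the comparisons against the constants hand the tracer a valid value directly, and the fields are checked independently and in plaintext rather than as a single value tied to the user name. That is what makes the check readable in a handful of single-steps.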
:004F6F03 PUSH EBX
:004F6F04 PUSH DWORD PTR [ESP+18]
:004F6F08 PUSH ESI                    ; PUSH Part 2 of UC (0450)
:004F6F09 PUSH EDI                    ; PUSH Part 1 of UC (20499)
:004F6F0A CALL 004F6D91                ; calculate rest of real UC
:004F6F0F ADD ESP,10
:004F6F12 JMP 004F6F16
:004F6F14 XOR EAX,EAX                  ; EAX = 0: invalid code
:004F6F16 POP EDI
:004F6F17 POP ESI
:004F6F18 POP EBX
:004F6F19 RET
Now let's go on with the
tracing. After the RET instruction at 4F6F19 the rest of the Unlock Code must be checked.
So after you've executed that RET instruction, you'll be looking at the following code
snippet:
:004F6F35 ADD ESP,0C
:004F6F38 TEST EAX,EAX                ; special part of UC not correct?
:004F6F3A JZ 004F6F55                  ; if so, JMP to 4F6F55
:004F6F3C LEA EAX,[EBP-0204]
:004F6F42 PUSH EAX                    ; PUSH real Unlock Code
:004F6F43 PUSH DWORD PTR [EBP+0C]      ; PUSH our entered Unlock Code
:004F6F46 CALL [KERNEL32!lstrcmpi]     ; compare
:004F6F4C TEST EAX,EAX                ; equal?
:004F6F4E JNZ 004F6F55                 ; if not, JMP to 4F6F55
:004F6F50 PUSH 01
:004F6F52 POP EAX                     ; EAX = 1: code accepted
:004F6F53 LEAVE
:004F6F54 RET
:004F6F55 XOR EAX,EAX                  ; set 'flag' for wrong code msg
:004F6F57 LEAVE
:004F6F58 RET
If you do a "D EAX" at 4F6F42, you'll see the complete, real Unlock Code, which will be "20499-0450-0633-2237-80". Please don't use this code - buy the program and use your legal Unlock Code!

Another target has been Reverse Engineered. Any questions?