OK gang, here's the long-awaited crack tutorial for Hardwood Solitaire.
Some of you with more experience may see some flaws in the logic process here. If you do, please let me know.
The hard part was trying to figure out how to enter my data.
While deadlisting it I found references to "Wrong Serial"
and "You must input a valid Serial Number" (or to that effect),
but alas I couldn't find where to enter the Registration Data.
My first instinct was to start hitting control keys.
I tried ctrl+a, ctrl+b and so on and so forth... finally, when I hit ctrl+k, the reg screen popped up. WOW!!!!!
(BTW, for some lame programmers: you should make it Ctrl+D; that might stop some newbie crackers until they change winice.dat.)
Now onto the main course
------------------------
Let me start by saying that first I tried to crack this program using
SoftICE.
I tried BPX hmemcpy and then followed my dummy serial.
This got me totally lost.
I then tried to just patch it so it would accept any user and serial.
This wasn't hard to do!! However, when I restarted the program,
it still said that I was not registered!?
Damn, I missed something. I tried and tried to get it to break when it read my serial from wherever it was stored, but to no avail.
By this time I was almost at my wits' end.
I looked at the program again using w32dasm.
This time I REALLY looked at it.
By following the code I figured something out!
Take a look at line 00417484 and tell me what you see.
Exactly!!! It's the last test before you are sent to the
"CONGRATS YOUR REGISTERED" screen.
Hmm, at this point I was thinking to myself that if it's set to 0,
then that's bad. So I searched for where it was set in the program.
I looked at the line before it and it was CALL 004176f0.
I went into that call a little ways.
When you do this, look around at the routine. You might find a few interesting things. *side note* ( I don't like to follow calls too far; I just look at them to see if I notice anything neat).
When I looked at this call I found 3 jumps to the same address... hmmm (maybe that is a bad place), so I also looked there. Inside that routine I saw where it did a xor eax, eax and then returned to the place where the call was made from. And as you remember, the next line is test eax, eax. If xor eax, eax makes eax equal to zero, then that's bad.
I knew I didn't want this to happen, so I thought I was in the right routine.
To test this theory I hexed an int 3 into the middle of the routine just before the 3 jumps to 0041779b; this was line 00417715.
In case you didn't know it, int 3 was set aside for debugging purposes. The opcode for int 3 is just CC. Since it is just one byte I usually try to replace another single-byte opcode with it. If you can't find one and have to put it inside a full instruction, remember to NOP (90) out the remaining bytes of that instruction.
OK, like I said, I hexed CC into the spot where the push eax (50) was (in the hex editor you have to search for 11 bytes total: 8d4424208bcc8964240c50) and then ran the program like normal.
Since we put an int 3 inside the program we have to make sure that SoftICE pops when it hits it... I entered SoftICE and did bpint 3. I've been told that if you have the I3here function turned on inside SoftICE then it will pop for you; however, I don't, so I did the bpint 3.
Just remember to enter SoftICE (before you hit ctrl+k to get to the reg screen) and make sure it will break on int 3.
Now hit ctrl+k and enter the data you want (I used josephCo [C4N '97] for my name and 7777777 for my serial) and press enter.
SoftICE pops on the int 3 that you hexed into the program... at this point you have to change it back to the original instruction (push eax) to prevent corruption of the data.
To do this hit A and then the return key. You just entered assemble mode in SoftICE.
Now type PUSH EAX then hit the enter key.
Now hit the ESC key to get out of assemble mode.
The currently highlighted instruction is where the int 3 used to be, but now it's replaced by PUSH EAX.
We want to single-step through the code. We do this by hitting F10.
What I was looking for when I did this was to see which jump cleared eax.
I also tested all the registers before each jump to see if I could find my serial. The first conditional jump was after a test eax, eax.
This was just testing to see if eax was 0.
I didn't do anything here.
The next test was cmp edi, eax.
At this point I did D edi and D eax. I noticed that when I did this the starting addresses were different for edi and eax.
I then did ? eax and ? edi;
this printed the values in eax and edi on the screen.
The first number is the hex value, the second is the same value in decimal, and the third is what it looks like in ASCII.
I noticed that one of the values was 7777777 !!!!!!!!
This was the serial I entered!
So I looked at the other one and saw that the serial should have been 137347 !!!!!!
I didn't test anything else.
I just let the program finish its check and return with the message box saying that I had entered the wrong serial.
This time I entered 137347 and hit enter.
When SoftICE popped I stepped through again to see what would happen.
This time edi and eax were equal. I let the routine keep checking, and then a box popped saying thank you for upgrading!!!
I had cracked it!!!!
The only thing left to do was to change my CC back to a 50 in the hex editor.
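The weakness the walkthrough leans on, shown as an added C example that is not the tutorial's code and has nothing to do with Hardwood Solitaire's actual routine: at the cmp edi, eax step both the typed serial and the valid one are sitting in memory in plain text, so a register dump hands over the answer. The serial "1234567", the function names and the FNV-1a digest scheme are all constructed for this illustration; the hardened version only removes the plaintext leak and does nothing about the single test eax, eax that the tutorial also points at.

```c
/* Added example (not the tutorial's code or Hardwood Solitaire's): why the
 * "? eax / ? edi" step in the walkthrough reveals the real serial, and one
 * way a vendor avoids that. Serial value and digest scheme are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Weak pattern, the one the tutorial reverse-engineers: the expected serial
 * is materialised in memory and compared directly against the user's input.
 * At the compare, one register points at the typed string and the other at
 * the valid one, so dumping both shows the correct serial beside the wrong one. */
static const char VALID_SERIAL_PLAINTEXT[] = "1234567";  /* constructed */

int weak_check(const char *input)
{
    /* Two buffers compared byte for byte: "cmp edi, eax" in the tutorial's terms. */
    return strcmp(input, VALID_SERIAL_PLAINTEXT) == 0;
}

/* 32-bit FNV-1a: a simple, well-known non-cryptographic digest, chosen here
 * for brevity. A real licensing scheme would use a cryptographic hash or a
 * signed licence rather than this. */
uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Hardened pattern: the vendor ships only a digest of the valid serial. The
 * compare is now between two 32-bit digests, so at that instruction a debugger
 * sees a hash of what was typed and the stored hash, never the serial itself.
 * Caveat: the function still returns a single 0/1 in eax, so a "test eax, eax"
 * after it can still be patched; this change only stops the plaintext leak. */
int hardened_check(const char *input, uint32_t stored_digest)
{
    return fnv1a32(input) == stored_digest;
}

int main(void)
{
    /* Enrolment: computed once by the vendor at build time. The plaintext
     * serial appears here only to derive the digest that would be shipped. */
    uint32_t digest = fnv1a32("1234567");

    printf("weak:     correct=%d wrong=%d\n",
           weak_check("1234567"), weak_check("7777777"));
    printf("hardened: correct=%d wrong=%d\n",
           hardened_check("1234567", digest), hardened_check("7777777", digest));
    return 0;
}
```

Running it prints 1 for the correct serial and 0 for the wrong one in both variants; the difference is only visible under a debugger, where the weak compare exposes "1234567" and the hardened one exposes two digests.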
I hope this has helped you understand and maybe shed a little light on the many different ways of finding a serial.
I really don't believe a novice can do this from scratch.
I have a hard time myself, but with lots of patience and practice (not to mention learning asm) you can eventually do this too.
Well, thank you for reading this tutorial, and if you have any questions feel free to stop by #cracking4newbies. We are located on EFNET on IRC.
Thanks again and good luck.
P.S. I've added a few comments below to help you out too.
THIS ROUTINE CLEARS EAX