Security

Tutorial Crack! - TEST, XOR functions

NineKY 2008. 1. 14. 13:28
Tutorial Crack!                                                   8th/07/97
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Program: CD Wizzard
Version: 4.30
URL: http://www.bfmsoft.com
Cracker: Niabi [Me'97/C4N]
Level: Beginner but written for Intermediate
Tools: SoftICE, W32Dasm, a Hex Editor.   
Protection Type: Serial
Encrypted/DLL: No
Method: getdlgitemtexta


First of all we do a BPX on GetWindowTextA to see if we can get a break;
if we don't get one then we try GetDlgItemTextA.
(If you want to know more about the APIs get Win32.hlp (12 megs)
or get our common API reference for crackers (2k) :-] )

You should now be in SoftICE.
We hit F12 a couple of times till we get to the Wizzard code part.
Now inside the Wizzard code part we start tracing (hit F10).
We try to read and understand what the registers are doing.

Try a D xxxxx from time to time, and also try ? xxxxxxx.
(? in SICE shows the REAL value of a reg at that time)


OK, after a while of tracing we come to a part of the code like this:

XXXX:0041441C   CALL 004151CD     ; CALL CHECKING ROUTINE
XXXX:00414421   ADD ESP,0C
XXXX:00414424   TEST EAX,EAX      ; IS PASSWORD OK ?
XXXX:00414426   JZ 00414444       ; NO THEN JUMP TO NOT_REGGED
XXXX:00414428   PUSH 40           ; ELSE CONTINUE GOOD BUYER
SOME_MORE CODE...

NOT_REGGED:
XXXX:00414444   XOR EAX,EAX       ; Make EAX ZERO
XXXX:00414446   PUSH NAG_YOU      ; PUSH NAG SCREEN NOT REGGED

Some ways to crack this:

The first one is to just change jz 00414444 to jnz 00414444.
(in a hex editor, more on this later)

This will not jump to NOT_REGGED, so the code is "anything you type".
But it will jump if the code is the original one: the program now thinks the good
code is bad.
(Not really a good patch)

A second and better option, though a lame one:
Remove the test eax,eax by changing it to NOPs.
Since test eax,eax uses 2 bytes and a NOP only 1,
you have to put in 2 NOPs, so it will read like this:

XXXX:00414424  NOP
XXXX:00414425  NOP
XXXX:00414426  JZ 00414444

     ^^^^^^^^
(N.B. Check out the size here)

This will cause it not to jump, since it never really checked the password.
This will register the program with good or bad serials.

OK, the third option is better:
Remove the test eax,eax and replace it
with inc eax and a nop, so it will read like this:

XXXX:00414424  INC EAX
XXXX:00414425  NOP
XXXX:00414426  JZ 00414444

This will also cause the program to register with any password, because it does not check it either; it just assumes the password is right every time (it sets the flag to 1).

OK, so now we need to hex edit it.

We open any hex editor (Hiew, Hex Workshop or any good one). To see which bytes need to be changed, do this in SoftICE:
D XXXX (where XXXX is the segment or reg you want to see)

You will see something like this in the data window

XXXX:XXXXXXX   9E CA 0F 00  65 04 70-16 00 00 5C  0A  65  04 70  00

OK, so the bytes from 9E up to the "-" are what we need to search for in the hex editor. But how do I know what to change them to?
Good question. To find out what to change them to, first do a
D XXXXX inside SICE; you will see something like the numbers
above.
Write them down on a piece of paper (what? you're too lazy to do it?), then change them inside SoftICE like this:
A XXXX:XXXXXXXX  and you will get something like this

XXXX:XXXXXXXXX                       <== you type here what you want to change
Let's say you want to change JZ 00414444 to JNZ 00414444. You would:
1.- D 00414426
We see the code and write it down.
2.- A 00414426
XXXX:00414426  jnz 00414444           <= we type this in SICE

When we hit Enter another line follows; just hit Enter again to get out of assembly mode. Now do a D 00414426
and you will see that the code has changed.
Now write down the new one. Now you have the old (what we search for)
and the new (what we change it to), so in the hex editor
search for the old one, and when we find it we change it to the new one
(beware that you need to search in hex and not in ASCII).

Run the program, register it and Boom! It's yours. Thank you very much.

Exit... and restart.
Shit, what is this!! Nag screen again! It is not registered!! WTF! OK, so now we know that the program does 2 checks, one at input and one at the beginning.

This is the output that I get from W32Dasm (great tool BTW).
I commented it a little.

* Possible StringData Ref from Data Obj ->"Password"    ; this is where my password resides?
                                  |
:00401BD6 68D4364300              push 004336D4
:00401BDB 56                      push esi
:00401BDC 889A18BD4300            mov [edx+0043BD18], bl
* Reference To: KERNEL32.GetPrivateProfileIntA, Ord:010Ch
                                  |
:00401BE2 FF1570464400            Call dword ptr [00444670]
:00401BE8 50                      push eax
:00401BE9 66A3D0A84300            mov [0043A8D0], ax
:00401BEF FF750C                  push [ebp+0C]
:00401BF2 68C0B34300              push 0043B3C0               ; push my name to the stack
:00401BF7 E8D1350100              call 004151CD               ; call REAL password checking routine
:00401BFC 83C40C                  add esp, 0000000C
:00401BFF 85C0                    test eax, eax               ; Was the password correct?
:00401C01 0F84A2000000            je 00401CA9                 ; no then bug off bad cracker!
:00401C07 68C0B34300              push 0043B3C0               ; push my name again
:00401C0C 895D14                  mov [ebp+14], ebx

* Referenced by a CALL at Addresses:
|:00401BF7                                                    ; Real password checking routine

:004151CD 837C240808              cmp [esp + 08], 00000008    ; is the password 8 characters long?
:004151D2 7D03                    jge 004151D7                ; yes then go on
:004151D4 33C0                    xor eax, eax                ; no then bug off with Z flag
:004151D6 C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004151D2(C)
|
:004151D7 FF742408                push [esp + 08]
:004151DB FF742408                push [esp + 08]
:004151DF E8B3FFFFFF              call 00415197
:004151E4 6BC00B                  imul eax, eax, 0000000B     ; multiply eax by 0Bh <-- sounds to me like a keygen
:004151E7 59                      pop ecx
:004151E8 0FB7C0                  movzx word ptr eax, eax
:004151EB 59                      pop ecx
:004151EC 6A07                    push 00000007
:004151EE 99                      cdq
:004151EF 59                      pop ecx
:004151F0 F7F9                    idiv ecx
:004151F2 33C9                    xor ecx, ecx
:004151F4 663944240C              cmp [esp + 0C], ax
:004151F9 0F94C1                  sete al
:004151FC 8BC1                    mov eax, ecx
:004151FE C3                      ret
 
OK, when we restarted CD Wizzard we got the not-regged About box, so we set a new BPX in SICE on
GetPrivateProfileIntA or GetPrivateProfileStringA (the first one works better in CD Wizzard).
If we set a BPX on it we will land in some other places; to understand which they are we do a trace and
read and understand what the program is doing, doing a D xxxx once in a while... OK, after some breaks on
GetPrivateProfileIntA we will soon land here:

:00401BE2 FF1570464400            Call dword ptr [00444670]
:00401BE8 50                      push eax
:00401BE9 66A3D0A84300            mov [0043A8D0], ax
:00401BEF FF750C                  push [ebp+0C]
:00401BF2 68C0B34300              push 0043B3C0               ; push my name to the stack
:00401BF7 E8D1350100              call 004151CD               ; call REAL password checking routine
:00401BFC 83C40C                  add esp, 0000000C
:00401BFF 85C0                    test eax, eax               ; Was the password correct?
:00401C01 0F84A2000000            je 00401CA9                 ; no then bug off bad cracker!
:00401C07 68C0B34300              push 0043B3C0               ; push my name again
:00401C0C 895D14                  mov [ebp+14], ebx

We can go further inside the calls. How do I go further, you ask? OK, it's easy: just see where the call is heading and set a BPX on it.
Let's say CALL 004151CD: if we want to go further we do a BPX 004151CD (easy, eh?).
If we go inside the call we will see this:

:004151CD 837C240808              cmp [esp + 08], 00000008    ; is the password 8 characters long?
:004151D2 7D03                    jge 004151D7                ; yes then go on
:004151D4 33C0                    xor eax, eax                ; no then bug off with Z flag
:004151D6 C3                      ret

Right here I can crack it, because if you check the line at 00401BFF you can see it tests eax to check if it's 0. If it's 0 then "bug
off bad cracker" happens, but if it's not 0 then it goes on, nice buyer, so we can do this:

:004151CD 837C240808              cmp [esp + 08], 00000008    ; is the password 8 characters long?
:004151D2 90                      NOP                         ; I don't care if it's 8
:004151D3 40                      INC EAX                     ; Increment EAX by 1
:004151D4 48                      DEC EAX                     ; Decrement EAX by 1
:004151D5 40                      INC EAX                     ; Increment EAX by 1
:004151D6 C3                      ret                         ; Return with REGGED flag SET

So what we did there was some flag changing; we don't even go further inside the check, we just make the program
assume that it did and that the password was a good one. Since EAX was 0 when we got into the call we first did a NOP,
because if we had done an INC EAX or a DEC EAX we would have found out that it would work ;).

This is the second part of the crack, or we can go for another one, with one less byte changed than this one (you want to change
as few bytes as you can).

OK, after the RET from the real password check is done we land exactly here:

:00401BFF 85C0                    test eax, eax               ; Was the password correct?
:00401C01 0F84A2000000            je 00401CA9                 ; no then bug off bad cracker!

What we do here is really easy; you maybe know it by now.

:00401BFF 90                      nop
:00401C00 40                      inc eax                     ; set flag to 1 <== good password
:00401C01 0F84A2000000            je 00401CA9
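As an added example, not code from the tutorial or from CD Wizzard: a small C model of the only state the listings above depend on, EAX and the zero flag ZF. It makes visible what the three patch options and the NOP/INC/DEC/INC trick inside the call rest on: the whole registration decision is one ZF bit; TEST sets that bit without touching EAX, XOR zeroes EAX, NOP leaves behind whatever ZF the previous instruction produced (here ADD ESP,0C, which never yields zero), and INC clears ZF except in the edge case where EAX wraps from FFFFFFFF to 0. The opcode bytes in the comments are the standard x86 encodings; the sequence names and the function names are this example's own. From the defender's side it also shows why a check that collapses to a single TEST/JZ pair is brittle: the decision lives in one flag, and one byte decides which way it goes.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the tutorial: a minimal model of EAX plus the
   zero flag ZF, enough to trace every instruction the listings above use. */
typedef struct { uint32_t eax; int zf; } cpu_t;

typedef enum { TEST_EAX_EAX, XOR_EAX_EAX, INC_EAX, DEC_EAX, NOP } insn_t;

static void step(cpu_t *c, insn_t i)
{
    switch (i) {
    case TEST_EAX_EAX:            /* 85 C0: ANDs but discards the result, only flags change */
        c->zf = (c->eax & c->eax) == 0;
        break;
    case XOR_EAX_EAX:             /* 33 C0: the register becomes 0 and ZF is set */
        c->eax ^= c->eax;
        c->zf = (c->eax == 0);
        break;
    case INC_EAX:                 /* 40: changes EAX and sets ZF from the new value */
        c->eax += 1;
        c->zf = (c->eax == 0);
        break;
    case DEC_EAX:                 /* 48: same, counting down */
        c->eax -= 1;
        c->zf = (c->eax == 0);
        break;
    case NOP:                     /* 90: touches neither EAX nor ZF */
        break;
    }
}

/* Run a sequence from a given EAX and a given incoming ZF (the flag left by
   the instruction before the sequence). Returns 1 if a JZ/JE placed right
   after the sequence would be taken. */
static int jz_taken(uint32_t eax_in, int zf_in, const insn_t *seq, size_t n)
{
    cpu_t c = { eax_in, zf_in };
    for (size_t k = 0; k < n; k++)
        step(&c, seq[k]);
    return c.zf;
}

/* Same run, but report the value EAX ends with (what the caller sees). */
static uint32_t eax_after(uint32_t eax_in, int zf_in, const insn_t *seq, size_t n)
{
    cpu_t c = { eax_in, zf_in };
    for (size_t k = 0; k < n; k++)
        step(&c, seq[k]);
    return c.eax;
}

#define LEN(a) (sizeof(a) / sizeof((a)[0]))

/* The sequences discussed in the tutorial, in the byte order of their listings. */
static const insn_t ORIGINAL[]   = { TEST_EAX_EAX };                   /* 85 C0       */
static const insn_t ZERO_EAX[]   = { XOR_EAX_EAX };                    /* 33 C0       */
static const insn_t PATCH_NOPS[] = { NOP, NOP };                       /* 90 90       */
static const insn_t PATCH_INC[]  = { INC_EAX, NOP };                   /* 40 90       */
static const insn_t PATCH_CALL[] = { NOP, INC_EAX, DEC_EAX, INC_EAX }; /* 90 40 48 40 */

int main(void)
{
    /* Original check: the JZ follows EAX exactly. */
    printf("test eax,eax    eax=0 -> jz taken=%d\n", jz_taken(0, 0, ORIGINAL, LEN(ORIGINAL)));
    printf("test eax,eax    eax=1 -> jz taken=%d\n", jz_taken(1, 0, ORIGINAL, LEN(ORIGINAL)));
    /* XOR EAX,EAX (the NOT_REGGED path): EAX is destroyed, ZF set. */
    printf("xor eax,eax     eax=5 -> eax=%u\n", (unsigned)eax_after(5, 0, ZERO_EAX, LEN(ZERO_EAX)));
    /* Two NOPs: ZF is whatever the instruction before (ADD ESP,0C -> ZF=0) left. */
    printf("nop;nop         ZF in=0 -> jz taken=%d\n", jz_taken(0, 0, PATCH_NOPS, LEN(PATCH_NOPS)));
    printf("nop;nop         ZF in=1 -> jz taken=%d (stale flag)\n", jz_taken(0, 1, PATCH_NOPS, LEN(PATCH_NOPS)));
    /* INC EAX;NOP: EAX becomes 1 and ZF is cleared, except on wrap-around. */
    printf("inc eax;nop     eax=0 -> eax=%u jz taken=%d\n",
           (unsigned)eax_after(0, 1, PATCH_INC, LEN(PATCH_INC)), jz_taken(0, 1, PATCH_INC, LEN(PATCH_INC)));
    printf("inc eax;nop     eax=FFFFFFFF -> jz taken=%d (INC wrapped to 0)\n",
           jz_taken(0xFFFFFFFFu, 0, PATCH_INC, LEN(PATCH_INC)));
    /* Inside the call: 0 -> 1 -> 0 -> 1, so it returns with EAX=1. */
    printf("nop;inc;dec;inc eax=0 -> eax=%u\n", (unsigned)eax_after(0, 0, PATCH_CALL, LEN(PATCH_CALL)));
    return 0;
}
```

The incoming ZF argument is what distinguishes the second option from the third: with two NOPs the branch rides on a flag left by ADD ESP,0C, which happens to be clear here but is not something the patch itself guarantees, whereas INC EAX sets the flag from its own result.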

Easy, eh? So we did it, we completely cracked CD Wizzard. The last part is doing the hex editing, which you have to know by now
if you read my first part ;). I will give the exact bytes to change:

741C6A40C705B8BC  change it to  40906A40C705B8BC  <== Reg Check
85C00F84A2000000  change it to  40900F84A2000000  <== nag removed

If we do the last crack by itself you will find out that doing the reg check crack is useless, see for yourself:
if you do only the second crack (a.k.a. nag removed) you will find out that it is regged and fully working.


OK, I hope you enjoyed this tutorial. I know it is hard to understand in some parts but you can figure it out.
Till next time.
                                                                                   nIabI [C4N/ME'97]

