Hacks, Cracks And More!

Becoming a Cracker (2)



Table of Contents:
A) Introduction
B) Additional programs
C) Cracking the first program (sweet little piano)
D) Conclusion 


Introduction:
In this part, the second part of the cracking tutorial, you will learn to use the most important tools of the common cracker: W32Dasm and HIEW. You will also learn to crack some simple programs. But before you continue you should be thoroughly familiar with the First Chapter; otherwise, this will just be a waste of time.


Additional Programs
By now, in this part of the tutorial, you have learnt the main steps of cracking. Now you are going to crack your first program. But before that, you need to get a little program called "Sweet Little Piano". You can download it from: www.ronimusic.com
Now, when you have the program, let's start!

Cracking the first program (sweet little piano)

Now we will follow each step and crack the program:

Step 1: Running the program: Well, Run it! Duh... :-) Well, what do we see here..... The program opens two text files. Also we see "Unregistered Shareware" on the caption bar... Now let's open the Help menu for any registration options... Hmm, what do we see here now... oh, it's a password option... Well, select it and enter something (don't hope it will be right :-)). To see what happens... Click OK.. Hmm, nothing happens.... Maybe it accepted it? Hmm.. no way... the caption bar still says Unregistered... Ok close it... bah ... more text files ... and a notification that the settings are not saved in the unregistered version ... well ... kind of irritating those text files! Let's fix it :-)

Step 2: Disassemble the program: Disassemble the program. Good, small is fast :-) Always.... Now, we don't have any strings that pop up when we want to register something... Let's browse for strings like registered, unregistered, the string about the unsaved settings. Hmm... evaluation time left ... password.txt.... password dialog.... sweet little piano - Unregistered <<-- looks like our caption bar, go on... Thanks for registering ... cool! So it thanks you anyway :-) Let's jump to that place ... Double click on it and we will pop right on top of the registration routine...

Step 3: Analyzing the protection routine.... / Understanding the jumping Mechanism... Let's analyze the protection routine.

///////////////////// Code snip ////////////////////
ADDRESS MACHINE CODE ASSEMBLER INSTRUCTIONS

* Possible Reference to Dialog: PASSWORD DIALOG, CONTROL_ID:0064, "" |
:00401715 6A64 push 00000064
:00401717 53 push ebx

* Reference To: USER32.GetDlgItemTextA, Ord:0000h |
:00401718 E8A5B50000 Call 0040CCC2
:0040171D E822FFFFFF call 00401644
:00401722 85C0 test eax, eax
:00401724 741E je 00401744
:00401726 6A30 push 00000030

* Possible StringData Ref from Data Obj ->"SweetPiano" |
:00401728 6866D24000 push 0040D266

* Possible StringData Ref from Data Obj ->"Thanks for registering!" |
:0040172D 68FED14000 push 0040D1FE
:00401732 53 push ebx

////////////////////// Code snip ///////////////////////////


Password Dialog ... a call to GetDlgItemTextA ... another call.... a test... and depending on the test a je.... The je jumps over the thank you ... and just ends the dialog box ... without telling you that you entered something wrong... So this is right ... we did indeed not see that we typed something wrong ... but apparently we are supposed to see if we type something right :-) Again execute the je jump, and look where it goes to ... return from the jump.... Now let's try to rewrite what goes on here...

call ShowPasswordDialog
call GetEnteredText
call IsEnteredTextGood
test value in eax
je QuietExit
call ShowThanksForRegistering
QuietExit:

The source code must have looked like this:

GetDlgItemText(_ID_Serial);
if (EnteredTextGood) ShowThanksForRegistering();
// else nothing....


This is another interesting piece of code.... test eax, eax ... this assembler instruction ANDs eax with itself and throws the result away, keeping only the flags ... the zero flag gets set exactly when eax is zero ... so the je (jump if equal, i.e. jump if the zero flag is set) jumps when eax is zero ... and if eax is not zero, it does not jump.... To crack this program we can change the je instruction into two nop instructions... and we are done... We have seen here, that the call has put a value in eax.... either zero or something which is not zero... In our previous example we saw that the called Is_Serial_Valid call set some value in memory ... Here we see that the called Is_Serial_Valid call sets the eax register of our processor to some value....
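To make the flag logic of that "test eax, eax / je" pair concrete, here is a small C model of what the x86 TEST instruction does to the flags and when a following JE is taken. This is an added example written for this page, not code from the tutorial or from Sweet Little Piano; the function names (x86_test, je_taken, thanks_path_reached) are made up for the illustration. It models the general TEST a, b form, of which "test eax, eax" is the special case where both operands are the same register.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flags written by the x86 TEST instruction. TEST computes a AND b,
   discards the value and keeps only the flags; CF and OF are always
   cleared, ZF/SF/PF are derived from the result. */
typedef struct {
    bool zf;  /* zero flag: result == 0 */
    bool sf;  /* sign flag: bit 31 of the result */
    bool pf;  /* parity flag: low byte of result has an even number of 1 bits */
    bool cf;  /* carry flag: always 0 after TEST */
    bool of;  /* overflow flag: always 0 after TEST */
} x86_flags;

/* Count the 1 bits in the low byte (portable, no compiler builtins). */
static int low_byte_popcount(uint32_t v)
{
    int n = 0;
    for (uint32_t b = v & 0xFFu; b != 0; b >>= 1)
        n += (int)(b & 1u);
    return n;
}

/* Model of "test a, b". */
x86_flags x86_test(uint32_t a, uint32_t b)
{
    uint32_t r = a & b;
    x86_flags f;
    f.zf = (r == 0);
    f.sf = ((r >> 31) & 1u) != 0;
    f.pf = (low_byte_popcount(r) % 2) == 0;
    f.cf = false;
    f.of = false;
    return f;
}

/* "je target" (alias "jz") is taken exactly when ZF is set. */
bool je_taken(x86_flags f)
{
    return f.zf;
}

/* The branch in the listing above: after "call 00401644", eax holds the
   verdict of the check. "test eax, eax / je 00401744" skips the
   "Thanks for registering!" path precisely when eax == 0.
   Returns true when execution falls through to the thanks path. */
bool thanks_path_reached(uint32_t eax)
{
    return !je_taken(x86_test(eax, eax));
}

int main(void)
{
    uint32_t samples[] = { 0u, 1u, 0x80000000u };  /* constructed sample eax values */
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        x86_flags f = x86_test(samples[i], samples[i]);
        printf("eax=0x%08x  ZF=%d SF=%d PF=%d  je taken=%d  thanks shown=%d\n",
               samples[i], f.zf, f.sf, f.pf, je_taken(f),
               thanks_path_reached(samples[i]));
    }
    return 0;
}
```

The point to take from the model is that the whole registration decision collapses to one bit (ZF) produced by one instruction, which is why a single-branch check like this one is so fragile: the verdict computed by the call is reduced to "zero or not zero" and then consumed by exactly one conditional jump.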

Step 4: Changing the original program... So modify it :-)
1. Open Hiew.
2. Open the file within Hiew.
3. Find the Address of the line in W32Dasm (it's on the status bar beginning with '@').
4. Press F5 in Hiew.
5. Enter the address you have found in (4) and press ENTER.
6. Press F3 - for activating the write option.
7. Press F2 - to change the instruction.
8. Replace the command by 'NOP' (without quotes), which means NO OPERATION.
9. A new instruction now appears on the next line.
10. Replace it by NOP too.
11. Once no further new instruction appears, press F9 to update the file.
12. Press F10 to exit.
13. Run the program and see the result.


Conclusion:
I gave this quite 'simple' cracking example so that you know that if you can crack this program, you can crack quite a few programs, though some of them are much more difficult to crack. In the next part you will learn to detect key generators and crack them. Before you go to the next chapter, go over the steps again, and also go over the protection mechanism detection and modification.

