August 2001

"Space 1.2"
 
 
Win Code Reversing
 
 
by Hoof Arted 
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: Space.exe
Program Type: Disk Space Utilization Utility
Program Size: 744 K 
 

   

Tools Used:
 

OllyDbg 1.04 - Debugger

Your favorite hex editor

 

 

Rating
Easy (   )  Medium ( X )  Hard (    )  Pro (    ) 
 

    Space v 1.2

Written by Hoof Arted (Hoof's Workshop)
 

Introduction

This application is a great utility. It can create various graphs, pie and lists of any drive space utilization. In this tutorial, we will look at using the application itself as the key generator. This can be quite a task. As this is the first time I have managed to do some sort of code manipulation, I thought that I would share it with all newbies out there. It took me a little while to figure it out but I will hopefully explain it well enough for anyone to do this. Have fun and let me know if there are any problems.

 

About this protection system
 
We will be changing the code to make a keygen out of the application itself so who cares. No file protection.
     
The Essay 

Download the target and lets get started.

Open the application with Olly and press F9 to run the application. Click the "Enter Code" button and provide your handle and fake serial. Once you have clicked OK, a lengthy "Invalid" message appears. That is how the app is registered so lets get to work. In Olly, right click the Disassemble window and select "Search for - Text strings". Inspect the text strings used by the app and you will see nothing about the invalid message but we will see several "Thank you" messages. The one that we are interested in is the long one that says "The expiry time has been removed...". Highlight it and press Enter. We land at 40143D in the disassemble window. Just above, at 401434, there is a conditional jump "JE Space.XXXX", highlight this line and press F2 to set the breakpoint. If you can't find the "bad" message, then use the next best thing, the "Good" message.  Go back to the app and enter your info again and click OK. The "bad" message still appears but when you click OK there, Olly breaks at our point. By scrolling up on the stack window, we can see our valid serial, roughly one page up. Ok, you can stop there if you want, but that is for the lamers. :-)

Right, now if you try find out how the serial is created, you will see that the routine used is very complex and I could not be bothered to trace the whole thing so I want the app to show me the serial, no matter which name I put into the Name box. :-) What we will be doing now is edit the "bad" message dialog box to tell us the correct serial. As we did not see the bad message in the strings, we will need to set breakpoints on all MessageBoxA calls. Right click the disassemble window and select "Search for - Name(Label)". Right click MessageBoxA and select "Find references to..." There are two calls, select each one and press F2. 

Enter your name and serial again and click OK. Olly will break at 42EDAD.

0042EDA5 |> 53 PUSH EBX ; /The style of the Message Box
0042EDA6 |. 57 PUSH EDI ; |The title of the Box
0042EDA7 |. FF75 08 PUSH DWORD PTR SS:[EBP+8] ; |The text to show in it
0042EDAA |. FF75 F4 PUSH DWORD PTR SS:[EBP-C] ; |hOwner
0042EDAD |. FF15 68654400 CALL DWORD PTR DS:[<&USER32.MessageBoxA>>; \MessageBoxA

Ok, lets just take a moment to see what is going on. We entered our wrong password and after calculating and checking, it has loaded the information into the stack, all the PUSH references above, that is required for the BAD message. What we want to do is somehow make the app show us our correct serial. As there are 14 bytes used to create this MessageBox, there will not be enough available space here to do this. Place a break point on line 42EDA5, the start of the information being loaded. Press F9 and enter your name and serial again. We will then stop on this break point. This is done to avoid changing the MessageBox while the system is using it.

 We will need to jump to another location, execute our MessageBox and then continue from where it left off. Lets do this now. We need to change the code at 42EDA5 to "JMP 00445768". How do we get this address, it is quite simple. If you scroll down the disassembly window to the bottom of the code, this is the address that is available to us to insert any code, without much of a limitation. We want to NOP the remaining 9 bytes, so your new code section will look like this:

0042ED99 |. 8DBD ECFEFFFF LEA EDI,DWORD PTR SS:[EBP-114] ; |
0042ED9F |. FF15 00634400 CALL DWORD PTR DS:[<&KERNEL32.GetModuleF>; \GetModuleFileNameA
0042EDA5 E9 BE690100 JMP Space.00445768
0042EDAA 90 NOP 
0042EDAB 90 NOP
0042EDAC 90 NOP
0042EDAD 90 NOP 
0042EDAE 90 NOP
0042EDAF 90 NOP
0042EDB0 90 NOP
0042EDB1 90 NOP
0042EDB2 90 NOP
0042EDB3 |. 85F6 TEST ESI,ESI

The way we do this, is to highlight line 42EDA5 and press "Space". The assembly box opens. Change the code to the jump mentioned above and press enter. When the change has been made, click "Cancel" and then highlight the next line. This time, right click and select "Binary - Fill with NOPs". Also do this to the line under that, 42EDAD. You should be left with code as above. Right, now lets make our new MessageBox. Right click the Disassembly window and select "Go To - Address" and go to 00445768.  

At this point, we see the following code:

00445754 . 8B4D F0 MOV ECX,DWORD PTR SS:[EBP-10]
00445757 .^E9 33BBFDFF JMP Space.0042128F
0044575C . B8 204D4500 MOV EAX,Space.00454D20
00445761 .^E9 2691FCFF JMP Space.0040E88C
00445766 00 DB 00
00445767 00 DB 00
00445768 00 DB 00
00445769 00 DB 00
0044576A 00 DB 00
0044576B 00 DB 00

We want to start building our MessageBox call from here. This is done by using the "Assembly" method mentioned above, to change the code to JMP.... and the binary method to change the bytes one at a time. (A side note) : Sometimes, Olly will not allow you to change a line of code. What I do then is use the "Binary" change and do it byte for byte. Not to difficult to do.

We want to add the code as shown:

00445766 00 DB 00
00445767 00 DB 00

00445768     53     PUSH EBX             < The Style is already defined in EBX as we have not change it
00445769     57     PUSH EDI                < The Title is already defined
0044576A    36:FF35 E8F61200     PUSH DWORD PTR SS:[12F6E8]        < Memory location of pointer to memory location with SERIAL
00445771     FF75 F4                         PUSH     DWORD PTR SS:[EBP-C]
00445774     FF15 68654400           CALL DWORD PTR DS:[<&USER32.MessageBoxA>>        <Call MessageBox function
0044577A     E9 2B96FEFF              JMP Space.0042EDAA        <Jump back to where we left off.

Make copies of what we have changed, we will need to know the byte changes to make when we make the changes permanent. Press F9 and BINGO... a message box pops and there is the serial. 

The job has been done but this is only temporary as the changes were made in Olly and are not real. Lets make these changes permanent.

Close Olly and fire up your favorite hex editor.

We need to find the code to change so we need to locate the original bytes to change and then change them. Search the Space.exe file for the bytes : 5357ff7508FF75F4FF1568654400 and change it to : E9BE690100909090909090909090 - our first change.

Then we locate : B8204D4500E92691FCFF

We move two bytes along, and start at the offset 45768 with these bytes : 535736FF35E8F61200FF75F4FF1568654400E92B96FEFF.

Save you changes and execute the file. Check it. You should have a working code generator. :-)

If what we have just done is a little difficult to understand, think of it this way, we know which bytes are the original bytes, this info is in Olly. When we make our changes in Olly, it also changes the byte information, these are the bytes that we need to change in the file. If you open the exe and it has anything other than the changes we planned, then it will not work and you will need to see where you went wrong. When the application is disassembled, it reads the bytes and creates the relevant ASM commands. Get 1 number wrong at it changes the entire application.

That is it, all done.

The Crack 
 
Taken care of in the essay.
 
Final Notes 
 
I learned a lot from this target. This is the first time I have done this sort of crack and it worked well. It is not perfect because when you do enter the correct serial, the "Thank you" message is a little screwed but hey, we get the idea. There are many facets to code injection and modification. Time and practice will teach us all. Hope you had fun, keep an eye out for my next tutorial.... dont know that I will be doing but I hope it will be interesting.

 
Ob Duh 
 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
 


Essay by:          Hoof Arted (Hoof's Workshop)
Page Created: 12 Aug 2001