Thinking Like a Cracker
A lesson for the Beginner

Written by The _RudeBoy_[PC]
Corrected by hacker

Introduction

This essay is aimed at beginning crackers, to help them think like a cracker. I can't count how many times a beginning cracker has asked me why they can patch a program so that it says it is registered, only to find that when they restart the application it no longer says so. The solution is usually quite simple, but it requires you to "think like a cracker".

Tools required


W32Dasm 8.9
Hex Workshop 32
PolyView 3.00 beta 9


Essay


Before we get started with cracking our target, PolyView 3.00 beta 9, we need a lesson in thinking like a cracker/programmer.
Programmers are taught that whenever a task is going to be done more than once, they should write a function for it and call that function whenever the task needs to be performed.
Now, most programs that use a name/serial number combination check the code at least twice: once when you enter it, and once when the program starts up. Because of this, the programmer will usually write a single function to test your registration code, and that function will usually be called every time the code is checked.
At this point you should see where I am going with this. If you patch the function that is called to test the reg code, the code will show up as valid whenever the program does its check.
Now, for an example of this technique, on to PolyView 3.00 beta 9. When you run the program you should notice the Registration menu on the menu bar, and under it, License Information. It has a place to enter a name and a license code. Enter whatever you like for these values and press OK. If you have not entered an integer into the license code box, you will receive an error saying "Please enter a positive integer"; otherwise you will receive the error "Registration Unsuccessful".
Fire up W32Dasm and load PolyView.exe. When it has finished, go to the string references and look for "Registration Unsuccessful". When you find it in the list, notice that just above it is the string "Registration Successful". You should see this section of code:

> Page 1944 Line 120465

* Possible StringData Ref from Data Obj ->"Registration Successful"
|
:00440AF6 6880544F00              push 004F5480
:00440AFB 51                      push ecx
:00440AFC E8B80E0600              call 004A19B9
:00440B01 8B10                    mov edx, dword ptr [eax]
:00440B03 53                      push ebx
:00440B04 53                      push ebx
:00440B05 52                      push edx
:00440B06 C684249000000002        mov byte ptr [esp+00000090], 02
:00440B0E E813950600              call 004AA026
:00440B13 8D4C2414                lea ecx, dword ptr [esp+14]
:00440B17 C684248400000001        mov byte ptr [esp+00000084], 01
:00440B1F E8CC0B0600              call 004A16F0
:00440B24 8D4C2410                lea ecx, dword ptr [esp+10]
:00440B28 899E78030000            mov dword ptr [esi+00000378], ebx
:00440B2E 889C2484000000          mov byte ptr [esp+00000084], bl
:00440B35 E8B60B0600              call 004A16F0
:00440B3A EB1E                    jmp 00440B5A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|
:00440A99(C)
|

* Possible Reference to String Resource ID=00141: Unregistered
|
:00440B3C 688D000000              push 0000008D
:00440B41 8BCF                    mov ecx, edi
:00440B43 E8CD110600              call 004A1D15
:00440B48 53                      push ebx
:00440B49 53                      push ebx

* Possible StringData Ref from Data Obj ->"Registration unsuccessful. Please "
                                        ->"verify that you have entered the "
                                        ->"information exactly as shown on "
                                        ->"your registration letter."
|
:00440B4A 6800544F00              push 004F5400
:00440B4F 899E78010000            mov dword ptr [esi+00000178], ebx
:00440B55 E8CC940600              call 004AA026

Notice first that this section of code is referenced by a conditional jump at 00440A99. Scroll up in W32Dasm until you reach that location; you should see this code:

> Page 1943 Line 120417

:00440A87 50                      push eax
:00440A88 51                      push ecx
:00440A89 898678010000            mov dword ptr [esi+00000178], eax
:00440A8F E85CF1FEFF              call 0042FBF0
:00440A94 83C408                  add esp, 00000008
:00440A97 85C0                    test eax, eax
:00440A99 0F849D000000            je 00440B3C


Here is where we apply what we learned earlier. If you were to simply NOP out the je 00440B3C, the program would say that it is registered when you enter your code. However, when you restart the program it would still say "Unregistered".
Remember what I said about programmers writing one function and calling it many times to see if the code is valid?
That is what this author has done: the call to 0042FBF0 is the program calling that function.
In W32Dasm, go to code location 0042FBF0, and you will see this:

> Page 1465 Line 90785

* Referenced by a CALL at Addresses:

|:0040443B , :004048B8 , :004057FA , :0042E80E , :0042E886
|:00439F74 , :0043D7CA , :0043E060 , :0043ECDA , :004409F5
|:00440A8F , :0044234C , :00442CDD , :004543F9 , :004545CB
|:004BA403
|
:0042FBF0 64A100000000            mov eax, dword ptr fs:[00000000]

Every one of those addresses is a place where this program calls the routine at 0042FBF0 (call it IsValidCode()) to see if the program is registered. Now the question remains: how do you patch this program so that it is registered?
Look again at the section of code that calls IsValidCode(), specifically at the jump to 00440B3C: it is taken when eax = 0. So the easiest way to patch this program is to overwrite the mov eax, dword ptr fs:[00000000] at the start of the called function with code that returns 00000001 in eax.
At this point, make a copy of PolyView.exe in the directory where it is installed.
Fire up Hex Workshop 32 and load the copy you just made. Use the Find function to locate the hex string 5BC39090909064A1 and change it to 5BC3909090906A0158C3.
If you disassemble the modified program again, you should see this at :0042FBF0:

push 00000001
pop eax
ret

The function now always returns 1 in eax, and the program thinks that it has been registered. Be sure to change your desktop icon to point to the cracked program... 8)
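The flip side of the lesson above, for whoever ships or defends such a program: because every caller trusts the one routine at 0042FBF0, the integrity of that routine's bytes is what the whole registration state rests on, so that is what a self-check or a file scanner has to verify. The following script is an added example, not code from this essay or from PolyView. It serves both the "one function, many callers" point made in the Essay section and the patch walked through above. It builds two small byte images CONSTRUCTED from the opcodes the essay lists (they are not bytes from PolyView.exe; the offset 6 and the prologue of the following routine are assumptions for the sample layout), records a SHA-256 of the routine's first instruction as the known-good value, and then checks a candidate image three ways: against that digest, against the exact byte pattern the essay writes into the file, and with a heuristic scan for tiny "return a constant" stubs of the kind such a patch leaves behind.

```python
"""Spotting a patched validation routine in a binary image (added example)."""
import hashlib
from typing import List, Tuple

# Constructed clean image: tail of the previous function, then the first
# instruction of the validator, then an assumed prologue of the next routine.
CLEAN_IMAGE = bytes.fromhex(
    "5BC390909090"    # pop ebx; ret; nop; nop; nop; nop   (padding before it)
    "64A100000000"    # mov eax, dword ptr fs:[0]          (validator starts here)
    "558BEC"          # push ebp; mov ebp, esp             (assumed next routine)
)

# Same layout after the patch the essay describes (constructed, not a real file).
PATCHED_IMAGE = bytes.fromhex(
    "5BC390909090"
    "6A0158C30000"    # push 1; pop eax; ret; two leftover zero bytes
    "558BEC"
)

VALIDATOR_OFFSET = 6          # assumed file offset of the validator in the samples
VALIDATOR_VA = 0x0042FBF0     # the routine's address in the essay's listing
EXPECTED_PROLOGUE = bytes.fromhex("64A100000000")
# Known-good digest of the routine's first instruction, recorded at "build time".
EXPECTED_PROLOGUE_SHA256 = hashlib.sha256(EXPECTED_PROLOGUE).hexdigest()

# Byte pattern the essay writes into the file; as a scan indicator it
# identifies copies carrying exactly this patch.
KNOWN_PATCH_SIGNATURE = bytes.fromhex("5BC3909090906A0158C3")


def region_sha256(image: bytes, offset: int, length: int) -> str:
    """Digest of a fixed region. A runtime self-check would do the same
    over its own code bytes instead of over a file on disk."""
    return hashlib.sha256(image[offset:offset + length]).hexdigest()


def prologue_intact(image: bytes, offset: int = VALIDATOR_OFFSET) -> bool:
    """True when the validator still begins with the bytes recorded at build time."""
    return region_sha256(image, offset, len(EXPECTED_PROLOGUE)) == EXPECTED_PROLOGUE_SHA256


def diff_offsets(reference: bytes, candidate: bytes) -> List[int]:
    """Offsets where two equal-length images differ."""
    if len(reference) != len(candidate):
        raise ValueError("images differ in length")
    return [i for i, (a, b) in enumerate(zip(reference, candidate)) if a != b]


def find_forced_return_stubs(image: bytes) -> List[Tuple[int, str]]:
    """Heuristic scan for short 'return a constant' sequences. Legitimate
    code contains these too, so hits are leads to review, not proof."""
    hits = []
    for i in range(len(image)):
        # push imm8; pop eax; ret   (6A xx 58 C3): the essay's patch
        if image[i:i + 1] == b"\x6a" and image[i + 2:i + 4] == b"\x58\xc3":
            hits.append((i, "push imm8; pop eax; ret"))
        # mov eax, imm32; ret       (B8 xx xx xx xx C3)
        elif image[i:i + 1] == b"\xb8" and image[i + 5:i + 6] == b"\xc3":
            hits.append((i, "mov eax, imm32; ret"))
        # xor eax, eax; ret         (31 C0 C3 or 33 C0 C3): forced zero
        elif image[i:i + 3] in (b"\x31\xc0\xc3", b"\x33\xc0\xc3"):
            hits.append((i, "xor eax, eax; ret"))
    return hits


def has_known_patch(image: bytes) -> bool:
    """Exact-pattern check for the specific patch described in the essay."""
    return KNOWN_PATCH_SIGNATURE in image


def report(image: bytes, label: str) -> bool:
    """Print findings for one image and return True when it looks untouched."""
    intact = prologue_intact(image)
    stubs = find_forced_return_stubs(image)
    known = has_known_patch(image)
    print(f"{label}: validator at VA {VALIDATOR_VA:08X} intact={intact} "
          f"known_patch={known} stubs={stubs}")
    return intact and not known and not stubs


if __name__ == "__main__":
    report(CLEAN_IMAGE, "clean")
    report(PATCHED_IMAGE, "patched")
    print("changed offsets:", diff_offsets(CLEAN_IMAGE, PATCHED_IMAGE))
```

Run it as a script and the patched image fails the digest check, matches the exact signature, and shows one stub hit at offset 6, while the byte diff is confined to offsets 6 through 9 (the two trailing zero bytes of the original six-byte instruction survive the four-byte overwrite). The digest check is the one that generalises: it catches any rewrite of the protected region, whereas the signature only catches this exact patch and the stub scan only catches the common shapes.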

Final Notes


The techniques employed here do not only apply to cracking programs with name/reg code routines. Do not limit yourself by thinking "inside the box": these techniques can be used against many other types of protection as well (for example, a date check and a nag screen are often done by one function).

8)