Playing With mIRC Version 5.7
|Patch the program so that we can enter any name/serials|
|W32dasm 8.93, Papers and pen, Hex Editor( I use hex workshop)|
|Rookie (X) Starter ( ) All Stars ( ) Super Stars ( )|
These tutorials are written by a Rookie Player(Newbies) of Cracking, and they are assume for newbies readers, if you are a cracking master or have lots of experiences of cracking program, here are nothing new and you may just delete it.
I am so glad that I can write this tutorial, this is my first cracking tut base on mIRC version 5.7. Why did I choose it? It is a very popular software and it use a quite common protection method, I think it is a good practical on cracking program. In this tutorial, I assume that you have some basic concepts of cracking, as the title says this is a cracking practical, I am also going to write some tuts about cracking theory, they will inculd assembly language, cracking tips, how to use cracking tools, number system on computer, hardware structure, etc. You may see them first. By the way, assembly language is very important and useful for cracking, actually if you know more about assembly language, you will get more power and easier on cracking, yes, I love assembly! The other thing I want to mention here at first is cracking needs time, especially for rookies(newbies), so when you decide to crack a program, make sure you have plenty of time. After you have some basic concepts of cracking and have time, the most important thing is please BE PATIENT, don't think about you can crack it as easy as you think, you will always face different protection method and you always face difficulty. One last thing here is all cracking tutorials are for reference and learning purpose, if you want to be a real cracker, you must crack a program without any tuts near you , remember, there NO more than two program use the same protection method, we just give you tips or the general ways of cracking.
OK, forget the bullshit, we start cracking now. First of all, I downloaded mIRC V5.7 from "download.cnet.com", after install it, we try to run mirc32.exe to see that what protection method it use, we always do this when each time we are going to crack a program, I know that lots of program place register funtion near "help", so I click on "hlep" on the menu, I found that two items that will useful for us, one is "about", the other is "register". OK, first we click on "About", a nag screen pop up and show us it is "Unlicensed Version", so I think if we register the program using our name correctly, here will show our name, now, close the nag screen and click on "register", a small window pop up, it ask me to enter my full name and the registration code, I enter my name and some number and then click on "Register!" button, another small window pop up and show me "Sorry, your registration name and number don't match!", my registration fails because I just enter any ramdom number, but this message is very important, write it down on a paper. Why should I do it? Good question! We try to think about why the program show me the message, it is because I enter a wrong registration number, so the program must check our name and registration number to see that they match or not, if not, register fails. I use following sentences to make it more clearly :
If registration code don't match our name, then go to fail message. <----Will be change. If registration code match our name, then registration success!
What we need to do is to change the above sentences to :
If registration code don't match our name, then registration success! If registration code match our name, then registration success!
Backup "mirc32.exe" to "mirc32.exe.bak", you will need it later. Run w32dasm 8.93 and disassemble mirc32.exe, you may do this by clicking "disassembler"--> "open files to disassemble". After a few minutes (sometimes it may take longer time depending on your file size), all assembly code show! Don't worry if you are not familiar with it,still remember the fail message we wrote down before? check the sentense on your paper, or recall it from your brain, I remember the message is "Sorry, your registration name and number don't match!", go search it from "Search"--> "find text", or "Refs"--->" string data references", this time, there are a lots string data references and I need to scroll it down and find it on each line, I feel very tired so I use "Search"--->"find text" to search it, but sometimes the "String data References" are more powerful. After finish searching, we see the following:
* Possible Reference to String Resouce ID=01912: "mIRC Registration!" :00498B7B 6878070000 push 0000778 :00498B80 E8F365F8FF call 0041F178 :00498B85 50 push eax :00498B86 6A00 push 00000000 * Possible Reference to String Resouce ID=01913: "Sorry, your registration name......."<---find here :00498B88 6879070000 push 0000779 :00498B8D E8E665F8FF call 0041F178 :00498B92 50 push eax :00498B93 8B4508 mov eax, dword ptr [ebp+08] :00498B96 50 push eax
I scroll it up some lines and I found a conditional jump :
* Referenced by a (U)nconditional or (C)onditional Jump at Address: | :00498AA1(C) <---(C) means conditional Jump, write down this Address | :00498B42 6A00 push 00000000
Up to now, we know that there is a conditional jump( similar to "If......Then...." statement in high level language) at address "00498AA1", this jump will take me to the fail message, OK, I found our target! Yes, why not take a look at the conditional jump? Let's go to address "00498AA1", you may do this by clicking "Goto"--->"Goto Code Location" and enter "00498AA1", click "OK", you will see :
* Reference To:User32.SendDlgItemMessageA,Ord:0000h <----W32 API that will show us registration window :00498A8B E841800500 call 004F0AD1 <----Call API that show us the registration window :00498A90 68334A5000 push 00504A33 <----Accept entered Name/Serial :00498A95 684C465000 push 0050464C <----Accept entered Serial/Name :00498A9A E8E5FBFFFF call 00498684 <----Call a funtion to calculate and check Name/Serial :00498A9F 85C0 test eax, eax <----Test registration success or not :00498AA1 0F849B000000 je 00498B42 <----If name and serial don't match, jump to fail window :00498AA7 BE3C9D4F00 mov esi, 004F9D3C :00498AAC BF4C465000 mov edi, 0050464C
In w32dasm, cover with green bar means that the line contain a jump instruction. These few line do the follow thing : first, it pop up a registration window and ask us to enter our full name and registration code(serial number), after we entered, the program calculate the real serial number according to the name we entered, and then compare the real serial and the serial we entered, if they match, the program store "1" in "eax", otherwise, "eax" will contain "0". The conditional jump check the number store in "eax", if "eax"=1, then it will NOT jump to fail message(Registration success), if "eax"=0, it will jump to Address "00498B42" and show us the fail message. It that clear enough? What we going to do here is to Patch the jump make it never jump to fail message! Let's take a quick review on some Assembly :
:00498AA1 <----This is Memory Address or Memory Location 0F849B000000 <----Machine Code In Hexdecimal Form je 00498B42 <----Assembly Program Code
To explain how to patch the program, we must familiar with Hexdecimal number first, see the table below :
Decimal Hexdecimal Binary 0 0 0000 1 1 0001 2 2 0010 3 3 0011 4 4 0100 5 5 0101 6 6 0110 7 7 0111 8 8 1000 9 9 1001 10 A 1010 11 B 1011 12 C 1100 13 D 1101 14 E 1110 15 F 1111
This table is quite useful especially if you need to convert number between Binary and Hexdecimal, further details please see my other tuts on "Cracking concept". To represent a single Hexdecimal number, we only need a nibble( half byte which is 4 bits), so TWO Hexdecimal digits will always need ONE byte to represent. The machine code in memory address "00498AA1" is "0F849B000000" which is total 12 digits, so it will use 12/2=6 bytes. To patch the jump, we need to replace "0F849B000000" with another 6 bytes instruction, this 6 bytes instruction will make the program never jump to the fail message. Here you have some choices :
Assembly Code Machine Code Description inc eax 40 increase 1 to eax register dec eax 48 decrease 1 to eax register inc ebx 43 increase 1 to ebx register dec ebx 4B decrease 1 to ebx register inc ecx 41 increase 1 to ecx register dec ecx 49 decrease 1 to ecx register inc edx 42 increase 1 to edx register dec edx 4A decrease 1 to ecx register nop 90 nop means do nothing je 74 xx je means jump if equal jne 75 xx jne means jump if not equal je 0F84 xxxx xxxx jump if equal jne 0F85 xxxx xxxx jemp if not equal
This table is very useful for newbies, I use different color to separate each group of inc/dec instructions, actually, increase 1 and then decrease 1 to a register means do nothing to the program, but each inc/dec instructions fill TWO bytes of memory, so it is a good way to replace an instruction with the same numbers of byte, also, it can nop the operation. But please remember, we MUST use inc and dec together, one inc instruction corresponding to one dec instruction, the total number of inc instructions always equal to the total number of dec instructions.
The instruction "nop" means nop operation, the program will do nothing. We can use a single nop instruction to fill ONE byte of memory.
Instruction je and jne are both conditional jump, when it is a short jump(74/75), xx means number of bytes to jump away, when it is a far jump(0F84/0F85), xxxx xxxx is memory address to jump to. Further details please refer to my "Cracking Concept" tuts. Here, I want to say is convert je to jne or jne to je can also patch the program, you just need to change 74 to 75(or 75 to 74), 0F84 to 0F85(or 0F85 to 0F84). By doing such change, we can enter any serial EXCEPT the real one.
OK, I think now we have all knowledges we need, it is time to patch the program, at address "00498A8A", the instruction "0F849B000000" use 6 bytes of memory, you can use "41494048424A" or "434B40414849" or "9090424A9090" to replace it and nop it, if you don't understand what these code does, go see the table above again.
Now, make sure the green bar covered at address "00498AA1", at the bottom of w32dasm, you can see "Line 329132 Pg 5232 of 8284 Code Data@00498AA1 @Offset000980A1h in File mirc32.exe" write down the number(without h, it just means Hex) just after Offset, we need it for Hex Editor.
Now load your program to a Hex Editor, I use Hex Workshop, another good choice is HIEW. After it we search Offset 000980A1, the cursor should land before "0F 84 9B 00 00 00", replace these 6 bytes with our code, then save the program.
Exciting time! We are going to test our job. Run mIRC and go to "Help"---->"Register", I enter "Hans Wong" in the name field and enter "88" in the registration code field, yes, 88 is my lucky number, press "OK", the program say "Thank you for registration!". If this is the first time you crack a program, you must feel very exciting and happly like me, yes, we patch it! Go to "About" menu, it show me "Licensed to Hans Wong", that's great! But is that all FINISH? Never!
Quit mIRC V5.7 and rerun it, we always do this after we "finish" cracking. Go to "Help"---->"About" again, what will you see? It show me "Unlicensed Version", what? Why it still unregister? I just patch it and register it before! Don't worry about, please keep calm and think about : Why it still unregister when the program rerun? The answer is when the program start running, it must check our name and serial again to see that we are seccessfully register or not. There some common ways that the program store our name/serials :
After the first time we register the program, the program may store these information to a key file, when the program rerun, it check that whether the key file exist or not, if it found the key file, the program check our name/serial stores in the key file again, if the name and the serial don't match, the program will still unregistered. This is a bit more difficult to crack especially if the key file were encrypt by the program, sometime you even don't know what key file the program created, but there are some useful tools to help us to monitor the change of any files, such as filemon.
The other way(moer common) is, the program may store our name and serial to window registry table, when first time we register the program, it create some keys to the window registry, next time the program rerun, it will fetch these information and check it again, mIRC use this method. Let's see how we can patch it.
First, I go to check the window registry table, you may do this by clicking "Start"---->"Run", type "Regedit" at the command box, I found my name and serial at "HKEY_CURRENT_USER\Software\mIRC", so I am sure that this program will fetch the serial number from registry and check again. To fetch information from window registry table, the Microsoft provide some API to finish these works, some example are : "ADVAPI32.RegOpenKeyA", "ADVAPI32.RegQuerryValueA". So I back to w32dasm and try to search these string, I found more than one "RegquerryValueA", near it I also try to patch some jump, but after a few trial, I still fail to patch the program successfully, at these time, I feel too bad, but I never think about give up, remember I said at the beginning? Cracking need time and we should always be patient, here I want to point out another thing : "When you face difficulty and you can't solve it, ASK some people else", I post some message on some cracking forum, foutunity, lots of people support me and give me lots of information. Here I need to say thanks to Krobar and Snake, they send me some quite useful tuts, from these tuts, I know that in the older version of mIRC, patching the code near "RegQuerryValueA" can bypass the protection, but it seems doesn't work at Version 5.7, but anyway, I learn more and increase lots of experience.
Sorry, lots of bullshits again, but I think telling my experience will increase the experience for newbies too. Back to the work, actually I can't still get an exact solution now, I sit infront of my computer and suddenly, I think the following :
Run the program and register it again using your name and any serial number, after the program saying "Thank you for registration!", quit the program and rerun it, this time, the program is still register and in the "About" menu, it show us "Licence to your name string". We really finish patching it, congraduation Rookie Players!
During registration Step one : We enter our name and serial number. Step two : The program recieve the information above. Step three : Call a function to calculate and compare them. <----Please attention to this call Step four : Process a jump to decide register or not.
During rerunning the program Step one : The program querry window registry table. Step two : The program receive our name and serial. Step three : Call the same function to compare name/serial. <----Same call Step four : According to the result, decide register or not.
We note that whenever the prgram get our name and serial number from entering or from window registry table, it will always call the same function to calculate and compare the serial number, so it doesn't matter how many place the program check our name and serial, we just need to patch one call to finish our work. Now, what we going to do is take a look at this call and see any jump we can patch. You may ask, Which call should I look at? OK, back to w32dasm and back to address "00498AA1", I am sure that you must remember it, above this address two lines, you will find a call at address "00498A9A", this call will take us to address "00498684", go to it and you will see some other list of lines :
:00498684 55 push ebp <----Starting of the call :00498685 8BEC mov ebp, esp : : <----Scroll down until you see the following lines : :004986DC 68204A5100 push 00514A20 <----push our serial number to stack :004986E1 6820495100 push 00514920 <----push our name string to stack :004986E6 E8A1FEFFFF call 0049858C <----Another important call to calculate real serial :004986EB 85C0 test eax, eax <----test eax=0 or not :004986ED 7407 je 004986F6 <----jemp to address "004986F6" if eax=0 :004986EF B801000000 mov eax, 00000001 <----move 1 to eax(registration success) :004986F4 EB74 jmp 0049876A <----jump to return call, will back to "00498A9F" : : : :0049876A 5F pop edi :0049876B 5E pop esi :0049876C 5B pop ebx :0049876D 5E pop ebp :0049876E C20800 ret 0008 <----Return to address "00498A9F"
Take a small notice to the call covered with red bar. We will study and discuss this call in the following tuts, it is quite important if we want to find out a real serial and write our own KeyGen, but this time, we may forget it.
I am sure that you all notice that there are another eax test and je instruction, do you remember that in address "00498AA1", the jump will take us to fail message if eax=0, so here eax must NOT allow to equal to zero, I also see that there is an instruction that will store 1 to eax, that's good job, but before it, there is an je instructoin. I am sure that you all know what should do if you read this tutorial from beginning, yes, nop the je instruction!
Did you still remember that I told you to backup mirc32.exe to mirc32.exe.bak? delete the last patch one and load mirc32.exe.bak(make sure it is the original one and haven't modify) to Hex Editor, patch the code and save our program to mirc32.exe.
Now you may write your own patch file and distribute it to the net or share it to your friends, your friends will think you are quite helpful and you will feel very proud. You may go to see my other tuts to learn how to write your own patch, there I will introduce some useful tools to finish these work, actually they all easy to use and samll in file size, I use "Ptasiek's CrackMaker 1.3", a good patcher.
Finally I need to greets to all writers on cracking tuts, they all write perfect tuts and provide lots of information about cracking, anti-protection, reverse-engineer, etc. Some people I even forgot their name and sorry here I can't list them all.
Special thanks to Krobar and Snake, without them I can't finish writing this tut, they provide lots of information on cracking mIRC series. Thanks a lot!
All Rookie Player(Newbies) should take a look at Krobar's collecting of cracking tuts site, it contain lots of cracking tuts and you can increase your cracking experience, from the links inside it , you can download all cracking tools I mentioned in this tuts, by the way, if you didn't install SoftIce yet, please goto http://zor.org/krobar/, find a link to download SoftIce and see some tuts about it, we will need it at the next part of tuts.
On the next parts of tuts, I will discuss how to find out a real serial number according to our name, and I will also discuss how to write our own KeyGen. these parts will more interesting and more attraction, they will release soon.