how 2 crack

Xara 3D v3.0

by seneca of stoicForce

foreword

hi guys and girls, this is my 1st tut ever, so please don't expect too much from this. ;)
besides i'm quite a newbie, so this text rather targets on complete newbies...

i'll try to put things as clearly as i can for you and i'll try to explain what we're doing instead of just telling you which byte to patch, allright? here we go...


brain and tools

the beginnig (as well as the experienced) cracker needs exactly 2 things to do his job: some brain and the right tools.
unfortunatelly, i can't tell you where to get some brain from, but i can give you some useful links to get the tools you need (the links will take you to the author's homepages - nevertheless you'll find most of the tools in our homepage's tool-section too.)

items marked with a '*' are necessary for this tutorial; get them before you read on...

WDasm32 by URSoftware* THE Disassembler. try to get version 8.9 or above
Hiew by SEN* 'Hacker's View' - get this one from our site's tools-section
SoftICE by Numega THE debugger for windows. best use version 3.24 +
FILEMon by Russinovich and Cogswell monitors file access - very useful!
REGMon by Russinovich and Cogswell monitors registry access - even more useful!
File Analyzer by Vadim Tarasov* retrieves information from lotsa files (mainly .EXEs)


get going...

allright, now that we got this tools, we wanna use 'em, right? [we wanna kill something]
the enemy is a fine piece of code called Xara3D by Xara Ltd. - we're going to crack version 3.03.
i guess that the cracking procedure described in here will work for later version of this software too, so if you can't get a copy of Xara version 3.03, you may as well use any older or even earlier one. in either case, some details mentioned below will differ, but this won't keep you from cracking it, will it? ;)

if you don't have Xara3D, you'll find it at Xara Ltd.'s homepage.

ok, first thing we always do is we get to know the enemy which means that we try to find out as much as possible about the programs protection scheme. gathering information about Xara is easy, as this prog shows a damn ugly nag-screen each time it's started. start it up now and look at the nag. it tells us how much days remain before the prog will stop working. quite impressive, huh?

what to do next?
clicking on continue will do what it says, i.e. close the nag and let us use the software. but wait: we got another button: purchase. this is what we really want to do, isn't it? now click on purchase, we're getting into it...
aha. the usual serial-number stuff. they want us to enter some special number to unlock the software. (look at the caption of this dialog: it says "Xara3D3 - Key XYZ" - remember this.)
well, let's give it a try and enter any dummy-number. whatever. now click unlock software. didn't work? you kinda expected that, right? ;)
ok, we're in the prog now and it's still locked (damn!). play around a bit and look at the help-menu. you should find an unlock...-item here. clicking this one will bring us to the same screens we saw above: looks like there is only one way to "buy" Xara officially.

get your brain going. what possibilities do we have? we could either
1 - find the right code by trying every single possible unlock-code in the universe.
2 - fake the system's date, so we never run out of those 15 days trial-period.
3 - let the prog think that whatever code we enter is the correct one.

#1 is a bad idea. actually, this technique exists, it's called "brute forcing". there are some tools that do nothing else than trying every possible code until they find the correct one. but we don't even know if Xara wants us to enter numbers or text nor do we have any idea of how long the registraion code should be. brute-forcing could take us ages to find the correct code, and by the way: that's not cracking.

#2 is a good idea for some programs, but it's definitely not for Xara. why? even if we succeeded in faking the systems date every time we start the program (there are actually tools for that, too), it would not be a clean enough method: we still had to click away the damn nag-screen every time. besides, we can do better than that, can't we?

#3 is what we're going to do. but how? get yourself another cup of coffee and read on.


behind the GUI

first thing we have to do is to understand what Xara does after we entered a code and clicked on the unlock software-button. it's very likely that the code is tested in some ways and, if it passes all the tests, will unlock the program. these tests could look something like this:

"was there any code entered?" if yes then go on, else show the "wrong code"-dialog.
"has the code the correct length?" if yes then go on, else...
...

remember the key you saw in the caption of the purchase-dialog? i think the correct code is generated from this key and then tested against the code we entered. if our code passed all the tests before and matches the one generated by the prog itself, it will do what we want it to do - unlock Xara.

all this is just guessing right now, it might as well be that the prog just compares the code we entered to a hardcoded general unlocking code and nothing else. well, we will find out.


a few more checks

we will try to disassemble X3Dd.exe now, i.e. we will convert the .exe back to assembler-code in order to view what's actually happening behind the GUI. we just have to do 2 more checks before that, which tell us if we're actually able to disassemble the exe to its correct source-code:

1 - if the .exe is packed (shrinked), we'll have to deshrink it before going on.
2 - if the prog was written in Visual Basic, we can't disassemble it. VB is not a real programming language, you know?

there are more than one ways to find out which language the prog was written in. the simplest one is to just quikview the file in the windows-explorer and look which .dlls it imports (i.e. uses). do this for X3D.exe right now.
you'll find out that the file imports (among others) Kernel32.dll and User32.dll. bingo! this one's written in C++, Delphi or else but at least NOT in VB. You can easily recognize VB-progs because they have to import the VB-runtime-DLLs, like MSVBVM50.dll. VBs usually don't use Kernel32.dll, only the languages mentioned above do that.

now how do we know if the prog was packed or not? i use a tool called File Analyzer by Vadim Tarasov. (you can get it from our tool-section). used on X3D.exe it tells us that the file is an Windows-executable written in MS VC++ 5.0 (we knew that) and that it's not packed in any way. cool. we're halfway done. they can't stop us any more. really. get yourself another cup of coffee (or a glass of martini, whatever ;) and read on.

disassembling

disassembling. aah. what a fabulous word. taking apart a program. nice.
now start up WDasm32. (this stands for Windows DisASeMbler; 32 means it can handle 32bit-code). Select "Disassembler | Open file to disassemble" from the menu and open X3d.exe. WDAsm works a litte bit and voilá: we're in! lying before us is pure and naked asm-code, helpless against our searching eyes.

allright, now we have to use our brains once more. we have 13.5mb (!) of asm code, and we can't read it line by line just until something seems suspicious to us. we will have to find the piece of code that actually test our unlocking-code and kind of disable this part. This is usually done in the following way:
go back to Xara3D and enter any dummy number as the unlock-code again, then press unlock software. Now they tell us "You entered an invalid unlock code..." and they break their necks with it. they really do.
the cool thing about WDAsm are the "String references". almost every static string used in a program is listed by this fab tool, and it even tells us WHERE this string is used. no go back to WDAsm and select Refs | String Data References from the menu.
a new window pops up, showing us a list of all the used strings in x3d.exe. now search for "You entered an.." and doubleclick on the item once found. WDAsm now jumps to the code-location where this string is used. cool. doubleclick again on the string to find out the next location where this string is referenced (i.e. used). nothing happens? good. now we know that this damn message is generated in only one place throughout the whole code.

now look at the code window: you should see something like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040F8E4(C), :0040F8F8(C), :0040F914(C), :0040F930(C), :0040F94C(C)
|:0040F968(C), :0040F984(C), :0040F9A0(C), :0040FA0D(C)
|
:0040FAC6 6AFF                    push FFFFFFFF
:0040FAC8 6A10                    push 00000010

* Possible Reference to String Resource ID=03005: "You entered an invalid unlock code.
The program has not been"
                                  |
:0040FACA 68BD0B0000              push 00000BBD
:0040FACF E8F3E70700              call 0048E2C7



look at the asm-code alone, it says:

:0040FAC6 6AFF                    push FFFFFFFF
:0040FAC8 6A10                    push 00000010
:0040FACA 68BD0B0000              push 00000BBD
:0040FACF E8F3E70700              call 0048E2C7



aha. some stuff (and our string) are pushed onto the stack and then a procedure is "call"ed. this is the way procedures with parameters are called in asm. you could read this four lines as:

showMsg("You have entered...",16,-1); (preassuming that the call of 0048E2C7 is a showMsg procedure)

allright, now look at what stands directly above this 4 lines: "Referenced by blablabla..." and 9 (!) addresses (code-locations), each marked with a "(C)". what dow this mean?
these are the addresses from where to code jumps to our showMsg-procedure if a certain condition is met. remember what we said about the testing of our unlocking code before? these ARE the tests! we're getting closer and closer...
now look at the listed code-locations and think. do you notice anything? they're all at almost the same position in the code. it is *VERY* likely that if we scroll up to the first address listed, we will find some structure like this:

if (condition 1 is met) then do the "You have entered..."-call else go on.
if (condition 2 is met) then do the "You have entered..."-call else go on.
if (condition 3 is met) then ...
...
if (condition 9 is met) then do the "You have entered..."-call else go on.

(btw: this jump is called a bad guy jump. i will use this term from now on, allright?)


the protection scheme

let's see if we were right - scroll up to address 0040F8E4 and look at the code. you should see something like this:

:0040F8E1 3958F8                  cmp dword ptr [eax-08], ebx
:0040F8E4 0F85DC010000            jne 0040FAC6



aha. the dword stored at address [eax-08] is compared to the value of ebx. (first line).
then we have a "jne 0040FAC6", which means "Jump to 0040FAC6 if Not Equal" - the bad guy jump, the first test. now what can we do? wouldn't it be great if we could tell the program to "Jump to 0040FAC6 if Equal", i.e. to make the "jne" to a "je"? yes, this would be great... ;)

scroll down a little bit and you will see 8 more "jne"s and "je"s to 0040FAC6 - all of them do the bad guy jump if our Unlock-Code doesn't pass a test. (a test is actually performed between two jumps).

allright, we're almost finished because we know what to do: we change the "jne"s to "je"s and vice versa. the bad guy jump will therefore only be made if the code we entered actually passes a test successfully, and that's very unlike.

changing the jumps is quite easy. scoll up again to the first "jne" at address 40F8E4. the line should be green-highlighted now. look at WDAsm's statusbar, it says:

Line 27671 pg 334 of 3912 Code Data : 0040F8E4 Offset 0000ECE4h in File X3D.exe



the interesting part is "Offset 0000ECE4h" which tells us the exact position of the first "jne" in X3d.exe. remember this offset.


cracking (finally)

first, backup X3d.exe to X3d.bak (or whatever else), and then start up Hiew at the dos-prompt:
"hiew \path to xara\x3d.exe"

once in Hiew, press F4 and select Decode as the display mode (we don't want to see the file as raw hex, right?), then press F5 (goto) and enter the offset WDasm told us: ECE4. you should see something like this now:

 0000ECE1: 3958F8                       cmp       [eax][-0008],ebx
 0000ECE4: 0F85DC010000                 jne       00000EEC6   -------- (2)
 0000ECEA: 0FBE10                       movsx     edx,b,[eax]
 0000ECED: 52                           push      edx
 0000ECEE: E88D7C0500                   call      000066980   -------- (3)
 0000ECF3: 83C404                       add       esp,004
 0000ECF6: 85C0                         test      eax,eax
 0000ECF8: 0F84C8010000                 je        00000EEC6   -------- (4)
 0000ECFE: 8B842440010000               mov       eax,[esp][000000140]
 0000ED05: 0FBE4801                     movsx     ecx,b,[eax][00001]
 0000ED09: 51                           push      ecx
 0000ED0A: E8717C0500                   call      000066980   -------- (5)
 0000ED0F: 83C404                       add       esp,004
 0000ED12: 85C0                         test      eax,eax
 0000ED14: 0F84AC010000                 je        00000EEC6   -------- (6)
 0000ED1A: 8B942440010000               mov       edx,[esp][000000140]
 0000ED21: 0FBE4202                     movsx     eax,b,[edx][00002]
 0000ED25: 50                           push      eax
 0000ED26: E8557C0500                   call      000066980   -------- (7)
 0000ED2B: 83C404                       add       esp,004
 0000ED2E: 85C0                         test      eax,eax



do you recgnize the code? it's the beginning of the bad guy jumps we just saw in WDAsm...
look at the line at adress ECE4, it says:

 0000ECE4: 0F85DC010000                 jne       00000EEC6   -------- (2)



this means that "0F85DC010000" is interpreted by your PC as "jne 0000EEC6", or, to be even more exact: "0F85" ist the "jne" and "DC010000" means "0000EEC6". nice. now if "0F85" means "jne", how is "je" coded? look at the line ECF8 - you'll find a "je" here, coded as "0F84".

cool. we just have to change "0F85" to "0F84" and vice versa to make the prog belive it has to perform a bad guy jump only if the unlock-code is correct! let's crack:

press F3 to enter Edit-Mode and change the first "jne" at ECE4 to "je". now press F9 to save your changes and do the same with the next 8 bad guy jumps (the ones that jump to EEC6).
now press F10 to exit Hiew and start up the cracked version of Xara3D. click on Purchase, enter any code (i used '123') and click on Unlock Software.

success!
no more "you entered an invalid..."-message!
no more Unlock...-entry in the help-menu!
we're regged!
we're bad!

now tap yourself on the shoulder or jump around a little bit, do whatever you want. you should be able to crack most of the serial-number-protected shareware out there by now. be happy and keep on trying. i'm sure you have some similar protected shareware installed - go get it. right now.


last words

allright folks, thanx alot for reading! i'd really appreciate any comment on this tutorial. c'mon guys & girls, it took quite a lot of time to bring this to you, whereas writing a mail with your opinion about it isn't that damn hard, is it? here's the email-adress: dr.seneca@gmx.net.
feedback, guys & girls, feedback!

oh, i almost forgot this very important stuff:

the coders at Xara Ltd. had a lot of work making Xara3D and they absolutely have my respect for this. it's not ok to get their shareware, crack it and then use it any longer than you are allowed to.
if you like the program then get your ass moving and buy it! allright? thanks.

keep on learning,

                           seneca