Mar. 22, 1999
"LockDown 2000 v2.5.4"
( 'An easy crack for the first timer'  )
Win '95 PROGRAM
Win Code Reversing
 
 
by D0gBytes (Bytes)
 
 
Code Reversing For Beginners 
 
 
 
Program Details
Program Name: LockDown 2000
Program Type: Internet anti-trojan Utility
Program Location:  LockDown2000.com 
Program Size: zipped; approx. 1,730 kb
 
      
Tools Used:
 W32Dasm disassembler and any hex editor
 
Rating
Easy ( X  )  Medium (   )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
 
     
 
LockDown 2000
( 'A FireWall for your PC'  )
Written by D0gBytes
 
 
 
Introduction
 
What the Authors of LockDown 2000 say:-
 
Lock Down 2000 is now the world's most effective and complete security system available for Windows 95, 98, and NT. LockDown 2000 automatically disconnects, traces and identifies unauthorized users in electronic seconds. With LockDown 2000 you will never have to worry about Hackers invading your privacy, deleting your files, attaching a virus or a trojan horse program without your knowledge.
 
About this protection system
 
The protection system is probably one of the easiest that you will ever encounter; making it an excellent project for any "wanna be" cracker who is looking for a "First Time Project" to learn from.

 
The Essay 

I became involved with this project when a friend made a comment to me that he would like to crack the program, but he was a one-week-old newbie to cracking and had only just downloaded some of the tools. He was not yet able to use the tools in any meaningful manner.
I jokingly said to him "just download it and crack it." He replied that the program had a $99 price tag, to which I said, "Just like a Newbie Cracker to pick a difficult protection scheme as a first project."
Little did I know how wrong I was.

After he downloaded the program and disassembled it he asked what to do next. I was thinking that this has to be a well protected program with no visible strings at that price. But, I told him he should check the string references just for practice. He should look for something to do with the word register or anything else that might seem like it had to do with the registration process. I was floored when he told me that there were several references to it with one of them being "Thank you for registering LockDown 2000."

It was at this point that I realized it had a very simple protection scheme and that it was a 5 minute crack for any newbie.

Download and install the program, and run it enough to get a feel for how it operates. Right-clicking the LockDown 2000 icon in the task bar and selecting "Open LockDown 2000" gives you access to the preferences and to the registration form. Clicking "View" and selecting "Register" brings up the Registration form. You will see a "Product Serial" number (you only need this if you are going to register the product with the author; send it along with your check). If you just want to practice cracking, ignore that and enter a false number into the box labeled "Unlock Code". Any number will do; I used 999999999. Click OK and a message pops up telling you:

 
"The unlock code you have entered is invalid for this machine, please re-type the number or contact Harbor Telco to receive a new registration number."
 

 
Now, close the program by clicking the "X" and choosing "Yes" when prompted about exiting. We do not want the program in use when we go to disassemble it.

Disassemble the program with W32Dasm and click on the "Strn Ref" button. Scroll down the strings until you see part of the message that appeared when we entered the 999999999 Unlock Code. Double-click any of those strings and W32Dasm takes you to where it is referenced in the disassembled code. The following snippet is what you should see:

 

 
:0047A998 E87783FBFF              call 00432D14
:0047A99D 837DFC00                cmp dword ptr [ebp-04], 00000000
:0047A9A1 742A                    je 0047A9CD---Conditional Jump
:0047A9A3 8D55FC                  lea edx, dword ptr [ebp-04]
:0047A9A6 8B86D0020000            mov eax, dword ptr [esi+000002D0]
:0047A9AC E86383FBFF              call 00432D14
:0047A9B1 8B4DFC                  mov ecx, dword ptr [ebp-04]
:0047A9B4 A1A85A4900              mov eax, dword ptr [00495AA8]
:0047A9B9 8B900C010000            mov edx, dword ptr [eax+0000010C]
:0047A9BF A1A85A4900              mov eax, dword ptr [00495AA8]
:0047A9C4 E84FF7FFFF              call 0047A118
:0047A9C9 8BD8                    mov ebx, eax
:0047A9CB EB02                    jmp 0047A9CF

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A9A1(C)
|
:0047A9CD 33DB                    xor ebx, ebx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A9CB(U)
|
:0047A9CF 84DB                    test bl, bl
:0047A9D1 7523                    jne 0047A9F6---Conditional Jump
:0047A9D3 6A00                    push 00000000
:0047A9D5 668B0D5CAA4700          mov cx, word ptr [0047AA5C]
:0047A9DC 33D2                    xor edx, edx

* Possible StringData Ref from Code Obj"The unlock code you have entered "
                                        ->"is invalid for this machine, please "
                                        ->"re-type the number or contact "
                                        ->"Harbor Telco to receive a new "
                                        ->"registration number."
                                        
:0047A9DE B868AA4700              mov eax, 0047AA68
:0047A9E3 E8F0ACFDFF              call 004556D8
:0047A9E8 8B86D0020000            mov eax, dword ptr [esi+000002D0]
:0047A9EE 8B10                    mov edx, dword ptr [eax]
:0047A9F0 FF92B4000000            call dword ptr [edx+000000B4]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0047A9D1(C)
|
:0047A9F6 84DB                    test bl, bl
:0047A9F8 743F                    je 0047AA39---Conditional Jump
:0047A9FA 8D55FC                  lea edx, dword ptr [ebp-04]
:0047A9FD 8B86D0020000            mov eax, dword ptr [esi+000002D0]
:0047AA03 E80C83FBFF              call 00432D14
:0047AA08 8B55FC                  mov edx, dword ptr [ebp-04]
:0047AA0B A1A85A4900              mov eax, dword ptr [00495AA8]
:0047AA10 E8E3FBFFFF              call 0047A5F8
:0047AA15 A188414900              mov eax, dword ptr [00494188]
:0047AA1A C60001                  mov byte ptr [eax], 01
:0047AA1D 6A00                    push 00000000
:0047AA1F 668B0D5CAA4700          mov cx, word ptr [0047AA5C]
:0047AA26 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Thank you for registering LockDown "
                                        ->"2000!"
                                      



There are several easy ways to crack this program. With a little experience and practice, 
they would all jump out at you. We will examine just one simple method.

Looking at the code snippet above, we can see that there are three conditional jumps. 
In this case, the condition is whether you have entered the correct "Unlock Code". 
If you enter the correct "Unlock Code" on the registration screen, you would see the 
"Thank you for registering LockDown 2000!" message. 

If we think about it for a minute, we would conclude that if the conditions were the opposite,
we would arrive at the "Thank you for registering LockDown 2000!" message when we entered the 
wrong "Unlock Code", and would only see the "Bad Cracker" message if we accidentally entered the correct 
"Unlock Code".

The three conditional jumps that we would need to change are:

:0047A9A1 742A                    je 0047A9CD

:0047A9D1 7523                    jne 0047A9F6

:0047A9F8 743F                    je 0047AA39


We know from looking at the opcodes that:

je = Jump if Equal
     and
jne = Jump if NOT Equal

Wouldn't it be great if we could just change those jumps to do the opposite of what the author 
wanted them to do? Well, YOU CAN, and it's easy. For that task we will use the Hex Editor. 
Any Hex Editor will do.


Close the W32Dasm program and save when prompted.

Open your Hex Editor and load the LockDown2000.exe file. 
It should be in the C:\Program Files\Harbor Teleco\LockDown 2000 v2.5 folder.

We will make the following changes:


83 7D FC 00 74 2A 8D 55 (Original)
83 7D FC 00 75 2A 8D 55 (Changed to)

84 DB 75 23 6A 00 66 8B (Original)
84 DB 74 23 6A 00 66 8B (Change to)

84 DB 74 3F 8D 55 FC 8B (Original)
84 DB 75 3F 8D 55 FC 8B (Change to)

Just use "Search" in the hex editor and enter the (Original)
NOTE: USE ALL LOWER CASE... The first search would look like this:

837dfc00742a8d55

Once the hex editor has found the code for you, just change the 
"74" to "75" or the "75" to "74" as indicated above.


We are almost done. There is a little more to the protection scheme 
that we must deal with. The program uses a hidden file for the 10 day
trial period. We must arrange for the program to ignore this hidden file.

Let's look at this snippet of code.

:0049248A E8B991FEFF              call 0047B648
:0049248F 8BF0                    mov esi, eax
:00492491 A188414900              mov eax, dword ptr [00494188]
:00492496 803800                  cmp byte ptr [eax], 00
:00492499 7546                    jne 004924E1 <========Conditional Jump
:0049249B A164414900              mov eax, dword ptr [00494164]
:004924A0 803800                  cmp byte ptr [eax], 00
:004924A3 743C                    je 004924E1  <========Conditional Jump
:004924A5 6A00                    push 00000000
:004924A7 668B0D14264900          mov cx, word ptr [00492614]
:004924AE B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Your evaluation period has ended. "
                                        ->" Please Register LockDown 2000."
                                  |
:004924B0 B820264900              mov eax, 00492620
:004924B5 E81E32FCFF              call 004556D8
:004924BA 8B0DC8404900            mov ecx, dword ptr [004940C8]
:004924C0 8B03                    mov eax, dword ptr [ebx]
:004924C2 8B15F4A64700            mov edx, dword ptr [0047A6F4]
:004924C8 E88FCEFBFF              call 0044F35C
:004924CD A1C8404900              mov eax, dword ptr [004940C8]
:004924D2 8B00                    mov eax, dword ptr [eax]
:004924D4 8B10                    mov edx, dword ptr [eax]
:004924D6 FF92CC000000            call dword ptr [edx+000000CC]
:004924DC E9FC000000              jmp 004925DD

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00492499(C), :004924A3(C)
|
:004924E1 33C9                    xor ecx, ecx<==== Jumps go here if executed



By changing the two conditional jumps above, we can bypass the routine that 
would give us the "Your evaluation period has ended" screen and 
place the program in an expired mode. 

We know from looking at the opcodes that EB is jmp. jmp means jump. Period. 
There are NO conditions. It will jump every time. This is what we would want 
it to do: jump over the routine that checks the expiration file every time. 
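The x86 encoding behind the je/jne and jmp edits described above, as an added Python example (written for this page; it is not code from the essay or from LockDown 2000). Every jump in the listings is a two-byte "short" jump: one opcode byte followed by a signed 8-bit displacement measured from the next instruction. That is why only the opcode byte changes (74 to 75, or 75 to EB) while the displacement byte stays the same: the target address is unchanged, only the condition is. The opcode table comes from the Intel manual; the listing lines are copied from the snippets above; `compare_branch` is an assumed helper showing the defender-side check a program could run to notice that a branch opcode in its own code no longer matches what was compiled.

```python
import struct

# Short (rel8) jump opcodes from the Intel SDM: 0xEB is the unconditional JMP;
# 0x70-0x7F are the Jcc family, where flipping bit 0 of the opcode inverts the
# condition (74 je <-> 75 jne).  Only the opcodes needed here are listed.
SHORT_JUMPS = {
    0xEB: "jmp", 0x72: "jb", 0x73: "jae", 0x74: "je", 0x75: "jne",
    0x76: "jbe", 0x77: "ja", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}


def decode_short_jump(address, code):
    """Decode a two-byte short jump located at `address`.

    The displacement is a signed byte relative to the *next* instruction,
    so target = address + 2 + disp8.  Returns (mnemonic, target).
    """
    opcode = code[0]
    if opcode not in SHORT_JUMPS:
        raise ValueError(f"{opcode:02X} is not a short jump opcode")
    (disp,) = struct.unpack("<b", code[1:2])
    return SHORT_JUMPS[opcode], (address + 2 + disp) & 0xFFFFFFFF


def parse_listing_line(line):
    """Turn a W32Dasm line such as ':0047A9A1 742A je 0047A9CD' into (address, bytes)."""
    addr_text, hex_text = line.strip().lstrip(":").split()[:2]
    return int(addr_text, 16), bytes.fromhex(hex_text)


def invert_condition(code):
    """Return the same Jcc with its condition inverted (bit 0 of the opcode flipped).

    Only the opcode changes; the displacement byte, and therefore the target, is untouched.
    """
    opcode = code[0]
    if not 0x70 <= opcode <= 0x7F:
        raise ValueError("only Jcc short jumps have an inverse")
    return bytes([opcode ^ 0x01]) + code[1:2]


def compare_branch(address, original, observed):
    """Assumed integrity check: compare the branch a program was compiled with against
    the bytes found at run time.  Returns (opcode_changed, target_changed)."""
    orig_mn, orig_target = decode_short_jump(address, original)
    obs_mn, obs_target = decode_short_jump(address, observed)
    return orig_mn != obs_mn, orig_target != obs_target


# Conditional branches copied from the two listings in the essay above.
LISTING = [
    ":0047A9A1 742A je 0047A9CD",
    ":0047A9D1 7523 jne 0047A9F6",
    ":0047A9F8 743F je 0047AA39",
    ":00492499 7546 jne 004924E1",
    ":004924A3 743C je 004924E1",
]


def check_listing(lines=LISTING):
    """Verify that each listed target matches the displacement actually encoded.

    Returns a list of (address, mnemonic, target); raises if the listing is inconsistent.
    """
    results = []
    for line in lines:
        address, code = parse_listing_line(line)
        mnemonic, target = decode_short_jump(address, code)
        claimed = int(line.split()[-1], 16)
        if target != claimed:
            raise AssertionError(f"{line}: decoded {target:08X} != listed {claimed:08X}")
        results.append((address, mnemonic, target))
    return results


if __name__ == "__main__":
    for address, mnemonic, target in check_listing():
        print(f"{address:08X}: {mnemonic:<4} -> {target:08X}")
    # The 74 2A at 0047A9A1 with its condition inverted: same target, opposite condition.
    flipped = invert_condition(bytes.fromhex("742A"))
    print(flipped.hex(), decode_short_jump(0x0047A9A1, flipped))
    print(compare_branch(0x0047A9A1, bytes.fromhex("742A"), flipped))
```

Running it confirms that all five listed targets agree with their encoded displacements, and that inverting a Jcc leaves the target alone. For a developer, the lesson is the mirror image of the essay's: when a registration or trial decision collapses to a single conditional branch, the decision is one byte away from being reversed, so the check needs to be something more than a branch (for example, a value actually derived from the code, or a self-check of the code bytes as `compare_branch` sketches).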

Using the hex editor again, enter the search parameters using 
some of the hex code from the lines above and below each jump.


80 38 00 75 46 A1 64 41 (Original)
80 38 00 EB 46 A1 64 41 (Change To)

80 38 00 74 3C 6A 00 66 (Original)
80 38 00 EB 3C 6A 00 66 (Change To)

again enter the search in lower case:
8038007546a16441  for  the first one.

803800743c6a0066 for the second one.





After you have made the changes, close the hex editor and choose 
Save when prompted, to make the changes permanent. You should also 
select to "Back Up" if asked by the hex editor.

Now, restart the "LockDown 2000" program. Again, bring up the registration 
screen and enter 999999999 as the "Unlock Code". Click "OK" and you should 
see the GOOD CRACKER message, "Thank you for registering LockDown 2000!"

Congratulations, Cracker!!



 
Captain's Log 
 
The actual purpose of this tut is to give the Newbie Cracker some hands-on experience with W32Dasm and a Hex Editor. So often today, Newbie Crackers get swept up with trying to learn how to use SoftIce and other tools, on their first attempts at cracking, that they may make the crack seem much harder than it really is. I will probably do another tut, on this same program, explaining in much more detail how the protection scheme works and the many other ways to crack it. Comments to: d0gbytes@hotmail.com
 
My Thanks 
 
I would like to say "Thanks" to McCodeMan, and the entire Tres2000 Team, for allowing me to present this essay to you, and to The Sandman for showing me the light that radiates from the Cracks. Also to my friend Jeff who has provided my inspiration in learning to crack. If it were not for The Sandman, Jeff and their Newbie Cracking Forums, and the great time I had participating with The Snake and others in the "projects," I would not have learned what it takes to be a Cracker. Also to Ozz da Man, thanks for showing me the program.


Regards,
D0gBytes


 

 
Ob Duh 
 
Do I really have to remind you all that by buying and NOT stealing the software you use, you will ensure that these software houses will be encouraged to produce even *better* software for us to use and enjoy?

Ripping off software through serials and cracks is for lamers..
 
If you're looking for cracks or serial numbers from these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.
 
For more info on using W32Dasm, see the Sandman's Essay on Dead Listings.
 


Essay by:          D0gBytes (Bytes)
Page Created: Mar 22, 1999