August 1998
"Cracking WS-Finger Client"
Win Code Reversing
by KLee8084 
Code Reversing For Beginners 
Program Details
Program Name: wsfinger.exe
Program Type: Internet utility
Program Location: HERE 
Program Size: 687 Kb
Tools Used:
Softice V3.2 - Debugger
Easy ( X )  Medium (  )  Hard (    )  Pro (    ) 
There is a crack, a crack in everything. That's how the light gets in.
Cracking WS-Finger Client
Written by KLee8084
WS-Finger is a nifty little utility that allows you to "finger" a person on the Internet and find out information on that person...provided, that is, that the person's ISP doesn't block finger attempts.
About this protection system
Not very much of a protection system. The password is calculated based on the name that the user enters.
The Essay 
Once you install the program, then run it. A licensing agreement window should pop up. Accept it. Ready? Let's start!
Click on File.
Click on Register.

Now, enter your Name and a fake Password.
Time to go into Softice and set a breakpoint.
Press CTRL-D  then type bpx GetDlgItemTextA 

Now, type X to return to the program.  Click on "OK".
Bang! We're back in Softice at the start of USER32!GetDlgItemTextA

Type X
Now, press F11 to return to the instruction following the call to USER32!GetDlgItemTextA.
F10 until:

:0040224B    CALL 00409048      <- Routine to put hex value of fake password in EAX

F8 into this call (you CAN, if you want, step over this call with a F10).
F10 until:

:0040904D    MOV EDX, [EBP+08]            <- Your fake password

To prove that this is your fake password, type d EDX
F10 until you return from the call.   If you type ? EAX you'll see that EAX now holds the fake password.
F10 until:

:004021C3    CALL 0040225B

Since the instruction following this CALL is a TEST, F8 into the call.  F10 until:

:00402279    CALL 004051C4
:0040227E    POP ECX
:0040227F    CMP EAX, EBX

F8 into the call at :00402279.  Hmmm...not interesting.
F10 until you return from the CALL.
F10 until you come back to the same call (are you feeling like a yo-yo yet? *grin*)

:00402279    CALL 004051C4

F10 over this call.
As a matter of fact, press F10 until EBX = EAX (:0040227F  CMP EAX, EBX). This should be the same as the length of the name that you had entered. I had entered KLee8084. Therefore, EAX was 8. EBX was incremented by 1 each time the loop was run through. (i.e., 8 iterations).
F10 until:

:0040229B    CALL 00408E14

F10 over this call (well, you CAN F8 into any of the calls, if you want to.)
F10 until:

:004022A3    CALL 00408D84

F10 over this call.

Well...look at the next instruction. Interesting, isn't it? *wink*

:004022A8    CMP EAX, [EDI+0000016E]

If you look at the value at EDI+0000016E, you'll see that it holds your fake password (hex value). What, then, does EAX hold?
Type ? EAX
See the decimal value of EAX? That is the REAL password.
Write it down.
Time to clear the breakpoint (type bc * )
Now, type X to return to the program.
Click on "OK" to get rid of the nasty message box.
Enter the number that you had written down (the decimal value of EAX).
Click on "OK".  No message box thanking you??? Nothing???
*grin* Click on Help.
Click on About...

Program cracked.
The 'Crack' 
Final Notes 
The protection of this program is very similar to the protection of Teleport Pro v1.28 (one of my other essays). Perhaps the creators of Teleport Pro ripped the routine from WS-Finger? Perhaps not.

My thanks and gratitude goes to:-
Fravia+ for providing possibly the greatest source of Reverse Engineering
knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Ob Duh 
Do I really have to remind you all that by buying and NOT stealing the software you use will ensure that these software houses will continue to  produce even *better* software for us to use and more importantly, to continue offering even more challenges to breaking their often weak protection systems.
If your looking for cracks or serial numbers from these pages then your wasting your time, try searching elsewhere on the Web under Warze, Cracks etc.

 [ Return ] 

Essay by: KLee8084
Page Created: 17th August 1998