(-\/\ dRaG0n´s CrAcKinG Lesson 2 /\/-)
Tools you need :
Softice V.3.X ( get it at cracking.home.ml.org / surf.to/harvestr)
W32dasm V8.X ( get it at cracking.home.ml.org / surf.to/harvestr)
Arj Shell V1.2 ( get it at Click Here )
( get it at cracking.home.ml.org
Hi again , welcome to cracking Lesson 2 !
Now we will crack our first program in 2 different ways ...
1. with Softice , to get the real Serial...
2. with W32dasm , to patch it so it takes any Serial ...
With Softice you can get the real serial by finding the compare between the serial we entered and the right one .. the other approach is W32dasm , there you can find the protection scheme and patch it so it takes any serial we enter ...
The first way with Softice is much better cause a real serial is always better , it activates all registered functions for example ...
With the second way you have to find the registration check , and sometimes also the disabled Save functions , unregistered msg´s , nags etc. to patch , if you have the real serial all these things are done , because it was a real serial which automatically activates all these functions :-)
Getting real serials is also sometimes much harder , you have to find the compare (or the calculation) etc.
So , i will show you both ways ;-)
Cracking ArjShell V1.2 using Softice :
I will do thiz in Steps , so it's easier to understand :-)
Step 1 : Run Arjshl32.exe , go to 'Preferences' , hit 'Register' ...
Write DrAgOn as name , and 77777 (my fav.) as User-ID .. Don't hit 'Register' yet.
Step 2 : Press 'Ctrl-d' to go to Softice ! Now we want a breakpoint where all the things happen when we press register (compare , etc ) ... We take the most common functions to break on !
Step 3 : Now hit 'Ctrl-d' to leave Sice , press Register to break on the register function...
Hmmm , what´s that ?! It doesn't break , so ArjShell doesn't use any of the api functions we set breakpoints on ...
Go back to Sice with 'Ctrl-d' , type 'bc *' to delete the old breakpoints and set a new one on hmemcpy (works mostly) , 'Bpx Hmemcpy' !
Leave Sice with 'Ctrl-d' and click on Register again ..
Step 4 : Yeah , Softice popped up ... it broke on hmemcpy , you see it when you look at the command line , it says 'Break due to BPX Hmemcpy Kernel!Hmemcpy'
We're now in box 1 (name) , we don't want to be here , cause we want to get to the serial box where maybe our fake serial will be compared with the real one ... so press 'F5'
Step 5 : Now press 'F11' to get back to where it was called from ... but we're wrong here..
We´re not in the code of ArjShell , you will notice thiz when you look at the command line , it says
So , press F12 ´bout 4-5 times till you see
Now we're at da right place !
Step 6 : You will see something like that asm code ... the red box displays the same as in
|:00426351 5E pop esi ; pop Esi from the stack|
Step 7 : We have to find something like a Call followed by a Compare & Jxx command ...
Hit 'F10' about 23 times till you are at the following asm code :-)
mov eax, dword ptr [ebp-08] ; move Ebp-08 --> Eax
:0042F701 5A pop edx ; pop Edx from the stack
|:0042F702 E87D450000 call 00433C84 ; HERE !!|
Step 8 : Ok , you are with the red box on the 'Call 00433c84' command , press 'F8' to get into it ! We will see the following ASM code now !
:00433C84 push ebp ; save Ebp
:00433C85 8BEC mov ebp, esp ; move Esp -> Ebp
:00433C87 83C4F4 add esp, FFFFFFF4 ; Esp = Esp - 0C (room for 3 locals: ebp-04 , ebp-08 , ebp-0C)
:00433C8A 53 push ebx ; save Ebx
:00433C8B 56 push esi ; save Esi
:00433C8C 57 push edi ; save Edi
:00433C8D 33C9 xor ecx, ecx ; Ecx = 0 / clear Ecx
:00433C8F 894DF4 mov dword ptr [ebp-0C], ecx ; move Ecx -> ebp-0C (local , will hold the calculated serial)
:00433C92 8955F8 mov dword ptr [ebp-08], edx ; move Edx -> ebp-08 (2nd argument)
:00433C95 8945FC mov dword ptr [ebp-04], eax ; move Eax -> Ebp-04 (1st argument)
:00433C98 8B45FC mov eax, dword ptr [ebp-04] ; move ebp-04 -> Eax
:00433C9B E84CFAFCFF call 004036EC ; unimportant call
:00433CA0 8B45F8 mov eax, dword ptr [ebp-08] ; move Ebp-08 -> Eax
:00433CA3 E844FAFCFF call 004036EC ; unimportant call
:00433CA8 33C0 xor eax, eax ; Eax = 0 / clear Eax
:00433CAA 55 push ebp ; save Ebp
:00433CAB 68F23C4300 push 00433CF2 ; save 00433CF2 (exception handler address)
:00433CB0 64FF30 push dword ptr fs:[eax] ; save fs:[0] (Eax is 0) , the old exception chain
:00433CB3 648920 mov dword ptr fs:[eax], esp ; move Esp -> fs:[0] , installs the new handler frame
:00433CB6 33DB xor ebx, ebx ; Ebx = 0 / clear Ebx
:00433CB8 8D4DF4 lea ecx, dword ptr [ebp-0C] ; Ecx = address of ebp-0C (result goes here)
:00433CBB 8B55FC mov edx, dword ptr [ebp-04] ; move ebp-04 -> Edx
:00433CBE B858171D22 mov eax, 221D1758 ; move 221D1758 -> Eax (constant used by the calculation)
:00433CC3 E8907CFFFF call 0042B958 ; Calculation ...
:00433CC8 8B55F4 mov edx, dword ptr [ebp-0C] ; move ebp-0C -> Edx (the calculated serial)
:00433CCB 8B45F8 mov eax, dword ptr [ebp-08] ; move Ebp-08 -> Eax (what we typed)
|:00433CCE E875F9FCFF call 00403648 ; !!!Here !!!|
So , trace with the red box till you are at 00433CCE .. You notice that Eax changed in the registers ... do a 'D eax' and you will see our fake code...
We´re near the bitches home :-)
Step 9 : Hit 'F8' to trace into thiz call ... We see the following asm code !!
:00403648 push ebx ; save ebx
:00403649 56 push esi ; save esi
:0040364A 57 push edi ; save edi
:0040364B 89C6 mov esi, eax ; move eax -> esi
:0040364D 89D7 mov edi, edx ; move edx -> edi
:0040364F cmp eax, edx ; !! HERE !! Thiz compares Eax with Edx !
Yeah , we reached the compare ... trace to 40364F on the 'cmp eax,edx' and do 'D eax' and see our fake serial... then do 'D edx' and what do we see here ? A number , 465766380 , write it down , do a 'bd *' to disable all breakpoints ... Then 'Ctrl-d' to leave Softice...
Replace our fake code with the number and hit register :-)
"You are a registered User of ArjShell now! "
YeaH , You CraCKeD yoUr (FirSt) ProgRam !
So , close ArjShell 32 , run regedit , do a search for 465766380 , delete the ArjShell entry and run it again , now try to do it without thiz text with your own name :-)
It wasn´t hard at all , was it ?... hehe ...
Next time the Getdlgitemtexta & Getwindowtexta breakpoints will work .. haha ...
if not , we´ll use hmemcpy again ... so let's crack / patch it with W32dasm , but first do this again with ya name =)
Ok , it's 4:48 am , i´m sooo tired ... tomorrow we do it with W32dasm...
going to bed .. :-)
Cracking ArjShell V1.2 using W32DASM :
Hi again ...
Ohh... it´s 15:46 ... haha ... slept a long time , huh ? .. wHat a nIghT !?! .. ok , let's do the second approach , cracking it with W32DASM ... aRe u ready ? Let´s RocK :-)
Step 1 : Run the program , go to about/register , type in any name & serial ..
You´ll see something like thiz ...
"You have entered wrong register values ! "
Write thiz msg down and disassemble ArjShl32.exe ...
Step 2 : Once it´s disassembled , goto Search/Find Text , take "You have entered wrong" as search string .. :-)
Step 3 : Found it ? k ... Now you are where it displays the wrong serial msg on the screen .. !
To find the location where it decides , compares something , you have to scroll up a bit (mostly on any other progs too) till the first jump command (can be Jne,Je,Jnz,Jz,Jg etc. , not JMP) ... always starts with 'J' , which decides for ex.:
- If entered wrong , go to bad cracker , else go to good buyer -
Step 4 : We found something like thiz .. :
* Possible StringData Ref from Code Obj ->"You have entered wrong register"
mov edx, 0042F8BC ; Move 0042F8BC -> Edx (address of the msg string)
:0042F79E E86565FDFF call 00405D08 ; Call to something..
:0042F7A3 6A30 push 00000030 ; Save 30 / Push to Stack
Step 5 : Ok , that's not interesting ... go up from there and search for the first Jump command ..
You will find something like thiz here ...
:0042F707 A2D3774300 mov byte ptr [004377D3], al ; store the result byte (Al) at 004377D3
:0042F70C 803DD377430000 cmp byte ptr [004377D3], 00 ; Cmp .. we could change the 00 to 01 and have the same effect
Note : The computer only knows 00,01 .. where 00 is for wrong values and 01 for the right msg , or 01 bad and 00 good ... so if we change thiz , it goes to "Good Buyer" when we entered wrong values .. understand ? =:-)
:0042F713 747F je 0042F794 ; HERE! .. it decides to jump to good buyer or bad cracker !
lea edx, dword ptr [ebp-04] ; Edx = Ebp-04
:0042F718 8B83B4010000 mov eax, dword ptr [ebx+000001B4] ; Move Ebx+1b4 -> Eax
:0042F71E E8492CFEFF call 0041236C ; Some Routines ..
Step 6 : Sooo .. we found the Jump ... double click on it ..
You will see something below now .. in the task list ... for me it says :
Line 110233 Pg ... bla bla ... @OFFSET : 0002EB13h ...
The numbers I underlined in red are important .. that's the Offset where to change the jump we found ... now close ArjShell and make a backup copy of ArjShl32.exe ..
Step 7 : Run hiew at the dos prompt like thiz .. "hiew arjshl32.exe" ... When you are in , press "F4" four times to go to the Asm Code Listing .. now press "F5" to go to an Offset .. and enter the value we got in W32Dasm (2EB13) and press enter ..
Now you should see something like thiz :
arjshl32.exe R.L .0002F713 a32 -------- 280576 ¦ Hiew 5.91 (c)SEN.
.0002F713: 747F je .00002F794 -------- (1)
Thiz is the jump we searched for ... now press "F3" to edit the code
We want to change "JE" to "JNE" ..
Now overwrite the 747F with 757F ... it will change to JNE .. press F9 now to write the change.
( Or just use TAB to edit easier )
Leave Hiew now and run the prog. , go to register .. type in any dummy
*BOOM* , Registered ... ! .. Now go back to the main screen .. What's that ? , if you click the Save or Load button it says it´s only available in the Registered Version ... hmmm... i said this before , that sometimes u must patch other things , like disabled Save functions , too...
But no prob =) .. We´re gonna get tHiZ too ;) hehehe...
Step 8 : Go back to W32Dasm and search for "Sorry" .. You will find 3 matches for 3 different msg´s .. one each for Sorry but ... can't .. Save As / Loading / Save button .. =) ...
Now it's up to you , you know what to do ... NO ? .. just look above at how we did the register thing ... Just search for the string , look above for a Jump .. change it with Hiew , and test it ;) ... I know u can do that .. hehhehe =)
A little hint , JNE is 75 , JE is 74 ... now there will be no probs ;)
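To see what the hiew line from Step 7 actually encodes , here is an added Python example (not part of the original lesson and not ArjShell code) : it decodes a two-byte short conditional jump (opcode 70-7F plus a signed 8-bit displacement) the way a disassembler does , works out the target from the offset and the displacement , and checks the numbers hiew printed (747F at .0002F713 landing at .00002F794). The hiew-line parser is a constructed helper for this example.

```python
# Decoder for the two-byte short conditional jump (Jcc rel8) seen in the lesson:
# opcode 0x70-0x7F followed by a signed 8-bit displacement.
# Added example, not code from the original lesson or from ArjShell.

# Short Jcc opcodes; each even/odd pair is a condition and its negation
# (74 = je, 75 = jne), which is why only the low bit differs between them.
JCC_SHORT = {
    0x70: "jo", 0x71: "jno", 0x72: "jb", 0x73: "jae",
    0x74: "je", 0x75: "jne", 0x76: "jbe", 0x77: "ja",
    0x78: "js", 0x79: "jns", 0x7A: "jp", 0x7B: "jnp",
    0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg",
}


def decode_jcc_short(offset: int, code: bytes):
    """Decode a Jcc rel8 located at file offset `offset`.

    Returns (mnemonic, target_offset). The displacement is relative to the
    end of the 2-byte instruction, so target = offset + 2 + signed(rel8).
    """
    if len(code) < 2 or code[0] not in JCC_SHORT:
        raise ValueError("not a short conditional jump")
    rel8 = int.from_bytes(code[1:2], "little", signed=True)
    return JCC_SHORT[code[0]], offset + 2 + rel8


def parse_hiew_line(line: str):
    """Parse a hiew listing line such as '.0002F713: 747F je .00002F794'.

    Constructed helper: pulls the offset and the hex bytes out of the line,
    decodes them, and reports whether the computed target matches the one
    hiew printed. Returns (mnemonic, target_offset, matches_listing).
    """
    addr_text, bytes_text, _mnemonic, target_text = line.split()[:4]
    offset = int(addr_text.strip(".:"), 16)
    mnemonic, target = decode_jcc_short(offset, bytes.fromhex(bytes_text))
    claimed = int(target_text.strip("."), 16)
    return mnemonic, target, target == claimed


if __name__ == "__main__":
    # The line hiew showed in Step 7 of the lesson.
    print(parse_hiew_line(".0002F713: 747F je .00002F794"))
```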
Last Words :
So .. that was Lesson 2 ... crAcking ArjSHell in 2 different ways .. wasn't that hard , was it ?
Ok , dudes ... see ya soon in Lesson 3 ;)
L8r .. DraG0n FFO´98