(-\/\ dRaG0n´s CrAcKinG Lesson 5 /\/-)

Tools you need :

Softice V.3.X      ( get it at  cracking.home.ml.org & surf.to/harvestr)

W32dasm V8.X       ( get it at  cracking.home.ml.org & surf.to/harvestr)

Submit Wolf Pro    ( download link not preserved )

Hiew 5.xx          ( get it at  cracking.home.ml.org & surf.to/harvestr )
 

Introduction :

HeY ya ;) ... Welcome to mY cRAckInG lesSon 5 :-)

Ok .. not much to talk about this target. Its protection is a name / serial check, but a little bit more difficult than the earlier ones =)

k , LetS gO foR it !

Cracking Submit Wolf Pro with Softice :

I will do this in steps, so it is easier to understand :-) .. like in the other lessons ...

Step  1 :  Run Submit Wolf Pro and go to "About/Register".

Step  2 :  Enter "dRag0n FFO98" as the name and "777777" as a dummy serial, then pop up S-iCE (Ctrl-D).
           Now we'll set the two most common breakpoints for dialog text input:

           "Bpx GetDlgItemTextA"
           "Bpx GetWindowTextA"

           Now leave S-iCE (Ctrl-D again).

Step 3  :  Press the "Ok" button and let S-iCE break. The first break is for the name box:

          "Break due to BPX GetDlgItemTextA ..."

Step 4  :  Press "F5" to let it break again, this time for the second (serial) box.
           Press "F11" to return to the code that called GetDlgItemTextA ;)

           We'll see the following code now:

           :0040719F FFD7         call edi                          ; GetDlgItemTextA, not interesting
           :004071A1 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] ; Address of the name buffer (ebp-100) -> eax
           :004071A7 50           push eax                          ; Push it as argument
           :004071A8 E883A0FFFF   call 00401230                     ; Not interesting, called once per buffer
           :004071AD 59           pop ecx                           ; Clean up the argument
           :004071AE 8D4580       lea eax, dword ptr [ebp-80]       ; Address of the serial buffer (ebp-80) -> eax
           :004071B1 50           push eax                          ; Push it as argument
           :004071B2 E879A0FFFF   call 00401230                     ; Not interesting, same routine again
           :004071B7 59           pop ecx                           ; Clean up the argument
           :004071B8 8D4580       lea eax, dword ptr [ebp-80]       ; Address of the serial -> eax
           :004071BB 50           push eax                          ; Push serial (2nd argument)
           :004071BC 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] ; Address of the name -> eax
           :004071C2 50           push eax                          ; Push name (1st argument)
           :004071C3 E8568D0000   call 0040FF1E                     ; Interesting call: check(name, serial) !
           :004071C8 59           pop ecx                           ; Clean up the 1st argument
           :004071C9 85C0         test eax, eax                     ; Is the return value zero?
           :004071CB 59           pop ecx                           ; Clean up the 2nd argument
           :004071CC 7518         jne 004071E6                      ; Nonzero = good serial, jump to
                                                                    ; the registered user msg. Zero
                                                                    ; falls through to the bad serial
                                                                    ; msg. Changing this jne to je
                                                                    ; would send a wrong serial to
                                                                    ; the good Buyer msg (and a
                                                                    ; right one to the bad msg) !

Step 5 : We saw above that the call to 0040FF1E is the important one .. You ask why? ..
         Because it is the last call before the jne decides whether the serial is right or
         wrong, and its return value is exactly what the test eax,eax looks at. Trace into
         this call (F8 on the call) and we see the following code :-)

         :0040FF1E 55             push ebp                          ; Standard frame setup
         :0040FF1F 8BEC           mov ebp, esp
         :0040FF21 83EC30         sub esp, 00000030                 ; 30h bytes of locals
         :0040FF24 8B450C         mov eax, dword ptr [ebp+0C]       ; 2nd argument = pointer to our
                                                                    ; serial -> eax
                                                                    ; Do "d eax" to see it !
         :0040FF27 53             push ebx                          ; Save callee-saved registers
         :0040FF28 56             push esi
         :0040FF29 57             push edi
         :0040FF2A 85C0           test eax, eax                     ; Is the serial pointer NULL?
         :0040FF2C 7431           je 0040FF5F                       ; Yes -> fail (return 0)
         :0040FF2E 8B5D08         mov ebx, dword ptr [ebp+08]       ; 1st argument = pointer to our
                                                                    ; name -> ebx
                                                                    ; Do "d ebx" to see it !
         :0040FF31 85DB           test ebx, ebx                     ; Is the name pointer NULL?
         :0040FF33 742A           je 0040FF5F                       ; Yes -> fail (return 0)
         :0040FF35 803850         cmp byte ptr [eax], 50            ; HERE ! Compares the first
                                                                    ; character of our serial with
                                                                    ; 50h, which is ASCII "P"
                                                                    ; (decimal 80). Do " ? 50 " to see !
         :0040FF38 7506           jne 0040FF40                      ; First char wasn't "P" -> try
                                                                    ; the alternatives below
         :0040FF3A 80780157       cmp byte ptr [eax+01], 57         ; HERE! Compares the second
                                                                    ; character of our serial with
                                                                    ; 57h, which is ASCII "W"
                                                                    ; (decimal 87). Do " ? 57 " to see !
         :0040FF3E 7426           je 0040FF66                       ; Serial starts with "PW" ->
                                                                    ; continue to the second check.
                                                                    ; Else fall into the alternative
                                                                    ; prefix checks below !

--> Alternative prefixes, and the failure exit at 0040FF5F that returns 0 (the caller then shows
    the bad serial msg). Note that 0040FF40 is reached both when the first char is not "P" and
    when it is "P" but the second is not "W", so the "4" / "E" tests don't look at the first char.

         :0040FF40 8A4801                 mov cl, byte ptr [eax+01]          ; Second char of serial -> cl
         :0040FF43 80F934                 cmp cl, 34                         ; Is it "4" ?
         :0040FF46 741E                   je 0040FF66                        ; Yes -> second check
         :0040FF48 80F945                 cmp cl, 45                         ; Is it "E" ?
         :0040FF4B 7419                   je 0040FF66                        ; Yes -> second check
         :0040FF4D 8325D840420000         and dword ptr [004240D8], 00000000 ; Clear a global flag
         :0040FF54 803853                 cmp byte ptr [eax], 53             ; First char "S" ?
         :0040FF57 7506                   jne 0040FF5F                       ; No -> fail
         :0040FF59 80780157               cmp byte ptr [eax+01], 57          ; Second char "W" ?
         :0040FF5D 7411                   je 0040FF70                        ; "SW" -> second check
         :0040FF5F 33C0                   xor eax, eax                       ; Fail: return 0
         :0040FF61 5F                     pop edi                            ; Restore registers
         :0040FF62 5E                     pop esi
         :0040FF63 5B                     pop ebx
         :0040FF64 C9                     leave
         :0040FF65 C3                     ret

Step 6 : Ok ... Now press "Ctrl-D" to leave S-iCE .. Replace the serial 777777 with PW777777
         and hit OK.

         Press "F5" to get to the break for the serial box and then "F11" to go to where it was called from !
         Now step into the call again and trace to the je behind the compares with 50 and 57 ...
         It will now jump past the failure exit to a second check ...

         You'll see something like this :

         :0040FF70 50                     push eax                     ; Push the serial pointer (2nd argument)
         :0040FF71 8D45E4                 lea eax, dword ptr [ebp-1C]  ; Address of a local buffer at ebp-1C -> eax
         :0040FF74 50                     push eax                     ; Push it (1st argument)
         :0040FF75 E856370000             call 004136D0                ; Not interesting: takes the local
                                                                       ; buffer and the serial, most likely
                                                                       ; a copy of the serial into the buffer
         :0040FF7A 59                     pop ecx                      ; Clean up the arguments
         :0040FF7B 8D45E4                 lea eax, dword ptr [ebp-1C]  ; Address of the local buffer -> eax
         :0040FF7E 59                     pop ecx
         :0040FF7F 6A2D                   push 0000002D                ; Push 2Dh .. This is interesting:
                                                                       ; do "? 2D" and you'll see that
                                                                       ; 2Dh is "-".
         :0040FF81 50                     push eax                     ; Push the buffer pointer
         :0040FF82 E8D9300000             call 00413060                ; Searches the buffer for a "-" and
                                                                       ; returns a pointer to it in eax,
                                                                       ; or 0 if there is none.

-> Some code of call 00413060

         .....
         :0041306C 8B542408            mov edx, dword ptr [esp+08] ; The string argument (our
                                                                   ; PW777777 buffer) -> edx
         :00413070 F7C203000000        test edx, 00000003          ; Tests the low two bits of the
                                                                   ; POINTER, i.e. whether the string
                                                                   ; is 4-byte aligned. This is the
                                                                   ; usual alignment check at the top
                                                                   ; of a library strchr-style routine,
                                                                   ; not a test of the third character.
         :00413076 7413                je 0041308B                 ; Aligned -> fast path. The "-"
                                                                   ; decision is made by the caller
                                                                   ; from this routine's return value.

-> End of call

         :0040FF87 8BF0                mov esi, eax                ; Result (pointer to "-" or 0) -> esi
         :0040FF89 59                  pop ecx                     ; Clean up the arguments
         :0040FF8A 85F6                test esi, esi               ; Was a "-" found?
         :0040FF8C 59                  pop ecx
         :0040FF8D 89750C              mov dword ptr [ebp+0C], esi ; Pointer to the "-" -> [ebp+0C]
                                                                   ; (reuses the 2nd argument slot)
         :0040FF90 74CD                je 0040FF5F                 ; No "-" -> fail (return 0), and the
                                                                   ; caller shows the bad serial msg !

Step 7 : Ok ... Go out with "Ctrl-D" and replace PW777777 with PW-777777 !
         Hit Ok again, press "F5" to get to the serial box break and "F11" to go to where
         it was called from ..

         Now you'll see this code again !

         :0040719F FFD7                call edi                    ; GetDlgItemTextA, not interesting
         :004071A1 8D8500FFFFFF  lea eax, dword ptr [ebp+FFFFFF00] ; Address of the name buffer (ebp-100) -> eax
         :004071A7 50                  push eax                    ; Push it as argument
         :004071A8 E883A0FFFF          call 00401230               ; Not interesting
         :004071AD 59                  pop ecx                     ; Clean up the argument
         :004071AE 8D4580              lea eax, dword ptr [ebp-80] ; Address of the serial buffer (ebp-80) -> eax
         :004071B1 50                  push eax                    ; Push it as argument
         :004071B2 E879A0FFFF          call 00401230               ; Not interesting
         :004071B7 59                  pop ecx                     ; Clean up the argument
         :004071B8 8D4580              lea eax, dword ptr [ebp-80] ; Address of the serial -> eax
         :004071BB 50                  push eax                    ; Push serial (2nd argument)
         :004071BC 8D8500FFFFFF  lea eax, dword ptr [ebp+FFFFFF00] ; Address of the name -> eax
         :004071C2 50                  push eax                    ; Push name (1st argument)
         :004071C3 E8568D0000          call 0040FF1E               ; We had this call before !
         :004071C8 59                  pop ecx                     ; Clean up the 1st argument
         :004071C9 85C0                test eax, eax               ; Is the return value zero?
         :004071CB 59                  pop ecx                     ; Clean up the 2nd argument
         :004071CC 7518                jne 004071E6                ; Nonzero = good serial, jump to
                                                                   ; the registered user msg. Zero
                                                                   ; falls through to the bad serial
                                                                   ; msg. Changing this jne to je
                                                                   ; would send a wrong serial to
                                                                   ; the good Buyer msg !

Step 8 : Now, after you have traced over (F10) the call 0040FF1E, do a "d edx" to see the real serial.

         For me it was 197298 ... Now our serial would be PW-197298 ...
         You could also follow the whole routine by stepping into call 0040FF1E, but I think this is
         much faster, because the prog doesn't wipe the serial after calculating it .. So we can
         simply do "d edx" to see the serial ... ;-)

         Ok , do "bd *" to disable all breakpoints and replace PW-777777 with PW-197298 ...
         BoooM , NoW yoU´rE a ReGGeD uSeR ! =)

Last Words :

I think this was a bit harder ... but not sooo hard at all ;) ...

So ... I hope I will see ya in lesson 6 some time .. hehe

L8r - dRag0n FFO98 -