.oOOo. A Tutorial On Different Approaches To Cracking - TekFacts95 v1.40.4 (8/04/97) .oOOo.
.oOOo..oOOo..oOOo. by tHATDUDE [PC & GLoW] .oOOo..oOOo..oOOo.
Program Stats:
What it is: A system util to check CPU usage, etc.
Where to get: http://ourworld.compuserve.com/homepages/deansoft or http://www.winutils.com/
Size: 583kb (zipped)
Protection: Start-up NaG, Delay, "unregistered" text in several places, Name/Code entry
Tools to crack:
- W32Dasm v8.9
- Hex editor of your choice...
OK.. I'll attempt to explain my thought processes while cracking TekFacts...
First thing I do before anything: Unzip and install! =) No install for TekFacts95, just unzip it and run the .EXE...
OK, let's run the program and take a good look. We start it up and see the NaG and time delay, then it pops us into the program and we see it has "<Unregistered Version>" in the title bar. Let's check the About box... it shows us a place to enter a registration number and first/last name. Enter a first name / last name / random code, and take note of the text in the box telling us our code is not correct... Alright, let's open this baby up in a hex editor. (I use UltraEdit32) Let's search for "regist" as case-insensitive ASCII.. Always do this before using a disassembler. It can give you many tips on how to attack the program... sometimes the registration code is hardcoded into the .exe! After taking a careful look, let's disassemble it!
So, let's start up W32Dasm (I use v8.9 - thanks Revolt! ;) and disassemble this file.
While waiting for the file to be disassembled, we can think about how we will attack the program. Since there is a name/serial entry, we can always go for the "Any name/Code" type of crack. Let's do that technique first then.
We remember that the text from the invalid registration box was "Registration Key Failed!"
In w32dasm, go to Refs|String Data References.
Scroll down the list of references until we find "Registration Key Failed!" =)
Double click on it and w32dasm will take you to the spot in the program.
(As a note, always try double clicking on the string reference more than once... often there is more than one occurrence of the string in the file. In TekFacts there is only 1 string.)
Close the String Data References box and scroll up a little... we see:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475C56(C)
|
:00475D8A 6A30 push 00000030
* Reference To: user32.MessageBeep, Ord:0000h
|
:00475D8C E8A705F9FF Call 00406338
* Possible StringData Ref from Code Obj ->"Registration Key Failed!"
|
:00475D91 B8F05E4700 mov eax, 00475EF0
:00475D96 E8F51DFCFF call 00437B90
We see that at 00475C56 there is a Conditional jump to the bad regkey box. Scroll up some and take a look at where this conditional jump occurs.
:00475C51 E87ED0F8FF call 00402CD4
:00475C56 0F852E010000 jne 00475D8A ; Conditional jump to BAD reg
:00475C5C 8D45B7 lea eax, dword ptr [ebp-49]
:00475C5F BA545E4700 mov edx, 00475E54
:00475C64 B114 mov cl, 14
.: SNIP :.
* Possible StringData Ref from Code Obj ->"Software\Dean Software\TechFacts95"
.: SNIP :.
* Possible StringData Ref from Code Obj ->"sRegStat" ; Registry Key - Code
.: SNIP :.
* Possible StringData Ref from Code Obj ->"Config"
.: SNIP :.
* Possible StringData Ref from Code Obj ->"sUser" ; Registry Key - Name
.: SNIP :.
* Possible StringData Ref from Code Obj ->"Config"
.: SNIP :.
* Possible StringData Ref from Code Obj ->"Registration Key accepted!"
|
:00475D75 B8CC5E4700 mov eax, 00475ECC
:00475D7A E8111EFCFF call 00437B90
:00475D7F 66C70580964E000100 mov word ptr [004E9680], 0001 ; RegFlag City!
:00475D88 EB11 jmp 00475D9B
That snippet from w32dasm tells us a lot! (Assuming you understand the ASM ;)
OK.. so how to crack this for any name/code? Change the conditional jump at 00475C56!
Load up TekFacts with your hex editor and change the bytes.
Original String: 0F852E010000
Change it to : 909090909090
This will prevent the program from ever going to the bad registration dialog, and it will allow the prog to continue on its way, processing all the way to the good regbox.
While changing: 0F852E010000
to : 0F842E010000
can also work... why risk the chance of it ever jumping to the bad regbox? Sometimes more byte changes are better.
You can also change: 0F852E010000
to this instead : 489040409048
which works just as well as 909090909090.... but is a more "professional" way to do it.
Now the test! Run it and try it. Wow! It worked! =)
Always test by closing down the program all the way and re-launching it!
Still registered! Great! =)
Are we done? ... We could be, but let's take a deeper look at the program and have some more fun. ;) Take a look at the code above again. The program writes the registration info into the registry, where it reads this info on startup. (Regmon can confirm this if you don't trust me ;) Anyway, let's open up the registry and see what's there.
In the registry we see some very interesting stuff...:
[HKEY_CURRENT_USER\Software\Dean Software\TechFacts95\Config]
"sRegStat"="TFIETPBJJ7200"
"sUser"="tHATDUDE Phrozen"
I entered this info:
First Name: tHATDUDE
Last Name : Phrozen
RegKey : 32441234342 (just hit a bunch of keys =)
"Are you thinking what I'm thinking??"
"Yeah.. Alicia Silverstone has a great ass!"
"DOH!"
=)
Anyway.. we're thinking the program stores the *CORRECT* reginfo! (actually we would know this if we followed the ASM carefully...) Anyway.. restore a clean .EXE and test it.. it still runs regged! Now we can export those regkeys and release that as a .REG file! (Export them by selecting them, then going to Registry|Export registry file...) The advantage of this is that it would most likely work with a new version or build.
So now we have 2 cracks. 1 to use any name/code, and 1 to merge the reginfo into the registry.
Are we done? ... Well, let's take yet another approach to cracking this program. Remember the "<Unregistered Version>" text in the title bar of the program when unregistered? This is a bad idea by the author because it is another attack point. (Why another attack point? Because we know it will not be shown when registered!)
In w32dasm, go to Refs|String Data References. Scroll down the list of references until we find "<Unregistered Version>" ... Double click on it and take a look at the code around it:
:0048E3B1 66833D80964E0000 cmp word ptr [004E9680], 0000 ; Doesn't this look familiar?
:0048E3B9 7522 jne 0048E3DD ; if 004E9680 is NOT 0, it will jump
:0048E3BB B201 mov dl, 01
:0048E3BD 8B83C4010000 mov eax, dword ptr [ebx+000001C4]
:0048E3C3 E8348BF8FF call 00416EFC
* Possible StringData Ref from Code Obj ->"<Unregistered Version>"
|
:0048E3C8 BAD0E44800 mov edx, 0048E4D0
:0048E3CD 8B83E0010000 mov eax, dword ptr [ebx+000001E0]
:0048E3D3 E8F88BF8FF call 00416FD0
:0048E3D8 E9C7000000 jmp 0048E4A4
What can we conclude from the code above? That the program works on a RegFlag system.
A RegFlag is a 0 or a 1, which the program checks against to see if it is registered or not.
If we toggle this flag to our favor, we can crack it and not rely on the user to be smart enough to enter any name/code. <G> It will just run registered. It works well for this program, especially since it does not display any name or serial of any sort anywhere in the program.
Remember that at address 00475D7F, I commented with "RegFlag City!"
* Possible StringData Ref from Code Obj ->"Registration Key accepted!"
|
:00475D75 B8CC5E4700 mov eax, 00475ECC
:00475D7A E8111EFCFF call 00437B90
:00475D7F 66C70580964E000100 mov word ptr [004E9680], 0001 ; RegFlag City!
:00475D88 EB11 jmp 00475D9B
Do you see why? When registration is successful, 1 is moved into [004E9680]. But... we want to find a place to shove 1 into [004E9680] without the user having to do anything.
So, search for 004E9680 in w32dasm.
We notice several compares, and we see that if the flag is set it will jump past all the icky stuff we don't like =) We finally end up here...:
* Possible StringData Ref from Code Obj ->"TechFacts 95" ; Program Starts...
|
:004C81F5 BAD0864C00 mov edx, 004C86D0
:004C81FA 8B45FC mov eax, dword ptr [ebp-04]
:004C81FD E8CEEDF4FF call 00416FD0
:004C8202 B88C000000 mov eax, 0000008C
:004C8207 E8E4D3FAFF call 004755F0
:004C820C 84C0 test al, al
:004C820E 750B jne 004C821B
:004C8210 66C70580964E000000 mov word ptr [004E9680], 0000 ; Moves in 0 to set default as UNREGISTERED...
:004C8219 EB09 jmp 004C8224
"Are you thinking what I'm thinking??"
"Yeah.. but how are we gonna get enough Jello to fill the whole pool?"
"DOH!@"
=)
Change : 66C70580964E000000
To this : 66C70580964E000100
And it now moves 1 into 004E9680 as default... Run it.. regged!! =)
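As an added cross-check (editor-supplied Python, not from the tutorial or from TekFacts), this decodes the instruction bytes quoted from the W32Dasm listings in all three approaches above and recomputes each branch target and the RegFlag operand at 004E9680, so the addresses the tutorial hinges on can be verified without trusting the disassembler; it also shows why the three six-byte replacements for the jne differ only in form.

```python
import struct

# Condition codes seen in the listing; the opcode's low nibble selects the condition.
JCC = {0x4: "je", 0x5: "jne"}

def decode(addr: int, code: str):
    """Decode one instruction given as a hex string at virtual address addr.

    Only the encodings quoted in the listing are handled (32-bit code). Returns
    (mnemonic, branch target) for jumps and (mnemonic, (address, imm)) for the
    word-sized mov/cmp against the RegFlag.
    """
    b = bytes.fromhex(code)
    nxt = addr + len(b)  # relative displacements are measured from the next instruction
    if b[0] == 0x0F and b[1] & 0xF0 == 0x80:          # jcc rel32: 0F 8x disp32
        return JCC[b[1] & 0x0F], nxt + struct.unpack_from("<i", b, 2)[0]
    if b[0] & 0xF0 == 0x70:                           # jcc rel8: 7x disp8
        return JCC[b[0] & 0x0F], nxt + struct.unpack_from("<b", b, 1)[0]
    if b[0] == 0xEB:                                  # jmp rel8
        return "jmp", nxt + struct.unpack_from("<b", b, 1)[0]
    if b[:3] == b"\x66\xC7\x05":                      # mov word ptr [disp32], imm16
        mem, imm = struct.unpack_from("<IH", b, 3)
        return "mov word ptr", (mem, imm)
    if b[:3] == b"\x66\x83\x3D":                      # cmp word ptr [disp32], imm8 (sign-extended)
        mem, imm = struct.unpack_from("<Ib", b, 3)
        return "cmp word ptr", (mem, imm & 0xFFFF)
    raise ValueError(f"unsupported encoding at {addr:08X}: {code}")

# (address, bytes, operand as W32Dasm showed it), copied from the listings above;
# the memory operand is the RegFlag word at 004E9680 in every mov/cmp.
LISTING = [
    (0x00475C56, "0F852E010000",       ("jne", 0x00475D8A)),
    (0x00475D7F, "66C70580964E000100", ("mov word ptr", (0x004E9680, 1))),
    (0x00475D88, "EB11",               ("jmp", 0x00475D9B)),
    (0x0048E3B1, "66833D80964E0000",   ("cmp word ptr", (0x004E9680, 0))),
    (0x0048E3B9, "7522",               ("jne", 0x0048E3DD)),
    (0x004C820E, "750B",               ("jne", 0x004C821B)),
    (0x004C8210, "66C70580964E000000", ("mov word ptr", (0x004E9680, 0))),
]

def check_listing():
    """Return the listing entries whose decoded operand disagrees with the disassembler."""
    return [(addr, code) for addr, code, shown in LISTING if decode(addr, code) != shown]

def net_eax_effect(code: str) -> int:
    """For filler made only of nop (90), inc eax (40) and dec eax (48), return the net
    change to eax; 0 means the bytes leave eax untouched, just like six 90s."""
    step = {0x90: 0, 0x40: 1, 0x48: -1}
    return sum(step[byte] for byte in bytes.fromhex(code))

if __name__ == "__main__":
    for addr, code, _ in LISTING:
        print(f"{addr:08X} {code:<20} -> {decode(addr, code)}")
    print("mismatches:", check_listing())
```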
So... We can now crack TekFacts in *3* different ways. (Assuming you didn't start zoning after the first few lines.. =) So does this mean you can now crack every program out there?? err.. no, but it's a start. =) Don't be afraid to poke around with a program... tinkering around in SoftICE or W32Dasm *and* using your brain can teach you much more than anyone can ever teach you through a tutorial.
"Are you thinking what I'm thinking??"
"Huh? Did you say something? I wasn't listening.."
"DOH!@# =))))"
tHATDUDE [PC / GLoW]
Greetz to:
tKC, [madmax], Baloosh, Saltine, Archimede, AlieN, n00dles, STaRDoGG, |mb|, BLiTZ, AquA, Durk, Byte Ripper, cH, eMX, Giraffe, G-RoM, Jestrz, Killer+Bee, Plushmm, Reformed, Tail Gunner, daze, TeRaPhY, XLogic, Fingers, Rayf00, tasm, Saga, jes, lgb, NinJak, taylor^, razzia, FXer, LordByte, SuperChic, Fryguy_, Cool-Hand, everyone in PC!! =)
"Are you thinking what I'm thinking??"
"Yeah.. you have too many greets!"
"DOH@!$!"