
dRaG0n´s CrAcKinG Lesson 2

Published in dRaG0n CrAcKinG Lesson · 5 months ago

Tools you need

  • Softice V.3.X
  • W32dasm V8.X
  • Arj Shell V1.2
  • Hiew 5.xx

Introduction

Hi again, welcome to cracking Lesson 2!

Now we will crack our first program in 2 different ways...

  1. with Softice, to get the real serial...
  2. with W32dasm, to patch it so it takes any serial...

With Softice you can get the real serial by finding the compare between the serial we entered and the right one. The other approach is W32dasm: there you can find the protection scheme and patch it so it takes any serial we enter...

The first way with Softice is much better, because a real serial is always better; it activates all registered functions, for example...

With the second way you have to find the registration check, and sometimes also disabled Save functions, unregistered msg's, nags etc. to patch. If you have the real serial, all these things are done, because a real serial automatically activates all these functions :-)

Getting real serials is also sometimes much harder; you have to find the compare between the input and the calculated serial etc.
So, I will do both ways, to show them to you ;-)

Cracking ArjShell V1.2 using Softice

I will do thiz in steps, so it's easier to understand :-)

Step 1

Run Arjshl32.exe, go to 'Preferences', hit 'Register'...
Write DrAgOn as name, and 77777 (my fav.) as User-ID.. Don't hit 'Register' yet.

Step 2

Press 'Ctrl-d' to go to Softice! Now we want to break where all the things happen when we press Register (compare, etc.)... We take the most common functions to break on!

'Bpx GetdlgItemTextA'
'Bpx GetdlgItemText'
'Bpx GetWindowTextA'
'Bpx GetWindowText'

Step 3

Now hit 'Ctrl-d' to leave Sice, press Register to break on the register function...
Hmmm, what's that?! It doesn't break, so ArjShell doesn't use any of the API functions we set breakpoints on...

Go back to Sice with 'Ctrl-d', type 'bc *' to delete the old breakpoints and set a new one on hmemcpy (works mostly): 'Bpx Hmemcpy'!
Leave Sice ('Ctrl-d') and click on Register again..

Step 4

Yeah, Softice popped up... it broke on hmemcpy; you see it when you look at the command line, it says 'Break due to BPX Hmemcpy Kernel!Hmemcpy'.
We're now in box 1 (name); we don't want to be here, because we want the serial box, where our fake serial will probably be compared with the real one... so press 'F5'.

Step 5

Now press 'F11' to get back to where it was called from... but we're wrong here..
We're not in the code of ArjShell; you will notice thiz when you look at the command line. It says

'-------------------User(xx)-------------------'

So, press F12 about 4-5 times till you see

'-------------------ARJSHL32!CODE+xxxxxxxx-------------------'

Now we're at da right place!

Step 6

You will see asm code something like this... the red box displays the same as in Softice :-)

:00426351 5E              pop esi                      ; restore Esi from the stack
:00426352 5B              pop ebx                      ; restore Ebx from the stack
:00426353 C3              ret                          ; RETurn to where this was called from

Step 7

We have to find something like a Call followed by a Compare & Jxx command...
Hit 'F10' about 23 times till you are at the following asm code :-)

:0042F6FE 8B45F8          mov eax, dword ptr [ebp-08]  ; move [Ebp-08] -> Eax
:0042F701 5A              pop edx                      ; restore Edx from the stack

:0042F702 E87D450000      call 00433C84                ; HERE !!
:0042F707 A2D3774300      mov byte ptr [004377D3], al  ; move al -> [4377D3]
:0042F70C 803DD377430000  cmp byte ptr [004377D3], 00  ; compare [4377D3] with 00
:0042F713 747F            je 0042F794                  ; Jump if Bad Cracker (NAG), else go to Good Cracker

Step 8

Ok, you are with the red box on the 'Call 00433c84' command; press 'F8' to get into it! We will see the following ASM code now!

:00433C84 55              push ebp                     ; save Ebp
:00433C85 8BEC            mov ebp, esp                 ; move Esp -> Ebp
:00433C87 83C4F4          add esp, FFFFFFF4            ; Esp = Esp - 0C (room for 3 locals)
:00433C8A 53              push ebx                     ; save Ebx
:00433C8B 56              push esi                     ; save Esi
:00433C8C 57              push edi                     ; save Edi
:00433C8D 33C9            xor ecx, ecx                 ; Ecx = 0 / clear Ecx
:00433C8F 894DF4          mov dword ptr [ebp-0C], ecx  ; move Ecx -> [ebp-0C]
:00433C92 8955F8          mov dword ptr [ebp-08], edx  ; move Edx -> [ebp-08]
:00433C95 8945FC          mov dword ptr [ebp-04], eax  ; move Eax -> [ebp-04]
:00433C98 8B45FC          mov eax, dword ptr [ebp-04]  ; move [ebp-04] -> Eax
:00433C9B E84CFAFCFF      call 004036EC                ; unimportant call
:00433CA0 8B45F8          mov eax, dword ptr [ebp-08]  ; move [Ebp-08] -> Eax
:00433CA3 E844FAFCFF      call 004036EC                ; unimportant call
:00433CA8 33C0            xor eax, eax                 ; Eax = 0 / clear Eax
:00433CAA 55              push ebp                     ; save Ebp
:00433CAB 68F23C4300      push 00433CF2                ; push 00433CF2 (exception handler address)
:00433CB0 64FF30          push dword ptr fs:[eax]      ; save fs:[0] (the old handler)
:00433CB3 648920          mov dword ptr fs:[eax], esp  ; move Esp -> fs:[0] (install the frame)
:00433CB6 33DB            xor ebx, ebx                 ; Ebx = 0 / clear Ebx
:00433CB8 8D4DF4          lea ecx, dword ptr [ebp-0C]  ; Ecx = ebp-0C
:00433CBB 8B55FC          mov edx, dword ptr [ebp-04]  ; move [ebp-04] -> Edx
:00433CBE B858171D22      mov eax, 221D1758            ; move 221D1758 -> Eax
:00433CC3 E8907CFFFF      call 0042B958                ; Calculation ...
:00433CC8 8B55F4          mov edx, dword ptr [ebp-0C]  ; move [ebp-0C] -> Edx
:00433CCB 8B45F8          mov eax, dword ptr [ebp-08]  ; move [Ebp-08] -> Eax

:00433CCE E875F9FCFF      call 00403648                ; !!!Here !!!
:00433CD3 7502            jne 00433CD7                 ; Jump if not Equal
:00433CD5 B301            mov bl, 01                   ; move 01 -> bl (the result flag)

So, trace on with the red box till you are at 00433CCE.. You notice that Eax changed in the register window... do a 'D eax' and you will see our fake code...
We're near the bitches' home :-)

Step 9

Hit 'F8' to trace into thiz call... We see the following asm code!!

:00403648 53              push ebx                     ; save ebx
:00403649 56              push esi                     ; save esi
:0040364A 57              push edi                     ; save edi
:0040364B 89C6            mov esi, eax                 ; move eax -> esi
:0040364D 89D7            mov edi, edx                 ; move edx -> edi

:0040364F 39D0            cmp eax, edx                 ; !! HERE !! Thiz compares Eax with Edx (the pointers to the two strings)!
:00403651 0F848F000000    je 004036E6                  ; Jump if equal ...

Yeah, we reached the compare... trace to 40364F, the 'cmp eax,edx', and do 'D eax' to see our fake serial... then do 'D edx', and what do we see here? A number, 465766380. Write it down, do a 'bd *' to disable all breakpoints... Then 'Ctrl-d' to leave Softice...

Enter the number in place of our fake code and hit Register :-)

"You are a registered User of ArjShell now! "

YeaH, You CraCKeD yoUr (FirSt) ProGram!

So, close ArjShell 32, run regedit, do a search for 465766380, delete the ArjShell entry and run it again; now try to do it without thiz text, with your own name :-)

It wasn't hard at all, was it?... hehe...
Next time the GetDlgItemTextA & GetWindowTextA breakpoints will work.. haha...
If not, we'll use hmemcpy again... so let's crack / patch it with W32dasm, but first do this again with ya name =)

Ok, it's 4:48 am, I'm sooo tired... tomorrow we do it with W32dasm... going to bed.. :-)

l8ter

-DrAgOn FFO98-

Cracking ArjShell V1.2 using W32DASM

Hi again...

Ohh... it's 15:46... haha... slept a long time, huh?.. wHat a nIghT!?!.. ok, let's do the 2nd approach, cracking it with W32DASM... aRe u ready? Let's RocK :-)

Step 1

Run the program, go to about/register, type in any name & serial..
Hit 'REGISTER'

You'll see something like thiz...

"You have entered wrong register values ! "

Write thiz msg down and disassemble ArjShl32.exe...


Step 2

Once it's disassembled, go to Search/Find Text and take

"You have entered wrong"

as search string.. :-)

Step 3

Found it? k... Now you are where it displays the wrong-serial msg on the screen..!

To find the location where it decides, where it compares something, you have to scroll up a bit (mostly on other progs, too) till the first conditional jump command (can be Jne, Je, Jnz, Jz, Jg etc., not JMP)

... it always starts with 'J', and it decides, for ex.:

- If entered wrong, go to bad cracker, else go to good buyer -

Step 4

We found something like thiz..:

* Possible StringData Ref from Code Obj ->"You have entered wrong register"

:0042F799 BABCF84200      mov edx, 0042F8BC            ; move 0042F8BC -> Edx
:0042F79E E86565FDFF      call 00405D08                ; call to something..
:0042F7A3 6A30            push 00000030                ; save 30 / push to stack

Step 5

Ok, that's not interesting... go up from here and search for the first jump command..
You will find something like thiz here...

:0042F702 E87D450000      call 00433C84
:0042F707 A2D3774300      mov byte ptr [004377D3], al
:0042F70C 803DD377430000  cmp byte ptr [004377D3], 00  ; Cmp.. we could change 00 to 01 and we have the same effect

Note: The result of the check is only 00 or 01, where 00 is for wrong values and 01 for the right ones (or, in other progs, 01 bad and 00 good)... so if we change the 00 in the compare to 01, it goes to "Good Buyer" when wrong values are entered.. understand? =:-)

:0042F713 747F            je 0042F794                  ; HERE!.. it decides to jump to good buyer or bad cracker!

:0042F715 8D55FC          lea edx, dword ptr [ebp-04]  ; Edx = Ebp-04
:0042F718 8B83B4010000    mov eax, dword ptr [ebx+000001B4] ; move [Ebx+1B4] -> Eax
:0042F71E E8492CFEFF      call 0041236C                ; some routines..

Step 6

Sooo.. we found the jump... double click on it..
You will see something below now.. in the task list... for me it says:
Line 110233 Pg... bla bla... @OFFSET: 0002EB13h...

The numbers I underlined in red are important.. that's the offset where to change the jump
we found... now close ArjShell and make a backup copy of ArjShl32.exe..

Step 7

Run hiew at the DOS prompt like thiz.. "hiew arjshl32.exe"... When you are in, press "F4" four times to go to the asm code listing.. now press "F5" to go to an offset.. enter the value we got in W32Dasm (2EB13) and press enter..

Now you should see something like thiz:

arjshl32.exe  R.L      .0002F713 a32 --------   280576 ¦ Hiew 5.91 (c)SEN.
----------------------------------------------------------------------------------------
.0002F713: 747F                  je .00002F794          -------- (1)

Thiz is the jump we searched for... now press "F3" to change the code..
We want to change "JE" to "JNE"..

Now overwrite the 747F with 757F... it will change to JNE.. press F9 now to write the change.

(Or just use TAB to edit more easily)

Leave Hiew now and run the prog., go to register.. type in any dummy strings..
*BOOM*, Registered...!.. Now go back to the main screen.. What's that? If you
click the Save or Load button it says it's only available in the registered version

... hmmm... I said this before, that sometimes u must patch other things like disabled Save functions too...

But no prob =).. We're gonna get tHiZ too ;) hehehe...

Step 8

Go back to W32Dasm and search for "Sorry".. You will find 3 matches for 3 different msgs.. because there is one "Sorry, but... can't.." for each of Save As / Loading / the Save button.. =)...

Now it's up to you, you know what to do... NO?.. just look above at how we patched
the register thing... Just search for the string, look above for a jump.. change it with Hiew, and test it ;)... I know u can do that.. hehhehe =)

A little hint: JNE is 75, JE is 74... now there will be no probs ;)
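As an added example (not code from the lesson or from ArjShell), here is the arithmetic behind Step 6, Step 7 and the hint above: how the two bytes 747F encode 'je 0042F794', why flipping the lowest bit of the opcode turns JE into JNE, how the virtual address 0042F713 becomes the file offset 0002EB13h that W32Dasm reports, and how a defender can compare a known-good copy of a code region against a suspect one to spot exactly this kind of one-byte branch flip. The image base (00400000) and the section table (CODE at RVA 1000h backed by file offset 400h, as in a typical Delphi binary) are assumptions, not values read from the page; the 0C00h gap they produce matches the addresses the lesson shows. The sample bytes are constructed from the listing in Step 5.

```python
"""Added example, not part of dRaG0n's lesson: decoding the short conditional
jump patched in Step 7, mapping its VA to a file offset, and an integrity check
that reports inverted branches.  Image base and section table are assumptions.
"""

IMAGE_BASE = 0x00400000  # assumed, the usual base for a 32-bit PE

# Assumed section table: (name, VirtualAddress, PointerToRawData, VirtualSize).
# CODE at RVA 1000h stored at file offset 400h gives the 0C00h gap between
# VA 0042F713 and the @OFFSET 0002EB13h the lesson reads off W32Dasm.
SECTIONS = [
    ("CODE", 0x1000, 0x400, 0x40000),
]

# Short (rel8) conditional jumps, opcodes 70h-7Fh.  Each opposite pair differs
# only in the lowest bit, which is why 74h (je) becomes 75h (jne) with one byte.
JCC_SHORT = {
    0x74: "je", 0x75: "jne",
    0x7C: "jl", 0x7D: "jge",
    0x7E: "jle", 0x7F: "jg",
}


def va_to_file_offset(va: int) -> int:
    """Translate a virtual address to a file offset the way a disassembler does."""
    rva = va - IMAGE_BASE
    for _name, vaddr, raw_ptr, vsize in SECTIONS:
        if vaddr <= rva < vaddr + vsize:
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} lies in no section")


def decode_short_jcc(code: bytes, va: int) -> tuple[str, int]:
    """Decode the two bytes of a short Jcc located at `va`: (mnemonic, target VA).

    The displacement is a signed byte relative to the end of the 2-byte
    instruction, so 747F at 0042F713 jumps to 0042F713 + 2 + 7Fh = 0042F794.
    """
    opcode, disp = code[0], code[1]
    if opcode not in JCC_SHORT:
        raise ValueError(f"{opcode:#04x} is not a short Jcc opcode")
    if disp & 0x80:          # sign-extend rel8 (backward jumps)
        disp -= 0x100
    return JCC_SHORT[opcode], (va + 2 + disp) & 0xFFFFFFFF


def inverse_condition(opcode: int) -> int:
    """Opcode of the opposite condition: je <-> jne, jl <-> jge, jle <-> jg."""
    if opcode not in JCC_SHORT:
        raise ValueError(f"{opcode:#04x} is not a short Jcc opcode")
    return opcode ^ 1


def find_flipped_branches(good: bytes, suspect: bytes, start_va: int) -> list:
    """Integrity check: compare a known-good code region with a suspect copy and
    report every single-byte change that turns a short Jcc into its inverse.

    Returns a list of (va, original_mnemonic, new_mnemonic, target_va).
    """
    if len(good) != len(suspect):
        raise ValueError("regions differ in length")
    findings = []
    for i, (a, b) in enumerate(zip(good, suspect)):
        if a != b and a in JCC_SHORT and b == inverse_condition(a) and i + 1 < len(good):
            va = start_va + i
            old, target = decode_short_jcc(good[i:i + 2], va)
            new, _ = decode_short_jcc(suspect[i:i + 2], va)
            findings.append((va, old, new, target))
    return findings


# Constructed sample: bytes of the three instructions around the check,
# copied from the listing in Step 5, starting at VA 0042F70C.
CODE_START_VA = 0x0042F70C
GOOD_CODE = bytes.fromhex(
    "803DD377430000"   # 0042F70C  cmp byte ptr [004377D3], 00
    "747F"             # 0042F713  je 0042F794
    "8D55FC"           # 0042F715  lea edx, dword ptr [ebp-04]
)


def demo() -> list:
    """Invert the branch in a copy of the sample and let the check report it."""
    tampered = bytearray(GOOD_CODE)
    idx = 0x0042F713 - CODE_START_VA
    tampered[idx] = inverse_condition(tampered[idx])   # 74h -> 75h
    return find_flipped_branches(GOOD_CODE, bytes(tampered), CODE_START_VA)


if __name__ == "__main__":
    print(f"file offset of VA 0042F713: {va_to_file_offset(0x0042F713):#x}")
    print(decode_short_jcc(b"\x74\x7f", 0x0042F713))
    for va, old, new, target in demo():
        print(f"{va:#010x}: {old} -> {new} (target {target:#010x})")
```

The check only flags opcode pairs that differ in the lowest bit, which is the cheapest kind of patch and the one this lesson uses; a full integrity check would of course hash the whole image rather than scan for one pattern. The section table is the one thing you must take from the real PE header before using `va_to_file_offset` on anything but this constructed sample.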

Last Words

So.. that was Lesson 2... crAcking ArjSHell in 2 different ways.. wasn't that hard, was it?

Ok, dudes... see ya soon in Lesson 3 ;)

L8r.. DraG0n FFO'98
