
dRaG0n´s CrAcKinG Lesson 4

Published in dRaG0n CrAcKinG Lesson · 28 Jun 2024

Tools you need

  • Softice V.3.X
  • W32dasm V8.X
  • Chkfiles V1.5a
  • Hiew 5.xx

Introduction

Hi , welcome back to Lesson 4 ;)

In thiz lesson we´ll crack Chkfiles V1.5a . A simple Name/Serial Protection :)

k .. lets go !

Cracking Chkfiles V1.5a with Softice

I will do thiz in Steps , so its better to Understand :-) .. like in the other Lessons ...

Step 1

Run Chkfiles and hit Register ....

Step 2

Enter "dRag0n FFO98" as name and "777777" as dummy serial .. enter S-iCE ...
Now we´ll set the most common Breakpoints .

"Bpx GetDlgItemTextA"
"Bpx GetWindowTextA"

Now leave S-iCE .

Step 3

Press "Ok" button and let S-iCE break ... We´ll break due ..

"break due to BPX GetWindowTextA ... "

Step 4

Now press "F5" to let it break again on the second (serial) box ...
Press "F11" to go to where this has been called from ;)

We´ll see the following code now !

:004011F5 E823DE0100      call 0041F01D                 ; Call to some other Code
:004011FA 85C0            test eax, eax                 ; Test eax , eax are equal
:004011FC 751D            jne 0040121B                  ; Jump not Equal to 0040121B
; --> 0040121B
:0040121B 8D4DFC          lea ecx, dword ptr [ebp-04]   ; EBP-04 -> Ecx
:0040121E 51              push ecx                      ; Push Ecx on stack
:0040121F 8D4775          lea eax, dword ptr [edi+75]   ; EDI+75 -> Eax
:00401222 50              push eax                      ; Push Eax on stack
:00401223 8D55C4          lea edx, dword ptr [ebp-3C]   ; EBP-3C -> Edx
:00401226 52              push edx                      ; Push Edx on stack
:00401227 E8807D0100      call 00418FAC                 ; Call to : Is something entered
                                                        ; or more than 20 values .. ?
:0040122C 83C40C          add esp, 0000000C             ; Add C -> Esp
:0040122F 48              dec eax                       ; Eax - 1
:00401230 741D            je 0040124F                   ; Jump if all is right !
; --> 0040124F
:0040124F 837DFC00        cmp dword ptr [ebp-04], 00    ; Compare 00 with Ebp-04
:00401253 7520            jne 00401275                  ; Jump if not Equal ..
                                                        ; Same equal check as above
                                                        ; If u reverse this jump with
                                                        ; "r fl z" then it goes to wrong
                                                        ; key msg below !
:00401255 8B03            mov eax, dword ptr [ebx]      ; Mov Value EBX -> Eax
:00401257 6A00            push 00000000                 ; Push 00 on Stack
:00401259 6A00            push 00000000                 ; Push 00 on Stack
:0040125B 8D97A8000000    lea edx, dword ptr [edi+A8]   ; EDI+A8 -> Edx
:00401261 52              push edx                      ; Push Edx on Stack
:00401262 FF700C          push [eax+0C]                 ; Push value Eax+0C on Stack
:00401265 FF7068          push [eax+68]                 ; Push val. Eax+68 on Stack
:00401268 E858CE0000      call 0040E0C5                 ; Call to wrong key msg box
; --> 00401275
:00401275 8D4DE0          lea ecx, dword ptr [ebp-20]   ; EBP-20 -> Ecx
:00401278 51              push ecx                      ; Push Ecx on Stack
:00401279 E854FEFFFF      call 004010D2                 ; HERE ! This call calcul. the
                                                        ; Real Serial .. If You trace
                                                        ; "F10" over it , you´ll notice
                                                        ; Eax & Edx changed ..
:0040127E 59              pop ecx                       ; Pop Stack -> Ecx
:0040127F 3B45FC          cmp eax, dword ptr [ebp-04]   ; Compare Ebp-04 ^ Eax
:00401282 7420            je 004012A4                   ; Reverse this jump , would
                                                        ; make it jump to the
                                                        ; Good Buyer msg ... !

Step 5

So .. Trace over the Call 004010D2 , here it calculates the serial , press "F8" to see what it does ... But we don't need to trace in ... Just press "F10" to run / trace over thiz call .. You´ll notice Eax & Edx Values changed to the same Number ... hmmm .. for me it was Eax & Edx = DF9EA3D2 ...

Step 6

So a "d eax" .. points to nothing else than ?? ?? ?? ... ok ... do a

"? eax" .. and you´ll get a number .. for me it was 3751715794 ...

"bd * " to disable all breakpoints , ctrl-d to leave S-iCE ...

Step 7

Now replace our dummy serial with the decimal Value we got from Eax ( 3751715794 )

"Thank you for Registering .." BoooM , we got it =)
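As an added example (not part of dRag0n's lesson and not Chkfiles' own code), here is a C model of the check sequence from Step 4 plus the hex-to-decimal roundtrip of Steps 5 to 7: the input sanity call, the zero test on the parsed serial, and the plaintext compare of what the serial routine returns against what was typed in. The routine at 004010D2 is never shown on the page, so compute_serial is a constructed stand-in, not the real algorithm.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed stand-in for the routine at 004010D2 (the lesson never shows its
 * algorithm): NOT Chkfiles' real scheme, just FNV-1a over the name. */
static uint32_t compute_serial(const char *name)
{
    uint32_t h = 0x811C9DC5u;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++) {
        h ^= *p;
        h *= 0x01000193u;
    }
    return h;
}

/* How the decimal text in the serial box becomes the 32-bit integer at
 * [ebp-04]; returns 0 for anything that is not a plain 32-bit number. */
static int parse_serial(const char *s, uint32_t *out)
{
    char *end;
    unsigned long long v = strtoull(s, &end, 10);
    if (end == s || *end != '\0' || v > 0xFFFFFFFFull)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* 00401227..00401282: sanity check, zero test, then the real serial in eax is
 * compared to [ebp-04] with one je; it is computed in plain view, hence "? eax". */
int check_registration(const char *name, const char *serial_text)
{
    uint32_t entered;
    if (strlen(name) == 0 || strlen(name) > 20 ||             /* "is something */
        strlen(serial_text) == 0 || strlen(serial_text) > 20) /* entered, or >20?" */
        return 0;
    if (!parse_serial(serial_text, &entered) || entered == 0) /* cmp [ebp-04],0 */
        return 0;
    return compute_serial(name) == entered;                   /* cmp eax,[ebp-04] */
}

/* Steps 5-7 as code: print the value the routine returns in decimal (what
 * "? eax" does) and type that decimal back into the serial box. */
int registers_with_computed_serial(const char *name)
{
    char decimal[16];
    snprintf(decimal, sizeof decimal, "%u", (unsigned)compute_serial(name));
    return check_registration(name, decimal);
}
```

The single je on a value that is computed in the clear is the whole weakness: a scheme that never materialises the expected serial in a register (for example, verifying a signature over the name instead) would not hand it over to "? eax".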

Last Words

So .. Now we´ve finished Lesson 4 .. i hope u enjoyed thiz lesson , as much as i did writing it :-)

Ok .. 02:33 in the morning ... my Bed is calling me .. hehe ... ok .. sEE yA iN lESSON 5 !

l8rz - dRag0n FFO98
