dRaG0n´s CrAcKinG Lesson 4
Tools you need
- Softice V.3.X
- W32dasm V8.X
- Chkfiles V1.5a
- Hiew 5.xx
Introduction
Hi, welcome back to Lesson 4 ;)
In thiz lesson we'll crack Chkfiles V1.5a, a simple Name/Serial protection :)
k .. let's go!
Cracking Chkfiles V1.5a with Softice
I will do thiz in steps, so it's easier to understand :-) .. like in the other lessons ...
Step 1
Run Chkfiles and hit Register ....
Step 2
Enter "dRag0n FFO98" as name and "777777" as dummy serial .. enter S-iCE ...
Now we'll set the most common breakpoints:
"Bpx GetDlgItemTextA"
"Bpx GetWindowTextA"
Now leave S-iCE .
Step 3
Press the "Ok" button and let S-iCE break ... We'll break due to ..
"break due to BPX GetWindowTextA ..."
Step 4
Now press "F5" to let it break again on the second (serial) box ...
Press "F11" to go to where this has been called from ;)
We'll see the following code now!
:004011F5 E823DE0100 Call 0041F01D ; Call to some other Code
:004011FA 85C0 test eax, eax ; Test eax (sets ZF if eax is zero)
:004011FC 751D jne 0040121B ; Jump if not Equal (not zero) to 0040121B
; --> 0040121B
:0040121B 8D4DFC lea ecx, dword ptr [ebp-04] ; EBP-04 -> Ecx
:0040121E 51 push ecx ; Push Ecx on stack
:0040121F 8D4775 lea eax, dword ptr [edi+75] ; EDI+75 -> Eax
:00401222 50 push eax ; Push Eax on stack
:00401223 8D55C4 lea edx, dword ptr [ebp-3C] ; EBP-3C -> Edx
:00401226 52 push edx ; Push Edx on stack
:00401227 E8807D0100 call 00418FAC ; Call to: Is something entered,
; or more than 20 values ..?
:0040122C 83C40C add esp, 0000000C ; Add C -> Esp
:0040122F 48 dec eax ; Eax - 1
:00401230 741D je 0040124F ; Jump if all is right !
; --> 0040124F
:0040124F 837DFC00 cmp dword ptr [ebp-04], 00 ; Compare 00 with Ebp-04
:00401253 7520 jne 00401275 ; Jump if not Equal ..
; Same equal check as above
; If u reverse this jump with
; "r fl z" then it goes to wrong
; key msg below !
:00401255 8B03 mov eax, dword ptr [ebx] ; Mov Value EBX -> Eax
:00401257 6A00 push 00000000 ; Push 00 on Stack
:00401259 6A00 push 00000000 ; Push 00 on Stack
:0040125B 8D97A8000000 lea edx, dword ptr [edi+A8] ; Mov Value Edi+A8 -> Edx
:00401261 52 push edx ; Push Edx on Stack
:00401262 FF700C push [eax+0C] ; Push value Eax+0C on Stack
:00401265 FF7068 push [eax+68] ; Push val. Eax+68 on Stack
:00401268 E858CE0000 call 0040E0C5 ; Call to wrong key msg box
; --> 00401275
:00401275 8D4DE0 lea ecx, dword ptr [ebp-20] ; Mov Val. Ebp-20 -> Ecx
:00401278 51 push ecx ; Push Ecx on Stack
:00401279 E854FEFFFF call 004010D2 ; HERE! This call calculates the
; real serial .. If you trace
; "F10" over it, you'll notice
; Eax & Edx changed ..
:0040127E 59 pop ecx ; Pop Stack -> Ecx
:0040127F 3B45FC cmp eax, dword ptr [ebp-04] ; Compare Eax with Ebp-04
:00401282 7420 je 004012A4 ; Reversing this jump would
; make it jump to the
; Good Buyer msg ...!
Step 5
So .. trace over the call 004010D2, here it calculates the serial. Press "F8" to trace into it and see what it does ... but we don't need to trace in ... just press "F10" to run / trace over thiz call .. You'll notice the Eax & Edx values changed to the same number ... hmmm .. for me it was Eax & Edx = DF9EA3D2 ...
Step 6
So a "d eax" .. points to nothing but ?? ?? ?? ... ok ... do a
"? eax" .. and you'll get a number .. for me it was 3751715794 ...
"bd *" to disable all breakpoints, Ctrl-D to leave S-iCE ...
Step 7
Now replace our dummy serial with the decimal value we got from Eax (3751715794).
"Thank you for Registering .." BoooM, we got it =)
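A word from the other side of the table, as an added example that is not part of this lesson or of Chkfiles: the check traced above works out the real serial from the name and then compares it, so one F10 over the call and a "? eax" hands it over. The weak half below mirrors that pattern (the weakSerial formula is constructed for the example, not Chkfiles' real one); the signed half uses Go's standard-library Ed25519 so the program can only verify a serial, never produce one.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// weakSerial stands in for the call at 004010D2: the program itself derives the
// real serial from the name. Constructed toy formula, NOT Chkfiles' algorithm.
func weakSerial(name string) uint32 {
	h := uint32(0x1505)
	for i := 0; i < len(name); i++ {
		h = h*33 + uint32(name[i])
	}
	return h
}

// weakCheck is the "cmp eax, [ebp-04] / je" pattern: real serial beside typed one.
func weakCheck(name string, typed uint32) bool {
	return weakSerial(name) == typed
}

// issueSerial runs on the vendor side only; the private key never ships.
// The serial is an Ed25519 signature over the name, hex encoded.
func issueSerial(priv ed25519.PrivateKey, name string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(name)))
}

// verifySerial is what ships in the program. It holds only the public key, so
// tracing over it yields a yes/no, never a value that could be typed back in.
func verifySerial(pub ed25519.PublicKey, name, typed string) bool {
	sig, err := hex.DecodeString(typed)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(name), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	name := "dRag0n FFO98"
	s := issueSerial(priv, name)
	fmt.Println(weakCheck(name, weakSerial(name)), verifySerial(pub, name, s), verifySerial(pub, "someone", s))
}
```

The je after the verify is still a single jump, so a signed serial only stops the serial being read out of a register; it does nothing against reversing the jump.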
Last Words
So .. now we've finished Lesson 4 .. i hope u enjoyed thiz lesson as much as i did writing it :-)
Ok .. 02:33 in the morning ... my bed is calling me .. hehe ... ok .. sEE yA iN lESSON 5!
l8rz - dRag0n FFO98