dRaG0n´s CrAcKinG Lesson 5
Tools you need
- Softice V.3.X
- W32dasm V8.X
- Submit Wolf Pro
- Hiew 5.xx
Introduction
HeY ya ;) ... Welcome to mY cRAckInG lesSon 5 :-)
Ok .. Not much to talk about thiz target , its protection is a Name / Serial check , but a little bit difficult =)
k , LetS gO foR it !
Cracking Submit Wolf Pro with Softice
I will do thiz in Steps , so its easier to understand :-) .. like in the other Lessons ...
Step 1
Run Submit Wolf Pro and go to "About/Register"
Step 2
Enter "dRag0n FFO98" as name and "777777" as dummy serial .. enter S-iCE ...
Now we´ll set the most common Breakpoints .
"Bpx GetDlgItemTextA"
"Bpx GetWindowTextA"
Now leave S-iCE .
Step 3
Press the "Ok" button and let S-iCE break ... We´ll break due to ..
"Break due to BPX GetDlgItemTextA ... "
Step 4
Now press "F5" to let it break again on the second (serial) box ...
Press "F11" to go to where this has been called from ;)
We´ll see the following code now !
:0040719F FFD7 call edi ; Not interesting Call
:004071A1 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] ; Address Ebp-100 -> Eax (local buffer)
:004071A7 50 push eax ; Push Eax on Stack
:004071A8 E883A0FFFF call 00401230 ; Not interesting Call
:004071AD 59 pop ecx ; Pop Ecx from Stack
:004071AE 8D4580 lea eax, dword ptr [ebp-80] ; Address Ebp-80 -> Eax (local buffer)
:004071B1 50 push eax ; Push Eax on Stack
:004071B2 E879A0FFFF call 00401230 ; Not interesting Call
:004071B7 59 pop ecx ; Pop Ecx from Stack
:004071B8 8D4580 lea eax, dword ptr [ebp-80] ; Address Ebp-80 -> Eax
:004071BB 50 push eax ; Push Eax on Stack
:004071BC 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] ; Address Ebp-100 -> Eax
:004071C2 50 push eax ; Push Eax on Stack
:004071C3 E8568D0000 call 0040FF1E ; Interesting Call !
:004071C8 59 pop ecx ; Pop Ecx from Stack
:004071C9 85C0 test eax, eax ; Sets ZF if Eax == 0 (the Call´s result)
:004071CB 59 pop ecx ; Pop Ecx from Stack
:004071CC 7518 jne 004071E6 ; Jump if not Equal (Eax != 0) ,
; Changing this Jump
; to Jump if Equal
; would go to the good
; Buyer msg !
Step 5
We saw above that the call marked "Interesting Call !" (call 0040FF1E) is the important one .. You ask WhY? ..
Cause it´s the last Call to some routine before the Jne decides whether the serial is right or wrong .. We´ll trace into this Call and see the following code :-)
:0040FF1E 55 push ebp ; Push Ebp on Stack
:0040FF1F 8BEC mov ebp, esp ; Mov Esp -> Ebp
:0040FF21 83EC30 sub esp, 00000030 ; Esp - 30 (room for locals)
:0040FF24 8B450C mov eax, dword ptr [ebp+0C] ; Mov Value Ebp+0C -> Eax
; Thiz moves the pointer to our Serial to
; Eax!
; Do "d eax" to see it !
:0040FF27 53 push ebx ; Push Ebx on Stack
:0040FF28 56 push esi ; Push Esi on Stack
:0040FF29 57 push edi ; Push Edi on Stack
:0040FF2A 85C0 test eax, eax ; Sets ZF if Eax == 0 (no Serial pointer)
:0040FF2C 7431 je 0040FF5F ; Jump if Equal (Eax == 0)
:0040FF2E 8B5D08 mov ebx, dword ptr [ebp+08] ; Mov Value Ebp+08 -> Ebx
; Thiz moves the pointer to our name to
; Ebx !
; Do "d ebx" to see it !
:0040FF31 85DB test ebx, ebx ; Sets ZF if Ebx == 0 (no name pointer)
:0040FF33 742A je 0040FF5F ; Jump if Equal (Ebx == 0)
:0040FF35 803850 cmp byte ptr [eax], 50 ; HERE ! It compares the
; first byte of our Serial
; with 50h ,
; which is "P" (decimal 80) .
; Do " ? 50 " to see !
:0040FF38 7506 jne 0040FF40 ; Jump if the first byte
; wasn´t a "P"
:0040FF3A 80780157 cmp byte ptr [eax+01], 57 ; HERE ! It compares the
; second byte of our
; Serial with 57h ,
; which is "W" (decimal 87) ,
; do " ? 57 " to see it !
:0040FF3E 7426 je 0040FF66 ; Jump if Equal , i.e. if
; the first two letters
; were PW !
; Else fall through to the
; wrong Serial code below !
--> Bad Serial Msg code below
:0040FF40 8A4801 mov cl, byte ptr [eax+01] ; Second byte of the Serial -> Cl
:0040FF43 80F934 cmp cl, 34 ; Compare with 34h ("4")
:0040FF46 741E je 0040FF66 ; Jump if Equal
:0040FF48 80F945 cmp cl, 45 ; Compare with 45h ("E")
:0040FF4B 7419 je 0040FF66 ; Jump if Equal
:0040FF4D 8325D840420000 and dword ptr [004240D8], 00000000 ; Zeroes the dword at 004240D8
:0040FF54 803853 cmp byte ptr [eax], 53 ; First byte with 53h ("S")
:0040FF57 7506 jne 0040FF5F ; Not "S" -> bad Serial exit
:0040FF59 80780157 cmp byte ptr [eax+01], 57 ; Second byte with 57h ("W")
:0040FF5D 7411 je 0040FF70 ; "SW" -> on to the second check
:0040FF5F 33C0 xor eax, eax ; Eax = 0 -> bad Serial
:0040FF61 5F pop edi
:0040FF62 5E pop esi
:0040FF63 5B pop ebx
:0040FF64 C9 leave
:0040FF65 C3 ret
Step 6
Ok ... Now press "Ctrl-D" to leave Sice .. Replace Serial 777777 with PW777777 and hit OK.
Press "F5" to go to Serial Box and then "F11" to go where it was called from !
Now .. Step into the call again , trace to the JE after the compares with 50 & 57 ...
It will now jump over the Bad Msg box to a second check ...
You´ll see something like this :
:0040FF70 50 push eax ; Push Eax on Stack (pointer to our Serial)
:0040FF71 8D45E4 lea eax, dword ptr [ebp-1C] ; Address Ebp-1C -> Eax (local buffer)
:0040FF74 50 push eax ; Push Eax on Stack
:0040FF75 E856370000 call 004136D0 ; Not interesting Call
:0040FF7A 59 pop ecx ; Pop Ecx from Stack
:0040FF7B 8D45E4 lea eax, dword ptr [ebp-1C] ; Address Ebp-1C -> Eax
:0040FF7E 59 pop ecx ; Pop Ecx from Stack
:0040FF7F 6A2D push 0000002D ; Push 2D on Stack ..
; This is interesting .. It
; pushes 2D to the Stack .. do
; "? 2D" and you´ll see that 2D
; is "-" .
:0040FF81 50 push eax ; Push Eax on Stack
:0040FF82 E8D9300000 call 00413060 ; This checks iF there´s a "-"
; in the third part of the
; Serial .
-> Some code of call 00413060
.....
:0041306C 8B542408 mov edx, dword ptr [esp+08] ; Move the dummy Serial to Edx ,
; it´s PW777777 !
:00413070 F7C203000000 test edx, 00000003 ; Here it checks whether
; the third byte
; of the Serial is a "-" ..
:00413076 7413 je 0041308B ; Jump if Equal .. else go to the Bad
; Cracker msg box ;) ....
-> End of call
:0040FF87 8BF0 mov esi, eax ; Mov Eax -> Esi
:0040FF89 59 pop ecx ; Pop Ecx from Stack
:0040FF8A 85F6 test esi, esi ; Sets ZF if Esi == 0 (no "-" found)
:0040FF8C 59 pop ecx ; Pop Ecx from Stack
:0040FF8D 89750C mov dword ptr [ebp+0C], esi ; Mov Esi --> Ebp+0C
:0040FF90 74CD je 0040FF5F ; Jump if Equal (no "-") to the
; bad Serial exit at 0040FF5F !
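The two gates that the Step 5 and Step 6 listings show, read back into C. This is an added example written for this page, not code from Submit Wolf Pro; prefix_gate, dash_gate and shown_checks are my names, the local buffer size is assumed, and the numeric comparison that follows is not on the page so it is not modelled. The point for anyone who writes a check like this: every accepted prefix and the separator sit in the code as immediate bytes (50h, 57h, 34h, 45h, 53h, 2Dh) right next to a single conditional jump, which is why a debugger recovers the whole format in a few steps.

```c
#include <stdio.h>
#include <string.h>

/* Gate 1 (0040FF2A..0040FF5D): NULL checks on both arguments, then plain
 * byte compares against the immediates 50h 'P', 57h 'W', 34h '4', 45h 'E'
 * and 53h 'S'. Returns 1 where the listing leaves towards the second check
 * (je 0040FF66 / je 0040FF70), 0 for the xor eax,eax exit at 0040FF5F. */
int prefix_gate(const char *name, const char *serial)
{
    if (serial == NULL) return 0;            /* test eax,eax ; je 0040FF5F */
    if (name == NULL)   return 0;            /* test ebx,ebx ; je 0040FF5F */
    if (serial[0] == '\0') return 0;         /* the listing reads [eax+1] blindly;
                                                guarded here (my addition) */

    if (serial[0] == 'P' && serial[1] == 'W')   /* cmp [eax],50 ; cmp [eax+1],57 */
        return 1;                               /* je 0040FF66 */

    /* 0040FF40: a second byte of '4' or 'E' passes on its own */
    if (serial[1] == '4' || serial[1] == 'E')   /* cmp cl,34 ; cmp cl,45 */
        return 1;                               /* je 0040FF66 */

    if (serial[0] == 'S' && serial[1] == 'W')   /* cmp [eax],53 ; cmp [eax+1],57 */
        return 1;                               /* je 0040FF70 */

    return 0;                                   /* 0040FF5F: xor eax,eax ; ret */
}

/* Gate 2 (0040FF70..0040FF90): the serial is copied to a local buffer and
 * searched for 2Dh '-' by the call at 00413060; a NULL result takes
 * je 0040FF5F, the same bad-serial exit. */
int dash_gate(const char *serial)
{
    char local[64];                              /* stands in for [ebp-1C]; size assumed */
    strncpy(local, serial, sizeof local - 1);
    local[sizeof local - 1] = '\0';
    return strchr(local, '-') != NULL;           /* push 2D ; call 00413060 ; test esi,esi */
}

/* Everything the lesson shows of the check. A 1 here only means the serial
 * has reached the numeric comparison that the listings do not show. */
int shown_checks(const char *name, const char *serial)
{
    return prefix_gate(name, serial) && dash_gate(serial);
}

int main(void)
{
    /* Constructed inputs following the lesson's own values. */
    const char *name = "dRag0n FFO98";
    const char *tries[] = { "777777", "PW777777", "PW-777777" };
    for (size_t i = 0; i < 3; i++)
        printf("%-10s -> %s\n", tries[i],
               shown_checks(name, tries[i]) ? "reaches the numeric check"
                                            : "rejected at 0040FF5F");
    return 0;
}
```

Run as-is, the three constructed serials reproduce the three stages of the lesson: the bare dummy fails at the first byte, PW777777 passes the prefix gate but not the dash gate, and PW-777777 reaches the part of the routine the listings do not show.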
Step 7
Ok ... Go out with "ctrl-d" and replace PW777777 with PW-777777 !
Hit Ok again and press "F5" to go to Serial Box and "F11" to go to where it was called from ..
Now you´ll see thiz code again !
:0040719F FFD7 call edi ; Not interesting Call
:004071A1 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] ; Address Ebp-100 -> Eax (local buffer)
:004071A7 50 push eax ; Push Eax on Stack
:004071A8 E883A0FFFF call 00401230 ; Not interesting Call
:004071AD 59 pop ecx ; Pop Ecx from Stack
:004071AE 8D4580 lea eax, dword ptr [ebp-80] ; Address Ebp-80 -> Eax (local buffer)
:004071B1 50 push eax ; Push Eax on Stack
:004071B2 E879A0FFFF call 00401230 ; Not interesting Call
:004071B7 59 pop ecx ; Pop Ecx from Stack
:004071B8 8D4580 lea eax, dword ptr [ebp-80] ; Address Ebp-80 -> Eax
:004071BB 50 push eax ; Push Eax on Stack
:004071BC 8D8500FFFFFF lea eax, dword ptr [ebp+FFFFFF00] ; Address Ebp-100 -> Eax
:004071C2 50 push eax ; Push Eax on Stack
:004071C3 E8568D0000 call 0040FF1E ; We had thiz Call b4 !
:004071C8 59 pop ecx ; Pop Ecx from Stack
:004071C9 85C0 test eax, eax ; Sets ZF if Eax == 0 (the Call´s result)
:004071CB 59 pop ecx ; Pop Ecx from Stack
:004071CC 7518 jne 004071E6 ; Jump if not Equal (Eax != 0) ,
; Changing this Jump
; to Jump if Equal
; would go to the good
; Buyer msg !
Step 8
Now after you have traced over the Call 0040FF1E , do a "d edx" to see the real Serial .
For me it was 197298 ... Now our Serial would be PW-197298 ...
You could also follow the whole stepping into Call 0040FF1E ... but i think this is much faster , cause the prog doesn´t remove the serial after calculating it .. So we can easily do "d edx" to see the serial ... ;-)
Ok , do "bd *" to disable all breakpoints and replace PW-777777 with PW-197298 ...
BoooM , NoW yoU´rE a ReGGeD uSeR ! =)
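Step 8 works only because the routine leaves the serial it computed sitting in memory after the compare. As an added example (not the program's code), verify_leaky models that behaviour and verify_wiped shows the two things a practitioner would change in such a routine: wipe the scratch buffer on every exit, and compare without an early-out. derive_expected is a hypothetical stand-in (a byte sum of the name); the lesson never shows the real derivation, and the "PW-" plus six digits layout is taken from the serial the lesson arrives at.

```c
#include <stdio.h>
#include <string.h>

/* Stand-in for the numeric part of the serial: a byte sum of the name,
 * formatted as 6 digits. Hypothetical and deliberately simple so the value
 * is easy to follow; it is not the program's routine. */
void derive_expected(const char *name, char out[7])
{
    unsigned long sum = 0;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++)
        sum += *p;
    snprintf(out, 7, "%06lu", sum % 1000000UL);
}

/* Models what the lesson exploits: the expected digits are written into
 * scratch (standing in for the stack area seen with "d edx"), compared with
 * strcmp, and simply left there for whoever looks after the call returns. */
int verify_leaky(const char *name, const char *serial, char scratch[7])
{
    if (strlen(serial) != 9 || memcmp(serial, "PW-", 3) != 0)
        return 0;
    derive_expected(name, scratch);
    return strcmp(serial + 3, scratch) == 0;
}

/* Zero through a volatile pointer: the compiler may not drop these stores as
 * dead writes to a buffer that is never read again. */
void wipe(void *buf, size_t n)
{
    volatile unsigned char *p = (volatile unsigned char *)buf;
    while (n-- > 0)
        *p++ = 0;
}

/* Byte-wise equality without an early exit, so the compare takes the same
 * path whether the first or the last digit is the wrong one. */
int ct_equal(const char *a, const char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Same decision as verify_leaky, but the scratch buffer is wiped on every
 * path before returning and the compare does not stop at the first mismatch. */
int verify_wiped(const char *name, const char *serial, char scratch[7])
{
    int ok = 0;
    if (strlen(serial) == 9 && memcmp(serial, "PW-", 3) == 0) {
        derive_expected(name, scratch);
        ok = ct_equal(serial + 3, scratch, 6);
    }
    wipe(scratch, 7);
    return ok;
}

int main(void)
{
    /* Constructed: the lesson's name with a serial built from the stand-in derivation. */
    const char *name = "dRag0n FFO98";
    char scratch[7] = {0};
    int ok = verify_leaky(name, "PW-000904", scratch);
    printf("leaky: ok=%d, scratch after the call = \"%s\"\n", ok, scratch);
    ok = verify_wiped(name, "PW-000904", scratch);
    printf("wiped: ok=%d, scratch after the call = \"%s\"\n", ok, scratch);
    return 0;
}
```

Note the limit of the fix: wiping removes the value only after the call returns; a breakpoint inside the routine still sees it while it is live. Any check that recomputes the expected serial on the client can be read out that way, which is the real design lesson of this target.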
Last Words
I think thiz was a bit harder ... but not sooo hard at all ;) ...
So ... I hope i Will c yA in LeSSon 6 some time .. hehe
L8r - dRag0n FFO98 -