Tutorial Crack! 8th/07/97 =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-= Program: CD Wizzard Version: 4.30 URL: http://www.bfmsoft.com Cracker: Niabi [Me'97/C4N] Level: Beginner but written for Intermediate Tools: SoftICE, W32Dasm, a Hex Editor. Protection Type: Serial Encrypted/DLL: No Method: getdlgitemtexta 1st of all we do a BPX on GetWindoWtextA to see if we can get a break if we don't get one then we try GetDlgItemTextA. (If you want to know more of the API's get Win32.hlp (12 mgs) or get our common api reference for crackers (2k) :-]) ) You should now in SoftIce. We hit F12 a couple times till we get to the wizzard code part. Now inside the wizzard code part whe start Tracing (hit f10). We try and read and understand what the registers are doing. Try a D xxxxx from time to time also try ? xxxxxxx too. (? in SICE Shows the REAL value of a reg at that time) Ok after a while of tracing we come to a part of the code like this : XXXX:0041441C CALL 004151CD ; CALL CHECKING ROUTINE XXXX:00414412 ADD ESP,0C XXXX:00414424 TEST EAX,EAX ; IS PASSWORD OK ? XXXX:00414426 JZ 00414444 ; NO THEN JUMP TO NOT_REGGED XXXX:00414428 PUSH 40 ; ELSE CONTINUE GOOD BUYER SOME_MORE CODE... NOT_REGGED: XXXX:0041444 XOR EAX,EAX ; Make EAX ZERO XXXX:0041446 PUSH NAG_YOU ; PUSH NAG SCREEN NOT REGGED Some ways to Crack this: The first one is to just change jz 00414444 to jnz 00414444. (in an Hexeditor, more on this later) This will not jump to NOT_REGGED so the code is "Anything u type" But it will if the code is the original, the program thinks that the good code is now bad. (Not really a good Patch) A second and better option is a lame one though. Remove the test eax,eax, by changing them to nop's. Since test eax,eax uses 2 bytes and nop's only 1 you have to add 2 nops to it so it will read like this : XXXX:00414424 NOP XXXX:00414425 NOP XXXX:00414426 JZ 00414444 ^^^^^^^^ (N.B. Check out the size here) This will cause it to not jump since it never really checked the Password. This will register the program with good or bad Serials. Ok the third option is better it is : Remove the test eax,eax and replace with inc eax and a nop so it will read like this : XXXX:00414424 INC EAX XXXX:00414425 NOP XXXX:00414426 JZ 00414444 This will also cause the program to register with any password cause it does not check it either it just assume that the password is right everytime (it set's the flag to 1). Ok so now we need to hexedit it. We enter any hexeditor (hiew, Hexworkshop or any good one) we see what the bytes need to be chenged like this D XXXX (where XXXX is the segment or reg you want to see) you will see something like this in the data window XXXX:XXXXXXX 9E CA 0F 00 65 04 70-16 00 00 5C 0A 65 04 70 00 Ok so starting from 9E to the "-" is what we need to seach in the Hexeditor, but how do i know what to change them to ? good question, ok to find out what to change them to 1st change do a D XXXXX inside Sice you will see something like the above numbers. Write them down on a piece of paper ( what ? u to lazy to do it?) the change them inside Softice like this A XXXX:XXXXXXXX u will get something like this XXXX:XXXXXXXXX <== u type here what u whant to change like let's say you want to change JZ 0414444 to JNZ 00414444 you would : 1.- D 00414426 we see the code whe write it down 2.- A 00414426 XXXX:00414426 jnz 00414444 <= we type this in sice When we hit enter another line follows just hit enter again to get out of the assembly mode, now do a d 00414426 and you will see that the code has changed. Now write down the new one. Now you have the old (what we searched for) and the new ( what we change it to), so now in the hexeditor, search for the old one and when we find it we change it to the new one (beware that you need to search in hex and not in ascii). Run the program register it and Boom! its yours. Thankyou very much. Exit... and restart shit what is this !! nag screen again ! it is not registered !! wtf !, k so we now know that the program does 2 checks one at input and one at the begining. This is the output that i get from w32dasm (Great tool BTW) I commented it a little. * Possible StringData Ref from Data Obj ->"Password" <-- this is where my password resides ? | :00401BD6 68D4364300 push 004336D4 :00401BDB 56 push esi :00401BDC 889A18BD4300 mov [edx+0043BD18], bl * Reference To: KERNEL32.GetPrivateProfileIntA, Ord:010Ch | :00401BE2 FF1570464400 Call dword ptr [00444670] :00401BE8 50 push eax :00401BE9 66A3D0A84300 mov [0043A8D0], ax :00401BEF FF750C push [ebp+0C] :00401BF2 68C0B34300 push 0043B3C0 ; push my name to the stack :00401BF7 E8D1350100 call 004151CD ;call REAL password checking routine :00401BFC 83C40C add esp, 0000000C :00401BFF 85C0 test eax, eax ; Was the password correct ? :00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker ! :00401C07 68C0B34300 push 0043B3C0 ; push my name again :00401C0C 895D14 mov [ebp+14], ebx * Referenced by a CALL at Addresses: |:00401BF7 ; Real Password Checking routine :004151CD 837C240808 cmp [esp + 08], 00000008 ; is the paswword 8 charaters long ? :004151D2 7D03 jge 004151D7 ; yes then go on :004151D4 33C0 xor eax, eax ; no then bug off with Z flag :004151D6 C3 ret * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004151D2(C) | :004151D7 FF742408 push [esp + 08] :004151DB FF742408 push [esp + 08] :004151DF E8B3FFFFFF call 00415197 :004151E4 6BC00B imul eax, eax, 0000000B ; mutiply eax by 0bh <-- sounds to me like a keygen :004151E7 59 pop ecx :004151E8 0FB7C0 movzx word ptr eax, eax :004151EB 59 pop ecx :004151EC 6A07 push 00000007 :004151EE 99 cdq :004151EF 59 pop ecx :004151F0 F7F9 idiv ecx :004151F2 33C9 xor ecx, ecx :004151F4 663944240C cmp [esp + 0C], ax :004151F9 0F94C1 sete al :004151FC 8BC1 mov eax, ecx :004151FE C3 ret ok when we restarted CD wizzrd whe got the not regged about box, so ok then whe set a new BPX in Si to point at GetPrivateProfileIntA or Getprivateprofilestringa (the 1st one works better in CD wizzard), ok if we set a bpx on it whe will land in some others whe try and understand wich them are they we do a trace and read and understand what the program is doing do a D xxxx once in a while... ok after some breaks on GetprivatePrifeliIntA whe will soon land in here : 00401BE2 FF1570464400 Call dword ptr [00444670] :00401BE8 50 push eax :00401BE9 66A3D0A84300 mov [0043A8D0], ax :00401BEF FF750C push [ebp+0C] :00401BF2 68C0B34300 push 0043B3C0 ; push my name to the stack :00401BF7 E8D1350100 call 004151CD ; call REAL password checking routine :00401BFC 83C40C add esp, 0000000C :00401BFF 85C0 test eax, eax ; Was the password correct ? :00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker ! :00401C07 68C0B34300 push 0043B3C0 ; push my name again :00401C0C 895D14 mov [ebp+14], ebx we can go futher inside the calls, how do i go futher u ask, ok is easy just see what the call is heading to and set a bpx on it like lets say CALL 004151CD if we want to go futher we do a BPX 004151CD ( easy eh?) ok if we go inside the call we will see this : :004151CD 837C240808 cmp [esp + 08], 00000008 ; is the paswword 8 charaters long ? :004151D2 7D03 jge 004151D7 ; yes then go on :004151D4 33C0 xor eax, eax ; no then bug off with Z flag :004151D6 C3 ret Right here i can crack it because if you check the line in 00401BFF u can see it tests eax to check if it's 0. If it's 0 then bug off bad cracker happens but if it's not 0 then go on nice buyer, so we can do this: :004151CD 837C240808 cmp [esp + 08], 00000008 ; is the paswword 8 charaters long ? :004151D2 90 NOP ; I don't care if it's 8 :004151D3 40 INC EAX ; Increment EAX by 1 :004151D4 48 DEC EAX ; Decrement EAX by 1 004151D5 40 INC EAX ; Increment EAX by 1 :004151D6 C3 ret ; Return With REGGED Flag SET so what we did there it was some flag changing we don't even go futher inside the check we just make the program assume that it did and that the password was a good one. since EAX was 0 when we got into the call we 1st did a nop because if we had done an INC EAX or a DEC EAX we would have found out that it would work ;). This is the second part of the crack or we can go for another. One less byte changing than this one ( you whant to change the fewer bytes u can). ok, after the RET from the real password check is done whe land exactly here : :00401BFF 85C0 test eax, eax ; Was the password correct ? :00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker ! what whe do here is really easy u maybe know it by now. :00401BFF 90 nop :00401C00 40 inc eax ; set flag to 1 <== good password :00401C01 0F84A2000000 je 00401CA9 easy eh? so we did it we completely cracked CD wizard the last part is doing the hex editing which u have to know by now if ya read my first part ;) i will give the exact bytes to change: 741C6A40C705B8BC change it to 40906A40C705B8BC <== Reg Check 85C00F84A2000000 change it to 40900F84A2000000 <== nag removed if we do the last crack by itself u will find out that doing the reg check crack is useless see for yourself, if you do only the second crack (a.k.a nag removed) u will find out that is regged and fully working. ok i hope u enjoyed this tutorial i know it is hard to understand in some parts but u can figure it out till nex time. nIabI [C4N/ME'97]