In my previous article I discussed the different protection schemes and the tools used for cracking. In this article I show how crackers get past all of those protections.
There are different ways to crack a program. Which approach is taken depends on the cracker's knowledge, the kind of cracker he is, and personal preference.
An example is more useful than a thousand words. There are three approaches to cracking shareware programs that need a serial number to register or that show nag screens:
1) Serial fishing
2) Bypassing the check, also called patching
3) Writing a key generator
The first method is the simplest and fastest and can be used by an ordinary cracker. The last one is the most complex: you need to understand the whole serial-number check routine and then write a program, based on it, that generates a valid key for any given input. The advantage of this method is that the key generator keeps working for later versions of the program, on other computers and for other users. So the choice is determined by the level of knowledge, the time the cracker has and his style of cracking.
Let's look at each of them in detail.
1) Serial fishing: serial fishing is considered the cleanest way to crack a program. It is also called live cracking because the correct serial is found only at run time, while the program is executing. Serial fishing means finding the correct serial and then registering the software with it. Nothing in the program is modified; the code is only inspected and analysed.
First we enter any fake (wrong) serial number of our choice, say 123456. The program compares this with the correct serial, so all we have to do is find the memory location or register that holds the correct serial at the moment of the comparison. In a high-level language the comparison routine generally looks like this:
If (entered serial = correct serial) then
    Register program (modify the program or store the registration information)
    Message box ("Successfully registered")
Else
    Message box ("Sorry!! Your serial number is not valid")
And in assembly the general routine is as follows. All data lives in registers or in memory. Suppose the fake serial has been loaded into eax and the correct serial into ebx. (For a string serial the comparison is usually a call to a compare routine rather than a single cmp, but the shape, a compare followed by a conditional jump, is the same.)
Now the routine is:
100aa: cmp eax,ebx
100bb: jz 100xx          ; jump if our serial is correct
100cc: mov ax,yyyy
100dd: other code...     ; the "invalid serial" path
100xx: code for the "successfully registered" message box
100yy: code...
Here 100aa, 100bb and so on are memory addresses (offsets).
What happens is that the two serials are compared by the cmp instruction, and if they are equal control jumps to the message saying we entered the correct serial. Otherwise control falls through to the next instruction, which almost always leads to something like "you have entered an invalid serial".
It is not always cmp that is used, but most of the time it is. To read the serial the programmer uses Windows APIs such as GetWindowTextA or GetDlgItemTextA.
As I mentioned, SoftICE lets us set a breakpoint on a Windows API. So a cracker simply puts a breakpoint on such an API (for example bpx GetDlgItemTextA), enters the serial, and when the program breaks on it he traces the disassembled code to find the correct serial. While tracing he looks for a conditional jump such as jne, jz or jae following a cmp instruction; in short, he looks for the routine shown above. In this way he can find the whole algorithm and the correct key with simple SoftICE commands such as:
d eax
or
? eax
Here d eax dumps the memory that eax points to, as hex bytes with the ASCII alongside, which is how a serial held in a buffer is read off; ? eax evaluates the register and prints its value in hex, decimal and as ASCII characters. (Both are SoftICE commands.)
After finding the correct key he can register the software. If he wants to distribute a key to every user he writes a key generator after analysing the whole algorithm, because with name/serial protection each name has a different key. Some programs also do things like appending the hard-drive serial number to the serial, so that the serial is different on each computer; in that case, too, the cracker writes a key generator after analysing the whole protection scheme.
With this technique a cracker can easily defeat the first two protections I mentioned in my previous article (the hard-coded serial and the name/serial combination).
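The check routine above, written out in C as an added example (this is not code from the article or from any real program; the name/serial scheme, the FNV-1a hash and the names derive_serial, check_serial_fishable and check_serial_predicate are all assumptions made for the example). The first check builds the correct serial in memory before comparing it, so a breakpoint on the compare and a "d" of the buffer hands the serial over: that is what serial fishing exploits. The second check never holds a correct serial; it only tests a property of the hash of name and serial, so fishing yields nothing and a key generator has to search for a serial instead. The jz is still there in both cases, so patching still works.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a (32-bit): a stand-in for whatever mixing the real check routine
 * uses; the whole scheme below is an assumption made for this example. */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Hypothetical name/serial scheme: the serial is the 10-digit decimal form
 * of the hash of the user name. */
void derive_serial(const char *name, char out[16])
{
    snprintf(out, 16, "%010u", (unsigned)fnv1a(name));
}

/* Copy of the buffer that exists at the moment of the comparison: this is
 * what "d <reg>" shows once the cracker has traced from the API breakpoint
 * down to the cmp. */
char fished_serial[16];

/* Fishable check: the correct serial is built in memory and then compared
 * with the entered one. Compiled, this is a string compare followed by the
 * cmp/jz pair described in the text. */
int check_serial_fishable(const char *name, const char *entered)
{
    char expected[16];
    derive_serial(name, expected);
    memcpy(fished_serial, expected, sizeof expected);  /* the debugger's view */
    return strcmp(entered, expected) == 0;
}

/* Predicate check: a serial is valid iff the low 16 bits of the hash of
 * "name:serial" are zero. The program never holds a correct serial, so the
 * breakpoint on the compare reveals only a hash value. The jz is still
 * there and can still be patched. */
int check_serial_predicate(const char *name, const char *entered)
{
    char buf[96];
    snprintf(buf, sizeof buf, "%s:%s", name, entered);
    return (fnv1a(buf) & 0xFFFFu) == 0;
}

/* What a key generator for the predicate scheme has to do instead of
 * fishing: search serials until one satisfies the check. Returns the number
 * of candidates tried, or -1 if none was found within the limit. */
long search_serial(const char *name, char out[16])
{
    for (unsigned long i = 0; i < 10000000ul; i++) {
        snprintf(out, 16, "%010lu", i);
        if (check_serial_predicate(name, out))
            return (long)(i + 1);
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    char serial[16];
    derive_serial("John Doe", serial);
    printf("fake 123456 accepted: %d; buffer at the cmp holds: %s\n",
           check_serial_fishable("John Doe", "123456"), fished_serial);
    printf("fished serial %s accepted: %d\n", serial,
           check_serial_fishable("John Doe", serial));
    long tries = search_serial("John Doe", serial);
    printf("predicate scheme: serial %s found after %ld tries\n", serial, tries);
    return 0;
}
```

The predicate form is not a real defence on its own (the search above finds a serial in tens of thousands of tries, and the conditional jump is a one-byte patch away); it only illustrates why the cleanest crack in the text works: the program materialises the very secret it is checking.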
2) Patching: if a program shows a nag screen and has no option to register, we use patching. Patching is also called dead cracking. It is not considered good cracking, and most crackers avoid it unless they have no other option. For a nag screen the programmer simply uses a Windows API such as DialogBoxParam or MessageBoxA. The cracker sets a breakpoint on these API calls and runs the program; when the program calls the function, SoftICE pauses execution and the cracker deals with the assembly. In a high-level language the structure of a nag-screen call is:
If (program is not registered) then
    Display the nag screen
Else
    Execute the program
And in assembly the structure is as follows. Suppose the program first checks the registration and returns the result in eax (eax=1 means registered, eax=0 unregistered). This value is then compared:
dddd: cmp eax,1
aaaa: jz xxxx            ; registered: skip the nag screen
bbbb: mov ax,02
cccc: call yyyy          ; this calls the nag screen
xxxx: rest of the program...
Here aaaa, bbbb and so on are offsets (memory locations).
So first the program checks whether it is registered and puts the status in eax. eax is compared with 1: if it is 1 the program is registered and the nag screen is skipped, otherwise the nag screen is shown.
So we only have to reverse the jump (jz to jnz) so that the nag screen no longer appears for an unregistered copy. (Note that the reversed jump would show the nag for a copy that is registered; changing the jz into an unconditional jmp skips the nag in both cases.) The exe file is patched with a hex editor such as Hiew.
Patching is also used to remove time-trial protections. Suppose a program expires after 30 executions. Each time it runs it checks whether the 30 executions are over; if not, it increments the execution count by one and stores it somewhere, but if the 30 executions are over it shows a message saying the program has expired.
The structure is the same as for the nag screen:
aaaa: cmp eax,1e         ; 1E hex = 30 decimal
bbbb: jb xxxx            ; jump if fewer than 30 runs
cccc: mov ax,02
dddd: call yyyy          ; this calls the "expired" message
eeee: ret                ; stop execution and exit
xxxx: rest of the program...
The program compares the number of runs with 30: if it is below 30 it jumps to the rest of the program, otherwise it falls through, shows the message and exits. So we simply change the jb to jmp, so that the program always jumps, whatever the count is.
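Both patches from this section as bytes, as an added example that is not part of the article: the two routines above are assembled by hand into constructed byte arrays (not taken from any real program), and the functions find_cmp_jcc, patch_reverse_jump, patch_force_jump and patch_byte_in_file are names chosen for the example. The reversal is 74 (jz rel8) to 75 (jnz rel8); forcing the jump replaces any short jcc opcode (70..7F) with EB (jmp rel8) and leaves the displacement byte alone, so the target is unchanged.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* x86 short (rel8) jump opcodes used below. */
enum { OP_JB = 0x72, OP_JAE = 0x73, OP_JZ = 0x74, OP_JNZ = 0x75, OP_JMP = 0xEB };

/* Constructed sample, not taken from any program: the nag-screen routine
 * from the text as bytes.
 *   E8 ..        call is_registered   ; eax = 1 or 0
 *   83 F8 01     cmp  eax,1
 *   74 0A        jz   +0x0A           ; registered: skip the nag
 *   66 B8 02 00  mov  ax,2
 *   E8 ..        call show_nag
 *   90           nop
 *   C3           ret                  ; "rest of the program" */
uint8_t nag_image[] = {
    0xE8, 0x10, 0x00, 0x00, 0x00,
    0x83, 0xF8, 0x01,
    0x74, 0x0A,
    0x66, 0xB8, 0x02, 0x00,
    0xE8, 0x20, 0x00, 0x00, 0x00,
    0x90,
    0xC3,
};

/* The 30-run trial check: jb +0x0A runs the program while the counter is
 * below 30 and falls through to the "expired" message otherwise. */
uint8_t trial_image[] = {
    0xA1, 0x00, 0x40, 0x00, 0x00,   /* mov eax,[run_count] */
    0x83, 0xF8, 0x1E,               /* cmp eax,30 */
    0x72, 0x0A,                     /* jb  +0x0A */
    0x66, 0xB8, 0x02, 0x00,         /* mov ax,2 */
    0xE8, 0x20, 0x00, 0x00, 0x00,   /* call show_expired */
    0xC3,                           /* ret: exit */
    0xC3,                           /* rest of the program */
};

/* Locate "cmp eax,imm8" (83 F8 ib) followed by the given short jcc and
 * return the offset of the jcc opcode byte, or -1. In practice the offset
 * comes straight from the debugger; the search only keeps this example
 * self-contained, and in a real binary the first match is rarely the one. */
long find_cmp_jcc(const uint8_t *img, size_t len, uint8_t imm, uint8_t jcc)
{
    for (size_t i = 0; i + 3 < len; i++)
        if (img[i] == 0x83 && img[i + 1] == 0xF8 && img[i + 2] == imm && img[i + 3] == jcc)
            return (long)(i + 3);
    return -1;
}

/* Nag-screen patch from the text: reverse the jump, jz <-> jnz. */
int patch_reverse_jump(uint8_t *img, size_t len, size_t off)
{
    if (off >= len) return 0;
    if (img[off] == OP_JZ)  { img[off] = OP_JNZ; return 1; }
    if (img[off] == OP_JNZ) { img[off] = OP_JZ;  return 1; }
    return 0;
}

/* Time-trial patch from the text: turn any short jcc (70..7F) into jmp (EB).
 * The rel8 displacement that follows stays as it is, so the target does too. */
int patch_force_jump(uint8_t *img, size_t len, size_t off)
{
    if (off >= len || (img[off] & 0xF0) != 0x70) return 0;
    img[off] = OP_JMP;
    return 1;
}

/* The same one-byte patch applied to a file on disk, which is what one does
 * in Hiew: seek to the offset, confirm the byte expected there, overwrite. */
int patch_byte_in_file(const char *path, long off, uint8_t expect, uint8_t value)
{
    FILE *f = fopen(path, "r+b");
    if (!f) return 0;
    int ok = fseek(f, off, SEEK_SET) == 0 && fgetc(f) == expect &&
             fseek(f, off, SEEK_SET) == 0 && fputc(value, f) != EOF;
    fclose(f);
    return ok;
}

int main(void)
{
    long n = find_cmp_jcc(nag_image, sizeof nag_image, 0x01, OP_JZ);
    long t = find_cmp_jcc(trial_image, sizeof trial_image, 0x1E, OP_JB);
    int pn = patch_reverse_jump(nag_image, sizeof nag_image, (size_t)n);
    int pt = patch_force_jump(trial_image, sizeof trial_image, (size_t)t);
    printf("nag:   jz at offset %ld, patched=%d, opcode now %02X\n", n, pn, nag_image[n]);
    printf("trial: jb at offset %ld, patched=%d, opcode now %02X\n", t, pt, trial_image[t]);
    return 0;
}
```

The file offset and the virtual address SoftICE shows differ by the section's RVA-to-raw delta, so the byte must be located in the file (by its surrounding bytes, or from the section table) before it is overwritten; writing at the virtual address as if it were a file offset patches the wrong byte.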
3) Key generator: this technique is considered a little harder. The cracker has to understand the whole serial-number check routine and every one of its conditions: for example, the serial may have to contain a '-' symbol, it may have to be exactly 11 characters long, or the user name must not be blank. It requires that the cracker knows assembly language very well and analyses the code carefully, line by line, because a small misunderstanding of the code produces unexpected results.
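A key generator for a check routine with exactly the conditions listed above, as an added example (not code from the article or from any real program): the serial format "LLLLL-DDDDD", the mixing function and the names validate_serial and generate_serial are assumptions made for this example. validate_serial stands for the routine as recovered by tracing, one cmp/jcc per condition; generate_serial is the same rules run forwards, and a generated key is only trusted once the validator accepts it.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define SERIAL_LEN 11   /* "LLLLL-DDDDD": 5 letters, dash, 5 digits */

static int name_is_blank(const char *name)
{
    for (; *name; name++)
        if (!isspace((unsigned char)*name)) return 0;
    return 1;
}

/* Mixing function of the hypothetical check routine (an assumption for this
 * example; a real program's is whatever was recovered by tracing). */
static uint32_t mix(const char *s, uint32_t seed)
{
    uint32_t h = seed;
    for (; *s; s++) h = h * 31u + (unsigned char)*s;
    return h;
}

/* Expected letter i of the prefix, and the expected 5-digit check value. */
static char prefix_letter(const char *name, int i)
{
    return (char)('A' + mix(name, (uint32_t)i + 1) % 26u);
}
static uint32_t check_value(const char *name, const char prefix[6])
{
    return mix(prefix, mix(name, 7)) % 100000u;
}

/* The check routine as recovered from the binary. Each condition is one
 * compare-and-jump the cracker had to notice; miss one and the keygen's
 * output is rejected. */
int validate_serial(const char *name, const char *serial)
{
    char prefix[6];
    if (name_is_blank(name)) return 0;                       /* name must not be blank */
    if (strlen(serial) != SERIAL_LEN) return 0;              /* exactly 11 characters */
    if (serial[5] != '-') return 0;                          /* the '-' symbol */
    for (int i = 0; i < 5; i++)
        if (serial[i] != prefix_letter(name, i)) return 0;   /* letters derived from name */
    for (int i = 6; i < SERIAL_LEN; i++)
        if (!isdigit((unsigned char)serial[i])) return 0;    /* digits only */
    memcpy(prefix, serial, 5);
    prefix[5] = '\0';
    return (uint32_t)strtoul(serial + 6, NULL, 10) == check_value(name, prefix);
}

/* The key generator: the same rules run forwards. Returns 0 for a blank
 * name, the one input the validator rejects whatever the serial. */
int generate_serial(const char *name, char out[SERIAL_LEN + 1])
{
    char prefix[6];
    if (name_is_blank(name)) return 0;
    for (int i = 0; i < 5; i++) prefix[i] = prefix_letter(name, i);
    prefix[5] = '\0';
    snprintf(out, SERIAL_LEN + 1, "%s-%05u", prefix, (unsigned)check_value(name, prefix));
    return 1;
}

int main(int argc, char **argv)
{
    char serial[SERIAL_LEN + 1];
    const char *name = argc > 1 ? argv[1] : "John Doe";
    if (!generate_serial(name, serial)) {
        puts("user name must not be blank");
        return 1;
    }
    printf("%s -> %s (validator says %d)\n", name, serial, validate_serial(name, serial));
    return 0;
}
```

Running the program with a name on the command line prints the serial for that name. Checking every generated key against the recovered validator, as main does, is the habit that catches the "small mistake in understanding the code" the text warns about before the keygen is shipped.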
Now let's see how crackers get past commercial protections.
Today many commercial protections use various techniques to fool the cracking tools, such as anti-disassembler code and anti-SoftICE tricks, so these protections are harder for a newcomer to crack. First let's see how such a protection guards the software:
A commercial protection ships as a common DLL or binary file shared by every program that uses it. For example, all Macromedia products use the same protection, 'vbox', and all the files related to vbox are stored in the c:\programfiles\comman\vbox directory. When a user runs the program, the vbox files execute first and check whether the program is registered. If it is not, they check the 30-day trial period, and if the trial has not expired they execute the program. A commercial protection includes many checks, so a cracker cannot easily patch the program.
The most popular approach among crackers is simply to BYPASS this kind of protection. As I mentioned, vbox changes the header of the exe file, and that is why all the vbox code runs before the program's own exe code. So the cracker only has to find the original entry point of the exe, that is, the point from which the original program starts executing. To do this he puts a breakpoint on a Windows API such as GetProcAddress and runs the program. When the program starts, the vbox code runs first and calls GetProcAddress, and SoftICE pauses execution; now the cracker has the assembly in front of him. The rest depends purely on the cracker's ability and experience: after tracing some way through the vbox code he finds the original program entry point.
After finding the entry point the cracker modifies the exe header, so that it points at the original entry point, and rebuilds the IAT.
From then on the program has nothing to do with the commercial protection, because the cracker has bypassed it!
Each commercial protection is cracked in a different way; the method discussed here applies only to vbox.
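The header modification from the bypass above, as an added example that is not part of the article and not any real tool's code: it locates the AddressOfEntryPoint field of a PE file through the fixed offsets of the format (e_lfanew at 0x3C, "PE\0\0", the 20-byte COFF header, then offset 16 of the optional header, which is the same for PE32 and PE32+) and rewrites it to the OEP recovered under the debugger. The header image it works on is constructed inline for the example and is not a runnable executable; the function names and the RVAs 0x5000 and 0x1000 are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed PE layout facts: e_lfanew lives at DOS-header offset 0x3C; the
 * "PE\0\0" signature is followed by the 20-byte COFF header and then the
 * optional header, whose AddressOfEntryPoint sits at offset 16 in both
 * PE32 (magic 0x10B) and PE32+ (magic 0x20B). */
enum { E_LFANEW = 0x3C, COFF_SIZE = 20, OPT_ENTRY = 16,
       MAGIC_PE32 = 0x10B, MAGIC_PE32PLUS = 0x20B };

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

/* File offset of the AddressOfEntryPoint field, or -1 if the buffer does
 * not look like a PE image. */
long pe_entry_field_offset(const uint8_t *img, size_t len)
{
    if (len < E_LFANEW + 4 || img[0] != 'M' || img[1] != 'Z') return -1;
    uint32_t pe = rd32(img + E_LFANEW);
    if (pe > len - 4 || memcmp(img + pe, "PE\0\0", 4) != 0) return -1;
    size_t opt = (size_t)pe + 4 + COFF_SIZE;
    if (opt + OPT_ENTRY + 4 > len) return -1;
    unsigned magic = img[opt] | (unsigned)img[opt + 1] << 8;
    if (magic != MAGIC_PE32 && magic != MAGIC_PE32PLUS) return -1;
    return (long)(opt + OPT_ENTRY);
}

int pe_get_entry(const uint8_t *img, size_t len, uint32_t *rva)
{
    long off = pe_entry_field_offset(img, len);
    if (off < 0) return 0;
    *rva = rd32(img + off);
    return 1;
}

/* Point the header at the OEP found by tracing out of the protection stub. */
int pe_set_entry(uint8_t *img, size_t len, uint32_t oep_rva)
{
    long off = pe_entry_field_offset(img, len);
    if (off < 0) return 0;
    wr32(img + off, oep_rva);
    return 1;
}

/* Constructed header-only image (not a real executable): e_lfanew = 0x40,
 * i386 PE32, entry point pointing at the protection stub at RVA 0x5000. */
uint8_t sample_pe[0x80];
void build_sample_pe(void)
{
    memset(sample_pe, 0, sizeof sample_pe);
    sample_pe[0] = 'M'; sample_pe[1] = 'Z';
    wr32(sample_pe + E_LFANEW, 0x40);
    memcpy(sample_pe + 0x40, "PE\0\0", 4);
    sample_pe[0x44] = 0x4C; sample_pe[0x45] = 0x01;   /* Machine = 0x14C (i386) */
    sample_pe[0x54] = 0xE0; sample_pe[0x55] = 0x00;   /* SizeOfOptionalHeader = 0xE0 */
    sample_pe[0x58] = 0x0B; sample_pe[0x59] = 0x01;   /* Magic = PE32 */
    wr32(sample_pe + 0x58 + OPT_ENTRY, 0x5000);      /* AddressOfEntryPoint = stub */
}

int main(void)
{
    uint32_t ep = 0;
    build_sample_pe();
    pe_get_entry(sample_pe, sizeof sample_pe, &ep);
    printf("entry point before: 0x%08X (protection stub)\n", (unsigned)ep);
    pe_set_entry(sample_pe, sizeof sample_pe, 0x1000);   /* OEP found by tracing */
    pe_get_entry(sample_pe, sizeof sample_pe, &ep);
    printf("entry point after:  0x%08X (original program)\n", (unsigned)ep);
    return 0;
}
```

Retargeting the entry point is only the first half of the bypass described above: it works as-is only if the original code is still present and unencrypted on disk, and the second half, rebuilding the import table the stub resolved at run time, is not shown here.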
So these are the techniques generally used in the cracking world. Nowadays there are several cracking groups that specialise in reversing web scripts. There is nothing new in this: web pages are written in Java or CGI scripts or something else, so they can be considered small programs, and this is just another type of crack.
The web cracker reverses the protection scheme of a web page and produces cracked passwords, which are then distributed on the web.
To end this article I would like to quote these lines (from Leonard Cohen's "Anthem"), which crackers are fond of:
"There is a crack, a crack in everything. That is how the light gets in."
I hope it conveys the psychology of a cracker.