New 2 Cracking
~~~~~~~~~~~~~~
Tutorial Type    : Specific Tutorial
Tutorial Topic   : Some Ways to Crack a program
Utilities        : SoftIce, W32Dasm, Hiew(Hacker's View)
Music            : Your Choice
Written by       : Invoker
Date             : Nov. 27th, 2001
Remarks          : http://www.bigfoot.com/~birla/software/maniac.html



In The Beginning There Was...
-==--==--==--==----==--==--==-

Okay, first of all welcome to my first tutorial...
We are going to discuss here some ways to crack a program, among which are: patching one little
jump in order to 'register' the program with our own Name/Serial combination, getting a valid serial,
and after that we're going to make the program give us the serial (in other words, modify the program into
its own keygenerator).
The program I've chosen is named Internet Maniac ver 1.2b. This is a little program that has some nice
features that I'll let you discover.
Some of you might know some of the things presented here. My aim here is the complete newbie, the one who
is just starting off now. This is why I'll describe all I do in detail.

The Crack...
-==--==--==-
Method no. 1 
~-~-~-~-~-~-~
Ok, first run the program and try to understand it. If you look in Help you'll see a Register menu. Try
to fill in the fields. Unless you are very lucky (in other words your serial is the correct one) you should
receive an error message "Incorrect registration code!".
Before really beginning make a backup of the .exe. We'll see why later.
Open W32Dasm and choose Disassembler -> Open File to Disassemble. Now select the path to Internet
Maniac.exe and choose Open.
This shouldn't take too long, depending on your computer.
When the file is fully disassembled click on String Data References (choose it from the Refs menu or
click on the button near the printer icon) and look for the error message you got when trying to register
the program. Found it? Ok, double click on it... It takes you to a code area. Now double click on it
again... Nothing happens (this is a good thing actually, because if there had been more than one place it
took us to, it would have been a little more difficult). We now see "*Possible StringData Ref from Data Obj
->"Incorrect registration code!"".
Below it we see:

*Reference to: USER32.MessageBoxA, Ord: 01BEh

MessageBox is a Windows API, the A meaning it's 32 bit. This is a good thing to know, as we shall see in
Part II. The characteristics of MessageBox are: it has one button, it is a small box and it has some nice
pictures on the left side. Look at the MessageBox we got in Internet Maniac when entering a fake code and
you'll see what I mean.

This means that the nag screen (the error message we got) will appear when the program executes this
piece of code. But how does the program decide whether to give us the Go_Away_Cracker message or the
Oh_You_Are_So_Kind_To_Register message? Well... it compares our serial with one generated from our name.
If they match, the program jumps to the Goodboy msg, otherwise we get Back_off_Cracker. Our goal here
is to make the program think that we've entered a valid serial. So what we have to do is modify the
condition of the jump. The easiest way to do this is to reverse the condition. Of course if we do so
and then enter a valid serial we'll get BadBoy. But if we knew a valid serial we wouldn't patch jumps,
would we?

Ok, back to our program.
We now have to find the conditional jump (the one that 'decides' how we are: good or evil :o)).
To do so we just have to look for a line like:

*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:xxxxxxxx(C)

Now what does this mean? It means that in W32Dasm the conditional jumps are easy to spot
(just look for a line like the one above). We see some references to conditional jumps below the
starting point. Let's check them out. Choose GoTo Code Location and write the address before the (C),
that is, the xxxxxxxx. For example let's take the 1st reference below the starting point:

*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405164(C)

We get to a line like:

:00405164 0F84C6000000            je 00405230
   (1)         (2)                    (3)

Let's see what we're looking at:
(1) - address of the instruction,
(2) - hex opcode,
(3) - the assembly instruction.
Let's see what happens if we change the je to jne. Time to learn: je means Jump if Equal
and jne means Jump if Not Equal.
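The hex opcode column in (2) contains the branch target as a signed 32-bit displacement measured from the end of the instruction. The following decoder is an added example (not code from the tutorial or from Internet Maniac) that recomputes the targets W32Dasm shows for the three branch lines quoted in this tutorial, so you can check that the listing's target column follows from the bytes; the LISTING table is copied from those lines.

```python
"""Decode the rel32 branch encodings W32Dasm shows in this tutorial (added example)."""
import struct

# Opcode prefixes for the near (rel32) forms seen in the listing.
OPCODES = {
    b"\x0f\x84": ("je", 6),    # 0F 84 rel32 : jump if equal (ZF=1)
    b"\x0f\x85": ("jne", 6),   # 0F 85 rel32 : jump if not equal (ZF=0)
    b"\xe8": ("call", 5),      # E8 rel32    : call near relative
}


def decode_branch(addr: int, hex_bytes: str):
    """Return (mnemonic, target) for a rel32 branch at virtual address addr.

    hex_bytes is the opcode column exactly as W32Dasm prints it, e.g. "0F84C6000000".
    The target is addr + instruction length + rel32, because the displacement is
    relative to the *next* instruction, not to the branch itself.
    """
    raw = bytes.fromhex(hex_bytes)
    for prefix, (mnemonic, length) in OPCODES.items():
        if raw.startswith(prefix):
            if len(raw) != length:
                raise ValueError(f"{mnemonic} needs {length} bytes, got {len(raw)}")
            (rel32,) = struct.unpack("<i", raw[len(prefix):])  # little-endian, signed
            return mnemonic, (addr + length + rel32) & 0xFFFFFFFF
    raise ValueError(f"unknown opcode bytes {hex_bytes}")


# The three branch lines quoted in the tutorial: (address, opcode column, W32Dasm's target).
LISTING = [
    (0x00405164, "0F84C6000000", 0x00405230),  # je   00405230 (Method 1, first try)
    (0x0040513F, "0F84F7000000", 0x0040523C),  # je   0040523C (lands inside the bad MessageBox)
    (0x004051B7, "E8142E0000",   0x00407FD0),  # call 00407FD0 (Method 2, the serial routine)
]


def check_listing():
    """Decode every quoted line and report whether the computed target matches W32Dasm."""
    results = []
    for addr, opcode, expected in LISTING:
        mnemonic, target = decode_branch(addr, opcode)
        results.append((mnemonic, target == expected))
    return results


if __name__ == "__main__":
    for (addr, opcode, _), (mnemonic, ok) in zip(LISTING, check_listing()):
        print(f"{addr:08X} {opcode:<14} {mnemonic:<5} -> {'ok' if ok else 'MISMATCH'}")
```

Note that only the second opcode byte distinguishes je (84) from jne (85); the displacement, and therefore the target, is the same for both, which is why the tutorial's one-byte change leaves the target address untouched.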
Back...
When the je line is highlighted green look at the bottom of the screen for something like:

Line:8886 Pg 178 and 699 Code Data @:00405164 @Offset 00005164h in file :Internet Maniac.exe

Now go to the Hiew dir and use its internal browser to locate the .exe you wish to edit. Btw Hiew (Hacker's
View) is a DOS-like hex editor... with some nice features, the most important being the integrated asm
interpreter. Now in Hiew press F4 and choose Decode. Then F5 and type in the offset number
(in our case 00005164). You can enter it without the zeros in front. We should see the line we got
in W32Dasm. Now press F3, F3 being edit. We could modify the 84 after 0F (which is for je) into 85 (which is
for jne), but we don't know that, do we? So instead of typing that we'll press F2 and we have the possibility
to enter any asm command we want... but we want to enter jne so we do it...

After entering the new command press Return and then Esc.
Then when we see our change is made, F9 (Update) and F10 (Quit).
Now we have patched a jump. Let's test if it was the right one... Launch the patched .exe and try to
register it. What is this? System Error? Well I guess it isn't the right jump to patch :o).
Why did we fail? Well let's try to understand what we're doing. Go again in StringRef and double click
the error message. Let's find other References to Conditional Jumps. We see another one below:


*Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040513F(C)

Now GoTo Code Location at that address and we're at: 

:0040513F 0F84F7000000            je 0040523C

Let's execute the jump and see where it gets us.
We're at:

:0040523C 8B8C248C000000          mov ecx, dword ptr [esp+0000008C]

Scroll a bit up and we see we're in the MessageBox that gave us the bad message. Now this is not good,
because it means that the initial parameters that MessageBox operates with have already been entered.
We need a Conditional Jump that pops us to before the:

*Reference to: USER32.MessageBoxA, Ord: 01BEh

Go again in StringRef and double click the error message. Let's look above the starting point for a
Reference to a Conditional Jump. Oh yes, we see one at 004051C1. Let's GoTo it and see what happens.
Let's execute it and we see it brings us just before the bad MessageBox.
Hmm, I think we have something here. Get the offset and patch the jump in Hiew.
If you don't know how, read above :o).
Let's try our program now. Wheeee we're registered... That was hard :o)
But wait... what's this?
When we start our program again it displays the "UNREGISTERED" message. :o(
Well we could patch the program again... this time properly, but I wanted to show you that patching isn't
always good, especially when you can sniff a serial, a valid one.



Just remember: this method will work on many programs but not all, mostly on programs that don't check
every time they are executed whether you have the right info.



Conclusions:
~-~-~-~-~-~-~

So we saw how to force the program into accepting ANY name/serial combination we enter as valid.
I think it would be nice to get our own valid serial. Proceed...


Method no. 2
~-~-~-~-~-~-~

In this part we'll try to obtain our own valid serial. To do so we'll use NuMega's SoftIce.
SoftIce is a debugger, in other words it lets us debug bugs :o).
We could use the W32Dasm debugger approach,
but I chose SoftIce.
To learn how to use the W32Dasm debugger read ParaBytes's tutorial.
How to get it? Look at the end of the tutorial.
I will describe in detail everything there is to be done.
You should succeed. The only problem you should have is if your SoftIce is not configured properly.
Let's start. Fire up the program and fill in the fields with Name and Serial.
Note: be sure to run the UNPATCHED .exe.
Get into SoftIce (Ctrl-d). Usually we'll put breakpoints on:
GetDlgItemTextA, MessageBoxA, GetWindowTextA.
These are the most common breakpoints that you'll use.
To put a breakpoint you should type
'bpx MessageBoxA' <RETURN>,
'bpx GetDlgItemTextA' <RETURN>,
'bpx GetWindowTextA' <RETURN>.
But in this case we'll only need the GetDlgItemTextA breakpoint.
Get out of SoftIce (Ctrl-d, x <RETURN>, or F5).
Press Register and SoftIce breaks at GetDlgItemTextA.
Since we have 2 fields, Name and Serial, we'll let SoftIce process the 1st (Name) one,
so we press Ctrl-d (while in SoftIce) once.
To get to where the function was called let's press F11.
Now we should see:

0167:004051AD  8D542448  lea edx, dword ptr [esp+48]
0167:004051B1  8D442408  lea eax, dword ptr [esp+08]
0167:004051B5  52    push edx    {if we do "d edx" we'll see the serial we entered}
0167:004051B6  50    push eax    {in eax we have our name}

Let's think about this for a second. So it pushes our Name and Serial into memory.
Hmm...
Just below this we see a call:

0167:004051B7  E8142E0000    call 00407FD0

This means that the Name and Serial are pushed into memory and then there is a call to be executed.
Let's get into that call and see what's inside it.
Press F8 while the call line is highlighted.
We should be here:

0167:00407FD0  83EC20   Sub  ESP,20

We are not interested in this part...
yet (I'm still trying to get the algorithm of this program so I can code my first keygen...
when I do, maybe I'll write a tut about it).
So let's press F10 until we come to this part:

0167:0040801A  FF154414100   call [USER32!wsprintfA]

Now let's look at the code in the call:

0167:00408020  8B542440        mov edx, dword ptr [esp+40] {it moves into edx a value from esp}
0167:00408024  83C414          add esp, 00000014 {esp<-esp+14}
0167:00408027  8D442404        lea eax, dword ptr [esp+04] {it moves into eax another value from esp}
0167:0040802B  52              push edx {pushes something into memory.
                                         Now do "d edx" and we see our serial}
0167:0040802C  50              push eax {Do "d edx".Hmm... 
                                         strange string. Write it down on a piece of paper.}

Now let's get out of the call... Press F10 until you pass over a "ret"
instruction... Look through the code... Nothing interesting...
We get to a call to MessageBoxA (press F10 further) and we see that our code is incorrect.
What now? I guess we failed.
Hey wait... but we still have that strange string we wrote down
(I hope u did :o)).
Let's try that...
Wheeeee it works... :o)
Ok, this was an easy example...
Don't know if you understood why I did what I did...
but the code differs from program to program...
and so do the steps, but remember the idea is basically the same...
and after some more programs cracked you'll start seeing patterns in the code...
Or so I've been told; until now I've only seen blue and pink dots...
But who knows... :o)

Pretty nice huh?



Greetz:
+++++++
ParaBytes - thanks for helping me the most, being there when I had something to ask,
            and for showing me the way.. :o) (and for editing this tut =)_ )
zestboy, asmonaut, code_inside - it's good to have someone to ask when u have something unclear...
ParaBytes (yeah, again), Anvile, PhANt0m, d4d0, ChibiHime - the N2C staff.. Insight crew...

ASTAGA-great tutor,
DarkMoon-nice gfx, 
all guys on N2C chan...

all the tut writers...
all the crackers in the world...
all the newbies who start now...
in other words all who know me and i know of...

Invoker out...


Contacted at:
++++++++++++

E-Mail  : Invoker@email.ro
IRC     : EFNet - #New2Cracking


Note: We publish our tutorials on many tutorial sites and archives; check for tKC's tutorials,
      here is the address: http://www.ciafiles.visionz.eu.org/main.htm