Cr@ck Tutorial (CheckPop 1.1 for Windoze95/98/NT4 by Nevis Systems) OR <-------["01" rulez!]-------> ----==================-<[by VucoeT in 4/98]>-===================---- -URL: http://netaddress.usa.net/tpl/Attachment/ === INVESHKU/ckpop11.exe?Q=mx03-cDwuXO0901&O=853 (copy and paste it! ... thanx for upping!) -Rating: Beginner ====== (that knows, how to turn on the machine ;]) -The program: POP-email-checker, dunno details ;] =========== -Protection: Time Trial;Serial to register ========== -Tools you will need: =================== SOFTICE for Win95 3.22+ (Debugger) W32DASM 8.9+ (almost any version will do, this is the one I use) ---> get them at Lord Caligo's Fantastic World of Cracking. (http://cracking.ml.org) HEX-EDITOR (Exlpained here is HexWorkshop, but any will do) ---> get it at http://www.ursoft.com. -Best read with: Windows NOTEPAD.EXE, one of the best M$-Products! ============== or even better printed on some sheets of cellulose. ==================================================================== BEHAVIOR OF THE TARGET ====================== (after installed in Win95) OK, let's start getting an overview of the target and its behavior. When we start it, there is a weird NAG, telling us, that this Version is Shareware and when the LEGAL-use-time is over. And the good news (for us ;] ) is, that the stupid nag won't appear, once we are a re- gistered user. By changing the system time we know, that the time trial takes the actual time to compare it with the day Checkpop has been installed on your system. But that's just a side comment (another approach). OK, at the same time a help screen is opened, which tells us about the (VERY interesting;]) registration details. Errr ... both screens we don't seem to like ... but don't worry, you are not gonna see them for a long time ;]. BASICS ====== As you might know, there are functions installed in library files of Windows(DLLs; like USER(32).DLL,GDI32.DLL,...) that are uni- versal and that can be called by programs in order to use them, instead of using own functions, that have to be coded first (which is additional work). Coders are lazy, as we all are ;]. So most of the time they will use windows-own functions. The program just PUSHes the nescessary values for the function it will call, before it is executed. You could say, parameters are given from the program to (a) Windows (-function) to use Windows-own set of functions. This is good for us;], because, if we know the effect of those functions, we can easily break into the running program and stop it at the point, where a certain function is called. You may ask:"How to do that???". This is the job of the Debugger, in our case SoftIce. Ir runs in background and kind of "examines" all activities, of (in our case) Windows. The code, which runs thru (Softice and) the processor is the so called machine-code or Assembly language, which is the only language the processor can handle. Every high-leveled language will translate the code into assembly in order to make it understandable for the (Intel-)processor. That's why you maybe should bite yourself into assembly, cos it is essential. PREPARE SETTING THE BREAK ========================= OK now it gets interesting. After Checkpop is launched, we press the right button on the taskbar symbol of CheckPop and select [ABOUT]. In the window appears a button [REGISTER]. Hehehe <-THE-> button, so to speak. When you are cracking and using this kind of approach, then you have to first examine your target program to find the place, where you can enter your SERIAL- number. We found it here! (the re- gister-box at the beginning [NAG] is the same BTW.). Press the [REGISTER] button and the program wants you to enter a VALID serial-number. So we must think of something, because most of us won't have this VALID number (others, please stop here ;]). Unless you don't have a lucky guess the program won't accept your entry ;]. Note: It doesn't tell you, if your entered number was correct, but just goes on unregistered. We are about to break into the function, that is usually used to get a text from a dialog-window, such as our serial. There are 2 functions, that do (quite) the same. Functions for getting a text (string) from a Dialog-Window ========================================================== The first: GetDlgItemTextA, GetDlgItemText The second: GetWindowTextA, GetWindowText the "A" is used to call the 32bit function, while the other one (without the "A" behind) is for 16bit appz. Since our target runs in WindowsNT too, we can already guess, that it is a 32bit program. If you are not sure, just set breaks on both. So this Window gets out entered serial-number and later there will some sort of check, if it was the right one. Our aim is to find the location in the program, that checks, if it should go on saying: "Thanks soo much for registering" or "Get away silly gambler!" ;], of course the expression used in applications will be different ... SOFTICE CONFIGURATION ===================== I already assume you have been working a bit with softice, installed it propperly and are ready to set the break. If not see HTTP://FRAVIA.ORG for tuts on installing Softice. Don't forget to make softice load the DLLs, which contain the functions, we want to break on. Do this by eding the WINICE.DAT file in your softice dir and remove the ";" in front of the Exports (DLLs): -------------------------------------------------------------------- EXP=c:\win95\system\kernel32.dll EXP=c:\win95\system\user32.dll ;Library file of our function EXP=c:\win95\system\gdi32.dll (your pathnames may differ ... EXP=C:\windows\...) -------------------------------------------------------------------- (near the end of WINICE.DAT, this is how it should look) SETTING THE BREAK ================= OK now, remember, that we are still on our registration window, with Softice running. Enter some Serial, but dont confirm it yet. Activate Softice by pressing F5 or CTRL-D. OK, this is the debugger. Just enter: "bpx getdlgitemtexta" You have to guess, which of the two functions discussed b4 it is, but I prefer trying this one first and it is the right one here. It can be, that any of it will break, too. After setting this break- point go back to the Serial-Entry (again CTRL-D). Enter something and confirm your entry by hitting [OK] ... BOOM! ;] ======== OK, what you see now is: Softice has detected, that a program wants to call the function, we set a breakpoint on before. We are now in- side the DLL, at the beginning of that function (indicated by a seperator looking like this:------------USER32!.TEXT...). We want to go to the location in our program, where it was called from. By pressing [F11] we can. Look at the piece of code below. (normally you should write down the location of the break here to find it later in W32DASM, but I did that for you, as I am a nice person ;]) -------------------------------------------------------------------- * Reference To: USER32.GetDlgItemTextA, Ord:00F5h | :0040C2F4 FF15D0344200 Call dword ptr [004234D0] ;the call! :0040C2FA 8D542408 lea edx, dword ptr [esp+08]; :0040C2FE B968144200 mov ecx, 00421468 ; :0040C303 52 push edx ; :0040C304 E8C7A6FFFF call 004069D0 ;Hmmm ... :0040C309 E8F2000000 call 0040C400 ;Is-the-serial-valid? Read on to see why! :0040C30E 6A01 push 00000001 ; :0040C310 56 push esi ; * Reference To: USER32.EndDialog, Ord:00B4h ;End Dialog! | :0040C311 FF15B0344200 Call dword ptr [004234B0] :0040C317 E9BE000000 jmp 0040C3DA (after ";" its my comments) -------------------------------------------------------------------- (WDASM Disassembly piece of the code. Easier for me to paste here!;]) So here we are! This is the piece of code, where our serial is read. After that we can see two calls ... (Hmmm?). Later we find USER32.EndDialog, which as you might guess ends the dialog ... ;]. So most likely the determination, whether the serial we entered was the right or wrong one will be in one of those 2 calls. Can you follow? OK, the job of Softice is done for now. To prevent it from popping up again, enter "BC*", which means "Clear all breakpoints". DISASSEMBLE WITH W32DASM ======================= Now that we know the location, we can open W32DASM and disassemble the file checkpop.exe (disassemble -> get the assembler code). Since it is not too big, it will be done quickly. So now search for the location in W32DASM, that we got B4 on the break. I think you will be able to find it easily and then see the piece of code above. The key must be in those 2 CALLs ... (usually a routine is done, which checks, if the entered code is valid). OK, what is always done, when you want to crack a program to make it registered is, you try fishing for strings, that W32DASM fortunately seperates (Refs-String Data Reference). What strings could that be? Of course some which appear to have a clear connection with a (hidden) routine, that checks, if the program is registered or not. The only text we find is "Registered", which as we might guess will show up somewhere, after we entered the valid serial. Go, where this string is used in the assembled listing, by double clicking on it. Sometimes there is more than one occurence of a string, so always try to double click it more than once ... If we do so we land here: -------------------------------------------------------------------- * Reference To: USER32.SetWindowTextA, Ord:0221h | :004011A5 FF15A8344200 Call dword ptr [004234A8] :004011AB E850B20000 call 0040C400 ;Is-the-serial-valid? ;In our case, whatever ;happenes in the call ;it will at least move ;something into EAX, ;which is NOT 01, since ;we entered a wrong serial. ;What it is, is not really ;interesting here. :004011B0 83F801 cmp eax, 00000001 :004011B3 7522 jne 004011D7 ; Jump, if 1 not equals eax ; the BAD jump, which will ; override our "Registered" ; to go the way of the wrong ; entered serial. BTW here ; there is no Window telling ; us, that we have entered ; a wrong number ... * Possible StringData Ref from Data Obj ->"Registered" | :004011B5 6850C04100 push 0041C050 -------------------------------------------------------------------- OK, do you remember the call 0040C400 (Is-the-serial-valid?). You al- ready seen it before. When? Well after we broke in with Softice. One of those calls we saw, seeing the code after the break. This is confirmed thou (this CALL (routine) is the check, if the program is registered). If you wanted to find out, how the real number is calculated then take a look at this call. But this is more advanced. Let's take a resumée. What will happen, if we enter the wrong serial is, that the "Is-the-serial-valid?"-CALL will return something different than "01" to EAX. If the returned value inequals 01, then it will jump away from our beloved "Registered", otherwise it will go on. So whats our aim? We want the prog not to take the BAD jump and the way, where the program is gonna go is set in this routine, by making EAX "00" or "01". WHAT TO CHANGE? =============== So the returned value must be "01" in order to make the program think we are registered users. What we will do is the following: We go to the beginning of the CALL. We already found out, that it will GOOD- jump later, if the returned value is "01". So we just use the be- ginning of the called function to apply our code to move "01" into EAX. The following will move "01" into EAX and then return. The "01" is the only thing we need from this CALL ... =) ... the Assembly- commands for this are: - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - PUSH 00000001 ; put "01" into the stack POP EAX ; put the stack value into EAX (EAX=01) RET ; Return to where it was called from in HEX (with what we will overwrite later) it is: "640158C3" - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - OK, so far so good. You may ask, why we didnt just disable the jump somehow (NOP). Well the "01" is the sign here (and maybe elsewhere, which is very important!!!) for registered version. And this sign maybe used elsewhere too and it is, as you know. Just check inside the CALL. WDASM32 shows you, which addresses called this function: -------------------------------------------------------------------- * Referenced by a CALL at Addresses: |:004011AB , :004050A0 , :0040BF41 , :0040C309 ; 3 more! | :0040C400 64A100000000 mov eax, dword ptr fs:[00000000] -------------------------------------------------------------------- :LOCATION HEX-CODE OF THIS -----> ASM COMMAND -------------------------------------------------------------------- So what we can say now is, that 2 other locations (beside our 004011AB and 0040C309) check this routine, if the program is registered. CHANGE OF "CHECKPOP.EXE" ======================== To change it in "checkpop.exe" first make a backup-copy of it. Then open it with your hex-editor and find the offset-address of the code we see in the status-bar of W32DASM before (Offset XXXXXXX in file: checkpop.exe) Found the code? Search for it or scroll, whatever you prefer. The location should be B800h ("h" means HEX). Now overwrite the "64A10000" with "6A0158C3". Changes done? Save the file and launch it to see, what is the effect of the changes! - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - Note:If you cannot save the file in the Hexeditor, then be sure to have checkpop closed, while applying the changes. You cannot save to the file, if it is running! - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - AFTER THE FIRST CHANGE ====================== OK, well we start it, the help-screen still pops up. Ergh! We think: All for nothing! But continuing to the about-window, the program tells us, that we are a registered user (and unable to enter a serial now). Thats good! Even if we change the System time to one month later, it still works, without showing the "EXPIRED ... "- screen (just play around with the ORIGINAL file, too). We even know (now), where our search-string "registered" is located. It is the Name of the button, we cannot press ... So to get to the point. The program behaves like an registered one now, but there is still this help screen, which of course won't show up telling us registration details, if we had the REAL registered version running. Hmmm ... - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - NOTE: If you take a look at the registry in : HKEY_CURRENT_USER/SOFTRARE/Nevis Systems/Checkpop/1.1/ It stores the time it was installed first there, too. So if you are desperate and don't want to crack it, you can also just delete the registry-entry "Nevis Systems" or just "1.1". You will have 14 more days of use ... but that's of course NOT our aim. - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - FINDING THE HELP SCREEN ======================= We don't want this help screen !!! Maybe there is a check before the help screen, that checks somewhere, if we are registered users. So we need to break or get to the CALL of this Help-nag-screen. There are 2 possibilities: Since it is most likely (just a feeling ;]), that it will be the first call for winhelp in this .exe file, we can just search in W32DASM for "winhelp" (16bit) or again "winhelpa" (32bit). Both will lead you to the right spot. Just go to the start of the disassembly listing in W32DASM and do a search for "winhelp" or "winhelpa". It will first break on the imported function list, which is of course not, what we are looking for. But the next break is BINGO!. Another possibility of course is, to set a breakpoint in Softice for "winhelpa" (bpx winhelpa), after it breaks F11, then note the address of the CALL and find it again in W32DASM. Both will lead you to this: -------------------------------------------------------------------- * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00405003(C) | :0040500A B968144200 mov ecx, 00421468 :0040500F E84C1C0000 call 00406C60 ;in there the value of EAX is set (ob- viously) :00405014 85C0 test eax, eax ;if EAX equals 0 then don't jump (which means: execute the winhelp-call) :00405016 0F8584000000 jne 004050A0 :0040501C 68B0040000 push 000004B0 :00405021 6A01 push 00000001 * Possible StringData Ref from Data Obj ->"checkpop.hlp" | :00405023 6828CB4100 push 0041CB28 :00405028 53 push ebx * Reference To: USER32.WinHelpA, Ord:025Eh ;THIS IS THE BREAK! | :00405029 FF1528354200 Call dword ptr [00423528] ; BAD!!! :0040502F 53 push ebx :00405030 53 push ebx -------------------------------------------------------------------- Most interesting for us is again another call, which seems to de- termine the value of EAX, since it is TESTed right after the call and the result of this TEST is responsible for it overriding the winhelp- CALL or executing it (TEST just sets a flag depending on the value of EAX; for a deeper inside in Assembly either read more tuts about it or buy a book (the bigger the better ;])). THE 2ND (LAST) CHANGE ===================== The solution is again the same. Best is to change the CALL, so that the returned EAX-value is (again) "01". So everything we have to do again, is get to the start inside the call and change it, that it just puts 01 into EAX and then RETURNS. It will be the same code as in the first change we made. So again we start our HEX-Editor, search for the offset (status bar in W32DASM;6060h) and change it to "6A0158C3", like before. And now launch -[Checkpop 100% Cracked]- by you! ;] ABOUT THE CALL ============== Actually the CALL before the HELP-screen reads something out of the registry which makes the program show the help-screen. What that is is not important for the crack. We ask ourselfes, how to make the consequences look like, as if it read the VALID things out of the registry. So the CALL just gives back an "Valid" or an "Invalid", here its either a "01" or a "00". You might say a good value or a bad value. Don't ask me, what is happening inside the CALL. It is not really important for cracking this target. If you are interested what happens inside, just follow the CALLS and see what they are doing ... ;] LAST WORDS ========== I hope this tutorial helped at least a bit to understand the way you have to approach a target showing similar signs of protection. This is my first tut, so if you have questions, comments or of course if you have something to critizise, then join ... "#cracking4newbies"-Channel on IRC (EFNET) and tell me your sorrows. I will be glad to change things in here, that you think are wrong or difficult to understand (if I think that too ;]). Hope you had fun reading and cr@cking and watch out for more to come! Of course this is for EDUCATIONAL purpose only. To help under- standing, what the difference between registered and unregistered version is. As you saw, not much ... "01" rulez here ... and besides 14 days are too short to evaluate ... ;] GREETZ & THANKZ(no order) ========================= CoRN2, Vizion(some Beer?;]), ___mP(!), Wink,|caligo|, _masta_, sauron, ^pain^, sentinel^, Ghostrdr, Skater, Technoid, Slashing, Kurnitoz, LordVader and the whole [RTA], _random, axxess, |Fresh|, _ryder_, Intruder, i_magnus, Quantico, Raimi, RaimIO!, Raytrace, Bulldozer, Tin, _RudeBoy_, teraphy, fravia+, +ORC (tutes) and the whole MEX! the whole #cracking4newbies! Be there or don't! --------------------------<[-VucoeT98-]>----------------------------