L0phtCrack v2.52 - Tutorial (by Goatass)

"Well, I would not have believed this unless I'd seen it for myself: the author(s) of L0phtCrack wrote a pretty complex program to brute-force M$'s LM-hash algorithm, no mean task, then when it came to protecting their software it seems as if they completely lost the plot. Goatass presents us with a nice, easy-to-follow tutorial for newbies; if you have a use for this program consider throwing the authors a few $, although you might decide after reading this that they just don't deserve it." (Very slightly edited by CrackZ.)

http://www.l0pht.com/l0phtcrack/ - Webpage (1Mb).

Introduction

First off, L0pht Heavy Industries is one of the best hacking groups out there, and along with some others they release some of the best hacking/security tools. I am a newbie but I will do my best to teach you how to crack L0phtCrack 2.52, which is the latest NT password cracking tool. This is a very simple time trial/serial number protection: an unlock code gets compared with a pre-assigned serial number. I was very surprised to find out that such a great hacking group didn't bother to protect their trademark tool very well. They are selling it for $100. OK, let's get going with the crack.

Tools

- SoftICE.
- Your eyes.

This is a memory echo crack, which should be very easy for all newbies. First off, make a backup of l0phtcrack.exe in case you screw something up. Run the program and you should see a nag screen showing you how many days you have left (15 days total); there is also a "Register" button. Click the "Register" button and you should see a dialog box with a grayed-out box containing the pre-assigned serial number, and below it a box for your unlock code. The unlock code is alphanumeric but that doesn't matter right now. Go ahead and put in any number you like; I used 12345678.

Now go into SoftICE (Ctrl+D) and set a breakpoint on GetWindowTextA (BPX GetWindowTextA). The approach here is to break right after the program reads your unlock code, since it then uses it along with the pre-assigned serial number to generate and compare the good unlock code. Now get out of SoftICE (X) and click the OK button. SoftICE breaks; press F11 to return to the calling function, which reads in the pre-assigned serial number. Now press F5 so the program reads your unlock code; SoftICE breaks a second time. Press F11 again and now you are in the program's code. Trace through the code until you get to this part:

:00406345 MOV EAX, [EBX] <-- if you type D EAX you will see the code you entered.
:00406347 LEA ECX, [ESP+1C] <-- here is the 1st unlock code, D ECX to view it.

If you dump ECX you will see two 8-digit alphanumeric strings; they are both correct unlock codes. Why two? You'll see in a second. Next we see the program PUSHing EAX and ECX onto the stack, then comes the CALL to compare the codes.

:0040634D  CALL 00426260       <-- this is where the program compares your number and the first
                                   unlock code. Since you entered the wrong code the CALL returns
                                   with EAX=FFFFFFFF (-01); if the code you entered were correct it
                                   would return with EAX=0.

:00406355  TEST EAX, EAX       <-- checks what the CALL returned, i.e. whether the code is good or not.
:00406357  JZ 004063A2         <-- if the CALL returned 00, good code, jump to "Thank You".

Now the program gives you another try and does the exact same thing as above with the second code.

:00406359  MOV EAX, [EBX]      <-- here is the code you entered.
:0040635B  LEA EDX, [ESP+2C]   <-- and here is the second unlock code, type D EDX to see it.
....
:00406361  CALL 00426260       <-- here is that same call for comparing the codes; as before,
                                   it will return EAX=FFFFFFFF (-01).

I skipped some code here that does the same as above with the TEST and JZ. Since the code you entered was wrong, the program proceeds to the nag screen:

:00406376 CALL 0045666B <-- this is the call to display the nag screen.

Now you can get out of SoftICE and try your new unlock code, and you'll be registered. There are a few ways of going about cracking this program; the easiest is what I have described above, but if you want you can force the jump at 00406357 by changing it from JZ to JMP. But why screw with the code if you don't have to?

Another way is to use the program itself to create a small keygen, by changing one of the two PUSHes (PUSH ECX or PUSH EDX) before the CALL to the nag screen at 00406361 so that it displays the correct code.
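As an added illustration (not code from L0phtCrack or from this tutorial), here is the pattern the tutorial relies on beside the form that avoids it: a check that derives the expected code and then string-compares it leaves the correct code sitting in memory right next to the user's input, while a check that stores only a digest of the valid code never has to hold the plaintext at all. The toy derivation and the FNV-1a digest are constructed stand-ins; a shipping product would use a keyed MAC or a signature.

```c
#include <stdint.h>
#include <string.h>

/* WEAK (the "memory echo" pattern this tutorial walks through): the check derives
 * the expected unlock code from the fixed serial and then string-compares it with
 * what the user typed, so the real code sits in memory right next to the input
 * at the moment of the compare.  The derivation is a constructed toy, not
 * L0phtCrack's real algorithm. */
static void derive_unlock_code(const char *serial, char out[9]) {
    int i;
    for (i = 0; i < 8 && serial[i] >= '0' && serial[i] <= '9'; i++)
        out[i] = "ABCDEFGHIJ"[(serial[i] - '0' + 3) % 10];
    out[i] = '\0';
}

int weak_check(const char *serial, const char *entered) {
    char expected[9];
    derive_unlock_code(serial, expected);    /* correct code now lives on the stack */
    return strcmp(entered, expected) == 0;   /* a debugger dump shows both strings */
}

/* HARDENED: the program ships only a digest of the valid code and compares the
 * digest of the input, in constant time, so the plaintext of the correct code
 * is never materialised by the checker.  FNV-1a stands in for a real keyed MAC
 * or signature here purely to keep the example self-contained. */
static uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

static int ct_equal64(uint64_t a, uint64_t b) {
    uint64_t d = a ^ b;                      /* zero only when a == b */
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1; /* fold any set bit into bit 0 */
    return (int)(1 - (d & 1));               /* no data-dependent branch */
}

/* stored_digest is computed once by the vendor, e.g. fnv1a64(valid_code), and
 * embedded in the binary in place of the derivation routine. */
int hardened_check(uint64_t stored_digest, const char *entered) {
    return ct_equal64(fnv1a64(entered), stored_digest);
}
```

With the hardened form a breakpoint on the compare only ever shows the typed input and two digests, which is the property the tutorial's dump of ECX/EDX demonstrates the weak form lacks.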

That's all for this tutorial; I hope I helped you better understand the memory echo concept. This was a very easy crack, but keep in mind that many other programs use the same kind of protection. I just want to say THANK YOU to my mentor zip for getting me started with cracking. Also great thanks go out to EDiSON, +ORC, Fravia, CrackZ, Sandman and all the great people who reverse for knowledge; keep writing those great tutorials.

I'm out, PEACE !

Goatass

© 1999 Hosted by CrackZ. Goatass 14th April 1999.