Muad'Dib's Tutorials

"Well, Muad'Dib brings us 4 of his own exploits including his own CrackMe. I should perhaps point out that these examples are simplistic in the extreme :-), but I guess we all had to start somewhere. This tutorial will be the last I will accept or write with ad nauseam basic techniques which most of my readers ought now to be VERY familiar with. However, maybe you can find a use for the MASM patcher." Slightly edited by CrackZ.

Desktop Switch 1.3 - Simple nag removing.
Desktop Themes 1.87 - Simple key generator.
Muad'Dib's CrackMe #1 - Trivial removal of a nag (tsch, tsch and he doesn't even correct the stack :-) ).
Spynet Internet Mail - Simple StringRef cracking with a Win32 ASM patch.

Muad'Dib's CrackMe #1

File :- Muadib1.zip - (5k).

OK... Let's get right into it... I'll assume some cracking knowledge, but you should get along fine if you don't have any. First of all, run the program. A standard Windows message box comes up. Now, if you know anything about the Windows API you'll know that the call behind it is MessageBoxA. Since this is a small program, I'll be using W32Dasm. Disassemble the program and search for the function MessageBoxA. You'll get this code :-

:004012BF PUSH 00000000

* Possible StringData Ref from Data Obj ->"Please register!"

:004012C1 PUSH 0040302D

* Possible StringData Ref from Data Obj ->"I want your money! Please send "
    ->"me $20 to get rid of this screen!"

:004012C6 PUSH 0040303E
:004012CB PUSH 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh

:004012CD CALL 00401314 <-- this is the call we want.


The call marked above is the important part, and all we have to do is NOP it out. Here's how. 004012CD is the code address; next to it in W32Dasm you'll see the instruction's bytes, E842000000 (E8 is CALL with a 32-bit relative displacement, five bytes in all). That's what we need to get rid of, so open up your favourite hex editor and search for it. It's normally smart to search for some of the bytes around it as well so that the match is unique, so I use :-

6A00E842000000 as my search string (the PUSH 0 before it too). Change the E842000000 to 9090909090 (90 in hex is NOP, meaning no operation; five bytes out, five bytes in, otherwise everything after it shifts). Now run the program again. Poof! No nag!

One caveat, and it is what the "doesn't even correct the stack" remark at the top of the page is about: MessageBoxA is a stdcall function, so the callee pops its own four arguments on return. NOPing only the CALL leaves the four PUSHed dwords (16 bytes) on the stack. The crackme survives it, but the tidier five-byte patch is 83C4109090, ADD ESP, 10h followed by two NOPs, which drops the arguments the way the call would have.

Spynet Internet Mail

File :- spymail.zip - (175k)

Spynet Internet Mail is a small e-mail program that can be used to quickly send or get e-mail. I know the programmer, but as soon as he got recognised by software magazines he became an asshole, so I chose this program to do a tutorial on. This is actually the first program I ever cracked... ahh, sweet revenge. He seems to be a good programmer, but lacks in protecting his software. This program comes down to defeating a single jump. First, load the program in W32Dasm. If you don't have it, go to http://www.woodmann.com/crackz/index.html and download it from the tools section. This is my favourite site, by the way :-). Let's get back on track. When it is loaded, go into the String Data References (ALT + R + S) and search for the string "error: inc...". Wow, it's right there. This promises to be easy. Double click it and you see this :-

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00409F66(C)

:00409FB1 PUSH 00000010

* Possible StringData Ref from Data Obj ->"Spynet Internet Mail - application error"

:00409FB3 PUSH 0041C424

* Possible StringData Ref from Data Obj ->"error: incorrect registration "
->"key."

:00409FB8 PUSH 0041CECC
:00409FBD PUSH EBP

* Reference To: USER32.MessageBoxA, Ord:01BEh

:00409FBE CALL DWORD PTR [00423810]

Go to the blue highlighted address, 00409F66. You see this :-

:00409F66 JE 00409FB1 (7449)
:00409F68 PUSH 00000030

* Possible StringData Ref from Data Obj ->"Spynet Internet Mail"
|
:00409F6A PUSH 0041C450

* Possible StringData Ref from Data Obj ->"Thank you for registering Spynet "
->"Internet Mail 1.0!"

:00409F6F PUSH 0041CEF8
:00409F74 PUSH EBP

* Reference To: USER32.MessageBoxA, Ord:01BEh

Wow! This looks EXTREMELY easy :-). The JE at 00409F66 is the jump to the "incorrect registration key" box, so let's go into our hex editor and change its two bytes, 7449, to 9090. With the jump gone, execution falls straight through to the "Thank you for registering" box. You COULD change it to JNE instead (7549), but that only inverts the test: a correct serial would then be refused and incorrect ones accepted, so the two NOPs are the better choice. Test it by running the program and entering any serial... Wow! It works. Now to make a patch. I do everything in Windows 32 assembly language.

Desktop Switch 1.3

Protection: Every few times you switch virtual desktops, a nag screen comes up.

This can be rather annoying, so let's patch it :-). Open it up in W32Dasm. Look through the String Data References and try to find the dialog name "NOTIFICATION", since that is what comes up when it is nagging you. It doesn't show up. We know from clicking about (you did look at the about box, didn't you? :-) that the one that says "ABOUTDIALOG" is actually the about box. Let's be crazy and try "SWITCH". It is pushed shortly before a call to DialogBoxParamA! Let's go to the menu Functions/Imports and look into this call. Double click the function DialogBoxParamA and W32Dasm jumps to the next place it is referenced.

Do this numerous times and notice that it is called in only 2 different places! One of them has the "ABOUTDIALOG" string pushed as the template name, so that can't be it. Let's go with the one that has "SWITCH". Note the bytes of the call itself:

FF15F0A14000 CALL [USER32!DialogBoxParamA]

FF15 is CALL DWORD PTR with a 32-bit address, so the import is called through its IAT slot at 0040A1F0 and the same six bytes appear at both call sites. Search for them in your hex editor. We know that the nag is the second call, so search twice; we get the offset 75D. Patch the whole call with NOPs (909090909090), save it and run DesktopSwitch. You'll notice that it doesn't nag you anymore!

One caveat: DialogBoxParamA takes five arguments, which the stdcall callee would pop on return, so NOPing only the CALL leaves those 20 bytes of pushed arguments on the stack. The program copes, but 83C414909090 (ADD ESP, 14h plus three NOPs) is a six-byte patch that balances the stack as well.

Now you can edit the EXE file with a resource editor to get rid of the "Register" button, or leave it intact.
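The three byte patches above (the CrackMe #1 MessageBoxA call, the Spynet JE and the Desktop Switch DialogBoxParamA call) can be applied without re-finding the hex-editor offsets by searching for the bytes around each instruction. The script below is an added example written for this page, not the MASM patcher from the zip; the byte patterns come from the listings in the text, the expected occurrence counts (one, one and two) are assumptions based on the searches described, and for the CrackMe it uses ADD ESP, 10h plus two NOPs instead of five NOPs so that the four pushed arguments are removed as well.

```python
"""Pattern-based patcher for the three byte patches in this tutorial.

Added example, not the MASM patcher from Muadib1.zip. Instead of hard-coding the
hex-editor offset (e.g. 75D for Desktop Switch), it searches for the bytes around
the instruction, checks that the pattern occurs exactly as often as expected, and
overwrites the chosen occurrence with a replacement of identical length so that
nothing after it shifts.
"""
import sys

NOP = b"\x90"


def find_all(data, pattern):
    """Return every offset at which `pattern` occurs in `data`."""
    hits, start = [], 0
    while True:
        i = data.find(pattern, start)
        if i < 0:
            return hits
        hits.append(i)
        start = i + 1


def patch_bytes(data, pattern, replacement, occurrence=1, expected=1):
    """Overwrite the `occurrence`-th (1-based) hit of `pattern` with `replacement`.

    Refuses to patch unless `pattern` occurs exactly `expected` times: this is
    the by-hand check in the text ("search twice" for Desktop Switch), automated.
    """
    if len(replacement) != len(pattern):
        raise ValueError("replacement is %d bytes, pattern is %d: code would shift"
                         % (len(replacement), len(pattern)))
    hits = find_all(data, pattern)
    if len(hits) != expected:
        raise ValueError("pattern %s found %d time(s), expected %d"
                         % (pattern.hex(), len(hits), expected))
    if not 1 <= occurrence <= len(hits):
        raise ValueError("no occurrence %d of pattern" % occurrence)
    off = hits[occurrence - 1]
    return data[:off] + replacement + data[off + len(pattern):]


# name -> (search pattern, replacement, occurrence to patch, occurrences expected).
# Byte strings are taken from the listings in the text; the expected counts are
# assumptions based on the searches the text describes.
PATCHES = {
    # CrackMe #1 at 004012CB: 6A00 = PUSH 0, E842000000 = CALL 00401314 (MessageBoxA).
    # 83C410 = ADD ESP,10h pops the four pushed arguments the stdcall callee would
    # have removed; two NOPs pad the replacement to the CALL's five bytes.
    "crackme1_nag": (bytes.fromhex("6A00E842000000"),
                     bytes.fromhex("6A00") + bytes.fromhex("83C410") + NOP * 2, 1, 1),
    # Spynet at 00409F66: 7449 = JE 00409FB1 (to the "incorrect registration key"
    # box) followed by 6A30 = PUSH 30h. The PUSH is kept in the pattern so the
    # two-byte jump is matched in context (assumed unique in the file).
    "spynet_je": (bytes.fromhex("74496A30"), NOP * 2 + bytes.fromhex("6A30"), 1, 1),
    # Desktop Switch: FF15F0A14000 = CALL DWORD PTR [0040A1F0] (DialogBoxParamA).
    # The text finds two such calls; the nag is the second. Six NOPs, as in the text
    # (83C414 + three NOPs would balance the stack too).
    "desktopswitch_nag": (bytes.fromhex("FF15F0A14000"), NOP * 6, 2, 2),
}


def apply_patch(data, name):
    """Apply one named patch from PATCHES and return the patched image."""
    pattern, replacement, occurrence, expected = PATCHES[name]
    return patch_bytes(data, pattern, replacement, occurrence, expected)


def main(argv):
    if len(argv) != 3 or argv[1] not in PATCHES:
        print("usage: patcher.py {%s} <exe>" % "|".join(PATCHES), file=sys.stderr)
        return 2
    name, path = argv[1], argv[2]
    with open(path, "rb") as f:
        data = f.read()
    patched = apply_patch(data, name)
    out = path + ".patched"  # never overwrite the original
    with open(out, "wb") as f:
        f.write(patched)
    print("%s: patched %s -> %s" % (name, path, out))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `patcher.py crackme1_nag crackme.exe`; it writes crackme.exe.patched and refuses to touch a file in which the pattern count differs from the expected one, which is the guard you want before patching anything blind.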

Desktop Themes v1.87

http://www.lss.com.au/lss/lss_main.htm

I'll mainly be focusing on taking apart the algorithm here, so I assume you know how to find it in SoftICE and how to set breakpoints and such. Pretty easy keygen here, so let's get to it. Start by breaking on the standard functions and then trace through a bit. Eventually you'll find some code that looks like this :-

:0040570A TEST ECX, ECX ; ECX = length of the name; is it 0?
:0040570C JBE 00405726 ; TEST clears CF, so this jumps only when ECX == 0: skip the loop.

:0040570E MOVSX EDX, BYTE PTR [EBP+EAX-30] ; EDX = name[EAX], sign-extended (EAX is the index).
:00405713 MOV EDI, EAX
:00405715 AND EDI, 1 ; EDI = index & 1.
:00405718 INC EDI ; EDI = 1 for even positions, 2 for odd ones.
:00405719 IMUL EDX, EDI ; EDX = letter * weight.
:0040571C ADD EDX, EAX ; Add the index.
:0040571E ADD DWORD PTR [EBP-04], EDX ; Accumulate into the running total.
:00405721 INC EAX ; Next index.
:00405722 CMP EAX, ECX ; Compare index with length.
:00405724 JB 0040570E ; If below, continue.

:00405726 XOR DWORD PTR [EBP-04], 82644404 ; Now XOR the total with a constant.
:0040572D JGE 00405737 ; XOR clears OF, so this is taken when the result is non-negative: the NEG is skipped.
:0040572F MOV EAX, DWORD PTR [EBP-04] ; EAX = serial.
:00405732 NEG EAX ; Otherwise negate it.

That's it! Pretty simple, no? Now just construct your key generator from that loop.
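Here is that loop turned into a key generator, as an added example for this page rather than the author's own keygen. It assumes things the listing does not show: the index in EAX and the total at [EBP-04] start at zero, the buffer at [EBP-30] holds the name as 8-bit characters with ECX its length, and the 32-bit value left in EAX is what the program compares the serial against. Whether the serial is typed in decimal or hex is not visible here either, so the function returns the raw value and main() prints both.

```python
"""Key generator reconstructed from the Desktop Themes 1.87 loop at 0040570A-00405732.

Added example, not the author's keygen. Assumptions the listing does not show:
EAX (index) and DWORD PTR [EBP-04] (running total) start at 0, the buffer at
[EBP-30] holds the name as 8-bit characters, ECX is its length, and the final
32-bit value in EAX is what is compared with the serial the user typed.
"""
import sys

MASK32 = 0xFFFFFFFF
XOR_CONST = 0x82644404  # from XOR DWORD PTR [EBP-04], 82644404


def to_signed32(v):
    """Interpret a 32-bit quantity the way the flags after XOR (and JGE) see it."""
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v


def desktop_themes_key(name):
    """Return the 32-bit value the routine leaves in EAX for `name`."""
    total = 0                                  # DWORD PTR [EBP-04], assumed 0 on entry
    data = name.encode("latin-1")              # 8-bit characters, as MOVSX reads them
    for i, b in enumerate(data):               # EAX runs 0..ECX-1; loop is skipped when ECX == 0
        ch = b - 0x100 if b & 0x80 else b      # MOVSX EDX, BYTE PTR [EBP+EAX-30]: sign-extend
        weight = (i & 1) + 1                   # MOV EDI,EAX / AND EDI,1 / INC EDI
        total = (total + ch * weight + i) & MASK32  # IMUL EDX,EDI / ADD EDX,EAX / ADD [EBP-04],EDX
    total ^= XOR_CONST                         # XOR DWORD PTR [EBP-04], 82644404
    if to_signed32(total) < 0:                 # JGE 00405737 is not taken for a negative result
        total = (-total) & MASK32              # MOV EAX,[EBP-04] / NEG EAX
    return total


def main(argv):
    if len(argv) != 2:
        print("usage: keygen.py <name>", file=sys.stderr)
        return 2
    key = desktop_themes_key(argv[1])
    # The listing does not say whether the serial is entered in decimal or hex,
    # so print both and try them in the registration box.
    print("name: %s\nkey (decimal): %u\nkey (hex): %08X" % (argv[1], key, key))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Note the sign extension: a name containing bytes above 7F contributes negative values, which is why the byte is converted before the multiply, and the 32-bit masking after every addition keeps the Python integer behaving like the dword at [EBP-04].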

That's all for now!

-Muad'Dib




© 1999 Hosted By CrackZ. Muad'Dib 19th December 1999.