Miscellaneous
Papers Return
to Main Indexhttp://www.webcom.com/vulcan
- Webpage.
Vulcan Notes v2.13 (Local Download)
- (248k).
http://www.posum.com -
Webpage.
WorkStation Lock v2.6 (Local
Download) - Local Download (97k).
This is a another recommended tutorial for people looking to make their very first steps with reverse engineering. I am always on the look out for small applications such as this, which are useful to help people get started. This version of Vulcan Notes is also in excess of 2 years old and therefore the publishing of this tutorial is highly unlikely to damage the author financially. Vulcan Notes uses a user name / serial # protection, this tutorial will show you how to find a valid serial # using SoftICE, when you have learnt more about ASM / reversing and key generators you can attempt to understand the mechanism.
The first thing to do is locate the registration option accessible from the Register menu. When the input box appears you should enter your own 'handle' and a fake registration code of your own choice.
The next thing we'll do is set some breakpoints, a lot of new reversers often ask "how do you know which breakpoint to use?", the answer is usually a matter of trial and error. Push Ctrl+D to enter SoftICE, type bpx Hmemcpy on the command line (press enter). Now return to Windows using Ctrl+D. As soon as you press the OK button on the registration window SoftICE will fire. On the first trigger press F11. As we have 2 dialog items to retrieve you should press Ctrl+D and F11 once again.
If you've managed this correctly you'll be inside SoftICE looking at the module User. The code should look like this below, the code segment part however (17C7) most probably will be different.
17C7:0B45 PUSH WORD PTR [DI] <-- you'll be here. 17C7:0B47 CALL KERNEL!LOCALUNLOCK 17C7:0B4C MOV AX,SI 17C7:0B4E POP SI
The objective now is to allow the code to continue until we reach the application code (vnotes95.exe) in this instance. The quick way to achieve this is by using the F12 (P RET) key which executes until it reaches a RET instruction, stopping immediately afterwards but first we need to disable our breakpoint by typing bd *. When you have reverse engineered many programs you'll get a feel for the number of F12's to press, most applications require between 6 & 12. With Vulcan Notes you'll need 6 to reach the application but a further 5 to find anything interesting (11 in total).
The reason why you need 5 extra F12's is fairly obvious, the next RET instructions on each of these breaks is never more than 5 lines away, code such as POP EDI, POP ESI is not interesting. This is the section that is interesting (once again note that the code segment (0137) may not be the same on your machine).
0137:00464FFE MOV EAX,[EBP-10] <-- 'd eax' shows serial # entered. 0137:00465001 LEA EDX,[EBP-14] 0137:00465004 CALL 00405A70 0137:00465009 MOV EAX,[EBP-14] <-- 'd eax' once again shows serial # entered. 0137:0046500C PUSH EAX <-- push the entered serial # on the stack. 0137:0046500D LEA EDX,[EBP-10] 0137:00465010 MOV EAX,[EBP-04] 0137:00465013 MOV EAX,[EAX+000001B8] 0137:00465019 CALL 00414F00 0137:0046501E MOV EAX,[EBP-10] <-- 'd eax' shows the user name. 0137:00465021 LEA EDX,[EBP-18] 0137:00465024 CALL 00464DF0 <-- this is the calculation routine. 0137:00465029 MOV EDX,[EBP-18] <-- F10 to this point. 0137:0046502C POP EAX <-- The code you entered retrieved from the stack. 0137:0046502D CALL 004036DC <-- This call will compare the codes. 0137:00465032 JNZ 00465208 <-- Check.
Now use your F10 key to single-step through the code line by line until the highlight bar reaches 0046502C.
If you now type d edx you'll be able to read the good code from the data window. This is the simplest crack you will ever do, it is known as the "snatch" technique, you obviously have gained no knowledge of how the program generated this code, you know only the result for your own handle, now try some other shareware from your archives.
[CrackZ / 747814678818532]
In your own time, try using the F8 key to trace instead of F10, this means that when you step over a call instruction you will enter the call as opposed to executing it. The algorithm requires fairly good knowledge of ASM and FPU instructions so don't be disappointed if you don't understand it. Work out how the program tracks your newly acquired registered status (RegMon may be of assistance).
Welcome to another target specifically aimed at very new reversers. WorkStation Lock is a small application which is ideal for those looking to get some practice with SoftICE. v2.6 is also an old version and thus will not damage the authors (the latest version has an improved scheme). Without further ado, launch the file wrkset.exe and locate the Register option accessible from the Help menu. You'll be confronted with a single dialog box asking for a registration number.
So just enter any number in the box (there's no set length), don't push O.K yet, you'll need to set some breakpoints on likely Windows functions used to read a value from this dialog box. You'll find that GetDlgItemTextA works well (trial and error). So set a >bpx GetDlgItemTextA in SoftICE, as soon as you click O.K and then F11 you should be looking at this code (push F10 a few times if you aren't).
:0040226A LEA EAX,[EBP-68]
:0040226D PUSH EAX
:0040226E CALL 004018EC <-- Retrieves single user license number.
:00402273 POP ECX <-- Pop single user license number.
:00402274 LEA EAX,[EBP+FFFFFF64]
:0040227A PUSH EAX
:0040227B CALL 004020B3 <-- Retrieve site license number.
:00402280 POP ECX <-- Pop site license number.
:00402289 CALL 00403490 <-- Compare user number with
single user.
:0040228E POP ECX <-- Code entered.
:0040228F TEST EAX,EAX <-- Test EAX=0.
:00402291 POP ECX <-- Good code.
:00402292 JNZ 004022A2 <-- Jump_not_single_user.
:004022AD CALL 00403490 <-- Compare user number with
site license.
:004022B2 POP ECX <-- Code entered.
:004022B3 TEST EAX,EAX <-- Test EAX=0.
:004022B5 POP ECX <-- Good code.
:004022B6 JNZ 004022E3 <-- Jump_bad_code_else_continue_site_license.
This code fragment should be fairly simple to understand, the program contains 2 hard coded registration numbers and will firstly compare your entered code to the single user license before comparing it against a site license, should you fail those checks then your code is obviously incorrect. There are several opportunities to snatch the respective good codes from the ECX register as it is popped from the stack, just type >d ecx to view them in the SoftICE data window. The registration information appears to be stored in the file kclkrw10.reg which is stored in the /WINDOWS directory.
Single User License: 2465535864435543654
Site License: 5735435434154321554
Miscellaneous
Papers Return
to Main Index