A Newbie Cracking tutorial using a live approach
on DigiSignature Ver 3.0 - By Bisoux
------------------------------------------
This is my first essay so bear with me and my poor English ;o)

Level : Newbie
Tools : Winice ver 3.xx
        DigiSignature v3.0
        URL: http://www.simtel.net/pub/simtelnet/win95/security/sign30.zip

Introduction
------------
This program has 0 security: a small patch and it's registered. It didn't
take me very long and I'm not a Master Cracker.
I assume you have Sice installed and running and that u have a basic
working knowledge of how to make it work for you, "the cracker".
To make this tut more attractive than just a dry description of the
cracking process I'll try to explain what is going on....
There will be 2 phases: the first one is for absolute beginners and
the second one will just show how easy it is to find the real serial
and not do an ugly patch.

1.Doing the patch.
------------------

ok enough of bulls let's CRACK!

Ok, run the program... what do u know, an ugly nag screen asking u
to register. Let's register: click on the register tab and then the
dialog box will pop up.
So what do we have here (I filled it in like this but do whatever u want!):
Name: Bisoux
Company: KAC
Serial Num: 123456789 (I always use this since if not all the
                       numbers are taken into the calculation
                       I'll know which positions it uses)

Ok, before pressing the OK button let's put some breakpoints in Sice.
Now let me explain here a bit what we are doing exactly, since a lot
of newbies are doing it without understanding and it's a shame!!

We are going to break on an API call. Now what's an API?
API stands for Application Programming Interface. That means that a
lot of internal routines that are used a lot under windblows are
offered as standard services by your OS (Operating System),
e.g. drawing windows, I/O operations, memory operations etc...
But anyway u should get an API reference if u want to b a cracker....


When standing in a dialog box (like you are now) the APIs which windows uses
to put your details in are normally the following:

GetDlgItemTextA  (without the A in 16-bit applications)
GetWindowTextA

and for all input procedures, no matter what language is used: hmemcpy

This last one I use only as a last resort because it often gives a "false
alert".

So now that we understand what we are doing (I hope) let's bpx on
the first two API calls mentioned.

bpx GetDlgItemTextA
bpx GetWindowTextA

Now back to our proggie (ctrl-d) and press the OK button!
Sice will pop up saying the reason is GetWindowTextA.
That means that our first string is being loaded, but remember we
have 3 strings that the proggie will read (name, company and serial),
so what we want is to start tracing from the 3rd string load.
This is why we are going to press F5 (=ctrl+d) twice more.

Gr8, Sice popped up 2 more times. Now we r in the middle of the GetWindowTextA
API call, so we'll press F12 to get back to our proggie's code.

Now the first thing I do when I crack a program is to take a look at what
is going on, where the compares and the jumps are.

Normally (but not always) the proggie will make some calls, which means
that it will perform some function routines and then come back
to do a comparison with a conditional jump afterwards.

The first time I'm not going to step into all the calls, just see where
and why the "Bad Boy" will pop up.
So until then what I'll do is double click on every conditional jump I see,
and that will give me a bpx on that line (thanx to Sice and its mouse support).

Now the double click works only if your Sice is well configured to support
the mouse and video driver. I presume u r already familiar with all that,
and if you're not, a great page about all this is:
http://server.kibla.org/lusers/mib/sice.htm (and a great site of knowledge)

Anyway if u haven't got this possibility u'll have to do a bpx on the address
u c as a conditional jump, like this:
"bpx xxxx:xxxxxxxx".

But if you're lazy like me, get your mouse and video well configured.

A conditional jump is the assembly way to make an "IF" like in any other
programming language, so we must understand that the bad boy window showed
up because it failed a condition.


So continue tracing using F10 and double clicking on every single jump
u c.
Finally the bad boy will appear saying "wrong......", kewl.
Normally the last jump or the one before it is the final jump, and u have all
this in Sice. Great: ctrl-d, 'bl' to see the list of all your bpx's with
a little number next to each, then 'bd' all of them except the last one:
bd 0 1 ....
That means breakpoint disable, and the advantage is that the location
of all the other jumps won't disappear, they'll just be disabled.

Now F5 to continue, put in your name etc...,
press ok and Sice will pop up on this line:

:00408845 8BD8                    mov ebx, eax
:00408847 FF37                    push dword ptr [edi]
:00408849 E8C2070000              call 00409010
:0040884E 83C404                  add esp, 00000004
:00408851 3BC3                    cmp eax, ebx
:00408853 7411                    je 00408866 <== you'll be here !!!!

* Possible Reference to String Resource ID=00016: "Select one of the user ID names in the list at left, or use "
                                  |
:00408855 6A10                    push 00000010

* Possible Reference to String Resource ID=00063: "Error Message"
                                  |
:00408857 6A3F                    push 0000003F


Next to where you land there will be a small mention in SoftICE
saying (no jump). Now what does this mean?
Every time there is a compare or a test in assembly there is a flag
which contains the answer. You can see the flags at the top right if your
register window in SoftICE is on (if it isn't, just do 'wr' and it will pop up).
Now we would like to change this, right? That will change the result of the
test and make us jump instead...

So we're going to use the r command in Sice that changes/displays the contents
of our registers.
If u have any problems with a Sice command just type "help r" or whatever
command you want to figure out and Sice will give a small description of it.

All that's left to do is change the no jump into jump.
U do this by typing 'r fl z', which means toggle the zero flag.

Now this will change the (no jump) into (jump).
F5 (which is the same as ctrl-d) and booommmmm!!!!!!  You're registered!!!
Congratulations, u just cracked another proggie!!

Now this proggie has 0 protection, because if it had something more
elaborate (like most programs have) it would recheck your serial every
time you load it, BUT not this baby!!!!

2.Finding the right code                (thanx to MisterE)
------------------------
Now that u know how to patch it you are really close to getting the right
code.
What happened is that u had:
:00408851 3BC3                    cmp eax, ebx
:00408853 7411                    je 00408866 

That means a comparison between the registers eax and ebx. Now u can do a lot
of things here, just bpx on 00408851 and you will have the answer, but I would
like to demonstrate the normal, usual way of finding your correct serial.

So first of all unregister the program. You'll do this by deleting the registry
key HKEY_local_machine/softwares/thunderbyte/digisign/code.
Anyway for cracking u'll have to know and understand the registry....
A lot of very good info can be obtained at _mammon's page on:
 http://www.eccentrica.org/Mammon/

After unregistering run the program and you'll have it like new. Register,
put in your details, get into SoftICE, bpx getwindowtexta (remember the API call..),
get back to the program, push the OK button, and you're in SoftICE once again.
2 more times F5 (remember it has to load your 3 strings), F12 to get to your
program. Ok, let's look for our string in memory. How? Simple...
s 0 l ffffffff '123456789' (or whatever bogus number you put in)

This means: s - search, from address 0, l ffffffff - for a length of ffffffff,
the string 'Your_String'.

Sice will answer you: match has been found in xxxx:xxxxxxxx
Gr8, now we want that every time the program touches this memory address
it will tell us (that means break).

So we'll do a bpr, which means breakpoint on range, just like this:
bpr xxxx:xxxxxxxx xxxx:xxxxxxxx+9 rw
That means bpr from the address Sice found until the same address plus our
string's length; rw means read/write.
If u r lazy enough like me, u'll find that right clicking on an address and
then choosing cut&paste will speed things up and prevent unwanted copy
mistakes.

Now that u have done this, F5 to continue the program. Sice will pop up
when your string is being manipulated; we saw b4 that this does not happen
in the main program but within a call from it, so an F12 will get u back
to where the call was made.


u'll land here :

:0040883C FF1538404100            Call dword ptr [00414038]
:00408842 83C404                  add esp, 00000004  <===  u're here
:00408845 8BD8                    mov ebx, eax
:00408847 FF37                    push dword ptr [edi]
:00408849 E8C2070000              call 00409010
:0040884E 83C404                  add esp, 00000004
:00408851 3BC3                    cmp eax, ebx
:00408853 7411                    je 00408866


Looks familiar? Sure is. Now what do u c?
eax moved to ebx, which gets compared some instructions later..
Let's do a "d eax" (or right click on it and choose display);
this will show us what eax contains.
We c nothing bad, so let us check what value it contains by doing "? eax";
this will give 3 values: decimal, hexadecimal and its value in ascii.

So now u understand what the call is all about: it puts the value of your string
in eax. This is a method used not to leave any echoes in memory for crackers
to look for....

Ok, we c this value is stored in ebx, not pushed for the next call (I wonder what
this call is ;o) ), and then immediately after the call it gets compared with eax.
F10 until there, type "? ebx" and u get your serial.
? eax --> bingo, your correct serial!!!
Now disable all the breakpoints, get back and try it!
U have won the jackpot!!! :)))

easy no ?
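An added C reconstruction of the compare pattern in the listing above (this is not DigiSignature's code; the serial formula is an invented stand-in because the tutorial never opens call 00409010, and the pushed [edi] is assumed to be the name). It shows why stopping at the cmp hands over the expected value, beside a shape that keeps that value out of the registers:

```c
#include <stdint.h>
#include <stdlib.h>

/* Hypothetical stand-in for call 00409010: the tutorial never shows what it
 * does, so this formula is made up for the example and is NOT DigiSignature's. */
static uint32_t expected_serial(const char *name)
{
    uint32_t v = 0;
    for (; *name; name++)
        v = v * 31u + (unsigned char)*name;
    return v % 900000000u + 100000000u;   /* nine digits, like the tutorial's 123456789 */
}

/* The pattern in the listing: the first call turns the typed string into a number
 * (mov ebx, eax), the second call computes the expected value into eax, then
 * cmp eax, ebx / je. Anyone who stops at the cmp reads the real serial out of eax. */
int check_plain(const char *name, const char *typed)
{
    uint32_t ebx = (uint32_t)strtoul(typed, NULL, 10);   /* your string as a number */
    uint32_t eax = expected_serial(name);                /* the real serial, in the clear */
    return eax == ebx;
}

/* FNV-1a 32-bit: a one-way hash, so a stored digest does not reveal the serial. */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Safer shape: the program only ever holds hash(typed) and a stored hash, so
 * stopping at the compare shows two digests, not the serial itself. A lone je
 * can still be toggled with 'r fl z', which is why a real scheme also rechecks
 * on every start (as the tutorial notes) instead of trusting one comparison. */
int check_hashed(const char *typed, uint32_t stored_hash)
{
    return fnv1a(typed) == stored_hash;
}
```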


Final Words
-----------
Now of course there r many more ways to crack this baby, but with this method
u'll do it in no more than 5 minutes. You can try to make a keygenerator now:
just step into the call 00409010 and figure out what it does, or for the newbie
try the dead listing method, it will work easily as well.

"Hope you learned something from this" (as someone said b4 ;) ) and that it
will initiate u, the newbie, to the live approach. SoftICE is a very powerful
weapon that should be fully explored.......


If u have any problems with this do not hesitate to contact me on:
bisoux10@hotmail.com


Thanx
-----
Tillety - my aussie brother that corrected my English
MisterE - great tut writer that helped me with this one
Vizion for bearing my newbie questions,
Quantico, HalVar and all the rest from #C4N, a great channel indeed, a lot of
nice people that will help you with any question you have, so a very big
thank you to nIabi and Mexelite for this great channel of information.
MindCrush for asking me to write this.
Pj (of course)
Tetsuo (the linux expert) for being a good friend.

Important links
---------------
Fravia.org --> a must for any cracker, GREAT knowledge site!!!!
cracking.home.ml.org <--- caligo's page, everything u'll ever need
                          (hope it will not go down soon)

From those 2 links u'll discover the wonderful world of cracking :)


Bisoux
------