From: Tao_Chen@bbs.ustc.edu.cn (绝地战警), Board: cnhacker
Subject: Cracking tutorial 1 (reposted)
Posted at: USTC BBS (Mon Feb 23 20:15:56 1998)
Relay path: Lilac!ustcnews!ustcbbs
From: gongjc (老公), Board: crack
Subject: cracking cdwizard 4.30 tutorial
Posted at: BBS 曙光站 (Shuguang BBS) (Sat Nov 29 19:54:20 1997)
CrACKING tUTOrIal bY nIabI[ME'97]
Tutorial Crack! 8th/07/97
=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
Program: CD Wizzard
Version: 4.30
URL: http://www.bfmsoft.com
Cracker: Niabi [Me'97/C4N]
Level: Beginner but written for Intermediate
Tools: SoftICE, W32Dasm, a Hex Editor.
Protection Type: Serial
Encrypted/DLL: No
Method: GetDlgItemTextA
First of all we do a BPX on GetWindowTextA to see if we get a break;
if we don't get one, we try GetDlgItemTextA.
(If you want to know more about the APIs, get Win32.hlp (12 megs)
or get our common API reference for crackers (2k) :-] )
You should now be in SoftICE.
We hit F12 a couple of times till we get to the CD Wizzard code.
Now, inside the CD Wizzard code, we start tracing (hit F10).
We try to read and understand what the registers are doing.
Try a D xxxxx from time to time, and try ? xxxxxxx too.
(? in SoftICE shows the REAL value of a reg at that time.)
Ok after a while of tracing we come to a part of the code like this :
XXXX:0041441C CALL 004151CD ; CALL CHECKING ROUTINE
XXXX:00414421 ADD ESP,0C
XXXX:00414424 TEST EAX,EAX ; IS PASSWORD OK ?
XXXX:00414426 JZ 00414444 ; NO THEN JUMP TO NOT_REGGED
XXXX:00414428 PUSH 40 ; ELSE CONTINUE GOOD BUYER
SOME MORE CODE...
NOT_REGGED:
XXXX:00414444 XOR EAX,EAX ; Make EAX ZERO
XXXX:00414446 PUSH NAG_YOU ; PUSH NAG SCREEN NOT REGGED
Some ways to crack this:
The first one is to just change jz 00414444 to jnz 00414444
(in a hex editor, more on this later).
This will not jump to NOT_REGGED, so the code is "anything you type".
But it will jump if the code is the original one: the program then thinks that the good
code is bad. (Not really a good patch.)
A second and better option, a lame one though:
remove the test eax,eax by changing it to NOPs.
Since test eax,eax uses 2 bytes and a NOP only 1,
you have to put 2 NOPs in its place, so it will read like this:
XXXX:00414424 NOP
XXXX:00414425 NOP
XXXX:00414426 JZ 00414444
^^^^^^^^
(N.B. Check out the size here)
This will cause it not to jump, since it never really checked the password.
This will register the program with good or bad serials.
OK, the third option is better; it is:
remove the test eax,eax and replace it
with inc eax and a nop, so it will read like this:
XXXX:00414424 INC EAX
XXXX:00414425 NOP
XXXX:00414426 JZ 00414444
This will also cause the program to register with any password, because it does
not check it either; it just assumes that the password is right every time
(it sets the flag to 1).
OK, so now we need to hex-edit it.
We open any hex editor (Hiew, Hex Workshop or any good one). To see which
bytes need to be changed, do D XXXX in SoftICE (where XXXX is the segment or register
you want to see);
you will see something like this in the data window:
XXXX:XXXXXXX 9E CA 0F 00 65 04 70-16 00 00 5C 0A 65 04 70 00
OK, so starting from 9E up to the "-" is what we need to search for in the hex editor.
But how do I know what to change them to? Good question. To find out what
to change them to, first do a D XXXXX inside SoftICE; you will see something
like the above numbers.
Write them down on a piece of paper (what? you're too lazy to do it?), then change
them inside SoftICE like this: A XXXX:XXXXXXXX. You will get something like this:
XXXX:XXXXXXXXX <== you type here what you want to change
Let's say you want to change JZ 00414444 to JNZ 00414444; you would do:
1.- D 00414426
we see the code, we write it down
2.- A 00414426
XXXX:00414426 jnz 00414444 <= we type this in SoftICE
When we hit enter another line follows; just hit enter again to get out of
the assembly mode. Now do a D 00414426 and you will see that the code has
changed. Now write down the new one. Now you have the old bytes (what we search
for) and the new ones (what we change them to), so now in the hex editor,
search for the old one and when we find it, change it to the new one
(beware that you need to search in hex and not in ASCII).
Run the program, register it and Boom! It's yours. Thank you very much.
Exit... and restart.
Shit, what is this!! Nag screen again! It is not registered!! WTF!
OK, so now we know that the program does 2 checks, one at input and one at
startup.
This is the output that I get from W32Dasm (great tool BTW):
* Possible StringData Ref from Data Obj ->"Password" <-- this is where
my password resides?
:00401BD6 68D4364300 push 004336D4
:00401BDB 56 push esi
:00401BDC 889A18BD4300 mov [edx+0043BD18], bl
* Reference To: KERNEL32.GetPrivateProfileIntA, Ord:010Ch
|
:00401BE2 FF1570464400 Call dword ptr [00444670]
:00401BE8 50 push eax
:00401BE9 66A3D0A84300 mov [0043A8D0], ax
:00401BEF FF750C push [ebp+0C]
:00401BF2 68C0B34300 push 0043B3C0 ; push my name to the stack
:00401BF7 E8D1350100 call 004151CD ; Call REAL password checking
; routine
:00401BFC 83C40C add esp, 0000000C
:00401BFF 85C0 test eax, eax ; Was the password correct ?
:00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker !
:00401C07 68C0B34300 push 0043B3C0 ; push my name again
:00401C0C 895D14 mov [ebp+14], ebx
* Referenced by a CALL at Addresses:
|:00401BF7
:004151CD 837C240808 cmp [esp + 08], 00000008 ; is the password 8
; characters long ?
:004151D2 7D03 jge 004151D7 ; yes then go on
:004151D4 33C0 xor eax, eax ; no then bug off with
; Z flag
:004151D6 C3 ret
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004151D2(C)
|
:004151D7 FF742408 push [esp + 08]
:004151DB FF742408 push [esp + 08]
:004151DF E8B3FFFFFF call 00415197
:004151E4 6BC00B imul eax, eax, 0000000B ; multiply eax by 0bh
; sounds to me like a
; keygen
:004151E7 59 pop ecx
:004151E8 0FB7C0 movzx word ptr eax, eax
:004151EB 59 pop ecx
:004151EC 6A07 push 00000007
:004151EE 99 cdq
:004151EF 59 pop ecx
:004151F0 F7F9 idiv ecx
:004151F2 33C9 xor ecx, ecx
:004151F4 663944240C cmp [esp + 0C], ax
:004151F9 0F94C1 sete al
:004151FC 8BC1 mov eax, ecx
:004151FE C3 ret
OK, when we restarted CD Wizzard we got the not-regged about box,
so then we set a new BPX in SoftICE on GetPrivateProfileIntA or
GetPrivateProfileStringA (the first one works better in CD Wizzard). If we
set a BPX on it we will land in some other places; we try to understand which
they are, do a trace, and read and understand what the program is doing, doing
a D xxxx once in a while... OK, after some breaks on GetPrivateProfileIntA
we will soon land here:
:00401BE2 FF1570464400 Call dword ptr [00444670]
:00401BE8 50 push eax
:00401BE9 66A3D0A84300 mov [0043A8D0], ax
:00401BEF FF750C push [ebp+0C]
:00401BF2 68C0B34300 push 0043B3C0 ; push my name to the stack
:00401BF7 E8D1350100 call 004151CD ; call REAL password checking
; routine
:00401BFC 83C40C add esp, 0000000C
:00401BFF 85C0 test eax, eax ; Was the password correct ?
:00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker !
:00401C07 68C0B34300 push 0043B3C0 ; push my name again
:00401C0C 895D14 mov [ebp+14], ebx
We can go further inside the calls. How do I go further, you ask? OK, it's easy:
just see where the call is heading and set a BPX on it. Let's say
CALL 004151CD; if we want to go further we do a BPX 004151CD (easy, eh?).
Another VERY easy way to do this is, instead of hitting F10, hit F8.
OK, if we go inside the call we will see this:
:004151CD 837C240808 cmp [esp + 08], 00000008 ; is the password 8
; characters long ?
:004151D2 7D03 jge 004151D7 ; yes then go on
:004151D4 33C0 xor eax, eax ; no then bug off with
; Z flag
:004151D6 C3 ret
Right here I can crack it, because if you check the line at 00401BFF you can see
it tests eax to check if it's 0. If it's 0 then "bug off bad cracker" happens,
but if it's not 0 then "go on nice buyer", so we can do this:
:004151CD 837C240808 cmp [esp + 08], 00000008 ; is the password 8
; characters long ?
:004151D2 90 NOP ; I don't care if it's 8
:004151D3 40 INC EAX ; Increment EAX by 1
:004151D4 48 DEC EAX ; Decrement EAX by 1
:004151D5 40 INC EAX ; Increment EAX by 1
:004151D6 C3 ret ; Return with REGGED flag set
So what we did there was some flag changing; we don't even go further inside
the check, we just make the program assume that it did and that the password
was a good one.
Since EAX was 0 when we got into the call, we first did a NOP, because if we had
done an INC EAX or a DEC EAX we would have found out that it would work ;).
This is the second part of the crack, or we can go for another one,
with one less byte to change than this one
(you want to change as few bytes as you can).
OK, after the RET from the real password check is done we land exactly here:
:00401BFF 85C0 test eax, eax ; Was the password correct ?
:00401C01 0F84A2000000 je 00401CA9 ; no then bug off bad cracker !
What we do here is really easy; you probably know it by now.
:00401BFF 90 nop
:00401C00 40 inc eax ; set flag to 1 <== good password
:00401C01 0F84A2000000 je 00401CA9
Easy, eh? So we did it, we completely cracked CD Wizzard. The last part is doing
the hex editing, which you have to know by now if you read my first part ;)
I will give the exact bytes to change:
741C6A40C705B8BC change it to 40906A40C705B8BC <== Reg Check
85C00F84A2000000 change it to 40900F84A2000000 <== nag removed
If you do the last crack by itself you will find out that doing the reg check
crack is useless; see for yourself: if you do only the second crack
(a.k.a. nag removed) you will find out that it is regged and fully working.
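An added check, not part of the tutorial: it decodes the two before/after byte strings above with a tiny decoder that only knows the handful of x86 opcodes those strings contain, and confirms that each replacement keeps the code length (so nothing after it shifts) and that the original jumps resolve to the addresses shown in the listings. The start addresses 00414426 and 00401BFF are taken from the listings above.

```python
# Added check, not part of the tutorial: decode the tutorial's two
# before/after byte strings and confirm each patch keeps the code length
# and that the original jumps land where the listings say.
import struct

def decode(code: bytes, base: int):
    """Decode only the x86 opcodes that occur in the two patch strings;
    return (address, hex bytes, mnemonic) tuples, stopping at anything else."""
    out, i = [], 0
    while i < len(code):
        addr, b = base + i, code[i]
        if b == 0x90:
            n, txt = 1, "nop"
        elif b == 0x40:
            n, txt = 1, "inc eax"
        elif b == 0x85 and code[i + 1:i + 2] == b"\xC0":
            n, txt = 2, "test eax, eax"
        elif b == 0x6A and i + 1 < len(code):
            n, txt = 2, f"push {code[i + 1]:#04x}"
        elif b == 0x74 and i + 1 < len(code):                    # jz rel8
            rel = struct.unpack_from("<b", code, i + 1)[0]
            n, txt = 2, f"jz {addr + 2 + rel:08X}"
        elif code[i:i + 2] == b"\x0F\x84" and i + 5 < len(code):  # je rel32
            rel = struct.unpack_from("<i", code, i + 2)[0]
            n, txt = 6, f"je {addr + 6 + rel:08X}"
        else:
            break                                  # opcode not handled (C7 ...)
        out.append((addr, code[i:i + n].hex().upper(), txt))
        i += n
    return out

# (old bytes, new bytes, address of the first byte) as given in the tutorial
PATCHES = {
    "reg check":   ("741C6A40C705B8BC", "40906A40C705B8BC", 0x00414426),
    "nag removed": ("85C00F84A2000000", "40900F84A2000000", 0x00401BFF),
}

def check_patch(old_hex: str, new_hex: str, base: int):
    """Return (same_length, addresses that changed, decoded old, decoded new)."""
    old, new = bytes.fromhex(old_hex), bytes.fromhex(new_hex)
    changed = [base + i for i, (a, b) in enumerate(zip(old, new)) if a != b]
    return len(old) == len(new), changed, decode(old, base), decode(new, base)

if __name__ == "__main__":
    for name, args in PATCHES.items():
        same_len, changed, before, after = check_patch(*args)
        print(f"{name}: same length={same_len}, changed at {[f'{a:08X}' for a in changed]}")
        for label, listing in (("before", before), ("after", after)):
            print(f"  {label}: " + "; ".join(f"{a:08X} {txt}" for a, _, txt in listing))
```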
OK, I hope you enjoyed this tutorial. I know it is hard to understand in some
parts, but you can figure it out. Till next time.
※ Source: USTC BBS [bbs.ustc.edu.cn]