Basic Cracking for Fun and Profit
v1.0 - Biomechanica
With this guide I hope to provide newcomers with an easy-to-understand introduction to the world of reverse engineering and software cracking. Software cracking is both an art and a great hobby. It combines a low-level understanding of computer code with an analytic, perhaps even detective-like, mindset. The algorithms behind a list of machine-generated assembly instructions, already abstract by nature and often further obfuscated by encryption or packing techniques, are translated back into understandable code. So cracking, reversing and writing keygens make for fun hobbies that expand your knowledge about computers while also serving a practical purpose. Don't you just hate not being able to find a crack for a specific application? Why not make your own...
While reverse engineering itself is not illegal, software cracking to aid piracy is. So here's a little disclaimer:
I, Biomechanica, cannot be held responsible for any crimes committed with the knowledge provided in this guide. By reading this guide, you agree to take full responsibility for your actions. If you do not, please stop reading here.
Note: This is strictly not against the rules of the tutorials section, but if any admin decides this is violating site rules, I'll delete the post. However, that would be pretty ironic on a site dedicated to sharing invites for warez sites, now wouldn't it? :')
Now, gentlemen, it's time to get started.
For this guide, I have cracked a trial of Nidesoft LG Video Converter (version 2.3.56 to be exact). I chose this program because it was not packed, encrypted or obfuscated in any way, which makes it relatively easy to crack and a good subject for a basic tutorial such as this one. Note that the program was patched; no keygen has even been attempted, because patching is generally easier and requires a less detailed analysis of the binary. I may write a keygenning tutorial sometime, or I may not. Time will tell.
A couple of assumptions are made regarding your knowledge on this subject:
- A basic understanding of assembly language.
You do not need to be fluent in assembly for this tutorial, but a basic understanding of the most common instructions is certainly required to follow what is going on.
- A basic understanding of how computers handle memory and how registers are used.
In the end, all a program does is manipulate and execute data in memory; registers hold the information that is currently of importance, ranging from the simple value of a counter to the location in memory of a serial. This understanding is therefore required to fully comprehend what is going on in your program. Again, you do not need to know the more advanced stuff, but you should at least be aware of how registers are used in a program, exactly what the heap and the stack are, and how they are used.
- Terminology
I'm not going into basic terms such as 'packers', 'crypters', 'debuggers', 'disassembly', et cetera. These are easy to look up and would just make this guide unnecessarily long and complicated, while a quick Google search could probably provide you with better information than I could ever give you without going into too much detail.
- A basic understanding of OllyDbg/Immunity Debugger
As with the terminology, you should know what all of Olly's windows mean, like the register window, and shortcuts like F8 to step over a command or F9 to execute till return. I will explain some things throughout this tutorial, but it surely helps to know most things in advance as I won't really go into details here. Again, Google will provide you with all the info you need.
For this crack, only two tools were used:
- PEiD
PEiD is used to detect packers, compilers and crypters. This gives you a clear idea of exactly how the code is obfuscated, if at all, which makes your life a lot easier during the actual reversing process. Consider this a recon tool. PEiD can be found right here: PEiD.
- Immunity Debugger
Immunity Debugger is essentially a modified version of OllyDbg. OllyDbg is a debugger used for binary code analysis when source code is not available. It can trace registers and detect strings, API calls, constants et cetera. Programs are disassembled to the assembly code actually executed by the CPU, allowing you to step through it, monitor any changes to registers and memory, and see exactly what happens.
The reason I chose Immunity Debugger over OllyDbg is Immunity's support for Python code along with the better colour scheme (though this can be set in Olly as well).
You can download Immunity Debugger here: IMMUNITY : Knowing You're Secure.
You can use Olly if you want to; they're essentially the same program, so nothing should really change for this tutorial.
Let's start by actually installing the trial. After the installer has finished, open the application. We are greeted by a nice nag screen:
Now let's see what happens when we enter some random stuff.
There we go, an error prompt. We can use this text later on to see where the actual checking is being done.
Time to check if our program is packed. Open the executable in PEiD. Here's the output:
No packers or crypters have been detected! Riveting news, chap! This makes our task a lot easier.
Open up the program in Immunity Debugger and start running it (F9). Don't worry about any exceptions, we just want to perform a last check to see if our debugger detects the code as being packed/obfuscated and whether it has any anti-debugging features.
It runs as expected, so we can assume there won't be any features in place to hinder our reversing process.
Now, remember that nag screen and how it said our serial is invalid? Well, let's pick a string from that pop-up that's not too common, so we can be fairly sure it only shows up in the code actually related to the serial check. I chose 'correct'.
In our debugger, right click in the code screen (upper left window) and select Search for -> All referenced text strings. A new window will pop up. Right click in this window, select 'Search for text' and enter your search term. And look at that, I found the string I was looking for:
Text strings referenced in VideoCon:.text, item 653
Address=004208EC
Disassembly=PUSH VideoCon.004371FC
Text string=ASCII "Register code not correct,please check it!"
This also seemed interesting:
Text strings referenced in VideoCon:.text, item 651
Address=00420850
Disassembly=PUSH VideoCon.00437228
Text string=ASCII "Registration Successful"
The second string appears to be the result of a valid serial. You should also note that the two addresses (0x004208EC and 0x00420850) are close together. Let's take a closer look at this. Press enter to see where the string is used in the code itself. I ended up here:
00420835 |. 85C0 TEST EAX,EAX
00420837 |. 5D POP EBP
00420838 |. 0F86 A7000000 JBE VideoCon.004208E5
0042083E |. 3D 9F860100 CMP EAX,1869F
00420843 |. 0F83 9C000000 JNB VideoCon.004208E5
00420849 |. 6A 40 PUSH 40
0042084B |. 68 40724300 PUSH VideoCon.00437240 ; ASCII "Nidesoft"
00420850 |. 68 28724300 PUSH VideoCon.00437228 ; ASCII "Registration Successful"
00420855 |. 8BCE MOV ECX,ESI
00420857 |. E8 285F0000 CALL <JMP.&MFC42.#4224>
0042085C |. 8D8C24 E804000>LEA ECX,DWORD PTR SS:[ESP+4E8]
00420863 |. C786 5C5E0300 >MOV DWORD PTR DS:[ESI+35E5C],1
0042086D |. E8 3E3AFEFF CALL VideoCon.004042B0
00420872 |. 8D8424 0406000>LEA EAX,DWORD PTR SS:[ESP+604]
00420879 |. 6A 00 PUSH 0
0042087B |. 50 PUSH EAX
0042087C |. 8D8C24 F004000>LEA ECX,DWORD PTR SS:[ESP+4F0]
00420883 |. C68424 8817000>MOV BYTE PTR SS:[ESP+1788],0A
0042088B |. E8 C03AFEFF CALL VideoCon.00404350
00420890 |. 8D4C24 0C LEA ECX,DWORD PTR SS:[ESP+C]
00420894 |. 6A 10 PUSH 10
00420896 |. 51 PUSH ECX
00420897 |. 8D8C24 F004000>LEA ECX,DWORD PTR SS:[ESP+4F0]
0042089E |. E8 ED3BFEFF CALL VideoCon.00404490
004208A3 |. 8D8C24 E804000>LEA ECX,DWORD PTR SS:[ESP+4E8]
004208AA |. E8 F13AFEFF CALL VideoCon.004043A0
004208AF |. 8D96 A8010000 LEA EDX,DWORD PTR DS:[ESI+1A8]
004208B5 |. 8D8E A4010000 LEA ECX,DWORD PTR DS:[ESI+1A4]
004208BB |. 52 PUSH EDX
004208BC |. E8 695B0000 CALL <JMP.&MFC42.#858>
004208C1 |. 8B46 20 MOV EAX,DWORD PTR DS:[ESI+20]
004208C4 |. 6A 01 PUSH 1 ; /Erase = TRUE
004208C6 |. 6A 00 PUSH 0 ; |pRect = NULL
004208C8 |. 50 PUSH EAX ; |hWnd
004208C9 |. FF15 A4C64200 CALL DWORD PTR DS:[<&USER32.InvalidateRe>; \InvalidateRect
004208CF |. 8D8C24 E804000>LEA ECX,DWORD PTR SS:[ESP+4E8]
004208D6 |. C68424 8017000>MOV BYTE PTR SS:[ESP+1780],0
004208DE |. E8 2D3AFEFF CALL VideoCon.00404310
004208E3 |. EB 13 JMP SHORT VideoCon.004208F8
004208E5 |> 6A 40 PUSH 40
004208E7 |. 68 40724300 PUSH VideoCon.00437240 ; ASCII "Nidesoft"
004208EC |. 68 FC714300 PUSH VideoCon.004371FC ; ASCII "Register code not correct,please check it!"
As you can see, two checks are performed:
00420835 |. 85C0 TEST EAX,EAX
00420838 |. 0F86 A7000000 JBE VideoCon.004208E5
0042083E |. 3D 9F860100 CMP EAX,1869F
00420843 |. 0F83 9C000000 JNB VideoCon.004208E5
Now, let's analyze exactly what is going on here:
00420835 |. 85C0 TEST EAX,EAX
TEST - Test For Bit Pattern
Performs a logical AND of the two operands, updating the flags register without saving the result.
00420838 |. 0F86 A7000000 JBE VideoCon.004208E5
JBE/JNA - Jump Below or Equal / Jump Not Above
0042083E |. 3D 9F860100 CMP EAX,1869F
CMP - Compare
Subtracts source from destination and updates the flags but does not save the result. Flags can subsequently be checked for conditions.
00420843 |. 0F83 9C000000 JNB VideoCon.004208E5
JAE/JNB - Jump Above or Equal / Jump on Not Below
As you can see, both jumps will land you here:
004208E5 |> 6A 40 PUSH 40
004208E7 |. 68 40724300 PUSH VideoCon.00437240 ; ASCII "Nidesoft"
004208EC |. 68 FC714300 PUSH VideoCon.004371FC ; ASCII "Register code not correct,please check it!"
It should now be clear that this is the code that checks whether a serial is valid or not. We could investigate the checks further to see what exactly is being checked, but we just want a quick and basic crack. So instead, let's replace the jumps with NOPs. NOP stands for No Operation: the instruction does nothing, so the conditional jumps are never taken and execution simply falls through.
Select the jump instructions and press space; you can now enter NOP as the new instruction, as shown below:
Time to do a quick test run and enter some random stuff for our serial. OH SNAP SON, it works!
Now, let's save our changes. Right click in the code window again -> Copy to executable -> All Modifications and select Copy All. A new window will open up with your modified code. Right click here and select 'Save file'.
Time to test our new executable. It works, but it didn't seem to save its new registered state anywhere: if you close the program and start it again, it will just prompt for a serial again. My suspicion is that it saves a registry key containing a serial and checks this key each time the program starts. However, we don't really care too much about this, we just want a crack. Time for a new solution...
Notice how the title bar of the program contains the text '(Unregistered)', which disappears if the program is actually registered? Let's take a closer look at that.
Again, search for the string as we did before. Look what I found:
Follow this value and we end up here. More checks, huh?
00420AFD |. 85C0 TEST EAX,EAX
00420AFF |. 76 25 JBE SHORT VideoCon.00420B26
00420B01 |. 3D 9F860100 CMP EAX,1869F
00420B06 |. 73 1E JNB SHORT VideoCon.00420B26
00420B08 |. 8D86 A8010000 LEA EAX,DWORD PTR DS:[ESI+1A8]
00420B0E |. 8D8E A4010000 LEA ECX,DWORD PTR DS:[ESI+1A4]
00420B14 |. 50 PUSH EAX
00420B15 |. C786 5C5E0300 >MOV DWORD PTR DS:[ESI+35E5C],1
00420B1F |. E8 06590000 CALL <JMP.&MFC42.#858>
00420B24 |. EB 45 JMP SHORT VideoCon.00420B6B
00420B26 |> 8D8E A8010000 LEA ECX,DWORD PTR DS:[ESI+1A8]
00420B2C |. 68 4C724300 PUSH VideoCon.0043724C ; ASCII "(Unregistered)"
As you can see, these jumps lead to the code that adds the "(Unregistered)" string to the title bar. If these jumps are not taken, the code runs until it hits JMP SHORT VideoCon.00420B6B, which jumps to 0x00420B6B and skips the code adding the "(Unregistered)" string to the title bar. Let's NOP these checks:
00420AFD |. 85C0 TEST EAX,EAX
00420AFF |. 76 25 JBE SHORT VideoCon.00420B26
00420B01 |. 3D 9F860100 CMP EAX,1869F
00420B06 |. 73 1E JNB SHORT VideoCon.00420B26
Then test our modifications and save them to a new executable.
We're now no longer prompted for a serial, nor does the '(Unregistered)' string show up. WIN!
Save your changes and give it a final test. We can now finally convert movies longer than 2 minutes (the limit imposed by the trial).
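Both checks patched in this tutorial, the one at 00420835 and the one at 00420AFD, are the same four instructions: TEST EAX,EAX followed by JBE, then CMP EAX,1869F followed by JNB. To make the flag semantics described above concrete, here is a small C model of those four instructions. This is an added example, not code from the original post or from the program; it assumes nothing about how the preceding call computes EAX and only shows which EAX values take the failing jumps and which fall through to the success path. The LIMIT constant is the immediate from the listing (0x1869F); the probe values in main are constructed.

```c
#include <inttypes.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Only the two flags the four instructions in the listing depend on. */
typedef struct {
    bool zf;  /* zero flag: the (discarded) result was 0 */
    bool cf;  /* carry flag: unsigned borrow out of a subtraction */
} flags_t;

/* TEST dst,src: AND the operands, set ZF from the result, clear CF; the
 * result itself is thrown away. TEST EAX,EAX therefore asks "is EAX zero?". */
static flags_t x86_test(uint32_t dst, uint32_t src)
{
    flags_t f;
    f.zf = ((dst & src) == 0);
    f.cf = false;
    return f;
}

/* CMP dst,src: compute dst - src, set ZF when equal and CF when the unsigned
 * subtraction borrows (dst < src); the difference is thrown away. */
static flags_t x86_cmp(uint32_t dst, uint32_t src)
{
    flags_t f;
    f.zf = (dst == src);
    f.cf = (dst < src);
    return f;
}

/* JBE/JNA is taken when CF=1 or ZF=1: unsigned "below or equal". */
static bool jbe_taken(flags_t f) { return f.cf || f.zf; }

/* JNB/JAE is taken when CF=0: unsigned "not below". */
static bool jnb_taken(flags_t f) { return !f.cf; }

/* Immediate from "CMP EAX,1869F" in the listing: 0x1869F = 99999 decimal. */
#define LIMIT 0x1869FU

/* Walk the four instructions for one candidate EAX value. The POP EBP that sits
 * between TEST and JBE in the first listing does not modify flags, so it is
 * left out. Returns true when control reaches the "Register code not correct"
 * branch (004208E5 in the first listing, 00420B26 in the second). */
static bool check_fails(uint32_t eax)
{
    if (jbe_taken(x86_test(eax, eax)))   /* TEST EAX,EAX ; JBE fail  -> taken iff EAX == 0 */
        return true;
    if (jnb_taken(x86_cmp(eax, LIMIT)))  /* CMP EAX,1869F ; JNB fail -> taken iff EAX >= 99999 */
        return true;
    return false;                        /* fell through: the "Registration Successful" path */
}

int main(void)
{
    /* Constructed probe values; they are not serials from the program. */
    const uint32_t probes[] = { 0, 1, 12345, 0x1869E, 0x1869F, 0xFFFFFFFFu };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        printf("EAX=%08" PRIX32 " -> %s\n", probes[i],
               check_fails(probes[i]) ? "jump to fail branch" : "fall through");
    }
    return 0;
}
```

Running the probes shows that the pattern is an unsigned range test: EAX must be non-zero and below 0x1869F (99999) to reach the success path. A value such as 0xFFFFFFFF fails even though it is negative when read as a signed integer, because JBE and JNB consult CF rather than SF/OF; the signed equivalents would be JLE and JGE, and mixing the two up is a classic reversing mistake. It also shows why the NOP patch is enough: once the two conditional jumps are gone, every EAX value falls through. The mirror image holds for developers: when the whole licence decision is two conditional branches over a plaintext result string, a couple of NOPs is all it takes, which is exactly what this tutorial demonstrates.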
There it is, a fully working crack. That wasn't too hard, now was it? As you certainly can tell, this was a very basic example. The point of this guide was for you to get acquainted with a debugger and to get used to the mindset you need when cracking software. Now go ahead and explore the possibilities! I suggest doing some crackmes. Those are programs coded for the sole purpose of being cracked. It's legal and a great way to learn new stuff. A lot of these crackmes can be found here: http://crackmes.de.
Only two tools were needed this time, but some other tools you may want to look into are hex editors, disassemblers and unpackers. Also, note that there are a lot of plug-ins for Immunity Debugger and OllyDbg which can greatly enhance your experience and help out in a number of cases.
If you feel I missed something important or have found a mistake, please let me know. I'll fix it and give you credit of course.
~ Biomechanica
EDIT: Just found this thread: http://www.torrent-invites.com/tutor...l-out-app.html Though a lot of aspects of both tuts are similar, they're not quite the same. Supertorrz's tutorial focuses on so-called 'serial fishing' whereas mine focuses on general cracking/EXE patching. I just wanted to make this clear in case anyone would claim a tutorial like this already exists.
EDIT 2: Changed the code-boxes with quotes, should be more readable now.