Training session 7: Program Cracking
Difficulty: Medium
Learn how to crack a simple program
Creator: m101


First download the following tools and the target program HERE

Win32DASM
Hackers View

First thing to do is run samctrl2.exe and find out what it does and what type of protection it has. You should find it is a commercial keylogger that uses a serial protection scheme. So go to 'Register', type a bogus code into the field such as 'm101 0wnz j00', press Register and see what happens:

Window Title: No valid registration code entered!

Window Contents: Wrong registration code entered.

So now close SAM and make a copy of it called samctrl2.exx. You do this so that if we make a mistake we can just replace the file and it is back to normal.

Now open up Win32DASM. Go to Disassembler >> Open File to Disassemble and then open samctrl2.exx

The program should load without any errors. Now go to Refs >> String Data References and scroll down the list until you reach the window contents we retrieved earlier, "Wrong registration code entered." Double-click this message and close the dialog box. You should see the message on the screen; if not, go back and do it again.

You have now found the error message saying your registration code is incorrect, scroll up a bit and you should see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00405548
|
:00405563 6A30 push 00000030

* Possible StringData Ref from Data Obj - >"No valid registration code entered "


Notice that 00405548 is the address of the jump that leads to our little error. So scroll up until you get to 00405548.

Now just by looking at this we see that it compares two values with 'cmp' and, if they are not equal, 'jne' sends us to our little message. But if you read the dialog messages below, it says "You registered me already.... Thanks ", so this is obviously not what we are after. Scroll up a bit and you will notice two references, 004054A1(C) and 004054BB(C).

The (C) tells us it was a conditional jump; in other words it compared two values and, depending on the result, sent us to this message. So scroll up to the first jump, at 004054A1:


:00405499 FF1588904000 Call dword ptr [00409088]
:0040549F 85C0 test eax, eax
:004054A1 0F8594000000 jne 0040553B
:004054A7 8B8DA4FDFFFF mov ecx, dword ptr [ebp+FFFFFDA4]
:004054AD 81C15C010000 add ecx, 0000015C
:004054B3 E8E8CEFFFF call 004023A0
:004054B8 83F809 cmp eax, 00000009
:004054BB 7E7E jle 0040553B
:004054BD 6A40 push 00000040

* Possible StringData Ref from Data Obj ->"Registration"
|
:004054BF 68C0C94000 push 0040C9C0

* Possible StringData Ref from Data Obj ->"SAM is now successfully registered "
->"- Thank you ! "


Now take a look at the two jumps. The first is a simple 'test' followed by a jump if the test fails ('jne'), and the second compares the length of the string to see if it is larger than nine characters ('cmp eax, 9' then 'jle'), so we have to patch both of them. Put the green bar in Win32DASM over 004054A1 and look down in the status bar; you should see @offset 000048A1h

The 'h' in 000048A1h means hexadecimal, so ignore it. Open up Hiew (Hackers View) and open samctrl2.exe

Press F4 then F3 to get into ASM mode. Press F5 and type in 000048A1. You should see the line you saw in Win32DASM:

0F8594000000 jne 0040553B

Ok, now the '0F85' is the opcode for 'jne' and the '94000000' is the displacement, a little-endian 32-bit value of 94h, which tells the CPU to jump 94h bytes forward from the end of this instruction (to 0040553B). Of course this isn't what we want, so press F3 and change that line to:

0F8500000000 jne 004054A7

Notice that the new address to jump to is now the following line, so the jump does nothing whether or not it is taken and that check has been defeated. But we still have the problem that it checks the size of the code entered, so just do the same thing for this jump:

7E7E jle 0040553B

Change to:

7E00 jle 004054BD

Press F9 to save the changes and then F10 to quit.

Now if you have followed the steps correctly you should now be able to enter any serial into SAM and it should accept it!
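The walkthrough above hinges on one encoding rule: the bytes after a jump opcode are a signed displacement measured from the end of the jump instruction, so 0F85 94000000 at 004054A1 lands at 004054A1 + 6 + 94h = 0040553B, and a displacement of zero lands on the very next instruction. The following Python script is an added example, not part of the original tutorial or of SAM itself: it decodes the short (7x cb, EB cb, E3 cb) and near (0F 8x cd, E9 cd) jump encodings from the tables below, computes their targets, and flags zero-displacement conditional jumps, which are exactly the artifact the two patches in this session leave behind and which almost never appear in compiler output. The sample bytes are transcribed from the listing at 004054A1 through 004054BE shown above; the function names and the scan heuristic are this example's own.

```python
# Added example (not from the original tutorial): decode the x86 jump encodings
# used in the walkthrough and show why a zero displacement is a no-op jump.
import struct

# Short conditional jumps, opcode 70h..7Fh. The near forms 0F 80h..0F 8Fh use
# the same low nibble for the same condition. One mnemonic per opcode; JZ/JE,
# JNZ/JNE, JC/JB and so on are aliases of the same encoding.
SHORT_JCC = {
    0x70: "JO",  0x71: "JNO", 0x72: "JB",  0x73: "JAE",
    0x74: "JE",  0x75: "JNE", 0x76: "JBE", 0x77: "JA",
    0x78: "JS",  0x79: "JNS", 0x7A: "JP",  0x7B: "JNP",
    0x7C: "JL",  0x7D: "JGE", 0x7E: "JLE", 0x7F: "JG",
}


def decode_jump(address, code):
    """Decode one jump at code[0], located at `address` in the image.

    Returns (mnemonic, length, target). The displacement is signed and is
    relative to the END of the jump instruction, which is why
    0F85 94000000 at 004054A1 targets 004054A1 + 6 + 94h = 0040553B.
    """
    op = code[0]
    if op in SHORT_JCC:                                  # 7x cb
        mnem, length = SHORT_JCC[op], 2
        disp = struct.unpack_from("<b", code, 1)[0]
    elif op == 0xEB:                                     # EB cb: JMP rel8
        mnem, length = "JMP", 2
        disp = struct.unpack_from("<b", code, 1)[0]
    elif op == 0xE3:                                     # E3 cb: JECXZ in 32-bit code
        mnem, length = "JECXZ", 2
        disp = struct.unpack_from("<b", code, 1)[0]
    elif op == 0xE9:                                     # E9 cd: JMP rel32
        mnem, length = "JMP", 5
        disp = struct.unpack_from("<i", code, 1)[0]
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:         # 0F 8x cd: Jcc rel32
        mnem, length = SHORT_JCC[0x70 | (code[1] & 0x0F)], 6
        disp = struct.unpack_from("<i", code, 2)[0]
    else:
        raise ValueError("opcode %02X is not a jump handled here" % op)
    target = (address + length + disp) & 0xFFFFFFFF
    return mnem, length, target


def is_noop_jump(address, code):
    """True when the jump lands on the instruction right after itself.

    Such a jump does nothing whichever way the condition resolves. It is what
    the 0F8500000000 and 7E00 patches in the tutorial produce, and because
    compilers do not emit it, it is a useful indicator that code was patched.
    """
    _, length, target = decode_jump(address, code)
    return target == address + length


def scan_noop_jumps(base, code):
    """Linear byte scan for zero-displacement conditional jumps.

    This is a byte-pattern match, not a disassembler: immediates or data that
    happen to look like '7x 00' or '0F 8x 00 00 00 00' will also match, so
    treat hits as candidates to confirm in a disassembler, not as proof.
    """
    hits = []
    for i in range(len(code)):
        b = code[i]
        if b in SHORT_JCC and i + 1 < len(code) and code[i + 1] == 0:
            hits.append((base + i, SHORT_JCC[b]))
        elif (b == 0x0F and i + 5 < len(code) and 0x80 <= code[i + 1] <= 0x8F
              and code[i + 2:i + 6] == b"\x00\x00\x00\x00"):
            hits.append((base + i, SHORT_JCC[0x70 | (code[i + 1] & 0x0F)]))
    return hits


# Bytes transcribed from the tutorial's listing at 004054A1..004054BE, first as
# shipped and then with the two displacement patches from the session applied.
BASE = 0x004054A1
ORIGINAL = bytes.fromhex(
    "0F8594000000" "8B8DA4FDFFFF" "81C15C010000" "E8E8CEFFFF" "83F809" "7E7E" "6A40")
PATCHED = bytes.fromhex(
    "0F8500000000" "8B8DA4FDFFFF" "81C15C010000" "E8E8CEFFFF" "83F809" "7E00" "6A40")

if __name__ == "__main__":
    for name, blob in (("original", ORIGINAL), ("patched", PATCHED)):
        mnem, _, target = decode_jump(BASE, blob)
        flagged = ["%08X %s" % hit for hit in scan_noop_jumps(BASE, blob)]
        print("%s: first jump is %s -> %08X; no-op jumps: %s" % (name, mnem, target, flagged))
```

Run as-is it reports the original jne targeting 0040553B with nothing flagged, and the patched copy's jne targeting 004054A7 with both patched jumps flagged. The same decoder, pointed at the 7E7E at 004054BB, gives 004054BB + 2 + 7Eh = 0040553B, confirming both original jumps share the failure target shown in the listing.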

The following is a list of different jumps and what they mean:



JCC - Jump if Condition Is Met
77 cb		JA rel8			Jump short if above (CF=0 and ZF=0)
73 cb		JAE rel8		Jump short if above or equal (CF=0)
72 cb		JB rel8			Jump short if below (CF=1)
76 cb		JBE rel8		Jump short if below or equal (CF=1 or ZF=1)
72 cb		JC rel8			Jump short if carry (CF=1)
E3 cb		JCXZ rel8		Jump short if CX register is 0
E3 cb		JECXZ rel8		Jump short if ECX register is 0
74 cb		JE rel8			Jump short if equal (ZF=1)
7F cb		JG rel8			Jump short if greater (ZF=0 and SF=OF)
7D cb		JGE rel8		Jump short if greater or equal (SF=OF)
7C cb		JL rel8			Jump short if less (SF<>OF)
7E cb		JLE rel8		Jump short if less or equal (ZF=1 or SF<>OF)
76 cb		JNA rel8		Jump short if not above (CF=1 or ZF=1)
72 cb		JNAE rel8		Jump short if not above or equal (CF=1)
73 cb		JNC rel8		Jump short if not carry (CF=0)
75 cb		JNE rel8		Jump short if not equal (ZF=0)
7E cb		JNG rel8		Jump short if not greater (ZF=1 or SF<>OF)
7C cb		JNGE rel8		Jump short if not greater or equal (SF<>OF)
7D cb		JNL rel8		Jump short if not less (SF=OF)
7F cb		JNLE rel8		Jump short if not less or equal (ZF=0 and SF=OF)
71 cb		JNO rel8		Jump short if not overflow (OF=0)
7B cb		JNP rel8		Jump short if not parity (PF=0)
79 cb		JNS rel8		Jump short if not sign (SF=0)
75 cb		JNZ rel8		Jump short if not zero (ZF=0)
70 cb		JO rel8			Jump short if overflow (OF=1)
7A cb		JP rel8			Jump short if parity (PF=1)
7A cb		JPE rel8		Jump short if parity even (PF=1)
7B cb		JPO rel8		Jump short if parity odd (PF=0)
78 cb		JS rel8			Jump short if sign (SF=1)
74 cb		JZ rel8			Jump short if zero (ZF=1)


0F 87 cw/cd	JA rel16/32		Jump near if above (CF=0 and ZF=0)
0F 83 cw/cd	JAE rel16/32		Jump near if above or equal (CF=0)
0F 82 cw/cd	JB rel16/32		Jump near if below (CF=1)
0F 86 cw/cd	JBE rel16/32		Jump near if below or equal (CF=1 or ZF=1)
0F 82 cw/cd	JC rel16/32		Jump near if carry (CF=1)
0F 84 cw/cd	JE rel16/32		Jump near if equal (ZF=1)
0F 8F cw/cd	JG rel16/32		Jump near if greater (ZF=0 and SF=OF)
0F 8D cw/cd	JGE rel16/32		Jump near if greater or equal (SF=OF)
0F 8C cw/cd	JL rel16/32		Jump near if less (SF<>OF)
0F 8E cw/cd	JLE rel16/32		Jump near if less or equal (ZF=1 or SF<>OF)
0F 86 cw/cd	JNA rel16/32		Jump near if not above (CF=1 or ZF=1)
0F 82 cw/cd	JNAE rel16/32		Jump near if not above or equal (CF=1)
0F 83 cw/cd	JNB rel16/32		Jump near if not below (CF=0)
0F 87 cw/cd	JNBE rel16/32		Jump near if not below or equal (CF=0 and ZF=0)
0F 83 cw/cd	JNC rel16/32		Jump near if not carry (CF=0)
0F 85 cw/cd	JNE rel16/32		Jump near if not equal (ZF=0)
0F 8E cw/cd	JNG rel16/32		Jump near if not greater (ZF=1 or SF<>OF)
0F 8C cw/cd	JNGE rel16/32		Jump near if not greater or equal (SF<>OF)
0F 8D cw/cd	JNL rel16/32		Jump near if not less (SF=OF)
0F 8F cw/cd	JNLE rel16/32		Jump near if not less or equal (ZF=0 and SF=OF)
0F 81 cw/cd	JNO rel16/32		Jump near if not overflow (OF=0)
0F 8B cw/cd	JNP rel16/32		Jump near if not parity (PF=0)
0F 89 cw/cd	JNS rel16/32		Jump near if not sign (SF=0)
0F 85 cw/cd	JNZ rel16/32		Jump near if not zero (ZF=0)
0F 80 cw/cd	JO rel16/32		Jump near if overflow (OF=1)
0F 8A cw/cd	JP rel16/32		Jump near if parity (PF=1)
0F 8A cw/cd	JPE rel16/32		Jump near if parity even (PF=1)
0F 8B cw/cd	JPO rel16/32		Jump near if parity odd (PF=0)
0F 88 cw/cd	JS rel16/32		Jump near if sign (SF=1)
0F 84 cw/cd	JZ rel16/32		Jump near if 0 (ZF=1)




JMP - Jump
EB cb		JMP rel8		Jump short, relative, displacement rel to next instruct
E9 cw		JMP rel16		Jump near, relative, displacement rel to next instruct
E9 cd		JMP rel32		Jump near, relative, displacement rel to next instruct
FF /4		JMP r/m16		Jump near, absolute indirect, address given in r/m16
FF /4		JMP r/m32		Jump near, absolute indirect, address given in r/m32
EA cd		JMP ptr16:16		Jump far, absolute, address given in operand
EA cp		JMP ptr16:32		Jump far, absolute, address given in operand
FF /5		JMP m16:16		Jump far, absolute indirect, address given in m16:16
FF /5		JMP m16:32		Jump far, absolute indirect, address given in m16:32