CRACKING: THE BASICS (english)


Postby RAD on Fri Sep 01, 2006 3:44 am

This page contains information about cracking. It was written with a purely educational aim, so that readers can understand the practical procedures of cracking. You alone are therefore responsible for the use you make of the information below. RAD

Level: beginner, no knowledge of ASM is required. It is nevertheless preferable to have some notions of programming.
What you need: a lot of patience and perseverance, a brain, a disassembler (W32Dasm), a debugger (SoftICE) and a hexadecimal editor (Hiew is perfect).
Advice: a small book on assembler does not hurt either (for example: ASSEMBLEUR, la découverte pas à pas, Éditions Marabout), because obviously only the most common instructions are detailed below.



Assembler, the necessary basics
Assembler? What does that mean, simply?
Assembler is the programming language closest to the microprocessor: it only offers elementary instructions, so higher-level functions such as displaying a character string do not exist and have to be programmed. Consequently it is very fast to execute. Simply put, assembler = machine language (strictly, assembler is the human-readable mnemonic form of the machine code the processor executes; the disassembler used below turns machine code back into those mnemonics).

Note: in assembler one works in base 16 (hexadecimal) and not in base 10 (decimal).

Registers: AX, CX, DX, EAX, EDI... ???
It is not necessary to know all the registers to crack; knowing the most useful ones is enough, but all the types of registers are listed here. Registers are memory locations inside the microprocessor; they are split into 4 categories:

Segment registers (not developed here, have a look in a book if you want more information ;=)
Working registers
Offset registers
The FLAG register
Working registers:
They come in different "sizes": 8 bits, 16 bits and 32 bits.
EAX is a 32-bit register, AX a 16-bit one, AL and AH two 8-bit registers.
AX is the "low" part of EAX, AH the high part of AX (H = High) and AL the low part of AX (L = Low),
so when EAX=1234abcd, AX=abcd, AL=cd and AH=ab.
16-bit registers = AX, BX, CX, DX
32-bit registers = EAX, EBX, ...
note: the 32-bit registers always begin with an E
In general, AX is used for arithmetic operations, CX as a counter and DX for data.

Offset registers:
SI = used with character strings (source index)
DI = used in operations on character strings (destination index)
IP = register pointing to the next instruction to execute; it is therefore not directly modifiable
BP = used to access data on the stack
SP = together with SS, points to the last elements pushed on the stack (the top of the stack)
Their 32-bit forms are ESI, EDI, EIP, EBP and ESP; the listings below use ESP, since a 32-bit Windows program is being analysed.

The FLAG register:
It is a 16-bit register (32 bits, called EFLAGS, on 32-bit processors), but its value as a whole has no meaning, because it is handled bit by bit. The FLAG register is very useful for instructions performing a test or a comparison (in short, every instruction needing a condition uses the FLAG register). To simplify, here is a small summary table:

bit   Meaning            abbreviation
0     Carry              CF
2     Parity             PF
4     Auxiliary carry    AF
6     Zero               ZF
7     Sign               SF
8     Trap               TF
9     Interrupt          IF
10    Direction          DF
11    Overflow           OF

Bits 1, 3, 5, 12, 13, 14 and 15 of the register are reserved or not needed here.

Instructions in ASM:
Only the most common ASM instructions are listed here: CALL, CMP, JMP, JZ, JNZ, JG..., MOV
Abbreviations used: reg = register, mem = a memory address, val = a hexadecimal value


CALL:
syntax:
call mem
action:
Call forces the microprocessor to execute the instructions of the subroutine at address "mem" before continuing (the return address is pushed on the stack, and the subroutine's final RET pops it to come back).

CMP:
syntax:
cmp reg, val
cmp mem, val
cmp mem, reg
cmp reg, mem
cmp reg, reg
action:
Cmp compares the right operand with the left one (i.e. cmp A,B computes A-B, then sets the flags from the result; the result itself is discarded).
Cmp changes the flags (the FLAG register).

JMP:
syntax:
jmp reg
jmp val
action:
jmp performs an unconditional jump, so the next instruction executed is at CS:reg or CS:val

MOV:
syntax:
mov reg, val
mov mem, val
mov reg, mem
mov mem, reg
mov reg, reg
action:
Mov copies the content of the right operand into the left operand. No flag is modified (the FLAG register is untouched).

Conditional jumps (JE, JNE...):
Conditional jumps are based on the value of the flags, which is why they are generally found right after a CMP (or a TEST). There are 3 groups of conditional jumps: tests of individual flags, tests on unsigned numbers and tests on signed numbers.

Flag tests
Instruction   condition   action
JZ            ZF=1        jump if zero
JE            ZF=1        jump if equal
JNZ           ZF=0        jump if not zero
JNE           ZF=0        jump if not equal
JC            CF=1        jump if carry
JNC           CF=0        jump if not carry
JS            SF=1        jump if sign
JNS           SF=0        jump if not sign
JO            OF=1        jump if overflow
JNO           OF=0        jump if not overflow




Unsigned number tests (after cmp A,B)
Instruction          condition        action
JNBE or JA           CF=0 and ZF=0    jump if above (A>B)
JNB or JAE or JNC    CF=0             jump if above or equal (A>=B)
JBE or JNA           CF=1 or ZF=1     jump if not above (A<=B)
JB or JNAE or JC     CF=1             jump if below (A<B)
JE or JZ             ZF=1             jump if zero (A=B)
JNE or JNZ           ZF=0             jump if not zero (A<>B)




Signed number tests (after cmp A,B)
Instruction    condition           action
JG or JNLE     ZF=0 and SF=OF      jump if greater (A>B)
JGE or JNL     SF=OF               jump if greater or equal (A>=B)
JLE or JNG     ZF=1 or SF<>OF      jump if less or equal (A<=B)
JL or JNGE     SF<>OF              jump if less (A<B)
JE or JZ       ZF=1                jump if zero
JNE or JNZ     ZF=0                jump if not zero


ADD, SUB, OR, XOR, AND, ROL...: instructions whose names are clear enough (see your book ;). One more that appears in the listings below: TEST, which computes an AND of its two operands like AND does but keeps only the flags, so test eax, eax sets ZF=1 exactly when eax is 0; a je/jne right after it therefore branches on "is the result zero?".
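To make the flag semantics in these tables concrete, here is an added worked example in C (not part of the original post): it computes the flags that CMP and TEST leave in EFLAGS for two 32-bit operands, decides whether each conditional jump of the tables would be taken, and shows the signed/unsigned divergence on 80000000h versus 1 (below as a signed number, above as an unsigned one). The cdq_abs function reproduces the cdq / xor / sub idiom that appears in the nag-screen listing of the 4th step; the function names and operand values are the example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* The four flags the conditional jumps of the tables depend on. */
struct flags { int cf, zf, sf, of; };

/* CMP a,b : computes a - b and keeps only the flags (the result is discarded). */
struct flags cmp32(uint32_t a, uint32_t b) {
    struct flags f;
    uint32_t r = a - b;
    f.cf = (a < b);                            /* unsigned borrow out of bit 31 */
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;                      /* sign bit of the result */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;    /* signed overflow: a, b of opposite sign and result sign != a */
    return f;
}

/* TEST a,b : computes a & b, clears CF and OF, sets ZF and SF from the result. */
struct flags test32(uint32_t a, uint32_t b) {
    struct flags f = {0, 0, 0, 0};
    uint32_t r = a & b;
    f.zf = (r == 0);
    f.sf = (r >> 31) & 1;
    return f;
}

static int one_of(const char *mn, const char *a, const char *b, const char *c) {
    return !strcmp(mn, a) || (b && !strcmp(mn, b)) || (c && !strcmp(mn, c));
}

/* 1 if the conditional jump named mn is taken with flags f, 0 if not, -1 for an unknown mnemonic. */
int jcc_taken(const char *mn, struct flags f) {
    /* single-flag tests */
    if (one_of(mn, "jz", "je", 0))        return f.zf;
    if (one_of(mn, "jnz", "jne", 0))      return !f.zf;
    if (one_of(mn, "js", 0, 0))           return f.sf;
    if (one_of(mn, "jns", 0, 0))          return !f.sf;
    if (one_of(mn, "jo", 0, 0))           return f.of;
    if (one_of(mn, "jno", 0, 0))          return !f.of;
    /* unsigned comparisons: CF is the borrow of a - b */
    if (one_of(mn, "jc", "jb", "jnae"))   return f.cf;
    if (one_of(mn, "jnc", "jae", "jnb"))  return !f.cf;
    if (one_of(mn, "ja", "jnbe", 0))      return !f.cf && !f.zf;
    if (one_of(mn, "jbe", "jna", 0))      return f.cf || f.zf;
    /* signed comparisons: SF != OF means the mathematical result was negative */
    if (one_of(mn, "jl", "jnge", 0))      return f.sf != f.of;
    if (one_of(mn, "jge", "jnl", 0))      return f.sf == f.of;
    if (one_of(mn, "jle", "jng", 0))      return f.zf || f.sf != f.of;
    if (one_of(mn, "jg", "jnle", 0))      return !f.zf && f.sf == f.of;
    return -1;
}

/* cdq / xor eax,edx / sub eax,edx : the compiler's branch-free abs() seen in the nag-screen listing.
 * Done in unsigned arithmetic like the CPU does; abs(INT32_MIN) wraps back to INT32_MIN. */
int32_t cdq_abs(int32_t eax) {
    uint32_t e = (uint32_t)eax;
    uint32_t edx = (eax < 0) ? 0xFFFFFFFFu : 0u;   /* cdq: sign-extend eax into edx */
    e ^= edx;                                      /* xor eax, edx */
    e -= edx;                                      /* sub eax, edx : (x ^ -1) - (-1) == -x */
    return (int32_t)e;
}

int main(void) {
    const char *jumps[] = {"jb", "ja", "jl", "jg", "je"};
    struct flags f = cmp32(0x80000000u, 1u);       /* cmp eax, 1 with eax = 80000000h */
    for (size_t i = 0; i < sizeof jumps / sizeof *jumps; i++)
        printf("cmp 80000000h,1 : %-4s %s\n", jumps[i], jcc_taken(jumps[i], f) ? "taken" : "not taken");
    f = test32(0u, 0u);                             /* test eax, eax with eax = 0 (unregistered) */
    printf("test 0,0 : je %s\n", jcc_taken("je", f) ? "taken" : "not taken");
    printf("abs via cdq idiom: %d\n", (int)cdq_abs(-0x1234));
    return 0;
}
```

Run it and compare with the tables: for 80000000h against 1, ja is taken (unsigned above) while jl is also taken (signed below), which is exactly why a compiler's choice between ja and jg tells you whether a variable is unsigned or signed.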



The necessary software:
As said in the introduction, you need 3 programs:

a disassembler: W32Dasm 8.93
a debugger: SoftICE 3.25 from NuMega
a hexadecimal editor: Hiew 6.04
W32Dasm 8.93 and Hiew 6.04 are very easy to use. SoftICE, on the other hand, needs a small tutorial ;=).
Once SoftICE is installed, reboot your computer (your autoexec.bat file has been modified, that is normal). Back in Windows, press CTRL+D and you switch to debugger mode; to return to Windows press CTRL+D again.

Keys to know:
F1 = help, equivalent to typing help on the command line
F2 = shows/hides the register window
F4 = returns to Windows but execution stays stopped (a snapshot of the screen)
F5 = returns to Windows, equivalent to CTRL+D
F7 = executes the instructions up to the place where the cursor is
F8 = traces the program (step by step, entering calls)
F9 = in the code window: sets/clears a breakpoint on the current instruction
F10 = step by step, but does not enter calls
F12 = leaves the Windows DLL being executed and returns to debugging the program under debug (runs until the current function returns)

Command-line instructions:
D reg, D mem...: display the memory contents
E mem: edit memory
S mem: search memory
R: modify the registers
wx, wc, wl, wd: show/hide windows, try them ;=)

Breakpoints:
Breakpoints are stopping points that you set; when SoftICE hits a breakpoint (BP) it stops execution and switches to debugger mode.
2 main types of BP:
BPX: BP on execution (e.g. BPX getwindowtexta will stop the program's execution when it calls the API GetWindowTextA)
BPM: BP on a memory address, triggered when it is read or modified

That is roughly how SoftICE works; this page will be completed in the future.

Ready? Then let's go:
Rather than working in the vague and the general, I prefer to do this tutorial on an example. We will therefore deal with the case of CDRLABEL v4.1, which you will find on the author's site: http://www.ziplabel.com/ . Do not forget that cracking a program is illegal, so if you use CDRLABEL v4.1 do not forget to pay its author!
CDRLABEL v4.1 is a small shareware program for quickly creating CDR jackets; like every shareware it is protected by a classic serial number. Several solutions are open to the cracker. The fastest is to manage to recover the S/N the shareware asks for (using SoftICE for that); the second is to patch the program so that it becomes the full version. The latter is by far the worse solution, because it is much longer to put in place, but it is the one we will do, well yes, we are here to learn ;=)
What do we have to do?
In the shareware version, CDRlabel forbids changing the "customize initials" (Spine menu), so we will have to allow it. In addition we must display "Thanks for registering" in the About menu and remove the nag screen that appears randomly when printing a jacket.
To sum up, we must:

allow the change of the "customize initials"
display "thanks for registering"
remove the nag screen
1st step:

Launch CDRlabel and locate what has to be modified. In the SPINE menu "customize initial" is forbidden to us and a message box appears: "sorry ..."; a nag screen appears randomly, it is also a message box; then we have to remove "this program is a shareware ..." in the About box.
Then disassemble CDRlabel with W32Dasm and search the String Data References for the text of the previous message boxes: "sorry ..", "thanks for registering", "this program ..." etc.
Then look at which external functions (the APIs) CDRlabel calls: we notice that it calls MESSAGEBOXA (we will use that with SoftICE).

2nd step: activating "customize initial"

Launch SoftICE (press CTRL+D) and set a BPX on MessageBoxA (type BPX messageboxa). Launch CDRlabel and click on customize initial. SoftICE takes over; you are in the API's code, which we don't care about ;) press F12 to get back into CDRlabel's code. OK, now in the code, you will see this:

ASM code extracted by W32Dasm

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:004134CC FF1590664500 Call dword ptr [ 00456690 ]
:004134D2 E9CA1C0000 jmp 004151A1
:004134D7 8B150C2D4500 mov edx, dword ptr [ 00452D0C ]
:004134DD A1082D4500 mov eax, dword ptr [ 00452D08 ]
:004134E2 8D4C2410 lea ecx, dword ptr [ esp+10 ]
:004134E6 51 push ecx
:004134E7 52 push edx
:004134E8 50 push eax
:004134E9 E8B2B30000 call 0041E8A0
:004134EE 83C40C add esp, 0000000C
:004134F1 85C0 test eax, eax <--- the test
:004134F3 7518 jne 0041350D <--- replace the jne with je to avoid the jump
:004134F5 6A10 push 00000010

* Possible StringData Ref from Data Obj ->"Registration Error"
|
:004134F7 68E0904300 push 004390E0

* Possible StringData Ref from Data Obj ->"Sorry, only registered users may "
->"access this function"
|
:004134FC 68A8904300 push 004390A8
:00413501 53 push ebx

* Reference To: USER32.MessageBoxA, Ord:0195h
|
:00413502 FF15A8664500 Call dword ptr [004566A8] <--- this is where SoftICE takes over
:00413508 E9941C0000 jmp 004151A1

This is where cdrlabel does its test:
:004134F1 85C0 test eax, eax
and depending on the result it branches at :004134F3 7518 jne 0041350D
so it is enough to take the negation of the jne to activate the function: replace the jne with je!
Go back into SoftICE as described above (at the MessageBox) and type:
E 4134f3 (to edit the bytes at address 4134f3)
replace the 75 (jne) with 74 (je)
and go back to cdrlabel: you can now change the initials.

Note: to make the patch you will therefore have to search for the byte string 85 C0 75 18 and replace it with 85 C0 74 18. Check that this sequence occurs only once in the file: test eax, eax followed by a short jne is very common compiler output, so if it appears several times patch by file offset instead (see the 5th step).

3rd step: displaying "Thanks for registering"

For this only the ASM code is used, with the help of the String Data References to locate "thanks for registering". You get the following code:

* Reference To: USER32.SetDlgItemTextA, Ord:01F2h
|
:00403AF0 FF1568664500 Call dword ptr [ 00456668 ]
:00403AF6 6820074400 push 00440720
:00403AFB 56 push esi
:00403AFC E89FE4FFFF call 00401FA0
:00403B01 A10C2D4500 mov eax, dword ptr [ 00452D0C ]
:00403B06 8B0D082D4500 mov ecx, dword ptr [ 00452D08 ]
:00403B0C 83C408 add esp, 00000008
:00403B0F 8D542414 lea edx, dword ptr [ esp+14 ]
:00403B13 52 push edx
:00403B14 50 push eax
:00403B15 51 push ecx
:00403B16 E885AD0100 call 0041E8A0
:00403B1B 83C40C add esp, 0000000C
:00403B1E 85C0 test eax, eax <-- the test ;)
:00403B20 7415 je 00403B37 <-- the jump; it is enough to replace the je (74) with jne (75)

* Possible StringData Ref from Data Obj ->"Thanks for registering!"
|
:00403B22 6804814300 push 00438104
:00403B27 6A00 push 00000000
:00403B29 6A0C push 0000000C

* Possible Reference to Dialog: DialogID_006E, CONTROL_ID:0451, "This program is SHAREWARE, please see th"
|
:00403B2B 6851040000 push 00000451
:00403B30 56 push esi

voilà; for a quick check, edit the jump at 403b20 in SoftICE (E 403b20, 74 -> 75) ;) and try.

4th step: the nag screen

The nag screen is a MessageBox, so to locate it in the ASM code we will use SoftICE.
Set a bpx on messageboxa and click on cdrlabel's print button. SoftICE takes over; press F12 to leave the API. Once back in the code, note the address you are at and switch to W32Dasm.

The BPX on MessageBox pointed at 414b1d, which sends us to 414ae1:


* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00414AE1(C),:00414AF6(C),:00414B1D(C)
|
:00414C3E 6A00 push 00000000
:00414C40 E87B94FFFF call 0040E0C0
:00414C45 83C404 add esp, 00000004
:00414C48 E954050000 jmp 004151A1
:00414C4D 8B0D082D4500 mov ecx, dword ptr [ 00452D08 ]

3 jumps to modify: :00414AE1(C), :00414AF6(C), :00414B1D(C)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00414A9B(C),:00414AB4(C)
|
:00414AC5 8B150C2D4500 mov edx, dword ptr [ 00452D0C ]
:00414ACB A1082D4500 mov eax, dword ptr [ 00452D08 ]
:00414AD0 8D4C2410 lea ecx, dword ptr [ esp+10 ]
:00414AD4 51 push ecx
:00414AD5 52 push edx
:00414AD6 50 push eax
:00414AD7 E8C49D0000 call 0041E8A0
:00414ADC 83C40C add esp, 0000000C
:00414ADF 85C0 test eax, eax
:00414AE1 0F8557010000 jne 00414C3E <-- the first jump
:00414AE7 E8E4790100 call 0042C4D0
:00414AEC 99 cdq
:00414AED 33C2 xor eax, edx
:00414AEF 2BC2 sub eax, edx
:00414AF1 3DAA2A0000 cmp eax, 00002AAA
:00414AF6 0F8C42010000 jl 00414C3E <-- the second jump
:00414AFC 8B0D803E4500 mov ecx, dword ptr [ 00453E80 ]
:00414B02 6A23 push 00000023

* Possible StringData Ref from Data Obj ->"Unregistered User"
|
:00414B04 68FC874300 push 004387FC

* Possible StringData Ref from Data Obj ->"cdrLabel is shareware. Would "
->"you like registration information?"
|
:00414B09 68B8874300 push 004387B8
:00414B0E 51 push ecx
:00414B0F FFD6 call esi
:00414B11 83F802 cmp eax, 00000002
:00414B14 0F8487060000 je 004151A1
:00414B1A 83F807 cmp eax, 00000007
:00414B1D 0F841B010000 je 00414C3E <-- the third jump
:00414B23 8B2D803E4500 mov ebp, dword ptr [ 00453E80 ]

And voilà, we proceed in the same way: replace each conditional jump by its negation: je->jne, jne->je, jl->jnl.
Two remarks on this listing. The first jump (jne 00414C3E after test eax, eax) is the registration check: it is the same call 0041E8A0, with the same two arguments from 00452D0C and 00452D08, as in the two previous steps, and for an unregistered user eax is 0, so once it is inverted into je the two other jumps are never reached on the unregistered path. The sequence call 0042C4D0 / cdq / xor eax, edx / sub eax, edx is the compiler's idiom for abs() of the value the call returns (cdq sign-extends eax into edx, then xor and sub with that sign mask negate a negative value), which is what makes the nag random: it is skipped only when that absolute value is below 2AAAh.

5th step: permanent modification of the EXE with Hiew 6.04

Good, with SoftICE we modified the jumps, but only temporarily: if cdrlabel is closed and restarted the jumps no longer work ;(.
Summary: we need to patch at:

4134F3 offset: 128F3
403B20 offset: 02F20
414AE1 offset: 13EE1
414AF6 offset: 13EF6
414B1D offset: 13F1D
Note: to get the offset value, point at the address in W32Dasm; the offset is written at the very bottom (in the status bar). The three jumps of the 4th step are near jumps encoded on two opcode bytes (0F 85, 0F 8C, 0F 84), so at those offsets the byte to change is the second one (85->84, 8C->8D, 84->85), not the 0F.

First launch Hiew 6.04 and open the exe file. Once the exe is open, press F4 then F3 to display the exe in ASM. Then press F5 (goto) and enter the offset you want to modify. When you are on the offset to modify, edit it with the F3 key, then save with F9 (Update). And there you go ;)

6th step: creating the patch! Finally!!

We will use Byte Hunter 2.0 here. Launch BH (run make.bat). Fill in the text fields (Title and Cracked by), then enter the name of the exe to crack, the hex strings to modify and the modified hex strings.
Example:
For "Thanks for registering", the hex string to modify is: 85 C0 74 15; it has to be replaced by 85 C0 75 15.
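As an added worked example (not part of the original post, and not Byte Hunter's code), the C program below does what the 5th and 6th steps do by hand: it converts the virtual addresses W32Dasm shows into file offsets, negates a conditional jump in place whether it is the short (7x) or the near (0F 8x) form, and applies a search-and-replace patch only when the byte pattern is unique in the file. The section constants are deduced from the five address/offset pairs listed above (each pair differs by 400C00h, i.e. an image base of 400000h and a .text section with virtual address 1000h and raw pointer 400h); they are an assumption about cdrlabel.exe's layout, and the byte image is a constructed stand-in that contains only the sequences quoted in the listings, not the real file.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* PE layout inferred from the VA/offset pairs of the 5th step (assumption, not read from a real file). */
#define IMAGE_BASE 0x400000u
#define TEXT_VA    0x1000u   /* .text VirtualAddress   */
#define TEXT_RAW   0x400u    /* .text PointerToRawData */

/* Converts a virtual address inside .text to a file offset; -1 if it is below the section. */
long va_to_offset(uint32_t va) {
    if (va < IMAGE_BASE + TEXT_VA) return -1;
    return (long)(va - IMAGE_BASE - TEXT_VA + TEXT_RAW);
}

/* Negates the conditional jump starting at off. Short Jcc (7x) and near Jcc (0F 8x) both pair
 * each condition with its complement by flipping bit 0 of the condition byte
 * (74 je <-> 75 jne, 7C jl <-> 7D jnl, 0F 85 jne <-> 0F 84 je, ...).
 * Returns 0 on success, -1 if the bytes there are not a conditional jump. */
int negate_jcc_at(uint8_t *img, size_t len, long off) {
    if (off < 0 || (size_t)off + 2 > len) return -1;
    uint8_t *p = img + off;
    if ((p[0] & 0xF0) == 0x70) { p[0] ^= 1; return 0; }                 /* short Jcc rel8  */
    if (p[0] == 0x0F && (p[1] & 0xF0) == 0x80) { p[1] ^= 1; return 0; } /* near Jcc rel32  */
    return -1;
}

/* Counts occurrences of a byte pattern in the image. */
size_t count_pattern(const uint8_t *img, size_t len, const uint8_t *pat, size_t n) {
    size_t hits = 0;
    for (size_t i = 0; n && i + n <= len; i++)
        if (memcmp(img + i, pat, n) == 0) hits++;
    return hits;
}

/* Byte Hunter style search-and-replace, but refusing to patch unless the pattern is unique:
 * "85 C0 75 18" is ordinary compiler output and may occur elsewhere in a real binary.
 * Returns 1 if patched, 0 if the pattern was absent or ambiguous. */
int patch_unique(uint8_t *img, size_t len, const uint8_t *from, const uint8_t *to, size_t n) {
    if (count_pattern(img, len, from, n) != 1) return 0;
    for (size_t i = 0; i + n <= len; i++)
        if (memcmp(img + i, from, n) == 0) { memcpy(img + i, to, n); return 1; }
    return 0;
}

/* Constructed stand-in for cdrlabel.exe: zero-filled, with only the quoted byte sequences
 * placed at the offsets the listings imply. */
static uint8_t image[0x14000];

uint8_t image_byte(long off) { return image[off]; }

static void place(uint32_t va, const uint8_t *b, size_t n) { memcpy(image + va_to_offset(va), b, n); }

/* Rebuilds the stand-in image and negates the five jumps by virtual address.
 * Returns how many of them were patched (5 when everything lines up). */
int demo_patch_all(void) {
    static const uint8_t t1[] = {0x85,0xC0,0x75,0x18};                                   /* 004134F1 test / jne */
    static const uint8_t t2[] = {0x85,0xC0,0x74,0x15};                                   /* 00403B1E test / je  */
    static const uint8_t t3[] = {0x85,0xC0,0x0F,0x85,0x57,0x01,0x00,0x00};               /* 00414ADF test / jne */
    static const uint8_t t4[] = {0x3D,0xAA,0x2A,0x00,0x00,0x0F,0x8C,0x42,0x01,0x00,0x00}; /* 00414AF1 cmp / jl   */
    static const uint8_t t5[] = {0x83,0xF8,0x07,0x0F,0x84,0x1B,0x01,0x00,0x00};          /* 00414B1A cmp / je   */
    static const uint32_t jumps[] = {0x4134F3, 0x403B20, 0x414AE1, 0x414AF6, 0x414B1D};
    int patched = 0;

    memset(image, 0, sizeof image);
    place(0x4134F1, t1, sizeof t1);
    place(0x403B1E, t2, sizeof t2);
    place(0x414ADF, t3, sizeof t3);
    place(0x414AF1, t4, sizeof t4);
    place(0x414B1A, t5, sizeof t5);

    for (size_t i = 0; i < sizeof jumps / sizeof *jumps; i++) {
        long off = va_to_offset(jumps[i]);
        if (negate_jcc_at(image, sizeof image, off) == 0) {
            printf("%08X -> offset %05lX patched\n", (unsigned)jumps[i], off);
            patched++;
        }
    }
    return patched;
}

int main(void) {
    printf("%d jumps patched\n", demo_patch_all());
    return 0;
}
```

Patching by offset with negate_jcc_at is the safe route when the same test/jump bytes occur more than once; patch_unique is the pattern route of the 6th step with the uniqueness check a patcher should have, and it refuses rather than guess when the pattern is ambiguous.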

RAD :twisted: :roll:
