Post by £åߥ®Ñth on Jan 25, 2008 0:35:40 GMT -5
Ok, you have seen the small cracking tutorials.
Well, now I will show you how the basic cracking tutorials pay off in reversing a real application.
*This is not a 100% complete step-by-step cracking tutorial.
It is a start, just to show how the basic things you learn in crackmes will apply to real-world applications.
You will still have a nag screen on startup. And you will have to do a reg every time you open the file.
So technically there is no release of a crack to get anyone into trouble. But it is sort of a slap in the face to the programmers of this application.
Tools:
Ollydbg
Windows Calculator
--------------------------------------------------------------------------------------
When you run fragMOTION you will see a tooltip popup from time to time. "see the image"
Also you can see here we have a message telling us we failed at registering.
So let's now pop open this application in Olly.
Right click the screen once it is loaded and select search for all referenced strings. "see image"
Once it finds all the strings, right click again and select search for text. "see image"
Remember our message box? "Registration Failed"
Well, let's see if we can find the word "Registration".
Well, look what we found. Seems familiar to the way we do some crackmes, doesn't it? That's the point!
Now click "Registration Failed" and hit F2. This will set a break point on that.
Now go to the CPU window in Olly.
Hit F9 or the play button. We will break on our instruction.
* I set a break point on both. But it will only break on the one that comes first and that will be the badboy. Now by looking you can see that this instruction is jumped to from something above all of this.
Let's scroll up and see where it has come from.
Ah yes, a conditional jump leading to the badboy.
Double click on this jump instruction and we will edit it to JNZ.
Jump if Not Zero instead of Jump if Equal.
Now after this instruction has been patched we can step into the code here and watch it approach our message boxes.
Notice the line is grayed out. It means the jump is not taken.
Now the message box of the good boy is displayed for us.
This one conditional has made the program stop displaying the tooltip nag and the countdown nag you saw on startup of the application.
Now let's look in the About menu.
Well look at that crap. It says it is a demo and has 14 days left.
So the jump we corrected just got rid of the annoyance of popup nag boxes and tooltip. But it looks like the program will expire still.
Load up Olly once again. Do a string reference search for "Demo".
Surely the programmer would not allow this to be there right?
Wow! Not only is it there, we see the Registered message too!
But that's not the coolest part. What's the %d in the message?
Could this be where the days are kept? If this is so, we can make it have as many as we want, so it would never expire!
Well hell, let's just do that so we can see if it can be done or not!
Hit F2 on the Message saying "Demo (%d days remaining)"
Run the program in olly, and go open the about menu.
*I set a break on Registered message as well.
Ok now look right about where we broke.
Looks interesting, doesn't it! Push EAX <%d>
Set a break on that by hitting F2 and reset the app and run it again.
Go to the about menu, and we break. Right on Push EAX
What's this? It says D and a number 13.
I think we found our days. Also look in the little window under the instructions in the image. You see EAX = 0000000D
What is that?
Well let me start by saying that the EAX register holds the days.
D in hexadecimal is 13 in decimal. "See images"
Image D hexa:
Image 13 dec:
OK, let's modify it then. Right-click in the window and select Modify register.
You will see a box like this.
Change it to this. Thus giving us a ridiculous amount of evaluation days.
Did it work? Wow the application has gone mad!
Well, now let's just fix it instead of playing with the days.
Go back to where you can see the Registered string reference.
Set a break on the conditional jump above your message.
Run the application.
Yep, we break. This tells us that this jump controls whether it says registered or shows days remaining.
Now double click the instruction to make the correction.
We now see the jump is not happening, which will bring us to the good boy.
And there you have it!
It says registered, there will be no nags/popups. And you know you can make the evaluation give you unlimited days. I hope you had fun walking through this with me. Hope you learned a few things.
I'm not a pro, just learning to reverse things just like you are.
Surely there are numerous ways to do this. But that's part of it, learning what you can do with it. Have fun...
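The jump patch in the post, shown at the byte level as an added example. This is not part of the original post and not code from fragMOTION: the instruction bytes in SNIPPET are a constructed crackme-style check laid out like the post's "badboy" pattern, and run() is a toy emulator that only knows the handful of instructions that snippet uses. What it demonstrates is what OllyDbg's assembler actually changes when you double-click a JE and type JNZ: the condition code lives in the low nibble of the opcode, and flipping its lowest bit gives the complementary condition, for both the short (0x74 rel8) and near (0F 84 rel32) forms.

```python
"""x86 conditional-jump inversion, the byte-level view of "edit it to JNZ".

Added example; not from the post and not from fragMOTION. SNIPPET is a
constructed crackme-style check, and run() is a toy emulator that understands
only the instructions that snippet uses (an assumption made for illustration).
"""

# Short Jcc: one opcode byte 0x70..0x7F followed by a signed 8-bit displacement.
# Near Jcc:  0x0F then 0x80..0x8F followed by a signed 32-bit displacement.
# In both forms the low nibble is the condition code, and the lowest bit of that
# nibble selects between a condition and its complement: JE (0x4) <-> JNE (0x5),
# JB (0x2) <-> JAE (0x3), and so on.
COND_NAMES = {
    0x0: "JO", 0x1: "JNO", 0x2: "JB", 0x3: "JAE", 0x4: "JE", 0x5: "JNE",
    0x6: "JBE", 0x7: "JA", 0x8: "JS", 0x9: "JNS", 0xA: "JP", 0xB: "JNP",
    0xC: "JL", 0xD: "JGE", 0xE: "JLE", 0xF: "JG",
}
SHORT_JCC = range(0x70, 0x80)
NEAR_JCC = range(0x80, 0x90)


def decode_jcc(buf, off):
    """Return (mnemonic, instruction length) if a Jcc starts at off, else None."""
    b = buf[off]
    if b in SHORT_JCC:
        return COND_NAMES[b & 0xF], 2
    if b == 0x0F and off + 1 < len(buf) and buf[off + 1] in NEAR_JCC:
        return COND_NAMES[buf[off + 1] & 0xF], 6
    return None


def invert_jcc(buf, off):
    """Return a copy of buf with the Jcc at off replaced by its complement.

    The displacement bytes are untouched, so the patched jump still targets the
    same address; only the sense of the test is reversed.
    """
    out = bytearray(buf)
    if out[off] in SHORT_JCC:
        out[off] ^= 1
    elif out[off] == 0x0F and off + 1 < len(out) and out[off + 1] in NEAR_JCC:
        out[off + 1] ^= 1
    else:
        raise ValueError(f"no conditional jump at offset {off:#x}")
    return bytes(out)


# Constructed check, laid out like the post's "badboy" pattern:
#   0000  39 C8              cmp eax, ecx
#   0002  74 06              je  badboy        ; equal -> fail
#   0004  B8 01 00 00 00     mov eax, 1        ; goodboy: return 1
#   0009  C3                 ret
#   000A  31 C0              xor eax, eax      ; badboy: return 0
#   000C  C3                 ret
SNIPPET = bytes.fromhex("39C8 7406 B801000000 C3 31C0 C3")
JCC_OFFSET = 2


def run(buf, eax, ecx):
    """Toy emulator for the five instruction forms used in SNIPPET; returns EAX."""
    ip, zf = 0, False
    while True:
        b = buf[ip]
        if b == 0x39 and buf[ip + 1] == 0xC8:            # cmp eax, ecx
            zf = ((eax - ecx) & 0xFFFFFFFF) == 0
            ip += 2
        elif b in SHORT_JCC:                              # jcc rel8
            cond = COND_NAMES[b & 0xF]
            if cond not in ("JE", "JNE"):
                raise NotImplementedError(cond)
            rel8 = buf[ip + 1] - 256 if buf[ip + 1] >= 128 else buf[ip + 1]
            ip += 2
            if (cond == "JE") == zf:                      # JE taken when ZF=1, JNE when ZF=0
                ip += rel8
        elif b == 0xB8:                                   # mov eax, imm32
            eax = int.from_bytes(buf[ip + 1:ip + 5], "little")
            ip += 5
        elif b == 0x31 and buf[ip + 1] == 0xC0:           # xor eax, eax
            eax, zf = 0, True
            ip += 2
        elif b == 0xC3:                                   # ret
            return eax
        else:
            raise NotImplementedError(f"opcode {b:#04x} at {ip:#06x}")


if __name__ == "__main__":
    patched = invert_jcc(SNIPPET, JCC_OFFSET)
    print("original:", decode_jcc(SNIPPET, JCC_OFFSET)[0],
          "equal ->", run(SNIPPET, 5, 5), "unequal ->", run(SNIPPET, 5, 6))
    print("patched: ", decode_jcc(patched, JCC_OFFSET)[0],
          "equal ->", run(patched, 5, 5), "unequal ->", run(patched, 5, 6))
```

Two things worth noticing. Inverting the jump only swaps which path the equal and unequal cases take; it does not change the comparison itself, which is why the post needs a second, separate patch for the About dialog even after the first one killed the nags. And editing the instruction in Olly's CPU window changes the bytes in the debugged process's memory, not the file on disk, which is why the post says the change has to be redone every time the program is opened.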