HOW TO CRACK, by +ORC, A TUTORIAL


Lesson 1: an approach


[Pooldemo.exe]


     The best way to learn cracking (i.e. understanding, broadly

individuating, locating exactly and eliminating or suspending or

deferring one or more protection schemes inside a software

application you do not possess the source code of) is to begin

your tampering experiments using OLDER applications which have

OLDER protection schemes. 

     In this way you 'll quickly grasp the base techniques of the

trade. Do not forget that the evolution of the protection schemes

has not been a one way road... strictly speaking it's not even

an evolution: you'll eventually find some very clever new tricks,

but most of the time you 'll unearth only various trite

repetitions of past (and well known) tricks. This is no wonder:

the REAL knowledge of the "commercial" programmers themselves

(the "protectionists") is often very limited indeed: they are

inclined to use the old methods (albeit somehow changed,

sometimes even improved) instead of conceiving new methods. This

typical "commercial" degeneration happens every time people act

for money instead of doing things for the sake of it or for

pleasure. This "commercial" trend is blindly encouraged by the

stupid, money-oriented society we are coerced to live in. 

     So I'll begin the "hands on" part (-> starting from lesson

3), using as examples, some "old" applications and some "old"

tricks. We'll be able to come later over to the newest protection

schemes in order to understand them, and you 'll learn how to

defeat this kind of junk too. I'll also explain WHERE you can

find a lot of programs to crack for next to no money at all, and

HOW 'grossomodo', you should proceed in your work.

     This tutorial is for people who are getting started with

cracking. Maybe you are just contemplating doing some cracking,

maybe you have tried it with mixed success. If you are here to

get aimed in the right direction, to get off to a good start with

the cracking tricks and procedures, then you have come for the

right reason. I can't promise you'll get what you want, but I'll

do my best. On the other hand, if you have already turned out

some working cracking code in assembler and already cracked many

different protection schemes, then this tutorial is likely to be

on the elementary side for you. (If you want to review a few

basics and have no where else pressing to go, then by all means

stay). 

     In order to crack successfully you need four basic things:

*    A passing knowledge of assembler language (the more you

     know, the better and quicker you crack)

*    Some intuition

*    Some help from more experienced cracker

*    A non mercantile mind (more about this later)

The applications you'll use to learn with can be divided into:

1    - Password crippled applications (the easiest to crack)

2    - applications crippled on how many times, or how many

     days, you use them (fairly easy to crack)

3    - applications crippled on which date you use them before

     (easy to crack)

4    - applications that have some functions present but

     disabled (sometimes easy, sometimes difficult)

5    - applications crippled on Disk access (protections schemes

     that are now defined as "obsolete") and applications

     crippled on CD-ROM presence (more or less the same methods, but

     -somehow- not defined as "obsolete") (very easy to crack)

6    - CRYPTOGRAFED ADDS ON (i.e. one of the previous protection

     schemes, but with some scrambled or self modifying code

     (XORring and SHRLing codes)or peppered with "junk" instructions

     (fairly easy to crack)

7    - None of the above (sometimes difficult to crack)



WHERE TO GET THE STUFF

     The recent widespread appearance of "Demo"-CDROM on magazine

covers is a treasure for all crackers! A short time after their

release you 'll get all the copies that remain unsold for next

to free. The demos on CD-ROMs will permit you to gather quickly

a lot of applications -old and new- that have somehow been

crippled (at times with interesting schemes). Truly a wonderful

world of cracking possibilities! Gee! For next to no money you

can secure on one CDROM the whole of LOTUS applications (or

Microsoft or Wordperfect, or you name them) on "trial for 30

days" or "try it 20 times" editions. You'll really enjoy to crack

them, to use them for ever and ever and/or graciously donate them

on the Web to the poor lamers that have no money and no brain.

     GAMES are definitely not to be frowned upon! They are

very interesting from a cracker prospective coz they are often

"overprotected". With this I mean that they possess protection

schemes of a relatively HIGH level hidden inside files that are

relatively small. Now, see, it is much more easy, and simple, to

track down and eliminate protection schemes inside a single

35.000 bytes long executable file than to locate them inside a

collection of many lengthy DLLs and overlaids that could have

swollen as long as 2.000.000 bytes each. The lazy bunch of

"modern" programmers relies systematically for protection schemes

on this "hide the sting in the wide desert" logic. As a matter

of fact they are no longer able to program in assembler: they

bank more and more on overbloated "fatty" atrocities like Visual

Basic, Delphy or Visual C++. (Don't worry... I'll nevertheless

teach you how to crack -and quickly- those huge applications

too).

     There is another reason for employing games instead of

applications as study material: often EXACTLY THE SAME protection

schemes that you find in a simple (and short) shareware game will

be used -without much improving- a little later in order to

"protect" some huge and extremely expensive graphic application.

     For this reason in my tutorial we'll often crack games

protection schemes, even if we'll later apply what we learn

mainly in order to crack the protection schemes of commercial

applications, or to crack the access protection routines to

remote servers, or BBS, or even ATM (cash dispensers). 

     Here follows an example cracking session, that will show you

-I hope- the dos and donts of our art: let's crack together as

introductory example a time crippled application. We'll learn

later (-> LESSON 4) that all applications that are crippled on

time (i.e. "how many times" you use them or "how long" you use

them) rely on analogous protection schemes (albeit with a huge

palette of small variations): 

1-   they may have a counter which "clicks" every so often: FIND

     IT AND DISABLE IT!

2-   they may fetch the time_clock interrupts in your machine:

     INTERCEPT THEM YOURSELF!

3-   they may compare a random_seed with a variable: NOOP IT!

4-   they may check randomly the date of your other, unrelated,

     files on the hard disk: find this verification routine and

     INVERT the JUMPS!

I wanted to start with a modern example of this "counter clicks"

protection type, just to give you a feeling for cracking, and I

have chosen a widely published demo: you should be able to find

it pretty easily. In order to show you some of the problems you

may encounter we'll crack this example "wrongly" (you'll learn

how to crack effectively in the "HANDS ON" lessons).

     EXAMPLE: ARCADE POOL, Demonstration version, PC Conversion

by East Point Software Ltd, (c) Team 17 Software Ltd 1994. This

demo has been published by many magazines on their CDRom covers

throughout 1995.

     What follows will be useful even if you do not have our

example; nevertheless you should get a copy of this widespread

demo in order to better grasp some of the following points.

     This nice demo of a billiard game is time-crippled. It is

crippled on how long you use it: i.e., you can only play 2

minutes, afterwards a "nag" reminder of where and how you can buy

the real version snaps: protectionist squalor at its best. 

     So, how do you proceed? Where does the beginning begin? 

Here is what you could (but not necessarily should) do:



     Get [Soft-ice] and load it in your config.sys. See the TOOLS

OF THE TRADE lesson (-> LESSON 2) about this debugger. Version

2.6 of [Soft-Ice] has been cracked by MARQUIS DE SOIREE and can

be found on the Web for free.

-    vecs s (save all the vectors before loading the babe)

-    start [pooldemo.exe]

-    vecs c (vector compare, save a printing of all hooked

     vectors)

-    enter and leave Soft-ice a few times to understand what's

     going on and where in [pooldemo.exe] are we roaming around

     (you should always check MORE THAN ONCE your findings when

     you snoop around: nothing moves and confuses pointers in a

     more frenzied way than good old "inactive" DOS).

-    have a good look at the map of memory usage ("map")

-    now "snap_save" the main memory regions where

     [pooldemo.exe] dwells... snapping saves "photographs" of

     memory areas.

-    do not do anything, let just the seconds go by.

-    "snap_compare" every two or three seconds without moving

     anything at all on the game board (no mouse_clicking,

     NOTHING), so that the only changes are (hopefully) the

     changes caused by the time counters. 

-    snap_compare twice in a second.

-    snap_compare at second 00:59 and at second 1:01.

-    snap_compare just before and just after the time limit and

     the snapping of the nag screen.

-    Now collect carefully your printed "snaps" data: write

     clearly on the various sheets the occurrences of the snaps.

-    now comes the graceful "zen-cracking" moment: Sit down with

     a dry Martini and Wodka (obviously only russian Wodka will

     do) and contemplate the printing of the various mutant

     locations. Feel, perceive, empathize! Look closely at the

     locations that have changed in the snap compares. Analyze,

     interpretate, evaluate.

-    Mmm! Hey! Something fishy is changing there, and there, and

     there! (you are lucky, few do actually change in this case:

     only two dozen)

-    breakpoint on execute at the location that you believe act

     as a "continuous" counter, i.e. the location that triggers

     the "a second went by" event when it zeroes.

-    Now set the occurrence counter of BPX in order to break at

     the moment where the location "refills" and restarts from

     the beginning (the equivalent of "one second" went by,

     let's start anew). Use the occurrence counter in order not

     to single-step through the program your life long!

-    IN THIS CASE you 'll quickly locate the refill at location

     3DD0. Here follows the "refill" line:

     xxxx:3DCC C706F1013C00   MOV  WORD PTR [01F1], 003C

The "3C" byte at xxxx:3DD0 represents a counter_byte... i.e. the

program "charges" 3C in this location and then DECs it step by

step to 3B, 3A, 39, 38 etc... till 0. When it reaches 0: bingo!

Sucker user has lost one second more of his precious two minutes.

     Now, you would get a first wizard level if you searched

further on for the exact point where you get the "nag screen" in

order to eliminate the whole witless protection, but you may

think you got it already and you remember anyway that the first

principle in cracking is the following: "once you can eliminate

the effects of a protection, do not look further!"

     Most of the time this is true: you do not always need to

eliminate a "whole" protection scheme (unless you are just

studying it for the joy of it). It's normally easier (and

quicker) to eliminate the "effects" of a given protection scheme.

Unfortunately this is not true in this case.

     Here you believe that you have already found the way: you

got the counter that charges the reverse clock that triggers the

particular protection scheme of [pooldemo.exe]. Now you may think

that if you could modify the refill_value... say changing "3C"

to "EE" (Yeah, the maximum would be FF... but it's always good

practice to avoid such extreme values when cracking) you should

get four times more playtime for your game... more than enough

in order to make the protection scheme useless.

     So you change location xxxx:3DD0 from "3C" to "EE". To work

on bytes you should use a good Hexeditor like PSEDIT (Parity

solutions, [Psedit.exe], brilliant shareware: see the "tool of

the trade" section) but you could also work with simpler

debuggers like [debug] or [symdeb] (-> see lesson 2). If you do,

remember to work on a "dead" copy of your crippled [*.exe] file,

i.e.:

     ren POOLDEMO.EXE POOLDEMO.DED

     symdeb POOLDEMO.DED

     -s (cs+0000):0 Lffff C7 06 F1 01 3C <-  this string

                                             corresponds to the

                                             refill line).

     cs:3E85   <- symdeb gives you two locations as answer

     cs:3EEA

     -e cs:3E85+4 EE     <- refill changed from 3C to EE

     -w

     ren POOLDEMO.DED POOLDEMO.EXE

Now you run your tampered pooldemo. You think you cracked it, you

glee with satisfaction... but loo! Nothing at all has changed,

everything's as lame as before, you still have only 2 minutes

playtime. How disappointing: how comez it didn't work?

     Well, for a start you have not been attentive enough! The

search in debug gave you TWO locations, you moron, and not just

the one you just tampered with. Check and you 'll see that the

second location (cs:3EEA) is a MIRROR/CONTROL location (more on

this later). Some times there exist "double" locations... coz at

times it's quicker to use a double routine than to use a

branching if or switch structure... some times the second

locations do mirror the first ones and correct them on the fly

if need be. 

     So you need to modify this too... you act as said above but

this time you enter in debug a

     -e cs:3EEA+4 EE 

before writing back the dead file and then renaming it to exe and

then running it... and loo! Hoow sloow! THERE YOU ARE! Your

crippled POOLDEMO.EXE is now (sort of) unprotected: You think

that you can now play the stupid game up to 12 minutes real time,

even if the protection scheme (and the counter) "believes" that

it is playing only two minutes.

     So you begin to play, and the seconds look veeery sloow, and

everything seems OK, but -alas- NO! At screen second 28 you get

the irritating "two minutes are over" nag screen! Obviously you

were dead wrong: the program "knows" the time directly from the

timer... you only modified the stupid counter ON THE SCREEN.

     So it's back to cracking, and now you are angry, and forget

the quiet ways of the zen-analyze and begin the heavy cracking

you should reserve -if ever- for really complicated schemes. You

now start to check the hooked vectors (you did your routinely

VECS_save before loading pooldemo in [Soft-ice] and your

VECS_compare afterwards) and you see some findings that you

believe interesting:

          vecs c

          08   1EFD:84C6 0CD1:17AC <- the clock

          09   1EFD:85EC 136A:069C <- the keyboard

          22   0BCE:02B1 0BCE:017E <- the terminate

     That's more like it -you think. Smack at the beginning: the

first hooked vector does it! It's good old interrupt_08: the

timer_clicker!

     Some basics for those of you that do not know anything:

INT_08 controls indirectly the INT_1C timer interrupt. The 8253

clock chip generates an IRQ_0 hardware interrupt at a rate of

18.2 interrupts per second. This gives control to the ISR

(Interrupt Service Routine) that the INT_08 points to... and this

should be at 0CD1:17AC, but has been hooked here, by pooldemo,

to 1EFD:84C6.

     One of the actions taken by the INT_08 ISR within the BIOS

is to issue a software interrupt call to INT_1C, just in case any

software modules within the system have established an intercept.

If no intercepts have been established, the default contents of

the INT_1C vector point to an iret instruction within the BIOS,

so that a null action results. 

     Normally a protectionist would intercept INT_1C, coz at

every ISR from INT_08 the CPU would fetch the contents of the

corresponding interrupt vector and make an interrupt style call

to the code at that address (which should contain the iret at

address F000:9876 but can contain any trick they could think of).

     So -you think- the protectionist hooked here INT_08 directly

(a pretty infrequently used protection scheme by the way): What

now?

     A rather drastic measure would be, in such circumstances,

to

disable the IRQ_0 level timer interrupt, which is controlled by

bit 0 of the mask register, at address I/O 0021h. When bit 0

within the mask register is set to 1, no further interrupts will

be recognized for this IRQ level. This unfortunately won't work

here, but it's an interesting technique per se, so you better

learn it anyway, just in case you should need it elsewhere:



--- Trick to disable the timer ("IRQ_0 masking" by +ORC) ---

*    prompt $t and hit ENTER a few times, see how the dos_clock

     is merrily ticking along?

*    enter DEBUG.COM

*    Assemble using the command 'a'

- a

in al,21

or al,1

out 21,al

ret

RETURN

RETURN    <- twice to exit immediate assembler

- g 100   <- to run the tiny program.

- q       <- to quit debug.



prompt $t is still on: hit ENTER a few times: 

whoa! The clock has stopped advancing!



     Compliments: you loaded the current mask register's contents

into AL, you set the mask bit in the bit 0 position (which

corresponds to IRQ_0) at then updated the value back to the mask

register.



When you are ready to activate IRQ_0 events again, reenter DEBUG,

run the following and then reset the clock you stopped with DOS

TIME command:

- a

in al,21

and al,fe

out 21,al

ret

RETURN twice

- g 100

- q 



A word of caution: with the timer click disabled some processes

will not operate correctly: once you access the diskette drive,

the motor will continue to run indefinitely afterwards, etcetera.

-------------------------------------------------------



     Unfortunately the above technique cannot work with our

[pooldemo.exe], where you now are looking closely to the INT_08

hook you found, believing that it hides the protection scheme:

herein you find immediately the EoI (End_of_interrupt: MOV

AL,20h... OUT 20h,AL). Both controllers have a second port

address at 20h (or 0a0h), from which the instructions are given.

The most important is the EoI command (20h). This instruction

indicates the end of the interrupt handler and frees up the

corresponding controller for the next interrupt. If somebody

writes a new custom interrupt handler (as many protectionists

do), it's up to him to see to it that at the end of the handler

the EoI command (20h) is written to either port 20h or port 0a0h.

     After the EoI follow the usual pushes, then some CALLS then

a call that issues some OUT 40,AL that look like timer refreshing

(OUT transfers data to an output port and ports 40-42 correspond

to the Timer/counter). Some do_maintenance follows, then a double

CALL, one more conditional CALL and then a "mysterious" call FAR

CS:[AA91] on which depends a byte PTR[970C] that decides another

final CALL... then the routine pops all registers and irets away.

     Ah! You say, and begin disassembling, reverse engineering

and looking inside each suspect call (the quicker method in

these cases is to breakpoint calls on entrance and see if you

find the one that's only called at the awakening of the time

limit protection). 

     You work, and work, and work... and eventually find nothing

at all, coz the protection of this program is NOT HERE!



     Back to the zen-analyze of the snap printings... we forsake

it too soon, as you will see.

     If you watch with more attention the compare locations for

the range DS:0 DS:FFFF you 'll notice that one of them changes

relatively slowly from 0 to 1 to 2 to 3 and so on... the

precedent location changes very quickly, and runs the complete

cycle 0...FF. That's a counter, at locations DS:0009 and DS:000A!

How long will it tick along? Well, we saw above that the "charge"

every second is 3C, so it will be x3C*x78=x1C20, coz x78 is 120

seconds, i.e. the two minutes time limit.

     Now search this 1C20 value around inside the code

(protections are most of the time at the beginning of the

CS:offset section), and you 'll find quickly what follows:

The protection in [pooldemo.exe] is at code_locations



CS:0A8A   813E20A7201C   CMP  WORD PTR [A720], 1C20

                         compare location A720 with limit 1C20

CS:0A90   7C07           JL   okay_play_a_little_more

CS:0A92   E834FD         CALL beggar_off_time_is_up



     BINGO!: FOUND!



Now let's quickly crack it:

------------------------------------------------

CRACKING POOLDEMO.EXE (by +ORC, January 1996)



ren pooldemo.exe pooldemo.ded

symdeb pooldemo.ded

-    s cs:0 Lffff 81 3E 20 A7 20 1C

xxxx:yyyy           <- this is the answer of the debugger

-    e xxxx:yyyy+5 4C  <- this time limit is much better

-    w

-    q

ren pooldemo.ded pooldemo.exe

-------------------------------------------------

     We have done here a "weak" crack: we limited ourselves to

accept a (better) time limit, changing it from 1C20 to 4C20 (4

minutes instead of two). We could obviously have done a more

radical crack if we had changed the JL (jump lower) instruction

in a JMP (jump anyway) instruction. In this case it would have

worked, but for reasons that will be explained in lesson 4, you

should choose a rather delicate approach in cracking when you

deal with time-limit protection schemes.

     As you have seen, in this artificial cracking session we

found the protection scheme after a little snooping around. But,

as you will see in the hands on part, there are always MANY ways

to crack a single protection scheme. You could -for instance-

have found this protection the other way round: set a trace on

memory range for the program, restricting the trace to the first

part of it (say CS:0 to CS:1000, if you do not fetch anything you

can always try the other blocks). Breakpoint at the nag screen,

have a look at the last 300-400 backtraced instructions, if you

did not move anything, everything will follow a repetitive

pattern, until the protection snaps on:

       ... 

       JL 0A99 

       CMP BYTE PTR [A72A],01

       ...

       JL 0A99 

       CMP BYTE PTR [A72A],01

       ...

       for ages and ages and then...

       ... 

       JL 0A99 

E834FD CALL 0759           <- BINGO! (CALL beggar_off_time_is_up)



... there it is, found the other way round. (But this apparently

better method is unfortunately very unstable: it depends on your

timing of the breaking in and on the distance between protection

and nag screen, therefore the somehow more complicated, but more

sure previous one should be favoured).

     The reason why "minimal" approaches in cracking are often

more successful than heavy vector_cracking, is that the programs

are hardly ever "overprotected", and therefore the protections

are seldom difficult to find (and those that are really worth

cracking for study reasons). 

     Sometime you don't even need to crack anything at all! Some

applications are fully functional -per se-, but have been

crippled in a hurry in order to release them as demos. The

commercial programmers want only money, do not even try to

understand our zen ways, and do not care at all for a well done

job. That means, among other things, that the hard disk of the

user will be cluttered with files that the main program module

never calls. A typical example of this sloppy method is the demo

of [Panzer General] from SSI that appeared in the summer '95.

This was in reality no less than the complete beta version of the

game: you just had to substitute to one of the two "allowed"

scenarios one of the 20 or more scenarios of the beta version in

order to play them freely... you didn't ever need to crack! 

     The pooldemo crack example above should not discourage you

from cracking intuitively. Be careful! Perform a thoroughly

zen_analyze before attempting deeper methods: do remember that

you want to crack the protection scheme SOMEHOW, and not

necessarily following the same line of thought that the

programmer eventually WANTED YOU TO CRACK IT with. 



Well, that's it for this lesson, reader. Not all lessons of my

tutorial are on the Web.



     You 'll obtain the missing lessons IF AND ONLY IF you mail

me back (via anon.penet.fi) with some tricks of the trade I may

not know that YOU discovered. Mostly I'll actually know them

already, but if they are really new you'll be given full credit,

and even if they are not, should I judge that you "rediscovered"

them with your work, or that you actually did good work on them,

I'll send you the remaining lessons nevertheless. Your

suggestions and critics on the whole crap I wrote are also

welcomed.


E-mail +ORC

+ORC an526164@anon.penet.fi