BEGINNERS: KeyGenerator for AddItem:
- Turning a *NAG* in to a keygen!

student
Not Assigned

12 February 1998

by Jon

Courtesy of Fravia's page of reverse engineering

 
fra_00E4
980212
Jon
0000
NA
XX

Well, as anyone knows we are not so much favourable to the publishing of key generators, why the hell should we allow all lamers of the planet to use stolen software? Yet in this case it's the protection scheme itself that is 'reversed' (changing a SINGLE byte) and used as a keygenerator... a nice essay for beginners, by Jon. Very useful for those among you that DO NOT KNOW how to work with Softice in order to fish simple echos. A useful lesson for shareware programmers as well, clearly the idea of pushing a "not valid registered number" location that can be turned into a "valid registered number" location changing a single byte is ludicrous to say the least.
This is an essay for beginners (almost for NEWBYES) yet it may be enjoyed by any reverser

Related:

+prog cor
Programmers'
corner
 

There is a crack, a crack in everything That's how the light gets in

 

Rating

(x)Beginner ( )Intermediate ( )Advanced ( )Expert


Useful for beginners, who haven't discovered the ease of "fishing" serials with SoftIce yet. I'll also show how to crack "creative": Turning a *NAG* in to a key-gen!


KeyGenerator for AddItem:
- Turning a *NAG* in to a keygen!

Written by Jon

Introduction

Greetings, all!



Today, I'll crack several nice little programs, all made by the shareware 

programmer Firas El-Hasan. His programs are all nice Window$-utilities,

that are pretty useful. But unfortunately they all have a *NAG* at launch,

which is really annoying, considering that the programs are probably all

made within a couple of hours...

The programs are:



SysDate - A program which shows you the day of the month in the system tray.

StartClean - Cleans shortcuts, that points to nonexisting files.

SysLaunch - A "lite" version of the start menu, for fast access of your

favorite apps.

QuickDesk - Minimizes all the windows with ALT+TAB, or by a click on the

tray icon.

HotCorners - Starts your screensaver, when you leave the mouse-pointer in

one of the desktop corners (nice!).

DirectNet - Automatically dials your ISP, and launches an Internet-app. of

your choice (useful?).

AddLink - Allows you to right-click on a program, and add it to the

start-menu.

Also: DOS-Explore and DialMSN (MSN??? Yucchh!!!), but they are freeware,

so no cracking is needed :-)



I'll use two different approaches to cracking the protection-schemes:

1. Using SoftIce to "Hear the echo".

2. Using SoftIce/HIEW to turn the program in to a key-gen.



As a template, I'll use AddLink, which is one of the most useful of them.

Actually, StartClean is the most useful, but a dude named Qapla has already

made a tutorial for that program (good work, BTW). 

I'll describe the crack in a way, that'll make it easy apply the same 

approach on the other programs. And I'll also describe, if there's 

something that you should take note of, when using the same approach on the

other programs...

Tools required

SoftIce 3.22 for Win95/NT (any version is useful, though).
HIEW 5.66 (or whatever hex-editor you prefer).

Target's URL/FTP

You can fetch the apps. at the authors homepage:
http://users.aol.com/felhasan/

Program History

None that I know of (I stumbled over the apps. by coincidence)... Check out the authors homepage, for more info.

Essay

So let's begin!



Start by installing AddLink (or one of the apps., that you wish to crack).

Start AddLink by right-clicking on any file, select Send To -->  Start Menu.

A nasty *NAG* will show, and remind you to "pay" for the program. Go in to 

SoftIce (CTRL+D) and

BPX Lstrcmp

Press F5 to get out of SoftIce...

Select Register...

Enter your name (in my case): -=[JON!]=-

And a fake serial: 1212121212 (Copyright © +ORC)

Hit ENTER...

Now, SoftIce BREAKS at Lstrcmp!

Type:

BC *

To clear the breakpoint.

Press F11 to go back, where it was CALLed from, scroll up a little, and you

see this:



CALL   00401BB0           ;Calculate valid code.

LEA    EAX,[ESP+18]       ;Copy your code to EAX.

ADD    ESP,08

PUSH   EAX                ;PUSH your code.

PUSH   004051C8           ;PUSH valid code.

CALL   [Kernel32!lstrcmp] ;Compare strings.

TEST   EAX,EAX            ;Are you registered?

JNZ    00401BA5           ;If not, JMP to *NAG*!



Now, to retrieve the valid code, you'll need to set a breakpoint on the line

where your code is PUSHed. To do this, simply double-click on that line. 

(If you have mouse disabled, do a BPX XXXX:YYYYYYYY, where XXXX:YYYYYYYY is

the memory location). Now, go out of SoftIce and enter the name and a bogus

code again. Press OK, and SoftIce breaks again. Type:

BD *

to temporarily disable the breakpoint (it will be used later).

Type:

D 004051C8

And you discover that the valid code for the name -=[JON!]=- is:

14621-136061-2316-6752.

But why stop here? Why not make a key-gen? To do so, UNREGISTER the program,

by deleting its registry-entries (HKEY_CURRENT_USER\SOFTWARE\ADDLINK).

Now that it's unregistered, start the program, go in to SoftIce and enable

your breakpoint once again:

BE *

Enter something fake and press OK. SoftIce breaks once again, where the

valid code is PUSHed. 

Clear your breakpoint:

BC *

Now, write down the HEX-numbers for the PUSH function: 68C8514000


68C8514000 PUSH 004051C8 ;PUSH valid code.
Keep pressing F10, until you see these lines of code: PUSH 00 PUSH 00 PUSH 004051B4 ;PUSH the text "Incorrect code!" PUSH ESI CALL [USER32!MessageBoxA] ;CALL the *NAG* dialog. MOV EAX,00000001 ;Set EAX=1 (unregistered). Now, type: E XXXX:YYYYYYYY Where XXXX:YYYYYYYY is the memory-location of PUSH 004051B4 Enter the hex-digits you've written down (68C851400). Press F5 to get out of SoftIce, and what shows before your eyes?! A *NAG* with the valid code for your name!!! Cool, huh? To make the crack permanent: HIEW ADDLINK.EXE Search, F7: 6A006A0068B451400056 ^^ Replace : 6A006A0068C851400056 Save (F9) and exit (F10), and you've got yourself a working key-generator!
6A006A0068B451400056 ;push incorrect code has been changed into 6A006A0068C851400056 ;push correct code
This can be applied to all the other apps. (some minor differences, of course), with the exception of QuickDesk and SysLaunch. This is because, the memory location in which the valid serial is stored is overwritten before the *NAG* is shown :-( But you can, of course still "fish" a serial, using the same method described above.

Final Notes

What have we learned?

1.If Lstrcmp is used the compare the codes, it's easy to locate the right 

one, since it has already been calculated!

2. If the programmer hasn't cleared the valid code before the "Incorrect

code!" *NAG*, we can in most cases turn our worst enemy in to a key-gen!

3. The shareware programmers should make the protection-schemes different 

if they have more that one product!

4. SoftIce is the best debugger!

5. Cracking rulez!



Greetings:

+ORC, The +HCU, Fravia+, +Gthorne, all (+)crackers, all the cool cracking 

groups, all those who have killed a spammer, and of course to you, reader of

this essay!



Have Fun! :-)



By Jon, February 9th, 1998.
PS:

If you have any comments on this crap (good or bad), don't hesitate to

e-mail me at: jon101514(at)cyberjunkie(point)com

Ob Duh

I wont even bother explaining you that you should BUY these target programs if you intend to use them for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection schemes at all: you'll find it on most Warez sites, complete and already regged, farewell.


You are deep inside fravia's page of reverse engineering, choose your way out:
student
redhomepage redlinks redsearch_forms red+ORC redstudents' essays redacademy database
redreality cracking redhow to search redjavascript wars
redtools redanonymity academy redcocktails redantismut CGI-scripts redmail_fravia+
redIs reverse engineering legal?