The flag's faking approach

by Xoanon



Courtesy of Fravia's page of reverse engineering
~
Let's hear Xoanon's voice:
Hi! I'm sending you a little txt on "brute" cracking... that is, how to register a program (but also other kinds of protections, you just have to apply yourself a bit) without going through the "enter registration number" etc... It may seem trivial, but sometimes these protections are a real mess.... so what's better than faking the flags that tell the program whether it's registered or not? Many times it's much quicker!!!!
Enjoy!


BRUTE FORCE cRACKING!


 

                          The flags-faking approach

                         by Xoanon

[...] different approach on cracking a lot of programs.



Ok, let's start!

I will take as example a program called "HyperCam" v1.19, sort of an AVI
recorder of what happens on your screen... really good, especially if you
want to create an animated "cracking essay" for your brand new cool
target :-)

To get it go to www.hyperionics.com - HYPERCAM.ZIP - 251819 bytes
(I'm not really sure of the ZIP name, I found it on a CD. But I believe
it should be right.)

Well, it's nothing new from the point of view of the protection scheme, as
I said... the only thing to notice is that it uses a very very nasty
key creation algorithm, maybe not understandable by most newbie crackers.
Also, it stores the registration info in a file called HYPERCAM.LIC, so
it needs quite a lot of work to crack it.



Ok, but this time we don't want to crack it with the usual "BMSG xxxx
WM_COMMAND", do we?

We want to try something new! Light your cigarettes, fire up your SoftICE
and install a good disassembler (I now use WDasm 8 [...]

                                        "Unregistered HyperCam"
                                                  |
:0040153C 68D0504300         push 004350D0

.Search memory for the first bytes of the check, i.e. the read of the
 flag (A1 C0 A3 43 00 = mov eax,[0043A3C0]) followed by the test on it
 (85 C0 = test eax,eax, 74 0F = jz):

 S 22f:0 lffffffff A1 C0 A3 43 00 85 C0 74 0F 8B

 

.If you don't find it, it's simply because that piece of code isn't
 loaded in memory yet, it is not yet "pinpointed". So, choose the
 "AVI record" option and record something. Then retry and you'll find it.

 

.Set a BPX now at the address where you found these bytes (the beginning
 of the code shown before). For me it is 22f:1ef91c, so --> BPX 22F:1EF91C

 

.Ok, now that we have set the breakpoint, hoping for the best, when we
 reload it and try to create an AVI (or even when the program is
 restarted; we don't know yet whether it will break there or not) it
 should pop up inside SoftICE... TRY!

 

.Now examine the comments in my code, and you should see that the flag
 which controls everything is located at DS:43A3C0. In fact, if the 2
 checks fail, the PUSH 004350D0 will push on the stack the address of the
 "Unregistered HyperCam" string (you can see it by dumping memory,
 D 4350D0, as soon as you reach the push).

 

Well, now we know where the flag is... can we suppose that it controls
the initial nag screen as well? Yes, of course! :)
Remove all the BPXs, set a new BPM DS:43A3C0 and restart the program!
Now we can see what happens to that "flag" location right from the
start... You will land in SoftICE 2 times, and after the 2nd time the
nag screen will appear. So, what does this mean? Easy: the first time
SoftICE pops up inside a piece of code which resets the flag, the second
time (our target) when the program checks it. But look:

 

2nd popup:

:00404958 8BCD               mov ecx, ebp
:0040495A E83C610200         call 0042AA9B
:0040495F 39BD48010000       cmp [ebp+00000148], edi

[...]

Xoanon
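The SoftICE steps above (search for the bytes of the check, read the flag address out of them, then BPM the flag to see who resets it and who reads it) can also be done statically on the executable's code bytes. The script below is an added example; it is not part of Xoanon's essay and not HyperCam's code. It scans a hand-assembled x86 code region (constructed here so it runs offline; only the addresses 0043A3C0 and 004350D0 are reused from the essay, the rest is made up) for the `mov eax,[flag] / test eax,eax / jz|jnz` read pattern, for the `mov [flag],eax` and `mov dword [flag],imm32` stores that a BPM would catch, and then "fakes the flag" by rewriting the immediate of the reset store. It is a byte-pattern scanner, not a disassembler, so every hit is a candidate to be confirmed in the debugger, exactly as the essay does with BPX.

```python
import struct
from typing import Dict, List, Tuple

BASE = 0x00401000       # assumed load address of the constructed code region
FLAG_ADDR = 0x0043A3C0  # the "registered" flag named in the essay (DS:43A3C0)

# Constructed sample, hand-assembled for this example; NOT bytes taken from HyperCam.
SAMPLE = bytes([
    0xC7, 0x05, 0xC0, 0xA3, 0x43, 0x00, 0x00, 0x00, 0x00, 0x00,  # 00401000 mov dword [flag], 0 (the reset)
    0xC3,                                                        # 0040100A ret
    0xA1, 0xC0, 0xA3, 0x43, 0x00,                                # 0040100B mov eax, [flag]     (the check)
    0x85, 0xC0,                                                  # 00401010 test eax, eax
    0x74, 0x01,                                                  # 00401012 jz 00401015
    0xC3,                                                        # 00401014 ret                 (registered path)
    0x68, 0xD0, 0x50, 0x43, 0x00,                                # 00401015 push 004350D0       ("Unregistered HyperCam")
    0xC3,                                                        # 0040101A ret
    0xA3, 0xC0, 0xA3, 0x43, 0x00,                                # 0040101B mov [flag], eax     (set after key validation)
    0xC3,                                                        # 00401020 ret
    0xA1, 0x10, 0x20, 0x40, 0x00,                                # 00401021 mov eax, [00402010] (decoy: another global)
    0x85, 0xC0,                                                  # 00401026 test eax, eax
    0x75, 0x00,                                                  # 00401028 jnz 0040102A
    0xC3,                                                        # 0040102A ret
])


def find_flag_reads(code: bytes, base: int) -> List[Dict]:
    """Find every 'A1 addr32 / 85 C0 / 74|75 rel8' run: mov eax,[addr]; test eax,eax; jz/jnz."""
    hits = []
    i = 0
    while i + 9 <= len(code):
        if code[i] == 0xA1 and code[i + 5:i + 7] == b"\x85\xC0" and code[i + 7] in (0x74, 0x75):
            addr = struct.unpack_from("<I", code, i + 1)[0]
            rel = struct.unpack_from("<b", code, i + 8)[0]
            hits.append({"va": base + i, "flag": addr,
                         "jcc": "jz" if code[i + 7] == 0x74 else "jnz",
                         "target": base + i + 9 + rel})  # rel8 is relative to the next instruction
            i += 9
            continue
        i += 1
    return hits


def find_flag_writes(code: bytes, base: int, flag: int) -> List[Dict]:
    """Find direct stores to `flag`: 'A3 addr32' (mov [addr],eax) and 'C7 05 addr32 imm32' (mov dword [addr],imm)."""
    addr_le = struct.pack("<I", flag)
    hits = []
    i = 0
    while i < len(code):
        if code[i] == 0xA3 and code[i + 1:i + 5] == addr_le:
            hits.append({"va": base + i, "form": "mov [flag], eax", "imm": None})
            i += 5
            continue
        if code[i:i + 2] == b"\xC7\x05" and code[i + 2:i + 6] == addr_le and i + 10 <= len(code):
            hits.append({"va": base + i, "form": "mov dword [flag], imm32",
                         "imm": struct.unpack_from("<I", code, i + 6)[0]})
            i += 10
            continue
        i += 1
    return hits


def fake_flag_writes(code: bytes, base: int, flag: int, value: int = 1) -> Tuple[bytes, List[int]]:
    """Rewrite the imm32 of every 'mov dword [flag], imm32' so the reset stores `value` instead of 0."""
    patched = bytearray(code)
    patched_vas = []
    for w in find_flag_writes(code, base, flag):
        if w["imm"] is not None:
            struct.pack_into("<I", patched, w["va"] - base + 6, value)  # imm32 sits 6 bytes into C7 05 addr32 imm32
            patched_vas.append(w["va"])
    return bytes(patched), patched_vas


def flag_report(code: bytes, base: int, flag: int) -> List[Tuple[int, str]]:
    """Every reference to `flag` in address order: the static counterpart of what a BPM shows over a run."""
    refs = [(r["va"], f"read  -> {r['jcc']} {r['target']:08X}")
            for r in find_flag_reads(code, base) if r["flag"] == flag]
    refs += [(w["va"], f"write -> {w['form']}") for w in find_flag_writes(code, base, flag)]
    return sorted(refs)


if __name__ == "__main__":
    for va, what in flag_report(SAMPLE, BASE, FLAG_ADDR):
        print(f"{va:08X}  {what}")
    patched, vas = fake_flag_writes(SAMPLE, BASE, FLAG_ADDR, 1)
    print("patched reset at:", [f"{v:08X}" for v in vas])
```

Run it and the report lists the reset store first and the check read second, the same order in which the BPM fires in the essay; the decoy `mov eax,[00402010]` has the same shape but is filtered out by address. The `mov [flag],eax` store is reported but left alone: its value comes out of the key-validation code and is not a constant you can flip, which is why in the debugger you would set the BPM and look at what eax holds there.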



Fravia 13 May 1997