HOW TO CRACK, by +ORC, A TUTORIAL -------------------------------------------------------------- (Htocrk10.txt) Lesson 1: an approach (Htocrk20.txt) Lesson 2: tools and tricks of the trade (Htocrk31.txt) Lesson 3.1: hands on, paper protections (1) (Htocrk32.txt) Lesson 3.2: hands on, paper protections (2) (Htocrk51.txt) Lesson 5.1: disk & CD-Rom access (basics) (Htocrk61.txt) Lesson 6.1: funny tricks (Htocrk81.txt) Lesson 8.1: how to crack Windows, an approach (Htocrk82.txt) Lesson 8.2: how to crack Windows, a deeper approach (Htocrk91.txt) Lesson 9.1: how to crack Windows, hands on (Htocrka1.txt) Lesson A.1: advanced cracking: internet cracking (Unix) (Htocrkc1.txt) Lesson C.1: how to crack, cracking as an art (Htocrkc2.txt) Lesson C.2: how to crack, cracking as an art HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 1: an approach --------------------------------------------------------------------------- [Pooldemo.exe] -------------------------------------- The best way to learn cracking (i.e. understanding, broadly individuating, locating exactly and eliminating or suspending or deferring one or more protection schemes inside a software application you do not possess the source code of) is to begin your tampering experiments using OLDER applications which have OLDER protection schemes. In this way you 'll quickly grasp the base techniques of the trade. Do not forget that the evolution of the protection schemes has not been a one way road... strictly speaking it's not even an evolution: you'll eventually find some very clever new tricks, but most of the time you 'll unearth only various trite repetitions of past (and well known) tricks. This is no wonder: the REAL knowledge of the "commercial" programmers themselves (the "protectionists") is often very limited indeed: they are inclined to use the old methods (albeit somehow changed, sometimes even improved) instead of conceiving new methods. This typical "commercial" degeneration happens every time people act for money instead of doing things for the sake of it or for pleasure. This "commercial" trend is blindly encouraged by the stupid, money-oriented society we are coerced to live in. So I'll begin the "hands on" part (-> starting from lesson 3), using as examples, some "old" applications and some "old" tricks. We'll be able to come later over to the newest protection schemes in order to understand them, and you 'll learn how to defeat this kind of junk too. I'll also explain WHERE you can find a lot of programs to crack for next to no money at all, and HOW 'grossomodo', you should proceed in your work. This tutorial is for people who are getting started with cracking. Maybe you are just contemplating doing some cracking, maybe you have tried it with mixed success. If you are here to get aimed in the right direction, to get off to a good start with the cracking tricks and procedures, then you have come for the right reason. I can't promise you'll get what you want, but I'll do my best. On the other hand, if you have already turned out some working cracking code in assembler and already cracked many different protection schemes, then this tutorial is likely to be on the elementary side for you. (If you want to review a few basics and have no where else pressing to go, then by all means stay). In order to crack successfully you need four basic things: * A passing knowledge of assembler language (the more you know, the better and quicker you crack) * Some intuition * Some help from more experienced cracker * A non mercantile mind (more about this later) The applications you'll use to learn with can be divided into: 1 - Password crippled applications (the easiest to crack) 2 - applications crippled on how many times, or how many days, you use them (fairly easy to crack) 3 - applications crippled on which date you use them before (easy to crack) 4 - applications that have some functions present but disabled (sometimes easy, sometimes difficult) 5 - applications crippled on Disk access (protections schemes that are now defined as "obsolete") and applications crippled on CD-ROM presence (more or less the same methods, but - somehow- not defined as "obsolete") (very easy to crack) 6 - CRYPTOGRAFED ADDS ON (i.e. one of the previous protection schemes, but with some scrambled or self modifying code (XORring and SHRLing codes) (fairly easy to crack) 7 - None of the above (sometimes difficult to crack) WHERE TO GET THE STUFF The recent widespread appearance of "Demo"-CDROM on magazine covers is a treasure for all crackers! A short time after their release you 'll get all the copies that remain unsold for next to free. The demos on CD-ROMs will permit you to gather quickly a lot of applications -old and new- that have somehow been crippled (at times with interesting schemes). Truly a wonderful world of cracking possibilities! Gee! For next to no money you can secure on one CDROM the whole of LOTUS applications (or Microsoft or Wordperfect, or you name them) on "trial for 30 days" or "try it 20 times" editions. You'll really enjoy to crack them, to use them for ever and ever and/or graciously donate them on the Web to the poor lamers that have no money and no brain. GAMES are definitely not to be frowned upon! They are very interesting from a cracker prospective coz they are often "overprotected". With this I mean that they possess protection schemes of a relatively HIGH level hidden inside files that are relatively small. Now, see, it is much more easy, and simple, to track down and eliminate protection schemes inside a single 35.000 bytes long executable file than to locate them inside a collection of many lengthy DLLs and overlaids that could have swollen as long as 2.000.000 bytes each. The lazy bunch of "modern" programmers relies systematically for protection schemes on this "hide the sting in the wide desert" logic. As a matter of fact they are no longer able to program in assembler: they bank more and more on overbloated "fatty" atrocities like Visual Basic, Delphy or Visual C++. (Don't worry... I'll nevertheless teach you how to crack -and quickly- those huge applications too). There is another reason for employing games instead of applications as study material: often EXACTLY THE SAME protection schemes that you find in a simple (and short) shareware game will be used -without much improving- a little later in order to "protect" some huge and extremely expensive graphic application. For this reason in my tutorial we'll often crack games protection schemes, even if we'll later apply what we learn mainly in order to crack the protection schemes of commercial applications, or to crack the access protection routines to remote servers, or BBS, or even ATM (cash dispensers). Here follows an example cracking session, that will show you -I hope- the dos and donts of our art: let's crack together as introductory example a time crippled application. We'll learn later (-> LESSON 4) that all applications that are crippled on time (i.e. "how many times" you use them or "how long" you use them) rely on analogous protection schemes (albeit with a huge palette of small variations): 1- they may have a counter which "clicks" every so often: FIND IT AND DISABLE IT! 2- they may fetch the time_clock interrupts in your machine: INTERCEPT THEM YOURSELF! 3- they may compare a random_seed with a variable: NOOP IT! 4- they may check randomly the date of your other, unrelated, files on the hard disk: find this verification routine and INVERT the JUMPS! I wanted to start with a modern example of this "counter clicks" protection type, just to give you a feeling for cracking, and I have chosen a widely published demo: you should be able to find it pretty easily. In order to show you some of the problems you may encounter we'll crack this example "wrongly" (you'll learn how to crack effectively in the "HANDS ON" lessons). EXAMPLE: ARCADE POOL, Demonstration version, PC Conversion by East Point Software Ltd, (c) Team 17 Software Ltd 1994. This demo has been published by many magazines on their CDRom covers throughout 1995. What follows will be useful even if you do not have our example; nevertheless you should get a copy of this widespread demo in order to better grasp some of the following points. This nice demo of a billiard game is time-crippled. It is crippled on how long you use it: i.e., you can only play 2 minutes, afterwards a "nag" reminder of where and how you can buy the real version snaps: protectionist squalor at its best. So, how do you proceed? Where does the beginning begin? Here is what you could (but not necessarily should) do: Get [Soft-ice] and load it in your config.sys. See the TOOLS OF THE TRADE lesson (-> LESSON 2) about this debugger. Version 2.6 of [Soft-Ice] has been cracked by MARQUIS DE SOIREE and can be found on the Web for free. - vecs s (save all the vectors before loading the babe) - start [pooldemo.exe] - vecs c (vector compare, save a printing of all hooked vectors) - enter and leave Soft-ice a few times to understand what's going on and where in [pooldemo.exe] are we roaming around (you should always check MORE THAN ONCE your findings when you snoop around: nothing moves and confuses pointers in a more frenzied way than good old "inactive" DOS). - have a good look at the map of memory usage ("map") - now "snap_save" the main memory regions where [pooldemo.exe] dwells... snapping saves "photographs" of memory areas. - do not do anything, let just the seconds go by. - "snap_compare" every two or three seconds without moving anything at all on the game board (no mouse_clicking, NOTHING), so that the only changes are (hopefully) the changes caused by the time counters. - snap_compare twice in a second. - snap_compare at second 00:59 and at second 1:01. - snap_compare just before and just after the time limit and the snapping of the nag screen. - Now collect carefully your printed "snaps" data: write clearly on the various sheets the occurrences of the snaps. - now comes the graceful "zen-cracking" moment: Sit down with a dry Martini and Wodka (obviously only russian Wodka will do) and contemplate the printing of the various mutant locations. Feel, perceive, empathize! Look closely at the locations that have changed in the snap compares. Analyze, interpretate, evaluate. - Mmm! Hey! Something fishy is changing there, and there, and there! (you are lucky, few do actually change in this case: only two dozen) - breakpoint on execute at the location that you believe act as a "continuous" counter, i.e. the location that triggers the "a second went by" event when it zeroes. - Now set the occurrence counter of BPX in order to break at the moment where the location "refills" and restarts from the beginning (the equivalent of "one second" went by, let's start anew). Use the occurrence counter in order not to single-step through the program your life long! - IN THIS CASE you 'll quickly locate the refill at location 3DD0. Here follows the "refill" line: xxxx:3DCC C706F1013C00 MOV WORD PTR [01F1], 003C The "3C" byte at xxxx:3DD0 represents a counter_byte... i.e. the program "charges" 3C in this location and then DECs it step by step to 3B, 3A, 39, 38 etc... till 0. When it reaches 0: bingo! Sucker user has lost one second more of his precious two minutes. Now, you would get a first wizard level if you searched further on for the exact point where you get the "nag screen" in order to eliminate the whole witless protection, but you may think you got it already and you remember anyway that the first principle in cracking is the following: "once you can eliminate the effects of a protection, do not look further!" Most of the time this is true: you do not always need to eliminate a "whole" protection scheme (unless you are just studying it for the joy of it). It's normally easier (and quicker) to eliminate the "effects" of a given protection scheme. Unfortunately this is not true in this case. Here you believe that you have already found the way: you got the counter that charges the reverse clock that triggers the particular protection scheme of [pooldemo.exe]. Now you may think that if you could modify the refill_value... say changing "3C" to "EE" (Yeah, the maximum would be FF... but it's always good practice to avoid such extreme values when cracking) you should get four times more playtime for your game... more than enough in order to make the protection scheme useless. So you change location xxxx:3DD0 from "3C" to "EE". To work on bytes you should use a good Hexeditor like PSEDIT (Parity solutions, [Psedit.exe], brilliant shareware: see the "tool of the trade" section) but you could also work with simpler debuggers like [debug] or [symdeb] (-> see lesson 2). If you do, remember to work on a "dead" copy of your crippled [*.exe] file, i.e.: ren POOLDEMO.EXE POOLDEMO.DED symdeb POOLDEMO.DED -s (cs+0000):0 Lffff C7 06 F1 01 C3 <- this string corresponds to the refill line). cs:3E85 <- symdeb gives you two locations as answer cs:3EEA -e cs:3E85+4 EE <- refill changed from C3 to EE -w ren POOLDEMO.DED POOLDEMO.EXE Now you run your tampered pooldemo. You think you cracked it, you glee with satisfaction... but loo! Nothing at all has changed, everything's as lame as before, you still have only 2 minutes playtime. How disappointing: how comez it didn't work? Well, for a start you have not been attentive enough! The search in debug gave you TWO locations, you moron, and not just the one you just tampered with. Check and you 'll see that the second location (cs:3EEA) is a MIRROR/CONTROL location (more on this later). Some times there exist "double" locations... coz at times it's quicker to use a double routine than to use a branching if or switch structure... some times the second locations do mirror the first ones and correct them on the fly if need be. So you need to modify this too... you act as said above but this time you enter in debug a -e cs:3EEA+4 EE before writing back the dead file and then renaming it to exe and then running it... and loo! Hoow sloow! THERE YOU ARE! Your crippled POOLDEMO.EXE is now (sort of) unprotected: You think that you can now play the stupid game up to 12 minutes real time, even if the protection scheme (and the counter) "believes" that it is playing only two minutes. So you begin to play, and the seconds look veeery sloow, and everything seems OK, but -alas- NO! At screen second 28 you get the irritating "two minutes are over" nag screen! Obviously you were dead wrong: the program "knows" the time directly from the timer... you only modified the stupid counter ON THE SCREEN. So it's back to cracking, and now you are angry, and forget the quiet ways of the zen-analyze and begin the heavy cracking you should reserve -if ever- for really complicated schemes. You now start to check the hooked vectors (you did your routinely VECS_save before loading pooldemo in [Soft-ice] and your VECS_compare afterwards) and you see some findings that you believe interesting: vecs c 08 1EFD:84C6 0CD1:17AC <- the clock 09 1EFD:85EC 136A:069C <- the keyboard 22 0BCE:02B1 0BCE:017E <- the terminate That's more like it -you think. Smack at the beginning: the first hooked vector does it! It's good old interrupt_08: the timer_clicker! Some basics for those of you that do not know anything: INT_08 controls indirectly the INT_1C timer interrupt. The 8253 clock chip generates an IRQ_0 hardware interrupt at a rate of 18.2 interrupts per second. This gives control to the ISR (Interrupt Service Routine) that the INT_08 points to... and this should be at 0CD1:17AC, but has been hooked here, by pooldemo, to 1EFD:84C6. One of the actions taken by the INT_08 ISR within the BIOS is to issue a software interrupt call to INT_1C, just in case any software modules within the system have established an intercept. If no intercepts have been established, the default contents of the INT_1C vector point to an iret instruction within the BIOS, so that a null action results. Normally a protectionist would intercept INT_1C, coz at every ISR from INT_08 the CPU would fetch the contents of the corresponding interrupt vector and make an interrupt style call to the code at that address (which should contain the iret at address F000:9876 but can contain any trick they could think of). So -you think- the protectionist hooked here INT_08 directly (a pretty infrequently used protection scheme by the way): What now? A rather drastic measure would be, in such circumstances, to disable the IRQ_0 level timer interrupt, which is controlled by bit 0 of the mask register, at address I/O 0021h. When bit 0 within the mask register is set to 1, no further interrupts will be recognized for this IRQ level. This unfortunately won't work here, but it's an interesting technique per se, so you better learn it anyway, just in case you should need it elsewhere: --- Trick to disable the timer ("IRQ_0 masking" by +ORC) --- * prompt $t and hit ENTER a few times, see how the dos_clock is merrily ticking along? * enter DEBUG.COM * Assemble using the command 'a' - a in al,21 or al,1 out 21,al ret RETURN RETURN <- twice to exit immediate assembler - g 100 <- to run the tiny program. - q <- to quit debug. prompt $t is still on: hit ENTER a few times: whoa! The clock has stopped advancing! Compliments: you loaded the current mask register's contents into AL, you set the mask bit in the bit 0 position (which corresponds to IRQ_0) at then updated the value back to the mask register. When you are ready to activate IRQ_0 events again, reenter DEBUG, run the following and then reset the clock you stopped with DOS TIME command: - a in al,21 and al,fe out 21,al ret RETURN twice - g 100 - q A word of caution: with the timer click disabled some processes will not operate correctly: once you access the diskette drive, the motor will continue to run indefinitely afterwards, etcetera. ------------------------------------------------------- Unfortunately the above technique cannot work with our [pooldemo.exe], where you now are looking closely to the INT_08 hook you found, believing that it hides the protection scheme: herein you find immediately the EoI (End_of_interrupt: MOV AL,20h... OUT 20h,AL). Both controllers have a second port address at 20h (or 0a0h), from which the instructions are given. The most important is the EoI command (20h). This instruction indicates the end of the interrupt handler and frees up the corresponding controller for the next interrupt. If somebody writes a new custom interrupt handler (as many protectionists do), it's up to him to see to it that at the end of the handler the EoI command (20h) is written to either port 20h or port 0a0h. After the EoI follow the usual pushes, then some CALLS then a call that issues some OUT 40,AL that look like timer refreshing (OUT transfers data to an output port and ports 40-42 correspond to the Timer/counter). Some do_maintenance follows, then a double CALL, one more conditional CALL and then a "mysterious" call FAR CS:[AA91] on which depends a byte PTR[970C] that decides another final CALL... then the routine pops all registers and irets away. Ah! You say, and begin disassembling, reverse engineering and looking inside each suspect call (the quicker method in these cases is to breakpoint calls on entrance and see if you find the one that's only called at the awakening of the time limit protection). You work, and work, and work... and eventually find nothing at all, coz the protection of this program is NOT HERE! Back to the zen-analyze of the snap printings... we forsake it too soon, as you will see. If you watch with more attention the compare locations for the range DS:0 DS:FFFF you 'll notice that one of them changes relatively slowly from 0 to 1 to 2 to 3 and so on... the precedent location changes very quickly, and runs the complete cycle 0...FF. That's a counter, at locations DS:0009 and DS:000A! How long will it tick along? Well, we saw above that the "charge" every second is 3C, so it will be x3C*x78=x1C20, coz x78 is 120 seconds, i.e. the two minutes time limit. Now search this 1C20 value around inside the code (protections are most of the time at the beginning of the CS:offset section), and you 'll find quickly what follows: The protection in [pooldemo.exe] is at code_locations CS:0A8A 813E20A7201C CMP WORD PTR [A720], 1C20 compare location A720 with limit 1C20 CS:0A90 7C07 JL okay_play_a_little_more CS:0A92 E834FD CALL beggar_off_time_is_up BINGO!: FOUND! Now let's quickly crack it: ------------------------------------------------ CRACKING POOLDEMO.EXE (by +ORC, January 1996) ren pooldemo.exe pooldemo.ded symdeb pooldemo.ded - s cs:0 Lffff 81 3E 20 A7 20 1C xxxx:yyyy <- this is the answer of the debugger - e xxxx:yyyy+5 4C <- this time limit is much better - w - q ren pooldemo.ded pooldemo.exe ------------------------------------------------- We have done here a "weak" crack: we limited ourselves to accept a (better) time limit, changing it from 1C20 to 4C20 (4 minutes instead of two). We could obviously have done a more radical crack if we had changed the JL (jump lower) instruction in a JMP (jump anyway) instruction. In this case it would have worked, but for reasons that will be explained in lesson 4, you should choose a rather delicate approach in cracking when you deal with time-limit protection schemes. As you have seen, in this artificial cracking session we found the protection scheme after a little snooping around. But, as you will see in the hands on part, there are always MANY ways to crack a single protection scheme. You could -for instance- have found this protection the other way round: set a trace on memory range for the program, restricting the trace to the first part of it (say CS:0 to CS:1000, if you do not fetch anything you can always try the other blocks). Breakpoint at the nag screen, have a look at the last 300-400 backtraced instructions, if you did not move anything, everything will follow a repetitive pattern, until the protection snaps on: ... JL 0A99 CMP BYTE PTR [A72A],01 ... JL 0A99 CMP BYTE PTR [A72A],01 ... for ages and ages and then... ... JL 0A99 E834FD CALL 0759 <- BINGO! (CALL beggar_off_time_is_up) ... there it is, found the other way round. (But this apparently better method is unfortunately very unstable: it depends on your timing of the breaking in and on the distance between protection and nag screen, therefore the somehow more complicated, but more sure previous one should be favoured). The reason why "minimal" approaches in cracking are often more successful than heavy vector_cracking, is that the programs are hardly ever "overprotected", and therefore the protections are seldom difficult to find (and those that are really worth cracking for study reasons). Sometime you don't even need to crack anything at all! Some applications are fully functional -per se-, but have been crippled in a hurry in order to release them as demos. The commercial programmers want only money, do not even try to understand our zen ways, and do not care at all for a well done job. That means, among other things, that the hard disk of the user will be cluttered with files that the main program module never calls. A typical example of this sloppy method is the demo of [Panzer General] from SSI that appeared in the summer '95. This was in reality no less than the complete beta version of the game: you just had to substitute to one of the two "allowed" scenarios one of the 20 or more scenarios of the beta version in order to play them freely... you didn't ever need to crack! The pooldemo crack example above should not discourage you from cracking intuitively. Be careful! Perform a thoroughly zen_analyze before attempting deeper methods: do remember that you want to crack the protection scheme SOMEHOW, and not necessarily following the same line of thought that the programmer eventually WANTED YOU TO CRACK IT with. Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 2: tools and tricks of the trade --------------------------------------------------------------------------- [INDY.EXE] -------------------------------------- LOST IN THE DARK CODEWOODS When you break into a program you end up in portions of code that are unfamiliar to you. It is also not uncommon for the breakpoints to occur outside of the confines of the program you want to crack. Getting your bearings is, in these cases, very important. One of the handiest utilities is the memory dump tool -it tells you where all the device drivers and TSR are loaded, in which memory locations the program you are cracking dwells, how much memory is left and what the next program load point is. The tools you use should report on the following: - the contents of interrupt vectors - the state of the BIOS data area, beginning at address 40:0 - internal structures within DOS, such as the MCB chain, the SFT (System File Table) chain, the chain of installed device drivers, the PSPs and memory allocations associated with installed TSRs - memory allocation statistic from XMS and EMS drivers When seeking to understand a section of foreign code, you must be especially careful to seek the real intent of the code. Consider using a profiler prior to undertaking an analysis of an unfamiliar program. This will help you by ensuring that you don't waste time studying sections of the program that aren't even involved in the protection scheme you are chasing down. Using a utility that charts a program's calling hierarchy can give you an important perspective on how your babe conducts its internal operations. YOUR DEBUGGER: YOUR FAVOURITE TOOL First and foremost, your debugger must be designed for use with resident modules (or must be itself a resident module). Trying to crack with simplistic [debug.com] is a sure way to get absolutely nowhere. We recommend Softice.exe from Nu-Mega technologies (Version 2.6 [S-Ice.exe] has been cracked by MARQUIS DE SOIREE and its vastly available on the Web). You could also use [Periscope] or [Codeview] or Borland's Turbodebugger... all these programs have been boldly cracked and/or distributed and are now on the Web for free... learn how to use YAHOO and find them. In emergency cases you could fix some quick crack using [debug] or [symdeb], but, as said above, most of the time these older debuggers won't do. I'll nevertheless ALWAYS give the final crack procedure for [debug.com], in order to permit even lusers to crack programs. When you first smell a protection, it can be tempting to immediately begin your crack using invasive types of techniques. While there is certainly nothing wrong with this approach, provided that you are fairly familiar with the protection scheme used, going in too deep too soon can be a problem when you don't have a strong hunch. Most of the time you'll end up missing important details. So first of all sit down and ponder... that's the zen-way, the only one that really works. Single-stepping is expensive, not only because of the time it requires but also because of the amount of detail with which you must contend. Your immediate goal is to home in on the protection scheme through a series of successively refined traps, your broader aim is to get an overview idea of the program's action... the wise use of breakpoints will condense these minutiae into an understandable form. The first step is to try to identify the section of the program where the protection scheme is snapping. Once you are able to isolate a certain section of a program, breakpoints can be used to gather a trace history of the program's execution. If your debugger sports a backtrace buffer, logging window, or similar feature, by all means learn how to use it. The debugger it's your best weapon, you must know all the possibilities it offers and all the capabilities it possesses. Having a debugger's display output echoed to a printer is another possibility. Using breakpoints is beneficial for two basic reasons: speed and reduction of detail. Manual single-stepping is invaluable when you are close to the protection scheme, but too much of it will bore you to death. When selecting breakpoint locations and the types of breakpoint to use, it is important to step back once more, drink a cool Martini-Wodka (use only Moskovskaja: non-russian Wodkas are appalling) and ask yourself: "What is this going to tell me?" and "What else will I need to know once the break occurs?". MOST IMPORTANT OF ALL: "Is my current cracking approach the simplest and most direct?", coz you do not want to waste precious cracking time. When devising a set of breakpoints it is wise to consider how "a trail of bread crumbs" can be left. Not allowing for an execution chronicle from the start can mean having to restart a cracking session. Setting breakpoints on certain software interrupt calls is an excellent way to get an overview of a program's operations. The INT_21 DOS services interrupt is probably the most universal useful of these, with BIOS interrupts such as the INT_13 (BIOS Disk services) and INT_16 (BIOS keyboard services) useful for specific cracking. When working with a debugger, evaluative breakpoints are usually your best shot. To avoid having to deal with a plethora of calls, you would want to have a debugger capable of being told to "break on any INT_21 call except where AH == 2C or AH == 0B". A real understanding of the working of a program is surely important, but don't overdo it! To reverse-engineer even a small program can involve many hours of analysis and documentation work. If you'll not be able to use the zen-cracking techniques described in this tutorial (sadly not everybody can) pace yourself and make sure your chair is comfortable: you'll be sitting for quite a spell. Much of the work involved in reverse-engineering consist of chasing down tentacles. In order to understand the operations of one function, you must understand what happens within each of the functions it calls- its child functions. To understand these child functions you must study their children; and so on down the calling hierarchy tree. Then there is the data. Tracing tentacles based on a program's calling hierarchy is a directed process. Each function you encounter is basically a list of other functions you must reckon with. When it comes to analyzing a function's interrelationship with the program's data structure, no such list is provided. You must have instinct, feeling and luck. Data analysis requires more of a broad-based inquisition. For each memory variable you are interested in, you must survey all functions to determine which ones read and write that variable. The use of memory conditional breakpoints and of a disassembler that builds a cross-reference table can make this task a lot easier. (Use Sourcer! It's a fairly good tool and version 4.08 of [sr.exe] has been long ago cracked and distributed on the Web). ALL SYSTEM CALLS IN ONE LOCATION Remember that if the program you are cracking was written in assembler in the first place (very unlikely knowing the laziness of to_days programmers), system calls are probably made directly from the functions which need them. But when a program is developed in a high-level language, it is more likely that common library functions will be used for many operations involving system calls. When a program makes all of its INT_21 calls from the same location, you know that this is certainly the case. Now, what happens sometimes is that the programmers write the whole application in a overbloated language like C++, but are afterwards compelled to "speed up" critical sections of the code writing them in assembler. And loo! A section where you repeatedly find assembler crafted patches is precisely the protection scheme! So you could have a program with all INT_21 calls from the same location but for one or two calls which are coming out of the section where the morons have "hidden" their protection strategy. By just "looking" at the dead code of a program, you should be capable to tell wich parts have been "added on" in a later phase. They presents themselves as unevenness and irregularities, especially if you use an utility that represents graphicallly the code of a program. Protections are often added on at the end of the development. Should you determine that the system calls relevant to your cracking are made from common library functions, all is not lost. The specific function from which these library calls were made, the function you are seeking to locate, is executing at some point in between these calls. Break in with your debugger at the end of the first system call, just where it is returning to the point of call. From there, trace through the remainder of the common library routine until it returns to its caller. In short order, you should find yourself in the function you need to see. The trick is to be able to identify it for what it is. ASCIIZ IN CODE In the interest of gaining an overall familiarity with the program you want to crack, it can be enlightening to use a hex dump utility to examine the message strings contained within the program's binary modules. If the program happens to load its message strings from separate files, your search has just been simplified. Your debugger's memory-dumping feature is one tool that can be useful for this type of exploration. You could also construct a filtering program, which would read a binary file and output all sequences of bytes that are comprised of displayable characters and are over a certain minimum length (the best cracker tools are often the ones you write yourself). When a protection scheme is marked by the issuance of a specific message on the screen, you could go into the program and locate the code that emits this message, and then determine what triggers it. A good way to start the location process is to see if a system call is used to display the string. Interrupt INT_21, INT_10 or INT_29 are usually used to display text messages to the console. When the message's display is not a result of one of these system calls, direct video writing is probably being used. If you know the screen location used, and if that part of video memory is not used for anything else at the time (a big if), a memory write breakpoint could be set on the video buffer address corresponding to the first character's position. If this won't work, use the step-over/step-around tracing technique while watching for the message to appear. Now you found it: from a disassembled listing, you locate the address of the message string and then survey the reminder of the file for any instructions that reference this address. [Sourcer] can generate labels for specific memory locations and a cross-reference table showing where these labelled locations are referenced. Otherwise, load the disassembled listing file into your editor and use its search capabilities. Manually searching for such things in a listing will make you old before your time. CODE AND DATA When stepping through code at the assembler level, watch out for interrupt calls that are followed by data. Sometimes you will find an interrupt call, typically within the range INT_34 to INT_3F, where several bytes immediately following the interrupt instruction will be data rather than code. Be especially suspicious of this type of code-and-data mixture when your debugger's disassembly output of the instructions immediately following an interrupt call doesn't make sense. Sometimes you can determine the offset of the next true instruction by inspecting the following code and data. In other cases, you will have to trace through the interrupt call to see how it accesses the data following the interrupt call instruction and how it manipulates the return address on the stack. HOOKED VECTORS Seeing what interrupt intercepts already exist within a system before running the program you want to crack, as well as what interrupt handlers are established by the target program, can provide useful clues. For example, if a protection establishes an INT_09 intercept just before the snapping of a keyboard verification routine, your range of suspects has just been narrowed significantly. To study the interrupt vector activities of an application, a vector dump map utility is useless. It can't be run while running the application you want to crack. One solution is to run the program under a debugger and watch for system calls to INT_21 functions 25h (set interrupt vector) and 35h (get interrupt vector), but in the event that the program reads and writes interrupt vectors directly, this method will not give you a complete picture. Normally you'll use a spy, trace or "step" utility. APPLYING A MEMORY WRITE BREAKPOINT TO A SPECIFIC VECTOR OR TO THE ENTIRE TABLE is another way to deal with this. Note that some sort of direct vector writing must be occurring if a vector change is detected between system calls. If a vector change is detected during a system call but it isn't function 25h of INT_21, suspect that an IRQ handler may be effecting the change. LITTLE TRICKS OF THE TRADE: * determining interrupt vector addresses **************** How do you determine the interrupt vector addresses? As example let's find the address of the INT_21 interrupt vector. Since the interrupt vector table starts at address 0000:0000 (easy to remember, isn't it?) and there are four bytes per vector, the basic process is to multiply the interrupt number four times and use the result at the offset (on segment zero). 21h + 21h = 42h 42h + 42h = 84h The int_21 vector is located at address 0000:0084 You could also use a calculator, for instance, the address of INT_63 is 63h*4=18ch -> 0000:018C * address conversion *************************************** After a painstaking cracking session, you have finally determined that a byte of memory at address 6049:891C is the trigger. But when you isolate the offending instruction, you find that the address it is generating when the protection occur is different, being 6109:7D1C instead! How can this be? An 80x86 type CPU, when running in real or VM86 mode, uses what is known as segment:offset type addressing. One side effect of this addressing method is that one physical address can be equivalent to many different segment:offset addresses. To find the PHYSICAL ADDRESS for a given segment:offset do the following: - convert the segment portion of the address to a 1-based number by multiplying it by 16 (x10)... it's easy: add 0 at the right end of the number!... 6049 -> 60490 6109 -> 61090 now all you have to do is to add this value to the offset value 60490+891C -> 68DAC 61090+7D1C -> 68DAC <- Got it? And the other way round? If you have a physical address, say 19AC3, and you want to obtain a segment:offset address you must first of all decide in which segment you want the address... if, say, you choose segment 16CC, you proceed as follows: 16CC -> 16CC0 19AC3-16CC0 = 2E03 (offset) address for 19AC3 in segment 16CC = 16CC:2E03 TOOLS OF THE TRADE Before starting this section, for those of you that do not know anything, here is the ARCHIE way you get all the program that do EXIST on the planet: e-mail following 1) (address) archie@archie.univ-rennes1.fr I use this french archie, but you can get a worldwide list using the metacommand "servers" 2) (text) set search sub <- anywhere in string set maxhits 140 <- (100-1000) set maxhitspm 15 <- not just 1 file all over find stepdos <- search e.g. this file Wait two hours, get your post and ftp the file you wanted (and YES!, you 'll find also EVERYTHING else for free on the Web). You could, instead of using archie, also learn how to use YAHOO. [MEMSCAN.EXE] One of the most fascinating tools that I have ever seen is a (very old) program: MEMSCAN.EXE. This program was originally written in 1988 by Scott A. Mebust, running in CGA. It's a "visual" utility: it enables you to see graphically the 1-meg of PC memory in 8 kbyte chunks. It's a powerful tool in order to locate quickly bit mapped graphics and other 'objects' in memory, like program data tables, stack areas, code areas, available RAM, etc. I used this great idea to create (in C) my own tools: a "dead_programs scanner" and an ameliorate version of Memscan itself. Looking at the VISUAL STRUCTURE of a program it's a great help when you'll crack higher levels. [TRACKMEM.COM] A very good tool by James W.Birdsall, tracks memory usage of programs (EMS, XMS, conventional). [SCANCODE.COM] "THE" scancode lister, by the code_masters from clockwork software. The must utility for crackers that do not learn all scancodes by heart. [MAP.EXE] Actually "MAP2", THE memory mapper from the code_masters at clockwork software. It's a very good tool and an interesting one too, coz you get it with the "Nigel" nag screens. They are not difficult to remove (a "passletter" protection scheme, you'll learn how to find and remove it from [Map.exe] in LESSON 3.2). [FILEDUMP.COM] [HEXDUMP.COM] [TDUMP.EXE] [DUMP.EXE] There are hundred of file dump utilities, coz file dumping is one of the first exercise they learn you at C-school. Hexdump.com is 558 bytes long, Tdump.exe 120.704, pick the one you like better or write your own (even better). Filedump.com, by Daniel M.O'Brien, 1046 bytes long, it's nice. [SPRAY.COM] That's a good crack utility indeed! This 1989 program by Daniel M.O'Brien gives you a "post-mortem" picture of your memory. You redirect it to and study it at ease. It's difficult to say how many hours of cracking it did spare me (you should study the program, only 252 bytes long, and will have to modify it a bit, coz it's pretty primitive, in the original version, for instance, the redirection to the printer works only if there is NO SPACE between "spray" and ">"). [VEXE.EXE] A good EXE files analyzer, useful for windows programs too (see --> LESSON 7). Some of its functions are present in TDUMP.EXE too. This 1991 program by S.Krupa it's sometimes very useful. [SNOOP UTILITIES --> KGB.EXE INTMON.EXE INTRSPY.EXE etc...] [TRACE UTILITIES --> TRACE.EXE STEPDOS.EXE etc...] A must to study the "calling hierarchy" of an unknown program. KGB.EXE, a 1992 program by Petr Hor…k could easily be the best one, and comes with source code(!). I'll teach you how to crack without any of them (you do not need them if you zen- crack), but they can nevertheless be very useful in some situations. Stepdos.exe, by Mike Parker, is a excellent program: a pleasure to crack in order to use it for slightly different purposes :=) [SOURCERING UTILITIES] SR.EXE can be used for sourcering unknown programs. It's a fairly good sourcering tool. Version 4.08 has been cracked (it's a "ORIGINAL NUMBERCODE" protected program) and distributed on the Web, so you should easily find it. This said, you should NEVER use such a brute force approach, unless you are really desperate: I'll teach you how to crack without sourcering (you don't need to sourcer if you zen-crack). [HEXEDITORS] Every idiot has written at least one hexeditor, and you can find very bad tools everywhere (the SIMTEL collection, on the Web, lists at least 35 hexeditors). I suggest you write your own and contribute to the flood, or (better) get PSEDIT.EXE, a good 1990 program by Gary C. Crider (Parity Solutions, 1903 Pavia Ct. Arlington, TX 76006... sometimes even americans can write good programs). If you do use it (as you should) disapt the nag screen as small exercise in cracking. [DEBUGGER] Your best friend in cracking, your weapon, your hidecloak... I suggest [Softice.exe] from Nu-Mega technologies (Version 2.6 has been cracked by MARQUIS DE SOIREE and its vastly available on the Web). You could also use [Periscope] or [Codeview] or Borland's Turbodebugger... all these programs have been boldly cracked and/or distributed and are now on the Web for free... learn how to use ARCHIE and YAHOO in order to find them. Your debugger is the only tool you 'll REALLY need, believe me. So choose your weapon wisely and learn how to use backtrace ranges and (FOREMOST!) breakpoint on user written qualifications routines. You 'll be able to crack almost EVERYTHING using these features in the right way. You should get all the programs mentioned above (all the programs that EXIST for that matter) for free on the Web. Use them, but also modify them recklessly! REMEMBER THAT YOU ARE (GOING TO BE) A CRACKER! The first programs you should crack and modify are therefore your very tools! So steal the code of the best tools you find! Snatch the best routines and change them for the better! That's the whole point in cracking: a mission to IMPROVE the best accomplishments of humanity's genius :=) HOW TO CRACK, ZEN-CRACKING You 'll learn, beginning with next lesson, how to crack systematically the different protection schemes: paper & password protections, time protections, access protections. At the end of the "methodolocical" part, you'll be able to deprotect programs, but you still wont be a cracker. In order to crack higher you must use what I call (lacking a better definition) "zen- cracking". I 'll give you right now an example of this, so that you know what I'm talking about, but -unless you are already capable- you'll have to finish this tutorial part for "normal" cracking before attempting this techniques. Let's zen-crack together a password protection scheme (aka "paper protection", coz you need the original manual of the program in order to answer). This protection is based on the typing, at the nag screen, of the correct sequence of numbers. Our example is a game for the reasons explained in lesson 1, but you 'll find the SAME protection scheme in the access protection procedure of some old Tapestry networks... so do not frown upon games protections. INDIANAPOLIS 500, Papyrus software & Electronic Arts, 1989 It's a rather widespread program, you should therefore find it pretty easily. The nag screen asks for data based on the historical performances of race cars... that means that the answers will consist in two to three digits. Now, the normal way to crack such a program (described in -> lesson 3.1) embodyes following steps: - snap save program memory areas before typing your answer - snap compare after typing, say, "666" - search for the sequence 36,36,36 (i.e. 666) - breakpoint on memory range for reading - look at the program part fetching your data - find the snap procedure - disable it. The above crack it's relatively quick and should be most of the time fairly effective, but there is a better way: the "zen way", the only one that can really enable you to crack high protection schemes. - Run the program and break in at the nag screen - Answer consist of 2-3 digits? Search for "AC" (i.e. the instruction LODSB, load digit of answer in AL) in the area 500 bytes BEFORE and 500 bytes AFTER your position. You'll get some locations. (In the case of INDY 500 you get 6 such locations). - "feel" the locations (that's the tricky part). - OK, you already made it! Here is the protection strategy: 8BBF28A5 MOV DI,[BX+A528]<-- DI points to coded data area :compare_loop AC LODSB <-- load first digit of answer in AL B4FF MOV AH,FF <-- load mask in AH 2A25 SUB AH,[DI] <-- sub coded data from mask and get real answer 47 INC DI <-- ready to get next coded data 3AC4 CMP AL,AH <-- user answer = real answer ? 751A JNZ beggar_off_coz_false_answer 0AC0 OR AL,AL <-- more numbers? 75F2 JNZ compare_loop 59 POP CX <-- all OK, go on, nice guy ... And if the protection scheme had been more far away? And if you cannot "feel" the right one? And if my grandma had wheels? You'll learn it, believe me. Now let's quickly crack this crap. ------------------------------------------------ CRACKING INDY.EXE (by +ORC, January 1996) ren indy.exe indy.ded symdeb indy.ded - s (cs+0000):0 Lffff B4 FF 2A 25 47 3A C4 75 1A xxxx:yyyy <-- this is the answer of the debugger - s (cs+1000):0 Lffff B4 FF 2A 25 47 3A C4 75 1A (nothing, but you must be sure there isn't a mirror) - e xxxx:yyyy+8 00 <-- "JNZ 1A ahead" changes to "JNZ 0" - w - q ren indy.ded indy.exe ------------------------------------------------- Cracked: you just changed the JNZ beggar_off instruction in a JNZ go_ahead_anyway. Nice, isnt'it? WHY WE CRACK Strange as it may seem, the reasons for cracking are very important for the success of our task. We (at least we old crackers) crack AGAINST society, and OPPOSING laws and conventions. We usually DO NOT crack for money or for other "commercial" reasons (just sometimes, and we are expensive: I have plenty of money already and my services are VERY expensive if you need an aimed deprotection). But in general we don't care much for money and -as you can see- I am giving away the basis of what I know for free with this tutorial. The programs we crack should be made free for everybody, even if we spent some of our time deprotecting them. We could not care less of the commercial value of a given program, not to mention the holy work of the ethical programmers... we program ourselves, but only because we LIKE it... if somebody does something only in order to gain money, he does not deserve anything. It's the mind challenge that counts, NEVER the profit! (Even if you can make good use of the cracked programs and even if -as I said- there is at times a personal profit). This is an indispensable attitude! Only a non-mercantile mind can leap forward to the "satori" knowledge that you desperately need if you want to crack quickly and elegantly huge iperbloated monstruosities that somebody else wrote and protected, or if you want to gain access to some hidden information, data that you would like to snoop but that somebody declared "off limits", coz a stupid government, or useless industry sector, or money oriented programmer or dirty lobby of interest decided it. If you do accept the society where we are compelled to live, its awfully egoistic way of life and its dirty "profit" values, you may eventually learn how to disable some simple protections, but you'll never be able to crack in the "right" way. You must learn to despise money, governments, televisions, trends, opinion-makers, public opinion, newspapers and all this preposterous, asinine shit if you want to grasp the noble art, coz in order to be emphatic with the code you must be free from all trivial and petty conventions, strange as it may sound. So you better take a good look around you... you'll find plenty of reasons to hate society and act against it, plenty of sparks to crackle programs in the right way... Hope all this did not sound too cretin. Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 3.1: hands on, paper protections (1) --------------------------------------------------------------------------- [UMS.EXE] [LIGHTSPD.EXE] [GENERAL.EXE] -------------------------------------- SOME PROBLEMS WITH INTEL's INT The INT instruction is the source of a great deal of the flexibility in the PC architecture, because the ability to get and set interrupt vectors means that system services (included DOS itself) are infinitely extensible, replaceable and MONITORABLE. Yet the Int instruction is also remarkably inflexible in two key ways: - an interrupt handler DOES NOT KNOW which interrupt number invoked it. - the int instruction itself expects an IMMEDIATE operand: you cannot write MOV AX,x21, and then INT AX; you must write INT x21. That would be very good indeed for us cracker... unfortunately many high level language compilers compile interrupts into PUSHF and FAR CALL instruction sequences, rather than do an actual INT. Another method is to PUSH the address of the handler on the stack and do RETF to it. Some protection schemes attempt to disguise interrupt calls, 1) camouflaging the code, 2) putting in substitute interrupt instructions which look harmless and modifying them "on the fly" or 3) replicating whole interrupt routines inside the code. This is particularly frequent in the various "disk access" protection schemes that utilize INT_13 (the "disk" interrupt) and will therefore be thoroughly explained in -> lesson 5. A LITTLE BASIC ASSEMBLER In order to understand the protection schemes and to defeat them, you must acquire a passing knowledge of assembler, the "machine language" code. You can find a lot of good, well explained code for free: viruses are one of the best sources for good "tight and tricky" assembler code. You can find the source code of almost all viruses on the web: oddly all the would be hackers seem to have an aberrant passion for this kind of stuff instead of studying cracking techniques. But there are millions of lines of good explained "commercial" assembler code on the net, just fish it out and study it: the more you know, the better you crack. I'll restrict myself to some observations, sprinkled throughout this tutorial. Let's start with some must_know: ------------------------ STRINGS ---------------------------- The string instructions are quite powerful (and play a great role in password protection scheme). ALL of them have the property that: 1) The source of data is described by the combination DS:SI 2) The destination of data is described by the combination ES:DI 3) As part of the operation, the SI and/or DI register(s) is(are) incremented or decremented so the operation can be repeated. ------------------------- JUMPS ----------------------------- JZ ero means what it says JNZ ero means what it says JG reater means "if the SIGNED difference is positive" JA bove means "if the UNSIGNED difference is positive" JL ess means "if the SIGNED difference is negative" JB elow means "if the UNSIGNED difference is negative" JC arry assembles the same as JB, it's a matter of aesthetic choice CRACKING PASSWORD PROTECTED PROGRAMS Refer to lesson one in order to understand why we are using games instead of commercial applications as learn material: they offer the same protection used by the more "serious" applications (or BBS & servers) although inside files that are small enough to be cracked without loosing too much time. A whole series of programs employ copy protection schemes based upon the possess of the original manual or instructions. That's obviously not a very big protection -per se- coz everybody nowadays has access to a photocopier, but it's bothering enough to motivate our cracks and -besides- you'll find the same schemes lurking in many other password protected programs. Usually, at the beginning of the program, a "nag screen" requires a word that the user can find somewhere inside the original manual, something like: "please type in the first word of line 3 of point 3.3.2". Often, in order to avoid mistakes, the program indicates the first letter of the password... the user must therefore only fill the remaining letters. Some examples, some cracks: --------------------------------------------------- UMS (Universal Military Simulator) version 1 by Dr Ezra SIDRAN (c) 1987 Intergalactic Development European Union: Rainbird Software United States: Firebird Software --------------------------------------------------- This very old EGA program is one of the first I cracked in my youth, and it's very interesting coz it employs a very basilar protection scheme (a "PRIMITIVE"! More than 80% of the protection schemes used to day (January 1996) are directly derived from one of the 12 primitives. The nag screen snaps at the beginning and keeps indefinitely asking your answer, only the use of CTRL+C will bring you out of it, back to DOS. That's a clear sign of older protection schemes: newer schemes let you in for only 3 attempts or even only one, and pop out to the OS if you fail. In UMS, besides, there is no "first letter" aid, a later improvement. The cracking procedure for password protected programs is, first of all, to find out where are stored the letters that you type in. So examine your memory map, find out where the program dwells in memory, do a snap save of these memory areas and a series of snap compares as you type your password in. Strangely enough, in the case of UMS, as you type your password there seems to be no difference at all in the memory locations where this program dwells... yet the data must be somewhere... Usually such a situation is a clear sign that an hooked interrupt is used to hide the data. Checking the hooked vectors you find out the following: vecs 00, 02, 22 are hooked where needs be vecs 34-3D are hooked at xxxx:0 vec 3E is hooked at xxxx:00CA Ha! Let's have a closer look at this bizarre 3E hook. Let's search for some words used in the nag_screen and then let's dump the area where we find them (in UMS that will be at 3E_hook address + 7656) and loo! You'll see the content of the nag screen and, immediately afterwards, ALL the passwords "in extenso", i.e. not encoded, not scrambled, nothing at all... THERE THEY ARE (that's a very old protection scheme indeed). You could now, for instance, easily patch all the different passwords to (for instance) "PASS", and this would work... it's a very primitive protection, as we said, nevertheless the use of a hooked vector as hiding place for the protection code is not yet obsolete... we'll find it elsewhere, in many "more modern" programs. Now let's go deeper and examine the "compare" mechanism, we want to crack, here, not just to patch. Password protected programs (and access protection routines for server and BBS, for that matter) have quite a lot of weak points. The most obvious one (you 'll find out the other when you'll high crack) is that they MUST compare the password of the user with the original one(s). So you do not need to steal a password, you just need to "ear" the echo of the original one in the memory locations used for the compare, or, and that's more correct, to crack the compare mechanism itself so as to make it let you in even with a totally false password. The compare mechanism of UMS can be found setting a breakpoint on the memory range that covers the three locations where the password is stored (and you 'll find these with your search capabilities and with a pair of snap compares): ES:0F8E (here you 'll see a copy of the password that the program is asking) ES:0F5C (here you 'll see a copy of the password that the user types in) INT_3E hook_address + 7656 (here are all the possible passwords in extenso). Here is how the protection scheme looks out: MOV CX,FFFF Charge MAX in CX REPNZ SCASB Scan ES:DI (the user password) NOT CX Now CX holds the number of the character that the user typed in MOV DI,SI Real password offset to DI LDS SI,[BP+0A] User password offset in SI REPZ CMPSB Compares DS:SI with ES:DI (user password and real password) then snap out at CX=0 or at char_different, whichever comes first. Nice, we found the compare schema... how do we crack it now? There are many elegant solutions, but let's remain on a basic level... you look at the code that follows the CMPSB searching the "snapping schema"... here it is immediately afterwards (that's the case in most of the primitives). Remember: we sprung out of the CMPSB check at the first different char, OR at the end of the count of the user chars. Here it is what follows: MOV AL,[SI-01] loads in AL the before_different char of the user password (should be zero) SUB AL,ES:[DI-01] subs with the before_different char of the real password (should be zero) CBW zero flag set, "TRUE", if OK_match Well let's now look for the next JZ near (it's a "74" code) CS:IP 740D JZ location no_good Wait, let's continue a little... is there another check (often you have a double check on DI)... yes there is! CS:IP 7590 JNZ location no_good Cracking such a schema is very easy: you just need to substitute 75 to 74 and 74 to 75: transform your JZ in a JNZ and the JNZ in a JZ... now you will always pass, no matter what you write, unless you exactly guess the password! Now let's quickly crack it: ------------------------------------------------ CRACKING UMS.EXE (by +ORC, January 1996) ren ums.exe ums.ded symdeb ums.ded - s (cs+0000):0 Lffff 74 0D 1E B8 C2 3F (nothing) - s (cs+1000):0 Lffff 74 0D 1E B8 C2 3F (nothing) - s (cs+2000):0 lffff 74 0D 1E B8 C2 3F xxxx:yyyy (this is the answer of the debugger) - e xxxx:yyyy 75 - e xxxx:yyyy+17 74 - w - q ren ums.ded ums.exe ------------------------------------------------- In the debug/symdeb crack above we use as search string the bytes comprising and following immediately the first JZ. I know, I know... we saw them in [Soft-ice] and we could have modified them there, but I'm teaching also pupils who may not have [Soft-ice]. Note that the program is x431A0 bytes long, and therefore has a BX=4 sectors adding to the CX=31A0 in the initial registers... that's the reason I wanted to examine all the sectors (even if I knew that the snap was in sector (cs+2000): that's good practice! If you do not find your string in the first sector you must search for it in the next sectors, till you find it, coz in many programs there may be MORE THAN ONE repetitions of the same schema (more about this double check later). That's it, pupils, that's the way to crack old [UMS.EXE]. Let's go over, now, to more elaborate and more modern password protection schemes. -------------------------------------------------------- LIGHTSPEED, from Microprose (we crack here version 461.01) -------------------------------------------------------- This program, released in 1990, operates a more "modern" variation of the previous scheme. You 'll find this variation in many access routines of remote servers (and this makes it very interesting indeed). Let's begin as usual, with our hooked vectors examination and our snap compares. Hooked vectors: 00, 08, 1B, 22, 23: nothing particular. The snap_comparisons of the main memory area -as you type the password in- gives more than six pages of changing locations... that's clearly much too much to examine. What now? Sit down, have a Martini Wodka (I'm afraid that only Moskovskaja 'll do) and meditate. Get the memory map of the program's layout. Start anew: snap_save (before typing anything in). Type as password "ABCDE". Get the print of the snap compares. Sit down, sip Martini Wodka, relax. You know that the code for A is x41, for B x42, for C x43 and so on... and in the snap_compares, that you made between letters, you 'll have only some locations with these values changing. Focus on these. You 'll soon enough find out that for LIGHTSPEED absolute location (in my computer) 404307, i.e.: relative locations (in my computer) 30BE:F857 or 4043:0007 evoke the characters you type, i.e. something like ----------------------------------------------------- F855 F856 F857 F858 F859... 41 3E first_ready_letter your_1st_letter your_2nd_one... ----------------------------------------------------- Inspecting the same prints, you 'll find out that absolute location 30C64 (imc) or relative location 30BE:F83E evokes the LAST character you typed in. The relative code line is: CS:0097 MOV AX,[BP-08] where SS:F83E = 00+letter_code Now breakpoint at these locations and investigate what's going on (for instance, the instruction that follows is CS:009A MOV [BX], AX and this means that the code of the letter you just typed in will be now copied in BX=F85A. What else can you do? Time to use a little intuition: look for an instruction "CMP AX,000D", which is the typical "IF the user hits ENTER then" instruction, coz "x1D" its the ENTER keystroke. This must be somewhere around here. Ha! You 'll soon enough find the line CS:0073 3D0D00 CMP AX,000D And now the way is open to the crack. But YOU DO NOT NEED ALL THIS! Since the password protection schemes are -as I told you- all more or less the same, I would suggest that you use first of all following trick: in the largest part of the program (use memory map to see where the program dwells) search the "F3A6" sequence, that's instruction REPZ CMPSB. In the case of Lightspd you 'll get as answer FOUR addresses with this instruction: (pgsg=program main segment) pgsg:C6F9 pgsg:E5CA pgsg:E63E pgsg:EAB0 There you are! Only four... have a short look at each of them: you 'll see that the second one (pgsg:E5CA) is the "good" one. The compare mechanism in this program of 1990 it's more or less the same as in 1987'UMS (and do believe me: the same mechanism is still in use to day (1996)! B9FFFF MOV CX,FFFF charge Max in CX F2AE REPNZ SCASB this scans ES:DI (the original password) F7D1 NOT CX so many chars in the original pw 2BF9 SUB DI,CX change DI for compare F3A6 REPZ CMPSB compares DS:SI with ES:DI (real pw with user pw) then snaps out at CX=0 or at char_differs See how easy? They all use the same old tricks the lazy bastards! Here the section is preceded by a small routine to lowercase the user password, coz the original muster is always lowercased. Now you would like, may be, to breakpoint at one of these locations, in order to stop the program "in the snap area" and inspect the snap mechanism... that WILL NOT DO with a "fixed" breakpoint, coz these locations are called by the snap with a different segment:offset numeration as the one you found (that's old dos magic). So you MUST first set a memory_read/write breakpoint on these locations, and then get at them at the snap. Now you can find out the segment:offset used by the snap and only now you'll be able to set a fixed breakpoint (for instance on the NOT CX instruction). Now run the program and breakpoint in: have a dump of the ES:DI and see the original password. How nice! We have now the original password in extenso in our memory dump window. That's the "echo". By the way, there is a whole school of cracking devoted to find and use these echoes... we work on different paths, nevertheless password fishing can be interesting: where are the password stored? From which locations do they come from? A common practice of the protectionists is to hide them in different files, far away, or in hooked vectors, or in SMC parts. This is a program of 1990, that differs in respect to UMS: the passwords are not "hidden" inside a hooked vector, coz that's a pretty stupid protection: any hexdump utility would still permit you to see them. Here the passwords are encoded (albeit in a very primitive manner): looking for them (with memory range breakpoints) you'll quickly find a section of the program code that looks like this: sg:0118 8C 91 9D 95 9B 8D 00 B8 EC 94 9B 8D 8F 8B 9B sg:0128 94 9B 8D 00 AE EC 9C 9B 8A 9B 86 00 A9 EC 91 This is a typical encoded matrix, with clear 00 fences between the encoded passwords. Ha! If all codes where so easy to crack! This is no better than children's crypt! It's a NEG matrix! And there is direct correspondence: 91=6F="o"; 92=6E="n"; 93=6D="m" and so on... Ha! Let's now leave the "hidden" passwords and proceed with our cracking... let's follow the snap procedure after the REPZ CMPSB instruction looking for the "jump to OK" instruction... F3A6 REPZ CMPSB ; compares DS:SI with ES:DI 7405 JZ preserved_AX=0000 <--- Here the first JZ 1BC0 SBB AX,AX ADFFFF SBB AX,FFFF :preserved_AX=0000 8BF3 MOV SI,BX 8BFA MOV DI,DX 5D POP BP CB RETF .... 83C404 ADD SP,+04 0BC0 OR AX,AX 7509 JNZ 0276 <------ And here it is! Now, remembering the UMS crack, you would probably want to change the JZ instruction in a JNZ instruction (you tried it on the fly INSIDE [Soft-Ice] and it did work!), the "74" with a "75" also. And then you would like to change the JNZ instruction in a JZ instruction... Please feel free to try it... it will NOT work! (You will not even find the second JNZ in the program code). You should always be aware of the SMC (self modifying code) protections: parts of the code my be decrypted "on the fly", as needs arise, by the program. The code you modify while the program is running may be different from the code of the "dead" program. Here we have a small "improvement" of the primitive: the same instruction is used as "muster" for manipulation of other parts of the program... if you do change it in a JNZ you get an overlay message and the program pops out with instability! You cannot easily modify the JNZ instruction either, coz the part after the RETF will be compiled "on the fly" by lightspeed, and you would therefore have to search the decryption mechanism and modify the original encrypted byte somewhere... and may be they do encrypt it twice... and then you must hack all night long... very annoying. So do the following: back to the snap, a sip of martini- Wodka and meditate: loo! The only thing that happens after the JZ, is the setting of the AX register to flag *FALSE* (AX=1... that's what the two SBB instructions do) if the snap went out with a non-zero flag... i.e. if you did not know the password. So let's nop the 5 bytes of the two SBB instructions, or, more elegantly, let's have a INC AX, DEC AX, NOP, INC AX, DEC AX sequence instead of the two SBB! There is a good reason to use a sequence of working instructions instead of a series of NOPs: recent protection schemes "smell" patched nops inside the program and trash everything if they find more than -say- three consecutive NOPs! You should always try to choose THE LESS INTRUSIVE and MORE "CAMOUFLAGED" solution when you crack! Eliminating the two SBBs we get our crack! No need to bother with the second JNZ either... the program will work as if you got the password if you have it AND if you do not (that's better as the previous type of crack -seen for UMS- when you crack computer accesses: hereby the legitimate user will not have any suspects 'coz the system will not shut him out... everybody will access: the good guys and the bad ones... that's nice isn't it?). Now let's quickly crack LIGHTSPD: ------------------------------------------------ CRACKING LIGHTSPEED.EXE (by +ORC, January 1996) ren lightspd.exe lightspd.ded symdeb lightspd.ded - s (cs+0000):0 Lffff 2B F9 F3 A6 74 xxxx:yyyy (this is the answer of the debugger) - s (cs+1000):0 Lffff 2B F9 F3 A6 74 (nothing, but do it nonetheless, just to be sure) - s (cs+2000):0 lffff 2B F9 F3 A6 74 (nothing, just to be sure, now it's enough) - e xxxx:yyyy+6 40 [SPACE] 48 [SP] 90 [SP] 40 [SP] 48 - w - q ren lightspd.ded lightspd.exe ------------------------------------------------- All this CMPSB is very common. Some programs, nevertheless, utilize a password protection scheme that is slightly different, and does not rely on a F3A6 REPZ CMPSB instruction. Let's analyze, for instance, the protection scheme used in the first version of Perfect general I from QQP-White wolf, July 1992. When you break in, at the nag screen, you are in the middle of the BIOS procedures, coz the program expects your input (your password, that's is). You 'll quickly find out (MAP MEMORY USAGE!) that [General.exe] dwells in two main areas; Setting breakpoints on memory write you 'll find out that the memory area "queried" by the protection mechanism is xxxx:1180 to xxxx:11C0 where xxxx represents the second of the memory segments where the program dwells. Now do the following (a very common cracking procedure): * Breakpoint on memory range WRITE for the small memory area touched by the program in querying you for the password. * Breakpoint TRACE on the whole memory range of the MAIN CODE. * Run anew everything It's already done! Now it's your intuition that should work a little: Here the last 9 traces (traces [!], not instructions following on a line) before the calling of the procedure sniffing your memory area: -9 xxxx:0185 7425 JZ somewhere, not taken -8 xxxx:0187 2D1103 SUB AX,0311 -7 xxxx:018A 7430 JZ somewhere, not taken -6 xxxx:018C 2DFD04 SUB AX,04FD -5 xxxx:018F 7443 JZ next_trace, taken -4 xxxx:01D4 E85500 CALL funny_procedure -3 xxxx:022C 803E8F8C11 CMP BYTE PTR[8C8F],11 -2 xxxx:0231 750E JNZ somewhere, not taken -1 xxxx:0233 9A0A0AC33E CALL procedure_that_sniffs our_memory_area Well, the call to funny_procedure followed by a byte compare "feels" fishy from very far away, so let's immediately look at this part of the code of [General.exe] :funny_procedure 803E8F8C11 CMP BYTE PTR[8C8F],11 750E JNZ compare_byte 9A0A0AC333 CALL procedure_that_sniffs 0AC0 OR AL,AL 7405 J2 compare_byte C6068F8C2A MOV BYTE PTR [8C8F],2A :compare_byte 803E8F8C2A CMP BYTE PTR [8C8F],2A 7504 JNZ after_ret B001 MOV AL,01 C3 RET You should be enough crack-able ;=), by this lesson, to notice immediately the inconsistency of the two successive instructions MOV 2A and CMP 2A, coz there would be no sense in comparing the "2A" in order to JNZ to after_ret if you just had the 2A set with the precedent MOV instruction... but the first JNZ jumps to the compare WITHOUT putting the "2A" inside. And "2A" is nothing else as the "*" symbol, commonly used by programmer as "OK"! This protection works in the following way (this is the above code explained): - compare holy_location with 11 - jump non zero to compare holy_loc with "*" - else call sniffing protection part - or al,al (al must be zero, else) - jump zero to compare holy_loc with "*" - if al was zero mov "*" inside holy_loc - compare holy_loc with "*" - if there is a difference then JNZ beggar_off_ugly_copier - else ret_ahead_nice_buyer Now let's quickly crack it: ------------------------------------------------ CRACKING GENERAL.EXE (by +ORC, January 1996) ren general.exe general.ded symdeb general.ded - s (cs+0000):0 Lffff 8C 11 75 0E xxxx:yyyy (this is the answer of the debugger) - e xxxx:yyyy+2 EB [SPACE] 09 - w - q ren general.ded general.exe ------------------------------------------------- And in this way you changed the JNZ to the cmp "*" instruction in a JMP to the mov "*" instruction. So no more nag screens, no more protections... serene, placid, untroubled [general.exe]. Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 3.2: hands on, paper protections (2) --------------------------------------------------------------------------- [TOP.EXE] [F19.EXE] [POPULOUS.EXE] [MAP.EXE] -------------------------------------- You have seen in the previous lesson that the use of a password protection, independently of the coding and hiding methods used to store them in memory, implies the use of a comparing procedure with the password that the user types in. You therefore have many options to begin your cracking work: - find the location of the user password - find the "echo" in memory of the real password - find the routine that compares both - find the passwords hideout and encryption type - find the go_ahead_nice_buyer exit or jump - find the beggar_off_ugly_copier exit or jump just to name the more obvious ones. In order to make things more difficult for us crackers, the protectionists have devised many counter-strategies, the more obvious ones being: - keeping the various part of the store/compare/hide routines well apart in code (no match for zen-cracking); - filling these routines with "bogus" compares, bogus jumps and bogus variables, in order to make things more difficult for the crack (no match for decent crackers); - disseminating the code with anti-debugger tricks, like INT_3 instructions or jumps in and out protected mode (no match for our beloved [Soft-Ice]); - trying to eliminate the need for passwords altogether letting the user input "one letter" or "one number" or "one image" as answer to some variable question. In this lesson I'll teach you how to crack these "passletters" protection techniques. Let's first resume the "uses" of a password protection: PASSWORDS AS PERMISSION TO ACCESS These passwords serve to acknowledge that a legitimate user is using the program. This is the type of password that you'll find, for example, protecting your user account on Compuserve, on Networks or even in ATM machines used by banks or corporations. These require a little hardwiring to crack: ATM passnumber protection schemes rely on an answer from the central computer (they do NOT verify only the three magnetic areas in the magnetic strip on the card). The lines between ATM's & their hosts are usually 'weak' in the sense that the information transmitted on them is generally not encrypted in any way. (Some banks use encrypted information, but this is fairly easy to crack too). So for ATMs you should do the following 1) cross over the dedicated line between the ATM and the host; 2) insert your computer between the ATM and the host; 3) Listen to the "normal" messages and DO NOT INTERFERE YET; 4) Try out some operations with a legal card, make some mistakes, take note of the various codes; 5) When you are ready insert a fraudulent card into the ATM. Now the following happens: - the ATM sends a signal to the host, saying "Hey! Can I give this guy money, or is he broke, or is this funny card invalid?"; - the microcomputer intercepts the signal from the host, discards it, sends on the "there's no one using the ATM" signal; - the host gets the "no one using" signal and sends back its "good, keep watching out if somebody comes by, and for God's sake don't spit out any money on the street!" signal to the ATM; - the microcomputer intercepts this signal (again), throws it away (again), and sends the "Wow! That guy is like TOO rich! Give him as much money as he wants. In fact, he's so loaded, give him ALL the cash we have! He is a really valued customer." signal. - the ATM obediently dispenses cash till the cows come home. All this should be possible, but as a matter of fact it has not much to do with cracking, unless there is a special software protection on the line... so if you want to work on ATMs contact our fellow phreakers/hackers and learn their trade... and please remember to hack only cash dispenser that DO NOT HAVE a control camera :=) PASSWORDS AS REGISTRATION This type of password is often used in shareware programs. When you register the shareware program, you are sent a password that you use to upgrade your shareware program to a complete and more powerful version. This method, used frequently for commercial applications, has recently been used quite a lot by many windows applications that come "crippled" on the magazines cover CD-roms, requiring you to telephone a hot line (and paying) in order to get the "unique key" to unlock the "special protection". It's all bullshit: we'll learn in the "how to crack windows" lessons how easy it is to disable the various routines that verify your entry. PASSWORDS AS COPY PROTECTIONS This type of password is often used for games and entertainment software. The password query does not usually appear any more at the start of the program, or as the program is loading. Instead, the password query appears after one or more levels are completed (this innovation was pioneered by "EOB I" and the "Ultima" series) or when the user reloads a saved game or session. DONGLE PASSWORDS A few extremely expensive programs use a dongle (also called an hardware key). A dongle is a small hardware device containing a password or checksum which plugs into either a parallel or a serial port. Some specially designed dongles even include complete program routines. Dongles can be cracked, but the amount of work involved is considerable and the trial and error procedure currently used to crack them via software is extremely tedious. It took me more than a week to crack MULTITERM, Luxembourger dongle protected program. The quickest method to crack dongle protected programs, involves the use of pretty complicated hardware devices that cannot be dealt with here. I myself have only seldom seen them, and do not like at all to crack dongles via software, coz it requires a huge amount of zen thinking and of luck and of time. If you want more information on the hardware way to crack dongles, try to contact the older ones on the appropriate web sites, they may even answer you if you are nice, humble and really technically interested. The obvious principle, that applies to the software password types mentioned above is the following: The better the password is hidden, and the better it is encrypted, the more secure the program will be. The password may be - encrypted and/or - in a hooked vector and/or - in an external file and/or - in a SMC (Self modifying code) part Let's finally inspect the common "ready_made" protection schemes (used by many programmers that do not program themselves): * password read in * letters added to a key to be entered * complement of the letters formed xoring with 255 * saved key (1 char) * saved password (256 chars) * saved checksum (1 char), as protection, against simple manipulations * generating file PASSWORD.DAT with password, to be inserted inside a different file than the one containing the calling routine Now the lazy programmer that wants to "protect" his program searches first the file where the password is stored, then loads the key, the password and the checksum. He uses a decrypt procedure to decrypt the password and a check_checksum procedure to check whether the password was modified. All this is obviously crackabe in few seconds. [PASSWORD ACCESS INSIDE THE SETUP] Some computers have a password protected access INSIDE the Setup (at the beginning), the protection scheme does not allow a boot with a floppy and does not allow a setup modify. In these cases the only possible crack is an old hack method: * open the PC * find on the motherboard a small jumper (bridge) with the words "Pw" * take it away * PC on * run the setup with F1 or Del (depending from the BIOS) (the protection will not work any more) * deactivate inside the setup the option password * PC off * put the small jumper (bridge) back again * close the PC * PC on, cracked (if you want to be nasty you could now use the setup to set YOUR password) If you want to know more about access refuse and access denying, encryption and locking of the FAT tables, get from the web, and study, the (very well written) code of a virus called "Monkey", that does exactly this kind of devastation. Virus studying is, in general, very useful for cracking purposes, coz the virus'code is at times - very well written (pure, tight assembly) - using concealing techniques not much different from the protection schemes (often far superior) - using the most recent and best SMC (self modifying code) tricks But, and this is very important, do not believe that the protection schemes are very complicated! Most of the time the protection used are incredibly ordinary: as a final example of our paper protection schemes, let's take a program released not long ago (1994), but with a ridiculous protection scheme: TOP (Tiger on the prowl) a simulation from HPS. Here the cracking is straightforward: - MAP(memory_usage) and find main_sector - type "AAAA" as password - (s)earch main_sector:0 lffff "AAAA" - dump L80 "AAAA" location -40 (gives you a "wide" dump), this gives you already the "echo" of the correct password - breakpoint on memory read & write to "AAAA" location and backtrace the complete main_sector it's done! Here the code_lines that do protect TOP: 8A841C12 MOV AL,[SI+121C] move in AL first user letter 3A840812 CMP AL,[SI+1208] compare with echo 7402 JZ go_ahead_nice_buyer EB13 JMP beggar_off_ugly_cracker Now let's quickly crack it: ------------------------------------------------ CRACKING TOP.EXE (by +ORC, January 1996) ren top.exe top.ded symdeb top.ded - s (cs+0000):0 Lffff 8A 84 1C 12 3A 84 xxxx:yyyy (this is the answer of the debugger) - e xxxx:yyyy+2 08 (instead of 1C) - w - q ren top.ded top.exe ------------------------------------------------- And you changed the MOV AL, [SI+121C] instruction in a MOV AL, [SI+1208] instruction... it is now reading the ECHO instead of the characters you typed in... no wonder that the ECHO does compare exactly with itself... and you pass! "SOMETHING FISHY UNDER COVERS" Back to the "Passletter" type of password protected programs. Let's take as an example the protection used in a game of 1990: "F19", where the protection scheme asks you to identify a particular plane's silhouette. This kind of protection is used in order to avoid the use of memory locations where the passwords are stored: we saw in the first part of our "passwords hands on" how easy it is to crack those schemes. To crack this kind of protection, you could try a technique know as "memory snuffing". The protected program, START.EXE, install itself first at location xxxx:0000 with a length of 6C62 bytes, but proceeds to a relocation of its modules (with some SMC, self modifying code parts) in different locations. What does all this mean? Well, this could mean quite many things... the most important one for crackers is that the protection code will probably snap way ahead of the actual user input phase. Now you 'll quickly find out that the routine determining (randomly) which plane is being chosen, leaves the progressive number of this plane in one memory location: (imc) 43CD:DADA. This brings us to the random triggering mechanism: E87FAF CALL random_seed 83C402 ADD SP,02 8946E8 MOV [BP-18],AX and ds:(BP-18) is the location you are looking for Now, every time this random triggers, you get a different number (00-x14) in this location, corresponding to the different plane the user should choose. The random seed routine, evidently, comes back with the random seed in AX... what we now need is to zero it: the user will always have to choose the same plane: "plane 0", and he will have given the correct answer. Note how elegant all this is: we do not need to interfere with the whole mouse pointing routines, nor with the actual choosing of the planes... the random seed may choose whatever plane it wishes... the memory location for this choice will always report the (legitimate) choice of zero. So, let's quickly crack this program: --------------------------------------------------- CRACKING "F19" [START.EXE] (by +ORC, January 1996) ren start.exe start.ded <- let's have a dead file symdeb start.ded <- let's debug it - s cs:O lffff 83 C4 02 89 46 E8 <- search ADD SP,02 xxxx:yyyy <- debugger's answer - e xxxx:yyyy 58 [SPACE] 31 [SPACE] C0 [SPACE] - w <- write the crack - q <- back to the OS ren start.ded start.exe <- re-write the exe ---------------------------------------------------- You just transformed the instruction you searched for 83C402 ADD SP,+02 in the following sequence: 58 POP AX <- respecting ADD SP,+02 31C0 XOR AX,AX <- xoring to zero (the POP AX instruction increments the stack pointer by 2, in order to respect the previous ADD SP,+02). Well, nice. It's getting easier, isnt'it? Now let's take as example a protection that has no "echo" in memory. (At the beginning this was a smart idea: "the cracker won't find the correct password, 'coz it's not there, ah!". We'll now therefore crack one of the first programs that used this scheme: [Populous.exe], from Bullfrog. [POPULOUS.EXE] A old example of the protection scheme "password that is not a password" can be found in [Populous.exe], from Bullfrog. It's a very widespread program, and you'll surely be able to find a copy of it in order to follow this lesson. The program asks for the identification of a particular "shield", a combination of letters of various length: the memory location were the user password is stored is easily found, but there is (apparently) no "echo" of the correct password. You should be able, by now, to find by yourself the memory location were the user password is stored. Set a breakpoint memory read & write on this area, and you 'll soon come to the following section of code: F7AE4EFF IMUL WORD PTR [BP+FF4E] <- IMUL with magic_Nø 40 INC AX 3B460C CMP AX, [BP+0C] 7509 JNZ beggar_off_ugly_copier 8B460C MOV AX, [BP+0C] A3822A MOV [2A82], AX E930FE JMP nice_buyer 817E0C7017CMP WORD PTR[BP+0C],1770 <- beggar_off I don't think that you need much more now... how do you prefer to crack this protection scheme? Would you choose to insert a MOV [BP+0C], AX and three NOPS (=6 bytes) after the IMUL instruction? Wouldn't you rather prefer the more elegant JMP to nice_buyer instruction at the place of the JNZ beggar_off? This solution has less nops: remember that newer protection schemes smell NOPs_patches!). Yeah, let's do it this way: --------------------------------------------------- CRACKING [Populous.exe] (by +ORC, January 1996) ren populous.exe populous.ded <- let's have a dead file symdeb populous.ded <- let's debug it - s cs:O lffff F7 AE 4E FF <- the imul magic_Nø xxxx:yyyy <- debugger's answer - e xxxx:yyyy+4 EB [SPACE] 03 <- JMP anyway - w <- modify ded - q <- back to the OS ren populous.ded populous.exe <- let's re-have the exe ---------------------------------------------------- This time was easy, wasnt'it? Now you are almost ready with this course... let's crack a last application, a memory utility that is very widespread, very good (the programmers at Clockwork software are Codemasters), very useful for our purposes (you'll use it later to crack a lot of TSR) and, unfortunately for Clockworkers, very easy to crack at the level you are now. But, Hey! Do not forget that you would have never done it without this tutorial, so do the following: look toward east from your window, sip a Martini-Wodka (Two blocks of ice first, 1/3 dry Martini from Martini & Rossi, 1/3 Moskovskaia Wodka, 1/3 Schweppes indian tonic) and say three times: Thank-you +ORC!. [MAP.EXE] Let's now go over to one of the best TOOLS for mapping your memory usage that exist: MAP.EXE (version 2) from the masters at Clockwork software. The usage of this tool has been recommended in Lesson 2, and you should learn how to crack it, coz it comes with an annoying nag-screen ("Nigel" screen). In [Map.exe] this ubiquitous "Nigel" screen appears at random waiting for a random amount of time before asking the user to press a key which varies every time and is also selected at random. The use of a single letter -mostly encrypted with some XOR or SHR- as "password" makes the individuation of the relevant locations using "snap compares" of memory much more difficult. But the crack technique is here pretty straightforward: just break in and have a good look around you. The INT_16 routine for keyboard reading is called just after the loading of the nag screen. You 'll quickly find the relative LODSB routine inside a routine that paints on screen the word "Press" and a box-edge after a given time delay: B95000 MOV CX,0050 2EFF366601 PUSH CS:[0166] 07 POP ES AC LODSB ... You could already eliminate the delay and you could already force always the same passletter, in order to temperate the effects of the protection... but we crack deep!: let's do the job and track back the caller! The previous routine is called from the following section of the code: 91 XCHG AX,CX 6792 XCHG AX,DX 28939193 SUB [BP+DI+9391],DL 2394AA94 AND DX,[SI+94AA] 2EC7064B880100 MOV WORD PTR CS:[884B],0001 2E803E5C0106 CMP BYTE PTR CS:[015C],06 7416 JZ ret <- Ha! jumping PUSHa & POPa! 505351525756 PUSH the lot E882F3 CALL 8870 2E3B064B88 CMP AX,CS:[884B] 7307 JAE after RET <- Ha! Not taking the RET! 5E5F5A595B58 POP the lot C3 RET ... <- some more instructions E86700 CALL delay_user BE9195 MOV SI,9591 2E8B3E255C MOV DI,CS:[5C25] 83EF16 SUB DI,+16 2E8A263D01 MOV AH,CS:[013D] 50 PUSH AH E892C7 CALL routine_LODSB <-- HERE! B42C MOV AH,2C CD21 INT 21 <- get seconds in DH 80E60F AND DH,0F 80C641 ADD DH,41 58 POP AX 8AC6 MOV AL,DH 83EF04 SUB DI,+4 AB STOSW E85A00 CALL INT_16_AH=01 B400 MOV AH,00 CD16 INT 16 24DF AND AL,DF <- code user's letter_answer 3AC6 CMP AL,DH <- pass_compare 75F3 JNZ CALL INT_16_AH=01 E807F3 go_ahead You just need to look at these instructions to feel it: I think that unnecessary code segments (in this case protections) are somehow like little snakes moving under a cover: you cannot easily say what's exactly going on yet, but you could bet that there is something fishy going on. Look at the code preceding your LODSB routine call: you find two JUMPS there: a JZ ret, that leaves a lot of pusha and popa aside, and a JAE after RET, that does not take the previous ret. If you did smell something here you are thoroughly right: The first JZ triggers the NIGEL screen protection, and the second JAE does THE SAME THING (as usual, there are always redundances, exactly as there are a lot of possibilities to disable a single protection). Now you know... you can disable this protection at different points: the two easiest blueprints being 1) to change 7416 (JZ ret) in a EB16 (JMP ret anyway) 2) to change 7307 (JAE after ret) in a 7306 (JAE ret). We have not terminated yet: if you try locating this part of the code in order to change it, you won't have any luck: it's a SMC (Self modifying code) part: it is loaded -partly- from other sections of the code (here without any encryption). You must therefore first of all set a breakpoint on memory range; find out the LODSW routine; find out the real area; dump that memory region; find out a search sequence for the "dead" code... and finally modify the "dead" program. Now let's quickly crack it: ------------------------------------------------ CRACKING MEM.EXE (version 2) (by +ORC, January 1996) ren map.exe map.ded symdeb map.ded - s (cs+0000):0 Lffff 74 16 50 53 51 52 57 xxxx:yyyy <- this is the debugger's answer - e xxxx:yyyy EB - w - q ren map.ded map.exe ------------------------------------------------- Now you have done it, NIGEL has been cracked! Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 5.1: Disk & CD-Rom access (basics) --------------------------------------------------------------------------- [MARIO ANDRETTI] [REACH FOR THE SKY] [FS v.2.12] -------------------------------------- LESSON 5 (1) - HOW TO CRACK, HANDS ON - Disk/CDROM access (plus bypasses "on the fly") Somewhere I have to put the bypasses (loader programs) in this tutorial, allow me to put them here: Preparing a loader to bypass a protection [MARIO ANDRETTI] At time the protectionists hook vectors in order to impose a particular protection. In this (and similar) cases a good crack-way is to prepare a "loader" program, that "de-hooks" the vector used for the protection. This kind of crack can be used also for internet cracking (on some firewall configurations, see lesson A.2). As example let's take "Mario andretti racing challenge", a stupid game that uses the SAME (!) protection scheme you'll still find to day on some access routines of military servers around the witlessly called "free" world. In order to crack this cram you would prepare a loader on the following lines: loc code instruction what's going on ------------------------------------------------------- :0100 EB44 JMP 0146 ... :0142 0000 <- storing for offset of INT_21 :0144 5887 <- storing for segment of INT_21 :0146 FA CLI :0147 0E PUSH CS :0148 1F POP DS :0149 BCB403 MOV SP,03B4 :014C FB STI :014D 8C1EA901 MOV [01A9],DS <- save DS :0151 8C1EAD01 MOV [01AD],DS three :0155 8C1EB101 MOV [01B1],DS times :0159 B82135 MOV AX,3521 <- get INT_21 :015C CD21 INT 21 in ES:BX :015E 891E4201 MOV [0142],BX <- store offset :0162 8C064401 MOV [0144],ES <- store segment :0166 BA0201 MOV DX,0102 :0169 B82125 MOV AX,2521 <- set INT_21 to :016C CD21 INT 21 DS:0102 :016E 0E PUSH CS :016F 07 POP ES <- ES= current CS :0170 BBB403 MOV BX,03B4 :0173 83C30F ADD BX,+0F :0176 B104 MOV CL,04 :0178 D3EB SHR BX,CL <- BX= 3C :017A B8004A MOV AX,4A00 <- Modify memory block :017D CD21 INT 21 to 3C paragraphs :017F BA9E01 MOV DX,019E <- ds:dx=program name :0182 BBA501 MOV BX,01A5 <- es:bx = param. block :0185 B8004B MOV AX,4B00 <- load ma.com :0188 CD21 INT 21 :018A 2E8B164201 MOV DX,CS:[0142] <- reset old int_21 :018F 2E8E1E4401 MOV DS,CS:[0144] :0194 B82125 MOV AX,2521 :0197 CD21 INT 21 :0199 B8004C MOV AX,4C00 <- terminate with return :019C CD21 INT 21 code :019E 6D612E636F6D00 "ma.com" 0000 fence :01A7 B2015887 :01AB B2015887 :O1AF B2015887 0000 fence let's now prepare a routine that hooks INT_21: push all CMP AX,2500 <- go on if INT_21 service 25 JNZ ret CMP Word Ptr [0065], C00B <- go on if location 65 = C00B JNZ ret MOV Byte Ptr [0060], EB <- crack instructions MOV Byte Ptr [0061], 3C MOV Byte Ptr [0062], 40 <- INC AX MOV Byte Ptr [0063], 90 <- NOP MOV Byte Ptr [0064], 48 <- DEC AX pop all JMP FAR CS:[0142] <- JMP previous INT_21 From now on this loader will work every time that a program with location [0065] containing an 0R AX,AX instruction (0BC0: it's the case of ma.com) calls INT_21 service 25 (hook a vector), the target program will be modified on the fly and will get, at location [0060], the instruction JMP 3C locations ahead, despite the fact that it has routines capable of self checking in order to make sure it has not been modified. The most important thing is the routine that YOU write that will precede the call to INT_21 (or any other INT) service 25 (or any other service) in order to crack on the fly the offending program. I'll show you another one, this one for [Reach for the skies] (reach.com): push all CMP AH,3D <- is it service 3D? (open file) JNZ ret <- no, so ret CMP DX,13CE <- you wanna open file at 13CE? JNZ ret <- no, so ret MOV AX,[BP+04] <- in this case MOV DS,AX CMP Byte Ptr [B6DA],74 <- old instructions JNZ 015B CMP Byte Ptr [B6DB],0F <- ditto JNZ 015B CMP Byte Ptr [B6DC],80 <- ditto, now we now where we are JNZ 015B MOV Byte Ptr [B6DA],EB <- crack MOV Byte Ptr [B697],40 <- camouflaged no-opping MOV Byte Ptr [B698],48 <- cam nop MOV Byte Ptr [B699],90 <- cam nop MOV Byte Ptr [B69A],40 <- cam nop MOV Byte Ptr [B69B],48 <- cam nop MOV DX,CS:[0165] MOV DS,CS:[0167] MOV AX,2521 <- set hook INT 21 POP all JMP FAR CS:[0165] Here you did change the instruction 740F in the instruction EB0F, and you did "noop" the instructions at B697-B69B. (Well, more elegantly than "noop" them with "90" bytes, you choose a INC AX, DEC AX, NOP, INC AX, DEC AX sequence instead! There are sound reasons to use a sequence of "working" instructions instead of NOPs: recent protection schemes "smell" patched nops inside the program and trash everything if they find more than -say- three consecutive NOPs! You should always try to choose THE LESS INTRUSIVE and MORE "CAMOUFLAGED" solution when you crack!) You can apply this kind of crack, on the same lines, to many programs that perform self checking of the code and hook the vectors. REAL DISK ACCESS STUFF Now we may come to the subject of this lesson: As usual, let's begin from the beginning: history is always the key that allows an understanding of present and future, in cracking matters too. As the older 5 1/4 inch big black floppy disks were still used (the 320K/8 tracks or 360K/9 tracks ones, that were really "floppy" and have nowadays almost disappeared) one of the more common methods to protect a program, was to format the "master" (key) disk in a weird way. Old floppy disk for the PC did usually store 360K at 9 sectors per track. Some basics for those of you that do not know anything: in order to defeat this kind of cracks you need to know two things: the floppy disk parameter block (FDPB) and the interrupt routines dealing with format/read disk (basically INT_13). Most often, the protection scheme is to either format one or more sectors or tracks with sector sizes other than the standard 512 bytes, or to either give one of the sectors a wild sector number like 211 or just not format a whole track of eight/nine/15 sectors. If you, for instance, have got the same (very old) copy of VisiCalc master I do, you'll find that sector 8 on track 39 is missing entirely. The interrogation with assembly or with an "ad hoc" utility (I use the tools I wrote myself, but you 'll be able to find many such utilities in public domain, the oldest one, from 1984 (!) being the seasoned [U-ZAP] an "Ultra utility" from the "Freesoft company") will tell you which sector numbers were altered, their size in bytes, and if they were formatted with a CRC error (another not so fancy trick). The floppy disk parameters are stored in the BIOS: interrupt vector 1E contains the address of the floppy disk parameter block. The FDPB's contents are the following: Offset Function crackworthy? Example 0 Step rate & head unload no DF 1 head load time no 02 2 Motor on delay no 25 3 Number of bytes per sector yes 02 4 Last sector number yes 12 5 Gap length yes 1B 6 Data track length yes FF 7 Format gap length yes 54 8 Format byte no F6 9 Head settle time no 0F A Motor start time no 02 0) Offset #0: the left "nybble" (single digit) of this value is the step rate time for the disk drive head. The right nybble is the disk head unload time. These values are best left alone. 1) Offset #1: again, don't fool around with these values. The left nybble is the disk head load time, and the right nybble is the direct memory access mode select. 2) Wait time until motor is turned off. Not normally of use. 3) Bytes-per-sector value: AH-HAH! If you place a "0" in this value, the PC expects all sectors to be 128 bytes long. A "1" means a sector size of 256 bytes, a "2" means 512 bytes (this is the standard DOS value), and a "3" means 1024 bytes per sector. 4) Highest sector number on a track: this is used for formatting and tells DOS how many sectors there are on each track. 5) Gap length for diskette reads: this is what you fool around with if you keep getting CRC errors when you try to read a non-standard size sector. Normally, you can just leave this alone except when formatting with a U-Format tool. 6) Data length: This contains the number of bytes in a sector when the value in table byte #4 doesn't contain a 0, 1, 2, or 3. 7) Number of bytes in the gap between sectors: this is also only used when formatting special tracks. 8) Format fill byte: When formatting, this is the initialization byte that will be placed in all new sectors. 9) Head settle time: leave this alone. A) Motor start time: don't fool with this either. In order to modify globally the number of tracks on a given disk and the number of sectors per track you can always format with the DOS command switches "/t:" and "/n:" FORMAT /t:tracks /n:sectors If you want to find out what the existing parameters are, run [Debug.exe] or [Symdeb.exe] and enter the following commands: - d 0:78 l 4 <- get FDPB address 0000:0070 22 05 00 <- debugger's likely response - d 0:522 l a <- get 10 FDPB values 0000:520 DF 02 25 02 12 1B FF... <- see preceding table Remember that all standard disk formats under DOS support a sector size of 512 bytes, therefore, for one-sided 5.25 inch floppies: 40t*8s*512b=163.840 bytes (160Kb) 40t*9s*512b=184.320 bytes (180Kb) and for two-sided 5.25 inch floppies: 40t*8s*512b*2sides=327.680 bytes (320Kb) 40t*9s*512b*2sides=368.640 bytes (360Kb) Beginning with DOS version 3.0 (Yeah, more and more history!) a new floppy disk format has been supported: The IBM AT (80286 CPU) introduced the so called "high capacity" 5.25 u- inch floppy, capable of storing 1.2M at 15 sectors per track: 80t*15s*512b*2sides=1.228.800 bytes (1.2Mb) Later on were introduced the to-day universally used 3.5 inch floppies, the ones inside a rigid small plastic cartridge, and we have, similarly: 3.5-inch double sided/double density 720K 3.5-inch double sided/quad density (HD) 1440K 3.5-inch double sided/high density 2880K [INT_13, AH=18, Set media type for format] In order to create weird layouts, the protectionists use interrupt 13h, service 18h, that specifies to the formatting routines the number of tracks and sectors per track to be placed on the media: * Registers on entry: AH=18h; CH=Nø of tracks; CL= Sectors per track; DL= Drive number (A=0; B=1;C=2... bit 7 is set if the drive is an hard disk) * Registers on Return: DI: Offset address of 11-byte parameter table; ES: Segment address of 11-byte parameter table. [INT_13, AH=2, Read disk sectors] In order to read them, they have to use INT_13, service 2, read disk sectors, with following layout: * Registers on entry: AH=2h; AL= Nø of sectors; BX= Offset address of data buffer; CH=track; CL= Sector; DH= Head (side) number; DL= Drive number; ES: Segment address of data buffer. * Registers on Return: AH= return code. If the carry flag is not set, AH=0, therefore the weird sector has been read, if on the contrary the carry flag is set, AH reports the status byte as follows: 76543210 HEX DEC Meaning 1 80h 128 Time out - drive crazy 1 40h 064 Seek failure, could not move to track 1 20h 032 Controller kaputt 1 10h 016 Bad CRC on disk read 1 09h 009 DMA error - 64K boundary crossed 1 08h 008 DMA overrun 1 04h 004 Bad sector - sector not found 11 03h 003 Write protect! 1 02h 002 Bad sector ID (address mark 1 01h 001 Bad command [Return code AH=9: DMA boundary error] One of the possible errors should be explained, coz it is used in some protection schemes: AH=9 DMA boundary error, means that an illegal boundary was crossed when the in formation was placed into RAM. DMA (Direct memory access) is used by the disk service routines to place information into RAM. If a memory offset address ending in three zeros (ES:1000, ES: 2000...) falls in the middle of the area being overlaid by a sector, this error will occur. [INT_13, AH=4 Verify disk sectors] Another possible protection interrupt is interrupt 13H, service 4, Verify disk sectors. Disk verification takes place on the disk and DOES NOT involve verification of the data on the disk against data in memory! This function has no buffer specification, does not read or write a disk: it causes the system to read the data in the designated sector or sectors and to check its computed cyclic redundancy check (CRC) against data stored on the disk. See INT_13, AH=2 registers and error report. [CRC] The CRC is a checksum, that detects general errors. When a sector is written to disk, an original CRC is calculated AND WRITTEN ALONG with the sector data. The verification service reads the sector, recalculates the CRC, and compares the recalculated CRC with the original CRC. We saw that some protection schemes attempt to disguise interrupt calls. This is particularly frequent in the disk access protection schemes that utilize INT_13 (the "disk" interrupt). If you are attempting to crack such programs, the usual course of action is to search for occurrences of "CD13", which is machine language for interrupt 13. One way or another, the protection scheme has to use this interrupt to check for the special sectors of the disk. If you examine a cross section of the program, however, you'll find programs which do not have "CD13" in their machine code, but which clearly are checking the key disk for weird sectors. How comez? There are several techniques which can be used to camouflage the protection scheme from our nice prying eyes. I'll describe here the three such techniques that are more frequent: 1) The following section of code is equivalent to issuing an INT 13 command to read one sector from drive A, side 0, track 29h, sector ffh, and then checking for a status code of 10h: cs:1000 MOV AH,02 ;read operation cs:1002 MOV AL,01 ;1 sector to read cs:1004 MOV CH,29 ;track 29h cs:1006 MOV CL,FF ;sector ffh cs:1008 MOV DX,0000 ;side 0, drive A cs:100B XOR BX,BX ;move 0... cs:100D MOV DS,BX ;...to DS register cs:100F PUSHF ;pusha flags cs:1010 PUSH CS ;pusha CX cs:1011 CALL 1100 ;push address for next instruction onto stack and branch cs:1014 COMP AH,10 ;check CRC error cs:1017 ... rest of verification code ... ... cs:1100 PUSHF ;pusha flags cs:1101 MOV BX,004C ;address of INT_13 vector cs:1104 PUSH [BX+02] ;push CS of INT_13 routine cs:1107 PUSH [BX] ;push IP of INT_13 routine cs:1109 IRET ;pop IP,CS and flags Notice that there is no INT 13 command in the source code, so if you had simply used a debugger to search for "CD13" in the machine code, you would never have found the protection routine. 2) Another technique is to put in a substitute interrupt instruction, such as INT 10, which looks harmless enough, and have the program change the "10" to "13 (and then back to "10") on the fly. A search for "CD13" would turn up nothing. 3) The best camouflage method for interrupts I have ever cracked (albeit not on a INT 13) was a jump to a section of the PROGRAM code that reproduces in extenso the interrupt code. This elegant (if a little overbloated) disguise mocks every call to the replicated interrupt. LOADING ABSOLUTE DISK SECTORS Old good [debug.com] has been called the "swiss army knife" of the cracker. It allows a lot of nice things, inter alia the loading, reading, modifying and writing of absolute sectors of the disks. The sector count starts with the first sector of track 0, next sector is track 0, second side (if double sided), then, back to the first side, track 1, and so on, until the end of the disk. Up to 80h (128) sectors can be loaded at one time. To use you must specify starting address, drive (0=A, 1=B, etc...), starting sector and number of sectors to load. - l 100 0 10 20 This instruction tells DEBUG to load, starting at DS:0100, from drive A, sector 10h for 20h sectors. This allows at times the retrieval of hidden and/or weird formatted data. If you get an error, check the memory location for that data. Often times, part of the data has been transferred before the error occurs, and the remainder can be manually entered or gathered through repetitive retries. Bear all this in mind learning the following cracks. Let's now crack an "oldie" primitive: MS Flight simulator (old version 2.12, from 1985!) This old program used -in 1985!- following beautiful protection scheme: on the disk you had only a "stub", called FS.COM with few bytes, which had following instructions: loc code instruction what's going on ------------------------------------------------------- :0100 FA CLI ;why not? :0101 33C0 XOR AX,AX ;ax=0 :0103 8ED0 MOV SS,AX ;ss=0 :0105 BCB0C0 MOV SP,C0B0 ;SP=C0B0 :0108 8EC0 MOV ES,AX ;ES=0 :010A 26C70678003001 MOV Wptr ES:[0078],0130 ;Wp 0:78=130 :0111 268C0E7A00 MOV ES:[007A],CS ;0:7A=Segment :0116 BB0010 MOV BX,1000 ;BX=1000 :0119 8EC3 MOV ES,BX ;ES=1000 :011B 33DB XOR BX,BX ;BX=0 :011D B80102 MOV AX,0201 ;AH=2 AL=1 sector :0120 BA0000 MOV DX,0000 ;head=0 drive=0 :0123 B96501 MOV CX,0165 ;track=1 sector=65 (!) :0126 CD13 INT 13 ;INT 13/AH=2 :0128 B83412 MOV AX,1234 ;AX=1234 :012B EA00000010 JMP 1000:0000 ;JMP to data we just read :0130 CF IRET ;Pavlovian, useless ret You see what's happening in this old protection scheme, don't you? Herein you can watch the same snap that happens in more recent (much more recent) protection schemes (as you'll see in the next lesson): the protection searches for a weird formatted sector and/or for particular data. That should be no problem for you any more: you should just reverse engineer everything (and that goes on pretty quickly: just watch and break on the INT_13 calls), fetch the "weird" data, tamper the whole crap and have your soup as you like it. One more word about "old" protection schemes. Be careful not to spurn them! Some of them are -- CLEVER -- STILL USED -- DIFFICULT TO CRACK... I mean, this older DOS programs had nice protections... it's pretty annoying to crack windows programs that require a registration number: as you saw in Lesson 3, you just type your name and a serial number of your choice in, say "666666666", break into the program with WINICE, search the "666666666" and search too, for good measure, your own name, set a memory read breakpoint where the number dwells and look at the code that manipulates your input. As [Chris] rightly pointed out, you can even rip the code straight out of the program and create a key generator which will produce a valid code. This code will work for any name you typed in only in the "pure maths manipulation" protection schemes, and will on the contrary be specific, following the name you typed in, the "alpha-maths manipulation" protection schemes (like MOD4WIN, see the Windows lessons), watch in this case the "pseudo-random xoring" of the letters that compose your name. -- STUNNING, coz new ideas have always been infrequent, and they are getting more and more rare in this objectionable world of lazy, incapable programmers patronizing us with ill-cooked outrages like Windows'95... yeah, as usual there is no "development" at all, quite the contrary, I would say. Take a step backward, sip a good Martini-Wodka (please remember that only Ice cubes, Dry Martini, Wodka Moskovskaja, Schweppes' "Indian tonic" a green olive from Tuskany and a maltese lemon zest will really be perfect) and watch from your balcony, with unsullied eyes, your town and the people around you: slaves everywhere, leaving home at 7.30 in the morning, stinking in a progression of identical cars, forced to interminably watch advertisement panels and endlessly listen to boorish publicity, happy to go to work (if they happen to have the "luck" to work, in this inequitable society) the whole day long in order to produce other cars in order to buy, one day, a new car with a different colour... Why people don't look at the stars, love each other, feel the winds, ban the stinking cars from the places where they live and eat, study colours... name yourself a not-consumistic activity? Why don't they read any poems any more? No poetry any more, in the grey society of the publicity-spots slaves...poetry will soon be forbidden, coz you cannot CONSUME as you read poems, and in this farce of a society you are BOUND to consume, that's the only thing they want you to do... you are CULTIVATED to consume... no books worth to read any more... stupid american conventional cram everywhere... boy, at times I'm missing some well placed neutron bombs, the ones that would kill all these useless zombies and leave noble books and good Wodka untouched. It's difficult to believe in democracy any more... if I ever did... all the useless zombie do -unfortunately- vote, and they do vote for "smiling semblances", for "conventionally minded idiots" that so act as if they would "really" be like what they "look" like and could not care less about anything else than making bucks and defend intolerant and petty patterns. The slaves choose the people they have "seen" on TV... as if the egyptians would VOTE for their pharaohs, exhilarated under the whips of publicity... sorry, at times I forget that you are here for the cracks, and could not care less about what I think... You 'll obtain the OTHER missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 6.1: Funny tricks (1) --------------------------------------------------------------------------- LESSON 6 (1) - Funny tricks. Xoring, Junking, Sliding EXERCISE 01: [LARRY in search of the King] Before the next step let's resume what you have learned in the lessons 3-5, beginning with a very simple crack exercise (again, we'll use the protection scheme of a game, for the reasons explained in lesson 1): SEARCH FOR THE KING (Version 1.1.). This old "Larry" protection sequence, is a "paper protection" primitive. It's a very widespread (and therefore easy to find) program, and one of the first programs that instead of asking meaningful passwords (which offer us the possibility to immediately track them down in memory) asked for a random number that the good buyer could find on the manual, whereby the bad cracker could not. (Here you choose -with the mouse- one number out of 5 possible for a "gadget" choosen at random). I don't need any more to teach you how to find the relevant section of code (-> see lesson 3). Once you find the protection, this is what you get: :protection_loop :C922 8E0614A3 MOV ES,[A314] ... :C952 50 0E PUSH AX & CS :C954 E81BFF CALL C872 <- call protection scheme :C957 5B POP BX twice :C959 8B76FA MOV SI,[BP-06] <- prepare store_room :C95C D1E6 SHL SI,1 <- final prepare :C95E 8942FC MOV [BP+SI-04],AX <- store AX :C961 837EFA00 CMP Word Ptr [BP-06],+00 <- good_guy? :C965 75BB JNZ C922 <- loop, bad guy :C967 8E0614A3 MOV ES,[A314] :C96B 26F606BE3501 TEST Byte Ptr ES:[35BE],01 <- bad_guy? :C971 74AF JZ C922 <- loop, bad guy :C973 8B46FC MOV AX,[BP-04]... <- go on good guy Let's see now the protection scheme called from :C954 :C872 55 PUSH BP ... :C8F7 90 NOP :C8F8 0E PUSH CS :C8F9 E87234 CALL FD6E <- call user input :C8FC 5B POP BX :C8FD 5B POP BX :C8FE 8B5E06 MOV BX,[BP+06] :C901 D1E3 SHL BX,1 :C903 39872266 CMP [BX+6622],AX <- right answer? :C907 7505 JNZ C90E <- no, beggar_off :C909 B80100 MOV AX,0001 <- yes, AX=1 :C90C EB02 JMP C910 :C90E 2BC0 SUB AX,AX <- beggar_off with AX=0 :C910 8BE5 MOV SP,BP :C912 5D POP BP :C913 CB RETF <- back to main Here follow 5 questions, please answer all of them: 1) Where in memory (in which locations) are stored the "right" passnumbers? Where in memory is the SEGMENT of this locations stored? How does the scheme get the OFFSET? 2) Would setting NOPs instructions at :C965 and :C971 crack? Would it be a good idea? 3) Would changing :C907 to JZ crack? Would it be a good idea? 4) Would changing :C907 to JNZ C909 crack? Would it be a good idea? 5) Write down (and try) at least 7 OTHER different patches to crack this scheme in spades (without using any NOP!). Uff! By now you should be able to do the above 5 exercises in less than 15 minutes WITHOUT USING THE DEBUGGER! Just look at the data above and find the right answers feeling them... (you 'll now which one are the right one checking with your debugger... score as many points as you like for each correct answer and sip a good Martini-Wodka... do you know that the sequence should ALWAYS be 1) Ice cubes 2) Martini Dry 3) Wodka Moskovskaja 4) olive 5) lemon 6) Schweppes Indian tonic? Let's now come to the subject of this lesson: -----> [Xoring] (Simple encryption methods) One easy way to encrypt data is the XOR method. XOR is a bit manipulation instruction that can be used in order to cipher and decipher data with the same key: Byte to encrypt key result FF XOR A1 5E 5E XOR A1 FF As you can see XOR offers a very easy way to encrypt or to decrypt data, for instance using the following routine: encrypt_decrypt: mov bx, offset_where_encryption/decryption_starts xor_loop: mov ah, [bx] <- get current byte xor ah, encrypt_value <- engage/disengage xor mov [bx], ah <- back where you got it inc bx <- ahead one byte cmp bx, offset_start_+_size <- are we done? jle xor_loop <- no, then next cycle ret <- back where we came from The encrypt_value can be always the same (fixed) or chosen at random, for instance using INT_21, service 2Ch (get current time) and choosing as encrypt_value the value reported in DL (but remembering to discard the eventual value 0, coz otherwise it would not xor anything at all!) random_value: mov ah,2Ch int 21h cmp dl,0 je random_value mov encrypt_value,dl The problem with XORing (and with many other encryption methods), is that the part of the code that calls the encryption routine cannot be itself encrypted. You'll somewhere have, "in clear" the encryption key. The protectionist do at times their best to hide the decrypting routine, here are some common methods: -----> JUNK FILLING, SLIDING KEYS AND MUTATING DECRYPTORS These are the more common protection method for the small decryption part of the program code. This methods, originally devised to fool signature virus scanners, have been pinched from the polymorphic virus engines of our fellows viriwriters, and are still in use for many simple decryption protection schemes. For parts of the following many thanks go to the [Black Baron], it's a real pity that so many potential good crackers dedicate so much time to useless (and pretty repetitive) virus writing instead of helping in our work. This said, virus studying is VERY important for crackers coz the code of the viri is * ULTRAPROTECTED * TIGHT AND EFFECTIVE * CLOAKED AND CONCEALED. Let's show as example of the abovementioned protection tactics the following ultra-simple decryptor: MOV SI,jumbled_data ;Point to the jumbled data MOV CX,10 ;Ten bytes to decrypt mn_loop: XOR BYTE PTR [SI],44 ;XOR (un_scramble!) a byte INC SI ;Next byte LOOP mn_loop ;Loop the 9 other bytes This small program will XOR the ten bytes at the location pointed to by SI with the value 44. Providing the ten bytes were XORed with 44 prior to running this decryptor the ten bytes will be restored to their original state. In this very simple case the "key" is the value 44. But there are several tricks involving keys, the simplest one being the use of a "sliding" key: a key that will be increased, or decreased, or multiplied, or bit-shifted, or whatever, at every pass of the loop. A possible protection can also create a true "Polymorph" decryptor, a whole decryptor ROUTINE that looks completely different on each generation. The trick is to pepper totally random amounts of totally random instructions, including JUMPS and CALLS, that DO NOT AFFECT the registers that are used for the decryption. Also this kind of protection oft uses a different main decryptor (possibly from a selection of pre-coded ones) and oft alters on each generation also all the registers that the decryptor uses, invariably making sure that the JUNK code that it generates doesn't destroy any of the registers used by the real decryptor! So, with these rules in mind, here is our simple decryptor again: MOV DX,10 ;Real part of the decryptor! MOV SI,1234 ;junk AND AX,[SI+1234] ;junk CLD ;junk MOV DI,jumbled_data ;Real part of the decryptor! TEST [SI+1234],BL ;junk OR AL,CL ;junk mn_loop: ADD SI,SI ;junk instr, but real loop! XOR AX,1234 ;junk XOR BYTE PTR [DI],44 ;Real part of the decryptor! SUB SI,123 ;junk INC DI ;Real part of the decryptor! TEST DX,1234 ;junk AND AL,[BP+1234] ;junk DEC DX ;Real part of the decryptor! NOP ;junk XOR AX,DX ;junk SBB AX,[SI+1234] ;junk AND DX,DX ;Real part of the decryptor! JNZ mn_loop ;Real part of the decryptor! As you should be able to see, quite a mess! But still executable code. It is essential that any junk code generated by the Polymorph protection is executable, as it is going to be peppered throughout the decryptor. Note, in this example, that some of the junk instructions use registers that are actually used in the decryptor! This is fine, providing the values in these registers aren't destroyed. Also note, that now we have random registers and random instructions on each generation. So, a Polymorph protection Engine can be summed up into three major parts: 1 .. The random number generator. 2 .. The junk code generator. 3 .. The decryptor generator. There are other discrete parts but these three are the ones where most of the work goes on! How does it all work? Well a good protection would * choose a random selection of registers to use for the decryptor and leave the remaining registers as "junk" registers for the junk code generator. * choose one of the compressed pre-coded decryptors. * go into a loop generating the real decryptor, peppered with junk code. From the protectionist's point of view, the advantages of this kind of method are mainly: * the casual cracker will have to sweat to find the decryptor. * the casual cracker will not be able to prepare a "patch" for the lamers, unless he locates and patches the generators, (that may be compressed) coz otherwise the decryptor will vary every time. To defeat this kind of protection you need a little "zen" feeling and a moderate knowledge of assembler language... some of the junk instructions "feel" quite singular when you look at them (->see lesson B). Besides, you (now) know what may be going on and memory breakpoints will immediately trigger on decryption... the road is open and the rest is easy (->see lessons 3-5). -----> Starting point number magic For example, say the encrypted code started at address 10h, the following could be used to index this address: MOV SI,10h ;Start address MOV AL,[SI] ;Index from initial address But sometimes you'll instead find something like the following, again based on the encrypted code starting at address 10h: MOV DI,0BFAAh ;Indirect start address MOV AL,[DI+4066h) ;4066h + 0BFAAh = 10010h (and FFFF = 10h)!! The possible combinations are obviously infinite. [BIG KEYS] (Complicated encryption methods) Prime number factoring is the encryption used to protect sensible data and very expensive applications. Obviously for few digit keys the decoding is much easier than for, say, 129 or 250 digit keys. Nevertheless you can crack those huge encryption too, using distributed processing of quadratic sieve equations (which is far superior for cracking purpose to the sequential processing methods) in order to break the key into prime numbers. To teach you how to do this sort of "high" cracking is a little outside the scope of my tutorial: you'll have to write a specific short dedicated program, linking together more or less half a thousand PC for a couple of hours, for a 250 bit key, this kind of things have been done quite often on Internet, were you can also find many sites that do untangle the mysteries (and vagaries) of such techniques. As References I would advocate the works of Lai Xueejia, those swiss guys can crack *everything*. Begin with the following: Xuejia Lai, James Massey, Sean Murphy, "Markov Ciphers and Differential Cryptanalysis", Advances in Cryptology, Eurocrypt 1991. Xuejia Lai, "On the Design and Security of Block Ciphers", Institute for Signal and Information Processing, ETH-Zentrum, Zurich, Switzerland, 1992 Factoring and primality testing is obviously very important for this kind of crack. The most comprehensive work I know of is: (300 pages with lengthy bibliography!) W. Bosma & M. van der Hulst Primality Testing with Cyclotomy Thesis, University of Amsterdam Press. A very good old book you can incorporate in your probes to build very effective crack programs (not only for BBS accesses :=) is *the* "pomerance" catalog: Pomerance, Selfridge, & Wagstaff Jr. The pseudoprimes to 25*10^9 Math. Comp. Vol 35 1980 pp. 1003-1026 Anyway... make a good search with Lykos, and visit the relevant sites... if encryption really interests you, you'll be back in two or three (or thirty) years and you'll resume cracking with deeper erudite knowledge. [PATENTED PROTECTION SYSTEMS] The study of the patented enciphering methods is also *quite* interesting for our aims :=) Here are some interesting patents, if you want to walk these paths get the complete texts: [BEST] USPat 4168396 to Best discloses a microprocessor for executing enciphered programs. Computer programs which have been enciphered during manufacture to deter the execution of the programs in unauthorized computers, must be decrypted before execution. The disclosed microprocessor deciphers and executes an enciphered program one instruction at a time, instead of on a continuous basis, through a combination of substitutions, transpositions, and exclusive OR additions, in which the address of each instruction is combined with the instruction. Each unit may use a unique set of substitutions so that a program which can be executed on one microprocessor cannot be run on any other microprocessor. Further, Best cannot accommodate a mixture of encrypted and plain text programs. [JOHNSTONE] USPat 4120030 to Johnstone describes a computer in which the data portion of instructions are scrambled and in which the data is of necessity stored in a separate memory. There is no disclosure of operating with instructions which are completely encrypted with both the operation code and the data address portion being unreadable without a corresponding key kernel. [TWINPROGS] USPat 4183085 describes a technique for protecting software by providing two separate program storages. The first program storage is a secure storage and the second program storage is a free storage. Security logic is provided to check whether an output instruction has originated in the secure store and to prevent operation of an output unit which receives output instructions from the free storage. This makes it difficult to produce information by loading a program into free storage. [AUTHENTICATOR] USPat 3996449 entitled "Operating System Authenticator," discloses a technique for authenticating the validity of a plain text program read into a computer, by exclusive OR'ing the plain text of the program with a key to generate a code word which must be a standard recognizable code word which is successfully compared with a standard corresponding code word stored in the computer. If there is a successful compare, then the plain text program is considered to be authenticated and is allowed to run, otherwise the program is not allowed to run. ELEMENTS OF [PGP] CRACKING In order to try to crack PGP, you need to understand how these public/private keys systems work. Cracking PGP seems extremely difficult, though... I have a special dedicated "attack" computer that runs 24 hours on 24 only to this aim and yet have only begun to see the light at the famous other end of the tunnel. It's hard, but good crackers never resign! We'll see... I publish here the following only in the hope that somebody else will one day be able to help... In the public key cryptosystems, like PGP, each user has an associated encryption key E=(e,n) and decryption key D=(d,n), wherein the encryption keys for all users are available in a public file, while the decryption keys for the users are only known to the respective users. In order to maintain a high level of security a user's decoding key is not determinable in a practical manner from that user's encoding (public) key. Normally in such systems, since e.multidot.d.ident.1 (mod(1 cm((p-1),(q-1)))), (where "1 cm((p-1),(q-1))" is the least common multiple of the numbers p-1 and q-1) d can be determined from e provided p and q are also known. Accordingly, the security of the system is dependent upon the ability to determine p and q which are the prime factors of n. By selecting p and q to be large primes, the resultant composite number n is also large, and correspondingly difficult to factor. For example, using known computer-implemented factorization methods, on the order of 10.sup.9 years is required to factor a 200 digit long number. Thus, as a practical matter, although a user's encryption key E=(e,n) is public, the prime factors p and q of n are effectively hidden from anyone due to the enormous difficulty in factoring n. These aspects are described more fully in the abundant publications on digital signatures and Public-Key Cryptosystems. Most public/private systems relies on a message- digest algorithm. A message-digest algorithm maps a message of arbitrary length to a "digest" of fixed length, and has three properties: Computing the digest is easy, finding a message with a given digest "inversion" is hard, and finding two messages with the same digest "collision" is also hard. Message-digest algorithms have many applications, not only digital signatures and message authentication. RSA Data Security's MD5 message-digest algorithm, developed by Ron Rivest, maps a message to a 128-bit message digest. Computing the digest of a one-megabyte message takes as little as a second. While no message-digest algorithm can yet be secure, MD5 is believed to be at least as good as any other that maps to a 128-bit digest. As a final gift, I'll tell you that PGP relies on MD5 for a secure one-way hash function. For PGP this is troublesome, to say the least, coz an approximate relation exists between any four consecutive additive constants. This means that one of the design principles behind MD4 (and MD5), namely to design a collision resistant function, is not satisfied. You can construct two chaining variables (that only differ in the most significant bit of every word) and a single message block that yield the same hashcode. The attack takes a few minutes on a PC. From here you should start, as I did. [DOS 4GW] cracking - This is only a very provisory part of this tutorial. DOS 4GW cracking will be much better described as soon as [Lost soul] sends his stuff, if he ever does. For (parts of) the following I thank [The Interrupt]. Most applications of every OS, and also of DOS 4GW, are written in C language, coz as you'll have already learned or, either, you'll learn, only C allows you to get the "guts" of a program, almost approaching the effectiveness of assembler language. C is therefore the LANGUAGE OF CHOICE for crackers, when you prepare your tools and do not directly use assembler routines. Besides... you'll be able to find VERY GOOD books about C for next to nothing in the second hand bookshops. All the lusers are throwing money away in spades buying huge, coloured and absolutely useless books on unproductive "bloated" languages like Visual basic, C++ and Delphy. Good C new books are now rare (books on assembler language have always been) and can be found almost exclusively on the second hand market. Find them, buy them, read them, use them for your/our aims. You can find a lot of C tutorials and of C material on the Web, by all means DO IT! Be a conscientious cracker... learn C! It's cheap, lean, mean and very productive (and creative) :=) Back to the point: most stuff is written in C and therefore you need to find the "main" sub-routine inside the asm. With DOS/4GW programs, search the exe file for "90 90 90 90", almost always it'll be at the start of the compiled code. Now search for an INT_21 executed with 4C in AH, the exec to dos code (if you cannot "BPINT 21 AH=4C" with your tool, then search for the sequence "b4 4c cd 21". This is the equivalent to [mov AH,4C & int 21]: it's the most direct call, but as you'll have already learned, there are half a dozen ways to put 4C in AX, try them all in the order of their frequency). A few bytes above the INT_21 service 4C, you'll find the call to the "main" subroutine: "E8 xx xx". Now place a "CC" byte a few bytes above the call in the exe and run the exe under a debugger. When the computer tries to execute the instruction you'll be throw back in the debugger coz the "CC" byte acts as INT_01 instruction. Then proceed as usual. [THE "STEGONATED" PASSWORD HIDEOUT] A last, very nice trick should be explained to every wannabe cracker, coz it would be embarrassing to search for passwords or protection routines that (apparently) are not there. They may be hidden INSIDE a picture (or a *.waw file for that matter). This is steganography, a method of disguising messages within other media. Depending on how many shades of grey or hues of colour you want to have, a pixel can be expressed using 8. 16, 32 or even more bits. If the least significant bit is changed. the shade of the pixel is altered only one-256th, one-65,OOOth or even less. No human eye could tell the difference. What the protectionist does, is hijack the least significant bit in each pixel of a picture. It uses that bit to store one bit of a protection, or of a password (or of a file, or of a secret message). Because digitized pictures have lots of pixels, it's possible to store lots of data in a single picture. A simple algorithm will transfer them to the relevant parts of the program when it needs be, and there we'll intercept them. You'll need to learn very well the zen-cracking techniques to smell this kind of stuff though (-> see lesson B). Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the OTHER missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC an526164@anon.penet.fi (+ORC) HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 8.1: How to crack Windows, an approach --------------------------------------------------------------------------- [WINPGP.EXE] -------------------------------------- -------------------------------------------------------- SPECIAL NOTE: Please excuse the somehow "unshaven" character of the windows lessons... I'm cracking the newest Windows '95 applications right now, therefore at times I had to add "on the fly" some corrections to the older Windows 3.1 and Windows NT findings. "homines, dum docent, discunt". --------------------------------------------------------- -> 1st THING TO REMEMBER The NE format does give every windows executable the equivalent of a debug symbol table: A CRACKER BLISS! -> UNDOCUMENTED DEBUGGING One of the many feature of Windows based on undocumented foundations is the "ability to debug". A word about undocumented functions in the MS-Operating Systems: Microsoft manipulates its rule and domination of the operating systems in use to day (MS-DOS, Windows, Windows '95) with two main wicked aims: 1) getting the concurrence completely bankrupt (that's the scope of all the using of undocumented functions and CHANGING them as soon as the concurrence uses them). The battle against Borland was fought in this way. 2) getting all future "programmers" to use windows as a "black box" that only Microsoft engineers (if ever) can master, so that everybody will have to sip the ill-cooked abominations from Microsoft without ever having a chance to alter or ameliorate them. Strange as it may seem, only the sublime cracker community fights against these intolerable plans. All stupid governments and lobbies -on the contrary- hide behind the fig-leaf of the "market" "freedom" in order to ALLOW such heinous developments (I'm speaking as if they were capable to opposing them even if they wanted, which they do not. Be assured, they couldn't anyway, "Governments" are deliberately MADE to serve Gates and all the remaining suckers, and lobbies are the shield of feudalism. You can forget "democracy", the only rule existing is a malevolent oligarchy based on money, personal connections, defect of culture, lack of knowledge and dictatorship of bad taste through television in order to keep the slaves tamed... enough now...) The windows situation is particularly reminiscent of the older situation in DOS, where for years the key "load but don't execute" function, used by debuggers, such as [DEBUG], [SYMDEB] and [CODEVIEW], was "reserved" by Microsoft. The windows debugging library, WINDEBUG.DLL, a number of undocumented functions and even the interface it provides are undocumented! The WinDebug() function is used by all available windows debuggers, including [CVW] (CodeView for Windows), [TDW] (TurboDebugger for Windows), [Multiscope] and [Quick C for Windows] (the last two are GUI, not text debuggers. The use of WinDebug() doesn't show up in MAPWIN output 'coz debuggers link to it at run-time via the amazing GetProcAddress() function. WinDebug() is a hacked 32-bit version, for the old Windows 3.0, of the poorly documented DOSPTrace() function from OS/2 1.x (study these older Operating Systems! Studying the past you'll understand EVERYTHING! Sometime I think that the only way to hack and crack correctly is to be more a software historian than a programmer... fac sapias et liber eris!). DOSPTrace is, in turn, based on the ptrace() function in Unix. Like DosPTrace(), WinDebug() takes commands such as Go, Single-Step, Write&Read Registers, Write&Read Memory. It returns to its caller either when the command completes or when a breakpoint occurs (or a DLL load). These commands and notifications appear in a large structure whose address is passed in WinDebug(). WinDebug() was renamed CVWIN.DLL (and TDWIN.DLL) for Windows 3.1., all crackers should study it and get the maximum possible documentation about it. As you will see in the following, it is worth to study also TOOLHELP.DLL (what Microsoft would like you to fiddle with) and INT_41h (the real debugging interface). Interrupt handling under Windows Interrupt handling under Windows can be tricky: you need to use Toolhelp (a rather scaring lobotomy for your programs) or to have special code for Standard vs. Enhanced modes, because the information on the stack of an interrupt or exception handler differs between the two windows modes. In addition, some handlers would be installed using INT_21h, while others are set up using DPMI services. Toolhelp has quite a bit of internal code that "cooks" the interrupts and sends them to you in an easily digestible form. Remember that Windows uses GP faults as a "hacker" method of doing ring transitions that are not allowed with legal 80x86 instructions: the virtual memory system of Enhanced mode is implemented via the page fault. Some tools for cracking windows (-> see lesson 9) ----------------- DEBUGGERS CVW and TDW (you have to know the function's segment:offset address beforehand in order to crack a function) WCB [Windows Codeback] by Leslie Pusztai (it's a really cool tool!) WDEB386 Microsoft's WDEB386 (clumsy, and requires a second monitor) Soft-Ice/Windows best (BY FAR!) windows debugger! NuMega is so good I am at times really sorry to crack their products! [WINICE] is the single, absolutely essential debugger and snooping utility for windows crackers. Get it! ----------------- POST MORTEM INSPECTORS CORONER, etc. (a lot of shareware) MS-DrWatson Old and clumsy Borland's Winspector THE BEST! It has the BUILDSYM utility that allows the creation of a debug .SYM file from an .EXE without debug information. ----------------- INSPECTORS MS-Spy Old Borland's WinSight (Best one, select "Other") MicroQuill's Windows DeMystifiers (from Jeff Richter): VOYEUR (hold SHIFT picking Message Selection), COLONEL, MECHANIC and ECOLOGIST ----------------- SNOOPERS [INFSPY.EXE], 231.424 bytes, version 2.05 28/8/1994 by Dean Software Design, may be the more complete one. [SUPERSPY.EXE], 24.576 bytes, 10,6,1994, quite handy for quick informations. [WINVIEW.EXE], 30.832 bytes, Version 3.00 by Scott McCraw, MS(c) 1990-1992, this is the old MS-Spy, distributed by MS [TPWSPY.EXE], 9.472 bytes, quite primitive, but you get the pascal source code with it. -> INSIDE A WINDOWS '95 DEBUGGER You can debug a program at the assembly-language level without any debugging information. The DOS [DEBUG] program does that, allowing breakpoints and single-stepping, all of which implies that the hardware must be cooperating. Back in the time of the 4-MHz Z-80s, you used a debugger that plugged interrupt op codes into the instruction stream to generate breakpoints. Nothing has changed. That's how you debug a program on a 80586 (=Pentium). The x86 architecture includes software interrupts. The 1-byte op code xCC is the INT_03 instruction, reserved for debuggers. You can put the INT_03 op code in place of the program instruction op code where the break is to occur and replace the original op code at the time of the interrupt. In the 80386 and later, you can set a register flag that tells the processor to generate a not-intrusive INT_01 instruction for every machine instruction executed. That device supports single stepping. The Win32SDK (Windows '95 software developer's kit) includes functions that allow one program to launch another program and debug it. The SDK's debug API takes care of how the interrupts and interrupt vectors get managed. The logical consequence of such an approach is that fewer and fewer people will be able to know what's going on inside an application. The bulk of the programmers -in few years time- will not be able any more to reverse engineer an application, unless the few that will still understand assembler-language do offer them the tools to do it. Microsoft -it is evident- would like the programmers to use a "black box" approach to programming, writing nice little "hallo world" application and leaving to the engineers in Microsoft alone the capacity to push forward (and sell) real programs that are not toy application. The Win32 documentation seems vast, almost luxurious, until you begin serious work and you discover its shortcomings, like the fact that extended error codes are not documented, and numerous APIs are documented either incorrectly or so poorly that you must burn precious time testing them. What we definitely need is to find some secret fellows inside Microsoft (like good old Prometeus) that smuggles to the outside the real documentation that the Microsoft engineers have reserved for themselves. If you are reading this and do work for Microsoft, consider the possibility of double-crossing your masters for the sake of humanity and smuggle us the secret information. In windows '95 a debugger program launches a program to be debugged by calling the _CreateProcess function, specifying in an argument that the program is to be debugged. Then the debugger program enters a loop to run the program. At the top of the loop the debugger calls _WaitForDebugEvent. Each time _WaitForDebugEvent returns it sets indicators that tell about the vent that suspended the program being debugged. This is where the debugger traps breakpoints and single-step exceptions. _WaitForDebugEvent fills in an event structure that contains among other things the address that was interrupted end the event that caused the interrupt. The debugger calls _GetThreadContext to get the running context of the debugged program, including the contents of the registers. The debugger can, as the result of cracker interaction, modify these values and the contents of the debugged program's memory. The debugger sets breakpoints by saving the op code at the instruction to be intercepted and putting the INT_03 op code at its place, it's always the same old marmalade. When the breakpoint occurs, the debugger replaces the original op code in the program's instruction memory, and decrements the interrupted program counter in the saved context so that execution resumes at the instruction that was broken. To single-step a program, the debugger sets a bit in the context's flags register that tells the processor to generate an INT_01 for every instruction cycle. When that interrupt occurs, the debugger checks to see if the interrupted address is at a new source-code line number. If not, the debugger continues execution. Otherwise, the debugger displays the new line in the IDE and waits for the cracker to take an action that resumes the program. While the debugged program is suspended, the debugger interacts with the cracker and provides full access to the debugged program's context and memory. This access permits the cracker to examine and modify part of the code. To resume the debugged program, the debugger resets the program's context by calling _SetThreadContext and calls _ContinueDebugEvent. Then, the debugger returns to the top of the loop to call _WaitForDebugEvent again. To extract debug information from a Win32 executable file, you must understand the format of that file (best thing to do, to practice yourself, would be to reverse engineer small programs). The executable file has two sections not found in other executable files: ".stab" and ".stabstr". How nice that they used names that suggest their purpose (nomen est omen). You'll find them inside a table of fixed-length entries that include entries for .text, .bss, .data and .idata. Inside these sections the compilers put different parts of a program. There are several different formats for encoding debug information in an executable file. Borland's Turbo Debugger one format. Microsoft's CodeView another. The gnu-win32 port from Cygnus the stab format, an acronym meaning "symbol table", although the table contains much more than just symbol information. The .stab section in a portable executable file is a table of fixed-length entries that represent debugging information in the stab format. The .stabstr section contains variable-length, null terminated strings into which the .stab table entries point. The documentation for the stab format is available in text format on the Cygnus ftp site (ftp.cygnus.com//pub/gnu-win32). Stabs contain, in a most cryptic format, the names and characteristics of all intrinsic and user-defined types, the memory address of every symbol in external memory and on the stack, the program counter address of every function, the program counter address where every brace-surrounded statement block starts and ends, the memory address of line numbers within source-code files, and anything else that a debugger needs. The format is complex and cryptic because it is intended to support any source-code language. It is the responsibility of a debugger program to translate the stab entries into something meaningful to the debugger in the language being debugged. Windows '95 invokes dozens of INT_21 services from 32-bit code, including KERNEL32.DLL and possess Krn32Mutex, which apparently controls access to certain parts of the kernel. Some of the functions in KERNEL32 can be blocked by the Win16Mutex, even though Microsoft says this isn't the case. SO, I WANNA CRACK, WHAT SHOULD I DO? I'll show you a simple windows crack, so easy it can be done without WINICE: let's take [WINPGP4.1.] (front-end for PGPing in windows, by Geib - I must thank "Q" for the idea to work on this crack). Using WCB you'll find out quickly that the "CONGRATULATIONS your registration number is OK" and the "SORRY, your registration number is not correct" data blocks are at the block starting at 36.38B8 (respectively at 36.38D5 and 36.3937), that relocs to 13.081B. Looking at 13.0000 and following code, you'll find a push 38D5 (68D538) and a push 3937 (683739) at 13.064D and 13.06AE. The road to the crack is now open, you just need to find and "fool" the calling routines. You'll learn the exact procedures for this kind of WINcracks in part 2 and 3 of -> Lesson 8. Let's now have a look at the protection scheme (disassembly from WCB): ... 13.0E88 660FBF46F8 movsx eax, word ptr [bp-08] 13.0E8D 668946F4 mov [bp-0C], eax 13.0E91 668B46F4 mov eax, [bp-0C] 13.0E95 6669C00A000300 imul eax, 0003000A 13.0E9C 668946F0 mov [bp-10], eax 13.0EA0 668B4606 mov eax, [bp+06] 13.0EA4 663B46F0 cmp eax, [bp-10] 13.0EA8 7505 jne 0EAF <- beggar_off 13.0EAA B80100 mov ax, 0001 <- flag 1 = "Right!" 13.0EAD EB04 jmp 0EB3 <- and go on beggar_off: 13.0EAF 33C0 xor ax,ax <- flag 0 = "Nope!" 13.0EB1 EB00 jmp 0EB3 <- and go on I want you to have a good look at this protection scheme. IT'S THE SAME OLD SOUP! You do remember lesson 3 and the protection schemes of the old DOS stupid games of the '80s, don't you? IT'S THE SAME OLD SOUP! In this "up-to-date" "new" windows application, in WINPGP version 4.1 of 1995/1996, exactly the same kind of protection is used to "conceal" the password! A) compare user input with memory echo B) beggar off if not equal with AX=0 C) go on if equal with AX=1... how boring! Besides, look at all the mov eax, and eax, moves preceding the compare! That's a typical pattern for these "number_password" protections! I wrote (years ago) a little crack utility that searches for code blocks with a "66" as first instruction_byte repeating in four or more consecutive instructions and it still allows me to crack more than half of these windows password smuts in less than three seconds flat. The IMUL instruction creates the "magic" number, and if you give a closer look at the mathematical part of the "conceal" routine, it could help you to crack analogous schemes used in order to protect the "Instant access" (c) & (tm) time_crippled software :=) Now you could crack the above code in 101 different ways, the most elegant one would probably substitute je 0EAF (or jZ 0EAF, that's the same) to the jne 0EAF at 13.0EA8. You just write a 74 at the place of the 75, like you did for the cracks in 1978... how boring: it's really the same old soup! (But you'll see some new tricks in the next lessons). Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC 526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 8.2: How to crack Windows, a deepr approach --------------------------------------------------------------------------- [SNAP95] [WINZIP] [WINCAT] -------------------------------------- SPECIAL NOTE: Please excuse the somehow "unshaven" character of the windows lessons... I'm cracking the newest Windows '95 applications right now, therefore at times I had to add "on the fly" some corrections to the older Windows 3.1 and Windows NT findings. "homines, dum docent, discunt". --------------------------------------------------------- -> 1st THING TO REMEMBER If you thought that DOS was a mess, please notice that windows 3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of ill-cooked spaghetti code. Old Basic "GOTO" abominations were quite elegant in comparison with this concoction... One thing is sure: This OS will not last... it's way too messy organised, impossible to consolidate, slow and neurotic (but I must warn you... I thought exactly the same things about DOS in 1981). The most striking thing about windows 95 is that it is neither meat not fish: neither 16 nor 32... you could call it a "24 bit" operating system. We'll never damage Microsoft interests enough to compensate for this moronic situation... where you have to wait three minutes to get on screen a wordprocessor that older OS (and even old DOS) kick up in 5 seconds. I decide therefore, hic et nunc, to add an ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach everybody how to crack ALL Microsoft programs that do exist on this planet. I'll write it this sommer and give it away between the "allowed" lessons. Anyway you can rely on good WINICE to crack everything, you'll find it on the web for free, I use version 1.95, cracked by [The Lexicon] (do not bother me for Warez, learn how to use the search engines on the web and fish them out yourself). Learn how to use this tool... read the whole manual! Resist the temptation to crack immediatly everything in sight... you 'll regret pretty soon that you did not wanted to learn how to use it properly. A little tip: as Winice is intended more for software developers than for crackers, we have to adapt it a little to our purposes, in order to make it even more effective: a good idea is to have in the *.DAT initialization file following lines: INIT = "CODE ON; watchd es:di; watchd ds:si;" TRA = 92 This way you'll always have the hexadecimal notation on, two very useful watch windows for passwords deprotection and enough buffer for your traces. WINDOWS 3.1. basic cracking: [ALGEBRAIC PROTECTIONS] The most used windows protections are "registration codes", these must follow a special pattern: have a "-" or a "+" in a predetermined position, have a particular number in particular position... and so on. For the program [SHEZ], for instance, the pattern is to have a 14 bytes long alphanumeric sequence containing CDCE1357 in the first 8 bytes. The second level of protection is to "connect" such a pattern to the alphanumeric contents of the NAME of the user... every user name will give a different "access key". This is the most commonly used system. As most of these protections have a "-" inside the answering code, you do not need to go through the normal cracking procedure (described in the next lesson): * load WINICE * hwnd [name_of_the_crackanda_module] * choose the window Handle of the snap, i.e, the exact "FIELD" where the code number input arrives... say 091C(2) * BMSG 091C WM_GETTEXT * Run anew * Look at the memory location(s) * Do the same for the "Username" input FIELD. (Sometimes linked, sometimes not, does not change much, though) * BPR (eventually with TRACE) on the memory locations (these will be most of the time FOUR: two NUMBERCODES and two USERNAMES). The two "mirrored" ones are the most important for your crack. At times there will be a "5th" location, where the algebraic play will go on... * Look at the code that performs algebraic manipulations on these locations and understand what it does... * Disable the routine or jump over it, or reverse it, or defeat it with your own code... there are thousand possibilities... * Reassemble everything. Uff... quite a long cracking work just to crack some miserable program... isn'there a quicker way? OF COURSE THERE IS! Actually there are quite a lot of them (see also the crack of Wincat Pro below): Look at the following code (taken from SNAP32, a screen capture utility for Windows 95, that uses a pretty recent protection scheme): XOR EBX,EBX ; make sure EBX is zeroed MOV BL, [ESI] ; load input char in BL INC ESI ; point at the next character MOV EDI,EBX ; save the input character in EDI CMP EBX,+2D ; input char is a "-" ? JZ ok_it's_a_+_or_a_- CMP EBX,+2B ; input char is a "+" ? JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it :ok_it's_a_+_or_a_- XOR EBX,EBX ; EBX is zeroed MOV BL,[ESI] ; recharge BL INC ESI ; point to next char (do not check - or +) :Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it XOR EBP,EBP ; zero EBP CMP DWORD PTR [boguschecker], +01 ... even if you did not read all my precedent lessons, you do not need much more explications... this is a part of the algebraic check_procedure inside the SNAP32 module... you could also get here through the usual USER!BOZOSLIVEHERE KERNEL!HMEMCPY USER!GLOBALGETATOMNAME Windows wretched and detestable APIs used for copy protections, as usual with WINICE cracking, and as described elsewhere in my tutorial. The above code is the part of the routine that checks for the presence of a "+" or a "-" inside the registration number (many protections scheme requires them at a given position, other need to jump over them). Now sit down, make yourself comfortable and sip a good Martini- Wodka (invariably very useful in order to crack... but be aware that only Moskowskaia russian Wodka and a correct "Tumball" glass will do, do not forget the lemon)... what does this "-" stuff mean for us little crackers? It means that we can search directly for the CMP EBX,+2B sequence inside any file protected with these schemes... and we'll land smack in the middle of the protection scheme! That's amazing... but you will never underrate enough the commercial programmers... the only really amazing thing is how simpleton the protectionists are! You don't believe me? Try it... you 'll get your crack at least 4 out of 5 times. Yes I know, to find this code is not yet to crack it... but for this kind of copy protection (that's the reason it is so widespread) there is no single solution... each makes a slightly different algebraic manipulation of the alphanumeric and of the numeric data. It's up to you to crack the various schemes... here you can only learn how to find them and circumvene them. I'll not give you therefore a "debug" crack solution. You'll find it yourself using my indications (see the crack of the Wincat Pro program below). WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE PROTECTIONS KEEP COUNT OF THE PASSING DAYS? Most of the time the protection schemes use their own *.ini files in the c:\WINDOWS directory for registration purposes... at time they even use the "garbage sammler" win.ini file. Let's take as example WINZIP (versions 5 and 5.5), a very widespread program, you'll surely have one shareware copy of it somewhere between your files. In theory, winzip should be registered per post, in order to get a "NEW" copy of it, a "registered" copy. This scares most newby crackers, since if the copy you have it's not full, there is no way to crack it and make it work, unless you get the REAL stuff. The youngest among us do not realize that the production of a real "downsized" demo copy is a very expensive nightmare for the money-infatuated commercial programmers, and that therefore almost nobody does it really... nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE PROGRAMS, and not "downsized" demos, independently of what the programmers and the protectionists have written inside them. Back to Winzip... all you need, to crack winzip, is to add a few lines inside the win.ini file, under the heading [WinZip], that has already been created with the demo version, before the line with "version=5.0". I will not help you any further with this... I'll leave it to you to experiment with the correct sequences... inside win.ini you must have following sequence (these are only template to substitute for your tries inside WINICE... you'll get it, believe me): [WinZip] name=Azert Qwerty sn=######## version=5.5 The *important* thing is that this means that you DO NOT NEED to have a "new registered version" shipped to you in order to make it work, as the protectionist sellers would like you to believe. The same applies most of the time... never believe what you read in the read.me or in the registration files... This brings me to a broader question: NEVER believe the information they give you... never believe what television and/or newspapers tell you... you can be sure that the only reason they are notifying you something is to hinder you to read or understand something else... this stupid_slaves_society can only subsist if nobody thinks... if you are really interested in what is going on, real information can be gathered, but surely not through the "conventional" newspapers and/or news_agencies (and definitely NEVER through television, that's really only for the stupid slaves)... yes, some bit of information can be (laboriously) gathered... it's a cracking work, though. HOW TO CRACK INFORMATION [WHERE WHAT] * INTERNET In the middle of the hugest junk collection of the planet, some real information can be laboriously gathered if you do learn how to use well the search engines (or if you do build your ones... my spiders are doing most of the work for me... get your robots templates from "Harvest" or "Verify" and start your "spider building" activity beginning from Martijn Koster's page). As usual in our society, in the Internet the real point is exactly the same point you'll have to confront all your life long: HOW TO THROW AWAY TONS OF JUNK, HOW TO SECLUDE MYRIADS OF USELESS INFORMATION and HOW TO FISH RARE USEFUL INFORMATION, a very difficult art to learn per se. Internet offers some information, though, mainly BECAUSE it's (still) unregulated. You want a proof? You are reading it. * SOME (RARE) NEWSPAPERS. The newspaper of the real enemies, the economic powers that rule this slaves world, are paradoxically most of the time the only ones worth studying... somewhere even the real rulers have to pass each other some bits of real information. The "Neue Zuercher Zeitung", a newspaper of the Swiss industrials from Zuerich, is possibly the best "not_conformist trend analyzer" around that you can easily find (even on the web). These swissuckers do not give a shit for ideology, nor preconcerted petty ideas, the only thing they really want is to sell everywhere their ubiquitous watches and their chocolates... in order to do it, a land like Switzerland, with very high salaries and a good (and expensive) social system, must use something brilliant... they found it: a clear vision of the world... as a consequence this newspaper is very often "against" the trend of all the other medias in the world, the ones that are used only in order to tame the slaves... If the only language you know is english (poor guy) you could try your luck with the weekly "Economist"... you'll have to work a lot with it, coz it has been tailored for the "new riches" of the Tatcher disaster, but you can (at times) fish something out of it... they do a lot of idiotic propaganda, but are nevertheless compelled to write some truth. American newspapers (at least the ones you can get here in Europe) are absolute shit... one wonders where the hell do the americans hyde the real information. On the "non-capitalistic" side of information there is a spanish newspaper "El Pais" that seems to know about what's going on in South America, but it's so full of useless propaganda about irrelevant Spanish politics that it's not really worth reading. The monthly "Le Monde diplomatique" offers something too... this one exaggerates a little on the pauperistic "third world" side, but has a lot of useful information. See what you can do with all this information (or disinformation?) [BELIEVE THE COUNTRARY] Another good rule of thumb in choosing your medias is the following... if all medias around you assure, for instance, that "the Serbians are evil"... the only logical consequence is that the Serbians are not so evil at all and that "the Croats" or some other Yugoslavian shits are the real culprits. This does not mean at all that the Serbians are good, I warn you, it means only what I say: something is surely hidden behind the concerted propaganda you hear, the best reaction is to exaggerate in the other direction and believe the few bit of information that do say the countrary of the trend. This rule of thumb may be puerile, but it works somehow most of the time... if somewhere everybody writes that the commies are bad then THERE the commies must not be so bad at all and, conversely, if everybody in another place writes that the commies are all good and nice and perfect (like the Soviet propaganda did) then THERE the commies are surely not so good... it's a matter of perspective, much depends on where you are, i.e. whose interests are really at stake. There is NEVER real information in this society, only propaganda... if you still do not believe me do yourself a little experiment... just read the media description of a past event (say the Vietnam war) as written AT THE MOMENT of the event and (say) as described 10 years later. You'll quickly realize how untrustworthy all newspapers and medias are. * SEMIOTICS You'll have to study it (as soon as you can) to interpret what they let you believe, in order to get your bearings. A passing knowledge of ancient RHETORIC can help quite a lot. Rhetoric is the "Softice" debugger you need to read through the propaganda medias: concentrate on Periphrasis, Synecdoche, Antonomasia, Emphasis, Litotes and Hyperbole at the beginning... you'll later crack higher with Annominatio, Polyptoton, Isocolon and all the other lovely "figurae sententiae". Enough, back to software cracking. HOW A REGISTRATION CODE WORKS [WINCAT] Let's take as an example for the next crack, a Username- algebraic registration code, WINCAT Pro, version 3.4., a 1994 shareware program by Mart Heubel. It's a good program, pretty useful to catalogue the millions of files that you have on all your cd-roms (and to find them when you need them). The kind of protection Wincat Pro uses is the most utilized around: the username string is manipulated with particular algorithms, and the registration key will be made "ad hoc" and depends on the name_string. It's a protection incredibly easy to crack when you learn how the relevant procedures work. [WINCAT Pro] is a good choice for cracking studies, coz you can register "over your registration" one thousand times, and you can herefore try for this crack different user_names to see all the algebrical correspondences you may need to understand the protection code. In this program, when you select the option "register", you get a window where you can input your name and your registration number (that's what you would get, emailed, after registering your copy). If you load winice and do your routinely hwnd to individuate the nag window, and then breakpoint on the appropriate memory ranges you'll peep in the working of the whole bazaar (this is completely useless in order to crack these schemes, but it'll teach you a lot for higher cracking, so you better do it also with two or three other programs, even if it is a little boring): a series of routines act on the input (the name) of the user: the User_name_string (usn). First of all the usn_length will be calculated (with a REPNZ SCASB and a following STOSB). Then various routines store and move in memory the usn and the registration_number (rn) and their relative lengths. In order to compare their lengths and to check the correct alphanumeric correspondence between usn and rn, the program first uppercases the usn and strips all eventual spaces away. Here the relevant code (when you see an instruction like SUB AL,20 you should immediately realize that you are in a uppercasing routine, which is important for us, since these are mostly used for password comparisons)... here the relevant Winice unassemble and my comments: 253F:00000260 AC LODSB <- get the usn chars 253F:00000261 08C0 OR AL,AL <- check if zero 253F:00000263 740F JZ 0274 <- 0: so usn finished 253F:00000265 3C61 CMP AL,61 <- x61 is "a", man 253F:00000267 72F7 JB 0260 <- not a lower, so loop 253F:00000269 3C7A CMP AL,7A <- x7A is "z", what else? 253F:0000026B 77F3 JA 0260 <- not a lower, so loop 253F:0000026D 2C20 SUB AL,20 <- upper it if it's lower 253F:0000026F 8844FF MOV [SI-01],AL<- and hyde it away 253F:00000272 EBEC JMP 0260 <- loop to next char 253F:00000274 93 XCHG AX,BX ... The instruction MOV [SI-01],AL that you see here is important at times, coz it points to the location of the "pre-digested" usn, i.e. the usn formatted as it should be for the number comparison that will happen later. In some more complicated protection schemes the reasoning behind this formatting is the following: "Stupid cracker will never get the relation algorhitm usn <-> rn, coz he does not know that usn AND rn are slightly changed before comparing, ah ah... no direct guessing is possible". Here is only "polishing": you have to "polish" a string before comparing it in order to concede some mistakes to the legitimate user (too many spaces in the name, upper-lower case mismatch, foreign accents in the name etc.) You just need to know, for now, that this checking is usually still 5 or 6 calls ahead of the real checking (it's what we call a "green light"). You should in general realize that the real checking of the algebrical correspondence follows after a whole series of memory operations, i.e.: cancelling (and erasing) the previous (if ever) attempts; reduplicating the usn and the rn somewhere else in memory; double checking the string lengths (and saving all these values somewhere... be particularly attentive when you meet stack pointers (for instance [BP+05]): most of the programs you'll find have been written in C (what else?). C uses the stack (SS:SP) to pass parameters or to create local variables for his procedures. The passwords, in particular, are most of the time compared to data contained within the stack. If inside a protection a BP register points to the stack you have most of the time fished something... remember it pupils: it will spare you hours of useless cracking inside irrelevant routines. Back to our CATWIN: another little check is about the "minimal" length allowed for a user name, in our babe, for instance, the usn must have at least 6 chars: 230F:00003483 3D0600 CMP AX,0006 230F:00003486 730F JAE 3497 <- go to nice_name :too_short 230F:00003488 BF9245 MOV DI,4592 <- no good: short After a lot of other winicing you'll finally come across following section of the code: 2467:00000CA3 B90100 MOV CX,0001 2467:00000CA6 03F1 ADD SI,CX 2467:00000CA8 2BC1 SUB AX,CX 2467:00000CAA 7213 JB 0CBF 2467:00000CAC 40 INC AX 2467:00000CAD 368B4F04 MOV CX,SS:[BX+04] <- here 2467:00000CB1 0BC9 0R CX,CX 2467:00000CB3 7D02 JGE 0CB7 2467:00000CB5 33C9 XOR CX,CX 2467:00000CB7 3BC1 CMP AX,CX 2467:00000CB9 7606 JBE 0CC1 2467:00000CBB 8BC1 MOV AX,CX 2467:00000CBD EB02 JMP 0CC1 2467:00000CBF 33C0 XOR AX,AX 2467:00000CC1 AA STOSB <- and here 2467:00000CC2 8BC8 MOV CX,AX 2467:00000CC4 F3A4 REPZ MOVSB <- and here! 2467:00000CC6 8EDA MOV DS,DX 2467:00000CC8 FC RETF 0008 This is obviously the last part of the checking routine (I'll not delve here with the mathematical tampering of it, if you want to check its workings, by all means, go ahead, it's quite interesting, albeit such study is NOT necessary to crack these schemes). The important lines are obviously the MOV CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password protection schemes, you do remember lesson 3, don't you?). You should be enough crack-able :=) by now (if you have read all the precedent lessons of my tutorial), to find out easily, with these hints, how the working of the protection goes and where dwells in memory the ECHO of the correct rn (passkey) that matches the name you typed in. Remember that in these kind of cracks the ECHO is present somewhere (90% of the cases). There are obviously one thousand way to find such ECHOs directly, without going through the verificayions routines... for instance you could also find them with a couple of well placed snap_compares, it's a "5 minutes" cracking, once you get the working of it. I leave you to find, as interesting exercise, the routine that checks for a "-" inside the rn, a very common protection element. In order to help you understand the working of the protection code in [Wincat Pro] I'll give you another hint, though: if you type "+ORC+ORC+ORC" as usn, you'll have to type 38108-37864 as rn, if you usn as usn "+ORC+ORC" then the relative rn will be 14055-87593. But these are my personal cracks... I have offered this information only to let you better explore the mathematical tampering of this specific program... you'll better see the snapping mechanism trying them out (going through the routines inside Winice) alternatively with a correct and with a false password. Do not crack Wincat with my combination! If you use a different usn than your own name to crack a program you only show that you are a miserable lamer... no better than the lamers that believe to "crack" software using huge lists of serial numbers... that is really software that they have stolen (Yeah: stolen, not cracked). You should crack your programs, not steal them... "Warez_kids" and "serial#_aficionados" are only useless zombies. I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER! It makes a lot of a difference, believe me. Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. "If you give a man a crack he'll be hungry again tomorrow, but if you teach him how to crack, he'll never be hungry again" E-mail +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson 9 (1): How to crack Windows, Hands on --------------------------------------------------------------------------- [Winformant][Snap32] -------------------------------------- THE [DATA_CONSTRAINT] TRICK - [WINFORMANT 4] I have chosen an older windows application for Win 3.1. (WIN4MANT.EXE, 562271 bytes, Version 1.10, by Joseph B. Albanese; you'll find it searching the web with the usual tools, see how to do it at the end of this lesson), in order to show you how to use a nice little trick, at times really useful in cracking password protected programs: [data_constraint]. Inside almost all protection routines, as you have already learned, there is a moment when on the stack the ECHO of the real, "correct" passnumber or password appears. The location of this ECHO varies, but most of the time it'll be in a range of +- 0x90 bytes from one of the locations where the user input dwells. This is due to datadump windows constraints inside the tools used by the protectionists... but this use is bound to diminish... especially after this lesson :=) [WINFORMANT CRACKING] This application is -per se- crappy, I doubt you'll ever use it... but its curious (and pretty rare) "deactivate" mode is nevertheless very interesting for us: you can "unregister" Winformant on the fly if you feel the need to. This feature is pretty useful for scholars that like to investigate password algorithms with valid and invalid codes without having to reinstall every time to delete a valid code. For your cracking exercises choose programs that have "REVERSIBLE" protections (rare) or that can be re-registered a billion times (more frequent). Programs that keep the valid registration on *.ini or special files will also do the job: you just change a couple of lines to "unregister" them. The trick of this lesson: [data_constraint], or "password proximity", bases on the protectionist's need to keep an eye on the protection "working" when he assembles it. He must "see" the relationships between USER INPUT NUMBER, USER INPUT TRANSFORMED and the CORRECT NUMBER ANSWER (in our jargon: the "Bingo"). These relationships must be constantly checked In order to debug the protection code. Mostly they will dwell TOGETHER inside a small stack area, allowing them to be "seen" in the SAME watchwindow. Most of the time, therefore, the "ECHO" will "materialize" shortly not very far away from one of the locations of the USER INPUT. Let's crack: * Fire Winice and then Winformant * Choose HELP and then choose REGISTRATION * Fill the registration fields with "+ORC+ORC" as "Registrant" and "12121212" as "Activation" code (use whatever you fancy). CTRL+D ;switch to Winice :task ;let's see what's the name of this crap TaskName SS:SP StackTop StackBot StackLow TaskDB hQueue Events WINWORD 1AD7:85F2 4A52 8670 7532 1247 122F 0000 PROGMAN 1737:200A 0936 2070 1392 066F 07F7 0000 DISKOMAT *2C5F:6634 1D3C 6AC6 5192 2CB7 2C9F 0000 :hwnd DISKOMAT ;which window is getting the input? WinHandle Hqueue QOwner Class Name Window Procedure 0EB4(0) 2C9F DISKOMAT #32769 04A7:9E6B 0F34(1) 2C9F DISKOMAT #32768 USER!BEAR306 365C(1) 2C9F DISKOMAT #32770 2C3F:0BC6 36BC(2) 2C9F DISKOMAT Button 2C3F:1CEA 3710(2) 2C9F DISKOMAT Edit 2C3F:24BE ... and many more irrelevant windows. Let's pinpoint the code, here the relevant window is the first "Edit" one, for obvious reasons (more on this later). :bmsg 3710 wm_gettext ;set breakpoint CTRL+D ;run the babe until you get: Break Due to BMSG 3710 WM_GETTEXT C=01 Hwnd=3710 wParam=0050 lParam=2C5F629A msg=000D WM_GETTEXT 2C3F:000024BE B82F2C MOV AX,2C2F So! Now we have "pinpointed" the babe (more on "pinpointing" later). Let's snoop around a little: look at the stack to fetch your babe's last call (if it does not show immediately, just keep pinpointing, for instance on GetWindowText() or do a BPRW diskomat (very useful), and then try and retry the stack... should this too fail to work, search for your input in memory (in the 30:0 lffffffff selector, as usual) and breakpoint range on it with ReadWrite, and then stack, stack, stack... until you get the "real" list of calls coming from your babe's protection. :stack ; let's see USER(19) at 073F:124C [?] through 073F:1239 CTL3D(02) at 2C3F:0D53 [?] through 2C3F:0D53 DISKOMAT(01) at 2C97:20B9 [?] through 2C97:20B9 DISKOMAT(01) at 2C97:3D94 [?] through 2C97:3D94 DISKOMAT(01) at 2C97:49E2 [?] through 2C97:4918 DISKOMAT(04) at 2C7F:EA20 [?] through 2C7F:EA20 USER(01) at 04A7:19BE [?] through USER!GETWINDOWTEXT == CTL3D(02) at 2C3F:24BE [?] through 04A7:3A3Cæ Beautiful stack fishing! Do immediately a BPX on babe:EA20. 2C7F:EA35 9A25ABA704 CALL USER!GETWINDOWTEXT 2C7F:EA3A 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" 2C7F:EA3D 16 PUSH SS ;save pointer segment 2C7F:EA3E 50 PUSH AX ;save pointer offset 2C7F:EA3F 9A768D872C CALL 2C87:8D76; get strlen "ORC+ORC" 2C7F:EA44 83C404 ADD SP,+04 2C7F:EA47 3D2800 CMP AX,0028 2C7F:EA4A 762C JBE EA78 ... 2C7F:EA97 8D46AE LEA AX,[BP-52] ;load ptr "+ORC+ORC" 2C7F:EA9A 16 PUSH SS ;various algors on input 2C7F:EA9B 50 PUSH AX ;follow here, we do not ... ;need to care 2C7F:EAB2 0F851101 JNE EBC7 2C7F:EAB6 8D8E5CFF LEA CX,[BP+FF5C] ;ptr "12121212" 2C7F:EABA 16 PUSH SS 2C7F:EABB 51 PUSH CX 2C7F:EABC 9A768D872C CALL 2C87:8D76 ;get strlen "12121212" 2C7F:EAC1 83C404 ADD SP,+04 2C7F:EAC4 50 PUSH AX 2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" HERE! 2C7F:EAC9 16 PUSH SS 2C7F:EACA 50 PUSH AX ...etc, various algors on input follow here OK, it's enough: now obviously follows the code that "algorithmize" the number string, and then, somewhere, you'll have the hideous compare that divides good guys and bad crackers. You could examine, and crack, and search... BUT NOW IT'S THE "MAGIC MOMENT" OF THE ECHO! We know and *feel* it: The echo must be somewhere... how do we find it? Searching "12121212" in memory fishes at least 10 different locations... :s 30:0 lffffffff '12121212' Pattern Found at 0030:0005AD6A .... (7 more) Pattern Found at 0030:80509D6A Pattern Found at 0030:8145AD6A Should we look for all occurrences of string '12121212', starting with the two at 80000000, dumping +-0x90 around it... until we find the echo? We could, and it would work, but that's not zen... that's boring! In other protections these locations could proliferate on purpose, to deter the casual cracker. There must be some other way... And lo and behold! YES! There is a quicker way... THE LAST loading of the numeric input string in the code (the one after the strlen count) is the "right" one for our cracking purposes, coz protections follow (mostly) this pattern (remember: we are inside a "stack-heavy" section of the code... if you want to crack higher I suggest you read some good literature about stack working, stack tricks and stack magics with the Intel processors): LOAD NAMEString - COUNT NAMEStringLen LOAD NAMEString - TRANSFORM NAMEString LOAD CODEString - COUNT CODEStringLen LOAD CODEString *ECHO must be here* TRANSFORM CODEString *ECHO must be here* COMPARE TRANSFORMED_NAMEString WITH TRANSFORMED_CODEString This means that at line 2C7F:EAC5 8D865CFF LEA AX,[BP+FF5C] ;ptr "12121212" you'll already have your echo somewhere... just dump the memory around the pointer [BP+FF5C]: :d 2c5f:61e8 ;these numbers will differ in your computer 02 62 2F 06 02 00 26 2E-A3 4E A3 4E 01 00 38 30 .b/...&..N.N..80 33 37 2D 36 34 36 2D 33-38 33 36 00 01 06 02 00 37-646-3836..... 2F 06 75 62 C3 2E B7 04-F2 24 2F 06 CE 6E 2F 06 /.ub.....$/..n/. 49 00 5A 00 01 00-04 2C 2F 06 AE 24 36 62 00 00 I.Z......,/..$6b 74 62 7A 2E B7 04 36 62-01 00 C2 62 2F 2C 26 2E tbz...6b...b/,&. 03 01 BA 0F AE 24 5F 02-C9 01 5E 02 BA 01 5F 02 .....$_...^..._. 31 32 31 32 31 32 31 32-00 0C 00 BC 02 00 00 00 12121212........ 00 49 00 BA 0F-AE 24 F2 24 2F 06 00 00 00 00 00 ....I....$.$/... AF 17 00 E2 5F-7A 62 FE FF 79 1B BA 0F 00 00 00 ......._zb..y... 96 0B 01 00 02 4E 00-37 01 8A 62 D2 0F 8F 17 00 .....N..7..b.... 2F 06 00 37 01-98 62 20 10 16 03 2F 06 00 00 00 /.....7..b .../. C2 62 2B 4F 52 43 2B 4F-52 43 00 0D AE 24 2F 06 .b+ORC+ORC...... Look at this dump: everybody is there! The stack pointers points in the middle, at string "12121212". 0x50 bytes before it you'll find our good old ECHO (i.e. the CORRECT passnumber) and 0x50 bytes afterwards you'll see your handle: here "+ORC+ORC". It's cracked! The code for my "+ORC+ORC" is 8037-646-3836... Now begin your assignments: if you rally want to learn cracking: - "Unregister" and find anew your own code for your own handle. *DO NOT* use serial numbers with any other name that your own handle, that's miserable stealing, not cracking. I'll begin to punish the serial#_aficionados on the Web, coz I like real outlaws, but I detest stupid pickpockets. - Study the two coding algorithms, the one for the input name and the one for the input number, this will be very useful for your future cracking sessions. - Find the "Compare", i.e. the code that sets the two usual flags "good guy, you may move on" and "bad cracker, beggar off", and - Create a "real" crack for this protection, that will allow anybody you think deserves it, with any name and any password number, to get through. [CRACKING SNAP 32] Snap 32 (SNAP32.EXE 356.352 bytes, 24/11/95, Version 2.54, by Greg Kochaniak) is a "snapshot" shareware program for Windows 95, that allows users to save the screen, parts of it, or a single window. It's a very common 'try before you buy' program, limited to 30 days use. You'll find it everywhere on the Web. If you do not know how to search the Web (poor guy!), learn at the end of this lesson the correct procedure to find all the files you need on the Net and get them automatically emailed to you (that's something you should learn: SEARCHING! It's even more important than cracking!). Snap32 is not very interesting (I don't think I used it more than a couple of times), but its protection is: in order to (try to) deter casual crackers it does not compare strings, it compares a "magic" sum (from Namestring) with another magic sum (from Numberstring). And: * SUMS magics inside the GDI, not inside its own code; * USES a look_up table for input validation instead of "plain" code; * COMPARES the "magic" manipulation from input NUMBER with the "magic" manipulation from input NAME. The cracking procedure for most of these windows programs is pretty simple and relatively straightforward: 1) SEE THE NAME OF YOUR BABE AND ITS QUEUE SELECTOR :task ;This is the Winice95 command you type after firing snap32 and getting at the "Enter License" nag window: TaskName SS:SP StckTp StckBt StckLw TaskDB Hqueue Events Snap32 0000:0000 006 AC000 006B0000 270E D27 0000 OK, the babe is Snap32,it's HQUEUE is 0xD27, it's TaskDB is 0x27OE, orright. 2) SEE THE MODULES OF YOUR BABE: :map32 snap32 ;Your command Owner Obj Name Obj# Address Size Type SNAP32 .text 0001 0137:00401000 00043000 CODE RO SNAP32 .rdata 0002 013F:00444000 00002E00 IDATA RO SNAP32 .data 0003 013F:00447000 00009000 IDATA RW SNAP32 .idata 0004 013F:00471000 00001C00 IDATA RW SNAP32 .rsrc 0005 013F:00473000 00001600 IDATA RO SNAP32 .reloc 0006 013F:00475000 00004C00 IDATA RO OK, so the code is in selector 137:(as usual), and you have there 43000 bytes of code from 401000 to 401000+43000; the DATA, ReadWrite and ReadOnly, are in selector 13F: (as usual). 3) SEE THE HANDLE OF THE PROTECTION "NAG" WINDOW :hwnd snap32 ;Your command Window Handle Hqueue SZ Qowner Class Name Window Procedure 0350(1) 0D27 32 SNAP32 #02071 144F:0560 0354(2) 0D27 32 SNAP32 #02071 17CF:102E ... and many more windows that we do not care of. OK, so, for our cracking purposes, it's Handle 0x350. Most of the times the "nag" window you want to crack will be the first one in the hwnd listing (coz it was the last one to appear). Watch the number in parentheses that follows the Whandle: (1) is a mother, (2) are "children" windows. At times you'll find under "Class Name" something like "Edit" (see before the Winformant cracking)... SNIFF THERE! At times the "Window Procedure" code location in a list of more than twenty, will be slightly different for one or two windows... SNIFF THERE! 4) BREAKPOINT MESSAGE WM_GETTEXT (or any other WM_ that you can think of in order to "pinpoint" the code of our babe). "Pinpointing" the code is extremely important in windows cracking... this idiotic OS moves code, data and stack out and inside the pages all the time... so you'll keep getting on "INVALID" sections without a correct pinpointing. Good Pinpointing points are in general: BMSG xxxx WM_GETTEXT (good for passwords) BMSG xxxx WM_COMMAND (good fro OK buttons) BPRW *your babe* TW (good for tracking) u USER!GETWINDOWTEXT (u and then BPX inside the code) u GETDLGITEM (for the Hwnd of an Item inside a Dialog Box) CSIP NOT GDI (if you have too many interferences) u USER!SHOWWINDOW (bpx with counter occurrence to get to the "right" window) u GETSYSTEMTIME (for "time-crippled" software) and many others pinpointing points you'll learn. If you are really desperate for pinpointing, just do a BMSG xxxx WM_MOVE and then move the nag window, this will always work. Let's go on: :bmsg 350 wm_gettext ;Your command OK, so the code is ready to be pinpointed. 5)RUN THE PROGRAM TO THE BREAKPOINT: CTRL+D ;Your command to exit Winice and run until it pops out at breakpoint OK, now you pop out inside Winice somewhere... (look at the stack to know where) so the code has been pinpointed. 6) SEARCH THE DATA AREA for your input string (4 Gigabytes from 30:0... remember that DATA are *always* in 30:0 to 30:FFFFFFFF and CODE is *always* in 28:0 to 28:FFFFFFFF). In most protection the "registration_number" string must match the "username" string, which cannot be constrained, in order to allow users to choose whatever stupid name they fancy. Some protections requires fixed symbols inside the "username" string, though... in these rare eventualities, just apply to the "username" string what we'll do here with the "registration_number" string. The point to remember is: begin always with the protection fumbling your number, crack only if necessary the protection that fumbles your name. Let's search now. :s 30:0 lffffffff '12121212' ;Your command Pattern Found at 0030:80308612 80000000 is good. Lower era videos, mirrors and BIOS, higher (around C0000000) you have the OS dustbins... the point to remember is: investigate always FIRST the 80000000 locations. 7) BREAKPOINT ON MEMORY RANGE ON THIS STRING. By the way: prepare a watch window dex 3 es:di, you'll soon see how useful such an automated watchwindow is in password cracking. :bpr 30:80308612 30:80308612+8 RW ;Your command OK Now we'll begin to dig out the relevant parts of the code. Remember that you must breakpoint *every* copy of the string that protection generates. A typical copy routine, very frequently used in windows copy protection schemes, dwells inside KERNEL!HMEMCPY (+0076): 0117:9E8E 66C1E902 SHR ECX,02 0117:9E92 F36766A5 REPZ MOVSD ;makes a copy in es:di 0117:9E96 6659 POP ECX 0117:9E98 6683E103 AND ECX,+03 0117:9E9C F367A4 REPZ MOVSB 0117:9E9F 33D2 XOR DX,DX In fact, this piece of copying code is so often used for password verifications that sometimes you just need to bpx on 0117:9E92 to get the correct stack sequence... but let's, for now, continue without such little tricks: just keep on BPRring (Breakpoint on memory range) all copies that protection makes. 8) LET THE BABE RUN, it will breakpoint on all manipulations of your input string. One of them will lead to the magic. 8.1.) VALIDATION phase There are many routines that check and "validate" your inputs. The most common ones check that your numbers ARE really numbers, i.e. in the range 0x30-0x39. Usually this is done with: CMP EAX,+30 JB no_number CMP EAX,+39 JA no_number At times the protectionists use TABLES instead... The number itself is used as a pointer to a "ready made" table where the relevant magic can be used as a protection. Imagine that a number 4 in your input points to a code section that throws you immediately outside the validation routine... or imagine that a number 7, if found in your input, fetches a magic code that removes the whole program from your harddisk (or worse): "Ah, ah! Stupid cracker will never know that he should not have used number 4... and definitely not number 7! Next time he'll learn..." Yes, tables have been used for such nasty tricks. Here the relevant code for the "validation" part of our protection (still checking my favourite input string '12121212'): :check_if_valid 0137:4364AE 8A16 MOV DL,[ESI] ;load license number 0137:4364B0 33C0 XOR EAX,EAX ;zero AX 0137:4364B2 668B0451 MOV AX,[ECX+2*EDX] ;look table for 84 0137:4364B6 83E008 AND EAX,+08 ;OK if AND'S TO zero 0137:4364B9 85C0 TEST EAX,EAX ;and therefore 0137:4364BB 7403 JZ 004364C0 ;go on 0137:4364BD 46 INC ESI ; ready for next number 0137:4364BE EBCD JMP 0043648D :strip_-_&_+_signs 0137:4364C0 33DB XOR EBX,EBX ;clean BX 0137:4364C2 8A1E MOV BL,[ESI] ;load license number 0137:4364C4 46 INC ESI ;ready for next 0137:4364C5 8BFB MOV EDI,EBX ;save copy 0137:4364C7 83FB2D CMP EBX,+2D ;is it a "-"? 0137:4364CA 7405 JZ 004364D1 0137:4364CC 83FB2B CMP EBX,+2B ;is it a "+"? 8.2.) MANIPULATION (summing magic numbers) Your wisely set breakpoints on memory range for the occurrence of the string "12121212" will pop you out, inter alia, inside following piece of code (note how this part of protection dwells inside GDI, and NOT inside the code selector of snap32): 0557:11BD 33C0 XOR EAX,EAX ;zero AX 0557:11BF 66648B06 MOV AX,FS:[ESI] ;load number 0557:11C3 83C602 ADD ESI,+02 ;point to next 0557:11C6 66833C4700 CMP WORD PTR [EDI+2*EAX],+00 0557:11CB 0F8424010000 JE 000012F5 0557:11D1 668B0442 MOV AX,[EDX+2*EAX] ;load from magic table 0557:11D5 03D8 ADD EBX,EAX ;save sum in EBX 0557:11D7 49 DEC ECX ;till we are done 0557:11D8 75E5 JNZ 000011BF ;loop along Interesting, isn't it? Protection is using this GDI routine to create a SUM (through pointers to another table) that depends on your very input numbers. We are now very near to the crack... can you *feel* it? If not, prepare yourself a good Martini Vodka! This is the correct way to do it: * Get a "highball" glass; * Put some ice cubes inside it (2 or 3); * Add Martini Dry (From Martini & Rossi). Fill to 1/3; * Add Moskowskaja Wodka (the only real Vodka). Fill to 2/3; * Add a zest of lemon (From Malta or Southern France); * Add a green "sound" olive (from Italy or Israel); * Add Schweppes Indian Tonic. Fill to the brim. Sit deeper and relax, sip slowly and *feel* where the code of the protection scheme you are cracking "moves"... It's like a current... a slow tide. If you still do not believe me, just try it. We'll now find out where protection stores the "magic" sum (and now you'll pop out inside the very own snap32 code, this is the "real" protection part): 8.3.) The ludicrous "HIDING" of the magic sum 0137:40437E 83C404 ADD ESP,+04 0137:404381 8B4DE8 MOV ECX,[EBP-18] 0137:404384 8945F0 MOV [EBP-10],EAX ;***HERE!*** 0137:404387 68FF000000 PUSH 000000FF 0137:40438C 8D8574FBFFFF LEA EAX,[EBP+FFFFFB74] ;load string 0137:404392 50 PUSH EAX ;push it 0137:404393 E886410100 CALL 0041851E ;manipulate 0137:404398 8D8574FBFFFF LEA EAX,[EBP+FFFFFB74] ;load string 0137:40439E 50 PUSH EAX ;push it 0137:40439F E88C210300 CALL 00436530 ;manipulate As you can see, the protection is very simple: The "magic" sum is hidden only two lines before the further manipulations of the input string. We have found location 137:404384, here, in the CORRECT way, through bprring of the string that has been manipulated in the GDI, but actually, we could have found it quickly just checking superficially what's happening "around" all manipulations of the input string. Do we really need to follow all manipulations of our registration_number and eventually also all manipulation of our username? NO, not at all: we just set a BPR on the stack location where protection hides the sum [EBP-10] and we'll see what happens: 90% of these protections just create two sums, a sum from your username and a sum from your registration_number... somewhere there will be a compare that must use this location (or a copy of it... we'll see). 8.4.) COMPARING THE MAGICS FROM THE TWO INPUT STRING Breakpoint on memory range on the sum location [EBP-10] that you saw in the previous code and you'll land at this piece of code: 0137:404412 E82F050000 CALL 00404946 0137:404417 83C40C ADD ESP,+0C 0137:40441A 3B45F0 CMP EAX,[EBP-10] ;comp AX & magicsum 0137:40441D 740F JZ 0040442E 0137:40441F 68C0874400 PUSH 004487C0 0137:404424 E8149E0000 CALL 0040E23D 0137:404429 83C404 ADD ESP,+04 0137:40442C EB5B JMP 00404489 0137:40442E 893DA0714400 MOV [004471A0],EDI 0137:404434 85FF TEST EDI,EDI That's it, you have made it! We found the compare between the "username" magic number (for my "+ORC+ORC" string that's here 0x7C25621B) in AX (we do not need to know how this landed there... it's irrelevant!) and the "license_number" '12121212' (whose magic is here 0x00B8F47C) stored in [pointer-10.] How do we find now the correct INPUT number for +ORC+ORC? Well, it's easy... the "magic number" must be the same... therefore: Cracked=Dec(0x7C25621B) Cracked=2082824731 That was it. Old Snap32 has been cracked. You could now prepare a crack in order to distribute this program around without its simple protection. Good cracked applications should be given free (i.e. cracked) to all the people that NEED them and do not have the money to buy them. Don't forget that in this intolerable society the 0,5% of the citizens own the 56% of the industrial capital and the 63% of the propaganda machines (data from US researchers... therefore suspect... the real situation is probably even worser) effectively conditioning the destiny of millions of slaves, moronized by television watching. So crack the applications and give them to the people you care and the peolple that need them, but for the others... just EXPLAIN everybody how you did it... this is real help: giving knowledge, not wares. DO NOT use my handle and my codes to crack this program, get yours, I gave you mine only as an help for this cracking lesson. I have showed you the way enough... THIEFS, not crackers, use the codes that others have found. You are (gonna be) CRACKERS! Remember it, look straight ahead, crack accurately and keep your tommy in. HOW TO SEARCH THE INTERNET FOR FILES WITHOUT MOVING A FINGER It's amazing: most of the people roaming around inside Internet DO NOT know how to use effectively the web. I'll be very altruistic and explain how to fetch the very example of Snap32, the babe we cracked in this lesson. 1) Choose an archie from this list (I will not explain you what an archie is, you should know it... if you do not, be ashamed): archie.univie.ac.at 131.130.1.23 Austria archie.belnet.be 193.190.248.18 Belgium archie.funet.fi 128.214.6.102 Finland archie.univ-rennes1.fr 129.20.254.2 France archie.th-darmstadt.de 130.83.22.1 Germany archie.ac.il 132.65.16.8 Israel archie.unipi.it 131.114.21.10 Italy archie.uninett.no 128.39.2.20 Norway 2) Email a message to your archie: To: archie.univie.ac.at (for instance) Subject: (nothing on this field) Body: set search sub (substrings too) set maxhits 140 (max 140 hits) set maxhitspm 9 (not the same file all over) find snap32 (we want this) 3) After a while you'll get (per email) your answer: Here the answer from the Austrian archie Host ftp.wu-wien.ac.at (137.208.8.6) Last updated 17:48 9 Aug 1995 Location: /pub/systems/windows.32/misc FILE -rw-r----- 128957 bytes 15:59 16 Jun 1995 snap32.zip Host space.mit.edu (18.75.0.10) Last updated 00:45 4 Mar 1996 Location: /pub/mydir FILE -rw-r--r-- 407040 bytes 11:55 28 Nov 1995 snap32.exe 4) ftpmail your file (Browsing is no good: too busy and lame). Again, I will not explain you what an FTPMAIL server is: learn it by yourself... choose a good one from this list (there are many more... you'll learn): bitftp@vm.gmd.de (Germany) ftpmail@ieunet.ie (Ireland) bitftp@plearn.edu.pl (Poland) ftpmail@ftp.sun.ac.za (South Africa) ftpmail@ftp.sunet.se (Sweden) ftpmail@ftp.luth.se (Sweden) ftpmail@src.doc.ic.ac.uk (United Kingdom) To: ftpmail@ftp.sun.ac.za. (for instance) Subject: (leave blank) Body: open space.mit.edu (the last occurrence that the archie sent) cd/pub/mydir (get the correct subdir) bin (prepare for BINARY) get snap32.exe (I want this) quit (bye) 5) Your FTPMAIL server will first notice you a receipt: FTP EMAIL response... ftpmail has received the following job from you: reply-to +ORC open space.mit.edu +ORC@now.here get snap32.exe ftpmail has queued your job as: 1834131821.5514 Your priority is 1 (0 = highest, 9 = lowest) Requests to sunsite.doc.ic.ac.uk will be done before other jobs. There are 14 jobs ahead of this one in the queue. 4 ftpmail handlers available. To remove send a message to ftpmail containing just: delete 1834131821.5514 After a while you'll get a second message, with your file uuencoded inside... everything has been done. YESSIR! there is absolutely no need to loose time on the WWW, "surfing" idiotically from a junk site to the next or waiting hours to download some slow file from an instable server! Wasting time of your own LIFE, that you could use to read poetry, to make love, to look at the stars, to sail slowly between the Aegean islands or to start a nice cracking session. What's the point of wasting your time when machines can perform all the searches you need better, more productively and faster than you ever could... YESSIR! You can get *everything* on the Web, and without paying your Internet provider more than a couple of dimes... Nice, isn't it? By now, if you have followed all my lessons, you should be able to crack relatively quickly "normal" applications. There are some new projects for 1997: a cracking "university", that will allow us to prepare for the divine war against Microsoft repulsive dominion. If you do not have already chosen your handle (your "cracker" name, that's it), you may consider choosing an handle with a "+" somewhere inside it or, eventually, add a "+" to your handle. This sign is used by me and by friends that have studied and/or contributed. But a "+" in your handle ("official +ORC cracker") will mean even more: 1) allows support from me personally (on a "do ut des" basis) 2) allows pupils to identify each other (good for joining forces) 3) will open you (eventually) the doors to the "higher" cracking university I'll set up on the Web in 1997. (I'm not getting megalomaniac... In reality I only need a "quick" method to know on which (anonymous) people I can count on for the next phase). Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- Lesson A.1: Advanced Cracking: Internet Cracking (Unix) --------------------------------------------------------------------------- -------------> INTERNET CRACKING: FIREWALLS With each new company that connects to the "Information Superhighway" new frontiers are created for crackers to explore. Site administrators (Siteads) have implemented various security measures to protect their internal networks. One of these is xinetd, covered later. A more general solution is to construct a guarded gateway, called a [Firewall], that sits between a site's internal network and the wild and woolly Internet where we roam. In fact only one third of all Internet connected machines are already behind firewalls. Most information services have to deal with the same problem we have: getting OUT through a local firewall or GETTING INTO a service through their Firewall. There lays also the crack_solution. ------------> What is a Firewall? The main purpose of a Firewall is to prevent unauthorized access between networks. Generally this means protecting a site's inner network from the Internet. If a site has a firewall, decisions have been made as to what is allowed and disallowed across the firewall. These decisions are always different and always incomplete, given the multiplicity of Internet, there are always loopholes where a cracker can capitalize on. A firewall basically works by examining the IP packets that travel between the server and the client. This provides a way to control the information flow for each service by IP address, by port and in each direction. A firewall embodies a "stance". The stance of a firewall describes the trade-off between security and ease-of-use. A stance of the form "that which is not expressly permitted is prohibited" requires that each new service be enabled individually and is seldom used, coz very slow and annoying. Conversely, the stance "that which is not expressly prohibited is permitted" has traded a level of security for convenience. It will be useful to guess the stance of the firewall you are cracking when making probe decisions. A firewall has some general responsibilities: * First and foremost if a particular action is not allowed by the policy of the site, the firewall must make sure that all attempts to perform the action will fail. * The firewall should log suspicious events * The firewall should alert internal administration of all cracking attempts * Some firewall provide usage statistics as well. ------------> Types of Firewall In order to avoid head-scratching, it's a good idea to know the TOPOLOGY of "your" firewall -and its limitations- before attempting to get through it. Discussed below are two popular firewall topologies. Although other types exist, the two below represent the basic forms; most other firewalls employ the same concepts and thus have -luckily- the same limitations. 1) THE DUAL-HOMED GATEWAY A dual-homed Gateway is a firewall composed of a single system with at least two network interfaces. This system is normally configured such that packets are not directly routed from one network (the Internet) to the other (the internal net you want to crack). Machines on the Internet can talk to the gateway, as can machines on the internal network, but direct traffic between nets is blocked. In discussing firewalls, it's generally accepted that you should think of the inner network as a medieval castle. The "bastions" of a castle are the critical points where defence is concentrated. In a dual-homed gateway topology, the dual-homed host itself is called the [BASTION HOST]. The main disadvantage of a dual-homed gateway, from the viewpoints of the users of the network and us crackers alike, is the fact that it blocks direct IP traffic in both directions. Any programs running on the inner network that require a routed path to external machines will not function in this environment. The services on the internal network don't have a routed path to the clients outside. To resolve these difficulties, dual-homed gateways run programs called [PROXIES] to forward application packets between nets. A proxy controls the conversation between client and server processes in a firewalled environment. Rather than communicating directly, the client and the server both talk to the proxy, which is usually running on the bastion host itself. Normally the proxy is transparent to the users. A proxy on the bastion host does not just allow free rein for certain services. Most proxy software can be configured to allow or deny forwarding based on source or destination addresses or ports. Proxies may also require authentication of the requester using encryption- or password-based systems. The use of proxy software on the bastion host means that the firewall administrator has to provide replacements for the standard networking clients, a nightmare in heterogeneous environments (sites with many different operating systems platforms, PC, Sun, IBM, DEC, HP...) and a great burden for administrator and users alike. 2) THE SCREENED HOST GATEWAY A screened host gateway is a firewall consisting of at least one router and a bastion host with a single network interface. The router is typically configured to block (screen) all traffic to the internal net such that the bastion host is the only machine that can be reached from the outside. Unlike the dual- homed gateway, a screened host gateway does not necessarily force all traffic through the bastion host; through configuration of the screening router, it's possible to open "holes" in the firewall to the other machines on the internal net you want to get into. The bastion host in a screened host firewall is protected from the outside net by the screening router. The router is generally configured to only allow traffic FROM SPECIFIC PORTS on the bastion host. Further, it may allow that traffic only FROM SPECIFIC EXTERNAL HOSTS. For example the router may allow Usenet news traffic to reach the bastion host ONLY if the traffic originated from the site's news provider. This filtering can be easily cracked: it is relying on the IP address of a remote machine, which can be forged. Most sites configure their router such that any connection (or a set of allowed connections) initiated from the inside net is allowed to pass. This is done by examining the SYN and ACK bits of TCP packets. The "start of connection" packet will have both bits set. If this packets source address is internal... or seems to be internal :=) the packet is allowed to pass. This allows users on the internal net to communicate with the internet without a proxy service. As mentioned, this design also allows "holes" to be opened in the firewall for machines on the internal net. In this case you can crack not only the bastion host, but also the inner machine offering the service. Mostly this or these machine/s will be far less secure than the bastion host. New services, for instance recent WEB services, contain a lot of back doors and bugs, that you'll find in the appropriate usenet discussion groups, and that you could use at freedom to crack inner machines with firewall holes. Sendmail is a good example of how you could crack in this way, read the whole related history... very instructive. The rule of thumb is "big is good": the bigger the software package, the more chance that we can find some security related bugs... and all packages are huge nowadays, 'coz the lazy bunch of programmers uses overbloated, buggy and fatty languages like Visual Basic or Delphy! Finally, remember that the logs are 'mostly) not on the bastion host! Most administrators collect them on an internal machine not accessible from the Internet. An automated process scan the logs regularly and reports suspicious information. 3) OTHER FIREWALL TOPOLOGIES The dual-homed gateway and the screened host are probably the most popular, but by no mean the only firewall topologies. Other configurations include the simple screening router (no bastion host), the screened subnet (two screening routers and a bastion host) as well as many commercial vendor solutions. ------------> Which software should we study? Three popular unix software solutions allow clients inside a firewall to communicate with server outside: CERN Web server in proxy mode, SOCKS and the TIS Firewall toolkit. 1) The CERN Web server handles not only HTTP but also the other protocols that Web clients use and makes the remote connections, passing the information back to the client transparently. X-based Mosaic can be configured for proxy mode simply by setting a few environment variables. 2) The SOCKS package (available free for anonymous ftp from ftp.nec.com in the file /pub/security/socks.cstc/socks.cstc.4.2.tar.gz includes a proxy server that runs on the bastion host of a firewall. The package includes replacements for standard IP socket calls such as connect(), getsockname(), bind(), accept(), listen() and select(). In the package there is a library which can be used to SOCKSify your crack probes. 3) The Firewall Toolkit The toolkit contains many useful tools for cracking firewall and proxy server. netacl can be used in inetd.conf to conceal incoming requests against an access table before spawning ftpd, httpd or other inetd-capable daemons. Mail will be stored in a chroot()ed area of the bastion for processing (mostly by sendmail). The Firewall toolkit is available for free, in anonymous ftp from ftp.tis.com in the file /pub/firewalls/toolkit/fwtk.tar.Z The popular PC firewall solution is the "PC Socks Pack", for MS- Windows, available from ftp.nec.com It includes a winsock.dll file. The cracking attempts should concentrate on ftpd, normally located on the bastion host. It's a huge application, necessary to allow anonymous ftp on and from the inner net, and full of bugs and back doors. Normally, on the bastion host, ftpd is located in a chroot()ed area and runs as nonprivileged user. If the protection is run from an internal machine (as opposing the bastion host), you could take advantage of the special inner-net privileges in hostp.equiv or .rhosts. If the internal machine "trusts" the server machine, you'll be in pretty easily. Another good method, that really works, is to locate your PC physically somewhere along the route between network and archie server and "spoof" the firewall into believing that you are the archie server. You'll need the help of a fellow hacker for this, though. Remember that if you gain supervisor privileges on a machine you can send packets from port 20, and that in a screened host environment, unless FTP is being used in proxy mode, the access filters allow often connections from any external host if the source port is 20 and the destination port is greater than 1023! remember that NCSA Mosaic uses several protocols, each on a different port, and that -if on the firewall no proxy Web server is operating- each protocol must be dealt with individually, what lazy administrators seldom do. Be careful for TRAPS: networking clients like telnet and ftp are often viciously replaced with programs that APPEAR to execute like their namesake, but actually email an administrator. A fellow cracker was almost intercepted, once, by a command that simulated network delays and spat out random error messages in order to keep me interested long enough to catch me. Read the (fictions) horror story from Bill Cheswick: "An evening with Berferd in which a cracked is lured, endured and studied", available from ftp.research.att.com in /dist/internet_security/berferd.ps As usual, all kind of traps can be located and uncovered by correct zen-cracking: you must *FEEL* that some code (or that some software behaviour) is not "genuine". Hope you believe me and learn it before attempting this kind of cracks. ------------> How do I crack Firewalls? Some suggestions have been given above, but teaching you how to crack firewalls would take at least six complete tutorial lessons for a relatively unimportant cracking sector, and you would almost surely get snatched immediately, 'coz you would believe you can crack it without knowing nothing at all. So, for your sake, I'll teach you HOW TO LEARN IT, not HOW TO DO IT (quite a fascinating difference): First Text, then the software above. For text, start with Marcus Ranum's paper "Thinking about Firewalls", available from ftp.tis.com in the file/pub/firewalls/firewalls.ps.Z and do an archie search for newer literature. Join the firewall discussion list sending a message to majordomo@greatcircle.com, you'll get a message with instructions, as usual, lurk only... never show yourself to the others. You can find for free on the web quite a lot of early versions of proxy software. Study it, study it and then study it again. The cracking efforts on your copies, and your machines, before attempting anything serious, are MANDATORY if you do not want to be immediately busted on the Internet. When you feel ready to try serious cracking, you must OBLIGATORY start with a small BBS which uses a firewall version you already studied very well (sysops are not firewall administrators, and many of them do not know nothing about the software they use). As soon as you gain access to the bastion host, remember to subvert entirely the firewall itself before entering the inner net. If you feel ready and everything went well so far, if your zen- cracking abilities are working well... then take a moment for yourself... prepare yourself a good Martini-Wodka (you should only use Moskovskaia), take a deep breath and by all means go ahead! You will then be able to try your luck on the Cyberspace and get quickly busted (if you did not follow my admonitions and if you cannot zen-crack) or, may be, fish quite a lot of jewels... :=) -------------> INTERNET CRACKING: XINETD [Xinetd] a freely available enhanced replacement for the internet service daemon inetd, allows just those particular users to have FTP or Telnet access, without opening up access to the world. Xinetd can only protect the system from intrusion by controlling INITIAL access to most system services and by logging activities so that you can detect break-in attempts. However, once a connection has been allowed to a service, xinetd is out of the picture. It cannot protect against a server program that has security problems internally. For example, the finger server had a bug several years ago that allowed a particularly clever person to overwrite part of its memory. This was used to gain access to many systems. Even placing finger under the control of xinetd wouldn't have helped. Think of the secured firewall system as a fortress wall: each service that is enabled for incoming connections can be viewed as a door or window in the walls. Not all these doors have secure and reliable locks. The more openings are available, the more opportunities are open for us. -------------> What xinetd does Xinetd listens to all enabled service ports and permits only those incoming connection request that meet authorization criteria. - Accept connections from only certain IP addresses - Accept connections only from authorized users - Reject connections outside of aithorized hours - Log selected service when connections are accepted or rejected, capturing following informations: * Remote Host Address * User ID of remote user (in some cases) * Entry and Exit time * Terminal type Support login, shell, exec and finger -------------> SERVICES TO CRACK & UNWITTING INSIDE COMPLICES In this order the easy services: FTP TELNET LOGIN (rlogin) SHELL (rcmd) EXEC In this order the more difficult ones: MOUNT TFT FINGER NFS(Network File System) DNS(Domain Name Service) Remember that sendmail (SMTP), by default, accepts a message from any incoming connection. The "sender" of such a message can appear to have originated anywhere, therefore your claim of identity will be accepted! Thus you can forge a message's originator. Most of the recipients inside the protected (firewalled) net will take your claim at face value and send you (to the "return address" you provide) all the sensitive information you need to crack the system. Finding unwitting inside complices is most of the time pretty easy. By far the best method, for entering xinetd, is to get the real version from panos@cs.colorado.edu, modify the system files in order to have some backdoors, and then distribute them to the mirror servers on the WEB. Each time a new administrator will download "your" version of xinetd, you'll have an easy access to the "protected" system. On the Nets, it's important to conceal your identity (they will find you out pretty quickly if you do not). The best method is to obtain the IP address of a legitimate workstation during normal hours. Then, late at night, when the workstation is known to be powered-off or disconnected from a dialup PPP link, a different node on the network can be configured to use the counterfeit IP address. To everyone on the network, it will appear that the "legitimate" user is active. If you follow this strategy, you may want to crack somehow more negligently... the search for the cracker will go on -later- in the false confidence that a sloppy novice (the legitimate user) is at work, this will muddle the waters a little more. Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- LESSON C (1) - How to crack, Cracking as an art --------------------------------------------------------------------------- [BARCODES] [INSTANT ACCESS] -------------------------------------- [BARCODES] First of all, let me stress the importance of cracking in our everyday life. Cracking it's not just about software, it's about information, about all patterns of life. To crack is to refuse to be controlled and used by others, to crack is to be free. But you must also be yourself free from petty conventions in order to crack properly. You must learn to discerne cracking possibilities all around yourself, and believe me, the development of this ghastly society brings every day new codes, protections and concealing mechanismes. All around us grows a world of codes and secret and not so secret patterns. Codes that are at times so familiar and common that we do not even notice them any more... and yet they are there to fool us, and yet they offer marvellous cracking possibilities. Let's take as an striking example BARCODES... those little lines that you see on any book you buy, on any bottle you get, on any item around you... do you know how they work? If you do not you may be excused, but you cannot be excused if you never had the impulse to understand them... crackers are curious by nature... heirs of an almost extinct race of researchers that has nothing in common with the television slaves and the publicity and trend zombies around us. Cracker should always be capable of going beyond the obvious, seek knowledge where others do not see and do not venture. [BARCODE HISTORY] Let's begin with a little history. Universal Product Code (UPC) was adopted for commercial use by the grocery industry in the USA. Among the advantages were a rapid, accurate and reliable way of entering stock information into a computer and the possibility to sack a lot of workers and to do more profit. The early success led to the development of the European Article Numbering System (EAN), a symbology similar to UPC, that is widely used in Europe and in the rest of the World. I'll teach you to crack this one, since I do not -fortunately- live in the States. Keep in mind, anyway, that there are different barcode symbologies, each with its own particular pattern of bars. The UPC/EAN code used on retail products is an all-numeric code; so is the Interleaved 2 of 5 Code. Code 39 includes upper case letters, digits, and a few symbols. Code 128 includes every printable and unprintable ASCII character code. The most new one is a 2-D code. These are special rectangular codes, called stacked barcodes or matrix codes. They can store considerably more information than a standard barcode. They require special readers which cost more than a standard scanner. The practical limit for a standard barcode depends on a number of factors, but 20 to 25 characters is an approximate maximum. For applications that need more data, matrix codes are used. For example, the next time you receive a package from United Parcel Service look for a small square label with a pattern of dots and a small bullseye in the centre. This is a MaxiCode label, and it is used by UPS for automatic destination sortition. The manufacturer's ID number on the barcode uniquely identifies products. These numbers are managed by the Uniform Code Council in Dayton, Ohio for the States and Canada and by the EAN authority (Internationale Article Numbering Association) in Bruxelles, for Europe and the rest of the World. The manufacturer's ID number accounts for some digits of the code, which leaves other digits to be assigned in any way the producer wants. He provides retail outlets with a list of his products and their assigned codes so that they can be entered in the cash register system. Many codes are NOT on the products and are added by the supermarkets on the fly, using an internal code schema that may be non standard. Now it's enough... let's crack. BARCODES are the only thing an automated casher needs to see on a product to calculate its price and automatically catalogate the sold merchandise... imagine (just imagine it :=) coz it would be extremely illegal to act in this way) somebody would fasten an adhesive home-made codebar label direct on the top of the supermarket/mall/retail store label, say on a bottle of Pomerol (that's a very good but unfortunately very expensive french wine). The new label would mean for the casher something like "cheap wine from Bordeaux, France, cost so and so, everything it's OK, do not worry"... do you think that anybody would come to the idea that there is something wrong with the label, with the bottle or with you? I have been codebaring for years and had only once a problem, coz my printer was running out of ink and the scanner in the supermarket could not read it... so what? Act uninterested, always wear jackets of the utmost quality, shetland pullovers and beautiful expensive shoes... (all articles that you may codebar too, by the way), in this society appearance and look count much more than substance and knowledge... LET'S USE THIS TO OUR ADVANTAGE! Nobody will ever come to the idea that you may actually really know the working of the scheme... coz codebar is pretty complicated and not exactly exceptionally public. On the Web there are a lot information about it, but most of them are useless, unless you know how to search most of the time you'll find only sentences like this one: "The calculated check digit is the twelfth and final digit in the U.P.C.code. It is calculated based on a specific algorithm, and is necessary to ensure that the number is read or key-entered correctly." But good +ORC will now explain you everything you need to crack: [THE 13 BAR "CODES"] Each barcode label has 13 values, from #0 to #12 (that's the EAN code, the UPC american one has only 12, from #0 to #11). #0 and #1 indicate the origin of the product. #2 to #11 give the article code #12 (the last and 13th one) is a checksum value, that verifies the validity of all the other numbers. How is it calculated? #12 is calculated in 4 steps VALUE A: You sum odd position numbers (#0+#2+#4+#6+#8+#10) VALUE B: You sum even position numbers and multiply by 3 ((#1+#3+#5+#7+#9+#11)*3) VALUE C: You sum value A and value B VALUE D: You mod value C (you divide by 10 and only keep the remaining units, a very widespread checking scheme as you'll see in the software part of this lesson) If the result is not zero, you subtract it from 10. Now look at a barcode label, get some books or other barcoded items and *watch* it... Bar codes are supposed to have "quiet zones" on either side of the symbol. Quiet zones are blank areas, free of any printing or marks,typically 10 times the width of the narrowest bar or space in the bar code. Failure to allow adequate space on either side of the symbol for quiet zones can make it impossible to read the bar code. On the barcode there are two "borders", left and right, and a "middle" longer line. These three lines are longer than the others and are used to "regulate" the scanner to whatever dimension has been used for the barcode. #0 dwells left of the first (left) border and has a special meaning, the other 12 numbers are written "inside" the code and are divided in two "groups" by the middle bar. Each value is coded through SEVEN bars: black=1 and White=0. These form two couples of "optic" bars of different widths. We come now to the "magic" part: In order to bluff the simpletons, barcode uses three different SETS of characters to represent the values 0-9. This should make it impossible for you to understand what's going on, as usual, in this society, slaves should not need to worry with the real functioning of things. Here are the graphic codes of the three graphic sets: CODE A CODE B (XOR C) CODE C (NOT A) 0: 0001101 (13) 0100111 (39) 1110010 (114) 1: 0011001 (25) 0110011 (51) 1100110 (102) 2: 0010011 (19) 0011011 (27) 1101100 (108) 3: 0111101 (61) 0100001 (33) 1000010 (066) 4: 0100011 (35) 0011101 (29) 1011100 (092) 5: 0110001 (49) 0111001 (57) 1001110 (078) 6: 0101111 (47) 0000101 (05) 1010000 (080) 7: 0111011 (59) 0010001 (17) 1000100 (068) 8: 0110111 (55) 0001001 (09) 1001000 (072) 9: 0001011 (11) 0010111 (23) 1110100 (116) Borders: 101 Centre: 01010 - The C graphic set is a "NOT A" graphic set. - The B graphic set is a "XOR C" graphic set. - each value has two couples of bars with different widths Now watch some labels yourself... see the difference between the numbers left and the numbers right? The first "half" of the barcode is coded using sets A and B, the second "half" using set C. As if that were not enough, A and B are used inside the first "half" in a combination that varies and depends from value #0, following 10 different patterns: #1 #2 #3 #4 #5 #6 0 A A A A A A 1 A A B A B B 2 A A B B A B 3 A A B B B A 4 A B A A B B 5 A B B A A B 6 A B B B A A 7 A B A B A B 8 A B A B B A 9 A B B A B A "Ah! Stupid buyer will never understand why the same values gives different bars! Nothing is as reliable as barcodes!" :=) Let's take as example the codebar for Martini Dry: BARCODE: 8 0 00570 00425 7 Let's see: we have a 8 0 0 = booze Then a 000570 as ABABBA and a 004257 as C "Even" sum: 8+0+5+0+0+2 = 15 (even sum) Then a 0+0+7+0+4+5= 16 and 16 *3 = 48 (odd sum) Then a 15+48=63 63 === 3 10 - 3 = 7 = checksum Pattern = 8 = ABABBA CCCCCC OK, one more example: Osborne Windows programming series Volume 2 General purpose API functions (always here on my table)... BARCODE: 9 7 80078 81991 9 Let's see: we have a 9 7 8 = book Then a 780078 as ABBABA and a 819919 as C "Even" sum: 9+8+5+8+8+4 = 42 (even sum) Then a 7+1+5+2+4+4= 23 and 23 * 3 = 69 (odd sum) Then a 42+69=111 111 === 1 10 - 1 = 9 = checksum Pattern = 9 = ABBABA Well... what's the point of all this? The point, my pupils, is that who DOES NOT KNOW is taken along on a boat ride, who KNOWS and LEARNS can use his knowledge in order to try to beat blue and black the loathsome consumistic oligarchy where we are compelled to live. Try it out for yourself... if you crack correctly and wisely your supermarket, mall and library bills will be cut to almost zero. Write a small program to print whichever codebar you fancy (or whichever your mall uses) in whichever size on whichever sort of label you (or better your targets) fancy... it's quickly done with Visualbasic or Delphy... but you'll not find much on the Web Alternatively you could also write, as I did long ago, a short c program in dos, using a modified upper char set... and there you are, have labels... see the world. A small word of caution... crack only ONE item at time and try it out first with the SAME label for the same product... i.e. the correct code for that item, but on your own label. If it goes through your program works good, if not, nobody will ever be able to harm you. Anyway it never happens anything, never: the bar code reading equipments have great tolerance, coz the scanners must be able to recognize barcodes that have been printed on many different medias. You should choose labels similar to the ones effectively used only in order not to arise human suspects, coz for all the scanner itself cares, your label could be pink with green stripes and with orange hand-written, numbers. Mind you, we are still just academically imagining hypothetical situations, coz it would be extremely illegal to act in such an inconsiderate manner. CRACKING POWER! It's true for barcodes, for Telecom bills, for Compuserve accounts, for Amexco cards, for banking cheques (do you know what MICR is? Magnetic Ink Character Recognition... the stylized little printing on the lower left of new cheques... there is a whole cracking school working on it), for registration numbers... you name it, they develope it, we crack it... Begin with barcodes: it's easy, nice and pretty useful! Live in opulence, with the dignity and affluence that should always distinguish real crackers. Besides... you should see the assortment of 'Pomerols' in my "Cave-a-vin" :=) [INSTANT ACCESS] The (c) Instant access routines are a commercial protection scheme used to "unlock" complete commercial applications that have been encrypted on CD- ROMs which are distributed (mostly) through reviews. This is an ideal cracking target: it's commercial software, complete, uncrippled and of (relatively) prominent quality, that you can get in tons for the price of a coke. Obviously this kind of protection represents an ideal subject for our lessons. This fairly intricate protection scheme has not yet been cracked by anybody that I am aware of, anyway not publicly, therefore it's an ideal candidate for a "strainer" to my university. I'll teach you here how to crack it in three lessons, C.1, C.2 and C.3. I warn you... it's a difficult cracking session, and this protection represents quite an intellectual challenge. But if you are seriously interested in our trade you will enjoy these lessons more than anything else. This cracking is intended as an "assignment" for my +HCU "cracking university": you'll find inside lessons C.1 and C.2 a relatively deep "introduction" to Instant access cracking. This will teach you a lot anyway, and spare you hours of useless roaming around, bringing you straight to the cracking point. But I'll release the third part of this session, with the complete solution (lesson C.3) on the Web only in october 1996, not a day before. All the students that would like to apply to the Higher Cracking University, opening on the web 01/01/1997, should work in July, August and September (three months is more than enough time) on this assignment. They should crack completely the instant access scheme and send me their solutions, with a good documentation of their cracking sessions, before 30/09/1996 (WATCH IT! You can crack this scheme in -at least- three different paths, be careful and choose the *best* one. WATCH IT! Some of the informations) in lesson C.1 and C.2 are slightly incorrect: check it!). There are four possibilities: 1) The candidate has not found the crack or his solution is not enough documented or not enough viable... the candidate is therefore not (yet) crack-able, he will not be admitted to the +HCU 1997 curses, better luck in 1998; 2) The cracking solution proposed by the candidate is not as good as mine (you'll judge for yourself in october) but it works nevertheless... he'll be admitted at the 1997 courses; 3) The cracking solution of the candidate is more or less equal to mine, he'll be admitted, personally monitored, and he'll get all the material he needs to crack on higher paths; 4) The cracking solution of the candidate is better than mine, he'll be admitted, get all the material he wishes and asked to teach us as well as study with us: "homines, dum docent, discunt". [Cracking Instant access] The user that wants to "unlock" a software application protected with (c) Instant Access must enter first of all a REGISTRATION number string, which through a series of mathematical manipulations gives birth to a special "product" code. On the basis of this "product code" the user is asked to phone the commercial protectors (and pay) in order to get a special "unlock code" that will allow him to decrypt the relevant software. This kind of "passnumber" protection routines are widely used for software unlocking, BBS access, server access, backdoor opening and many other protection schemes. We have already seen password cracks in different lessons of this tutorial (in particular Lessons 3.1 and 3.2 for DOS and Lessons 8.1, 8.2 and 9.1 for WIN) albeit on a more simplistic scale: there it did mostly not matter very much *HOW* you passed the protection: once passed, you could have access to the application. This is not the case with (c) Instant Access. Face it: it's a little boring, but important that you learn how to defeat intricate protection routines (you'll meet them often in the next years) and I believe that the following example will give you a "feeling" for the right cracking approach. In this case we must not only "crack" this protection scheme but also study it thoroughly in order to achieve our blessed aims. This is a very good exercise: reverse disassembling will teach you a lot of little tricks that you'll be able to use in your other future cracking sessions. Instant access (c) is a exceptionally widespread protection scheme, and it should be relatively easy for you to gather some encrypted software that has been protected with this method... *DO IT QUICKLY!!* After the Web publishing of this lessons (I am sending C.1 to 8 pages and 4 usenet groups on 25/06/1996) this protection is obviously as dead as a Dodo. The "Accessors" guys will have to conceive something smarter if they want to keep selling "protections" to the lamer producers of "big" software. BTW, if you are reading this and are working for some commercial "protection" company, consider the possibility to double cross your masters! Deliver me anonymously all the future projects you are working on! That will amuse me, speed up the advent of a true altruistic society and earn you the respect of the better part of humanity. As I said, many "huge" application are still protected with this "Instant access" system. I have personally bought at least 7 or 8 "second hand" CD-ROMs packed full with Microsoft, Lotus, Norton, Symantec, you name it, applications all "protected" through this crap. The cost of this bunch of CD-ROMs was the equivalent of a bottle of Dry Martini, maybe less. The same software is sold, unlocked, to zombies and lusers for ludicrous amounts of money. Never buy CD-ROMs magazines when they appear! Be cool! Buy them two or three months after the publishing date! Buy "remainders" or "second hand" CD-ROM magazines "at kilo price"... Come to think of it, never buy *anything* when it appears or when some (paid) advertiser tells you to... remember that "trends", "vogues", "fashions" and "modes" are only different names for the whips that drill and chain the dull-witted slaves of this loathsome society: "clever crackers consider cool, crack cheap, cheat customary culture" (a rhetorical figure: an "Alliteration". To defend yourself learn rhetoric... it's a more powerful and more useful weapon than Kung-fu). The "triple" password protection routine in (c) Instant Access is very interesting from a cracker point of view. It's a relatively complex scheme: I'll teach you to crack it in two phases: First of all you must find the "allowed" registration code, the one that "ignites" the "product code". We must crack and understand this re_code first if we want to crack the rest. Just for the records, I am cracking here (c) Action Instant access version 1.0 (CD-ROM found on a old copy of "Personal Computer World" of August 1994, packed full with encrypted Lotus, Symantec, Claris and Wordperfect applications. Just to be sure I crosschecked my results with another CD-ROM which also has applications protected with (c) Instant Access: Paragon Publishing's PC OFFICE: the protection scheme remains the same). I am focusing for this lesson on the cracking of the specific protection for the encrypted Symantec's Norton Utilities v.8.0. Please refer to the previous lessons for the basic techniques used in order to find the protection routine inside our babe... for "low" cracking purposes you -basically- type a number (in this case, where the input gets 10 numbers, we'll use "1212-1212-12"), do your search inside the memory (s 30:0 lffffffff "your_string") and then set memory breakpoints on all the relevant memory locations till winice pops (I know, I know, buddies... there are more effective ways... but hold your mouth: for now we'll keep them among us: let's make things a little harder for the protectionists who read this... Besides: the old approach works here flawlessly). After getting the Registration window on screen the Winice standard procedure is: :task ; how :heap IABROWSE ; where & what :hwnd IABROWSE ; get the Winhandle :bpx [winhandle] WM_GETTEXT ; pinpoint code :bpx GetProcAddress ; in case of funny routines :dex 0 ds:dx ; let's see their name :gdt ; sniff the selectors :s 30:0 lffffffff "Your_input_string" ; search in 4 giga data :bpr [all memory ranges for your string that are above 80000000] and so on. (continued in lesson C.2) Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) with some tricks of the trade I may not know that YOU discovered. Mostly I'll actually know them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you rediscovered them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi HOW TO CRACK, by +ORC, A TUTORIAL --------------------------------------------------------------------------- LESSON C (2) - How to crack, Cracking as an art --------------------------------------------------------------------------- [INSTANT ACCESS] -------------------------------------- cracking Instant Access (2) - strainer for the +HCU [SEE LESSON C.1 for the first part of this cracking session] Here follow the relevant protection routines for the first (The "Registration") number_code of Instant Access, with my comments: you have to investigate a little the following code. Later, when you'll crack on your own, try to recognize the many routines that fiddle with input BEFORE the relevant (real protection) one. In this case, for instance, a routine checks the correctness of the numbers of your input: This_loop_checks_that_numbers_are_numbers: 1B0F:2B00 C45E06 LES BX,[BP+06] ; set/reset pointer 1B0F:2B03 03DF ADD BX,DI 1B0F:2B05 268A07 MOV AL,ES:[BX] ; get number 1B0F:2B08 8846FD MOV [BP-03],AL ; store 1B0F:2B0B 807EFD30 CMP BYTE PTR [BP-03],30 1B0F:2B0F 7C06 JL 2B17 ; less than zero? 1B0F:2B11 807EFD39 CMP BYTE PTR [BP-03],39 1B0F:2B15 7E05 JLE 2B1C ; between 0 & 9? 1B0F:2B17 B80100 MOV AX,0001 ; no, set flag=1 1B0F:2B1A EB02 JMP 2B1E ; keep flag 1B0F:2B1C 33C0 XOR AX,AX ; flag=0 1B0F:2B1E 0BC0 OR AX,AX ; is it zero? 1B0F:2B20 7507 JNZ 2B29 ; flag NO jumps away 1B0F:2B22 8A46FD MOV AL,[BP-03] ; Ok, get number 1B0F:2B25 8842CC MOV [BP+SI-34],AL ; Ok, store number 1B0F:2B28 46 INC SI ; inc storespace 1B0F:2B29 47 INC DI ; inc counter 1B0F:2B2A C45E06 LES BX,[BP+06] ; reset pointer 1B0F:2B2D 03DF ADD BX,DI ; point next number 1B0F:2B2F 26803F00 CMP BYTE PTR ES:[BX],00 ; input end? 1B0F:2B33 75CB JNZ 2B00 ; no:loop next num You now obviously understand that the "real" string is stored inside memory location [BP+SI-34]... set a memory breakpoint on this area to get the next block of code that fiddles with the transformed input. Notice how this routine "normalizes" the input, strips the "-" off and puts the 10 numbers together: user input: 1 2 1 2 1 2 1 2 1 2 End 1E7F:92E2 31 32 31 32 31 32 31 32 31 32 00 45 AF 1F 70 9B Stack ptr: 0 1 2 3 4 5 6 7 8 9 A B C D E F Let's now look at the "real" protection routine: the one that checks these numbers and throw you out if they are not "sound". Please pay attention to the following block of code: check_if_sum_other_9_numbers_=_remainder_of_the_third_number: :4B79 8CD0 MOV AX,SS ; we'll work inside the stack... :4B7B 90 NOP :4B7C 45 INC BP :4B7D 55 PUSH BP ; save real BP :4B7E 8BEC MOV BP,SP ; BP = stackpointer :4B80 1E PUSH DS ; save real Datasegment :4B81 8ED8 MOV DS,AX ; Datasegment = stacksegment :4B83 83EC04 SUB SP,+04 :4B86 C45E06 LES BX,[BP+06] ; BX points input_start :4B89 268A07 MOV AL,ES:[BX] ; load first number :4B8C 98 CBW ; care only for low :4B8D C45E06 LES BX,[BP+06] ; reset pointer :4B90 50 PUSH AX ; save 1st number :4B91 268A4701 MOV AL,ES:[BX+01] ; load 2nd number :4B95 98 CBW ; only low :4B96 8BD0 MOV DX,AX ; 2nd number in DX :4B98 58 POP AX ; get 1st number :4B99 03C2 ADD AX,DX ; sum with second :4B9B C45E06 LES BX,[BP+06] ; reset pointer :4B9E 50 PUSH AX ; save sum :4B9F 268A4707 MOV AL,ES:[BX+07] ; load 8th number :4BA3 98 CBW ; only low :4BA4 8BD0 MOV DX,AX ; 8th number in DX :4BA6 58 POP AX ; old sum is back :4BA7 03C2 ADD AX,DX ; sum 1+2+8 :4BA9 C45E06 LES BX,[BP+06] ; reset pointer :4BAC 50 PUSH AX ; save sum :4BAD 268A4703 MOV AL,ES:[BX+03] ; load 4rd number :4BB1 98 CBW ; only low :4BB2 8BD0 MOV DX,AX ; #4 in DX :4BB4 58 POP AX ; sum is back :4BB5 03C2 ADD AX,DX ; sum 1+2+8+4 :4BB7 C45E06 LES BX,[BP+06] ; reset pointer :4BBA 50 PUSH AX ; save sum :4BBB 268A4704 MOV AL,ES:[BX+04] ; load 5th number :4BBF 98 CBW ; only low :4BC0 8BD0 MOV DX,AX ; #5 in DX :4BC2 58 POP AX ; sum is back :4BC3 03C2 ADD AX,DX ; 1+2+8+4+5 :4BC5 C45E06 LES BX,[BP+06] ; reset pointer :4BC8 50 PUSH AX ; save sum :4BC9 268A4705 MOV AL,ES:[BX+05] ; load 6th number :4BCD 98 CBW ; only low :4BCE 8BD0 MOV DX,AX ; #6 in DX :4BD0 58 POP AX ; sum is back :4BD1 03C2 ADD AX,DX ; 1+2+8+4+5+6 :4BD3 C45E06 LES BX,[BP+06] ; reset pointer :4BD6 50 PUSH AX ; save sum :4BD7 268A4706 MOV AL,ES:[BX+06] ; load 7th number :4BDB 98 CBW ; only low :4BDC 8BD0 MOV DX,AX ; #7 in DX :4BDE 58 POP AX ; sum is back :4BDF 03C2 ADD AX,DX ; 1+2+8+4+5+6+7 :4BE1 C45E06 LES BX,[BP+06] ; reset pointer :4BE4 50 PUSH AX ; save sum :4BE5 268A4708 MOV AL,ES:[BX+08] ; load 9th number :4BE9 98 CBW ; only low :4BEA 8BD0 MOV DX,AX ; #9 in DX :4BEC 58 POP AX ; sum is back :4BED 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9 :4BEF C45E06 LES BX,[BP+06] ; reset pointer :4BF2 50 PUSH AX ; save sum :4BF3 268A4709 MOV AL,ES:[BX+09] ; load 10th # :4BF7 98 CBW ; only low :4BF8 8BD0 MOV DX,AX ; #10 in DX :4BFA 58 POP AX ; sum is back :4BFB 03C2 ADD AX,DX ; 1+2+8+4+5+6+7+9+10 :4BFD 0550FE ADD AX,FE50 ; clean sum to 0-51 :4C00 BB0A00 MOV BX,000A ; BX holds 10 :4C03 99 CWD ; only AL :4C04 F7FB IDIV BX ; remainder in DX :4C06 C45E06 LES BX,[BP+06] ; reset pointer :4C09 268A4702 MOV AL,ES:[BX+02] ; load now # 3 :4C0D 98 CBW ; only low :4C0E 05D0FF ADD AX,FFD0 ; clean # 3 to 0-9 :4C11 3BD0 CMP DX,AX ; remainder = pampered #3? :4C13 7407 JZ 4C1C ; yes, go on good guy :4C15 33D2 XOR DX,DX ; no! beggar off! Zero DX :4C17 33C0 XOR AX,AX ; and FLAG_AX = FALSE :4C19 E91701 JMP 4D33 ; go to EXIT let's_go_on_if_first_check_passed: :4C1C C45E06 LES BX,[BP+06] ; reset pointer :4C1F 268A4701 MOV AL,ES:[BX+01] ; now load #2 anew :4C23 98 CBW ; only low :4C24 05D7FF ADD AX,FFD7 ; pamper adding +3 :4C27 A38D5E MOV [5E8D],AX ; save SEC_+3 :4C2A 3D0900 CMP AX,0009 ; was it < 9? (no A-F) :4C2D 7E05 JLE 4C34 ; ok, no 0xletter :4C2F 832E8D5E0A SUB WORD PTR [5E8D],+0A ; 0-5 if A-F :4C34 C45E06 LES BX,[BP+06] ; reset pointer :4C37 268A07 MOV AL,ES:[BX] ; load 1st input number :4C3A 98 CBW ; only low :4C3B 05C9FF ADD AX,FFC9 ; pamper adding +7 :4C3E A38F5E MOV [5E8F],AX ; save it in FIR_+7 :4C41 0BC0 OR AX,AX ; if #1 > 7 :4C43 7D05 JGE 4C4A ; no need to add 0xA :4C45 83068F5E0A ADD WORD PTR [5E8F],+0A ; FIR_+7 + 0xA now_we_have_the_sliders_let's_prepare_for_loop: :4C4A C45E0E LES BX,[BP+0E] ; Set pointer to E :4C4D 26C747020000 MOV WORD PTR ES:[BX+02],0000 ; 0 flag :4C53 26C7070000 MOV WORD PTR ES:[BX],0000 ; 0 flag :4C58 C706975E0900 MOV WORD PTR [5E97],0009 ; counter=9 :4C5E E99500 JMP 4CF6 ; Jmp check_counter loop_8_times: :4C61 C45E06 LES BX,[BP+06] ; reset pointer :4C64 031E975E ADD BX,[5E97] ; add running counter :4C68 268A07 MOV AL,ES:[BX] ; load # counter+1 :4C6B 98 CBW ; only low :4C6C 50 PUSH AX ; save 10th number :4C6D A18D5E MOV AX,[5E8D] ; ld SEC_+3 down_slider :4C70 BA0A00 MOV DX,000A ; BX holds 0xA :4C73 F7EA IMUL DX ; SEC_+3 * 0xA :4C75 03068F5E ADD AX,[5E8F] ; plus FIR_+7 up_slider :4C79 BAA71E MOV DX,1EA7 ; fixed segment :4C7C 8BD8 MOV BX,AX ; BX = Lkup_val=(SEC_+3*10+FIR_+7) :4C7E 8EC2 MOV ES,DX ; ES = 1EA7 :4C80 268A870000 MOV AL,ES:[BX+0000] ; ld 1EA7:[Lkup_val] :4C85 98 CBW ; only low: KEY_PAR :4C86 8BD0 MOV DX,AX ; save KEY_PAR in DX :4C88 58 POP AX ; repops 10th number :4C89 03C2 ADD AX,DX ; RE_SULT=KEY_PAR+#10 :4C8B 05D0FF ADD AX,FFD0 ; polish RE_SULT :4C8E 99 CWD ; only low: RE_SULT :4C8F 8956FC MOV [BP-04],DX ; save here KEY_PAR [9548] :4C92 8946FA MOV [BP-06],AX ; save here RE_SULT [9546] :4C95 0BD2 OR DX,DX ; KEY_PAR < 0? :4C97 7C0F JL 4CA8 ; yes: KEY_PAR < 0 :4C99 7F05 JG 4CA0 ; no: KEY_PAR > 0 :4C9B 3D0900 CMP AX,0009 ; KEY_PAR = 0 :4C9E 7608 JBE 4CA8 ; no pampering if RE_SULT < 9 :4CA0 836EFA0A SUB WORD PTR [BP-06],+0A ; else pamper :4CA4 835EFC00 SBB WORD PTR [BP-04],+00 ; and SBB [9548] :4CA8 C45E0E LES BX,[BP+0E] ; reset pointer to E :4CAB 268B4F02 MOV CX,ES:[BX+02] ; charge CX [958C] :4CAF 268B1F MOV BX,ES:[BX] ; charge BX slider [958A] :4CB2 33D2 XOR DX,DX ; clear DX to zero :4CB4 B80A00 MOV AX,000A ; 10 in AX :4CB7 9A930D2720 CALL 2027:0D93 ; call following RO_routine This is the only routine called from our protection, inside the loop (therefore 8 times), disassembly from WCB. Examining this code please remember that we entered here with following configuration: DX=0, AX=0xA, CX=[958C] and BX=[958A]... 1.0D93 56 push si ; save si 1.0D94 96 xchg ax, si ; ax=si, si=0xA 1.0D95 92 xchg ax, dx ; dx=0xA ax=dx 1.0D96 85C0 test ax, ax ; TEST this zero 1.0D98 7402 je 0D9C ; zero only 1st time 1.0D9A F7E3 mul bx ; BX slider! 0/9/5E/3B2... 1.0D9C >E305 jcxz 0DA3 ; cx=0? don't multiply! 1.0D9E 91 xchg ax, cx ; cx !=0? cx = ax & ax = cx 1.0D9F F7E6 mul si ; ax*0xA in ax 1.0DA1 03C1 add ax, cx ; ax= ax*0xA+cx = M_ULT 1.0DA3 >96 xchg ax, si ; ax=0xA; si evtl. holds M_ULT 1.0DA4 F7E3 mul bx ; ax= bx*0xA 1.0DA6 03D6 add dx, si ; dx= dx_add 1.0DA8 5E pop si ; restore si 1.0DA9 CB retf ; back to caller with two parameters: DX and AX Back_to_main_protection_loop_from_RO_routine: :4CBC C45E0E LES BX,[BP+0E] ; reset pointer :4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] :4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] :4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] :4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] :4CCC C45E0E LES BX,[BP+0E] ; reset pointer :4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] :4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] :4CD6 FF0E8D5E DEC WORD PTR [5E8D] ; down_slide SEC_+3 :4CDA 7D05 JGE 4CE1 ; no need to add :4CDC 83068D5E0A ADD WORD PTR [5E8D],+0A ; pamper adding 10 :4CE1 FF068F5E INC WORD PTR [5E8F] ; up_slide FIR_+7 :4CE5 A18F5E MOV AX,[5E8F] ; save upslided FIR_+7 in AX :4CE8 3D0900 CMP AX,0009 ; is it over 9? :4CEB 7E05 JLE 4CF2 ; no, go on :4CED 832E8F5E0A SUB WORD PTR [5E8F],+0A ; yes, pamper -10 :4CF2 FF0E975E DEC WORD PTR [5E97] ; decrease loop counter check_loop_counter: :4CF6 833E975E03 CMP WORD PTR [5E97],+03 ; counter = 3? :4CFB 7C03 JL 4D00 ; finish if counter under 3 :4CFD E961FF JMP 4C61 ; not yet, loop_next_count loop_is_ended: :4D00 C45E06 LES BX,[BP+06] ; reset pointer to input :4D03 268A4701 MOV AL,ES:[BX+01] ; load 2nd number (2) :4D07 98 CBW ; only low :4D08 05D0FF ADD AX,FFD0 ; clean it :4D0B BA0A00 MOV DX,000A ; DX = 10 :4D0E F7EA IMUL DX ; AX = SEC_*10 = 14 :4D10 C45E06 LES BX,[BP+06] ; reset pointer :4D13 50 PUSH AX ; save SEC_*10 :4D14 268A07 MOV AL,ES:[BX] ; load 1st number (1) :4D17 98 CBW ; only low :4D18 8BD0 MOV DX,AX ; save in DX :4D1A 58 POP AX ; get SEC_*10 :4D1B 03C2 ADD AX,DX ; sum SEC_*10+1st number :4D1D 05D0FF ADD AX,FFD0 ; clean it :4D20 99 CWD ; only low :4D21 C45E0A LES BX,[BP+0A] ; get pointer to [9582] :4D24 26895702 MOV ES:[BX+02],DX ; save 1st (1) in [9584] :4D28 268907 MOV ES:[BX],AX ; save FINAL_SUM (15) [9582] :4D2B 33D2 XOR DX,DX ; DX = 0 :4D2D B80100 MOV AX,0001 ; FLAG TRUE ! :4D30 E9E6FE JMP 4C19 ; OK, you_are_a_nice_guy EXIT: :4D33 59 POP CX ; pop everything and :4D34 59 POP CX ; return with flag :4D35 1F POP DS ; AX=TRUE if RegNum OK :4D36 5D POP BP ; with 1st # in [9584] :4D37 4D DEC BP ; with FINAL_SUM in [9582] :4D38 CB RETF Let's translate the preceding code: first of all the pointers: At line :4B86 we have the first of a long list of stack ptrs: LES BX,[BP+06] This stack pointer points to the beginning of the input string, which, once polished from the "-", has now a length of 10 bytes, concluded by a 00 fence. At the beginning, before the main loop, 9 out of our 10 numbers are added, all but the third one. Notice that protection has jumped # 3 (and added # 8 out of the line). The rest is straightforward. Now, at line :4BFD we have our first "cleaning" instruction. You see: the numbers are hexadecimal represented by the codes 0x30 to 0x39. If you add FE50 to the minimum sum you can get adding 9 numbers (0x30*9 = 0x160) You get 0. The maximum you could have adding 9 numbers, on the contrary is (0x39*9=0x201), which, added to FE50 gives 0x51. So we'll have a "magic" number between 0x0 and 0x51 instead of a number between 0x160 and 0x201. Protection pampers this result, and retains only the last ciffer: 0-9. Then protection divides this number through 0xA, and what happens? DX get's the REMAINDER of it. If we sum the hexcodes of our (1212-1212-12) we get 0x1BE (we sum only 9 out of then numbers: the third "1" -i.e. "31"- does not comes into our count); 0x1BE, cleaned and pampered gives E. Therefore (0xE/0xA = 1) We get 1 with a remainder of 4. You may observe that of all possible answers, only sums finishing with A, B, C, D, E or F give 1 (and rem=0,1,2,3,4 or 5). Sums finishing 0 1 2 3 4 5 6 7 8 or 9 give 0 as result and themselves as reminder. The chance of getting a 0,1,2,3 or 4 are therefore bigger as the chance of getting a 5, 6, 7, 8 or 9. We are just observing... we do not know yet if this should play a role or not. Now this remainder is compared at :4C11 with the third number polished from 0x30-0x39 to 0-9. This is the only protection check for the registration number input: If your third number does not match with the remainder of the sum of all the 9 others numbers of your input you are immediately thrown out with FLAG AX=FALSE (i.e. zero). To crack the protection you now have to MODIFY your input string accordingly. Our new input string will from now on be "1242-1212- 12": we have changed our third number (originally a "2") to a "4" to get through this first strainer in the correct way. Only now protection starts its mathematical part (We do not know yet why it does it... in order to seed the random product number? To provide a check for the registration number you'll input at the end? We'll see). - Protection saves the second number of your input (cleaned with FFD7) in SEC_+3 [5E8D], pampering it if it is bigger than 9 (i.e. if it is 0xA-0xF). Here you'll have therefore following correspondence: 0=7 1=8 2=9 3=0 4=1 5=2 6=3 7=4 8=5 9=6. The second number of your input has got added +3. This is value SEC_+3. In (lengthy) C it would look like this: If (RegString(2)is lower than 7) RegString(2) = RegString(2)+3 Else Regstring(2) = ((RegString(2)-10)+3) - Protection saves your first number in FIR_+7 [5E8F] with a different cleaning parameter (FFC9). The next pampering adds 0xA if it was not 7/8/9 therefore you have here following correspondence 7=0 8=1 9=2 0=3 1=4 2=5 3=6 4=7 5=8 6=9). This is value FIR_+7. In (lengthy) C it would look like this: If (RegString(1) is lower than 3) RegString(1) = RegString(1)+7 Else Regstring(1) = ((RegString(1)-10)+7) So protection has "transformed" and stored in [5E8D] and [5E8F] the two numbers 1 and 2. In our RegString: 1242-1212-12 the first two numbers "12" are now stored as "94". These will be used as "slider" parameters inside the main loop, as you will see. Only now does protection begin its main loop, starting from the LAST number, because the counter has been set to 9 (i.e. the tenth number of RegString). The loop, as you'll see, handles only the numbers from 10 to 3: it's an 8-times loop that ends without handling the first and second number. What happens in this loop?... Well, quite a lot: Protection begins the loop loading the number (counter+1) from the RegString. Protection then loads the SEC_+3 down_slider parameter (which began its life as second number "transformed"), multiplies it with 0xA and then adds the up_slider parameter FIR_+7 (at the beginning it was the first number transformed). This sum is used as "lookup pointer" to find a parameter inside a table of parameters in memory, which are all numbers between 0 and 9. Let's call this value Lkup_val. Protection looks for data in 1EA7:[Lkup_val]. In our case (we entered 1242-1212-12, therefore the first SEC_+3 value is 9 and the first FIR_+7 value is 4): [Lkup_val] = 9*0xA+4; 0x5A+4 = 0x5E. At line :4C80 therefore AL would load the byte at 1EA7:005E (let's call it KEY_PAR), which now would be ADDED to the # counter+1 of this loop. In our case KEY_PAR at 1EA7:005E it's a "7" and is added to the pampered 0x32=2, giving 9. Let's establish first of all which KEY_PAR can possibly get fetched: the maximum is 0x63 and the minimum is 0x0. The possible KEY_PARs do therefore dwell in memory between 1EA7: and 1EA7:0063. Let's have a look at the relative table in memory, where these KEY_PARs are stored ("our" first 0x5Eth byte is underlined): 1EA7:0000 01 03 03 01 09 02 03 00-09 00 04 03 08 07 04 04 1EA7:0010 05 02 09 00 02 04 01 05-06 06 03 02 00 08 05 06 1EA7:0020 08 09 05 00 04 06 07 07-02 00 08 00 06 02 04 07 1EA7:0030 04 04 09 05 09 06 00 06-08 07 00 03 05 09 00 08 1EA7:0040 03 07 07 06 08 09 01 05-07 04 06 01 04 02 07 01 1EA7:0050 03 01 08 01 05 03 03 01-02 08 02 01 06 05 07 02 1EA7:0060 05 09 09 08 02 09 03 00-00 04 05 01 01 03 08 06 1EA7:0070 01 01 09 00 02 05 05 05-01 07 01 05 08 07 01 09 1EA7:0080 08 07 07 04 04 08 03 00-06 01 09 08 08 04 09 09 1EA7:0090 00 07 05 02 03 01 03 08-06 05 07 06 03 07 06 07 1EA7:00A0 04 02 02 05 02 04 06 02-06 09 09 01 05 02 03 04 1EA7:00B0 04 00 03 05 00 03 08 07-06 04 08 08 02 00 03 06 1EA7:00C0 09 00 00 06 09 04 07 02-00 01 01 01 01 00 01 FF 1EA7:00D0 00 FF FF FF FF 00 FF 01-00 00 00 00 00 00 00 00 An interesting table, where all the correspondences are between 0 and 9... are we getting some "secret" number here? But, hey, look there... funny, isn't it? Instead of only 0-0x63 bytes we have roughly the DOUBLE here: 0-0xC8 bytes (the 01 sequence starting at CA "feels" like a fence). We'll see later how important this is. At the moment you should only "perceive" that something must be going on with a table that's two time what she should be. As I said the result of KEY_PAR + input number is polished (with a FFDO) and pampered (subtracting, if necessary, 0xA). Therefore the result will be the (counter+1) input number + KEY_PAR (let's call it RE_SULT], in our case, (at the beginning of the loop) a 9. Now (DX=0 because of the CWD instruction) DX will be saved in [9548] and RE_SULT in [9546]. Now Protection prepares for the RO_routine: resets its pointer and charges CX and BX from [958C] and from [958A] respectively, charges AX with 0xA and sets DX to zero. The routine performs various operations on AX and DX and saves the results in the above mentioned locations [958A] and [958C]. Now KEY_PAR and RE_SULT are added respectively to the DX and AX value we got back from the RO_routine call, and saved once more in the last two locations: AX+RE_SULT in [958A] and DX+KEY_PAR in [958C] Now the value in SEC_+3 is diminished by 1 (if it was 9 it's now 8, if it was zero it will be pampered to 9). It's a "slider" parameter (in this case a down_slider), typically used in relatively complicated protections to give a "random" impression to the casual observer. The value in FIR_+7, on the contrary, is augmented by one, from 4 to 5... up_sliding also. Protection now handles the next number of your input for the loop. In our case this loop uses following protection configuration with our "sliding" parameters: Input # pamp_2nd pamp_1st Lookup value KEY_PAR # RE_SULT # 10 = 2, SEC_+3= 9, FIR_+7= 4, Lkup_val = 0x5E, KEY=7 +2 = 9 # 9 = 1, SEC_+3= 8, FIR_+7= 5, Lkup_val = 0x55, KEY=3 +1 = 4 # 8 = 2, SEC_+3= 7, FIR_+7= 6, Lkup_val = 0x4C, KEY=4 +2 = 6 # 7 = 1, SEC_+3= 6, FIR_+7= 7, Lkup_val = 0x43, KEY=7 +1 = 7 # 6 = 2, SEC_+3= 5, FIR_+7= 8, Lkup_val = 0x3A, KEY=0 +2 = 2 # 5 = 1, SEC_+3= 4, FIR_+7= 9, Lkup_val = 0x31, KEY=4 +1 = 5 # 4 = 2, SEC_+3= 3, FIR_+7= 0, Lkup_val = 0x1E, KEY=5 +2 = 7 # 3 = 4, SEC_+3= 2, FIR_+7= 1, Lkup_val = 0x15, KEY=2 +4 = 5 Notice how our "regular" input 21212124 has given an "irregular" 94672575. You may legitimately ask yourself what should all this mean: what are these RE_SULTs used for? Well they are used to slide another parameter: this one inside the called routine... this is what happens to AX and DX inside the routine, and the lines after the called routine: :4CBF 26895702 MOV ES:[BX+02],DX ; save R_DX par [958C] :4CC3 268907 MOV ES:[BX],AX ; save R_AX par [958A] :4CC6 0346FA ADD AX,[BP-06] ; add to AX RE_SULT [9546] :4CC9 1356FC ADC DX,[BP-04] ; add to DX KEY_PAR [9548] :4CCC C45E0E LES BX,[BP+0E] ; reset pointer to E :4CCF 26895702 MOV ES:[BX+02],DX ; save R_DX+KEY_PAR [958C] :4CD3 268907 MOV ES:[BX],AX ; save R_AX+RE_SULT [958A] :4CC6 :4CC9 :4CCF Odd_DX :4CD3 slider_sum RE_SULT [958A] [958C] [958C] [958A] 0 0 0 0 0 9 5A 0 0 9 4 3AC 0 0 5E 6 24F4 0 0 3B2 7 71CE 1 1 24FB 2 7220 4 E 71D0 5 7572 4 90 7225 7579 Now the loops ends, having handled the input numbers from tenth to third. Protection loads the second number and multiplies it by 10 (let's call this result SEC_*10), in our case 2*0xA=14. Protection loads the first number and adds it to the multiplication, in our case 1+0x14=0x15 (FINAL_SUM]. Now everything will be added to FFDO to "clean" it. Pointer will now be set to the end of the input number. DX, zeroed by CDW, will be saved as parameter in [9584] and the cleaned and pampered sum will be saved in [9582]. FLAG is set to true and this routine is finished! No parameter are passed and the only interesting thing is what actually happens in the locations [9582], [9584], [958A] and [958C], i.e.: FINAL_SUM, 0, slider_sum, odd_dx. In the next lesson we'll crack everything, but I'll give you already some hints here, in case you would like to go ahead on your own: we'll see how the scheme used for the third (the registration) number show analogies and differences with the scheme we have studied (and cracked) here for the first number. Our 3434-3434-3434-3434-34 input string for the registration number will be transformed in the magic string 141593384841547431, but this will not work because the "magic" 12th number: "1" will not correspond to the remainder calculated inside this check through the previous locations of the other checks. Here the things are more complicated because every little change in your input string transforms COMPLETELY the "magic" string... therefore in order to pass the strainer you'll have to change 3434-3434-3434-3434-34 in (for instance) 7434-3434-3434- 3434-96. The "magic" string 219702960974498056 that this registration input gives will go through the protection strainer. Only then we'll be able to step over and finally crack the whole protection... it's a pretty complicated one as I said. Now crack it pupils... you have three months time. From this crack depends your admission to the Uni, there will be no other admission text till summer 1997 (it's a hell of work to prepare this crap)... work well. Well, that's it for this lesson, reader. Not all lessons of my tutorial are on the Web. You 'll obtain the missing lessons IF AND ONLY IF you mail me back (via anon.penet.fi) some tricks of the trade I may not know but YOU've discovered. I'll probably know most of them already, but if they are really new you'll be given full credit, and even if they are not, should I judge that you "rediscovered" them with your work, or that you actually did good work on them, I'll send you the remaining lessons nevertheless. Your suggestions and critics on the whole crap I wrote are also welcomed. E-mail +ORC +ORC an526164@anon.penet.fi