The flag's faking approach

by Xoanon

Courtesy of Reverser's page of reverse engineering
Let's hear Xoanon's voice:
Ciao! Ti mando un piccolo txt sul crakkaggio "bruto" ... cio, come registrare un programma (ma anche altri tipi di protezioni, basta applicarsi un p) senza passare dall'enter registration number ecc... Pu sembrare banale, ma a volte ste' protezioni son proprio un casino .... quindi cosa c' di meglio che fakare i flags che dicono al prg se registrato o no? Molte volte si f parecchio prima!!!!


                            BRUTE FORCE cRACKING!
                          The flags-faking approach
                         by [>Xoanon<]/pinnacle 1997
  Well, i decided to write this little essay for everyone (especially
newbies) who does not like to spend a lot of time trying to decypher
lines and lines of (meaningless?) code "inside.class" too many protection
schemes. For example, have u ever found a serial number protected program
which u were not able to crack? I bet you have! You change a lot of bytes,
and yet it still sayd "Unregistered" and the "only for registered users"
options were still disabled. On the other hand, did the following ever
happen to you? A crippled program with some options disabled and u DO NOT
FIGURE how to enable them? Well, go to the nearest tobacconist, buy a cool
box of Marlboro Lights (or the red ones, if you prefer), choose a rainy day
(the best for cracking purposes), sit in front of your PC and load this
essay in your favourite text-editor (i use old, good dos EDIT). By the way,
i hope you'll be able to read it, coz i dunno if the +HCU will really be
interested on this piece of text.... in fact it doesn't describe any new
protection scheme, it describes merely a different approach on
cracking a lot of programs.

Ok, let's start!
I will take as example a program called "HyperCam" v1.19, sort of an AVI
recorder of what happens on your screen... really good, especially if u 
want to create an animated "cracking essay" for your new brand cool 
target :-)

To get it go to - HYPERCAM.ZIP - 251819 bytes
(i'm not really sure of the ZIP name, i found it on a CD. But I believe 
it should be right)

Well, it's nothing new from the point of view of the protection scheme, as
I said... the only thing to notice is that it uses a very very nasty
key creation algorithm, maybe not understandable by most newbie-crackers.
Also, it stores the registration infos in a file called HYPERCAM.LIC, so
it needs quite a lot of work to crack it.

Ok, but this time we don't want to crack it with the usual "BMSG xxxx

We want to try something new! Light your cigarettes, fire your SoftICE and
install a good disassembler (i use now WDasm 8 <- thanx a lot to Frog's Print
for cracking it! very good work!). The "protection" consist, basically, in
the following scheme:
1) It displays a nag screen at the beginning
2) It adds a boring "HyperCam Unregistered" to all your nice AVI creations

So, let's begin examining the "Unregistered Hypercam" add-on to the AVIs,
i.e. the nagstring: Since we want to crack it without really "registering" it,
we have to take care of the flags that the program controls in order to know
if it's registered or not. Usually, a program will store in a location a "00"
if unregistered (="FALSE)" and a "01" if it's registered (="TRUE)..." that's
most of the times NOT a protectionist choice, that's the overbloated programming
language doing it whithout ever letting them to know that this happens :-) We
have to find this "holy" location. How? In this way:

1) Load up WDasm and disassemble HYPERCAM.EXE, save the *.alf. (be sure to use
the cracked one by FrogPrint!! If you use the demo one u will not be able to
examine the textfile at leisure inside your wordprocessor!)

2) Search the nagstring it adds to all your AVIs: "Unregistered Hypercam"
YEAH!!!! FOUND IT! Examine this piece of code: (don't care about my comments
now, yu'll look at them after)

* Referenced by a Jump at Address :00401464(C)
:0040151C A1C0A34300               mov eax, [0043A3C0]   *** < Now is "0"
:00401521 85C0                     test eax, eax             < If "0"
:00401523 740F                     je 00401534           *** < You suck!
:00401525 8B0D045E4300             mov ecx, [00435E04]       < Checks again
:0040152B A1C0504300               mov eax, [004350C0]       < with another flag
:00401530 3BC8                     cmp ecx, eax          *** < Final Check
:00401532 7418                     je 0040154C               < Equal? BRAVO="!!"

Here we see that if the TEXT EAX,EAX fails at :401521 it will jump to :401534
Hmmm..... maybe DS:43A3C0 is the holy location where our flag is stored? YES!!!!

* Referenced by a Jump at Address :00401523(C)
:00401534 8B1534A14300             mov edx, [0043A134]       < not equal ?
:0040153A 6A15                     push 00000015             < NISBA! (italian)

* Possible StringData Ref from Data Obj>"Unregistered HyperCam"
:0040153C 68D0504300               push 004350D0            < the Unregistered
:00401541 6A00                     push 00000000            < string is added
:00401543 6A00                     push 00000000            < to your AVIs
:00401545 52                       push edx
(lines tagged with a "***" will be the targets of our crack)

We found something interesting nah? Well, fire your ice (eh... i mean Winice!),
run the program and set a BPX which let us return the debugger after doing
something.... for example, i often use KERNEL!HMEMCPY and choose an option
in which i can enter some strings.... but it's only an example, you could do
it in a lot of other ways.... Well, .BPX KERNEL!HMEMCPY .CTRL-D and select
now an option in which you can enter some text (for example, the "License"
option). After entering, you will land in Winice again. Now hit F12 (trace-back)
until you reach the code "of.class" HYPERCAM

Remember to remove first the KERNEL!HMEMCPY breakpoint! .Reached? ok, search
now in this segment the first bytes of our code for me is 22f, so>

S 22f:0 lffffffff A1 C0 A3 43 00 85 C0 74 0F 8B
if you don't find it, it's simply bcoz maybe that piece of code isn't  loaded
in memory yet, it is not yet "pinpointed". So, choose the "AVI
record" option and record something. Then retry and you'll find it.
Set a BPX now at address you found these bytes in (the beginning of
the code showed before)
for me is 22f:1ef91c, so --> BPX 22F:1EF91C
Ok, now we have set the breakpoint, hoping the best when we reload it and try
to create an avi (or even when the program is restarted, we don't know now if
it will work or not) it should break inside softice... 

Now examine the comments in my code, and u should see that the flag which
control all is located at DS:43A3C0. Infact if the 2 checks fails, the
PUSH 004350D0 will save in stack the "Unregistered Hypercam" string (you
can see it by dumping memory D 4350D0 as soon as you reach the push).
Well, now we know where the flag is... can we suppose that it controls
the initial nagscreen as well? yes of course! :)
Remove all the BPXs, set a new BPM DS:43A3C0 and restart the program!
Now we can see what happens to that "flag" location since the beginning...
You will land in softice 2 times, and after the 2nd time the nagscreen 
will appear. So, what does this mean? Easy: the first time softice pops 
up inside a piece of code which resets the flags, the second time 
(our target) when the programs checks it. But look:
2nd popup:
:00404958 8BCD                     mov ecx, ebp
:0040495A E83C610200               call 0042AA9B
:0040495F 39BD48010000             cmp [ebp+00000148], edi    < you will land here
:00404965 750D                     jne 00404974               < if not equal jump
:00404967 6AFF                     push FFFFFFFF              < if not.....
:00404969 57                       push edi                   < after some calls
:0040496A 688B000000               push 0000008B              < the nag pops up!
:0040496F E886270200               call 004270FA

as u have noticed, EBP+148 is our "flag" location : 43A3C0 !!! We are finished
now! Change
.CMP [EBP+148],EDI with .MOVE BYTE PTR [EBP+148],1            < move always 1
.JNE 404974             .JMP 404974                           < in our flag Back to 401530,

change also the JE 40154C to JMP 40154C to fool completely the protection scheme.

Note that you have to change all of these, 'coz only removing the nag or the
string doesn't work. You can check this yourself examining the code....
Ah.... a little side effects of this kind of approach *MAY BE* that the program
still say it isn't registered... even if all the options are now cracked and enabled
and even if the nag screens has been removed. This is what happens in HyperCam... but
could happen in other programs too ('bcoz obviously you don't register them normally,
with this approach you don't enter any name/serial, you only fool the program to
*THINK* it's registered...). But who cares? The main thing is to have a fully working
version nah? Well, i hope this little piece of txt could help you... it is often easier
and faster to handle (read crack) the flags than trying to bypass the "real" number
check or whatever the protection scheme does... also you can apply this approach to
nearly every kind of protection... the main steps you should follow are:

1) Search references to the nag/unregistered/ecc. things in the code
2) Correctly identify the flags
3) BPM their locations and examine the code which refers to them.
4) Modify them to let the program think it's registered/deprotected.

CIAO! by [>Xoanon<]/pinnacle 1997

You are deep inside reverser's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC student
tools cocktails javascripts search_forms mailFraVia

Reverser 13 May 1997