TekFacts95 v1.40.4 (8/04/97)
Posted: 2007-2-21 18:53

.oOOo. A Tutorial On Different Approaches To Cracking - TekFacts95 v1.40.4 (8/04/97) .oOOo.
.oOOo..oOOo..oOOo. by tHATDUDE [PC & GLoW] .oOOo..oOOo..oOOo.

Program Stats:
What it is: A system util to check CPU usage, etc.
Where to get: http://ourworld.compuserve.com/homepages/deansoft or http://www.winutils.com/
Size: 583kb (zipped)
Protection: Start-up NaG, Delay, "unregistered" text in several places, Name/Code entry

Tools to crack:
W32Dasm v8.9
Hex editor of your choice...

OK.. I'll attempt to explain my thought processes while cracking TekFacts...
First thing I do before anything: Unzip and install! =)  No install for TekFacts95, just
unzip it and run the .EXE...

OK, let's run the program and take a good look. We start it up and see the NaG and time delay,
then it pops us into the program and we see it has "<Unregistered Version>" in the title bar.
Let's check the About box... it shows us a place to enter a registration number and
first/last name. Enter a First name / Last name / Random code, and take note of the text in
the box telling us our code is not correct... Alright, let's open this baby up in a hex editor.
(I use UltraEdit32) Let's search for "regist" as case-insensitive ASCII. Always do this before
using a disassembler. It can give you many tips on how to attack the program... sometimes the
registration code is hardcoded into the .exe! After taking a careful look, let's disassemble it!

So, let's start up W32Dasm (I use v8.9 - thanks Revolt! ;) and disassemble this file.
While waiting for the file to be disassembled, we can think about how we will attack the
program. Since there is a name/serial entry, we can always go for the "Any name/Code"
type of crack. Let's do that technique first then.

We remember that the text from the invalid registration box was "Registration Key Failed!"
In w32dasm, go to Refs|String Data References.
Scroll down the list of references until we find "Registration Key Failed!" =)
Double click on it and w32dasm will take you to the spot in the program.
(As a note, always try double clicking on the string reference more than once... often there
is more than one occurrence of the string in the file; in TekFacts there is only 1 string.)
Close the String Data References box and scroll up a little... we see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00475C56(C)
|
:00475D8A 6A30                    push 00000030

* Reference To: user32.MessageBeep, Ord:0000h
                                  |
:00475D8C E8A705F9FF              Call 00406338

* Possible StringData Ref from Code Obj ->"Registration Key Failed!"
                                  |
:00475D91 B8F05E4700              mov eax, 00475EF0
:00475D96 E8F51DFCFF              call 00437B90

We see that at 00475C56 there is a Conditional jump to the bad regkey box. Scroll up some
and take a look at where this conditional jump occurs.

:00475C51 E87ED0F8FF              call 00402CD4
:00475C56 0F852E010000            jne 00475D8A                   ; Conditional jump to BAD reg
:00475C5C 8D45B7                  lea eax, dword ptr [ebp-49]
:00475C5F BA545E4700              mov edx, 00475E54
:00475C64 B114                    mov cl, 14

.: SNIP :.

* Possible StringData Ref from Code Obj ->"Software\Dean Software\TechFacts95"

.: SNIP :.

* Possible StringData Ref from Code Obj ->"sRegStat"             ; Registry Key - Code

.: SNIP :.

* Possible StringData Ref from Code Obj ->"Config"

.: SNIP :.

* Possible StringData Ref from Code Obj ->"sUser"                ; Registry Key - Name

.: SNIP :.

* Possible StringData Ref from Code Obj ->"Config"

.: SNIP :.

* Possible StringData Ref from Code Obj ->"Registration Key accepted!"
                                  |
:00475D75 B8CC5E4700              mov eax, 00475ECC
:00475D7A E8111EFCFF              call 00437B90
:00475D7F 66C70580964E000100      mov word ptr [004E9680], 0001  ; RegFlag City!
:00475D88 EB11                    jmp 00475D9B

That snippet from w32dasm tells us a lot! (Assuming you understand the ASM ;)
OK.. so how to crack this for any name/code? Change the conditional jump at 00475C56!
Load up TekFacts with your hex editor and change the bytes.

Original String: 0F852E010000
Change it to   : 909090909090
This will prevent the program from ever going to the bad registration dialog, and it
will allow the prog to continue on its way, processing all the way to the good regbox.

While changing: 0F852E010000
to            : 0F842E010000
can also work (0F85 is jne, 0F84 is je), it only inverts the test instead of removing it:
a wrong code now passes, but a *correct* code would take the jump to the bad regbox. Why risk
the chance of it ever jumping there? Sometimes more byte changes are better.

You can also change: 0F852E010000
to this instead    : 489040409048
which is dec eax / nop / inc eax / inc eax / nop / dec eax. It works just as well as
909090909090, since eax ends up unchanged, but it is a more "professional" way to do it because
it doesn't look like a NOP sled. One caveat: inc and dec still rewrite the arithmetic flags
(all but CF), so only use filler like this where nothing after the patch depends on the flags.

Now the test! Run it and try it. Wow! It worked! =)
Always test by closing down the program all the way and re-launching it!
Still registered! Great! =)

Are we done? ... We could be, but lets take a deeper look at the program and have some
more fun. ;) Take a look at the code above again. The program writes the registration info
into the registry, where it reads this info on startup. (Regmon can confirm this if you don't
trust me ;) Anyway, let's open up the registry and see what's there.

In the registry we see some very interesting stuff...:
[HKEY_CURRENT_USER\Software\Dean Software\TechFacts95\Config]
"sRegStat"="TFIETPBJJ7200"
"sUser"="tHATDUDE Phrozen"

I entered this info:
First Name: tHATDUDE
Last Name : Phrozen
RegKey    : 32441234342  (just hit a bunch of keys =)

"Are you thinking what I'm thinking??"
"Yeah.. Alicia Silverstone has a great ass!"
"DOH!"

=)

Anyway..  We're thinking the program stores the *CORRECT* reginfo! (actually we would know
this if we followed the ASM carefully...) Anyway.. restore a clean .EXE and test it.. it still
runs regged! Now we can export those regkeys and release that as a .REG file! (Export them
by selecting them, then going to Registry|Export registry file...) The advantage of this is
that it would most likely work with a new version or build.

So now we have 2 cracks. 1 to use any name/code, and 1 to merge the reginfo into the registry.
Are we done? ... Well, let's take yet another approach to cracking this program. Remember the
"<Unregistered Version>" text in the title bar of the program when unregistered? This is a
bad idea by the author because it is another attack point. (Why another attack point? Because
we know it will not be shown when registered!)

In w32dasm, go to Refs|String Data References. Scroll down the list of references until we
find "<Unregistered Version>" ... Double click on it and take a look at the code around it:

:0048E3B1 66833D80964E0000        cmp word ptr [004E9680], 0000    ; Doesn't this look familiar?
:0048E3B9 7522                    jne 0048E3DD              ; if 004E9680 is NOT 0, it will jump
:0048E3BB B201                    mov dl, 01
:0048E3BD 8B83C4010000            mov eax, dword ptr [ebx+000001C4]
:0048E3C3 E8348BF8FF              call 00416EFC

* Possible StringData Ref from Code Obj ->"<Unregistered Version>"
                                  |
:0048E3C8 BAD0E44800              mov edx, 0048E4D0
:0048E3CD 8B83E0010000            mov eax, dword ptr [ebx+000001E0]
:0048E3D3 E8F88BF8FF              call 00416FD0
:0048E3D8 E9C7000000              jmp 0048E4A4

What can we conclude from the code above? That the program works on a RegFlag system.
A RegFlag is a 0 or a 1, which the program checks against to see if it is registered or not.
If we toggle this flag to our favor, we can crack it and not rely on the user to be smart
enough to enter any name/code. <G> It will just run registered. It works well for this program,
especially since it does not display any name or serial of any sort anywhere in the program.

Remember that at address 00475D7F, I commented with "RegFlag City!"

* Possible StringData Ref from Code Obj ->"Registration Key accepted!"
                                  |
:00475D75 B8CC5E4700              mov eax, 00475ECC
:00475D7A E8111EFCFF              call 00437B90
:00475D7F 66C70580964E000100      mov word ptr [004E9680], 0001  ; RegFlag City!
:00475D88 EB11                    jmp 00475D9B

Do you see why? When registration is successful, 1 is moved into [004E9680]. But... we
want to find a place to shove 1 into [004E9680] without the user having to do anything.
So, search for 004E9680 in w32dasm.

We notice several compare's and we see that if the flag is set it will jump past all the
icky stuff we don't like =)  We finally end here...:

* Possible StringData Ref from Code Obj ->"TechFacts 95"             ; Program Starts...
                                  |
:004C81F5 BAD0864C00              mov edx, 004C86D0
:004C81FA 8B45FC                  mov eax, dword ptr [ebp-04]
:004C81FD E8CEEDF4FF              call 00416FD0
:004C8202 B88C000000              mov eax, 0000008C
:004C8207 E8E4D3FAFF              call 004755F0
:004C820C 84C0                    test al, al
:004C820E 750B                    jne 004C821B
:004C8210 66C70580964E000000      mov word ptr [004E9680], 0000      ; Moves in 0 to set default as UNREGISTERED...
:004C8219 EB09                    jmp 004C8224

"Are you thinking what I'm thinking??"
"Yeah.. but how are we gonna get enough Jello to fill the whole pool?"
"DOH!@"

=)

Change  : 66C70580964E000000
To this : 66C70580964E000100

And it now moves 1 into 004E9680 as default... Run it.. regged!! =)
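The byte patches from approach 1 (the jne at 00475C56) and approach 3 (the default RegFlag store at 004C8210), as a small Python patcher. This is an added example and not part of the original tutorial: the "image" it works on is a constructed byte buffer holding only the instruction bytes quoted above at made-up offsets (it is not the real TekFacts95 EXE), and the function names are mine. It decodes the jne to confirm it really lands on 00475D8A, checks that the 489040409048 filler is eax-neutral, and applies each patch only when the original bytes are the same length as the replacement and occur exactly once in the file, the two things you should verify before touching bytes in a hex editor.

```python
"""Byte patching helpers for the TekFacts95 approaches above.

Added example, not from the original tutorial. The image below is a
CONSTRUCTED byte buffer holding only the instruction bytes quoted in the
tutorial, at made-up offsets; it is not the real TekFacts95 EXE.
"""
import struct

# Instruction bytes exactly as W32Dasm listed them in the tutorial.
JNE_BAD_REG   = bytes.fromhex("0F852E010000")        # :00475C56 jne 00475D8A
NOP_SLED      = bytes.fromhex("909090909090")        # six nops
JE_INSTEAD    = bytes.fromhex("0F842E010000")        # jne -> je (inverts the test)
EAX_NEUTRAL   = bytes.fromhex("489040409048")        # dec eax/nop/inc eax/inc eax/nop/dec eax
DEFAULT_UNREG = bytes.fromhex("66C70580964E000000")  # :004C8210 mov word [004E9680], 0
DEFAULT_REG   = bytes.fromhex("66C70580964E000100")  #           mov word [004E9680], 1


def jcc_near_target(insn: bytes, va: int) -> int:
    """Destination of a 0F 8x rel32 conditional jump whose first byte sits at va.

    The displacement is relative to the END of the 6-byte instruction, which
    is why W32Dasm shows 00475C56 + 6 + 0x12E = 00475D8A.
    """
    if len(insn) != 6 or insn[0] != 0x0F or not 0x80 <= insn[1] <= 0x8F:
        raise ValueError("not a near Jcc (0F 8x rel32)")
    rel32 = struct.unpack("<i", insn[2:6])[0]
    return (va + 6 + rel32) & 0xFFFFFFFF


def net_eax_delta(filler: bytes) -> int:
    """Net change to EAX made by a filler built only from inc eax (40),
    dec eax (48) and nop (90). 0 means the filler is register-neutral.
    Caveat: inc/dec still rewrite the arithmetic flags (all but CF), so this
    style of filler is only safe where nothing after it consumes the flags."""
    effect = {0x40: 1, 0x48: -1, 0x90: 0}
    try:
        return sum(effect[b] for b in filler)
    except KeyError as exc:
        raise ValueError(f"unsupported opcode byte {exc}") from None


def apply_patch(image: bytes, original: bytes, replacement: bytes) -> bytes:
    """Search-and-replace patch with the two checks a hex-editor patch needs:
    same length (nothing after the patch shifts) and a unique match (we are
    not hitting a look-alike byte run somewhere else in the file)."""
    if len(original) != len(replacement):
        raise ValueError("replacement would change the instruction length")
    off = image.find(original)
    if off < 0:
        raise ValueError("original bytes not found in image")
    if image.find(original, off + 1) >= 0:
        raise ValueError("original bytes occur more than once; patch by offset instead")
    return image[:off] + replacement + image[off + len(original):]


def build_sample_image() -> bytes:
    """CONSTRUCTED stand-in for the EXE: filler, the jne, filler, the default store."""
    return b"\x00" * 32 + JNE_BAD_REG + b"\xCC" * 16 + DEFAULT_UNREG + b"\x00" * 32


def crack_any_name_code(image: bytes, style: str = "nop") -> bytes:
    """Approach 1: kill the conditional jump to 'Registration Key Failed!'."""
    replacement = {"nop": NOP_SLED, "je": JE_INSTEAD, "neutral": EAX_NEUTRAL}[style]
    return apply_patch(image, JNE_BAD_REG, replacement)


def crack_regflag_default(image: bytes) -> bytes:
    """Approach 3: make the start-up default store 1 (registered) instead of 0."""
    return apply_patch(image, DEFAULT_UNREG, DEFAULT_REG)


if __name__ == "__main__":
    img = build_sample_image()
    print(f"jne at 00475C56 lands on {jcc_near_target(JNE_BAD_REG, 0x00475C56):08X}")
    print("489040409048 net eax change:", net_eax_delta(EAX_NEUTRAL))
    for style in ("nop", "je", "neutral"):
        assert len(crack_any_name_code(img, style)) == len(img)
    print("RegFlag default patched:", DEFAULT_REG in crack_regflag_default(img))
```

The uniqueness check is the part people skip: on a real EXE a 6-byte jne pattern like 0F852E010000 can easily appear twice, and the RegFlag store is only safe to search for because the 9-byte sequence includes the full absolute address 004E9680. If the check fails, patch by file offset (W32Dasm shows it in the status bar) rather than by search.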
So... We can now crack TekFacts in *3* different ways. (Assuming you didn't start zoning after
the first few lines.. =)  So does this mean you can now crack every program out there??
err.. no, but it's a start. =)  Don't be afraid to poke around with a program... tinkering
around in SoftICE or W32Dasm *and* using your brain can teach you much more than anyone can
ever teach you through a tutorial.

"Are you thinking what I'm thinking??"
"Huh? Did you say something? I wasn't listening.."
"DOH!@# =))))"

tHATDUDE [PC / GLoW]

Greetz to:
tKC, [madmax], Baloosh, Saltine, Archimede, AlieN, n00dles, STaRDoGG, |mb|, BLiTZ, AquA, Durk,
Byte Ripper, cH, eMX, Giraffe, G-RoM, Jestrz, Killer+Bee, Plushmm, Reformed, Tail Gunner, daze,
TeRaPhY, XLogic, Fingers, Rayf00, tasm, Saga, jes, lgb, NinJak, taylor^, razzia, FXer, LordByte,
SuperChic, Fryguy_, Cool-Hand, everyone in PC!! =)

"Are you thinking what I'm thinking??"
"Yeah.. you have too many greets!"
"DOH@!$!"

