edgyReggie is very thankful for those very, very, very few people (probably his parents) who bought him some coffee to get him through his days in university. As a way of saying Thanks!, he has implemented something that shows the customer's name in the software after it has been registered. Something that's really been frustrating him is how people keep managing to tamper with his serial numbers, so hardcoding them is no longer an option, and he believes that his new validation method will be harder to mess around with. The more complex the validation, the harder to crack, right? But by the looks of things, he's conflicted and doubts that just changing the verification method will be enough to stop crackers from pirating his software...
Difficulty
Author Assigned Level: Newbie
Goal
Your goal is to achieve the "full" version of the software, i.e. removing all nags that you see and unlocking all features of the program.
Your secondary (optional) goal is to generate a working name-serial pair if possible.
Bonus points to the most elegant solutions (minimal byte patching).
EDIT: Holy crap, Windows troubleshooter fixed it o_O
Double edit: Nope, crashes again. And my color scheme has switched to about 2.5 colors, what have you done
Oh baby, a triple edit: ay, it works again
My aim was to patch your program with up to two bytes and create a "valid" License.lic file for this patch.
The function (0x00401d20) for validating the serial key and name combination is expected to return the value 1 for a valid license. So I change it in that way. Below is the code executed for invalid combinations:
0x00401daa mov ecx, dword [ebp+var_4]
0x00401dad xor al, al
0x00401daf pop edi
0x00401db0 pop esi
0x00401db1 xor ecx, ebp
0x00401db3 pop ebx
0x00401db4 call sub_402273 ; stack smashing protection
0x00401db9 mov esp, ebp
0x00401dbb pop ebp
0x00401dbc ret
0x00401dbd db 3 dup (0xcc)
I want to set eax=1. Because I decided to patch up to two bytes, I would like to put the instruction "inc eax" somewhere in this code. With all functionality and stack protection still working, I can use the "free" space after the return (INT3 instructions, 0xcc bytes), so I move the ret instruction by one byte and put "inc eax" in place of the original "ret". So the patched code looks like:
0x00401dbc inc eax
0x00401dbd ret
0x00401dbe db 2 dup (0xcc)
Patching the program was easy, same solution as the last one, but whoever wrote that serial checking code needs to get a holy water IV and seek the nearest pope because an exorcist will only make things worse.
I'm a bit late here but I thought this would be interesting to add. I looked into the serial checking code as well and it seems that the serial check completely ignores the contents of the given serial. It only performs a ton of complicated operations on the username. It ends up putting the result of these operations in the ebx register. The ebx register is then compared with an arbitrary number. When ebx is larger than that number, the registration is successful. So, as long as the serial has the correct format, everything is fine. The only thing that matters is if the username is correct. At least, this is what I found after digging around in the code. It could very well be that I missed something very obvious.
By jumping the loop setup after incorrectly inputting a key
Found the initial point of the loop, set to jnz return_equal, therefore allowed access. This in turn created the Licence.lic with the key for me with the 'accepted key' inside.
Not a very manipulated way or pretty Cracked <3 (Always love that), but this "series" has taught me more about reversing in the last hour than I've ever dreamt of before. Just gotta find how to add that in!
Every day is a school day, even when you don't know any programming language!