edgyReggie has looked over the previous thread once again and has thought that using such an easy encoding method just isn’t going to cut it. He has created a new serial number and obfuscated it yet again, and is confident that nobody can find it. He has also noticed that people have been complaining about the lack of persistence of the registration and has addressed the issue. One thing that edgyReggie is very concerned about is that crackers are defacing his software and removing his name, thus destroying even his reputation on top of his earnings! He will be thinking very hard for a solution to fix this problem…
Difficulty
Author Assigned Level: Newbie
Goal
Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
Your secondary (optional) goal is to discover the new serial number.
Bah, I already started cracking the old one the proper way
Upon starting, a dialog box shows up, which makes us wait for 5 seconds before the program actually starts. Same thing happens when you try to close it. Let’s find the string “Please wait… 5 seconds”.
It appears two times as expected. Let’s follow the first one:
Looks like this is the function which pops up the dialog and starts the timer. We can search for references to 013B1680:
Again appears two times, we shall follow the first one again:
Going up the call chain again:
Now this is interesting. There’s a function call to something in the program, a test instruction, and a jump over the assembly which creates our wait dialog. The license check must be happening in “sub_D219E0”!
Bingo! The function opens a file called “License.lic” and reads its contents!
If that file does not exist, execution jumps to the end of the function and we get the annoying popup. Let’s make that file and see what happens.
The code goes through a few functions until we arrive at this. Looks suspicious. We could attempt to decode it and check if it looks like a serial number…
…Or let the program do it for us. It appears edgyReggie has craftily hidden the serial by XORing it. Sneaky!
The serial is: NOREPLS-809J-NAS9-83H0-3NS9
After that the code goes deeper but I frankly can’t be bothered to follow it. Let’s get to patching!
We need to remove that call to the license check.
A simple MOV fits snugly. At last, the full version is ours, permanently!
I just figured out the mechanism behind checking the serial number, but for now I have had no luck cracking your license key. So I have modified your binary to accept my serial number. Sorry, edgyReggie
Yes, the serial number provided by the user during registration is hashed with MD5 and the result is compared with the value “deab67dde2001dc1a078456015765ed6”. So I replaced this value with my own:
Edit: added another modification for accepting all the serial keys.
During validation of the registration there is a call to the function strncmp at address “0x4028c0” (highlighted in the picture). This function returns 0 if both strings are equal and 1 otherwise. So I modified the latter case by replacing the instruction “or eax, 1” with “and eax, 0” at address “0x405dd2” (highlighted in the bottom picture).
After this patch all license keys are valid, and after the first registration a file “License.lic” is created with the entered serial number. After each restart the serial key from License.lic is validated and compared using our patched strncmp, so this patch achieves a permanent full version of the software after the first registration with any serial number.
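To make the check this post describes concrete, here is an added Python model of it (not the crackme's code and not written by any poster): the entered serial is MD5-hashed and compared with the constant quoted above, a successful registration persists it to License.lic, and every later start re-validates that file. The `SERIAL=` line layout is taken from a later post in the thread; the dictionary standing in for the filesystem and the sample serials are constructed for this example.

```python
import hashlib
import re
from typing import Dict, Optional

# Constant the thread reports the binary compares the hashed serial against.
EXPECTED_MD5 = "deab67dde2001dc1a078456015765ed6"

# License.lic layout as quoted later in the thread: one line "SERIAL=<serial>".
_SERIAL_LINE = re.compile(r"^SERIAL=([A-Z0-9-]+)$")


def serial_matches(serial: str) -> bool:
    """MD5 of the entered serial vs. the baked-in constant (the strncmp == 0 case)."""
    digest = hashlib.md5(serial.encode("ascii", "replace")).hexdigest()
    return digest == EXPECTED_MD5


def parse_license(text: str) -> Optional[str]:
    """Serial stored in License.lic, or None if the file is malformed."""
    match = _SERIAL_LINE.match(text.strip())
    return match.group(1) if match else None


def register(serial: str, files: Dict[str, str]) -> bool:
    """First-run registration: a valid serial is persisted to License.lic.

    `files` stands in for the filesystem so the model runs without disk I/O.
    """
    if not serial_matches(serial):
        return False
    files["License.lic"] = f"SERIAL={serial}\n"
    return True


def startup_check(files: Dict[str, str]) -> bool:
    """Check run at every start: a missing or bad file means the nag dialog."""
    text = files.get("License.lic")
    if text is None:
        return False
    serial = parse_license(text)
    return serial is not None and serial_matches(serial)


if __name__ == "__main__":
    fs: Dict[str, str] = {}  # constructed stand-in for the program directory
    print("fresh start registered:", startup_check(fs))
    print("bogus serial accepted:", register("NOT-A-SERIAL", fs))
    fs["License.lic"] = "SERIAL=NOREPLS-0000-0000-0000-0000\n"
    print("hand-written file registered:", startup_check(fs))
```

Every decision funnels through the single boolean returned by `serial_matches`, which is why each poster's one-instruction patch on the comparison result is enough to flip the whole outcome.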
Like always, some string editing.
Also small patch to change the “JNE” to “JMP”. (That’s the point where the program does stuff depending on licence file existence and correctness, so this modification basically makes existing and non-existing and correct and not-correct license accepted => licence checking disabled)
Patch position (just search for the intermodular call DialogBoxParamW; ShowWindow is also pretty close):
I managed to crack it with a single byte change.
Changing the “test eax, eax” to “test edi, eax” forced the application to accept incorrect serials as it invalidated the test.
I spent a good deal of time trying to figure out the encryption, but I couldn’t figure it out unfortunately.
With a License.lic file containing “SERIAL=NOREPLS-0000-0000-0000-0000” it starts up in registered mode.
Hello, this post seems really, really old, but I hope you will see this and reply. I’m new to RE and currently using IDA Pro. I’m curious which disassembler you use, and how you were able to get the decrypted version of the license, since as I understand it, it encrypts the user input and compares it to deab67dde2001dc1a078456015765ed6. Your answer would really help :). Thanks in advance.
Hiya, I use x64dbg with the xAnalyzer plugin. As to revealing the serial, I just kinda stepped through the code and it popped up at some point. Got lucky I guess.
Having fun with these. They’re a good exercise for learning about how dialogs and windows work in Windows, since there are so many popups.
I used strings and saw a pretty obvious MD5 hash, and verified that it was the hashed serial key in x64dbg. I tried for a while to see if maybe there was some kind of second serial in a more easily recovered format somewhere, but couldn’t find anything. Since I don’t want to spend a few days bruteforcing the hash (though I’m pretty sure I know the format of it, since it’s likely the same as for the previous licenses), I instead just went to the function that handles startup license checks and changed a single byte to invert the logic check on the serial (sete ==> setne), so rather than checking that they’re equal it checks that they’re not equal. So now it just accepts anything except the real serial in the License.lic file.