edgyReggie is a busy guy… He has a massive workload plus a part time job at the local supermarket on the weekends, and on top of that, he has to develop his software for extra pocket money! Because of this, he does not have the time to spare to learn how to really defeat those dirty crackers and has resorted to consulting the hacking society at his university. There, he found a very keen guy by the alias of DownerDanny who was willing to help edgyReggie to protect his software and thus together, they formed edgeS0ft. There’s a slight problem though: he’s pretty new to the scene but hey, he’s volunteering so there’s no need to pay him for his work! What do you guys think of his first job?
Difficulty
Author Assigned Level: Wannabe
Community Assigned Level: (no votes yet)
Goal
Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
Your secondary (optional) goal is to generate a working name-serial pair if possible.
Bonus points to the most elegant solutions (minimal byte patching).
Rules of Engagement
None.
Research Material
DEFINITE SPOILERS IN HERE! Don't reveal unless you're really stuck!
The solution is the same as for the last one: replace the license check with a “mov eax, 1” or change the conditional jump to an unconditional one.
However, this time edgy’s hacker friend suggested adding some IsDebuggerPresent calls; this makes it harder for us to crack the program. Thankfully, we can pause the program before any checks take place, search for all calls to IsDebuggerPresent, and dummy them out. Afterwards the program is ours!
Ah, forgot to mention. edgy has obfuscated the string “Please wait… x seconds” in some way, so we can’t easily find where the popup is located. But we remember that before the license check there was always a call to InitCommonControls; we can search for that instead.
Also there is a regex check for serial validity. What I did was make a dummy serial that follows the pattern NOREPLS-0000-0000-0000-REPLS and, like you, patch a single instruction. At the start I NOPed 3 bytes at 00931E01 and it worked, but putting mov al, 1; nop there is better. Three-byte patch. To fix the debugger I used ScyllaHide.
It’s good that you utilise plugins to automate anti-anti methods; however, I encourage everyone here to disable them so that they can actually understand the process and learn from it. Should there come a time when new anti techniques emerge, reliance on plugins should not be a problem.
I’ll try to write an easy-to-follow solution, so that everyone, even beginners, can benefit from it.
What’s the first step? Yep, run the program! You’ll see it’s not that easy this time… Our debugger just tells us that the process has terminated:
Is this termination program-related? Test it out: just run the exe as you would normally do outside of your debugger; you’ll see it works like a charm… Also you’ll see this annoying nag in front of you, which just makes you keen on cracking it…
So, what could that be? Probably the program doesn’t like to be run in a debugger! There has to be a check somewhere in the code which tests whether it runs in a debugger. The approach to find it is pretty straightforward: begin at the program’s entry point and go through the code step-by-step (F8); when the program terminates, the last call was probably a bad one. When you find a terminating call, rerun the program and dig into the call, continuing our previous strategy.
You’ll get here:
If you run this little loop, the program terminates; dig into it and you’ll see the highlighted call is responsible for exiting. Interestingly, it is harmless the first time we call it, but the second time it kills us; sweet…
Open it - keep in mind that the second run is required to get to the right part of the code! - and have a look at it:
You see the call to “IsDebuggerPresent”? As the name suggests, this call checks whether the program is run in a debugger or not. If EAX is 1 it terminates -> call to “ExitProcess”.
So we have multiple ways to fix this:
change the call to MOV EAX, 0 (or XOR EAX, EAX; uses less space)
change JE to JMP
NOP out the PUSH 0 and the call to ExitProcess
Feel free to take the way you prefer… I recommend patching the jump, because it takes only one byte. Anyway, now you can start the real reversing!
I won’t cover the process of cracking the program; same as last time.
Instead of stepping through the binary we could have searched for a call to IsDebuggerPresent; it’s the easiest way of identifying a debugger, so it was guessable that it’s used here. But there are many other ways which don’t rely on this call (probably @dtm - sorry, edgyS0ft - is already on it…), so you shouldn’t rely on it either!
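The three patch options listed in the write-up above (MOV EAX,0 / XOR EAX,EAX over the call, JE to JMP, NOPing out PUSH 0 plus the ExitProcess call), and the “mov eax, 1” / JE-to-JMP idea from the first reply, as a worked byte-patching example. This is added here and is not code from any poster or from the crackme. The x86 bytes are constructed to mimic the usual compiler output for an `IsDebuggerPresent` gate (`call [IAT slot]; test eax, eax; je short; push 0; call [ExitProcess]`); the IAT slot addresses are hypothetical, and the tiny interpreter only models the handful of opcodes in that sequence so each patch can be checked for effect and byte count. On a real binary, find the IAT slot from the import directory and scan for `FF 15 <slot>`; if the import is reached through a thunk the call is `E8 rel32` instead and the signature must change.

```python
import struct

# Hypothetical IAT slot addresses (constructed for this example).
IAT_ISDEBUGGERPRESENT = 0x00402010
IAT_EXITPROCESS = 0x00402014


def build_sample():
    """Constructed x86 code around the IsDebuggerPresent gate (not the crackme's bytes)."""
    code = bytearray()
    code += b"\x55\x8B\xEC"                                         # push ebp; mov ebp, esp
    code += b"\xFF\x15" + struct.pack("<I", IAT_ISDEBUGGERPRESENT)  # call [IsDebuggerPresent]
    code += b"\x85\xC0"                                             # test eax, eax
    code += b"\x74\x08"                                             # je short +8 (over push/call)
    code += b"\x6A\x00"                                             # push 0
    code += b"\xFF\x15" + struct.pack("<I", IAT_EXITPROCESS)        # call [ExitProcess]
    code += b"\x33\xC0\x5D\xC3"                                     # xor eax, eax; pop ebp; ret
    return bytes(code)


def find_checks(code, iat_slot=IAT_ISDEBUGGERPRESENT):
    """Offsets of every `call [iat_slot]; test eax, eax; je short` sequence in code."""
    sig = b"\xFF\x15" + struct.pack("<I", iat_slot) + b"\x85\xC0\x74"
    hits, pos = [], 0
    while (pos := code.find(sig, pos)) >= 0:
        hits.append(pos)
        pos += 1
    return hits


# Patch bodies, offset relative to the start of the found `call`. Gate layout:
#   +0 call [IsDebuggerPresent] (6)  +6 test eax,eax (2)  +8 je rel8 (2)
#   +10 push 0 (2)                   +12 call [ExitProcess] (6)
PATCHES = {
    "mov_eax_0": (0, b"\xB8\x00\x00\x00\x00\x90"),  # mov eax, 0 ; nop
    "xor_eax":   (0, b"\x31\xC0\x90\x90\x90\x90"),  # xor eax, eax ; nop x4
    "je_to_jmp": (8, b"\xEB"),                      # je -> jmp short (one byte)
    "nop_exit":  (10, b"\x90" * 8),                 # nop out push 0 ; call [ExitProcess]
}


def apply_patch(code, check_off, name):
    """Return (patched_code, number_of_bytes_changed) for one patch strategy."""
    rel, new = PATCHES[name]
    if name == "nop_exit":
        # Only safe when the je really skips exactly `push 0; call [ExitProcess]`.
        expect = b"\x6A\x00\xFF\x15" + struct.pack("<I", IAT_EXITPROCESS)
        if code[check_off + 9] != len(expect) or code[check_off + 10:check_off + 18] != expect:
            raise ValueError("unexpected code after je; refusing to nop it out")
    out = bytearray(code)
    out[check_off + rel:check_off + rel + len(new)] = new
    return bytes(out), sum(a != b for a, b in zip(code, out))


def run(code, debugger_present):
    """Minimal interpreter for the opcodes used here (not a general emulator).

    IsDebuggerPresent is modelled by returning `debugger_present` in EAX,
    ExitProcess by ending the run. Returns "exited" or "survived".
    """
    eax, zf, ip = 0, False, 0
    while ip < len(code):
        op = code[ip]
        nxt = code[ip + 1] if ip + 1 < len(code) else None
        if op in (0x90, 0x55, 0x5D):                 # nop / push ebp / pop ebp
            ip += 1
        elif op == 0xC3:                             # ret: we made it past the gate
            return "survived"
        elif op == 0x6A:                             # push imm8
            ip += 2
        elif op == 0x8B and nxt == 0xEC:             # mov ebp, esp
            ip += 2
        elif op in (0x31, 0x33) and nxt == 0xC0:     # xor eax, eax
            eax, ip = 0, ip + 2
        elif op == 0xB8:                             # mov eax, imm32
            eax, ip = struct.unpack_from("<I", code, ip + 1)[0], ip + 5
        elif op == 0x85 and nxt == 0xC0:             # test eax, eax
            zf, ip = eax == 0, ip + 2
        elif op in (0x74, 0xEB):                     # je rel8 / jmp rel8
            rel = nxt - 256 if nxt > 127 else nxt
            ip += 2 + (rel if op == 0xEB or zf else 0)
        elif op == 0xFF and nxt == 0x15:             # call [abs32] through the IAT
            slot = struct.unpack_from("<I", code, ip + 2)[0]
            if slot == IAT_EXITPROCESS:
                return "exited"
            if slot != IAT_ISDEBUGGERPRESENT:
                raise ValueError(f"unknown import slot {slot:#x}")
            eax, ip = int(debugger_present), ip + 6
        else:
            raise ValueError(f"unsupported opcode {op:#x} at offset {ip}")
    raise ValueError("ran off the end of the code")


if __name__ == "__main__":
    sample = build_sample()
    off = find_checks(sample)[0]
    print(f"gate at offset {off}: unpatched, debugger attached -> {run(sample, True)}")
    for name in PATCHES:
        patched, changed = apply_patch(sample, off, name)
        print(f"{name:10s}: {changed} byte(s) changed -> {run(patched, True)}")
```

Running it shows why the write-up recommends the jump: `je_to_jmp` changes one byte, the two call replacements change six, and `nop_exit` eight, while all four leave the program alive with a debugger attached. The `nop_exit` guard matters in practice: it refuses to NOP anything unless the bytes after the `je` are exactly the `push 0; call [ExitProcess]` pair, so a mis-sized NOP sled cannot land in the middle of an unrelated instruction.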