edgyReggie and DownerDanny of edgeS0ft have reviewed the results of the cracking attempts in the previous thread and are quite happy that there is progress in deterring crackers’ attempts at pirating the software. edgyReggie has also noticed that people have been able to share registration information amongst each other to unlock the full program, so as a response to this, he has removed the use of the licensing file entirely. Meanwhile, DownerDanny has been looking further into different ways he could protect easily recognisable and potentially sensitive information.
Difficulty
Author Assigned Level: Wannabe
Goal
Your goal is to achieve the “full” version of the software, i.e. removing all nags that you see and unlocking all features of the program.
Your second goal is to ensure that your unlocked program works on different machines.
Your third (optional) goal is to generate a working name-serial pair if possible.
Bonus points to the most elegant solutions (minimal byte patching).
Rules of Engagement
Not really a rule but it would be a better learning experience if you disable all anti-anti plugins. I’m not forcing this onto you but I’d recommend leaving them until later.
Research Material
DEFINITE SPOILERS IN HERE! Don't reveal unless you're really stuck!
You have to talk to edgyReggie! Right now he is forcing his potential customers to crack his software, because there can not be a valid name-serial pair.
No matter what name-serial pair is passed to the verification function, you can tell it will always return false when you look at how the return value is computed: return Acc % 10 > 105;
Instead of calling IsDebuggerPresent, the program checks the BeingDebugged field of the Process Environment Block by itself. Here is the responsible function:
After that we gotta find the license check. All strings seem to be obfuscated and InitCommonControls is gone so instead I opted to find DialogBoxParamW:
Right above that we see the familiar CALL, TEST, JNE. We patch it out using our preferred method and the program is cracked!
@dtm: Do you have some plan of these challenges or do you make them up as you go along?
Hm only have little time at the moment, got it working but it isn’t looking correct.
I guess I have to search for all the anti debugging and anti modification code later!
CPU Disasm
Address Hex dump Command Comments
013818D9 |> \8B35 98603901 MOV ESI,DWORD PTR DS:[<&KERNEL32.GetMod ; Case 110 (WM_INITDIALOG) of switch NoREpls2_1.13817C6
013818DF |. 6A 00 PUSH 0 ; /Count = 0
013818E1 |. 68 B8F53901 PUSH OFFSET 0139F5B8 ; |Buffer = ""
013818E6 |. 6A 75 PUSH 75 ; |StringID = 117. => 'NoREpls - Version 2.1 (demo version)'
013818E8 |. 6A 00 PUSH 0 ; |/ModuleName = NULL
013818EA |. FFD6 CALL ESI ; |\KERNEL32.GetModuleHandleW
013818EC |. 8B3D C8613901 MOV EDI,DWORD PTR DS:[<&USER32.LoadStri ; |
013818F2 |. 50 PUSH EAX ; |hInst
013818F3 |. FFD7 CALL EDI ; \USER32.LoadStringW
013818F5 |. FF35 B8F53901 PUSH DWORD PTR DS:[139F5B8] ; /Text = NULL
013818FB |. 53 PUSH EBX ; |hWnd
013818FC |. FF15 90613901 CALL DWORD PTR DS:[<&USER32.SetWindowTe
01381902 |. C705 B8F53901 MOV DWORD PTR DS:[139F5B8],0
0138190C |. E8 8F190000 CALL 013832A0
01381911 |. 84C0 TEST AL,AL
01381913 74 18 JNZ SHORT 0138192D ; patch this to JZ and you will get a working version
I don’t like double posting, but whatever. Thanks dtm!
Jumped over mean anti-debugger code in a trial and error approach.
I then NOPed the ExitProcess code that CRCed the StringTable to be able to modify it.
Now I applied the patch from my previous comment.
The program crashed for some reason, so I fixed that as well.
Interesting further reading I found but not necessary directly connected to this:
Guys, some of you go about it in a very complex way; it is actually very easy.
The solution is exactly the same as part 4. At VA 0342FE8 just patch it to mov al, 1; nop. It is the serial verification function. With the patch you can enter any name and serial, provided it follows the regex NOREPLS-%d-%d-%d-%d, and it will be accepted. The license file was removed but w/e, license data is saved to the registry. The same proc is used to verify the key from the registry so it will remain cracked on relaunch.
@Joe_Schmoe another easy way to find the license check function is to put a breakpoint on MessageBoxW and let the license check fail. We can see where it is called from and find the license check easily.
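The CRC over the StringTable mentioned earlier in the thread (the check one reply had to NOP before the resources could be edited) is a small anti-tamper measure. As an added example, not edgeS0ft's code, here is the shape of such a check in C, with a constructed table standing in for the real resource strings and a self-check that shows a one-word edit being caught:

```c
#include <stdint.h>
#include <string.h>

/* Constructed stand-in for the program's StringTable resource. */
static const char *const kStrings[] = {
    "NoREpls - Version 2.1 (demo version)",
    "Register",
    "Thank you for registering!",
};
#define NSTRINGS (sizeof kStrings / sizeof kStrings[0])

/* Standard CRC-32 (IEEE, reflected poly 0xEDB88320); pass the previous result as crc to chain calls. */
uint32_t crc32_update(uint32_t crc, const void *buf, size_t len) {
    const uint8_t *p = (const uint8_t *)buf;
    crc = ~crc;
    while (len--) {
        crc ^= *p++;
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC over every string including its NUL, so a moved boundary is caught as well as a changed byte. */
uint32_t string_table_crc(const char *const *tbl, size_t n) {
    uint32_t crc = 0;
    for (size_t i = 0; i < n; i++)
        crc = crc32_update(crc, tbl[i], strlen(tbl[i]) + 1);
    return crc;
}

/* 1 if the table still matches the build-time value, else 0. The real program exits on mismatch. */
int table_is_intact(const char *const *tbl, size_t n, uint32_t expected) {
    return string_table_crc(tbl, n) == expected;
}

/* Self-check: untouched table passes, a copy with "demo" changed to "full" fails. Returns 1 when both hold. */
int detects_edit(void) {
    uint32_t expected = string_table_crc(kStrings, NSTRINGS);
    char edited[64];
    strcpy(edited, kStrings[0]);
    memcpy(strstr(edited, "demo"), "full", 4);
    const char *const patched[] = { edited, kStrings[1], kStrings[2] };
    return table_is_intact(kStrings, NSTRINGS, expected)
        && !table_is_intact(patched, NSTRINGS, expected);
}
```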