AMU Q/95 3.10 CRACK
BY AESCULAPIUS
Courtesy of fravia's page of reverse engineering
AMU Q/95 3.10 CRACK BY AESCULAPIUS
----------------------------------
Hi all. I'm going to show you in the next paragraphs how to crack AMU W/95
3.10 using the 'dead listing' approach. Off course, you'll need to read
first, the Master +ORC lesson 9.3. You'll also need a good disassembler,
like w32dasm7 (already cracked by some of the notorious +ORC students).
AMU (automated maintenance utility) is an excellent application to
process files areas and some very useful automated messages which will
relieve the sysop's daily burden when running a BBS system. You can find
a copy of it at http://www.isonline.com/amu. Install the program as usual.
Proceed to disassemble the file amuw.exe. You'll get a quite large text file.
Load it in your favorite word processor. All right, you're doing well. Now
you're able to make some Zen analysis. What to look for? AMU is protected
via two different methods, the first one, consists in a very decent
'unregistered for nn days' advice every time you run it. The first day,
the unregistered advice reads: Unregistered for (1 day). The day after,
it'll read: Unregistered for (nn) days, where 'nn' are the number of days
the programs has been used without registration. The second method is a 30
days time limit 'a lo cinderella', after which the program will stop working
(Goddamn it!). You can also deduce just by using your brain substance a
little bite more than usual, that this program is registered via an special
key file named 'amu.key'. How do I know this? By reading the users manual :).
Now that we know what we're looking for, lets load the disassembled text file
in our favorite word processor and hit the search key, typing the following
search patterns: 'amu.key' and 'Licensed'. We get a very interesting segment
of code when looking for amu.key pattern. Let's print it here:
:0041B4AC 68C0000000 push 000000C0
:0041B4B1 E8FBDD0100 call 004392B1
:0041B4B6 53 push ebx ; pushing registers...
:0041B4B7 51 push ecx
:0041B4B8 52 push edx
:0041B4B9 56 push esi
:0041B4BA 57 push edi
:0041B4BB 55 push ebp
:0041B4BC 89E5 mov ebp, esp
:0041B4BE 81EC94000000 sub esp, 00000094
:0041B4C4 8945FC mov [ebp-04], eax ; Could [ebp-04] be
:0041B4C7 8B45FC mov eax, [ebp-04] the memory location
:0041B4CA 057B190000 add eax, 0000197B where the unregiste-
:0041B4CF 50 push eax red 'days counter' is
stored?
* Possible StringData Ref from Data Obj ->"%sAMU.KEY"
Very interesting, but I'm not sure of anything at this point. I won't
be lying as many others I believe do, telling you: "I'm using only, and I
repeat only, the 'dead listing approach' to solve this crack and I can tell
you without any doubt what's going one here". What you're not aware of, If
that they already ran the program over softice, therefore knowing what's in
every register and every memory location. In this manner, their analysis
seems to be the one of a genius. I had never run this program in softice,
so I could be very wrong about what I'm thinking the code is doing or what I
believe is the contents of some memory location or CPU register at some point,
but even if I'm wrong, at least I'm sincere. You can load this program in
softice and crack it with one hand on your back and one eye closed, but
that's not the point, what we're trying to probe is that the 'dead listing
approach' is the election strategy when you're dealing with NAG-screen
protections and that you don't need anything else to make a victorious crack.
Now what I think the code is doing in this first segment, is to check in the
AMU directory for an amu.key file, if it is there, then, it'll run some
mathematical sequence to validate the key. If the key is false, it'll
probably direct the execution somewhere else inside one of the calls of this
segment or maybe to a place we haven't even see yet.
Now, let's check our next location. Hit the search button on your
word processor and look for the following pattern: 'Licensed'. This is what
we get:
:0041B679 B8E4204500 mov eax, 004520E4
:0041B67E 50 push eax
:0041B67F 8B45FC mov eax, [ebp-04]
:0041B682 057B190000 add eax, 0000197B
:0041B687 50 push eax
* Possible StringData Ref from Data Obj ->"%s%s"
|
:0041B688 B8E7204500 mov eax, 004520E7
:0041B68D 50 push eax
:0041B68E 8D459C lea eax, [ebp-64]
:0041B691 50 push eax
:0041B692 E81EDE0100 call 004394B5
:0041B697 83C410 add esp, 00000010
:0041B69A BA80010000 mov edx, 00000180
:0041B69F 8D459C lea eax, [ebp-64]
:0041B6A2 E876DD0100 call 0043941D
:0041B6A7 8D459C lea eax, [ebp-64]
:0041B6AA E8A9DD0100 call 00439458
:0041B6AF 8B45FC mov eax, [ebp-04]
:0041B6B2 83C028 add eax, 00000028
:0041B6B5 50 push eax
* Possible StringData Ref from Data Obj ->"Licensed to %s"
As you can see, we're in the middle of the code which is executed when the
program runs in its registered fashion. This segment begins at :0041B679,
before this instruction, there is an unconditional jump which prevents the
programs to execute this segment without the assistance of a conditional
jump. What we need to do now is to scroll back a little to find a conditional
jump, which will direct the execution to this holy area beginning at
:0041B679 and avoiding the unconditional jump at :0041B677. Scrolling back
we find what we're looking for:
:0041B4D0 B89A204500 mov eax, 0045209A
:0041B4D5 50 push eax
:0041B4D6 8D459C lea eax, [ebp-64]
:0041B4D9 50 push eax
:0041B4DA E8D6DF0100 call 004394B5
:0041B4DF 83C40C add esp, 0000000C
:0041B4E2 8D559C lea edx, [ebp-64]
:0041B4E5 B89C394600 mov eax, 0046399C
:0041B4EA E8B1CB0000 call 004280A0
:0041B4EF 89C2 mov edx, eax
:0041B4F1 8D857CFFFFFF lea eax, [ebp+FFFFFF7C]
:0041B4F7 E8E9DF0100 call 004394E5
:0041B4FC 8D957CFFFFFF lea edx, [ebp+FFFFFF7C]
:0041B502 B86E344600 mov eax, 0046346E
:0041B507 E8F666FFFF call 00411C02
:0041B50C 8D957CFFFFFF lea edx, [ebp+FFFFFF7C]
:0041B512 B86E344600 mov eax, 0046346E
:0041B517 E88166FFFF call 00411B9D
:0041B51C 80BD7CFFFFFF00 cmp byte ptr [ebp+FFFFFF7C], 00 ; Flag?
:0041B523 7415 je 0041B53A ; lands in
:0041B525 8D957CFFFFFF lea edx, [ebp+FFFFFF7C] :0041B53A
:0041B52B 8B45FC mov eax, [ebp-04] where an
:0041B52E 83C028 add eax, 00000028 unconditional
:0041B531 E899DD0100 call 004392CF jump take us
:0041B536 85C0 test eax, eax away from our
:0041B538 7502 jne 0041B53C beloved :0041B53c jump
:0041B543 jump
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041B523(C)
|
:0041B53A EB0D jmp 0041B549 ; This jump drives the
program to the war zone
(unregistered segments
of the code)
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041B538(C)
|
:0041B53C 8B45FC mov eax, [ebp-04] ; The counter!!!
:0041B53F 80782800 cmp [eax+28], 00
:0041B543 0F8530010000 jne 0041B679 ; Our bingo jump!!!
Ok, we're almost done. What we have to do (in case you haven't figured it out
yet) is to force the execution from :0041B523 to :0041B543 and then, we
can make a victorious unconditional jump to :0041B679 where the mambo begins
to sound!!!
Why not make a great big jump from :0041B523 to :0041B679 directly?
Because you cannot make a so big intrasegmentary jumps in assembler!!
Lets proceed: With a good Hex editor (I prefer Hiew v. 5.50 or
PSEDIT 4.4) search for the following Hex code:
74158D957CFFFFFF ; and change it for:
EB1E8D957CFFFFFF ; this change will substitute the
instruction:
:0041B523 je 0041B53A ; for:
:0041B523 jmp 0041B543
Then, search the following pattern:
0F8530010000 ; and change it for:
E93101000000 ; this change will substitute the instruction:
:0041B543 jne 0041B679 ; for:
:0041B543 jmp 0041B679
As you can note, i've changed both conditional jumps to unconditional,
the reason for this, is that, no matter what's the state of the counter,
the excution will always go to the right place.
There are many more great locations of the protection scheme in this
application that we would want to check and understand. For example,
:0041B715 837DFC1E cmp [ebp-04], 0000001E
:0041B719 7F06 jg 0041B721
1E Hexadecimal is 30 decimal!!! 30 days is our unregistered free trial period
limit. This means that [ebp-04] was in fact the counter...
Soon after, at location:
:0041B728 837DFC3C cmp [ebp-04], 0000003C
:0041B72C 7F06 jg 0041B734
Look at this, 3C Hex is 60 decimal. This means that the program will
warn you after 30 days of continuous use, that you'd passed the permitted
free trial period limit, and after 60 days, the application will stop
working. Follow the jump to :0041B734 and you'll see what i mean...
There are thousands of ways to crack this program, so be my guess and try
your own.
After all this crap, AMU will never expire, and it will show when executed,
Registered to: Your proud name.
I'm not a +ORC lucky student though I would like to be. It happens
that I knew of his +HCU too late. However, i can always share good cracking
knowledge with master +ORC and +his students.
If this text is published I'll write another lesson where I'll teach you
some new cracking techniques.
Take care, bye bye!
Aesculapius...
aesculapius@cyberjunkie.com
Aesculapius 1997. All rights reversed.
You are deep inside fravia's page of reverse engineering,
choose your way out:
homepage
links
anonymity
+ORC
students' essays
academy database
tools
cocktails
search_forms
mail_fravia
Is reverse engineering legal?