Courtesy of fravia's page of reverse engineering
~
A very interesting essay (the target is absolute crap, though): how to crack
a protection where some key files are
missing, using more your logic than your debugger! (Note also the
"social engineering" touch :-)
Let's hear Hackmore himself about it:
...I did not go into "coding" details in this crack in an effort to get
people to try cracking themselves. I know many people who shiver in
their boots when they see assembly code. Especially when they see a lot of
it, as sometimes happens in these tutorials. I think if people see how
easy it is, they might try it, and "gradually" figure things out!
NetWorker
Cracked by Hackmore Readrite
Available at http://www.mlmsoft.com
This is, in my opinion, probably the best database for anyone who makes a
living by the "Christmas Tree" method. That's when you sell a product to
someone, then they re-sell it to two (or more) other people, who each re-sell
it to two (or more) people, etc. And as the number of products sold
increases, so do your profits, since a portion of each sale filters its way
back up to the top of the "tree", which is you.
Naturally, in a system like this, you want to keep track of all the people
who have purchased, and all the people who have sold, so you can count all
of the money you'll be raking in on your next pay-check.
What a terrible way to make a living! It has produced some very rich people
though, the ones who supply the product!
I decided to crack this program because it was missing a file. What better
challenge than one without an answer. After all, if all of the pieces of the
puzzle are not there, the puzzle can not be assembled, right? Wrong!
I will not bore you with assembly code in this lesson for several reasons.
The first, because this is a small company just trying to eke out a living
in the overbloated jungle of code Microsoft has created. The second reason,
as you will see, the crack is so simple anyone can do it! Yet, because of a
missing file, MOST people would be too intimidated to even try. "Scare them
to death and they'll leave us alone." Like +ORC said, "DO NOT BELIEVE THEM!"
And lastly, I do NOT like sitting on top of a mountain of slaves, feeding off
their hard work.
Before we even begin to crack this, we'll unpack the zip file and have a
look at the pieces we DO have. When unzipped, we have three folders, (disk1,
disk2, and disk3) plus a "readme.txt", which says...
-----------------------------------------------------------------------------
Congratulations! This release of Networker has been widely accepted by
Network Marketers.
We have one reported problem that occurs on some windows machines:
"Error in Critical System File"
If this error is encountered be sure that you copy the ntworker.key
file found on disk 3, to your windows\system directory.
Enjoy your trial version of Networker.
-----------------------------------------------------------------------------
Looking inside the folders, we find "install.txt" in the "disk3" folder.
Reading this, we find the following information...
-----------------------------------------------------------------------------
Diskette 1 required files:
setup.arv
setup.exe
setupmn.arv - archive of primary files
Diskette 2 required files:
Setup.a02 - archived primary files.
Diskette 3 required files:
final - initializes Networker for first time use. Called by setup.exe
license.txt - license agreement
ntworker.dis - Distribution file enabling you to receive royalties
ntworker.key - Networker license file
Setup.a03 - remainder of archived primary files.
-----------------------------------------------------------------------------
Not a lot of info, but very important as we crack. We now understand that
the file "ntworker.key" must be placed in the C:\windows\system directory,
and "final.exe" is a file we can "suspect" in our evaluation, just a "zen"
feeling:... the description (above) for "final.exe" seems a little "bloated"
to me, like they're making excuses for its existence. Why?
Take a look at "ntworker.key"... It's a file consisting of 55 lines of
numbers, each number is 3 digits long, and each line has 46 numbers in it.
That's 2500 numbers! The very last line begins with an "S", which is the ONLY
alpha character in the entire file. Hmm...
Time to install. Double click on "setup.exe" in the "disk1" folder, and
watch the install go its merry way, but there's no indication that the
"final.exe" program ever ran. Start the program, and we get slapped in the
face with the error message described above. Copy "ntworker.key" to the
C:\windows\system directory, and re-start the program. This time, we get
slapped in the face with a "nag" screen that KNOWS we are an "unregistered"
user before the program even gets on screen.
After a slight delay for the "nag" screen, the program comes up, with its
"user info" screen ready to fill in, but our "name" is already "unregistered
copy" and we are not allowed to change it. A new "readme" file tells us we
are limited to only 10 entries, although the license clearly states we are
limited to 20 entries, and if you read the license further, it says we can
have 30 entries! So there's some type of limitation on the number of entries,
we just have to guess how many. Shut the program down, another slap with the
"nag" screen. This time they even make us press a button! They'll never
learn! And I'll try the easy stuff first.
A quick look at the "about" on the help menu, and I see the program's
serial number, the same number as the first four groups of numbers on the
last line of the "ntworker.key" file, beginning with "S". Maybe a clue?
A double click on the "final.exe" file icon and I get an error message...
"can't find file 'setup.syx'"
And my usual "social engineering" with the people who want my money,
teaches me that they WILL lower the price if I'm a "hard sell", and when I
do send them money, they will send me another program, (the missing file)
that will register my copy. Time to go to work.
Just out of curiosity, I deleted the program from my hard drive, then
re-unzipped it. But before I re-installed it, I deleted the "final.exe" file
from the "disk3" folder. As expected, install went fine, even without the
(now TWO) missing files. I guess they LIED in the file list above!
We know the program knows we're unregistered before we ever get to see the
user screen, and there's no way to input our personal information, and there
is something important about "ntworker.key" so we'll assume the information
we're looking for is near the start of the program. We'll also assume the
"nag" screen is triggered by something in the ".key" file.
Break out SoftIce, load up the program "ntworker.exe", and when SoftIce
pops up at the program entry line, we see the first 21 lines of code are
CALLs to subroutines. What a great place to start. To narrow down the field
a bit, I went about half way down the list and entered a "here" command,
while watching the screen for a "nag", but nothing showed up. Then I went to
the line just past the last call, entered "here", and still no "nag" screen.
A few lines of code, and another CALL, a few more lines of code, and yet
another CALL, a few more lines of code, and another CALL - this CALL painted
a grey box on the "user screen", and finally, a few more lines of code, and
the CALL I was looking for, the "nag" screen was painted.
Now I'm at CS:000000C9, with 25 calls behind me, and ONE of those CALLs
must have accessed the ".key" file. Which one? It would likely be near the
CALLs that draw the "nag" screen.
I shut down the program, took a quick look at the ".key" file to write
down the serial number, then re-loaded the program. I went past the first 21
CALLs, and entered a "here" command. Then I searched memory for the serial
number. No luck. Go past the next sub-routine CALL, enter "here", search
memory, no luck. But on my THIRD try, at CS:000000A9, I found the entire
".key" file loaded into memory.
Re-start the program, this time I went to the offending CALL to place my
"here" command on CS:000000A9, then I traced ("t") into the call. Once
inside, I placed a breakpoint on HMemCpy (bpx hmemcpy) and then "ctrl-d" to
let the program run. A couple of breaks later, and the first line of the
".key" file was moved into ES:DI, with a 3 digit number (910) appended at the
beginning of the number sequence. I followed this number string through,
using the "t" command, but the whole string was just ignored, and I found
myself back at HMemCpy.
I thought this was just loading the ".key" file into memory, so I pressed
"ctrl-d" each time the program broke back into SoftIce, expecting to follow
things through after the whole file had been copied. Then, on the 8th time
around, I noticed the line being copied from the ".key" file had "910" as
its third group of numbers. I decided to follow this string, and it branched
off of the normal path, as I had hoped.
The program runs us through a few CMPs to see if it has located a "$",
or a "+" or a "-" sign. Then our number is converted to a hexadecimal number,
and finally, the hexadecimal number is run through a whole bunch of CMPs. Here
lies our "crack", because IF the hexadecimal number matches one of the CMPs,
a "different" hexadecimal number is stored in memory. And all of these
"different" numbers just happen to coincide with the hexadecimal equivalents
to the characters of the alphabet!
Nothing really important happens with the 910 number, so we continue on,
until the 18th number string from the ".key" file. This time the number "735"
is appended to the beginning of the number string. The string also contains a
"735", so I follow it. I find the number "735" gets converted to a hex "02DF"
which CMPs to "U". The next time around, the number appended to the SAME
number string is "479", which gets converted to hex "01DF", then CMPs to "N",
etc. That whole nasty word "UNREGISTERED" is on this SAME number string line!
This continues until the entire ".key" file has been read.
The crack, you ask? Isn't it obvious? Just go to the long string of CMPs,
copy down the hexadecimal number on the CMP line of code, along with the
letter of the alphabet that corresponds to the hexadecimal number that will
be placed in memory if the CMP proves true. Then convert the hexadecimal
number to its digital form, this will give you the "alphabet" used in the
"ntworker.key" file. Now just go to the line that holds the numbers that
spell "UNREGISTERED" and replace these numbers with the numbers that match
the letters of your first name. THEN find the line that has the numbers
pertaining to "COPY", and do the same thing, like this...
-----------------------------------------------------------------------------
".key" file "640,...735,479,235,190,429,684,499,440,190,235,190,838,455,..."
converted to hex 2DF 1DF 0EB 0BE 1AD 2AC 1F3 1B8 0BE 0EB 0BE 346
puts into memory 55 4E 52 45 47 49 53 54 45 52 45 44
which spells U N R E G I S T E R E D
I want my name H A C K M O R E
put into memory 48 41 43 4B 4D 4F 52 45
so I need to CMP to 0DC 18F 32E 142 1E4 17B 0EB 0BE
which in decimal is 220 399 814 322 484 379 235 190
".key" file "640,...220,399,814,322,484,379,235,190,455,235,190,838,455,..."
-----------------------------------------------------------------------------
The string you want to print (your name) MUST end with a number which does
NOT match any of the CMPs. That's the signal to the computer to stop reading
the current number string. I've used "455" in this example. Also, each number
string MUST contain 46 numbers, if not, you'll get an error message.
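Added here as an example (not Hackmore's code and not anything from the mlmsoft package): a decoder for the key-file number strings as the essay describes them. It uses only the 15 CMP values recovered above (the rest of the real table is unknown), treats the first number that matches no CMP as the stop signal, and checks the 46-numbers-per-line rule. The two sample lines are constructed, since the essay shows only fragments; the filler value 100 is assumed to match no CMP. The point it makes plain is that the "registered name" is a fixed substitution code with no integrity check, which is why editing the file by hand is enough.

```python
# Added example, not from the essay: decode "ntworker.key" number strings
# the way the essay describes ntworker.exe doing it.
import re

# CMP values the essay recovered (the hex the program compares against),
# mapped to the byte it then stores in memory (the ASCII letter).
# Only these 15 letters are known; every other entry is unknown.
CMP_TABLE = {
    0x2DF: 0x55, 0x1DF: 0x4E, 0x0EB: 0x52, 0x0BE: 0x45,  # U N R E
    0x1AD: 0x47, 0x2AC: 0x49, 0x1F3: 0x53, 0x1B8: 0x54,  # G I S T
    0x346: 0x44,                                        # D
    0x0DC: 0x48, 0x18F: 0x41, 0x32E: 0x43, 0x142: 0x4B,  # H A C K
    0x1E4: 0x4D, 0x17B: 0x4F,                           # M O
}
NUMBERS_PER_LINE = 46  # each key-file line holds 46 three-digit numbers


def parse_line(line):
    """Split one key-file line into its three-digit decimal numbers."""
    return [int(n) for n in re.findall(r"\d{3}", line)]


def decode_field(nums, seed):
    """Start at the first occurrence of `seed` (the number the program
    prepends to the string) and map each number through the CMP table;
    the first number matching no CMP is the stop signal."""
    if seed not in nums:
        return ""
    letters = []
    for n in nums[nums.index(seed):]:
        if n not in CMP_TABLE:          # decimal 735 == 0x2DF, so int compare
            break
        letters.append(chr(CMP_TABLE[n]))
    return "".join(letters)


def line_ok(nums):
    """The essay's length rule: a line without exactly 46 numbers errors."""
    return len(nums) == NUMBERS_PER_LINE


# Constructed sample lines (the essay shows only "640,...735,...,455,...").
UNREG_CODES = [735, 479, 235, 190, 429, 684, 499, 440, 190, 235, 190, 838]
NAME_CODES = [220, 399, 814, 322, 484, 379, 235, 190]


def build_line(codes):
    body = [640] + codes + [455]                   # 455: stop signal
    body += [100] * (NUMBERS_PER_LINE - len(body))  # 100: assumed filler
    return ",".join("%03d" % n for n in body)


UNREG_LINE = build_line(UNREG_CODES)
NAME_LINE = build_line(NAME_CODES)
```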
Yes, I could give you the whole crack and tell you which lines need to be
changed to complete your task, and I could give you the entire alphabet, but
that would take all the fun out of learning how to do it yourself. Simply
changing the "UN" above will crack this program, if you're lazy.
Now, fully registered, we can assume the missing file "setup.syx" only
contains the alphabet conversion tables, maybe with some offset information
for the "ntworker.key" file. And when you pay for your copy, they send you
"setup.syx", then you run "final.exe" to paste the "user info" into the
"ntworker.key" file.
So if you want, you could write your own "setup.syx", or just convert the
"ntworker.key" file by hand. Either way you'll know that just because they
used the "missing file" scare tactic on you doesn't mean the program cannot
be cracked!
Happy Crackin'
Hackmore Readrite
DataMiners Inc.