How to crack Portscan v1.2b1
(More about password xoring protection schemes)

by Hackmore Readrite


Courtesy of Fravia's page of reverse engineering

Portscan v1.2b1   Cracked by Hackmore Readrite, DataMiners Inc.
                    "Keep it FREE!"

----------------------------------------------------------------------------
  From the "Readme" file included with Portscanner...
Port Scanner is a tool that allows you to scan a group of IP addresses
looking for the presence of specific incoming TCP/IP ports. This is a 
large benefit to anyone managing a TCP/IP network, or to anyone who is 
concerned with the possible security risks that some TCP/IP tools 
present to their network.

Using an intuitive interface that allows you to specify the start and 
end addresses of a scan, you can quickly check a specific machine, a 
subnet, or an entire domain. Port Scanner comes predefined to scan for 
the most common TCP/IP services, and provides a quick way to add new 
ports to any scan. In addition, Port Scanner lets you scan a subset of 
the existing ports, and to save subsets into named groups for easy 
recall. Scan results can be easily printed or save to a file.

Port Scanner requires a WinSock compatible TCP/IP stack, and is fully 
Windows 95 compatible.
----------------------------------------------------------------------------

	This "shareware" program has a nag screen that wont let you cancel
  until it "times out" (about 30 seconds but seems like forever!) To make
  things worse, the nag screen hits you when you open the program, and then
  again when you close it! And... you are only allowed 5 ports for each
  "group" of ports you want to make.

	If you want to use this little program, you can get it at:

http://www.blueglobe.com/~cliffmcc

	Here's how I cracked it. Most of this stuff is pretty basic so
  I'll just explain whats going on until I get to the good stuff. You'll get
  to see all the code anyway when you crack it yourself.

	We load the program into SoftIce, and when the nag screen pops up,
  we push the register button. Enter a name, and (I found out later) a 25
  digit NUMBER. Since I wanted the program registered in my name, thats what
  I entered, which was also a mistake. (Hackmore Readrite is 17 characters
  so I had to loop through the math subs 34 times! Twice for each character)

	O.k. Information is entered into the boxes, so...

	ctrl-d                           ;enter SoftIce
	s ds:0 lffffffff "123,454,321"   ;search for the number I entered
	found at 0030:8028####           ;number was found, and to my
                                        ;surprise, my name was just two
                                        ;lines below the number in the
                                        ;data window!
	bpr ds:8028#### ds:8028#### rw   ;break on the number I entered
       bpr ds:8028#### ds:8028#### rw   ;break on my name
	ctrl-d                           ;enter program, push the button to
                                        ;register the program.


	Do these last three steps a bunch of times because both the "name"
  and the "number" are moved four times each befor we get to use them. Each
  time a string got moved, I deleted my old breakpoint on that string and
  set up a new breakpoint for the new location.

	Then the fun begins. Right away, we get kicked out because the first
  cmp instruction checks to see if the serial number is 25 digits. (19 hex)
  If the number has more than or equal to 25 digits, we're a good guy. Less
  than 25 digits means bye-bye.

	So after a new start, with the proper number of digits, we can move
  on. Next we do some compares (cmp) to see if there are any "$", " ", "+",
  or "-" in the string of digits. It looked to me like the program didn't
  like those characters so I didn't push the matter, I just edited memory to
  change my coma's to digits.

	The digit string checks out so its time to do some math. We start
  with the first character of the text string, move it to a new point on the
  stack for storage. Then we hop around the string, grab a character, XOR it
  to the byte we have stored, save the result at the same (storage) address,
  then pick a new character, ADD it to our stored byte, save it to the same
  storage address again, pick a new character, XOR it, save it.... you get
  the rythem, right? Each pass through this loop, we get a character, each
  even numbered pass we XOR our character to "storage", each odd numbered
  pass we ADD our character to "storage". The result is saved at "storage"
  at the end of each pass.

	This goes on until each character has been ADD'ed and XOR'ed to the
  resulting byte which is always saved to the same address. (Like I said, 34
  passes through the subroutines for "Hackmore Readrite" which ended up to
  be "C8" when all the math was through.)

	Then we do some similar (but different) stuff with the serial number.
  Skip the first eight digits, and save the next ten digits as a "seed" in
  another location. Strip the "3" off the hex numbers so they look like real
  numbers. (hex "31" ends up as "01", etc.) The neat thing here is that the
  numbers come MAINLY from the "seed", but every now and then we pick a
  number from the "original" string. After processing a bunch of the numbers,
  we end up with three numbers, which are then reduced to a single byte.
  (my number string ended up as "A9")

	This is done, so it's coding time...

  CS:384B 8A86FDFD  MOV  AL,[BP+FDFD]          ;Get the "name" byte (C8)
          3A86FCFD  CMP  AL,[BP+FDFC]          ;Cmp to the "number" byte (A9)
          7506      JNZ  3857                  ;Ohhh... Goto bad hacker!
          C646FF01  MOV  BYTE PTR [BP-01],01   ;Nice guy! no nag for him!
          EB04      JMP  385B                  ;Go past bad hacker!
          C646FF00  MOV  BYTE PTR [BP-01],00   ;bad hacker! gets nag screen!
          8F06980E  POP  WORD PTR [0E98]       ;continue program start-up

	Easy! Change "7506" (on 3rd line) to EB00 (jump to next line) so we
  automaticaly drop through to get branded as a "good guy!"

	Now of course, the "00" or "01" must be checked to verify if you need
  to wait at the nag screen, and having waited there myself a few times, I
  wanted to be sure nothing went wrong with this crack. So here's just a bit
  more code in case you also think like me.

  CS:1B51 26807D1001 CMP  BYTE PTR [ES:DI+10],01  ;Is this Good Guy?
          751F       JNZ  1b77                    ;NAG this Bad Hacker!
          6A00       PUSH 00                      ;Thank You Good Guy!
          6A15       PUSH 15                      ;On with the program
          55         PUSH BP

	Again, just break out HexEdit and change "751F" to "EB00" to drop
  through to the "Good Guy" stuff.

	And thats it! Not alot of code for you to walk through but I think
  it's easier to learn if you know whats going on, instead of clogging your
  head with source code when you don't have the whole picture. When you start
  working on the program yourself, you'll have a good idea of what you can
  expect to see, and then you can watch as much, or as little of the program
  as you want, to see how everything gets done.

	A word of advice... Don't think you can't do it. Three years ago, I
  didn't even know how to turn a computer on! Let alone how to make one work.
  I had never even touched a keyboard. I bought a computer, and trained
  myself, I have never been to ANY computer training, and I don't know any
  body who knows anything about computers. (I do know a few people who USE
  computers, but they're only doing thier "job" the way they were "trained")
  So I had no-one to get advice from. Still I learned.

	August 21st, 1996 was my first visit to the internet, "SEARCH" was
  my first command to the internet, "ASM" was my first subject, and "FRAVIA"
  was the first web page I ever visited. So I haven't even "surfed" the web
  for a whole year yet. Still I learned.

	I also quit school, and type with one finger. Still I learned. So if
  I can do it, you can! This is a TERRIBLE world we all share. We need more
  people in this world to be wise enough to outwit those who (try) to control
  us. Our good friend +ORC and his scholars tell us alot about what's
  going on around us. Listen and LEARN! YOU can do it TOO!

	Good-bye, Good Cracking, And stay safe!
                                                Hackmore Readrite


You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays tools cocktails
search_forms mailFraVia