449 lines
23 KiB
Plaintext
449 lines
23 KiB
Plaintext
|
||
HOW TO CRACK, by +ORC, A TUTORIAL
|
||
|
||
Lesson 8.2: How to crack Windows, a deeper approach
|
||
|
||
---------------------------------------------------------
|
||
SPECIAL NOTE: Please excuse the somehow "unshaven"
|
||
character of the windows lessons... I'm cracking the
|
||
newest Windows '95 applications right now, therefore
|
||
at times I had to add "on the fly" some corrections to
|
||
the older Windows 3.1 and Windows NT findings.
|
||
"homines, dum docent, discunt".
|
||
---------------------------------------------------------
|
||
|
||
-> 1st THING TO REMEMBER
|
||
If you thought that DOS was a mess, please notice that windows
|
||
3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of
|
||
ill-cooked spaghetti code. Old Basic "GOTO" abominations were
|
||
quite elegant in comparison with this concoction... One thing is
|
||
sure: This OS will not last... it's way too messy organised,
|
||
impossible to consolidate, slow and neurotic (but I must warn
|
||
you... I thought exactly the same things about DOS in 1981).
|
||
The most striking thing about windows 95 is that it is neither
|
||
meat not fish: neither 16 nor 32... you could call it a "24 bit"
|
||
operating system.
|
||
We'll never damage Microsoft interests enough to compensate for
|
||
this moronic situation... where you have to wait three minutes
|
||
to get on screen a wordprocessor that older OS (and even old DOS)
|
||
kick up in 5 seconds. I decide therefore, hic et nunc, to add an
|
||
ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach
|
||
everybody how to crack ALL Microsoft programs that do exist on
|
||
this planet. I'll write it this sommer and give it away between
|
||
the "allowed" lessons.
|
||
Anyway you can rely on good WINICE to crack everything, you'll
|
||
find it on the web for free, I use version 1.95, cracked by [The
|
||
Lexicon] (do not bother me for Warez, learn how to use the search
|
||
engines on the web and fish them out yourself). Learn how to use
|
||
this tool... read the whole manual! Resist the temptation to
|
||
crack immediatly everything in sight... you 'll regret pretty
|
||
soon that you did not wanted to learn how to use it properly.
|
||
A little tip: as Winice is intended more for software developers
|
||
than for crackers, we have to adapt it a little to our purposes,
|
||
in order to make it even more effective: a good idea is to have
|
||
in the *.DAT initialization file following lines:
|
||
INIT = "CODE ON; watchd es:di; watchd ds:si;"
|
||
TRA = 92
|
||
This way you'll always have the hexadecimal notation on, two very
|
||
useful watch windows for passwords deprotection and enough buffer
|
||
for your traces.
|
||
|
||
WINDOWS 3.1. basic cracking: [ALGEBRAIC PROTECTIONS]
|
||
The most used windows protections are "registration codes",
|
||
these must follow a special pattern: have a "-" or a "+" in a
|
||
predetermined position, have a particular number in particular
|
||
position... and so on.
|
||
For the program [SHEZ], for instance, the pattern is to have a
|
||
14 bytes long alphanumeric sequence containing CDCE1357 in the
|
||
first 8 bytes.
|
||
The second level of protection is to "connect" such a
|
||
pattern to the alphanumeric contents of the NAME of the user...
|
||
every user name will give a different "access key". This is the
|
||
most commonly used system.
|
||
As most of these protections have a "-" inside the answering
|
||
code, you do not need to go through the normal cracking procedure
|
||
(described in the next lesson):
|
||
* load WINICE
|
||
* hwnd [name_of_the_crackanda_module]
|
||
* choose the window Handle of the snap, i.e, the exact
|
||
"FIELD" where the code number input arrives... say 091C(2)
|
||
* BMSG 091C WM_GETTEXT
|
||
* Run anew
|
||
* Look at the memory location(s)
|
||
* Do the same for the "Username" input FIELD. (Sometimes
|
||
linked, sometimes not, does not change much, though)
|
||
* BPR (eventually with TRACE) on the memory locations (these
|
||
will be most of the time FOUR: two NUMBERCODES and two
|
||
USERNAMES). The two "mirrored" ones are the most important
|
||
for your crack. At times there will be a "5th" location,
|
||
where the algebraic play will go on...
|
||
* Look at the code that performs algebraic manipulations on
|
||
these locations and understand what it does...
|
||
* Disable the routine or jump over it, or reverse it, or
|
||
defeat it with your own code... there are thousand
|
||
possibilities...
|
||
* Reassemble everything.
|
||
|
||
Uff... quite a long cracking work just to crack some miserable
|
||
program... isn'there a quicker way? OF COURSE THERE IS! Actually
|
||
there are quite a lot of them (see also the crack of Wincat Pro
|
||
below): Look at the following code (taken from SNAP32, a screen
|
||
capture utility for Windows 95, that uses a pretty recent
|
||
protection scheme):
|
||
|
||
XOR EBX,EBX ; make sure EBX is zeroed
|
||
MOV BL, [ESI] ; load input char in BL
|
||
INC ESI ; point at the next character
|
||
MOV EDI,EBX ; save the input character in EDI
|
||
CMP EBX,+2D ; input char is a "-" ?
|
||
JZ ok_it's_a_+_or_a_-
|
||
CMP EBX,+2B ; input char is a "+" ?
|
||
JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it
|
||
:ok_it's_a_+_or_a_-
|
||
XOR EBX,EBX ; EBX is zeroed
|
||
MOV BL,[ESI] ; recharge BL
|
||
INC ESI ; point to next char (do not check - or +)
|
||
:Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it
|
||
XOR EBP,EBP ; zero EBP
|
||
CMP DWORD PTR [boguschecker], +01
|
||
...
|
||
|
||
even if you did not read all my precedent lessons, you do not
|
||
need much more explications... this is a part of the algebraic
|
||
check_procedure inside the SNAP32 module... you could also get
|
||
here through the usual
|
||
USER!BOZOSLIVEHERE
|
||
KERNEL!HMEMCPY
|
||
USER!GLOBALGETATOMNAME
|
||
Windows wretched and detestable APIs used for copy protections,
|
||
as usual with WINICE cracking, and as described elsewhere in my
|
||
tutorial.
|
||
The above code is the part of the routine that checks for the
|
||
presence of a "+" or a "-" inside the registration number (many
|
||
protections scheme requires them at a given position, other need
|
||
to jump over them).
|
||
Now sit down, make yourself comfortable and sip a good Martini-
|
||
Wodka (invariably very useful in order to crack... but be aware
|
||
that only Moskowskaia russian Wodka and a correct "Tumball" glass
|
||
will do, do not forget the lemon)... what does this "-" stuff
|
||
mean for us little crackers?
|
||
It means that we can search directly for the CMP EBX,+2B
|
||
sequence inside any file protected with these schemes... and
|
||
we'll land smack in the middle of the protection scheme! That's
|
||
amazing... but you will never underrate enough the commercial
|
||
programmers... the only really amazing thing is how simpleton the
|
||
protectionists are! You don't believe me? Try it... you 'll get
|
||
your crack at least 4 out of 5 times.
|
||
Yes I know, to find this code is not yet to crack it... but for
|
||
this kind of copy protection (that's the reason it is so
|
||
widespread) there is no single solution... each makes a slightly
|
||
different algebraic manipulation of the alphanumeric and of the
|
||
numeric data. It's up to you to crack the various schemes... here
|
||
you can only learn how to find them and circumvene them. I'll not
|
||
give you therefore a "debug" crack solution. You'll find it
|
||
yourself using my indications (see the crack of the Wincat Pro
|
||
program below).
|
||
|
||
WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE
|
||
PROTECTIONS KEEP COUNT OF THE PASSING DAYS?
|
||
Most of the time the protection schemes use their own *.ini files
|
||
in the c:\WINDOWS directory for registration purposes... at time
|
||
they even use the "garbage sammler" win.ini file. Let's take as
|
||
example WINZIP (versions 5 and 5.5), a very widespread program,
|
||
you'll surely have one shareware copy of it somewhere between
|
||
your files.
|
||
In theory, winzip should be registered per post, in order to
|
||
get a "NEW" copy of it, a "registered" copy.
|
||
This scares most newby crackers, since if the copy you have
|
||
it's not full, there is no way to crack it and make it work,
|
||
unless you get the REAL stuff. The youngest among us do not
|
||
realize that the production of a real "downsized" demo copy is
|
||
a very expensive nightmare for the money-infatuated commercial
|
||
programmers, and that therefore almost nobody does it really...
|
||
nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE
|
||
PROGRAMS, and not "downsized" demos, independently of what the
|
||
programmers and the protectionists have written inside them.
|
||
Back to Winzip... all you need, to crack winzip, is to add a
|
||
few lines inside the win.ini file, under the heading [WinZip],
|
||
that has already been created with the demo version, before the
|
||
line with "version=5.0".
|
||
I will not help you any further with this... I'll leave it to
|
||
you to experiment with the correct sequences... inside win.ini
|
||
you must have following sequence (these are only template to
|
||
substitute for your tries inside WINICE... you'll get it, believe
|
||
me):
|
||
[WinZip]
|
||
name=Azert Qwerty
|
||
sn=########
|
||
version=5.5
|
||
|
||
The *important* thing is that this means that you DO NOT NEED
|
||
to have a "new registered version" shipped to you in order to
|
||
make it work, as the protectionist sellers would like you to
|
||
believe. The same applies most of the time... never believe what
|
||
you read in the read.me or in the registration files...
|
||
This brings me to a broader question: NEVER believe the
|
||
information they give you... never believe what television and/or
|
||
newspapers tell you... you can be sure that the only reason they
|
||
are notifying you something is to hinder you to read or
|
||
understand something else... this stupid_slaves_society can only
|
||
subsist if nobody thinks... if you are really interested in what
|
||
is going on, real information can be gathered, but surely not
|
||
through the "conventional" newspapers and/or news_agencies (and
|
||
definitely NEVER through television, that's really only for the
|
||
stupid slaves)... yes, some bit of information can be
|
||
(laboriously) gathered... it's a cracking work, though.
|
||
|
||
HOW TO CRACK INFORMATION [WHERE WHAT]
|
||
* INTERNET
|
||
In the middle of the hugest junk collection of the planet, some
|
||
real information can be laboriously gathered if you do learn how
|
||
to use well the search engines (or if you do build your ones...
|
||
my spiders are doing most of the work for me... get your robots
|
||
templates from "Harvest" or "Verify" and start your "spider
|
||
building" activity beginning from Martijn Koster's page). As
|
||
usual in our society, in the Internet the real point is exactly
|
||
the same point you'll have to confront all your life long: HOW
|
||
TO THROW AWAY TONS OF JUNK, HOW TO SECLUDE MYRIADS OF USELESS
|
||
INFORMATION and HOW TO FISH RARE USEFUL INFORMATION, a very
|
||
difficult art to learn per se. Internet offers some information,
|
||
though, mainly BECAUSE it's (still) unregulated. You want a
|
||
proof? You are reading it.
|
||
|
||
* SOME (RARE) NEWSPAPERS.
|
||
The newspaper of the real enemies, the economic powers that
|
||
rule this slaves world, are paradoxically most of the time the
|
||
only ones worth studying... somewhere even the real rulers have
|
||
to pass each other some bits of real information. The "Neue
|
||
Zuercher Zeitung", a newspaper of the Swiss industrials from
|
||
Zuerich, is possibly the best "not_conformist trend analyzer"
|
||
around that you can easily find (even on the web). These
|
||
swissuckers do not give a shit for ideology, nor preconcerted
|
||
petty ideas, the only thing they really want is to sell
|
||
everywhere their ubiquitous watches and their chocolates... in
|
||
order to do it, a land like Switzerland, with very high salaries
|
||
and a good (and expensive) social system, must use something
|
||
brilliant... they found it: a clear vision of the world... as a
|
||
consequence this newspaper is very often "against" the trend of
|
||
all the other medias in the world, the ones that are used only
|
||
in order to tame the slaves... If the only language you know is
|
||
english (poor guy) you could try your luck with the weekly
|
||
"Economist"... you'll have to work a lot with it, coz it has been
|
||
tailored for the "new riches" of the Tatcher disaster, but you
|
||
can (at times) fish something out of it... they do a lot of
|
||
idiotic propaganda, but are nevertheless compelled to write some
|
||
truth. American newspapers (at least the ones you can get here
|
||
in Europe) are absolute shit... one wonders where the hell do the
|
||
americans hyde the real information.
|
||
On the "non-capitalistic" side of information there is a
|
||
spanish newspaper "El Pais" that seems to know about what's going
|
||
on in South America, but it's so full of useless propaganda about
|
||
irrelevant Spanish politics that it's not really worth reading.
|
||
The monthly "Le Monde diplomatique" offers something too... this
|
||
one exaggerates a little on the pauperistic "third world" side,
|
||
but has a lot of useful information. See what you can do with all
|
||
this information (or disinformation?)
|
||
|
||
[BELIEVE THE COUNTRARY]
|
||
Another good rule of thumb in choosing your medias is the
|
||
following... if all medias around you assure, for instance, that
|
||
"the Serbians are evil"... the only logical consequence is that
|
||
the Serbians are not so evil at all and that "the Croats" or some
|
||
other Yugoslavian shits are the real culprits. This does not mean
|
||
at all that the Serbians are good, I warn you, it means only what
|
||
I say: something is surely hidden behind the concerted propaganda
|
||
you hear, the best reaction is to exaggerate in the other
|
||
direction and believe the few bit of information that do say the
|
||
countrary of the trend. This rule of thumb may be puerile, but
|
||
it works somehow most of the time... if somewhere everybody
|
||
writes that the commies are bad then THERE the commies must not
|
||
be so bad at all and, conversely, if everybody in another place
|
||
writes that the commies are all good and nice and perfect (like
|
||
the Soviet propaganda did) then THERE the commies are surely not
|
||
so good... it's a matter of perspective, much depends on where
|
||
you are, i.e. whose interests are really at stake. There is NEVER
|
||
real information in this society, only propaganda... if you still
|
||
do not believe me do yourself a little experiment... just read
|
||
the media description of a past event (say the Vietnam war) as
|
||
written AT THE MOMENT of the event and (say) as described 10
|
||
years later. You'll quickly realize how untrustworthy all
|
||
newspapers and medias are.
|
||
|
||
* SEMIOTICS You'll have to study it (as soon as you can) to
|
||
interpret what they let you believe, in order to get your
|
||
bearings. A passing knowledge of ancient RHETORIC can help quite
|
||
a lot. Rhetoric is the "Softice" debugger you need to read
|
||
through the propaganda medias: concentrate on Periphrasis,
|
||
Synecdoche, Antonomasia, Emphasis, Litotes and Hyperbole at the
|
||
beginning... you'll later crack higher with Annominatio,
|
||
Polyptoton, Isocolon and all the other lovely "figurae
|
||
sententiae".
|
||
|
||
Enough, back to software cracking.
|
||
|
||
HOW A REGISTRATION CODE WORKS [WINCAT]
|
||
Let's take as an example for the next crack, a Username-
|
||
algebraic registration code, WINCAT Pro, version 3.4., a 1994
|
||
shareware program by Mart Heubel. It's a good program, pretty
|
||
useful to catalogue the millions of files that you have on all
|
||
your cd-roms (and to find them when you need them).
|
||
The kind of protection Wincat Pro uses is the most utilized
|
||
around: the username string is manipulated with particular
|
||
algorithms, and the registration key will be made "ad hoc" and
|
||
depends on the name_string. It's a protection incredibly easy to
|
||
crack when you learn how the relevant procedures work.
|
||
[WINCAT Pro] is a good choice for cracking studies, coz you
|
||
can register "over your registration" one thousand times, and you
|
||
can herefore try for this crack different user_names to see all
|
||
the algebrical correspondences you may need to understand the
|
||
protection code.
|
||
In this program, when you select the option "register", you
|
||
get a window where you can input your name and your registration
|
||
number (that's what you would get, emailed, after registering
|
||
your copy). If you load winice and do your routinely hwnd to
|
||
individuate the nag window, and then breakpoint on the
|
||
appropriate memory ranges you'll peep in the working of the whole
|
||
bazaar (this is completely useless in order to crack these
|
||
schemes, but it'll teach you a lot for higher cracking, so you
|
||
better do it also with two or three other programs, even if it
|
||
is a little boring): a series of routines act on the input (the
|
||
name) of the user: the User_name_string (usn). First of all the
|
||
usn_length will be calculated (with a REPNZ SCASB and a following
|
||
STOSB). Then various routines store and move in memory the usn
|
||
and the registration_number (rn) and their relative lengths. In
|
||
order to compare their lengths and to check the correct
|
||
alphanumeric correspondence between usn and rn, the program first
|
||
uppercases the usn and strips all eventual spaces away.
|
||
Here the relevant code (when you see an instruction like
|
||
SUB AL,20 you should immediately realize that you are in a
|
||
uppercasing routine, which is important for us, since these are
|
||
mostly used for password comparisons)... here the relevant Winice
|
||
unassemble and my comments:
|
||
253F:00000260 AC LODSB <- get the usn chars
|
||
253F:00000261 08C0 OR AL,AL <- check if zero
|
||
253F:00000263 740F JZ 0274 <- 0: so usn finished
|
||
253F:00000265 3C61 CMP AL,61 <- x61 is "a", man
|
||
253F:00000267 72F7 JB 0260 <- not a lower, so loop
|
||
253F:00000269 3C7A CMP AL,7A <- x7A is "z", what else?
|
||
253F:0000026B 77F3 JA 0260 <- not a lower, so loop
|
||
253F:0000026D 2C20 SUB AL,20 <- upper it if it's lower
|
||
253F:0000026F 8844FF MOV [SI-01],AL<- and hyde it away
|
||
253F:00000272 EBEC JMP 0260 <- loop to next char
|
||
253F:00000274 93 XCHG AX,BX
|
||
...
|
||
The instruction MOV [SI-01],AL that you see here is important
|
||
at times, coz it points to the location of the "pre-digested"
|
||
usn, i.e. the usn formatted as it should be for the number
|
||
comparison that will happen later. In some more complicated
|
||
protection schemes the reasoning behind this formatting is the
|
||
following: "Stupid cracker will never get the relation algorhitm
|
||
usn <-> rn, coz he does not know that usn AND rn are slightly
|
||
changed before comparing, ah ah... no direct guessing is
|
||
possible". Here is only "polishing": you have to "polish" a
|
||
string before comparing it in order to concede some mistakes to
|
||
the legitimate user (too many spaces in the name, upper-lower
|
||
case mismatch, foreign accents in the name etc.) You just need
|
||
to know, for now, that this checking is usually still 5 or 6
|
||
calls ahead of the real checking (it's what we call a "green
|
||
light").
|
||
You should in general realize that the real checking of the
|
||
algebrical correspondence follows after a whole series of memory
|
||
operations, i.e.: cancelling (and erasing) the previous (if ever)
|
||
attempts; reduplicating the usn and the rn somewhere else in
|
||
memory; double checking the string lengths (and saving all these
|
||
values somewhere... be particularly attentive when you meet stack
|
||
pointers (for instance [BP+05]): most of the programs you'll find
|
||
have been written in C (what else?). C uses the stack (SS:SP) to
|
||
pass parameters or to create local variables for his procedures.
|
||
The passwords, in particular, are most of the time compared to
|
||
data contained within the stack. If inside a protection a BP
|
||
register points to the stack you have most of the time fished
|
||
something... remember it pupils: it will spare you hours of
|
||
useless cracking inside irrelevant routines. Back to our CATWIN:
|
||
another little check is about the "minimal" length allowed for
|
||
a user name, in our babe, for instance, the usn must have at
|
||
least 6 chars:
|
||
230F:00003483 3D0600 CMP AX,0006
|
||
230F:00003486 730F JAE 3497 <- go to nice_name
|
||
:too_short
|
||
230F:00003488 BF9245 MOV DI,4592 <- no good: short
|
||
After a lot of other winicing you'll finally come across
|
||
following section of the code:
|
||
2467:00000CA3 B90100 MOV CX,0001
|
||
2467:00000CA6 03F1 ADD SI,CX
|
||
2467:00000CA8 2BC1 SUB AX,CX
|
||
2467:00000CAA 7213 JB 0CBF
|
||
2467:00000CAC 40 INC AX
|
||
2467:00000CAD 368B4F04 MOV CX,SS:[BX+04] <- here
|
||
2467:00000CB1 0BC9 0R CX,CX
|
||
2467:00000CB3 7D02 JGE 0CB7
|
||
2467:00000CB5 33C9 XOR CX,CX
|
||
2467:00000CB7 3BC1 CMP AX,CX
|
||
2467:00000CB9 7606 JBE 0CC1
|
||
2467:00000CBB 8BC1 MOV AX,CX
|
||
2467:00000CBD EB02 JMP 0CC1
|
||
2467:00000CBF 33C0 XOR AX,AX
|
||
2467:00000CC1 AA STOSB <- and here
|
||
2467:00000CC2 8BC8 MOV CX,AX
|
||
2467:00000CC4 F3A4 REPZ MOVSB <- and here!
|
||
2467:00000CC6 8EDA MOV DS,DX
|
||
2467:00000CC8 FC RETF 0008
|
||
|
||
This is obviously the last part of the checking routine
|
||
(I'll not delve here with the mathematical tampering of it, if
|
||
you want to check its workings, by all means, go ahead, it's
|
||
quite interesting, albeit such study is NOT necessary to crack
|
||
these schemes). The important lines are obviously the MOV
|
||
CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password
|
||
protection schemes, you do remember lesson 3, don't you?).
|
||
You should be enough crack-able :=) by now (if you have read
|
||
all the precedent lessons of my tutorial), to find out easily,
|
||
with these hints, how the working of the protection goes and
|
||
where dwells in memory the ECHO of the correct rn (passkey) that
|
||
matches the name you typed in. Remember that in these kind of
|
||
cracks the ECHO is present somewhere (90% of the cases). There
|
||
are obviously one thousand way to find such ECHOs directly,
|
||
without going through the verificayions routines... for instance
|
||
you could also find them with a couple of well placed
|
||
snap_compares, it's a "5 minutes" cracking, once you get the
|
||
working of it. I leave you to find, as interesting exercise, the
|
||
routine that checks for a "-" inside the rn, a very common
|
||
protection element.
|
||
In order to help you understand the working of the protection
|
||
code in [Wincat Pro] I'll give you another hint, though: if you
|
||
type "+ORC+ORC+ORC" as usn, you'll have to type 38108-37864 as
|
||
rn, if you usn as usn "+ORC+ORC" then the relative rn will be
|
||
14055-87593. But these are my personal cracks... I have offered
|
||
this information only to let you better explore the mathematical
|
||
tampering of this specific program... you'll better see the
|
||
snapping mechanism trying them out (going through the routines
|
||
inside Winice) alternatively with a correct and with a false
|
||
password. Do not crack Wincat with my combination! If you use a
|
||
different usn than your own name to crack a program you only show
|
||
that you are a miserable lamer... no better than the lamers that
|
||
believe to "crack" software using huge lists of serial numbers...
|
||
that is really software that they have stolen (Yeah: stolen, not
|
||
cracked). You should crack your programs, not steal them...
|
||
"Warez_kids" and "serial#_aficionados" are only useless zombies.
|
||
I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER!
|
||
It makes a lot of a difference, believe me.
|
||
|
||
Well, that's it for this lesson, reader. Not all lessons of my
|
||
tutorial are on the Web.
|
||
You 'll obtain the missing lessons IF AND ONLY IF you mail
|
||
me back (via anon.penet.fi) with some tricks of the trade I may
|
||
not know that YOU discovered. Mostly I'll actually know them
|
||
already, but if they are really new you'll be given full credit,
|
||
and even if they are not, should I judge that you "rediscovered"
|
||
them with your work, or that you actually did good work on them,
|
||
I'll send you the remaining lessons nevertheless. Your
|
||
suggestions and critics on the whole crap I wrote are also
|
||
welcomed.
|
||
|
||
"If you give a man a crack he'll be hungry again
|
||
tomorrow, but if you teach him how to crack, he'll
|
||
never be hungry again"
|
||
|
||
an526164@anon.penet.fi
|
||
|