AMU Q/95 3.10 CRACK


Courtesy of fravia's page of reverse engineering

                    AMU Q/95 3.10 CRACK BY AESCULAPIUS

Hi all. I'm going to show you in the next paragraphs how to crack AMU W/95
3.10 using the 'dead listing' approach. Off course, you'll need to read
first, the Master +ORC lesson 9.3. You'll also need a good disassembler,
like w32dasm7 (already cracked by some of the notorious +ORC students).

        AMU (automated maintenance utility) is an excellent application to
process files areas and some very useful automated messages which will
relieve the sysop's daily burden when running a BBS system. You can find
a copy of it at Install the program as usual.

Proceed to disassemble the file amuw.exe. You'll get a quite large text file.
Load it in your favorite word processor. All right, you're doing well. Now
you're able to make some Zen analysis. What to look for? AMU is protected
via two different methods, the first one, consists in a very decent
'unregistered for nn days' advice every time you run it. The first day,
the unregistered advice reads: Unregistered for (1 day). The day after,
it'll read: Unregistered for (nn) days, where 'nn' are the number of days
the programs has been used without registration. The second method is a 30
days time limit 'a lo cinderella', after which the program will stop working
(Goddamn it!). You can also deduce just by using your brain substance a
little bite more than usual, that this program is registered via an special
key file named 'amu.key'. How do I know this? By reading the users manual :).
Now that we know what we're looking for, lets load the disassembled text file
in our favorite word processor and hit the search key, typing the following
search patterns: 'amu.key' and 'Licensed'. We get a very interesting segment
of code when looking for amu.key pattern. Let's print it here:

:0041B4AC 68C0000000              push 000000C0
:0041B4B1 E8FBDD0100              call 004392B1
:0041B4B6 53                      push ebx          ; pushing registers...
:0041B4B7 51                      push ecx      
:0041B4B8 52                      push edx
:0041B4B9 56                      push esi
:0041B4BA 57                      push edi
:0041B4BB 55                      push ebp
:0041B4BC 89E5                    mov ebp, esp
:0041B4BE 81EC94000000            sub esp, 00000094
:0041B4C4 8945FC                  mov [ebp-04], eax ; Could [ebp-04] be
:0041B4C7 8B45FC                  mov eax, [ebp-04]   the memory location
:0041B4CA 057B190000              add eax, 0000197B   where the unregiste-
:0041B4CF 50                      push eax            red 'days counter' is

* Possible StringData Ref from Data Obj ->"%sAMU.KEY"

        Very interesting, but I'm not sure of anything at this point. I won't
be lying as many others I believe do, telling you: "I'm using only, and I
repeat only, the 'dead listing approach' to solve this crack and I can tell
you without any doubt what's going one here". What you're not aware of, If
that they already ran the program over softice, therefore knowing what's in
every register and every memory location. In this manner, their analysis
seems to be the one of a genius.  I had never run this program in softice,
so I could be very wrong about what I'm thinking the code is doing or what I
believe is the contents of some memory location or CPU register at some point,
but even if I'm wrong, at least I'm sincere. You can load this program in
softice and crack it with one hand on your back and one eye closed, but
that's not the point, what we're trying to probe is that the 'dead listing
approach' is the election strategy when you're dealing with NAG-screen
protections and that you don't need anything else to make a victorious crack.
Now what I think the code is doing in this first segment, is to check in the
AMU directory for an amu.key file, if it is there, then, it'll run some
mathematical sequence to validate the key. If the key is false, it'll
probably direct the execution somewhere else inside one of the calls of this
segment or maybe to a place we haven't even see yet.

        Now, let's check our next location. Hit the search button on your
word processor and look for the following pattern: 'Licensed'. This is what
we get:

:0041B679 B8E4204500              mov eax, 004520E4
:0041B67E 50                      push eax
:0041B67F 8B45FC                  mov eax, [ebp-04]
:0041B682 057B190000              add eax, 0000197B
:0041B687 50                      push eax

* Possible StringData Ref from Data Obj ->"%s%s"
:0041B688 B8E7204500              mov eax, 004520E7
:0041B68D 50                      push eax
:0041B68E 8D459C                  lea eax, [ebp-64]
:0041B691 50                      push eax
:0041B692 E81EDE0100              call 004394B5
:0041B697 83C410                  add esp, 00000010
:0041B69A BA80010000              mov edx, 00000180
:0041B69F 8D459C                  lea eax, [ebp-64]
:0041B6A2 E876DD0100              call 0043941D
:0041B6A7 8D459C                  lea eax, [ebp-64]
:0041B6AA E8A9DD0100              call 00439458
:0041B6AF 8B45FC                  mov eax, [ebp-04]
:0041B6B2 83C028                  add eax, 00000028
:0041B6B5 50                      push eax

* Possible StringData Ref from Data Obj ->"Licensed to %s"

As you can see, we're in the middle of the code which is executed when the
program runs in its registered fashion. This segment begins at :0041B679,
before this instruction, there is an unconditional jump which prevents the
programs to execute this segment without the assistance of a conditional
jump. What we need to do now is to scroll back a little to find a conditional
jump, which will direct the execution to this holy area beginning at
:0041B679 and avoiding the unconditional jump at :0041B677. Scrolling back
we find what we're looking for:

:0041B4D0 B89A204500              mov eax, 0045209A
:0041B4D5 50                      push eax
:0041B4D6 8D459C                  lea eax, [ebp-64]
:0041B4D9 50                      push eax
:0041B4DA E8D6DF0100              call 004394B5
:0041B4DF 83C40C                  add esp, 0000000C
:0041B4E2 8D559C                  lea edx, [ebp-64]
:0041B4E5 B89C394600              mov eax, 0046399C
:0041B4EA E8B1CB0000              call 004280A0
:0041B4EF 89C2                    mov edx, eax
:0041B4F1 8D857CFFFFFF            lea eax, [ebp+FFFFFF7C]
:0041B4F7 E8E9DF0100              call 004394E5
:0041B4FC 8D957CFFFFFF            lea edx, [ebp+FFFFFF7C]
:0041B502 B86E344600              mov eax, 0046346E
:0041B507 E8F666FFFF              call 00411C02
:0041B50C 8D957CFFFFFF            lea edx, [ebp+FFFFFF7C]
:0041B512 B86E344600              mov eax, 0046346E
:0041B517 E88166FFFF              call 00411B9D
:0041B51C 80BD7CFFFFFF00          cmp byte ptr [ebp+FFFFFF7C], 00 ; Flag?

:0041B523 7415                    je 0041B53A                     ; lands in
:0041B525 8D957CFFFFFF            lea edx, [ebp+FFFFFF7C]           :0041B53A
:0041B52B 8B45FC                  mov eax, [ebp-04]                 where an 
:0041B52E 83C028                  add eax, 00000028                 unconditional
:0041B531 E899DD0100              call 004392CF                     jump take us
:0041B536 85C0                    test eax, eax                     away from our
:0041B538 7502                    jne 0041B53C                      beloved                                                                       :0041B53c jump
                                                                    :0041B543 jump
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0041B53A EB0D                    jmp 0041B549 ; This jump drives the
                                                 program to the war zone
                                                 (unregistered segments
                                                 of the code)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0041B53C 8B45FC                  mov eax, [ebp-04] ; The counter!!!
:0041B53F 80782800                cmp [eax+28], 00
:0041B543 0F8530010000            jne 0041B679 ; Our bingo jump!!!

Ok, we're almost done. What we have to do (in case you haven't figured it out
yet) is to force the execution from :0041B523 to :0041B543 and then, we
can make a victorious unconditional jump to :0041B679 where the mambo begins
to sound!!!

        Why not make a great big jump from :0041B523 to :0041B679 directly?
Because you cannot make a so big intrasegmentary jumps in assembler!!

        Lets proceed: With a good Hex editor (I prefer Hiew v. 5.50 or
PSEDIT 4.4) search for the following Hex code:

        74158D957CFFFFFF   ; and change it for:
        EB1E8D957CFFFFFF   ; this change will substitute the

        :0041B523 je 0041B53A   ; for:

	:0041B523 jmp 0041B543

        Then, search the following pattern:

        0F8530010000   ; and change it for:
        E93101000000   ; this change will substitute the instruction:

        :0041B543 jne 0041B679   ; for:
        :0041B543 jmp 0041B679

        As you can note, i've changed both conditional jumps to unconditional,
 the reason for this, is that, no matter what's the state of the counter,
 the excution will always go to the right place.

There are many more great locations of the protection scheme in this
application that we would want to check and understand. For example,

:0041B715 837DFC1E cmp [ebp-04], 0000001E
:0041B719 7F06     jg 0041B721

1E Hexadecimal is 30 decimal!!! 30 days is our unregistered free trial period
limit. This means that [ebp-04] was in fact the counter...

Soon after, at location:

:0041B728 837DFC3C                cmp [ebp-04], 0000003C
:0041B72C 7F06                    jg 0041B734
Look at this, 3C Hex is 60 decimal. This means that the program will
warn you after 30 days of continuous use, that you'd passed the permitted
free trial period limit, and after 60 days, the application will stop
working. Follow the jump to :0041B734 and you'll see what i mean...

There are thousands of ways to crack this program, so be my guess and try
your own.

After all this crap, AMU will never expire, and it will show when executed,
Registered to: Your proud name.

        I'm not a +ORC lucky student though I would like to be. It happens
that I knew of his +HCU too late. However, i can always share good cracking
knowledge with master +ORC and +his students.

If this text is published I'll write another lesson where I'll teach you 
some new cracking techniques.

			Take care, bye bye!

Aesculapius 1997. All rights reversed.

You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC students' essays academy database
tools cocktails search_forms mail_fravia
Is reverse engineering legal?