Cracking Wildcat 5
When one key code works, why can't the rest of them?
student
Not Assigned
30 October 1998
by Cup of Cats
Courtesy of Fravia's page of reverse engineering
fra_00xx
981030
CoC
0100
NA
PC
A great essay. Well explained and tackling a more and more frequent aspect of our reversing studies: server-validation. Read it. Think about it. Work on your own. As you will see there's no useless keygenerator in here, there are a lot of EXPLANATIONS and quite a lot of zen reversing as well. Enjoy!
Quality is Job Number 2. Making Money is Job Number 1.
-Some big car company.
Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert

I have been working on this crack for over a year. Don't you hate it when nothing makes any sense, you go away for a few months, come back, and everything falls into place in 15 minutes? Heck, it took longer to write this essay than to crack the program. Makes you feel like an idiot.

Cracking Wildcat 5
Feeling for a correct unlock code
Written by Cup of Cats


Introduction
This takes A LOT of explaining. I have been using Mustang Software's Wildcat BBS programs for over 9 years now and have now turned my BBS into a small ISP. I lay in bed at night thinking about the money I have spent on the darn thing over the years.
Instead of buying my Wildcat INS setup (Wildcat 5 with the internet addons) directly from Mustang, I got lucky and got them locally from another sysop who moved over to Worldgroup. Mustang has a license transfer policy that costs $25 per program. Imagine my complete surprise when Mustang would not allow the seat licence that I purchased used to be transferred under my current license. While I have enough seats currently, I wanted the extra seats and felt I should have them since I did pay for them.
Well, I started last year trying to come up with a key generator for wildcat. (anyone else remember me asking for help with it?) After about 6 months trying to work with SoftICE and W32dasm, having no luck with the key generator, no luck with changing jumps, no luck with anything else, I finally said the heck with it.
That was up to about a week ago. I was fooling about with another program in W32dasm and finally opened the help file that comes with W32dasm. DUH! I discovered how to change the registers, do the breakpoints, and the other debugging tricks you need. I never could get the hang of using SoftIce and switching back and forth from windoze.

So anyway.....



Tools required
W32Dasm
Your favorite Hex Editor

Target's URL/FTP
Mustang Software has a server just for Wildcat at http://bbs.mustang.com. A limited version of Wildcat 5 with Internet addons (called Wildcat INS or WINS) is available for download there. (It runs 25 megs or so.) The seat licence portion should be coded the same. The Babbages I shop in still has the 2 seat version of Wildcat 5 for 10 bucks, and it's still available from some of the online software places that deal with discount software titles. Then you can download the upgrades (well, the older important ones anyway) for free after you register. Also, if you're looking for a cheap proxy server with web and email servers, it's not bad.
Program History
Mustang's been around for more than 10 years. Their programs are a bit expensive but worth it. I have dial ups, an ftp server, an (sort of OK) email server, a (sort of OK) web server, a nntp server plus fido, and many other addons. Seat licences run 15 to 30 bucks depending on the amount you buy. Worldgroup may be a better bbs/isp server, but with Wildcat everything's on 1 computer (well, one plus the linux router and the quake server) while Worldgroup would have taken 3 computers plus the router and quake server. Addons are also written by third party authors, and that's where it seems I spend most of my money. I may crack, but I fully support Shareware.

Essay

Set up: Wildcat 5 comes with the following to activate it:
A 6 Digit Registration Code in the form of 12-3456
Your Line Count up to 256 seats
and your Registration key in the form of 1234-1234-1234-1234-1234

As I explained earlier, I have 2 working combinations. (Actually I have a number of them.) The problem with using another working combination is that I have a great number of shareware addons and these are keyed to the 6 digit registration code.
For the sake of this essay, let's say the following are the keys in question:

My registration code: 12-3456
Line Count: 4
Product Key: 1234-1234-1234-1234-1234
(Not really mine. Just made up for this paper.)

My used Registration Code: 03-2084
Line Count: 16
Product Key: 3a58-2395-1ded-d0e1-c100 (referred to as 3a58-etc. from now on)
(These come from research in a USENET database and are actual working keys. I have no idea where they really come from.)

Looking at the product keys, it appears they are written in hexadecimal while the registration codes and line counts are in normal decimal. Just something to remember.

What we want to do: Just so we're all clear, the point of this crack is to have the Wildcat server accept my registration code (12-3456), the higher line count (16), and the used Product Key (3a58-etc.). Instead of trying to change the program to accept any line count, I want the program to work for a specific line count that I feel I have a license for. (Jumping the gun a bit: read the essay. It turns out we are able to work out a more general crack, but I discovered that by accident, so I'll cover that later on.)

Looking at the program: To set the Wildcat server up with its codes, you run a program called wcreg.exe. Fire it up and you get a windows box with 3 fill-in-the-blanks: 1 for the registration code, 1 for the line count, and one for the product key. Let's just try it with the 12-3456 code, 16 line count, and the 3a58 product key. Hey, we might get lucky!

No dice. We get a box that says: 'The key you typed is not correct.' But we do now have something to look for when we decompile. Fire up W32dasm, decompile wcreg.exe, save it as a project file, and do a search for some part of the error phrase. We find the phrase in 3 different places. The following sections cover those 3 locations.
Since I am not writing a key generator any more, I am only including those portions of code that we actually need to look at, understand what is being tested, and change if needed.

Debugging Part 1: The first test is to make sure the codes entered are of the right type, they are the correct lengths, etc. Since all the codes we are using are of the correct format, we should be passing this test. I've included the test code below just for reference. In messing with this program, I have yet to see esi not equal 1 in line 004017B2 as long as you don't do something silly like using non hex digits like 'R' and 'W' in the product key, use the wrong code lengths, or put the hyphens in the wrong place in the product key.
* Referenced by a Jump at Addresses:0040179D(C), :004017A8(C)

:004017AC 47                      inc edi
:004017AD 83FF18                  cmp edi, 18       ;18h=24d have we finished with all the digits?
:004017B0 7C9D                    jl 0040174F       ;go back if we havent and do it again.

* Referenced by a Jump at Address:0040174B(U)
|
:004017B2 85F6                    test esi, esi     ;is everything ok? esi=1 if ok
:004017B4 7519                    jne 004017CF      ;go on to the next part if ok
:004017B6 6A00                    push 0
:004017B8 6A00                    push 0

* Possible StringData Ref from Data Obj ->"The key you typed is not correct."

Debugging Part 2: The next portion uses the product key, breaks it down by character, does its computation, determines the correct line count for that specific product key, and compares it with the line count you entered when you ran the program. If you put a breakpoint on line 00401893, you can see this comparison. (We will talk about this breakpoint later on, so keep it in mind.) When we first ran wcreg, we entered a line count of 16. The Product Key we are using is also for a line count of 16. Both esi and eax have the value '10', which is hex for 16 in decimal.
:00401886 0954243C  or dword ptr [esp+3C], edx
:0040188A FF4C2410  dec [esp+10]
:0040188E 758E      jne 0040181E
:00401890 8B4364    mov eax, dword ptr [ebx+64]
:00401893 3BF0      cmp esi, eax  ;test if the computed number equals the line count
:00401895 7419      je 004018B0   ;we entered earlier.  if equal, then move on.
:00401897 6A00      push 0        ;error messages start here.
:00401899 6A00      push 0

* Possible StringData Ref from Data Obj ->"The key you typed is not correct."
Do we need to do anything here? Not really. When we ran wcreg and entered the data, we used a line count of 16. The Product Key we used computes to 16 also. The cmp statement on line 00401893 works so we move on.

Debugging Part 3: The third portion is where we need to do our work. It takes the Registration Code and the Line Count you entered and does a computation, takes the Product Key and does a computation, and then compares the two. This is where we need to modify the program. The code that we need to look at is as follows:
:0040196A 684C25494D              push 4D49254C
:0040196F E82CFDFFFF              call 004016A0
:00401974 83C40C                  add esp, 0000000C
:00401977 3BE8                    cmp ebp, eax        ;Do the 2 computations match?
:00401979 7419                    je 00401994         ;If they match, move on.
:0040197B 6A00                    push 0              ;Else its bad code, go error codes.
:0040197D 6A00                    push 0

* Possible StringData Ref from Data Obj ->"The key you typed is not correct."
Line 00401977 is where we need to look. We need to make these match. eax is the computation result for the Registration code and line count, while ebp is the computation total for the Product key we entered. To make this patch work, the easiest method I discovered was to change the line into either:
cmp eax, eax (#1)
or
cmp ebp, ebp (#2)
Patch #2 does not work and causes the program to crash. Patch #1 does work and is how we change the program.

Open up your hex editor, do a search for 83C40C3BE8 and change the 3BE8 into 39ED. Save everything, run wcreg, enter the Registration code 12-3456, the needed line count 16, and the used Product Key 3a58-etc. You get a registration info saved message and the program ends. When you look further down the dead listing, you discover wcreg puts the codes into the windoze registry. A quick search for the Registration Code turns it and the product key up.

When I first tried to patch this program, I tried changing that je statement into a jmp always. The program reported saving the registration data, but it never worked when I tried to start wcserver.

Finished? So, we're done, right? Let's see. To start Wildcat, you run a program called wcserver.exe. We fire it up and get the error message 'Wildcat requires a Registration Code to run.' So even though wcreg accepted the codes and saved them to the registry, wcserver won't accept them. So we now have to take a look at wcserver. As always, fire up W32dasm and decompile wcserver.exe. Do a search for where in the program the Registry is opened and the codes are loaded into memory. What follows from that point on is code that looks an awful lot like Debugging Part 3 up above. By stepping through one line at a time, we are even able to find the same compare lines as above:
:0043DF8E 83C40C                  add esp, 0000000C
:0043DF91 3BD8                    cmp ebx, eax
:0043DF93 7503                    jne 0043DF98
Again, line 0043DF91 is where we have to look. Again we need to make these match. eax holds what we need from the Registration code and the line count, ebx is the computation result we get from the product key. So again we have to rewrite that line as one of the following:
cmp ebx, ebx (#3)
or
cmp eax, eax (#4)
Patch #3 causes crashes. Patch #4 does work and is what we need to change it to. Open up your hex editor, do a search for 83C40C3BD8, change 3BD8 into 39C0, and we should be set. Run wcserver and it comes up. Run wcconfig, the set up program, and you discover you have your 16 nodes.
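As an added example (not code from the essay, nor anything from Mustang), here is a small Python decoder for the two-byte register compares that the wcreg and wcserver patches above replace, plus a check that reports whether a binary image still carries the original compare at one of the essay's search strings (83C40C3BE8 for wcreg, 83C40C3BD8 for wcserver). The sample images are constructed from the listings above, not real file contents.

```python
# x86 32-bit register order as used by the ModRM reg and r/m fields.
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]


def decode_cmp(code: bytes) -> str:
    """Decode a 2-byte register-to-register CMP.
    39 /r = CMP r/m32, r32 (first operand from the r/m field)
    3B /r = CMP r32, r/m32 (first operand from the reg field)
    Only the register-direct form (mod == 11b) is handled, which is the
    only form the essay's patches use."""
    if len(code) != 2 or code[0] not in (0x39, 0x3B):
        raise ValueError("not a two-byte register CMP")
    modrm = code[1]
    mod, reg, rm = modrm >> 6, (modrm >> 3) & 7, modrm & 7
    if mod != 3:
        raise ValueError("memory-operand form not handled")
    if code[0] == 0x3B:
        return f"cmp {REGS[reg]}, {REGS[rm]}"
    return f"cmp {REGS[rm]}, {REGS[reg]}"


def is_self_compare(code: bytes) -> bool:
    """A register compared with itself always sets ZF, so the je/jne
    that follows is no longer a real check."""
    modrm = code[1]
    return (modrm >> 6) == 3 and (modrm >> 3) & 7 == modrm & 7


def check_site(image: bytes, site_hex: str) -> str:
    """site_hex is the essay's search string (e.g. "83C40C3BE8"): the bytes
    before the compare followed by the original 2-byte compare. Reports the
    first site whose trailing bytes form a register CMP."""
    sig = bytes.fromhex(site_hex)
    lead, original = sig[:-2], sig[-2:]
    pos = image.find(lead)
    while pos >= 0:
        cmp_bytes = image[pos + len(lead):pos + len(lead) + 2]
        if len(cmp_bytes) == 2 and cmp_bytes[0] in (0x39, 0x3B) and cmp_bytes[1] >> 6 == 3:
            if cmp_bytes == original:
                return f"original: {decode_cmp(cmp_bytes)}"
            if is_self_compare(cmp_bytes):
                return f"patched: {decode_cmp(cmp_bytes)} (always equal)"
            return f"modified: {decode_cmp(cmp_bytes)}"
        pos = image.find(lead, pos + 1)
    return "missing"


# Constructed sample images: the wcreg bytes listed at 00401974, unpatched
# and with the essay's 39ED change applied. Not taken from a real file.
WCREG_ORIGINAL = bytes.fromhex("83C40C3BE874196A006A00")
WCREG_PATCHED = bytes.fromhex("83C40C39ED74196A006A00")
```

Running the decoder over the essay's byte strings shows that 39ED encodes cmp ebp, ebp and 39C0 encodes cmp eax, eax; either self-compare sets ZF unconditionally, which is what neutralises the je/jne after it.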

Finished? Part 2: We have a minor problem. The versions of wcreg and wcserver are dated March 11, 1996, and have been updated since then. The memory locations have been changed due to changes in the program. (and *MANY* bug fixes) I decompiled the newer versions to discover the code segments look about the same. Do your searches as above, make the necessary changes, and you'll be set. There have been no changes in Registration codes and the computation coding looks the same, just different memory locations.

Add On: While mucking around with the program, I tried using different product keys and different line counts. I got an interesting result when I used the following product key:

Product Key: 0101-0101-0101-0101-0101

On running wcreg, the program stopped on the cmp line found in Debugging Part 2. It turns out that the Product Key is acceptable for a 257d or 101h seat system. If you use that Product Key, 257 Line Counts, and an acceptable Registration Code, with the above patch, things work, and you get your 257 seats. With more experimenting, you discover that if you translate your needed seats into hex code, repeat it 5 times like above, it will work. So if you want 70 seats, you use the following product key:

Product Key: 0046-0046-0046-0046-0046

where 46h = 70d = 70 seats

What does that mean? We actually have a patch now that will allow us to use whatever 6 digit Registration Code we want and whatever amount of seats we want as long as:

1.) All entered codes are in the correct format.
2.) The hex numbers entered into the product key are equal to the decimal number of the seats we also use.

Final Notes
Please excuse me if what I have written is a bit confused. It's been a long time since I've written any form of paper such as this one. I never could get used to looking at other people's coding, debugging it, and then trying to explain it. Proving other people's proofs in math class never worked for me either.

So what have we learned with this debugging? The big thing is to know your tools. I feel kind of foolish admitting that if I had read the W32Dasm help files, I would have made this patch over a year ago. While I have been able to debug with SoftIce, I found the W32Dasm interface a lot easier to deal with and was able to understand more of what was going on in the program.

I guess I'm one of those people who need windoze no matter how many times it crashes every day here.

Sick, isn't it?

Any comments or suggestions can be directed to me at cupocat(at)yahoo(dot)com.


Oh Duh
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.

My comment: Actually the warez version you will find is the pre release version that was very buggy.

