Well this is a very simple, yet interesting essay about the reconstruction of a needed
keyfile. Of course there are a hundred different ways to crack this target (nopping the
evil compares, reversing jumps, etcetera), yet the correct cracking technique, when dealing
with keyfile protections, is exactly this one: reconstructing the missing file... just in
case. The target is moreover an interesting tool per se.

Shareware programmers should deal with these problems implementing random checks (say once
every four or five days or once every ten runs of their program) that trigger - not
immediately! - a COMPLETELY UNRELATED "real" protection scheme if the code has been patched
or if the keyfile is corrupted or, simply enough and VERY effective, if softice and wdasm
are on the same harddisk as the target :-)

Best choice is - as usual - an auto-crippling scheme and an automated email once on line
(this scares the hell out of a newbie :-)

No strings in this part of the protection: everything should be built dynamically ONLY IF
THE SCHEME HAS BEEN TRIGGERED. Crackers that have found strings in the 'smoke' protection
part will judge the shareware author a moron and won't usually (unless they zen the code)
seek dynamically created strings elsewhere.
.----------------------------------------------------------------------------------------------.
| INTRODUCTION                                                                                 |
`----------------------------------------------------------------------------------------------'

Someone asked me to crack this program. That is nothing special. I opened the program and
started to search for a registration box. But I couldn't find one!! Huh, is this a
crippleware program? Nope. When I checked the monitor.wri it said the program needed a
KEYFILE!! Wow, this IS cool. I had never cracked such a program before. There aren't many
tutorials about KEYFILES so I decided to write one (you're reading it). This is my story
about how I cracked Monitor/RA v1.80 - *THE* monitoring tool. Hope you enjoy it.

.----------------------------------------------------------------------------------------------.
| PROGRAMS                                                                                     |
`----------------------------------------------------------------------------------------------'

Programs I have used:

 - SoftIce V3.2
 - W32dasm V8.9
 - Hex Workshop Version 2.5
 - Monitor/RA v1.80 (http://www.envytech.co.uk/monitorra.html)

.----------------------------------------------------------------------------------------------.
| Getting the right name                                                                       |
`----------------------------------------------------------------------------------------------'

OK, we know the program needs a keyfile. The first thing to do is of course to search for
the filename of the keyfile. Open w32dasm and click on Refs - String Data References. Look
for a filename. You should notice the monitor.key. Well, I say this is the right file.
Let's check it. In the same directory as monitor.exe perform this copy command:

    copy monitor.txt monitor.key

Start Monitor.exe and the program says the keyfile isn't an Envy Technologies keyfile.
Well, they are right about that. Our keyfile isn't from Envy Technologies YET. Let's
change that.

.----------------------------------------------------------------------------------------------.
| Getting an Envy Technologies keyfile                                                         |
`----------------------------------------------------------------------------------------------'

We are going to use SoftIce now. When do we want SoftIce to stop the program? I would say
when it wants to read the file. Well, there are several APIs for this. Here they are:

for 16-bit win apps:
    GetPrivateProfileString
    GetPrivateProfileInt
    WritePrivateProfileString
    WritePrivateProfileInt

for 32-bit win apps:
    CreateFileA
    GetPrivateProfileStringA
    GetPrivateProfileIntA
    WritePrivateProfileStringA
    WritePrivateProfileIntA
    ReadFile

Let's try ReadFile first. Enter the breakpoint in SoftIce and start Monitor.exe. BLAM,
kicked back into SoftIce. Trace (F11 one time, then F12 one time) till you get here:

:00452354 A1D4564500       mov eax, dword ptr [004556D4]   ;; import from our keyfile
:00452359 E8123AFBFF       call 00405D70
:0045235E 8BC3             mov eax, ebx
:00452360 BA80244500       mov edx, 00452480
:00452365 33C9             xor ecx, ecx
:00452367 8A08             mov cl, byte ptr [eax]
:00452369 41               inc ecx
:0045236A E82D05FBFF       call 0040289C
:0045236F 7509             jne 0045237A
:00452371 83BB9600000000   cmp dword ptr [ebx+00000096], 00000000
:00452378 750F             jne 00452389

If you type 'd eax' at 452354, you'll see a part of our KEYFILE. Well, you can't deny it:
our keyfile is a mess. Get out of SoftIce, open our keyfile with notepad and remove some
lines; I removed all lines but the 1st one. Now we can go on. Start monitor.exe again and
trace until you get to 452354. The call at 452359 isn't important. If you don't believe me,
check it out yourself by tracing through it. Place a breakpoint at 45235E. Continue till you
get there. Hmm, that compare at 45236F might be important; place a breakpoint here and
continue. BUT you never get to the compare, you get the 'wrong keyfile' error, so something
must go wrong in the call at 45236A. So let's check out this call.
Here is our call:

:0040289C 53               push ebx
:0040289D 56               push esi
:0040289E 51               push ecx
:0040289F 89CE             mov esi, ecx
:004028A1 C1EE02           shr esi, 02
:004028A4 7426             je 004028CC
:004028A6 8B08             mov ecx, dword ptr [eax]      ;; the 1st line of our keyfile
:004028A8 8B1A             mov ebx, dword ptr [edx]      ;; what the 1st line should be
:004028AA 39D9             cmp ecx, ebx                  ;; compare lines
:004028AC 7545             jne 004028F3                  ;; jump to the
:004028AE 4E               dec esi                       ;;   'no Envykey' message
:004028AF 7415             je 004028C6
:004028B1 8B4804           mov ecx, dword ptr [eax+04]
:004028B4 8B5A04           mov ebx, dword ptr [edx+04]
:004028B7 39D9             cmp ecx, ebx
:004028B9 7538             jne 004028F3
:004028BB 83C008           add eax, 00000008
:004028BE 83C208           add edx, 00000008
:004028C1 4E               dec esi
:004028C2 75E2             jne 004028A6
:004028C4 EB06             jmp 004028CC

At 4028A8 type 'd edx'. Now we know what the first line should be. Open a hexeditor and
edit our keyfile. It should look like this:

         ||
         \/
00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 00                  .........

Note: you HAVE to use a hexeditor, because you can't type the 07 in notepad.

Now continue running the program till you get here:

:0045236A E82D05FBFF       call 0040289C                           ;; this is our last call
:0045236F 7509             jne 0045237A
:00452371 83BB9600000000   cmp dword ptr [ebx+00000096], 00000000  ;; check if keyfile
:00452378 750F             jne 00452389                            ;;   contains a zero at ebx+96

Time to make our keyfile a little bigger. Something like this:

00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000090 0000 0000 0000 FF                       .......
                        /\
                        ||

The value at 96 may NOT be zero, otherwise you get an error. So fill it with FF.

Now continue running the program, till we get here:

:00452389 8D437F           lea eax, dword ptr [ebx+7F]
:0045238C 8B8B8A000000     mov ecx, dword ptr [ebx+0000008A]
:00452392 66BA0200         mov dx, 0002
:00452396 E89517FFFF       call 00443B30
:0045239B 3B838E000000     cmp eax, dword ptr [ebx+0000008E]   ;; no problem, they
:004523A1 751B             jne 004523BE                        ;;   are the same
:004523A3 33D2             xor edx, edx
:004523A5 8A5309           mov dl, byte ptr [ebx+09]
:004523A8 8D430A           lea eax, dword ptr [ebx+0A]
:004523AB 8B8B82000000     mov ecx, dword ptr [ebx+00000082]
:004523B1 E87A17FFFF       call 00443B30
:004523B6 3B8392000000     cmp eax, dword ptr [ebx+00000092]   ;; no problem, they
:004523BC 740C             je 004523CA                         ;;   are the same
:004523BE B8C8244500       mov eax, 004524C8                   \  If not the same:
:004523C3 E894DEFDFF       call 0043025C                       |  say keyfile is
:004523C8 EB7C             jmp 00452446                        /  corrupt
:004523CA 33D2             xor edx, edx
:004523CC 8A533D           mov dl, byte ptr [ebx+3D]
:004523CF 8D433E           lea eax, dword ptr [ebx+3E]
:004523D2 B9E6250200       mov ecx, 000225E6
:004523D7 E85417FFFF       call 00443B30
:004523DC 3B8382000000     cmp eax, dword ptr [ebx+00000082]   ;; ebx+82 must contain
:004523E2 7418             je 004523FC                         ;;   0225E6 as value

ebx+82 must contain 0225E6. Remember: values are stored in reverse byte order (little
endian), so your keyfile must look like this:

00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080 0000 E625 0200 0000 0000 0000 0000 0000 ...%............
00000090 0000 0000 0000 FF                       .......

Continue the program.

:004523B1 E87A17FFFF       call 00443B30
:004523B6 3B8392000000     cmp eax, dword ptr [ebx+00000092]   ;; A problem,
:004523BC 740C             je 004523CA                         ;;   value must be 0225E6
:004523BE B8C8244500       mov eax, 004524C8                   \  If not the same:
:004523C3 E894DEFDFF       call 0043025C                       |  say keyfile is
:004523C8 EB7C             jmp 00452446                        /  corrupt

Notice that a problem has arisen at 4523B6; simply remove this problem by putting this
value in your keyfile. Like this:

00000000 0745 6E76 794B 6579 0000 0000 0000 0000 .EnvyKey........
00000010 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000020 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000030 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000040 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000050 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000060 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000070 0000 0000 0000 0000 0000 0000 0000 0000 ................
00000080 0000 E625 0200 0000 0000 0000 0000 0000 ...%............
00000090 0000 E625 0200 FF                       ...%...

Continue the program. You don't GET ANY ERRORS ANYMORE, we have CRACKED the program. Clear
all your breakpoints and start the program. YES!! WE DID IT!!! I've attached my keyfile to
this essay; I hope it is still there when you read this. You can edit your keyfile, making
a nice logo in it at the locations that Monitor/RA doesn't use.

.----------------------------------------------------------------------------------------------.
| Final Notes:                                                                                 |
`----------------------------------------------------------------------------------------------'

Well, I hope you learned SOMETHING from this tutor.
If you have any comments, questions, need help or whatever, mail me at MisterE@freemail.nl
OR look for me at EFNET => #cracking4newbies or #cracking
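Added example, not part of MisterE's essay or of Monitor/RA: a Python model of the three keyfile checks traced above, next to the kind of validation the preface argues for. The routine at 00443B30 is never shown in the essay, so seeded_sum is an assumed stand-in that keeps only the property the walkthrough depends on (an empty field hands the seed back); vendor_tag and hardened_checks are an assumed design, not the program's.

```python
import hashlib
import hmac
import struct

MAGIC = b"\x07EnvyKey"   # the 8 header bytes compared dword by dword at 004028A6..004028B9


def seeded_sum(buf: bytes, seed: int) -> int:
    """Assumed stand-in for the routine at 00443B30, whose body the essay never shows.
    It keeps the one property the walkthrough relies on: with nothing to hash it returns
    its seed, so an empty field reduces the check to 'stored value == seed'."""
    h = seed
    for b in buf:
        h = (h * 31 + b) & 0xFFFFFFFF
    return h


def u32(kf: bytes, off: int) -> int:
    return struct.unpack_from("<I", kf, off)[0]


def monitor_checks(kf: bytes) -> bool:
    """The checks the essay traces, in program order (eax = buffer, edx = length, ecx = seed)."""
    if kf[:8] != MAGIC:                                              # 0040289C
        return False
    if len(kf) < 0x97 or kf[0x96] == 0:                              # 00452371
        return False
    if seeded_sum(kf[0x7F:0x81], u32(kf, 0x8A)) != u32(kf, 0x8E):   # 00452389..0045239B
        return False
    n = kf[0x09]                                                     # length byte, text at +0A
    if seeded_sum(kf[0x0A:0x0A + n], u32(kf, 0x82)) != u32(kf, 0x92):   # 004523A3..004523B6
        return False
    n = kf[0x3D]                                                     # length byte, text at +3E
    return seeded_sum(kf[0x3E:0x3E + n], 0x000225E6) == u32(kf, 0x82)   # 004523CA..004523DC


def vendor_tag(kf: bytes, vendor_key: bytes) -> bytes:
    """What the vendor would ship with the file (assumed design, not Monitor/RA's)."""
    return hmac.new(vendor_key, kf, hashlib.sha256).digest()


def hardened_checks(kf: bytes, tag: bytes, vendor_key: bytes) -> bool:
    """Empty fields are refused, so no check collapses to a constant, and the whole file
    is bound to a keyed MAC, so the expected value cannot be read off a register at one
    compare. A key shipped inside the program can still be dug out of it; a public-key
    signature over the file is the stronger form of the same idea."""
    if len(kf) < 0x97 or kf[:8] != MAGIC or kf[0x09] == 0 or kf[0x3D] == 0:
        return False
    return hmac.compare_digest(vendor_tag(kf, vendor_key), tag)
```

Under this model the all-zero file from the essay passes monitor_checks because every hashed field is empty, while hardened_checks rejects it before any MAC is even computed.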