Networker, The mistery of the missing file
(how to crack logically, without too much listing)

by Hackmore Readrite, 28 May 1997


Courtesy of fravia's page of reverse engineering
~
A very intersting essay (the target is absolute crap, though): how to crack a protection where some key files are missing, using more your logic than your debugger! (Note also the "social engineering" touch :-)


Let's hear Hackmore himself about it:
 ...I did not go into "coding" details in this crack in an effort to get
people to try cracking themselves. I know many people who shiver in
their boots when they see assembly code. Especially when they see alot of
it, as sometimes happens in these tutorials. I think if people see how
easy it is, they might try it, and "gradually" figure things out!

NetWorker Cracked by Hackmore Readrite Available at http://www.mlmsoft.com This is, in my opinion, probably the best database for anyone who makes a living by the "Christmas Tree" method. That's when you sell a product to someone, then they re-sell it to two (or more) other people, who each re-sell it to two (or more) people, etc. And as the number of products sold increases, so do your profits, since a portion of each sale filters it's way back up to the top of the "tree", which is you. Naturaly, in a system like this, you want to keep track of all the people who have purchased, and all the people who have sold, so you can count all of the money you'll be raking in on your next pay-check. What a terible way to make a living! It has produced some very rich people though, the ones who supply the product! I decided to crack this program because it was missing a file. What better challenge than one without an answer. After all, if all of the pieces of the puzzle are not there, the puzzle can not be assembled, right? Wrong! I will not bore you with assembly code in this lesson for several reasons. The first, because this is a small company just trying to etch out a living in the overbloated jungle of code Microsoft has created. The second reason, as you will see, the crack is so simple anyone can do it! Yet, because of a missing file, MOST people would be too intimidated to even try. "Scare them to death and they'll leave us alone." Like +ORC said, "DO NOT BELIEVE THEM!" And lastly, I do NOT like sitting on top of a mountain of slaves, feeding off their hard work. Before we even begin to crack this, we'll unpack the zip file and have a look at the pieces we DO have. When unzipped, we have three folders, (disk1, disk2, and disk3) plus a "readme.txt", which say's... ----------------------------------------------------------------------------- Congratulations! This release of Networker has been widely accepted by Network Marketers. We have one reported problem that occurs on some windows machines: "Error in Critical System File" If this error is encountered be sure that you copy the ntworker.key file found on disk 3, to your windows\system directory. Enjoy your trial version of Networker. ----------------------------------------------------------------------------- Looking inside the folders, we find "install.txt" in the "disk3" folder. Reading this, we find the following information... ----------------------------------------------------------------------------- Diskette 1 required files: setup.arv setup.exe setupmn.arv - archive of primary files Diskette 2 required files: Setup.a02 - archived primary files. Diskette 3 required files: final - initializes Networker for first time use. Called by setup.exe license.txt - license agreement ntworker.dis - Distribution file enabling you to receive royalties ntworker.key - Networker license file Setup.a03 - remainder of archived primary files. ----------------------------------------------------------------------------- Not alot of info, but very important as we crack. We now understand that the file "ntworker.key" must be placed in the C:\windows\system directory, and "final.exe" is a file we can "suspect" in our evaluation, just a "zen" feeling:... the description (above) for "final.exe" seems a little "bloated" to me, like they're making excuses for its existance. Why? Take a look at "ntworker.key"... It's a file comprised of 55 lines of numbers, each number is 3 digits long, and each line has 46 numbers in it. Thats 2500 numbers! The very last line begins with an "S", which is the ONLY alpha character in the entire file. Hmm... Time to install. Double click on "setup.exe" in the "disk1" folder, and watch the install go it's merry way, but there's no indication that the "final.exe" program ever ran. Start the program, and we get slapped in the face with the error message described above. Copy "ntworker.key" to the C:\windows\system directory, and re-start the program. This time, we get slapped in the face with a "nag" screen that KNOWS we are an "unregistered" user befor the program even gets on screen. After a slight delay for the "nag" screen, the program comes up, with its "user info" screen ready to fill in, but our "name" is already "unregistered copy" and we are not allowed to change it. A new "readme" file tells us we are limited to only 10 entries, although the licence clearly states we are limited to 20 entries, and if you read the licence further, it says we can have 30 entries! So there's some type of limitation on the number of entries, we just have to guess how many. Shut the program down, another slap with the "nag" screen. This time they even make us press a button! They'll never learn! And I'll try the easy stuff first. A quick look at the "about" on the help menu, and I see the programs serial number, the same number as the first four groups of numbers on the last line of the "ntworker.key" file, begining with "S". May be a clue? A double click on the "final.exe" file icon and I get an error message... "can't find file 'setup.syx'" And my usual "social engineering" with the people who want my money, teaches me that they WILL lower the price if I'm a "hard sell", and when I do send them money, they will send me another program, (the missing file) that will register my copy. Time to go to work. Just out of curiosity, I deleted the program from my hard drive, then re-unzipped it. But before I re-installed it, I deleted the "final.exe" file from the "disk3" folder. As expected, install went fine, even without the (now TWO) missing files. I guess they LIED in the file list above! We know the program knows we're unregistered befor we ever get to see the user screen, and there's no way to input our personal information, and there is something important about "ntworker.key" so we'll assume the information we're looking for is near the start of the program. We'll also assume the "nag" screen is triggered by something in the ".key" file Break out SoftIce, load up the program "ntworker.exe", and when SoftIce pops up at the program entry line, we see the first 21 lines of code are CALLs to sub routines. What a great place to start. To narrow down the field a bit, I went about half way down the list and entered a "here" command, while watching the screen for a "nag", but nothing showed up. Then I went to the line just past the last call, entered "here", and still no "nag" screen. A few lines of code, and another CALL, a few more lines of code, and yet another CALL, a few more lines of code, and another CALL - this CALL painted a grey box on the "user screen", and finaly, a few more lines of code, and the CALL I was looking for, the "nag" screen was painted. Now I'm at CS:000000C9, with 25 calls behind me, and ONE of those CALLs must have accessed the ".key" file. Which one? It would likely be near the CALLs that draw the "nag" screen. I shut down the program, took a quick look at the ".key" file to write down the serial number, then re-loaded the program. I went past the first 21 CALLs, and entered a "here" command. Then I searched memory for the serial number. No luck. Go past the next sub-routine CALL, enter "here", search memory, no luck. But on my THIRD try, at CS:000000A9, I found the entire ".key" file loaded into memory. Re-start the program, this time I went to the offending CALL to place my "here" command on CS:000000A9, then I traced ("t") into the call. Once inside, I placed a breakpoint on HMemCpy (bpx hmemcpy) and then "ctrl-d" to let the program run. A couple of breaks later, and the first line of the ".key" file was moved into ES:DI, with a 3 digit number (910) appended at the beginning of the number sequence. I followed this number string through, using the "t" command, but the whole string was just ignored, and I found myself back at HMemCpy. I thought this was just loading the ".key" file into memory, so I pressed "ctrl-d" each time the program broke back into SoftIce, expecting to follow things through after the whole file had been copied. Then, on the 8th time around, I noticed the line being copied from the ".key" file had "910" as it's third group of numbers. I decided to follow this string, and it branched off of the normal path, as I had hoped. The program runs us through a few CMPs to see if it has located a "$", or a "+" or a "-" sign. Then our number is converted to a hexadecimal number, and finaly, the hexadecimal number is run through a whole bunch of CMPs. Here lies our "crack", because IF the hexadecimal number matches one of the CMPs, a "different" hexadecimal number is stored in memory. And all of these "different" numbers just happen to coincide with the hexadecimal eqivalents to the characters of the alphabet! Nothig realy important happens with the 910 number, so we continue on, until the 18th number string from the ".key" file. This time the number "735" is appended to the begining of the number string. The string also contains a "735", so I follow it. I find the number "735" gets converted to a hex "02DF" which CMPs to "U". The next time around, the number appended to the SAME number string is "479", which gets converted to hex "01DF", then CMPs to "N", etc. That whole nasty word "UNREGISTERED" is on this SAME number string line! This continues until the entire ".key" file has been read. The crack, you ask? Isn't it obvious? Just go to the long string of CMPs, copy down the hexadecimal number on the CMP line of code, along with the letter of the alphabet that corresponds to the hexadecimal number that will be placed in memory if the CMP proves true. Then convert the hexadecimal number to its digital form, this will give you the "alphabet" used in the "ntworker.key" file. Now just go to the line that holds the numbers that spell "UNREGISTERED" and replace these numbers with the numbers that match the letters of your first name. THEN find the line that has the numbers pertaining to "COPY", and do the same thing, like this... ----------------------------------------------------------------------------- ".key" file "640,...735,479,235,190,429,684,499,440,190,235,190,838,455,..." converted to hex 2DF 1DF 0EB 0BE 1AD 2AC 1F3 1B8 0BE 0EB 0BE 346 puts into memory 55 4E 52 45 47 49 53 54 45 52 45 44 which spells U N R E G I S T E R E D I want my name H A C K M O R E put into memory 48 41 43 4B 4D 4F 52 45 so I need to CMP to 0DC 18F 32E 142 1E4 17B 0EB 0BE which in decimal is 220 399 814 322 484 379 235 190 ".key" file "640,...220,499,814,322,484,379,235,190,455,235,190,838,455,..." ----------------------------------------------------------------------------- The string you want to print (your name) MUST end with a number which does NOT match any of the CMPs. Thats the signal to the computer to stop reading the current number string. I've used "455" in this example. Also, each number string MUST contain 46 numbers, if not, you'll get an error message. Yes, I could give you the whole crack and tell you which lines need to be changed to complete your task, and I could give you the entire alphabet, but that would take all the fun out of learning how to do it yourself. Simply changing the "UN" above will crack this program, if you're lazy. Now, fully registered, we can assume the missing file "setup.syx" only contains the alphabet conversion tables, maybe with some offset information for the "ntworker.key" file. And when you pay for your copy, they send you "setup.syx", then you run "final.exe" to paste the "user info" into the "ntworker.key" file. So if you want, you could write your own "setup.syx", or just convert the "ntworker.key" file by hand. Either way you'll know that just because they used the "missing file" scare tactic on you doesn't mean the program cannot be cracked! Happy Crackin' Hackmore Readrite DataMiners Inc.

You are deep inside fravia's page of reverse engineering, choose your way out:

homepage links red anonymity +ORC student tools cocktails search_forms mailFraVia
Is reverse engineering illegal?

Fravia 28 May 1997