Dead listening/Patching Tutorial
================================

|----------------------------------------------------------|
|Basic Info:                                               |
|----------------------------------------------------------|
|Writer: Bengaly                                           |
|date: 12/7/01                                             |
|Author: Hilgraeve's HyperTerminal 6.1                     |
|Protection: Register Code                                 |
|URL: * no direct links *                                  |
|Tools:                                                    |
|   Hex-Editor (Hview)                                     |
|   W32DASM                                                |
|   SoftIce 3.x+                                           |
|Level:                                                    |
|                                                          |
|   Beginner [ X+ ]   Medium [ ]   Advanced [ ]            |
|----------------------------------------------------------|

Hello! Welcome to my 25th tutorial. Today we will talk about patching and dead listening.
A little hard to understand, and easy to patch ;P...

The author says:
------------------------------------------------------------------------------------------------
HyperTerminal Private Edition (HyperTerminal PE) is a more powerful version of HyperTerminal,
which Microsoft includes with Windows 95, Windows 98, and Windows NT 4.0. Hilgraeve developed
HyperTerminal for Microsoft, and began providing HyperTerminal PE free for personal use shortly
after the release of Windows 95. Each successive release of HyperTerminal PE has won new awards
and caused the program's following to swell. It is today one of the most popular free downloads
on the Internet.
-------------------------------------------------------------------------------------------------

About the protection:
------------------------------------------------------------------------------------------------
This protection is via a nag screen that appears at every run of the program, or you can choose
HELP->ENTER AUTHORIZED CODE... (inside the program).
The reg key will be saved at:
RegDB Key: Software\Hilgraeve Inc\HyperTerminal PE\3.0
-------------------------------------------------------------------------------------------------

The Essay
==========

Today we will learn how to crack this program in 2 possible ways. I wanna thank +ORC for the
second approach!
I will not sniff out the serial, cuz it's a very hard task: this program does not use any algo
to calculate a registered serial number, it simply prompts us for a REG CODE. So usually there
won't be a lot of serials to deal with; at most we can narrow it down to 3-1 possible serials,
best case 1 serial.

OK, so what are we going to do today? First we explore the program and its elements.

======================================[1st Approach]============================================

Load the program. You will see a NAG SCREEN with 3 buttons: "OK" / "REGISTER" / "ENTER CODE".
We press the "ENTER AUTHORIZE CODE" button and we continue to our nice TextA field.
Enter any code you wish..

--------------------------
Enter Code: [ 1234567890 ]
--------------------------

Load up SoftIce, and we will use the breakpoint "GetDlgItemTextA" to break with. So set it up:

BPX GetDlgItemTextA

...we are done! Leave SoftIce with F5 or X or Ctrl-D (never mind which).
Press the "OK" button; SoftIce will immediately break in. Press F12 only one time.
We will be here:

====================================================================================|
EAX=0000000A EBX=0063F698 ECX=800077E8 EDX=80008A58 ESI=000003F4                   |
EDI=00000810 EBP=0063F644 ESP=0063F624 EIP=1001B7AE o d I S z a P c                |
CS=0177 DS=017F SS=017F ES=017F FS=11BF GS=0000 SS:0063F62C=34333231               |
....................................................................................|
0177:1001B7A8 CALL [USER32!GetDlgItemTextA]                                        |
0177:1001B7AE LEA EAX,[EBP-18]    <= We Break Here, Get Serial From TextA          |
0177:1001B7B1 PUSH EAX            <= Save Entered Serial To Stack                  |
0177:1001B7B2 CALL 1001B835       <= Call Program's Main Check Of Code No          |
0177:1001B7B7 CMP EAX,01          <= "Flag City" is EAX = Correct Code?            |
0177:1001B7BA JNZ 1001B7DA        <= No...Begger_Off                               |
0177:1001B7BC LEA EAX,[EBP-18]    <= Not Important                                 |
0177:1001B7BF PUSH EAX            <= Not Important                                 |
0177:1001B7C0 CALL 1001B3E1       <= Not Important                                 |
0177:1001B7C5 MOV EAX,[10038718]  <= Not Important                                 |
====================================================================================|

OK, let us examine the asm code we see above. We see a CALL->CMP, unusual.. mostly programmers
will hide such a thing, but it seems they haven't ;P Let's take it as our advantage..
Entering the CALL at offset 1001B7B2 will take us to the main program's code checking and
analyzing. Note this is not an algo, since the program doesn't use or have one anywhere inside
of it! OK, we see a CMP... seems the program checks if EAX (fake serial) = 01. Hm.. so seems to
me 01 = real serial flag. What do I mean by flag?? I mean that if we enter a fake serial then
EAX=0, and if we enter a correct serial then EAX=1, so the program checks to see if we entered
a correct serial by using this flag (I'll call it Flag-City). And in our case we entered
"1234568790" <= bad serial, EAX=0, then we get a messagebox saying "Invalid Registration Code".

Now exit SoftIce for now, and open up W32Dasm... Load hyperTeminal.exe (20k, weird)... OK, we
get a disassembly but.. weird, no String-References and the code is far too small... No API
calling... so I guess something's wrong... OK, go to the program's dir
"C:\Program Files\Accesories\Hyper\". We will see that there is a hidden DLL (4000k), that
sounds much better to us... so the program imports its data from the hidden DLL.. Heh, thought
no one would search there?? Dunno, maybe. Anyway, load the DLL in W32Dasm... fewwwwww, we get a
pure disassembly with String-References, and we also see the API import calls (GetDlgItemTextA,
MessageBoxA and etc.). OK, we click on the Str-Ref button to get a list of exports and text
used by the program's DLL.

Search a little bit near the end to see the required text: "Invalid Registration Code". Click
on it so we land on the offset that calls it. It will be here:

======================================================================================|
*Referenced by a possible (U)nconditional or (C)onditional Jump at Address:          |
|:1001B7BA(C)                                                                         |
|                                                                                     |
:1001B7DA 6A30                   PUSH 00000030                                        |
                                                                                      |
*Possible StringData Ref From Data OBJ -> "HyperTeminal"                              |
                                                                                      |
:1001B7DC 68FC020410             PUSH 100402FC                                        |
                                                                                      |
*Possible StringData Ref From Data OBJ -> "Invalid Registration Code."                |
                                                                                      |
:1001B7E1 689C030410             PUSH 1004039C        <= Breaks here                  |
:1001B7E6 57                     PUSH EDI                                             |
                                                                                      |
*Reference To: User32.MessageBoxA, Ord:01C1h                                          |
======================================================================================|

OK, so we got the disassembly of the required place the MessageBoxA is called from. But! We can
see that there is a (U)nconditional or (C)onditional Jump that leads to this MessageBoxA... at
address offset "1001B7BA". Seems that we must check it out.. OK, press SEARCH->FIND TEXT and
fill in: 1001B7BA (note the direction needs to be Up.. this tells W32Dasm to look for this
address in the UP direction). OK, we found the jump, W32Dasm will stop here:

=========================================================================================|
                                                                                         |
*Reference To: User32.GetDlgItemTextA, Ord:0106h                                         |
                                                                                         |
:1001B7A8 FF1598830310           CALL dword ptr [10038398]                               |
:1001B7AE 8D45E8                 lea eax, dword ptr [ebp-18]     ; Get user input        |
:1001B7B1 50                     push eax                        ; Save it for later     |
:1001B7B2 E87E000000             CALL 1001B835                   ; Program's checks      |
:1001B7B7 83F801                 CMP eax, 00000001               ; Compare fake serial   |
:1001B7BA 751E                   JNE 1001B7DA                    ; Begger_Off            |
                                                                                         |
=========================================================================================|

OK, remember this code above?? Yeah, the same as we got from SoftIce when we broke with
GetDlgItemTextA. This proves to us that the MessageBoxA is really called from here, and so we
are ready for our first approach in the crack.

Note: I will not enter the CALL now, I will enter it in the second approach, so we can get a
better idea of the second approach.

OK, so the main idea is clear: EAX = 1 if we enter the correct serial, else EAX=0. So what we
need to do is change the call (which is what decides the value of EAX) to a simple
instruction: MOV EAX,00000001. Got the idea?? Sure you did, it's not too hard, you know ;P
So now it will be like this:

=========================================================================================|
                                                                                         |
*Reference To: User32.GetDlgItemTextA, Ord:0106h                                         |
                                                                                         |
:1001B7A8 FF1598830310           CALL dword ptr [10038398]                               |
:1001B7AE 8D45E8                 lea eax, dword ptr [ebp-18]     ; Get user input        |
:1001B7B1 50                     push eax                        ; Save it for later     |
:1001B7B2 B801000000             MOV eax, 00000001               ; EAX = 01              |
:1001B7B7 83F801                 CMP eax, 00000001               ; Compare fake serial   |
:1001B7BA 751E                   JNE 1001B7DA                    ; Begger_Off            |
                                                                                         |
=========================================================================================|

Notice the difference?? :=) A few byte changes and we get a fully registered program to use.

Note: the patch itself is in the DLL, so load up the hex editor, load the DLL in it, and look
for this byte sequence: E87E000000. You will be dropped here:

|----------------------------------------|
| :1001B7B2 E87E000000 CALL 1001B835     |
|----------------------------------------|

Now press F3 for edit, and press F2 for the ASM edit window (Hview 6.40). You will see this
asm edit window:

|===Assembler======|
| CALL 1001B835    |
|==================|

Just change it, with regular ASCII, to:

|===Assembler========|
| MOV EAX,00000001   |
|====================|

Press, and then ESC.. to get out of edit mode! F9 to save the corrected file, F10 to quit the
program (hex editor).
So now that we changed the eax register to hold the flag value of 01, the program thinks it's
registered when executing the instruction CMP eax,01: no bad message, and we cleared our way
and cut some losses in finding the actual S.code. Run the exe again, enter any number, press
OK... hehe, program registered! No more nag screen, and HELP->ENTER AUTHORIZED CODE is now
greyed out!

Job Done!.

=================================[Second Approach]=============================================

The second approach is a bit harder, since you need to enter the program's main check (CALL) at
offset 1001B7B2. From there we need to understand how the program behaves while checking the
(fake) code we entered... well, we know the final conclusion (1/0), yes, but how it's created
is another story. So first let's enter the call and see what's awaiting us ;P
Note: a little big asm check routine, I will do my best to explain :=)

[Program Check Routine:]
------------------------

* Referenced by a CALL at Address:
|:1001B7B2
|
:1001B835 55                     push ebp
:1001B836 8BEC                   mov ebp, esp
:1001B838 83EC1C                 sub esp, 0000001C
:1001B83B 6A15                   push 00000015
:1001B83D 8D45E4                 lea eax, dword ptr [ebp-1C]       ; get code
:1001B840 6A00                   push 00000000
:1001B842 50                     push eax                          ; save
:1001B843 E860BC0100             Call 100374A8
:1001B848 83C40C                 add esp, 0000000C                 ; max chars = 12
:1001B84B 8D45E4                 lea eax, dword ptr [ebp-1C]       ; get user serial
:1001B84E FF7508                 push [ebp+08]                     ; save chars
:1001B851 50                     push eax                          ; save stack
:1001B852 E835BDFEFF             call 1000758C                     ; xor ecx/edx
:1001B857 807DE448               cmp byte ptr [ebp-1C], 48         ; first char = "H" ?
:1001B85B 7404                   je 1001B861                       ; yes then continue ------|
:1001B85D 33C0                   xor eax, eax                      ; clear eax               |
:1001B85F EB51                   jmp 1001B8B2                      ; jump to LEAVE           |
:1001B861 8D45E4                 lea eax, dword ptr [ebp-1C]       ; we jump here if "H" <--|
:1001B864 50                     push eax                          ; save
:1001B865 E80DBDFEFF             call 10007577                     ; get fake serial length
:1001B86A 83F806                 cmp eax, 00000006                 ; compare with '6'
:1001B86D 7CEE                   jl 1001B85D                       ; lower than '6'? then LEAVE
:1001B86F 8A4C05E2               mov cl, byte ptr [ebp+eax-1E]     ; 9'th char move to cl
:1001B873 8D4405E4               lea eax, dword ptr [ebp+eax-1C]   ; fake serial
:1001B877 8065FE00               and byte ptr [ebp-02], 00         ; AND ebp-2 with 00 " "
:1001B87B 884DFC                 mov byte ptr [ebp-04], cl         ; last char move to ebp
:1001B87E 8A48FF                 mov cl, byte ptr [eax-01]         ; last char move to cl
:1001B881 8060FE00               and byte ptr [eax-02], 00         ; AND ebp-2 with 00 " "
:1001B885 8D45E4                 lea eax, dword ptr [ebp-1C]       ; move fake -1 char
:1001B888 56                     push esi                          ; save source
:1001B889 50                     push eax                          ; save to stack
:1001B88A 884DFD                 mov byte ptr [ebp-03], cl         ; last char move to ebp+3
:1001B88D E822BC0100             Call 100374B4                     ; length of serial -1
:1001B892 59                     pop ecx                           ; load ecx
:1001B893 50                     push eax                          ; save ecx
:1001B894 8D45E4                 lea eax, dword ptr [ebp-1C]       ; fake serial
:1001B897 50                     push eax                          ; save stack
:1001B898 6A00                   push 00000000                     ; flag?
:1001B89A E817000000             call 1001B8B6                     ;
:1001B89F 8BF0                   mov esi, eax                      ; esi = eax (fake serial)?
:1001B8A1 8D45FC                 lea eax, dword ptr [ebp-04]       ; fake serial
:1001B8A4 50                     push eax                          ; save stack
:1001B8A5 E867000000             call 1001B911                     ;
:1001B8AA 2BC6                   sub eax, esi                      ; eax-esi = -1
:1001B8AC 5E                     pop esi                           ; reload esi
:1001B8AD F7D8                   neg eax                           ; eax = -1 (negative of 1)
:1001B8AF 1BC0                   sbb eax, eax                      ; eax = -1 (ffffffff)
:1001B8B1 40                     inc eax                           ; eax = 0 <= bad_boy
:1001B8B2 C9                     leave                             ; exit
:1001B8B3 C20400                 ret 0004                          ; return

OK, got the idea? Basically it checks for the max/min chars that the serial needs to have, and
it also checks the first char you entered for "H"; otherwise it jumps to bad boy. Then it
moves chars from the reg code and plays with them a little. As I said, it's very hard to get
the serial, so only a very high-skilled asm coder could sniff out the serial; otherwise the
only way we can go is to use another patch. That patch will let us use a serial number
starting with "H" that is 6-12 chars long as the registration code.
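The tail of the routine (sub / neg / sbb / inc) is the standard x86 idiom for turning "are these two values equal?" into the 1/0 flag that CMP eax,01 later tests. As an added example, not the tutorial's or Hilgraeve's code, here it is modelled in C with the carry flag tracked explicitly, so you can follow why eax ends up 1 only when the two compared values match; the inputs are constructed values.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example (not the program's code): a model of the routine's last
 * four instructions, sub eax,esi / neg eax / sbb eax,eax / inc eax, that
 * tracks only EAX and the carry flag (CF). Inputs are constructed values. */
struct cpu {
    uint32_t eax;
    int cf;          /* carry flag, 0 or 1 */
};

/* sub eax, esi: CF is set when an unsigned borrow occurs. */
static void op_sub(struct cpu *c, uint32_t esi) {
    c->cf = c->eax < esi;
    c->eax -= esi;
}

/* neg eax: eax = 0 - eax; CF is set iff the operand was non-zero. */
static void op_neg(struct cpu *c) {
    c->cf = c->eax != 0;
    c->eax = 0u - c->eax;
}

/* sbb eax, eax: eax = eax - eax - CF, so 0 if CF=0, 0xFFFFFFFF if CF=1. */
static void op_sbb_self(struct cpu *c) {
    c->eax = 0u - (uint32_t)c->cf;
}

/* inc eax: does not touch CF. */
static void op_inc(struct cpu *c) {
    c->eax += 1;
}

/* Run the tail with the two values the routine compares (eax from the
 * second call, esi from the first) and return the flag that the caller
 * then tests with CMP eax,01. */
uint32_t check_tail(uint32_t eax, uint32_t esi) {
    struct cpu c = { eax, 0 };
    op_sub(&c, esi);
    op_neg(&c);
    op_sbb_self(&c);
    op_inc(&c);
    return c.eax;    /* 1 iff eax == esi, otherwise 0 */
}

int main(void) {
    printf("equal:   %u\n", (unsigned)check_tail(7, 7));   /* 1 */
    printf("unequal: %u\n", (unsigned)check_tail(9, 7));   /* 0 */
    return 0;
}
```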
Second patching approach:

Since after that call we have a CMP eax,01, eax needs to be 01 at the end of the routine
above. But in most cases it will be 0, since we don't know the real serial and used a fake
one :=) Here is the small efficient patch:

=================================|
1001B8AF 1BC0   sbb eax, eax    |
                                |
To:                             |
                                |
1001B8AF 33C0   xor eax, eax    |
=================================|

Now that we set eax=0, the next instruction:

|=========|
| inc eax |
|=========|

will make eax = 1 for every "Hxxxxxx", or up to 12 chars of serial number. This is a small and
efficient patch that won't screw up the code.

Job Done!.

===============================================================================================

Final notes:
All the patching took place inside: hyprtrm.dll
Not so hard, just practice... until next time.
Have fun :=)

|==================================================================|
| My thanks and gratitude goes to:                                 |
|==================================================================|
| -------+ORC----------;for talking to me and for the support      |
| ------+SandMan-------;for being a Great Cracker                  |
| ----CoDe_InSiDe----- ;for helping in cracking                    |
| -----BLAcKgH0sT------;for being a good friend :=)                |
| -------FusS----------;for the asm / keygenning help              |
|==================================================================|