{"id":238,"date":"2017-05-04T14:31:46","date_gmt":"2017-05-04T14:31:46","guid":{"rendered":"http:\/\/www.max-sperling.bplaced.net\/?p=238"},"modified":"2024-02-16T10:16:58","modified_gmt":"2024-02-16T10:16:58","slug":"software-cracking-example-1","status":"publish","type":"post","link":"http:\/\/www.max-sperling.bplaced.net\/?p=238","title":{"rendered":"Software Cracking (Example 1)"},"content":{"rendered":"

0. Building<\/strong>
\nThe following crackme sourcecode got build with the C compiler from MinGW as PE x86.<\/p>\n

\r\n#include <stdio.h>\r\n#include <string.h>\r\n\r\nint main()\r\n{\r\n    char strLicense[] = "l_i_c_e_n_s_e";\r\n    int intLenLicense = sizeof(strLicense)\/sizeof(strLicense[0]);\r\n\r\n    char strInput[intLenLicense];\r\n    fputs("Enter the license:", stdout);\r\n    fgets(strInput, intLenLicense, stdin);\r\n\r\n    if(strncmp(strInput, strLicense, intLenLicense) != 0) {\r\n        fputs("Trial version", stdout);\r\n        return 1;\r\n    }\r\n    else\r\n        fputs("Full version", stdout);\r\n\r\n    return 0;\r\n}\r\n<\/pre>\n
 <\/p>\n
1. Reverse Engineering<\/strong>
\nFor the reverse engineering of the build program is OllyDbg used. The interesting section is shown in the following assembler code.<\/p>\n
\r\n0040166E  MOV DWORD PTR SS:[ESP],a.00404044      ; ||||ASCII "License:"\r\n00401675  CALL <JMP.&msvcrt.fwrite>              ; |||\\fwrite\r\n0040167A  MOV EAX,DWORD PTR DS:[<&msvcrt._iob>]  ; |||\r\n0040167F  MOV EDX,EAX                            ; |||\r\n00401681  MOV EAX,DWORD PTR SS:[EBP-14]          ; |||\r\n00401684  MOV DWORD PTR SS:[ESP+8],EDX           ; |||\r\n00401688  MOV EDX,DWORD PTR SS:[EBP-C]           ; |||\r\n0040168B  MOV DWORD PTR SS:[ESP+4],EDX           ; |||\r\n0040168F  MOV DWORD PTR SS:[ESP],EAX             ; |||\r\n00401692  CALL <JMP.&msvcrt.fgets>               ; ||\\fgets\r\n00401697  MOV EDX,DWORD PTR SS:[EBP-C]           ; ||\r\n0040169A  MOV EAX,DWORD PTR SS:[EBP-14]          ; ||\r\n0040169D  MOV DWORD PTR SS:[ESP+8],EDX           ; ||\r\n004016A1  LEA EDX,DWORD PTR SS:[EBP-22]          ; ||\r\n004016A4  MOV DWORD PTR SS:[ESP+4],EDX           ; ||\r\n004016A8  MOV DWORD PTR SS:[ESP],EAX             ; ||\r\n004016AB  CALL <JMP.&msvcrt.strncmp>             ; |\\strncmp\r\n004016B0  TEST EAX,EAX                           ; |\r\n004016B2  JE SHORT a.004016E3                    ; |\r\n004016B4  MOV EAX,DWORD PTR DS:[<&msvcrt._iob>]  ; |\r\n004016B9  ADD EAX,20                             ; |\r\n004016BC  MOV DWORD PTR SS:[ESP+C],EAX           ; |\r\n004016C0  MOV DWORD PTR SS:[ESP+8],0D            ; |\r\n004016C8  MOV DWORD PTR SS:[ESP+4],1             ; |\r\n004016D0  MOV DWORD PTR SS:[ESP],a.0040404D      ; |ASCII "Trial version"\r\n004016D7  CALL <JMP.&msvcrt.fwrite>              ; \\fwrite\r\n004016DC  MOV EAX,1\r\n004016E1  JMP SHORT a.00401710\r\n004016E3  MOV EAX,DWORD PTR DS:[<&msvcrt._iob>]  ; |\r\n004016E8  ADD EAX,20                             ; |\r\n004016EB  MOV DWORD PTR SS:[ESP+C],EAX           ; |\r\n004016EF  MOV DWORD PTR SS:[ESP+8],0C            ; |\r\n004016F7  MOV DWORD PTR SS:[ESP+4],1             ; |\r\n004016FF  MOV DWORD PTR SS:[ESP],a.0040405B      ; |ASCII "Full version"\r\n00401706  CALL <JMP.&msvcrt.fwrite>              ; \\fwrite\r\n<\/pre>\n
 <\/p>\n
2. Solution<\/strong>
\nPatch<\/u>
\nThe easiest solution is to patch the program. The conditional jump for that is at 004016B2 below the important string comparison. Replace this conditional jump with an unconditional jump, cause a jump there leads to the “Full version”.<\/p>\n
Serial<\/u>
\nAnother solution is to find out the requested license key. Set a breakpoint, above the important string comparison, at 004016A8 and start the debugger. The ASCII value in EDX is the license key and the ASCII value in EAX is the entered string.<\/p>\n","protected":false},"excerpt":{"rendered":"
0. Building The following crackme sourcecode got build with the C compiler from MinGW as PE x86.   1. Reverse<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false},"categories":[39],"tags":[],"_links":{"self":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/238"}],"collection":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=238"}],"version-history":[{"count":1,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/238\/revisions"}],"predecessor-version":[{"id":16718,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=\/wp\/v2\/posts\/238\/revisions\/16718"}],"wp:attachment":[{"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=238"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=238"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.max-sperling.bplaced.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=238"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}