The Hacker's Home: The Art Of Cracking

Wednesday, August 14, 2013

The Art Of Cracking


Introducing you to the world of Cracking, A beginner's tutorial Written by: PK


What is cracking? Cracking is, as I like to say, an art, an expression. Everyone can take it up, but not everyone can make the best of it. If you like to crack, you'll see that it isn't easy to understand at first, but after gaining some experience and knowledge it is incredible. If you have learned real cracking you aren't only a cracker; you are more than a cracker. With the art of cracking you'll gain more knowledge about your PC, the programs you are running on it and how they work. You'll understand how a program works and how to manipulate it so that it can be useful for you. And that doesn't mean it's illegal. Of course it's not 100% legal, but it can be useful for you in your later life. You gain experience with ASM code, understand how programs and other applications function, and maybe it brings you up to being a programmer.
Who knows, but at first you have to learn it step by step. I'll help you with my tutorials and I hope you understand the way I explain it. Excuse my English, I know it's not the best, but I'll do my best.
  

Step one:
What do we need to crack?
Do I need some knowledge about assembler or anything else?
No. I made this tutorial for all the beginners who don't understand anything about ASM code or the internal functioning of applications. Like you and everyone else, I also started with cracking some time ago, and it took much of my time to learn what I know today about cracking. I think there are many tutorials which are good and I don't want to say anything against them. But I think most of them are quickly written memory killers with which you can't do anything. I always had a problem understanding them and what they mean. Like: what is a NOP, or what do terms like JE, EAX, jump signs, etc. mean? What do they mean by "jump to a bad boy" and "replace the jump if not equal with the jump if equal command"? All these things and many more sometimes made me worry about what I wanted to learn. I thought that I'd give up on cracking. Yes, sometimes you'll think "oh man, what do you mean", "it doesn't work"!
BUT DON'T GIVE UP.
Everyone experienced this at some point and you're neither the first nor will you be the last. You have to learn again and again. And then at some point you'll see that what you were doing all the time was good, and you'll be proud of your efforts.
  

The software we'll need:
At first the only things we'll need are W32Dasm 8.9 (a Windows disassembler) and HIEW (a good hex editor; I think it'll be the best for you at first). That's all. In the following tutorials I'll explain how to work with Soft-Ice and how to handle the ASM code. But at first, what you need as a beginning cracker are only these two things.
  

1) Getting started:
As you know it's not very easy to handle all the ASM code, and I think you don't know much about it. So I'll explain the most needed commands. First we have to know that every two hex digits in ASM code represent one byte. Take the number 75564345 = 4 bytes: the 75 is one byte, the 56 is one byte, the 43 is one and the 45 is one byte. So we have 4 bytes making up the command at this point. If we want to replace them later, we now know that we always have to replace two digits with two other digits. For example the 75 (in hexadecimal it stands for JNE; JNE means jump if not equal) we can change to 74 (in hexadecimal it stands for JE; JE means jump if equal). Most of the time this is enough to crack a game or to register a program so that it won't say "sorry, invalid password" or something else (please don't think it's always so easy; I take this as a very simple protection). Because if we change the value 75 (jump if not equal [means the application is checking something, like whether there is a CD present in the drive or whether the password is the same as the one saved in the program; if it isn't right, like there is no CD in the drive or the password you entered is not valid, it will jump to the "Bad Boy" and the program pops up the error message]; by the way, "Bad Boy" in cracker language is something like the dude who calls the error message) to 74 (jump if equal, so the program thinks there is a CD in the drive or the password is valid and will jump to the "Good Boy"; the Good Boy is the one who clears the way). You have to manipulate the application so it thinks there is a CD present or the password is valid, and it continues with the program. Remember that the exe runs from top to bottom. So the commands which call the error messages are placed before the error messages. What I mean is that if you found the error message (I'll explain later how to do it) you always have to look up in the ASM code, not down. It's like you: if you read a book or a text you start on line one and read your way down.
The program does the same. It checks from line one of the ASM code to the end of the code whether everything is correct. And if it finds an error in line 9, it jumps down to the "Bad Boy". It can't jump up, because there it has checked everything and there are no complications. So if you found the error message, look up (before it) and you'll find the command which calls the error message on the screen. OK, now some things about the numbers and things you'll see if you disassemble an exe (here are only the most needed things you have to know at this point in time):

je (hexadecimal 74) = jump if equal
JNE (hexadecimal 75) = jump if not equal
NOP (hexadecimal 90) = no operation
call (no fixed hexadecimal) = call an operation
jmp (no fixed hexadecimal) = jump to a string/operation

These are the five basics we'll need at first. The others will be explained in later tutorials when you have gained more experience with ASM code.
OK, now we'll take a look at what they do in an ASM code string. JE (jump if equal) jumps to an operation if it has found what it was supposed to check.
  

Example: A game needs a CD to start the main game. So the "jump if equal" (je) command checks whether there is a CD in the drive. If there is a CD in the drive it'll continue and pass information on to the commands after it. That's an equal operation: the CD was found (equal) and it continues in the ASM code (jump if equal). JNE (jump if not equal) jumps to an operation (most of the time a Bad Boy, that means the error message you'll receive on your screen) if it didn't find what it checked.

Example: The game needs a CD to start the main game. So the "jump if not equal" (jne) command checks whether there is a CD present in the drive. If not, it'll jump to a "Bad Boy" and you'll receive an error message on screen like "Cannot find CD in drive. Please insert CD and click on OK." That's a "jump if not equal" operation. The check failed (because it didn't find a CD in the drive), it jumped to the "Bad Boy", and the "Bad Boy" ends the load process and lets the error message be shown on your screen. The NOP (no operation) command kills the current operation, like checking for a CD in the drive or checking whether the password is valid.
  

Example: The game needs a CD to start the main game. It's like before, except that you set the NOP command. You can replace the JNE/je/call/jmp commands with a NOP command. The NOP will then disable the JNE/je/call/jmp command; this means the program doesn't check whether a CD is present in the drive and continues in the ASM code. The game runs (you can do that, but it's a method only for simple CD protections). The call (call an operation) command does what its name says: it calls a command, which can be an error message, a nag screen... This you can disable with a NOP command.

Jmp (jump to a string/operation) is like a call (not the same, but... you can say it is): it doesn't call commands, it jumps to them.
  

Example: The jmp jumps to a string/operation which will call an error message, or to a Bad Boy... The jmp can also be disabled with a NOP command. I think that's all you've got to know for now about the commands in ASM code. In this tutorial we'll deal only with these few commands.
GOOD LUCK!!
About protection schemes:
There are enough protection styles you have to learn about and learn how to disable. We have "normal" CD protections (a game looks whether there is a CD present; if not, it won't start the game), password protections (you have to enter a valid password [most of the time you find them in trial versions]; if you don't enter a valid password you can't register or start the application), time locks (most of the time in trial versions: you have some time to test a program, like three weeks, and after that time it won't start / shows an error message / you have to enter a password to unlock it), and in unusual cases you have to get unlock software from the programmer (the program won't work without the software of the distributor; this kind of protection is hard to find). These are the most usual protection schemes you'll find on your way to becoming a real cracker. The easiest protections for us to crack are Windows error message boxes (I think so). It's a Windows message box which will be shown on your screen with some text if you haven't got a CD present or a valid password. This kind of protection you can see in EA applications like NFS/Fifa Soccer/NHL... It's very easy to crack because the only thing you have to do is kill the window (most of the time with a NOP command, or by changing je to JNE / JNE to je). We can also find this kind of protection in password-locked applications. If you enter an invalid password you'll receive a Windows message box too, which includes a text like "invalid password" or something else. Then we have in-game error messages, which are harder to crack, because W32Dasm shows you only the Windows box messages and not the in-game messages.
For this kind of protection we need the Soft-Ice debugger (I'll explain in later tutorials how to use Soft-Ice). This kind of protection you can see in games like Commandos / Grand Theft Auto / Descent Freespace. And the time lock protections can be shown to you as a Windows box and as an "in game" error message (I'll call them NAG screens). This kind of protection you can see in Paint Shop Pro. In this tutorial I'll show you how to disable the Windows message boxes with W32Dasm version 8.9 and with Hiew. We'll crack WinRAR and WinRAR95 (maybe a game too, like Anno 1602 or anything else; I don't know how much time I'll get and whether the tutorial won't get too long).
Beginning with cracking:
Now let's start with the main thing you want to learn: cracking. I'll show you now how to handle the basic commands of W32Dasm89 and Hiew. We'll now crack WinRAR95.exe (we'll make a full registered version of the trial).
  

At first we start the program we're in. What can we see? On top of the window we can see "WinRAR (unregistered version)". That's very good for us, because the "unregistered version" status behind "WinRAR" tells us that it is unregistered, and that it won't be shown if it is registered. Now we click on "Options" and then on "Register". Now you can see a Windows box (this is the kind of box I mean which is easy for us to crack). Now enter in the text boxes whatever you want, like "Test" as the name and "12345" as the number, and click on OK. You'll hear a sound and another Windows box pops up which tells you "Registration Failed". That's all we want to know. Close WinRAR95 and go to your MS-DOS box. Now in Norton Commander (you can use Windows Commander too) make two copies of your WinRAR95.exe: one named WinRAR95.w32 (for W32Dasm89) and one named WinRAR95.exx (a saved copy in case you change the wrong bytes). Now I'll explain why we make these copies. It's very easy: if you disassemble an exe like WinRAR95 and you're working on it in W32Dasm89, you can't run WinRAR95.exe at the same time in Hiew or in Windows Explorer. So you make a second copy named WinRAR95.w32 (you can call it whatever you want, but it's good that you see it's for W32Dasm89). This copy you'll disassemble with W32Dasm89, and you can start the original exe in Windows or change the bytes in Hiew at any time. The other copy, WinRAR95.exx, is only a recovery copy. If you change the wrong bytes in Hiew or anything else so that it won't run, you can rename WinRAR95.exx to WinRAR95.exe and try again (remember, it's always a "trial and error" technique). OK, once you have made the two copies, start W32Dasm89. Now click on the first button at the top (or click on "Disassembler" and then on "Open file to disassemble"). A window pops up and you can choose the file you want to disassemble. Change to your WinRAR directory and click on WinRAR95.w32.
Now W32Dasm starts the disassembling process (if you have little system memory or little hard disk space it'll take some time). You can always click on the button in the middle of the screen called "Cancel Disassembly", which will abort the disassembling process. When the exe is disassembled it may be that you see no "normal" characters but lines written in WingDings. Don't worry, you can change your font. Click on "Disassembler", then on "Font" and finally on "Select Font". Now you can choose the font you'll use in W32Dasm89; I think the best one is Arial. Change the font. Now you have your selected font in W32Dasm89. Click a second time on "Disassembler", "Font" and then on "Save default Font" (if you don't do that, at your next disassembled file you'll have to change the font a second time). Now you see the ASM code. It won't tell you much, because you don't know what all the commands mean. Now click on the button next to the "Print" button called "Strn Ref" (String Data References). A window pops up. Now you can see all the error messages you can receive from the exe. Do you remember what WinRAR said when you entered the wrong code? It said "Registration Failed". Now look at the text and search for the message. Got it? Double click on it. In W32Dasm you'll be warped to the position in the ASM code where it pops up the error message you receive on your screen when you entered the wrong code. If you did it right you should be looking at a screen like this:

:00413A8F 6A6A          push 0000006A
:00413A91 E863640000    call 00419EF9
:00413A96 59            pop ecx
:00413A97 50            push eax
:00413A98 FF7508        push [ebp+08]
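As an added example (not part of the original tutorial), here is a small Python script that puts two of the points above into code: every two hex digits in a W32Dasm listing are one byte, and 74, 75 and 90 are the JE, JNE and NOP opcodes (74 and 75 are the two-byte short forms with a signed 8-bit offset; E8 is the five-byte call and EB the short jmp, which the page does not list). It checks that the five listing lines shown above are self-consistent (each address plus its byte count is the next address, and the call's encoded offset really lands on 00419EF9), then shows how JE and JNE choose the next instruction from the zero flag. The listing text is copied from the page; the jump bytes and addresses used in the tests are constructed.

```python
import re
# Opcodes the tutorial names, in their short (rel8) forms; E8 is the rel32 call seen in the listing.
SHORT_JCC = {0x74: "je", 0x75: "jne"}
NOP, CALL_REL32, JMP_REL8 = 0x90, 0xE8, 0xEB

def decode(code: bytes, addr: int):
    """Decode one instruction from the tutorial's subset at `addr` -> (mnemonic, length, target)."""
    op = code[0]
    if op == NOP:
        return "nop", 1, None
    if op in SHORT_JCC or op == JMP_REL8:            # two bytes: opcode + signed 8-bit offset
        disp = int.from_bytes(code[1:2], "little", signed=True)
        return SHORT_JCC.get(op, "jmp"), 2, addr + 2 + disp
    if op == CALL_REL32:                             # five bytes: opcode + signed 32-bit offset
        disp = int.from_bytes(code[1:5], "little", signed=True)
        return "call", 5, addr + 5 + disp
    raise ValueError(f"opcode {op:02X} is not covered by this tutorial")

def next_ip(code: bytes, addr: int, zf: int) -> int:
    """Where execution continues: JE is taken when ZF == 1, JNE when ZF == 0, JMP always."""
    mnem, length, target = decode(code, addr)
    taken = mnem == "jmp" or (mnem == "je" and zf == 1) or (mnem == "jne" and zf == 0)
    return target if taken else addr + length

# W32Dasm-style listing line: ":<address> <hex bytes> <mnemonic operands>"
LINE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")

def parse_listing(text: str):
    """Return [(address, raw bytes, mnemonic text), ...] for every listing line."""
    rows = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), bytes.fromhex(m.group(2)), m.group(3)))
    return rows

def listing_is_consistent(rows) -> bool:
    """Two hex digits are one byte, so addr + len(bytes) must equal the next line's addr."""
    return all(a + len(b) == rows[i + 1][0] for i, (a, b, _) in enumerate(rows[:-1]))

def call_target(rows) -> int:
    """Decode the rel32 of the first E8 call; it should equal the target W32Dasm printed."""
    addr, code, _ = next(r for r in rows if r[1][0] == CALL_REL32)
    return decode(code, addr)[2]

# The five lines shown on the page above (copied, not constructed).
LISTING = """
:00413A8F 6A6A          push 0000006A
:00413A91 E863640000    call 00419EF9
:00413A96 59            pop ecx
:00413A97 50            push eax
:00413A98 FF7508        push [ebp+08]
"""
```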
