What The Hack

Strange as it may seem, the reasons for cracking are very important for the success of our task. We (at least we old crackers) crack AGAINST society, and OPPOSING laws and conventions. We usually DO NOT crack for money or for other "commercial" reasons (just sometimes, and we are expensive: I have plenty of money already and my services are VERY expensive if you need an aimed deprotection).

Thursday

Lesson 3 : hands on, paper protections P-2

[TOP.EXE] [F19.EXE] [POPULOUS.EXE] [MAP.EXE]

You have seen in the previous lesson that the use of a password protection, independently of the coding and hiding methods used to store the password in memory, implies the use of a comparing procedure with the password that the user types in. You therefore have many options to begin your cracking work:

-    find the location of the user password
-    find the "echo" in memory of the real password
-    find the routine that compares both
-    find the password's hideout and encryption type
-    find the go_ahead_nice_buyer exit or jump
-    find the beggar_off_ugly_copier exit or jump

just to name the more obvious ones. In order to make things more difficult for us crackers, the protectionists have devised many counter-strategies, the more obvious ones being:

-    keeping the various parts of the store/compare/hide routines well apart in the code (no match for zen-cracking);
-    filling these routines with "bogus" compares, bogus jumps and bogus variables, in order to make the crack more difficult (no match for decent crackers);
-    disseminating the code with anti-debugger tricks, like INT_3 instructions or jumps in and out of protected mode (no match for our beloved [Soft-Ice]);
-    trying to eliminate the need for passwords altogether, letting the user input "one letter" or "one number" or "one image" as the answer to some variable question. In this lesson I'll teach you how to crack these "passletter" protection techniques.

Let's first resume the "uses" of a password protection:

PASSWORDS AS PERMISSION TO ACCESS

These passwords serve to acknowledge that a legitimate user is using the program. This is the type of password that you'll find, for example, protecting your user account on Compuserve, on networks or even in the ATM machines used by banks or corporations. These require a little hardwiring to crack: ATM passnumber protection schemes rely on an answer from the central computer (they do NOT verify only the three magnetic areas in the magnetic strip on the card). The lines between ATMs and their hosts are usually "weak" in the sense that the information transmitted on them is generally not encrypted in any way. (Some banks use encrypted information, but this is fairly easy to crack too.) So for ATMs you should do the following:

1)   cross over the dedicated line between the ATM and the host;
2)   insert your computer between the ATM and the host;
3)   listen to the "normal" messages and DO NOT INTERFERE YET;
4)   try out some operations with a legal card, make some mistakes, take note of the various codes;
5)   when you are ready, insert a fraudulent card into the ATM.

Now the following happens:

-    the ATM sends a signal to the host, saying "Hey! Can I give this guy money, or is he broke, or is this funny card invalid?";
-    the microcomputer intercepts the ATM's signal, discards it, and sends on the "there's no one using the ATM" signal;
-    the host gets the "no one using" signal and sends back its "good, keep watching out if somebody comes by, and for God's sake don't spit out any money on the street!" signal to the ATM;
-    the microcomputer intercepts this signal (again), throws it away (again), and sends the "Wow! That guy is like TOO rich! Give him as much money as he wants. In fact, he's so loaded, give him ALL the cash we have! He is a really valued customer." signal;
-    the ATM obediently dispenses cash till the cows come home.

All this should be possible, but as a matter of fact it has not much to do with cracking, unless there is a special software protection on the line... so if you want to work on ATMs contact our fellow phreakers/hackers and learn their trade... and please remember to hack only cash dispensers that DO NOT HAVE a control camera :=)

PASSWORDS AS REGISTRATION

This type of password is often used in shareware programs. When you register the shareware program, you are sent a password that you use to upgrade your shareware program to a complete and more powerful version. This method, used frequently for commercial applications, has recently been used quite a lot by many Windows applications that come "crippled" on the magazines' cover CD-ROMs, requiring you to telephone a hot line (and pay) in order to get the "unique key" that unlocks the "special protection". It's all bullshit: we'll learn in the "how to crack windows" lessons how easy it is to disable the various routines that verify your entry.

PASSWORDS AS COPY PROTECTION

This type of password is often used for games and entertainment software. The password query does not usually appear any more at the start of the program, or as the program is loading. Instead, the password query appears after one or more levels are completed (this innovation was pioneered by "EOB I" and the "Ultima" series) or when the user reloads a saved game or session.

DONGLE PASSWORDS

A few extremely expensive programs use a dongle (also called a hardware key). A dongle is a small hardware device containing a password or checksum which plugs into either a parallel or a serial port. Some specially designed dongles even include complete program routines. Dongles can be cracked, but the amount of work involved is considerable and the trial and error procedure currently used to crack them via software is extremely tedious. It took me more than a week to crack MULTITERM, a Luxembourger dongle-protected program. The quickest method to crack dongle-protected programs involves the use of pretty complicated hardware devices that cannot be dealt with here. I myself have only seldom seen them, and do not like at all to crack dongles via software, coz it requires a huge amount of zen thinking and of luck and of time. If you want more information on the hardware way to crack dongles, try to contact the older ones on the appropriate web sites; they may even answer you if you are nice, humble and really technically interested.
The obvious principle that applies to the software password types mentioned above is the following: the better the password is hidden, and the better it is encrypted, the more secure the program will be. The password may be

-    encrypted and/or
-    in a hooked vector and/or
-    in an external file and/or
-    in a SMC (Self Modifying Code) part

Let's finally inspect the common "ready_made" protection schemes (used by many programmers that do not program themselves):

*    password read in
*    letters added to a key to be entered
*    complement of the letters formed xoring with 255
*    saved key (1 char)
*    saved password (256 chars)
*    saved checksum (1 char), as protection against simple manipulations
*    generating a file PASSWORD.DAT with the password, to be inserted inside a different file than the one containing the calling routine

Now the lazy programmer that wants to "protect" his program searches first the file where the password is stored, then loads the key, the password and the checksum. He uses a decrypt procedure to decrypt the password and a check_checksum procedure to check whether the password was modified. All this is obviously crackable in a few seconds: the key that undoes the XOR sits in the same file as the password, and a checksum that the cracker can recompute protects nothing.

[PASSWORD ACCESS INSIDE THE SETUP]

Some computers have a password-protected access INSIDE the Setup (at the beginning); the protection scheme does not allow a boot from a floppy and does not allow a setup modification. In these cases the only possible crack is an old hack method:

*    open the PC
*    find on the motherboard a small jumper (bridge) with the words "Pw"
*    take it away
*    PC on
*    run the setup with F1 or Del (depending on the BIOS) (the protection will not work any more)
*    deactivate inside the setup the option password
*    PC off
*    put the small jumper (bridge) back again
*    close the PC
*    PC on, cracked (if you want to be nasty you could now use the setup to set YOUR password)

If you want to know more about access refusal and access denial, encryption and locking of the FAT tables, get from the web, and study, the (very well written) code of a virus called "Monkey", that does exactly this kind of devastation. Virus studying is, in general, very useful for cracking purposes, coz the virus' code is at times

-    very well written (pure, tight assembly)
-    using concealing techniques not much different from the protection schemes (often far superior)
-    using the most recent and best SMC (self modifying code) tricks

But, and this is very important, do not believe that the protection schemes are very complicated! Most of the time the protections used are incredibly ordinary: as a final example of our paper protection schemes, let's take a program released not long ago (1994), but with a ridiculous protection scheme: TOP (Tiger on the Prowl), a simulation from HPS. Here the cracking is straightforward:

-    MAP(memory_usage) and find main_sector
-    type "AAAA" as password
-    (s)earch main_sector:0 lffff "AAAA"
-    dump L80 "AAAA" location -40 (gives you a "wide" dump); this already gives you the "echo" of the correct password
-    breakpoint on memory read & write to "AAAA" location and backtrace the complete main_sector

it's done!
Here are the code lines that protect TOP:

     8A841C12  MOV  AL,[SI+121C]   move in AL first user letter
     3A840812  CMP  AL,[SI+1208]   compare with echo
     7402      JZ   go_ahead_nice_buyer
     EB13      JMP  beggar_off_ugly_cracker

Now let's quickly crack it:

------------------------------------------------
CRACKING TOP.EXE
ren top.exe top.ded
symdeb top.ded
-    s (cs+0000):0 Lffff 8A 84 1C 12 3A 84
xxxx:yyyy           (this is the answer of the debugger)
-    e xxxx:yyyy+2  08 (instead of 1C)
-    w
-    q
ren top.ded top.exe
-------------------------------------------------

And you changed the MOV AL,[SI+121C] instruction into a MOV AL,[SI+1208] instruction... it is now reading the ECHO instead of the characters you typed in... no wonder that the ECHO does compare exactly with itself... and you pass! (Check the byte you overwrite: the displacement 121C is stored little-endian as 1C 12, so the low byte at +2 is the one to change, and it is the only byte that differs between the two operands.)

"SOMETHING FISHY UNDER COVERS"

Back to the "passletter" type of password-protected programs. Let's take as an example the protection used in a game of 1990: "F19", where the protection scheme asks you to identify a particular plane's silhouette. This kind of protection is used in order to avoid the use of memory locations where the passwords are stored: we saw in the first part of our "passwords hands on" how easy it is to crack those schemes.

To crack this kind of protection, you could try a technique known as "memory snuffing". The protected program, START.EXE, installs itself first at location xxxx:0000 with a length of 6C62 bytes, but proceeds to a relocation of its modules (with some SMC, self modifying code, parts) in different locations. What does all this mean? Well, this could mean quite many things... the most important one for crackers is that the protection code will probably snap well ahead of the actual user input phase.

Now you'll quickly find out that the routine determining (randomly) which plane is being chosen leaves the progressive number of this plane in one memory location: (imc) 43CD:DADA. This brings us to the random triggering mechanism:

     E87FAF    CALL random_seed
     83C402    ADD  SP,02
     8946E8    MOV  [BP-18],AX     and ds:(BP-18) is the location
                                   you are looking for

Now, every time this random triggers, you get a different number (00-x14) in this location, corresponding to the different plane the user should choose. The random seed routine, evidently, comes back with the random seed in AX... what we now need is to zero it: the user will always have to choose the same plane, "plane 0", and he will have given the correct answer. Note how elegant all this is: we do not need to interfere with the whole mouse pointing routines, nor with the actual choosing of the planes... the random seed may choose whatever plane it wishes... the memory location for this choice will always report the (legitimate) choice of zero.

So, let's quickly crack this program:

---------------------------------------------------
CRACKING "F19" [START.EXE] (by +ORC, January 1996)
ren start.exe start.ded       <- let's have a dead file
symdeb start.ded              <- let's debug it
- s cs:0 lffff 83 C4 02 89 46 E8 <- search ADD SP,02
   xxxx:yyyy                     <- debugger's answer
- e xxxx:yyyy 58 [SPACE] 31 [SPACE] C0 [SPACE]
- w                           <- write the crack
- q                           <- back to the OS
ren start.ded start.exe       <- re-write the exe
----------------------------------------------------

You just transformed the instruction you searched for

     83C402    ADD  SP,+02

into the following sequence:

     58        POP  AX        <- respecting ADD SP,+02
     31C0      XOR  AX,AX     <- xoring to zero

(the POP AX instruction increments the stack pointer by 2, in order to respect the previous ADD SP,+02; the value popped into AX does not matter, since the XOR zeroes AX right after, and the three new bytes exactly fill the three bytes of the old instruction).

Well, nice. It's getting easier, isn't it? Now let's take as example a protection that has no "echo" in memory. (At the beginning this was a smart idea: "the cracker won't find the correct password, 'coz it's not there, ah!".) We'll now therefore crack one of the first programs that used this scheme: [Populous.exe], from Bullfrog.

[POPULOUS.EXE]

An old example of the protection scheme "password that is not a password" can be found in [Populous.exe], from Bullfrog. It's a very widespread program, and you'll surely be able to find a copy of it in order to follow this lesson. The program asks for the identification of a particular "shield", a combination of letters of various length: the memory location where the user password is stored is easily found, but there is (apparently) no "echo" of the correct password. You should be able, by now, to find by yourself the memory location where the user password is stored.
Set a breakpoint on memory read & write on this area, and you'll soon come to the following section of code:

     F7AE4EFF    IMUL WORD PTR [BP+FF4E]       <- IMUL with magic_Nø
     40          INC  AX
     3B460C      CMP  AX,[BP+0C]
     7509        JNZ  beggar_off_ugly_copier
     8B460C      MOV  AX,[BP+0C]
     A3822A      MOV  [2A82],AX
     E930FE      JMP  nice_buyer
     817E0C7017  CMP  WORD PTR [BP+0C],1770    <- beggar_off

I don't think that you need much more now... how do you prefer to crack this protection scheme? Would you choose to insert a MOV [BP+0C],AX and three NOPs (=6 bytes) after the IMUL instruction? Wouldn't you rather prefer the more elegant JMP to nice_buyer instruction in the place of the JNZ beggar_off? This solution has fewer NOPs (remember that newer protection schemes smell NOP patches!). Yeah, let's do it this way:

---------------------------------------------------
CRACKING [Populous.exe]
ren populous.exe populous.ded      <- let's have a dead file
symdeb populous.ded                <- let's debug it
-    s cs:0 lffff F7 AE 4E FF      <- the imul magic_Nø
xxxx:yyyy                          <- debugger's answer
-    e xxxx:yyyy+8  EB [SPACE] 03  <- JMP anyway
-    w                             <- modify ded
-    q                             <- back to the OS
ren populous.ded populous.exe      <- let's re-have the exe
----------------------------------------------------

Count the offset before you type it: IMUL is 4 bytes, INC AX 1 and CMP 3, so the JNZ (75 09) sits at +8 from the start of the searched pattern. EB 03 there jumps over the 3-byte MOV AX,[BP+0C], so that [2A82] receives the value computed by the IMUL/INC (the real key) instead of whatever you typed, and the code then falls into the JMP nice_buyer.

This time it was easy, wasn't it?

Now you are almost ready with this course... let's crack a last application, a memory utility that is very widespread, very good (the programmers at Clockwork Software are codemasters), very useful for our purposes (you'll use it later to crack a lot of TSRs) and, unfortunately for the Clockworkers, very easy to crack at the level you are now.

But, hey! Do not forget that you would have never done it without this tutorial, so do the following: look toward east from your window, sip a Martini-Wodka (two blocks of ice first, 1/3 dry Martini from Martini & Rossi, 1/3 Moskovskaia Wodka, 1/3 Schweppes Indian tonic) and say three times: Thank-you +ORC!

[MAP.EXE]

Let's now go over to one of the best TOOLS for mapping your memory usage that exist: MAP.EXE (version 2) from the masters at Clockwork Software. The usage of this tool has been recommended in Lesson 2, and you should learn how to crack it, coz it comes with an annoying nag-screen (the "Nigel" screen). In [Map.exe] this ubiquitous "Nigel" screen appears at random, waiting for a random amount of time before asking the user to press a key which varies every time and is also selected at random.

The use of a single letter -mostly encrypted with some XOR or SHR- as "password" makes finding the relevant locations with "snap compares" of memory much more difficult. But the crack technique is here pretty straightforward: just break in and have a good look around you.
The INT_16 routine for keyboard reading is called just after the loading of the nag screen. You'll quickly find the relative LODSB routine inside a routine that paints on screen the word "Press" and a box-edge after a given time delay:

     B95000         MOV  CX,0050
     2EFF366601     PUSH CS:[0166]
     07             POP  ES
     AC             LODSB
     ...

You could already eliminate the delay and you could already force always the same passletter, in order to temper the effects of the protection... but we crack deep!: let's do the job and track back the caller! The previous routine is called from the following section of the code:

     91             XCHG AX,CX
     6792           XCHG AX,DX
     28939193       SUB  [BP+DI+9391],DL
     2394AA94       AND  DX,[SI+94AA]
     2EC7064B880100 MOV  WORD PTR CS:[884B],0001
     2E803E5C0106   CMP  BYTE PTR CS:[015C],06
     7416           JZ   ret       <- Ha! jumping PUSHa & POPa!
     505351525756   PUSH the lot
     E882F3         CALL 8870
     2E3B064B88     CMP  AX,CS:[884B]
     7307           JAE  after RET <- Ha! Not taking the RET!
     5E5F5A595B58   POP  the lot
     C3             RET
     ...                                <- some more instructions
     E86700         CALL delay_user
     BE9195         MOV  SI,9591
     2E8B3E255C     MOV  DI,CS:[5C25]
     83EF16         SUB  DI,+16
     2E8A263D01     MOV  AH,CS:[013D]
     50             PUSH AX
     E892C7         CALL routine_LODSB  <-- HERE!
     B42C           MOV  AH,2C
     CD21           INT  21             <- get seconds in DH
     80E60F         AND  DH,0F
     80C641         ADD  DH,41
     58             POP  AX
     8AC6           MOV  AL,DH
     83EF04         SUB  DI,+4
     AB             STOSW
     E85A00         CALL INT_16_AH=01
     B400           MOV  AH,00
     CD16           INT  16
     24DF           AND  AL,DF     <- code user's letter_answer
     3AC6           CMP  AL,DH     <- pass_compare
     75F3           JNZ  CALL INT_16_AH=01
     E807F3         CALL go_ahead

(So much for the "random" key: DOS function 2C returns the seconds in DH, masking with 0F and adding 41 turns them into a letter from "A" to "P", that letter is written to the screen with the STOSW, and the keypress, uppercased by the AND AL,DF, is compared against it.)

You just need to look at these instructions to feel it: I think that unnecessary code segments (in this case protections) are somehow like little snakes moving under a cover: you cannot easily say what's exactly going on yet, but you could bet that there is something fishy going on. Look at the code preceding your LODSB routine call: you find two JUMPS there: a JZ ret, that leaves a lot of PUSHes and POPs aside, and a JAE after RET, that does not take the previous RET. If you did smell something here you are thoroughly right: the first JZ decides whether the NIGEL screen protection runs, and the second JAE does THE SAME THING (as usual, there are always redundancies, exactly as there are a lot of possibilities to disable a single protection). Now you know... you can disable this protection at different points, the two easiest blueprints being

1)   to change 7416 (JZ ret) into EB16 (JMP ret anyway)
2)   to change 7307 (JAE after ret) into 7306 (JAE ret).

(Both displacements check out against the listing: counted from the byte after the JZ, 16h = 22 bytes of PUSHes, CALL, CMP, JAE and POPs land exactly on the C3; counted from the byte after the JAE, 07 skips the six POPs and the RET, while 06 stops on the RET.)

We have not terminated yet: if you try locating this part of the code in order to change it, you won't have any luck: it's a SMC (Self modifying code) part: it is loaded -partly- from other sections of the code (here without any encryption). You must therefore first of all set a breakpoint on memory range; find out the LODSB routine; find out the real area; dump that memory region; find out a search sequence for the "dead" code... and finally modify the "dead" program.

Now let's quickly crack it:

------------------------------------------------
CRACKING MAP.EXE (version 2)
ren map.exe map.ded
symdeb map.ded
-    s (cs+0000):0 Lffff 74 16 50 53 51 52 57
xxxx:yyyy           <- this is the debugger's answer
-    e xxxx:yyyy    EB
-    w
-    q
ren map.ded map.exe
-------------------------------------------------

Now you have done it, NIGEL has been cracked!
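The four symdeb sessions of this lesson (TOP, F19, POPULOUS, MAP) all have the same shape: search a byte pattern, edit a few bytes at hit+offset, write. The Python below is an added example, not +ORC's code and not part of any of the programs named here: it expresses the four cracks as search/offset/patch rules and applies them with the two checks you want before typing "w" (the pattern is found exactly once, and the patch overwrites without growing the code), and it computes where a short jump lands, which is how the +8 of the Populous session and the 16h/07 displacements of MAP can be verified. The IMAGES are constructed byte strings holding only the opcodes quoted in the listings, padded with NOPs, so nothing else about the real executables is assumed; patch_file shows the assumed usage on a real dead file and is not exercised on the constructed images.

```python
"""Dead-file patcher for the four symdeb sessions of this lesson.

Added example: not +ORC's code and not part of TOP, F19, POPULOUS or MAP.
The IMAGES below are constructed byte strings that hold only the opcode
bytes quoted in the lesson, padded with NOPs, so the script runs offline.
"""
from dataclasses import dataclass
from typing import Dict

NOP = b"\x90"


@dataclass(frozen=True)
class Crack:
    name: str
    search: bytes   # what you give to  s cs:0 lffff ...
    offset: int     # the +n of  e xxxx:yyyy+n
    patch: bytes    # the bytes you type there (same length as what they replace)
    why: str


CRACKS = [
    Crack("TOP.EXE", bytes.fromhex("8A841C123A84"), 2, bytes.fromhex("08"),
          "MOV AL,[SI+121C] -> MOV AL,[SI+1208]: the echo is compared with itself"),
    Crack("F19 START.EXE", bytes.fromhex("83C4028946E8"), 0, bytes.fromhex("5831C0"),
          "ADD SP,+02 -> POP AX / XOR AX,AX: the plane number is always 0"),
    Crack("POPULOUS.EXE", bytes.fromhex("F7AE4EFF"), 8, bytes.fromhex("EB03"),
          "JNZ beggar_off -> JMP +03: skip MOV AX,[BP+0C], keep the computed key"),
    Crack("MAP.EXE v2", bytes.fromhex("7416505351525756"), 0, bytes.fromhex("EB"),
          "JZ ret -> JMP ret: return before the Nigel screen is called"),
]

# Constructed stand-ins for the .ded files: the listed instructions only.
IMAGES: Dict[str, bytes] = {
    "TOP.EXE": NOP * 16 + bytes.fromhex("8A841C12 3A840812 7402 EB13") + NOP * 16,
    "F19 START.EXE": NOP * 16 + bytes.fromhex("E87FAF 83C402 8946E8") + NOP * 16,
    "POPULOUS.EXE": NOP * 16 + bytes.fromhex(
        "F7AE4EFF 40 3B460C 7509 8B460C A3822A E930FE 817E0C7017") + NOP * 16,
    "MAP.EXE v2": NOP * 16 + bytes.fromhex(
        "7416 505351525756 E882F3 2E3B064B88 7307 5E5F5A595B58 C3") + NOP * 16,
}


def find_unique(image: bytes, pattern: bytes) -> int:
    """symdeb's s prints every hit; patch only when there is exactly one.
    A second hit means the pattern is too short (or you have another version)."""
    hit = image.find(pattern)
    if hit < 0:
        raise ValueError("pattern not found: other version, or packed/SMC code")
    if image.find(pattern, hit + 1) >= 0:
        raise ValueError("pattern not unique: lengthen it before patching")
    return hit


def apply_crack(image: bytes, crack: Crack) -> bytes:
    """The s / e / w sequence on a byte string: overwrite in place, never insert,
    so every later address in the file stays where the code expects it."""
    at = find_unique(image, crack.search) + crack.offset
    end = at + len(crack.patch)
    if end > len(image):
        raise ValueError("patch runs past the end of the image")
    patched = bytearray(image)
    patched[at:end] = crack.patch
    return bytes(patched)


def short_jump_target(image: bytes, at: int) -> int:
    """Offset reached by the two-byte jump at `at` (7x = Jcc, EB = JMP short).
    rel8 is signed and counted from the next instruction, i.e. from at + 2."""
    opcode, rel = image[at], image[at + 1]
    if opcode != 0xEB and not 0x70 <= opcode <= 0x7F:
        raise ValueError(f"no short jump at +{at:X}: opcode {opcode:02X}")
    return at + 2 + (rel - 0x100 if rel >= 0x80 else rel)


def crack_all() -> Dict[str, bytes]:
    """Apply every rule to its constructed image."""
    return {c.name: apply_crack(IMAGES[c.name], c) for c in CRACKS}


def patch_file(path: str, crack: Crack) -> None:
    """Same thing on a real dead file (assumed usage: ren it first, like +ORC does)."""
    with open(path, "rb") as f:
        image = f.read()
    with open(path, "wb") as f:
        f.write(apply_crack(image, crack))


if __name__ == "__main__":
    for c in CRACKS:
        before, after = IMAGES[c.name], apply_crack(IMAGES[c.name], c)
        at = find_unique(before, c.search) + c.offset
        print(f"{c.name:14} +{at:02X}: {before[at:at + len(c.patch)].hex()}"
              f" -> {after[at:at + len(c.patch)].hex()}   {c.why}")
    # the arithmetic behind the Populous +8: where does the original JNZ go?
    pop = IMAGES["POPULOUS.EXE"]
    print("Populous JNZ lands on opcode", hex(pop[short_jump_target(pop, 16 + 8)]),
          "= CMP WORD PTR [BP+0C],1770 (beggar_off)")
```

The uniqueness check is the one symdeb does not do for you: "s" happily prints three hits and the lesson's sessions assume there is only one. Lengthen the search bytes until find_unique stops complaining, and keep every patch the same length as the bytes it replaces, exactly as the POP AX / XOR AX,AX pair replaces the three bytes of ADD SP,+02.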