
View Full Version : Good newbie target...


cHeCksUm
August 31st, 2002, 22:18
Well I worked on another good target for newbies (maybe too simple for anyone but the utmost newbie). The program in question is Filescavenger 2.0c. I cracked it in two ways so far. First a simple byte patch and then by simply getting the valid serial. I am also pretty sure I have the whole generate key routine so that it can be keygenned, however I do not have the skills to keygen it .... yet (that's why I am studying C). That is my next aim. If anyone else wants to look at it I would be glad to help if you get stuck.

// cHeCksUm

#FadE
September 2nd, 2002, 16:54
Well I'm the utmost newbie (been learning about 3 days now). I know some basic asm, how to use W32Dasm, SoftICE etc. I then read this and thought I may as well give it a shot. I disassembled it and looked through the string refs but that's as far as I've really got. I can see a lot of strings that could lead to something but I'm not sure which one would do what. I used knowledge from another tut and just tried NOPing out a je but Hiew wouldn't let me change it because it's read-only.

Could you guide me in the right direction please?

#FadE
September 2nd, 2002, 18:52
Well since I posted I got a bit further.

I got Hiew working properly now.
I also found the Invalid License code string. This however only has a bit of code associated with it, no jumps. Just:

* Possible StringData Ref from Data Obj ->"Invalid license code."
|
:0040FAB5 6800264600 push 00462600
:0040FABA B9F8884600 mov ecx, 004688F8
:0040FABF E819980200 call 004392DD

From there I followed the call to 004392E7. There was a jne there so I've tried changing that to je but it didn't seem to work. The program ran but with blank spaces in various places. Also with that jne changed to je, the Invalid License Code box is now a blank box with no text in lol. Think I went down the wrong path there.

serkul
September 2nd, 2002, 19:18
I didn't try it, but I assume you have to look before the string reference you found.

because at this point you are likely to be already in the "bad guys area".

cHeCksUm
September 3rd, 2002, 06:16
I will post some help as soon as I get into work.

// cHeCksUm

cHeCksUm
September 3rd, 2002, 07:52
Now I'm at work.... so this is what I did. I loaded up the app in OllyDebug and set a breakpoint just before I entered a code (hint: use the following form: 5-4-5-5-5 [i.e. # of digits between "-"]). Then when I pressed OK. Bang, I am in the code... now simply trace over until you get the pesky "Invalid Serial" box. Now just examine the code above and you should, providing you keep a close eye on the code, be able to pretty much figure out where to patch (hint: much easier not to patch actually). If you need more help just holler.

// cHeCksUm

NE1
September 3rd, 2002, 13:19
Fade,
You do not need to change instructions to NOPs or change JNEs to JEs, etc. That usually would be your last step when you are sure you found the right place to patch, and only if you know what you are actually changing (i.e. changing one instruction does not always only affect that one instruction). Instead you should set your breakpoint in SoftICE on the jump you want to test and then just toggle the flag that is being used for the test (type "r fl z" in SoftICE for the zero flag (without the quotes)), then exit SoftICE and see if you got the result that you expected. When you do finally find the right jump, etc, I also would not change the jump instruction, but instead the comparison instruction (depending on the case), so that the comparison always gives the result you want (this way it works all the time, whereas changing the jump instruction would make it fail when the right serial is used, etc.).

Example:
84C0 test al, al
0F8477010000 je 0044C275 ;jump if bad serial

The TEST instruction ANDs the values and sets flags based on the result. As it is ANDing a register with itself there are only 2 possible results:
0 and 0 = 0 or
1 and 1 = 1
What we want here is to never take the jump (the jump is basically, jump if the result is zero), so we need the result to always be 1 and not zero.
So if we change the code to this:
0C01 or al, 1
0F8477010000 je 0044C275 ;jump if bad serial

The possible results are this:
0 or 1 = 1 or
1 or 1 = 1
Thus always resulting in 1, and never taking the jump.
In addition to this, the OR instruction takes this form:
or dest, source ;dest := dest or source
Thus the destination register is assigned the result of the OR comparison, and in this case is set to 1 as it should be (as it would be if the correct serial was entered).

Anyway, that is just an example...

When dealing with easier protections, your best bet is to try and see where the serial number you entered is compared with the real serial number (if there is such a comparison being done, i.e. easy protections), then you do not have to patch the software at all, as you will always know where to find the correct serial number to use for whatever name you use (and then you are on your way to making your first keygen).

Manko
September 3rd, 2002, 15:24
Quote:
Originally posted by cHeCksUm
use the following form: 5-4-5-5-5 [i.e. # of digits between "-"]).

// cHeCksUm


5-4-5-5-4 was right on my machine....

/Manko

#FadE
September 3rd, 2002, 16:37
Okay, thanks to cHeCksUm and NE1. I didn't realise that I should be using SoftICE to crack this app, I was just browsing through code in W32Dasm and Hiew and modifying some jes and cmps. I should be able to do it from here, thanks for the help.

#FadE
September 3rd, 2002, 19:46
Hmm, I got filescav.exe open in Ollydbg but I'm not sure where to place the breakpoint. Bear with me as I'm still learning debuggers.

Would you find the serial code or just run the app, type the serial then breakpoint so it traces...

The only thing I don't get is the interaction with debuggers and programs. Do you run the debugger first, set BPs then run the program or vice versa??

cHeCksUm
September 3rd, 2002, 20:00
@ NE1
>>You do need need to change instructions to NOP's or change >>JNE's to JE's, etc

No I do not agree with that as the correct serial can be found (easily) thus rendering a patch useless, as you suggest later on as well.

@ NE1:
>>I also would not change the jump instruction, but instead the >>compaison instruction (depending on the case), >>so that the comparison always gives the result you want (this way it works all the time, whereas changing >>the jump instruction, would make it fail when the right serial is used, etc.).

I do not agree completely with the above. What if you change a JNE or JE to a JMP or NOP? Then this will always work no matter if you enter a correct serial or not. However I do agree that it could be better in certain circumstances. For example if the program has multiple checks and uses the value for multiple other things. Then changing the compare so that the value always ended up as TRUE/FALSE would be preferable. I like to patch as little as possible.

@ Manko

Ooops... Careless of me.... I thought (or rather didn't think) that it was 5-4-5-5-5 for all systems. One should be careful what one says so as not to mislead the seeker of the advice.... my bad.

@#FadE

SoftICE or OllyDebug. Whichever you prefer. I find OllyDebug nicer to work with as it has a better "overview" of all the data. However I would suppose more experienced crackers would appreciate SoftICE more as it seems more resilient and stable (by resilient I am referring to the problems with breakpoint checks I had with OllyDebug in a previous crack exercise). Just holler if you need more help.

// cHeCksUm

cHeCksUm
September 3rd, 2002, 20:22
You need to set the breakpoint before you click on the OK button. However some programs you can break on by just typing the number... so no need to press OK. If you set it before you start the application you will get tons of breaks as the program runs... and you're not interested in those (now anyhow). In every case though you need to first set the breakpoint. Some more useful tips are:

To set a breakpoint in OllyDebug on a certain instruction simply highlight that instruction in the code view screen (ALT-C) and press F2. To highlight an import (MessageBoxA, GetDlgItemTextA, HMEMCPY etc.) press CTRL-N when you have opened the program in OllyDebug and are on the code view screen. To later enable or disable certain breakpoints go to the breakpoint window (ALT-B) and right click on the breakpoints (or simply press space).

There are several "good" functions to break on when searching for serials. The above are just three examples. You really need to read some more tutorials on cracking and you'll quickly learn when and what to use.

When you break on a function you need to understand somewhat what it is doing. For example if you break on a string compare function you might land in/near the serial itself and might not need to trace so far. If you set one on, for example, MessageBoxA you will most likely need to trace to and through the first RET so as to land closer to the good/bad boy JMPs or compares etc. This I find is one of the harder parts of cracking (except for understanding what the assembly lang. is telling you) as sometimes you do not fully understand why or when a certain function is called. Hope this helps you some more. Good luck cracking.

// cHeCKsUm

NE1
September 3rd, 2002, 22:25
cHeCksUm,
Ooops, that is supposed to read:
You do NOT need to change instructions to NOP's or change JNE's to JE's, etc

I will edit it, and correct it, so as not to confuse people.

As for changing the comparison routine, as I said, it depends on the specific case. As for NOPs, yes they do work, as long as you know how to use them correctly. In my example: I exchanged a 2 byte instruction with a 2 byte instruction, and therefore no other lines of code are affected. That seems better to me than changing a 6 byte conditional jump to a 1 byte NOP (or 6 NOPs).
I guess as long as you know what you are doing, it does not make that much of a difference. I mainly wanted to offer another option, as most tutorials just tell you to NOP away, and often don't even bother to explain to you how to do this, and what effects it might have on the rest of the code. With tools like Ollydbg (which wasn't around when I first started learning this stuff), which fills the NOPs for you, it is not as bad as it used to be (i.e. doing it inside SoftICE, when you are still learning and are not completely sure of the consequences of changing the instruction to a NOP, and then watching all the lines below change, and then the program crashes, and you don't know what you did wrong, etc, etc). Anyway, you make a good point as well, and all options should be considered, and any one of them can be better than another depending on the situation.

FADE
Ollydbg is fine. I only mentioned SoftICE because you mentioned it in your first post.
Quote:
I know some basic asm, how to use W32Dasm, SoftICE etc.

th_snake
September 5th, 2002, 16:54
Hi
At first I couldn't believe it, but I keygened some by myself.
The tutorials I used were written by ShAdE, and can be found at my site, in the "Shades memorial section". All needed tools are there as well.
Also, all the keygens at my site include all the resources etc. needed to get the idea. You can see the original asm code from the program plus the changes I've made.


Can be found here (http://snakepage.cjb.net)


Download the tuts, learn them, do the examples, and you're almost there.

You can do it

cHeCksUm
September 6th, 2002, 14:30
OK... thanks for the tip. I'll have a look at it later as at the moment I have enough new stuff to learn. Also I am learning to code C properly (need some new *nix stuff so why not code it myself...).

// cHeCksUm