SB (4) – Cracking Float Point

By +Jonathan

2002-8-8

 

Many crackers are not familiar with floating point, which is one of the ways a computer handles numeric data, so as a teacher I have to teach it to you guys~~~ Today our target is………

 

Name: MakeCDRom v4.31

Download: www.makecdrom.com

Price: $19.95

By: Killer Software LLC

 

Usually we have two ways to reverse engineer a program: (1) the live approach (SOFT-ICE) and (2) dead listing (W32Dasm). You can use either way, or you can use both of them (which is a nice approach for a beginner).

 

Now open MakeCDRom.exe and enter 12345678 as the SN (Serial Number). You might see the following:

<< Picture (1) >>

Nice. Let's fire up W32Dasm CS please~~ Open the string data references:

Double click on the string and here is the snippet:

:00476806 E88952F9FF        call 0040BA94
:0047680B 6A00              push 00000000
:0047680D 668B0D4C694700    mov cx, word ptr [0047694C]
:00476814 B202              mov dl, 02

* Possible StringData Ref from Code Obj ->"MakeCDROM is now Registered.  "
                                        ->"Thank you for your support."

:00476816 B858694700        mov eax, 00476958
:0047681B E8C4A4FDFF        call 00450CE4
:00476820 EB1A              jmp 0047683C
:00476822 E86D52F9FF        call 0040BA94
:00476827 6A00              push 00000000
:00476829 668B0D4C694700    mov cx, word ptr [0047694C]
:00476830 B201              mov dl, 01

* Possible StringData Ref from Code Obj ->"Incorrect code.  Please try again."

:00476832 B89C694700        mov eax, 0047699C
:00476837 E8A8A4FDFF        call 00450CE4

Now, is the nearest CALL, the one at 476806, important?

Actually I told you to look at the nearest "call" if and only if there is a "test" or "cmp" right after the call!!!

Therefore the "call" at 476806 IS NOT important. But if you scroll up you will see something interesting:

* Possible StringData Ref from Code Obj ->"Enter the code to register."

:00476707 BA74684700        mov edx, 00476874

* Possible StringData Ref from Code Obj ->"Input registration code"

:0047670C B898684700        mov eax, 00476898
:00476711 E89AA9FDFF        call 004510B0                      *Tell the user to enter the SN*
:00476716 837DFC00          cmp dword ptr [ebp-04], 00000000   *Did you type a code?*
:0047671A 0F841C010000      je 0047683C                        *Jump if you didn't type anything*
:00476720 8D55F8            lea edx, dword ptr [ebp-08]
:00476723 8B45FC            mov eax, dword ptr [ebp-04]
:00476726 E84DC5F8FF        call 00402C78
:0047672B 8BD0              mov edx, eax
:0047672D 8955F4            mov dword ptr [ebp-0C], edx
:00476730 DB45F4            fild dword ptr [ebp-0C]            *Load your SN*
:00476733 DB2DB0684700      fld tbyte ptr [004768B0]           *Load the REAL SN*
:00476739 DED9              fcompp                             *Floating-point compare*
:0047673B DFE0              fstsw ax
:0047673D 9E                sahf
:0047673E 0F85DE000000      jne 00476822

* Possible StringData Ref from Code Obj ->"makecdrom.ini"      *Write your correct SN into the ".ini" file*

:00476744 B9C4684700        mov ecx, 004768C4
:00476749 B201              mov dl, 01
:0047674B A1CC434500        mov eax, dword ptr [004543CC]
:00476750 E81FDDFDFF        call 00454474

*OK* The program first checks whether you entered an SN at all. If you did not enter ANY number, you are immediately kicked out and shown Picture (1). Then the program loads your SN and the real SN. If your SN = real SN, it will not jump. After that it writes the SN you typed into the .ini file, which is located at c:\windows\makecdrom.ini, and whenever it starts it compares the SN in the .ini file with the real SN AGAIN!! Therefore the best way is to find the real SN. Now please write down the EIP: 00476716
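To make the x87 part of that check concrete, here is an added example (my code, not the tutorial's and not MakeCDRom's) that stores a number the way a tbyte constant sits in the binary, reads it back exactly, and models what fcompp / fstsw ax / sahf leave in ZF for the jne. It assumes the constant at 004768B0 holds exactly the code 521702469 given at the end of the tutorial; the function names are mine.

```python
from fractions import Fraction

EXP_BIAS = 16383   # exponent bias of the x87 80-bit extended format
MANT_BITS = 64     # 1 explicit integer bit + 63 fraction bits

def encode_tbyte(value: int) -> bytes:
    """Store an integer as the 10-byte (tbyte) little-endian constant that
    'fld tbyte ptr [...]' reads. Any integer below 2**64 is exact."""
    if value == 0:
        return bytes(10)
    sign, mag = (1 if value < 0 else 0), abs(value)
    exp = mag.bit_length() - 1                   # unbiased exponent = position of leading 1
    mantissa = mag << (MANT_BITS - 1 - exp)      # left-justify: bit 63 is the integer bit
    exp_word = (sign << 15) | (exp + EXP_BIAS)
    return mantissa.to_bytes(8, "little") + exp_word.to_bytes(2, "little")

def decode_tbyte(raw: bytes) -> Fraction:
    """Read a tbyte back as an exact rational, the value that lands in ST(0)."""
    mantissa = int.from_bytes(raw[:8], "little")
    exp_word = int.from_bytes(raw[8:10], "little")
    sign, exp = exp_word >> 15, exp_word & 0x7FFF
    if exp == 0 and mantissa == 0:
        return Fraction(0)
    value = Fraction(mantissa) * Fraction(2) ** (exp - EXP_BIAS - (MANT_BITS - 1))
    return -value if sign else value

def fcompp_flags(st0, st1) -> dict:
    """Model 'fcompp; fstsw ax; sahf': C3/C2/C0 of the FPU status word become ZF/PF/CF."""
    if st0 > st1:
        c3, c2, c0 = 0, 0, 0
    elif st0 < st1:
        c3, c2, c0 = 0, 0, 1
    else:                                        # equal (unordered cannot occur for integers)
        c3, c2, c0 = 1, 0, 0
    return {"ZF": c3, "PF": c2, "CF": c0}

def serial_check(typed: int, real_tbyte: bytes) -> bool:
    """The listing's logic: fild puts the typed value in ST(0); fld tbyte pushes the real SN
    on top, so real = ST(0), typed = ST(1). Returns True when 'jne 00476822' is NOT taken."""
    st1 = Fraction(typed)                        # fild dword ptr [ebp-0C], exact for 32-bit ints
    st0 = decode_tbyte(real_tbyte)               # fld tbyte ptr [004768B0]
    return fcompp_flags(st0, st1)["ZF"] == 1     # jne jumps only when ZF == 0

if __name__ == "__main__":
    # Constructed constant: the tutorial's code 521702469, stored as the binary is assumed to.
    real = encode_tbyte(521702469)
    print(real.hex(), serial_check(12345678, real), serial_check(521702469, real))
```

Because the 64-bit mantissa holds every 32-bit integer exactly, the FPU compare here is an exact equality test against a plaintext constant, which is why the value shows up unchanged in the FPU stack window.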

 

*OK again* Type 12345678 and don't press the [OK] button yet.

(1) Ctrl + D calls SOFT-ICE out.

(2) BPX getwindowtexta -> doesn't work~~~~ so use BPX getwindowtextw (now press the OK button). It breaks, how nice!!

(3) Do BC* (clear the breakpoints).

(4) bpx 00476716

(5) Press F5 to run.

(6) Type the SN again and press [OK].

Now it breaks at the place we want ---- 00476716

**Notice** You CANNOT do a bpx 00476716 in the first place, since SOFT-ICE has to be inside the program first. You get inside the program through the API function GetWindowText (you should be very familiar with this function). Once you are inside, you can simply do a BC* (clear the GetWindowText breakpoint).

 

We know that MakeCDRom uses floating point to handle the numeric SN because we see many instructions beginning with F (fild, fld, fcompp, fstsw); hence, do a "WF" inside SoftICE, which opens the Float-Point window.

When you step onto the instruction:

:00476739 DED9              fcompp

you will see some data inside the Float-Point window:

ST1= 521702469

ST2= 12345678

Yes, there is the code!! Finally, you got it!!

 

Name:  MakeCDRom  v4.31

Code:   521702469