Win Code Reversing

Program Details
Program Name: pro.exe
Program Type: Web Robot
Program Location: HERE
Program Size: 1.6 meg

Softice V3.2 - Debugger

There is a crack, a crack in everything. That's how the light gets in. |
Cracking Teleport Pro v1.28
Written by KLee8084
Teleport Pro is a very useful program.
You feed it a url to start from and it will crawl over that site and any
other sites that are linked to it, retrieving files (of the type that you
specify) or the names of files. Officially it is classified as an offline
browser, but it is great for searching for that special program that you
just KNOW is to be found at a particular url. How about inputting the url
of a warez site?
This program calculates a registration code based on the user name that
you enter.
Enter your Name, Company, and fake Registration Code (if you need to access the registration window, click on Help and then click on Register...).
Press CTRL-D to go into Softice.
Now, we want to set a breakpoint. Let's try bpx GetWindowTextA (that is what the program uses, actually).
Type X to return to the program.
Click on "OK".
Bang! We are now in Softice at the start of USER32!GetWindowTextA.
Since the program is going to get the text 3 times (Name, Company, and Registration Code), we want to do this:
Type X
Type X
Press F11 to step out of the function call.
Type bc * to kill your breakpoints, as they will no longer be needed.
We should now be at the instruction following the call to USER32!GetWindowTextA.
:00449D80  CALL [USER32!GetWindowTextA]   <- get what is in the Registration Code text box
:00449D86  MOV ECX, [EBP+10]              <- fake registration code
:00449D89  PUSH FF
:00449D8B  CALL 004430CA
:00449D90  JMP 00449D9D
F10 over the call at 00449D8B (you can F8 into it, but it is not very interesting).
F10 until:
:004246D2 PUSH DWORD PTR [ESI+000000DD]
If you type d esi+dd you'll see this in your data window:
:006FFA2D 1C 2B D3 00 50 41 00 .....
The first four bytes (1C 2B D3 00) are a 32-bit pointer stored little-endian, least significant byte first. Read them in reverse to get the address 00D32B1C and type:
d D32B1C
Ahhh...your fake registration code.
Below this PUSH instruction you'll find:
:004246D8  CALL 0042A960
:004246DD  MOV EBP, EAX
:004246DF  MOV EAX, [00484C5C]
:004246E4  ADD ESP, 0C
:004246E7  CMP [EAX+0000029F], BL
:004246ED  JZ 0042482A
Doesn't look very interesting, does it? No dramatic test of EAX right after the call, etc...
This call, therefore, most likely does not check the fake registration code against the real registration code.
F10 over the call at 004246D8.
Just out of curiosity, check out EAX by typing ? EAX
Look at the decimal value of EAX. Ahhh....the fake registration code. This call did nothing more than turn the text you typed into a number, and the MOV EBP, EAX that follows saves that number in EBP.
F10 until:
:004246F3 CMP EBP, EBX
If you type ? EBP you'll see that it holds the hex value of the fake registration code. EBX holds zero, so this is only a check that you typed something non-zero.
F10 some more until:
:004246FC PUSH DWORD PTR [ESI+000000D5]
If you check the value at this location (00D32AEC), you'll see the name that you had entered. So, the next instruction:
:00424702 CALL 00424FAF
must do something with your name, eh? Perhaps it calculates the real registration code?
Right after the call at 00424702 is something very interesting: a CMP instruction.
:00424707 CMP EBP, EAX
F10 until you reach this CMP instruction (:00424707).
If you type ? EBP you'll see that it holds
the hex value of your fake registration code.
Notice that EBP is being compared with EAX. I
wonder what EAX holds?
Type ? EAX
See the decimal value of EAX? Write it down. That's the real registration code.
Type X to return to the program.
Now, click on "OK" (nasty message box!).
Ready? Enter in the number that you had written
down and click on "OK".
Congratulations!
Program cracked.
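To let you try the same heuristic on a binary you can build yourself, here is an added example that is not part of the original essay: a small C program with the same shape as the code path traced above (text in the code box becomes a number, a second routine derives a number from the name, then a CMP decides). The derive_code_from_name() routine is a placeholder of my own and is NOT Teleport Pro's algorithm, which the essay never extracts; the name and the dump bytes are constructed input. It also shows the little-endian pointer decoding used at the d esi+dd step.

```c
/* Added example, not from the original essay: a model of the check the
 * essay traces, so "watch the CMP after the call and read the registers
 * in decimal" can be practised on a binary you build yourself.
 * derive_code_from_name() is a placeholder; it is NOT Teleport Pro's
 * algorithm.  Build and run:  cc -Wall -o regcheck regcheck.c && ./regcheck */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Softice's data window shows memory byte by byte.  A 32-bit pointer is
 * stored little-endian, so the bytes "1C 2B D3 00" found at ESI+DD are
 * the address 00D32B1C: read the bytes in reverse. */
uint32_t le32(const unsigned char *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Stand-in for the routine at 00424FAF, which turns the name into a
 * number.  Hypothetical: any deterministic function of the name works
 * for the exercise.  Kept below 10^8 so it looks like an 8-digit code. */
uint32_t derive_code_from_name(const char *name)
{
    uint32_t h = 0;
    for (; *name != '\0'; name++)
        h = h * 31u + (unsigned char)*name;
    return h % 100000000u;
}

/* Same shape as the code path the essay steps through:
 *   CALL 0042A960   text in the code box -> number   (EAX, saved in EBP)
 *   CALL 00424FAF   name -> number                    (EAX)
 *   CMP  EBP, EAX   the decision
 * Returns 1 when the typed code matches, 0 otherwise. */
int check_registration(const char *name, const char *code_text)
{
    uint32_t typed = (uint32_t)strtoul(code_text, NULL, 10); /* EBP */
    uint32_t real  = derive_code_from_name(name);            /* EAX */
    return typed == real;                                    /* CMP EBP, EAX */
}

/* What the essay does by hand: take the decimal value seen in EAX at the
 * CMP, type it back in, and confirm the check now accepts it. */
int reenter_real_code(const char *name)
{
    char buf[16];
    snprintf(buf, sizeof buf, "%u", derive_code_from_name(name));
    return check_registration(name, buf);
}

int main(void)
{
    /* Constructed dump bytes, as on the essay's data-window line. */
    const unsigned char dump[] = { 0x1C, 0x2B, 0xD3, 0x00 };
    const char *name = "KLee8084";   /* constructed example input */

    printf("pointer stored at ESI+DD: %08X\n", le32(dump));
    printf("fake code 12345678 accepted: %d\n",
           check_registration(name, "12345678"));
    printf("EAX at the CMP (decimal): %u\n", derive_code_from_name(name));
    printf("that code re-entered, accepted: %d\n", reenter_real_code(name));
    return 0;
}
```

Set a breakpoint on the conversion (strtoul) in a debugger, return to the caller, and you will find the same pattern as in Teleport Pro: a value in one register, a call that fills another, and the compare that decides.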
None.
This essay is meant to show a little of how to use intuition when reverse-engineering a program. If there are no tests or compares right after a call, chances are that the call was not critical to your cracking. If, however, there IS a test or compare, it might be wise to step into the call. It might be wise, too, to periodically check the decimal values that the registers hold, since a registration code typed as digits shows up in a register as that same number. When I first tried to crack this program as a newbie, I failed to check the values of EAX and EBP. Needless to say, I wasn't able to crack it.
This is an excellent program to use when searching for an app or web
page. Very easy to mirror a web site to your hard drive. The company that
created this program deserves to be paid for it.
My thanks and gratitude go to:
Fravia+ for providing possibly the greatest source of Reverse Engineering knowledge on the Web.
+ORC for showing me the light at the end of the tunnel.
Do I really have to remind you all that buying, and NOT stealing, the software you use will ensure that these software houses continue to produce even *better* software for us to use and, more importantly, continue offering even more challenges in breaking their often weak protection systems?
If you're looking for cracks or serial numbers on these pages then you're wasting your time; try searching elsewhere on the Web under Warez, Cracks etc.