L0phtCrack 2.52 - Cracking tutorial by Goatass

L0phtCrack 2.52 for Win95/NT  -  Cracking Tutorial by Goatass
--------------------------------------------------------------
  BEGINNER (X) - NEWBIE () - INTERMEDIATE () - ADVANCED ()


	First off, L0phat Heavy Industries is one of the best
hacking groups out there today along with some others that release
some of the best hacking/security tools. I am a newbie but I will
do my best to teach you how to crack L0phtCrack 2.52 which is the
latest NT password cracking tool.


About this protection:
-----------------------
This is a very simple time trial/serial number protection. An unlock
code gets compared with a pre-assigned serial number.  I was very
surprised to find out that such a great hacking group didn't bother
to protect their trademark tool very well. They are selling it for $100.

Ok well lets get going with the crack.



What you will need:
--------------------

- L0phtCrack 2.52    (http://www.l0pht.com/l0phtcrack/)

- SoftIce

- your eyes



The crack:
-----------

This is a memory echo crack which should be very easy for all newbies.
First off, make a backup of l0phtcrack.exe incase you screw something up.
Run the program and you should see a nag screen showing you how many days
you have left (15 days total) and there is also a "Register" button. 
Click the "Register" button and you should see a dialog box with a 
grayed out box with the pre-assigned serial number and below it there 
will be a box for your unlock code.  The unlock code is alphnumeric but
that doesn't matter right now. Go ahead and put any number you like, I 
used 12345678 for my unlock code.

Now go into SoftIce (CTRL+D) and set a breakpoint on GetWindowTextA
(BPX GetWindowTextA). The approach here is to break right after the
program reads your unlock code and then uses it along with the 
pre-assigned serial number to generate and compare the good unlock code.
Now get out of SoftIce (X) and click the OK button. SoftIce breaks, 
press F11 to return to the calling function, that read in the 
pre-assigned serial number. Now press F5 to read your unlock code, 
SoftIce breaks a second time, press F11 again and now you are in the
program's code. Trace through the code until you get to this part:

:406345	MOV	EAX, [EBX]         <-- if you type D EAX you will see 
				       the code you entered.
:406347	LEA	ECX, [ESP+1C]      <-- here is the unlock code,  D ECX
				       to see it.

If you dump ECX you will see two 8 digit alphanumeric strings they are
both the correct unlock codes. Why two ? you'll see in a second.

Next we see the program PUSHing EAX and ECX onto the stack then comes
the CALL to compare the codes.


:40634D	CALL	00426260           <-- this is where the program compares
				       your number and the first unlock
				       code. Since you entered a wrong 
				       code the CALL will return with 
				       EAX=FFFFFFFF (-01), if the code 
				       you entered was correct it would
				       return with EAX=00000000
:406355	TEST	EAX, EAX	   <-- checks to see what the CALL returned,
				       if the code is good or not.
:406357	JZ	004063A2	   <-- if the CALL returned 00, good code,
				       jump to "Thank You"

Now the program gives you another try and does the exact same thing as
above with the second code.

:406359	MOV	EAX, [EBX]	   <-- here is your the code you entered
:40635B	LEA	EDX, [ESP+2C]      <-- and here is the second unlock code,
 				       type D EDX to see the 2nd code
....
:406361	CALL	00426260	   <-- here is that same call for comparing
				       the codes, same as before the 
				       program will return EAX=FFFFFFFF (-01)
....

I skipped some code here that does the same as above with the TEST and 
JZ. Since the code you entered was wrong the program proceeds to the 
nag screen:

:406376	CALL	0045666B           <-- this is the call to display the nag
			               screen.

Now you can get out of SoftIce and try your new unlock code and you'll 
be registered.

There are a few ways of going about cracking this program, the easiest
would be what I have described above but if you want you can force the
jump at 406357 by changing it from JZ to JMP but why screw with the code
if you don't have to.

Another way is to use the program to create a small KeyGen. By changing
one of the two PUSHes before the CALL to the nag screen at 406361 and
making it display the correct code,  PUSH [ESP+1C] or PUSH [ESP+2C].



The End:
---------

That's all for this tutorial I hope I helped you better understand the
memory echo concept. This was a very easy crack but keep in mind that 
many other programs use the same way for protection.

I just want to say THANK YOU to my mentor zip for getting me started 
with cracking. Also great thanks goes out to EDiSON, +ORC, Fravia, 
CrackZ, Sandman and all the great people who reverse for knowledge, 
keep writing those great tutorials.

I'm out, PEACE !

Goatass