How-To: The Concept of exe Crack

It was 6 years back when I cracked the first exe in my life. It was an application I had programmed that used a window form skin component, "TSkin" maybe, which gives your application window themes or shapes (not necessarily rectangular).

The thing was, the skin loaded fine, but whenever I ran my application it showed a message saying this was a demo version of the skin, so I had to crack it, just to remove that message.

So what is a crack, and how do crackers do it?

Quoting Wikipedia:

“The most common software crack is the modification of an application’s binary to cause or prevent a specific key branch in the program’s execution. This is accomplished by reverse engineering the compiled program code using a debugger such as SoftICE, OllyDbg, GDB, or MacsBug until the software cracker reaches the subroutine that contains the primary method of protecting the software (or by disassembling an executable file with a program such as IDA). The binary is then modified using the debugger or a hex editor in a manner that replaces a prior branching opcode with its complement or a NOP opcode so the key branch will either always execute a specific subroutine or skip over it”

A simple example:

I wrote this simple program using C++ builder:

#include <iostream>   // the original used the pre-standard <iostream.h>

int main() {
    int a, b;
    std::cout << "Enter the first Integer" << std::endl;
    std::cin >> a;
    std::cout << "Enter the second Integer" << std::endl;
    std::cin >> b;
    // The "trial" check: this compare-and-branch is what the crack targets.
    if (a > 5 || b > 5) {
        std::cout << "Trial version can't sum numbers more than 5" << std::endl;
        return 1;
    }
    std::cout << "Sum of A + B = " << a + b << std::endl;
    return 0;
}

This program simply asks for two integers as input and outputs their sum; but if either operand is greater than 5, the program prints a message that this is a trial version and returns without summing.

I will be using OllyDbg to debug this exe and view its assembly code; you can get OllyDbg from http://www.ollydbg.de/

Step 1: load the exe into the debugger.

Step 2: look for the assembly code that makes sense, i.e. the code that implements the check. The easiest anchor is the trial message itself: search the referenced text strings for "Trial version" and walk back from the code that uses it; the CMP and the conditional jump (JG) just before it are the check.

Step 3: Analyze.

You need sufficient assembly language knowledge for this step: work out which CMP compares the input with 5 and which conditional jump sends execution to the trial message instead of the sum.

Step 4: make your alteration.

There are many ways to do this; I can recall two:

  • Reverse the condition (flip the JG to its complement, JLE, so that a number greater than 5 is the one that gets summed)
  • Fill the condition and the branch that follows it with NOPs (the no-operation assembly instruction, which does nothing at all)

Filling with NOPs is the more complete fix: inverting the jump only moves the limitation (inputs of 5 or less would now hit the trial message), while NOPs remove the check entirely and leave you with the fully functional program.

I'll go with the NOPs. Someone may ask: why fill with NOPs, why not just delete that portion of code?

You simply can't, for a couple of reasons:

1. Sometimes the program does a CRC check of itself. Deleting a portion of code (and thus binary data) changes the CRC. (Overwriting bytes with NOPs changes the checksum of that region just as much, so a self-check that covers the patched bytes catches either; what deletion adds is a file of a different size, which also breaks the size fields in the PE headers.)

2. Every instruction after the deleted bytes moves up by that many bytes, so relative jumps and calls that cross the deleted region, and absolute addresses that point past it, now land on the wrong instruction, often in the middle of one. NOPs keep every address exactly where the compiler put it.

Step 5: save your changes and export the .exe binary (in OllyDbg: right-click the disassembly, Copy to executable > All modifications, then save the file from the window that opens).

Step 6: test the cracked .exe: give it two numbers above 5 and confirm you get their sum, then give it small numbers to be sure the normal path still works.
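The whole procedure, as an added example that is not code from the original post and not C++ Builder's real output: a small Python patcher that finds the CMP/JG pair (Step 2), NOPs it out or inverts it (Step 4), and, going one step beyond the text, also shows what happens if you delete the bytes instead and what a CRC self-check would see. The bytes in SAMPLE are hand-assembled 32-bit x86 standing in for what a compiler might emit for `if (a > 5 || b > 5)`; the opcodes, the layout, the offsets and the assumption that `a` and `b` live at [ebp-8] and [ebp-4] are all mine. The `run` function is a tiny interpreter for just the instructions in SAMPLE, so you can see the effect of each patch without a debugger.

```python
"""Patch the trial check the way the steps above describe: find the CMP/JG,
NOP it or invert it, and see why deleting bytes instead goes wrong.

Added example, not from the original post. SAMPLE is hand-assembled 32-bit
x86 standing in for `if (a > 5 || b > 5)`; the real C++ Builder output is
not shown on the page, so opcodes, layout and offsets are an assumption.
"""
import zlib

NOP = 0x90
JG_REL8 = 0x7F   # jg  rel8: jump if greater (signed), per the flags CMP set
JLE_REL8 = 0x7E  # jle rel8: jump if less or equal, the complement of jg

CHECK_PATTERN = bytes([0x83, 0xF8, 0x05, JG_REL8])  # cmp eax, 5 ; jg ...
CHECK_LEN = 5                                        # 3-byte cmp + 2-byte jg
TRIAL = -1                                           # what the trial path returns

# Constructed "code section". a is assumed at [ebp-8], b at [ebp-4].
SAMPLE = bytes([
    0x8B, 0x45, 0xF8,              # 00: mov eax, [ebp-8]   ; eax = a
    0x83, 0xF8, 0x05,              # 03: cmp eax, 5
    0x7F, 0x0D,                    # 06: jg  trial          ; 0x06+2+0x0D = 0x15
    0x8B, 0x45, 0xFC,              # 08: mov eax, [ebp-4]   ; eax = b
    0x83, 0xF8, 0x05,              # 0B: cmp eax, 5
    0x7F, 0x05,                    # 0E: jg  trial          ; 0x0E+2+0x05 = 0x15
    0x03, 0x45, 0xF8,              # 10: add eax, [ebp-8]   ; eax = b + a
    0xEB, 0x05,                    # 13: jmp done           ; 0x13+2+0x05 = 0x1A
    0xB8, 0xFF, 0xFF, 0xFF, 0xFF,  # 15: trial: mov eax, -1
    0xC3,                          # 1A: done:  ret
])

def find_checks(code: bytes) -> list:
    """Step 2: offsets of every cmp-eax-5/jg pair in the code."""
    hits, start = [], 0
    while (i := code.find(CHECK_PATTERN, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

def patch_nop(code: bytes, offsets: list) -> bytes:
    """Overwrite cmp+jg with NOPs: the check is gone, every address stays put."""
    buf = bytearray(code)
    for off in offsets:
        if bytes(buf[off:off + len(CHECK_PATTERN)]) != CHECK_PATTERN:
            raise ValueError(f"unexpected bytes at {off:#x}, refusing to patch")
        buf[off:off + CHECK_LEN] = bytes([NOP]) * CHECK_LEN
    return bytes(buf)

def patch_invert(code: bytes, offsets: list) -> bytes:
    """Flip jg (7F) to jle (7E): the branch now fires for small numbers instead."""
    buf = bytearray(code)
    for off in offsets:
        if buf[off + 3] != JG_REL8:
            raise ValueError(f"no jg at {off + 3:#x}")
        buf[off + 3] = JLE_REL8
    return bytes(buf)

def delete_bytes(code: bytes, off: int, n: int) -> bytes:
    """The wrong way: cutting bytes out shifts everything after them."""
    return code[:off] + code[off + n:]

def fingerprint(code: bytes) -> tuple:
    """What a self-check would notice: (crc32, length)."""
    return zlib.crc32(code), len(code)

def run(code: bytes, a: int, b: int) -> int:
    """Interpret just the opcodes used above and return eax at ret.
    Relative jumps are resolved as the CPU would, so a patch that shifts
    bytes sends them to the wrong place, the same as in a real exe."""
    mem = {0xF8: a, 0xFC: b}
    eax, gt, pc = 0, False, 0
    while True:
        if pc >= len(code):
            raise RuntimeError(f"ran off the end of the code at {pc:#x}")
        op = code[pc]
        if op == NOP:
            pc += 1
        elif op == 0x8B and code[pc + 1] == 0x45:       # mov eax, [ebp+disp8]
            eax, pc = mem[code[pc + 2]], pc + 3
        elif op == 0x03 and code[pc + 1] == 0x45:       # add eax, [ebp+disp8]
            eax, pc = eax + mem[code[pc + 2]], pc + 3
        elif op == 0x83 and code[pc + 1] == 0xF8:       # cmp eax, imm8
            gt, pc = eax > code[pc + 2], pc + 3
        elif op in (JG_REL8, JLE_REL8, 0xEB):           # short jumps
            rel = code[pc + 1] - 256 if code[pc + 1] > 127 else code[pc + 1]
            taken = op == 0xEB or (op == JG_REL8) == gt
            pc = pc + 2 + rel if taken else pc + 2
        elif op == 0xB8:                                # mov eax, imm32
            eax = int.from_bytes(code[pc + 1:pc + 5], "little", signed=True)
            pc += 5
        elif op == 0xC3:                                # ret
            return eax
        else:
            raise RuntimeError(f"unknown opcode {op:#x} at {pc:#x}")

if __name__ == "__main__":
    checks = find_checks(SAMPLE)
    print("checks at", [hex(c) for c in checks])
    for name, code in [("original", SAMPLE), ("nop", patch_nop(SAMPLE, checks)),
                       ("invert", patch_invert(SAMPLE, checks)),
                       ("delete", delete_bytes(SAMPLE, checks[1], CHECK_LEN))]:
        print(name, run(code, 2, 3), run(code, 7, 9), run(code, 7, 1), fingerprint(code))
```

Running it shows the three outcomes side by side: the NOP patch sums 7 and 9 and still sums 2 and 3; the inverted jump sums 7 and 9 but now sends 2 and 3 to the trial path; deleting the second check makes the first `jg` (whose target was computed against the old layout) land on the final `ret`, so 7 and 1 returns 7 instead of either the sum or the trial value. The fingerprints show that both real patches change the CRC, and only the deletion changes the length. `patch_nop` refuses to write unless the bytes at the offset are exactly the pattern it expects, which is the check you want in any patcher before touching a real file.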

 

Elite crackers use more professional tools, often tools of their own; sometimes a kernel-level debugger on Windows (SoftICE, mentioned in the quote above, is the classic example) is used to get more information about how the software protects itself.

Of course, this tutorial is useful if you are dealing with an application that is a single .exe file; sometimes the check lives in a .dll, which you then have to patch as well in order to bypass the restriction.

Assembly terms used:

JMP: unconditional jump to a specific address; execution continues there
CMP: compare two operands (two registers, or a register with a value) by subtracting them and setting the CPU flags; the result itself is discarded
JG: jump if greater (signed comparison), decided from the flags the last CMP set
JLE: jump if less or equal (signed); the complement of JG, which is why flipping one into the other reverses the condition
NOP: no operation; a one-byte instruction (0x90 on x86) that does nothing except advance to the next instruction
CALL: push the return address (the address of the instruction after the CALL) onto the stack and jump to the function at the given address
PUSH: store a register or value on the stack
POP: take the top value off the stack into a register

Hope it was helpful.


One Response to How-To: The Concept of exe Crack

  1. Dumpper says:

    Hi,
    your article is very useful; I hope next time you release more about reverse engineering.
    Regards,
    Dumpper
