Web : http://mxb.cjb.net
Contact Me : [email protected] or [email protected]
My First Lesson
Courtesy : PCQuest
This is my first lesson ... which made me a cracker ... so enjoy it ....
The Dark Art of Cracking
How programmers protect software, and how crackers get past them
Let me start this article with a standard disclaimer that one sees on sites carrying similar topics.
"All material in this article is for informational and educational purposes only. Neither the author nor the publication can be held responsible for misuse of the information provided herewith."
That done, let me lead you down the dark side and tell you of the things you can do there. Well, not exactly. This article is not a step-by-step cracking guide for newbies, nor is it a source of Web links that carry such stuff. It introduces the methods and tools that legitimate programmers use to copy-protect shareware or limit its functionality, and the methods crackers use to get rid of the different types of protection schemes.
A bit of history
Cracking, as opposed to hacking, has always been on the wrong side of the law in computing circles. Hacking generally meant tweaking or understanding the software you use to a much greater extent than the average person does. However, Hollywood flicks and misinformed newspaper reporters soon turned the word "hacking" into something illegal. True hackers were furious and had to curtail their activities, whereas crackers were laughing their heads off and continuing their work.
Cracking probably started with DOS-based games. If someone didn’t have enough health or lives to reach the next level even after trying for a long time, they could use programs like GameHack to directly edit the value in memory and increase it to whatever they felt like. This was a slightly complex process, which involved tracking variables in memory while the game was running and modifying them, and in most cases it meant a system crash. So certain enterprising individuals came up with game trainers. Each trainer had a list of variables it could modify and their corresponding memory addresses. You simply had to select the value to modify, and presto! You’re in the final level with full health, invincibility, all weapons, the works.
Methods of protection
The advent of the shareware concept brought along a new breed of software: functional programs that are given free for use for a period of time, after which the user has to pay up to continue using them. Shareware authors think up different ways of reminding users to pay up. Some use nag screens every time the program is run, some need a registration code to be entered, and some simply expire after a certain number of days or after the program has been run a certain number of times.
The following are the most popular methods of protecting software:
Nag screens: The simplest form of protection, in which a small window appears before the program loads up and reminds you to buy the software. This is mostly achieved by creating a window before the program’s main window is shown and providing a time- or button-based event to open the main program. Examples of programs using this are Paint Shop Pro and TextPad.
Expiration: These programs simply expire after a certain time period, or after the program has run a certain number of times. Many different methods are used to achieve this. They range from simple date checks and registry flag checks, which are easily cracked, to much more complex header and file checksum related ones. For example, the FrontPage 98 trial version on the March ’98 PCQ CD expires 45 days after installation.
User registration: This requires you to pay up, after which you’ll receive an "unlock" code based on your name, e-mail address, or some such variable, which you need to enter in the program for it to work. These work by passing the name entered through some algorithm and comparing the result with the entered code. If they match, the program is registered. Examples are the very popular programs WinZip and CuteFTP. Although these methods seem complex, they are quite simple to crack, as you’ll see later.
Commercial strength wrappers: Many companies are releasing software under the try-before-you-buy concept, which includes a fully working product covered by a "wrapper" that allows online user registration after taking in the user’s details like name, e-mail, phone, and credit card number. All Symantec products, like Norton Utilities, Norton AntiVirus, and Norton CrashGuard, use this. There are many commercial wrappers available, like Release Software Agent, VBox, unBoxed, Techwave, Stirling, and many more. These are fairly complex routines, and the cracks available for them are complete programs by themselves. The best part about cracking these programs is that once a wrapper is cracked, all programs using that wrapper are automatically cracked. That is, if you crack the DLL that the wrapper uses, installing any other program that uses this wrapper will get you the cracked program, without needing to crack it separately.
Dongle (hardware) protection: This is supposedly the ultimate tool to keep out crackers. Very few programs actually use it, due to its complex nature and the annoyances it causes even a legal user. A small hardware lock containing a unique key, or even some API functions, is provided with the program, and the program checks for the existence of this lock while starting. I haven’t seen too many programs using this method, except for some versions of AutoCAD and Tally. A different version of this protection is the CD-ROM check usually associated with large games like Quake II. This method is also fairly easy to trace and get rid of.
Many programs use a combination of all these to protect themselves. However, as you will see, no protection scheme has been uncrackable yet.
Tools and methods of the dark side
The popularity of Windows and the ease of creating programs for this platform have led to the development of thousands of shareware programs in different categories. Crackers have an enormous job ahead of them as they try to keep up with new releases every day. Crackers usually work with the assembly code, reverse engineering it, and have an excellent grasp of the Windows APIs as well.
There is no one modus operandi to crack a program. Depending upon the program and the kind of protection it has, crackers employ different techniques to get into the program. But there are some common tools that crackers employ to start cracking the program. These programs are perfectly legal and useful by themselves.
The most popular tool for crackers is a Windows debugger named SoftIce from Numega Corporation. It enables developers to set "breakpoints" in Windows programs: points in the program code where the program pauses so that variables can be checked to see whether they match expected values. You can trace through the assembly code to debug problems if they occur. But SoftIce in the hands of a cracker is like a Kalashnikov with a terrorist.
For example, if a cracker wants to get rid of a nag screen that comes up every time a program is started, he simply sets a breakpoint in SoftIce on a Windows API call, ShowWindow(). He then calls up the program. The moment the nag screen is shown, SoftIce pauses the program and dumps the cracker into the piece of assembly code that shows the screen. It also shows a large amount of important information, like the values of many registers in memory and byte offsets in the EXE or DLL. In fact, SoftIce is so powerful that the shareware version of SoftIce was used to crack itself and make it the full version. Numega now has many restrictions on its use, and users need to prove that they need the program for legitimate purposes before being able to obtain a copy.
But SoftIce does not help patch the file itself. You don’t want to set a breakpoint every time you want to start the program, do you? So you need to "patch" the program itself. For this, read the byte offset value for the part of the program you wish to crack. Then open the program (EXE or DLL) in a hex editor (trusty old Norton DiskEdit will do, but there are Windows versions around too), go to that offset and patch it with the hex equivalent of the assembly code you used in memory. If this sounds complex, as I said earlier, you need to have a good grasp of assembly to get into this stuff.
Another method for which SoftIce is popular is to obtain "reg codes" from programs that require registration. When prompted for a user name and registration code, enter anything you wish, while keeping a breakpoint on an API call like GetDlgItemA(), which is used to extract the contents of a text box in Windows. The moment you press "OK" you get dumped into SoftIce. Now you know that some variable holds the registration value you just entered. The program logically calculates the real code from the user name and compares the two. If they are the same, the program is registered. So all you need to do is trace the code till you see a comparison being done and check the values of the variables. You’ve got the reg code for the name you entered! You can actually use this method to crack some very popular programs.
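The registration check described above (and in the "User registration" item earlier), as an added example that is not code from the article or from any real product: scheme A is the compute-and-compare design the text describes, with a constructed toy keygen standing in for the program's algorithm, so the genuine code is present in memory at the compare; scheme B is a vendor-signed alternative in which the program carries only a verification key, so a breakpoint at the compare reveals nothing that produces codes for other names. The primes, names and function names are assumptions for illustration.

```python
import hashlib

# Scheme A: the design the article describes. toy_keygen is a constructed
# stand-in (not any product's real algorithm); the program computes the
# genuine code itself, so it sits in memory at the moment of the compare.
def toy_keygen(name: str) -> str:
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return "-".join(f"{b:02X}" for b in digest[:4])      # e.g. "3B-C5-10-62"

def check_registration_a(name: str, code: str) -> bool:
    return toy_keygen(name) == code   # a debugger stopped here sees both values

# Scheme B: vendor-signed codes. Textbook RSA with small, hypothetical primes,
# for illustration only; a real product would use a proper library and key size.
P, Q, E = 1000003, 1000033, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent: never ships in the program

def name_digest(name: str) -> int:
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N

def vendor_sign(name: str) -> int:
    """Run at the vendor's end after payment; the result is the user's code."""
    return pow(name_digest(name), D, N)

def check_registration_b(name: str, code: int) -> bool:
    """What ships in the program: only (E, N) and a verification step."""
    return pow(code, E, N) == name_digest(name)

if __name__ == "__main__":
    code = vendor_sign("Alice")
    print(check_registration_b("Alice", code))   # True
    print(check_registration_b("Bob", code))     # False
```

Patching the compare itself still bypasses either scheme, which is the article's point about every check that runs locally; scheme B only stops the debugger trick from yielding a working code for another name.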
Another favorite tool of crackers is W32DASM, the Win32 DisAssembler, a shareware program used to disassemble code to trace code jumps. For example, you may have seen programs that check for the existence of their CD-ROM in the drive before continuing. If it doesn’t exist, the program gives you an error message and exits. With W32DASM, simply search for the string that is shown when quitting. Where the string is found, you also find the reference to the place in memory it was called from. Trace back to the procedure that called it and disable it. (For assembly aficionados, change a JNE instruction (Jump if Not Equal) to a JE (Jump if Equal), or, even better, simply NOP it.)
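An added example, not code from the article, of the "file checksum" checks mentioned under Expiration and of what the one-byte JNE-to-JE patch just described does to them. The program image, offsets and both checksum routines are constructed for illustration and are not taken from any real product.

```python
import hashlib

# Constructed program image (not from any real binary): a protection check,
# then four unused NOP padding bytes (0x90).
#   3C 01            cmp al, 1   ; did the CD-ROM / registration check pass?
#   75 05            jne +5      ; no -> jump to the "please register" exit
#   B8 01 00 00 00   mov eax, 1  ; yes -> continue into the program
#   C3               ret
IMAGE = bytes([0x3C, 0x01, 0x75, 0x05, 0xB8, 0x01, 0x00, 0x00, 0x00, 0xC3,
               0x90, 0x90, 0x90, 0x90])
JNE_OFFSET = 2          # the byte offset a hex editor would be pointed at
PADDING_OFFSET = 10

def additive_checksum(image: bytes) -> int:
    """Cheap header-style check: sum of bytes, truncated to 16 bits."""
    return sum(image) & 0xFFFF

def strong_checksum(image: bytes) -> str:
    """Cryptographic hash over the same bytes."""
    return hashlib.sha256(image).hexdigest()

# Both expected values are fixed at build time and stored in the program.
EXPECTED_ADDITIVE = additive_checksum(IMAGE)
EXPECTED_STRONG = strong_checksum(IMAGE)

def patch_jne_to_je(image: bytes, offset: int) -> bytes:
    """The one-byte patch the text describes: JNE (0x75) becomes JE (0x74)."""
    if image[offset] != 0x75:
        raise ValueError("no JNE opcode at that offset")
    patched = bytearray(image)
    patched[offset] = 0x74
    return bytes(patched)

def adjust_padding(image: bytes, offset: int, delta: int) -> bytes:
    """Change one unused byte; shows why a plain byte sum proves nothing."""
    patched = bytearray(image)
    patched[offset] = (patched[offset] + delta) & 0xFF
    return bytes(patched)

def integrity_report(image: bytes) -> dict:
    """Verdict of each self-check on the given image."""
    return {"additive_ok": additive_checksum(image) == EXPECTED_ADDITIVE,
            "strong_ok": strong_checksum(image) == EXPECTED_STRONG}

if __name__ == "__main__":
    patched = patch_jne_to_je(IMAGE, JNE_OFFSET)
    print(integrity_report(patched))                                    # both False
    print(integrity_report(adjust_padding(patched, PADDING_OFFSET, 1)))  # sum balances, hash does not
```

The routine that compares the checksum is itself just more code in the file, so, as the article says of every local check, a self-check raises the cost of patching rather than ruling it out.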
Protection schemes
Commercial strength protection schemes like Release Software Agent (the one used by Symantec in all Norton products), Vbox, Unboxed, and many others employ much more sophisticated routines for protecting the software. However, none of these protection schemes have really been able to stop crackers from breaking into the program and using the software for longer than it was meant to be used. Crack programs like PC_RSAG6 help you crack these programs by simply pointing them at the EXE file of the program. But this does not mean that the protection schemes are weak. These schemes are very powerful and secure when used to legally purchase the product; that is, you are not in danger of broadcasting your credit card number on the Internet when using the wrapper to buy the program. The crack works at your end of the line, so that you do not have to enter anything at all and can fool the program into believing that it has been purchased.
The only programs that seem to have thwarted the crackers are the ones that employ some sort of Internet-based authentication each time they are run. Ironically, most of these programs are from the same area that started the trend of cracking: games. Programs like GameSpy and Kali are shareware programs that allow users to play online games on commercial sites for a limited period, after which the user needs to register at the site to continue playing. Although crackers have been able to crack the program itself, users cannot use the program to connect to any server, as no account exists for them until they pay up.
As the world turns towards the Internet for almost everything, so will the software. This will make server authentication the trend for program registration. But knowing how resourceful crackers are, I’m sure they’ll find ways of circumventing these checks too. Already cracking groups like Phrozen Crew, United Cracking Force, the Exterminators, and others are working toward this goal. The first successful Internet program crack I know of was the release of an alpha version of ICQ 99, which was released on many Warez sites. Although I’ve not seen the uncracked version of this alpha, which is supposed to use a different authentication server method, the cracked version works just fine, with all the new features enabled.
Cracking is truly an art, even if it is a dark one. Ask any programmer who has had to understand code written by someone else without any documentation or comments what a nightmare it can be. Crackers, on the other hand, thrive on this, and many crackers, like tKC (founder of Phrozen Crew) and Saltine (who first cracked the commercial wrapper RS Agent), have become legends in their own right.
To end this article on cracking, I cannot but use the tagline of one of the most popular cracking groups around, Phrozen Crew. It explains the psychology of the cracker in one simple line: "We always get what we want!"
Vinod Unny