
Reverse Engineering Step by Step

Vidi

Active Directory Pentester
What is Reverse Engineering?

Reverse-engineering is used for many purposes: as a learning tool; as a way to make new, compatible products that are cheaper than what's currently on the market; for making software interoperate more effectively or to bridge data between different operating systems or databases; and to uncover the undocumented features of commercial products.

What is Software Cracking?

Software cracking is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: copy protection, trial/demo versions, serial numbers, hardware keys, date checks, CD checks, or software annoyances like nag screens and adware. The distribution and use of cracked copies is illegal in almost every developed country.

Would you like to learn how to crack a software program?

Tools you will need: IDA Pro, Hexplorer or any hex editor, Windows Notepad, and some knowledge of assembly language. How about starting with Creature Animation 1-62 Pro, a 64-bit program that was very easy to crack, or maybe AppyGen 5-5, a 32-bit app and game creator for mobile phones, which was not a difficult program either, taking less than an hour to crack.

Gather up your tools, and let's get started.

The AppyGen program was selected as the first example as it is a 32-bit program. Download and install the program.
On first start, by clicking AppyGEN.exe, you will see a message box saying "Please Activate your AppyGEN Copy First". Click OK, and TurboActivate.exe will be called by AppyGEN.exe for activation, putting up an activation box.

LESSON 1: Let's get started by getting familiar with IDA Pro by opening the files with IDA.
Start the 32-bit version of IDA from the IDA folder.

Click on File, click on Open, and open the file. When IDA opens the file, at the message box select Use Debug Info, but answer No when IDA asks whether to search for the debug info file, as it won't be found.

When the auto analysis is finished (lower left corner), save the database.
Click on the Exports tab, and let's take a look at the exported functions that the program calls.
You will see Activate, ActivateEx, IsGenuine, and IsGenuineEx.

Click on IsGenuineEx and you will go to the function and see public IsGenuineEx. Select the text "IsGenuineEx", right click, and Copy.
Place your mouse below ; =============== S U B R O U T I N E, press the ; (semicolon) key, and paste the text.
The text will now show up throughout the decompiled database in all references to the function. You can do the same with labels and data to have a friendly reference name throughout, by creating your own debug info.
Right click on .text:10015B81 push ebp and select Add Breakpoint. Now when the program is run in the debugger it will stop on the breakpoint.
You can now run the program one step at a time by using the F7 key or the F8 key: F8 steps over calls, F7 steps into them. F8 will be the most used key. F9 is "let her rip": run until reaching a breakpoint.

To run the program you will need to click on Debugger and select Local Win Debugger.
You will also have to click on Debugger, Process Options and select the application that starts the program; you can't run the DLL on its own, because the DLL is called by the exe.

DO NOT RUN THE PROGRAM BECAUSE YOU DO NOT YET HAVE THE EXPERIENCE, AND WILL NOT BE ABLE TO GET TO THE CODE IN

The code to change is in the other file, so let's move on to Lesson 2.
Once you have the experience and are able to run it, you will find the following code, which takes us to Lesson 2:

Notice the 00685E6C cmp byte ptr [ebp-5], 0, as it is a compare to zero, and 0 is false, and
at 00685E70 jz short loc_685E96 the jz is a JUMP IF ZERO to the line at address loc_685E96.

NOTICE THE 00685E8A mov edx, offset aAppygenActivat ; "AppyGEN Activated"
as it is a MOVE TO REGISTER edx of the address of the data label aAppygenActivat ("AppyGEN Activated").

This is what we want to do, so we don't jump. If you were running the program in the debugger you
could move the mouse to the next line of code, right click, and set the IP to that address.
IP is the Instruction Pointer register, which is the counter of the current instruction line.

In Lesson 2 you will be able to run the program, and I will show you how to locate the code to change.

AppyGEN.exe:00685E5C ; ---------------------------------------------------------------------------
AppyGEN.exe:00685E5C
AppyGEN.exe:00685E5C loc_685E5C: ; CODE XREF: AppyGEN.exe:00685E1Cj
AppyGEN.exe:00685E5C cmp byte ptr [ebp-6], 4
AppyGEN.exe:00685E60 jnz short loc_685E6C
AppyGEN.exe:00685E62 mov eax, offset aNoInternetConn ; "No Internet Connexion Found ! Please Co"...
AppyGEN.exe:00685E67 call near ptr unk_57F168
AppyGEN.exe:00685E6C
AppyGEN.exe:00685E6C loc_685E6C: ; CODE XREF: AppyGEN.exe:00685E60j
AppyGEN.exe:00685E6C cmp byte ptr [ebp-5], 0
AppyGEN.exe:00685E70 jz short loc_685E96
AppyGEN.exe:00685E72 mov eax, off_6E89E8
AppyGEN.exe:00685E77 mov eax, [eax+3C0h]
AppyGEN.exe:00685E7D mov eax, [eax+288h]
AppyGEN.exe:00685E83 xor edx, edx
AppyGEN.exe:00685E85 call near ptr unk_56BAC4
AppyGEN.exe:00685E8A mov edx, offset aAppygenActivat ; "AppyGEN Activated"
AppyGEN.exe:00685E8F call near ptr unk_56BA20
AppyGEN.exe:00685E94 jmp short loc_685EE0
AppyGEN.exe:00685E96 ; ---------------------------------------------------------------------------
ON TO LESSON 2:

LESSON 2: HOW TO FIND THE CODE THAT ACTIVATES THE PROGRAM!
Start the 32-bit version of IDA by clicking on idaq.exe in the IDA folder, click on File, click on Open, and open the file. When the auto analysis is finished (lower left corner), save the database.

The first thing to do when debugging a program is to find what to change in the program, and set some breakpoints to stop at when running with the F9 key.

Move the scroll bar to the start of the program, and also notice the colored bar at the top; the pointer should be all the way to the left.
Blue is the code section, yellow-brown is library code, data is on the right side, and black is nothing.

Click on Search, click on Select Text, and check the box Find all Occurrences.
EXAMPLES OF WHAT TO SEARCH FOR: activate, Activated, trial, serial, license, and in our case the label aAppygenActivat ; "AppyGEN Activated".

SEARCH FOR aAppygenActivat. When the search is finished, open the tab of the found results.
Click on the found text, and you will go to 00685E8A mov edx, offset aAppygenActivat ; "AppyGEN Activated".
Notice the .text:00685E70 jz short loc_685E96 line above; right click on the line and select Add Breakpoint.
Notice the cmp [ebp+isActivated], 0: it compares the variable isActivated to 0 = false, and Jump if Zero is the next instruction.
WE DON'T WANT TO JUMP!

Notice the mov ecx, offset aTurboactivate_ ; "TurboActivate.exe" on the line below. We don't want to go there, as that is the activation box
that we saw when the program was FIRST STARTED, and the line call @Vcl@ is the pop-up message box.

Now go to the top of the PROCEDURE, right click, and select the text Unit1::softwareactivate.
Go to the line below PROCEDURE, press ; (semicolon), and paste the text into the box. Now a reference to this call will show as a ; comment throughout the entire program when it is run. RIGHT CLICK ON THE TOP LINE AND SELECT ADD BREAKPOINT.

To run the program, click on Debugger and select Start Process.

The program will break when you hit the Unit1::softwareactivate breakpoint at the top of the procedure.
You can step through the code using the F8 key, or run to the next breakpoint using the F9 key.

When you get to the instruction jz short loc_685E96, move the mouse to the next line, right click, and select Set IP.
Now hit the F9 key and let the program run; it should start up and display Activated at the bottom of the box.
If you get an exception pop-up box, click on Pass Exception to the Program to continue.

In the Next Lesson we will learn how to locate the code that needs to be changed, and how to change it.

.text:00685DA4 ; =============== S U B R O U T I N E =======================================
.text:00685DA4
.text:00685DA4 ; Attributes: bp-based frame
.text:00685DA4
.text:00685DA4 ; int __fastcall Unit1::softwareactivate(Unit1 *__hidden this)
.text:00685DA4 @ proc near ; CODE XREF: _TForm1_FormCreate:loc_6861ECp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LEFT OUT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:00685E6C loc_685E6C: ; CODE XREF: Unit1::softwareactivate(void)+BCj
.text:00685E6C cmp [ebp+isActivated], 0
.text:00685E70 jz short loc_685E96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LEFT OUT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:00685E8A mov edx, offset aAppygenActivat ; "AppyGEN Activated"
.text:00685E8F call @Vcl@Comctrls@TStatusPanel@SetText$qqrx20System@UnicodeString ;
.text:00685E9B call @Vcl@ ; Vcl::Dialogs::ShowMessage(System::UnicodeString)
.text:00685EA0 push 1 ; wchar_t *
.text:00685EA2 push offset dword_686144 ; wchar_t *
.text:00685EA7 push offset dword_686144 ; wchar_t *
.text:00685EAC lea eax, [ebp+var_18]
.text:00685EAF mov ecx, offset aTurboactivate_ ; "TurboActivate.exe"

LESSON 3: HOW TO CHANGE THE CODE THAT NEEDS TO BE CHANGED TO ACTIVATE THE PROGRAM

The jump that we didn't take is not the code that we need to change; if you look above in the listing you will see the code that needs to be executed.
The mov al, 1 is a MOVE of the NUMBER 1 into REGISTER al. THE NEXT INSTRUCTION MOVES THE 1 IN REGISTER al TO THE VARIABLE isActivated.

.text:00685E0F mov al, 1
.text:00685E11 loc_685E11: ; CODE XREF: Unit1::softwareactivate(void)+69j
.text:00685E11 mov [ebp+isActivated], al

A 1 = true and zero = false. WE WANT isActivated to equal 1, or true: it is Activated.
If the programmer is using this code: If isActivated then Begin (do this list of instructions) Else Begin (do this) End;

The above example is in Pascal, since this program is written in Delphi Pascal. All programming languages are converted to
hex numbers by the compiler, and each number represents an instruction for the CPU to process.
Assembly language is an easy-to-understand mnemonic for each hex-number instruction.

jz is JUMP IF ZERO. A cmp (compare) or a test instruction sets the Flags register, and JUMP IF ZERO checks whether the Zero Flag is set.
The hex number 74 is the instruction jz = jump if zero; the hex instruction 74 24 is JUMP 24h BYTES AHEAD IF THE ZERO FLAG IS SET.
Hex number 75 = jnz, a JUMP IF NOT ZERO.

In order to not jump we can eliminate the instruction 74 24 completely by NOPing it out: the number 90 is a NOP, which stands for
NO OPERATION. We can replace the 74 24 with 90 90, and the CPU will skip over it to the next instruction in the list.
A better way to do it is to change 74 24 to 74 00: jump zero bytes ahead, or don't jump, but move to the next instruction.
This would be a cracker's dream, a 1-byte crack, but no such luck, because other functions may check if the isActivated variable is a 1.
So we need to do a couple of instructions to make sure.

The above instruction is a 2-byte instruction, and if you change any instruction then you must keep the same number of bytes, or the program will crash. To change an instruction from jz or jnz to an unconditional JUMP, change the 74 or the 75 to EB, which is an unconditional JUMP.
To change a jnz (JUMP IF NOT ZERO) in its FAR JUMP form (more than 256 bytes) to a JUMP, EXAMPLE: 0F 85 3B 11 00 00, replace the 0F 85 with 90 E9. The first byte is NOPed out and E9 is an unconditional JUMP; the last 4 bytes are the number of bytes to jump.
The FAR JUMP is a 6-byte instruction, and if you replace it with a 2-byte jmp instruction then you need to replace the other 4 bytes with 90 90 90 90, or when the CPU executes the next 4 bytes the program will crash.
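To check the branch arithmetic behind the opcodes discussed above, here is a small decoder for exactly that opcode set (an added example, not code from the original tutorial). It resolves each branch target from the instruction's own address, which is how you confirm that 74 24 at 00685E70 lands on loc_685E96 and that EB 02 at 00685E0D lands on loc_685E11; the 0x401000 address used for the 6-byte rel32 case is a constructed placeholder, since the tutorial gives none.

```python
import struct

# Added example (not from the tutorial): decode the x86 branch encodings the
# lesson talks about and resolve their targets. The displacement is relative
# to the address of the *next* instruction, so "74 24" at 0x685E70 goes to
# 0x685E70 + 2 + 0x24 = 0x685E96, matching the IDA listing.
REL8 = {0x74: "jz", 0x75: "jnz", 0xEB: "jmp"}      # 2-byte short forms
REL32_0F = {0x84: "jz", 0x85: "jnz"}                # 6-byte "far" forms


def decode_branch(code: bytes, addr: int):
    """Decode one instruction at `addr`. Returns (mnemonic, length, target);
    target is None for nop. Bytes outside this small table raise ValueError."""
    op = code[0]
    if op == 0x90:
        return ("nop", 1, None)
    if op in REL8:
        rel = struct.unpack("<b", code[1:2])[0]      # signed 8-bit displacement
        return (REL8[op], 2, addr + 2 + rel)
    if op == 0xE9:                                   # 5-byte jmp rel32
        rel = struct.unpack("<i", code[1:5])[0]
        return ("jmp", 5, addr + 5 + rel)
    if op == 0x0F and len(code) > 1 and code[1] in REL32_0F:
        rel = struct.unpack("<i", code[2:6])[0]      # signed 32-bit displacement
        return (REL32_0F[code[1]], 6, addr + 6 + rel)
    raise ValueError(f"opcode {op:#04x} at {addr:#010x} is not in this decoder")


def disassemble(code: bytes, addr: int):
    """Walk a byte run instruction by instruction, honouring each length, so a
    replacement that miscounts bytes shows up as the wrong bytes being decoded."""
    out, off = [], 0
    while off < len(code):
        name, length, target = decode_branch(code[off:], addr + off)
        out.append((addr + off, name, length, target))
        off += length
    return out


if __name__ == "__main__":
    # Bytes quoted in the lesson, at the addresses the IDA listing shows.
    for hexs, addr in (("74 24", 0x685E70), ("EB 02", 0x685E0D), ("EB 00", 0x685E0D)):
        name, length, target = decode_branch(bytes.fromhex(hexs), addr)
        print(f"{addr:08X}  {hexs:<6} {name:<4} -> {target:08X}")
    # The 6-byte form from the lesson and its 90 E9 rewrite; 0x401000 is a
    # constructed placeholder address, not one taken from the tutorial.
    for hexs in ("0F 85 3B 11 00 00", "90 E9 3B 11 00 00"):
        for a, name, length, target in disassemble(bytes.fromhex(hexs), 0x401000):
            tgt = f"{target:08X}" if target is not None else "-"
            print(f"{a:08X}  {name:<4} len={length} target={tgt}")
```

Running it shows the nop + jmp rel32 pair resolving to the same target as the original jnz rel32, which is why the byte count, not just the opcode, has to be preserved.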

In IDA click on Jump, click on Jump to Address, paste 00685DF1 into the jump box, and place a breakpoint on that address:
.text:00685DF1 call @Turboactivateunit@TurboActivate@IsGenuine$qqruiuioo ; TurboActivate::IsGenuine
ALSO PLACE A BREAKPOINT ON THE LINE BELOW: WE WILL RETURN TO THE LINE BELOW ON EXIT FROM THE CALL.

This is the call that calls the IsGenuineEx external function in the TurboActivate DLL.
Run the program until it breaks at this address, and press the F7 key to step into the CALL.

Jump to Address, or scroll down until you see the code below, and set a breakpoint. We are going to change the 2 to a 1 later.
.text:0066A12D loc_66A12D: ; CODE XREF: Turboactivateunit::TurboActivate::IsGenuine(uint,uint,bool,bool)+54j
.text:0066A12D ; Turboactivateunit::TurboActivate::IsGenuine(uint,uint,bool,bool)+60j ...
.text:0066A12D mov [ebp+var_D], 2
USING THE F8 KEY TO RUN THE PROGRAM, YOU WILL RETURN TO THE LINE BELOW YOUR BREAKPOINT WHERE YOU ENTERED THE CALL.

.text:00685DF1 call @Turboactivateunit@TurboActivate@IsGenuine$qqruiuioo ; TurboActivate::IsGenuine
.text:00685DF6 mov [ebp+var_6], al ; al was set = 2 in the call above, but we want it to = 1
.text:00685DF9 cmp [ebp+var_6], 0 ; PLACE YOUR MOUSE OVER AL OR VAR_6 AND YOU WILL SEE IT'S = 2
.text:00685DFD jz short loc_685E0F ; WE WANT TO GO HERE
.text:00685DFF cmp [ebp+var_6], 1
.text:00685E03 jz short loc_685E0F
.text:00685E05 cmp [ebp+var_6], 4
.text:00685E09 jz short loc_685E0F
.text:00685E0B xor eax, eax ; XOR sets register EAX = ZERO, al is the low byte register of EAX
.text:00685E0D jmp short loc_685E11 ; DON'T JUMP, WE DON'T WANT TO GO THERE
-------------------------------------------------------------------------------------- ; HEX CODE FROM THE HEX VIEW-A TAB OF IDA
00685E0D  EB 02  B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB
---       EB 02  B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB
00685E0D  EB 00 - B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB    CHANGE THE EB 02 to EB 00 - Don't jump
---------------------------------------------------------------------------------------
.text:00685E0F
.text:00685E0F loc_685E0F: ; CODE XREF: Unit1::softwareactivate(void)+59j
.text:00685E0F ; Unit1::softwareactivate(void)+5Fj ...
.text:00685E0F mov al, 1 ; WE WANT AL TO BE = 1
.text:00685E11
.text:00685E11 loc_685E11: ; CODE XREF: Unit1::softwareactivate(void)+69j
.text:00685E11 mov [ebp+isActivated], al ; NOW isActivated = 1 or TRUE, it's ACTIVATED
.text:00685E14 xor eax, eax
.text:00685E16 pop edx
.text:00685E17 pop ecx
.text:00685E18 pop ecx
.text:00685E19 mov fs:[eax], edx
.text:00685E1C jmp short loc_685E5C ; JUMPS, AND COMES TO THE CODE THAT WE ORIGINALLY DIDN'T JUMP AT
.text:00685E1E ; ---------------------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:00685E6C loc_685E6C: ; CODE XREF: Unit1::softwareactivate(void)+BCj
.text:00685E6C cmp [ebp+isActivated], 0
.text:00685E70 jz short loc_685E96
IN THE NEXT LESSON WE WILL LEARN HOW TO CHANGE THE CODE WITH A HEX EDITOR

LESSON 4: HOW TO CHANGE THE CODE WITH A HEX EDITOR

We need to make 2 changes to the program to make sure it is activated correctly.
One change is to set the variable isActivated to 1 = true, and the second change is to the function called, because it may be called by other parts of the program.
We want the function unit@TurboActivate@IsGenuine to return a 1, since 2 is Not Activated.
The code at address .text:00685DF9 checks var_6 for 0, 1, 2, 4, and we sure as hell don't want to jump to 685E11 after xor eax, eax, because al = 0 and isActivated will be set to 0 = not activated.
Zero is probably trial, 1 = Activated, 2 = Not Activated, and only the programmer knows what the hell a 4 is.

NOW YOU WILL FIND OUT ABOUT NOTEPAD: with the mouse, select the text from .text:00685DA4 ; =============== S U B R O U T I N E
TO: .text:00685F08 retn
Copy and paste the text into a file named DEBUG.TXT.

Place the mouse on the following line and click: .text:00685E0D jmp short loc_685E11
Click on IDA's Hex View-A tab, and open the hex view for address 00685E0D.
Select the whole line, press CTRL-C to copy the line, and
paste it below .text:00685E0D jmp short loc_685E11 in the text file. Paste it 3 times.

The top line is the original hex code, the second line is the hex code we will search for, and the third line is the changed hex code.
Now remove the address from the second line, and also remove all spaces; this is the hex code we will search for with Hexplorer.

CHANGE 1:

.text:00685E0D jmp short loc_685E11 ; DON'T JUMP, WE DON'T WANT TO GO THERE
-------------------------------------------------------------------------------------- ; HEX CODE FROM THE HEX VIEW-A TAB OF IDA
00685E0D  EB 02  B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB
EB02B001884 5FB33C05A59596489 10EB
00685E0D  EB 00 - B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB    CHANGE THE EB 02 to EB 00 - Don't jump
---------------------------------------------------------------------------------------

CHANGE 2:

.text:0066A12D mov [ebp+var_D], 2 ; jumptable 0066A070 default case
-----------------------------------------------------------
0066A12D  C6 45 F3 02  8A 45 F3 8B E5 5D C2 08 00 8B C0 55
C645F3028A45F38BE55DC208008BC055
0066A12D  C6 45 F3 01 - 8A 45 F3 8B E5 5D C2 08 00 8B C0 55
-----------------------------------------------------------

To find the hex code, open Hexplorer and open the file AppyGEN.exe with it.
Click on Edit, click on Find, and paste the hex code from line 2 (only the numbers) into the Hex box.
Hit F3 to make sure it's not found more than once; if it is, add the next line of hex code to the first and search again.

Another way to do it: open the hex calculator in Hexplorer and select Hex.
Enter the first change's IDA address, 00685E0D, into the calculator and subtract 400C00 from it to get the file offset.
Click on View, click on Go to Address, and enter this value into the box.
Verify you have the correct hex code to change, and then change it. Do this for both changes.

Always save a copy of the file you are changing so you don't have to reinstall in case you screw up.
Save the Debug.txt and the IDA database for reference, as you may want to do the next version.
As you watch the code while running a program in the debugger you will learn, and get better at cracking.

Congratulations, you have CRACKED your first program, and it is a 2-byte crack!

This manual is not of my authorship! But it is uncomplicated!

Keep trying and you will be a Broly soon!
 
