Software Cracking Basics

Before you can begin cracking a trial, you must have some basic knowledge of assembly. If you are already familiar with it, you can skip this section. Well, you’re still here, so I guess I should start explaining. Unlike high-level programming languages (such as C++, Pascal, and Java), assembly does not rely on variables. Instead, it lets you store data directly in the processor and retrieve it in the same way. The places on the processor where the data is stored are called “registers”. The four most common registers are named AX, BX, CX, and DX (easy, eh?). These four registers are for general storage. They don’t have any special functions; they just store data (like variables).

In assembly, all commands look like this: COMMAND PARAMETER,PARAMETER (unless the command only uses one parameter). There are a few basic commands that you should know:

The MOV command is pretty much like using the assignment operator (“=”). It places the value of the second parameter in the first parameter. For example, MOV AX,DX moves the contents of the DX register into the AX register. You can also move numbers directly, as in MOV AX,15.

The basic math commands are ADD (addition), SUB (subtraction), MUL (multiply), and DIV (divide). Each of these commands requires two parameters and stores the result in the first parameter. You can also increase or decrease the value of a single register by 1 using the INC and DEC commands.

To compare values, most programs use the CMP command, which subtracts the value of the second parameter from the first without storing the difference. There is also a TEST command that does a bit-wise comparison (a logical AND). Neither command changes its parameters; the result is recorded in a special area of the processor (the flags) that is read by instructions called “conditional jumps”.

To move to another part of the code, a program will use the JMP command. The syntax is JMP (ADDRESS). If you want the program to jump only if a certain condition has been met (like the “If” statements in high-level languages), you can use these conditional jumps:

JE: Is executed if the parameters of the CMP command were equal.
JZ: Jump if zero (similar to JE).
JNE: Is executed if the parameters of the CMP command were NOT equal.
JNZ: Jump if not zero (similar to JNE).
JG: Is executed if the first parameter was greater than the second.
JL: Is executed if the first parameter was less than the second.
JGE: Is executed if the first parameter was greater than or equal to the second.
JLE: Is executed if the first parameter was less than or equal to the second.

You now know the very basics of x86 assembly. It’s time to get cracking!
(NOTE: If you want to continue learning assembly, visit http://www.emu8086.com)

Cracking the Program
_____________________

Tools needed: any good debugger (I’ll be using OllyDbg, which can be found at http://home.t-online.de/home/ollydbg)

The first step is to launch Olly (the debugger). Open the program you want to crack (cracking will be easier if the program is already expired). Olly will do some processing and analyzing, then display the code. Now, it’s time to get started. The very first thing you want to do is right-click the code and select “Search for” -> “All intermodular calls”. A window should pop up and show a big list of functions. These are all of the APIs that Olly found in the code. Towards the top of the window, there is a header row that says:

Address | Disassembly      | Destination

Click Destination so we can sort the APIs by name. Scroll down until you find a function called GetSystemTime. (If there are several, you will have to follow the next steps for each one.) Click it and press F2. This sets a breakpoint, so the program will automatically be paused when GetSystemTime is called. Press F9 to run the program. The program should pause before it can show you a dialog box notifying you that the trial is expired. If that happens, go back to Olly and press CTRL+F2 to restart the program. Find GetSystemTime again, click it, and press F2 to disable the breakpoint. Now double-click it. You should now be looking at the actual code of the program near the call to GetSystemTime.

What we want to do now is look for a CMP or TEST statement followed by a CONDITIONAL jump, such as JE or JG. The jump is there to either display a dialog and exit (if the trial has expired) or give you access (if it hasn’t expired yet). Not all trial programs are the same, so I can’t tell you exactly what it will look like. Set a breakpoint on the jump (F2) and run the program again. If it still pauses before displaying a message or exiting, we’re almost done! (If not, you’ll need to look for another conditional jump.) The program should now be paused, and the conditional jump should be highlighted. Double-click it so you can modify it. Make it the opposite of whatever it is (change JE to JNE, JG to JL, et cetera), then click the “Assemble” button. Press F9 to run the program again. Tada! Your program should work now.

Right-click the code again and select “Copy to executable” -> “All modifications”, then choose “Copy all”. A new window should appear. Right-click it and choose “Save file” to save the program. Congratulations! You’re a real app cracker now!

Some Default BIOS Passwords

Some useful BIOS passwords

Sometimes the BIOS gets damaged by a virus. In that case it is good to know the software version and the name of the company used for the BIOS.

Usually AWARD BIOS is the most commonly used on motherboards. Brand-name PCs and laptops use their own company’s BIOS software. If the BIOS is damaged, replace your BIOS ROM chip/IC with an equivalent ROM chip.

If you forget the BIOS password:

Every BIOS software manufacturer uses a default password for their particular BIOS. Try the BIOS passwords listed below according to the company.

Award BIOS backdoor passwords

ALFAROME, ALLy, aLLy, aLLY, ALLY, aPAf, _award, BIOSTAR, CONCAT, CONDO,Condo, d8on, djonet, HLT, KDD, Lkwpeter, LKWPETER,PINT, pint, SER, SKY_FOX, ZAAADA, ZBAAACA, ZJAAADC, 01322222, 589589, 589721, 595595, AWARD_SW, AWARD?SW, AWARD SW, AWARD PW, AWKWARD, awkward, J64, J256, J262, J332, J322, SYXZ, syxz, shift+syxz, TTPTHA, 598598.

AMI BIOS backdoor passwords

AMI, AAAMMMIII, BIOS, PASSWORD, HEWITT RAND,AMI?SW, AMI SW, LKWPETER, A.M.I., CONDO.

PHOENIX BIOS backdoor passwords:

phoenix, PHOENIX, COMS, BIOS

MISC. COMMON PASSWORDS

ALFAROME, BIOSTAR, biostar, biosstar, CMOS, cmos, LKWPETER, lkwpeter, setup, SETUP, Syxz, Wodj.

OTHER BIOS PASSWORD BY MANUFACTURER

VOBIS & IBM >>>>> merlin

Dell >>>>> Dell

Biostar >>>>> Biostar

Compaq >>>>> Compaq

Enox >>>>> xo11nE

Epox >>>>> central

Freetech >>>>> Posterie

IWill >>>>> iwill

Jetway >>>>> spooml

Packard Bell >>>>> bell9

QDI >>>>> QDI

Siemens >>>>> SKY_FOX

TMC >>>>> BIGO

Toshiba >>>>> Toshiba

TOSHIBA BIOS

Most Toshiba laptops and some desktop systems will bypass the BIOS password if the left Shift key is held down during boot.

IBM APTIVA BIOS

Press both mouse buttons repeatedly during the boot.

Software Cracking Tutorial

If you’ve ever wondered how software pirates can take software and crack it time and time again, even with security in place, this small series is for you. Even with today’s most advanced methods of defeating piracy in place, it is still relatively easy to crack almost any program in the world. This is mainly because a running process can be completely manipulated by an assembly debugger. Using one, you can bypass the registration process entirely by making the application skip its key verification, without using a valid key. This works because assembly lets you speak directly to the processor and force a skip over the registration code.

In this Null Byte, let’s go over how cracking could work in practice by looking at an example program (a program that serves no purpose other than for me to hack). I will not be walking you through how to actually crack a legitimate program, because I can’t just crack a program for demonstration, but the techniques applied to my examples should give you the foundation needed to create your own. At that point, it’s a test of your morals whether you want to use your knowledge for good or bad.

Requirements

  • Windows (for examples only, debuggers exist across platforms)
  • A debugger installed: IDA, ollydbg, etc. (ollydbg will be used in examples)

Step 1 Test the Program

First, run the program that you are attempting to reverse engineer and try to activate it with a random key to verify that you need a valid software key to proceed. This is to verify that we can come up with the keys.

Step 2 Run the Program in a Debugger

  1. Run ollydbg.
  2. Open up the program you wish to bypass with ollydbg.
  3. Click the play button to run the program with the debugger attached.
  4. Right click the CPU window, and click Search For > All intermodular calls.
  5. Search for high-interest calls. GETDLGITEMTEXT is used for dialog boxes, which are called when you try to enter a software key. By stepping into the function with the debugger, we can examine the registration specifically. SENDDLGITEM could be used as well.
  6. Test to see which one works to break out of the activation loop by right clicking the DLL call and setting a breakpoint for all instances of that call.
  8. Resume the program and enter any software key you feel like. If the debugger breaks (pauses the program’s execution) after entering your key, then you know you found the right call in step 5.
  9. Press F8 back in the CPU window to step forward until you get to the TEST EAX. EAX holds the function’s return value, which means that a check is being performed here. Upon examination, we can see that EAX is being checked for a value that is not equal to null. This means that if it is replaced with anything other than null, the program will run.
  10. Right-click the EAX and change it in hex value to 1, instead of 0.
  11. Resume the program again, and you will have successfully activated the program.
  12. And for proof it was registered to me:

This works because you are making the process skip the check that verifies the key you entered. To exploit the key registration algorithm itself, keep an eye out for part two of this tutorial on making the key generator. Hooray for assembly!