Before you can begin cracking a trial, you must have some basic knowledge of assembly. If you are already familiar with it, you can skip this section. Well, you’re still here, so I guess I should start explaining. Unlike high-level programming languages (such as C++, Pascal, and Java) assembly does not rely on variables. Instead, it allows you to interact directly with the processor, and retrieve it in the same way. The places on the processor where the data is stored are called “registers”. The four most common registers are named AX, BX, CX, and DX (easy, eh?). These four registers are for general storage. The don’t have any special functions, they just store data (like variables).

In assembly, all commands look like this: COMMAND PARAMETER,PARAMETER (unless the command only uses one parameter). There are a few basic commands that you should know:

The MOV command is pretty much like using the assignment operator (“=”). It places the value of the second parameter in the first parameter. For example, MOV AX,DX moves the contents of the DX register into the AX register. You can also move numbers directly, as in MOV AX,15.

The basic math commands are ADD (addition), SUB (subtraction), MUL (multiply), and DIV (divide). Each of these commands require two parameters and store the result in the first parameter. You can also increase or decrease the value of a single register by 1, using the INC and DEC commands.

To compare values, most programs use the CMP command, which subtracts the value of the second parameter from the first. There is also a TEST command that does a bit-wise comparison. The result for each command is stored in a special area that can be accessed by functions called “conditional jumps”.

To move to another part of the code, a program will use the JMP command. The syntax is JMP (ADDRESS). If you want the program to jump only if a certain condition has been met (like the “If” statements in high-level languages), you can use these conditional jumps:

JE: Is executed if the parameters of the CMP command were equal.
JZ: Jump if zero (similar to JE).
JNE: Is executed if the parameters of the CMP command were NOT equal.
JNZ: Jump if not zero (similar to JNE).
JG: Is executed if the first parameter was greater than the second.
JL: Is executed if the first parameter was less than the second.
JGE: Is executed if the first parameter was greater than or equal to the second.
JLE: Is executed if the first parameter was less than or equal to the second.

You now know the very basics of x86 assembly. It’s time to get cracking!
(NOTE: If you want to continue learning assembly, visit http://www.emu8086.com)

Cracking the Program
_____________________

Tools needed: any good debugger (I’ll be using OllyDbg, which can be found at http://home.t-online.de/home/ollydbg)

The first step is to launch Olly (the debugger). Open the program you want to crack (cracking will be easier if the program is already expired). Olly will do some processing and analyzing, then display the code. Now, it’s time to get started. The very first thing you want to do is right-click the code and select “Search for” -> “All intermodular calls”. A window should pop up and show a big list of functions. These are all of the APIs that Olly found in the code. Towards the top of the window, there is a row of that says:

Address | Disassembly      | Destination

Click destination, so we can sort the APIs by name. Scroll down until you find a function called ollydbg”GetSystemTime“. (If there are several, you will have to follow the next steps for each one.) Click it and press F2. This will set a breakpoint so the program will automatically be pause when GetSystemTime is called. Press F9 to run the program. The program should pause before it can show you a dialog box notifying you that the trial is expired. If that happens, then go back to Olly, and press CTRL+F2 to restart the program. Find GetSystemTime again, click it, and press F2 to disable the breakpoint. Now double-click it. You should now be looking at the actual code of the program near the call to GetSystemTime. What we want to do now is look for a CMP or TEST statement, followed by a CONDITIONAL jump, such as JE or JG. The jump is there to either display a dialog and exit (if it expired), or give you access (if it hasn’t expired yet). Not all trial programs are the same, so I can’t tell you exactly what it will be like. Set a breakpoint on the jump (F2) and run the program again. If it still pauses before displaying a message or exiting, we’re almost done! (If not, you’ll need to look for another conditional jump.) The program should now be paused, and the conditional jump should be highlighted. Double-click it so you can modify it. Make it the opposite of whatever it is (change JE to JNEJG to JLet cetera…), then click the “Assemble” button. Press F9 to run the program again. Tada! Your program should work now. Right-click the code again and select “Copy to executable” -> “All modifications”, then choose “Copy all”. A new window should appear. Right-click it and choose “Save file” to save the program. Congratulations! You’re a real app cracker now!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s