Patching A Serial Using The Bitmaps


“Bypassing all Serials from same company” by XOR06

Intro

Welcome again. Nice to have you back! In this tutorial we will be cracking a registration scheme from a ‘real’
program which uses a pretty normal Serial check.

I assume that you know Olly and how to change the flags, search for constants and so on, just some basic
knowledge. I would like to thank my friends in TPoDT (especially DMichael, one of my mentors) and Nwokiller
for the great support. Do I have to say: “This is only for learning, so please, if you do like it, pay for it!”

Remember, the best way to learn is to try to Patch the program yourself first, if you don’t succeed (or if you
would like to see another approach) then read this tutorial. Have Fun!

Toolz
Olly
PE Explorer or Resource Hacker
Crackers Tools (if you like)

Target
Action! 1.8
You can find the target at http://www.mirillis.com/en/downloads/downloads_action.html

Index
Intro ............................................... 1
Toolz ............................................... 1
Target .............................................. 1
Investigate The Target .............................. 2
Finding the Serial check Patch ...................... 3
More Challenges ..................................... 9
Applying the Patch .................................. 11
Universal Product patching
Final Notes ......................................... 12
Thanks to: .......................................... 12

Investigate the Target

Run the target and you’ll see this:

Press this little picture in the upper right corner and this pops up:

As you can see, I only have 22 days left now (in your case it should be 30, because you’ve just downloaded it).
Click the Activate Icon and finally you’ll see this:
Input a name and a serial number. You need to input 35 chars before the “Activate” button becomes active.
Click it and here you are:

That is all we need to know, let’s load the target in Olly

Finding the Serial check Patch

On this target we can’t use the “Search strings” technique, so we’ll be using the “Call stack” technique.

(You could use the Resource Hacker to find the string, but since all the strings in this program are put in a dll,
you would first have to find out which one it is. I decided it was quicker to just use the Call Stack, but if you
like to use the Resource Hacker approach, the strings are in res0409.dll)

Run the target in Olly until the badboy pops up again. Press “Pause” in Olly and open the Call stack Window
in Olly like this:
The last procedure made from our target “Action” was called from Action.009CBF96. Let’s go there (double-click on it):

It’s in the middle of a large routine, so scroll up to the start and place a bp.

Press F9 to let Olly run again. Click the “Ok” and Click “Activate”, so Olly breaks at our bp. This is a long
routine, and I’m only going into detail with the pieces that matter to us. As you step through the code, you
will see, our code being modified. Just keep stepping until you see this:
Can you see, Olly shows us the next line works with res0409. What could that be? The line of code we are at
is a conditional jump (JNZ), so follow the jump by hitting “Enter” and now we can see where it jumps to

It jumps to a line, that prepares to Call a LoadStringW. (If you can’t guess what it does, you can look it up). On
the line we landed, it points to that res0409 and you can see it reads RsrcID D5 (213). To know what is going
on here, we need to look into, what that res0409 can be.

Open PE Explorer (or Resource Hacker) and open the folder to the target. Instead of showing the exe files,
change it, so you only see the dll files. Then you will see a dll file named res0409. Let’s open that.

In the string folder under no 14 you’ll find all the strings about registration. Can you remember that it loaded
D5 = 213? That is the badboy!! Now we know that we do not want Olly to take that jump. Back to Olly and
change the flag, so it does not jump. Set a bp and step on. You can only step 5 times, until you see this:
If you follow this jump with “Enter”, you will see this calls the badboy too. We should have changed the
conditional jump @ 009CBDEF to jump, that much we know. Click on JE @ 009CBDEF. Set a bp and let Olly
run again. Click “Activate” again, and run until you are on 009CBDEF. Change the flag so it jumps. Continue
our stepping down to the next JNZ command.
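The text above notes that string ID D5 (213) turns up in string-table folder number 14 of res0409.dll without saying why. The reason is the layout of Win32 RT_STRING resources: strings are stored in blocks of 16, block N holds IDs (N-1)*16 through N*16-1, and each slot is a 16-bit length followed by that many UTF-16 code units. The script below is an added example, not code from the tutorial or from Mirillis; the strings in it are constructed samples, not the real contents of res0409.dll. It shows the ID-to-block arithmetic and round-trips a block through the on-disk encoding, which is what a resource viewer does when it labels a string "213" inside block 14.

```python
# Added example: how LoadString IDs map onto RT_STRING blocks.
# Sample strings are constructed; they are not the text from res0409.dll.
import struct

BLOCK_SIZE = 16  # every RT_STRING block holds exactly 16 slots


def string_block_id(string_id):
    """Return (block_id, index_within_block) for a LoadString ID.
    Blocks are numbered from 1, so ID 213 -> block 14, slot 5."""
    return string_id // BLOCK_SIZE + 1, string_id % BLOCK_SIZE


def build_string_block(strings, block_id):
    """Serialise one RT_STRING block: each of the 16 slots is a little-endian
    WORD giving the length in UTF-16 code units, followed by the code units
    (no terminator). Slots with no string are encoded as length 0."""
    first_id = (block_id - 1) * BLOCK_SIZE
    out = bytearray()
    for slot in range(BLOCK_SIZE):
        units = strings.get(first_id + slot, "").encode("utf-16-le")
        out += struct.pack("<H", len(units) // 2) + units
    return bytes(out)


def parse_string_block(data, block_id):
    """Decode an RT_STRING block back into {string_id: text}."""
    first_id = (block_id - 1) * BLOCK_SIZE
    result = {}
    offset = 0
    for slot in range(BLOCK_SIZE):
        (count,) = struct.unpack_from("<H", data, offset)
        offset += 2
        text = data[offset:offset + 2 * count].decode("utf-16-le")
        offset += 2 * count
        if count:
            result[first_id + slot] = text
    return result


# Constructed sample table: the IDs match the tutorial (D4 = 212, D5 = 213),
# the wording is made up for this example.
SAMPLE_STRINGS = {
    212: "Activation successful (sample)",
    213: "Invalid serial (sample)",
}


def lookup_string(strings, string_id):
    """Emulate a LoadString lookup: find the block, decode it, pick the slot."""
    block_id, _ = string_block_id(string_id)
    blob = build_string_block(strings, block_id)
    return parse_string_block(blob, block_id).get(string_id)


if __name__ == "__main__":
    for sid in (212, 213):
        block, slot = string_block_id(sid)
        print(f"ID {sid} (0x{sid:X}) -> block {block}, slot {slot}: {lookup_string(SAMPLE_STRINGS, sid)!r}")
```

Block 14 therefore covers IDs 208 to 223, which is why both the "badboy" (213) and the "goodboy" (212) sit in the same folder of the resource viewer; the same arithmetic applies to any string table, not just this DLL.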

This one, jumps right past the jump command @ 009CBE65, is that good or bad? Try to click on the JMP @
009CBE65 and follow it. You’ll see it jumps to this

If you look D4 up in the PE Explorer, you’ll see that this is the Goodboy!! So, back to the JNZ command
@ 009CBE65. Set a bp and change the flag so it does not jump. Step through the jump and 2 more times,
until you get to the next JE. This too would like to jump out before the call. That can’t be good, because then
it does not call the Goodboy. Set a bp and Change the flag. Now it does not jump and you can just step
through the code until you’ll see this
The Goodboy!! Click “Ok” and you are back in Olly.

Step one time and you are at a JNZ command @ 009CBF9B. This one will jump almost to the end of the
routine. More importantly it will jump past a GetWindowText Call (a call that will get the some text from our
reg. box) and the “LicenseHolder” @ 009CBFCF . Could this call read our name and put it into this
“LicenseHolder”? Set a bp on JNZ @ 009CBF9B and on the JE command on 009CBFA7. Now step through
them and change the flags, so they don’t jump. After that let Olly run.
Yes we did it!! If you click on “Ok”, we will be back here:

Now you can see that the small picture changed to . If you click it, you will see this:
More Challenges

Well that is all good, but if you try to save your changes to a file and run the program, you will discover that it
has not saved your registration (or just try to restart the target in Olly). We have to fix that. Did you notice
that in the Information box the “Activation” tab is gone when regged? Let’s attack that!!

(If the program is regged, the “activation” tab should not be loaded. If we can find where it loads that, the
check must be before that)

Open the exe file in PE Explorer and open the Bitmap folder. And why this folder you may ask. That is
because this target is drawing the dialogs piece by piece.

Just step down through the bitmaps, until you find the picture for the “Activation” tab.

On 520 and 521 you’ll see the picture (there is more than one, because it has various looks depending on
whether it is in focus or not). There must be a place in the code where 520 and 521 get pushed. Let’s do a
search for the constants in Olly. No matter which one you are searching for, keep searching until you see this:
This is the only place in the code where it pushes both 208 (520) and 209 (521), so this must be it. Look at the
two JE commands @ 009CA7F0 and @ 009CA7FE; both of these jump past the pushes. Take a look at the
command “CMP DWORD PTR DS:[D4359C],0” just before the JE @ 009CA7F0. Could this be the pointer?

Set a bp on that and restart. Click on and Olly breaks.

If you look in the information window in Olly, you can see that the pointer is 9 and it should be 0. (If it is zero,
it jumps past the pushes. If you want to be sure that this is the pointer, you can try to zero it and run.)

This can’t be the first place, it checks the pointer, because it first checks when you press the reg button.
Therefore let’s “find references” to “addressed constant” and set a breakpoint on every command.
Restart Olly.

Olly now breaks here:

This looks good. This is before the target is fully loaded and it is the first time it uses the pointer. If you look
in the information window in Olly, you can see it will mov 9 into the pointer. If you set a bp before the call
@ 009E72DF, you will see that EAX is zero before this call sets EAX. If you step into the call, you’ll see that
now you are outside the Main and Olly has not analyzed it yet. This is where it checks the serial, so why not just
NOP that call? Try setting a bp on the Call @ 009E72E8, restart Olly and NOP it.

Yes!! Now it runs with no problems, so all the other patches we made, are not needed, as long as we NOP
the Call @ 009E72E8.
Applying the Patch

Okay, applying this patch is a little different from our normal way, but don’t worry, we’ll make it in a hurry.
Restart Olly (if you are not on the bp @ 009E72E8). Olly breaks at the bp @ 009E72E8; NOP it and select
“Copy to executable” and choose “Selection”, and you’ll see this:

Press the “Yes” button and take a look at this

“C” (the one at the top) is the one you just ran and “D” (the other one) is the one you are about to save.
Because Olly has adjusted the fixups these are not the same!! In this case it is ok because the changed byte
does not mean anything, but this will change every time you restart your PC and load it into Olly.

If Olly’s fixups end up with a code that gives meaning you have to restart your computer and change it again.
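The "fixups" the author runs into are PE base relocations: when the loader maps a module somewhere other than its preferred image base, it adds the base delta to every absolute 32-bit address the relocation table lists, so the bytes in memory legitimately differ from the file on disk. The same effect bites anyone doing the reverse job, comparing a loaded module against its on-disk copy to spot tampering: without masking the relocated slots you get false positives, and with them a real modification still stands out. The script below is an added example, not code from the tutorial or from Olly; the code bytes, image bases and relocation offsets are constructed for the demonstration.

```python
# Added example: emulate HIGHLOW base relocations and diff a loaded image
# against its disk copy while ignoring the relocated slots.
# All bases, offsets and code bytes are constructed for this demonstration.
import struct

PREFERRED_BASE = 0x00400000  # base the file was linked for (constructed)
ACTUAL_BASE = 0x00C30000     # base the loader chose at run time (constructed)


def apply_relocations(image, reloc_offsets, preferred_base, actual_base):
    """Emulate IMAGE_REL_BASED_HIGHLOW: add (actual - preferred) to each
    32-bit absolute address at the listed offsets, as the Windows loader does."""
    delta = (actual_base - preferred_base) & 0xFFFFFFFF
    buf = bytearray(image)
    for off in reloc_offsets:
        (value,) = struct.unpack_from("<I", buf, off)
        struct.pack_into("<I", buf, off, (value + delta) & 0xFFFFFFFF)
    return bytes(buf)


def relocated_slots(reloc_offsets):
    """Every byte offset covered by a 4-byte relocation entry."""
    return {off + i for off in reloc_offsets for i in range(4)}


def naive_diff(disk, memory):
    """Offsets whose bytes differ, with no knowledge of relocations."""
    return [i for i, (a, b) in enumerate(zip(disk, memory)) if a != b]


def diff_ignoring_relocs(disk, memory, reloc_offsets):
    """Offsets that differ once relocation slots are masked out.
    Whatever is left is a genuine modification of the code."""
    masked = relocated_slots(reloc_offsets)
    return [i for i in naive_diff(disk, memory) if i not in masked]


# Constructed x86 fragment, in the shape of the check the tutorial describes:
#   mov eax, [0x004012A0]   ; absolute address -> needs a fixup
#   call +0x10              ; relative displacement -> no fixup
#   test eax, eax
#   jnz +5
DISK_IMAGE = bytes([
    0xA1, 0xA0, 0x12, 0x40, 0x00,
    0xE8, 0x10, 0x00, 0x00, 0x00,
    0x85, 0xC0,
    0x75, 0x05,
])
RELOC_OFFSETS = [1]  # the MOV operand at offset 1..4 is the only absolute address


def clean_memory_image():
    """What the loader produces: disk bytes plus relocations, nothing else."""
    return apply_relocations(DISK_IMAGE, RELOC_OFFSETS, PREFERRED_BASE, ACTUAL_BASE)


def tampered_memory_image():
    """The same loaded image with the CALL overwritten by five NOPs (0x90)."""
    img = bytearray(clean_memory_image())
    img[5:10] = b"\x90" * 5
    return bytes(img)


if __name__ == "__main__":
    clean, bad = clean_memory_image(), tampered_memory_image()
    print("naive diff, untouched module :", naive_diff(DISK_IMAGE, clean))
    print("masked diff, untouched module:", diff_ignoring_relocs(DISK_IMAGE, clean, RELOC_OFFSETS))
    print("masked diff, patched module  :", diff_ignoring_relocs(DISK_IMAGE, bad, RELOC_OFFSETS))
```

With the constructed delta of 0x830000 the naive comparison flags offset 3 of an untouched module (the high byte of the relocated operand), which is exactly the spurious "changed byte" Olly shows in the "C" versus "D" view; the masked comparison reports nothing for the clean module and reports offsets 5 through 9 for the patched one. A real implementation would read the relocation offsets from the module's .reloc section instead of a hard-coded list.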

(Another easy way to work around this problem is to make a “search and replace” loader. If you’d like to do
that but don’t know how, please read my tut “Bypassing a keyfile by XOR06” you can get it here
http://thelegendofrandom.com/blog/ )

Universal Product patching


If you download the rest of the programs from that company, you will find that they use the same
protection. You can now go right to finding the constant 521 = 209 where it is pushed together with 208. Go
up to the pointer and find reference to address constant and set a breakpoint on every command. Restart
Olly and you’ll break, 2- 4 lines up you have the Call you should NOP out. Just remember to check if EAX is
zero before the call. If it isn’t you have to change 2 bytes of the NOPs to “xor eax,eax”.
Final Notes

There you go, now you can patch every program from that company. I hope you can see the problem when
programmers are lazy and just use the same way to protect all their programs. This was very simple to patch,
but I hoped you learn something about using bitmaps for finding the patch and a little about masked
problems.

For questions and discussion regarding this tutorial and other interesting stuff go to R4ndom’s forum:

http://www.thelegendofrandom.com/forum/index.php

Thanks for now..

-XOR06

Thanks to:

Random for showing me the light again


NwoKiller for all his help
DMichael for sharing his wisdom
The TPoDT team

Without these guys this wouldn’t be possible.
