Anti Cracking tricks by woody^drn

Okay :) it's time for more anti cracking tricks .... This time with a nastier one than the other tricks I've written about before :)

I've made a file to show you how it's done, it's called anti#1.exe. The whole idea behind this trick is to crypt the engine that registers the program with the right serial, but never calculate the real serial in any way. Let's say our serial is 'woody' .. and the register engine is a nag screen.


:0040100D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"AntiCracking for Vaczine #5"
                                  |
:0040100F 6800304000              push 00403000

* Possible StringData Ref from Data Obj ->"Make the right nag popup :)"
                                  |
:00401014 681C304000              push 0040301C
:00401019 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:0040101B E846000000              Call 00401066

Like this one .. here we have a nag screen, it takes 19 bytes. So what we do here is xor these bytes with our serial 'woody' 3 times, that should be enough. That's 15 xor'ed bytes, but we reveal the last 4 bytes .. who cares ;)

First thing we do is to check the hex for 'woody', that is: 77 6F 6F 64 79. So we say 77+6f+6f+64+79 and that's: 232h. Now all you have to do is make an edit box where the user can type the serial, add those bytes up and check if the sum is equal to 232h, if not .. it's the wrong serial. Now the serial isn't hardcoded or shown anywhere in the .exe file, so the cracker doesn't know what it is ;) all he can see is that it has to be 232h in total. But that could be a lot of different characters.

The cracker can reverse the program as much as he likes, because the register engine is xor'ed with the real serial, and he doesn't know how the program will register itself, or which opcodes are real.

What you do is make a procedure that runs the serial (the one the user typed, of course) through the xor'ed engine 3 times ... now if the user typed the right serial, the newly xor'ed code will be correct - else it will be garbage. After this, jump to the new code to execute it .. that is, if the user typed the right serial.

Like this:

1) Check if the serial entered is 232h in total
2) Is it 232h? okay, run the serial through the xor'ed code 3 times ... and execute the newly xor'ed code.
3) It's not 232h ... say "wrong serial" ..

No matter what the cracker does, he has to type the real serial in order to get the real code, or else he has to make it all up himself .. not many people can do this ;) You can do this xor'ing with all the registered functions ... so even if the cracker just patches everything, it still doesn't work :)

This is the idea behind this annoying anti cracking method :)
Let's run through the anti#1.exe code:


* Possible StringData Ref from Data Obj ->"Yer .. exchange this with real "
                                        ->"serial"
                                  |

//******************** Program Entry Point ********
:00401000 B856304000              mov eax, 00403056
:00401005 85C0                    test eax, eax
:00401007 7419                    je 00401022

Okay, first it moves the address of the text "Yer .. exchange this with real serial" (403056) into eax. Then it checks if eax is zero, but it's not ... so it doesn't jump to 401022


:00401009 90                      nop
:0040100A 90                      nop
:0040100B 90                      nop
:0040100C 90                      nop
:0040100D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"AntiCracking for Vaczine #5"
                                  |
:0040100F 6800304000              push 00403000

* Possible StringData Ref from Data Obj ->"Make the right nag popup :)"
                                  |
:00401014 681C304000              push 0040301C
:00401019 6A00                    push 00000000

* Reference To: USER32.MessageBoxA, Ord:01BBh
                                  |
:0040101B E846000000              Call 00401066
:00401020 EB37                    jmp 00401059

It just shows the wrong nag screen, so what we do is nop the second instruction and make the third one a jump. Then change the text at 403056 to the real serial .. but what is it ?? ;) heh, you can try changing it to 'woody rules',00 ... aren't you curious if that's the real serial ?? try it out :)

Let's check what's going on at 401022


:00401022 A352304000              mov dword ptr [00403052], eax
:00401027 B912000000              mov ecx, 00000012
:0040102C 8B1D52304000            mov ebx, dword ptr [00403052]
:00401032 BA7C304000              mov edx, 0040307C

First it moves the value of eax into [403052], so now the value at [403052] is 403056, because 403056 was moved into eax in the first instruction. As you know, ecx is mostly used as a counter, so now it moves 12h into ecx. 12h in decimal is 18.

Then it moves the value at [403052] into ebx, so ebx is now 403056, and edx is now 40307c.


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401044(C)
|
:00401037 8A03                    mov al, byte ptr [ebx]
:00401039 8A22                    mov ah, byte ptr [edx]
:0040103B 32C4                    xor al, ah
:0040103D 8802                    mov byte ptr [edx], al
:0040103F 43                      inc ebx
:00401040 42                      inc edx
:00401041 49                      dec ecx
:00401042 85C9                    test ecx, ecx
:00401044 75F1                    jne 00401037
:00401046 E931200000              jmp 0040307C

Here it moves the byte at [ebx], which is where our serial is, into al; if you typed 'woody rules', al should now hold the hex value of 'w'. Then it moves the byte at [edx] (40307c) into ah. Then it xors al with ah ... the first char of our serial with the byte at 40307c. Then it replaces the byte at [edx] with al, increases ebx and edx, and decreases ecx. It checks if ecx is zero: if so, jump to 40307c, if not, jump back to 401037. Ecx was 12h so it will do this 18 times. As you can probably (hopefully) see, it xors the new code from 40307c to 40307c+12h, and when it's done it jumps to execute the new code .. which should be the register engine or so ...
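To see the three steps from the list above and the 401037 loop together, here is a small model of the scheme (an added example, not code from anti#1.exe or the zine): the nag stub from the listing is stored xor'ed, the typed serial is only checked by its byte sum, and the real opcodes only come back for the right key. Assumed: the serial is repeated to cover the 18-byte loop, which is how "xor with woody 3 times" is read here.

```python
# Model of the scheme in anti#1.exe (added example, not the zine's code).
from typing import Optional

SUM_CHECK = 0x232   # 77+6F+6F+64+79, the byte sum of 'woody' from the article
ENGINE_LEN = 0x12   # ecx = 12h: the loop at 401037 touches 18 bytes

# Constructed plaintext: the nag stub from the listing as raw opcodes
# (push 0 / push 403000 / push 40301C / push 0 / call 401066), 19 bytes.
NAG_STUB = bytes.fromhex("6A00" "6800304000" "681C304000" "6A00" "E846000000")


def serial_sum(serial: bytes) -> int:
    """Step 1 of the article: add up the typed bytes."""
    return sum(serial)


def key_stream(serial: bytes, n: int) -> bytes:
    """The loop pulls key bytes linearly from [ebx]; here the serial is
    repeated until it covers n bytes (assumption, see the lead-in)."""
    reps = n // len(serial) + 1
    return (serial * reps)[:n]


def xor_engine(buf: bytes, serial: bytes) -> bytes:
    """Mirror of 401037..401044: al = [ebx] ^ [edx], store back, advance,
    ecx times. Bytes past ENGINE_LEN are left alone, exactly like the
    'we reveal the last bytes .. who cares' part of the article."""
    ks = key_stream(serial, ENGINE_LEN)
    out = bytearray(buf)
    for i in range(ENGINE_LEN):
        out[i] ^= ks[i]
    return bytes(out)


def build_protected(plain: bytes, serial: bytes) -> bytes:
    """Done once when building the exe: store the engine xor'ed with the real serial."""
    assert len(plain) >= ENGINE_LEN
    return xor_engine(plain, serial)


def try_register(protected: bytes, typed: bytes) -> Optional[bytes]:
    """Steps 1-3 at run time. None means 'wrong serial'; otherwise it is
    the bytes the program would jump to: the real stub for the right key,
    garbage for any other string with the same byte sum. The sum check
    alone cannot tell those two apart, which is the catch of this scheme."""
    if serial_sum(typed) != SUM_CHECK:
        return None
    return xor_engine(protected, typed)
```

Note that 'wooyd' has the same byte sum as 'woody', so it passes step 1 and the program happily jumps into garbage; the sum is a filter, not a proof, so a real program needs the decrypted engine to fail safely.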

Now try it out ... can you do it? You know how to make a messagebox if you read some of the older Vaczine mags :) come on :) mail me when you've found the right serial. It's easy ... but only because it's a messagebox!

that's all :)

-wOODY^dRN