Serial Phishing Tutorial #1

Monday, July 10 2006 @ 08:24 AM CEST

Contributed by: Khaosgott96

Level : newbie

Serial Fishing Tutorial #1 [by: Khaosgott96] http://khaosreversing.r8.org


Hello fellow crackers and newbies. This is my VERY first tutorial I have EVER written, so if you have any suggestions on making my future tutorials more informative, drop me an email at: khaosgott96@gmail.com



TOOLS USED

OllyDbg 1.09d or 1.10
All tools can be found on my Forum: HERE

Target
------

Power Archiver 9.26.01 (can be found HERE)

===============================================================================================================================
Ok so first things first. Install PowerArchiver (that's a given) and run it... a message box should pop up saying this is an evaluation version blah blah blah.....
Then you have the option of clicking "I agree" to use it as an evaluation version, or of entering the registration information ("Enter Registration Code..."). Click that and enter any name and serial into it.
I use khaosgott96 for the name and 12345678 for the registration code. Then click OK and you should get an error saying "Incorrect registration information".
So bust out a pen and paper (which, while cracking, you should always have by you) and write that error down. It is not necessary to write the whole thing down; just "Incorrect registration information" will be fine. That string is what we will search for in the disassembly, because the code that shows it sits right next to the code that decides whether the serial was accepted.

Now... open up Olly, click File -> Open, and open POWERARC.EXE.

you should have something like the following...




Next thing you're going to do is right click in the code window (see figure above) and click "Search for -> All referenced text strings".
Next scroll up to the top and highlight the first line. Then right click anywhere in that window and click "Search for text".
Now be sure to UNCHECK the "Case sensitive" box. Type "incorrect registration information" into the search box and press OK.

See Figure Below...

[image6]


Now... click that line to make sure it is highlighted and press Enter. You should now be taken back to the code window.
You should have landed here... (see figure below)




Now if you scroll up a bit you'll see:


006519A9   > 55             PUSH EBP
006519AA   . 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
006519AD   . 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]  


look at the picture below and compare it to the code listed above...



OK so if we take a look at the following code again we see:


006519A9   > 55             PUSH EBP
006519AA   . 8B55 F4        MOV EDX,DWORD PTR SS:[EBP-C]
006519AD   . 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]  
So highlight the line:

006519AD   . 8B45 F8        MOV EAX,DWORD PTR SS:[EBP-8]

and press F2 to set a breakpoint. Now we're ready to catch the program by its tail right before it enters the serial generation routine.

Now press F9 to run the program (if you get any exceptions, press Shift+F9 until the program runs). Keep Olly open, go to PowerArchiver, click "Enter Registration Code" and enter any name for the username, but remember what name you used because you will need it later.
Enter 12345678 as the registration code and click OK. Olly should break and pop up. If it didn't, then you didn't set your breakpoint right, so go back and look at how to set it correctly.
Otherwise just continue with the tutorial. Now if you look in the REGISTERS window in Olly, you will see that EDX points to our user-entered serial "12345678". What we are going to do is set a breakpoint on that memory, so that when the program goes to access it to compare it to the real serial, it will break, and there in plain text we will see the REAL serial it is being compared to.
So then all we have to do is write that number down, close Olly, reopen the program normally, enter the same name and then the REAL serial that we just fished out.
"Well how the f*ck do you do that??" you may ask... well, I'll tell you.

First thing you are going to do is highlight the EDX register by left clicking it in the REGISTERS window.
Then right click what you just highlighted and click "Follow in Dump". Now take a look at the hex dump window.
You should see your user-entered serial, in our case "12345678", or in hex "31 32 33 34 35 36 37 38". So what you need to do is highlight the first 4 bytes of our user-entered serial in the hex dump window.
These bytes being "31 32 33 34", right-click the highlighted bytes and click Breakpoint -> Hardware, on access -> DWORD. What that did was tell Olly to break when the program accesses our serial again.
The next time this serial will be accessed is when it is compared to the REAL serial generated by PowerArchiver. That being said, we will see what the REAL serial for our user-entered name is. (SEE FIGURE BELOW)




Okay.... so now you have your breakpoint set. All you have to do is press F9 and Olly should break again. And what do we have in our register window... well, we have our user-entered serial in ESI, which is "12345678", and what's that right below it???.... it looks like it's the REAL serial that the program is checking OUR serial against. It is stored in EDI, which contains "BC8097CF".... write this number down. Yours will probably be different, especially if you used a different name than khaosgott96.
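The reason this works is worth spelling out for anyone who writes registration code rather than reads it: the program derives the one correct serial for the name, writes it into memory as text, and then compares it byte for byte against what the user typed. A string compare has to read both buffers, so an access breakpoint on the user's entry fires inside the compare while the derived serial is sitting in the other pointer register, which is exactly the ESI/EDI pair above. The following C is an added illustration, not PowerArchiver's code or algorithm: the hash, the `derive_code`/`check_plaintext`/`check_without_deriving`/`issue_code` names and the "low 16 bits are zero" rule are all constructed. It contrasts the leaky shape with a validator that only tests a property of (name, code) and never computes a valid code itself, so there is no "real serial" in memory for a breakpoint to catch. The toy property is public, so anyone who reads the check can issue codes; it stands in for what a real product would do, which is verify a signature over the name that cannot be forged without the vendor's key.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit FNV-1a over a NUL-terminated string (constructed helper, used
   only so the example is self-contained). */
static uint32_t fnv1a(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 16777619u;
    }
    return h;
}

/* Leaky shape (hypothetical, not PowerArchiver's algorithm): the program
   derives the one correct code for the name and writes it out as text. */
void derive_code(const char *name, char out[9])
{
    snprintf(out, 9, "%08X", fnv1a(name));
}

/* strcmp walks both strings byte by byte, so an access breakpoint on the
   user's entry stops inside this compare while `expected` is still live
   and pointed to by the other register. Returns 1 if accepted, else 0. */
int check_plaintext(const char *name, const char *entered)
{
    char expected[9];
    derive_code(name, expected);
    return strcmp(expected, entered) == 0;
}

/* Hardened shape: test a property of (name, entered) and never compute a
   valid code. The property here is a toy (low 16 bits of the hash of
   "name:code" are zero); a real product would verify a signature here. */
int check_without_deriving(const char *name, const char *entered)
{
    char buf[160];  /* toy: names longer than ~140 bytes get truncated */
    snprintf(buf, sizeof buf, "%s:%s", name, entered);
    return (fnv1a(buf) & 0xFFFFu) == 0;
}

/* Issuer side of the toy scheme: search for a code satisfying the
   property. Only the vendor runs this; the shipped validator never does,
   which is the whole point of the hardened shape. */
void issue_code(const char *name, char out[9])
{
    for (uint32_t x = 0; ; x++) {
        snprintf(out, 9, "%08X", x);
        if (check_without_deriving(name, out))
            return;
    }
}

int main(void)
{
    const char *name = "khaosgott96";   /* constructed sample input */
    char weak[9], token[9];

    derive_code(name, weak);
    printf("plaintext scheme: derived %s, '12345678' accepted=%d, derived accepted=%d\n",
           weak, check_plaintext(name, "12345678"), check_plaintext(name, weak));

    issue_code(name, token);
    printf("property scheme: issued %s, accepted=%d, other name accepted=%d\n",
           token, check_without_deriving(name, token),
           check_without_deriving("someone-else", token));
    return 0;
}
```

In the first scheme the only thing a debugger needs is the address of the user's buffer; in the second, breaking on that buffer shows the hash loop reading it and a comparison against a constant, with no second string to copy down. Moving the secret out of the comparison is the minimum; making the validator unable to produce a valid code at all is what actually removes the target.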




Have that written down..??? GOOD. Now exit Olly and open PowerArchiver by itself... no Olly this time.... Sorry Olly, you're all alone this time.... Now click "Enter Registration Code", enter the name that you used when you fished out the serial, and use the serial that we fished out as the registration code. Click OK.... YES!!! REGISTRATION ACCEPTED.... congratulations, you have now successfully broken through PowerArchiver's protection scheme.



...................::..::..::..::..::..::..::..::............./..Greetz..////............::..::..::..::..::..::..::..::..............

BiW | ARTeam | haggar | Bor0 | TDC | Stingduk | The Old Pirate | Knight |


and anyone else who helped me learn so much that I can now teach others, as others taught me.. keep up the good work and keep this knowledge flowing.




http://www.reversing.be/article.php?story=20060630073513417