I made a Serial Number Program, lets see if anyone can crack it

Printable View

Sep 23rd, 2000, 09:36 PM
dimava

I made a Serial Number program, and I wanna see if anyone can crack it. Feel free to use any hex editors, decompliers, what ever you want. here's the url:

http://members.fortunecity.com/dimava/Serial.exe

Note: if an error comes up, please copy and paste the url into a new browser window

if you get it right a message box will come up with a secret password, so if you get the secret password, post it here.

I made this for a company, so unless someone cracks it, I'm not going to give out a serial number

BTW there is over 1550 diffrent serial numbers that are avalible
Sep 23rd, 2000, 10:19 PM
HarryW

Actually that's a point - know where I can get a simple hex editor? Don't think I've got one any more.

What do you mean when you say 1550 serials available? That how many combos or something?
Sep 23rd, 2000, 10:21 PM
dimava

yea, thats how many combos there are you can get one at download.com (thats where I got mine)
Sep 24th, 2000, 11:24 AM
dimava

corrcet, now please post the combination that you entered
Sep 24th, 2000, 12:07 PM
Yonatan

ABCDE ABCDE ABCDE ABCDE ABCDE

Oh, by the way, before entering the combination, I cracked your program and made it so that any combination works. :D

People:
Will you please stop asking me on ICQ how I cracked it? It's driving me crazy! :rolleyes:
Sep 24th, 2000, 12:09 PM
dimava

That is not a valid Combination (which I programmed)

and what program did you use to change it and how?
Sep 24th, 2000, 12:51 PM
Yonatan

I cracked it!
What program did I use?
My own! :rolleyes:

Code:

Option Explicit ' By changing just the constants and the two functions, ' this crack can be applied to many programs! Const PathOfEXEToCrack = "C:\Windows\Desktop\" Const NameOfEXEToCrack = "Serial.exe" Const NameOfBackupEXE = "Backup.exe" ' Set to vbNullString to not back up Const CrackDescription = "accepts any combination" Function WhatToLookFor() As String ' For dimava's program: ' Looking for: jne 00406369 ' EXE alias: 0F8501170000 WhatToLookFor = Chr(&HF) & Chr(&H85) & Chr(&H1) & Chr(&H17) & Chr(&H0) & Chr(&H0) End Function Function WhatToReplaceItWith() As String ' For dimava's program: ' Replacing with: 6 nops ' EXE alias: 909090909090 WhatToReplaceItWith = String(6, &H90) End Function Sub Main() Dim btFileNum As Byte, sFile As String, lPos As Long ' Check crack sizes If Not Len(WhatToLookFor) = Len(WhatToReplaceItWith) Then Call MsgBox("Error: Invalid crack sizes.", vbCritical) Exit Sub End If ' Back up, if needed If Not NameOfBackupEXE = vbNullString Then Call FileCopy(PathOfEXEToCrack & NameOfEXEToCrack, PathOfEXEToCrack & NameOfBackupEXE) Call MsgBox(NameOfEXEToCrack & " has been backed up." & vbCrLf & _ "The original file was backed up, and is now called " & NameOfBackupEXE & ".", _ vbExclamation) End If ' Read file btFileNum = FreeFile Open PathOfEXEToCrack & NameOfEXEToCrack For Binary As btFileNum sFile = Input(LOF(btFileNum), btFileNum) Close btFileNum ' Find item to crack in file lPos = InStr(sFile, WhatToLookFor) If lPos = 0 Then Call MsgBox("Error: Invalid data.", vbCritical) Exit Sub End If ' Crack it! Mid(sFile, lPos) = WhatToReplaceItWith ' Save the data to the file btFileNum = FreeFile Open PathOfEXEToCrack & NameOfEXEToCrack For Binary As btFileNum Put #btFileNum, , sFile Close btFileNum ' Finished Call MsgBox("Successfully cracked " & NameOfEXEToCrack & "!" & vbCrLf & _ "Now, " & NameOfEXEToCrack & " " & CrackDescription & ".", vbInformation) End Sub

Enjoy! :rolleyes:
Sep 24th, 2000, 03:38 PM
dimava

when I tried it, it didn't work
Sep 24th, 2000, 03:53 PM
Yonatan

Aww :(
You'll get over it. :rolleyes:
But the fact is I cracked it.
Sep 24th, 2000, 03:55 PM

It worked for me,
maybe your just stupid...
Sep 24th, 2000, 03:56 PM
dimava

is that all that you have to put on a forms code to get it to work? or do you need to call the produdures and stuff?
Sep 24th, 2000, 04:16 PM
Yonatan

No forms at all.
Make sure your project has nothing but a module in it, and then paste the code in the module.
Never seen Sub Main() before? :rolleyes:
Sep 24th, 2000, 10:27 PM
kb244

Take my philosophy, in time nothing is uncrackable
Sep 25th, 2000, 12:32 AM
Dim

lol

Sorry i just had to laught at 1337 dimava. :)
j/j man.
Sep 27th, 2000, 01:37 AM
Yonatan

Explanation to anyone who cares

First of all, I disassembled the program.

Quote:

Feel free to use any hex editors, decompliers, what ever you want.

I noticed something like this in the assembly code:

Code:

mov ax,[the first textbox of the five] add ax,[the second textbox] jo <somewhere> ; this means, if overflow, jump to the error line <somewhere> add ax,[the third] jo <somewhere> add ax,[the fourth] jo <somewhere> add ax,[the fifth] jo <somewhere> cmp ax,0019 ; compare ax to 19h jne 00406369 ; if ax <> 19h, jump to 00406369 ; (otherwise stay where you are!) ; code for "success" msgbox goes here 00406369: ; code for "wrong serial" msgbox goes here

Also, the code told me that the only jump to 00406369 was that jne line.
So that is the only place which could cause an "error" MsgBox.
According to the disassembler, the line jne 00406369 looked in the EXE like this: 0F 85 01 17 00 00
Now, I do not want to jump. If I disabled this jump, the error MsgBox could never be reached, but instead, it would show the success MsgBox either way.
So the solution is to replace it with nop (no-operation).
Now as you saw, jne 00406369 takes up 6 bytes of the EXE.
And the EXE alias for nop is 90. (1 byte)
So we have to put exactly 6 nop codes to skip the jump.

This is what the program does. :rolleyes:

Here's how the serial-checking routine in the cracked serial.exe looks like.

Code:

mov ax,[the first textbox of the five] add ax,[the second textbox] jo <somewhere> ; this means, if overflow, jump to the error line <somewhere> add ax,[the third] jo <somewhere> add ax,[the fourth] jo <somewhere> add ax,[the fifth] jo <somewhere> cmp ax,0019 ; compare ax to 19h nop ;do nothing nop ;do nothing nop ;do nothing nop ;do nothing nop ;do nothing nop ;do nothing ; Success MsgBox code goes here 00406369: ; Wrong Serial MsgBox code goes here ; But in the cracked EXE, it cannot be reached

Another solution would be to change it from jne to je. Then, wrong serials will give you the "correct" MsgBox, and correct serials will give you the "wrong" MsgBox.
But there's no reason, so let's not do it and say we did. :rolleyes:
Sep 27th, 2000, 04:02 AM
FantastichenEin

Hi

For those that didn't know.
jne = Jump (if) Not Equal
je = Jump (if) Equal

Yonatan,
What does ax refer to?
Also what does 19h refer to?

What Dissassmbler do you use, I have used wdasm and softice but I prefer wdasm as it doesn't fettle your system like softice.

Cheers
Sep 27th, 2000, 06:57 AM
Yonatan

AX is the accumulating register.
In this code, it is the sum of five numbers.
The five numbers are generated from the TextBoxes in dimava's serial program. (I'm not sure about the connection between the text in the TextBox and the number generated)
With dimava's algorithm, if ax = 19h, then the serial number is valid.
I don't know why, I didn't dig into this. :rolleyes:
The point is, skip this jump and the program is cracked!

I use wdasm - it is more fun! :rolleyes:
Sep 27th, 2000, 07:21 AM
kovan

too much time

you guyz got way too much time on your hands (points to Yonatan)
:)
Sep 27th, 2000, 01:08 PM
HarryW

Aha :) Thanks for the explanation.
Sep 27th, 2000, 01:12 PM
kb244

Reverse Engerneering and Assembly

It's a software cracker's dream tools, hehe.