Crack Me


Crackme 1 - CD Protection - By Joe Prolo

Crackme 1 - Cracking CD Protection


Tools: OllyDbg (click here)
Includes: crackme.zip

Things to know: These two examples show how one would crack a game.exe to run fully from the hard drive without the need for the actual game disk. I mean, come on... you paid for it and all the files are on your computer (in most cases), so why should you need the disk in order to play it? This is mostly a protection measure added by the company that made the game to protect itself from people copying it and either reselling it or sharing it with other people.

Please Note 1: The two files I have provided (crackme1.exe and crackme2.exe) are unencrypted and unpacked. I have supplied the source code to these two files as well (written in Visual Basic 6.0). If you feel uncomfortable running my .exe examples, you can compile or read the code yourself to verify that it is clean and not suspicious.

Please Note 2: When actually using these methods on a game.exe, OllyDbg may give some sort of error when opening the game.exe for the first time. This is because, in most cases, there are SEVERAL protection measures put in the game.exe to protect it from crackers making No-CD patches. I will write a tutorial on how to break and circumvent these protection measures at a later time.

Last Note: Nowadays most users are on a 64-bit OS like Windows 7. A different program must be used for cracking 64-bit programs; instead of OllyDbg some users might want to check out a program called IDA Pro.

Here we go: There is nothing more annoying than borrowing a game from a friend or downloading it off the net and realizing you need the CD to play it. This type of protection is the EASIEST form of protection to bypass. I started the lessons with this because it is so common and fairly easy to crack.

Step 1: Run the program so you know what the problem is. In this case a message comes up saying you need the CD. Remember what the message says; you will need to recall it later.
Step 2: Open crackme1.exe in OllyDbg. It should disassemble easily with no problems at all, because crackme1.exe is not encrypted or packed.

Step 3: OK, you are probably wondering what to do from here! Don't panic; even the most advanced cracker can't understand all those weird lines of code at a glance. Click the green/turquoise button labelled 'C' (circled in blue in the picture) in the bar along the top of the screen. This takes you to the CPU main thread window, which is the CORE of the program. Maximizing this window will help you navigate the code a lot more easily, so do it now. The screen should be roughly split into 4 panes. The area circled in red is the main thread; remember its name.


Step 4: Right click the main thread window. A menu will appear; select 'Search for --> All referenced text strings'. A new window will come up displaying, you guessed it, all the strings in this program. Remember how you viewed these strings, because you will need to do it in almost every program you are trying to crack.

Step 5: Remember in step 1 I told you to remember the message that came up when we ran crackme1.exe? Well, this is why. In the window that came up in the last step, look for the message. The message was: Please enter the CD. Once you find it in this list, double click it. This will take you back to the main thread and a line will be highlighted.

ASM CODE

00401D9C  . 894D B8           MOV DWORD PTR SS:[EBP-48],ECX
00401D9F  . 8945 B0           MOV DWORD PTR SS:[EBP-50],EAX
00401DA2  . 75 6D             JNZ SHORT crackme1.00401E11
00401DA4  . 8B35 80104000     MOV ESI,DWORD PTR DS:[<&MSVBVM60.__vbaVa>  ; MSVBVM60.__vbaVarDup
00401DAA  . BB 08000000       MOV EBX,8
00401DAF  . 8D55 80           LEA EDX,DWORD PTR SS:[EBP-80]
00401DB2  . 8D4D C0           LEA ECX,DWORD PTR SS:[EBP-40]
00401DB5  . C745 88 C81A40>   MOV DWORD PTR SS:[EBP-78],crackme1.00401>  ; UNICODE "Error..."
00401DBC  . 895D 80           MOV DWORD PTR SS:[EBP-80],EBX
00401DBF  . FFD6              CALL ESI                                   ; <&MSVBVM60.__vbaVarDup>
00401DC1  . 8D55 90           LEA EDX,DWORD PTR SS:[EBP-70]
00401DC4  . 8D4D D0           LEA ECX,DWORD PTR SS:[EBP-30]
00401DC7  . C745 98 9C1A40>   MOV DWORD PTR SS:[EBP-68],crackme1.00401>  ; UNICODE "Please enter the CD"
00401DCE  . 895D 90           MOV DWORD PTR SS:[EBP-70],EBX
00401DD1  . FFD6              CALL ESI
00401DD3  . 8D55 A0           LEA EDX,DWORD PTR SS:[EBP-60]
00401DD6  . 8D45 B0           LEA EAX,DWORD PTR SS:[EBP-50]
00401DD9  . 52                PUSH EDX
00401DDA  . 8D4D C0           LEA ECX,DWORD PTR SS:[EBP-40]
00401DDD  . 50                PUSH EAX
00401DDE  . 51                PUSH ECX
00401DDF  . 8D55 D0           LEA EDX,DWORD PTR SS:[EBP-30]
00401DE2  . 6A 10             PUSH 10
00401DE4  . 52                PUSH EDX
00401DE5  . FF15 2C104000     CALL DWORD PTR DS:[<&MSVBVM60.#595>]       ; MSVBVM60.rtcMsgBox
00401DEB  . 8D45 A0           LEA EAX,DWORD PTR SS:[EBP-60]
00401DEE  . 8D4D B0           LEA ECX,DWORD PTR SS:[EBP-50]
00401DF1  . 50                PUSH EAX
00401DF2  . 8D55 C0           LEA EDX,DWORD PTR SS:[EBP-40]
00401DF5  . 51                PUSH ECX
00401DF6  . 8D45 D0           LEA EAX,DWORD PTR SS:[EBP-30]
00401DF9  . 52                PUSH EDX
00401DFA  . 50                PUSH EAX
00401DFB  . 6A 04             PUSH 4
00401DFD  . FF15 08104000     CALL DWORD PTR DS:[<&MSVBVM60.__vbaFreeV>  ; MSVBVM60.__vbaFreeVarList
00401E03  . 83C4 14           ADD ESP,14
00401E06  . FF15 0C104000     CALL DWORD PTR DS:[<&MSVBVM60.__vbaEnd>]   ; MSVBVM60.__vbaEnd
00401E0C  . E9 E3000000       JMP crackme1.00401EF4
00401E11  > BB 08000000       MOV EBX,8
00401E16  . 8D55 90           LEA EDX,DWORD PTR SS:[EBP-70]
00401E19  . 8D4D C0           LEA ECX,DWORD PTR SS:[EBP-40]
00401E1C  . C745 98 841B40>   MOV DWORD PTR SS:[EBP-68],crackme1.00401>  ; UNICODE "Congratulations"
00401E23  . 895D 90           MOV DWORD PTR SS:[EBP-70],EBX
00401E26  . FF15 80104000     CALL DWORD PTR DS:[<&MSVBVM60.__vbaVarDu>  ; MSVBVM60.__vbaVarDup
00401E2C  . 8B3D 1C104000     MOV EDI,DWORD PTR DS:[<&MSVBVM60.__vbaSt>  ; MSVBVM60.__vbaStrCat
00401E32  . 68 E01A4000       PUSH crackme1.00401AE0                     ; UNICODE "The CD has been found"
00401E37    (one instruction missing from this copy of the listing)
00401E3C  . FFD7              CALL EDI                                   ; <&MSVBVM60.__vbaStrCat>
00401E3E  . 8BD0              MOV EDX,EAX
00401E40  . 8D4D E4           LEA ECX,DWORD PTR SS:[EBP-1C]
00401E43  . FF15 88104000     CALL DWORD PTR DS:[<&MSVBVM60.__vbaStrMo>  ; MSVBVM60.__vbaStrMove
00401E49  . 50                PUSH EAX
00401E4A  . 68 1C1B4000       PUSH crackme1.00401B1C                     ; UNICODE "Congratulation this CD protection is now cracked"
00401E4F  . FFD7              CALL EDI
00401E51  . 8D4D A0           LEA ECX,DWORD PTR SS:[EBP-60]
00401E54  . 8945 D8           MOV DWORD PTR SS:[EBP-28],EAX

Step 6: Don't panic; it's not as bad as it seems. I will explain it all, so take a deep breath and relax. The green line (00401DC7, the 'Please enter the CD' line) is what should be highlighted in OllyDbg. The blue line (00401E32) is where we want to be, as it says the CD has been found. Yes, yes, I know, in a real program it wouldn't say that, but I'm going to explain how I got to that line being where we want to be. The purple line (00401DA2) is the most important line in the protection.


00401DA2  . 75 6D             JNZ SHORT crackme1.00401E11

That is why I copied it again. 00401DA2 is the address of this command. 75 6D is the hex encoding of the command. JNZ SHORT crackme1.00401E11 is the command itself. The J is for JUMP, NZ is the condition. You will often see JMP, JE, JGE; they all do a jump. It's basically an if, but in ASM:

If myname = "joeprolo" Then
    do this
Else
    do this
End If

So if the condition of the if passes, it will jump somewhere else in the code; otherwise it will just go on to the next line of code. The command was JNZ SHORT crackme1.00401E11. The address at the end, 00401E11, is where it will jump to. If you select this line in OllyDbg and press Enter, it will follow the jump for you. It takes you to the black line (00401E11; look in the code in this document). Hey, look: that black line is 3 lines above the line with Congratulations. That's because this is the else of the if. Yeah, I know that was a little confusing; hopefully this table will clear things up. The only way to find this purple line is by following the jumps from any jump command above the 'got CD' message. Usually there will be no messages in programs; you will just have to memorize something that happens and go off that, like maybe it tells you the time, at which point you could find the time call and start cracking from there. That will be covered in a later tutorial.

VB
If nocd = True Then
    MsgBox "Please enter the CD", vbCritical, "Error..."
Else
    MsgBox "The CD has been found" & vbCrLf & "Congratulation this CD protection is now cracked", vbCritical, "Congratulations"
End If

ASM
00401DA2  . 75 6D             JNZ SHORT crackme1.00401E11
00401DC7  . C745 98 9C1A40>   MOV DWORD PTR SS:[EBP-68],crackme1.00401>  ; UNICODE "Please enter the CD"
00401E11  > BB 08000000       MOV EBX,8
00401E32  . 68 E01A4000       PUSH crackme1.00401AE0                     ; UNICODE "The CD has been found"

Step 7: Go to the purple line in OllyDbg again. Press Ctrl+G, then enter the address of the command; in this case it is 00401DA2. OK, we are now at the purple line in OllyDbg. We want it to take the else branch of the if every time, so double click on the command itself, 'JNZ SHORT crackme1.00401E11'. A box will come up with the command in it; now change JNZ to JMP. JMP is an unconditional JUMP, so it will take the jump every time. Then click Assemble, then click Cancel. Now hit F9 to run the program. It should say successfully cracked. Click OK and then close the program. Unfortunately, all the ASM in the CPU main thread has changed, so hit Ctrl+F2 and we get the original ASM back. We now have to crack it all over again, but the lines we changed last time are shown in a light gray shade, so it's easy. Crack it again, but don't run it this time.

Step 8: So you have just changed the command to a JMP. Now highlight that line, right click it and select 'Copy to executable file'. A new window will come up; hit the cross in the corner (to close it). It should ask if you want to save the dump; click YES and save the file as 'cracked crackme1.exe' so you can redo this tutorial later without a re-download. If it doesn't ask to save, completely close OllyDbg, re-crack the file without running it, and then when you click 'Copy to executable' it should save.

Crackme 2 - Cracking CD Protection 2


Things to know: This is the second example of how one would crack games for No-CD.

Step 1: Run the program so you know what the problem is. In this case a message comes up saying you need the CD. Remember what the message says; you will need to recall it later.

Step 2: Open crackme2.exe in OllyDbg. It should disassemble easily with no problems at all, because crackme2.exe is not encrypted or packed.

Step 3: Get to the main thread. I taught you this in crackme 1; reread crackme 1 if you can't remember how to get to the main thread.

Step 4: OK, we have to do the same as last time: look through the 'User defined text strings'. I also told you how to do this in crackme 1, but if you have forgotten, here is how to do it. Quote crackme1: Right click the main thread window. A menu will appear; select 'Search for --> All referenced text strings'. A new window will come up displaying, you guessed it, all the strings in this program. Remember how you viewed these strings, because you will need to do it in almost every program you are trying to crack. End Quote

Step 5: Once again we are looking for the 'CD found' message. Once you have found it, double click on it. It will highlight the line at 00401DC9. You want to see where the 'Please enter the CD' message is. In this case it's a little further down in the main thread; its address is 00401EB0.


We have now worked out the if:

If (cd is found) Then
    MsgBox "Yay we found the CD"
Else
    MsgBox "Bugger off I need the CD"
End If

Press Ctrl+G, enter 00401EB0 in the box and click OK. This will take us to the 'Please insert CD' message. 5 lines above is the line containing 'Error...', which was the title of the message box, at 00401E9E. Scroll up some more. Wait a minute, look at this: 00401E8B . EB 68 JMP SHORT crackme2.00401EF5. I wonder what this jump is doing here. Go to this line and hit Enter on it; this will take the jump. Look, it goes straight past the 'Please insert CD' message by only a few lines. That is because it's the last statement in the first part of the if: it's jumping over the else. This means that line 00401E8D is the first line in the else statement of the if.

Step 6: Press Ctrl+G and enter 00401E8D in the box. As you know, this will take you to that line. Right click it and select 'Find references to --> Selected command', or press Ctrl+R. This will bring up a new window listing everything that references this line. Two lines have come up; the second is the command on the line itself. Look at the one above it (the line selected in the pic), at 00401DA2.

00401DA2 0F85 E5000000 JNZ crackme2.00401E8D is the command/line we are looking at. JNZ is a jump with a condition (an if, basically); we saw it in crackme1. This line has the potential to jump to line 00401E8D. Select this line and hit Enter; it will take you to the same command in the main thread. We have seen line 00401E8D before: it is the 1st line of the else in our if. It will either jump to line 00401E8D or go to the next line of code, depending on whether the if is true or false.

Step 7: Look back at the ASM in the program and where the congratulation and need-CD messages are. Do we want this if to fail and take the jump, or pass and not take the jump? We want it to pass! There is no way of making it pass, though, unless we get the CD (hehe) or do A LOT of advanced stuff. Go to line 00401DA2. Double click on the ASM. A box will come up allowing us to edit the ASM on this line. Put a check in the box that says 'Fill with NOP's'. Now change the ASM to 'NOP' and hit Assemble.

NOP stands for No Operation. This basically means do nothing. If you do nothing, then the next line of code will be run.

Step 8: OK, now hit F9 to see if you successfully cracked the program. It should have worked. Now all you have to do is copy the ASM to the executable like I taught you in crackme1. Modified Quote crackme1: Step 8: So you have just changed the ASM command to your command. Now highlight that line, right click it and select 'Copy to executable file'. A new window will come up; hit the cross in the corner (to close it). It should ask if you want to save the dump; click YES and save the file as 'cracked crackme2.exe' so you can redo this tutorial later without a re-download. If it doesn't ask to save, completely close OllyDbg, re-crack the file without running it, and then when you click 'Copy to executable' it should save. End Quote
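The three jumps both crackmes hinge on (75 6D at 00401DA2 in crackme1; 0F85 E5000000 at 00401DA2 and EB 68 at 00401E8B in crackme2) are all relative jumps: the signed displacement is added to the address of the next instruction, which is how OllyDbg arrives at the targets shown in the listings. The Python below is an added example, not part of this tutorial or its crackmes: it decodes that encoding to reproduce those targets, and then diffs an original code image against a copy saved with 'Copy to executable file' to flag the two edits made in Step 7 (JNZ forced to JMP, and a NOP fill), which is the check an integrity or anti-tamper routine would perform on itself. The function names and all byte strings are constructed for the example.

```python
import struct

# Relative jumps in 32-bit x86 that appear in the tutorial, plus JMP itself.
# The displacement is signed and relative to the address of the NEXT instruction.
REL8 = {0xEB: "JMP", 0x74: "JZ", 0x75: "JNZ", 0x7D: "JGE"}   # 2-byte "SHORT" forms
REL32 = {0x84: "JZ", 0x85: "JNZ", 0x8D: "JGE"}                # 6-byte forms, 0F-prefixed
NOP = 0x90

def decode_jump(addr, code):
    """Decode the relative jump at virtual address `addr` whose bytes start `code`.
    Returns (mnemonic, length, target) or None when the bytes are not a known jump."""
    if len(code) >= 2 and code[0] in REL8:
        disp = struct.unpack_from("<b", code, 1)[0]
        return REL8[code[0]] + " SHORT", 2, (addr + 2 + disp) & 0xFFFFFFFF
    if len(code) >= 5 and code[0] == 0xE9:
        disp = struct.unpack_from("<i", code, 1)[0]
        return "JMP", 5, (addr + 5 + disp) & 0xFFFFFFFF
    if len(code) >= 6 and code[0] == 0x0F and code[1] in REL32:
        disp = struct.unpack_from("<i", code, 2)[0]
        return REL32[code[1]], 6, (addr + 6 + disp) & 0xFFFFFFFF
    return None

def classify_patch(orig, patched):
    """Name the edit that turned instruction bytes `orig` into `patched`."""
    if orig == patched:
        return "unchanged"
    if all(b == NOP for b in patched):
        return "nop-fill"          # the crackme2 edit: 'Fill with NOP's' over the JNZ
    if orig[0] in REL8 and patched[0] == 0xEB and orig[1:] == patched[1:]:
        return "forced-jmp"        # the crackme1 edit: JNZ -> JMP, displacement kept
    return "other"

def find_patches(base, orig_img, patched_img):
    """Diff two equal-length code images (the shipped file against a copy saved with
    'Copy to executable file') and report every changed instruction as
    (address, original hex, patched hex, kind). Bytes we cannot decode are diffed singly."""
    if len(orig_img) != len(patched_img):
        raise ValueError("images must be the same length")
    report, i = [], 0
    while i < len(orig_img):
        if orig_img[i] == patched_img[i]:
            i += 1
            continue
        jump = decode_jump(base + i, orig_img[i:i + 6])
        n = jump[1] if jump else 1
        o, p = orig_img[i:i + n], patched_img[i:i + n]
        report.append((base + i, o.hex(), p.hex(), classify_patch(o, p)))
        i += n
    return report
```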
