Hex WorkShop Serial Number serial key or number

Software cracking (known as "breaking" in the s^[1]) is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, especially copy protection features (including protection against the manipulation of software, serial number, hardware key, date checks and disc check) or software annoyances like nag screens and adware.

A crack refers to the means of achieving, for example a stolen serial number or a tool that performs that act of cracking.^[2] Some of these tools are called keygen, patch, or loader. A keygen is a handmade product serial number generator that often offers the ability to generate working serial numbers in your own name. A patch is a small computer program that modifies the machine code of another program. This has the advantage for a cracker to not include a large executable in a release when only a few bytes are changed.^[3] A loader modifies the startup flow of a program and does not remove the protection but circumvents it.^[4][5] A well-known example of a loader is a trainer used to cheat in games.^[6]Fairlight pointed out in one of their .nfo files that these type of cracks are not allowed for warez scene game releases.^[7][4][8] A nukewar has shown that the protection may not kick in at any point for it to be a valid crack.^[9]

The distribution of cracked copies is illegal in most countries. There have been lawsuits over cracking software.^[10] It might be legal to use cracked software in certain circumstances.^[11] Educational resources for reverse engineering and software cracking are, however, legal and available in the form of Crackme programs.

History[edit]

The first software copy protection was applied to software for the Apple II,^[12]Atari , and Commodore 64 computers.^{[citation needed]}. Software publishers have implemented increasingly complex methods in an effort to stop unauthorized copying of software.

On the Apple II, unlike modern computers that use standardized device drivers to manage device communications, the operating system directly controlled the step motor that moves the floppy drive head, and also directly interpreted the raw data, called nibbles, read from each track to identify the data sectors. This allowed complex disk-based software copy protection, by storing data on half tracks (0, 1, , , 5, ), quarter tracks (0, 1, , , 5, ), and any combination thereof. In addition, tracks did not need to be perfect rings, but could be sectioned so that sectors could be staggered across overlapping offset tracks, the most extreme version being known as spiral tracking. It was also discovered that many floppy drives did not have a fixed upper limit to head movement, and it was sometimes possible to write an additional 36th track above the normal 35 tracks. The standard Apple II copy programs could not read such protected floppy disks, since the standard DOS assumed that all disks had a uniform track, or sector layout. Special nibble-copy programs such as Locksmith and Copy II Plus could sometimes duplicate these disks by using a reference library of known protection methods; when protected programs were cracked they would be completely stripped of the copy protection system, and transferred onto a standard format disk that any normal Apple II copy program could read.

One of the primary routes to hacking these early copy protections was to run a program that simulates the normal CPU operation. The CPU simulator provides a number of extra features to the hacker, such as the ability to single-step through each processor instruction and to examine the CPU registers and modified memory spaces as the simulation runs (any modern disassembler/debugger can do this). The Apple II provided a built-in opcode disassembler, allowing raw memory to be decoded into CPU opcodes, and this would be utilized to examine what the copy-protection was about to do next. Generally there was little to no defense available to the copy protection system, since all its secrets are made visible through the simulation. However, because the simulation itself must run on the original CPU, in addition to the software being hacked, the simulation would often run extremely slowly even at maximum speed.

On Atari 8-bit computers, the most common protection method was via "bad sectors". These were sectors on the disk that were intentionally unreadable by the disk drive. The software would look for these sectors when the program was loading and would stop loading if an error code was not returned when accessing these sectors. Special copy programs were available that would copy the disk and remember any bad sectors. The user could then use an application to spin the drive by constantly reading a single sector and display the drive RPM. With the disk drive top removed a small screwdriver could be used to slow the drive RPM below a certain point. Once the drive was slowed down the application could then go and write "bad sectors" where needed. When done the drive RPM was sped up back to normal and an uncracked copy was made. Of course cracking the software to expect good sectors made for readily copied disks without the need to meddle with the disk drive. As time went on more sophisticated methods were developed, but almost all involved some form of malformed disk data, such as a sector that might return different data on separate accesses due to bad data alignment. Products became available (from companies such as Happy Computers) which replaced the controller BIOS in Atari's "smart" drives. These upgraded drives allowed the user to make exact copies of the original program with copy protections in place on the new disk.

On the Commodore 64, several methods were used to protect software. For software distributed on ROM cartridges, subroutines were included which attempted to write over the program code. If the software was on ROM, nothing would happen, but if the software had been moved to RAM, the software would be disabled. Because of the operation of Commodore floppy drives, one write protection scheme would cause the floppy drive head to bang against the end of its rail, which could cause the drive head to become misaligned. In some cases, cracked versions of software were desirable to avoid this result. A misaligned drive head was rare usually fixing itself by smashing against the rail stops. Another brutal protection scheme was grinding from track 1 to 40 and back a few times.

Most of the early software crackers were computer hobbyists who often formed groups that competed against each other in the cracking and spreading of software. Breaking a new copy protection scheme as quickly as possible was often regarded as an opportunity to demonstrate one's technical superiority rather than a possibility of money-making. Some low skilled hobbyists would take already cracked software and edit various unencrypted strings of text in it to change messages a game would tell a game player, often something considered vulgar. Uploading the altered copies on file sharing networks provided a source of laughs for adult users. The cracker groups of the s started to advertise themselves and their skills by attaching animated screens known as crack intros in the software programs they cracked and released. Once the technical competition had expanded from the challenges of cracking to the challenges of creating visually stunning intros, the foundations for a new subculture known as demoscene were established. Demoscene started to separate itself from the illegal "warez scene" during the s and is now regarded as a completely different subculture. Many software crackers have later grown into extremely capable software reverse engineers; the deep knowledge of assembly required in order to crack protections enables them to reverse engineerdrivers in order to port them from binary-only drivers for Windows to drivers with source code for Linux and other free operating systems. Also because music and game intro was such an integral part of gaming the music format and graphics became very popular when hardware became affordable for the home user.

With the rise of the Internet, software crackers developed secretive online organizations. In the latter half of the nineties, one of the most respected sources of information about "software protection reversing" was Fravia's website.

Most of the well-known or "elite" cracking groups make software cracks entirely for respect in the "Scene", not profit. From there, the cracks are eventually leaked onto public Internet sites by people/crackers who use well-protected/secure FTP release archives, which are made into full copies and sometimes sold illegally by other parties.

The Scene today is formed of small groups of skilled people, who informally compete to have the best crackers, methods of cracking, and reverse engineering.

+HCU[edit]

The High Cracking University (+HCU), was founded by Old Red Cracker (+ORC), considered a genius of reverse engineering and a legendary figure in RCE, to advance research into Reverse Code Engineering (RCE). He had also taught and authored many papers on the subject, and his texts are considered classics in the field and are mandatory reading for students of RCE.^[13]

The addition of the "+" sign in front of the nickname of a reverser signified membership in the +HCU. Amongst the students of +HCU were the top of the elite Windows reversers worldwide.^[13] +HCU published a new reverse engineering problem annually and a small number of respondents with the best replies qualified for an undergraduate position at the university.^[13]

+Fravia was a professor at +HCU. Fravia's website was known as "+Fravia's Pages of Reverse Engineering" and he used it to challenge programmers as well as the wider society to "reverse engineer" the "brainwashing of a corrupt and rampant materialism". In its heyday, his website received millions of visitors per year and its influence was "widespread".^[13]

Nowadays most of the graduates of +HCU have migrated to Linux and few have remained as Windows reversers. The information at the university has been rediscovered by a new generation of researchers and practitioners of RCE who have started new research projects in the field.^[13]

Methods[edit]

The most common software crack is the modification of an application's binary to cause or prevent a specific key branch in the program's execution. This is accomplished by reverse engineering the compiled program code using a debugger such as SoftICE,^[14]x64dbg, OllyDbg,^[15]GDB, or MacsBug until the software cracker reaches the subroutine that contains the primary method of protecting the software (or by disassembling an executable file with a program such as IDA). The binary is then modified using the debugger or a hex editor or monitor in a manner that replaces a prior branching opcode with its complement or a NOPopcode so the key branch will either always execute a specific subroutine or skip over it. Almost all common software cracks are a variation of this type. Proprietary software developers are constantly developing techniques such as code obfuscation, encryption, and self-modifying code to make this modification increasingly difficult. Even with these measures being taken, developers struggle to combat software cracking. This is because it is very common for a professional to publicly release a simple cracked EXE or Retrium Installer for public download, eliminating the need for inexperienced users to crack the software themselves.

A specific example of this technique is a crack that removes the expiration period from a time-limited trial of an application. These cracks are usually programs that alter the program executable and sometimes the .dll or .so linked to the application. Similar cracks are available for software that requires a hardware dongle. A company can also break the copy protection of programs that they have legally purchased but that are licensed to particular hardware, so that there is no risk of downtime due to hardware failure (and, of course, no need to restrict oneself to running the software on bought hardware only).

Another method is the use of special software such as CloneCD to scan for the use of a commercial copy protection application. After discovering the software used to protect the application, another tool may be used to remove the copy protection from the software on the CD or DVD. This may enable another program such as Alcohol %, CloneDVD, Game Jackal, or Daemon Tools to copy the protected software to a user's hard disk. Popular commercial copy protection applications which may be scanned for include SafeDisc and StarForce.^[16]

In other cases, it might be possible to decompile a program in order to get access to the original source code or code on a level higher than machine code. This is often possible with scripting languages and languages utilizing JIT compilation. An example is cracking (or debugging) on the .NET platform where one might consider manipulating CIL to achieve one's needs. Java'sbytecode also works in a similar fashion in which there is an intermediate language before the program is compiled to run on the platform dependent machine code.

Advanced reverse engineering for protections such as SecuROM, SafeDisc, StarForce, or Denuvo requires a cracker, or many crackers to spend much time studying the protection, eventually finding every flaw within the protection code, and then coding their own tools to "unwrap" the protection automatically from executable (.EXE) and library (.DLL) files.

There are a number of sites on the Internet that let users download cracks produced by warez groups for popular games and applications (although at the danger of acquiring malicious software that is sometimes distributed via such sites).^[17] Although these cracks are used by legal buyers of software, they can also be used by people who have downloaded or otherwise obtained unauthorized copies (often through P2P networks).

Trial reset[edit]

Many commercial programs that can be downloaded from the Internet have a trial period (often 30 days) and must be registered (i.e. be bought) after its expiration if the user wants to continue to use them. To reset the trial period, registry entries and/or hidden files that contain information about the trial period are modified and/or deleted. For this purpose, crackers develop "trial resetters" for a particular program or sometimes also for a group of programs by the same manufacturer.
A method to make trial resets less attractive is the limitation of the software during the trial period (e.g., some features are only available in the registered version; pictures/videos/hardcopies created with the program get a watermark; the program runs for only 10–20 minutes and then closes automatically). Some programs have an unlimited trial period, but are limited until their registration.

See also[edit]

References[edit]

Reversing Cracking

by Andreas Venieris

Everything published in this article is just for educational purposes and for “white” knowledge, that is the knowledge used only for defense. Respect the programmers’ work. In general, use the knowledge you get from resources like this, to create more robust programs or better protecting tools.

According to Wikipedia: Software cracking is the modification of software to remove or disable features which are considered undesirable by the person cracking the software, usually related to protection methods: (copy protection, protection against the manipulation of software), trial/demo version, serial number, hardware key, date checks, CD check or software annoyances like nag screens and adware. (cromwellpsi.com)

What You Will See

In this article you will learn what is required in order to start thinking as a cracker. I will show the least elementary steps needed for cracking simple programs.

I am going to give you two examples of how to crack a “home-made” program just to take the idea of what is behind in both parts: the cracker and the programmer. Next, I will show how to crack a small and simple commercial program. This program is no longer available (at least in the version that it was when it was cracked).

In general, you will learn:

• What we think when we crack.

• What knowledge we have to have.

• What tools we can use.

What you should know

• Basic knowledge of Assembly language (cromwellpsi.com).

• An idea of how debuggers and disassemblers work and specially Olly debugger (Figure 1 and cromwellpsi.com).

• Hex editors (you have to know at least what it is – cromwellpsi.com).

• Basic knowledge of Machine Registers (cromwellpsi.com).

• Also, welcome (and many times required) is the knowledge of PE executables internal structure (cromwellpsi.com).

• Programming skills are always welcome ;)

Figure 1. Olly: A well-known PE executable’s debugger

Let’s Crack

Everything published in this article is just for educational purposes and for “white” knowledge, that is the knowledge used only for defense. Respect the programmers’ work. In general, use the knowledge you get from resources like this, to create more robust programs or better protecting tools.

Target #1: The “un-pressable” Button

Our first target is a program that programmers used to create for fun. A window appears and prompts the user to press a specific button, but when the mouse pointer comes over, the button becomes disabled (Figure 2).

Figure 2. Press the button… if you can!

Sometimes, programmers used this trick when they realize that a user use the program in a not legitimate manner (unregistered, illegal copy etc.). Thus, the existed button “Start” (in every application’s welcome screen) becomes disabled when the user try to press it!

The key here, for the cracker, is how to find a way to fool the application in order to allow the user to press the button before (or after…?) the program disable it. Here, we need some programming knowledge, a hex editor and (as always) some… tricky thoughts.

The method that we are going to use is the following: From elementary Windows programming we know that if we prefix any letter of any Caption Text Component with the ampersand symbol (&) the current letter becomes a shortcut to activate the component! Well…, this is the trick. We will change the caption “Press Me” of the main button of the application to “Press&Me”. This means that the user will see the caption as “PressMe” which means that the letter M is a shortcut for this button, which means that if he/she pressed the keys Alt+M is the same thing as he/she pressed the button itself.

The question now is how to change the caption of the button without access to the source code of the program. The answer is a Hex Editor. We open the executable program with a hex editor (Figure 3).

Figure 3. Using a hex-editor we can see the machine instruction of a program as hexadecimal numbers

What we see here can be divided into three parts that corresponds to the three columns that the cracker sees. The 1^st column is the address of the current machine instruction, the 2^nd column is the machine instruction itself in hexadecimal format and the 3^rd column is (again) the machine instruction in raw text format or better, its text representation.

In Figure 3 you can see my first step, which is to find the text “Me!” in the text representation column. What is needed is to change the words “Press Me” (see the 3^rd column) to “Press&Me”, and save the file (using the same name – or in a different name if you want to keep a backup).

Let’s now run the program and press Alt+M (Figure 4). So easy, huh?

Figure 4. Press Alt+M and voila, the buttons is pressed without touching it ;)

Target #2: My Sweet Little Piano

It is time now to go a step further. We are going to bypass the registration control of a simple commercial application: the “Sweet Little Piano”. The actual executable file is called Swlipiexe. This application converts our keyboard to a piano. The “problem” is that it requires a small amount of money in order to release all of its features.

When the program starts, asks for a password and (in addition) it displays a banner with some financial requirements of how to order, etc. (Figure 5).

Figure 5. The welcome screen of the Sweet Little Piano

I press OK without entering any password, I get an error message: “Not a valid password!”. This message is the key of my method to bypass the protection. What I am going to do is:

• I will use the Olly Debugger to open the program.

• I find the machine instructions that correspond to the command that display the message “Not a valid password!”

• Near to the display command a check for a correct password must exist.

• I will modify the password check instruction in order to skip this check and…

• That’s it!

Ok, nice with the theory, let’s do the real thing now.

I use File | Open in Olly and I load the executable Swlipiexe. My first job then is to locate the string “Not a valid password!” (Figure 1). But wait, before proceed please let me explain to newcomers to Olly Debugger what we see in this Figure 1. The Olly window is divided into 4 parts:

• The top-left part shows the assembly instructions of the program.

• The top-right part displays the value of the machine registers.

• At bottom left and

• At Bottom right are the contents of the current running program’s memory (heap, stack) that we are not going to use (at least) in this article.

To find the string “Not a valid password!”, I right click on the Top Left Part of the Olly window and I select “Search For -> All Reference Text Strings”. Olly will respond with a new window with all machine instructions found containing the above string. The window has three columns: the Address, the Dissasembly and the Text String column. I am interested on the last one. So, I found the line (below):

Address Disassembly Text string

PUSH Swlipi ASCII “Not a valid password!”

I double Click on this line and Olly redirects me to the program’s corresponding instructions, here:

. 68 PUSH Swlipi ; |Title = “Sweet Little Piano”

74 2B JE SHORT Swlipi

. 68 PUSH Swlipi ; |Text = “Thanks for registering! Please

E . 56 PUSH ESI ; |hOwner

F . FF15 A CALL DWORD PTR DS:[<&USERMessageBoxA>>; MessageBoxA

. 6A 01 PUSH 1 ; /Result = 1

. 56 PUSH ESI ; |hWnd

. C 88BA >MOV DWORD PTR DS:[41BA88],1 ; |

. FF15 CALL DWORD PTR DS:[<&USEREndDialog>] ; EndDialog

. B8 MOV EAX,1

D . 5E POP ESI

E . 83C4 60 ADD ESP,60

. C2 RETN 10

> 68 PUSH Swlipi ; |Text = “Not a valid password!”

. 56 PUSH ESI ; |hOwner

A . FF15 A CALL DWORD PTR DS:[<&USERMessageBoxA>>; MessageBoxA

. 6A 01 PUSH 1 ; /Result = 1

. 56 PUSH ESI ; |hWnd

. C 88BA >MOV DWORD PTR DS:[41BA88],0 ; |

D . FF15 CALL DWORD PTR DS:[<&USEREndDialog>] ; EndDialog

A3 . B8 MOV EAX,1

A8 . 5E POP ESI

A9 . 83C4 60 ADD ESP,60

The line (or better, the address) is responsible for displaying the message of password failure:

> 68 PUSH Swlipi ; |Text = “Not a valid password!”

The current message of failure could be the start of our success ;) If you check a few addresses above, at address , you can see a very interesting message: “Thanks for registering! Please “.

. 68 PUSH Swlipi ; |Text = “Thanks for registering! Please

The program here Thanks the user for registering. It is very possible that very near a “jump to an address” is located that the program redirects the user, after a successful registration. Indeed there is such instruction, at address

74 2B JE SHORT Swlipi

If case you wonder what the above instruction means in English then read this:

IF THIS = THAT THEN GOTO ADDRESS

We know (from above) that the address is the address of a wrong password. So, in pure English, we have the following situation here:

IF THE PASSWORD IS WRONG THEN DISPLAY ERROR MESSAGE.

I will make the following trick: I will change the above logic to:

IF THE PASSWORD IS CORRECT THEN DISPLAY ERROR MESSAGE.

This means that if the password is WRONG, the program will skip this instruction and will continue execution to the immediate next instruction, meeting the address which is the address “Thanks for registering”! To do this I will change the instruction at address from JE (Jump If Equal) to JNZ (Jump if Not Equal):

74 2B JΝΖ SHORT Swlipi

I am Double-Click to instruction “JE SHORT Swlipi” and Olly displays a window with the current instruction. I just change the JE to JNZ and I press Assemble. This means that when the user enters a wrong password the programs will behave as it was correct! This situation has a funny side-effect: If we are so… “unlucky” and the password we enter is the real one, then we get an error message…! Well, in such case try another password and/or go to play in an online lottery as well… ;)

But, we are not finish yet! The registration form still appears when the application starts (even it gives us now all of its features). We should get rid of this annoying form. Hmm… if you are observant enough (and you should be if you want to be a good reverser) you will realize that the order form located in a file with the name cromwellpsi.com. So, let’s start search for the word “cromwellpsi.com” in the Olly Debugger. I found it, at this address:

C0 /$ 8B4C24 04 MOV ECX,DWORD PTR SS:[ESP+4]

EC |.^75 F7 JNZ SHORT Copy_of_E5

EE |> 6A 01 PUSH 1 ; /IsShown = 1

F0 |. 8D 04 LEA EDX,DWORD PTR SS:[ESP+4] ; |

F4 |. 52 PUSH EDX ; |DefDir

F5 |. 6A 00 PUSH 0 ; |Parameters = NULL

F7 |. 68 PUSH Copy_of_ ; |FileName = “cromwellpsi.com”

FC |. 68 PUSH Copy_of_ ; |Operation = “open”

|. 6A 00 PUSH 0 ; |hWnd = NULL

|. C 19 00 MOV BYTE PTR SS:[ESP+EAX+19],0 ; |

|. FF15 CALL DWORD PTR DS:[<&SHELLShellExecuteA>] ; ShellExecuteA

E |. 81C4 ADD ESP,

. C3 RETN

The above code fragment is called subroutine. It is a set of one or more machine instructions that is called from one or more callers, i,e, memory addresses on the same program. The specific subroutine starts from address C0. This means that somewhere in the program there is another machine instruction, the caller, in the form:

CALL SwlipiC0 (i.e. GOTO C0).

Indeed if you search a bit we will find this:

C E8 3FF1FFFF CALL SwlipiC0

What I want to do here is to make the program to ignore this instruction. But how? The answer to my problem is called (in assembly language terms) NOP, which means No OPeration (cromwellpsi.com). I am going to replace the current instruction with one or more NOPs. At the end, the instruction of the address will be:

C . 90 NOP

D . 90 NOP

E . 90 NOP

F . 90 NOP

. 90 NOP

In case that you wonder, why our initial one instruction becomes five instructions, please note that we must always keep the size of the initial instruction when we replace. Since each NOPs requires just 2 bytes and the initial instruction was 10 bytes long then we had to repeat the NOP, five times! Clever huh? To be honest, such specific tasks (nowadays) performed automatically by all good debuggers and of course Olly is one of them! Our final task is to save my changes to a new executable, the cracked one. So, I press Right Click | Copy to executable | All Modifications: A new window appear, I just press Copy All. A new window appears (again) that shows our modified assembly code. I close this window and a new one appears (again!! – I promise this is the last one!) that prompts me to enter the new executable filename. I enter “Swlipi32_cromwellpsi.com” and then OK! That’s it! When I start the application I see the desired results (Figure 6).

Figure 6. Our cracked Sweet Little Piano

Please note that this specific method in reverse engineering world is called patching (cromwellpsi.com). It is considered as the most quick and dirty way to overcome a protection. From the “reversing science” point of view it is also considered as the less knowledgeable method, since it does not require a lot of effort (or knowledge). Nevertheless it is a required elementary step in order to be a good reverser.

As you see, we just scratch the iceberg’s tip. Nowadays cracking is a lot more difficult even with the excellent cracking tools of the net or of the dark-net. Companies and programmers (hopefully!) are now more suspicious about cracking. New methods have been invented and new protections (packers, interrupt checkers, obfuscators etc). On the other hand, remember that what locks can be unlocked…

About the Author

Andreas holds a MSc in Artificial Intelligence from department of Computer Science from Queen Mary College – University of London and a BSc in Statistics from University of Piraeus. He was a PhD candidate with a scholarship in Department of Informatics of University of Piraeus in thesis “Architecture of an intelligent and secure database record”.

He has contributed to the design and implementation of several management information systems for both commercial, industrial and web fields, for more than 10 years. He has worked in Software houses as well as Information Consultant Companies such as: ABC Professional Services (at Piraeus Bank), IMS Informatics (at Τoyota Greece), Industrial Technologies SA, Greek Telecommunication Organization (OTE) and currently he is IT Director of Care Direct SA – a BTL Advertising & Digital Marketing Company. He is a member of the Economic Chamber Of Greece as well as the Greek Organization Of Scientists and Professionals of Informatics and Telecommunications. He likes programming and he is a computer security hobbyist and enthusiast.