Code Reversal, Because Writing It Is Only Half The Fun

It's 5 am in the morning and I have yet to go to bed.  I’ve been up all night since the new year’s celebration reading an IDA Pro book and playing around with SoftIce.  After spending 2 hours without any success on what is probably a really easy program to crack, I was just about ready to write a failure post and catch some much-needed shut-eye.

Instead, just as I was about to give up for the night, I managed to crack my first program.  The target: a small program called Start Menu Cleaner that hasn’t seen an update since the year 2000.  Seemed like a good target to start on, especially since there is a beginner's tutorial on it here.  How hard could it be, right?

Right off the start I figured it wasn’t going to be as simple as it seemed.  I started Start Menu Cleaner, clicked “Register” and entered SoftIce by pressing CTRL+D.  Once inside I set a breakpoint on GetDlgItemTextA and continued to click OK repeatedly on the Start Menu Cleaner dialogue.  To my dismay nothing happened; the breakpoint was never triggered.  I figured maybe the tutorial was outdated, so I decided to dig into the binary and try to figure out what functions I could break on.  For starters, I knew that the program would output an “Incorrect Code” message when the serial code didn’t match the one it expected, so I did a string search in IDA for that and came up with this: [image: IDA Pro, “Incorrect Code” string reference]

Regardless of what this function is supposed to be doing, it is clear that it has two paths of execution: if the comparison fails, it goes to the subroutine that prints “Incorrect Code”; if it doesn’t, it probably takes you to the area where the cool kids go.  I figured the easiest way to find out what the code is was to follow the execution backwards, so I went into the function call that led me here and saw the first sign of good news: [image: IDA Pro, call to lstrcmpA]

lstrcmp is a good sign; it means that when execution gets here, the values for both the code I entered and the code the program expects will be in memory and easily accessible.  The last thing to do now was to add a breakpoint on lstrcmp, trigger that function call, and browse through the stack and registers to find the value the program is expecting: [image: SoftIce, expected code visible in memory]
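The post's shortcut works because the program hands its expected serial to lstrcmpA as a plaintext argument, so the secret is sitting in memory (and in the binary) at the moment the compare runs. The following is an added example, not code from the post or from Start Menu Cleaner, that puts that weak pattern beside the usual fix: store only a hash of the serial and compare hashes, so the compare never has the serial itself in hand. The serial value is a constructed placeholder; FNV-1a is used only to keep the example self-contained and compile-time computable, and a real product would embed an offline-computed cryptographic hash (or verify a signed license) instead. Note that hashing raises the bar for recovering the key, not for bypassing the check; the conditional branch after the compare can still be patched.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

// WEAK: the expected serial is a plaintext literal handed straight to strcmp,
// mirroring the lstrcmpA pattern in the post. When a breakpoint on the compare
// fires, both the typed string and the expected string are its arguments.
// Constructed placeholder serial; not the program's real code.
static const char kExpectedSerial[] = "1111-22222-3333-444";

bool check_serial_plaintext(const char* input) {
    return std::strcmp(input, kExpectedSerial) == 0;
}

// 64-bit FNV-1a. constexpr so the hash constant can be folded into the
// binary; in a real build the constant would be computed offline.
constexpr std::uint64_t fnv1a64(const char* s) {
    std::uint64_t h = 14695981039346656037ULL;  // FNV offset basis
    for (; *s; ++s) {
        h ^= static_cast<unsigned char>(*s);
        h *= 1099511628211ULL;                   // FNV prime
    }
    return h;
}

// HARDENED: only the hash is stored. At the compare, memory holds the hash of
// what the user typed and the stored hash; the serial text is present only if
// the user typed it. (Same constructed placeholder as above.)
constexpr std::uint64_t kExpectedHash = fnv1a64("1111-22222-3333-444");

bool check_serial_hashed(const char* input) {
    // A single XOR on fixed-width values: unlike strcmp there is no early exit
    // at the first mismatching byte, so timing does not leak prefix matches.
    return (fnv1a64(input) ^ kExpectedHash) == 0;
}

int main() {
    const char* tries[] = {"1111-22222-3333-444", "0000-00000-0000-000"};
    for (const char* t : tries) {
        std::printf("%s  plaintext:%d  hashed:%d\n", t,
                    check_serial_plaintext(t), check_serial_hashed(t));
    }
    return 0;
}
```

Build both variants and run `strings` on the resulting binaries: the plaintext version carries the serial as a readable string, while the hashed version carries only the 8-byte constant. That is the difference a breakpoint on the compare exposes, and it is why a defender should never ship a secret that the check has to hold in cleartext to evaluate.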

So there you have it, the simplest crack known to man, but we all gotta start somewhere.  I still don’t know why SoftIce wasn’t breaking on GetDlgItemTextA, since the program clearly uses it.  On a side note, the code I found was 1334-12386-1805-357, which is different from the tutorial’s 1254-11586-1981-389.  I don’t know why that is the case either, since I downloaded the binary from the tutorial’s link as well.
