QUICK BATCH FILE CRACKING Compiler V2.1.5.0
By X-Bite
Published: October 23, 2007
Hi all, X-Bite here again with my second tutorial. If you are a member of Jasakom you may have read the name of this program before: remember the article by our friend tomplix titled "Making Viruses With CMD Command", in which this program is used as the compiler. Please note that this software may have been updated since, because this copy has been sitting on my hard drive for a long time :) (since 2006), but I think the protection techniques used are more or less the same...
About Target:
Quick Batch File Compiler converts your batch files into actual programs (EXE format) in one click. This program may be run on Windows 95/98/Millennium/2000/2003/XP without any limitations. The content of your batch file will be encrypted and protected from changes.
Main features
Protects the contents of a batch file from unauthorized changes.
Hides the contents of a batch file from viewing. Keep your secrets!
It is not necessary to be a programmer to create the program.
It is very useful for installation and automation tasks.
Can compile any batch file to exe format compatible with Win95/98/Me/2000/XP/2003.
Protection:
1. Serial Number
2. Nag on the compiler
Tools:
1. PEiD 0.94; used to "investigate" the exe file. Can be downloaded at www.peid.has.id
2. OllyDbg v1.10; the coolest debugger and our primary weapon :)
3. ImpREC; import rebuilder, search for it on Google because I forgot the address ;)
4. A little logic ;)
Program Evaluation:
1. Install Quickbfc and run it to look at this software's protection... you'll see "Unregistered COPY" in the status bar at the bottom right. Just click Help >> Register, fill in the name X-Bite and the License Key 1111222233334444 and click Register... Oops, nothing happened; not even a warning or an error (invalid) or the like appears... enough, close the program.
2. Open the program in PEiD; you will see that this program uses the packer "UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo", and if we open PEiD's crypto analyzer plugin we will see that this program is also encrypted.
Unpacking programs:
1. OllyDbg
Run it and open the file quickbfc.exe. Because this program is packed, the first thing we need to do is unpack it (if the program is packed we will have a hard time reading the code and setting breakpoints :)). The following is the usual way to strip a program of its packer :) (info: packing an exe works on the same principle as WinRAR or WinZip). Press F8 (step over) so that the value of ESP changes, then right click on ESP >> Follow in Dump.
We'll be taken to address 0012FFA4 in the dump window at the bottom left. Select the 4 bytes there and set a hardware breakpoint on them: right click >> Breakpoint >> Hardware, on access >> Dword.
After that press F9 (run); we will stop at this address:
00563A23 - E9 3811F4FF JMP 004A4B60
This jump is a jump to the OEP (original entry point) (info: the OEP is the start of the program once it has been unpacked in memory). Press F8 again and we are at the program's OEP; remember the address (info: on your computer the address may not be the same).
From here, we can dump the unpacked program from memory to an exe file with the help of the OllyDump plugin: right click >> Dump debugged process... a dialog box will appear.
Uncheck Rebuild Import (because we're going to do that with ImpREC and also because OllyDump often gives unsatisfactory results :)), then click Dump, give it a name and save it as dump.exe (info: this dump.exe will not run properly yet :)).
2. Open ImpREC, then click "Attach to an Active Process" and select quickbfc.exe (info: quickbfc is still running in OllyDbg). Then fill in the program's OEP: because Olly shows virtual addresses based at 00400000, we must subtract that image base from the OEP address, 004A4B60 - 00400000 = 000A4B60. Click IAT AutoSearch, then Get Imports, then Fix Dump and select dump.exe. The fixed file dump_.exe now runs properly (info: delete dump.exe because we don't use it anymore :)).
Patching Program:
Finally we arrive at the event we've been waiting for: cracking the program. Open dump_.exe in Olly and press F9 (run).
After the program is running, go to its registration dialog (Help >> Register in quickbfc), fill in the name X-Bite and the License Key 1111222233334444, but do not push Register yet. Back in Olly, right click >> Search for >> All referenced text strings, then scroll up, right click >> Search for text and look for "Registration Successful!" (info: these are the words that appear when registration is successful; I know because I've tried it :)). Double click on the text we found and we will be thrown into the assembler code in the program's body:
004A2FAE. 8B15 D0B14A00 MOV EDX, DWORD PTR DS: [4AB1D0]
004A2FB4. A1 CCB14A00 MOV EAX, DWORD PTR DS: [4AB1CC]
004A2FB9. E8 7EF9FFFF CALL 004A293C; call that determines the value of al
004A2FBE. 84C0 TEST AL, AL; test whether valid or not
004A2FC0. 74 35 JE SHORT 004A2FF7
004A2FC2. 6A 00 PUSH 0; / Arg1 = 00000000
004A2FC4. 66:8B0D FC2F4A00 MOV CX, WORD PTR DS: [4A2FFC]; |
004A2FCB. B2 02 MOV DL, 2; |
004A2FCD. B8 08304A00 MOV EAX, 004A3008; | ASCII "Registration Successful!" ; we are here
004A2FD2. E8 4D05F9FF CALL 00433524; \ dump_.00433524
004A2FD7. 8B83 70030000 MOV EAX, DWORD PTR DS: [EBX +370]
004A2FDD. 8B80 08020000 MOV EAX, DWORD PTR DS: [EAX +208]
004A2FE3. BA 01000000 MOV EDX, 1
004A2FE8. E8 1FDEF9FF CALL 00440E0C
004A2FED. BA 2C304A00 MOV EDX, 004A302C; ASCII "Registered version"
004A2FF2. E8 71DDF9FF CALL 00440D68
004A2FF7> 5B POP EBX
Unlike the previous tutorial, this time we will try to wander further into CALL 004A293C (info: we can see that this call is called from four places: "Local calls from 004A091B, 004A2FB9, 004A3AC1, 004A427E"), so if we had NOPed the conditional jump we would have to patch all four call sites. We will use another, more efficient way :) where we change, inside the call itself, the value of AL which determines whether or not the license we entered is valid, so all four callers will receive AL = 1 (registered). Set a breakpoint (F2) at address 004A2FB9, go back to the quickbfc program and push Register (the program may have become tired of waiting at the register dialog :)).... Hup, the program breaks at this address. Press F7 (step into) to enter call 4A293C:
004A293C / $ 55 PUSH EBP; call 4a293c
004A293D |. 8BEC MOV EBP, ESP
004A293F |. 33C9 XOR ECX, ECX; the code between 004A293F and 004A29D5 is cut off because it is too much :)
004A29D5. ^E9 CE15F6FF JMP 00403FA8
004A29DA. ^EB E3 JMP SHORT 004A29BF
004A29DC. 8BC3 MOV EAX, EBX; AL is set here, where the value of EBX is 0
004A29DE. 5E POP ESI
004A29DF. 5B POP EBX
004A29E0. 8BE5 MOV ESP, EBP
004A29E2. 5D POP EBP
004A29E3. C3 RET
When I step over (F8) through several long loops :), I find that register AL is set at address 004A29DC (MOV EAX, EBX), where the value of EBX is 0..... So how do I make AL equal 1 so that we become registered users???... Easy: assemble (space) the instruction into MOV AL, 1 (2 bytes). Note that MOV EAX, EBX is only 2 bytes, so if we replaced it with MOV EAX, 1 (5 bytes) the instructions underneath would be crushed and the program would hang or error...
After changing MOV EAX, EBX into MOV AL, 01, press F9 (run) and we will get the message "Registration Successful!" (still remember this message? :)). We will also see that the Unregistered COPY sign in the bottom right corner has become Registered Version... LOL :D
To save our changes, right click >> Copy to executable >> All modifications >> Copy all >> right click >> Save file >> give it the name Quickbfc.exe >> Save... and close our dear Olly :)
Run the program, click Help >> Register:
Registered Version... The program is Cracked.