HOW TO CRACK, A TUTORIAL - LESSON 3 (2) by +ORC (the old red cracker) How to crack, an approach LESSON 1 How to crack, tools and tricks of the trade LESSON 2 -> How to crack, hands on, paper protections LESSON 3 (1-2) How to crack, hands on, time limits LESSON 4 How to crack, hands on, disk-Cdrom access LESSON 5 How to crack, funny tricks LESSON 6 (1-2) How to crack, intuition and luck LESSON 7 How to crack windows, an approach LESSON 8 How to crack windows, tools of the trade LESSON 9 How to crack, advanced cracking LESSON A (1-2) How to crack, zen-cracking LESSON B How to crack, cracking as an art LESSON C How to crack INDEX LESSON 3 (2) - HOW TO CRACK, HANDS ON (3.2) Passwords, second part, and something about passletters You have seen in the previous lesson that the use of a password protection, independently of the coding and hiding methods used to store them in memory, implies the use of a comparing procedure with the password that the user types in. You therefore have many options to begin your cracking work: - find the location of the user password - find the "echo" in memory of the real password - find the routine that compares both - find the passwords hideout and encryption type - find the go_ahead_nice_buyer exit or jump - find the beggar_off_ugly_copier exit or jump just to name the more obvious ones. In order to make things more difficult for us crackers, the protectionists have devised many counter-strategies, the more obvious ones being: - keeping the various part of the store/compare/hide routines well apart in code (no match for zen-cracking); - filling these routines with "bogus" compares, bogus jumps and bogus variables, in order to make things more difficult for the crack (no match for decent crackers); - disseminating the code with anti-debugger tricks, like INT_3 instructions or jumps in and out protected mode (no match for our beloved [Soft-Ice]); - trying to eliminate the need for passwords altogether letting the user input "one letter" or "one number" or "one image" as answer to some variable question. In this lesson I'll teach you how to crack these "passletters" protection techniques. Let's first resume the "uses" of a password protection: PASSWORDS AS PERMISSION TO ACCESS These passwords serve to acknowledge that a legitimate user is using the program. This is the type of password that you'll find, for example, protecting your user account on Compuserve, on Networks or even in ATM machines used by banks or corporations. These require a little hardwiring to crack: ATM passnumber protection schemes rely on an answer from the central computer (they do NOT verify only the three magnetic areas in the magnetic strip on the card). The lines between ATM's & their hosts are usually 'weak' in the sense that the information transmitted on them is generally not encrypted in any way. (Some banks use encrypted information, but this is fairly easy to crack too). So for ATMs you should do the following 1) cross over the dedicated line between the ATM and the host; 2) insert your computer between the ATM and the host; 3) Listen to the "normal" messages and DO NOT INTERFERE YET; 4) Try out some operations with a legal card, make some mistakes, take note of the various codes; 5) When you are ready insert a fraudulent card into the ATM. Now the following happens: - the ATM sends a signal to the host, saying "Hey! Can I give this guy money, or is he broke, or is this funny card invalid?"; - the microcomputer intercepts the signal from the host, discards it, sends on the "there's no one using the ATM" signal; - the host gets the "no one using" signal and sends back its "good, keep watching out if somebody comes by, and for God's sake don't spit out any money on the street!" signal to the ATM; - the microcomputer intercepts this signal (again), throws it away (again), and sends the "Wow! That guy is like TOO rich! Give him as much money as he wants. In fact, he's so loaded, give him ALL the cash we have! He is a really valued customer." signal. - the ATM obediently dispenses cash till the cows come home. All this should be possible, but as a matter of fact it has not much to do with cracking, unless there is a special software protection on the line... so if you want to work on ATMs contact our fellow phreakers/hackers and learn their trade... and please remember to hack only cash dispenser that DO NOT HAVE a control camera :=) PASSWORDS AS REGISTRATION This type of password is often used in shareware programs. When you register the shareware program, you are sent a password that you use to upgrade your shareware program to a complete and more powerful version. This method, used frequently for commercial applications, has recently been used quite a lot by many windows applications that come "crippled" on the magazines cover CD-roms, requiring you to telephone a hot line (and paying) in order to get the "unique key" to unlock the "special protection". It's all bullshit: we'll learn in the "how to crack windows" lessons how easy it is to disable the various routines that verify your entry. PASSWORDS AS COPY PROTECTIONS This type of password is often used for games and entertainment software. The password query does not usually appear any more at the start of the program, or as the program is loading. Instead, the password query appears after one or more levels are completed (this innovation was pioneered by "EOB I" and the "Ultima" series) or when the user reloads a saved game or session. DONGLE PASSWORDS A few extremely expensive programs use a dongle (also called an hardware key). A dongle is a small hardware device containing a password or checksum which plugs into either a parallel or a serial port. Some specially designed dongles even include complete program routines. Dongles can be cracked, but the amount of work involved is considerable and the trial and error procedure currently used to crack them via software is extremely tedious. It took me more than a week to crack MULTITERM, Luxembourger dongle protected program. The quickest method to crack dongle protected programs, involves the use of pretty complicated hardware devices that cannot be dealt with here. I myself have only seldom seen them, and do not like at all to crack dongles via software, coz it requires a huge amount of zen thinking and of luck and of time. If you want more information on the hardware way to crack dongles, try to contact the older ones on the appropriate web sites, they may even answer you if you are nice, humble and really technically interested. The obvious principle, that applies to the software password types mentioned above is the following: The better the password is hidden, and the better it is encrypted, the more secure the program will be. The password may be - encrypted and/or - in a hooked vector and/or - in an external file and/or - in a SMC (Self modifying code) part Let's finally inspect the common "ready_made" protection schemes (used by many programmers that do not program themselves): * password read in * letters added to a key to be entered * complement of the letters formed xoring with 255 * saved key (1 char) * saved password (256 chars) * saved checksum (1 char), as protection, against simple manipulations * generating file PASSWORD.DAT with password, to be inserted inside a different file than the one containing the calling routine Now the lazy programmer that wants to "protect" his program searches first the file where the password is stored, then loads the key, the password and the checksum. He uses a decrypt procedure to decrypt the password and a check_checksum procedure to check whether the password was modified. All this is obviously crackabe in few seconds. [PASSWORD ACCESS INSIDE THE SETUP] Some computers have a password protected access INSIDE the Setup (at the beginning), the protection scheme does not allow a boot with a floppy and does not allow a setup modify. In these cases the only possible crack is an old hack method: * open the PC * find on the motherboard a small jumper (bridge) with the words "Pw" * take it away * PC on * run the setup with F1 or Del (depending from the BIOS) (the protection will not work any more) * deactivate inside the setup the option password * PC off * put the small jumper (bridge) back again * close the PC * PC on, cracked (if you want to be nasty you could now use the setup to set YOUR password) If you want to know more about access refuse and access denying, encryption and locking of the FAT tables, get from the web, and study, the (very well written) code of a virus called "Monkey", that does exactly this kind of devastation. Virus studying is, in general, very useful for cracking purposes, coz the virus'code is at times - very well written (pure, tight assembly) - using concealing techniques not much different from the protection schemes (often far superior) - using the most recent and best SMC (self modifying code) tricks But, and this is very important, do not believe that the protection schemes are very complicated! Most of the time the protection used are incredibly ordinary: as a final example of our paper protection schemes, let's take a program released not long ago (1994), but with a ridiculous protection scheme: TOP (Tiger on the prowl) a simulation from HPS. Here the cracking is straightforward: - MAP(memory_usage) and find main_sector - type "AAAA" as password - (s)earch main_sector:0 lffff "AAAA" - dump L80 "AAAA" location -40 (gives you a "wide" dump), this gives you already the "echo" of the correct password - breakpoint on memory read & write to "AAAA" location and backtrace the complete main_sector it's done! Here the code_lines that do protect TOP: 8A841C12 MOV AL,[SI+121C] move in AL first user letter 3A840812 CMP AL,[SI+1208] compare with echo 7402 JZ go_ahead_nice_buyer EB13 JMP beggar_off_ugly_cracker Now let's quickly crack it: