The Hacks Behind Cracking, Part 1: How to Bypass Software Registration
If you've ever wondered how software pirates can take software and crack it time and time again, even with security in place, this small series is for you. Even with today's most advanced methods of defeating piracy in place, it is still relatively easy to crack almost any program in the world. This is mainly due to computer processes' ability to be completely manipulated by an assembly debugger. Using this, you can completely bypass the registration process by making it skip the application's key code verification process without using a valid key. This works because assembly allows you to speak directly to the processor and force a skip over the registration process.
In this Null Byte, let's go over how cracking could work in practice by looking at an example program (a program that serves no purpose other than for me to hack). I will not be walking you through how to actually crack a legitimate program, because I can't just crack a program for demonstration, but the techniques applied to my examples should give you the foundation needed to create your own. At that point, it's a test of your morals if you want to use your knowledge for good or bad.
- Windows (for examples only, debuggers exist across platforms)
- A debugger installed: IDA, ollydbg, etc. (ollydbg will be used in examples)
Step 1 Test the Program
First, run the program that you are attempting to reverse engineer and try to activate it with a random key to verify that you need a valid software key to proceed. This is to verify that we can come up with the keys.
Step 2 Run the Program in a Debugger
- Run ollydbg.
- Open up the program you wish to bypass with ollydbg.
- Click the play button to run the program with the debugger attached.
- Right click the CPU window, and click Search For > All intermodular calls.
- Search for high interest DLLs. GETDLGITEMTEXT, will be for dialog boxes, which get called when you try to enter a software key. By stepping into the function with the debugger, we can examine the registration specifically. SENDDLGITEM could be used as well.
- Test to see which one works to break out of the activation loop by right clicking the DLL call and setting a breakpoint for all instances of that call.
- Resume the program and enter any software key you feel like. If the debugger breaks (pauses the program's execution) after entering your key, then you know you found DLL in step 5.
- Press F8 back in the CPU window to force the next step until you get to the TEST EAX. EAX is the return of a value, which means that a check is being performed here. Upon examination, we can see that the EAX is checking for a number that is not equal to a null value. This means that if it is replaced with anything other than null, it will run.
- Right-click the EAX and change it in hex value to 1, instead of 0.
- Resume the program again, and you will have successfully activated the program.And for proof it was registered to me:
This works because you are making the process jump from one register and skip the one that verifies the key entered. To exploit the key registration algorithm, keep an eye out for part two of this tutorial on making the key generator. Hooray for assembly!