Cracking Wildcat 5
When one key code works, why can't the rest of them?

Not Assigned
30 October 1998
by Cup of Cats

Courtesy of Fravia's page of reverse engineering

fra_00xx 981030 CoC 0100 NA PC
A great essay. Well explained and tackling a more and more frequent aspect of our reversing studies: server-validation. Read it. Think about it. Work on your own. As you will see there's no useless key generator in here, there are a lot of EXPLANATIONS and quite a lot of zen reversing as well. Enjoy!
Quality is Job Number 2. Making Money is Job Number 1. -Some big car company.

Rating
( )Beginner (x)Intermediate ( )Advanced ( )Expert
I have been working on this crack for over a year. Don't you hate it when nothing makes any sense, you go away for a few months, come back, and everything falls into place in 15 minutes? Heck, it took longer to write this essay than to crack the program. Makes you feel like an idiot.
Cracking Wildcat 5
Feeling for a correct unlock code
Written by Cup of Cats
This takes A LOT of explaining. I have been using Mustang Software's Wildcat BBS programs for over 9 years now and have now turned my BBS into a small ISP. I lie in bed at night thinking about the money I have spent on the darn thing over the years.
Instead of buying my Wildcat INS setup (Wildcat 5 with the internet addons) directly from Mustang, I got lucky and got them locally from another setup who moved over to Worldgroup. Mustang has a license transfer policy that costs $25 per program. Imagine my complete surprise when Mustang would not allow the seat license that I purchased used to be transferred under my current license. While I have enough seats currently, I wanted the extra seats and felt I should have them since I did pay for them.
Well, I started last year trying to come up with a key generator for Wildcat. (Anyone else remember me asking for help with it?) After about 6 months trying to work with SoftICE and W32dasm, having no luck with the key generator, no luck with changing jumps, no luck with anything else, I finally said the heck with it.
That was until about a week ago. I was fooling about with another program in W32dasm and finally opened the help file that comes with W32dasm. DUH! I discovered how to change the registers, do the breakpoints, and the other debugging tricks you need. I never could get the hang of using SoftICE and switching back and forth from windoze.
So anyway.....
W32Dasm
Your favorite Hex Editor
Mustang Software has a server just for Wildcat at http://bbs.mustang.com. A limited version of Wildcat 5 with Internet addons (called Wildcat INS or WINS) is available for download there. (It runs 25 megs or so.) The seat license portion should be coded the same. The Babbages I shop in still has the 2 seat version of Wildcat 5 for 10 bucks and it's still available from some of the on-line software places that deal with discount software titles. Then you can download the upgrades (well, the older important ones anyway) for free after you register. Also if you're looking for a cheap proxy server with web and email servers, it's not bad.
Mustang's been around for more than 10 years. Their programs are a bit expensive but worth it. I have dial ups, an ftp server, a (sort of OK) email server, a (sort of OK) web server, an nntp server plus fido, and many other addons. Seat licenses run 15 to 30 bucks depending on the amount you buy. Worldgroup may be a better bbs/isp server but with Wildcat, everything's on 1 computer (well, one plus the linux router and the quake server) while Worldgroup would have taken 3 computers plus the router and quake server. Addons are also written by third party authors and that's where it seems I spend most of my money. I may crack, but I fully support Shareware.
Set up: Wildcat 5 comes with the following to activate it:
A 6 Digit Registration Code in the form of 12-3456
Your Line Count up to 256 seats
and your Registration key in the form of 1234-1234-1234-1234-1234
As I explained earlier, I have 2 working combinations. (Actually I have a number of them.) The problem with using another working combination is I have a great number of shareware addons and these are keyed to the 6 digit registration code. For the sake of this essay, let's say the following are the keys in question:
My registration code: 12-3456
Line Count: 4
Product Key: 1234-1234-1234-1234-1234
(Not really mine. Just made up for this paper.)
My used Registration Code: 03-2084
Line Count: 16
Product Key: 3a58-2395-1ded-d0e1-c100 (referred to as 3a58-etc. from now on)
(These come from research in a USENET database and are actual working keys. I have no idea where they really come from.)
Looking at the product keys, it appears they are written in hexadecimal while the registration codes and line counts are in normal decimal. Just something to remember.
What we want to do: Just so we're all clear, the point of this crack is to have the Wildcat server accept my registration code (12-3456), the higher line count (16), and the used Product Key (3a58-etc). Instead of trying to change the program to accept any line count, I want the program to work for a specific line count that I feel I have a license for. (Jumping the gun a bit, read the essay. It turns out we are able to work out a crack, but I discovered that by accident so I'll cover that later on.)
Looking at the program: To set the Wildcat server up with its codes, you run a program called wcreg.exe. Fire it up and you get a windows box with 3 fill-in-the-blanks: 1 for the registration code, 1 for the line count, and one for the product key. Let's just try it with the 12-3456 code, 16 line count, and the 3a58 product key. Hey, we might get lucky!
No dice. We get a box that says: 'The key you typed is not correct.' But we do now have something to look for when we decompile. Fire up W32dasm, decompile wcreg.exe, save it as a project file, and do a search for some part of the error phrase. We find the phrase in 3 different places. The following sections cover those 3 locations. Since I am not writing a key generator any more, I am only including those portions of code that we actually need to look at, understand what is being tested, and change if needed.
Debugging Part 1: The first test is to make sure the codes entered are of the right type, they are the correct lengths, etc. Since all the codes we are using are of the correct format, we should be passing this test. I've included the test code below just for reference. In messing with this program, I have yet to see esi not equal 1 at line 004017B2 as long as you don't do something silly like using non-hex digits like 'R' and 'W' in the product key, use the wrong code lengths, or put the hyphens in the wrong place in the product key.
* Referenced by a Jump at Addresses:0040179D(C), :004017A8(C)
:004017AC 47 inc edi
:004017AD 83FF18 cmp edi, 18 ;18h=24d have we finished with all the digits?
:004017B0 7C9D jl 0040174F ;go back if we haven't and do it again.
* Referenced by a Jump at Address:0040174B(U)
:004017B2 85F6 test esi, esi ;is everything ok? esi=1 if ok
:004017B4 7519 jne 004017CF ;go on to the next part if ok
:004017B6 6A00 push 0
:004017B8 6A00 push 0
* Possible StringData Ref from Data Obj ->"The key you typed is not correct."
Debugging Part 2: The next portion uses the product key, breaks it down by character, does its computation, determines the correct line count for that specific product key, and compares it with the line count you entered when you ran the program. If you put a breakpoint on line 00401893, you can see this comparison. (We will talk about this breakpoint later on so keep it in mind.) When we first ran wcreg, we entered a line count of 16. The Product Key we are using is also for a line count of 16. Both esi and eax have the value '10', which is hex for 16 in decimal.
:00401886 0954243C or dword ptr [esp+3C], edx
:0040188A FF4C2410 dec [esp+10]
:0040188E 758E jne 0040181E
:00401890 8B4364 mov eax, dword ptr [ebx+64]
:00401893 3BF0 cmp esi, eax ;test if the computed number equals the line count
:00401895 7419 je 004018B0 ;we entered earlier. if equal, then move on.
:00401897 6A00 push 0 ;error messages start here.
:00401899 6A00 push 0
* Possible StringData Ref from Data Obj ->"The key you typed is not correct."
Do we need to do anything here? Not really. When we ran wcreg and entered the data, we used a line count of 16. The Product Key we used computes to 16 also. The cmp statement on line 00401893 works so we move on.
Debugging Part 3: The third portion is where we need to do our work. It takes the Registration Code and the Line Count you entered and does a computation, takes the Product Key and does a computation, and then compares the two. This is where we need to modify the program. The code that we need to look at is as follows:
:0040196A 684C25494D push 4D49254C
:0040196F E82CFDFFFF call 004016A0
:00401974 83C40C add esp, 0000000C
:00401977 3BE8 cmp ebp, eax ;Do the 2 computations match?
:00401979 7419 je 00401994 ;If they match, move on.
:0040197B 6A00 push 0 ;Else it's a bad code, go to the error codes.
:0040197D 6A00 push 0
* Possible StringData Ref from Data Obj ->"The key you typed is not correct."
Line 00401977 is where we need to look. We need to make these match. eax is the computation code for the Registration code and line count while ebp is the computation total for the Product Key we entered. To make this patch work, the easiest method I discovered was to change the line into either:
cmp eax, eax (#1)
or
cmp ebp, ebp (#2)
Patch #2 does not work and causes the program to crash. Patch #1 does work and is how we change the program. Open up your hex editor, do a search for 83C40C3BE8 and change the 3BE8 into 39ED. Save everything, run wcreg, enter the Registration code 12-3456, the needed line count 16, and the used Product Key 3a58-etc. You get a registration info saved message and the program ends. When you look further down the dead listing, you discover wcreg puts the codes into the windoze registry. A quick search for the Registration Code turns it and the product key up.
When I first tried to patch this program, I tried changing that je statement into a jmp always. The program reported saving the registration data but it never worked when I tried to start wcserver.
Finished? So, we're done, right? Let's see. To start Wildcat, you run a program called wcserver.exe. We fire it up and get the error message 'Wildcat requires a Registration Code to run.' So even though wcreg accepted the codes and saved them to the registry, wcserver won't accept them. So we now have to take a look at wcserver. As always, fire up W32dasm and decompile wcserver.exe. Do a search for where in the program the Registry is opened and the codes are loaded into memory. What follows from that point on is code that looks an awful lot like Debugging Part 3 up above. By stepping through one line at a time, we are even able to find the same compare lines as above:
:0043DF8E 83C40C add esp, 0000000C
:0043DF91 3BD8 cmp ebx, eax
:0043DF93 7503 jne 0043DF98
Again, line 0043DF91 is where we have to look. Again we need to make these match. eax is the memory location of what we need with the Registration code and the line count; ebx is the computation code we get with that product key. So again we have to rewrite that line as one of the following:
cmp ebx, ebx (#3)
or
cmp eax, eax (#4)
Patch #3 causes crashes. Patch #4 does work and is what we need to change it to. Open up your hex editor, do a search for 83C40C3BD8, change 3BD8 into 39C0, and we should be set. Run wcserver and it comes up. Run wcconfig, the set up program, and you discover you have your 16 nodes.
Finished? Part 2: We have a minor problem. The versions of wcreg and wcserver are dated March 11, 1996, and have been updated since then. The memory locations have been changed due to changes in the program (and *MANY* bug fixes). I decompiled the newer versions to discover the code segments look about the same. Do your searches as above, make the necessary changes, and you'll be set. There have been no changes in Registration codes and the computation coding looks the same, just different memory locations.
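A tamper check for the compare that both patches above target, as an added example that is not from the essay or from Mustang Software. It searches a byte image for `add esp, 0Ch` followed by a 32-bit register compare, decodes the ModRM byte, and flags any compare whose two operands are the same register, since such a compare always sets the zero flag and the `je` after it is always taken; it searches by byte pattern rather than by address. The sample images are constructed from the hex strings quoted above, padded with NOPs, and are not real binaries.

```python
"""Tamper check for an `add esp, 0Ch ; cmp r32, r32 ; je` sequence.

Added example (not from the essay or Mustang Software).  A compare whose
two operands are the same register always sets ZF, so the `je` after it
is always taken; that self-compare is the signature this scanner reports.
"""
REGS = ["eax", "ecx", "edx", "ebx", "esp", "ebp", "esi", "edi"]
ADD_ESP_0C = bytes.fromhex("83C40C")   # add esp, 0000000C

def decode_cmp(opcode, modrm):
    """Decode CMP r/m32,r32 (39) or CMP r32,r/m32 (3B) in register form.
    Returns (dest, src) register names, or None for any other encoding."""
    if opcode not in (0x39, 0x3B) or (modrm >> 6) != 0b11:
        return None
    reg, rm = REGS[(modrm >> 3) & 7], REGS[modrm & 7]
    return (rm, reg) if opcode == 0x39 else (reg, rm)

def scan_image(image):
    """Classify every `add esp,0Ch ; cmp r32,r32` pair found in the image."""
    findings = []
    pos = image.find(ADD_ESP_0C)
    while pos != -1:
        tail = image[pos + 3:pos + 5]
        ops = decode_cmp(tail[0], tail[1]) if len(tail) == 2 else None
        if ops is not None:
            dest, src = ops
            findings.append({
                "offset": pos + 3,
                "asm": f"cmp {dest}, {src}",
                "tampered": dest == src,   # self-compare: ZF=1, je always taken
            })
        pos = image.find(ADD_ESP_0C, pos + 1)
    return findings

def is_tampered(image):
    return any(f["tampered"] for f in scan_image(image))

# Constructed sample images built around the byte strings quoted in the
# essay (cmp + je/jne), padded with NOPs; they are not real binaries.
WCREG_ORIGINAL = b"\x90" * 4 + bytes.fromhex("83C40C3BE87419") + b"\x90" * 4
WCREG_PATCHED = b"\x90" * 4 + bytes.fromhex("83C40C39ED7419") + b"\x90" * 4
WCSERVER_ORIGINAL = bytes.fromhex("83C40C3BD87503")
WCSERVER_PATCHED = bytes.fromhex("83C40C39C07503")

if __name__ == "__main__":
    for name, img in {"wcreg": WCREG_PATCHED, "wcserver": WCSERVER_PATCHED}.items():
        print(name, scan_image(img))
```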
Add On: While mucking around with the program, I tried using different product keys and different line counts. I got an interesting result when I used the following product key:
Product Key: 0101-0101-0101-0101-0101
On running wcreg, the program stopped on the cmp line found in Debugging Part 2. It turns out that the Product Key is acceptable for a 257d or 101h seat system. If you use that Product Key, 257 Line Counts, and an acceptable Registration Code, with the above patch, things work, and you get your 257 seats. With more experimenting, you discover that if you translate your needed seats into hex code and repeat it 5 times like above, it will work. So if you want 70 seats, you use the following product key:
Product Key: 0046-0046-0046-0046-0046
where 46h = 70d = 70 seats
What does that mean? We actually have a patch now that will allow us to use whatever 6 digit Registration Code we want and whatever amount of seats we want as long as:
1.) All entered codes are in the correct format.
2.) The hex numbers entered into the product key are equal to the decimal number of the seats we also use.
Please excuse me if what I have written is a bit confused. It's been a long time since I've written any form of paper such as this one. I never could get used to looking at other people's coding, debugging it, and then trying to explain it. Proving other people's proofs in math class never worked for me either.
So what have we learned with this debugging? The big thing is to know your tools. I feel kind of foolish admitting that if I had read the W32Dasm help files, I would have made this patch over a year ago. While I have been able to debug with SoftICE, I found the W32Dasm interface a lot easier to deal with and was able to understand more of what was going on in the program.
I guess I'm one of those people who need windoze no matter how many times it crashes every day here. Sick, isn't it?
Any comments or suggestions can be directed to me at cupocat(at)yahoo(dot)com.
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell.
My comment: Actually the warez version you will find is the pre-release version that was very buggy.