Computer security and hacking have always been an interest of mine. I am a game developer, and I find game hacking very interesting, so I thought I might as well share some knowledge with you. I will mostly be concentrating on game cheats and piracy. This is strictly for educational purposes. A lot of you are creating games, and I think it's helpful to know how users are going to cheat in them or crack any copyright protection you might have.
For this first tutorial I will concentrate on cracking games. If you want to get into this field, there are many websites that release small programs called "crackmes". These programs are typically small, often a single button that requires the user to enter a serial key or register the program. While they are a lot smaller than a full AAA game, the core concept of how to break the protection is the same. Real programs will most likely have multiple layers of protection and checks for whether they are being debugged (I might go into how to get past that in a later tutorial).
Skills needed (not required, but they will help):
A general knowledge of programming and how software works
The basics of reading assembly
For this tutorial I will be using a crackme that dtm created, from https://0x00sec.org/t/crackme-norepls-part-1/2974. Go ahead and download it. When you open the program you will notice that the save functionality is disabled. The title bar also shows that it is currently unregistered.
Our goal is to unlock the full version of this program. If you go to "About -> Register" you will get the following window.
This is normally where you would go to the website of the game or program and buy the software to get the key to enter below. But of course we are not going to be buying any software, so let's look into how we are going to crack this.
The tool we will use is x32dbg, a dynamic debugger. It allows us to run a program while viewing its assembly and modifying it.
Let's crack it!
So open up x32dbg and you should see the following. (Make sure you don't open x64dbg by accident.)
Go to "File -> Open" and select the crackme that you downloaded. It should be called "NoREpls1.1.exe". Your screen should now look like this:
What is happening is that x32dbg has run your program and set a breakpoint at the start of the program. What you are seeing is the assembly of the running program. While this is interesting, it is a lot to digest, and if like me you cannot fluidly read assembly code, we probably want to narrow it down a bit instead of reading the entire program. So we want to keep running the program without being interrupted any more. To do this, press the "Execute till return" button. This will allow our program to run freely until we tell it to stop.
Once you do this you should see that the program has launched. Switch to the crackme and go back to the register menu.
We want to see what happens when this button is pressed, as the program should then run the logic that checks whether the serial key is valid. So go ahead and leave the serial key box blank and press "Register". You should now see the following dialog box.
Looks like our serial number wasn't good, which makes sense as we did not enter anything. OK, so now we know the flow: you press the Register button, it (presumably) checks whether the serial key is valid, and then it pops up a message box telling you it is not. With this information we can go ahead and modify the program to accept our blank serial, and we can narrow down what we are looking for. We know that the check is done when you are in the Registration menu, and we see a "Registration Failed" message. So let's search the assembly code to see if we can find that string anywhere; if we can, that is probably the section of code that handles the registration.
Go back to x32dbg, right click on the assembly window and search for "String References".
Wait for the new screen to finish loading (there is a loading bar at the bottom of the window). We want to search for the string "Registration Failed". Do this by typing those words into the search field at the bottom. Once you have entered your search, the main window should update to show your results. Notice that we only have one result for "Registration Failed". That is great! We have found the section of assembly that tells us we had a bad serial.
Once you see this window, double click on the "push norepl1..." text indicated by the third red box above. You should now see this window.
Notice that the assembly window is now showing you the code that deals with the registration failing. This is great! We have narrowed down our search a bit. But this is the failure case; I wonder if we can find the success case. Try scrolling up a bit to see if anything handles the success case.
Great! It looks like just a little way up we see the text "Registration Successful". I have highlighted the logic that handles checking whether the serial key is valid or not. This is where knowing a bit of assembly is nice. It looks like the code runs an instruction called "test al,al". This ANDs AL with itself and sets ZF to 1 when the result is zero, that is, when the check left AL at 0. You can see more about this command here:
You can see in the examples that it checks a value and then runs a JE operation.
JE jumps to the given address if ZF is equal to 1. This means that if the test leaves ZF set (AL was zero), execution jumps to the address "1014B9". I have highlighted the jump below.
So if we look at this we see that when AL is zero after the check, it runs the registration failed code. Interesting: we know that the check is not going to pass because we do not know the correct serial key. There are many ways we can make it go into the success case instead.
We could change the jump to go to the address "001014BC" on failure instead; this is the success path, so when we fail it will actually run the success code. An even simpler way comes from reading the JE instruction. It says "jump if equal". If we look at the same page we can see another instruction, JNE, "jump if not equal". Using that, the program will jump to the failure code only when the serial matches instead of when it doesn't match. This means that every case will pass except for the correct value. That sounds great! So let's change it.
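As an added illustration (not part of the original tutorial or the crackme), the following C program models the decision point described above: a serial check whose verdict lands in AL, followed by "test al,al" and either the original JE or the patched JNE. The check function and the serial "NOREPL-1234" are constructed stand-ins, not the crackme's real ones. It shows why a single boolean branch is the weak point a developer should think about: after the patch, every serial except the correct one is accepted.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the crackme's serial check. Like the real one it
 * returns its verdict as a single byte in AL; the serial itself is assumed. */
static const char *ASSUMED_GOOD_SERIAL = "NOREPL-1234";

static uint8_t check_serial(const char *serial) {
    return strcmp(serial, ASSUMED_GOOD_SERIAL) == 0 ? 1 : 0;
}

/* Emulate the instructions the tutorial patches:
 *   test al,al     ; ZF = ((al & al) == 0)
 *   je   fail      ; original: go to "Registration Failed" when ZF == 1
 *   jne  fail      ; patched:  go to "Registration Failed" when ZF == 0
 * Returns 1 when execution falls through to the success path, else 0. */
static int registration_path(uint8_t al, bool patched_to_jne) {
    bool zf = (uint8_t)(al & al) == 0;
    bool jump_to_fail = patched_to_jne ? !zf : zf;
    return jump_to_fail ? 0 : 1;
}

/* Count how many serials reach the success path before and after the patch. */
typedef struct { int original_ok; int patched_ok; } tally_t;

static tally_t tally(const char *const *serials, size_t n) {
    tally_t t = {0, 0};
    for (size_t i = 0; i < n; i++) {
        uint8_t al = check_serial(serials[i]);
        t.original_ok += registration_path(al, false);
        t.patched_ok  += registration_path(al, true);
    }
    return t;
}

int main(void) {
    /* Constructed inputs: the blank serial from the tutorial, two guesses,
     * and the assumed correct serial. */
    const char *serials[] = {"", "anything", "1234", ASSUMED_GOOD_SERIAL};
    tally_t t = tally(serials, 4);
    printf("original (JE):  %d of 4 serials accepted\n", t.original_ok);
    printf("patched  (JNE): %d of 4 serials accepted\n", t.patched_ok);
    return 0;
}
```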
To do this, double click on the jump line, change the instruction from JZ to JNE and hit OK.
Hit Cancel on the next box that pops up with the push value. You should now see that the instruction has changed.
Great! So now when we click Register it should succeed with any value but the correct one. Let's try it out: go back to the crackme, put any value in the input box and press "Register".
Looks like it worked! It will now accept any value for the serial and has unlocked the full version.
You can now save files and use the full version functionality.
So we have unlocked the full program, but we do not want to go through this process every time we run it. We may also want to give the unlocked version to other people. To do this go to "Plugins -> Scylla".
Once in this window, select the program that you are running, then press the "Dump" button to save the exe.
You can now replace the old executable with the newly written one, and give out a version that will accept any serial!
Done with this and want to do more? Try making the application register on startup instead of going through the menu.
Try playing with other ways to get past the serial check other than the JNE instruction.
Try changing the messages or text in the program!
Try a different crack me! The site linked has plenty.