TORN@DO presents: cRACKER's n0TES
Tips & Tricks for cracking Runtime Limits


Limited Number of Runs (adynts)
If a program has a limited number of runs, we know that there is a counter. Let's suppose this counter is decremented each time. So there should be a DEC each time you use the program, so that DEC should appear often. Normally you have a 32-bit program, so let's search in the disassembly listing for "dec dword ptr" with grep. Using grep is important here, for it allows you to see the multiple occurrences of the same location.




Runtime Limit Cracking (CrackZ)
Let's say we are restricted to a limited use (e. g. 25 uses) of the program before the program 'disables' itself. So let's launch the program and note the message box which politely informs you how many times you have run the program, just relaunch the program a few times to gain a feel of what is going on.

The zen approach here (as with time trials) would be to feel how this code might be implemented (e. g. 19h = 25 dec). Maybe sniff with the HEX editor for some likely bytes - however a disassembly is most likely your best approach (I hope you remembered the text in that message box). You should easily locate something like this inside W32DASM:



    CMP BYTE PTR [004628D4],00             <-- Check_1st_time_program_run
    JZ 0045B7D9                            <-- Jump_1st_time_run 
    CMP DWORD PTR [004628D8],1A            <-- Check_times_run (1A = 26dec) 
    JGE 0045B72A                           <-- Jump_bad_guy
    
In this scheme you should easily see our 2 important flags: 004628D4 decides whether this is the program's first run, whereas 004628D8 will flag the number of times the program has been run. Note that the program compares the number of times run with 26 decimal, a minor trick to fool our HEX searching. You should be able to see many ways of beating this scheme; you could, for example, settle for increasing 1A (26) to say FF (255), that's a fairly weak change but may help you fully evaluate the program, or you could NOP away the JGE 0045B72A, that would beat the 26-run time check altogether, or maybe you could force the JZ 0045B7D9 into a JMP. Make whichever patch serves you best!

Most 'run time limit' schemes are similar in operation to this one, and they are usually fairly weak location counters (although sometimes programs may increment a counter hidden inside the program file itself or a DLL). You should pay particular attention to locations being used as flags, as these can be potentially malicious, and be very sure to check that there isn't a mirror location checking the same flag.
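Added example (not from the cRACKER's n0TES and not CrackZ's code): a small C model of the run-count scheme in the W32DASM listing above, placed beside a hardened variant in which the counter is stored with a keyed integrity tag and the tag is verified before the limit is applied. The struct layout, function names, the key bytes and the FNV-1a-based tag are all this example's own assumptions; the flag addresses and the 1A (26) limit are the only values taken from the page. It shows why a bare location counter is weak: the same external reset that the weak check accepts without noticing is reported by the tagged check.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define RUN_LIMIT 26u   /* the 1A hex the listing compares against (CMP DWORD PTR ...,1A) */

/* Weak scheme: two bare locations, like the byte at 004628D4 and the dword at
 * 004628D8 in the listing. Nothing binds the two values to each other or to the
 * program, so the stored counter can be changed without the check noticing. */
struct weak_state {
    uint8_t  not_first_run;   /* 0 on the very first run (CMP BYTE PTR ...,00 / JZ) */
    uint32_t times_run;       /* compared with 1A (CMP DWORD PTR ...,1A / JGE) */
};

/* Returns 1 if this run is allowed, 0 if the limit is reached. */
int weak_check(struct weak_state *s)
{
    if (s->not_first_run == 0) {        /* first-run path taken by the JZ */
        s->not_first_run = 1;
        s->times_run = 1;
        return 1;
    }
    if (s->times_run >= RUN_LIMIT)      /* "bad guy" path taken by the JGE */
        return 0;
    s->times_run++;
    return 1;
}

/* Hardened variant: the counter is stored together with a tag computed from a
 * key and the counter value. The tag here is a keyed FNV-1a stand-in for a real
 * MAC; the key below is constructed for this example. */
static const uint8_t TAG_KEY[16] = {
    0x7a, 0x13, 0xc4, 0x5e, 0x91, 0x08, 0xbd, 0x26,
    0x4f, 0xe2, 0x37, 0xa9, 0x60, 0xd5, 0x1c, 0x88
};

struct tagged_state {
    uint32_t times_run;
    uint32_t tag;
};

static uint32_t compute_tag(uint32_t count)
{
    uint32_t h = 2166136261u;               /* FNV-1a offset basis */
    for (size_t i = 0; i < sizeof TAG_KEY; i++) {
        h ^= TAG_KEY[i];
        h *= 16777619u;                     /* FNV prime */
    }
    for (int i = 0; i < 4; i++) {           /* absorb the counter bytes, little-endian */
        h ^= (count >> (8 * i)) & 0xffu;
        h *= 16777619u;
    }
    return h;
}

void tagged_init(struct tagged_state *s)
{
    s->times_run = 0;
    s->tag = compute_tag(0);
}

/* Returns 1 if allowed, 0 if the limit is reached, -1 if the stored counter
 * no longer matches its tag (the value was changed outside this code). */
int tagged_check(struct tagged_state *s)
{
    if (compute_tag(s->times_run) != s->tag)
        return -1;
    if (s->times_run >= RUN_LIMIT)
        return 0;
    s->times_run++;
    s->tag = compute_tag(s->times_run);
    return 1;
}

/* Exercise both schemes on a fresh state: 26 runs (first run plus 25 more). */
int weak_runs_allowed(void)
{
    struct weak_state s = { 0, 0 };
    int n = 0;
    while (weak_check(&s)) n++;
    return n;
}

/* The weak check after the counter has been reset from outside, with the
 * first-run flag already set: it cannot tell and allows 26 runs again. */
int weak_runs_after_reset(void)
{
    struct weak_state s = { 1, RUN_LIMIT };
    int n = 0;
    s.times_run = 0;
    while (weak_check(&s)) n++;
    return n;
}

int tagged_runs_allowed(void)
{
    struct tagged_state s;
    int n = 0;
    tagged_init(&s);
    while (tagged_check(&s) == 1) n++;
    return n;
}

/* The same reset against the tagged state: the tag no longer matches, so the
 * check reports -1 instead of granting another 26 runs. */
int tagged_result_after_reset(void)
{
    struct tagged_state s;
    tagged_init(&s);
    while (tagged_check(&s) == 1) { }
    s.times_run = 0;                        /* value changed, tag left untouched */
    return tagged_check(&s);
}

int main(void)
{
    printf("weak: %d runs, %d runs after reset\n", weak_runs_allowed(), weak_runs_after_reset());
    printf("tagged: %d runs, result after reset %d\n", tagged_runs_allowed(), tagged_result_after_reset());
    return 0;
}
```

The tag only binds the stored value to a key that lives in the same binary, so it raises the bar against editing the saved counter, not against patching the check itself; CrackZ's warning about mirror locations applies just as much to the tagged version, which is why a real scheme would verify the tag in more than one place and use a proper MAC rather than the toy hash above.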





The cRACKER's n0TES are Copyright © 1998-2000 by TORN@DO of ID. All Rights Reserved. Archived and Re-hosted by Werdstaff