

Sunday, May 06, 2007

Cracking mIRC

Introduction

First of all, reversing (or cracking) is generally considered illegal. Well, it is not illegal if you are doing it for educational or knowledge purposes. It can still be considered illegal. Who cares!!

Cracking mIRC 5.6

We will be cracking mIRC 5.6 as an example. It is an Internet Relay Chat client, used for chatting, obviously. Download the trial version from their site. There are newer versions too, but we will start with an older one.


Time Required/Skill Level
15 Minutes/Beginner

Tools Needed

  • DEBUGGER (I'll use SoftICE 3.25, since it's the best debugger around (arguably!). You can also use OllyDebugger, it ain't bad either.)
  • DISASSEMBLER (my choice is W32DASM 8.9, an excellent 16/32-bit disassembler.)
  • HEX-EDITOR (I use Hex Workshop 2.54, but you can use HIEW or XVI32 too.)
P.S. If you want links to these tools, write a comment and I will give them to you.

THE REAL STUFF STARTS

First, download and install mIRC to your hard disk (do I need to tell you?). After that, make a backup copy of MIRC32.EXE. Run mIRC; in its HELP menu choose REGISTER, enter your name, enter anything in the REGISTRATION CODE field and press the REGISTER button. An error message appears. This message is very valuable to us, so write it down if you cannot remember it.
Now close mIRC and run W32DASM (remember it?). In the DISASSEMBLE menu select OPEN FILE TO DISASSEMBLE. Find MIRC32.EXE and double-click on it. The disassembly will now begin. In the meantime you can go to the toilet, or fetch yourself a vodka or martini.
When the disassembly is finished you see a bunch of words and numbers, probably meaning nothing to you. That's not important right now. The important thing is that we now have an inside look at mIRC 5.6.
Now, in the REFS menu, select STRING DATA REFERENCES. After a second or two, a list of all strings in the program will appear. Scroll down and find the error message you wrote down (or remembered). Double-click on it and you'll land on the place where the message box is called to present the error. Now you think to yourself: IF ONLY I COULD BYPASS THE MESSAGE BOX... And you can, indeed. Scroll up a bit (approx. one screen) and you will see:


____________________________________________________________________________
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004394D9(C)
|
:0043957A 6A00                    push 00000000

____________________________________________________________________________ 


Well, as you can see, this is the beginning of the message box that we want to bypass. You can also see that the message box is referenced by a conditional jump at address 4394D9h. Scroll up a bit more until you reach address 4394D9h. You will see the following:

 

_____________________________________________________________________________ 

* Reference To: USER32.SendDlgItemMessageA, Ord:0000h
                                   |
:004394C3 E848C50900              Call 004D5A10; ---------------------
:004394C8 68CB544E00              push 004E54CB; This is currently not
:004394CD 68E4504E00              push 004E50E4;  important to us...
:004394D2 E8DD370600              call 0049CCB4; ---------------------

:004394D7 85C0                            test eax, eax; If the number doesn't
                                                             ; match the correct serial

:004394D9 0F849B000000            je 0043957A; jump to ERROR MESSAGE

_____________________________________________________________________________

Click on the address 4394D9h until the highlight bar is over it. In the status bar you will see "@OFFSET 00038AD9 in File: mirc32.exe". Write down that offset, because you'll need it when you use the hex-editor. Now save your disassembly text (DISASSEMBLER -> SAVE DISASSEMBLY TEXT FILE...) and close W32DASM. Open MIRC32.EXE in your hex-editor and go to the offset you wrote down (38AD9h). Change the bytes from "0F 84 9B 00 00 00" to "90 90 90 90 90 90".
90h is NOP (no operation).
That means we have overwritten the six-byte jump with six NOPs (the same number of bytes, so the instructions after it stay where they were). NOPs do nothing, so the program won't jump to the error message even if the serial is not correct. Now save the changes, close the hex-editor and run MIRC32.EXE. Go to the HELP menu and select REGISTER. Enter your name and any number/serial. Press the REGISTER button and POOF! You registered the program! Now close mIRC, run it again and go to HELP -> ABOUT.
WTFFFF?!?! Unlicensed? But I just registered it! Well, it seems that the program checks the registry for the registration information when starting. Hmmm... What do we do now? It's simple... Let's just crack the registry check!

In the SEARCH menu of W32DASM, select FIND and enter "RegQueryValueA" (without the quotes). Press the FIND NEXT button a few times, until you get to this point:

 

_____________________________________________________________________________________ 
 
* Possible StringData Ref from Data Obj ->"code"; opens a value "CODE" in
                                   |; the registry
:0049CE26 68DFEF4D00              push 004DEFDF
:0049CE2B 8B4C240C                mov ecx, dword ptr [esp+0C]
:0049CE2F 51                              push ecx

* Reference To: ADVAPI32.RegQueryValueA, Ord:0000h
                                   |
:0049CE30 E873840300              Call 004D52A8
:0049CE35 85C0                        test eax, eax; checks the code
:0049CE37 7565                        jne 0049CE9E; jump if not correct
:0049CE39 6A02                        push 00000002
:0049CE3B 68CB544E00              push 004E54CB
:0049CE40 E85346FAFF              call 00441498
:0049CE45 68CB544E00              push 004E54CB
:0049CE4A 55                              push ebp
:0049CE4B E864FEFFFF              call 0049CCB4
:0049CE50 85C0                        test eax, eax; check the code again
:0049CE52 744A                        je 0049CE9E; jump if not correct
:0049CE54 8B0424                  mov eax, dword ptr [esp]
:0049CE57 50                          push eax
 
 ____________________________________________________________________________________
 
Write down the file offsets of addresses 49CE37h (offset 9C437h) and 49CE52h (offset 9C452h), because we'll need them when we patch the file with the hex-editor. What should we do now? We change the bytes "75 65" at offset 9C437h into "90 90", and the bytes "74 4A" at offset 9C452h into "90 90". "90" stands for NOP (no operation). So close W32DASM, open your hex-editor, and do it! Save the file, run mIRC and try to register... Once registered, restart mIRC and POOF! It's still registered! Well, I hope you've learned something from this...
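Two details in the walkthrough are worth checking by hand rather than taking on faith: that the je at 4394D9h really lands on the message-box code at 43957Ah (and the two jumps in the registry check on 49CE9Eh), and how a virtual address such as 4394D9h turns into the file offset 38AD9h that W32DASM printed in its status bar. The Python below is an added example, not code from the post, from W32DASM or from mIRC. It decodes the two conditional-jump encodings that appear in the listings above (short 7x rel8 and near 0F 8x rel32) and translates virtual addresses to file offsets through a section-table entry. The section geometry it uses (VirtualAddress 1000h, PointerToRawData 600h, VirtualSize D0000h) is an assumption chosen to reproduce the two VA/offset pairs the post states; a real tool reads these values from the PE header.

```python
"""Added example (not from the original post): decode the conditional jumps
shown in the W32DASM listings and map their virtual addresses to file offsets,
so the numbers in the walkthrough can be checked."""

IMAGE_BASE = 0x400000  # assumption: the default base of a 32-bit PE executable

# Assumed section geometry for the code section of mirc32.exe. The post only
# gives VA/offset pairs (0x4394D9 -> 0x38AD9, 0x49CE37 -> 0x9C437); both imply
# VA - offset == 0x400A00, which is what a .text section with VirtualAddress
# 0x1000 and PointerToRawData 0x600 produces. VirtualSize is a guess.
CODE_SECTION = {"VirtualAddress": 0x1000, "PointerToRawData": 0x600,
                "VirtualSize": 0xD0000}

# Condition-code suffixes, indexed by the low nibble of the Jcc opcode.
_CC = ["o", "no", "b", "ae", "e", "ne", "be", "a",
       "s", "ns", "p", "np", "l", "ge", "le", "g"]


def va_to_file_offset(va, image_base=IMAGE_BASE, section=CODE_SECTION):
    """Translate a virtual address into a raw file offset via the section entry."""
    rva = va - image_base
    start = section["VirtualAddress"]
    if not start <= rva < start + section["VirtualSize"]:
        raise ValueError(f"RVA {rva:#x} is outside the code section")
    return rva - start + section["PointerToRawData"]


def decode_jcc(code, va):
    """Decode a conditional jump located at virtual address `va`.

    Handles the two encodings the listings use: short `7x rel8` (2 bytes) and
    near `0F 8x rel32` (6 bytes). The displacement is signed and relative to
    the end of the instruction. Returns mnemonic, length, taken target and
    fall-through address.
    """
    if code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        length = 6
        rel = int.from_bytes(code[2:6], "little", signed=True)
        cc = code[1] & 0x0F
    elif 0x70 <= code[0] <= 0x7F:
        length = 2
        rel = int.from_bytes(code[1:2], "little", signed=True)
        cc = code[0] & 0x0F
    else:
        raise ValueError(f"not a Jcc at {va:#x}: {code[:2].hex()}")
    fallthrough = va + length
    return {"mnemonic": "j" + _CC[cc], "length": length,
            "target": fallthrough + rel, "fallthrough": fallthrough}


# The three jumps named in the post, as (VA, bytes) pairs copied from the listings.
JUMPS = [
    (0x4394D9, bytes.fromhex("0F849B000000")),  # je  0043957A (message box)
    (0x49CE37, bytes.fromhex("7565")),          # jne 0049CE9E (registry check)
    (0x49CE52, bytes.fromhex("744A")),          # je  0049CE9E (second check)
]


def describe_jumps(jumps=JUMPS):
    """Return one dict per jump: the decoded instruction plus its file offset."""
    out = []
    for va, code in jumps:
        info = decode_jcc(code, va)
        info["va"] = va
        info["file_offset"] = va_to_file_offset(va)
        out.append(info)
    return out


if __name__ == "__main__":
    for j in describe_jumps():
        print(f"{j['va']:08X} @ file {j['file_offset']:06X}: {j['mnemonic']} "
              f"{j['target']:08X} (fall-through {j['fallthrough']:08X})")
```

Running it reproduces the post's numbers: the near je at 4394D9h has displacement 9Bh and ends at 4394DFh, so it targets 43957Ah; the short jne 65h and je 4Ah both resolve to 49CE9Eh; and all three addresses land at the file offsets the post quotes, which is the sanity check to do before touching a hex-editor on any binary you are analysing.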

The above procedure may seem a bit difficult if you are doing it for the first time. Keep practicing...

Please note: the above information is for educational purposes only; I cannot be held responsible for any damage done with it. Developers should spend more time on the security of their software, or else it will be cracked, like always.
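On that last point: the crack above works because the only thing between the user and a "registered" state is a six-byte je and two two-byte jumps, and nothing in the program notices that its own code has been edited on disk. As an added example (not from the post and not mIRC's code), here is the simplest form of the countermeasure a developer can ship: record a digest of the code section at build time, re-hash it at run time, and on a mismatch diff the two so the exact instruction that was overwritten can be seen. The sample "code section" is constructed for the demo and is not mirc32.exe's bytes; SAMPLE_CODE, JE_OFFSET and all function names are my own.

```python
"""Added example (not from the post, not mIRC's code): a build-time code hash
that lets a program detect the kind of NOP patch described above, plus a diff
helper for locating the patched instruction once the check fails."""

import hashlib
import hmac


def build_reference(code_section: bytes) -> bytes:
    """Build-time step: record the digest of the code section as shipped."""
    return hashlib.sha256(code_section).digest()


def verify_code_section(code_section: bytes, reference: bytes) -> bool:
    """Run-time step: True only if the code section still matches the reference."""
    return hmac.compare_digest(hashlib.sha256(code_section).digest(), reference)


def find_patched_ranges(original: bytes, patched: bytes):
    """Return [(offset, length), ...] for each run of bytes that differs.

    After a failed check this points straight at the altered instruction,
    which is what an incident responder wants from a tampered binary.
    """
    if len(original) != len(patched):
        raise ValueError("sections differ in length")
    ranges, start = [], None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            ranges.append((start, i - start))
            start = None
    if start is not None:
        ranges.append((start, len(original) - start))
    return ranges


# Constructed stand-in for a code section (NOT mirc32.exe's bytes): the
# `test eax, eax` / `je` pair from the listing, followed by filler bytes.
SAMPLE_CODE = (bytes.fromhex("85C0")            # test eax, eax
               + bytes.fromhex("0F849B000000")  # je rel32
               + bytes.fromhex("6A00")          # push 0
               + bytes(range(64)))              # filler
JE_OFFSET = 2                                   # where the je sits in SAMPLE_CODE


def nop_out(code: bytes, offset: int, length: int) -> bytes:
    """Model the edit from the post: overwrite `length` bytes with 0x90 (NOP)."""
    patched = bytearray(code)
    patched[offset:offset + length] = b"\x90" * length
    return bytes(patched)


def demo():
    """Check a clean and a tampered copy against the build-time reference."""
    reference = build_reference(SAMPLE_CODE)
    tampered = nop_out(SAMPLE_CODE, JE_OFFSET, 6)
    return {
        "clean_ok": verify_code_section(SAMPLE_CODE, reference),
        "tampered_ok": verify_code_section(tampered, reference),
        "changed": find_patched_ranges(SAMPLE_CODE, tampered),
    }


if __name__ == "__main__":
    print(demo())
```

The reference digest has to live somewhere the same hex-edit cannot update, which in practice means a code signature the OS loader verifies (Authenticode on Windows) rather than a constant sitting next to the check. And since verify_code_section itself ends in a branch, a check that only gates another je inherits the weakness this post exploits; feed its result into something the program genuinely needs, rather than treating it as a flag to test.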

 

REY!

 
