May 1999

Current Issue
Editorial Archive
PCQ Awards
Problem with CD

Search Website
Search CD

  In print
  On CD

Missing issue?

About PC Quest
PCQ Labs
PC Quest Team

Other CMIL Sites
Voice and Data

© Copyright CMIL 1998
By using this service, you agree to the terms and conditions governing it.

Click here to find out more!

PC Quest: Enhance Your Computing

hacker.jpg (19113 bytes)The Dark Art of Cracking

How programmers protect software, and how crackers get past them

Let me start this article with a standard disclaimer that one sees on sites carrying similar topics. "All material in this article is for informational and educational purposes only. Neither the author nor the publication can be held responsible for misuse of the information provided herewith."

That done, let me lead you down the dark side and tell you of the things you can do there. Well, not exactly. This article is not a step-by-step cracking guide for newbies. Nor is it a source for Web links that carry such stuff. This article introduces the methods and tools used by legitimate programmers to copy protect or limit functionality of shareware, and the methods crackers use to get rid of different types of protection schemes.

A bit of history

Cracking, as opposed to hacking, has always been on the wrong side of the law in computing circles. Hacking generally meant tweaking or understanding the software you use to a much greater extent than the average person. However, Hollywood flicks and misinformed newspaper reporters soon turned the word "hacking" into something illegal. True hackers were furious and had to curtail their activities, whereas crackers were laughing their heads off and continuing their work.

Cracking probably started with DOS-based games. If someone didn’t have enough health or lives to reach the next level even after trying for a long time, they could use programs like GameHack to directly edit the value in memory and increase it to whatever you felt like. This was a slightly complex process, which involved tracking variables in memory while the game was running and modifying them. In most cases it meant a system crash. So certain enterprising individuals came up with game trainers. Each trainer had a list of variables they could modify and their corresponding memory addresses. You simply had to select the value to modify, and presto! You’re in the final level with full health, invincibility, all weapons, the works.

Methods of protection

The advent of the shareware concept brought along a new breed of software. These are functional programs that are given free for use for a time period, after which the user has to pay up to continue using them. Shareware authors think up different ways of reminding users to pay up. Some use nag screens every time the program is run, some need a registration code to be entered, some simply expire after a certain number of days, or after a number of times the program is run.

The following are the most popular methods of protecting software:

Nag screens: The simplest form of protection in which small windows appear before a program loads up which reminds you to buy the software. This is mostly achieved by creating a window before the program’s main window is shown and providing a time- or button-based event to open the main program. Examples of programs using this are Paint Shop Pro and TextPad.

Expiration: These programs simply expire after a certain time period, or after the program has run a certain number of times. To achieve this, many different methods are used. These include the simple date checks and registry flag checks, which are easily cracked to much more complex header and file checksum related ones. For example, the FrontPage 98 trial version on the March ’98 PCQ CD expires after 45 days of installation.

User registration: This requires you to pay up after which you’ll receive an "unlock" code based on your name, e-mail address, or some such variable that you need to enter in the program for it to work. These work by passing the name entered through some algorithm and comparing the result with the entered code. If they match, the program is registered. Examples are the very popular programs WinZip and CuteFTP. Although these methods seem complex, they are quite simple to crack, as you’ll see later.

Commercial strength wrappers: Many companies are releasing software in the try-before-you-buy concept, which includes a fully working product, covered by a "wrapper" that allows online user registration after taking in user’s details like name, e-mail, phone, and credit card number. All Symantec products, like Norton Utilities, Norton AntiVirus, and Norton CrashGuard use this. There are many commercial wrappers available, like Release Software Agent, VBox, unBoxed, Techwave, Stirling, and many more. These are fairly complex routines and the cracks available for them are complete programs by themselves. The best part about cracking these programs are that once a wrapper is cracked, all programs using that wrapper are automatically cracked. That is, if you crack the DLL that the wrapper uses, installing any other program using this wrapper will get you the cracked program, without needing to crack it separately.

Dongle (hardware) protection: This is supposedly the ultimate tool to keep out crackers. Very few programs actually use this due to its complex nature and annoyances even to a legal user. A small hardware lock is provided with the program containing a unique key or even some API functions. The program checks for the existence of this lock while starting. I haven’t seen too many programs using this method, except for some versions of AutoCAD and Tally. A different version of this protection is the CD-ROM check associated usually with large games like Quake II. This method is also fairly easy to trace and get rid of.

Many programs use a combination of all these to protect themselves. However, as you will see, no protection scheme has been uncrackable yet.

Tools and methods of the dark side

The popularity of Windows and the ease of creating programs for this platform have lead to the development of thousands of shareware programs in different categories. Crackers have an enormous job ahead of them as they try and keep up with new releases everyday. Crackers usually work with the assembly code, reverse engineering it, and have an excellent grasp of the Windows APIs as well.

There is no one modus operandi to crack a program. Depending upon the program and the kind of protection it has, crackers employ different techniques to get into the program. But there are some common tools that crackers employ to start cracking the program. These programs are perfectly legal and useful by themselves.

The most popular tool for crackers is a Windows debugger named SoftIce from Numega Corporation. This enables developers to set "breakpoints"—points in the program code where the program pauses while variables are checked to see whether they match expected values, in Windows programs. You can trace through the assembly code to debug problems if they occur. But SoftIce in the hands of a cracker is like a Kalashnikov with a terrorist. For example, if a cracker wants to get rid of a nag screen that comes up every time a program is started, he simply sets a breakpoint on a Windows API call, ShowWindow() in SoftIce. He then calls up the program. The moment the nag screen is shown, SoftIce pauses the program and dumps the cracker into the piece of assembly code that shows the screen. It also shows a large amount of important information like values of many registers in memory and byte offsets in the EXE, or DLL. In fact, SoftIce is so powerful that the shareware version of SoftIce was used to crack itself and make it the full version. Numega now has many restrictions on its use and users need to prove that they need the program for legitimate purposes before being able to obtain a copy.

But SoftIce does not help patch the file itself. You don’t want to set a breakpoint every time you want to start the program, do you? So you need to "patch" the program itself. For this, read the Byte offset value for the part of the program you wish to crack. Then open the program (EXE or DLL) in a hex editor (trusty old Norton DiskEdit will do, but there are Windows versions around too), go to that offset and patch it with the hex equivalent of the assembly code you used in memory. If this sounds complex, as I said earlier, you need to have a good grasp of assembly for getting into this stuff.

Another method for which SoftIce is popular is to obtain "reg codes" from programs that require registration. When prompted for a user name and registration code, enter anything you wish, while keeping a breakpoint on an API call like GetDlgItemA(), which is used to extract the contents of a text box in Windows. The moment you press "OK" you get dumped in SoftIce. Now you know that some variable holds the registration value you just entered. The program logically calculates the real code from the user name and compares the two. If they are the same, the program is registered. So all you need to do is trace the code till you see a comparison being done and check the value of the variables. You’ve got the reg code for the name you entered! You can actually use this method to crack some very popular programs.

Another favorite tool of crackers is W32DASM, the Win32 DisAssembler, a shareware program used to disassemble code to trace code jumps. For example, you may have seen programs that check for the existence of its CD-ROM in the drive before continuing. If it doesn’t exist, it gives you an error message and exits. With W32DASM, simply search for the string that is shown when quitting. The place where the string is found, you also find the reference in memory where this was called from. Trace back to the procedure that called it and disable it. (For assembly aficionados, change a JNE instruction—Jump if Not Equal, to a JE—Jump if Equal, or even better, simply NOP it.)

Protection schemes

Commercial strength protection schemes like Release Software Agent (the one used by Symantec in all Norton products), Vbox, Unboxed, and many others employ much more sophisticated routines for protecting the software. However, none of these protection schemes have really been able to stop crackers from breaking into the program and using the software for more time than it was meant to be. Crack programs like PC_RSAG6 help you crack these programs by simply pointing to the EXE file of the program. But this does not mean that the protection schemes are weak. These schemes are very powerful and secure when used to legally purchase the product. That is, you are not in danger of broadcasting your credit card number on the Internet when using the wrapper to buy the program. The crack works at your end of the line, so that you do not have to enter anything at all and can fool the program into believing that it has been purchased.

The only programs that seem to have thwarted the crackers are the ones that employ some sort of Internet-based authentication, each time it’s run. Ironically, most of these programs are from the same area that started the trend of cracking—games. Programs like GameSpy and Kali are shareware programs that allow users to play online games on commercial sites for a limited period. After which the user needs to register at the site to continue playing. Although crackers have been able to crack the program itself, users cannot use the program to connect to any server as no account exists for them until they pay up.

As the world turns towards the Internet for almost everything, so will the software. This will make server authentication the trend for program registration. But knowing how resourceful crackers are, I’m sure they’ll find ways of circumventing these checks too. Already cracking groups like Phrozen Crew, United Cracking Force, the Exterminators, and others are working toward this goal. The first successful Internet program crack I know of was the release of an alpha version of ICQ 99, which was released on many Warez sites. Although I’ve not seen the uncracked version of this alpha, which is supposed to use a different authentication server method, the cracked version works just fine, with all the new features enabled.

Cracking is truly an art, even if it is a dark one. Ask any programmer who has had to understand code written by someone else without any documentation or comments, about what a nightmare it can be. Crackers, on the other hand, thrive on this, and many crackers, like tKC(founder of Phrozen Crew) and Saltine (who first cracked the commercial wrapper RS Agent), have become legends in their own right.

To end this article on cracking, I cannot but use the tagline of one of the most popular cracking groups around, Phrozen Crew. This explains the psychology of the cracker in one simple line, "We always get what we want!"

Vinod Unny