Learning the basics of cracking games (reverse engineering for idiots)

André Lopes
3 min read · Feb 15, 2018

As a working adult I buy every videogame I play. However, as a child, the only way to play some high-budget PC masterpieces was to crack them. I, of course, had no idea how they worked; as far as I was concerned, they were foul black magick embedded into a nifty .exe. Now, as a security fella in training, I was drawn into learning more about the inner workings of these Robin-Hood-esque pieces of software. But since going to jail was not among my foreseeable ambitions, I looked for a very simple program emulating some very typical protections found in real software.

Enter FAKE.exe.

This very simple program has registration via serial number, a classic among videogames. The usual way to bypass this protection is to reverse engineer the key verification algorithm; however, we're going to analyse the program first, using a debugger. Since I've learned how to exploit these simple Windows programs using OllyDbg, that's what I'm going to use.

Quick! Get to GameCopyWorld!

Typing a random serial results in the program informing us that it is indeed incorrect. Time to disassemble!

There’s something delightfully old-school about debuggers and RE IDEs.

The interface may look outdated and intimidating, but Olly is actually quite easy to use. The first step is to list the strings found in the program, looking for clues that might help us.

As we can see, the already familiar "That serial is incorrect" message is present. More interestingly, there's also a "That serial is correct!!!!!" message. Getting to that message will be our objective. Double-clicking on that line reveals its position in the disassembled code.

Marked in red are three jump instructions that lead to the greyed instruction, the "serial is incorrect" message. It is in our best interest that these jumps are not taken.

In regular use, inputting a random serial leaves the Z (zero) flag at 0, which causes the JNZ (jump if not zero) instruction to be taken. To avoid this we will set breakpoints on these jumps and change this flag at runtime.

It only takes a double click to flip this bit.

Let’s now run the program with the breakpoints in place.

And after flipping the Z flag at the right time, we trigger the awaited message.
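To make the flag mechanics above concrete, here is an added example (not code from the post or from FAKE.exe) that models the serial check in C: a compare sets the zero flag, and a JNZ-style branch decides between the two messages on that single bit. The expected serial and the messages are constructed placeholders; the point it shows is that a client-side check of this shape is decided by one flag value, which is why the breakpoint-and-flip trick works regardless of how clever the key algorithm is.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Model of the x86 zero flag as it drives the check in the post:
 * CMP/TEST sets ZF when the operands are equal, and JNZ (jump if
 * not zero) is taken only while ZF == 0. */
typedef struct {
    bool zf;   /* zero flag */
} flags_t;

/* CMP user, expected : ZF = (user == expected). This is the shape a
 * naive strcmp-based serial check compiles to. */
static flags_t cmp_serial(const char *user, const char *expected) {
    flags_t f = { .zf = (strcmp(user, expected) == 0) };
    return f;
}

/* JNZ target : taken when ZF == 0 (the operands differed). */
static bool jnz_taken(flags_t f) { return !f.zf; }

/* The registration path as the post describes it: one compare, then
 * a jump to the "incorrect" message. Returns the message shown. */
static const char *check_serial(const char *user, const char *expected) {
    flags_t f = cmp_serial(user, expected);
    if (jnz_taken(f))
        return "That serial is incorrect";
    return "That serial is correct!!!!!";
}

/* Same path, but with the debugger's double-click applied at the
 * breakpoint: ZF is forced to 1 before JNZ reads it. */
static const char *check_serial_zf_flipped(const char *user, const char *expected) {
    flags_t f = cmp_serial(user, expected);
    f.zf = true;   /* the single-bit flip performed in Olly */
    if (jnz_taken(f))
        return "That serial is incorrect";
    return "That serial is correct!!!!!";
}

int main(void) {
    const char *expected = "CONSTRUCTED-KEY";   /* constructed sample key */
    printf("%s\n", check_serial("random", expected));
    printf("%s\n", check_serial_zf_flipped("random", expected));
    return 0;
}
```

The defensive takeaway is that the strength of the key algorithm is irrelevant here: the decision collapses to one flag bit evaluated on the client, so a check of this shape cannot be hardened by a better serial format alone.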

In the future I'd like to apply this basic knowledge to exploit a commercially available product while not being arrested. Thanks for reading :)
