School of Cracking


MasterUploader

  @elohelomg

You want to learn and have help and a guide to crack Hitman Pro yourself. You are welcome, and this is the good place.

I will give you tasks to achieve (step-by-step approach). We will move to the next task only if you pass the current one.

Don't mind if I will call that Lessons.

1st Lesson:

As you know, this program is a Win32 application (windows based, as opposed to console based). The heart of this type of application is the "Message Loop".

Microsoft definition:

The system does not send input directly to an application. Instead, it places all mouse and keyboard input from the user into a message queue, along with messages posted by the system and other applications. The application must read the message queue, retrieve the messages, and dispatch them so that the window procedure can process them.

Simply, this means you will interact with the Hitman application through an interface, the "window" you see on your monitor. This window is an interface executed by your operating system and not by the application. If you break with your debugger when this interface is running, you will land inside the code of your OS (NTDLL.DLL, USER32.DLL ...). This is not what we want.

We want to hook the code of the application itself with our debugger (after giving a dummy activation code and clicking the button "activate").

Your first task is: hook and stop the Hitman application after it displays the following window (you should land in Hitman's code).

Tell me when you succeed in doing this.

Tony, I have NO idea what that means, and the sad part is, I read it like 15 times. I think I'm supposed to load my debugger (I'm using OllyDbg) on the window, not the app itself.

@elohelomg

Yes, you load your debugger and start debugging Hitman.exe.

Then you start the process with "stop on process entry point" in the debugger options.

Now the game is:

1- if you click on "step into" (F7) through the code, you will spend days and days reaching the important routine (as there are millions of lines of code), and for sure you will fall into the traps (designed to block debuggers).

2- if you click on "step over", after a few clicks the program will run (that beautiful screen of Hitman with the handsome guy). In the meantime you discover that you do not have control of the process: the control buttons of your debugger are grayed out. You are in the same situation as if you had clicked on the Hitman icon on your desktop.

SO WHAT?

Heh, the game is to find the right place to put a breakpoint in the app code, to stop it and gain control. Try to break in the code described in my above posts #67, #68 and #69.

That is what I asked you to do in the 1st Lesson.

I am sorry I can't help you with OllyDbg commands, as I don't use it.


@elohelomg,

You should use the exact same programs as Tonyblair's at this point.



MasterUploader

lol @tonyblair, gosh this is hard for me to crack in the way you do it :) but I'm willing to learn how to do it your way, you see :) because that will help increase my knowledge of cracking, so if a couple of methods fail, then I'll be able to use the one you describe :) Please could you write a basic tutorial for everyone to see, on how to crack this :) lol, because most, like me, will just want to decrypt the file and change the info :P but that is the lazy way! So I want to learn how to do it your way :) so please write up a tut in your spare time :) thanks

Thanks Box, I agree with you.

@elohelomg,

If you want to follow me (easily) in this crack, you need to have my tools:

The debugger you need is IDA PRO 5.2.

Sharecode: /en/files/2574677
http://depositfiles.com

It is very, very hard, if not impossible, to decrypt the .lic file by yourself.

Why?

To be able to decrypt that file you need:

A- To find with what algorithm it is encrypted.

  Decryption Type: ?

0 = Rijndael\AES 128 (requires a 16 character Key)

1 = Rijndael\AES 192 (requires a 24 character Key)

2 = Rijndael\AES 256 (requires a 32 character Key) *Default

4 = Blowfish (key between 1 and 56 characters)

8 = TEA (requires a 16 character Key)

1024 = RC4 (Key can be any length)

 ...

Decryption Mode: ?

There are three different modes available for each of the encryption types listed above. They include: Electronic Code Book (ECB), Cipher Block Chaining (CBC), Cipher Feedback Block (CFB), and Output Feedback Block.

Padding Mode: ?

For block ciphers the string to encrypt is padded to a multiple of the block size for the algorithm.

0 = Zeroes (NULLs) *Default

1 = Spaces (blanks)

2 = PKCS7

3 = ANSI X.923

4 = ISO 10126

B- You need the keys: they could be of two types

1- symmetric-key (for DES or AES) or 

2- public-key (for RSA). 

Symmetric-key algorithms use a single shared key; keeping data secret requires keeping this key secret. 

Public-key algorithms use a public key and a private key. The public key is made available to anyone (often by means of a digital certificate). 

A sender will encrypt data with the public key;

only the holder of the private key can decrypt this data.

C- A sample of plain text with its encrypted version, so you can try a known-plaintext attack.

Suppose that you decrypt .lic; OK, but the job is not finished. You have to encrypt the modified plain text with the same algo.

-------------------------------------------------------------------------------------------------------------

Here is the first clue: Lic is encrypted with this algorithm: AES-128 CBC PKCS7, and it is signed.
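The point made above, that a decrypted .lic is useless without the signing key, shown as an added example (not code from this thread or from Hitman Pro): AES-128-CBC with PKCS7 padding as the clue states, with an HMAC-SHA256 tag standing in for whatever signature scheme the product actually uses (an assumption, as are the constructed keys and IV). OpenLicense checks the tag before decrypting, so an edited and re-encrypted file is rejected.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
)

// licenseTag is the "signature" over iv||ciphertext (HMAC-SHA256 is an assumption; the thread only says the file is signed).
func licenseTag(macKey, iv, ct []byte) []byte {
	m := hmac.New(sha256.New, macKey)
	m.Write(iv)
	m.Write(ct)
	return m.Sum(nil)
}
// SealLicense encrypts with AES-128-CBC and PKCS7 padding (the modes named in the thread), then appends the tag.
func SealLicense(encKey, macKey, iv, plaintext []byte) ([]byte, error) {
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	n := aes.BlockSize - len(plaintext)%aes.BlockSize // PKCS7: n pad bytes, each of value n
	padded := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	return append(append(append([]byte{}, iv...), ct...), licenseTag(macKey, iv, ct)...), nil
}
// OpenLicense checks the tag before decrypting, so an edited and re-encrypted .lic is rejected without the signing key.
func OpenLicense(encKey, macKey, blob []byte) ([]byte, error) {
	if len(blob) < 2*aes.BlockSize+sha256.Size || (len(blob)-sha256.Size)%aes.BlockSize != 0 {
		return nil, errors.New("malformed license")
	}
	iv, ct, tag := blob[:aes.BlockSize], blob[aes.BlockSize:len(blob)-sha256.Size], blob[len(blob)-sha256.Size:]
	if !hmac.Equal(tag, licenseTag(macKey, iv, ct)) {
		return nil, errors.New("signature check failed")
	}
	block, err := aes.NewCipher(encKey)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, iv).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1]) // PKCS7 unpad: every pad byte must equal the pad length
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding")
	}
	return pt[:len(pt)-n], nil
}
```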



How did you find this out? :)
"Lic is encrypted with this algorithm: AES-128 CBC PKCS7 and it is signed"

Very simple: the program itself told me.

When you chose the option "activate 30 days trial", there was a communication between the server and the program.

The latter was asking for a trial Lic and the server provided it with an encrypted one.

And by magic, we saw the program enabled after we received that Lic file over the Internet.

The question is: how does the program enable itself with an encrypted file? :think:

think think think

  :idea: oh yes yes, because the program decrypts it.

The program is able to decrypt, so it has the means to do it. It can answer the questions of my last post (at least some of them).

Conclusion: the only successful path is to debug the program (even if it is difficult). The fun is inside.



MasterUploader

lol ok, as this is quite a hard target for a beginner (and even a hard target for me, lol), do you think it's possible to make some sort of video tutorial or a written tutorial (pdf, notepad, word etc) that guides us through it :P? So then we can all learn what you are doing :) and use the method on other software similar to this! :D

I will try to make a pdf, but I can't promise it for tomorrow (as it takes time).

To close the subject, here is the good path (in green) for enabling the program in the license check routine (sub_4466C0).

hitman004.jpg

The installer keeps crashing on me. Gonna try updating a few things, see where that gets me.

Hi elohelomg,

Be patient, follow, and you will learn a lot.

Now I need to know about your machine: OS? CPU? Memory?

For the crash: please show me a picture of the pop-up error window, so I can judge and help.

This IDA will be your precious tool for cracking. We have to make it work on your machine. :showoff2:

cheers



Yes. I guess I just needed to update my .NET Framework.

Here are the steps I've done, and it seems like I got it to work. I made a new PE thingy, opened up hitmanpro.exe

Started the debugger, allowing all exceptions until I get to the activate key part.

Seems like I know what I'm doing, but I have NO idea. (though it does seem to be right)

P.S. congrats on your VIP!

I just started school, and as you can see, I'm time deprived.

Wow, you are fast!

I was preparing this text to help you disassemble the program:

1- click on the IDA Pro 32bit icon

2- a small window "Welcome to IDA!" will pop up

3- click "New" (Disassemble a new file)

4- in the "New disassembly database" window click "PE Executable"

5- in the "Select PE Executable to disassemble" window browse to c:\Program files\Hitman Pro 3.5\HitmanPro35.exe

6- click open

and look how magic it is

I've done all that. Way ahead of you, haha. Now, I'm at the part where it's asking for my key (for some reason, Hitman Pro is expired).

What would be needed to do here?



What is needed is to break the program inside the license check routine,

and move step by step to understand the blocks I posted in the picture above.

To do that you need to add some breakpoints at the good addresses (inside this routine).

You have to solve the problem of relocation of the start address of the program each time you restart the debugger.

You have to look up the starting address in text mode and note it on a piece of paper. We have to synchronize.

This change is in fact easy: it adds 00 92 00 00 to 00 40 00 00, or something like that, to be calculated with Microsoft Calculator (it handles hex calculation):

here I begin at 00 D4 10 00

hitheader.jpg



As the start address begins at 00 D4 10 00 (it will be different for you),

the license check routine is located at this address: 00 D8 66 C0

liccencecheckhitman.jpg



A few questions.

Where exactly do you put the breaks and why?

How do you know those are the keys you need to change?

(I do not know binary and all that jazz, so, yea... lol)

Sorry to put you on hold, but I'm being forced to help the world with their problems. I shall come back later on today.

Congrats again on your VIP



You add a breakpoint here at the beginning of this routine (you have to calculate its address as below:

 License check routine address = Your starting address + 456C0)

lic002.jpg

Thanks.

I cracked this pgm so I know what to do to patch it (and you will do it with me).

OK, now I have to go to bed.

See you tomorrow.



@tonyblair: Is IDA Pro better than OllyDbg FOFF edition?

I have messed with both, although I don't know how to use either one, and like IDA better. Olly always crashes on me.

I can just elaborate on my own experience: IDA Pro is a must when you master it.

Cracking is a game of solving a quiz for fun, like finding the way out of a labyrinth. It needs a lot of "thinking", tactics and strategy. IDA with its graphics helps to do that.

Commenting is also very important: call sub_0415B2F1 tells you nothing, but call Licence_check is more understandable. IDA does that. And, and...
