[GloriaFine]

Would you like to learn how to Disassemble and Reverse a software program –  IDA-PRO?? Here is guide where you can understand how to do it.

Tools you will need : IDA – PRO the best Disassembler – Debugger Available, Hexplorer or any Hex Editor, Windows Notepad, and Some knowledge of Assembly Language.

I have recently posted 3 Programs on this Forum, and I can give detailed information as to how they were Reversed,
what was changed, and how the code to change was found.

I use IDA PRO VERSION 6.5 and IDA PRO is posted on this forum, and Hexplorer is available on Sourceforge.

How about starting with Creature Animation 1-62 Pro a 64 bit Program, and was very easy to crack, or maybe AppyGen 5-5 it’s a 32 Bit App and Game Creator for Mobile Phones, and was not a difficult program, taking less than an hour.

Gather up your tools, and Lets get started.

Selected the AppyGen program as the 1st example as it is a 32 Bit Program. Download, and Install the Program.

On 1st start by Clicking AppyGEN.exe you will see a message box saying: “Please Activate your AppyGEN Copy First”, Click OK, and TurboActivate.exe will be called by AppyGEN.exe for Activation, and will put up an Activation box.

LESSON 1: Let’s get started by opening, and Disassembling a file with IDA.

1. Start the 32bit version of IDA by clicking on idaq.exe in the IDA Folder, Click on File, Click on Open, and Open TurboActivate.dll, when IDA opens the File, at messagebox select use Debug Info, but answer no when Ida says search for the Debug Info File as it won’t be found. 
2. When the Auto Analysis is finished lower left corner then save the Database,
3. Click on the Exports Tab, and Lets take a look at the Export Functions called by AppyGEN.exe.  You will see Activate : ActivateEx, IsGenuine, and IsGenuineEx.
4. Click on IsGenuineEx, and you will go to the Function, and see public IsGenuineEx
5. Select the Text “IsGenuineEx” Right Click, and Copy
6. Place you mouse below S U B R O U T I N E, and Press the ; semicolon key, and paste the text
7. The Text will now show up throughout the De-compiled database in all references to the Function, and you can do the same with Labels, and DATA to have a friendly referenced name throughout by creating your own Debug Info
8. Right Click on: text:10015B81 push ebp, and Select Add Break-point, Now when the Program is run in the Debugger it will stop on the Break-point
9. You can now run the Program one step at a time by using the F7 Key, or the F8 Key the F8 Key steps over Calls, the F7 key goes in, The F8 key will be the most used key, The F9 key is a let her rip, and run until reaching a break-point.
10. To run the program you will need to Click on Debugger, and select local Win Debugger, and also Click on Debugger, Process Options and Select the Application that starts the Program AppyGEN.exe. You can’t run a dll, because the dll is called by the exe
11. DO NOT RUN THE PROGRAM BECAUSE IT IS A HASSLE TO GET TO THE CODE IN AppyGEN.exe, and we will run the Code in lesson 2

SEE THE CODE BELOW:

Notice the 00685E6C cmp byte ptr [ebp-5], 0 as it's a Compare to Zero, and 0 is False, and 
at 00685E70 jz short loc_685E96 the jz is a JUMP IF ZERO to the LINE AT ADDRESS loc_685E96, 

NOTICE THE : 00685E8A mov edx, offset aAppygenActivat ; "AppyGEN Activated" 
The code is a MOVE TO REGISTER edx the Address of data label : aAppygenActivat - "AppyGEN Activated"

We want to run this code, and not jump. To not jump while running the program in the Debugger : move the mouse to the Next line of code, Right Click, and set the IP Address to that Instruction. IP is the Instruction Pointer Register which is a line Instruction counter.

ACTIVATION CODE IN AppyGEN.exe

AppyGEN, exe:00685E5C ; --------------------------------------------------------------------------- 
AppyGEN, exe:00685E5C 
AppyGEN, exe:00685E5C loc_685E5C: ; CODE XREF: AppyGEN, exe:00685E1Cj 
AppyGEN, exe:00685E5C cmp byte ptr [ebp-6], 4 
AppyGEN, exe:00685E60 jnz short loc_685E6C 
AppyGEN, exe:00685E62 mov eax, offset aNoInternetConn ; "No Internet Connexion Found ! Please Co",,, 
AppyGEN, exe:00685E67 call near ptr unk_57F168 
AppyGEN, exe:00685E6C 
AppyGEN, exe:00685E6C loc_685E6C: ; CODE XREF: AppyGEN, exe:00685E60j 
AppyGEN, exe:00685E6C cmp byte ptr [ebp-5], 0 
AppyGEN, exe:00685E70 jz short loc_685E96 ; DON'T JUMP 
AppyGEN, exe:00685E72 mov eax, off_6E89E8 ; MOVE TO THIS LINE AND SET IP 
AppyGEN, exe:00685E77 mov eax, [eax+3C0h] 
AppyGEN, exe:00685E7D mov eax, [eax+288h] 
AppyGEN, exe:00685E83 xor edx, edx 
AppyGEN, exe:00685E85 call near ptr unk_56BAC4 
AppyGEN, exe:00685E8A mov edx, offset aAppygenActivat ; "AppyGEN Activated" MESSAGE DISPLAYED - BOTTOM PROGRAM WINDOW 
AppyGEN, exe:00685E8F call near ptr unk_56BA20 
AppyGEN, exe:00685E94 jmp short loc_685EE0 
AppyGEN, exe:00685E96 ; ---------------------------------------------------------------------------

LESSON 2 : HOW TO FIND THE CODE THAT ACTIVATES THE PROGRAM !

1. Start the 32bit version of IDA by clicking on idaq,exe in the IDA Folder, Click on File, Click on Open, and Open AppyGEN.exe
2. When the Auto Analysis is finished lower left corner then save the Database
3. 1st thing to do when Debugging a program is to find what to change in the Program, and set some Breakpoints to stop at when running using the F9 Key,
4. Move the Scroll Bar to the start of the Program, and also notice the Colored bar at the top, The pointer should be all the way to the left
5. The blue is the code section, the yellow brown is the library code, and data on the right side, black is nothing,
6. Click on Search, Click on Select Text, and check box Find all Occurrences,
   WHAT TO SEARCH FOR EXAMPLES: activate, Activated, trial, serial, license, and in our case Label : aAppygenActivat ; “AppyGEN Activated”
7. SEARCH FOR aAppygenActivat When the search is finished then open the Tab of the found results
8. Click on the found text, and you will go to : 00685E8A mov edx, offset aAppygenActivat ; “AppyGEN Activated“
9. Notice the text:00685E70 jz short loc_685E96 LINE above, Right Click on the Line and select Add Break-point
10. Notice the cmp [ebp+isActivated], 0 Compare Variable isActivated to 0 = false, and Jump is Zero is the next Instruction, WE DON’T WANT TO JUMP !
11. Notice the mov ecx, offset aTurboactivate_ ; “TurboActivate, exe” on Line below, we don’t want to go there as that is the Activation Box  that we saw when the program was 1ST STARTED, and the Line call @Vcl@Dialogs@ShowMessage was the pop-up message box
12. Now go to the top of the PROCEDURE, Right Click and Select text : Unit1::softwareactivate
13. Go to Line below PROCEDURE Press ; semicolon, and Paste the text into the box, Now a reference to this call will show as a ; comment throughout the entire program when it is run, RIGHT CLICK ON TOP LINE, and SELECT ADD BREAK-POINT
14. To run the Program, Click on Debugger, Select Start Process
15. The program will break when you hit the top of the Procedure Unit1::softwareactivate Break-point
16. You can Step through the code using the F8 Key, or run to the next Break point using the F9 KEY
17. When you get to the Instruction: jz short loc_685E96 then move the mouse to the next line, Right Click, and Select set the IP
18. Now hit the F9 Key and let the program run, it should start up, and display Activated on bottom of Box
19. If you get an Exception Pop up Box then Click on Pass Exception to the Program to continue

In the Next Lesson we will learn how to locate the code that needs to be changed, and how to change it.

text:00685DA4 ; =============== S U B R O U T I N E =======================================
text:00685DA4
text:00685DA4 ; Attributes: bp-based frame
text:00685DA4
text:00685DA4 ; int __fastcall Unit1::softwareactivate(Unit1 *__hidden this)
text:00685DA4 @Unit1@softwareactivate$qqrv proc near ; CODE XREF: _TForm1_FormCreate:loc_6861ECp
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ LEFT OUT ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
text:00685E6C loc_685E6C: ; CODE XREF: Unit1::softwareactivate(void)+BCj
text:00685E6C cmp [ebp+isActivated], 0
text:00685E70 jz short loc_685E96
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~LEFT OUT~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
text:00685E8A mov edx, offset aAppygenActivat ; "AppyGEN Activated"
text:00685E8F call @Vcl@Comctrls@TStatusPanel@SetText$qqrx20System@UnicodeString ;
text:00685E9B call @Vcl@Dialogs@ShowMessage$qqrx20System@UnicodeString ;cl::Dialogs::ShowMessage(System::UnicodeString)
text:00685EA0 push 1 ; wchar_t *
text:00685EA2 push offset dword_686144 ; wchar_t *
text:00685EA7 push offset dword_686144 ; wchar_t *
text:00685EAC lea eax, [ebp+var_18]
text:00685EAF mov ecx, offset aTurboactivate_ ; "TurboActivate,exe"

LESSON 3 : HOW TO MODIFY THE FOUND CODE

The jump that we didn’t do is not the code that needs to be changed to Activate the Program
SEE CODE BELOW :

The mov al, 1 is a MOVE 1 = NUMBER 1 to REGISTER al THE NEXT INSTRUCTION IS MOVE THE 1 IN Register AL TO VARIABLE isActivated

text:00685E0F mov al, 1 
text:00685E11 loc_685E11: ; CODE XREF: Unit1::softwareactivate(void)+69j 
text:00685E11 mov [ebp+isActivated], al

1. 1 = true, and zero = false isACTIVATED must be equal a 1, or true, it is Actiated
   If the program is using this code : If isActivated then Begin ( do this list of instructions ) END ELSE Begin ( do this ) End;
2. The above example is in Pascal since this program is written in Pascal, and All programing Languages are converted to Hex Numbers by the compiler, and each number Represents an Instruction for the CPU to Process  Assembly Language is an easy to understand Instruction for each Hex Number Instruction
3. jz is JUMP IF ZERO, A cmp = compare or a test instruction sets the Flags Register, and the JUMP IF ZERO checks if the Zero Flag is set The Hex number 74 Instruction is jz = jump if zero, Hex number Instruction 74 24 is JUMP 24 BYTES AHEAD IF ZERO FLAG IS SET Hex number 75 = jnz A JUMP IF NOT ZERO
4. In order to not jump we can eliminate the Instruction 74 24 Completely by NOPing it out, the number 90 is a NOP and that stands for NO OPERATION POSSIBLE, We can replace the 74 24 with 90 90, and the CPU will skip over it to the next Instruction in the list A better way to do it is to Change 74 24 to 74 00 jump zero bytes ahead, or don’t jump, but move to the next Instruction
5. This would be a Crackers Dream, a 1 byte crack, but no such luck, because other functions may check if the isActivated Variable is a 1. So we need to do a couple of Instructions to make sure.
6. The above Instruction is a 2 byte Instruction, and if you change any Instructions then you must keep the same numbers of bytes, or The program will crash. To change an Instruction from jz, or jnz to JUMP Change the 74 or the 75 to EB which is an unconditional JUMP.
7. To change a jnz JUMP IF NOT ZER0 to a JUMP which is a ( FAR JUMP more than 256 bytes ) : EXAMPLE: 0F 85 3B 11 00 00 replace the 0F 85 with 90 E9, the 1st Byte is Noped out and the E9 is an Unconditional JUMP, the last 4 bytes is the number of bytes to jump.
8. The FAR JUMP is a 6 Byte Instruction, and if you replace it with a 2 Byte jmp Instruction then you need to replace the other 4 bytes with 90 90 90 90, or when the CPU executes the next 4 bytes the program will crash
9. In IDA click on Jump, Click on Jump to Address, and Paste 00685DF1 into the jump box, and place a Break-point on that Address  text:00685DF1 call @Turboactivateunit@TurboActivate@IsGenuine$qqruiuioo ; TurboActivate::IsGenuine
10. ALSO PLACE A BREAK-POINT ON THE LINE BELOW : WE WILL RETURN TO LINE BELOW ON EXIT OF CALL
11. This is the call that calls the IsGenuineEx External function in TurboActivate dll.
12. Run the program until it Breaks at this address, and Press the F7 Key to step into the CALL.
13. Jump to Address, or Scroll down until you see this code below, and set a break-point. We are going to change the 2 to a 1 later.

text:0066A12D loc_66A12D: ; CODE XREF: Turboactivateunit::TurboActivate::IsGenuine(uint,uint,bool,bool)+54j 
text:0066A12D ; Turboactivateunit::TurboActivate::IsGenuine(uint,uint,bool,bool)+60j ... 
text:0066A12D mov [ebp+var_D], 2

USE THE F8 KEY, or F9 KEY TO RUN THE PROGRAM TO RETURN TO THE LINE BELOW BREAK-POINT WHERE THE CALL WAS ENTERED

text:00685DF1 call @Turboactivateunit@TurboActivate@IsGenuine$qqruiuioo ; TurboActivate::IsGenuine
text:00685DF6 mov [ebp+var_6], al ; al was set = 2 in the call above, but we want it to = 1
text:00685DF9 cmp [ebp+var_6], 0 ; PLACE YOUR MOUSE OVER AL OR VAR_6 and YOU WILL SEE IT'S = 2
text:00685DFD jz short loc_685E0F ; WE WANT TO GO HERE
text:00685DFF cmp [ebp+var_6], 1
text:00685E03 jz short loc_685E0F
text:00685E05 cmp [ebp+var_6], 4
text:00685E09 jz short loc_685E0F
text:00685E0B xor eax, eax ; XOR sets Register EAX = ZERO, al is the Low byte Register of EAX
text:00685E0D jmp short loc_685E11 ; DON'T JUMP WE DON'T WANT TO GO THERE
-------------------------------------------------------------------------------------- ; HEX CODE FROM THE HEX VIEW-A TAB OF IDA
00685E0D EB 02 B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB
--- EB 02 B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB
00685E0D EB 00 - B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB CHANGE THE EB 02 to EB 00 - Don't jump
---------------------------------------------------------------------------------------
text:00685E0F
text:00685E0F loc_685E0F: ; CODE XREF: Unit1::softwareactivate(void)+59j
text:00685E0F ; Unit1::softwareactivate(void)+5Fj ...
text:00685E0F mov al, 1 ; WE WANT AL TO BE = 1
text:00685E11
text:00685E11 loc_685E11: ; CODE XREF: Unit1::softwareactivate(void)+69j
text:00685E11 mov [ebp+isActivated], al ; NOW isActivated = 1 or TRUE It's ACTIVATED
text:00685E14 xor eax, eax
text:00685E16 pop edx
text:00685E17 pop ecx
text:00685E18 pop ecx
text:00685E19 mov fs:[eax], edx
text:00685E1C jmp short loc_685E5C ; JUMPS, AND COMES TO CODE THAT WE ORIGINALLY DIDN'T JUMP AT
text:00685E1E ; ---------------------------------------------------------------------------
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
.text:00685E6C loc_685E6C: ; CODE XREF: Unit1::softwareactivate(void)+BCj
.text:00685E6C cmp [ebp+isActivated], 0
.text:00685E70 jz short loc_685E96

IN THE NEXT LESSON WE WILL LEARN HOW TO CHANGE THE CODE WITH A HEX EDITOR

LESSON 4 : HOW TO CHANGE THE AppyGEN.exe CODE WITH A HEX EDITOR

1. We need to make 2 changes to the program to make sure it is Activated Correctly
   One change is to set the Variable isActivated to a 1 = true, and the 2nd change is to Function called because it may be called by other parts of program.
2. We want the function unit@TurboActivate@IsGenuine to return a 1, since the 2 is Not Activated
3. The code at address text:00685DF9 checks Var 6 for 0, 1, 2, 4, and we sure as hell don’t want to jump to 685E11 after xor eax, eax because al = 0, and IsActivated will be set to a 0 = not activated. Zero is probably trial, 1 = Activated, 2 = Not Activated, and only the programer knows what the hell a 4 is.
4. NOW YOU WILL FIND OUT ABOUT NOTEPAD :
   With Mouse Select text from text:00685DA4 ; =============== S U B R O U T I N E TO : text:00685F08 retn
5. The retn is a Return near, the end of the Function
6. Copy and Paste the text into a File Named DEBUG,TXT
7. Place mouse on Following Line and Click: text:00685E0D jmp short loc_685E11 Click on IDA’s Hex View-A Tab, and open the Hex view for Address 00685E0D
8. Select the whole line, and Press the CTRL and C Key to copy the Line, and Paste it below the text:00685E0D jmp short loc_685E11 Paste it 3 times
9. The top line is the original Hex code, the 2nd line is the Hex Code we will search for, and the 3rd line is the changed Hex Code
10. Now remove the address from the 2nd line, and also remove all spaces this is the Hex Code we will search for with Hexplorer

CHANGE 1 :

text:00685E0D jmp short loc_685E11 ; DON'T JUMP WE DON'T WANT TO GO THERE
-------------------------------------------------------------------------------------- ; HEX CODE FROM THE HEX VIEW-A TAB OF IDA
00685E0D EB 02 B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB
EB 02 B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB
00685E0D EB 00 - B0 01 88 45 FB 33 C0 5A 59 59 64 89 10 EB CHANGE THE EB 02 to EB 00 - Don't jump

CHANGE 2:

text:0066A12D mov [ebp+var_D], 2 ; jumptable 0066A070 default case
-----------------------------------------------------------
0066A12D C6 45 F3 02 8A 45 F3 8B E5 5D C2 08 00 8B C0 55
C645F3028A45F38BE55DC208008BC055
0066A12D C6 45 F3 01 - 8A 45 F3 8B E5 5D C2 08 00 8B C0 55
-----------------------------------------------------------

1. To find the Hex Code open Hexplorer, open File AppyGEN,exe with Hexplorer
   Click on Edit, Click on Find, and paste the Hex Code from Line 2 only the numbers into the Hex Box
2. Hit F3 key to make sure it’s not found more than 1 time. If it is then reopen IDA Hex View-A, and Copy – Paste, and add the next line of Hex Code to the First, remove the spaces, and search again for 32 bytes of code.
3. Another way to find .exe File Offset : Open the Hex calculator in Hexplorer, and select Hex
4. Enter change 1 – IDA FILE OFFSET INTO THE CALCULATOR 00685E0D, and Subtract 400C00 from the offset to get the File Offset,
5. do the same for change 2 subtract 400C00 from the IDA offset.
6. Click on View, Click on go to Address, and enter this value into the Box
7. Verify you have the correct Hex Code to change, and then change it, Do this for both the Changes
8. Always save a copy of the File you are changing so you don’t have to Re-Install in case you screw up
9. Save the Debug.txt file, and the IDA Database for reference as you may want to do the next version.
10. As you watch the code while running a program in the Debugger you will learn, and get better at cracking.

Congratulations, you have Reversed your 1st Program, and it only took 2 bytes !