API Monitor---------------Using API Monitor to crack copy protected software

For this tutorial we'll be the using mirial softphone which is a HD video conferencing application. This tutorial are for educational purposes only, so please do not use this to create or distribute a cracked copy of the so Ftware.

When you install the application, it prompts a license file. After installing the license, you have the evaluate the application. The expiration date is displayed on this screen; It is March 15, 2011.

Step 1

Trial applications usually store license information in either the registry or on the file system. Since This application prompted us to a license file, we know that it uses the file system. Start up the 32-bit version of API Monitor and enable API's from the File Management category.

Step 2

Select Hook Process from the File, menu to start monitoring the application.

API Monitor would start monitoring and displaying API calls. The application should now display a message indicating that it's an evaluation version. Hit Cancel to quit the application.

Step 3

Now it has captured the API calls made by the application and we need to find the one, the reads file. Scan through the calls in the API summary view until your find the right one.

The application is reading from Mirial.lic file. The name suggests that it might is a license file, so let's open it up.

We ' ve located the license file and it has the expiration date in it.

Step 4

Modify the expiration date in the license file to 2012-03-15 and save the file. Now launch the application again. The application should now display a error indicating that the license is invalid. Hit Cancel to quit the application.

Step 5

Our next step was to start debugging the application right after it had read the license file. From Step 3, we know this application uses Createfilea to open the file and ReadFile to read the file. Setup a breakpoint on Createfilea and launch the application in API Monitor. The breakpoint'll be hit multiple times; Continue until you reach the one that opens the license file.

Switch back to API Monitor and enable a Post-call breakpoint on the ReadFile API and disable the Createfilea breakpoint. Now hits Continue to let the application run. API Monitor should now display the ReadFile breakpoint.

Now hits the break button to has API Monitor generate a breakpoint in the application. You should now is able to attach to the application using a debugger.

Step 6

Your Debugger should now display disassembled instructions from the application

If you are on the call stack, you'll notice the current frame is in Apimonitor-drv-x86.sys. Use the debugger-step out until your reach code in the application.

Step 7

The debugger is currently at a location right after the application have finished reading the license file and before it CH Ecks the validity of the license. We need to locate the code, performs this check and disable it.

The most common software crack are the modification of an application's binary to cause or prevent a specific key branch in The program ' s execution. This was accomplished by reverse engineering the compiled program code using a debugger such as SoftICE, ollydbg, GDB, or M Acsbug until the software cracker reaches the subroutine that contains the primary method of protecting the software (or b Y disassembling an executable file with a program such as IDA). The binary is then modified using the debugger or a hex editor in a manner that replaces a prior branching opcode with its Complement or a NOP opcode so the key branch would either always execute a specific subroutine or skip over it. –wikipedia

Stepping though some of the code, we come across this location which looks like a possible match to the code we ' re looking For.

Step 8

The value of register EAX is 0, right after the function call. Let's modify the value to 1 and continue running the application. The application displays a different error message this time; Instead of an invalid license, the application are telling us that it's unable to locate the file.

Step 9

Now and we have pinpointed the location where the application checks for a valid license, all we need to do are to play AR Ound with the values and JMP instructions to find one, that works. In this case, inverting the "Jump instruction" from JE to Jne tells the application, which it has a valid license file. Running the application with the modified code displays our new expiration date of March 15, 2012.

Discuss this article here:http://www.rohitab.com/discuss/topic/37059-using-api-monitor-to-crack-copy-protected-software/

API Monitor---------------Using API Monitor to crack copy protected software