Friday, July 01, 2005

How Vulnerable is the Serial Number Protection?

By: Zemog Xilef Sevet


Is it annoying to see “You have 15 days remaining” or “Your evaluation period has expired. Please register soon!”? If this pops up when you run your favorite game or application, then you have the trial version. Some programmers do this so that, after the given period, you will buy their product. This is one of the most popular ways of securing an application.

But is it really secured?

This article will show you that some of the security schemes they use are not really safe. I will provide you with the basic principles of how to tweak the application. This is for educational purposes only. There is nothing wrong with knowing whether an application is secure or not, is there?

There are two things that you need to know. First, learn how to read an assembly-language program. Next, do some homework on hex numbers, that is, the hex equivalents of the assembly instructions. Unfortunately, I will not provide information about these things here, so check them yourself and come back later.

There are a variety of ways to set the number of runs, the date, or the time at which the application disables itself. However, they all work on the same principle.

If you only have one remaining day on your trial version, changing the system date will not work! It may even give the application an “early retirement”.

So what to prepare?

1. A disassembler
2. A hex viewer
3. The application

What to do?

Some applications will tell you “The license number you entered is invalid” when you enter an incorrect number. Memorize the message. Disassemble the application using any available disassembler, such as W32Dasm. Once you have disassembled it, you will see many lines of assembly code and some hex numbers.

Search for the message you noted earlier. When you have found it, you will usually see the reference addresses of the conditional (C) and unconditional (U) jumps just before the line containing the message. It is very important that you get the addresses of all the conditional jumps. Copy all those addresses and close the disassembler.

Why are they so important? Because these are the addresses of the conditional jumps we need.

Why are these jumps so important? Because they are our key to tweaking the program.

How?


This is how the condition is usually written:

    If input = license Then
        “don’t ask for a license anymore”
    Else
        “always ask for a license”

So we revise the program to:

    If input <> license Then
        “don’t ask for a license anymore”
    Else
        “always ask for a license”

As you can see, we only change the operator to its complement. Thus, if we have “less than”, we change it to “not less than”. Simple.

In assembly, we have JE (Jump If Equal), JNE (Jump If Not Equal), JG (Jump If Greater), JNG (Jump If Not Greater), JL (Jump If Less), JNL (Jump If Not Less), etc. So to reverse the code, if it is JE, the reverse is JNE.

Going back to our list of addresses, open the application in the hex viewer and look for the first address on the list. This will land you on a single line with lots of numbers. You need to know which number(s) you are going to change.

The table below will give you a guide (opcode bytes in hex, and the instruction they encode):

    Opcode        Instruction
    75 or 0F85    JNE
    74 or 0F84    JE
    0F8F          JG
    0F8E          JNG
    0F8C          JL
    0F8D          JNL

Now move on to the next address on your list and do the same. Save your work and run the application. See what happens.

As you can see, this kind of security is very easy to tweak. Whichever programming language the application was written in does not matter, since you are dealing with the program’s hex (machine-code) equivalent.
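As a defender’s counterpart to the table above, here is an added Python example (not from the original article) that compares a known-good build with a suspect copy and flags byte differences that turn a conditional jump into its complement (74/75, 0F84/0F85, and so on), which is exactly the one-byte patch described here. The sample byte strings are constructed for the example; the check is a heuristic and only looks at in-place, same-size patches.

```python
# Added example: detect a complemented conditional jump by diffing a
# known-good image against a suspect copy. Not part of the original article.
# x86 encodes each conditional jump and its complement as a pair of opcodes
# that differ only in the lowest bit: 74 JE / 75 JNE, 7C JL / 7D JNL, and the
# near forms 0F 84 / 0F 85, 0F 8C / 0F 8D, and so on.

SHORT_JCC = {0x74: "JE", 0x75: "JNE", 0x7C: "JL", 0x7D: "JNL",
             0x7E: "JNG", 0x7F: "JG"}
# Near (32-bit displacement) forms follow a 0F escape byte.
NEAR_JCC = {0x84: "JE", 0x85: "JNE", 0x8C: "JL", 0x8D: "JNL",
            0x8E: "JNG", 0x8F: "JG"}


def classify_flip(good: bytes, suspect: bytes, offset: int):
    """Return (original, patched) mnemonics if the byte at `offset` turns a
    conditional jump into its complement, otherwise None."""
    g, s = good[offset], suspect[offset]
    if g ^ s != 1:  # complements differ only in the low bit
        return None
    if g in SHORT_JCC and s in SHORT_JCC:
        return SHORT_JCC[g], SHORT_JCC[s]
    if (offset > 0 and good[offset - 1] == 0x0F
            and g in NEAR_JCC and s in NEAR_JCC):
        return NEAR_JCC[g], NEAR_JCC[s]
    return None


def find_flipped_jumps(good: bytes, suspect: bytes):
    """Diff two same-size images and list (offset, was, now) for every
    conditional jump that has been replaced by its complement."""
    if len(good) != len(suspect):
        raise ValueError("images differ in size; not a simple in-place patch")
    hits = []
    for off, (g, s) in enumerate(zip(good, suspect)):
        if g != s:
            flip = classify_flip(good, suspect, off)
            if flip:
                hits.append((off, *flip))
    return hits


# Constructed sample: CMP EAX,ECX; JE short +0x10; JL near +0x20; NOP.
GOOD = bytes.fromhex("3bc1" "7410" "0f8c20000000" "90")
# Suspect copy with both jumps complemented (JE -> JNE, JL -> JNL).
SUSPECT = bytes.fromhex("3bc1" "7510" "0f8d20000000" "90")

if __name__ == "__main__":
    for off, was, now in find_flipped_jumps(GOOD, SUSPECT):
        print(f"offset 0x{off:x}: {was} -> {now}")
```

In practice you would run this over the code section of a shipped binary and a customer-reported copy; an unexpected hit at one of your license checks is a strong sign the binary was patched.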

Again, this article is intended to teach developers how to protect their applications from being cracked. Furthermore, it shows developers how vulnerable their applications are and what to consider in their programs to avoid being cracked.