Visit http://cracking.accessroot.com
| Field | Value |
|---|---|
| Target | File Securer v3.54 |
| Title | Reversing MD5 Hash (The nasty way) |
| Protection | MD5 hash check on the serial (a hash, not encryption) |
| Tools | OllyDbg & PEiD |
| RE Level | Intermediate |
| OS Requirement | WinALL |
| Tutorial By | MaDMAn_H3rCuL3s/ARTeam |
| Compiled | June 5th, 2004 |
Let me begin by explaining a few things. This tutorial shows how to reverse a program whose registration check is built on MD5. After the check routine the program tests AL to decide whether it is registered or not, so all we will do is make sure AL=1. Very easy. The program also has (since most programs do this now) a check at startup to confirm registration; this is bypassed with a few extra lines of code. The problem with this easy patch is that the program does not write the key to the registry, so it stays registered to "Trial User", but it is registered in every other respect. So if you think you will not learn anything here, you may close this tutorial and continue on with your life. For those who wish to learn something, please read on. If you come across a better way (besides keygenning), please post your solution on the forum.
Okay, that out of the way. I will include pictures to better guide you. Those on the ARTeam tutorial mailing list will be the first to read this; please join the list to get these tutorials as they are uploaded. A benefit in its own right.
Without further ado, I present File Securer v3.54, cracked.
Part 1: Identifying Protection.
Okay, for those of you who already make this a habit, good on you. We begin with a simple check of the file's protection: start up PEiD and open the target.

So it's not packed. That's good :)

Next we scan for crypto signatures.

Well, this really sucks: the scan flags MD5.
We now know the target's difficulty level. Remember, people, just because the scanner says MD5 doesn't mean you should walk away. Most of the time the crypto is implemented poorly, and a hash only protects a registration check if the decision it feeds is out of reach; here the whole comparison collapses to one boolean in AL, which we control. You can tell from this tutorial that it is implemented poorly, or you wouldn't be reading one from me. :)
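How a crypto-signature scan recognises MD5, as an added example (not the tutorial's code and not PEiD's): MD5 (RFC 1321) starts from four fixed state words and uses 64 round constants T[i] = floor(abs(sin(i + 1)) * 2**32), and the compiler leaves them in the binary as little-endian immediates or as a table. The sample images below are constructed for the demonstration; they are not bytes from File Securer.

```python
"""Find MD5 by its constants, the way a crypto-signature scan does.

Added example, not code from the tutorial or from PEiD. The constants are
the published MD5 ones; the sample byte strings are constructed here.
"""
import math
import struct

# Initial state words A, B, C, D from RFC 1321.
MD5_IV = (0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476)
# The 64 sine-derived round constants, T[0] = 0xD76AA478 ... T[63] = 0xEB86D391.
MD5_T = tuple(int(abs(math.sin(i + 1)) * 2**32) for i in range(64))


def find_words(image: bytes, words) -> dict:
    """Map each 32-bit constant to the first offset where it appears little-endian."""
    hits = {}
    for w in words:
        off = image.find(struct.pack("<I", w))
        if off != -1:
            hits[w] = off
    return hits


def scan_md5(image: bytes, min_t: int = 8) -> dict:
    """Report IV hits, T-table hits and a verdict.

    MD4 and SHA-1 share MD5's first four IV words, so the IV alone is not a
    verdict; the sine table is what pins the routine to MD5. Requiring a
    handful of T constants also keeps a stray matching dword from counting.
    """
    iv = find_words(image, MD5_IV)
    t = find_words(image, MD5_T)
    return {"iv": iv, "t": t, "md5": len(iv) == 4 and len(t) >= min_t}


def le(words) -> bytes:
    """Pack 32-bit words little-endian, as an x86 compiler would emit them."""
    return b"".join(struct.pack("<I", w) for w in words)


# Constructed: a prologue, the four IV words loaded as immediates, some code,
# the first 16 round constants, and a RET.
SAMPLE_MD5 = b"\x55\x8b\xec" + le(MD5_IV) + b"\x90" * 8 + le(MD5_T[:16]) + b"\xc3"
# Constructed: a SHA-1-style initialisation (five IV words, no sine table),
# which shares four words with MD5 and must not be reported as MD5.
SAMPLE_SHA1_IV = le(MD5_IV + (0xC3D2E1F0,))

if __name__ == "__main__":
    for name, img in (("md5", SAMPLE_MD5), ("sha1-iv", SAMPLE_SHA1_IV)):
        r = scan_md5(img)
        print(name, "iv hits:", len(r["iv"]), "T hits:", len(r["t"]), "MD5:", r["md5"])
```

On a real target you would run `scan_md5` over each executable section rather than the whole file, and note the offsets: the code that references the T table is the hash routine, which is exactly the CALL the rest of this tutorial breaks on.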
Part 2: Debugging the Target.
Alright, we now have something to go on. Run the target outside of any tools; we will test it and see its weakness. So go ahead and start her up.

Don't worry if yours doesn't look like mine. I chose the Mac OS skin. :)

Again, I chose the Mac OS skin. Click the "About" tab in the lower left corner.

We see "Trial User" as the default name and four serial boxes.

Now we enter our details and see what kind of answer the target gives us.

Okay, we have something.

And we get this when we exit the program.
Okay, people, we have a winner. Let's start up Olly, load the target, and search for string references. Let the long journey of cracking begin.

We are now starting the search.

Now we search for the string. I try to keep the words to a minimum. Just me, I guess. :)
You will have to press CTRL+L (search next) a few times. Remember, this program is a file securer that uses passwords to protect files, so you will see several strings resembling the one you are looking for. Finally we land at the correct spot. I have already put a BP on this string, plus one more you will see when you get there.

You see the other string? This may work to our advantage. :)
I don't know how you guys usually do it, but when I find a BP I usually follow it while the program is active. Double-click the "Please input correct register code" string and you end up in some code. Trace it out and look above the string: you will notice a TEST AL, AL. Very nice indeed. :)

Okay, I set a BP on the CALL above the TEST, because that call usually decides whether you are registered or not.
If you trace into this CALL you will find many strings of numbers. These are the MD5 hash values, nothing really useful, at least to me. From the picture above we can tell that if AL=0 we are unregistered and if AL=1 we are registered. So now we need to find out how to make AL=1 every time. Well, my students, we will add a bit of code. That's right, ADD A BIT OF CODE. So, students, follow this CALL at 004B46D8.

You land on the PUSH EBP. You can step through this code if you like. Remember, it's MD5. :)
As you get deeper into the code you will notice many numbers appearing on the stack. They are not serial numbers, people; they are the MD5 hash values. The routine hashes them in some way together with your input serial. This is a little out of my league, so I will teach you to bypass the hash check rather than the math. Follow the code to the very end and you will see where it returns to the caller with AL=0. So in order to crack this we MUST make AL=1. The first way that came to my mind was this: at the very bottom, before the return to the caller, it moves EBX into EAX. Well, EBX=0 at that point, so that won't work. Look below to see what I am talking about.

We land on this MOV EAX, EBX.
The solution I came up with was to jump to another location, INC EAX there, and jump back, turning the 0 into 1 so that AL=1. Look below for a full picture of the patch.

Changes are in RED.
So instead of MOV EAX, EBX we jump to our code, increment EAX, and jump back into the real program. This is an inline patch through a code cave: a jump out to some spare bytes, the new instruction, and a jump back to the original flow. Any nonzero value satisfies TEST AL, AL, so INC EAX on the 0 the routine produced is enough; a MOV EAX, 1 in the cave would give the same result regardless of what the register held before. I hope you understood exactly what happened here. If you do not, I am sorry; stop by the forum and ask one of us ARTeam members, and we will be happy to explain it to you. The forum is located HERE.
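The mechanics of that inline patch, as an added example that is not the tutorial's patch file: the page gives only the address of the CALL (004B46D8), not of the MOV EAX, EBX or of the free space used for the new code, so the image, the image base and every offset below are constructed for the demonstration. What is real is the method: overwrite the MOV with a JMP rel32 to an empty area, run the displaced instructions there with INC EAX spliced in, and JMP back to the next original instruction.

```python
"""Inline (code-cave) patch of the kind described above, on a constructed image.

Added example, not the tutorial's patch and not File Securer's code.
Addresses, the image layout and the routine's epilogue are made up.
"""
import struct


def jmp_rel32(at_va: int, to_va: int) -> bytes:
    """Encode `JMP to_va` for an instruction sitting at at_va.

    rel32 is relative to the end of the 5-byte JMP; struct raises if the
    displacement does not fit in a signed 32-bit value.
    """
    return b"\xe9" + struct.pack("<i", to_va - (at_va + 5))


def inline_patch(image: bytes, base_va: int, site_va: int, site_len: int,
                 insert_at: int, payload: bytes, cave_va: int) -> bytearray:
    """Redirect `site_len` bytes at site_va through a cave at cave_va.

    The cave receives the displaced bytes with `payload` spliced in after
    `insert_at` bytes, followed by a JMP back to site_va + site_len.
    site_len and insert_at must fall on instruction boundaries, and the
    displaced instructions must be position independent (no CALL/JMP rel,
    no RIP-relative operands): they are copied verbatim, not relocated.
    """
    if site_len < 5:
        raise ValueError("a JMP rel32 needs 5 bytes at the patch site")
    if not 0 <= insert_at <= site_len:
        raise ValueError("insert_at outside the displaced span")
    patched = bytearray(image)
    site = site_va - base_va
    cave = cave_va - base_va
    displaced = bytes(image[site:site + site_len])
    body = displaced[:insert_at] + payload + displaced[insert_at:]
    body += jmp_rel32(cave_va + len(body), site_va + site_len)
    # Refuse to clobber anything: the cave must be zero padding inside the image.
    if cave + len(body) > len(image) or any(image[cave:cave + len(body)]):
        raise ValueError("cave is not empty or runs past the image")
    patched[cave:cave + len(body)] = body
    # JMP out, then NOPs so a disassembler re-synchronises after the jump.
    patched[site:site + site_len] = jmp_rel32(site_va, cave_va) + b"\x90" * (site_len - 5)
    return patched


BASE_VA = 0x00400000   # constructed: image base
FUNC_OFF = 0x100       # constructed: where the check routine's epilogue sits
CAVE_OFF = 0x200       # constructed: zero padding in the same executable section

# push ebp; mov ebp,esp; push ebx; push esi; push edi; xor ebx,ebx;
# mov eax,ebx; pop ebx; pop esi; pop edi; pop ebp; ret
FUNC = bytes.fromhex("55 8bec 53 56 57 33db 8bc3 5b 5e 5f 5d c3")
MOV_OFF = FUNC.index(b"\x8b\xc3")            # the MOV EAX, EBX the tutorial patches
SITE_VA = BASE_VA + FUNC_OFF + MOV_OFF
CAVE_VA = BASE_VA + CAVE_OFF


def build_image() -> bytes:
    img = bytearray(0x300)
    img[FUNC_OFF:FUNC_OFF + len(FUNC)] = FUNC
    return bytes(img)


def patch_demo() -> bytearray:
    # Displace MOV EAX,EBX + POP EBX/ESI/EDI (5 bytes, three instruction boundaries)
    # and splice INC EAX (0x40) right after the MOV, so EAX = EBX + 1 = 1.
    return inline_patch(build_image(), BASE_VA, SITE_VA, site_len=5,
                        insert_at=2, payload=b"\x40", cave_va=CAVE_VA)


if __name__ == "__main__":
    p = patch_demo()
    print("site:", p[SITE_VA - BASE_VA:SITE_VA - BASE_VA + 5].hex())
    print("cave:", p[CAVE_OFF:CAVE_OFF + 11].hex())
```

Two checks a practitioner makes before saving such a patch: the cave has to lie in a section that is mapped executable (section alignment padding in .text is, data sections are not once DEP is on), and the displaced span has to end on an instruction boundary so the jump back lands on a real instruction rather than in the middle of one.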
After these changes the program is registered to "Trial User". The nag is gone, and so are the limitations; this baby is cracked. I have included the patch for those who get really lost, so you can apply it and see what I changed. Once registered, the "Register" button becomes grayed out and you can't enter anything in the edit boxes, so once this one is patched it is done. Well, I hope you enjoyed this tutorial; it was a pleasure writing it for you. Remember to join the mailing list to get the tutorials as they come out. I am MaDMAn_H3rCul3s and I am out... peace.
*Note: The bee in the header is taken from The Hive.
*Note 2: If you find yourself using this program beyond the trial period, you should register it. Software developers rely on this income to support their families.