• Title: Cracking Mpeg TV player (4,000 characters)
  • Author: jsjyt
  • Time: 2001-6-22 19:24:39
  • Link: http://bbs.pediy.com

Introduction
Mpeg TV player is a decent MPEG player for Linux, which plays MPEGs a lot better than xanim or ubc mpegplay do. It is available at www.mpegtv.com.

Tools Needed
dasm.pl - a disassembler for Linux, which relies on objdump.
You will also need a C compiler to build the crack, but you probably already have that.

Cracking it
The first thing you need to do is disassemble the file "mtv" with dasm.pl:
Cacophony:~/cracking/dasm.pl mtv mtv-listing
Now browse through the listing. I just type "less mtv-listing", but you can use whatever you like. Let's search for the string "UNREGISTERED" (in less, or vi, type "/UNREGIST"). You'll arrive at a "Possible reference to string: UNREGISTERED" part of the listing, and directly above that you'll see "Referenced from jump at 0804cddc;". Go up to 0x0804cddc and you'll see this:


Referenced from call at 0804d1e0 ; 0804e646 ; 0805043e ;

0x0804cdcd subl  $0x100,%esp
0x0804cdd3 movl  0x8074144,%ecx
0x0804cdd9 pushl  %ebx
0x0804cdda testl  %ecx,%ecx
0x0804cddc je    0x0804cdfe



This code simply moves the value at 0x8074144 into ecx, and if ecx is 0, jumps to the unregistered part. So if 0x8074144 were 1, we might be registered (if you look a little below this code you will see other things to worry about, but let's ignore them at first and see what happens). So now search for 0x8074144 in your editor, but don't stop until you find where 0x8074144 is being set to a value, not being used to set a register: basically, whenever you see it in a "movl arg1,arg2", we want to find it after the comma, as arg2, if that makes sense. We end up here:


0x08050258 pushl  %ebp
0x08050259 call  0x08058bcc
0x0805025e movl  %eax,0x8074144



You can tell right away that the function at 0x08058bcc is a registration check: it sets eax to 0 and returns if you aren't registered, but makes eax = 1 if you are. So now go to 0x08058bcc in your listing. Looking through the code at 0x08058bcc, you'll see things like "reference to string: /home/tristan/mpeg/dec/challenge.c", which makes me think maybe there are assert macros in the code for this program? Either way, it sure sounds like a registration function to me. Scroll down through this function (which is probably worth taking a look at if we were going to try to get a working serial number, which is better than a crack, but oh well) until you get to the very end. You will see the usual pops and ret, and right above that, a xorl eax,eax. XOR'ing a register with itself makes it zero, so we don't want that to happen. Write down the location this occurs at, 0x8058fe9, and now you can exit the listing.

xor eax,eax takes two bytes, and we need to make eax = 1 (or greater). If we changed the code into an INC EAX and a NOP, that would guarantee eax is at least 1, and fit just perfectly. So now, in order to make the crack, we need to figure out the hex bytes to search for in the file "mtv". Run the command "objdump -d --show-raw-insn mtv | grep 8058fe". You'll see the bytes we need to change, and the bytes around them, which give us a better string to search for in our hex editor. We are going to search for "83 c4 08 31 c0 5b 5e". In your hex editor (don't have one? go to freshmeat.net and get hexer, it has a vi-like interface), search for our string (in hexer, while in command mode, type "/\x83\xc4\x08\x31\xc0\x5b\x5e"). Notice you are at 00010fe0; just count the number of bytes over until you reach 31, then add that to 10fe0, and that's the offset of the bytes we need to change (0x10fe9). Now we will make a small program in C for the crack, and we will be done (the bytes we need to change are 31 c0 into 40 90; 0x40 is the opcode for inc eax, 0x90 is the opcode for NOP).
Attached at the end of this document is the source for the crack. Copy it to a file, save it (I named it mtv-crack.c), type "gcc -o mtv-crack mtv-crack.c", then run mtv-crack in the directory mtv is in.
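As an added example, not part of the original post and not code from MpegTV, here is the check a defender or packager would run to tell whether a copy of the binary still has the xorl %eax,%eax at the end of the registration function or has had it replaced by the inc/nop pair described above. The seven-byte sequence and the file offset 0x10fe9 are the ones quoted in this tutorial and are assumed to apply only to that build of mtv.

```c
#include <stdio.h>
#include <string.h>

/* Seven bytes the tutorial searches for at the end of the check function
   (addl $8,%esp / xorl %eax,%eax / popl %ebx / popl %esi); the xorl (31 c0)
   is 3 bytes in. Offset is the tutorial's and assumed to fit only that build. */
#define SEQ_LEN 7
#define XOR_IN_SEQ 3
#define XOR_FILE_OFFSET 0x10fe9L
static const unsigned char ORIG_SEQ[SEQ_LEN]    = {0x83,0xc4,0x08,0x31,0xc0,0x5b,0x5e};
static const unsigned char PATCHED_SEQ[SEQ_LEN] = {0x83,0xc4,0x08,0x40,0x90,0x5b,0x5e};

enum { REGION_ERROR = -1, REGION_UNKNOWN = 0, REGION_ORIGINAL = 1, REGION_PATCHED = 2 };

/* Classify the bytes around position xor_off in buf: intact, patched to
   inc/nop, or something else (a different build or a different edit). */
int classify_region(const unsigned char *buf, size_t len, size_t xor_off)
{
    if (xor_off < XOR_IN_SEQ || xor_off - XOR_IN_SEQ + SEQ_LEN > len)
        return REGION_ERROR;
    const unsigned char *p = buf + xor_off - XOR_IN_SEQ;
    if (memcmp(p, ORIG_SEQ, SEQ_LEN) == 0) return REGION_ORIGINAL;
    if (memcmp(p, PATCHED_SEQ, SEQ_LEN) == 0) return REGION_PATCHED;
    return REGION_UNKNOWN;
}

/* Read the window from the file on disk and classify it; REGION_ERROR on I/O failure. */
int check_file(const char *path, long xor_off)
{
    unsigned char window[SEQ_LEN];
    FILE *f = fopen(path, "rb");
    if (!f) return REGION_ERROR;
    if (xor_off < XOR_IN_SEQ || fseek(f, xor_off - XOR_IN_SEQ, SEEK_SET) != 0) {
        fclose(f);
        return REGION_ERROR;
    }
    size_t n = fread(window, 1, SEQ_LEN, f);
    fclose(f);
    return n == SEQ_LEN ? classify_region(window, SEQ_LEN, XOR_IN_SEQ) : REGION_ERROR;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "mtv";
    const char *names[] = {"unknown bytes", "original xorl %eax,%eax", "patched to inc/nop"};
    int r = check_file(path, XOR_FILE_OFFSET);
    if (r < 0) { fprintf(stderr, "cannot read %s at 0x%lx\n", path, XOR_FILE_OFFSET); return 1; }
    printf("%s: %s\n", path, names[r]);
    return r == REGION_ORIGINAL ? 0 : 2;
}
```

Exit status 0 means the check is intact, 2 means the bytes were patched or differ from this build, 1 means the file could not be read at that offset.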

I just wanted to add that GDB really doesn't compare to SoftICE; luckily it's open source. Has anyone thought of adding features, like assembling code in memory to try cracks out without having to build a crack? I think that's something to look into, along with a decent hex editor for Linux, although maybe I just need to look around a little bit more.


--------mtv-crack.c - cut here----------
/* Crack for MpegTV - www.mpegtv.com by vipvop@punkrocker.co.uk
  compile - "gcc -o mtv-crack mtv-crack.c"
  this is meant for the glibc version */
#include <stdio.h>
#include <stdlib.h>   /* for exit() */

char *filen="mtv";

/* Overwrite the two bytes at 'location' (the xorl %eax,%eax found above)
   with 0x40 0x90 (inc %eax ; nop). */
int crackit(long int location)
{
  FILE *tocrack;
  unsigned char x[2];

  x[0]=0x40;   /* inc %eax */
  x[1]=0x90;   /* nop */
  tocrack = fopen(filen, "r+");
  if(!tocrack)
  {
    printf("Cant open %s\n",filen);
    exit(-1);
  }
  fseek(tocrack,location,SEEK_SET);
  fwrite(x,2,1,tocrack);
  fseek(tocrack,0,SEEK_END);
  fclose(tocrack);
  return 0;
}

int main(void)
{
  crackit(0x00010fe9);   /* file offset of the 31 c0 bytes worked out above */
  return 0;
}