I saw a request for someone to remove a doc check in a Mac Classic app today, to which I volunteered. This made me think back to the amount of things I've cracked code on. I thought I should document that list somewhere, and maybe a story or two.
- As explained elsewhere on this blog, I started cracking on the Commodore 64.
- Then cracked a couple of games on TRSDOS on the Radio Shack TRS-80 Model 3/4.
- Then, I sold my C-64 stuff, and bought an Amiga. I cracked a few games there.
- While at work one day, I got the opportunity to crack Empire! for my boss on DOS.
- I cracked games on Windows.
- I cracked an NLM module on Novell Netware once
- I cracked an app for the Palm Pilot, so Palm OS
- I've cracked Macintosh apps on 68k, PPC, and X86.
- I cracked a "Pay to use" sound driver for Linux. (10k1 sound driver IIRC).
- I "cracked" Super Star Wars on the SNES, as it wouldn't run on the Magicom
- I cracked/keygened a Verifone Tranz 380x2
There would be another, but I was thwarted by a hash of the data on the card. I rented a Mercedes C300 for a trip once, and when I tried to use the navigation, it told me that I needed to purchase a license for it. I also found that there was an SD card in the car with the navigation software on it. So, I took it out, WRITE PROTECTED IT, and copied the contents off to my PC. I then put the card back in the car, and returned it to the rental agency. When I got home, I looked at the navigation program that I had gotten from the card, and I was quite shocked to see that it was Windows CE based, and the registration stuff was in a .DLL. I tossed it into IDA, and finding the registration code, and finding the specific place to cause it to not CARE that it wasn't licensed, was pretty easy. I went online, and looked around, and there was, at the time, a message board dedicated to people that owned the C class, and there was a topic in it talking about the navigation, and having to buy a license. I asked if anyone would be willing to try my "modified" version, and a couple of people offered to give it a shot. I patched the .DLL, and posted a link on this board, people grabbed it, and told me that when they put it on the card, the car refused to even admit that there was anything in the card reader. So, I assume it was hashed somewhere or something. (That's how *I* would do it if I were trying to protect it). So, not having access to a head unit to pull the code from, that was the end of that investigation.
I've long been fascinated with automotive head units, and the code that runs on them. I had a rental Genesis G80 once as well, and I did the same thing. Pulled the SD Card, and copied the code from it for examination. This was much better, as it's x86 Linux running QT apps. So, something that I wanted to know. This car featured Sirius XM radio, and I wanted to see where in the code it was handled. So, I went looking, only to find that the head unit code only handled status messages sent over the DBUS interface, from what I can only assume, is a self-contained module in the head unit. So, no code to look at there. And that's a shame, as Hyundai, or whomever makes the units, didn't strip the executables, so I got function names, and some variable names as well. It was easy to disassemble, read, and understand.