*************************************************************************************************
TITLE: Cracking tutorial for CD Catalog Expert version 8.00 with Windows XP using Point H method
*************************************************************************************************
BEST VIEWED: Notepad with word wrap enabled, and in restored window mode
*************************************************************************************************
TOOLS USED: Ollydbg v1.09d
*************************************************************************************************
TARGET: cdc.exe
*************************************************************************************************
LOCATION OF TOOLS AND PROGRAM:
Ollydbg v1.09d
http://grinders.withernsea.com/tools/odbg109d.rar
CD Catalog Expert version 8.00
http://grinders.withernsea.com/tools/CD_Catalog_Expert_v8.00.zip
Point H tutorial by Ricardo Narvaja (optional)
http://grinders.withernsea.com/tutorials/punto_h_english.zip
Cruehead Crackme 2 (optional)
http://grinders.withernsea.com/tools/Cruehead_Crackmes.zip
*************************************************************************************************
CONTACT INFORMATION: vinceandjane@hotmail.com
*************************************************************************************************
TUTORIAL WRITTEN: 7/02/2004
*************************************************************************************************
AUTHOR: Pompeyfan
*************************************************************************************************

This is my first cracking tutorial, so hopefully I have learnt enough to be able to explain things clearly enough for people to follow.
If you don't already know it, you will need to first determine point H (the XP equivalent of hmemcpy) for your computer. Some excellent articles have been written on this, particularly by Ricardo Narvaja, who is a member of both the Exetools forum and the Ollydbg forum. I'll try and summarise how to find it as follows; if you want a more detailed explanation, then try this tutorial by Ricardo:
http://home.tiscali.cz:8080/robocop/files/punto_h_english.zip

1). Download Cruehead Crackme 2 at http://grinders.withernsea.com/tutorials/Cruehead_Crackmes.zip and open it in Olly.
2). Search for name (label) in current module and choose the API TranslateMessage.
3). Once on this API, right click, and choose CONDITIONAL LOG BREAKPOINT ON IMPORT.
4). In Condition type in "MSG==201", Expression should show "MSG", Decode value of expression as should show "Assumed by expression" (all without quotation marks). Change Pause program to On condition.
5). Press run.
6). Put in name and serial, then hit OK.
7). Olly stops at the breakpoint. Hit ALT & M to activate the Memory map window, enter your serial in the ASCII box, click OK.
8). The dump window comes up, and you will see your serial. Highlight it, right click, Breakpoint/Memory, on access, then hit run.
9). You should then be at point H, in my case:

77D5DEBB F3:A5 REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>

Okay, down to business, let's attack our target. Open Olly, and if you haven't done so already, to make things easier for yourself, right click, select Appearance/Highlighting/Jumps'n'calls; it makes things so much easier to follow.
Open cdc.exe in Olly, and you land here:

004C1214 >/$ 55 PUSH EBP

Press F9 (run). Click on cdc in your tray to bring up the registration dialogue box. Enter your name and fake serial; I'll use Pompeyfan and 47806. Don't press enter yet.

Right click/Go to/Expression. Enter the address of point H for your computer, in my case 77D5DEBB, hit OK and you land here:

77D5DEBB F3:A5       REP MOVS DWORD PTR ES:[EDI],DWORD PTR DS>
77D5DEBD 8BC8        MOV ECX,EAX
77D5DEBF 83E1 03     AND ECX,3
77D5DEC2 F3:A4       REP MOVS BYTE PTR ES:[EDI],BYTE PTR DS:[>
77D5DEC4 E8 04F9FFFF CALL user32.77D5D7CD

Right click, Breakpoint/Memory, on access. Now click on CDC to bring the registration screen back up again, and hit the Register button. Olly breaks at the above address.

Select follow address in dump for the EDI register. Click once on 77D5DEBB, then press F8 down to the call; your username will be loaded into the dump window. Highlight it, right click/Breakpoint/Memory, on access. Press F9 (run), and you land here:

00408B0D |.  807C1F FF 20  |CMP BYTE PTR DS:[EDI+EBX-1],20
00408B12 |.^ 76 F4         \JBE SHORT cdc.00408B08
00408B14 |>  3BF3           CMP ESI,EBX
00408B16 |.  7D 0A          JGE SHORT cdc.00408B22
00408B18 |.  8BC5           MOV EAX,EBP
00408B1A |.  E8 11BBFFFF    CALL cdc.00404630
00408B1F |.  EB 17          JMP SHORT cdc.00408B38
00408B21 |>  4E            /DEC ESI
00408B22 |>  807C37 FF 20   CMP BYTE PTR DS:[EDI+ESI-1],20
00408B27 |.^ 76 F8         \JBE SHORT cdc.00408B21
00408B29 |.  55             PUSH EBP
00408B2A |.  8BCE           MOV ECX,ESI
00408B2C |.  2BCB           SUB ECX,EBX
00408B2E |.  41             INC ECX
00408B2F |.  8BD3           MOV EDX,EBX
00408B31 |.  8BC7           MOV EAX,EDI
00408B33 |.  E8 08C0FFFF    CALL cdc.00404B40
00408B38 |>  5D             POP EBP
00408B39 |.  5F             POP EDI
00408B3A |.  5E             POP ESI
00408B3B |.  5B             POP EBX
00408B3C \.  C3             RETN

Press F8 several times to trace through the code. You will see your user name and fake serial appear a few times, then eventually, when you get here:

004B35F2 . 8B55 E8 MOV EDX,DWORD PTR SS:[EBP-18]

if you look down in the dump window you will see the correct serial for your user name, in my case 6601-3030.

Close Olly, start up cdc.exe, enter your user name and the serial you obtained using Olly, and voila! Well done cracker!!!

And remember, if you use the program, buy it. Software developers rely on the income from sales to keep going; if nobody buys, no new software would be developed.

*************************************************************************************************
SHOUTZ AND GREETZ: To exetools forum, tsrh forum, Ollydbg forum, Ricardo Narvaja, Nilrem & Ferarri whose tuts have helped me more than any others, Ollydbg, and the authors of CD Catalog Expert
*************************************************************************************************
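The whole tutorial hinges on one design weakness: the program computes the correct serial for the typed name and holds it in memory right before the compare, so a memory breakpoint on the name is enough to read it out of the dump window. The following Go program is an added illustration of that weakness next to the usual fix; it is not code from this tutorial nor from CD Catalog Expert, and the functions (weakExpectedSerial, weakCheck, issueLicense, signedCheck) and the SHA-256 based toy derivation are constructed for the example. In the signed variant the vendor keeps the private key, the program ships only the public key, and nothing in the process can ever produce a valid serial, so there is nothing for a dump window to reveal.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// weakExpectedSerial is a constructed stand-in for a name-derived serial scheme.
// The point is not the formula but that the program must compute the one
// correct answer before it can compare, so the answer sits in memory.
func weakExpectedSerial(name string) string {
	sum := sha256.Sum256([]byte(name))
	return fmt.Sprintf("%04X-%04X",
		binary.BigEndian.Uint16(sum[0:2]),
		binary.BigEndian.Uint16(sum[2:4]))
}

// weakCheck is the pattern the tutorial exploits: derive, then compare.
// A debugger stopped at this compare sees both strings side by side.
func weakCheck(name, serial string) bool {
	expected := weakExpectedSerial(name) // correct serial now visible in memory
	return expected == serial
}

// issueLicense runs on the vendor's side only: the serial is an Ed25519
// signature over the name, hex-encoded for typing into a dialogue box.
func issueLicense(priv ed25519.PrivateKey, name string) string {
	return hex.EncodeToString(ed25519.Sign(priv, []byte(name)))
}

// signedCheck is what ships in the program. It holds only the public key, so
// it can recognise a genuine serial but cannot construct one; watching this
// function in a debugger reveals the verdict, never a valid serial.
func signedCheck(pub ed25519.PublicKey, name, serial string) bool {
	sig, err := hex.DecodeString(serial)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false // malformed input is rejected before Verify sees it
	}
	return ed25519.Verify(pub, []byte(name), sig)
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	name := "Pompeyfan" // constructed sample input, matching the tutorial's name
	fmt.Println("weak scheme, expected serial held in memory:", weakExpectedSerial(name))
	fmt.Println("weak check with fake serial 47806:", weakCheck(name, "47806"))

	lic := issueLicense(priv, name)
	fmt.Println("signed check, genuine license:", signedCheck(pub, name, lic))
	fmt.Println("signed check, fake serial 47806:", signedCheck(pub, name, "47806"))
	fmt.Println("signed check, license for another name:", signedCheck(pub, "Someone else", lic))
}
```

The signed variant does not stop someone from patching the conditional jump after Verify, which is a separate problem; what it removes is exactly the shortcut used above, where a memory breakpoint on the user name leads straight to the correct serial.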