DArK_BLuE - Cracking Tutorial #1

1. Introduction:
~~~~~~~~~~~~~~~~

Welcome to my first cracking tutorial! In this tutorial I will show you how to modify a program so that it becomes its own key generator ;) We will use the message box that shareware programs usually show when the serial number is wrong (e.g. "Invalid Serial #", "Registration Failed", etc.). I will use the program Start Clean v1.2 as the example. I know Qapla wrote a tutorial about cracking this program, but I wanted to show you how to get a key generator without writing your own ;) Let's get to work!

2. Tools:
~~~~~~~~~

1. SoftICE 3.x (I used 3.2)
2. W32Dasm 8.x (I used 8.9)
3. Your favourite hex editor (mine is Hex Workshop 2.50)

3. About the Program:
~~~~~~~~~~~~~~~~~~~~~

This program is very simple (and small: 31 KB = 31,744 bytes). It removes the shortcuts on the Start Menu that don't point to anything. It's a nice tool.

4. Let's Crack:
~~~~~~~~~~~~~~~

1. If you haven't already configured your winice.dat, let's do it now. Remove the ";" signs in front of the DLL exports just after these lines:

   "Examples of export symbols that can be included for Windows 95"
   "Change the path to the appropriate drive and directory"

   Now save winice.dat and restart your computer with SoftICE loaded.

2. Open Start Clean. There is a screen with the command buttons "OK" and "Register". Choose "Register". It asks for a name and a code. Enter a name and a fake serial, click "OK" and see what happens: a message box with an "Incorrect Code" message.

3. Press Ctrl + D. You are in SoftICE now. We will set breakpoints on execute (bpx) on GetDlgItemTextA and GetWindowTextA (programs usually use these APIs to read the data from a text box). Type bpx GetWindowTextA [Enter] and bpx GetDlgItemTextA [Enter]. Press Ctrl + D and, in the registration window, press "OK".

4. BooM! Back in SoftICE. Press Ctrl + D again. Now you are in SoftICE again, inside the GetDlgItemTextA API. Press F11 and you are in STARTCLN (Start Clean's code). Do you see the two pushes and a call? If you display those addresses you will see that one of them is the offset of your name and the other one looks like a serial code (offset 00406030).

5. Trace over the call by pressing F10 until the highlighted bar is past the call. There are two pushes and a call to the lstrcmp API. "push eax" pushes the offset of our fake serial and "push 00406030" pushes the offset of the valid serial onto the stack so lstrcmp can compare them.

6. Press F10 again to trace over the lstrcmp API. There is a "test eax,eax". If your serial code is wrong, eax is 1; if it is correct, eax is 0. We could replace the jump just after the test with nops, but it wouldn't work, because the program writes the name and serial code to the registry and checks them every time it starts.

7. So we trace with F10 until we see the call to MessageBoxA. The pushes before MessageBoxA configure the message box. For example, the third one points to the offset of the string "Incorrect code!" (offset 004063ac).

8. Let's change it to 00406030 (the offset of the correct serial number). First try it in SoftICE: type a <code address of the third push>, e.g. a 004027c5, then type push 00406030 (the address of the valid serial) [Enter]. Look at the hex code of the new push: it is 6830604000. Now trace the code by pressing F10. When you are out of SoftICE, look at the message box; it shows the real serial code.

5. Patch it:
~~~~~~~~~~~~

1. Run W32Dasm and disassemble Startcln.exe. Then select StrnRef from the tool menu and find "Incorrect code!". Don't choose MessageBoxA; it isn't the one we want.

2. Now bring the highlight bar onto "push 004063AC". Do you see the @offset 00001BC5h? That is the place where we are going to patch the program.

3. Run your favourite hex editor and at offset 00001BC5 change 68AC634000 to 6830604000. Save the file and run the program. Enter your name and, for the code, enter anything you like. Press "OK" and WOW! You have a key generator!

(After you register, if you want to unregister again, just open regedit and delete the string values Name and Code at HKEY_CURRENT_USER\Software\Start Clean\Configuration\)

Name: DArK_BLuE
Code: 1596-15006-1519-305

6. Greetz:
~~~~~~~~~~

Greetz to tKC, +ORC, Razzia and BuL_LeT for their excellent tuts. Greetz to Qapla for his tutorial and his tut style (e.g. the ASCII font style at the top of the tutorial!).

7. Contacting Me:
~~~~~~~~~~~~~~~~~

E-MAIL: If you have anything to ask, or if you want to criticise me or this tutorial, mail me: dark_blue@pmail.net

IRC: I usually use Turkish servers. Most of the guys chatting on those servers know English. If you want them, the addresses are: *irc.aidata.net.tr* and *irc.raksnet.net.tr*

See you on the next Tut!

Turquoise

NOTE: Sorry for any grammatical or spelling mistakes. My English is not good. (I don't like the lessons either.)
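The weakness that sections 4 and 5 rely on is that the valid serial sits in the executable as a plaintext string and is handed straight to lstrcmp, so any code path that displays a string (here the "Incorrect code!" message box) can be pointed at it. The C below is an added example, not code from the tutorial or from Start Clean: it places that weak pattern beside a check that ships only a digest bound to the user name, so no serial string exists in the binary. The serial value is constructed, and FNV-1a 64 is an assumed stand-in for a real cryptographic hash.

```c
#include <stdint.h>
#include <string.h>

/* Weak pattern, as the tutorial finds it: the valid serial is a plaintext
 * literal in the executable, and strcmp (lstrcmp in Start Clean) compares it
 * with the user's input. Whatever prints a string can be redirected to it. */
static const char WEAK_VALID_SERIAL[] = "1234-5678-9012-345"; /* constructed */

int check_serial_weak(const char *entered)
{
    return strcmp(entered, WEAK_VALID_SERIAL) == 0;
}

/* Hardened pattern: the build ships only a digest of (name, serial), computed
 * once by the vendor, so no serial string is present in the binary. FNV-1a 64
 * is an assumed stand-in for a real cryptographic hash such as SHA-256. */
static uint64_t fnv1a64(uint64_t h, const char *s)
{
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Digest over name + separator + serial, so a serial is tied to one name and
 * "ab"+"c" cannot collide with "a"+"bc". */
uint64_t serial_digest(const char *name, const char *serial)
{
    uint64_t h = 0xcbf29ce484222325ULL;
    h = fnv1a64(h, name);
    h = fnv1a64(h, "\x1f");
    return fnv1a64(h, serial);
}

/* Compares the recomputed digest with the shipped one; a single XOR on the
 * full 64 bits keeps the comparison independent of where the mismatch is. */
int check_serial_hardened(const char *name, const char *entered,
                          uint64_t shipped_digest)
{
    uint64_t diff = serial_digest(name, entered) ^ shipped_digest;
    return diff == 0;
}
```

Even the hardened check can still be patched at the branch; its point is that the binary no longer carries the secret, so a redirected message box reveals nothing.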