                                  


                         How to crack MixVibes 2.02 using Win32Dasm
                                          by uZzi



                     Hi dudes! This lesson is dedicated to all newbies.



   TOOLS YOU NEED: W32Dasm 8.93 (sometimes a great tool for a cracker)
                   A heXeditor (I use HexWorkshop32)
   YOU CAN FIND ALL OF THEM AT WWW.CRACSTORE.COM 


   Install the program and then run it. You will see a nag screen where you can register the 
  program. Put in the dialog boxes your name and serial number you wish for example: UzziEST as
  name and 12333 as serial number, then click ok. You will get a message :"the program wasn't well
  installed".
   Now is time to fire up Win32Dasm. But first, make a copy of  mixvibes.exe, and load it in 
  W32Dasm. Done ? Now click on Search. Type in the error message. You will land at this piece of
  code: 


:0041BB32 E8C1B30600              call 00486EF8
:0041BB37 8B4004                  mov eax, dword ptr [eax+04]
:0041BB3A 57                      push edi
:0041BB3B 8BC8                    mov ecx, eax
:0041BB3D E81EAF0100              call 00436A60
:0041BB42 85C0                    test eax, eax
:0041BB44 7546                    jne 0041BB8C <<here

* Possible Reference to Dialog: DialogID_0086, CONTROL_ID:00FF, ""
                                  |
:0041BB46 6AFF                    push FFFFFFFF
:0041BB48 6A10                    push 00000010

* Possible Reference to String Resource ID=30468: "the program wasn't 
well installed"
                                  |
:0041BB4A 6804770000              push 00007704---<<you lend here
:0041BB4F E81BD90500              call 0047946F
:0041BB54 8B4D64                  mov ecx, dword ptr [ebp+64]

   Look a few lines up. You will find a conditonal jump at the adress 0041BB44. In order to make
 the proggie to get any serial # you may reverse the jne 0041BB8C to je 0041BB8C.Place the green
 bar on the jump and write the offset  (1AF44).  In your favorite hexeditor go to this offset and
 change 75 (Jne=jump if not zero) to EB (JMP anyway). Save and run . Write a name and a serial #
 and click ok. You won’t get any error message. WoW! I’m registered! , do you think. Not so fast.
 Check the About dialog and you will see that you aren’t register .: “What’s this kind of SHIT?!
 are you thinking. Close the program and run it again. You will see again that nag-screen. 
 EH... Goto W32Dasm again and serch this time for the caption of the nagscreen :
 "Unregistered version". You will find this:

Name: DialogID_00C0, # of Controls=010, Caption:"Unregistered 
version", ClassName:""
     001 - ControlID:0001, Control Class:"BUTTON" Control Text:"&OK" 
     002 - ControlID:0002, Control Class:"BUTTON" Control 
Text:"&Cancel" 
     003 - ControlID:0921, Control Class:"BUTTON" Control 
Text:"&Register" 
     004 - ControlID:0922, Control Class:"BUTTON" Control 
Text:"&Order" 
     005 - ControlID:0927, Control Class:"BUTTON" Control 
Text:"&License" 
     006 - ControlID:FFFF, Control Class:"STATIC" Control Text:"Thank 
you for trying the shareware MixVibes"


   Now you enter in the search box the dialog id & number : DialogID_00C0 
  and check the  match case mode. The code you reach is: 

  
* Referenced by a CALL at Address:
|:00435D48   
|
:0041C8C0 8B442404                mov eax, dword ptr [esp+04]
:0041C8C4 56                      push esi
:0041C8C5 50                      push eax
:0041C8C6 8BF1                    mov esi, ecx

* Possible Reference to Dialog: DialogID_00C0 <<you are here
                                  |
:0041C8C8 68C0000000              push 000000C0
:0041C8CD E86C470500              call 0047103E
:0041C8D2 33C0                    xor eax, eax
:0041C8D4 C706A86A4900            mov dword ptr [esi], 00496AA8
:0041C8DA 89465C                  mov dword ptr [esi+5C], eax
:0041C8DD 894660                  mov dword ptr [esi+60], eax
:0041C8E0 8BC6                    mov eax, esi
:0041C8E2 5E                      pop esi
:0041C8E3 C20400                  ret 0004

  If you look up you can see that this code is called from   00435D48. Click Cdloc button and type
 this adress to see the code around the call to this routine:


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00435CDF(C)
|
:00435CF0 8B9598FDFFFF            mov edx, dword ptr [ebp+FFFFFD98]
:00435CF6 83BA8C01000000          cmp dword ptr [edx+0000018C], 
00000000
:00435CFD 0F8545010000            jne 00435E48
:00435D03 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"uTu"
                                  |
:00435D05 681C504C00              push 004C501C

* Possible StringData Ref from Data Obj ->"Settings"
                                  |
:00435D0A 6898484C00              push 004C4898
:00435D0F 8B8D98FDFFFF            mov ecx, dword ptr [ebp+FFFFFD98]
:00435D15 E8AA140500              call 004871C4
:00435D1A 8945AC                  mov dword ptr [ebp-54], eax
:00435D1D 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"uNu"
                                  |
:00435D1F 6818504C00              push 004C5018

* Possible StringData Ref from Data Obj ->"Settings"
                                  |
:00435D24 6898484C00              push 004C4898
:00435D29 8B8D98FDFFFF            mov ecx, dword ptr [ebp+FFFFFD98]
:00435D2F E890140500              call 004871C4
:00435D34 8945A4                  mov dword ptr [ebp-5C], eax
:00435D37 8D45A8                  lea eax, dword ptr [ebp-58]
:00435D3A 50                      push eax
:00435D3B E85C570300              call 0046B49C
:00435D40 6A00                    push 00000000
:00435D42 8D8D34FFFFFF            lea ecx, dword ptr [ebp+FFFFFF34]
:00435D48 E8736BFEFF              call 0041C8C0
:00435D4D C645FC02                mov [ebp-04], 02
:00435D51 8B4DA4                  mov ecx, dword ptr [ebp-5C]
:00435D54 51                      push ecx
:00435D55 8D4D98                  lea ecx, dword ptr [ebp-68]
:00435D58 E8E30A0000              call 00436840

   Look up a few lines to find any conditional jump. You can see a  jne 00435E48 at :00435CFD 
  0F8545010000 (this adresses are available on my computer; on yours these will be not the same,
  but the offset should be the same). Put the green bar on 00435CFD to get the offset (350FD).
  To kill the nag, you may change the jne to je . In the heXeditor goto  the offset and change
  0F8545010000 to 0F8445010000(je).

  Save . Run the program . No nag-screen. Check again the About menu. The program is not
 registered yet. Search in W32Dasm the string "UNREGISTERED VERSION PLEASE REGISTER": stop at
 this:

:00436E6A C644242C01              mov [esp+2C], 01
:00436E6F 83F801                  cmp eax, 00000001
:00436E72 0F852C010000            jne 00436FA4
:00436E78 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_006E, CONTROL_ID:0927, "&License"
                                  |
:00436E7A 6827090000              push 00000927
:00436E7F 8BCE                    mov ecx, esi
:00436E81 E86CA60300              call 004714F2
:00436E86 8BC8                    mov ecx, eax
:00436E88 E8B6A80300              call 00471743
:00436E8D 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_006E, CONTROL_ID:0922, "&Order"
                                  |
:00436E8F 6822090000              push 00000922
:00436E94 8BCE                    mov ecx, esi
:00436E96 E857A60300              call 004714F2
:00436E9B 8BC8                    mov ecx, eax
:00436E9D E8A1A80300              call 00471743
:00436EA2 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_006E, CONTROL_ID:0921, "&Register"
                                  |
:00436EA4 6821090000              push 00000921
:00436EA9 8BCE                    mov ecx, esi
:00436EAB E842A60300              call 004714F2
:00436EB0 8BC8                    mov ecx, eax
:00436EB2 E88CA80300              call 00471743
:00436EB7 6A00                    push 00000000

* Possible Reference to Dialog: DialogID_006E, CONTROL_ID:0929, "UNREGISTERED VERSION PLEASE REGISTER"
                                  |
:00436EB9 6829090000              push 00000929 <<you are here
:00436EBE 8BCE                    mov ecx, esi
:00436EC0 E82DA60300              call 004714F2
:00436EC5 8BC8                    mov ecx, eax
:00436EC7 E877A80300              call 00471743

* Possible Reference to String Resource ID=30483: "the program is licensing to %s
registration number %s"
                                  |
:00436ECC 6813770000              push 00007713
:00436ED1 8D4C2414                lea ecx, dword ptr [esp+14]

  Usually, you will try to find a conditional jump a few lines up.
  
  Look carefuly! Did you find these?
  
:00436E6F 83F801                  cmp eax, 00000001
:00436E72 0F852C010000            jne 00436FA4

  Now think about the consecvences of this compare: it means "If User is registered don't show
 buttons Order, Register, License or string UNREGISTERED... else beggar off you cracker!"
  Get the offset (36272) and in the heXeditor you'll have to change 0F852C010000 (jne) to
 0F842C010000 (je) and then save.
  


  Run the program and -WoW!- it's registered on your name and favourite serial #. You made it !
  You cracked the program. 


  Greetz go to :     heXcrasher : lz0 is BETON ;)   (lz0)
 
                     Flashkid (lz0)

                     3D iDA (lz0)

                     +ORC, fravia, YOSHi 

                     All the crackers in #lz0 (undernet) and all crackers from RoMaNiA


    If you have any question you can write me at uzziest@yahoo.com, or you can find me at #lz0
   (undernet)

   See you on the next tutor!