Cracking Tutorial #4
By SiONiDE

Hi fellow Crackers. I write these tutorials in short amounts of time. Therefore I apologise for any grammatical errors in this essay. Enjoy the Tut!

Contents:
1: Patching Disk Pal 1.3 to enter any Name/Serial.
2: Writing a Patch for Disk Pal.

Difficulty Level: Easy [ ] Medium [X] Hard [ ] Expert [ ]

Toolz Required:
Disk Pal v1.3.........Search for dipal13.exe in a FTP search.
W32Dasm...............A good Cracking Web Site.
HIEW..................A good Cracking Web Site.
BYTE HUNTER V2.0......A good Cracking Web Site.
Brain.................Ummm....Head maybe??
Computer..............You're on one now!

1: Patching Andy 1.3 to enter any Name/Serial.

Step 1:
Once you have downloaded DiskPal 1.3, we will need to see what type of protection it has. Enter the program and click on "register". We notice that it asks you for a name, followed by a serial number. This shows us that it has a Name/Serial protection scheme. In the name box enter "SiONiDE [DCD]" and serial "123456". What happens??? We get an error message. Make sure you write this down, we will need it later. The message says something like Invalid Serial.

Load up W32Dasm, and Disassemble Dpal.exe. After about 4 minutes it is finished. What do we see??? A load of ASM code, about 72 pages of it. Hmmm....that doesn't help!! But W32Dasm has a function called "String Data References" or "SDR", click on it in the toolbar. A list will appear, now it's time to use the earlier error message. Scroll down, about 43 lines until you find your message. Double-Click on it, twice and close the SDR window.
You should see this:

* Possible Reference to String Resource ID=25224: "Invalid Serial Number"
:00411057 6888620000              push 00006288
:0041105C E885BC0100              call 0042CD06

Scroll up until you see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041104F(C)

Now F12 (Go to Code Location) and type in the address above (0041104), and you should then see this:

:00411D95 41                      inc ecx
:00411D96 E8B1CFF7FF              call 00402D4C
:******** 0F8532010000            jne 0041104

Now....What does this tell us??? It says that if the serial and name do not match, it will jump (jne) to the error message we just came from.

Step 2:
Well, if you get the serial wrong, it will jump, if you get it right it will jump to the right location "Serial Accepted". Let's see what will happen if we reverse that process. We want it to jump to the error message only when the Name and Serial match, therefore if they don't, it will jump to the right location. To do this, we must replace "jne" with "je" (Jump if Equal), easy isn't it?? :) To do this we must change the bytes using a HEX editor (HIEW). First write down the Offset address at the bottom of W32Dasm, it should say 0000D96h, write this down. Note, you don't need the "h", this just means it is HEX.

Step 3:
Load up DPAL.exe with HIEW and press "ENTER" twice to enter decode mode. Press "F5" and enter the offset (0000D96). Press "F3" to change the bytes and replace 0F84 with 0F85. Press "F9" to update, then exit the program. Load up Disk Pal, click "Register", enter SiONiDE [DCD], then a random serial, e.g. 6942576. What happens??? Serial Accepted. Voila, you've just cracked Disk Pal v1.3!!!

2: Writing a Patch for Disk Pal 1.3

Step 1:
Just use this template and edit the required parts.
<=====================================Start of Patch===========================================>
Uses Crt;

Const A: Array[1..1] of Record            <<============Number of Bytes to be Patched.>>
       A : Longint;
       B : Byte;
      End = ((A:$0F84;B:$84));            <<============The Part that will be patched (0F84), then the exact byte to be Patched which is "84".>>

Var Ch:Char;
    I:Byte;
    F:File;
    FN:file of byte;
    Size:longint;

Begin
  Writeln('Name/Serial Patch for Disk Pal 1.3');
  writeln('Cracked + Coded by: SiONiDE [ DCD ]');
  Assign(F,'dpal.exe');                   <<=========Exact file name, must be default name.>>
  {$I-} Reset(F,1); {$I+}
  If IOResult <> 0 then
  begin
    writeln('dpal.exe not located!');     <<=====Error message.>>
    halt(1);
  end;
  For I:=1 to 1 do                        <<==============Number of bytes to be patched, in this case, 1.>>
  Begin
    Seek(F,A[I].A);
    Ch:=Char(A[I].B);
    Blockwrite(F,Ch,1);
  End;
  Writeln('Patch was successful, Enjoy!');
End.
<======================================End of Patch============================================>

This patch is for use with Turbo Pascal 7, just copy this source code and edit out anything which is between <>. Enjoy the patch.
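
Seen from the vendor or incident-response side, a one-byte conditional-jump inversion like the one in section 1 is easy to detect when a known-good copy of the executable is available. The following is an added example, not part of the original tutorial: the function names are hypothetical, and the sample bytes are constructed from the instruction bytes quoted in the listings above plus padding.

```python
import hashlib

def is_jcc_inversion(ref: bytes, sus: bytes, off: int) -> bool:
    """Heuristic on raw bytes (no disassembly): the changed byte is an x86
    conditional-jump opcode whose condition bit (bit 0) was flipped."""
    a, b = ref[off], sus[off]
    if a ^ b != 0x01:
        return False
    # Near form: 0F 80..8F rel32 (0F 84 = je, 0F 85 = jne).
    near = off > 0 and ref[off - 1] == sus[off - 1] == 0x0F and 0x80 <= a <= 0x8F
    # Short form: 70..7F rel8 (74 = je, 75 = jne).
    short = 0x70 <= a <= 0x7F
    return near or short

def compare(ref: bytes, sus: bytes) -> dict:
    """Compare a suspect file image against a known-good reference."""
    report = {
        "sha256_match": hashlib.sha256(ref).digest() == hashlib.sha256(sus).digest(),
        "size_match": len(ref) == len(sus),
        "diffs": [],
    }
    for off in range(min(len(ref), len(sus))):
        if ref[off] != sus[off]:
            kind = "jcc-inversion" if is_jcc_inversion(ref, sus, off) else "other"
            report["diffs"].append((off, ref[off], sus[off], kind))
    return report

# Constructed sample: four padding bytes, then the instruction bytes
# quoted in the W32Dasm listings (inc / call / jne / push).
REFERENCE = bytes.fromhex("90909090" "41" "E8B1CFF7FF" "0F8532010000" "6888620000")
_suspect = bytearray(REFERENCE)
_suspect[11] ^= 0x01   # constructed tamper: 0F 85 (jne) -> 0F 84 (je)
_suspect[17] = 0x00    # constructed unrelated change, for contrast
SUSPECT = bytes(_suspect)

if __name__ == "__main__":
    result = compare(REFERENCE, SUSPECT)
    print("sha256 match:", result["sha256_match"])
    for off, old, new, kind in result["diffs"]:
        print(f"offset {off:#06x}: {old:02X} -> {new:02X} [{kind}]")
```

The digest mismatch alone proves tampering; the per-offset classification only helps triage, since the byte-level heuristic can also match data that merely looks like a jump opcode.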