Tutor #1
written by night.in.gale, member of O.C.G.

target: BakeHead 1.30
tools needed: SoftIce, WDasm, HView

Essay:

this is my very first tutor and i decided to do it in english because i think every cracker should know at least enough english to understand this simple tutor. english is the language of the web and you surely won't get very far without it!

ok, here we go... download the program somewhere (i didn't include a download address, but it should be no problem to get the file), install it and run it to gather some information. although the "real" cracking process hasn't even started yet, this is maybe the most important part of cracking a program: make notes!! write down everything you think is important about regging/cracking the program, i.e. nag screens, time limits, limited functions etc.

having done this with BakeHead, there are some things you should have on your paper now:
- nag screen at the beginning, telling us that this is an unregistered version, bla bla...
- the "save/save as" features are disabled
- in the register dialog box, there is a pre-calculated Reg Code; you have to enter the right password for this code
- entering the wrong code (unless you're good enough to guess the right code, of course ;) just lets the dialog disappear, no "wrong code" window or any other clue for us... :(
- in the "password" field, there's a 0 given by the program

now on to the interesting part: we disassemble the BakeHead.exe file with WDasm and look for interesting string references (and there are some to be found ;). there are 3 string refs that might bring us further, namely:
"This is an unregistered version"
"This version of Bakehead is not"
"\config.dat"

looking at our notes, we see that the first string ref is the beginning of our start nag screen. let's go to the code and see if we can find out some more. so what's that 4 lines above our str. ref.: a compare and then a conditional jump beyond our error message.
the program might check here if the "registered flag" is set and if so, jump right over the nag routine. would be too easy, wouldn't it? give it a try: fire up hview, change the je instruction to a jne or jmp, save and run the program (but make a backup copy of your original bakehead.exe file, you'll need it ;) and see there: no nag screen! "wonderful" you might think, but that's exactly all we've done: we stopped the nag screen, the program is still far from registered...

at this point just a short explanation. some of you might ask "why don't we just take softice and sniff out the right password?" think again, the program seems to build its own reg. code for every installation, so our password would only work on our machine, but not on any other!

now it's your turn, take a look at the code before our "This is an unreg...." string. see if you can find out something interesting, take a look at the jumps and compares, what is stored where, etc... try to get a feeling for the code, that's always something very important i think. and when you're shortly before a nervous breakdown, read on, because here comes the solution:

as you might have noticed, there's no actual way (at least none a newbie could find) to set a "registered" flag to tell the program that it's already registered in this case! but remembering the string references we find that config.dat file to be important in some way. let's take a look at it: hmmm, empty... 4 bytes long, all of them 00h. again, we need our notes and see that in our password field, there's a 0 given by the program. does that ring a bell?? let's just try it out and write a 4 digit password in our config.dat file, open bakehead and look at the registration screen. strange, in the password field there's a long number that seems to have nothing to do with our fake from the config.dat file. and the program isn't registered either. shit.
thinking again, the four hex bytes in our config.dat file represent a decimal number as well, and entering those four hex values in a hex/dec converter shows us that the number from the config.dat file and the number from the password field are the same, just in different formats... very well, so bakehead seems to open the config.dat file at program start and compare the number with the right password. the right password is stored in the config.dat file when it's entered in the registration dialogue.

let's take a look at this in WDasm: double-clicking on the "\config.dat" string ref brings us to memory location 00405776 and now the situation is completely clear! at 00405772 bakehead compares our entered password (eax) with the real password (edx) and if they're not equal, it jumps over the config.dat part, because the file need not be opened to save the right pass. all we have to do now is to change the mov eax, dword ptr [esp+0C] into a mov eax, edx instruction, so that the right code is always stored in the config.dat file, no matter what we entered in the password field. :))

i think this is the best way to crack this program. there's also the possibility to make a keygen, but that would be far too much work if you ask me...

my first tutor for O.C.G. is done, hope you don't find it too confusing... ;) if there are any questions left, contact me at night.in.gale@gmx.net or ICQ# 26116176

greetz and thanx to +Sandman, +Fravia, Laxity and all fellow Outsiders memberz

night.in.gale, may 2000
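The registration flow as the tutor reconstructs it, modelled in Python as an added example (this is not BakeHead's code): config.dat holds a 4-byte value, the password field shows that same value as a decimal, startup compares it with the expected password, and the register dialog only writes the file on a match. The expected password value and the little-endian byte order are assumptions; the lesson for anyone designing such a scheme is that the persisted value is the secret itself in plaintext, so the config file is exactly as sensitive as the password.

```python
import struct

# Constructed value: BakeHead's real reg code and password are not on the page.
EXPECTED_PASSWORD = 0x12345678   # hypothetical 32-bit password for this machine's reg code


def config_to_password_field(data: bytes) -> int:
    """Decode config.dat into the number the register dialog displays.

    The tutor found the 4 bytes in config.dat and the decimal in the
    password field to be the same number in two formats; x86 stores a
    dword little-endian, which is assumed here.
    """
    if len(data) != 4:
        raise ValueError("config.dat is expected to be exactly 4 bytes")
    return struct.unpack("<I", data)[0]


def password_to_config(value: int) -> bytes:
    """Encode a password the way the program persists it (4 bytes, LE)."""
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("password must fit in 32 bits")
    return struct.pack("<I", value)


def startup_check(config: bytes) -> bool:
    """Program start: registered only if the stored number equals the expected one."""
    return config_to_password_field(config) == EXPECTED_PASSWORD


def register_dialog(entered: int, config: bytes) -> bytes:
    """Register dialog as reconstructed at 00405772: entered (eax) is compared
    with the expected password (edx). Only on a match is the password written
    to config.dat; otherwise the file is untouched and the dialog just closes
    with no error message. Returns the new config.dat contents."""
    if entered != EXPECTED_PASSWORD:
        return config
    return password_to_config(EXPECTED_PASSWORD)


if __name__ == "__main__":
    # Fresh install: four 00h bytes, so the password field shows 0.
    print(config_to_password_field(b"\x00\x00\x00\x00"))
    # The tutor's experiment: typing "1234" into the file yields the "long number".
    print(config_to_password_field(b"1234"))
```

Writing the ASCII text "1234" into config.dat is read back as the dword 0x34333231, which is why the dialog showed a long, unrelated-looking number.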