TNT!Crackers presents: a DzA kRAKER production ... WINHACK 2 REVERSING

Sorry for my BAD English, I hope you will understand something.....

About the target: WinHack 2 is the best memory cheating tool on the SHAREWARE market (because TMK and Magic Trainer are freeware hehe). This tool includes many search modes (the classical ones: exact value, decrease, increase, no change, change...) and also the ability to create a trainer (a shitty trainer, because it will not work 50% of the time). Anyway, a good tool; it deserves the download time, but not the money the author wants for a registered version.

Limitations: almost everything is limited in the shareware version of WinHack 2... only 1 search mode out of 11 is available, you cannot make a trainer (hum, so what?), in the tag list functions like "poke all" and "freeze all" are disabled, and they also added a 30-day time limit.

Tools you need: SoftICE 3.x or newer, Win32Dasm, a hex editor, ProcDump, PEWizard.

OK, now you know that this program deserves to be cracked... let's rock!

Every time you try to access a crippled function a dialog says "registered version only!". Well, this is not a regular message box or dialog box, so breakpoints like "bpx dialogboxparama" or "bpx messageboxa" will fail... We could trace that dialog, but this is not the easiest way. We will use Win32Dasm to disassemble the target exe; Win32Dasm will crash, probably an encrypted exe. Use PEWizard by ST!LLS0N to find out whether the exe is encrypted or not (pew -cl <target dir>/winhack2.exe); PEWizard will detect Shrinker 3.3 encryption. Now use a Shrinker 3.3 unpacker (I used ProcDump 1.5) to unpack the real target. Now disassemble the real, unpacked exe; Win32Dasm will not crash anymore... Don't try to search for the "registered version only" string... you will get nothing. Look in the string data references instead....

Stepping through the strings you will see a string called "Created By: Unregistered version"; double click that string and you will see the following code lines:

:00481171 E8B628F8FF      call 00403A2C
:00481176 8B8670020000    mov eax, dword ptr [esi+00000270]
:0048117C E83342FFFF      call 004753B4                <--- the "magic" call
:00481181 84C0            test al, al
:00481183 741F            je 004811A4                  <--- jump to reverse

* Possible StringData Ref from Code Obj ->"Created By: YourName Here"
|
:00481185 BAE8134800      mov edx, 004813E8
:0048118A 8B8640050000    mov eax, dword ptr [esi+00000540]
:00481190 E89FD7F9FF      call 0041E934
:00481195 B201            mov dl, 01
:00481197 8B8640050000    mov eax, dword ptr [esi+00000540]
:0048119D E8FAD6F9FF      call 0041E89C
:004811A2 EB1D            jmp 004811C1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00481183(C)
|
* Possible StringData Ref from Code Obj ->"Created By: Unregistered version "
                                        ->"of WinHack v2.00"
|
:004811A4 BA0C144800      mov edx, 0048140C
:004811A9 8B8640050000    mov eax, dword ptr [esi+00000540]
:004811AF E880D7F9FF      call 0041E934
:004811B4 33D2            xor edx, edx
:004811B6 8B8640050000    mov eax, dword ptr [esi+00000540]
:004811BC E8DBD6F9FF      call 0041E89C

Make a copy of the unpacked exe and rename it crack.exe; this is the exe you will modify. Use Hiew or another hex editor; I won't teach you how to use them (read a really newbie tutorial). Go to 481183 and replace 74 1F with 75 1F (this will allow you to enter your name instead of "Unregistered version" when you make a trainer, but you cannot make trainers yet). Notice the call I marked before the jump; this is the call we will trace. Now select Goto / Goto Code Start in Win32Dasm, click Search and type 004753B4; you will find about 14-15 addresses where that address is called... all calls to that address look like this:

call 004753B4
test ..., ...   (or cmp ..., ...)
jnz / jz        (jumps to "registered version only!") - must always be reversed

Reversing any of those jumps will unlock a feature (decrease search mode, increase... etc.).

You could also put a breakpoint in SoftICE on that address (004753B4); when you try to use any of the crippled functions with this bpx set, SoftICE will pop up. Now press F11 to return to the caller and write down the address to reverse.

Are you done reversing all the jumps? Now try to start WinHack and use it... Oh shit! WinHack exits without saying bye!!!! It just exits, giving us no error message (an error message always makes the job easier; not our case). Yeah, this looks difficult, but it isn't... Look another time in the string data references in Win32Dasm.... notice the string c:\m.dmp (what the hell does this mean?... maybe memory dump?... yesss!). Look in the c:\ drive; you will not see any file called m.dmp. Now start WinHack 2: the m.dmp file gets created in c:\... and the program exits again... Well, it's obvious that WinHack compares the m.dmp file, which contains the original code, with our modified exe; if there is a difference ---> jump to the API CloseHandle or whatever. You will notice that WinHack calls CreateFileA on a timer every 4-5 seconds, to prevent a memory patcher.....

Well, if WinHack cannot create that m.dmp file then it will never exit... What is the API function for creating files in Windows?.... of course CreateFileA... Let's try to set a breakpoint on CreateFileA: type bpx createfilea in SoftICE AFTER the program is loaded, but before it exits. SoftICE will break normally; press F12 until you are in winhack.exe in SoftICE, and you will see something like this:

xxxx:xxxxxxxx  push eax            (50)
xxxx:xxxxxxxx  call kernel32!CreateFileA

Now write down the address of that push eax; in Win32Dasm go to that address and write down the offset you will use in your hex editor. The only thing you need to do to stop WinHack creating that m.dmp file is NOPing the push eax (replace byte 50 with 90). Now start WinHack..., look in your c:\ drive, you will not see the c:\m.dmp file again, and WinHack will not exit...

WinHack 2 is totally reversed!

http://kickme.to/tnt
http://elitetoplist.com/tntcrack
http://tnt.educations.net
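As an added example (not part of this tutorial and not WinHack's own code), here is what the m.dmp-style self-check described above amounts to on the defending side, written in Python: a fingerprint a program can keep over its own code, plus a diff of an original image against a suspect copy that classifies changed bytes by the two patch patterns used in this tutorial (an inverted short conditional jump and a NOPed byte). The byte strings are constructed from the instruction bytes quoted above followed by an invented push/call pair; they are not a real dump of the program.

```python
# Added example: tamper detection of the kind the tutorial's m.dmp check performs.
# Constructed sample data only; nothing here is read from a real WinHack binary.

# x86 short conditional jumps occupy opcodes 0x70..0x7F in pairs whose low bit
# selects the condition (0x74 jz / 0x75 jnz, 0x72 jb / 0x73 jnb, ...), so flipping
# that bit inverts the test. 0x90 is NOP.
JCC_SHORT = range(0x70, 0x80)
NOP = 0x90


def classify_patch(orig_byte: int, new_byte: int) -> str:
    """Describe one changed byte in terms of the patch pattern it matches."""
    if orig_byte in JCC_SHORT and new_byte == orig_byte ^ 1:
        return "inverted conditional jump"
    if new_byte == NOP:
        return "instruction byte replaced with NOP"
    return "other modification"


def diff_images(original: bytes, suspect: bytes) -> list[tuple[int, int, int, str]]:
    """Return (offset, original_byte, suspect_byte, classification) per differing byte."""
    if len(original) != len(suspect):
        raise ValueError("images differ in size; not a byte-for-byte patch")
    return [
        (off, o, s, classify_patch(o, s))
        for off, (o, s) in enumerate(zip(original, suspect))
        if o != s
    ]


def fnv1a32(data: bytes) -> int:
    """32-bit FNV-1a: a cheap fingerprint a program could store over its own code."""
    h = 0x811C9DC5
    for b in data:
        h = ((h ^ b) * 0x01000193) & 0xFFFFFFFF
    return h


def integrity_check(known_good_fingerprint: int, image: bytes) -> bool:
    """True when the image still matches the fingerprint taken from the pristine build."""
    return fnv1a32(image) == known_good_fingerprint


# Constructed sample: bytes of mov/call/test/je from the listing above (00481176..00481183),
# then an invented 'push eax' (50) and 'call' (E8 ...). The second copy carries the two
# single-byte changes the tutorial describes (74->75 and 50->90).
ORIGINAL = bytes.fromhex("8B8670020000" "E83342FFFF" "84C0" "741F" "50" "E800000000")
TAMPERED = bytes.fromhex("8B8670020000" "E83342FFFF" "84C0" "751F" "90" "E800000000")

if __name__ == "__main__":
    for off, o, s, what in diff_images(ORIGINAL, TAMPERED):
        print(f"offset {off:#06x}: {o:02X} -> {s:02X}  ({what})")
    print("integrity ok:", integrity_check(fnv1a32(ORIGINAL), TAMPERED))
```

The single fingerprint comparison is exactly the kind of check that falls to one NOPed instruction, which is why a self-check is a speed bump rather than a guarantee.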