(-\/\ dRaG0n´s CrAcKinG Lesson 6 /\/-)
Tools you need :
Softice V.3.X ( get it at cracking.home.ml.org & surf.to/harvestr)
W32dasm V8.X ( get it at cracking.home.ml.org & surf.to/harvestr)
MP3toExE v1.01 ( get it at Click Here )
Hiew 5.xx ( get it at cracking.home.ml.org & surf.to/harvestr )
Introduction :
bAck , doooods ;) ... jUst AnotHa lesSOn ..
hOpe yA enJoy it .. hehe ! k .. lEt´s daNcE =)
Cracking MP3 to EXE with Softice :
I will do this in steps , so it's easier to understand :-) .. like in the other Lessons ...
Step 1 : Run MP3 to EXE and go to "Register/Enter the RegistrationCode"
Step 2 : Enter "DrAg0n" as name , "[FFO]" as serial , and "77777" as dummy regnum .
.. enter S-iCE ...
Now we´ll set the most common Breakpoints .
"Bpx GetDlgItemTextA"
"Bpx GetWindowTextA"
Now leave S-iCE .
Step 3 : Press "Ok" , nothing comes up .. hmm .. let's try hmemcpy , go back to SiCE and do
"Bpx hmemcpy" , leave SiCE and hit Ok .. ;-)
"Break due to BPX Kernel!Hmemcpy ... "
Step 4 : Now press "F5" three times , cause at the third time it breaks last ... Press "F11" .
Now you'll see that we aren't in the right place , see "USER(03)" ..
K .. Hit "F10" till you are in the "MP3TOEXE!CODE+xxxxxxx" section ...
If you trace a bit (F10) , you'll see that there are only many ret commands here ,
so keep tracing till you're at the right code ... at location xxxx:4545AB ..
You'll see the following code from there , the only part you'll need :
From now on I won't describe all the ASM code for ya , only if needed or new commands ...
If you need help on them , see the ASM tut of Corn2 in Lesson 1 ! =)
004545AB 8B45F8        mov eax, dword ptr [ebp-08]
004545AE 50            push eax
004545AF DB2E          fld tbyte ptr [esi]          ; I dunno , sorry..
004545B1 E872E4FAFF    call 00402A28                ; No interesting Call
004545B6 8D4DDC        lea ecx, dword ptr [ebp-24]
004545B9 BA08000000    mov edx, 00000008
004545BE E8991AFBFF    call 0040605C                ; No interesting Call
004545C3 8D45DC        lea eax, dword ptr [ebp-24]
004545C6 50            push eax
004545C7 DB2B          fld tbyte ptr [ebx]          ; what is thiz ?
004545C9 E85AE4FAFF    call 00402A28                ; No interesting Call
004545CE 8D4DD8        lea ecx, dword ptr [ebp-28]
004545D1 BA08000000    mov edx, 00000008
004545D6 E8811AFBFF    call 0040605C                ; No interesting Call
004545DB 8B55D8        mov edx, dword ptr [ebp-28]
004545DE 58            pop eax
004545DF E82CF1FAFF    call 00403710                ; Interesting , cause it's the second Call b4 the jnz
                                                    ; command where it goes to Bad cracker / Good Buyer !
004545E4 8B55DC        mov edx, dword ptr [ebp-24]  ; After the Call and this Command are executed ,
                                                    ; do a "d edx" & you'll see a number ... Write it down!
004545E7 58            pop eax
004545E8 E82BF2FAFF    call 00403818                ; No interesting Call
004545ED 0F8591000000  jnz 00454684                 ; Good Buyer / Bad Cracker
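Added example (not part of the original lesson, and not the tool's or the program's own code): a small Python script that parses a few rows of the listing above in the W32Dasm layout, recomputes each call/jnz target from the opcode bytes as a sanity check on the printed addresses, and reports, for every conditional jump, the calls that precede it (the "second Call b4 the jnz" the comments point at). The row-layout regex, the field names and the embedded sample rows are assumptions.

```python
import re

# Constructed sample: seven rows copied from the listing in this lesson, in the
# W32Dasm-style "address  opcode-bytes  mnemonic operands ; comment" layout.
LISTING = """\
004545DB 8B55D8       mov edx, dword ptr [ebp-28]
004545DE 58           pop eax
004545DF E82CF1FAFF   call 00403710    ; second call before the jnz
004545E4 8B55DC       mov edx, dword ptr [ebp-24]
004545E7 58           pop eax
004545E8 E82BF2FAFF   call 00403818
004545ED 0F8591000000 jnz 00454684     ; good buyer / bad cracker
"""
# Assumed row layout; rows that do not fit it are skipped by parse_listing().
ROW_RE = re.compile(r"^([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)\s*([^;]*?)\s*(?:;(.*))?$")
COND_JUMPS = {"jz", "jnz", "je", "jne", "ja", "jae", "jb", "jbe", "jg", "jge", "jl", "jle"}

def parse_listing(text):
    """Split each row into address, raw bytes, mnemonic, operands and comment."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            addr, opcodes, mnem, ops, comment = m.groups()
            rows.append({"addr": int(addr, 16), "bytes": bytes.fromhex(opcodes),
                         "mnem": mnem.lower(), "ops": ops.strip(),
                         "comment": (comment or "").strip()})
    return rows

def resolve_rel32(row):
    """Target encoded in the bytes (E8/E9 rel32, 0F 8x rel32), relative to the next instruction."""
    b = row["bytes"]
    if len(b) == 5 and b[0] in (0xE8, 0xE9):
        disp = int.from_bytes(b[1:], "little", signed=True)
    elif len(b) == 6 and b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:
        disp = int.from_bytes(b[2:], "little", signed=True)
    else:
        return None  # not a rel32 call/jump
    return (row["addr"] + len(b) + disp) & 0xFFFFFFFF

def decision_points(rows, n_calls=2):
    """For each conditional jump: the n_calls calls before it (nearest first) and a target check."""
    found = []
    for i, row in enumerate(rows):
        if row["mnem"] in COND_JUMPS:
            calls = [c for c in reversed(rows[:i]) if c["mnem"] == "call"][:n_calls]
            found.append({"jump": row["addr"], "target": int(row["ops"], 16),
                          "target_ok": resolve_rel32(row) == int(row["ops"], 16),
                          "calls_before": [int(c["ops"], 16) for c in calls]})
    return found
```

For the sample rows, decision_points() reports the jnz at 004545ED with calls 00403818 and 00403710 before it, and target_ok confirms the printed 00454684 matches the rel32 encoded in 0F8591000000.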
Step 5 : Ok ... After the call calculates the serial and "mov edx , ..." moves it to edx , do a
"d edx" .. you'll notice a new number .. Write it down ..
For me it was 14FE7A6E4B9A6E49 ... do "bd *" , leave SiCE and replace our dummy
serial "77777" with the code we got ... and hit Register ...
k , no box came up saying "wrong serial" , so restart the prog and go to About .. you'll see :
Registered to : DrAg0n
Serial : [FFO]
*Boooom* , Regged ;-)
Last Words :
Ok , that was another Name/Serial prog. , my favourites :-)
Just tell me if you know what "fld tbyte ptr [ebx]" or so means , i will add this to this Tut then ;)
thx , c ya in next Lesson (7) sooooon , hehe
l8rz dRAg0n
.. wHats tHat VoiCe sAyinG my Name ? .. HmmM
.. .. ... aHHH .. My bEd :-D