iNTRODUCTION :
Hi there and welcome to another tutorial ...
In this tutorial I have a lot to say to the people who claim that crackers do not crack without their tools, in other words that the tools make the cracker, or that if you don't have the cracker's tools you can't crack.
Maybe some of that is true: without the tools you often can't crack, and sometimes I find it is so. But think of it this way: if you had the tools, would you be able to crack? I think not. So what I am trying to say is that when a crack is done, the credit doesn't go entirely to the tool and doesn't go entirely to the cracker; they split the work, most of the time about 50% each.
So with this tutorial I will show the non-believers that if you have the tools but don't know how to crack, or let's say you don't know assembly, you can't crack, and also that if you know assembly but don't have the tools you can't crack either. In the end these tools will help you a lot, but you are the one who has to read between the lines and understand everything the program does!
pROTeCTION :
OK, about this program: its protection is not the usual name-and-serial pair; this time it is a serial only. So in this tutorial I will show you how to find, or rather how to calculate, a good serial, and at the end you will be able to write a keymaker (or a serial generator, as some people like to call it).
OK, we start by installing Internet Audio Mix. When the install has completed, run the program; you will see a window that asks for a serial to register it. Enter a dummy serial; in my case I entered:
1234567890
Now, before you click the Register button, break into SoftICE with Ctrl+D and set a breakpoint like this one:
bpx GetDlgItemTextA
Press F5 to leave SoftICE, then click the Register button. SoftICE breaks; press F11 to return to the caller, and you should land at this code:
:00420B95 8BF8 mov edi, eax <-- we land here
:00420B97 8D542410 lea edx, dword ptr [esp+10]
:00420B9B 8D442418 lea eax, dword ptr [esp+18]
:00420B9F 52 push edx
:00420BA0 8D8C2490000000 lea ecx, dword ptr [esp+00000090] <-- ecx has our dummy code
:00420BA7 50 push eax
:00420BA8 51 push ecx <-- store it!
:00420BA9 8BCE mov ecx, esi
:00420BAB E890F9FFFF call 00420540 <-- we step into this call!
:00420BB0 3BFB cmp edi, ebx
:00420BB2 7627 jbe 00420BDB
OK, so far we have seen that our dummy code sits in a buffer on the stack and that a pointer to it is pushed just before the call at 00420BAB, so we should follow this call to see what it does with our code. There is a compare right after the call (cmp edi, ebx at 00420BB0), which is another reason to follow it; note that the eax returned by GetDlgItemTextA is the number of characters copied, so edi holds the length of what we typed and the jbe at 00420BB2 leaves if that length is zero. So when you are at 00420BAB press F8 to step into the call and you should see something like this:
:00420540 8B44240C mov eax, dword ptr [esp+0C]
:00420544 53 push ebx
:00420545 55 push ebp
:00420546 8B6C2410 mov ebp, dword ptr [esp+10]
:0042054A 56 push esi
:0042054B 57 push edi
:0042054C 8B7C2414 mov edi, dword ptr [esp+14] <-- edi points to our dummy code (first argument)
:00420550 C7450000000000 mov [ebp+00], 00000000 <-- clear the output value (second argument)
:00420557 57 push edi <-- push the string for the length call
:00420558 BB01000000 mov ebx, 00000001
:0042055D C70000000000 mov dword ptr [eax], 00000000
:00420563 FF15B4714300 Call dword ptr [004371B4] <-- gets the length of our code !
:00420569 33F6 xor esi, esi <-- esi = 0, the loop counter
:0042056B 85C0 test eax, eax
:0042056D 7507 jne 00420576 <-- taken, because the length is not zero (we typed something)
:0042056F 5F pop edi
:00420570 5E pop esi
:00420571 5D pop ebp
:00420572 5B pop ebx
:00420573 C20C00 ret 000C
As you can see from the code above, the jump at 0042056D is taken because our string is not empty. After the jump you will see code like this (the listing picks up at 00420578, two bytes past the jump target):
:00420578 803C3E2D cmp byte ptr [esi+edi], 2D <-- compare the current char with 2Dh = '-'
:0042057C 7405 je 00420583 <-- found a '-': leave the loop early
:0042057E 46 inc esi <-- if not, take the next char
:0042057F 3BF0 cmp esi, eax <-- has the counter reached the length of our code?
:00420581 7CF5 jl 00420578 <-- if not, jump back (the loop)
:00420583 3BF0 cmp esi, eax <-- another check of the counter
:00420585 7515 jne 0042059C <-- a '-' was found (esi < length): go to 0042059C instead
:00420587 57 push edi
:00420588 E84DDF0000 call 0042E4DA <-- convert our string to a numeric value
:0042058D 83C404 add esp, 00000004
:00420590 894500 mov dword ptr [ebp+00], eax <-- store the number through the output pointer
:00420593 8BC3 mov eax, ebx <-- return 1 (ebx was set to 1 above)
:00420595 5F pop edi
:00420596 5E pop esi
:00420597 5D pop ebp
:00420598 5B pop ebx
:00420599 C20C00 ret 000C
OK, I think we are getting closer. Let's see what we've got. From 00420578 to 00420581 is a loop in which the program looks for the character '-' in our code. At first I thought a valid code would have a '-' in it, but this check is there to reject a negative value: if a '-' is found the loop stops early, esi is still less than eax, and the jne at 00420585 leaves for 0042059C; if no '-' is found, esi equals eax and we fall through to the conversion. When you are at address 00420578 type 'd esi+edi' and you will see our dummy code; do it again in the middle of the loop and the data window will show the code from the current character on. So we are now sure that this procedure is searching for a '-' in our dummy code.
After the loop we come to address 00420588, where the call is. You can trace into it if you want, but to make the story short I just pressed F10 to step over the call and then typed '? eax' to see the value in eax, and it was equal to our dummy code as a number. So now we know this call converts our string to a numeric value (an atol-style conversion). The result is stored through the pointer in ebp at 00420590, and the function returns with eax = 1.
Now continue tracing, execute the ret, and step with F10 until you reach this code:
:00420BCF 50 push eax
:00420BD0 8BCE mov ecx, esi
:00420BD2 E8B9F4FFFF call 00420090 <-- check if code is valid procedure
:00420BD7 3BC3 cmp eax, ebx
:00420BD9 751C jne 00420BF7 <-- a nice one don't u think !!
* Possible StringData Ref from Data Obj ->"That registration code is not " <-- our error message !!
->"valid. Double check the number "
->"you are typing in."
OK, the end is near. As you can see from the code above, at address 00420BD2 there is a call which calculates, or let's say checks, whether our code is valid. If it is, the result placed in eax differs from ebx, which makes the jne at 00420BD9 jump (past the error message). Now there are two ways to crack this program. The easy one first: PATCHING. All you have to do is patch the conditional jump at 00420BD9 into an unconditional jmp, so we always reach the thank-you message. But I don't think that is a good idea, so let's first step into the call and find out what is going on. Press F8 to get into the call and you should see something like this:
:00420090 56 push esi
:00420091 8B742408 mov esi, dword ptr [esp+08] <-- esi has our dummy code (as a number)
:00420095 81FE40420F00 cmp esi, 000F4240 <-- compare it with 1000000
:0042009B 57 push edi
:0042009C 764C jbe 004200EA <-- if less than or equal (unsigned), error
:0042009E 8BC6 mov eax, esi <-- else put our code in eax
:004200A0 33D2 xor edx, edx <-- clear edx (high half of the dividend)
:004200A2 BF74290100 mov edi, 00012974 <-- put 12974h = 76148d in edi
:004200A7 F7F7 div edi <-- unsigned divide: our code / 76148d, remainder in edx
:004200A9 85D2 test edx, edx <-- check the remainder
:004200AB 753D jne 004200EA <-- if it's not zero, error
:004200AD 8B413C mov eax, dword ptr [ecx+3C] <-- the code already stored in the object
:004200B0 BF01000000 mov edi, 00000001 <-- success flag
:004200B5 3BF0 cmp esi, eax
:004200B7 742A je 004200E3 <-- same code as the stored one: skip the save
:004200B9 89713C mov dword ptr [ecx+3C], esi <-- remember the new code
:004200BC E8BFFCFFFF call 0041FD80 <-- called with the new code stored; the thank-you string follows
* Possible Reference to String Resource ID=40231: "Thank you!!! As a registered user ..."
This is the end .... OK, so what do you think? I think everything is easy, right? OK, here is what happened:
At address 00420091 our dummy code was put in esi, then at address 00420095 it was compared with 000F4240h = 1000000d.
So you can say this is the first rule for a valid serial: as a numeric value the serial must be larger than 1000000 (the jbe at 0042009C is an unsigned compare and also fails on exactly 1000000).
Then at address 0042009E our code is put into eax, at 004200A0 edx is cleared to 0, after that edi is set to 00012974h = 76148d, and then our code is divided by 76148 (a 32-bit unsigned division, remainder in edx). If the remainder is zero it is a valid serial; if not, the jump at address 004200AB is taken, the error path at 004200EA (not shown here) returns with eax = 0, and back in the caller the error message is displayed. On the valid path the code is compared with the one already stored at [ecx+3C]; if it is new it is stored there and 0041FD80 is called, which leads to the thank-you message.
I think everything is clear now ... but again, here is a flashback.
To get a valid code there are 2 conditions:
1. our code must be larger than 1000000
2. when we divide our code by 76148 the remainder must be zero
That is easy: all we have to do now is find a number that is larger than 1000000 (I know, I said it again!! :) ) and leaves a remainder of 0 when divided by 76148. In other words, any multiple of 76148 above 1000000 works; the smallest one is 76148 * 14 = 1066072, since 76148 * 13 = 989924 fails the first test. But we don't have to calculate such numbers ourselves, we can write a program to do it for us .... hehehehe I love computers !!
So here is the code:
{ a little program to generate valid serials
  for Internet Audio Mix v1.44, coded by FaT[BiT] \ TNT! }
program test;
uses
  crt;
var
  code : longint;
begin
  clrscr;                              { clear the screen }
  for code := 1000001 to 3000000 do    { start the loop at 1000001 (must be > 1000000), go higher if you want }
    if (code mod 76148 = 0) then       { check if the remainder of code / 76148 is 0 }
      writeln(code);                   { if yes, print the code and keep looping }
  readln;                              { wait for Enter before the window closes }
end.
After you write and compile this program it will print a lot of numbers, and guess what, they are all valid serials, because they are larger than 1000000 (this is why we started the loop from 1000001) and their remainder is 0. So choose any one you like, try it, and then ......
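To tie the whole trace together, here is an added example that is not part of the original tutorial and not the author's keygen: a Python model of the two routines followed above, the '-' scan and string conversion at 00420540 and the check at 00420090, plus a generator that steps through multiples of 76148 instead of testing every integer like the Pascal program. The function names, the atol-style parsing and the 2^31 cap on generated values are my assumptions, not something the disassembly shows.

```python
# Added example (not from the original tutorial). Models the serial check of
# Internet Audio Mix v1.44 as traced in SoftICE, and generates valid serials.

CUTOFF = 0x000F4240     # 1000000: cmp esi, 000F4240 / jbe at 00420095
DIVISOR = 0x00012974    # 76148:   mov edi, 00012974 / div edi at 004200A2
INT32_MAX = 2**31 - 1   # assumption: the conversion at 0042E4DA is atol-like, so stay below 2^31


def parse_serial(text: str):
    """Model of the routine at 00420540.

    Returns the numeric value of `text`, or None when that routine would take
    its failure path: an empty string (test eax,eax after the length call) or
    a '-' anywhere in the string (the cmp byte ptr [esi+edi],2Dh loop).
    """
    if not text or "-" in text:
        return None
    # Assumption: the call at 0042E4DA behaves like atol: skip leading blanks
    # and an optional '+', read digits up to the first non-digit, and return 0
    # when there are no digits at all.
    s = text.lstrip(" \t")
    if s.startswith("+"):
        s = s[1:]
    digits = ""
    for ch in s:
        if ch not in "0123456789":
            break
        digits += ch
    return int(digits) if digits else 0


def check_serial(value: int) -> bool:
    """Model of the routine at 00420090: the value must be strictly greater
    than 1000000 (jbe is an unsigned compare, so 1000000 itself fails) and
    leave no remainder when divided by 76148 (div edi with edx cleared,
    then test edx,edx)."""
    value &= 0xFFFFFFFF          # esi is a 32-bit register; div is unsigned
    if value <= CUTOFF:
        return False
    return value % DIVISOR == 0


def is_valid(text: str) -> bool:
    """What the Register button does with the typed text, end to end."""
    value = parse_serial(text)
    return value is not None and check_serial(value)


def generate_serials(count: int, start: int = CUTOFF + 1):
    """Return the first `count` valid serials at or above `start`.

    Instead of testing every integer like the Pascal keygen, round `start`
    up to the next multiple of DIVISOR and step by DIVISOR from there.
    """
    first = ((start + DIVISOR - 1) // DIVISOR) * DIVISOR   # round up to a multiple
    if first <= CUTOFF:                                   # rule 1 must still hold
        first += DIVISOR
    serials = []
    value = first
    while len(serials) < count and value <= INT32_MAX:
        serials.append(value)
        value += DIVISOR
    return serials


if __name__ == "__main__":
    for serial in generate_serials(10):
        print(serial, is_valid(str(serial)))
    print("dummy 1234567890 valid?", is_valid("1234567890"))
```

The generator starts at 76148 * 14 = 1066072, the smallest multiple above the cutoff; the author's dummy code 1234567890 passes the size test but leaves a remainder, which is exactly why the error box appeared.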
tKC ... (for showing me the light !! )
LW2000 ... ( Thanx alot i now use my brain )
[XasX] ... (a very good founder and a very good friend also!)
AzmO ... (yes!! man we are different !! )
Sir dReAm ... (i will be seeing u soon !! )
BoneZ ... (thanx alot for the support !!)
BillGameZ, VaibLitzeR, MezUz , and ShaQ ... (good luck to u all !! )
and to all TNT!CRACK!TEAM! members ... (keep up the good work !!)
any comments mail me : fattnt@yahoo.com
See ya in another tut !!! Soon !!!