Cracking Tutorial #16: CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b)

[cracked bY:]   sLeEpY [FWA/NWA/FTPR8Z] iN 02/2002
[difficulty:]   beginner/intermediate (w32 debugging)
[where:]        http://www.incatec.com/cgi-bin/Codewhiz.asp
                http://www.incatec.com/Codewhiz.zip
                http://www.davecentral.com/projects/codewhiz/
[tOOLz:]        w32dasm, Hiew or hex editor of your choice...

----------------------------------------------------------------------------------------

Codewhiz 1.7 ($19.95)

Codewhiz is a language-sensitive source code editor including features like branch collapsing, keyword coloring, macro recording, indenting, a language editor and much more. Define new languages or modify existing ones using the included Codewhiz Language editor. The current version of Codewhiz includes language support and definitions for Delphi, SQL ANSI, SQL Server and Oracle, VB Script, JScript, C and C++, HTML, VRML, Perl, DOS, Ada, Cobol and more. Supports Win 95/98 and NT 4.0.

Publisher :: Incatec Inc.
Language  :: C/C++
License   :: Shareware
Platform  :: Windows 95/98 - Windows NT 4.0
Price     :: Between $10 and $40

----------------------------------------------------------------------------------------

OK, hope you made the 3 files: exe, w32, and bak (the bak is your untouched backup). Disassemble the w32 copy in w32dasm and let it create the dead listing. Run the program, try to register it with any old junk, and write down the error message.
Back to w32dasm, let's look at the String Data References (SDRs):

  "the serial number you entered is invalid"   (this drops us here) :0108C157
  "the serial number you entered is correct"   (this drops us here) :0108C16E

Look at the code for the obvious change (scroll up!):

  :0108C14A 7517          jne 0108C163

Change it to a jmp and your code is regged (offset 8B54A in HIEW; EB xx is the short unconditional jump, shown as jmps in HIEW):

  :0108C14A EB17          jmps 0108C163

The code you typed is then written to codewhiz.ini (located in c:\windows; you can find this out by seeing it in the dead listing or by running filemon):

-----------------Codewhiz.ini-----------------
[Options]
LCD=37319
LC=9089098080980980980980980980980980980980   <-- fake code I put in
[Openfiles]
FileCount=0
[Position]
Maximized=1
[Toolbars]
Main=1
Edit=1
Html=0
Ruler=0
-----------------

We restart the program and dammit, here is that nag again. There must be a check of that ini file for the reg code on startup, and we weren't validated. Next look for codewhiz.ini in the SDRs of w32dasm. It appears in 20+ places, so we check it out the hard way this time: click through to each appearance and write down the suspicious numbers, starting with this one:

  :010CEF74

because if you scroll down you will see "Options", the ini section where the code is stored (see LC above), and a little lower you see "121169080371". Looks like a hard-coded serial, but nope, it's nothing. Checking further (I like to look for jumps and trial-and-error them), you see:

  :010CF019 A17C1D0D01    mov eax, dword ptr [010D1D7C]
  :010CF01E 803800        cmp byte ptr [eax], 00
  :010CF021 7545          jne 010CF068          <-- if the ini-file reg code checks out, jump

(Read literally, the jne is taken when the first byte at [eax] is non-zero; making it unconditional skips whatever follows regardless of what the ini holds.) So let's modify this code:

  :010CF021 7545          jne 010CF068

to this code (the offset in HIEW is CE421):

  :010CF021 EB45          jmps 010CF068

Save it and run it: hey, we are regged and no more NAG!

----------------------------------------------------------------------------------------

Since nothing is disabled, let's look for another way to trash the nag screen!
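Both patches in this tutorial (the one just above and the same jne reached again through the debugger further down) come down to the same two steps: turn the virtual address w32dasm shows into a file offset for HIEW, then overwrite the 75 (jne rel8) opcode with EB (jmp rel8) while leaving the displacement byte alone. Notice that 0108C14A - 8B54A and 010CF021 - CE421 are both 0xC00: the image base plus the gap between the code section's RVA and its position in the file. The script below, an added example that is not part of sLeEpY's tutorial, does that mapping from the PE section table and refuses to write unless a jne really is at the offset. The PE image it works on is constructed in the script; only the addresses, offsets and opcodes come from the text, and the assumed layout (ImageBase 0x1000000, .text at RVA 0x1000 backed by file offset 0x400) was picked so that it reproduces the 0xC00 delta.

```python
"""Added example (not from the tutorial): map a w32dasm virtual address to a
file offset via the PE section table, verify a short jne is at that offset,
and flip it to an unconditional short jmp.  The PE below is constructed here;
the section layout is an ASSUMPTION chosen to match the tutorial's VA/offset
pairs.  Only PE32 (32-bit) images are handled.
"""
import struct

JNE_SHORT = 0x75  # jne rel8
JMP_SHORT = 0xEB  # jmp rel8


def parse_sections(pe: bytes):
    """Return (image_base, [(virtual_address, raw_pointer, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", pe, 0x3C)
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    num_sections, = struct.unpack_from("<H", pe, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", pe, e_lfanew + 20)
    opt = e_lfanew + 24                        # optional header follows the file header
    magic, = struct.unpack_from("<H", pe, opt)
    if magic != 0x10B:
        raise ValueError("only PE32 handled")
    image_base, = struct.unpack_from("<I", pe, opt + 28)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + i * 40          # IMAGE_SECTION_HEADER is 40 bytes
        _vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((va, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(pe: bytes, va: int) -> int:
    """w32dasm shows virtual addresses; HIEW wants file offsets."""
    image_base, sections = parse_sections(pe)
    rva = va - image_base
    for sec_va, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + raw_size:
            return rva - sec_va + raw_ptr
    raise ValueError(f"VA {va:#x} is not backed by file data")


def short_jump_target(va: int, disp: int) -> int:
    """Target of a 2-byte rel8 jump at va: next instruction + signed displacement."""
    return va + 2 + (disp - 256 if disp > 127 else disp)


def patch_jne_to_jmp(pe: bytes, va: int):
    """Return (patched image, file offset); refuses to write unless a jne is there."""
    off = va_to_file_offset(pe, va)
    if pe[off] != JNE_SHORT:
        raise ValueError(f"expected jne (75 xx) at {off:#x}, found {pe[off]:02x}")
    out = bytearray(pe)
    out[off] = JMP_SHORT                       # displacement byte is left as-is
    return bytes(out), off


def build_sample_pe() -> bytes:
    """Construct a minimal PE32 with one .text section (assumed layout) and plant
    the tutorial's two jne instructions at their HIEW offsets."""
    image_base, sec_va, raw_ptr, raw_size = 0x01000000, 0x1000, 0x400, 0xD0000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew
    opt_size = 224
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)      # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)
    struct.pack_into("<II", opt, 32, 0x1000, 0x200)  # section / file alignment
    section = b".text\0\0\0" + struct.pack(
        "<IIIIIIHHI", raw_size, sec_va, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    img = bytearray(raw_ptr + raw_size)
    hdr = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + section
    img[:len(hdr)] = hdr
    img[0x8B54A:0x8B54C] = b"\x75\x17"         # :0108C14A  jne 0108C163
    img[0xCE421:0xCE423] = b"\x75\x45"         # :010CF021  jne 010CF068
    return bytes(img)


if __name__ == "__main__":
    pe = build_sample_pe()
    for va in (0x0108C14A, 0x010CF021):
        patched, off = patch_jne_to_jmp(pe, va)
        print(f"{va:#010x} -> file offset {off:#x}: "
              f"{pe[off:off + 2].hex()} -> {patched[off:off + 2].hex()}, "
              f"target {short_jump_target(va, pe[off + 1]):#x}")
```

short_jump_target is the sanity check you want before saving: 0108C14A + 2 + 17 = 0108C163 and 010CF021 + 2 + 45 = 010CF068, exactly the targets w32dasm printed, so the two bytes at those offsets really are the jumps from the listing and not a coincidence of the same opcode elsewhere. Run it a second time on the patched file and it refuses, since the byte is now EB, which is the same guard you would want in a hex editor before touching your only copy (hence the .bak).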
"Codewhiz shareware version" is the caption on the nag, let's check it out. Nothing on that in the SDRs...
"Unregistered Shareware Version" is a caption in the nag, let's check it out. Nothing on that in the SDRs...

So let's try something new! Today we will debug with w32dasm. With the program still dead-listed in w32dasm, click "DEBUG" at the top, then "Load Process"; leave that line blank and click OK. It knows that the dead-listed program is the one we want to debug. You will see 3 separate windows filled with all kinds of confusing stuff, but don't worry about all of it, because all we need to know is how to set breakpoints (which is, if you don't know, where you want the code to pause so you can figure out what is going on).

First things first: your code should have stopped here, waiting for input from you telling it what to do. That is what is showing in your topmost window:

  :010CEF48 55            push ebp

In the window to the right should be this:

  :010CEF48 push ebp

Same thing, got it? Now go back to the top window and scroll down; you can set a breakpoint on anything by pressing F2. Here is what I've done to keep it easy: just scroll down and set breakpoints on all the calls and jumps for a couple of pages. After that, go back to the rightmost window and click "RUN". The code will execute until it hits a breakpoint; if no nag appears, click "RUN" again until the next breakpoint, and keep doing that until we see our nag. Keep an eye on the breakpoints and make sure you don't run out of them, but we know a nag screen is going to pop up soon and most likely it will be a call.

After scrolling and setting breakpoints (make sure you have a breakpoint set on :010CF042), all of a sudden our nag pops up, right on a breakpoint of a call. Here the nag is called:

  :010CF042 FF92D8000000  call dword ptr [edx+000000D8]

which is actually a call to 0104FD58; you can see this if you use the w32dasm debugger.
It will show up in the right window, but we don't care where it's called from; we just want the quickest kill today, and nothing is quicker than this: there has to be a conditional jump nearby, because if the program is regged it jumps over the nag. Scroll up a little bit and we find this again:

  :010CF021 7545          jne 010CF068

So now we know a second way to find the check behind a nag screen, using the w32dasm built-in debugger! Just like above, change this code:

  :010CF021 7545          jne 010CF068

to this code (the offset in HIEW is CE421):

  :010CF021 EB45          jmps 010CF068

Save and run the program and we are rid of the nag! laterz!

----------------------------------------------------------------------------------------

email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.
[--------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection                ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0                                    ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program         ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach)                      ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client                ]
[ 7. CrAcKiNG Actionizer 1.4                                          ]
[ 8. CrAcKiNG Tag Wizard 4.3.0                                        ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP                            ]
[10. CrAcKiNG Netrace 1.0a                                            ]
[11. CrAcKiNG Winrar 3 Beta 2 THOROUGHLY                              ]
[12. CrAcKiNG Aditor Pro 3.05 build 1                                 ]
[13. CrAcKiNG EasyType 1.0                                            ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215                 ]
[15. CrAcKiNG Applet Headline Factory Version 4.0                     ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b)               ]
[--------------------------------------------------------------------]

----------------------------------------------------------------------------------------

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!
----------------------------------------------------------------------------------------

CopyLeft: sLeEpY [all rights reversed]

Boredom causes crackers and babies.

----------------------------------------------------------------------------------------