===========================================================================
Cracking Tutorial #22: CrAcKiNG Opera 6.01 bY making a valid serial and
manually unpacking Aspack

[cracked bY:]  sLeEpY [FWA/NWA/FTPR8Z] iN 04/2002
[difficulty:]  beginner/intermediate
[where:]       http://www.opera.com
[tOOLz:]       w32dasm 8.93, softice 4.05 (symbol loader), Hiew 6.0
===========================================================================

Hullo all, this tutorial is a bitch but I didn't know it until I started
to crack it. I always wing my tutorials, and this one turned into an
unpacking tutorial and a cracking tutorial all in one. Hoohaa yipee, who
cares.

Don't bother making 3 copies yet, just make one backup. Open the program
and check out the error message when you try to register it:

  Opera registration
  The registration information you have entered does not seem to be
  correct. Please make sure that you have entered it correctly.
  [OK]

Well, disassemble the prog in W32dasm. Hmm.. the disassembly didn't take
long. Damn, hell, it's obviously packed or encrypted or something, and
that sucks. So here's an easy way to find out what it's packed with:
start UltraEdit or any hex editor and look at the ASCII column on the
side. UltraEdit tells us:

  ............@..A
  .aspack..P...p*.   <-- aspack
  .B... ..........
  ....@..A.adata..

Ok, this is packed with aspack but I don't know what version, and I can't
get ProcDump to work right, so anyway it's time for a lesson in how to
manually unpack aspack (asspack). Man, I hate asspack. Ok, start up
Symbol Loader.
Open opera.exe and load it. Hmm.. it doesn't break in SoftICE. Well, the
reason is in the PE format. Start ProcDump and click on "PE Editor". Open
opera.exe and click on "Sections". You should be able to see the sections
of opera. Right click on the section "CODE" and select "Edit section". In
the box "Section characteristics", ProcDump shows (.text): C0000040.
Change this value (.text section) to E0000020. Close the PE editor and
quit ProcDump.

0xC0000040 means:
  0xC0000040 = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA

0xE0000020 means:
  0xE0000020 = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE

(MIZ and Volatility both have an essay explaining this and how it comes
from a header file for Windows [win.h]; if you want more in-depth info on
that, find their tuts. All we need to know is what to change it to.)

Start up Symbol Loader again and load opera. If you get an error, run it
anyway; we are now in SoftICE! What fun, heh. Let's jump into the very
first call and begin the loop tracing. It's easy once you get the hang of
it: just look for a jump that loops and set a breakpoint right after it,
or look for a conditional jump that never seems to be taken and set a
breakpoint on its location. You can F10 to trace, but if you decide to go
that route you'll be here for hours, and it's a waste of time when you
can be through it in 10 minutes or so.

Well, I haven't got the log set up for Symbol Loader this time, so I'm
just going to put in the final area of code, where you should end up when
you are done tracing. In SoftICE you should be in "opera.aspack". (If you
wanna cheat, set a "BPX 6A73BA" in SoftICE; maybe you'll land at the
final push. This is for Windows 98SE.)
For me the final part of the loops was here:

  0167:006A7395  E9EBFEFFFF      JMP   006A7285
  0167:006A739A  B8F9BA1D00      MOV   EAX, 001DBAF9
  0167:006A739F  50              PUSH  EAX
  0167:006A73A0  038522040000    ADD   EAX, [EBP+00000422]
  0167:006A73A6  59              POP   ECX
  0167:006A73A7  0BC9            OR    ECX, ECX
  0167:006A73A9  8985A8030000    MOV   [EBP+000003A8], EAX
  0167:006A73AF  61              POPAD
  0167:006A73B0  7508            JNZ   006A73BA
  0167:006A73B2  B801000000      MOV   EAX, 00000001
  0167:006A73B7  C20C00          RET   000C
  0167:006A73BA  6800000000      PUSH  00000000    <- will be our entry point!
  0167:006A73BF  C3              RET

This line changes by the time you get there, since it's loading as you go:

  0167:006A73BA  6800000000      PUSH  00000000

to this:

  0167:006A73BA  6800000000      PUSH  005DBAF9    <- write this down!

Now we finally got to the end of the packer code, so let's dump it!
Highlight the RET at 006A73BF and type:

  a eip      [press enter]
  jmp eip    [press enter] [press enter]

Ok, now opera.exe will run in an infinite loop! The original entry point
is the value we wrote down before that final RET (005DBAF9), and the
image base is the one we will see in ProcDump (00400000).

Start up ProcDump, go to Options, choose "Rebuild Import Table", click
OK. Back in the main window it will show you all the programs currently
running. Look for opera.exe. To dump the prog, right click opera.exe and
choose the option "Dump (Full)". Name your exe operadump or something so
you know what it is. The new file will be more than double the size,
2.64 Meg.

Next we have to put in the right entry point of the new operadump.exe.
With ProcDump, go in the option "PE Editor" and open the operadump.exe
that you have made. ProcDump tells ya that the "Image Base" is 00400000.
Now, here I hope you wrote down that number, 005DBAF9.

  New Entry Point = Original Entry Point - Image Base
  New Entry Point = 005DBAF9 - 00400000
  1DBAF9          = 005DBAF9 - 00400000

Well, here is our new entry point: 005DBAF9 - 00400000 = 1DBAF9. In the
"Entry point" box of ProcDump, put in 001DBAF9.
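The two things done by hand above, reading a section's characteristics word and turning the OEP into the RVA the header stores, are worth having as a script when you triage a packed binary. What follows is an added example written for this page, not code from the tutorial, from ProcDump or from any of the other tools named here: it parses IMAGE_SECTION_HEADER records, names the IMAGE_SCN_* bits behind flag words like C0000040 and E0000020, computes AddressOfEntryPoint from a VA and the image base, finds the section the entry point falls in, and flags sections that are writable and executable at once, the cheap packer indicator a defender's triage or detection script looks for. The section table in SAMPLE_TABLE is constructed (its sizes and RVAs are made up); only the flag values, the image base and the two entry-point addresses are taken from the text.

```python
"""Decode PE section characteristics and locate the entry point's section.

Added example, not code from the tutorial or its tools. The IMAGE_SCN_*
constants are the real winnt.h values; SAMPLE_TABLE is a constructed
section table whose flag words and addresses mirror the ones quoted in
the text.
"""
import struct

# IMAGE_SCN_* flag values from winnt.h (real constants).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_CNT_UNINITIALIZED_DATA = 0x00000080
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_CNT_UNINITIALIZED_DATA: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}

# IMAGE_SECTION_HEADER (40 bytes, little endian): Name[8], VirtualSize,
# VirtualAddress, SizeOfRawData, PointerToRawData, PointerToRelocations,
# PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


def decode_characteristics(value):
    """Names of the IMAGE_SCN_* bits set in a Characteristics dword, lowest bit first."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]


def parse_sections(table, count):
    """Parse `count` consecutive section headers from a raw section table."""
    sections = []
    for i in range(count):
        f = SECTION_HEADER.unpack_from(table, i * SECTION_HEADER.size)
        sections.append({
            "name": f[0].rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": f[1],
            "virtual_address": f[2],
            "characteristics": f[9],
        })
    return sections


def entry_point_rva(entry_va, image_base):
    """AddressOfEntryPoint is image-base relative: OEP VA minus ImageBase."""
    return entry_va - image_base


def section_containing(sections, rva):
    """Name of the section whose virtual range covers `rva`, or None."""
    for s in sections:
        if s["virtual_address"] <= rva < s["virtual_address"] + s["virtual_size"]:
            return s["name"]
    return None


def writable_executable(sections):
    """Sections mapped both writable and executable: self-modifying stub territory."""
    wx = IMAGE_SCN_MEM_WRITE | IMAGE_SCN_MEM_EXECUTE
    return [s["name"] for s in sections if s["characteristics"] & wx == wx]


def entry_is_executable(sections, rva):
    """True when the section holding `rva` carries IMAGE_SCN_MEM_EXECUTE."""
    name = section_containing(sections, rva)
    for s in sections:
        if s["name"] == name:
            return bool(s["characteristics"] & IMAGE_SCN_MEM_EXECUTE)
    return False


def _header(name, vsize, va, characteristics):
    # Raw-data fields are zeroed: only the virtual layout matters here.
    return SECTION_HEADER.pack(name.ljust(8, b"\0"), vsize, va,
                               0, 0, 0, 0, 0, 0, characteristics)


# Constructed sample table: a packed image whose CODE section the packer left
# without the execute bit and whose stub lives in .aspack. Sizes/RVAs are made
# up; the flag words and the image base are the ones quoted in the text.
IMAGE_BASE = 0x00400000
SAMPLE_TABLE = b"".join([
    _header(b"CODE", 0x1DC000, 0x001000, 0xC0000040),
    _header(b".aspack", 0x008000, 0x2A6000, 0xE0000020),
    _header(b".adata", 0x001000, 0x2AE000, 0xC0000040),
])


def triage(table, count, entry_va, image_base):
    """One-shot summary of where an entry point lands and which sections are W+X."""
    sections = parse_sections(table, count)
    rva = entry_point_rva(entry_va, image_base)
    return {
        "entry_rva": rva,
        "entry_section": section_containing(sections, rva),
        "entry_executable": entry_is_executable(sections, rva),
        "wx_sections": writable_executable(sections),
    }


if __name__ == "__main__":
    # Packed entry (the PUSH/RET stub at 006A73BA) versus the recovered OEP 005DBAF9.
    for va in (0x006A73BA, 0x005DBAF9):
        print(hex(va), triage(SAMPLE_TABLE, 3, va, IMAGE_BASE))
```

Run as-is, the script reports the packed entry inside .aspack (the only W+X section) and the recovered OEP 1DBAF9 inside CODE, whose C0000040 flags carry no IMAGE_SCN_MEM_EXECUTE; that non-executable code section is the header state the text fixes by writing E0000020 into it. For a real file, read the section table from the offset given by the PE header's NumberOfSections and SizeOfOptionalHeader fields and pass its bytes to `triage`.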
Now run operadump.exe (make sure it's in the opera directory), and hell
yes, it works. Opera 6.01 is successfully unpacked. Now we can kill it
with w32dasm! Good ol' w32dasm...

Well, after it's unpacked, we browse through the SDR window and find
this:

  w-dUR6m-yMJYc-wKB7P-aSu6f-PEXcz   (at code location 0057D956)

I started here because you won't find the error message, and Opera has
most of the easy entries closed off from us. This tutorial is getting
long, so I'll save some time and jump right to it. Anyway, maybe a
hardcoded serial? Well, if we put it in, it's no good... but this gives
us an idea: it's gotta be a blacklisted serial. So let's open up our code
in UltraEdit and search for (make sure you look in the unpacked file):

  w-dUR6m-yMJYc-wKB7P-aSu6f-PEXcz

and change it so it says:

  1-11111-11111-11111-11111-11111
  (HEX: 31 ad 31 31 31 31 31 ad 31 31 31 31 31 ad 31 31 31 31 31 ad 31 31 31 31 31 ad 31 31 31 31 31)

Ok, save it, go back and start up Opera and put in any name and
organization. As your registration code enter:

  w-dUR6m-yMJYc-wKB7P-aSu6f-PEXcz

Bam, since it's not blacklisted anymore, we are registered! Another prog
cracked!.. sorta! We validated a blacklisted serial number.

Other:

  "S#E@,R*NO_[*]R,[E#G"
  "S[E,,R}N[O_P"

These 2 strings seemed strange to me because together they equal 31
chars, the same length as our registration code.

Laterz

===========================================================================
email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.
[-------------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0 ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach) ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client ]
[ 7. CrAcKiNG Actionizer 1.4 ]
[ 8. CrAcKiNG Tag Wizard 4.3.0 ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP ]
[10. CrAcKiNG Netrace 1.0a ]
[11. CrAcKiNG Winrar 3 Beta 2 THROUGHLY ]
[12. CrAcKiNG Aditor Pro 3.05 build 1 ]
[13. CrAcKiNG EasyType 1.0 ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215 ]
[15. CrAcKiNG Applet Headline Factory Version 4.0 ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b) ]
[17. CrAcKiNG iuVCR 4.0.0.205 beta5 Trial (R_02-28-2002) ]
[18. CrAcKiNG The Weakest Link -NOCD- ]
[19. CrAcKiNG Blowfish 2000 V2.3 by finding a valid serial ]
[20. CrAcKiNG the CD Check in Tony Hawk Pro Skater 3 ]
[21. CrAcKiNG DLL Show 4.7 bY Turning it Into its Own Keygen ]
[22. CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack ]
===========================================================================
gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz!
HAR! BEASTFXP!

gReEtz to people I don't know: anTiHerO, TaMaMBoLo, and Volatility for
their unpacking tutorials.
===========================================================================
CopyLeft: [all rights reversed]

Boredom causes crackers and babies.
===========================================================================