--------------------------------------------------------------------------------------


                                              ████       ██
                          ███                    ██    ███
                      ████ ██                     ██  ██
                  ████    ██                 ████  ████
                ██        █    ████ █████  ██   █   █      █
                █        █     █    █      █    █   █
                █       ██     █    ██     █   ██   ██
                █       █      ██    █     █  ██     █
               ██      ██     █████  ████  ████      ██    █
              ██       █     ██      █     █          █    █
              ██████   █     █      ██     █          █    █
                   █  ██     █████  █████  █          █    █████
       ███         █  █                   ██          ██   █   ██
         ███       █  ██████             ██                      █
           ███     █       ███           █                       █
              ██████         █           █                       █
                                        ██                      ██
                                                        █       █
                                                        █      ██
                                                        ██  ████
                                                          ████

--------------------------------------------------------------------------------------

Cracking Tutorial #22:
CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack
[cracked bY:] sLeEpY [FWA/NWA/FTPR8Z] iN 04/2002
[difficulty:] beginner/intermediate
[where:] http://www.opera.com
[tOOLz:] w32dasm 8.93, softice 4.05 (symbol loader), Hiew 6.0

--------------------------------------------------------------------------------------

Hullo all. This tutorial is a bitch, but I didn't know that until I started cracking the
target; I always wing my tutorials, so this one turned into an unpacking tutorial and a
cracking tutorial all in one. hoohaa yipee who cares.

Don't bother making three copies yet; just make one backup of opera.exe.

Run the program and check out the error message you get when you try to register it with
a made-up code:

Opera registration
The registration information you have entered does not seem to be correct.
Please make sure that you have entered it correctly.
[OK]

Next, disassemble the program in W32dasm. Hmm, the disassembly didn't take long at all,
damn. That means it's obviously packed or encrypted or something, and that sucks: a packer
leaves only its small loader stub as real code and stores the rest of the file as
compressed data, so the disassembler has almost nothing to work with. Here's an easy way
to find out what it's packed with: open opera.exe in UltraEdit (or any hex editor) and
look at the text column beside the hex, near the start of the file where the PE section
names live.

UltraEdit shows (these are the section names from the PE section table):

............@..A
.aspack..P...p*.  <--aspack
.B... ..........
....@..A.adata..

OK, this is packed with ASPack, but I don't know which version, and I can't get ProcDump's
automatic unpacker to work right, so anyway it's time for a lesson in how to manually
unpack ASPack. (asspack) Man, I hate asspack.

Start Symbol Loader, open opera.exe and load it. Hmm, it doesn't break into SoftICE.
The reason is in the PE header: the first section (CODE) is flagged as initialized data
rather than as executable code, and Symbol Loader won't break for us until that is fixed.

Start ProcDump and click "PE Editor". Open opera.exe and click "Sections"; you should
see Opera's section table. Right-click the section "CODE" and select "Edit section". In
the "Section characteristics" box ProcDump shows C0000040 for this (.text) section.
Change the value to E0000020, close the PE editor and quit ProcDump.

0xC0000040 means:
0xC0000040 = IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_INITIALIZED_DATA
           = 0x40000000         | 0x80000000          | 0x00000040

0xE0000020 means:
0xE0000020 = IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE | IMAGE_SCN_CNT_CODE
           = 0x20000000            | 0x40000000         | 0x80000000          | 0x00000020

So the edit keeps read and write, drops "initialized data" and marks the section as
executable code instead, which is what the loader wants to see for the section it breaks
in.

(MIZ and Volatility both have an essay explaining this and where the constants come from,
the Windows SDK header winnt.h; if you want more in-depth info on that find their tuts.
All we need to know here is what to change it to.)

Start Symbol Loader again and load opera.exe; if you get an error, run it anyway. We are
now in SoftICE at the packer's entry point! What fun, heh.

Let's step into the very first call and begin the loop tracing; it's easy once you get
the hang of it. Look for a backward jump that loops and set a breakpoint right after it,
or look for a conditional jump that never seems to be taken and set a breakpoint on its
target. You can F10 through everything instead, but if you go that route you'll be here
for hours, and it's a waste of time when you can be through the stub in ten minutes or
so. I haven't got the log set up for Symbol Loader this time, so I'm just going to give
the final area of code, where you should end up when you are done tracing; SoftICE's
code window should say you are in "opera.aspack". (If you want to cheat, set
"BPX 6A73BA" in SoftICE; maybe you'll land at the final PUSH. That address is from
Windows 98SE and can differ on your machine.)

For me the final part of the loops was here:

0167:006A7395  E9EBFEFFFF		JMP	006A7285
0167:006A739A  B8F9BA1D00		MOV	EAX, 001DBAF9
0167:006A739F  50			PUSH	EAX
0167:006A73A0  038522040000		ADD	EAX, [EBP+00000422]
0167:006A73A6  59			POP	ECX
0167:006A73A7  0BC9			OR	ECX, ECX
0167:006A73A9  8985A8030000		MOV	[EBP+000003A8], EAX
0167:006A73AF  61			POPAD	
0167:006A73B0  7508			JNZ	006A73BA
0167:006A73B2  B801000000		MOV	EAX, 00000001
0167:006A73B7  C20C00			RET	000C
0167:006A73BA  6800000000		PUSH	00000000 <-will be our entry point!
0167:006A73BF  C3			RET

This line changes by the time you get there, because the stub patches its own PUSH
operand once it has finished decompressing:
0167:006A73BA  6800000000		PUSH	00000000
to this:
0167:006A73BA  68F9BA5D00		PUSH	005DBAF9 <-write this down!

The 00000000 in the file is just a placeholder. Notice the MOV EAX,001DBAF9 /
ADD EAX,[EBP+00000422] pair a few lines up: 001DBAF9 is the RVA of the original entry
point and the ADD supplies the image base, 001DBAF9 + 00400000 = 005DBAF9, which is
exactly what ends up in the PUSH.

Now we've finally reached the end of the packer code, so let's dump it!
Highlight the RET at 006A73BF (EIP should be sitting on it) and type:

a eip [press enter]

jmp eip [press enter][press enter]

This assembles a jump-to-self over the RET, so opera.exe now spins in an infinite loop at
that address: the whole program is decompressed in memory, nothing from the original
entry point has run yet, and the process stays alive for as long as we need to dump it.
Press Ctrl-D to leave SoftICE and let it spin.

The original entry point (OEP) is the value we wrote down from that final PUSH
(005DBAF9), and the image base is the one ProcDump will show us (00400000).

Start ProcDump, go to Options, tick "Rebuild Import Table" and click OK. Back in the
main window it lists every running process. Find opera.exe, right-click it and choose
"Dump (Full)". Name the dump operadump.exe or something so you know what it is. The new
file is more than double the size, 2.64 MB, since it holds the decompressed image. Next
we have to give operadump.exe the right entry point, because its header still points at
the ASPack stub. In ProcDump open "PE Editor" and load the operadump.exe you just made.
ProcDump tells you the "Image Base" is 00400000. Now I hope you wrote down that number,
005DBAF9.

New Entry Point (RVA) = Original Entry Point (VA) - Image Base
                      = 005DBAF9 - 00400000
                      = 001DBAF9

So our new entry point is 001DBAF9. (Sanity check: that is exactly the constant the stub
loaded with MOV EAX,001DBAF9 just before the final PUSH, so the two numbers agree.)

In the "Entry point" box of ProcDump put 001DBAF9 and save. Now run operadump.exe (make
sure it sits in the Opera directory, next to the rest of the installation), and hell yes,
it works. Opera 6.01 is successfully unpacked, so now we can kill it with W32dasm. Good
ol' W32dasm...
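Here is the header surgery from this section and the entry-point fix-up, as an added Python example (not the tutorial's own code and not what ProcDump does internally): it walks a PE32 section table, names the IMAGE_SCN_* bits in a raw Characteristics dword, swaps C0000040 for E0000020 on the CODE section, decodes the stub's final PUSH imm32 / RET to recover the OEP, and writes OEP - ImageBase into AddressOfEntryPoint. The image it operates on is a constructed, headers-only stand-in for opera.exe; its section sizes and offsets are placeholders, not Opera's real values.

```python
import struct

# IMAGE_SCN_* bits from winnt.h that C0000040 and E0000020 are built from.
IMAGE_SCN_CNT_CODE             = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE          = 0x20000000
IMAGE_SCN_MEM_READ             = 0x40000000
IMAGE_SCN_MEM_WRITE            = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "IMAGE_SCN_CNT_CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "IMAGE_SCN_MEM_EXECUTE",
    IMAGE_SCN_MEM_READ: "IMAGE_SCN_MEM_READ",
    IMAGE_SCN_MEM_WRITE: "IMAGE_SCN_MEM_WRITE",
}
SECTION_HEADER = "<8sIIIIIIHHI"  # IMAGE_SECTION_HEADER, 40 bytes; Characteristics at +36
OPT_ENTRY_POINT = 16             # AddressOfEntryPoint offset inside IMAGE_OPTIONAL_HEADER32
OPT_IMAGE_BASE = 28              # ImageBase offset inside IMAGE_OPTIONAL_HEADER32

def decode_section_flags(value):
    """Name the IMAGE_SCN_* bits set in a raw Characteristics dword."""
    return [name for bit, name in sorted(FLAG_NAMES.items()) if value & bit]

def nt_headers_offset(image):
    """Follow e_lfanew from the DOS header to the 'PE\\0\\0' signature."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    return e_lfanew

def section_headers(image):
    """Yield (name, file offset) for each IMAGE_SECTION_HEADER in the section table."""
    nt = nt_headers_offset(image)
    num_sections, = struct.unpack_from("<H", image, nt + 6)
    opt_size, = struct.unpack_from("<H", image, nt + 20)
    first = nt + 24 + opt_size  # signature + file header + optional header
    for i in range(num_sections):
        off = first + 40 * i
        yield bytes(image[off:off + 8]).rstrip(b"\0").decode("ascii", "replace"), off

def get_section_characteristics(image, name):
    for sec_name, off in section_headers(image):
        if sec_name == name:
            return struct.unpack_from("<I", image, off + 36)[0]
    raise KeyError("no section named %r" % name)

def set_section_characteristics(image, name, value):
    """Copy of image with one section's Characteristics replaced (the PE Editor step)."""
    out = bytearray(image)
    for sec_name, off in section_headers(out):
        if sec_name == name:
            struct.pack_into("<I", out, off + 36, value)
            return out
    raise KeyError("no section named %r" % name)

def image_base(image):
    nt = nt_headers_offset(image)
    if struct.unpack_from("<H", image, nt + 24)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    return struct.unpack_from("<I", image, nt + 24 + OPT_IMAGE_BASE)[0]

def get_entry_point(image):
    return struct.unpack_from("<I", image, nt_headers_offset(image) + 24 + OPT_ENTRY_POINT)[0]

def set_entry_point(image, oep_va):
    """Copy of image with AddressOfEntryPoint = OEP - ImageBase (VA in, RVA stored)."""
    out = bytearray(image)
    rva = oep_va - image_base(out)
    if rva < 0:
        raise ValueError("OEP %08X lies below the image base" % oep_va)
    struct.pack_into("<I", out, nt_headers_offset(out) + 24 + OPT_ENTRY_POINT, rva)
    return out

def oep_from_push_ret(tail):
    """Decode the stub's final 'PUSH imm32 / RET' (68 xx xx xx xx C3); return the address."""
    if len(tail) < 6 or tail[0] != 0x68 or tail[5] != 0xC3:
        raise ValueError("not a PUSH imm32 / RET pair")
    oep, = struct.unpack_from("<I", tail, 1)
    if oep == 0:
        raise ValueError("PUSH operand is still the 00000000 placeholder")
    return oep

def build_sample_pe():
    """Constructed headers-only PE32 mimicking the packed opera.exe as ProcDump showed it:
    image base 00400000, CODE flagged C0000040, then .aspack. Sizes are placeholders."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x010F)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)  # PE32 magic
    struct.pack_into("<I", opt, OPT_IMAGE_BASE, 0x00400000)
    secs = struct.pack(SECTION_HEADER, b"CODE", 0x1000, 0x1000, 0x1000, 0x400, 0, 0, 0, 0, 0xC0000040)
    secs += struct.pack(SECTION_HEADER, b".aspack", 0x1000, 0x2000, 0x1000, 0x1400, 0, 0, 0, 0, 0xC0000040)
    return bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + secs
```

To use it on a real file, read opera.exe into `bytes`, call `set_section_characteristics(img, "CODE", 0xE0000020)` before the Symbol Loader step, and after dumping call `set_entry_point(dump, 0x005DBAF9)` on the dump; `oep_from_push_ret` refuses the unpatched placeholder so you cannot accidentally set the entry point to 0 if you read the PUSH too early.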

Once it's unpacked we browse through the String Data References (SDR) window in W32dasm
and find this:
w-dUR6m-yMJYc-wKB7P-aSu6f-PEXcz (referenced at code location 0057D956)

I started here because you won't find the registration error message in the string
references; Opera has the easy entry points closed off from us. This tutorial is getting
long, so I'll save some time and jump right to it. A hardcoded serial, maybe? If we type
it in it's no good... but that gives us an idea: a serial that the program compares
against a literal and then rejects has got to be a blacklisted serial. So let's open the
code in UltraEdit (make sure you edit the unpacked file, operadump.exe, not the packed
original) and search for:

w-dUR6m-yMJYc-wKB7P-aSu6f-PEXcz

change it so it says:

1-11111-11111-11111-11111-11111

(HEX:
31 2d 31 31 31 31 31 2d 31 31 31 31 31 2d 31 31 31 31 31 2d 31 31 31 31 31 2d 31 31 31
31 31)

The replacement is exactly 31 bytes like the original, so nothing after it moves in the
file and the code reference at 0057D956 still points at the string. Any bytes will do as
long as the length stays the same and the result no longer equals the banned serial.

Save it, start Opera again and enter any name and organization. As the registration code
enter:
w-dUR6m-yMJYc-wKB7P-aSu6f-PEXcz
Bam! Since it's not blacklisted anymore, we are registered.
Another prog cracked!.. sorta! We didn't write a keygen; we made a blacklisted serial
valid again.
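The same-length overwrite above, as an added Python example (not the tutorial's own code): it finds the blacklisted literal in a dump, refuses any replacement that would change the file size, patches every occurrence in place and confirms the old serial no longer matches. The "image" it works on is a constructed stand-in for operadump.exe, and `is_blacklisted` is an assumption about how the comparison is done (a NUL-terminated literal in the file), not knowledge of Opera's real check.

```python
# Added example: same-length overwrite of the blacklisted serial in the unpacked dump.
BLACKLISTED_SERIAL = b"w-dUR6m-yMJYc-wKB7P-aSu6f-PEXcz"  # the literal seen in the SDR window
REPLACEMENT        = b"1-11111-11111-11111-11111-11111"  # same 31-byte length; dashes are 0x2d

def find_all(data, needle):
    """All offsets at which needle occurs in data (non-overlapping)."""
    offsets, pos = [], data.find(needle)
    while pos != -1:
        offsets.append(pos)
        pos = data.find(needle, pos + len(needle))
    return offsets

def patch_same_length(data, old, new):
    """Overwrite every occurrence of old with new without changing the file size.
    A longer or shorter replacement would shift every byte that follows and break
    the code references into the file (such as the one at 0057D956)."""
    if len(old) != len(new):
        raise ValueError("replacement must be %d bytes, got %d" % (len(old), len(new)))
    offsets = find_all(data, old)
    if not offsets:
        raise ValueError("string not found: edit the unpacked dump, not the packed exe")
    out = bytearray(data)
    for off in offsets:
        out[off:off + len(new)] = new
    assert len(out) == len(data)
    return bytes(out), offsets

def looks_like_serial(s):
    """Shape check only: one character, then five 5-character groups, dash separated.
    This says nothing about Opera's real validation algorithm."""
    parts = s.split(b"-")
    return (len(s) == 31 and len(parts) == 6 and len(parts[0]) == 1
            and all(len(p) == 5 for p in parts[1:]))

def hex_bytes(b):
    """Render bytes the way the hex editor shows them, e.g. '31 2d 31 ...'."""
    return " ".join("%02x" % c for c in b)

def is_blacklisted(image, serial):
    """Model of the check the patch defeats: the typed serial equals a NUL-terminated
    literal stored in the file (an assumption about how the comparison is done)."""
    return image.find(serial + b"\x00") != -1

def build_sample_image():
    """Constructed stand-in for the unpacked dump: filler, a made-up message string,
    the NUL-terminated blacklisted serial, more filler."""
    return b"\x00" * 16 + b"REGFAIL\x00" + BLACKLISTED_SERIAL + b"\x00" + b"\x90" * 16

def unblacklist(image):
    """The tutorial's edit end to end: overwrite the serial in place with a same-length
    dummy and confirm the old serial no longer matches anything in the file."""
    patched, offsets = patch_same_length(image, BLACKLISTED_SERIAL, REPLACEMENT)
    if is_blacklisted(patched, BLACKLISTED_SERIAL):
        raise RuntimeError("serial still present after patching")
    return patched, offsets
```

Run `unblacklist` over the bytes of the dump and write the result back under a new name; the returned offsets tell you where the edit landed so you can confirm them against the hex editor.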

Other:
"S#E@,R*NO_[*]R,[E#G"
"S[E,,R}N[O_P"
These two strings seemed strange to me because together they are 31 characters, the same
length as our registration code. (Drop the punctuation and they read SERNOREG and SERNOP.)

Laterz

--------------------------------------------------------------------------------------

email me if you are bored: sleepy@linuxwaves.com

                           ._Tutorialz_.
[-------------------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection                          ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0                                              ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program                   ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program           ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach)                                ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client                          ]
[ 7. CrAcKiNG Actionizer 1.4                                                    ]
[ 8. CrAcKiNG Tag Wizard 4.3.0                                                  ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP                                      ]
[10. CrAcKiNG Netrace 1.0a                                                      ]
[11. CrAcKiNG Winrar 3 Beta 2 THROUGHLY                                         ]
[12. CrAcKiNG Aditor Pro 3.05 build 1                                           ]
[13. CrAcKiNG EasyType 1.0                                                      ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215                           ]
[15. CrAcKiNG Applet Headline Factory Version 4.0                               ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b)                         ]
[17. CrAcKiNG iuVCR 4.0.0.205 beta5 Trial (R_02-28-2002)                        ]
[18. CrAcKiNG The Weakest Link -NOCD-                                           ]
[19. CrAcKiNG Blowfish 2000 V2.3 by finding a valid serial                      ]
[20. CrAcKiNG the CD Check in Tony Hawk Pro Skater 3                            ]
[21. CrAcKiNG DLL Show 4.7 bY Turning it Into its Own Keygen                    ]
[22. CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack ]
--------------------------------------------------------------------------------------

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!
gReEtz to people I don't know: anTiHerO, TaMaMBoLo, and Volatility for their unpacking
tutorials.

--------------------------------------------------------------------------------------

CopyLeft:
                              __        ______  __  __ _
                        _____/ /  ___  / ____/__\ \/ /(_)
                       / ___/ /  / _ \/ __/ / __ \  // /
                      (__  ) /__/  __/ /___/ /_/ / / _/_
                     /____/_____|___/_____/ .___/_/\___/
                                         /_/

	                   [all rights reversed]
                     Boredom causes crackers and babies.

--------------------------------------------------------------------------------------