--------------------------------------------------------------------------------------

Cracking Tutorial #23: Cracking Tickle 2.8 with w32dasm, then finding a valid serial with SoftICE and an hmemcpy breakpoint

[cracked bY:]   sLeEpY [FWA/NWA/FTPR8Z] in 04/2002
[difficulty:]   beginner/intermediate
[where:]        http://www.worldlynx.net/pgerhart/
[tOOLz:]        w32dasm 8.93, SoftICE 4.05, Hiew 6.0

--------------------------------------------------------------------------------------

Published on   20-Sep-2000
Developer      Paul Gerhart
License        Tickle
Price          $10.00
File Size      1,229K

Tickle lets you keep your Internet Service Provider (ISP) connection alive. You give it one or more domain names (or IP addresses) and a time period, for example 5 minutes. From then on, Tickle makes sure that domain (server) gets 'tickled' at the rate you specified. Tickle also has a 'roulette' and a 'random time' mode, so that different domains are 'tickled' and the tickle is sent at a (slightly) random time. Tickle runs in the TaskBar's tray area.

--------------------------------------------------------------------------------------

A word first, once again... I'm bored, and after fixing computers all day I have to wait for a box to finish formatting. So here's another tutorial. First I'll show you how to crack this program with w32dasm, then I'll show you how to get a valid serial for your name with SoftICE, so you can skip the patching part if you don't want it. Part one is cracking the program with w32dasm, part two is finding the serial with SoftICE.
[PART 1]

Make the usual three copies: a backup, one for w32dasm and one to patch. Now try to register the program. We didn't get lucky guessing the serial:

    Name / Code mis-match. Try again

The exe isn't packed or otherwise protected, so disassemble it and crack it the brutal way first. In w32dasm, search the string references for the failure message:

--------------------------------------------------------------------------------------
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402D48(C), :00402D62(C)
|
:00402DCE 6A00                    push 00000000
:00402DD0 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Name / Code mis-match. Try again."
                                  |
:00402DD2 68C4F44000              push 0040F4C4

* Reference To: MFC42.Ordinal:04B0, Ord:04B0h
                                  |
:00402DD7 E8DE6F0000              Call 00409DBA
--------------------------------------------------------------------------------------

The failure message is reached from 402D48 and 402D62, so go look at them:

--------------------------------------------------------------------------------------
* Reference To: MFC42.Ordinal:0217, Ord:0217h
                                  |
:00402D1A E8C5700000              Call 00409DE4
:00402D1F 898574FFFFFF            mov dword ptr [ebp+FFFFFF74], eax
:00402D25 8D4D84                  lea ecx, dword ptr [ebp-7C]
:00402D28 51                      push ecx
:00402D29 8B8D78FFFFFF            mov ecx, dword ptr [ebp+FFFFFF78]
:00402D2F E8B8020000              call 00402FEC
:00402D34 898570FFFFFF            mov dword ptr [ebp+FFFFFF70], eax
:00402D3A C645FC01                mov [ebp-04], 01
:00402D3E 8D4D84                  lea ecx, dword ptr [ebp-7C]
:00402D41 E83A060000              call 00403380
:00402D46 85C0                    test eax, eax
:00402D48 0F8580000000            jne 00402DCE        <- checks whether anything was entered
:00402D4E 8D55E8                  lea edx, dword ptr [ebp-18]
:00402D51 52                      push edx
:00402D52 8D4584                  lea eax, dword ptr [ebp-7C]
:00402D55 50                      push eax
:00402D56 E865060000              call 004033C0       <- this call computes your serial and compares it
:00402D5B 25FF000000              and eax, 000000FF   <- keeps only the low byte: the call returns a one-byte true/false
:00402D60 85C0                    test eax, eax
:00402D62 746A                    je 00402DCE         <- taken when the compare failed; this is the jump to change
:00402D64 E867E4FFFF              call 004011D0
:00402D69 894580                  mov dword ptr [ebp-80], eax
:00402D6C 8D4DEC                  lea ecx, dword ptr [ebp-14]
:00402D6F E8ACEBFFFF              call 00401920
:00402D74 50                      push eax
--------------------------------------------------------------------------------------

You should know what to do here: load the exe in Hiew and change

    :00402D62 746A    je 00402DCE

to

    :00402D62 9090    nop / nop

or to

    :00402D62 756A    jne 00402DCE

or anything else that keeps it from jumping. Note that 402D62 is the virtual address from the listing, not a file offset; make sure Hiew has taken you to the matching place in the file and that the two bytes there really are 74 6A before you touch them. F9 writes the change to the file, F10 quits.

Run the program and register it with whatever you want. It won't stay registered, though: on every start it re-checks the code stored in the registry, so there is a second check to kill. I was going to show where that one lives, but instead we'll use SoftICE to get a valid serial number.

--------------------------------------------------------------------------------------
[PART 2]
--------------------------------------------------------------------------------------

Ok, fun fun... copy the backup of the program so we have a fresh exe. Make sure SoftICE is loaded; look elsewhere for how to install and configure it. If you are reading this you should already know that! =0)

Start "tickle.exe" and go to register. Fill in whatever you want as the username (I use sleepy) and put in a fake code; I used a bunch of junk, 67676767 or 66669999. Press Ctrl+D to break into SoftICE and put a breakpoint on hmemcpy:

    BPX HMEMCPY

Press Ctrl+D to leave SoftICE and click the "validate my code" button. SoftICE breaks; press Ctrl+D once and it breaks again. On the second break you should be here:

    KERNEL!HMEMCPY
    0147:9EA6  55        PUSH BP
    more code... blah blah blah

Press F10 (roughly 92 times; you will go through a ton of code, Kernel32!_Freqasm, MFC42!.text, USER32!.text) until you end up in:

    TICKLE!.text
    0167:004041A5  6A32      PUSH 32
    more code...

Now clear the hmemcpy breakpoint (BC *). From here you can do two things: since we already found the compare routine above, we can set a breakpoint on the call just before it, or we can trace it the fun way and waste time.
I'm opting for the quick way. From above we have:

--------------------------------------------------------------------------------------
:00402D56 E865060000              call 004033C0       <- this call computes your serial and compares it
:00402D5B 25FF000000              and eax, 000000FF
:00402D60 85C0                    test eax, eax
:00402D62 746A                    je 00402DCE
--------------------------------------------------------------------------------------

So set a breakpoint on the call that computes the serial:

    BPX 402D56

Press Enter, then Ctrl+D again, and SoftICE pops up right on that call. Press F10 once and you will be here:

    :00402D5B 25FF000000    and eax, 000000FF

In SoftICE, type D ECX to see your fake serial, 66667777.
In SoftICE, type D EDX to see your valid serial, B1C72FBF.

Write the good serial down, clear the breakpoints (BC *) and register the product with your valid serial (it is case sensitive).

You can also step into the call to find the serial, but who cares:

    :00402D56 E865060000    call 004033C0    <- this call computes your serial

    0167:00403398  8BC1    MOV EAX, ECX     D EAX = B1C72FBF  <- the valid serial
    0167:004033CB  50      PUSH EAX         D EAX = 676767    <- fake
    0167:004033EA  50      PUSH EAX         D EAX = 676767    <- fake
    0167:004033F0  52      PUSH EDX         D EDX = B1C72FBF  <- the valid serial

The registration is stored in the registry. If you want to unregister again, just delete the Code value under this key:

    HKEY_LOCAL_MACHINE\Software\Paul Gerhart Software\Tickle\User
        Code  (your code)
        Name  (your name)

Laterz!

--------------------------------------------------------------------------------------

email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.
[-------------------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection                          ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0                                              ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program                   ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program           ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach)                                ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client                          ]
[ 7. CrAcKiNG Actionizer 1.4                                                    ]
[ 8. CrAcKiNG Tag Wizard 4.3.0                                                  ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP                                      ]
[10. CrAcKiNG Netrace 1.0a                                                      ]
[11. CrAcKiNG Winrar 3 Beta 2 THROUGHLY                                         ]
[12. CrAcKiNG Aditor Pro 3.05 build 1                                           ]
[13. CrAcKiNG EasyType 1.0                                                      ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215                           ]
[15. CrAcKiNG Applet Headline Factory Version 4.0                               ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b)                         ]
[17. CrAcKiNG iuVCR 4.0.0.205 beta5 Trial (R_02-28-2002)                        ]
[18. CrAcKiNG The Weakest Link -NOCD-                                           ]
[19. CrAcKiNG Blowfish 2000 V2.3 by finding a valid serial                      ]
[20. CrAcKiNG the CD Check in Tony Hawk Pro Skater 3                            ]
[21. CrAcKiNG DLL Show 4.7 bY Turning it Into its Own Keygen                    ]
[22. CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack ]
[23. CrAcKiNG Tickle 2.8 with w32dasm, & finding a valid serial with SI hmemcpy ]

--------------------------------------------------------------------------------------

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!

--------------------------------------------------------------------------------------

CopyLeft: sLeEpY [all rights reversed]
Boredom causes crackers and babies.

--------------------------------------------------------------------------------------
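The Hiew step in Part 1 patches two bytes at an address taken from the w32dasm listing, and that address is a virtual address, not a position in the file. The script below is an added example, not part of the original tutorial, that performs the same edit programmatically: it walks the PE section table to map the VA to a file offset, checks that the bytes there are the expected 74 6A, and writes either 90 90 or the inverted jump 75 6A. It runs against a constructed stand-in PE (one .text section, raw data at file offset 0x400, ImageBase 0x400000) because the section layout of the real tickle.exe is not given on the page; the file offset 0x2162 it reports is for that sample only.

```python
"""Map a virtual address from a disassembler listing to a PE file offset and
patch the short conditional jump there, verifying the original bytes first.
Added example; the sample PE built below is constructed, not the real tickle.exe."""
import struct


def parse_sections(data: bytes):
    """Return (image_base, [(name, virtual_addr, virtual_size, raw_ptr, raw_size)])
    from the headers of a PE32 (32-bit) image."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    file_hdr = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, file_hdr + 2)[0]
    opt_size = struct.unpack_from("<H", data, file_hdr + 16)[0]
    opt_hdr = file_hdr + 20
    if struct.unpack_from("<H", data, opt_hdr)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", data, opt_hdr + 28)[0]
    sections = []
    sec = opt_hdr + opt_size
    for _ in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, sec)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, raw_ptr, raw_size))
        sec += 40  # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections


def va_to_file_offset(data: bytes, va: int) -> int:
    """Translate a virtual address (as shown by w32dasm/SoftICE) to a file offset."""
    image_base, sections = parse_sections(data)
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError(f"{va:#x} is in the uninitialised part of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:#x} is not inside any section")


def bytes_at(data: bytes, va: int, n: int = 2) -> bytes:
    """Read n bytes at a virtual address; use this to confirm 74 6A before patching."""
    off = va_to_file_offset(data, va)
    return data[off:off + n]


def patch_short_je(data: bytes, va: int, mode: str = "nop") -> bytes:
    """Patch the 2-byte short 'je rel8' at va. mode='nop' writes 90 90,
    mode='invert' turns it into 'jne rel8' (75 xx) keeping the displacement."""
    off = va_to_file_offset(data, va)
    opcode, disp = data[off], data[off + 1]
    if opcode != 0x74:
        raise ValueError(f"expected je (74 xx) at {va:#x}, found {opcode:02x} {disp:02x}")
    if mode == "nop":
        new = b"\x90\x90"
    elif mode == "invert":
        new = bytes([0x75, disp])
    else:
        raise ValueError("mode must be 'nop' or 'invert'")
    patched = bytearray(data)
    patched[off:off + 2] = new
    return bytes(patched)


def build_sample_pe() -> bytes:
    """Constructed stand-in for tickle.exe: one .text section mapped at RVA 0x1000
    with raw data at file offset 0x400, ImageBase 0x400000, and the listing's
    'je 00402DCE' (74 6A) placed at VA 0x402D62."""
    image_base, text_va, text_raw, text_size = 0x400000, 0x1000, 0x400, 0x2000
    e_lfanew = 0x40
    buf = bytearray(text_raw + text_size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    fh = e_lfanew + 4
    # Machine, NumberOfSections, TimeDateStamp, PtrSymTab, NumSyms, SizeOfOptionalHeader, Characteristics
    struct.pack_into("<HHIIIHH", buf, fh, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = fh + 20
    struct.pack_into("<H", buf, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", buf, opt + 28, image_base)   # ImageBase
    sec = opt + 0xE0
    struct.pack_into("<8sIIII", buf, sec, b".text", text_size, text_va, text_size, text_raw)
    # VA 0x402D62 -> RVA 0x2D62 -> 0x1D62 into .text -> file offset 0x400 + 0x1D62 = 0x2162
    buf[0x2162:0x2164] = b"\x74\x6A"
    return bytes(buf)


if __name__ == "__main__":
    exe = build_sample_pe()
    print(f"VA 0x402D62 is at file offset {va_to_file_offset(exe, 0x402D62):#x}, bytes {bytes_at(exe, 0x402D62).hex()}")
    print("nopped :", patch_short_je(exe, 0x402D62, "nop")[0x2162:0x2164].hex())
    print("inverted:", patch_short_je(exe, 0x402D62, "invert")[0x2162:0x2164].hex())
```

The opcode check is the important part: patching at a guessed offset without confirming 74 6A is how you end up with a corrupt exe that crashes somewhere else, and the same check protects you when the build you are looking at differs from the one the listing came from.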