Cracking Tutorial #26: CrAcKiNG Mirc 6.1 bY finding a valid serial using Softice Hmemcpy

[cracked bY:]  sLeEpY [FWA/NWA/FTPR8Z] iN 05/2002
[difficulty:]  beginner/intermediate
[where:]       http://www.mirc.com
[tOOLz:]       softice 4.05, W32dasm 8.93 to view dead list

ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì

Word... Here is another prog whose prior versions have been cracked and keygen'd a bizillion times over, but it is definitely one I recommend reading and doing, as it seems (as other tuts tell) that you will pick up some good assembler knowledge just by following the code with softice. It is very interesting how this program takes your name and creates a reg code out of it. I won't go that in-depth as I can't keygen for crap yet, but I can show how to find a serial for your name. Also, as with all prior versions, this is a two-part code and it still needs the "-".

OK, try to reg the prog... Press the reg button and, no lucking out on the guess, here's our error msg:

The registration name and number you have entered do not match.

Ok, well to start with you want a dead list of the code; make one with w32dasm. I did because it gives you an idea where to start. Pick the good msg.

* Possible Reference to String Resource ID=01911: "Your registration has been successfully."
:004C3CAD 6877070000              push 00000777

Follow this code up until we find a conditional jump that goes to the bad crap message:

:004C3C24 0F84B7000000            je 004C3CE1

Opening up the code around it....
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì
* Reference To: USER32.SendDlgItemMessageA, Ord:0000h
                                  |
:004C3C0E E8FFB50800              Call 0054F212
:004C3C13 6837D75600              push 0056D737
:004C3C18 6850D35600              push 0056D350
:004C3C1D E88FFBFFFF              call 004C37B1          <- Our important call
:004C3C22 85C0                    test eax, eax
:004C3C24 0F84B7000000            je 004C3CE1            <- Our deciding jump
:004C3C2A C605AAD3560000          mov byte ptr [0056D3AA], 00
:004C3C31 BE6C3C5700              mov esi, 00573C6C
:004C3C36 BF50D35600              mov edi, 0056D350
:004C3C3B 33C0                    xor eax, eax
:004C3C3D 83C9FF                  or ecx, FFFFFFFF
:004C3C40 F2                      repnz
:004C3C41 AE                      scasb
:004C3C42 F7D1                    not ecx
:004C3C44 2BF9                    sub edi, ecx
:004C3C46 87F7                    xchg edi, esi
:004C3C48 8BC7                    mov eax, edi
:004C3C4A 8BD1                    mov edx, ecx
:004C3C4C C1E902                  shr ecx, 02
:004C3C4F F3                      repz
:004C3C50 A5                      movsd
:004C3C51 8BCA                    mov ecx, edx
:004C3C53 83E103                  and ecx, 00000003
:004C3C56 F3                      repz
:004C3C57 A4                      movsb
:004C3C58 6837D75600              push 0056D737
:004C3C5D 6850D35600              push 0056D350
:004C3C62 E8BCFEFFFF              call 004C3B23
:004C3C67 6A00                    push 00000000

* Possible Ref to Menu: MenuID_003C, Item: "Register..."
                                  |
:
:misc code lines.....
:

* Possible Reference to String Resource ID=01912: "Registration"
                                  |
:004C3CA0 6878070000              push 00000778
:004C3CA5 E80D8AF6FF              call 0042C6B7
:004C3CAA 50                      push eax
:004C3CAB 6A00                    push 00000000

* Possible Reference to String Resource ID=01911: "Your registration has been entered successfully."
                                  |
:004C3CAD 6877070000              push 00000777
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì

* Reference To: USER32.SendDlgItemMessageA, Ord:0000h

This will be our new SI breakpoint.....

BPX SendDlgItemMessageA

Now at this point you can change the conditional jump so you can reg with anything, but that was in a previous tutorial; we're after the serial this time!
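Reading a W32Dasm dead listing by hand, as above, means walking back from the "good" string reference to the conditional jump that decides whether it is reached. The following is an added example (not part of the tutorial and not a W32Dasm feature) of doing that mechanically: a small parser for the listing format on this page that turns each line into an instruction record, attaches the string-resource comments to the instruction below them, and lists the conditional branches that skip past a given success message. The sample listing is an abridged excerpt of the one above, embedded here so the script runs offline; the mnemonic set and the `branch_target` helper are my own.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input in W32Dasm dead-listing style. The addresses, bytes
# and string-resource comments are copied from the listing in this tutorial;
# the excerpt is abridged so it runs stand-alone.
LISTING = """
* Reference To: USER32.SendDlgItemMessageA, Ord:0000h
                                  |
:004C3C0E E8FFB50800              Call 0054F212
:004C3C13 6837D75600              push 0056D737
:004C3C18 6850D35600              push 0056D350
:004C3C1D E88FFBFFFF              call 004C37B1
:004C3C22 85C0                    test eax, eax
:004C3C24 0F84B7000000            je 004C3CE1
:004C3C2A C605AAD3560000          mov byte ptr [0056D3AA], 00

* Possible Reference to String Resource ID=01912: "Registration"
                                  |
:004C3CA0 6878070000              push 00000778
:004C3CA5 E80D8AF6FF              call 0042C6B7

* Possible Reference to String Resource ID=01911: "Your registration has been entered successfully."
                                  |
:004C3CAD 6877070000              push 00000777
"""

INSN_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\S+)(?:\s+(.*))?$")
STRREF_RE = re.compile(r'^\* Possible Reference to String Resource ID=(\d+): "(.*)"$')
COND_JUMPS = {"je", "jne", "jz", "jnz", "jb", "jnb", "jbe", "ja", "jae",
              "jl", "jle", "jg", "jge", "js", "jns", "jc", "jnc"}

@dataclass
class Insn:
    addr: int
    opcode_bytes: str
    mnemonic: str
    operands: str
    string_ref: Optional[str] = None   # W32Dasm comment attached just above

def parse_listing(text: str) -> List[Insn]:
    """Turn the dead listing into Insn records; a string-resource comment is
    attached to the first instruction that follows it (skipping the '|' line)."""
    insns, pending = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = STRREF_RE.match(line)
        if m:
            pending = m.group(2)
            continue
        m = INSN_RE.match(line)
        if not m:
            continue                     # separators, '|', xref headers
        insns.append(Insn(int(m.group(1), 16), m.group(2), m.group(3).lower(),
                          (m.group(4) or "").strip(), pending))
        pending = None
    return insns

def branch_target(insn: Insn) -> Optional[int]:
    """Absolute target of a call/jmp/jcc with an immediate operand, else None."""
    if insn.mnemonic in COND_JUMPS or insn.mnemonic in ("jmp", "call"):
        try:
            return int(insn.operands, 16)
        except ValueError:
            return None                  # register or indirect operand
    return None

def find_string_ref(insns: List[Insn], needle: str) -> Optional[Insn]:
    """First instruction carrying a string-resource comment containing needle."""
    for insn in insns:
        if insn.string_ref and needle in insn.string_ref:
            return insn
    return None

def decision_points(insns: List[Insn], good_addr: int) -> List[Insn]:
    """Conditional jumps before good_addr whose target lies past it, i.e. the
    branches that decide whether the success message is ever reached."""
    return [i for i in insns
            if i.mnemonic in COND_JUMPS and i.addr < good_addr
            and (branch_target(i) or 0) > good_addr]

if __name__ == "__main__":
    insns = parse_listing(LISTING)
    good = find_string_ref(insns, "entered successfully")
    for i in decision_points(insns, good.addr):
        print(f"{i.addr:08X} {i.mnemonic} -> {branch_target(i):08X}")
```

On the sample above the only decision point reported is the `je 004C3CE1` at 004C3C24, the same jump the tutorial picks out. The same structure (address, bytes, mnemonic, operands, attached comment) is what any listing-based analysis builds on, whether the target is a registration check or a malware sample's behaviour switch.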
Let's check out the important call:

:004C3C1D E88FFBFFFF              call 004C37B1          <-------
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì
* Referenced by a CALL at Addresses:
|:004C394F   , :004C3A23   , :004C3C1D
|
:004C37B1 55                      push ebp               <- start of CALL
:004C37B2 8BEC                    mov ebp, esp
:004C37B4 53                      push ebx
:004C37B5 56                      push esi
:
:lines of code
:
:004C3831 5F                      pop edi
:004C3832 5E                      pop esi
:004C3833 68D43D5700              push 00573DD4          <- push name and serial
:004C3838 57                      push edi               <- on these 2 lines
:004C3839 E880FEFFFF              call 004C36BE          <- another important call (2)!
:004C383E 85C0                    test eax, eax
:004C3840 740A                    je 004C384C            <- bad jump
:004C3842 B801000000              mov eax, 00000001      <- load eax with 1, good!
:004C3847 E991000000              jmp 004C38DD           <- take jump
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì
:004C38DD 5F                      pop edi                <- land here
:004C38DE 5E                      pop esi
:004C38DF 5B                      pop ebx
:004C38E0 5D                      pop ebp
:004C38E1 C20800                  ret 0008               <- Return back to 004C3C22
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì

Next we look at the second important call... (2)

:004C3839 E880FEFFFF              call 004C36BE
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì
:004C36BE 55                      push ebp
:004C36BF 8BEC                    mov ebp, esp
:004C36C1 83C4F4                  add esp, FFFFFFF4
:004C36C4 53                      push ebx
:
:lines of code
:
:004C36C7 8B750C                  mov esi, dword ptr [ebp+0C]   <- store your name
:004C36CA FF7508                  push [ebp+08]
:004C36CD E84ECA0700              call 00540120
:004C36D2 59                      pop ecx
:004C36D3 83F805                  cmp eax, 00000005      <- compare name length with 5
:004C36D6 7307                    jnb 004C36DF           <- take this jump
:004C36D8 33C0                    xor eax, eax           <- xor eax and reg fail
:004C36DA E9C9000000              jmp 004C37A8           <- back to reg fail

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C36D6(C)
|
:004C36DF 6A2D                    push 0000002D          <- push "-" on the stack
:004C36E1 56                      push esi
:004C36E2 E899C90700              call 00540080          <- make sure the serial has a "-" in it
:004C36E7 83C408                  add esp, 00000008
:004C36EA 8BD8                    mov ebx, eax
:004C36EC 85DB                    test ebx, ebx
:004C36EE 7507                    jne 004C36F7
:004C36F0 33C0                    xor eax, eax
:004C36F2 E9B1000000              jmp 004C37A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C36EE(C)
|
:004C36F7 C60300                  mov byte ptr [ebx], 00
:004C36FA 56                      push esi
:004C36FB E874580800              call 00548F74
:004C3700 59                      pop ecx
:004C3701 8945FC                  mov dword ptr [ebp-04], eax   <- ? eax to see fakey serial "0000012345"
:004C3704 C6032D                  mov byte ptr [ebx], 2D
:004C3707 43                      inc ebx
:004C3708 803B00                  cmp byte ptr [ebx], 00
:004C370B 7507                    jne 004C3714
:004C370D 33C0                    xor eax, eax
:004C370F E994000000              jmp 004C37A8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004C370B(C)
|
:004C3714 53                      push ebx
:004C3715 E85A580800              call 00548F74
:004C371A 59                      pop ecx
:004C371B 8945F8                  mov dword ptr [ebp-08], eax   <- ? eax to see fakey serial "0000067890"
:004C371E FF7508                  push [ebp+08]
:004C3721 E8FAC90700              call 00540120
:004C3726 59                      pop ecx
:004C3727 8945F4                  mov dword ptr [ebp-0C], eax   <- ? eax to see length of username "0000000006"
:                                                                  (sleepy = 6 chars)
:lines of code
:
:004C375A 3B5DFC                  cmp ebx, dword ptr [ebp-04]   <- ? EBX to see 1st part of real reg code "0000003840"
:004C375D 7404                    je 004C3763
:
:lines of code
:
:004C379A 3B5DF8                  cmp ebx, dword ptr [ebp-08]   <- ? EBX to see rest of real code "0000410467"
:004C379D 7404                    je 004C37A3            <- take jump if all is good to register
:004C379F 33C0                    xor eax, eax           <- xor eax and crap out
:004C37A1 EB05                    jmp 004C37A8           <- jump to reg fail
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì

Now the dumbcrap about this is that the CMP is what is left over from previous versions of mIRC and isn't used anymore; it's actually a flaw, so we can see our code!
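The flaw just described, that the expected code is materialized and compared against the input right where a debugger can read it with `? EBX`, is a design problem rather than a bug in one instruction. As an added example (not mIRC's code and not the tutorial's), here is a Python model of the leaky pattern beside one where the client only holds a public key and checks the serial as a signature over the name, so nothing it computes at the compare can be turned into a serial. The shape checks are the two the listing shows (name of at least 5 chars, a "-" in the serial); the derivation `toy_derive`, the RSA constants `P`, `Q`, `E`, the 48-bit name digest and the 'high30-low30' serial layout are all constructed for illustration and are far too small for real use.

```python
import hashlib
from typing import Optional, Tuple

# ---- front end shared by both checks: the two shape tests the listing shows
#      (name length >= 5 at 4C36D3, a '-' in the serial at 4C36E2) -----------
def split_serial(name: str, serial: str) -> Optional[Tuple[int, int]]:
    """Return (part1, part2) as ints, or None for a name under 5 chars, a
    serial without '-', or a non-numeric part."""
    if len(name) < 5 or "-" not in serial:
        return None
    a, _, b = serial.partition("-")
    if not (a.isdigit() and b.isdigit()):
        return None
    return int(a), int(b)

# ---- weak pattern: derive the expected code, compare it in the clear -------
def toy_derive(name: str) -> Tuple[int, int]:
    """Stand-in for a vendor's name-to-code derivation (constructed; NOT mIRC's)."""
    h = hashlib.sha256(name.encode()).digest()
    return int.from_bytes(h[:2], "big") % 10000, int.from_bytes(h[2:5], "big") % 1000000

def weak_check(name: str, serial: str) -> Tuple[bool, Optional[str]]:
    """Returns (accepted, value_visible_at_compare). The second item models what
    a breakpoint on the comparison reads ('? EBX' in the tutorial): the full
    expected serial, because the check has to hold it in order to compare it."""
    parts = split_serial(name, serial)
    if parts is None:
        return False, None
    want = toy_derive(name)
    return parts == want, f"{want[0]}-{want[1]}"

# ---- hardened pattern: the client holds only a public key -------------------
# Constructed toy RSA parameters so the block runs offline; a real product
# would use a standard signature scheme and key size.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # vendor-only; never ships with the client
PART_BITS = 30                            # serial layout: 'high30-low30'

def _name_digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:6], "big")  # 48 bits < N

def vendor_issue(name: str) -> str:
    """Vendor side (needs D): the serial is a signature over H(name)."""
    sig = pow(_name_digest(name), D, N)
    return f"{sig >> PART_BITS}-{sig & ((1 << PART_BITS) - 1)}"

def signed_check(name: str, serial: str) -> bool:
    """Client side (needs only E and N). What sits in memory at the compare is
    H(name) and sig^E mod N; neither yields a valid serial for any name."""
    parts = split_serial(name, serial)
    if parts is None or parts[1] >= (1 << PART_BITS):
        return False
    sig = (parts[0] << PART_BITS) | parts[1]
    if sig >= N:
        return False
    return pow(sig, E, N) == _name_digest(name)

if __name__ == "__main__":
    ok, seen = weak_check("sleepy", "12345-67890")
    print("weak: accepted =", ok, "| expected code visible at compare:", seen)
    issued = vendor_issue("sleepy")
    print("signed: issued", issued, "| accepted =", signed_check("sleepy", issued),
          "| with wrong name =", signed_check("sleepz", issued))
```

Run with a dummy serial, `weak_check` rejects it but hands back the very value the check was protecting, which is exactly what the tutorial reads out of EBX at the two CMP instructions. `signed_check` never computes a serial at all: a breakpoint on its comparison sees a hash and a modular exponentiation result, and producing a fresh serial needs `D`, which the client does not have. The residual weakness of this pattern is the one the tutorial's earlier section shows, patching the conditional jump after the check, which a purely client-side verifier cannot prevent on its own.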
Mainly, the compare routine now just compares the valid serial to a bunch of crap: in an old version of mIRC it compared the real and entered code there to decide if it regged or not, but since then the protection algo has gotten better and it determines the code inside the algo now. We remember that the 1st part and second part of our fakey serial were stored in [ebp-04] & [ebp-08], but down the line they just got garbage written to them, so we have to remember to look for a compare with [ebp-04] & [ebp-08] to know where our real code is. Either that, or go the hard way and check the algo. Here is the info:

:004C3701 8945FC                  mov dword ptr [ebp-04], eax
:004C371B 8945F8                  mov dword ptr [ebp-08], eax

? ebp-04 shows 0000012345
? ebp-08 shows 0000067890

:004C375A 3B5DFC                  cmp ebx, dword ptr [ebp-04]
:004C379A 3B5DF8                  cmp ebx, dword ptr [ebp-08]

but now at the actual compare they show this:

? ebp-04 shows 0009302208
? ebp-08 shows 0009302204

So it's comparing our serial with crap. I even nopped out those two compare lines and put in the valid code I found and it still regged, therefore proving that those lines are just leftover from a previous algo in an old version of the prog.

Well anyway, piece the code together and you get:

user: sleepy
reg:  3840-410467

Pop it in the box and you're registered!
ììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììììì
So to make it quick: Ctrl+D, BPX SendDlgItemMessageA. Then go to the reg screen of mIRC and put in your dummy info. Mine:

user: sleepy
reg:  12345-67890

Follow the code (F10) until you see MIRC!.text+000C2C0E. Once you are in mIRC code type BC *, and set a new BPX on 4C375A and 4C379A.

BPX 4C379A
BPX 4C375A

Press Ctrl+D. Bam, first location: ? EBX. Write it down..
Press Ctrl+D. Bam, second location: ? EBX. Write it down.

The End of this long tutorial.! Laterz

¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼¬½¼

email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.
[-------------------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection                           ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0                                               ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program                    ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program            ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach)                                 ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client                           ]
[ 7. CrAcKiNG Actionizer 1.4                                                     ]
[ 8. CrAcKiNG Tag Wizard 4.3.0                                                   ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP                                       ]
[10. CrAcKiNG Netrace 1.0a                                                       ]
[11. CrAcKiNG Winrar 3 Beta 2 THOROUGHLY                                         ]
[12. CrAcKiNG Aditor Pro 3.05 build 1                                            ]
[13. CrAcKiNG EasyType 1.0                                                       ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215                            ]
[15. CrAcKiNG Applet Headline Factory Version 4.0                                ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b)                          ]
[17. CrAcKiNG iuVCR 4.0.0.205 beta5 Trial (R_02-28-2002)                         ]
[18. CrAcKiNG The Weakest Link -NOCD-                                            ]
[19. CrAcKiNG Blowfish 2000 V2.3 by finding a valid serial                       ]
[20. CrAcKiNG the CD Check in Tony Hawk Pro Skater 3                             ]
[21. CrAcKiNG DLL Show 4.7 bY Turning it Into its Own Keygen                     ]
[22. CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack  ]
[23. CrAcKiNG Tickle 2.8 with w32dasm, & finding a valid serial with SI hmemcpy  ]
[24. CrAcKiNG AxMan 3.12 with a valid serial using softice Hmemcpy               ]
[25. CrAcKiNG Acid_Cool_178 Assembler Crackme01 using W32dasm                    ]
[26. CrAcKiNG Mirc 6.1 bY finding a valid serial using Softice Hmemcpy           ]
[-------------------------------------------------------------------------------]

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!

More Greetz: tHEHermit @ cracking4newbies, as he helped me with some info on how to keygen an older mIRC after I serialed this, so maybe I can keygen this bitch!
CopyLeft: sleepy [all rights reversed]

Boredom causes crackers and babies.