Cracking Tutorial #27: CrAcKiNG Bitmap to Icon 3.5 two ways with w32dasm & Softice

[cracked bY:]   sLeEpY [FWA/NWA/FTPR8Z] iN 05/2002
[difficulty:]   beginner/intermediate
[where:]        http://www.qtam-computer.com/download.html
[tOOLz:]        softice 4.05, W32dasm 8.93, Hiew 6.1

--------------------------------------------------------------------------------

http://www.qtam-computer.com/download.html
Bitmap to Icon 3.5   511K
QTam Bitmap to Icon version 3.5   Shareware
QTam Bitmap to Icon is a small utility that can convert a BMP file to or from an ICO file. The registered version also supports GIF, JPG and multi-resource ICO file formats. With the program's wizard-like interface, making an ICO has never been easier. (May 01)

Word..... I'm bored at work and here is another tutorial. This program is fairly easy to break. I'm gonna try to show how to make this program yours in two different ways: the first with w32dasm using brutal cracking, the second with Softice using a more elegant style that is much cleaner.

--------------------------------------------------------------------------------

[PART 1]

Make your usual 3 copies of the program: bak, exe, and w32. Go to register this program; there is no error msg telling you that the serial is incorrect, it just does nothing, so disassemble the prog and let's check the SDR (String Data References) button for a happy msg.
We find: "All limitation has been removed" and "Thank you for registering,". Well, first try the 2nd one: "Thank you for registering," is at :0046266A (right below it is "All limitation has been removed", so both must be in the same happy message when you reg it).

--------------------------------------------------------------------------------

:00462632 E865D0FFFF        call 0045F69C               <- important call
:00462637 8B45F4            mov eax, dword ptr [ebp-0C]
:0046263A 8B55F8            mov edx, dword ptr [ebp-08]
:0046263D E88A15FAFF        call 00403BCC
:00462642 7426              je 0046266A
:00462644 8B45FC            mov eax, dword ptr [ebp-04]
:00462647 BABC274600        mov edx, 004627BC
:0046264C E87B15FAFF        call 00403BCC               <- important call
:00462651 0F850F010000      jne 00462766                <- jmp to crap
:00462657 8B45F8            mov eax, dword ptr [ebp-08]
:0046265A BACC274600        mov edx, 004627CC
:0046265F E86815FAFF        call 00403BCC               <- important call
:00462664 0F85FC000000      jne 00462766                <- jmp to crap

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00462642(C)
|
* Possible StringData Ref from Code Obj ->"Thank you for registering, "
:0046266A 68DC274600        push 004627DC               <- we get dropped here

--------------------------------------------------------------------------------

These two jumps go past our reg code... so Nop Nop Nop:

:00462651 0F850F010000      jne 00462766
:00462664 0F85FC000000      jne 00462766

Change both of the above like so:

:00462651 0F850F010000      jne 00462766
:00462651 909090909090      nop
:00462664 0F85FC000000      jne 00462766
:00462664 909090909090      nop

--------------------------------------------------------------------------------

Go back and reg the prog; any information will register it now. Restart the prog and it's unregged again... that always sucks, so let's find where it checks the reg info.
In the SDR there is something that should make you suspicious: "Software\QTam\Bitmap to Icon\3" pops up in 4 places:

:00462718
:00462D20
:00463F04   <- hmm.......... if you follow this one, you will end up in the right place (:00463F44)
:0046785B

--------------------------------------------------------------------------------

Start up regedit and you'll see that this is where your reg key is stored:

HKEY_CURRENT_USER\Software\QTam\Bitmap to Icon\3
    RegisteredCode
    RegisteredName

--------------------------------------------------------------------------------

I don't like to chase it that way, but that is just one way; I prefer this:

:0046264C E87B15FAFF        call 00403BCC               <- important call

Now I decided to delve into this call because programs often use the same calls from different places to save time, so if our regcode is checked here at the time we reg it, it is probably checked in this call again from somewhere else when we restart. But inside this call we see it is called from a shitload of places... erg... 73 places to be exact... so RET from this call. So here's an idea: go back and look for a call right above the 3 calls to this location:

:00462632 E865D0FFFF        call 0045F69C               <- important call

Chances are not as good, but still good enough, that this call is also used in the other place in the program where it checks the serial. Hmm, inside this one we see this:

--------------------------------------------------------------------------------

* Referenced by a CALL at Addresses:
|:00462632 , :00463F44
|

--------------------------------------------------------------------------------

Ok, you should see what I'm getting at; if not, stay with it.
The first call is where we just came from, our original check to reg the app: 00462632. So the second call is at: 00463F44. So let's go to that code location:

--------------------------------------------------------------------------------

:00463F44 E853B7FFFF        call 0045F69C
:00463F49 8B45E0            mov eax, dword ptr [ebp-20]
:00463F4C 8B55F4            mov edx, dword ptr [ebp-0C]
:00463F4F E878FCF9FF        call 00403BCC
:00463F54 741E              je 00463F74
:00463F56 8B45F8            mov eax, dword ptr [ebp-08]
:00463F59 BA30424600        mov edx, 00464230
:00463F5E E869FCF9FF        call 00403BCC               <- hey, our call again
:00463F63 7527              jne 00463F8C                <- jump to crap
:00463F65 8B45F4            mov eax, dword ptr [ebp-0C]
:00463F68 BA40424600        mov edx, 00464240
:00463F6D E85AFCF9FF        call 00403BCC               <- hey, our call again
:00463F72 7518              jne 00463F8C                <- jump to crap

--------------------------------------------------------------------------------

Looks a lot like the code above: it calls into the same routine and everything. This I've found to be the easiest way to kill the startup check! Start up Hiew...

Change these:

:00463F63 7527              jne 00463F8C    (offset 63363)
:00463F72 7518              jne 00463F8C    (offset 63372)

To these:

:00463F63 9090              nop
:00463F72 9090              nop

Save and exit, run the program and you are regged with whatever username you last regged it with.

--------------------------------------------------------------------------------

[PART 2]

Using Softice to get the real reg code.......

Well, we know where our main compare is at, so let's run Softice, get to that location, and check the registers. Run an uncracked, unmodified copy of the prog (you should have that backup), go to the register screen and fill it with bogus junk. I used:

Reg name: sleepy
Reg code: 123456789

I always start with BPX HMEMCPY and follow that till I get to the program's code, in this case BMP2ICO!CODE+0001E9B0, then BC * to clear the BPX, then set a new BPX on where I think the code is at. So going back to the above code...
:00462632 E865D0FFFF        call 0045F69C               <- important call
:00462637 8B45F4            mov eax, dword ptr [ebp-0C]
:0046263A 8B55F8            mov edx, dword ptr [ebp-08]
:0046263D E88A15FAFF        call 00403BCC
:00462642 7426              je 0046266A

So set a BPX on 462632 and let's check it out: press F10 twice and you will be at location 46263A:

:0046263A 8B55F8            mov edx, dword ptr [ebp-08]

In softice, make sure your data window is there (type "wd" and press enter); if you use my winice.dat then it's already there in the dat file. Type the following:

D EDX    this will show your username: sleepy
D EAX    this will show your real regcode: 543038BAW

In the data window: 546068BAW....... ........StaticTe

Type BC * to clear out the breakpoints, and enter your name and your valid regcode. Registered!

Softice is always a much cleaner approach, but cracking it with w32dasm is always great before you mess with SI; that way you learn somewhat how the code works before jumping into softice and *sometimes* getting lost. As you can see with the above example, we knew right where to go in softice because we found the compare and the serial check routine in w32dasm.

Well, another boring tutorial done, and I still have 5 hours left at work.... If you get bored, I usually personalize the progs on my computer: run resource hacker, exescope, or ultraedit and change some things.

Later

--------------------------------------------------------------------------------

email me if you are bored: sleepy@linuxwaves.com

._Tutorialz_.
[-------------------------------------------------------------------------------]
[ 1. Cracking Cosmi's Generic Installshield Protection ]
[ 2. CRACKING(?) MATH WORKSHOP 2.0 ]
[ 3. CrAcKiNG DLSuperCBT Resynchronizing Byte Compare Program ]
[ 4. CrAcKiNG the nag on DLSuperCBF - Dir Binary File Compare Program ]
[ 5. CrAcKiNG n)0(va crackme v3 (crazy approach) ]
[ 6. CrAcKiNG mIRC(R) v5.91 Internet Relay Chat Client ]
[ 7. CrAcKiNG Actionizer 1.4 ]
[ 8. CrAcKiNG Tag Wizard 4.3.0 ]
[ 9. CrAcKiNG Freecell for Win2k and WinXP ]
[10. CrAcKiNG Netrace 1.0a ]
[11. CrAcKiNG Winrar 3 Beta 2 THROUGHLY ]
[12. CrAcKiNG Aditor Pro 3.05 build 1 ]
[13. CrAcKiNG EasyType 1.0 ]
[14. CrAcKiNG The Psychedelic Screen Saver v2002.0215 ]
[15. CrAcKiNG Applet Headline Factory Version 4.0 ]
[16. CrAcKiNG Codewhiz Editor Version 1.7 (build 1.01b) ]
[17. CrAcKiNG iuVCR 4.0.0.205 beta5 Trial (R_02-28-2002) ]
[18. CrAcKiNG The Weakest Link -NOCD- ]
[19. CrAcKiNG Blowfish 2000 V2.3 by finding a valid serial ]
[20. CrAcKiNG the CD Check in Tony Hawk Pro Skater 3 ]
[21. CrAcKiNG DLL Show 4.7 bY Turning it Into its Own Keygen ]
[22. CrAcKiNG Opera 6.01 bY making a valid serial and manually unpacking Aspack ]
[23. CrAcKiNG Tickle 2.8 with w32dasm, & finding a valid serial with SI hmemcpy ]
[24. CrAcKiNG AxMan 3.12 with a valid serial using softice Hmemcpy ]
[25. CrAcKiNG Acid_Cool_178 Assembler Crackme01 using W32dasm ]
[26. CrAcKiNG Mirc 6.1 bY finding a valid serial using Softice Hmemcpy ]
[27. CrAcKiNG Bitmap to Icon 3.5 two ways with w32dasm & Softice ]

--------------------------------------------------------------------------------

gReEtz: MiNioN, GreycZ, KlutCh, KiNgEr, MidNight, FWA, NWA, FTPiRatEz! HAR! BEASTFXP!

--------------------------------------------------------------------------------

CopyLeft: sleepy [all rights reversed]

Boredom causes crackers and babies.
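For the defending side, an added example that is not part of sleepy's tutorial or of QTam's program: a C model of the 00462651 check routine, with its bytes constructed from the listing in Part 1, showing how a start-up self-check over the routine's own code bytes would notice the six-NOP patch, both by checksum and by looking for the expected 0F 85 (jne) opcodes. The byte arrays, offsets and function names are assumptions made for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the check routine at 00462651..00462669 from the listing above:
 * jne 00462766 / mov eax,[ebp-08] / mov edx,004627CC / call 00403BCC / jne 00462766. */
static const uint8_t CODE_ORIGINAL[25] = {
    0x0F,0x85,0x0F,0x01,0x00,0x00,  0x8B,0x45,0xF8,  0xBA,0xCC,0x27,0x46,0x00,
    0xE8,0x68,0x15,0xFA,0xFF,  0x0F,0x85,0xFC,0x00,0x00,0x00 };
/* The same bytes after the patch the tutorial applies: each jne replaced by six NOPs. */
static const uint8_t CODE_PATCHED[25] = {
    0x90,0x90,0x90,0x90,0x90,0x90,  0x8B,0x45,0xF8,  0xBA,0xCC,0x27,0x46,0x00,
    0xE8,0x68,0x15,0xFA,0xFF,  0x90,0x90,0x90,0x90,0x90,0x90 };
/* Offsets within the region (relative to 00462651) where a jne (0F 85) must sit. */
static const size_t BRANCH_OFFSETS[2] = { 0, 19 };

/* FNV-1a over the guarded code bytes. The reference value is derived here from the
 * known-good copy; a real build would compute it at build time and store it. */
uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}
uint32_t reference_checksum(void) { return fnv1a(CODE_ORIGINAL, sizeof CODE_ORIGINAL); }

/* Generic tamper check: any changed byte in the region changes the checksum. */
int code_is_intact(const uint8_t *code, size_t n, uint32_t reference) {
    return fnv1a(code, n) == reference;
}

/* Targeted check: count expected jne opcodes that are no longer 0F 85 (a NOP-out leaves 90 90). */
int missing_branches(const uint8_t *code, size_t n) {
    int missing = 0;
    for (size_t i = 0; i < 2; i++) {
        size_t off = BRANCH_OFFSETS[i];
        if (off + 1 >= n || code[off] != 0x0F || code[off + 1] != 0x85) missing++;
    }
    return missing;
}

int main(void) {
    uint32_t ref = reference_checksum();
    printf("original: intact=%d missing_branches=%d\n",
           code_is_intact(CODE_ORIGINAL, 25, ref), missing_branches(CODE_ORIGINAL, 25));
    printf("patched:  intact=%d missing_branches=%d\n",
           code_is_intact(CODE_PATCHED, 25, ref), missing_branches(CODE_PATCHED, 25));
    return 0;
}
```

A reference value stored in the binary can be patched along with the code, so a check like this only raises the cost of the edit; it does nothing about Part 2, where the valid code is computed inside the process and sits readable in EAX right before the compare.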