SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING
RasMan v1.46
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material. Read the END NOTES section at the end of this file.

ABOUT THE PROGRAM

Welcome to RasMan, a shareware application to monitor all of your Dial-Up Networking connections. There are numerous online timers already out on the Internet, so you may say, why another one? I have evaluated numerous online timers but none of them provided exactly what I wanted. Some of the problems were:

o For such a simple requirement some of the programs were overly complicated or had special requirements.
o None of the programs out there were able to accurately take into account the many different costing rules being used by ISPs and telecom providers.
o The types of reporting available in some programs were limited or non-existent.

What I wanted was a nice flexible program, small in size, unobtrusive and easy to use. So with that in mind here is a list of RasMan features:

o The size of RasMan.exe itself is just 100k and the code inside it has been designed in such a way as to affect system performance as little as possible.
o The program leaves all of the reporting and costing issues to an external program. This leaves RasMan to the job of monitoring connections and leaves all the complications of costing / reporting to more capable programs.
o Instead of providing reporting, RasMan generates a log file which can be easily imported into programs such as Microsoft Excel. The format itself is totally customizable. The program also generates a "schema.ini" file which allows the CSV file to be used as a DAO data source.
o The program is simple to use. Just run it and forget about it, until you want to review your Internet usage.
WHERE TO DOWNLOAD

Author    : PJ Naughter
Copyright : PJ Naughter
Homepage  : http://www.naughter.com
URL       : http://www.naughter.com/download/rasman.zip
Size      : 49 KB as of January 01, 2001
Rel Date  : 8 May 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

This time I will feed you like a baby, because too many people ask how to find the location where the S/N can be fished. Here I will show you how I worked, so you can feel what is right and wrong (and the pain of pressing the F10 key) while debugging this program until you find a reliable location where the S/N is calculated and/or generated. Nothing is concealed here; assume both of us are walking in the dark.

1. Run RASMAN.EXE. In the registration dialog box type the information below:

      Name : Pirates Order
      Code : 73881050

   Do not click the OK button yet.

2. Load SoftIce by pressing [CTRL + D] and set a breakpoint as follows:

      BPX GetWindowTextA [enter]

   Press F5 to return to the main program.

3. Now click the OK button... you'll land back in SoftIce! Inside SoftIce press F11, F5, F11, then F12 11 times until you break at:
   ______________________________________________________________
   015F:6C386373 FF1594B5406C   CALL [USER32!GetWindowTextA]
   015F:6C386379 8D4518         LEA EAX,[EBP+18]
   015F:6C38637C 50             PUSH EAX
   015F:6C38637D 8D45E0         LEA EAX,[EBP-20]
   015F:6C386380 FF7510         PUSH DWORD PTR [EBP+10]
   015F:6C386383 50             PUSH EAX
   015F:6C386384 E803010000     CALL 6C38648C
   015F:6C386389 85C0           TEST EAX,EAX
   015F:6C38638B 0F84090B0500   JZ 6C3D6E9A
   ....
   ....
   _________________________ MFC42!.text+00015373 _______________

   Wait, wait a minute... you broke in MFC instead of RASMAN's main program code. That's not good, even though you can get the fake code and user name by pressing F10 2-4 times respectively. Press F12 4 times to reach RASMAN's main program code.

4.
If nothing goes wrong, you'll break and see the snippet below:
   _______________________________________________________________
   015F:0040CD25 E8F0080000     CALL 0040D61A          <== here
   015F:0040CD2A 85C0           TEST EAX,EAX
   015F:0040CD2C 7478           JZ 0040CDA6
   015F:0040CD2E 8B4660         MOV EAX,[ESI+60]
   015F:0040CD31 50             PUSH EAX
   015F:0040CD32 683C524100     PUSH 0041523C
   015F:0040CD37 68E8504100     PUSH 004150E8
   015F:0040CD3C E8CF47FFFF     CALL 00401510
   015F:0040CD41 8BC8           MOV ECX,EAX
   015F:0040CD43 81C1F4000000   ADD ECX,000000F4
   015F:0040CD49 E822B8FFFF     CALL 00408570
   015F:0040CD4E 8B4E64         MOV ECX,[ESI+64]
   015F:0040CD51 51             PUSH ECX
   015F:0040CD52 6830524100     PUSH 00415230
   015F:0040CD57 68E8504100     PUSH 004150E8
   015F:0040CD5C E8AF47FFFF     CALL 00401510
   015F:0040CD61 8BC8           MOV ECX,EAX
   015F:0040CD63 81C1F4000000   ADD ECX,000000F4
   015F:0040CD69 E8B2B7FFFF     CALL 00408520
   015F:0040CD6E E89D47FFFF     CALL 00401510
   015F:0040CD73 8BC8           MOV ECX,EAX
   015F:0040CD75 E8B66EFFFF     CALL 00403C30          ==> F8
   015F:0040CD7A 85C0           TEST EAX,EAX
   015F:0040CD7C 6AFF           PUSH FF
   ...
   _________________________ RASMAN!.text+BD6E ___________________

   Press F10 4 times - stop at 015F:0040CD31 - dump/display the EAX register:

      : d eax [enter]                  ==> user name at virtual 0167:0066076C

   Press F10 7 times - stop at 015F:0040CD4E - look at the Register Window... see that DS:0064F51C=046755DA ? Let's check what is inside:

      : ? 046755DA [enter]
      046755DA 0073881050 " gU "       ==> your fake code at virtual 0167:xxxxxxxxxxxx

   Press F10 again and stop at 015F:0040CD75 - follow this CALL by pressing the F8 key.

   Note: you can ignore my guidance by pressing F10 at 015F:0040CD75, and in the end you'll get the beggar-off message. However, you should try this until you feel and understand why.

5.
By following the above CALL, you'll see the snippet below:
   _______________________________________________________________
   015F:00403C30 6AFF               PUSH FF
   015F:00403C32 6880E04000         PUSH 0040E080
   015F:00403C37 64A100000000       MOV EAX,FS:[00000000]
   015F:00403C3D 50                 PUSH EAX
   015F:00403C3E 64892500000000     MOV FS:[00000000],ESP
   015F:00403C45 83EC14             SUB ESP,14
   015F:00403C48 56                 PUSH ESI
   015F:00403C49 68605B4100         PUSH 00415B60
   015F:00403C4E 8DB1F4000000       LEA ESI,[ECX+000000F4]
   015F:00403C54 683C524100         PUSH 0041523C
   015F:00403C59 8D44240C           LEA EAX,[ESP+0C]
   015F:00403C5D 68E8504100         PUSH 004150E8
   015F:00403C62 50                 PUSH EAX
   015F:00403C63 8BCE               MOV ECX,ESI
   015F:00403C65 E8A6470000         CALL 00408410
   015F:00403C6A 6834524100         PUSH 00415234
   015F:00403C6F 8D4C2408           LEA ECX,[ESP+08]
   015F:00403C73 C744242400000000   MOV DWORD PTR [ESP+24],00000000
   015F:00403C7B E8EC950000         CALL 0040D26C
   015F:00403C80 6A00               PUSH 00
   ... to be cont'd
   _________________________ RASMAN!.text+2C30 ___________________

6. Finally, after a long trace, you'll reach the snippet below:
   _______________________________________________________________
   cont'd....
   015F:00403C80 6A00               PUSH 00
   015F:00403C82 6830524100         PUSH 00415230
   015F:00403C87 68E8504100         PUSH 004150E8
   015F:00403C8C 8BCE               MOV ECX,ESI
   015F:00403C8E E81D470000         CALL 004083B0
   015F:00403C93 8D4C2408           LEA ECX,[ESP+08]
   015F:00403C97 8BF0               MOV ESI,EAX
   015F:00403C99 E832360000         CALL 004072D0
   015F:00403C9E 8B4C2404           MOV ECX,[ESP+04]
   015F:00403CA2 C644242001         MOV BYTE PTR [ESP+20],01
   015F:00403CA7 8B41F8             MOV EAX,[ECX-08]
   015F:00403CAA 8D4C2404           LEA ECX,[ESP+04]
   015F:00403CAE 50                 PUSH EAX
   015F:00403CAF 50                 PUSH EAX
   015F:00403CB0 E8B1950000         CALL 0040D266
   015F:00403CB5 50                 PUSH EAX
   015F:00403CB6 8D4C2410           LEA ECX,[ESP+10]
   015F:00403CBA E881360000         CALL 00407340          ****
   015F:00403CBF 33D2               XOR EDX,EDX
   015F:00403CC1 3BF0               CMP ESI,EAX            ==> ? EAX ; ? ESI
   015F:00403CC3 0F94C2             SETZ DL
   ...
   _________________________ RASMAN!.text+2CBA ___________________

   Press F10 once - stop at 015F:00403CC1 - check the EAX and ESI registers:
      : ?
esi
      046755DA 0073881050 " gU "       ==> your fake code
      : ? eax
      3DE3A6D0 1038329552 "=    "      ==> your potential red code. Write it down.

   NOTE: I HOPE THIS TUTE CAN ANSWER THE MOST 'FAQ':
   "HI ASTAGA... HOW DID YOU FIND, LOCATE THE MEMORY ADDRESS WHERE THE S/N CAN BE CAUGHT??"
   "WHAT / WHY SHOULD I DO A SEARCH STRING..."

   I remind you that tracing code (debugging) IS NOT A NICE JOB. As a matter of fact, it takes TIME and PATIENCE. If you read a tute and feel how easy it is to fish a S/N, it is because I (we) have traced the code for you. That's why I always include the memory location and hex code(s) in all my tutes. If you are a little bit trained you can do a search string for the CALL function near the classic CMP/JN/JNZ instructions, i.e. you can BPX at 015F:00403CBA, BUT by doing this little trick you just get the valid serial number, NOT how and where you did or should reach and find that suspicious location. By reading tutes and practising, you will build and develop your own feeling AND intuition (or maybe Zen) for the target program. Moreover, don't hesitate to dump and check every change that occurs in the Register Window.

7. Disable all breakpoints by typing BD * [enter]. Press F5 or X to return to the main program.

8. Repeat the registration procedure and key in 1038329552 as your S/N. Click the OK button..... there, you're registered.

9. Where the hell is my registration code stored?? The correct registration code is stored in the registry as follows:

      REGEDIT4

      [HKEY_LOCAL_MACHINE\Software\PJ Naughter\RasMan\General]
      "Name"="Pirates order"
      "ID"=dword:3de3a6d0

10. How can I practise with my own user name? - I strongly recommend you not to do this!

E N D   N O T E S

Distributing your serial number is illegal and is no different than distributing illegal copies of the registered software.
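From a defender's point of view the interesting spot in this trace is the CMP ESI,EAX at 015F:00403CC1: the program derives the valid code from the name and then compares it with what the user typed, so at the moment of the compare the valid value necessarily sits in a register. The Python below is an added example, written for this page and not ASTAGA's, PJ Naughter's, nor RasMan's actual algorithm; it contrasts that derive-and-compare shape with a check that verifies a public-key signature over the name, so the client never derives a valid code at all. The primes, exponent, salt and the sample name are constructed toy values, and the key size is far too small for real use.

```python
import hashlib

# Constructed toy parameters for a stand-alone demo: NOT RasMan's algorithm and
# NOT a real key size. A shipping product would use a vetted library with a
# 2048-bit RSA or Ed25519 key; the structure, not the numbers, is the point.
P, Q = 104729, 1299709          # two primes, constructed choice
N = P * Q
E = 65537                       # public exponent, shipped with the client
_PHI = (P - 1) * (Q - 1)
D = pow(E, -1, _PHI)            # private exponent: vendor side only, never shipped


def _name_digest(name: str) -> int:
    """Hash the licensee name to an integer in [0, N)."""
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


# --- Pattern 1: derive-and-compare, the shape implied by the traced CMP ESI,EAX ---
def weak_expected_code(name: str) -> int:
    """Client-side derivation of the 'right' code from the name alone
    (toy salted hash, constructed for this example)."""
    h = hashlib.sha256(("toy-salt:" + name).encode("utf-8")).digest()
    return int.from_bytes(h[:4], "big")


def weak_check(name: str, entered_code: int) -> bool:
    """Whatever the client can compute, a debugger can read at the compare:
    'expected' holds the valid code at the moment it is compared."""
    expected = weak_expected_code(name)
    return entered_code == expected


# --- Pattern 2: signature verification; the client holds only (N, E) ---
def vendor_issue_code(name: str) -> int:
    """Vendor side (not part of the client): sign the name digest with D."""
    return pow(_name_digest(name), D, N)


def signed_check(name: str, entered_code: int) -> bool:
    """Client side: verify with the public exponent only. No valid code is
    derived here, so a trace of this function reveals nothing beyond the
    public key and the user's own input."""
    if not 0 < entered_code < N:
        return False
    return pow(entered_code, E, N) == _name_digest(name)


if __name__ == "__main__":
    user = "Pirates Order"                       # constructed sample input
    issued = vendor_issue_code(user)             # happens at the vendor, not in the client
    print("weak   :", weak_check(user, weak_expected_code(user)))
    print("signed :", signed_check(user, issued), signed_check(user, issued + 1))
```

With the second pattern the only secret, D, never leaves the vendor, so single-stepping the client cannot surface a valid code the way the trace above does. What remains is the verdict itself (the SETZ DL after the compare), which is why binary integrity checking is a separate concern from key design.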
Violation of this rule may result in temporary or permanent revocation of this license and cancellation of the serial number; the original licensee will also be held responsible for damages, physical and estimated.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!!!!!!!!

( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex Editor, ripping off other group(s)' crack releases and repacking (distro) them under his name. Adopted from the newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):

   lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of self-conscious elitism that use of luser does among hackers.
   < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [D4C/C4A]
tute-rasman146.zip
[EOF]
1/2/01 4:33:58 PM