iNTROdUCTION :
Hi there and welcome to another tutorial...
You know, sometimes you like to go back to the old stuff in your life and remember how it used to be; I think it is cool. That is what I felt today when I cracked this program: it is probably the first time I have used win32dasm after 3 months of not using it, and after I cracked it I felt that I should write a tutorial about this program to show you that no matter how good you are at cracking, sometimes you return to your early beginnings...
pROTEcTION :
O.k., this program needs a registration code to register it, so let's find this code...

O.k., install the program; before you continue the setup it will run... (damn!! that is fast!!)... As you can see it needs a registration code, so let's enter a dummy code. In my case I typed this:
Registration Code : 1234567890
Now press the O.K. button and our error message will appear, saying "Sorry, blah blah blah". O.k., now copy the exe file to the win32dasm dir, disassemble it, and look for our error message in the string data references. When you find it, click on it and scroll up a little; you will see this code:
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004766AA(C)                          <-- this is where the jump to the error comes from
:00476723 6A10                  push 00000010          <-- 10h = MB_ICONERROR, the message box flag
* Possible StringData Ref from Code Obj ->"Error"
:00476725 B99C674700            mov ecx, 0047679C
* Possible StringData Ref from Code Obj ->"Sorry, this registration code "
                                        ->"is invalid."
:0047672A BAA4674700            mov edx, 004767A4
:0047672F A110B14700            mov eax, dword ptr [0047B110]
:00476734 8B00                  mov eax, dword ptr [eax]
O.k., we now go to the address 004766AA: click on Search/Find Text and enter the address. After win32dasm finds it, scroll up a little and you will see this code:
:004766A1 33C0                  xor eax, eax           <-- eax = 0 before the call
:004766A3 E858FEFFFF            call 00476500          <-- our check procedure
:004766A8 84C0                  test al, al            <-- the result comes back in al (zero = bad code)
:004766AA 7477                  je 00476723            <-- je = jump if al is zero, i.e. bad code -> error message
O.k., cool!! I think we have taken everything we need from win32dasm; it is now time to switch to SoftICE, set a breakpoint on 004766A3 and see what is going on inside the call...
So run the program and enter any registration code you like, but before you click the O.K. button set a breakpoint like this one:
bpx hmemcpy
(hmemcpy is the Windows 9x kernel routine that copies the text out of the edit box, which is why it is such a handy place to break; it does not exist on NT-based Windows, so there you would break on GetDlgItemTextA or GetWindowTextA instead.)
Now press F5 and then click the O.K. button. SoftICE will break; press F11, then press F12 11 times, then clear all the breakpoints (bc *) and set a breakpoint like this one:
bpx 004766A3
Then press F5 to leave SoftICE... but SoftICE will break again, and now you are at the call. Press F8 to step into the call, and once you are inside trace with F10 until you reach this code:
:004765D5 E86AD8F8FF            call 00403E44          <-- gets the length of our code and puts it in eax
:004765DA 83F80C                cmp eax, 0000000C      <-- compare the length with 0Ch = 12
:004765DD 7C43                  jl 00476622            <-- if less than 12 then error
:004765DF 8B07                  mov eax, dword ptr [edi] <-- eax points to our code
:004765E1 803839                cmp byte ptr [eax], 39 <-- check if 1st char is 39h = "9"
:004765E4 753C                  jne 00476622           <-- if not then error
:004765E6 8B07                  mov eax, dword ptr [edi]
:004765E8 80780131              cmp byte ptr [eax+01], 31 <-- check if 2nd char is 31h = "1"
:004765EC 7534                  jne 00476622           <-- if not then error
:004765EE 8B07                  mov eax, dword ptr [edi]
:004765F0 80780230              cmp byte ptr [eax+02], 30 <-- check if 3rd char is 30h = "0"
:004765F4 752C                  jne 00476622           <-- if not then error
:004765F6 8B07                  mov eax, dword ptr [edi]
:004765F8 80780332              cmp byte ptr [eax+03], 32 <-- check if 4th char is 32h = "2"
:004765FC 7524                  jne 00476622           <-- if not then error
:004765FE 8B07                  mov eax, dword ptr [edi]
:00476600 80780437              cmp byte ptr [eax+04], 37 <-- check if 5th char is 37h = "7"
:00476604 751C                  jne 00476622           <-- if not then error
:00476606 8B07                  mov eax, dword ptr [edi]
:00476608 80780950              cmp byte ptr [eax+09], 50 <-- check if 10th char is 50h = "P"
:0047660C 7514                  jne 00476622           <-- if not then error
:0047660E 8B07                  mov eax, dword ptr [edi]
:00476610 80780A50              cmp byte ptr [eax+0A], 50 <-- check if 11th char is 50h = "P"
:00476614 750C                  jne 00476622           <-- if not then error
:00476616 8B07                  mov eax, dword ptr [edi]
:00476618 80780B4C              cmp byte ptr [eax+0B], 4C <-- check if 12th char is 4Ch = "L"
:0047661C 7504                  jne 00476622           <-- if not then error
:0047661E B301                  mov bl, 01             <-- all checks passed: result = 1 (good code)
:00476620 EB07                  jmp 00476629
O.k.!!! Here is all the ASM in English!!
First it gets the length of our registration code and makes sure that it is not less than 12 (a longer code is fine, only the first 12 characters are ever looked at). Then it takes the first character and checks that it is "9", then the 2nd must be "1", the 3rd "0", the 4th "2" and the 5th "7". Then it skips to the 10th, 11th and 12th characters and checks that they are "P", "P" and "L" respectively... and of course what you put in the places of the other characters is up to you. So here it is again:
Our valid registration code must have this form:
9 1 0 2 7 X X X X P P L X
Now the last thing to do is to use your imagination to fill in anything for the X's to get a valid registration code (or you can just leave the X's as they are), so let's try it and...

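As an added example (this is not code from the tutorial or from the program itself), here is the check procedure traced above re-implemented in Python. The byte offsets, the expected values and the minimum length are copied straight from the disassembly; the function and constant names, the filler characters and the sample codes are my own:

```python
"""Re-implementation of the registration-code check at 004765D5..00476620.

Added example, not the program's own code.  Offsets and values come from
the 'cmp byte ptr [eax+N], XX' lines in the tutorial; the names below are
made up for illustration.
"""

# (offset, expected byte) pairs, in the order the routine tests them.
REQUIRED_BYTES = (
    (0x00, 0x39),  # '9'
    (0x01, 0x31),  # '1'
    (0x02, 0x30),  # '0'
    (0x03, 0x32),  # '2'
    (0x04, 0x37),  # '7'
    (0x09, 0x50),  # 'P'
    (0x0A, 0x50),  # 'P'
    (0x0B, 0x4C),  # 'L'
)

MIN_LENGTH = 0x0C  # cmp eax, 0000000C / jl 00476622 -> error if shorter


def check_code(code) -> bool:
    """Return True where the routine does 'mov bl, 01', False where it jumps to 00476622.

    Accepts str or bytes.  The routine compares single bytes, so a str is
    converted to its 8-bit (ANSI-style) form first.
    """
    data = code if isinstance(code, bytes) else code.encode("latin-1", errors="replace")
    if len(data) < MIN_LENGTH:          # jl 00476622
        return False
    for offset, expected in REQUIRED_BYTES:
        if data[offset] != expected:    # jne 00476622
            return False
    return True                         # mov bl, 01


def make_code(filler: str = "XXXX", tail: str = "") -> str:
    """Build a code of the form 91027????PPL: 'filler' goes in the four unchecked
    positions 5..8, 'tail' is optional extra text after the 12th character."""
    if len(filler) != 4:
        raise ValueError("exactly four free characters go at offsets 5..8")
    return "91027" + filler + "PPL" + tail


if __name__ == "__main__":
    # Constructed sample inputs: the tutorial's dummy code and a few generated ones.
    for sample in ("1234567890", "91027XXXXPPL", make_code("1234"), make_code("ABCD", "-extra")):
        print(f"{sample!r:24} -> {'valid' if check_code(sample) else 'invalid'}")
```

The check only ever reads offsets 0..4 and 9..11, so anything can sit in the four middle positions and anything may follow the 12th character; that is exactly why the tutorial's template shows a trailing X.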
tKC ... (for showing me the light !! )
LW2000 ... ( Thanks a lot, I now use my brain )
[XasX] ... (a very good founder and a very good friend also!)
AzmO ... (yes!! man we are different !! )
Sir dReAm ... (where the FUCK! r ya ? )
ASTAGA ... (i don't mind if u comment this tutorial)
BoneZ ... (thanks a lot for the support !!)
BillGameZ, VaibLitzeR, MezUz , and ShaQ ... (good luck to u all !! )
and to all TNT!CRACK!TEAM! members ... (keep up the good work !!)
any comments mail me : fatzbit@linuxmail.org
See ya in another tut !!! Soon !!!
--= EOF =--