*T*U*T*O*R*I*A*L*
~~~~~~~~~~~~~~~~~
By Northpole [CiA '99]
~~~~~~~~~~~~~~~~~~~~~~

Hiya. This is my first tutorial on cracking, I hope you will enjoy it.
Please don't mind the errors in my language, but I think you'll
understand (almost) everything...

-----------------------------------
Target program: IconPackager 0.98b
Get it from: www.stardock.com
Other things you need:
 * All standard cracker tools
 * Some good brains
Result: Keygen
-----------------------------------

OK, here we go. After you've installed the program, first take a look at it.
So fire up IconPackager (IP). You see a nag, which we want to remove, don't
we ? If you don't, go eat some cookies and delete this tutorial ;p

Next, we go looking in the About... menu, because that's most likely the
place to register the software, and... *BINGO* A Register button! Press it
and fill in some dummy name and code. I use "Northpole" as name and "123456"
as serial. Press OK, and you'll get a nice messagebox saying it's incorrect.
(We knew that, didn't we ?)

Time to crack the proggie. Launch W32Dasm and disassemble the program. Take
a look at the string references... Hmm, only "VB5!" and some other shit...
Uh oh, we were wrong, it's a VB proggie. There goes W32Dasm, let's open
SmartCheck (SC).

Run the program in SC, but disable Event Reporting first... We only need to
see what happens at the registration... When you get to the registration
part, enable Event Reporting again. Enter some dummy info, and press OK. My
dummy info was "Northpole" and "123456", I advise you to use it too so you
will have fewer problems following along... You'll notice that there is an
annoying timer, that's for the available memory. So when you get the
messagebox, disable Event Reporting again. Now you can easily look through
the code. Start at the bottom and scroll up until you see the MsgBox. Then
look at the lines above that one.

    txtName.Text
    txtNumber.Text
    txtName.Text
    Len(String:"Northpole") returns...
    Instr(long:1, VARIANT:VT_..., VARIANT:String:"-")
    + MsgBox(...)

(Note: if you don't see the arguments after the instructions, turn them on
in the View menu)

After that Instr, you get the msgbox... OK, we can suppose there has to be
a - in our serial... OK, let's try it again. Enter a serial with a -
somewhere in it. (Don't forget to enable Event Reporting again !)

    txtName.Text
    txtNumber.Text
    txtName.Text
    Len(String:"Northpole") returns...
    Instr(long:1, VARIANT:VT_..., VARIANT:String:"-")   ; We will pass it now
    txtName.Text
    txtNumber.Text
    Len(String:"123-456") returns...
    + MsgBox(...)

Hmm, now it seems the length of our serial is not good... Let's try
something else. Let's make it a little longer: "123-456789" for example.
Run it... AARGH! Errors! Acknowledge them, and your program will stop
running. OK, if you look through the code, you will find out that the
program will use "-489" for something and for that, it will convert "-" to
a number... That fails.

    + String("-") --> Integer - coercion fails

OK then, let's try a different place for the -, like in "12-3456789".
YES! This does work :)

    txtName.Text
    txtNumber.Text
    txtName.Text
    Len(String:"Northpole") returns...
    Instr(long:1, VARIANT:VT_..., VARIANT:String:"-")   ; We will pass it now
    txtName.Text
    txtNumber.Text
    Len(String:"123-456") returns...
    Mid(...)
    Right(...)
    IsNumeric("3489")...

Look what happens here: the program takes the 2 characters at positions
4 & 5 (that's the Mid) and the 2 last characters (that's the Right) and
combines them into one string, which has to be numeric... We can derive
some format of the key now: ??-##????##...

    Len(String:"12-456789")...
    Mid(...)
    Len(String:"Northpole")...
    Mid$(...)
    Asc(...)
    Mid$(...)
    Asc(...)
    Mid(...)
    (This block keeps repeating)
    Len(String:"567")...
    Mid$(String:"567"...)
    Asc(String:"5") returns Integer:53
    Mid$(String:"3489"...)
    String("3") --> Integer(3)
    Chr$(Integer:50)
    Len(String:"567")...
    Mid$(String:"567"...)
    Asc(String:"6") returns Integer:54
    Mid$(String:"3489"...)
    String("4") --> Integer(4)
    Chr$(Integer:50)
    Len(String:"567")...
    Mid$(String:"567"...)
    Asc(String:"7") returns Integer:55
    Mid$(String:"3489"...)
    String("8") --> Integer(8)
    Chr$(Integer:47)
    + MsgBox(...)

Hmm.. take a close look at that... It takes the ASCII value of every
character x in "12-34xxx89"... Then it takes the real value of each
character in "3489" (that was numeric, you remember ?) And then it
generates a character with some value... I don't know if you noticed it,
but (and this is the clue) that 'some value' is a subtraction: the ASCII
value minus the real value...

Now we only have one more problem: how come there is a MsgBox ? What is
invalid about our serial ? Let's think again... We suppose that those
characters generated with Chr$() would be wrong. But what would be the
correct value ? Now, we're gonna guess: since we saw no other operations
on our name, could it be the characters of our name ?
<= believe me, it is :))

But, then we're done for this part. Now we can make it easy for ourselves:
since the program takes the value of that combined string ("3478") to
subtract, it means that if we make that string "0000" nothing will be
subtracted... (you got it ?) And our name will be in the serial
unchanged... Let's try it: since we don't know anything about the first 2
characters, make them "12". Now we get (for "Northpole"):
"12-00Northpole00" as serial... Heh, try it out, you'll see it works..
You can change the first two characters, it will stay registered.

And I suppose it won't be hard to write a keygen now, eh ? Hehe... Do you
also think it's a pretty lame protection ?

(note: that whole block of Mid / Asc functions on our name probably checks
and filters out spaces and other special characters...)

OK, that's it !

Cya!
Northpole
CiA (Crackers In Actions) '99

Greetz go to:
 * the whole CiA crew
 * everybody in #c.i.a
 * PeeWee
 * Natazzz (yep, you're right, C-Dance rulezzz :)
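
The check traced above is weak because every step of it can be reproduced from what the tracer shows. For contrast, here is an added example (not part of the original tutorial and not Stardock's code) of a check where the shipped program only verifies a vendor signature over the name. The toy RSA parameters and all function names are assumptions, chosen so it runs on the Python standard library alone (Python 3.8+).

```python
"""Added example: licence check where the shipped client holds no signing secret."""
import hashlib

# Toy RSA parameters (assumption, illustration only): two Mersenne primes.
# They are far too small and too structured for real use; a product would
# use a vetted signature library with a properly generated key.
P, Q = 2**107 - 1, 2**127 - 1
N, E = P * Q, 65537                    # public key: the only part shipped
D = pow(E, -1, (P - 1) * (Q - 1))      # private exponent: vendor side only


def _digest(name: str) -> int:
    """Hash the normalised name to an integer below N."""
    h = hashlib.sha256(name.strip().lower().encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N


def issue_serial(name: str) -> str:
    """Vendor side: sign the name digest with the private exponent."""
    return format(pow(_digest(name), D, N), "x")


def verify_serial(name: str, serial: str) -> bool:
    """Client side: uses only (N, E). Tracing every call made here shows
    how a serial is checked, but not how to produce one for another name."""
    try:
        sig = int(serial, 16)
    except ValueError:
        return False                   # not hex, e.g. a name pasted into the serial
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(name)


if __name__ == "__main__":
    serial = issue_serial("Northpole")  # constructed sample name
    print(serial, verify_serial("Northpole", serial))
```

In a real deployment `D` and `issue_serial` would live only on the vendor's side; they sit in the same file here so the example runs stand-alone.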