Hello all Crackers,

..::Calculici::..
FROM ONE NEWBIE TO ANOTHER
Tutor Nr. 10

Program: Advanced Office 97 Password Recovery (where: http://www.elcomsoft.com)
Protection: Serial
Level: Beginner
Tools:
  SoftICE 4.05
  Offset Converter 1.0
  CASPR v0.920
  HIEW 6
  LANGUAGE 2000
  UPX 1.01 (optional)
  Brain
  A cool drink.
E-mail: calculici83@yahoo.com

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of this material.

FIRST OF ALL

All the cracking tools you can get at http://protools.cjb.net. You will see some weird tools. Yes! I wanted to try some of the tools on that site, and the program was requested by a friend of mine, so I couldn't say no. Let me say that +DZA KRAKER made a very good tut about Advanced Zip Recovery Password and I recommend it. It is very good.

STARTING

I started the program and I saw that it was unregistered. I looked at Help/Enter Registration Code. I entered "12345", the window did a resizing and it gave the answer "Wrong Registration Code". At this time I thought that a disassembled file would be great but, !SURPRISE!, I couldn't disassemble it with W32DASM. No big problem. Me thinks it is compressed.

OK. Now comes the first new tool, LANGUAGE 2000. This program checks the header of EXE files and looks at whether the file is compressed. And what do you think happens if we open the file "ao97pr.exe"? It will say that it is made in Visual C++ and that it is packed with ASPack/ASProtect. Luckily we have the second tool, which is CASPR. This tool decompresses the file "ao97pr.exe". It is a command line tool, so you have to write like this:

    CASPR ao97pr.exe

This command will "spit out" a file called ao97pr.ex_, which is the file "ao97pr.exe" uncompressed.

Now for our good old SoftIce 4.05. Launch SoftIce, then open the program. Press the button to register the AO97PR program (Enter the registration code).
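The packer check above is the same kind of triage an analyst runs on any suspicious executable before deciding whether static disassembly will work: walk the PE headers, read the section table, and look for the signs of a packer (packer-named sections such as ASPack's .aspack, near-random code sections, and a large executable section that is empty on disk because the stub fills it at run time). The script below is an added example written for this page; it is not LANGUAGE 2000, CASPR or any code from the tutorial or from the program's vendor. It builds two constructed PE images in memory (a plain layout and an ASPack-style layout; the builder only produces headers and raw data, nothing that executes) and runs the heuristics over them. The packer section-name list and the 7.0-bit entropy threshold are assumptions chosen for illustration.

```python
import hashlib
import math
import struct

# Section flags from the PE specification (IMAGE_SCN_* in winnt.h).
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000

# Section names that well-known packers write (ASPack uses .aspack/.adata,
# UPX uses UPX0/UPX1). Illustrative list, not an exhaustive signature set.
PACKER_SECTION_NAMES = {".aspack", ".adata", "UPX0", "UPX1", "UPX2", ".upx"}

def shannon_entropy(buf):
    """Entropy in bits per byte (0.0 .. 8.0); compressed/encrypted data is near 8."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)

def parse_sections(image):
    """Follow DOS header -> PE signature -> COFF header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _, num_sections, _, _, _, size_of_optional, _ = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + size_of_optional
    sections = []
    for i in range(num_sections):
        (name, vsize, va, raw_size, raw_ptr, _, _, _, _, flags) = struct.unpack_from(
            "<8sIIIIIIHHI", image, table + 40 * i)
        raw = image[raw_ptr:raw_ptr + raw_size] if raw_size else b""
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii", "replace"),
            "virtual_size": vsize, "virtual_address": va, "raw_size": raw_size,
            "executable": bool(flags & IMAGE_SCN_MEM_EXECUTE),
            "writable": bool(flags & IMAGE_SCN_MEM_WRITE),
            "entropy": shannon_entropy(raw),
        })
    return sections

def assess(image):
    """Return (looks_packed, reasons) from the section-table heuristics."""
    reasons = []
    for s in parse_sections(image):
        if s["name"] in PACKER_SECTION_NAMES:
            reasons.append(f"section {s['name']!r} is a known packer section name")
        if s["executable"] and s["entropy"] > 7.0:
            reasons.append(f"executable section {s['name']!r} has entropy {s['entropy']:.2f}")
        if s["executable"] and s["writable"] and s["raw_size"] == 0 and s["virtual_size"]:
            reasons.append(f"section {s['name']!r} is empty on disk but writable+executable in memory")
    return bool(reasons), reasons

def build_pe(sections):
    """Build a minimal PE32 image (headers + section table + raw data) for the
    parser above. Constructed for this example; it holds no code and cannot run."""
    e_lfanew, size_of_optional, file_align = 0x40, 224, 0x200
    header_len = e_lfanew + 4 + 20 + size_of_optional + 40 * len(sections)
    raw_base = -(-header_len // file_align) * file_align
    dos = b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, size_of_optional, 0x0102)
    optional = struct.pack("<H", 0x10B) + b"\0" * (size_of_optional - 2)
    table, blobs, va = b"", b"", 0x1000
    for name, vsize, raw, flags in sections:
        padded = raw + b"\0" * (-len(raw) % file_align)
        raw_ptr = raw_base + len(blobs) if padded else 0
        table += struct.pack("<8sIIIIIIHHI", name.encode("ascii"), vsize, va,
                             len(padded), raw_ptr, 0, 0, 0, 0, flags)
        blobs += padded
        va += -(-max(vsize, len(padded)) // 0x1000) * 0x1000
    header = dos + b"PE\0\0" + coff + optional + table
    return header + b"\0" * (raw_base - len(header)) + blobs

def _pseudo_random(n, seed=b"constructed sample"):
    # Deterministic high-entropy filler standing in for packed code.
    out, h = b"", seed
    while len(out) < n:
        h = hashlib.sha256(h).digest()
        out += h
    return out[:n]

# Constructed samples: an ordinary build, and an ASPack-style layout with an
# empty .text that the stub fills at run time plus a high-entropy .aspack.
PLAIN_IMAGE = build_pe([
    (".text", 0x600, b"\x55\x8b\xec\x90\xc3" * 300, IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
    (".data", 0x200, b"Wrong Registration Code\0" * 20, IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
])
PACKED_IMAGE = build_pe([
    (".text", 0x20000, b"", IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE),
    (".aspack", 0x1000, _pseudo_random(4096), IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ),
])
```

Run `assess(PACKED_IMAGE)` and all three heuristics fire; `assess(PLAIN_IMAGE)` stays quiet because its code section is low-entropy and fully present on disk. On a real file, replace the constructed images with `open(path, "rb").read()`; a hit means a disassembler will only show the unpacking stub, which is exactly what the tutorial ran into with W32DASM.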
When you are in the Enter Registration Code box, enter "12345" as the registration code, then enter SoftIce by pressing CTRL+D. Here put a breakpoint on "hmemcpy". So type like this:

    bpx hmemcpy

After this leave SoftIce (pressing CTRL+D) and press the OK button in the Registration Code box. If all is well you should be back in SoftIce. In SoftIce press F12 9 times until you get here:

    xxxx:416D53 MOV EAX,[0058F004]
    xxxx:416D58 ADD EAX,00000200
    xxxx:416D5D PUSH EAX
    xxxx:416D5E CALL 00416ADC        <--This call is interesting
    xxxx:416D63 POP ECX
    xxxx:416D64 TEST EAX,EAX
    xxxx:416D66 JNZ 00416D72         <--Jump to good boy

Press F10 to trace the code and when you get to 416D5E press F8 to step into the call. Then trace the code by pressing F10 many times until you find yourself here:

    xxxx:416B1A PUSH EDX
    xxxx:416B1B CALL 00416A80        <--This is where the code is calculated
    xxxx:416B20 ADD ESP,08
    xxxx:416B23 TEST EAX,EAX
    xxxx:416B25 JZ 00416B2E          <--This jump is our target. Why? I will explain.
    xxxx:416B27 MOV EAX,00000001
    xxxx:416B2C JMP 00416B49

Now the explanation. First, at 416D64, if EAX=1 then it will jump to the good screen: "Thank you for registering!". Now look at 416B27. The line is: MOV EAX,1. So if the program goes over this and sets EAX=1 then it will be registered. OK. Remember 416B25. We have to change the JZ to a JNZ.

OK. Now launch Offset Converter and open the file "ao97cracked.exe" (this is the file "ao97pr.ex_" after you renamed it). Enter 416B25 in the Virtual Offset box. The program will give you the result: 16125. Remember this. Now launch Hiew and open the file "ao97cracked.exe". Press ENTER (twice) to get to the decode mode. Press F5 and enter 16125. You will land here:

    xxxx:416B25 JZ 00416B2E
    xxxx:416B27 MOV EAX,00000001
    xxxx:416B2C JMP 00416B49

Change the JZ to a JNZ. How? Simple: you have to change 7407 to 7507, so press F3 and enter 75. Easy, huh!!! Now launch the program again, not the original but the cracked one, I mean "ao97cracked.exe".
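The whole protection above collapses to one conditional jump, and the "crack" is a single byte (74 -> 75) at one file offset. From the vendor's or an incident responder's side, that is also the easiest kind of tampering to detect: the file no longer matches its published hash, and a byte-level comparison against a known-good copy pinpoints the change. The script below is an added example for this page, not code from the tutorial or from ElcomSoft. Its sample "file" is constructed: NOP filler with the three instructions the tutorial lists at 416B25 (JZ +7, MOV EAX,1, JMP +1Bh) placed at the file offset 16125 the tutorial reports; the opcode name table is a deliberately partial lookup used only to make the report readable.

```python
import hashlib
import hmac

# A few one-byte x86 opcodes a tamper report should name; partial table.
OPCODE_NAMES = {0x74: "JZ/JE short", 0x75: "JNZ/JNE short", 0xEB: "JMP short", 0x90: "NOP"}

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def verify_against_manifest(data, expected_hex):
    """True only if the file hashes to the published value (constant-time compare)."""
    return hmac.compare_digest(sha256_hex(data), expected_hex)

def diff_bytes(original, modified):
    """Every (offset, original_byte, modified_byte) that differs between two files."""
    changes = [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]
    if len(original) != len(modified):
        # Sizes differ: report the first offset past the shorter file with no bytes.
        changes.append((min(len(original), len(modified)), None, None))
    return changes

def describe_change(offset, a, b):
    """One human-readable line per changed byte, naming the opcodes where known."""
    if a is None or b is None:
        return f"0x{offset:X}: file length differs"
    return (f"0x{offset:X}: {a:02X} ({OPCODE_NAMES.get(a, 'unknown')}) -> "
            f"{b:02X} ({OPCODE_NAMES.get(b, 'unknown')})")

def tamper_report(original, modified, manifest_hex):
    """Lines an integrity check would log: hash verdict, then each changed byte."""
    verdict = "hash OK" if verify_against_manifest(modified, manifest_hex) else "hash MISMATCH"
    return [verdict] + [describe_change(*c) for c in diff_bytes(original, modified)]

# Constructed sample: NOP filler, with the three instructions the tutorial lists
# at 416B25 (JZ +7; MOV EAX,1; JMP +1Bh) placed at the file offset it reports.
PATCH_OFFSET = 0x16125
_buf = bytearray(b"\x90" * (PATCH_OFFSET + 0x20))
_buf[PATCH_OFFSET:PATCH_OFFSET + 9] = bytes.fromhex("7407b801000000eb1b")
ORIGINAL = bytes(_buf)
MANIFEST_SHA256 = sha256_hex(ORIGINAL)   # the value a vendor would publish
# The same file after the one-byte edit (JZ -> JNZ) described in the tutorial.
PATCHED = ORIGINAL[:PATCH_OFFSET] + b"\x75" + ORIGINAL[PATCH_OFFSET + 1:]

if __name__ == "__main__":
    print("\n".join(tamper_report(ORIGINAL, PATCHED, MANIFEST_SHA256)))
```

The report for the constructed pair is "hash MISMATCH" followed by "0x16125: 74 (JZ/JE short) -> 75 (JNZ/JNE short)". A single inverted conditional jump is the classic signature of a serial-check patch, which is why installers and update channels publish hashes or signatures and why a self-check in the program that only consults one in-memory flag offers no protection.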
Now if you want you could use UPX 1.01 to compress the exe, if you like.

FINAL WORDS

Hope you liked this tutorial. I know that there is an easier way around it, but I am going to leave it to the real crackers because I am only a newbie.

GREETS

+Dza Kraker (Regele Piratilor)  <--You showed me the way man
Xasx                            <--Thanx for publishing my tuts
My mom                          <--I will always love you
My girlfriend                   <--Oh, you are so far
My dad                          <--My dad is my tester
My colleagues                   <--I made some cracks for them
ENDer 2000                      <--The site where I release my cracks
TNT                             <--For it is a real pleasure to watch these guys and to be friends with them
tKC                             <--You got me hooked on this
Phrozen Crew                    <--You were the best
LaZaRuS                         <--He helped me too
Corneliu Vadim Tudor            <--Hope he won't be president in my country
All of you                      <--The ones who try doing something with their life
The rest                        <--Hope I didn't forget anyone

<<--Everything starts from a ZERO-->>

E-mail: calculici83@yahoo.com
Name: Calculici