//**cracking tut by alpine**//
//*****and******//
//**The Immortal Descendants**//

Greetings

Well, this is my first essay for the Immortal Descendants. I hope you will enjoy it. Our target today is the best drum machine on the web. It is called Drum Station and it is from D-Lusion.

You will need the following tools for our lesson:

drum-station   // download it from www.d-lusion.com, about 3 megs
wdasm/ida      // I hope you know where to get them
softice        // the same
winspect       // a good and always useful tool which shows the window
               // handle of every window. You will find it as a zip file
               // included with the Cracker's Notes. If you can't find it,
               // let me know.
hex editor     // or your editor of choice

---------------------------first step----------------------------------

Observing our target, we find several "protections". First of all, there is an annoying nag screen which pops up every two minutes and stays for about 20 seconds; during this time we can't use Drum Station. Then there is a REC button: clicking on it pops up the same nag screen, and of course the button's function is disabled. There is also a serial protection scheme, but I'm not going to deal with it in this lesson.

-------------------------second step-----------------------------------

Deleting the nag screen:

Fire up winspect.exe and you will see a small window. What we want is the window handle of the nag screen, so that we have something to breakpoint on. In winspect the first line shows "window handle"; this is the most important thing for us. Fire up Drum Station and wait till the timed nag screen has gone (we won't crack that one first). Now click on the REC button and the nag screen pops up. Move the mouse over the nag and winspect shows you its window handle. In my case it was &H840. Drop the &H, so my window handle is 840. Fire up SoftICE and do the following:

!!!You must fire up SoftICE while the nag screen is still active!!!
bmsg 840 wm_destroy

What does this command mean? I'm not going into detail, but here is a brief explanation: it says "break when the window with handle 840 receives WM_DESTROY", i.e. when the nag is destroyed. Leave SoftICE now and wait a bit. You will be kicked back into SoftICE. Now press F12 till you find yourself in 32-bit protected mode code; you should be in mfc42.dll, one line below the call to user32!DestroyWindow. Now press F10 till you are back in the main exe, called dt-010. When you look one line up you should find a call:

    :004078E7 C744247800000000  mov [esp+78], 00000000
    * Reference To: MFC42.Ordinal:09D2, Ord:09D2h
    |
    :004078EF E848330100        call 0041AC3C                 <-- our call
    :004078F4 8D442464          lea eax, dword ptr [esp+64]   <-- here we land
    :004078F8 C744246420DB4100  mov [esp+64], 0041DB20
    :00407900 89442400          mov dword ptr [esp], eax
    :00407904 8D4C2464          lea ecx, dword ptr [esp+64]
    :00407908 C744247802000000  mov [esp+78], 00000002

So the call at address 0137:004078EF triggers our nag screen when we press the REC button. Now go to wdasm, disassemble the exe and search for 004078EF. Get its file offset, which is 6CEF, and find that offset in your hex editor. The easiest way to crack it is to NOP the call out: the E8 call is five bytes long (E8 48 33 01 00), so overwrite all five bytes with 90 so that the following instruction stays aligned. Try it. Finished? Then run the target and press the REC button. Nothing happens? Good, we made it. That was the first nag.

Now we have to wait till the nag screen which is triggered every three minutes pops up. But wait, it doesn't pop up? Did we crack it at the same time? Let me see: the function containing the call we NOPped out is called from three places:

    * Referenced by a CALL at Addresses:
    |:00402DF2 , :00408067 , :0041071B   <-- these are the calls
    |
    :004078C0 6AFF              push FFFFFFFF
    :004078C2 68C8BD4100        push 0041BDC8
    :004078C7 64A100000000      mov eax, dword ptr fs:[00000000]
    :004078CD 50                push eax
    :004078CE 64892500000000    mov dword ptr fs:[00000000], esp
    :004078D5 83EC70            sub esp, 00000070
    :004078D8 6A00              push 00000000
    :004078DA 8D4C2408          lea ecx, dword ptr [esp+08]
    :004078DE E81D750000        call 0040EE00
    :004078E3 8D4C2404          lea ecx, dword ptr [esp+04]
    :004078E7 C744247800000000  mov [esp+78], 00000000
    * Reference To: MFC42.Ordinal:09D2, Ord:09D2h
    |
    :004078EF E848330100        call 0041AC3C

One of these callers is our nag from the REC button, another is the one which pops up every three minutes. Both paths go through the single call we NOPped at 004078EF, so we have cracked this nag screen.

-------------------------third step------------------------------------

We have to enable the REC button, so we can save our drum loops as a wav file. Set a breakpoint on 0137:004078EF; yes, that's the address we cracked before. Now press the REC button and you will be kicked back into SoftICE. You will find yourself at: lea eax, dword ptr [esp+64]. Trace further on (F10 until the function returns to its caller) till you reach 0137:00402DF7.

    :00402DE8 81FE201CB62E      cmp esi, 2EB61C20
    :00402DEE 740B              je 00402DFB              <-- notice the jump
    :00402DF0 8BCB              mov ecx, ebx
    :00402DF2 E8C94A0000        call 004078C0
    :00402DF7 6A00              push 00000000            <-- you should be here
    :00402DF9 EB20              jmp 00402E1B
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00402DEE(C)
    |
    :00402DFB 8B83341B0000      mov eax, dword ptr [ebx+00001B34]
    :00402E01 85C0              test eax, eax

You saw the conditional jump? Good, it checks whether our target is registered or not. If it isn't, esi and 2EB61C20 aren't equal, the jump is not taken, and the nag function at 004078C0 is called instead of the recording code at 00402DFB. So what we have to do is change the conditional jump into an unconditional one: the short je (74 0B) becomes a short jmp (EB 0B), the displacement byte stays the same, and we should be able to record. That's all....

Questions go to alpine@gmx.at

alpine

Thanks to the Immortal Descendants
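Added example, not part of alpine's tutorial and not D-Lusion's code: a small Python script that does the hex-editor work of the second and third steps in a repeatable way. It parses the PE section table to map the virtual addresses SoftICE and wdasm show (0x004078EF, 0x00402DEE) to file offsets, checks the opcode at each spot before touching it, then NOPs the 5-byte call and rewrites 74 (je) to EB (jmp). Because the real dt-010.exe is not on this page, the script builds a constructed stand-in image; its assumed layout (ImageBase 0x400000, .text at RVA 0x1000 from raw offset 0x400) is the usual linker default and is what makes 0x004078EF land at the 0x6CEF offset the tutorial reports. The resulting offset for the je, 0x21EE, follows from that assumption and is not stated on the page.

```python
import struct

# Constructed stand-in for dt-010.exe (NOT the real binary): a minimal PE32
# with one .text section. Assumption: ImageBase 0x400000, .text mapped at
# RVA 0x1000 from raw file offset 0x400, so VA 0x004078EF -> offset 0x6CEF.
IMAGE_BASE = 0x400000
TEXT_RVA = 0x1000
TEXT_RAW = 0x400
TEXT_SIZE = 0x8000

# Instruction bytes copied from the wdasm listings in the tutorial.
NAG_CALL_VA = 0x004078EF                      # call 0041AC3C
NAG_CALL_BYTES = bytes.fromhex("E848330100")
REG_JE_VA = 0x00402DEE                        # je 00402DFB
REG_JE_BYTES = bytes.fromhex("740B")


def build_fake_pe():
    """Return a bytearray holding the constructed PE32 image described above."""
    img = bytearray(TEXT_RAW + TEXT_SIZE)
    img[0:2] = b"MZ"
    e_lfanew = 0x80
    struct.pack_into("<I", img, 0x3C, e_lfanew)
    img[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    # COFF header: Machine=i386, NumberOfSections=1, SizeOfOptionalHeader=224
    struct.pack_into("<HHIIIHH", img, e_lfanew + 4, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = e_lfanew + 24
    struct.pack_into("<H", img, opt, 0x10B)             # PE32 magic
    struct.pack_into("<I", img, opt + 28, IMAGE_BASE)   # ImageBase field
    sec = opt + 224                                     # first section header
    img[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<IIII", img, sec + 8, TEXT_SIZE, TEXT_RVA, TEXT_SIZE, TEXT_RAW)
    # Place the two instructions the tutorial patches at their file offsets.
    for va, ins in ((NAG_CALL_VA, NAG_CALL_BYTES), (REG_JE_VA, REG_JE_BYTES)):
        off = TEXT_RAW + (va - IMAGE_BASE - TEXT_RVA)
        img[off:off + len(ins)] = ins
    return img


def read_sections(img):
    """Parse ImageBase and (name, rva, raw size, raw offset) per section."""
    e_lfanew = struct.unpack_from("<I", img, 0x3C)[0]
    if img[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", img, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", img, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", img, opt)[0] != 0x10B:
        raise ValueError("only PE32 is handled here")
    image_base = struct.unpack_from("<I", img, opt + 28)[0]
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + 40 * i
        name = img[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        _vsize, rva, rawsize, raw = struct.unpack_from("<IIII", img, hdr + 8)
        sections.append((name, rva, rawsize, raw))
    return image_base, sections


def va_to_offset(img, va):
    """Map a virtual address (as shown by SoftICE/wdasm) to a file offset."""
    image_base, sections = read_sections(img)
    rva = va - image_base
    for _name, sec_rva, rawsize, raw in sections:
        if sec_rva <= rva < sec_rva + rawsize:
            return raw + (rva - sec_rva)
    raise ValueError("VA %#x is not backed by any section's raw data" % va)


def nop_call(img, va):
    """Replace a 5-byte E8 rel32 call with five NOPs, checking the opcode first."""
    off = va_to_offset(img, va)
    if img[off] != 0xE8:
        raise ValueError("no E8 call at %#x (found %02X)" % (va, img[off]))
    img[off:off + 5] = b"\x90" * 5          # same length, next instruction stays aligned
    return off


def force_short_jump(img, va):
    """Turn a short conditional je (74 rel8) into an unconditional jmp (EB rel8)."""
    off = va_to_offset(img, va)
    if img[off] != 0x74:
        raise ValueError("no short je at %#x (found %02X)" % (va, img[off]))
    img[off] = 0xEB                          # displacement byte is left untouched
    return off


def apply_tutorial_patches(img):
    """Apply both patches from the tutorial; returns the file offsets touched."""
    return {"nag_call": nop_call(img, NAG_CALL_VA),
            "reg_check": force_short_jump(img, REG_JE_VA)}


if __name__ == "__main__":
    image = build_fake_pe()
    print({k: hex(v) for k, v in apply_tutorial_patches(image).items()})
```

To use it on a real file you would read the exe into a bytearray, call apply_tutorial_patches, and write it back out; the opcode checks are what keep a wrong offset or a different build of the program from being silently corrupted.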