The Font Creator Program v2.2
GIVE ME UR CRACK ... MAKE IT REAL ... OR ELSE FORGET ABOUT IT !!!
Part (2)
Best view 1024 X 768
by FaT[BiT] \ TNT!
Cracking For Beginners
 
Program Info
Program Name : fcp2.exe
Program Type : Font Util.
Program Location : http://www.high-logic.com
Program Size : 1.13MB
 
ToolZ :
SoftIce v4.05
W32Dasm v8.93
R!SC's Process Patcher v1.5
Easy (  ) Medium ( X ) Hard (  ) Pro (  )


THE FONT CREATOR PROGRAM v2.2
Cracked and Written by : FaT[BiT] \ TNT!
Tutorial No. : 11


Dedication Fly To :

To My BEST FRIENDs EVER !!
-- [XasX] --
-- Sir dReAm --
-- MazM --
-- Jorge --

Introduction & Protection

HI THERE !!
PLEASE EXCUSE MY POOR ENGLISH !!!
THIS IS _ONLY_ FOR NEWBIES

heya ! i'm back with part 2 of this tutorial , for those who read part 1 i say thank you , they know what this tutorial is all about , but for those who are reading this and didn't read part 1 , stick around .......

o.k our target is the font creator program , as usual this prog needs a Name and a Registration Password , and the name of the company (but this is optional) , what we're gonna do here is first find the serial for our name , then we will patch the exe file to turn this program into a keymaker instead of tracing the code.......

so...let's begin

The Essay

O.k ... Let's Find our serial First !!!

o.k install the font creator program , run it , you will be hit with a nag , the start button is still Disabled but the register button is enabled , let's click it !! , o.k ... a name , a registration password and the company name , let's enter our info , in my case :

Name : FaT[BiT] \ TNT!
Company : TNT!CRACK!TEAM!
Registration Password : 010 010 010 010

now click on the register button , and there you go :

Registration failed: Invalid Password

Now ... remember this message cuz we will need it in a while !! , now copy the file fcp2.exe to the W32Dasm dir and disassemble it !! , once it is finished look for the error message string , double click on it and scroll up a little bit and you should see something like this :


* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B7557(C)<-- we go here !!!

:004B75AF 6A00              push 00000000
:004B75B1 668B0D24764B00    mov cx, word ptr [004B7624]
:004B75B8 B201              mov dl, 01

* Possible StringData Ref from Code Obj ->"Registration failed: Invalid Password"

:004B75BA B86C764B00        mov eax, 004B766C
:004B75BF E83C23FAFF        call 00459900
:004B75C4 8B45FC            mov eax, dword ptr [ebp-04]


As always this code has been called from another location , and this time it is at address 004B7557 , so let's find this location : click on Search\Find Text and enter this address , when you get there scroll up a little bit !! to see something like this :


:004B7546 8B45F8            mov eax, dword ptr [ebp-08]
:004B7549 E8A614F5FF        call 004089F4
:004B754E 8B55D4            mov edx, dword ptr [ebp-2C]
:004B7551 58                pop eax
:004B7552 E89DCBF4FF        call 004040F4
:004B7557 7556              jne 004B75AF <-- BadBoy Jump
:004B7559 8D55D0            lea edx, dword ptr [ebp-30]
:004B755C 8B45FC            mov eax, dword ptr [ebp-04]

...

:004B7594 B202              mov dl, 02

* Possible StringData Ref from Code Obj ->"Thank you for registering the "
                                        ->"Font Creator Program."

:004B7596 B830764B00        mov eax, 004B7630
:004B759B E86023FAFF        call 00459900

...

* Possible StringData Ref from Code Obj ->"Registration failed: Invalid Password"

:004B75BA B86C764B00        mov eax, 004B766C
:004B75BF E83C23FAFF        call 00459900
:004B75C4 8B45FC            mov eax, dword ptr [ebp-04]


To me i think it is clear , what about you !!! , o.k let me explain !! , the jne at address 004B7557 is our badboy jump , now we could patch this jump ... but before we do (or you do !!) , we don't know yet if our serial will be put in the registry so that the prog checks it every time it starts , and if it does , then we will have to find where that check is . by the way if you want to patch it , you have to NOP it ... then enter any serial and it'll say thanx for registering.. but run it again .... hmmm !!! the nag screen is still there , so let's forget about this patch.. and think of something else ... and since i have skool tomorrow ... i will tell you when i get back ..... cya

o.k back from skool , let's continue with this ... now we don't want to patch the code , we want to find the serial for our name , i think this is better , so let's take a look at the code before the jump , here it is again so you don't have to scroll up , i know you're hardly reading this ... so here you go your Majesty .... :P ....


:004B7546 8B45F8            mov eax, dword ptr [ebp-08]
:004B7549 E8A614F5FF        call 004089F4
:004B754E 8B55D4            mov edx, dword ptr [ebp-2C]
:004B7551 58                pop eax <-- set a bpx here
:004B7552 E89DCBF4FF        call 004040F4
:004B7557 7556              jne 004B75AF <-- BadBoy Jump
:004B7559 8D55D0            lea edx, dword ptr [ebp-30]
:004B755C 8B45FC            mov eax, dword ptr [ebp-04]


o.k ... you may wonder now why we set a breakpoint at 004B7551 , well to tell you the truth , any call needs a parameter to work with , and since the jump after the call is our bad boy jump , this call is surely gonna check our serial , right !! so we set a breakpoint just before it to see what is in eax , but i know a lot of you might say now how do i set a breakpoint on this address , and again i say it is easy .....

now run the font creator program and click on register , enter your info , now before you click on Register , press [Ctrl]+d to get into SoftIce and set a breakpoint like this one :

bpx hmemcpy

then press F5 to get out of SoftIce , now click on register and SoftIce will break , now press F11 one time , then press F12 7 times , now do a bc * (clear all breakpoints) , then set a breakpoint on 004B7551 by writing bpx 004B7551 , now press F5 , SoftIce will break again , press F10 once , then write d eax to see what is in it and there you go , this looks like a serial , in my case it was :

H4A674561980

Write down this number , clear all breakpoints and let's try it , and !!! yes , Font Creator Program is Registered .....
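Why did one breakpoint before call 004040F4 hand over the serial ? because the program computes the valid password itself and then compares it to what we typed , so the valid value has to sit in a register right before the compare . The block below is an added example , not code from the tutorial or from the Font Creator Program : it models that weak compute-and-compare design next to a signature-based check that never produces the valid password inside the program . Both serial schemes are constructed for illustration (the real fcp2.exe algorithm is not shown here) , and the RSA part is a toy with textbook parameters , not something to ship .

```python
# Added example, not code from the tutorial or from the Font Creator Program:
# a model of the registration check defeated above, next to a design that does
# not expose the valid password. Both serial schemes are constructed for
# illustration; the real fcp2.exe algorithm is not shown in the tutorial.
import hashlib
import hmac


# --- Weak design: compute the expected password, then compare ---------------
def expected_serial(name: str) -> str:
    # Constructed placeholder algorithm (NOT the real one): the point is only
    # that the shipped program itself can produce the valid string for any name.
    digest = hashlib.sha256(name.encode("utf-8")).hexdigest().upper()
    return "H" + digest[:11]


def weak_check(name: str, entered: str) -> bool:
    # The valid password now sits in memory, exactly like eax at 004B7551
    # right before the compare call at 004B7552: one breakpoint reads it out.
    expected = expected_serial(name)
    return hmac.compare_digest(expected.encode(), entered.encode())


# --- Hardened design: verify a signature, never compute a valid password -----
# Toy textbook RSA (two Mersenne primes, no padding); a real product would use a
# proper library and padding scheme. Only the PUBLIC values (E, N) ship in the exe.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q
E = 65537
_D = pow(E, -1, (P - 1) * (Q - 1))     # private exponent: stays with the vendor


def _name_digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode("utf-8")).digest(), "big") % N


def vendor_sign(name: str) -> str:
    """Issues a password for a name; runs only on the vendor's side (needs _D)."""
    return format(pow(_name_digest(name), _D, N), "x")


def signed_check(name: str, entered: str) -> bool:
    """What the shipped program does: it holds no valid password, only a verifier."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _name_digest(name)


if __name__ == "__main__":
    name = "FaT[BiT] \\ TNT!"
    print(weak_check(name, expected_serial(name)))   # True, and the value was in memory
    password = vendor_sign(name)                     # vendor side only
    print(signed_check(name, password))              # True: verified, never computed
    print(signed_check("someone else", password))    # False: bound to the name
```

With signed_check a breakpoint before the compare only shows two hashes , neither of which lets anyone produce a password for another name , so the "read it out of eax" route and the keymaker-by-patching route below both disappear . What stays is the first idea from the tutorial , patching the jump itself , which is a code-integrity problem and not something a verifier alone can fix .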

for those who are reading this tutorial to find a serial for their name i'd like to say thanx a lot for reading , but for those who want more , stick around to see how we can patch the exe file to make it a keygen ...... stick around ....

The Making of a KEYGEN by PATCHING the CODE

Now maybe some of you have read a tutorial on how to make a keygen , you know it'll show you how the code is calculated and then code it in Delphi , VB or C++ , but in this tutorial , just like part 1 , we will not code or trace how the serial is calculated , some of you might like to do this , but to save time i'd rather not , so if you want to continue reading you are welcome , and if you don't wanna , then thank you for reading this far ......

o.k ....
so we know now where our code is and we also know where it jumps , so ... what we want to do here is make the exe point to our serial instead of pointing to the error message string ... so like before ... enter your info , and before you click on register set a breakpoint on hmemcpy , now click on register , press F11 then F12 (7 times) , then set a breakpoint on 004B7551 and leave SoftIce ... SoftIce will break again , now let's start the trace , press F10 then write d eax , our serial is there , press F10 again , we are at the call , once again we press F10 and we are at the jump , let's jump it .....


:004B75AF 6A00            push 00000000 <-- we land here after we make the jump
:004B75B1 668B0D24764B00  mov cx, word ptr [004B7624]
:004B75B8 B201            mov dl, 01
:004B75BA B86C764B00      mov eax, 004B766C <-- Eax point to our error string
:004B75BF E83C23FAFF      call 00459900 <-- Call our error message


hehehehehe ..... Sorry but i don't know y !!! i'm ... never mind !!! back to the tutorial !!!

o.k dudes i think the end of this programm is near !!! don't you think !!!
o.k now the call at address 004B75BF calls our error message with eax pointing to our error string , now before we made this jump and got to this code , we saw eax holding our serial at address 004B7551 (pop eax) , but the call after it changed the value of eax ......... i hope you got the picture !!!

Now what we have to do is NOP the call at address 004B7552 , then always make the jump to the error message by changing the jne to jmp , then at address 004B75BA we also NOP the mov command so that the value of eax will not change , and then the prog will make the call to our error message but with our serial in eax , not our error string !! GET IT !!

Ahh but there is one problem here (if what you said is true !!) , that after the message appears with our serial , and we write it down , then we enter it correctly , the prog will still go to the error message right ..... !!!

ahhh got it , we can make a loader to load the program and patch it in memory right !!! , then we fill in our info , click on register , we'll see our correct Registration Password in the error message , we write it down , then we exit the program and run it WITHOUT the loader , click on register , enter our info and our correct Registration Password and it's registered

The Loader

Now ... there is a very wonderful tool for making a loader , i think that you already have it !! , yes ! it is R!SC's Process Patcher , now for those of you who know how to write a loader using this tool (i.e. a script) you can go ahead and write it (i.e. you now know where to patch !!) , but for those who don't know how to code a script stick around ....

o.k make a new text document , name it whatever you like but with the extension .rpp , then open it and write it down like this , i will explain later why i did it this way :


;TNT!CRACK!TEAM!
O=tnt_fcp.exe: ; <-- Name of the output file
F=fcp2.exe: ; <-- Name of the original file (the one we disassembled)
;
P=4B7557/75/EB: ; <-- The jump at address 004B7557 , we patch it to always jump
;
P=4B7556/FF/90: ;
P=4B7555/F4/90: ;
P=4B7554/CB/90: ;
P=4B7553/9D/90: ;
P=4B7552/E8/90: ; <-- The call at address 004B7552 , we NOP it so eax won't change its value
;
P=4B75BE/00/90: ;
P=4B75BD/4B/90: ;
P=4B75BC/76/90: ;
P=4B75BB/6C/90: ;
P=4B75BA/B8/90: ; <-- The mov command at address 004B75BA , we also NOP it so eax keeps our correct serial instead of being loaded with the error string
;
;R!SC thanx a million for this great tool !!!!
;
$


There you go !!! but i know some of you have questions !!!

Now i think that some of you is thinking like this , we need to NOP the call at address 004B7552 , but what about these other address that you have put in the loader !!! , and from where did you get them ????????

hmm ... Kool Q
o.k we need to NOP the call at address 004B7552 right !! now the bytes for it in machine language are E8 9D CB F4 FF , and the address 004B7552 only holds the E8 , the 9D belongs to address 004B7553 and so on for the rest of the command ... now if we start to patch from address 004B7552 the loader will patch it right , but that will affect the rest of the command , and when it comes to the next byte it will not be what we told the loader , so to avoid this problem we patch in reverse , and this is what i have done : we first NOP the operand the call uses , then we NOP the call command itself , and since the jump command comes after the call , we can start from there and work our way up ... this also goes for the mov command at address 004B75BA , we first NOP the operand of the command then we NOP the command itself (but y ??)

ohhh you and your questions !!! :)
o.k ... let me show you something and learn from it like i did !! , open fcp2.exe with HIEW and go to address 004B7552 , now place the cursor on the first byte which is E8 , press F3 , then write 90 , did you see what happened ? the rest of the command is no longer there !! , it has changed to something else !! , now press Esc , and go to the last byte of the call command which is FF and press F3 , now write 90 , kool the command is still there , it has not changed , (y ?) cuz we are now only changing the parameter of the call not the command itself !!! .... i hope you got the picture , cuz i don't know any other way to explain it more than this !!!
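What HIEW showed there is how a linear-sweep disassembler reads x86 : E8 is the opcode of call and the next four bytes are only its signed 32-bit displacement (target = address of the next instruction + displacement) , so touching the displacement still leaves a call , while replacing the E8 makes the four operand bytes get read as opcodes of their own . The block below is an added example , not code from the tutorial or from any of the tools it names : a tiny decoder that handles just the opcodes on this page , fed the seven bytes from 004B7552 exactly as the listing prints them , and then the two HIEW experiments plus the loader's end result for that site . The decoder is a toy that knows nothing beyond those opcodes .

```python
# Added example, not from the tutorial or its tools: a toy linear-sweep decoder
# for the few opcodes on this page, used to show what HIEW displayed at 004B7552.
import struct

# Bytes at 004B7552 as W32Dasm lists them: E8 9D CB F4 FF (call 004040F4)
# followed by 75 56 (jne 004B75AF).
LISTING = bytes.fromhex("E89DCBF4FF7556")
BASE = 0x004B7552

# Single-byte opcodes: the ones in the listing plus what the call's operand
# bytes turn into once the E8 in front of them is gone.
ONE_BYTE = {0x58: "pop eax", 0x90: "nop", 0x9D: "pushfd", 0xCB: "retf", 0xF4: "hlt"}


def decode_one(code: bytes, pos: int, va: int):
    """Decode the instruction at code[pos], located at virtual address va.
    Returns (text, length). Relative targets are next-instruction + displacement."""
    op = code[pos]
    if op in ONE_BYTE:
        return ONE_BYTE[op], 1
    if op == 0xE8:                                   # call rel32
        rel = struct.unpack_from("<i", code, pos + 1)[0]
        return f"call {(va + 5 + rel) & 0xFFFFFFFF:08X}", 5
    if op == 0x75:                                   # jne rel8
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        return f"jne {(va + 2 + rel) & 0xFFFFFFFF:08X}", 2
    if op == 0xEB:                                   # jmp rel8 (the loader's 75 -> EB)
        rel = struct.unpack_from("<b", code, pos + 1)[0]
        return f"jmp {(va + 2 + rel) & 0xFFFFFFFF:08X}", 2
    if op == 0xB8:                                   # mov eax, imm32
        imm = struct.unpack_from("<I", code, pos + 1)[0]
        return f"mov eax, {imm:08X}", 5
    if op == 0xFF and pos + 2 < len(code) and code[pos + 1] == 0x75:
        # FF /6 with modrm 75 = push dword ptr [ebp+disp8]: what the stray FF
        # swallows when it is read as an opcode (it eats the jne's 75 56).
        disp = struct.unpack_from("<b", code, pos + 2)[0]
        return f"push dword ptr [ebp{disp:+02X}]", 3
    return f"db {op:02X}", 1                         # not known to this toy


def disassemble(code: bytes, base: int):
    """Linear sweep from the first byte, the way HIEW shows a region."""
    out, pos = [], 0
    while pos < len(code):
        text, n = decode_one(code, pos, base + pos)
        out.append(f"{base + pos:08X} {text}")
        pos += n
    return out


def patched(code: bytes, changes: dict) -> bytes:
    """Copy of code with {offset: new_byte} applied, like the script's P= lines."""
    buf = bytearray(code)
    for off, val in changes.items():
        buf[off] = val
    return bytes(buf)


if __name__ == "__main__":
    print("\n".join(disassemble(LISTING, BASE)))
    print("-- HIEW experiment 1: E8 replaced first, the operand bytes become opcodes")
    print("\n".join(disassemble(patched(LISTING, {0: 0x90}), BASE)))
    print("-- HIEW experiment 2: only the last operand byte FF replaced, still a call")
    print("\n".join(disassemble(patched(LISTING, {4: 0x90}), BASE)))
    print("-- all six P= lines for this site applied")
    print("\n".join(disassemble(patched(LISTING, {0: 0x90, 1: 0x90, 2: 0x90,
                                                  3: 0x90, 4: 0x90, 5: 0xEB}), BASE)))
```

The bytes themselves never move in either experiment , only the decoder's view of them does , which is why the loader's reverse order does not change the final result but does keep the listing readable while you check each P= line against HIEW .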

o.k back to the tutorial , compile your script and copy the exe file to the font creator program dir. now let's run it , i mean the loader ... o.k kool the font creator program has started ... o.k kool again ... click on register ... enter your info ... then click the register button .... and *B00M* there you go , your correct serial is in the error message ..... i think we have done a great job don't you think .... now write down the serial , close the font creator program , run it again by double clicking on fcp2.exe (yess !!! without the loader !!) , write the same info ... and the correct serial and *B00M* again ... our thank you message ...

THE FONT CREATOR PROGRAM IS REGISTERED

Final Words

O.k there you have it , i hope you enjoyed this tutorial as much as i did writing it !! , and cya in another tutorial !!!
FaT[BiT]_FaTsO GreetZ :

tKC ( You really Showed us the LIGHT !!! thanx alot )
LW2000 ( Thanx !!! i now use my brain !!)
Xasx (Hola !! This tutorial is dedicated to u !!)
Sir_dReAm ( i hope you like this one !!! )
MazM ( Where the hell are you !! )
BillGamEZ ( Thanx !! you are a true Friend !! )
Bonez (Thanx for the support !! )

and to all TNT!CRACK!TEAM! members

cya FaT[BiT] \ TNT!