Cracking Tutorial #2 By SiONiDE

Hi fellow Crackers. I write these tutorials in short amounts of time, so I apologise for any grammatical errors in this essay. Enjoy the Tut!

Cracking with "SoftIce":

Difficulty Level: Easy [ ] Medium [X] Hard [ ] Expert [ ]

Toolz Required:
    SoftIce 3.24 ................ (well duh)
    A good Cracking Web Site.
    Brain ....................... Ummm.... Head maybe??
    Computer .................... You're on one now!

Step 1:

First of all you must configure your winice.dat, so open it with Notepad. Yours, in the end, should look like the below:

    PENTIUM=ON          <== If for some reason SoftIce has to run on a computer without a Pentium, turn this option to "OFF".
    NMI=ON
    ECHOKEYS=OFF
    NOLEDS=OFF
    NOPAGE=OFF
    SIWVIDRANGE=ON
    THREADP=ON
    LOWERCASE=OFF
    WDMEXPORTS=OFF
    MONITOR=0
    PHYSMB=80           <== This is the amount of RAM on your computer; change it to your amount.
    SYM=1024
    HST=256
    TRA=8
    MACROS=32
    DRAWSIZE=2048
    INIT="lines 60;color f a 4f 1f e;wd 22;wc 22;wr;code on;X;"
    F1="h;"
    F2="^wr;"
    F3="^src;"
    F4="^rs;"
    F5="^x;"
    F6="^ec;"
    F7="^here;"
    F8="^t;"
    F9="^bpx;"
    F10="^p;"
    F11="^G @SS:ESP;"
    F12="^p ret;"
    SF3="^format;"
    CF8="^XT;"
    CF9="TRACE OFF;"
    CF10="^XP;"
    CF11="SHOW B;"
    CF12="TRACE B;"
    AF1="^wr;"
    AF2="^wd;"
    AF3="^wc;"
    AF4="^ww;"
    AF5="CLS;"
    AF8="^XT R;"
    AF11="^dd dataaddr->0;"
    AF12="^dd dataaddr->4;"
    CF1="altscr off; lines 60; wc 32; wd 8;"
    CF2="^wr;^wd;^wc;"
    EXP=c:\windows\system\vga.drv
    EXP=c:\windows\system\vga.3gr
    EXP=c:\windows\system\sound.drv
    EXP=c:\windows\system\mouse.drv
    EXP=c:\windows\system\netware.drv
    EXP=c:\windows\system\system.drv
    EXP=c:\windows\system\keyboard.drv
    EXP=c:\windows\system\toolhelp.dll
    EXP=c:\windows\system\shell.dll
    EXP=c:\windows\system\commdlg.dll
    EXP=c:\windows\system\olesvr.dll
    EXP=c:\windows\system\olecli.dll
    EXP=c:\windows\system\mmsystem.dll
    EXP=c:\windows\system\winoldap.mod
    EXP=c:\windows\progman.exe
    EXP=c:\windows\drwatson.exe
    EXP=c:\windows\system\kernel32.dll
    EXP=c:\windows\system\user32.dll
    EXP=c:\windows\system\gdi32.dll
    ;EXP=c:\windows\system\comdlg32.dll
    ;EXP=c:\windows\system\shell32.dll
    ;EXP=c:\windows\system\advapi32.dll
    ;EXP=c:\windows\system\shell232.dll
    ;EXP=c:\windows\system\comctl32.dll
    ;EXP=c:\windows\system\crtdll.dll
    ;EXP=c:\windows\system\version.dll
    ;EXP=c:\windows\system\netlib32.dll
    ;EXP=c:\windows\system\msshrui.dll
    ;EXP=c:\windows\system\msnet32.dll
    ;EXP=c:\windows\system\mspwl32.dll
    ;EXP=c:\windows\system\mpr.dll

The EXP lines are the DLLs on your computer. For the DLLs you have, remove the ";" from the beginning of the line; if they are in a different directory, just change the path. Sound easy enough??? :)

Step 2:

That's all your winice.dat needs to look like. Now let's learn a little about how SoftIce works. SoftIce is a "debugger", probably the best one in existence! The most common way to use it (the way crackers use it) is to set what we call "breakpoints" or BPs. There are many types of BPs, but we only need to know the ones which will break on execution (BPX). To enter SoftIce, just press "Ctrl + D" at any time on your computer, or you can press "F5". The same keys are used to leave SoftIce.

Breakpoints:

The "best" breakpoint to use for breaking on execution is "BPX hmemcpy"; this will work 99.9% of the time. It will break when the program copies anything in memory, which it will most certainly do!! Other breakpoints include ones which will break when a pop-up window is shown, i.e. an error message: "BPX GetDlgItemTextA" or "BPX GetWindowTextA". The "A" at the end is only used when the app is a 32-bit application; if not, just leave out the "A".

Keys:

    "Ctrl + D" .......... Enter/Leave SoftIce.
    "F11" ............... Trace. If it is Name/Serial protection, press it twice. If it is Name/Company/Serial protection, press it three times. If it's just Serial protection, press it once. Hey, I bet you think this is easy. "Well duh!"
    "F10" ............... This allows you to step through each line of ASM.
    "D + Number etc." ... This will display the data at that address in the window at the top.

These should be the only keys you will need for now. If not, there will be a complete list on my website, http://sionide.cjb.net.

Step 3:

Well, since SoftIce is mainly used for finding out serial numbers, let's see how it's done. Find a target that has a Name/Serial protection. Run it and enter the registration screen. Enter a name (I entered SiONiDE, hmmmmm, I wonder why?!?) and enter a serial; 123456 is best. Now click on "Enter" or "Register". What happens? It's an invalid serial number (only a very stupid company would have "123456" as a serial!!!). Anyway, press "Ctrl + D" to enter SoftIce; now is the time we set our breakpoints, yippee! Type "BPX hmemcpy", as it's the most common breakpoint that works. Press F5 to return to your target and click "Okay" or "Register". *BOOM*, we're back in SoftIce; now we use the keys we learnt about earlier. Press F11 twice, because of the little rule earlier. In the top window you should see "EAX=7"; this is the length of our name:

    S i O N i D E
    1 2 3 4 5 6 7

Now we know we are close to the serial number. Press "F10" 10 million times until you see something like this:

    0257:00404D59 PUSH EAX

You now need to type "D EAX"; this will display your name and the fake serial that you entered at the registration screen. Then press "F10" a couple more times until you see something like this:

    0257:00404D5F ADD ESP,04

You then type "? EAX", which will come up with a number such as the below:

    00545A04 0007315564 "TZ "    <== This is the serial number for our name!!

Type "BC *" to clear all breakpoints and then F5 to return to your target. Enter the name from the start, e.g. SiONiDE, then enter the serial you just got. Hit "Register" and what happens????? "Serial Number Accepted, Thank you for purchasing target!" Voila!