Welcome to Cracking Tutorial #9!

Yikes! Here we are again! More newbies.. Man, it's been a long time, no tutors! *cough* .. *cough* Ok, not a biggie problem! ;) As you can see, I've changed this version *again*. It should look professional :P Anyway, I hope you'll like this version! ;)

Warning, this tutorial is a real mother! *grin* In this tutor I'll teach you more about W32Dasm and SoftIce. Without knowledge, no power! ;) Sorry for my bad grammatical errors, I hope you'll understand this piece! Ok, let's rock!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

    SoftIce 3.23
    W32Dasm 8.92
    Hacker's View 5.91
    Windows Commander 3.52 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good cracking site where you can grab tools from: http://cracking.home.ml.org or ask any crackers to get you these tools!

Are you ready?! OK! ;)

    Tools        - What tools should we use?
    Tutor Part 1 - How to get a serial in WinAmp 2.01
                   We'll use SoftIce
    Tutor Part 2 - How to get a serial in WinNavigator 1.0
                   We'll use SoftIce and W32Dasm
    Tutor Part 3 - How to get a serial in WinBoost 98 1.1
                   We'll use SoftIce and W32Dasm
    Tutor Part 4 - How to make a 'keygen' for File Mag-Net 1.10
                   We'll use SoftIce, W32Dasm and HIEW
    Ending       - Last Words

*Please refer to PC.NFO for where to get all those programs above!*

PART 1: How to get a serial in WinAmp 2.01

Step 1. Run WINAMP.EXE

Step 2. Right-click on WinAmp, select Shareware, click on Enter Registration Info. Enter "tKC/PC '98" as Name, "123456" as Reg#. Hmm, now you can't click the OK button. What now?

Step 3. Ok, not a big problem. Press CTRL-D to get into SoftIce.

Step 4. Type BPX GETDLGITEMTEXTA and press F5 to return back to WinAmp.

Step 5. Press BackSpace at Reg# to erase "6" ..
*boom* now you are in SoftIce!

Step 6. You can press F11 to get to the caller.

Step 7. Do you see EAX=0000000A in the Register Window? It's the length of our name. Type ? EAX and you'll see:

    0000000A 0000000010      <--- 10 letters for our name

We know we're near the bitch's nest. We're getting there ;)

Step 8. Trace downward (press F10) till you see:

    0177:00403AD1 MOV ESI, EAX      <--- our false code

Step 9. Now type ? EAX and you'll see:

    00003039 0000012345 "09"

It's our false code. Ok, kewl.

Step 10. Trace downward (press F10) till you see:

    0177:00403AD6 PUSH EAX          <--- our name

Step 11. Type D EAX. What do you see in the Data Window? *Our Name*

Step 12. Trace downward (press F10) till you see:

    0177:00403ADC ADD ESP, 04

Now you'll see in the Register Window: EAX=04EC9715 .. hmm, what's it?

Step 13. Type ? EAX and you'll see:

    04EC9715 0082614037 "Ø-"

Kewl, it's our code!

Step 14. Type BC* and press F5 to return to WinAmp.

Step 15. Enter "82614037" *registered!*

PART 2: How to get a serial in WinNavigator 1.0

Step 1. Run WN.EXE

Step 2. Click on Register, enter "tKC/PC '98" as Name, and "12345" as Registration Number.

Step 3. Press CTRL-D to get into SoftIce.

Step 4. Type BPX GETWINDOWTEXTA and press F5 to return back to WinNavigator.

Step 5. Click OK .. *boom* now you are in SoftIce.

Step 6. You can press F11 to get to the caller.

Step 7. Hmm, I don't think we're at the right place. Coz WN is written in Delphi *duh* ;)

Step 8. Ok, not a big problem, type BC* and press F5. Quit WN, open W32Dasm and disassemble WN.EXE.

Step 9. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "Wrong registration number" and double-click it.

Step 10. Close the SDR window, you should see the lines:

    * Possible StringData Ref from Code Obj ->"Wrong registration number"
    :004A79CF B8047B4A00      mov eax, 004A7B04
    ...
    ...
    ...
    * Possible StringData Ref from Code Obj ->"The registration successfully"

Step 11. Now press the PgUp key till we get:

    :004A7996 E8EDC3F5FF      call 00403D88

Step 12.
This is the address we're gonna use in SoftIce. Close W32Dasm. Go back to WN, run it and enter as in Step 2.

Step 13. CTRL-D to SoftIce. Type BPX SHOWWINDOW, then F5. Click OK .. *boom* you're back in SoftIce.

Step 14. Type G 4A7996      <--- this is the address we got in W32Dasm.
*boom* we're back at WN. Click OK, again click OK. *boom* we're at the right caller!

Step 15. Do you see EAX=0151C89C in the Register Window? Type D EAX and we'll see our name in the Data Window. Kewl, we know we're near the bitch's nest. We're getting there ;)

Step 16. Trace downward (press F10) till you see:

    0177:004A79C5 MOV EAX, [EBP-04]

Now you'll see in the Register Window: EDX=0151C8C8 .. hmm, what's it?

Step 17. Type D EDX and you'll get "12345" in the Data Window.. Kewl, our false code!

Step 18. Trace downward (press F10) till you see:

    0177:004A79C8 CALL 00403E98

Now you'll see in the Register Window: EAX=0151C8B4 .. hmm, what's it?

Step 19. Type D EAX and what do we get in the Data Window? *our registration code!*

Step 20. Type BC* and press F5 to return to WN.

Step 21. Enter "4459953" *registered!*

PART 3: How to get a serial in WinBoost 98 1.1

Step 1. Run WB98.EXE

Step 2. Click on Register, enter "tKC/PC '98" as Name, and "12345" as Registration Code.

Step 3. Click OK. Nothing happens, hmm it sucks. Again it's written in Delphi! *duh* ;)

Step 4. Ok, not a big problem. Quit WB98, open W32Dasm and disassemble WB98.EXE.

Step 5. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "WinBoost 98 has been registered" and double-click it.

Step 6. Close the SDR window, you should see the lines:

    * Possible StringData Ref from Code Obj ->"WinBoost 98 has been registered"
    :004AE069 B844E34A00      mov eax, 004AE344

Step 7. Now press the PgUp key till we get:

    :004AE019 8B45F4          mov eax, dword ptr [ebp-0C]

Step 8. This is the address we're gonna use in SoftIce. Close W32Dasm. Go back to WB98, run it and enter as in Step 2.

Step 9. CTRL-D to SoftIce. Type BPX SHOWWINDOW, then F5. Click ORDER FORM ..
*boom* you're back in SoftIce.

Step 10. Type G 4AE019      <--- this is the address we got in W32Dasm.
*boom* we're back at WB98. Click ORDER LATER, then click OK. *boom* we're at the right caller!

Step 11. Trace downward (press F10) till you see:

    0177:004AE01C MOV EDX, [EBP-10]

Now you'll see in the Register Window: EAX=0904054 .. hmm, what's it?

Step 12. Type D EAX and you'll get "12345" in the Data Window.. Kewl, our false code!

Step 13. Trace downward (press F10) till you see:

    0177:004AE01F CALL 00403D74

Now you'll see in the Register Window: EDX=091BF7C .. hmm, what's it?

Step 14. Type D EDX and what do we get in the Data Window? *our registration code!*

Step 15. Type BC* and press F5 to return to WB98.

Step 16. Enter "375782918" *registered!*

PART 4: How to make a 'keygen' for File Mag-Net 1.10

Step 1. Run FMAGNET.EXE

Step 2. Enter "tKC/PC '98" as Name, and "12345" as Code.

Step 3. "Sorry, wrong Registration ID or KEY." Kewl, let's go!

Step 4. Quit FMAGNET, copy FMAGNET.EXE to FMAGNET.EXX, copy FMAGNET.EXE to FMAGNET.W32. Open W32Dasm and disassemble FMAGNET.W32.

Step 5. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "Sorry, wrong Registration ID or" and double-click it.

Step 6. Close the SDR window, you should see the lines:

    * Possible StringData Ref from Data Obj ->"Sorry, wrong Registration ID or"
    :0040276A 68B4A04100      push 0041A0B4

Step 7. Now press the PgUp key till we get:

    :00402763 6A10            push 00000010

Step 8. This is the address where we're gonna patch FMAGNET.EXE. The offset is 1B63 (look below in W32Dasm for the offset). Close W32Dasm.

Step 9. Run HIEW FMAGNET.EXE, press F4 to select Decode Mode (ASM), press F5 and enter 1B63. You should see:

    00001B63: 6A10            push  010
    00001B65: 68D8A04100      push  00041A0D8
    00001B6A: 68B4A04100      push  00041A0B4

Step 10. Now this is where FMAGNET shows you the error messages. I'm not gonna tell you the full details; if you play with SoftIce, you'll find the registers where the name/code are stored.
The best is to play till you get it.

Step 11. Ok, press F3 to edit FMAGNET.EXE, type the following:

    00001B63: 8B6C2410        mov   ebp,[esp][00010]
    00001B67: 8B74241C        mov   esi,[esp][0001C]
    00001B6B: 8BC5            mov   eax,ebp
    00001B6D: 8BDE            mov   ebx,esi
    00001B6F: 50              push  eax
    00001B70: 53              push  ebx

Step 12. Press F9 to update FMAGNET.EXE and exit HIEW. Run FMAGNET and enter your name/code, click Register.

Step 13. Kewl, you've got your name and a correct serial! *oops* *!@#$%* *crash* Shit happens. ;)

Step 14. Not a biggie problem. We'll have to correct it. Open W32Dasm, click Imported Functions, look down for the string "MSVCRT.exit" and double-click it.

Step 15. Close the ImpFn window, you should see the line:

    :0041236A FF15E4C04100    Call dword ptr [0041C0E4]

Ah, this is the address we have to call to exit FMAGNET after it shows us our name/code! The offset is 1176A. Look below in W32Dasm for the offset. Close W32Dasm.

Step 16. Run HIEW FMAGNET.EXE, press F4 to select Decode Mode (ASM), press F5 and enter 1B63. This is where you've patched it. Press F3 and go to 1B76, enter "E8EFFB0000", press F9 to update FMAGNET.EXE.

Step 17. It should look like:

    00001B63: 8B6C2410        mov   ebp,[esp][00010]
    00001B67: 8B74241C        mov   esi,[esp][0001C]
    00001B6B: 8BC5            mov   eax,ebp
    00001B6D: 8BDE            mov   ebx,esi
    00001B6F: 50              push  eax
    00001B70: 53              push  ebx
    00001B71: E830F10000      call  000010CA6      ------ (1)
    00001B76: E8EFFB0000      call  00001176A      ------ (2)

Step 18. Exit HIEW, run FMAGNET. Enter your name/code. *boom* Works .. no crash!

Step 19. Now you'll have the idea how the 'keygen' works. You'll need to play with other programs to understand the bitch! :P

I really hope you've enjoyed this tutorial as much as I did! In the next tutorial, I'll give you more advanced lessons on keygens, and how to use SmartCheck. If you ask me nicely, then you'll get tutor #10 very soon! ;)

I've got wise words from somebody, here is what it says:

    If you give a person a crack, he will be hungry again.
    If you teach a person to crack, he will never be hungry again!

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

    DaVince  for the Splash Logo - you r0x!
    Arcane   for providing programs since I have no phone at home yet! ;)
    Acid420  for providing the site to grab programs for this tutorial.
    And everybody for supporting PC!

PersGreetz go to:

    Miss Jessica, PowerLord, Arcane, Taylor, Nitallica & everyone on IRC!
    Yea babes again! *sigh* ;)

You can find me on IRC or email me at tkc@phrozen.crew.in.the.freeza.org

Written by The Keyboard Caper - tKC/PC '98
The Founder of PhRoZeN CReW '94-98
Compiled on 27 September 1998

Cracking Tutorial #9 is dedicated to Miss Jessica...
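Parts 1 to 3 all rely on the same design weakness: each program computes the one correct code for the entered name, holds it in a register or buffer, and only then compares it with what was typed, so a breakpoint near the compare reads the real code straight out of EAX or EDX. What follows is an added example, not code from this tutorial or from any of the programs it covers: a constructed toy checker in that same style placed beside a checker that embeds only a verification key, so that no valid code is ever present in the process unless the user typed it. The serial formula, the key values and the function names are all made up for illustration (textbook RSA without padding, with two well-known primes as a toy modulus; a real product would use a proper signature scheme such as Ed25519).

```python
import hashlib

# --- Pattern 1: the scheme the tutorial defeats ------------------------------
# Constructed toy formula; not any real product's algorithm.
def toy_serial(name: str) -> str:
    """Vendor's 'secret' formula: derives the one valid code for a name."""
    return str(sum(ord(c) * (i + 1) for i, c in enumerate(name)) * 7919)

def weak_check(name: str, code: str) -> bool:
    # The correct code is materialised in memory right before the compare;
    # a debugger stopped here (the tutorial's '? EAX' / 'D EAX') reads it.
    expected = toy_serial(name)
    return code == expected

# --- Pattern 2: verification that never computes the valid code -------------
# Toy RSA key (assumption for the example): two known primes, e = 65537.
# Only (N, E) ships inside the product; D stays with the vendor's issuing tool.
P, Q = 1000000007, 998244353
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))        # vendor-only, needs Python 3.8+

def _digest(name: str) -> int:
    # 56-bit hash of the name, always below N (N is about 2**59.8)
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:7], "big")

def issue_serial(name: str) -> str:
    """Vendor side: the serial is an RSA signature over hash(name)."""
    return str(pow(_digest(name), D, N))

def verify_serial(name: str, serial: str) -> bool:
    """Product side: holds only N and E and never derives a valid serial,
    so there is nothing for a breakpoint at the compare to pick up."""
    if not serial.isdigit():
        return False
    sig = int(serial)
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _digest(name)

if __name__ == "__main__":
    name = "tKC/PC '98"
    print("weak_check:", weak_check(name, "12345"), weak_check(name, toy_serial(name)))
    good = issue_serial(name)
    print("verify_serial:", verify_serial(name, "12345"), verify_serial(name, good))
```

Note what this does and does not buy: the signature removes the register-dump leak, because the checker compares a hash of the name with the public-key transform of the typed serial rather than with a freshly computed valid serial. It does nothing about edits to the executable itself, which Part 4 demonstrates; integrity of the binary is a separate control.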
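Step 4 of Part 4 keeps an untouched copy (FMAGNET.EXX) next to the file that gets patched; that same pair is what a defender or an integrity check uses to find out that, and where, a binary was altered. The following is an added example and not part of the tutorial: a Python byte-diff that reports the modified ranges between two images and, as a heuristic, decodes any near CALL (opcode E8 with a 32-bit displacement) that starts inside a changed range to its file-offset target, which is also how the two targets HIEW shows in Step 17 follow from the bytes entered there. The two buffers are constructed inline from the bytes listed in Steps 9 and 17, padded with zeros so the listing sits at offset 1B63; nothing here was read from the real file.

```python
from typing import List, Tuple

def diff_ranges(original: bytes, patched: bytes, merge_gap: int = 4) -> List[Tuple[int, int]]:
    """Return (offset, length) ranges where the two images differ.
    Changed bytes closer together than merge_gap are reported as one range,
    so a patch with a few untouched bytes inside it shows up as one edit.
    A size difference is reported as a range covering the longer tail."""
    ranges: List[Tuple[int, int]] = []
    start = end = None
    for off in range(max(len(original), len(patched))):
        a = original[off] if off < len(original) else None
        b = patched[off] if off < len(patched) else None
        if a == b:
            continue
        if start is not None and off - end <= merge_gap:
            end = off + 1
        else:
            if start is not None:
                ranges.append((start, end - start))
            start, end = off, off + 1
    if start is not None:
        ranges.append((start, end - start))
    return ranges

def call_target(insn_offset: int, insn: bytes) -> int:
    """File offset reached by a 5-byte near CALL (E8 rel32): the offset of the
    next instruction plus the signed 32-bit displacement, which is the target
    HIEW prints next to the instruction."""
    if len(insn) != 5 or insn[0] != 0xE8:
        raise ValueError("not an E8 rel32 call")
    disp = int.from_bytes(insn[1:5], "little", signed=True)
    return (insn_offset + 5 + disp) & 0xFFFFFFFF

def calls_in_range(image: bytes, offset: int, length: int) -> List[Tuple[int, int]]:
    """Heuristic: every E8 byte inside the range is decoded as a call.  A data
    byte of E8 would be reported too, so treat the output as a lead, not proof."""
    found = []
    for off in range(offset, offset + length):
        if image[off] == 0xE8 and off + 5 <= len(image):
            found.append((off, call_target(off, image[off:off + 5])))
    return found

PATCH_OFFSET = 0x1B63
# Constructed stand-ins for FMAGNET.EXX (backup) and the patched FMAGNET.EXE:
# the bytes from Step 9 and Step 17 at offset 1B63, zero padding everywhere else.
ORIGINAL_IMAGE = (b"\x00" * PATCH_OFFSET
                  + bytes.fromhex("6A10 68D8A04100 68B4A04100")
                  + b"\x00" * 16)
PATCHED_IMAGE = (b"\x00" * PATCH_OFFSET
                 + bytes.fromhex("8B6C2410 8B74241C 8BC5 8BDE 50 53 E830F10000 E8EFFB0000")
                 + b"\x00" * 4)

if __name__ == "__main__":
    # On real files: original = open("FMAGNET.EXX", "rb").read(), etc.
    for off, length in diff_ranges(ORIGINAL_IMAGE, PATCHED_IMAGE):
        print(f"modified: offset {off:08X}, {length} bytes")
        for call_off, target in calls_in_range(PATCHED_IMAGE, off, length):
            print(f"  E8 call at {call_off:08X} -> {target:08X}")
```

Run against the constructed buffers this reports one modified range starting at 1B63 and the two calls at 1B71 and 1B76 resolving to 10CA6 and 1176A, the same targets marked (1) and (2) in Step 17. The small gap tolerance matters: the two zero bytes that survive inside the patched region would otherwise split one edit into two reports.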