Welcome to Cracking Tutorial #10! Yikes! Here we are again! More newbies.. *cough* .. *cough* :)) In this tutor I'll teach you more about W32Dasm, SoftIce, and SmartCheck. Without knowledge, no power! ;) Warning, this tutorial is a real mother! *grin* Sorry for my bad grammar, I hope you'll understand this piece! Ok, let's rock!

You'll need the following tools. (I use these tools and assume you'll use them too. That doesn't mean you need all of them for every part, but keep them handy for the examples in this tutorial!)

    SoftIce 3.24
    W32Dasm 8.93
    Hacker's View 5.92
    SmartCheck 6.0
    Windows Commander 3.52 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here is a good cracking site where you can grab tools from: http://cracking.home.ml.org or http://surf.to/HarvestR, or ask any cracker to get you these tools! Are you ready?! OK! ;)

Tools - What tools should we use?

    Tutor Part 1 - How to remove a CD-Check in Age of Empires        We'll use SoftIce and HIEW
    Tutor Part 2 - How to get a serial in Easy CD-DA Extractor 3.0   We'll use SoftIce
    Tutor Part 3 - How to get a serial in MP3 to EXE 1.01            We'll use SoftIce and W32Dasm
    Tutor Part 4 - How to get a serial in Visual Day Planner 6.1     We'll use SmartCheck
    Ending - Last Words

PART 1: How to crack Age of Empires

I'm back :P I hope you will like this tutorial, since it's my first one for a game. This tutorial is not the usual kind; this time I'm gonna teach you how to crack a game - Age of Empires. This one is not as easy as my "old" tutorials and therefore I included quite a lot of code. I also put in a lot of comments to make it easier for you. (newbie *cough cough*) :) To follow all of this I advise you to read it several times until you understand all of it.

TOOLS: SoftIce 3.24, HIEW 5.92

This game has - as you probably already know - a CD-check when it's launched. This we don't like, and we're therefore going to find a way around it. Normally we would only use W32Dasm when cracking this kind of protection, but not in this case. Actually it's just as easy in SoftIce (at least I think so). Of course you could try using W32Dasm, and if you decide to do that I'll give you a small hint: when programming it, Microsoft did not use a normal text-box, they used graphics. So now you know ;) Ok.. let's start. If you're a newbie, go through this step by step.

1. Before using SoftICE you'll have to modify the WINICE.DAT file. Just delete the semi-colons before the EXP lines where USER32, GDI32 and KERNEL32 are mentioned. Now SoftICE will load these export functions.

2. Launch SoftICE and open EMPIRES.EXE.

3. Load it (Modules->Load) and ignore irrelevant error messages.

4. SoftICE pops up. Set a breakpoint on the function GetDriveTypeA (returns eax=5 if CD-ROM, eax=3 if fixed HDD) by typing:

    bpx getdrivetypea [ENTER]

   The 'a' at the end of the function name means that we are talking about a 32-bit application. GetDriveType would work for a 16-bit app.

5. Hit [CONTROL-D] to go back to the game. If SoftICE pops up again, ignore it. Just push [CONTROL-D] until you get to the main menu.

6. So now you are at the main menu - hit the 'Single Player' button.

7. If you've done everything right, SoftICE pops up at the desired function. Hit [F11].

8. Now you're at the place where GetDriveTypeA has been called from! Look around a bit ([CONTROL-UP], [CONTROL-DOWN]).

9. Here is what you should see:

    :004D65F6 FF1554267000   Call [Kernel32!GetDriveTypeA]          -> calls the function
    :004D65FC 83F805         cmp eax, 00000005                      -> If CD-ROM drive present
    :004D65FF 7404           je 004D6605                            -> jump to ...
    :004D6601 33C0           xor eax, eax                           -> if not: eax=0 ..
    :004D6603 EB53           jmp 004D6658                           -> ... and return.
    :004D6605 8D84241C010000 lea eax, dword ptr [esp+0000011C]      -> Volume-check ...
    :004D660C 6800010000     push 00000100
    :004D6611 8D4C241C       lea ecx, dword ptr [esp+1C]
    :004D6615 50             push eax
    :004D6616 8D54241C       lea edx, dword ptr [esp+1C]
    :004D661A 51             push ecx
    :004D661B 8D44241C       lea eax, dword ptr [esp+1C]
    :004D661F 52             push edx
    :004D6620 8D4C242C       lea ecx, dword ptr [esp+2C]
    :004D6624 50             push eax
    :004D6625 6800010000     push 00000100
    :004D662A 51             push ecx
    :004D662B 57             push edi
    :004D662C FF1558267000   Call [Kernel32!GetVolumeInformationA]  -> Volume-check
    :004D6632 85C0           test eax, eax                          -> is a CD-ROM in the drive?
    :004D6634 B800000000     mov eax, 00000000                      -> eax=0
    :004D6639 741D           je 004D6658                            -> no! return with eax=0!
    :004D663B 8B460C         mov eax, dword ptr [esi+0C]
    :004D663E 8D4C241C       lea ecx, dword ptr [esp+1C]            -> ecx = CD-ROM label
    :004D6642 05FD020000     add eax, 000002FD                      -> eax = Label (AOE)
    :004D6647 50             push eax
    :004D6648 51             push ecx
    :004D6649 E802D60500     call 00533C50                          -> very interesting call ...
    :004D664E 83C408         add esp, 00000008
    :004D6651 83F801         cmp eax, 00000001                      -> if eax=1 ... set register flags
    :004D6654 1BC0           sbb eax, eax                           -> eax=eax-(eax+c)
    :004D6656 F7D8           neg eax                                -> 'invert' eax
    :004D6658 5D             pop ebp
    :004D6659 5F             pop edi
    :004D665A 5E             pop esi
    :004D665B 5B             pop ebx
    :004D665C 81C40C020000   add esp, 0000020C
    :004D6662 C20400         ret 0004                               -> ... and return

You can step through the code (execute it line by line) by pressing [F10] and trace into a call (go into a function) by pressing [F8]. You can view the contents of a variable by typing d [variable] (e.g. d eax). You can also set variables by typing r [variable]=[value] (e.g. r eax=1), and toggle register flags by typing r fl [flag] (e.g. r fl z inverts the result of a compare (cmp)).

As you can see, the program checks whether you have a CD-ROM drive and returns the drive letter if so. Then it retrieves various info about the inserted CD-ROM (if one is inserted). If an error occurs it sets eax=0 and returns. All right. What now?
Let's take a quick look into the mysterious call (only the beginning and the end of it):

    :00533C50 55             push ebp
    :00533C51 8BEC           mov ebp, esp
    :00533C53 57             push edi
    :00533C54 56             push esi
    :00533C55 53             push ebx
    :00533C56 8B750C         mov esi, dword ptr [ebp+0C]
    :00533C59 8B7D08         mov edi, dword ptr [ebp+08]
    :00533C5C 8D05D08E5600   lea eax, dword ptr [00568ED0]
    :00533C62 83780800       cmp dword ptr [eax+08], 00000000
    :00533C66 753B           jne 00533CA3
    :00533C68 B0FF           mov al, FF
    :00533C6A 8BC0           mov eax, eax
    ...
    :00533CC6 E845070000     call 00534410
    :00533CCB 83C404         add esp, 00000004
    :00533CCE 38C3           cmp bl, al
    :00533CD0 74DA           je 00533CAC
    :00533CD2 1BC0           sbb eax, eax
    :00533CD4 83D8FF         sbb eax, FFFFFFFF
    :00533CD7 5B             pop ebx
    :00533CD8 5E             pop esi
    :00533CD9 5F             pop edi
    :00533CDA C9             leave
    :00533CDB C3             ret

The above function is rather complicated. You wouldn't want to know what it does... ;-) Anyway, if you go through it several times, changing some variables and flags, you'll arrive at the conclusion that the value of eax (when the call returns) can be either 0, FFFFFFFF or 1. (If you inserted the wrong CD it is 1 or FFFFFFFF.) We can assume at this point that the value 0 means we have inserted the right CD ... let's try it out! When you are debugging and you are at the end of the function (e.g. 533CDA) type:

    r eax=0 [ENTER]

and press [CONTROL-D] to let it go on. It works, you've made it!

Well, if you're not so sure about this business (WHY did it work???) go on reading ... if you are sure or just don't care, jump to the cracking section.

Okay, so you want to be a cracker... Let's assume you haven't changed anything (and have inserted the wrong CD); then the call will return eax=1. Let's look again at the code after the call returns:

    :004D664E 83C408         add esp, 00000008
    :004D6651 83F801         cmp eax, 00000001        -> if eax=1, set Z (or C if eax=0)
    :004D6654 1BC0           sbb eax, eax             -> eax=1-1 => eax=0
    :004D6656 F7D8           neg eax                  -> 'invert' eax => eax=0
    :004D6658 5D             pop ebp
    :004D6659 5F             pop edi
    :004D665A 5E             pop esi
    :004D665B 5B             pop ebx
    :004D665C 81C40C020000   add esp, 0000020C
    :004D6662 C20400         ret 0004                 -> ... and return

So the whole function returns eax=0 if the CD is wrong... Hmmm.... Usually, when looking at simple protections, you'll see that when eax=0 means WRONG, then eax=1 will mean ALL RIGHT. Let's see what happens if the call returns with eax=0 ....

    :004D6651 83F801         cmp eax, 00000001        -> if eax=1 ... (set C=1)
    :004D6654 1BC0           sbb eax, eax             -> eax=eax-(eax+c) => eax=0-1=FFFFFFFF
    :004D6656 F7D8           neg eax                  -> 'invert' eax => eax=1

Looks like this is another simple protection scheme ... Now you have basically two ways to crack this game: you can set eax=1 in the function, or you can set eax=0 in the call. It is possible that the game might make a check during gameplay with this call but from another function. Considering this, it would be best to insert a 'mov eax,0' instruction into the call, somewhere at the end (or at the beginning, followed by a 'return'). But this game won't make such a check! (You can try it out ...) So you can just as well insert a 'mov eax,1' instruction in the function, somewhere at the end (or at the beginning, followed by a 'return'). It is up to you. I've chosen the first possibility. I'll try to explain how to do it:

1. The easiest way is to write down a long sequence of the hexadecimal code in order to locate this fragment in the exe file (e.g. 8D05D08E560083780800 - this is taken from 533C5C to 533C62). You could just as well read the local offset from SoftICE, but it can be a bit confusing.

2. Launch hiew (HIEW EMPIRES.EXE), press [F4] and then [F2] in order to view the file in hex mode.

3. Search for the string you've written down ([F7]).

4. Now switch to decode mode ([F4], [F3]) - you're right there, shortly after the beginning of the call.

5.
Go to the 'mov esi,[ebp][0000C]' instruction (it will be overwritten, but that doesn't matter).

6. Press [F3] followed by [TAB].

7. Now you can type the command 'mov eax,0h' - you surely remember why, don't you. The hex code of this command should look like: B800000000. Now it should jump to the end of the call - type 'jmp xxxxxx', where xxxxxx represents the end of the call. The address will vary, so you have to look for it yourself. In our listing it is at 533CD7. Look at this code and look for it in hiew. Then you'll have the needed address...

8. Press [ESC] to end assembly, [F9] to save it, quit HIEW and launch the game...

9. It works!

I hope I made myself a bit clear and that you understand at least 80% of it. If you do not understand or have any question/comment, feel free to contact me. This crack could without a doubt be done more elegantly, but I'll leave it up to you to find the easiest way. After all, I did teach you one of the ways :P All for now.. Cya

-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
-------------------

PART 2: How to get a serial in Easy CD-DA Extractor 3.0 beta

Now what's this??? Two tutorials in ONE day! I must be writing my bloody ass off.. I wonder why I feel like writing all the time :P

Well, the program we're gonna attack this time is called Easy CD-DA Extractor 3.0 beta [build 340] (http://www.saunalahti.fi/~poiko/cdda3). I bet you all know what this is. If you don't, I'll just give a short description: CD-DA is a program to rip audio CDs. This is very useful, and in addition it has the cool feature of being able to get all the track info from the internet - a huge database with (almost) every CD! To follow this tutorial step by step you only need SoftICE 3.24. Sounds cool? Well it is :) So.. what are we waiting for? Let's crack this little bastard.

1. Open the program.. what's this? "Enter registration code...." Let's press that nasty little button. Enter your name and a random serial (e.g.: BuLLeT / 22446688).

2. So now it's time to run that wonderful little debugger. Press CTRL+D. Now we need to set a bpx. Try setting GetWindowTextA / GetDlgItemTextA. Press F5 and click OK. What's this... no break. Well, now what? Do you know of any other breakpoints that might be useful? Well, at least I remember one ;)

3. I wonder what this little fella could do: BPX HMEMCPY (= useful, I think). So press CTRL+D to return to SoftIce. You might wanna clear the other bp's which you set before (BC* = clear all breakpoints). Type: BPX HMEMCPY, and press F5. Click OK.

4. BZZZZzzzz.... BOOM. Beam me up Scotty ;) You're now back in SoftICE, happier than ever. But you're at the wrong place, aren't you? It says USER32 at the bottom of the screen. Hmm.. let's get to the right place. Press F10 a lot of times (about 148 times, I think). At least until you see this:

    XOR EDX,EDX               <- Set EDX=0
    MOV [EBP-04],EDX          <- Move stuff around
    LEA EDX, [EBP-04]         <- Put EBP-04=EDX
    INC DWORD PTR [EBP-18]    <- Increase stuff
    MOV EAX, [EBX+000001E0]   <- Move stuff to EAX
    CALL 0045C978             <- A call.. hmm...
    LEA ECX, [EBP-04]         <- This is where you should be

5. Ok.. you're now at 'LEA ECX, [EBP-04]', right? If not, start over =) If you have done everything I told you correctly, you should now see this line in the top right corner of the screen:

    SS: 0079EA48=009D5254

   What this means is not a child thing and I will therefore not explain it in detail. *cough* So.. what's next? Well, isn't it obvious? If not, keep reading.

6. Try typing: 'D 009D5254'. What d'ya see? You should see your name twice, and what's that below? Looks like a code. Or? This is a piece of what I saw in the data window:

    BuLLeT...........
    XXXXXXXXXX.......
    BuLLeT...........
    ........EZCDDAX3-
    711189DC-A7964775
    -396.............

   Doesn't that look too easy? I should be a moron if I couldn't see it.. but I could. (Lucky me :) )

7.
So.. write it down and clear all breakpoints (BC*). Press F5 to return to CD-DA and enter the code. (Name: BuLLeT / Code: EZCDDAX3-711189DC-A7964775-396)

8. YIIIIHAAAAAAAAAAAA. Damn you're good *cough*. No more NAG and no more: "You can only select multiple tracks....." And they lived happily ever after...... *kiss* Damn.. I'm getting sentimental... sux. All for now.. Cya

Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com

PART 3: How to get a serial in MP3 to EXE 1.01

http://software.webset.de/buschjost/mp3eng.htm

Step 1. Run MP3TOEXE.
Step 2. Click on Register, enter "The Keyboard Caper" as Name, "tKC" as Serial, and "12345" as Registration Code.
Step 3. Click OK. Wrong code.. Hmm, it's written in Delphi! *duh* ;)
Step 4. Ok, not a big problem. Quit MP3TOEXE, open W32Dasm and disassemble MP3TOEXE.EXE.
Step 5. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "The Registrationinformation is wrong. Try again?" and double-click it.
Step 6. Close the SDR window; you should see the line:

    * Possible StringData Ref from Code Obj ->"The Registrationinformation is "
                                            ->"wrong. Try again?"
    :0045468B BA4C4B4500   mov edx, 00454B4C

Step 7. Now press the PgUp key till you get:

    :0045459A 8D55F8       lea edx, dword ptr [ebp-08]

Step 8. This is the address we're gonna use in SoftIce. Close W32Dasm. Go back to MP3TOEXE, run it and click the Register button.
Step 9. CTRL-D to SoftIce. Type BPX SHOWWINDOW, then F5. Click Enter RegistrationCode.. *boom* you're back in SoftIce.
Step 10. Type G 45459A <--- this is the address we got from W32Dasm. *boom* we're back at MP3TOEXE. Re-enter the info as in Step 2, then click OK. *boom* we're at the right caller!
Step 11. At 0177:0045459A you'll see SS: 0071ED7C=00C4E1CC in the Register Window; type D C4E1CC and we get my name in the Data Window. Kewl, trace down till:

    0177:004545AE PUSH EAX

Step 12. Type D EAX and you'll get "12345" in the Data Window.. Kewl, our false code!
Step 13. Trace downward (press F10) till you see:

    0177:004545E7 POP EAX

   Now you'll see in the Register Window: EDX=00C4E1CC .. hmm, what's it?
Step 14. Type D EDX and what do we get in the Data Window? *our registration code!*
Step 15. Type BC* and press F5 to return to MP3TOEXE.
Step 16. Enter "032C8CD850E55270" *registered!* It won't say whether it has accepted your code; just click X to close, and X again to close the boxes. Then click About and you'll see it's registered!

PART 4: How to get a serial in Visual Day Planner 6.1

ftp://www.inklineglobal.net/win32/2day61.zip

Step 1. Run VDP.EXE, click Enter Reg. Code.
Step 2. Enter "The Keyboard Caper" as Name, "The Cracker" as Company and "12345" as Code.
Step 3. Wrong Registration Code! Kewl, let's go!
Step 4. Quit VDP. Run SmartCheck (I'll use SC as a shortcut).
Step 5. Click Program/Settings. In Error Detection, all the boxes should be checked. In Reporting, everything should be checked except Report MouseMove events. Go back to Error Detection, click Advanced; the first 4 boxes should be checked and the rest unchecked.
Step 6. Click OK to accept the settings. Ok, let's go!
Step 7. In SC, open the file VDP.EXE and RUN it!
Step 8. Don't panic! If you get an API failure or whatever, just click ACKNOWLEDGE. DON'T CLICK SUPPRESS! Else it will stop showing all the errors! Right now, keep clicking Acknowledge till you get VDP popping up on screen. It's normal that it shows all these shit errors.
Step 9. Ok, now you see VDP on your screen; click Register/Enter Reg. Code. Re-enter "The Keyboard Caper" as Name, "The Cracker" as Company and "12345" as Code.
Step 10. Click OK; now you'll get the Wrong Code box. Go to SC; in the Program Results window you'll see + mnuCode_Click below; click on + to expand the branch. Trace down till you see + RegcodeForm.Show and expand it.
Step 11. Trace down till you see + btnOK_Click and expand it. Go down to the SECOND LCase$; in the right window (debug info) you'll see:

    String string = 0058A3D0 "12345"

Step 12. Ok, that's where you entered the wrong code. Go down to LCase$.. hmm.. there are so many LCase$ below, and it's showing lots of registration codes! So what, take any one you want.. In my case, I take: 3882D927-9Y78-29699
Step 13. Ok, enter that code.. Ahhhh, now it has accepted the code! Kewl, your first serial in a VB5 program!
Step 14. For some practice, I suggest you unregister VDP and replay it over till you know what you're doing. To unregister VDP, open REGEDIT, go to HKEY_CLASSES_ROOT\.isl\Code, delete the key, and press F5 to update the registry. Close REGEDIT.
Step 15. Now you can re-crack your VDP.

In the next tutor I'll show you more about how to get more out of SmartCheck. It's fun! I really hope you've enjoyed this tutorial as much as I did! In the next tutorial we'll include other crackers' tuts here. Don't miss Tutor #11! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
DaVince for the Splash Logo - you r0x! (This is the last logo I've got from him; finally we've come to it. DV, I'll miss your gfx!)
BuLLeT for providing tuts in this version.

PersGreetz go to: Miss Jessica, PowerLord, Arcane, Nitallica, Meshi & everyone on IRC! Yea babes again! *always*

You can find me on IRC or email me at tkc@reaper.org

Written by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '98
Compiled on 16 November 1998

Cracking Tutorial #10 is dedicated to all the newbies :-P