Welcome to Cracking Tutorial #11! Whoa! 2 weeks ago we released #10, I must say we're fast today! :P *cough* .. *cough* :)

In this tutor we'll teach you everything more about W32Dasm, SoftIce, and SmartCheck. Without knowledge, no power! ;) Warning, this tutorial is a real mother! *grin*

Oh btw I didn't write a tutor today, I've included other crackers' tutors here, 7 tutors in ONE! We hope you'll appreciate our bonus today! :)) Ok, let's rock!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftIce 3.24
  W32Dasm 8.93
  Hacker's View 6.00
  SmartCheck 6.0
  Windows Commander 3.52 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good cracking site where you can grab tools from:

  http://cracking.home.ml.org or http://surf.to/HarvestR

or ask any crackers to get you these tools! Are you ready?! OK! ;)


PART 1: How to get a serial in Sex Machine v1.2.0 using SoftIce

Now what's this?? Another tut so fast?? You're damn right buddy. Now I know that I'm crazy :)
"So..what are we gonna attack this time?", you ask. Well..how about some Visual Basic 5.0 stuff? Sounds cool? Well I'm the one to decide and I say YES!
This time we'll attack a small program called:

  Sex Machine v1.2.0 (http://www.techsono.com/sexmachine)

It's a VB5 program and therefore you need some basic knowledge of VB-cracking. This I will, of course, give to you =) So...let's start.

The first thing you need to do is EDIT WINICE.DAT and add a line:

  EXP=\\MSVBVM50.DLL

This is what SoftICE uses to recognise VB appz. So REBOOT.....back? Cool! Now you're ready to start. Cya in cyberspace d00d.

1) Fire up the program and watch. SUX..a nasty NAG saying: UNREGISTERED
   Hmm..we don't want it to say that so click "Go Away" and select "Enter Registration Key".
   Click "Yes, I agree..." Ok..you're now at the Name/Serial screen.

2) Enter your Name and a random Serial (Name: BuLLeT / Serial: 22446688)
   So..happy as you are you press CTRL+D and set a breakpoint on: GetWindowTextA/GetDlgItemTextA. Press F5 and click OK.
   Hmm..what's this? You just get the NAG saying "Wrong...." Well I think it's time to tell you that VB5 does not use the normal breakpoints. When cracking VB appz you must use some other BPX. Like:

     __vbastrcomp / multibytetowidechar / __vbastri4

   Actually we could use all of them but then we'd have to trace a bit longer, and we don't want that. So..

3) Clear the BPX (=BC*) and type: BPX __VBASTRCOMP
   Press F5 and click OK. *BANG* SoftIce is right in your ugly face :-/
   Now what? Well let's start tracing a bit. What's that? It says TONYTOP several times. How come? Well..I did a bit of checking and found that TONYTOP cracked version 1.0 of this program. HEHE..they blacklisted him :) (I hope they won't blacklist me...hehe)

4) As you keep on tracing you see a lot of weird stuff which only VB appz use, stuff you don't need to know about. Well..trace using F10..keep it going. I think you have to trace about 140 times :) (I didn't count them..just pressed F10 for a LOONG time). Keep on tracing till you see:

     MOV EAX, 00000001
     ADD ESP, 0C
     ADD AX, SI
     JO 0042E588
     MOV ESI, EAX
     JMP 0042E45D
     IMUL EDI, EDI, 40
     JO 0042E588
     PUSH EDI
     CALL [MSVBVM50!__VbaStrI4]
     MOV EDX, EAX          <---------- This is where you STOP!

5) Ok..you're now standing at 'MOV EDX, EAX' and you don't have a clue what to do. Well...when you traced the CALL a lot of registers changed. So let's look in some of those nasty registers. Let's start with EAX. Type 'D EAX'
   Hmm..a number.. (In my case: 33280) But it looks weird doesn't it? It should normally look like: '33280' but it's '3 3 2 8 0'. How come? This is because VB uses MultiByteToWideChar, a function to convert data to wide char. Doesn't really matter..you got the number don't ya?

6) So..clear all breakpoints (=BC*).
   Press F5 and enter the right serial. *BOOM*...registered...hopefully :)

I hope this taught you just a bit about VB cracking. All for now..Cya

-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------


PART 2: How to get a serial in PowerAIM v1.3.7 using SmartCheck

Ok..once again I bring you a tutorial to help you improve your skills. This time we'll crack a program called:

  PowerAIM v1.3.7 (Add-on for AOL)

We'll crack it using SmartCheck so you don't need to know Assembly or anything to follow this tutorial. So...let's get started: (oh..remember your SCREEN NAME - it's needed later)

1) Start SmartCheck (=SC from now on) and open PWRAIM.EXE
   Run it and press 'acknowledge' a lot of times (until it stops loading).
2) A popup-screen will be shown to your good old newbie face *cough* :) Press 'Register' and enter a random code.
3) Click 'OK'.
4) Go back to SC and go to the following section:

     DoEvents/Timer1_Timer/btn_EnterReg.Do.Click/RaiseEvent/btn_Enter.Reg.Do.Click/DoEvents/btn_OK_Click/

   There you'll see this line:

     Double(x.xxxxx+xxx) --> Long (xxxxxxx)
            |---------|          |-----|
                 |                  |
       Your code + some stuff   Your code - stuff

5) Click it and watch the Debug Window (the one on the right). There you see:

     Double  x.xxxxxx+xxx
     Long    xxxxxxx       <--------

   And guess what?? What d'ya think that is? You're damn right you are..your code. (In my case: SCREEN NAME: BuLLeT / Reg-Key: 6011810)

Hope you enjoyed cracking this VB5 app. I surely did =) All for now..Cya

-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------


PART 3: How to crack Stone's Connect Control v1.4.1 using W32Dasm

So..once again I give you the opportunity to learn to crack.
The program we will attack is called:

  Stone's Connect Control v1.4.1 (http://www.image.dk/~stone)

This program is free for private users. You will, however, see a NAG which we will try to modify into showing your own name. We will crack this fella using W32Dasm and HIEW. So...ready to go? OK!

1) Launch the program...you see it? "IKKE REGISTRERET"...Note it...
2) Launch the nasty disassembler W32Dasm and disassemble CONNCTRL.EXE
3) Select SDR (=String Data Reference) and find the message. Double-click it and close the SDR window. Now you should see:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     0041408E(C)
     004140C0 B848614100      MOV EAX, 00416148
     * Possible StringData Ref from Code Obj -> "[IKKE-REGISTRERET!]"
     004140C5 BA24414100      MOV EDX, 00414124
     ......some other un-important stuff.

4) You see the CALL? -> 0041408E.....let's check that address. Scroll up till you see:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     00414088(U)
     0041408C 84DB            TEST BL, BL
     0041408E 7430            JE 004140C0
     Even more un-important stuff...

5) So..trace up further till you see:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     00414064(C)
     00414086 33DB            XOR EBX, EBX
     00414088 EB02            JMP 0041408C
     ...how much un-important stuff is there ?????

6) Trace up even further till you see this:

     00414079 8B1540614100    MOV EDX, DWORD PTR [00416140]
     * Reference To: VCL20.System.@LStrCmp@51F89FF7, Ord: 0000h
     0041407F E8BCD0FEFF      CALL 00401140
     00414084 7504            JNE 0041408A

   Hmm....a CALL followed by a JNE (=Jump if Not Equal)....interesting isn't it? Well..at least I think it is :)

7) So..what can we conclude from this? In the CALL something is calculated. If the result of the CALL is NOT equal it'll jump. Cool! This means that we can just change something....but what? Guessed it?
   I hope so..Let's change the JNE to JE (=Reverse the Jump)

8) Note the offset at the bottom of W32Dasm --> @Offset 00013479h
   Launch HIEW CONNCTRL.EXE
9) Press Enter twice to go to Decode mode.
10) Press F5 and enter the offset
11) Press F3 to edit the file and type 75 (=JE)
12) Press F9 to update your changes, followed by a few ESC's
13) ...so..you think you're done? WRONG! Before you will see your name in the About Box, you will have to tell the program where to find the name etc. So where do we do that? Well..I'd say Registry is a pretty good guess ;)
14) Fire up REGEDIT.EXE and go to this section:

      [HKEY_CURRENT_USER\Software\Stone's Software\ConnectControl\Start]

    There you'll have to add this:

      "RegNavn"="BuLLeT"   (=or any name you like)
      "RegNr"="S12345"     (=it *HAS* to start with 'S')

That should be all..after creating the Strings quit REGEDIT and run CONNCTRL.EXE again...what happened to the IKKE REGISTRERET?? Well..you see your name? Cool...program cracked successfully (once again :P )

All for now..Cya

-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------


PART 4: How to crack Stone's WebWriter 2 v2.1.1 using W32Dasm

Ok..time to attack another program ;)

  Stone's WebWriter 2 v2.1.1 (http://www.image.dk/~stone)

This program is free for private users. You will, however, see a NAG which we will try to modify into showing your own name. We will crack this fella using W32Dasm and HIEW. So...ready to go? OK!

1) Launch the program...you see it? "IKKE REGISTRERET"
2) Launch the nasty disassembler W32Dasm and disassemble WEBWRITE.EXE
3) Select SDR (=String Data Reference) and search for the message....hmm..it's not there! Now what?? Well..try scrolling down till you're at a line saying: "p". Double-click it until you see at the bottom that you're at offset: 0006D8B1 - close the SDR window.
   Now you should see:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     0046E494(U)
     0046E498 84DB            TEST BL, BL
     0046E49A 7440            JE 0046E4DC
     .......some ASM code
     * Reference To: VCL30.System.LoadResString@02614E1B, Ord: 0000h
     .......some other ASM code
     * Possible StringData Ref from Code Obj -> "p"
     0046E4B1 8B159DE4700     MOV EDX, DWORD PTR [0047DE94]
     0046E4B7 FF7482FC        PUSH [EDX+4*EAX-04]
     ......some other un-important stuff.

4) You see the CALL? -> 0046E494.....let's check that address. Scroll up till you see:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     0046E470(C)
     0046E492 33DB            XOR EBX, EBX
     0046E494 EB02            JMP 0046E498
     Even more un-important stuff...

5) Trace up even further till you see this: (should be on the same screen)

     00414079 8B1540614100    MOV EDX, DWORD PTR [0047F418]
     * Reference To: VCL30.System.@LStrCmp@51F89FF7, Ord: 0000h
     0046E48B E8302DF9FF      CALL 004011C0
     0046E490 7404            JE 0046E496

   Hmm....a CALL followed by a JE (=Jump if Equal)....interesting isn't it? Sure it is..I mean...it HAS to be :)

6) So..what can we conclude from this? In the CALL something is calculated. If the result of the CALL is equal it'll jump. Cool! This means that we can just change something....but what? Guessed it? I hope so..Let's change the JE to JNE (=Reverse the Jump)

7) Note the offset at the bottom of W32Dasm --> @Offset 0006D890h
   Launch HIEW WEBWRITE.EXE
8) Press Enter twice to go to Decode mode.
9) Press F5 and enter the offset
10) Press F3 to edit the file and type 75 (=JNE)
11) Press F9 to update your changes, followed by a few ESC's
12) ...so..you think you're done? WRONG! Before you will see your name in the About Box, you will have to tell the program where to find the name etc. So where do we do that?
    Well..I'd say Registry is a pretty good guess ;)
13) Fire up REGEDIT.EXE and go to this section:

      [HKEY_CURRENT_USER\Software\Stone's Software\WebWriter\Start]

    There you'll have to add this:

      "RegNavn"="BuLLeT"   (=or any name you like)
      "RegNr"="S12345"     (=it *HAS* to start with 'S')

That should be all..after creating the Strings quit REGEDIT and run WEBWRITE.EXE again...what happened to the IKKE REGISTRERET?? Well..you see your name? Cool...program cracked successfully (once again :P )

All for now..Cya

-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------


PART 5: How to get a serial in GameLaunch 3D v1.00.0020 using SmartCheck

This is my first tutorial and I hope it helps everybody to understand cracking of VB proggies. The proggie we want to crack is Game Launch 3D, I hope you all heard of it? Well it's a must for Quake 1 + 2, Hexen 2 and Heretic 2 gamers .. :)

  Game Launch 3D v1.00.0020
  ftp://ftp.cdrom.com/pub/planetquake/gamelaunch/gamelaunch100.exe

For this tutorial you only need SmartCheck from NuMega. This is pretty simple copy protection so let's get goin. :)

1. Start the program .. hmm what's this, evaluation? Ok enter any evaluation name you want. After you have given all your paths to the program go to Help, Register Gamelaunch. Enter random e-mail, User name and code. (e.g. Name: AgorA [CIA] | E-mail: Crackers.in.@ction | Registration Number: 12345)
2. Ok it will tell you that it is an incorrect code. :)
3. Start up NuMega SmartCheck. In program settings, [Error Detection] everything should be ticked, in [Reporting] everything should be ticked except "Report Mouse movements from ocx control" and in [Error Detection -> Advanced] only the top 3 boxes should be ticked.
4. Ok load the program executable. Run the program.... ok go make yourself some coffee and some toast cause this is gonna take a while .. :)
5.
   It will tell you sometimes it's got errors, just click on acknowledge, not suppress. After it's finished loading go to Help and click on Register Gamelaunch again. Enter the E-mail you want, and enter any stupid code again. Ok now in SmartCheck go down until you find Register_Bar_click, ok expand the tree ... Expand Register_Frm_show and expand the tree Register_Cmd_click.
6. Ok now for the difficult bit. Under the Email_txt.text, under the word Trim$, you will find the e-mail address you have entered. Ok go a little bit more down, under the word RegCode_txt.text you will see the Registration number you have entered. Now look, it is now going to convert the info you gave to long int ... Ok we are more interested in where the code gets compared so we can find out what the real serial is. We know that our code has the name Trim$. It also says that it's looking for a 4 x 4 digit number, we can see that when the program looks for Long(4) -> Integer. Ok let's go down ... far down until we find Trim$ again and we see our code. Ok so it takes Trim$ and compares it with "Left", ok so maybe the number above Trim$ will be our serial? Left hmm, let's have a look what is in "Left"... ahh we see a lot of numbers but one format looks familiar, yes it does: xxxx-xxxx-xxxx-xxxx <- that's our format. What's the code behind that? Ahh yes, it's our name and e-mail converted.
7. Take the serial that you get and voila, enter it in the Registration Number field and voila, it accepts that code. In my case 499F-q563-Te7Z-eD8Z.

Well I hope you enjoyed this tutorial as much as I did. :) Cya next time.

-->The Baddest, Meanest Cracker on the face of this earth. :)<--
--->AgorA<---
Written by AgorA
E-Mail: AgorA_666@hotmail.com


PART 6: How to make a keygen for UnInstall Manager v2.5

Flu[X]'s cracking tutor #5 - An EXTREMELY easy keygen

Tools
-Softice 3.2+
-Uninstall manager v2.5
-Turbo Pascal 7
-Brain

I HIGHLY RECOMMEND YOU VIEW THIS IN NOTEPAD!

-INTRO-
Ok, in this tut I'll teach you how to do a keygen..
THIS is a VERY easy example. Simple principles.. simple protection. This is probably the most simple protection I'VE EVER seen!

Ok, install and start our target. Find under the menus the register button. Enter a fake code.. I used:

  name: Fluxphrozen
  code: 121212

Ok get into SoftIce (Control-D), set a bpx on 44FD57. Hopefully SoftIce should break.. you will see the heart of the protection scheme..

Ok it is important to know at the start of this routine EDI contains how many letters there are in our name. Also note, before the program gets to this point, it converts your name to total lowercase.. you can see that from tracing. I will just concentrate on the maths part of it. Note EBX is used as an accumulator.. the below function just adds up all the ascii values into one number.

:0044FD57 mov edx, dword ptr [ebp-04]     <-get name into edx
:0044FD5A mov dl, byte ptr [edx+eax-01]   <-get character
:0044FD5E cmp dl, 20                      <-compare character to a "spacebar"
:0044FD61 je 0044FD6E                     <-if equal to "spacebar" skip the adding process
:0044FD63 mov ecx, dword ptr [ebp-04]     <-get name into ecx (useless instruction.. never used)
:0044FD66 and edx, 000000FF               <-basically does nothing to data (another unimportant step)
:0044FD6C add ebx, edx                    <-add ascii value of character to accumulator
:0044FD6E inc eax                         <-increase position in name to get next character
:0044FD6F dec edi                         <-decrease # of letters left to process in your name
:0044FD70 jne 0044FD57                    <-if no more letters left continue, or else back to top of this process

Ok that piece of code should be simple. I hope I explained it well enough.. ok now what happens with the number it makes? Below is the code that processes it.
:0044FD72 xor ebx, 00000089               <-XOR result by hex $89
:0044FD78 xor ebx, 00000033               <-XOR result of above by $33
:0044FD7B lea edx, dword ptr [ebp-08]     <-|
:0044FD7E mov eax, dword ptr [esi+0000021C] <-| these functions get your fake
:0044FD84 call 0041F8E0                   <-| serial you put in the box
:0044FD89 mov eax, dword ptr [ebp-08]     <-| to check it
:0044FD8C call 00407408                   <-|
:0044FD91 cmp ebx, eax                    <-Compare your fake one with the real generated one: ebx=real, eax=fake

Now to make a keygenerator. I have included my source below. It is commented and should be easy to follow.

===Begin Source Code===
program umkeymaker;

var
  name    : string;                          {declare variables to use}
  secondc : integer;
  total   : integer;
  pos     : integer;

begin
  writeln('Uninstall Manager v2.5 Keygen');  {write info to screen}
  writeln('Flu[X]/PC98');
  writeln('7/06/98');
  writeln(' ');
  write('Enter Name :');
  readln(name);                               {read keyboard input}
  write('Registration Key : ');

  total   := 0;                               {initialize variables}
  secondc := 0;
  pos     := 1;

  while pos <= length(name) do                {change name to all lowercase, like the program does}
  begin
    if (ord(name[pos]) >= 65) and (ord(name[pos]) <= 90) then
      name[pos] := chr(ord(name[pos]) + 32);
    pos := pos + 1;
  end;

  pos := 1;                                   {reset counter variable}
  while pos <= length(name) do                {add ascii values of lowercase name together}
  begin
    if ord(name[pos]) <> $20 then             {skip spaces, same as the cmp dl,20 / je above}
      secondc := secondc + ord(name[pos]);
    pos := pos + 1;
  end;

  total   := secondc xor $89;                 {XOR total by 89 hex}
  secondc := total;                           {copy result from above to secondc}
  total   := secondc xor $33;                 {XOR the result by 33 hex}
  writeln(total);                             {print out total, which is your key}
end.
===END Source Code===

I hope to see you again in Flu[X] tutor #6
As always if you like a program buy it! This essay is for educational purposes ONLY! Software authors deserve your support!
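Flu[X]'s Pascal above reproduces the arithmetic; the Python below is an added example, not part of the tutorial, that models the same check as read from the listing at 0044FD57..0044FD91 (lowercase A-Z, sum the non-space bytes, XOR 0x89, XOR 0x33) in order to show what a checksum-style serial gives away: two XORs with constants collapse into one mask, XOR is its own inverse so the key hands back the character sum, and any two names with the same character sum (case changes, reordering, added spaces) validate against the same key. The function names and the sample names are constructed for the demonstration.

```python
# Added example: model of the Uninstall Manager v2.5 check described in Part 6,
# written to show why a checksum-style key is weak. Not the tutorial's code.
from collections import defaultdict

def name_checksum(name: str) -> int:
    """EBX after the loop at 0044FD57: sum of the lowercased, non-space bytes."""
    total = 0
    for ch in name.encode("latin-1", "replace"):
        if 65 <= ch <= 90:      # the program lowercases A-Z first (adds 32)
            ch += 32
        if ch != 0x20:          # cmp dl, 20 / je ...: spaces are skipped
            total += ch         # add ebx, edx
    return total

def expected_key(name: str) -> int:
    """The value the program compares against at 0044FD91 (cmp ebx, eax)."""
    return (name_checksum(name) ^ 0x89) ^ 0x33

def combined_mask() -> int:
    """Two successive XORs with constants are one XOR with their combination,
    so the 'two-stage' obfuscation is a single byte mask."""
    return 0x89 ^ 0x33   # 0xBA

def recover_checksum(key: int) -> int:
    """XOR is its own inverse: a valid key leaks the name's character sum."""
    return key ^ combined_mask()

def collision_groups(names):
    """Group names that validate against the same key (the real weakness:
    the check never looks at order, case or spacing of the name)."""
    groups = defaultdict(list)
    for n in names:
        groups[expected_key(n)].append(n)
    return {k: v for k, v in groups.items() if len(v) > 1}

# Constructed sample input: the same letters in different case, spacing and order.
SAMPLE_NAMES = ["Fluxphrozen", "FLUXPHROZEN", "flux phrozen", "nezorhpxulf", "Bob", "Alice"]

if __name__ == "__main__":
    for n in SAMPLE_NAMES:
        print(f"{n:14} -> key {expected_key(n)}  (sum {name_checksum(n)})")
    print("names sharing one key:", collision_groups(SAMPLE_NAMES))
    print("checksum recovered from Bob's key:", recover_checksum(expected_key("Bob")))
```

The point for anyone designing a registration scheme: a key that is an invertible function of a low-entropy checksum of the name carries no secret at all, so the comparison in the client is the only "protection", and the comparison is exactly what the debugger session in Part 6 reads off.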
Flu[X]/PC98


PART 7: How to crack LiveImage 1.29D Build 52 using W32Dasm

Flu[X]'s cracking tutor #6 - Dealing with a packed EXE
Getting past Disassembler Protection

Tools
-Softice 3.2+
-Live Image v1.29D Build 52
-Hackersview 5.65+
-Brain

Ok ... recently programmers are using techniques or programs to "pack" their EXEcutables or DLLs in an attempt to add additional copyright protection. A popular one is Shrinker. If you're a cracker.. believe me you know about it :)

Ok enough, let's get started.. Ok let's examine our target, Live Image v1.29D Build 52, it asks for a name/serial. So we begin tracing (hmemcpy). Eventually we come to these lines of code:

  mov eax,[ebp-20]
  mov ecx,[ebp-0C]
  mov esp, ebp
  ret
  ----- After return is executed -----
  cmp eax,0
  je BAD_Cracker

OK, what it does is move a value into EAX, and if that value is 0 it means you failed the serial check... Now.. if we could make it always pass the test... we would have a fully regged copy (because the programmer always uses the above routine to check his serials). OK, I also notice that ebp-20 is 0 unless it is the right serial.. but wait.. EBP is always non zero.. so if we moved ebp into eax it will always pass the test. So the above code would become:

  mov eax,[ebp]    ; line changed...
  mov ecx,[ebp-0C]
  mov esp, ebp
  ret

Ok we think this is going to be some simple patch... So we open up W32Dasm to find the file offset (we did write down the address from SoftIce didn't we?). Ok we disassemble the file.. and what?!?! what is this crap? I can't find that code anywhere! This EXE is packed..ARGHHH...So after a bit of analyzing we notice that it is packed by Shrinker.. so we must de-pack it. I used Unshrinker v1.2 (on my web page http://tuts98.cjb.net). Ok we now have an unshrinked EXE file :) Things should be good right? No, wrong. Let's disassemble the unpacked EXE with W32Dasm, what, it won't work? It seems as if the author not only used Shrinker, but also added a bit of his own protection! Ok.. now what do we do here?
Wait a sec, remember what the code we are looking for is? Maybe if we used our heads a bit (a very little bit) we would recall that Hiew allows for Hex Searches :)

  mov eax,[ebp-20]
  mov ecx,[ebp-0C]
  mov esp, ebp

This translates to: 8B45E08B4DF48BE5

So if we open the file in Hiew we can do a search for 8B45E08B4DF48BE5. Hit the F7 key in Hiew and type it in the hex string area.. and find it. Hey.. it worked.. we found our code.. so change it from:

  8B45E0
  8B4DF4
  8BE5

to:

  8B4500   ;note the 00.
  8B4DF4
  8BE5

Save the file and run.. Hey look it's registered.. crack done!

Also about a patch.. a patch for this program would be virtually seeing as it is improbable to modify a packed file.

I hope to see you again in Flu[X] tutor #7
As always if you like a program buy it! This essay is for educational purposes ONLY! Software authors deserve your support!

Flu[X]/PC98
http://tuts98.cjb.net


We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #12! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  Lazareth/CiA for Splash Logo
  BuLLeT/CiA for providing tuts in this version.
  AgorA/CiA for providing tuts in this version.
  Flu[X]/PC for providing tuts in this version.
  (All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!)

Greetz go to all the newbees!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '98
Compiled on 30 November 1998

Cracking Tutorial #11 is dedicated to all the newbees :-P
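A closing added example (mine, not Flu[X]'s or the tutorial's) for Part 7, which states that the three instructions mov eax,[ebp-20] / mov ecx,[ebp-0C] / mov esp,ebp are the bytes 8B45E08B4DF48BE5 and that the patch changes only the displacement byte. The Python below derives those bytes from the MOV r32,r/m32 encoding rule (opcode 8B, a ModRM byte, an optional 8-bit displacement), runs a Hiew-style hex search over a constructed stand-in image, and reports the bytes that differ, which is the check a file-integrity test of a shipped binary makes. The image contents, offsets and function names are constructed for the demonstration; nothing from the real LiveImage file is in it.

```python
# Added example: where the byte string 8B45E08B4DF48BE5 in Part 7 comes from,
# and a byte-level integrity check over a constructed image. Not the tutorial's code.
# Opcode 8B = MOV r32, r/m32; next byte is ModRM (mod:2 reg:3 rm:3).
REG = {"eax": 0, "ecx": 1, "edx": 2, "ebx": 3, "esp": 4, "ebp": 5, "esi": 6, "edi": 7}

def mov_reg_from_ebp(dst: str, disp: int) -> bytes:
    """Encode MOV dst, [ebp+disp] with an 8-bit displacement (-128..127).
    rm=101 with mod=00 means 'disp32, no base register', so [ebp] itself has
    to be written as mod=01 with a zero disp8: that is the 8B 45 00 in Part 7."""
    if not -128 <= disp <= 127:
        raise ValueError("disp8 out of range")
    modrm = (0b01 << 6) | (REG[dst] << 3) | REG["ebp"]
    return bytes([0x8B, modrm, disp & 0xFF])

def mov_reg_reg(dst: str, src: str) -> bytes:
    """Encode MOV dst, src (mod=11: the r/m field names a register)."""
    modrm = (0b11 << 6) | (REG[dst] << 3) | REG[src]
    return bytes([0x8B, modrm])

def epilogue_pattern() -> bytes:
    """The original sequence Part 7 searches for with Hiew's F7."""
    return (mov_reg_from_ebp("eax", -0x20)
            + mov_reg_from_ebp("ecx", -0x0C)
            + mov_reg_reg("esp", "ebp"))

def patched_pattern() -> bytes:
    """The same sequence with the first displacement changed to 0 ([ebp])."""
    return (mov_reg_from_ebp("eax", 0)
            + mov_reg_from_ebp("ecx", -0x0C)
            + mov_reg_reg("esp", "ebp"))

def find_all(haystack: bytes, needle: bytes) -> list:
    """Every offset where needle occurs (a hex search, like Hiew's F7)."""
    hits, start = [], 0
    while (i := haystack.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits

def diff_bytes(a: bytes, b: bytes) -> list:
    """Offsets at which two equal-length byte strings differ."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]

def is_intact(image: bytes, offset: int, expected: bytes) -> bool:
    """Integrity check: do the bytes at offset still match the expected code?"""
    return image[offset:offset + len(expected)] == expected

# Constructed stand-in for an unpacked image: filler, the epilogue, a ret, more filler.
FAKE_IMAGE = b"\x90" * 0x40 + epilogue_pattern() + b"\xC3" + b"\xCC" * 0x20

if __name__ == "__main__":
    print("encoded:", epilogue_pattern().hex().upper())          # 8B45E08B4DF48BE5
    print("found at:", [hex(o) for o in find_all(FAKE_IMAGE, epilogue_pattern())])
    print("bytes that differ after the patch:", diff_bytes(epilogue_pattern(), patched_pattern()))
    tampered = bytearray(FAKE_IMAGE)
    tampered[0x42] = 0x00                                       # the one-byte edit
    print("original intact:", is_intact(FAKE_IMAGE, 0x40, epilogue_pattern()))
    print("tampered intact:", is_intact(bytes(tampered), 0x40, epilogue_pattern()))
```

Two things the listing alone does not make obvious: the whole patch is a single displacement byte because the ModRM byte already selects [ebp+disp8], and a byte-exact check of a known code region (as is_intact does) is enough to notice that edit, which is why packers and checksums are layered on top of such code in the first place.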