Welcome to Cracking Tutorial #12! Whoa! Two weeks ago we released #11, I must say we're fast today! :P *cough* .. *cough* :) In this tutor we'll teach you more about W32Dasm, SoftIce and SmartCheck. Without knowledge, no power! ;) 10 tutors in ONE! We hope you'll appreciate our Xmas bonus today! :)) Warning, this tutorial is a real mother! *grin* Ok, let's rock!

You'll need the following tools (I use these tools and assume you'll use them too, but you won't need every one of them for every example, so just have them handy):

SoftIce 3.24
W32Dasm 8.93
Hacker's View 6.00
SmartCheck 6.0
TASM 5.00
Windows Commander 3.53 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://cracking.home.ml.org or http://surf.to/HarvestR

or ask any cracker to get you these tools! Are you ready?! OK! ;)


PART 1: How to remove a CD check in Microsoft Combat Simulator 98
by Cardenal Mendoza

Cardenal Mendoza's tutor #1: HOW TO CRACK MICRO$OFT COMBAT $IMULATOR 98 (a very easy CD check)
-------------------------------------------

Hi there, this is my first tutorial, so don't expect too much. I hope you'll enjoy it anyway ;-) Please excuse my bad English, it's not my mother language...

Part 1: The beginning...
------------------------

In this tutorial I expect that you know how to use W32Dasm and how to modify the exe with your hex editor.

Install the game and choose full install. Then try to start it without the CD. It won't work: a dialog pops up and asks you to put in the CD. No problem - start W32Dasm and disassemble COMBATFS.EXE. Now you should see the dead listing of the code.

Part 2: The CD check...
-----------------------

Click on String Data References and search for your error message. Have you found it? OK? Just click on it.
You should now see the following part of the code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401D4E(C)
|
:00401D9E 8B15E8C84100            mov edx, dword ptr [0041C8E8]

* Reference To: USER32.LoadStringA, Ord:0183h
|
:00401DA4 8B35E81A4200            mov esi, dword ptr [00421AE8]
:00401DAA 6804010000              push 00000104
:00401DAF 68C0084200              push 004208C0

* Possible Reference to String Resource ID=01500: "Bitte legen Sie die Microsoft R Combat Flight Simulator-CD ei"
|
:00401DB4 68DC050000              push 000005DC
:00401DB9 52                      push edx
:00401DBA FFD6                    call esi
:00401DBC 8B0DE8C84100            mov ecx, dword ptr [0041C8E8]
:00401DC2 8D8424A4000000          lea eax, dword ptr [esp+000000A4]
:00401DC9 6804010000              push 00000104
:00401DCE 50                      push eax

(The string is German for "Please insert the Microsoft R Combat Flight Simulator CD".)

Now double-click a second time on the string. It scrolls to a second location. Have a look at it. Hmm, this seems curious: nothing interesting but the reference and a jmp. Look at the jump. Nothing interesting there either. That's why W32Dasm calls it a "possible" reference: it is not always a real reference, and in this case it is not our string. But how do we know that? Look back at the first location. Do you see the reference to USER32.LoadStringA? I don't think I have to explain what that is. Most of the time real references are followed by a MessageBoxA, a ShowWindow, or some other function that does something with our string, like lstrcpy or LoadStringA.

So let's go further. Click on our string to see if there is a "real" second location - no, we're back at our first place. OK, now we should look at the whole function. First it does something in the registry. Do you see the string "InstalledFrom"? This should be our CD drive. Then there are the two strings of the error message (the text and the caption of the dialog). Then there follows a bunch of assembler code. Just ignore it for the moment. At the end there is a call to USER32.MessageBoxIndirectA.
This is an unusual function and I see it here for the first time, but maybe I simply haven't been cracking long enough :-( (MessageBoxIndirectA takes a single pointer to a MSGBOXPARAMS structure instead of separate text/caption/flags arguments, which is why you don't see the usual four pushes; its return value in EAX is still the ID of the button that was pressed.) After the call there are two cmp's, each with a je after it. Now think what this could be... yes, it is the code which checks which button was pressed. The first cmp checks the Cancel button. If you changed that je to a jmp, it would close the game whenever no CD is inserted. The second jumps back to see if the CD is now in the drive. After these two jumps you should see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401E23(C), :00401E2D(C), :00401E48(C)
|
:00401E62 8B0DE8C84100            mov ecx, dword ptr [0041C8E8]
:00401E68 51                      push ecx
:00401E69 E8F2F2FFFF              call 00401160
:00401E6E 85C0                    test eax, eax
:00401E70 750B                    jne 00401E7D
:00401E72 5F                      pop edi
:00401E73 5E                      pop esi
:00401E74 5D                      pop ebp
:00401E75 5B                      pop ebx
:00401E76 81C498010000            add esp, 00000198
:00401E7C C3                      ret

This seems to be the exit of the function for the good guys who have their CD in the drive. But we're bad, aren't we ;-) ...

Part 3: The crack...
--------------------

OK, if you look at the code above, the easiest thing would be to nop out the last two je's; then the game would simply run to the good-guy exit. But wait. First you should think. You would be nopping out the *check* of the buttons, so the error window would still pop up each time you start the game. Of course it would run after you pressed something, but isn't there a better way? You could try to nop out the call to USER32.MessageBoxIndirectA too, but if there is one bad thing you can do, it is nopping out calls into a DLL: these Win32 API functions are stdcall, so the callee removes its arguments from the stack; nop the call and the pushed arguments stay on the stack and EAX holds garbage instead of a return value. Just try it, you will see.

So look at the last part of the code. There are three different jumps to it. The easiest thing that works is to go to the first jump and change it so that it always jumps.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401E60(C)
|
:00401E13 8A0DC0FF4100            mov cl, byte ptr [0041FFC0]
:00401E19 51                      push ecx
:00401E1A E801FDFFFF              call 00401B20
:00401E1F 8BF0                    mov esi, eax
:00401E21 3BF5                    cmp esi, ebp
:00401E23 753D                    jne 00401E62          <---- here it is...
:00401E25 B341                    mov bl, 41
:00401E27 885C241C                mov byte ptr [esp+1C], bl

Just change the 0x75 of the jne at 00401E23 into 0xEB. This turns it into jmp 00401E62 (the second byte, the 3D displacement, stays the same). Note that 00401E23 is the virtual address; in your hex editor you need the file offset, which W32Dasm shows in its status bar (@Offset) when you click on the line. Try it... *KEWL* - it works. Isn't that a lame CD check?! I expected something better from Micro$oft.

Part 4: The finish...
---------------------

I hope you enjoyed this tutorial. Remember, it was my first - nothing is perfect at once :-) If you have suggestions for a second tutor, send me a mail to: Cardenal@gmx.net

I hope to see you in tutor #2... Oh, yes: cracking a program you don't own yourself is illegal, so don't do this :-(

Greetinx to: warp_9 & darkman & antos & homer

Cardenal Mendoza
11/12/1998


PART 2: How to get a serial in DigiSignature v3.0
http://www.simtel.net/pub/simtelnet/win95/security/sign30.zip
by Bisoux

A newbie cracking tutorial using a live approach on DigiSignature Ver 3.0 - by Bisoux
------------------------------------------

This is my first essay, so bear with me and my poor English ;o)

Level : Newbie
Tools : WinIce ver 3.xx
DigiSignature v3.0
URL: http://www.simtel.net/pub/simtelnet/win95/security/sign30.zip

Introduction
------------

This program has 0 security: a small patch and it's registered. It didn't take me very long and I'm not a master cracker. I assume you have SoftIce installed and running and that you have a basic working knowledge of how to make it work for you, "the cracker". To make this tut more attractive than just a dry description of the cracking process, I'll try to explain what is going on....
There will be 2 phases: the first one is for absolute beginners and the second one will just show how easy it is to find the real serial instead of doing an ugly patch.

1. Doing the patch.
------------------

OK, enough bull, let's CRACK! Run the program... what do you know, an ugly nag screen asking you to register. Let's register: click on the Register tab and the dialog box will pop up. So what do we have here (I filled it in like this, but do whatever you want):

Name: Bisoux
Company: KAC
Serial Num: 123456789 (I always use this, since if not all the digits are taken into the calculation I'll know which positions are)

Before pressing the OK button, let's put some breakpoints in SoftIce. Let me explain a bit what we are doing here, since a lot of newbies do it without understanding, and that's a shame! We are going to break on an API call. Now what's an API? API stands for Application Programming Interface. It means that a lot of internal routines that are needed all the time under Windows (drawing windows, I/O, memory operations, etc.) are offered as standard services by your OS (operating system). You should get an API reference if you want to be a cracker....

When you are in a dialog box (like now), the APIs Windows uses to read your details out of the edit fields are normally the following:

GetDlgItemTextA (without the A in 16-bit applications)
GetWindowTextA

and, for all input procedures no matter what language was used:

hmemcpy

This last one I use only as a last resort, because it often gives "false alerts". So now that we understand what we are doing (I hope), let's bpx on the first two API calls mentioned:

bpx GetDlgItemTextA
bpx GetWindowTextA

Now back to our proggie (Ctrl-D) and press the OK button! SoftIce will pop up saying the reason is GetWindowTextA.
That means our first string is being read. But remember, we have 3 strings the proggie will read (name, company and serial), so we want to start tracing from the 3rd read, which is why we press F5 (= Ctrl-D) twice more. Great, SoftIce popped up 2 more times; now we are in the middle of the GetWindowTextA API call, so we press F12 to get back to our proggie's code.

Now the first thing I do when I crack a program is take a look at what is going on: where the compares and the jumps are. Normally (but not always) the proggie will make some calls, which means it performs some routines, and then comes back to do a comparison with a conditional jump afterwards. The first time through I'm not going to step into all the calls, just see where and why the "bad boy" pops up. So what I do is double-click on every conditional jump I see; that gives me a bpx on that line (thanks to SoftIce and its mouse support). The double-click only works if your SoftIce is properly configured for mouse and video driver. I presume you are already familiar with all that; if not, a great page about it is: http://server.kibla.org/lusers/mib/sice.htm (a great site of knowledge in general). Anyway, if you haven't got this possibility you'll have to set a bpx on the address of each conditional jump by hand, like this: "bpx xxxx:xxxxxxxx". But if you're lazy like me, get your mouse and video configured.

A conditional jump is the assembly way of making an "IF", like in any other programming language. So we must understand that the bad boy window showed up because a condition failed. So continue tracing using F10 and double-clicking on every single jump you see. Finally the bad boy will appear saying "wrong......". Kewl: normally the last jump, or the one before it, is the final jump, and you have all of them in SoftIce. Great: Ctrl-D, then "bl" to see the list of all your bpx's with a little number next to each; "bd" disables all of them except the last one:

bd 0 1 ....
"bd" means breakpoint disable; the advantage is that the other jumps' locations won't disappear, they'll just be disabled. Now F5 to continue, put in your name etc., press OK and SoftIce will pop up on this line:

:00408845 8BD8                    mov ebx, eax
:00408847 FF37                    push dword ptr [edi]
:00408849 E8C2070000              call 00409010
:0040884E 83C404                  add esp, 00000004
:00408851 3BC3                    cmp eax, ebx
:00408853 7411                    je 00408866          <== you'll be here!

* Possible Reference to String Resource ID=00016: "Select one of the user ID names in the list at left, or use "
|
:00408855 6A10                    push 00000010

* Possible Reference to String Resource ID=00063: "Error Message"
|
:00408857 6A3F                    push 0000003F

Next to the line you land on there will be a small note in SoftIce saying (no jump). What does this mean? Every time there is a compare or a test in assembly, the flags register holds the answer. You can see the flags at the top right of the register window in SoftIce (if it isn't shown, just type "wr" and it will pop up). We would like to change this right now, which will change the result of the test and make us jump instead... so we use the "r" command in SoftIce, which displays/changes the contents of our registers. If you have any problem with a SoftIce command just type "help r" (or whatever command you want to figure out) and SoftIce will give a small description of it.

All that's left to do is change the (no jump) into (jump); you do this by typing "r fl z", which toggles the zero flag. This changes the (no jump) into (jump). F5 (which is the same as Ctrl-D) and booommmm! You're registered! Congratulations, you just cracked another proggie! Now, this proggie has 0 protection, because if it had something more elaborate (like most programs have) it would recheck your serial every time you load it. BUT not this baby!

2. Finding the right code (thanks to MisterE)
------------------------

Now that you know how to patch it, you are really close to getting the right code.
What happened is you had:

:00408851 3BC3                    cmp eax, ebx
:00408853 7411                    je 00408866

That means a comparison between the registers eax and ebx. Now you can do a lot of things here; just bpx on 00408851 and you will have the answer. But I would like to demonstrate the usual way of finding your correct serial. So first of all unregister the program; you do this by deleting the registry key HKEY_local_machine/softwares/thunderbyte/digisign/code. Anyway, for cracking you'll have to know and understand the registry.... A lot of very good info can be obtained at _mammon's page: http://www.eccentrica.org/Mammon/

After unregistering, run the program: you'll have it like new. Register, put in your details, get into SoftIce, bpx GetWindowTextA (remember the API call...), get back to the program, push the OK button, and you're in SoftIce once again. Two more times F5 (remember, it has to read your 3 strings), F12 to get to your program. OK, let's look for our string in memory. How? Simple:

s 0 l ffffffff '123456789'

(or whatever bogus number you put in). This means: s - search, from address 0, l - length, ffffffff, for the string 'Your_String'. SoftIce will answer:

match has been found in xxxx:xxxxxxxx

Great. Now we want SoftIce to tell us (that means break) every time the program touches this memory address. So we do a bpr, which means breakpoint on range, like this:

bpr xxxx:xxxxxxxx xxxx:xxxxxxxx+9 rw

That means bpr from the address SoftIce found up to the same address plus our string's length; rw means read/write. If you are lazy like me, you'll find that right-clicking on an address and choosing cut & paste speeds things up and prevents copy mistakes.
Now that you have done this, F5 to continue the program. SoftIce will pop up when your string is being manipulated. We saw before that this does not happen in the main program but inside a call from it, so F12 will get you back to where the call came from. You'll land here:

:0040883C FF1538404100            call dword ptr [00414038]
:00408842 83C404                  add esp, 00000004          <=== you're here
:00408845 8BD8                    mov ebx, eax
:00408847 FF37                    push dword ptr [edi]
:00408849 E8C2070000              call 00409010
:0040884E 83C404                  add esp, 00000004
:00408851 3BC3                    cmp eax, ebx
:00408853 7411                    je 00408866

Looks familiar? Sure does. Now what do you see? eax is moved to ebx, which gets compared some instructions later. Let's do a "d eax" (or right-click on it and choose Display); this shows us the memory eax points to. We see nothing useful, so let's check what value it holds with "? eax": this gives 3 values, decimal, hexadecimal and its value in ASCII. So now you understand what the call is all about: it puts the value of your string in eax (the string converted to a number). This is a method used to leave no echoes of the serial in memory for crackers to look for....

OK, we see this value is stored in ebx, which is not pushed for the next call (I wonder what this call is ;o) ), and immediately after that call it gets compared with eax. So F10 until the cmp, type "? ebx" and you get your serial (the one you typed); "? eax" --> bingo, the correct serial! Now disable all the breakpoints, get back and try it! You have won the jackpot! :))) Easy, no?

Final Words
-----------

Of course there are many more ways to crack this baby, but with this method you'll do it in no more than 5 minutes. You can try to make a key generator now: just step into the call 00409010 and figure out what it does, or, for the newbie, try the dead listing method; it will work easily as well. "Hope you learned something from this" (as someone said before ;) ) and that it will initiate you, the newbie, to the live approach. SoftIce is a very powerful weapon that should be fully explored.......
If you have any problems with this, do not hesitate to contact me at: bisoux10@hotmail.com

Thanks
-----

Tillety - my Aussie brother that corrected my English
MisterE - great tut writer that helped me with this one
Vizion for bearing my newbie questions
Quantico, HalVar and all the rest from #C4N, a great channel indeed, a lot of nice people that will help you with any question you have, so a very big thank you to nIabi and Mexelite for this great channel of information.
MindCrush for asking me to write this.
Pj (of course)
Tetsuo (the Linux expert) for being a good friend.

Important links
---------------

Fravia.org --> a must for any cracker, GREAT knowledge site!
cracking.home.ml.org <--- caligo's page, everything you'll ever need (hope it will not go down soon)

From those 2 links you'll discover the wonderful world of cracking :)

Bisoux
------


PART 3: How to get a serial in Braga's Crackme
by Night Mastah

NuMega SmartCheck 5.0 Beginners Guide

Target: Braga.exe - Braga's Little Crackme 1 in Visual Basic 5
Tools: SmartCheck 5. ftp search for smchk50.exe

While there are a few tutorials on SmartCheck at fravia.org, they didn't really help me to get started with SC, so hopefully this tutorial will help you in learning this fantastic tool. This tut is to help you figure out the basics, rather than just telling you how to complete Braga's crackme.
For those of you who are not familiar with SC and what it is, here's a description from the main help file:

SmartCheck is a run-time debugging tool that addresses the most problematic conditions encountered by Visual Basic developers:
- Fatal run-time errors that are cryptic and hard to solve
- Problems that result from a sequence of events
- Incorrect Windows API usage from Visual Basic
- Bad values passed to built-in Visual Basic functions
- Problematic value coercions
- Errors in components, such as ActiveX controls, used by your program

Heh heh, well, not only can you use SmartCheck for finding errors in your Visual Basic programs, you can also use SC to find out exactly what somebody else's program is doing, whether it is written in Visual Basic or not. In fact, here's news for all you crackers out there that hate cracking VB5 apps: SC makes it FUN!

OK, enough of the intro. After you have run the setup program (and found the required password using SoftIce), start SmartCheck. In the File menu, select Open, and open braga.exe. Then, in the Program menu, select Settings. Change whatever you have to this:

- All the check boxes in the Error Detection tab should be checked.
- In Advanced, in the Error Detection tab, the first 4 check boxes should be checked, the rest shouldn't be checked. Make sure 'Suppress API Calls' is NOT checked.
- In the Reporting tab, everything except 'Report mousemove events from OCX' should be checked.

Phew! OK, now press the green 'play' button and let the fun begin. Hopefully a new window will open in SC, split into three sections. The bottom section we don't have to worry about, because we normally won't have the source code of our target programs; it should read "No source file". In the section above that, on the left-hand side, you should have many lines of function calls; clicking on one reveals more details in the right-hand section.
One of the function calls you should see, the first one on the list, is InitializeCriticalSection(PTR: xxxxxxxx). If you look at the very bottom right-hand corner of the main SC window, you should see how many program events have occurred. I have 1360, just from loading braga.exe. In the View menu, select Show All Events. When you get to know SC better, you can experiment with the specific events (the Object Events view is usually good for our needs).

OK, Braga's crackme should have loaded, so enter a dummy name and serial, and click Register. You will probably now have a dialog box saying "Keep Trying :)))". Well, let's see what SmartCheck has given us. Search for the first 4 characters of whatever name you entered (I entered night_mastah[mgm], so I searched for nigh). The Program Results section should now be sitting at a

__vbaVarMove(VARIANT:String:"night_m",VARIANT:Empty) returns DWORD:63F35C

Well, it doesn't exactly take a genius to figure out what's happening here: you can see your name has been taken and placed at memory location 63F35C or whatever. Follow the Program Results down and it should really speak for itself. It gets your serial and keeps it for later. It then finds the LENgth of your name, then the LEFTmost character (for me 'n'). It then finds the ASCII value of that letter, then changes this to HEX (6E). Then the program takes the first 4 letters of your name, although I don't think what happens next is what Braga intended. Looking at the output from SC, I think he intended to find the ASCII value of the first 4 letters of your name, but all the program does is (again) find the ASCII value of the first letter, because Asc() only ever looks at the first character of the string it is given. It then changes this to HEX as well. Scrolling down further, you should come to the __vbaVarCat section, where the crackme works out the correct serial.
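The serial construction that the SmartCheck trace reveals (and that the numbered steps below spell out), as an added Python keygen that is not part of Night Mastah's tutorial or of Braga's crackme: it mirrors the VB calls seen in the log (Len, Left, Asc, Hex, concatenation) and also reproduces why Asc(Left(name, 4)) yields the first letter's code again. The vb_* helper names are mine; the fixed pieces "Pt-Cracker" and "12345" are the ones visible in the __vbaVarTstEq call.

```python
"""Keygen for Braga's Little Crackme 1, rebuilt from the SmartCheck trace.

Added example, not code from the tutorial or the crackme. The constant
pieces ("Pt-Cracker", "12345") come from the __vbaVarTstEq call in the trace;
the vb_* helpers model the Visual Basic runtime functions the trace shows.
"""


def vb_asc(s: str) -> int:
    """VB Asc(): character code of the FIRST character only.
    VB raises 'Invalid procedure call' on an empty string; modelled as ValueError."""
    if not s:
        raise ValueError("Asc() called on an empty string")
    return ord(s[0])


def vb_hex(n: int) -> str:
    """VB Hex(): upper-case hexadecimal, no leading zeros, no 0x prefix."""
    return format(n, "X")


def vb_left(s: str, n: int) -> str:
    """VB Left$(): the first n characters (fewer if the string is shorter)."""
    return s[:n]


def braga_serial(name: str) -> str:
    """Rebuild the serial exactly as the __vbaVarCat calls in the trace do:
    Hex(Asc(Left(name,1))) + "-" + "Pt-Cracker" + "-" + Hex(Asc(Left(name,4))) + "-" + "12345"
    The second group uses Left(name, 4), but Asc() reduces it to the first
    letter again, so the two hex groups are always identical."""
    first = vb_hex(vb_asc(vb_left(name, 1)))
    first_of_four = vb_hex(vb_asc(vb_left(name, 4)))  # same value as `first`, see vb_asc()
    return first + "-" + "Pt-Cracker" + "-" + first_of_four + "-" + "12345"


def check_serial(name: str, serial: str) -> bool:
    """What __vbaVarTstEq does in the crackme: a plain string comparison."""
    return serial == braga_serial(name)


if __name__ == "__main__":
    # Constructed sample names; only the first character matters.
    for n in ("night_mastah[mgm]", "Bisoux", "a"):
        print(f"{n:20} -> {braga_serial(n)}")   # night_mastah[mgm] -> 6E-Pt-Cracker-6E-12345
```

Run it and it prints serials for a few sample names. Because Asc() only ever sees one character, every name that starts with the same letter gets the same serial, which is the weakness the trace exposes.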
Again, it's fairly easy to work out what's happening, but if it isn't, let me explain:

1) It takes the hex value for the first letter of your name, then adds a '-'.
2) On the end of that, it adds the string 'Pt-Cracker' and another '-' (the string is now 'xx-Pt-Cracker-', where xx is the hex value).
3) It then adds the HEX value for the first letter of your name again (although I don't think he meant that, maybe...): 'xx-Pt-Cracker-xx'
4) Then another '-' is added to the string: 'xx-Pt-Cracker-xx-'
5) Finally, it adds 12345 to the string. The final string is: 'xx-Pt-Cracker-xx-12345'

Scroll down another few lines and you will find

__vbaVarTstEq(VARIANT:String:"111222333444555", VARIANT:String:"6E-Pt-Cracker-6E-12345")
                               ^^^^^^^^^^^^^^^
                               or whatever you entered as your serial.

Again, no prizes for guessing what that's about. If you favour patching the crackme, in W32Dasm the address you should start looking at is !0040239E (the __vbaVarTstEq() location). To convert the address from SC to W32Dasm, if the address starts with 000, change that to 004.

Hopefully this small tutorial has helped you figure out the basics of SmartCheck 5.0. If this tutorial has helped you, please repay the favour by saying "Hi" to me (night-) on #Cracking4newbies or #wwc on EFnet (hey - I'm a busy guy ;)

See ya
night mastah [ WWC ]

Greets go out to: sAsh0r, T_D, luddite, prophecy, tKc and anyone else I have forgotten ;)


PART 4: How to crack Opera 3.50
by NeuRaL_NoiSE

I'd like to show you how to crack Opera 3.50 in order to get a FULLY functional version, without any limitations of any sort. Anyway, please DO NOT FORGET that these guys WORK HARD to bring you a FANTASTIC browser, probably the BEST and FASTEST one you can find on the net...so please....if you really like it and USE it, REGISTER IT!

OK, enough intro....LET'S CRACK!
:)

*** TOOLS USED:
- W32Dasm v8.93
- Hacker's View v6.00
***

PART ONE: PREPARING THE SESSION
_______________________________

Well well well.....so you downloaded this fast, little browser...and you like it a lot.... but you can't really stand that ugly nag screen that pops up when you start it, right!? Well, nothing strange, you're a normal human being like almost everyone, then :)

OK, the first thing to do is to poke around a bit to fully understand the many fantastic peculiarities of this browser (and btw, if you're wondering, NO, Opera Software does NOT pay me to say that ;): click on "EVALUATE", take a good look around, and learn how most things work (you should do that EVERY TIME when cracking a program! KNOW YOUR ENEMY, as master Fravia+ always says!)...when you finish your browsing, click on HELP/ABOUT OPERA.... oh! what do I see! a bug! it says "REGISTERED : NO"....hmmm, well, it looks like we'll have to fix that immediately, or it might have some dangerous consequences! ;)

PART TWO: LET'S GO FOR IT! :)
_____________________________

Close the help window and click on HELP/REGISTER OPERA...you will get a dialog that asks you to enter your name, organization and reg code...and since you have no clue what to type in the third field, just enter bogus data...

I'd really like to show you how the programmers intended to protect the front door of the protection scheme but left the back door practically open to a strong cracking attack :)

Disassemble Opera.exe with your honestly bought (sure! ;p) copy of W32Dasm....now what do you always look for when you disassemble a program?? The usual, boring, annoying invalid-code-beggar-off string....so let's do it! Click on SEARCH and type in "IS INVALID" or any other word combination you remember from that nasty message that tells you to beggar off and find a good serial number somewhere :)...what do you see?? NOTHING! %-/ no match, no way!....OK...

The first time I took a look at Opera's disassembly, I thought "WOO!
THAT'S GOTTA BE AN INCREDIBLY TOUGH PROT SCHEME! LET'S ROCK!" but I was soon disappointed by the dumbness of the programmers (dumbness that I see only in the protection method, no way I would judge their FANTASTIC program (and, again, NO, THEY DO NOT PAY ME ;)...

SO! let's stop and THINK! <-- good quality in a cracker :)

WHEN does the program recognize us as poor unregistered guys for the FIRST time?!? hmm... YEAH! the beginning...there's that small, white and brief pseudo-splash screen at the beginning that says:

/--------------------\
| Opera 3.50 blah blah|
| Copyright blah blah |
|                     |
| Registered to:      |
| (unregistered)      | <-- A-HA! ;)
\--------------------/

hmm...cool...let's see.....click again on SEARCH and this time type in "(unregistered)".... BINGO! 2 matches! :) let's examine the first one...

:0045F882 7532                    jne 0045F8B6
:0045F884 6A40                    push 00000040
:0045F886 56                      push esi

* Possible Reference to String Resource ID=21110: "Opera 3.50"
|
:0045F887 6876520000              push 00005276
:0045F88C E8400B0000              call 004603D1
:0045F891 56                      push esi
:0045F892 E8F9CA0700              call 004DC390
:0045F897 59                      pop ecx
:0045F898 A344555000              mov dword ptr [00505544], eax
:0045F89D 6A40                    push 00000040
:0045F89F 59                      pop ecx
:0045F8A0 2BC8                    sub ecx, eax
:0045F8A2 8D8090555000            lea eax, dword ptr [eax+00505590]
:0045F8A8 51                      push ecx
:0045F8A9 50                      push eax

* Possible Reference to String Resource ID=21428: " (unregistered)"     <-- OUR MATCH
|
:0045F8AA 68B4530000              push 000053B4
:0045F8AF 8BCF                    mov ecx, edi
:0045F8B1 E81B0B0000              call 004603D1

Beautiful, ain't it? :) Well...what's your first thought?? Yes, I know...that JNE at 45F882.... but please....let's put a LITTLE bit of ZEN into this.....there's NO jump between the pushing of the two strings...what the heck could that mean?!?
When you run the browser, you see "Opera 3.50 (unregistered)" in the main program bar....so, considering that the JNE at 45F882 leads to NO string pushing at all in the dead listing, if you took that jump you would see NOTHING in the program bar....and that's quite impossible, isn't it?! :) Therefore you should easily understand that we are NOT near the ProtHQ :)

So....let's keep on SEARCHING! Press F3 and stop at the second match... here it is:

* Possible Reference to String Resource ID=21110: "Opera 3.50"
|
:00491E84 6876520000              push 00005276
:00491E89 FF3528595000            push dword ptr [00505928]
:00491E8F FFD7                    call edi

* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:00491E91 8B35A4C44E00            mov esi, dword ptr [004EC4A4]
:00491E97 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:00491E9D 50                      push eax
:00491E9E 53                      push ebx
:00491E9F FF7508                  push [ebp+08]
:00491EA2 FFD6                    call esi
:00491EA4 8D8540FBFFFF            lea eax, dword ptr [ebp+FFFFFB40]
:00491EAA 83C3FE                  add ebx, FFFFFFFE
:00491EAD 50                      push eax
:00491EAE 53                      push ebx
:00491EAF FF7508                  push [ebp+08]
:00491EB2 FFD6                    call esi
:00491EB4 8D856CFCFFFF            lea eax, dword ptr [ebp+FFFFFC6C]
:00491EBA 50                      push eax

* Possible Reference to Dialog: SPLASH, CONTROL_ID:2B26, "Text"
|
:00491EBB 68262B0000              push 00002B26
:00491EC0 FF7508                  push [ebp+08]
:00491EC3 FFD6                    call esi
:00491EC5 833DB45D500000          cmp dword ptr [00505DB4], 00000000
:00491ECC 7526                    jne 00491EF4
:00491ECE 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:00491ED4 68FF000000              push 000000FF
:00491ED9 50                      push eax

* Possible Reference to String Resource ID=21428: " (unregistered)"     <-- OUR MATCH
|
:00491EDA 68B4530000              push 000053B4
:00491EDF FF3528595000            push dword ptr [00505928]
:00491EE5 FFD7                    call edi
:00491EE7 8D85C5FEFFFF            lea eax, dword ptr [ebp+FFFFFEC5]
:00491EED 50                      push eax
:00491EEE 53                      push ebx
:00491EEF FF7508                  push [ebp+08]
:00491EF2 FFD6                    call esi

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00491C03(U), :00491CFE(U), :00491ECC(C)
|
:00491EF4 6A01                    push 00000001
:00491EF6 58                      pop eax

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00491BF9(U), :00491C8A(U), :00491D08(U)
|
:00491EF7 5F                      pop edi
:00491EF8 5E                      pop esi
:00491EF9 5B                      pop ebx
:00491EFA C9                      leave
:00491EFB C21000                  ret 0010

WOOOOW! MAN! QUITE A LOT OF CODE HERE! DO YOU WANT ME TO GO MAD!? :)) Nope....just read the whole block one more time, please.... It's E*A*S*Y! c'mon! use your intelligence! The program pushes "Opera 3.50" first...then we have some junk operations....and then the IMPORTANT pushing of the "(unregistered)" string.....but think about it...DO YOU SEE THAT JNE BEFORE THIS LAST PUSH?!? YEAH! THAT'S IT!.... take a closer look:

:00491EC5 833DB45D500000          cmp dword ptr [00505DB4], 00000000
:00491ECC 7526                    jne 00491EF4
:00491ECE 8D85C4FEFFFF            lea eax, dword ptr [ebp+FFFFFEC4]
:00491ED4 68FF000000              push 000000FF
:00491ED9 50                      push eax

* Possible Reference to String Resource ID=21428: " (unregistered)"     <-- OUR MATCH
|
:00491EDA 68B4530000              push 000053B4

The JNE at 491ECC is what we crackers call a GOOD JUMP, because (in this case) it doesn't allow the program to print "(unregistered)" in the program bar...so this time WE HAVE A CONDITIONAL JUMP BETWEEN THE TWO PUSHES! You dig it?!? ZEN cracking is the solution to all of your problems, guys....ZEN! :)

OK....so now we know that if the program takes that jump, then it is REGISTERED and we have a little more time to evaluate it before sending out our 35$ to Opera Software :)... but WHAT do we need to TAKE THAT JUMP?! hmm...let's take an even CLOSER look:

:00491EC5 833DB45D500000          cmp dword ptr [00505DB4], 00000000
:00491ECC 7526                    jne 00491EF4

As clear as Caribbean water, ain't it? :) It compares the value stored at [00505DB4] with ZERO....if it's NOT zero, it takes the jump, otherwise....we are UNREGISTERED! :)

What now?? Easy! We must scan the disassembly for every occurrence where the program puts something into [00505DB4]....
To do so, get to the beginning of the disassembly, click on SEARCH and type in "mov dword ptr [00505DB4],".... you wait, and you wait, and you wait, and you wait (my computer is a bit slow, ya know ;) until......... YEAH! A MATCH! (btw the ONLY match...in other words, this is the only place where [00505DB4] is written with a plain mov; a text search like this won't catch other ways of writing the same location, so keep that in mind if a patch like this ever fails to stick...) there you go:

:00491D58 E8DE1A0200              call 004B383B
:00491D5D 3BC6                    cmp eax, esi
:00491D5F A3B45D5000              mov dword ptr [00505DB4], eax     <-- OUR MATCH

Never mind the CMP; the two important instructions here are the CALL and the MOV... So we now know that it MOVes the value of EAX into our pointer after CALLING the procedure at 4B383B...we know this is the ONLY time the pointer is written, so if EAX is ZERO now, WE'LL BE UNREGISTERED LATER! It would be much better to get a 01, or anything else, don't you think?? :) so...LET'S ENTER the call....yeah....do you feel it? we're inside the ProtHQ...watch your back from now on...;) our brave W32Dasm will make us land right HERE:

:004B383B 8D8138010000            lea eax, dword ptr [ecx+00000138]
:004B3841 85C0                    test eax, eax
:004B3843 741A                    je 004B385F          <--- JUMP NUMBER 1
:004B3845 803800                  cmp byte ptr [eax], 00
:004B3848 7415                    je 004B385F          <--- JUMP NUMBER 2
:004B384A 81C190030000            add ecx, 00000390
:004B3850 51                      push ecx
:004B3851 E82FA5FDFF              call 0048DD85
:004B3856 85C0                    test eax, eax
:004B3858 59                      pop ecx
:004B3859 7404                    je 004B385F          <--- JUMP NUMBER 3
:004B385B 6A01                    push 00000001
:004B385D 58                      pop eax
:004B385E C3                      ret

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:004B3843(C), :004B3848(C), :004B3859(C)
|
:004B385F 33C0                    xor eax, eax
:004B3861 C3                      ret

WOOHOO! THIS IS THE HEART OF THE PROTECTION SCHEME! WE GOT IT NAKED, AT LAST! :) so CALM DOWN! and proceed slowly....we said that we must get a NON-ZERO value in EAX at the end of this call, right?!? Read it from the top: the first test checks that the address ecx+138 is not null (which, being a lea, it practically never is), the second that the byte it points to is not zero (so the string stored there is not empty), and the third calls 0048DD85 and checks what it returns; any failure lands on the xor eax, eax. Let's look....
If we take the first jump (at 4B3843), we will land at 4B385F, where that nasty "XOR EAX, EAX" will put a ZERO inside our EAX! SO JUMP NUMBER ONE IS AN EVIL JUMP! If we take the second jump (at 4B3848), we get the same result... SO JUMP NUMBER TWO IS EVIL TOO! Finally, if we take the third one (at 4B3859) nothing changes at all...we get, again, a ZERO inside EAX...but if we DO NOT TAKE ANY OF THESE JUMPS, we'll get to the part of the code where "01" is PUSHed and then POPped inside EAX.....EEEEHAA! WE WOULD THEREFORE BE REGISTERED! What should we do in order to skip those 3 nasty jumps!? We must PHYSICALLY MODIFY THE EXE FILE!

PART THREE: THE PATCHING
________________________

Write down the OFFSETS of both THE FIRST JUMP and the PUSH 00000001 instruction..... they should be B3843 and B385B respectively. CLOSE W32DASM! We don't need it anymore! Run HIEW (Hacker's View) and open Opera.exe. Change to DECODE MODE and GO to the first offset.... Press F3 to edit the bytes, and then F2 to modify the assembly instruction...change JE 0000B385F into JMPS 0000B385B...press F9 to save the change, and exit Hiew...

IMPORTANT: DO YOU UNDERSTAND WHAT WE HAVE DONE? WE HAVE MODIFIED THE PROGRAM, TELLING IT TO *ALWAYS* JUMP TO THE PLACE WHERE "01" IS PUSHED....THEREFORE, WE'LL ALWAYS BE REGISTERED! Run Opera.exe....AND YES! IT'S REGISTERED! Phew...we made it :)

PART FOUR: LAST WORDS
_____________________

Well a BIG BIG "THANK YA BROTHA!" goes to fellow cracker -MeMorY_LosT...it was together with him that I first cracked the beta version of Opera 3.50! MANY MANY THANKS to ytc_ for giving me the opportunity to write this tutorial! D00D, I WON'T FORGET THIS! :) GREETINGS to all the fantastic people at #cracking4newbies! Guys, yew RULE! :) AND, last but not least, personal GREETINGS go to TIN (the American cracker who speaks the best Italian :)), ZOLTAN (my favourite robot! :)) and L0KE (man, where the hell have ya disappeared!? ;)) MANY THANKS to The Keyboard Caper too, for taking the time to read this tutorial :)

.......THAT'S ALL, FOLKS! :)

-NeuRaL_NoiSE

PART 5: How to get a serial in DLL Demon v1.0
http://members.aol.com/progency
by BuLLeT

Since it's been 5 days since the last tut I think we'd better crack some more.

DLL Demon v1.0 (http://members.aol.com/progency)
We'll use W32Dasm & SoftICE in this tut.

1) Fire up the program.. "You are on day 1 of 30..." SUCKS! Click OK. Select Register in the Help menu. Hmm... Serial: XXXXXX What's this? Seems like the program calculates your code from that number.

2) Enter your name and a random code. Click Register. "INVALID"....hmm..time to disassemble this sucka.

3) Launch W32Dasm and disassemble DLLDEMON.EXE. Done? k :) Select SDR (=String Data Reference) and scroll down. Now we should be looking for INVALID, but while scrolling you see this:

* Single User Licence
* Site Licence

This means that the program can be registered in two ways depending on how much money you pay :P Hmm..since the program accepts more codes this also means that it is harder to patch. So let's just skip the idea of making all codes work and let us instead get both the codes :)

4) Quit W32Dasm. Launch DLLDEMON and go to the register form. Again you enter your name and a random code.

5) Press CTRL+D to enter SoftICE. So which breakpoints do we set? Well you try setting some of them but since I did a bit of research I'll just give you the right BPX. Set a breakpoint: BPX HMEMCPY - press F5 - click Register - *BRRWWWW* back in SoftICE ;)

6) Press F5 followed by F11. But now you're in the KERNEL....don't worry!

7) Press F10 until you see: DLLDEMON!CODE+xxxxxxxx Now you're back in DLLDEMON and it's time to press F10 again :-/ So you keep pressing F10 until you see this:

MOV EAX, [EBX+00000204]
CALL 00420634
MOV EDX, [EBP-10]        <--- This is where you stop!

When you're at that line type: D EDX - D'ya see it? Yeah you do..your serial number is right in your face.
But that's not the one we want so keep going.

8) Continue to press F10 until you see:

MOV DL, 01
CALL 004676CC
MOV EDX, [EBP-08]        <--- This is where you stop!

Now what? Guessed it already? Yeah..type: D EDX You see the number? Should be in a format like this: DSxxx-xxxx-xxx This is one of the keys - the "Single User Licence". But we also want the "Site Licence" key don't we? Well if you don't want it you can just stop now, clear all breakpoints (=BC*) and register the program, but for you who want both keys keep on reading.

9) Keep tracing using F10 until you see this: (you will have to trace through the KERNEL again)

XOR EDX, EDX
CALL 004676CC
MOV EDX, [EBP-08]        <--- This is where you stop!

Ok...I think you already know what to do...or? Well I'll help ya get the last number then :) Type: D EDX - See it? Your number is in a format like this: DSxx-xxxx-xxx

10) So..this should pretty much cover this. Clear all breakpoints (=BC*) and enjoy the registered version. Single/Site licenced. But there is a but here. (butt?!?!?...hehe) If you for some reason simply don't understand this you can get past this in an easy way using MY info. Launch REGEDIT.EXE - and go to:

[HKEY_CURRENT_USER\Software\Progency\DLLDemon1.0]

There you change the already existing line to this:

"rk"=dword:000242c2

Now you run DLLDEMON and register using this info:

Name: BuLLeT
Single-User-Licence: DSU100-8302-276
Site-Licence: DS74-5200-130

If you don't understand this last section you should probably start over or just accept that you're not a cracker *cough cough* :-\

All for now..Cya

-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------

PART 6: How to crack Nico's Commander v4.10
http://www.geocities.com/SiliconValley/Way/2686
by BuLLeT

Ok..since I got an urgent request I had to do this fast. <--- tKC says "thanks!" ;)

Nico's Commander v4.10 (http://www.geocities.com/SiliconValley/Way/2686)

Actually I dunno what this program is or does since I only launched it 2 times. I know however that this program asks for a serial when it's launched and that it will expire in a certain time. But who cares. Let's crack diz sucka!

1) Ok..so you launch the program and see an ugly NAG-screen. "Enter your registration number now..." yeah right...let's try that. Click YES.

2) Ok. Now you see a registration box. Enter a random serial and press OK. NAAAH..."Invalid registration number". <--- NOTE IT!

3) Launch W32Dasm and disassemble NC.EXE. Select SDR (=String Data Reference) and search for it. Found it? Ok..double-click it and close the SDR window.

4) Ok..so now you should see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424B49(C)
* Possible Reference to String Resource ID=04229: "Invalid registration number!"
|
:00424B68 6885100000              push 00001085
:00424B6D E8C35C0000              call 0042A835
:00424B72 397DE8                  cmp dword ptr [ebp-18], edi

Hmm..a (C)onditional Jump at address 00424B49 <--- Let's check it out.. scroll up.

5) Ok..you see what I see?

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00424B1B(C)
|
:00424B42 817DE4DC9A28A2          cmp dword ptr [ebp-1C], A2289ADC
:00424B49 751D                    jne 00424B68
:00424B4B A17C5D4800              mov eax, dword ptr [00485D7C]

* Possible Reference to String Resource ID=04230: "Congratulations. Your copy is now registered."

A CMP followed by a JNE (=Jump if NOT Equal). I wonder what a quick reverse would do here.

6) So let's try it. Note the offset at the bottom (offset: 23F49). Quit W32Dasm, launch HIEW (or another HEX editor of your choice).

7) Ok..(I assume you use HIEW). Type: HIEW NC.EXE Press ENTER twice to go to Decode mode.

8) Press F5 and enter the offset.

9) Press F3 to edit the file and type: 74 (=Jump if Equal).

10) Press F9 to save your work and ESC until you're back in DOS/Windows.
11) Ok..launch the program and, once again, enter a random serial. This time, however, you should get another screen...like this: "Congratulations. Your copy is now registered." And we all know what that means right? Sure...REGISTERED!

Hope you enjoyed, once again, following a tut by me.

All for now..Cya

-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
-------------------
i MaY Be SLoW - BuT i'M DeaDLy aS HeLL
-------------------

PART 7: How to get a serial in Teleport Pro v1.29, and how to make a keygen.
by PaRKER

TUTORIAL : Serial && KeyGen For Teleport Pro v1.29
--------------------------------------------------

Thanx to tKC, Flu[X] and many other peeps, I have learned to crack and I'd like to share with other people the few things I know now. So let's start this first tutorial with a small shareware, Teleport Pro, which is some kind of a www site grabber. To crack this shareware, you'll need SoftICE and a compiler to make the key generator (easier in assembler).

First of all, if it's your first use of SoftICE, you'll need to edit your winice.dat file. Remove the ";" before the lines with kernel32.dll, gdi32.dll and user32.dll. Then restart your computer.

Ok, now you are ready. Launch Teleport Pro. In the help menu, you'll see the "Register" choice. A box will appear and in the bottom left corner, three text fields: Name, Organization and Serial. Hmm, let's see what happens. Name: PaRKeR, Organization: , Serial: 12345. OK. Damnit! Not Registered. Let's reverse engineer the monster.

CTRL-D brings you to the SoftICE window. Let's modify some stuff now: "lines 43" adds more lines, "wr" brings up the registers window, "wd" brings up the data window. We add the breakpoints now: to get the info from text fields, the functions usually are getwindowtexta, getdlgitemtexta, or getdlgitemint. Type "bpx getwindowtexta", "bpx getdlgitemtexta" at first.
CTRL-D and you are back to the Register window. Press OK. BOUM! You are back to SoftICE due to getwindowtexta. Let's think a bit. Three text fields, it would be logical to have three breaks. Get out of the call by pressing F11. Press F11 again to continue. BOUM! Another break. F11, F11, last break, F11. If you press F11 one more time, you'll get out of SoftICE cause there are no more breaks. So let's trace with F10 now. It will allow you to step over calls. Press F10 again and again till you get to the following lines:

157:004246CD XOR EBX,EBX
157:004246CF PUSH 0A
157:004246D1 PUSH EBI
157:004246D2 PUSH PTR [ESI+000000DD]
157:004246D8 CALL 0042A960

ARG! Just after the call, you see that the register EAX has changed. Now EAX=00003039 ... 3039 in hex is 12345 in dec. We located our code. Let's continue:

157:004246DD MOV EBP,EAX                <--- The code is now in EBP!
157:004246DF MOV EAX,[00484C5C]
157:004246E4 ADD ESP,0C
157:004246E7 CMP [EAX+0000029F],BL
157:004246ED JZ 0042482A
157:004246F3 CMP EBP,EBX                <--- Hmmm
157:004246F5 MOV EDI,00429AD4
157:004246FA JZ 00424755

Hmm, EBP is compared here ... but EBX=0: not the good one. Let's go on:

157:004246FC PUSH DWORD PTR [ESI+000000D5]
157:00424702 CALL 00424FAF
157:00424707 CMP EBP,EAX                <--- Hmmm
157:00424709 POP ECX
157:0042470A JNZ 0042471B

Now EBP is compared with EAX. Type "? eax" and it will give you an ascii string, a hex number and a dec number. We write it down. We disable the breakpoints by typing "bd *", press CTRL-D. We enter 1944573845 as the new serial - it's the number I got in EAX, not a random number :). OK. WAOW! Registered. That rocks!

Close Teleport Pro. Well, we'll have to check the key generation routine now. To unregister the shareware (a thing that you MUST do if you are not the owner of a licence), launch Regedit, and remove the HKEY_CURRENT_USER/Software/Tennyson Maxwell dir. Close Regedit. Back to Teleport Pro, unregistered.
Open the Register window and enable the breakpoints by typing "be *" in SoftICE. Let's have a look at the piece of code above; you boggle a while and it appears clearly to you that the key is generated at 00424FAF and is stored in EAX. Press OK, BOUM, the break. Clear all breakpoints by typing "bc *". Now you can add a new breakpoint by typing "bpx 424702": that is where the call is made - hmmm. Press F11. Now we are at the good address. Let's step into the call by pressing F8. Let's press F8 till you get this:

157:00424FCE MOV ESI,5DFEE4A4      <--- Hmm I think it's important
157:00424FD3 XOR EBX,EBX           <--- EBX will be the number of the char considered
157:00424FD5 TEST EDI,EDI          <--- Is the name entered (in EDI) empty?
157:00424FD7 JZ 00424FE2
157:00424FD9 PUSH EDI
157:00424FDA CALL 0042A020         <--- Step over that call, it sux :)
157:00424FDF POP ECX
157:00424FE0 JMP 00424FE4
157:00424FE2 XOR EAX,EAX
157:00424FE4 ADD EAX,-4            <--- Length-4
157:00424FE7 CMP EBX,EAX           <--- Have we reached Length-4?
157:00424FE9 JAE 00424FF7          <--- If yes, let's go out
157:00424FEB XOR ESI,[EDI+EBX]     <--- If no, let's xor esi with a strange number: it's the 4 bytes of the name from char EBX - reversed.
157:00424FEE TEST BL,40
157:00424FF1 JZ 00424FF4
157:00424FF3 INC EBX
157:00424FF4 INC EBX               <--- Next char
157:00424FF5 JMP 00424FD5          <--- And we loop
157:00424FF7 MOV EAX,ESI           <--- Yeah, we finally have it :)

I leave the key generator to you as an exercise. I have chosen TASM to make a KeyGen. ASM is easier cause you just have to copy some of the code and adapt it to your code. Just a hint: if you didn't get it, just before the piece of code above, Teleport Pro checks if the length of your name is greater than or equal to 5.

I hope you had fun with the tutorial, and that I'll be back for other adventures. Special thanx go to tKC and CrackZ.
Mail comments, suggestions to parker__@caramail.com

<=-PaRKER-=>

PART 8A: How to crack FullDisk v3.3
     8B: How to code a Patch in ASM
by PaRKER

-----------------------------------------------
CRACKING FULLDISK v3.3 - Using W32Dasm And Hiew
-----------------------------------------------

Hi, and here I am for another tutorial, this time I will use W32Dasm and Hiew to remove two easy protections in a prog called Fulldisk. This tutorial is for educational purposes only, don't forget either to register this prog or remove it from your hard drive when done.

Ok, install the program, launch it. No nag screen. Cool. There is a register option in the file menu with the name/key scheme. You may have a look if you want, but it won't be the aim of this tut. Ok, let's close the program. Hmmm, some sort of nag. Ok we'll have a look at this later. Let's change the system date. Ok, a message appears telling you that your trial period is over. It says exactly: "Your evaluation period of 30 days has expired."

Now let's try to patch this prog. Copy fulldisk.exe to 1.exe for example, and then backup 1.exe to 1.bak. We'll disassemble the original file and make all the modifications on 1.exe, replacing it by its backup if we fuck up something.

Disassemble fulldisk.exe with W32Dasm. We'll check the date limit first. Click on the StrnRef button, and search for the string quoted above. It should be the last one or so. Double click on it, and you get to the following lines:

:00401C6E 837D801E                cmp dword ptr [ebp-80], 0000001E
:00401C72 0F8E1D000000            jle 00401C95
:00401C78 837D803C                cmp dword ptr [ebp-80], 0000003C
:00401C7C 0F8D13000000            jnl 00401C95
:00401C82 6A00                    push 00000000
:00401C84 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Your evaluation period of 30 days "
                                        ->"has expired."
|
:00401C86 6870314100              push 00413170

Hmmm, pretty clear, isn't it? 1E is the hexadecimal value for 30.
So the prog compares the value in [ebp-80] to 30, and if it's lower or equal (jle), it jumps, otherwise it pops up the dialog box. Let's have a look at the following lines:

* Reference To: MFC40.Ordinal:0425, Ord:0425h
|
:00401C8B E8B4D20000              Call 0040EF44
:00401C90 E92A000000              jmp 00401CBF

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00401C72(C), :00401C7C(C)
|
:00401C95 837D803C                cmp dword ptr [ebp-80], 0000003C
:00401C99 0F8E20000000            jle 00401CBF
:00401C9F 6A00                    push 00000000
:00401CA1 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"Your evaluation period of 30 days "
                                        ->"expired one month ago."
|
:00401CA3 68EC314100              push 004131EC

Hmmm, another check at :00401C95. It now checks if the number of days is greater than 60 (3C in hex) and if it's lower or equal, it jumps to :00401CBF. When looking at these lines, we can see that there is no more check or that kind of thing. I guess what you are thinking: "I wish the program could jump directly to that line." Indeed, that's how we will patch the program. Highlight the line :00401C72 and get the offset of the line (look at the status bar of W32Dasm): it should be 1072h. Now go to line :00401CBF, and note the offset: 10BFh. Now we are ready to hexedit the program. Launch Hiew on 1.exe, press F4, select decode, press F5, enter 1072 and now you can see:

.00401C72: 0F8E1D000000           jle .000401C95   -------- (1)

Press F3, we'll change the jle to a jmp by entering E9, then we'll put 4800 to jump to 10BF, and we'll update with the F9 key. Now the line is:

.00401C72: E948000000             jmp .000401CBF   -------- (1)

Cool. Close Hiew and launch the prog: no more dialog box. That's OK, except when closing the program, the nag still appears. Hmmm, let's check in W32Dasm. The title of this box is: "How did you like Fulldisk?" Click on Search, Find Text, and search "How did". Well, it will lead you to dialog box number 67. Now let's find all the calls to that dialog box.
Click on the DlgRef button and double click on DialogID_0067. You'll find a reference to that dialog box. But wait, there may be others. So double click again: bham, another reference, and another. That makes three references to that box. How can we check which is the good one? Hmmm, we'll use breakpoints. Press CTRL-L and click on load. Wait a bit. Then go to each line that references DialogID_0067. Press F2 to add breakpoints at those lines. Then run the program. Quit Fulldisk. Breakpoint! Cool. Click on terminate. Here is the critical section:

* Referenced by a CALL at Address:
|:00402DBE
|
:0040BAB0 55                      push ebp
:0040BAB1 8BEC                    mov ebp, esp
:0040BAB3 6AFF                    push FFFFFFFF
:0040BAB5 680CBB4000              push 0040BB0C
:0040BABA 64A100000000            mov eax, dword ptr fs:[00000000]
:0040BAC0 50                      push eax
:0040BAC1 64892500000000          mov dword ptr fs:[00000000], esp
:0040BAC8 83EC04                  sub esp, 00000004
:0040BACB 53                      push ebx
:0040BACC 56                      push esi
:0040BACD 57                      push edi
:0040BACE 894DF0                  mov dword ptr [ebp-10], ecx
:0040BAD1 8B4508                  mov eax, dword ptr [ebp+08]
:0040BAD4 50                      push eax

* Possible Reference to Dialog: DialogID_0067
|
:0040BAD5 6A67                    push 00000067
:0040BAD7 8B4DF0                  mov ecx, dword ptr [ebp-10]

Cool, referenced by a call at address :00402DBE. Let's check there:

:00402DA9 83B8A401000000          cmp dword ptr [eax+000001A4], 00000000
:00402DB0 0F8544000000            jne 00402DFA
:00402DB6 6A00                    push 00000000
:00402DB8 8D8D20FFFFFF            lea ecx, dword ptr [ebp+FFFFFF20]
:00402DBE E8ED8C0000              call 0040BAB0

I think we're done :) Indeed, at line :00402DB0 there is a jump that goes over the call. Once again, get the offsets corresponding to lines :00402DB0 and :00402DFA, and once again hexedit the 1.exe file:

.00402DB0: 0F8544000000           jne .000402DFA   -------- (1)

becomes:

.00402DB0: E945000000             jmp .000402DFA   -------- (1)

Save the whole thing. Launch the prog: no more nag, no more date limit :))

There is an asm file that patches those 6 bytes joined with this tut. It will help you to do your own patches. Have fun.
PaRKeR/CiA'98

Thanx go to: tKC, CrackZ, Josh and all CiA members.

PART 8B: How to code a Patch in ASM:

; Fulldisk v3.3 Crack
; by PaRKeR (12/12/98)
;
; Use tasm fdisk33c.asm then tlink /t /3 fdisk33c.obj

.MODEL TINY
.386

.DATA
INTRO    DB 0AH, 0DH, ''
         DB 0AH, 0DH, ' Fulldisk v3.3 Crack '
         DB 0AH, 0DH, ' PaRKeR/CiA''98 '
         DB 0AH, 0DH, ''
         DB 0AH, 0DH, ' This crack removes the 30 days limit '
         DB 0AH, 0DH, ' and the nag screen that appears when '
         DB 0AH, 0DH, ' closing the program. '
         DB 0AH, 0DH, '', 0AH, 0DH
         DB 0AH, 0DH, ' Opening fulldisk.exe.', 0AH, 0DH, '$'
FILE     DB 'FULLDISK.EXE', 0
HANDLE   DW 0
PATCH1   DB 0E9H, 03EH, 00H, 0
PATCH2   DB 0E9H, 045H, 00H, 0
NOTFOUND DB ' File not found. Aborting.', 0AH, 0DH, '$'
; dunno how to check the filesize, but I have put the information here
FILESIZE DD 01BE00H
BADSIZE  DB ' Filesize incorrect. Aborting.', '$'
CRACKED  DB ' File successfully cracked.', 0AH, 0DH, '$'

.CODE
ORG 100H
START:
        LEA EDX, [INTRO]
        CALL PRINT
        LEA DX, [FILE]
        MOV AX, 3D02H
        INT 21H
        MOV [HANDLE], AX
        CMP AX, 02H
        JNE WRITE
        LEA DX, [NOTFOUND]
        CALL PRINT
        JMP EXIT
WRITE:
        MOV BX, HANDLE
        MOV CX, 00H
        MOV DX, 107CH           ; 1st offset
        MOV AX, 4200H
        INT 21H
        MOV CX, 03H             ; 3 bytes to patch
        LEA DX, [PATCH1]        ; values
        MOV AH, 40H
        INT 21H
        MOV BX, HANDLE
        MOV CX, 00H
        MOV DX, 21B0H           ; 2nd offset
        MOV AX, 4200H
        INT 21H
        MOV CX, 03H             ; 3 bytes to patch (again)
        LEA DX, [PATCH2]        ; values
        MOV AH, 40H
        INT 21H
        LEA DX, [CRACKED]
        CALL PRINT
EXIT:
        MOV AX, 4C00H
        INT 21H

PRINT PROC
        MOV AH, 09H
        INT 21H
        RET
PRINT ENDP

GET PROC
        MOV AH, 0AH
        INT 21H
        RET
GET ENDP

END START

PART 9A: How to get a serial in Split32 v1.1
     9B: How to make a keygen in ASM
by PaRKER

Cracking Split32 v1.1 by PaRKeR
-------------------------------

First of all I'd like to say that Split32 is a VB5 program, and that's why I have chosen to have a look at it: I have heard so many things about Numega SmartCheck that I wanted to try it.
VB5 progs are different in that the functions used are not implemented in the prog itself but in a DLL called MSVBVM50.DLL, so VB5 progs are some kind of a list of calls to functions in that DLL. Cracking VB5 progs can be done by using SoftICE, adding EXP=c:\windows\system\msvbvm50.dll in your winice.dat file, or by disassembling the file and taking a look at the code, or by using SmartCheck, THE perfect tool for VB5 programs.

This tutorial is divided into two parts: an easy part consisting in getting a serial number for Split32, and a second one, a little harder, making a key generator for the same shareware. For those two parts you'll only need SmartCheck 6.0 and an ascii/hex/dec convertor, and, of course, Split32.

PART I - Getting a serial number
--------------------------------

Okay, launch Split32 ... hmm. Classic: limited time trial and limited number of launches. Click on about. Bingo! Name/Key scheme. Now let's have a look at SmartCheck. First you'll need to configure it. Run it. Choose Program/Settings in the menu. In Error Detection, all boxes should be checked. Click on Advanced. Here only the first four boxes should be checked. Then click on Reporting. There all boxes should be checked except the one for MouseMove. Click on OK, you are now ready to use SmartCheck.

Choose File/Open and open Split32.exe. Then choose Program/Start. The program is now launched by SmartCheck. You will get some API failures, just click on Acknowledge each time. After a moment the window of the program will appear. As you might have noticed, a window in SmartCheck has opened, showing all the events associated with the program. This will be the most useful window in your whole life as a VB cracker (hmm, perhaps not that true...). Now let's click on About in the Split32 window. You'll notice that your clicks are recorded in the Program Results window. Ok. Now enter a name (I used PaRKeR) and a key (I used 12345). Click on OK.
Nothing happened and you're back at the Split32 main window. Click on Quit. Don't forget to acknowledge the few failures you'll have in return. Now you are alone facing that BIG window with all the results and events of the program. Let's boggle the concept a while. If a key is generated and a comparison happens, it must be when clicking on OK in the about window or that kind of thing, right? So let's have a look at what happens when you clicked on OK. Because you are very clever, you have noted the name of the event associated with your click. In my case, it is:

+ Command1_Click

Let's click on the "+" sign: it changes into a "-" sign and all the events that happened are shown to you! Great! This should look like:

- Command1_Click
  | Text1.Text
  | Text3.Text <-- "0" (String)
  | Text1.Text
  | Len returns LONG:6
  | ...
  | ...
  | + Form4_Unload
- Command1_Click

Even for a new cracker, it would appear clearly that this REALLY sounds like a key generation routine. Now let's place the highlighted bar on Text1.Text for example. In the right window, it will show:

(No additional details)

Hmmm, moving the bar down 3 times we can see:

- String string1 = 0043372C
  |- = "PaRKeR"

Pretty clear: 6 is the length of the string PaRKeR. If you have a little knowledge of computer programming, all the other operations will be clear as crystal for you. Let's go down ... nothing very interesting ... WAAAAAAAIT! Look at this strange string:

Text3.Text <-- "905591-S47"

If that isn't a serial number, I'll be hanged! Note this string down. Close SmartCheck. Run Split32. About. Name: PaRKeR, Key: 905591-S47. OK. Hmmm, nothing happened. About. BOUUUUUM, registered to one user. TOOOOOOO EASY! :)

PART II - Making a key generator
--------------------------------

This part will be a little harder cause you'll need to feel the thing rather than looking for clear instructions. Ok. Let's get back to the Program Results window, where you clicked on Command1_Click.
Moving the bar downwards, we'll look at the comments in the right window. Hmmm, nothing interesting till the event called Mid:

- string (variant)
  | - String .bstrVal = 0043372C
  |   |- = "PaRKeR"
  |- Long length = 1 0x00000001
- start (variant)
  |- Integer .iVal = 1 0x0001

Then we have another event: Asc returns Integer:80. Hmmm, of course! 80 is the decimal value for the character "P". Then a little after, we have Text3.Text <-- "81" (String). Why 81 and not 80??? Hmmm, 81 is 80+1. Some lines after, we have: Asc returns Integer:97. Once again as you should have guessed, 97 is the decimal value for "a". Then we have Text3.Text <-- "180" (String). DOH! 97+81=178. Wait a sec... 180=178+2, so we have 180=(80+1)+(97+2). Sounds like this part of the algorithm will be sum(i+Name[i], i, 0, length-1). This is verified by the lines that follow: 265=(80+1)+(97+2)+(82+3), and so on again and again. Ok. 6 chars later, we have:

Val returns double:538 (displayed as single-precision floating point)
Text3.Text <-- "905591-S47" (String)

Damned, even Einstein wouldn't know how to get from the first line to the other one... What can we do now? A little leprechaun on my shoulder says that SmartCheck is hiding some stuff from me. Well, let's choose View/Show All Events when the bar is over "905591-S47". BINGO! A lot of new stuff appears in the window. Let's highlight Val returns double:538 (...). Just under is a call to __vbaVarMul, look at the stuff in the right window: that's 150756*6 (hmmm, 6 is the length of the name...), then __vbaVarAdd: that's 904536+517 (hmmm, 904536=6*150756), then __vbaVarAdd: that's 905053+538 (hmmm, our 538 and 905053=904536+517). Hurra, we have the first part of the key: "905591". Then a __vbaVarCat, then __vbaVarAdd: that's 41+6 (remember, 6 is the length of the string). BAM! We have the third part of the key "47" and then another __vbaVarCat. That means that the prog gets "905591", "-S" and "47" to make the key. We're done!
But we have a few things to check: are 150756, 517 and 41 constants or variables? Is the formula sum(i+Name[i]) right? For the second part, you can check that now with the Show All Events option: indeed this is right. For the first part, the only way I found is to check the whole stuff again with a different name: and it appears that those 3 numbers are constants. Now we are really done. Here is the final generation routine:

- first part : 150756*length+517+sum(i+Name[i], i, 0, length-1);
- second part : -S;
- third part : length+41.

Hmmm, thanx SmartCheck! U rox.

Personal greetings go to: tKC, CrackZ and Josh.

Don't forget to unregister Split32 when you are done. For that, open regedit, remove the key HKEY_USERS/.Default/Software/Microsoft/Windows/CurrentVersion/rh or buy the license. Thanx, authors deserve your help.

PaRKeR

PART 9B: How to make a keygen in ASM:

; Split32 v1.1 Key Generator
; by PaRKeR (9/12/98)
;
; Use tasm splitkg.asm then tlink /t /3 splitkg.obj

.MODEL TINY
.386

.DATA
INTRO    DB 0AH, 0DH, ''
         DB 0AH, 0DH, ' Split32 v1.1 Key Generator '
         DB 0AH, 0DH, ' by PaRKeR '
         DB 0AH, 0DH, ''
         DB 0AH, 0DH, 'Enter your name : ', '$'
INPUT    DB 20H
NLENGTH  DB 0
REGNAME  DB 20H DUP (0)
BEGCODE  DB 10H DUP (0)
MIDCODE  DB '-S', '$'
ENDCODE  DB 10H DUP (0)
OUTPUT   DB 0AH, 0DH, 'Your key is : ', '$'
BADNAME  DB 0AH, 0DH, 'ERROR : No name entered', 0AH, 0DH, '$'
NEWLINE  DB 0AH, 0DH, '$'

.CODE
ORG 100H
START:
        LEA EDX, [INTRO]
        CALL PRINT
        LEA DX, [INPUT]
        CALL GET
        CMP BYTE PTR [NLENGTH], 0       ; Is the name entered empty?
        JNE NEXT
        LEA DX, [BADNAME]               ; If yes, error message
        CALL PRINT
        JMP EXIT
NEXT:
        MOVZX EAX, BYTE PTR [NLENGTH]   ; If no, length stored in EAX
        LEA EDI, [REGNAME]              ; Name in EDI
        MOV EBX, EAX                    ; Length in EBX
        MOV ECX, 150756
        MUL ECX                         ; 150756*Length in EAX
        XOR ECX, ECX                    ; i=0
GO:
        MOVZX EDX, BYTE PTR [EDI+ECX]   ; Name[i] in EDX
        ADD EAX, EDX                    ; EAX+Name[i] in EAX
        INC ECX
        ADD EAX, ECX                    ; EAX+i+1 in EAX
        CMP ECX, EBX                    ; End of Name?
        JB GO
        ADD EAX, 517                    ; EAX+517 in EAX
        LEA EDI, [BEGCODE]
        PUSH EBX
        CALL HEXCONV
        POP EBX
        LEA DX, [OUTPUT]
        CALL PRINT
        LEA DX, [BEGCODE]
        CALL PRINT
        MOV EAX, EBX                    ; Length in EAX
        ADD EAX, 41                     ; Length+41 in EAX
        LEA EDI, [ENDCODE]
        CALL HEXCONV
        LEA DX, [MIDCODE]
        CALL PRINT
        LEA DX, [ENDCODE]               ; And we print the whole stuff
        CALL PRINT
        LEA DX, [NEWLINE]
        CALL PRINT
EXIT:
        MOV AX, 4C00H
        INT 21H

PRINT PROC
        MOV AH, 09H
        INT 21H
        RET
PRINT ENDP

GET PROC
        MOV AH, 0AH
        INT 21H
        RET
GET ENDP

; This procedure converts the number stored in EAX to a string that we put
; at the address given in EDI. Don't forget to push EBX, ECX and EDX if
; needed cause this will change their contents.
HEXCONV PROC
        XOR EBX, EBX
        MOV ECX, 0AH
@@LOOP1:
        XOR EDX, EDX
        DIV ECX
        ADD EDX, 30H
        PUSH EDX
        INC EBX
        TEST EAX, EAX
        JNZ @@LOOP1
        XOR EDX, EDX
        XOR EAX, EAX
@@LOOP2:
        POP EDX
        MOV BYTE PTR [EDI+EAX], DL
        INC EAX
        TEST EBX, EBX
        DEC EBX
        JNZ @@LOOP2
        MOV BYTE PTR [EDI+EAX], '$'
        RET
HEXCONV ENDP

END START

PART 10A: How to get a serial in MP3 to EXE v1.5
     10B: How to make a 'keygen'
http://software.webset.de/buschjost/mp3eng.htm
by tKC

Step 1. Run MP3TOEXE.

Step 2. Click on Register, enter "The Keyboard Caper" as Name, "MP3-12345" as Serial, and "12345" as Registration Code.

Step 3. Click OK. Wrong code.. Hmm it's written in Delphi! *duh* ;)

Step 4. Ok, not a big problem. Quit MP3TOEXE, open W32Dasm and disassemble MP3TOEXE.EXE.

Step 5. Once it's disassembled, click STRING DATA REFERENCE, look down for the string: "The Registrationinformation is wrong. Try again?" and double click it.

Step 6. Close the SDR window, you should see the line:

* Possible StringData Ref from Code Obj ->"The Registrationinformation is "
                                        ->"wrong. Try again?"
:0046DF24 BAA4E44600              mov edx, 0046E4A4

Step 7. Now press the PgUp key till we get:

:0046DE1B 8D55F8                  lea edx, dword ptr [ebp-08]

Step 8. This is the address we're gonna use in SoftIce. Close W32Dasm. Go back to MP3TOEXE, run it and click the Register button.

Step 9. CTRL-D to SoftIce. Type BPX SHOWWINDOW, then F5.
Click Enter the RegistrationCode .. *boom* you're back in SoftIce. Step 10. Type G 46DE1B <--- this is where we've got the address in W32Dasm. *boom* we're back at MP3TOEXE. Re-enter info as in Step 2, then click OK. *boom* we're at the right caller! Step 11. At 0177:0046DE1B, you'll see SS: 0074EC58=00C88DE4 in Register Window, (SS: 0074EC58 address might be diff on your machine..), type D C88DE4, and we get my name in Data Window. Kewl, trace down till: 0177:0046DE2F PUSH EAX Step 12. Type D EAX and you'll get "12345" in Data Window.. Kewl, our false code! Step 13. Trace downward (press F10) till you see: 0177:0046DE68 POP EAX (above this line, you get "0177: 0046DE65 MOV EDX, [EDX-24]", keep it in mind, we'll need this info for Part 10B later.) <-- See Part 10B, Step 2 below) Now you'll see in Register Window: EDX=00C88DE4 .. hmm, what's it? Step 14. Type D EDX and what do we get in Data Window? *our registration code!* Step 15. Type BC* and press F5 to return to MP3TOEXE. Step 16. Enter "4BFCAAB2655E43AE" *registered!* Just close the program and reload, it'll then be reg'd! PART 10B: How to make a 'keygen' for MP3 to EXE v1.5 Step 1. Now you'll need to unregister your MP3 to EXE, run your REGEDIT, and goto: HKEY_LOCAL_MACHINE\Software\Oliver Buschjost\MP3TOEXE\v1.5 Delete the keys: Free, Name and Serial. Press F5 to update your registry! Step 2. Ok, open W32Dasm, copy MP3TOEXE.EXE to MP3TOEXE.W32 and disassemble MP3TOEXE.W32. Once it's disassembled, press Shift-F12 to open a box (Goto Code Location), enter 46DE65 (remember this address? we got this address in Softice, look above at Part 10A, Step 13) Step 3. I assume you're now at the line: :0046DE65 8B55DC mov edx, dword ptr [ebp-24] Step 4. Now press PgDn key till we get: :0046DF24 BAA4E44600 mov edx, 0046E4A4 <--- tells you it's wrong code, try again? 
:0046DF29 A1D4C54700              mov eax, dword ptr [0047C5D4]
:0046DF2E 8B00                    mov eax, dword ptr [eax]
:0046DF30 E8BB15FCFF              call 0042F4F0
:0046DF35 83F807                  cmp eax, 00000007          <--- clicked yes or no?
:0046DF38 7533                    jne 0046DF6D               <--- jump after clicked yes/no

Step 5. The lines above are the instructions that tell the program to open the box and tell you that your code is wrong. Ok, we're gonna change them so that the same box tells you the correct code instead (remember, [ebp-24] still holds the pointer to the correct code at this point). It's fun! :)

Step 6. Run HIEW MP3TOEXE.EXE, press F4 to select Decode mode (ASM), press F5 and enter 6D324 (you've got this file offset from W32Dasm). You should see:

0006D324: BAA4E44600    mov   edx,00046E4A4 ;" F_"
0006D329: A1D4C54700    mov   eax,[00047C5D4]
0006D32E: 8B00          mov   eax,[eax]
0006D330: E8BB15FCFF    call  00002E8F0        -------- (1)
0006D335: 83F807        cmp   eax,007 ;""
0006D338: 7533          jne   00006D36D        -------- (2)

Step 7. That's where you're gonna change the bytes. Now press F3 and enter:

0006D324: 8B55DC        mov   edx,[ebp][-0024]  <--- correct code
0006D327: 52            push  edx               <--- shows you the code
0006D328: 90            nop                     <--- nop out
0006D329: A1D4C54700    mov   eax,[00047C5D4]
0006D32E: 8B00          mov   eax,[eax]
0006D330: E8BB15FCFF    call  00002E8F0
0006D335: 83F807        cmp   eax,007 ;""
0006D338: C9            leave                   <--- close the box
0006D339: C3            retn                    <--- to return to the caller

(Note that both patches keep the same byte count: 5 bytes replace 5 bytes at 6D324, and 2 bytes replace the 2-byte jne at 6D338, so nothing behind them shifts.)

Step 8. Press F9 to update MP3TOEXE.EXE, quit HIEW and run MP3TOEXE. Oops! Seems it checks the CRC! Ok, go back to W32Dasm, click STRING DATA REFERENCE, look down for the string "This program has been modified " and double click it.

Step 9. Close the SDR window, you should see the lines:

* Possible StringData Ref from Code Obj ->"This program has been modified "
                                        ->"either by a virus or by a transfer "
                                        ->"problem. It will terminate now."
:00462870 68FC284600              push 004628FC
:00462875 6A00                    push 00000000

Step 10. Ok, scroll up a few lines till you get to:

:00462856 7430                    je 00462888

Step 11. You're gonna change this byte to bypass the check: 74 (je) becomes EB (jmp), so the "modified" branch is never taken. Run HIEW MP3TOEXE.EXE, press F5 and enter 61C56, press F3 and enter EB. Now press F9 to update, quit HIEW.
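The three HIEW edits of Steps 6, 7 and 11 are easy to get subtly wrong by hand (one offset off, or typed into a different build of the EXE). The script below is an added example and not part of tKC's tutorial: it applies the same three byte patches from a script, refuses to write if the bytes it expects to overwrite are not there, and rejects any patch that would change the length of the code. The file offsets and bytes are the ones shown in the tutorial. The VA-to-file-offset mapping is an assumption (image base 0x400000, code section at RVA 0x1000 / raw offset 0x400); it is only claimed to reproduce the two VA/offset pairs the tutorial gives (46DF24 -> 6D324 and 462856 -> 61C56), and a real PE would have its section table read instead. The sample image is a constructed stand-in, not the real MP3TOEXE.EXE.

```python
"""Reproducible patcher for the MP3 to EXE v1.5 edits done by hand in HIEW.

Added example, not part of the original tutorial. Offsets and byte values
come from the tutorial's listings; the section layout below is an ASSUMPTION
chosen because it reproduces both VA/offset pairs the tutorial shows.
"""

# (virtual address as shown by W32Dasm, file offset as typed into HIEW),
# both taken from the tutorial; used to sanity-check the mapping.
KNOWN_PAIRS = [(0x0046DF24, 0x6D324), (0x00462856, 0x61C56)]

# Assumed PE layout (not read from the page): image base and one code
# section given as (section RVA, raw file pointer, raw size).
IMAGE_BASE = 0x400000
SECTIONS = [(0x1000, 0x400, 0x70000)]


def va_to_file_offset(va, image_base=IMAGE_BASE, sections=SECTIONS):
    """Map a virtual address (W32Dasm) to a raw file offset (HIEW)."""
    rva = va - image_base
    for sec_rva, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"VA {va:#x} is not inside any known section")


# Each patch: (file offset, bytes HIEW showed before, bytes we type in).
PATCHES = [
    # Step 7: mov edx,0046E4A4 ("wrong code" text) -> mov edx,[ebp-24]; push edx; nop
    (0x6D324, bytes.fromhex("BAA4E44600"), bytes.fromhex("8B55DC5290")),
    # Step 7: jne 0046DF6D -> leave; retn, so the routine returns once the box closes
    (0x6D338, bytes.fromhex("7533"), bytes.fromhex("C9C3")),
    # Step 11: je 00462888 -> jmp 00462888, skipping the "program has been modified" exit
    (0x61C56, bytes.fromhex("74"), bytes.fromhex("EB")),
]


def apply_patches(data, patches):
    """Return a patched copy of data; refuse to touch a file whose bytes don't match."""
    out = bytearray(data)
    for offset, expected, replacement in patches:
        if len(expected) != len(replacement):
            raise ValueError(f"patch at {offset:#x} changes length and would shift code")
        actual = bytes(out[offset:offset + len(expected)])
        if actual != expected:
            raise ValueError(
                f"unexpected bytes at {offset:#x}: {actual.hex()} != {expected.hex()}")
        out[offset:offset + len(replacement)] = replacement
    return bytes(out)


def build_sample_image():
    """Constructed stand-in for MP3TOEXE.EXE: zero-filled, tutorial bytes in place."""
    img = bytearray(0x6E000)
    listing = bytes.fromhex("BAA4E44600A1D4C547008B00E8BB15FCFF83F8077533")  # at 6D324
    img[0x6D324:0x6D324 + len(listing)] = listing
    img[0x61C56:0x61C58] = bytes.fromhex("7430")                              # je 00462888
    return bytes(img)


def patched_sample():
    """Apply the tutorial's three patches to the constructed image."""
    return apply_patches(build_sample_image(), PATCHES)


if __name__ == "__main__":
    for va, off in KNOWN_PAIRS:
        assert va_to_file_offset(va) == off, f"{va:#x} -> {off:#x}"
    patched = patched_sample()
    print("patched region at 6D324:", patched[0x6D324:0x6D33A].hex())
```

Running it a second time on the already patched image raises ValueError, because the bytes at 6D324 no longer read BAA4E44600; that is the behaviour you want from a patcher when the CRC check in Step 8 has just reminded you how cheap it is to corrupt an EXE by writing to the wrong place.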
Run MP3TOEXE .. kewl, no CRC check!

Step 12. Enter your name, any serial (remember it must start with "MP3-", e.g. MP3-12345) and any code. *boom* Now you'll see the correct code! Enter it and guess what? *heeeeyaa* You've made it!

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #13 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

LagPRO/CiA for the Splash Logo
Bisoux for providing tuts in this version.
Cardenal Mendoza for providing tuts in this version.
Night Mastah/WWC for providing tuts in this version.
NeuRaL_NoiSE for providing tuts in this version.
BuLLeT/CiA for providing tuts in this version.
PaRKER/CiA for providing tuts in this version.
tKC/CiA (hey it's me! :)) for providing tuts in this version.

All the crackers (non-members of CiA too) are welcome to send tutors for the next tutorials .. see below for my email address!

PersGreetz go to Ms_Jessca ..who else? :-/

Greetz go to all the crackers!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '98

Compiled on 14 December 1998

Cracking Tutorial #12 is dedicated to Ms_Jessca *sigh* :P
