Welcome to Cracking Tutorial #13! Well, well.. the first tutorial of 1999! I hope we'll release 50 tutors this year! :))

In this tutor we'll teach you more about W32Dasm, SoftIce and SmartCheck. Without knowledge, no power! ;) Warning, this tutorial is a real mother! *grin* Ok, let's rock!

You'll need the following tools (I use these tools and I assume you'll use 'em too, but it doesn't mean that you'll need every one of them; just be sure to have them handy for the examples in this tutorial):

  SoftIce 3.24
  W32Dasm 8.93
  Hacker's View 6.01
  SmartCheck 6.0
  TASM 5.00
  Windows Commander 3.53 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

  http://cracking.home.ml.org
  http://surf.to/HarvestR

or ask any cracker to get you these tools! Are you ready?! OK! ;)

PART 1: Basics of Cracking
by BuLLeT

Heya! Ok.. so sitting here not knowing what to type, I thought I might as well write something about the basics of cracking. This tutorial is actually written because I have lately got a few emails asking: "Why did you know that THAT was the correct byte to patch?" or "How did you know that THAT was the correct breakpoint to set?" These are commonly asked questions and I think it's time to answer them once and for all.

Since this isn't gonna be a tutorial in which you need much cracking experience, I think that being armed with W32Dasm, SoftICE & HIEW will get you started pretty well. In this tutorial I will not teach you how to crack a particular program, but teach you the basics in order to make it easier for you in the future when you decide to crack something. So.. let's get started. I now assume that you have the disassemblers ready.

One question that many newbies ask me is: "Can you recommend me a program to crack?" I can't.. but I can give you some advice.
I think everyone has a SHAREWARE CD filled with a lot of goodies on it. Put that in the drive and search it. You will sooner or later find a small (insecure) program that has a weak protection, and you will choose that as your target: a small program that has a standard registration routine (NAME/SERIAL). I would NOT recommend you to get a VB (=Visual Basic) program, nor would I advise you to get an encrypted one, since you then need knowledge of decrypting etc. (I will later explain how to check for encryption.)

The reason for not choosing a VB app is that VB isn't really a program. It uses the VBRUNxxx.DLL, so you can't just disassemble the EXE file since the important code is in the DLL. The reason for not choosing an encrypted program is pretty obvious. Since it's encrypted you will not be able to patch the code without causing a GPF (=General Protection Fault). So let those two types of programs rest for a while, while you start your cracking on an easy target.

"But now that I've found a program that I THINK might be easy, what do I do?" Well, first of all you might wanna check if the program really IS as weak as you thought. An easy way to do this is to edit the file (HIEW FILENAME.EXE). The first page you look at can actually tell you if it's encrypted/packed or not (in most cases). If the file is not encrypted you will see, somewhere on the first screen, something like this:

  .idata / .rdata / .tls / .reloc / .rsrc

If the program, however, IS encrypted/packed you will most likely see something like this. If the packer is SHRINKER:

  .shrink2 / .shrink3

If the program is encrypted by e.g. PE-CRYPT you will notice a nasty message saying:

  .ficken (=fuck in German)

a lot of times. This is a feature provided by the cool program called PE-CRYPT by UNITED CRACKING FORCE. Tnx d00dz!

If you see one of these, or something else not looking "normal", you will know that the program has either been encrypted or packed and you will go on to the next target.
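The section-name check just described, and the 16- vs 32-bit string test in Part 2 (where "U N R E G I S T E R E D" is simply the UTF-16LE encoding of a wide string, one zero byte after each character), can both be done from a script instead of by eye in HIEW. The following is an added example, not code from this tutorial or from any of the tools it mentions: COMMON_SECTIONS is an assumed allow-list of names that ordinary linkers emit, build_toy_pe() constructs a throwaway header-only PE image for testing, and the sample bytes given to extract_strings() are made up.

```python
"""Static triage of a Win32 executable: read the PE section table to spot
packer/crypter section names, pull out narrow (ASCII) and wide (UTF-16LE)
strings, and format bytes for a SoftICE S command. Added example for this
tutorial; build_toy_pe() constructs a fake image, it is not a real program."""
import re
import struct

# Heuristic allow-list (assumption): names normal compilers/linkers produce.
# Anything outside it is merely "not looking normal", as the text puts it.
COMMON_SECTIONS = {".text", ".data", ".rdata", ".idata", ".edata", ".bss",
                   ".tls", ".reloc", ".rsrc", ".pdata", "CODE", "DATA", "BSS"}


def section_names(image):
    """Walk MZ header -> e_lfanew -> 'PE\\0\\0' -> COFF header -> section table."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    size_of_opt = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + size_of_opt                       # first IMAGE_SECTION_HEADER
    names = []
    for i in range(num_sections):
        entry = table + 40 * i                            # each header is 40 bytes
        if entry + 40 > len(image):
            raise ValueError("section table runs past end of file")
        names.append(image[entry:entry + 8].rstrip(b"\0").decode("ascii", "replace"))
    return names


def suspicious_sections(image):
    """Section names not in COMMON_SECTIONS, e.g. .shrink2/.shrink3 or .ficken."""
    return [n for n in section_names(image) if n not in COMMON_SECTIONS]


def extract_strings(data, min_len=6):
    """(encoding, offset, text) for every ASCII or UTF-16LE run of >= min_len chars."""
    narrow = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    wide = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len)   # 'U',0,'N',0,...
    found = [("ascii", m.start(), m.group().decode("ascii")) for m in narrow.finditer(data)]
    found += [("utf-16le", m.start(), m.group().decode("utf-16le")) for m in wide.finditer(data)]
    return sorted(found, key=lambda t: t[1])


def softice_bytes(text, wide=False):
    """Byte list for S 0 L FFFFFFFF ..., e.g. 'BuLLeT' -> 42,75,4C,4C,65,54."""
    raw = text.encode("utf-16le" if wide else "ascii")
    return ",".join(f"{b:02X}" for b in raw)


def build_toy_pe(names, payload=b""):
    """CONSTRUCTED minimal PE32 image: DOS stub, COFF header, zeroed optional
    header, a section table with the given names, then `payload` bytes."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)               # e_lfanew -> PE signature
    size_of_opt = 0xE0                                    # standard PE32 optional header size
    coff = struct.pack("<HHIIIHH", 0x14C, len(names), 0, 0, 0, size_of_opt, 0x102)
    opt = bytearray(size_of_opt)
    struct.pack_into("<H", opt, 0, 0x10B)                 # PE32 magic
    table = b"".join(n.encode("ascii")[:8].ljust(8, b"\0") + bytes(32) for n in names)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table + payload


if __name__ == "__main__":
    print("clean :", suspicious_sections(build_toy_pe([".text", ".rdata", ".data", ".rsrc"])))
    print("packed:", suspicious_sections(build_toy_pe([".text", ".shrink2", ".shrink3"])))
    sample = (b"\0\0UNREGISTERED\0\0" + "UNREGISTERED".encode("utf-16le")
              + b"\0Registration failed!\0")             # constructed sample bytes
    for enc, off, text in extract_strings(sample):
        print(f"{off:08X} {enc:8s} {text}")
    print(softice_bytes("BuLLeT"), "|", softice_bytes("BuLLeT", wide=True))
```

The allow-list is only a first look: a packer that keeps the standard names, or a linker told to rename sections, slips past it, and a packed file is not necessarily an encrypted one. The wide-string scan is what turns "U N R E G I S T E R E D" back into a readable word, and softice_bytes(..., wide=True) gives the interleaved zero bytes a search for such a string needs.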
So.. assuming that you have your target, you now launch it to gather as much information about the registration process as you can, e.g. TEXT/NAG/BUTTONS, stuff that you might need to use. One thing that you, most likely, need to note is the message you get when entering an INVALID serial: "Wrong serial..". Note it, cause you'll sooner or later need it when cracking.

"So.. why do I need it?" Well, as you probably already know, since you have read other tutorials :P, you will need to find the place in the code where that messagebox is called. And just editing the file and searching for it would be a waste of time, since there probably are more checks you need to consider. Therefore you note the messages and disassemble the program in W32Dasm, also called Windows 32 Disassembler.

Now what?.. after disassembling all you see is just a bunch of strange Assembly which you probably don't understand. And the cool part is: YOU DON'T NEED TO! (at least not always). Of course it's good to know what it means, but it's not required if the program you've found is easy enough.

So.. do you remember the message you got when entering a wrong name/serial? If so, go to the SDR (=String Data References) in one of the menus to the right. This menu item is very helpful when cracking, since it will show you the text of the program. "What text?" Think about it! -while you give your eyes a rest from this LOOONG and EASY text. *hehe* One of the things you might find is the VERSION of the program and, most likely, the ERROR message you just noted. You see why this message is so important? :P

Ok.. now that you know that, it shouldn't really be necessary to tell you to grab those scrollers and find the message. So.. scrolling down, watching the other messages, you finally find the ERROR. To go to the place in the program where it's located you double-click it. Now the data window (in the background) will change, and you will also see some stuff in the bottom line of the disassembler.
You should see:

  CODE: XXXXXXXX / OFFSET XXXXXXXXh

This was the FIRST place where the ERROR was stored, but it MIGHT be stored in more places, and to check that you note the offset at the bottom and double-click the ERROR again. In some cases it changes, but if it doesn't you just close the SDR window and start looking at the code. -go take a look at it.

ZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzz *BOO* Fell asleep?

The first thing you'll need to do is to learn these simple Assembly codes:

  CMP = Compare (eg. CMP EAX, EAX) <- Compare EAX to EAX
  JE  = Jump if Equal
  JNE = Jump if NOT Equal
  JL  = Jump if Lower
  JLE = Jump if Lower or Equal
  JA  = Jump if Above
  JAE = Jump if Above or Equal
  JMP = Jump Straight

This is pretty much what you need to know, at least in the beginning. Assembly is actually pretty logical, as you see. But we're not at the right code yet, cause right now we're already inside the message, and what we want is to be at the CALL which CALLs the message. This is where W32Dasm is cool. You trace up (use the scroller) until you see something like this:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00xxxxxx(U/C)

The 00xxxxxx at the right is the code location, NOT the offset. The xxxxxx should be numbers (ex: 040260). So now you go to that address and look again. There you'll see something like this. This is just an easy example, but there are several types of this:

  :00xxxxxx 3BC5   cmp eax, ebp   <---- Compare
  :00xxxxxx 741E   je 00xxxxxx    <---- Jump if Equal

The 3BC5 are the bytes that correspond to the instruction text; in the same way 74 = JE. After learning the Assembly I just showed you, understanding this code should be pretty easy. EAX and EBP are registers which, in this case, are used to store the serials. Let's say that EAX contains the CORRECT serial and in EBP we find our WRONG serial (the random number we entered). So this should be pretty obvious: it compares EAX (=CORRECT SERIAL) with EBP (=WRONG SERIAL), and if they're equal it jumps to the address 00xxxxxx.
Can this be easier?? Nah.. it can't. So considering the Assembly you just learned, it should be pretty easy for you to figure out what to do to make this program accept ALL serials. Or? Ya know what to do? No?? Well.. look at the JE (=Jump if Equal). Maybe changing this to JNE (=Jump if NOT Equal) would do the job. And yes.. it will!

Now it's time to move the green bar over the JE line and note the offset at the bottom of the disassembler. It should say something like: 00xxxxxxh, but you don't have to type the h since it's only there to show that we're dealing with HEXADECIMAL numbers. So, now you know WHAT and WHERE to patch, so let's HIEW the file and patch (HIEW FILENAME.EXE). Press ENTER twice to go to DECODE mode. There you will need the following keys:

  F5 = GOTO OFFSET / F3 = EDIT / F9 = UPDATE

Knowing this, you hiew the file, go to decode mode, press F5 and enter the offset. Then to edit press F3 and enter 75 (=JNE). To update your work press F9, and quit HIEW. Launch the program and it SHOULD be cracked (IF you chose an easy program AND if it only has one check, you will now see a REGISTERED and 100% working program).

* I think I pretty much answered the first question. What you just read is mostly for W32Dasm and can NOT be done like this in SoftICE. In SoftICE, however, you can get the CORRECT serial by typing ? EAX. This I will describe in a bit more detail in the following.

So.. time to answer the second question, which was how I find out which breakpoints to set. Well.. this is a thing you will learn pretty fast. Generally you can say that when cracking a DELPHI program you can be pretty sure it uses either GetDlgItemText(A) or GetWindowText(A). (Now this was kinda stupid to write, cause now I know that the newbies got another question to ask: "When I try to set GetDlgItemText(A) it gives me an ERROR!" So I might as well just explain a bit. The (A) is NOT something you should type.
You can write either GetDlgItemText or GetDlgItemTextA, depending on whether the program you're cracking is 16- or 32-bit (by typing the A you'll set a 32-bit one). Now.. that should pretty much cover it. Just remember that the A can also be typed in other breakpoints.)

Again I'll need to tell you an exception. In the beginning I told ya NOT to crack VB, but here's a reason against that, cause cracking VB can SOMETIMES be VERY easy. The only thing you need is to set a breakpoint on __VbaStrCmp, which needs to be enabled from your WINICE.DAT. This is, however, not a good idea to start with, cause you'll pretty fast get lost in KERNEL32 or USER, so do that when you start to understand what you're doing.

Ok, time to set the CORRECT breakpoint (BPX from now on). A thing that many crackers advise is to use Quick View and look at the imports etc. This is not a thing I usually do, since it's actually not necessary. You can just set all four BPX:

  GetDlgItemText / GetDlgItemTextA / GetWindowText / GetWindowTextA

By setting these you can be pretty sure to make SoftICE break. These are the most commonly used BPX's and will work in almost all programs you'll meet in the beginning. So, set ALL four and let's crack using SoftICE!

Ok.. you will need to re-install the program in order to crack the NOT cracked version. Let's say you have two input boxes: Name/Serial. You enter your NAME, and enter a random SERIAL. Press CTRL+D to go to SoftICE to set the BPX's. Set them and press F5. Click the OK/REGISTER/CHECK button, or whatever it might say. You should now be back in SoftICE. If you're NOT, go back to SoftICE using CTRL+D and clear ALL BPX's (=BC*). Set a new one called HMEMCPY. This is a breakpoint which will break every time something is copied in memory. Using this you'll need some experience, since you'll have to trace through KERNEL and USER to get to the program.
So.. assuming that the program used one of the four breakpoints, you're now back in SoftICE and ready to trace. And that's exactly what we're gonna do. In SoftICE you'll need the following keys in the beginning:

  F5 = RUN / F8 = Trace INTO a CALL / F10 = Trace OVER a CALL / F11 = Go back to CALLer

Ok.. now you would normally press F11 to return to the CALLer, but you might forget something. The program had TWO input boxes, which means that it will break TWO times. So press F5 to read the second input box. Ok.. NOW you may press F11 to return to the CALLer and start tracing. So, press F11 and start pressing F10, while you watch your name/serial go through the registers etc. Now since I don't know the program I can't tell you all the details, so let's just skip to the section where it compares our serials. Like above, you'll also here see this:

  :00xxxxxx 3BC5   cmp eax, ebp   <---- Compare
  :00xxxxxx 741E   je 00xxxxxx    <---- Jump if Equal

Again it should be pretty easy. You know that our serial is in EBP and that the CORRECT serial is in EAX. So type ? EAX or D EAX and note the serial. Clear all BPX's and press F5 to run the program again. Now use your own NAME and the CORRECT serial to register the program.

Ok.. so the section about SoftICE got pretty small, but I dunno what else to write. I think I pretty much covered what you need to know. I hope I helped some of you out there who really want to become crackers. If you did not understand this text, or didn't even get a clue about what it's about, you might as well just forget becoming a cracker. This text is on LEVEL -00 and should be understood by everyone who has read more than one tutorial.

One final thing I'd like to say is: DO NOT GIVE UP! If you still can't crack the program after 2 hours, just go get another. MAYBE you just got a hard program or something. So.. get those cracking skills enhanced and GO ON!
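Every listing in this part (and in the parts that follow) is something you can re-check rather than take on faith: a short jump like 741E encodes its target as a signed byte displacement from the end of the instruction, so at 0040E679 it lands at 0040E679 + 2 + 1E = 0040E699, and a call like E8423CF8FF carries a signed 32-bit displacement the same way. The script below is an added example, not code from this tutorial or from W32Dasm/SoftICE: it decodes those encodings, re-verifies lines quoted later in this text, and diffs two copies of a file to report what a one-byte change did, which is how you establish after the fact whether a binary has been patched and what the patch changed. The byte images at the end are constructed.

```python
"""Decode the x86 branch encodings seen in W32Dasm listings, verify listing
lines, and explain byte-level differences between two file images.
Added example for this tutorial; the quoted listing lines come from later
parts of the text, the byte images in __main__ are constructed."""
import re
import struct

# rel8 conditional jumps 0x70..0x7F (the near rel32 forms are 0F 80..0F 8F,
# same order). They come in pairs: the low bit selects the negated condition,
# which is why 74 (je) and 75 (jne) sit next to each other.
JCC = ["jo", "jno", "jb", "jnb", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jnl", "jle", "jg"]

# What a single opcode byte means, for the one-byte encodings this text deals with.
ONE_BYTE = {0x90: "nop", 0xEB: "jmp"}
ONE_BYTE.update({0x70 + i: name for i, name in enumerate(JCC)})


def decode_branch(addr, code):
    """Decode a jcc/jmp/call at virtual address `addr` whose bytes are `code`.
    Returns (mnemonic, length, target) or None if it is not a branch we know."""
    op = code[0]
    if (0x70 <= op <= 0x7F or op == 0xEB) and len(code) >= 2:        # short rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        name = "jmp" if op == 0xEB else JCC[op - 0x70]
        return name, 2, (addr + 2 + rel) & 0xFFFFFFFF
    if op in (0xE8, 0xE9) and len(code) >= 5:                         # call/jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return ("call" if op == 0xE8 else "jmp"), 5, (addr + 5 + rel) & 0xFFFFFFFF
    if op == 0x0F and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:     # near jcc rel32
        rel = struct.unpack_from("<i", code, 2)[0]
        return JCC[code[1] - 0x80], 6, (addr + 6 + rel) & 0xFFFFFFFF
    return None


# ":0040E679 741E je 0040E699"  ->  address, hex bytes, mnemonic, target
LISTING = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)\s+([0-9A-Fa-f]{8})\b")


def check_listing(line):
    """Re-decode one W32Dasm branch line: True when mnemonic and target agree
    with the bytes, False when they do not, None for a non-branch line."""
    m = LISTING.match(line.strip())
    if not m:
        return None
    addr, hexbytes, mnemonic, target = m.groups()
    decoded = decode_branch(int(addr, 16), bytes.fromhex(hexbytes))
    if decoded is None:
        return None
    return decoded[0] == mnemonic.lower() and decoded[2] == int(target, 16)


def find_patches(original, modified):
    """Byte-level diff of two same-sized file images. Each hit is
    (offset, old, new, meaning_of_old, meaning_of_new); meanings are looked up
    in ONE_BYTE and are None for bytes that are not a lone opcode."""
    if len(original) != len(modified):
        raise ValueError("images differ in size, not a simple in-place patch")
    return [(off, old, new, ONE_BYTE.get(old), ONE_BYTE.get(new))
            for off, (old, new) in enumerate(zip(original, modified)) if old != new]


if __name__ == "__main__":
    for line in (":0040E679 741E je 0040E699",
                 ":004C4DF9 0F850D010000 jne 004C4F0C",
                 ":004800B1 E8423CF8FF call 00403CF8",
                 ":0040E677 3BC5 cmp eax, ebp"):
        print(check_listing(line), line)
    # constructed: the cmp/je pair from above, before and after a one-byte edit
    before = bytes.fromhex("3BC5741E")
    after = bytes.fromhex("3BC5751E")
    print(find_patches(before, after))      # [(2, 116, 117, 'je', 'jne')]
```

find_patches() works on file offsets, so to name the instruction a hit belongs to you still map the offset back to a code location with the section table, as W32Dasm does when it prints @Offset at the bottom. A hit whose old byte decodes to a conditional jump and whose new byte decodes to its pair, or to nop, is the signature of the kind of edit this tutorial describes.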
* I hope that I will get some response on this, cause I think I actually did a pretty good job (considering I wrote this in 30 minutes). Plz lemme know if this text helped you in ANY way!

All for now.. Cya

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------
Written by [BuLLeT-CiA'98]
E-Mail: BuL_LeT@hotmail.com
------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

PART 2: Using SoftIce
by BuLLeT

In this text you'll find useful information about SoftIce. I'll try to answer the following questions:

  * What is SoftIce?
  * What is a breakpoint?
  * How do I search for a string/hex?
  * How do I choose which breakpoint to set?
  * A list of the most used breakpoints!

What is SoftIce?
----------------

Actually I didn't think this was worth explaining, cause if you have it you already know what it is, but anyway. SoftIce is an advanced debugger. First you install SoftIce, by adding the following line to your AUTOEXEC.BAT (with the drive and path of your SoftIce directory in front):

  :\\WINICE.EXE

Note that it MUST be loaded at startup. This will load SoftIce. Also note that adding this line to your startup will automatically launch Windows, as it's a built-in feature of SoftIce to load Windows. Well, once you've rebooted and you're back in Windows, you can at any time break to SoftIce by pressing CTRL+D. To return from breaking press CTRL+D (or F5).

Another important thing to note is that there are some lines in WINICE.DAT to include symbols etc. There is most likely a ; in front of some of these lines:

  EXP=c:\windows\system\kernel32.dll
  EXP=c:\windows\system\user32.dll
  EXP=c:\windows\system\gdi32.dll
  EXP=c:\windows\system\msvbvm50.dll
  EXP=c:\windows\system\shell32.dll
  EXP=c:\windows\system\advapi32.dll

If you see a ; you should remove it, as these are the most common DLLs to use. (If you remove a ; you must reboot.) Also, you should not remove the ; if you don't have the file!

What is a breakpoint?
---------------------

A breakpoint (from now on BPX) is an option you set to break at a certain point in a program etc. For example, to break right at the registration box. Example: if you enter a wrong serial, a messagebox pops up telling you that your input is wrong, so you should most likely set a BPX on messagebeep. Note that this depends. All in all a BPX is a flag you set in memory to break at a certain place in a program. You set a BPX by typing (within SoftIce) BPX followed by a function name, or BPM followed by an address. There are MANY more possibilities than this, but I don't think ya need more to get started.

How do I search for a string/hex?
---------------------------------

Searching in SoftICE is used especially together with BPM, since the search will return the address of the text. To search you can type:

  S 0 L FFFFFFFF 'BuLLeT'              (which will search from 0 to FFFFFFFF for BuLLeT)
  S 0 L FFFFFFFF 42,75,4C,4C,65,54     (which does the same as above)

How do I choose which breakpoint to set?
----------------------------------------

Well, this can sometimes be difficult, since you first have to determine if it's a 16- or 32-bit app you're attacking. But often you can say that if it's a 32-bit app you have to add an A to the BPX line. Example: BPX getwindowtextA (will be explained later). To check if it's a 16- or 32-bit app, you should try to edit it. Look through the file. If you see something like:

  U N R E G I S T E R E D

it's most likely a 32-bit app. If it's:

  UNREGISTERED

it's most likely 16-bit. Another easy thing to do is checking the README.TXT of the program. Sometimes the author explains it to you. But you could (like me) just set both the 16- and the 32-bit BPX, to be sure ;)

A list of the most used breakpoints!
------------------------------------

                         16-BIT                    32-BIT
  Reading/writing files: readfile                  readfileA
                         writefile                 writefileA
                         createfile                createfileA
  Reading INI-files:     getprivateprofilestring   getprivateprofilestringA
                         getprivateprofileint      getprivateprofileintA
  Registry access:       regcreatekey              regcreatekeyA
                         regdeletekey              regdeletekeyA
                         regqueryvalue             regqueryvalueA
                         regclosekey               regclosekeyA
                         regopenkey                regopenkeyA
  Dialog boxes:          getwindowtext             getwindowtextA
                         getdlgitemtext            getdlgitemtextA
                         getdlgitemint             getdlgitemintA
  Drive access:          getdrivetype              getdrivetypeA
  Message boxes:         messagebox                messageboxA
                         messagebeep               messagebeepA
  Time and Date:         getlocaltime              getlocaltimeA
                         getsystemtime             getsystemtimeA
                         getfiletime               getfiletimeA
  Create a window:       createwindow              createwindowA
                         showwindow                showwindowA
  Some useful VB:        hmemcpy
                         __vbastrcomp
                         multibytetowidechar
                         widechartomultibyte

Whether you can use all of these or not might depend on the lines in WINICE.DAT (remember the ;'s =) )

All for now... cya!

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------
Written by [BuLLeT-CiA'99]
E-Mail: BuL_LeT@hotmail.com
------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

PART 3: How to get a serial in DLL Show v3.9
by BuLLeT
http://www.execpc.com/~sbd

Like the last program I wrote a tut for, I also don't know what kind of program this one is. I just know that it must have something to do with DLLs ;) This program has a trial period of 30 days, after which it will expire. So we'd better get that debugger rolling before the period ends.

1) Launch the program. Hmm.. looks like a NAG. Continue and look in the HELP menu. "Register..." it says.. just what we need. Select it and prepare!

2) WOW.. a wizard ;) Well, the stuff we care about is on the right side, so enter your UserName, Organization and a random serial.
   (User Name: BuLLeT / Organization: CiA / Registration: 22446688)

3) Press CTRL+D to enter SoftICE and set a breakpoint on: GetDlgItemTextA

4) Press F5 to return to the program and click OK/REGISTER/WHATEVER ;)

5) So.. you noticed? You DIDN'T??? ARRHHHGGGG. Well, I'll tell ya. Since the program has 3 input boxes you will need to press F5 2 more times. To return to the CALLer press F11.

6) Ok.. so.. now you're in the holy place of ASM :P Press F10 16 times until you see this:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0040E65F(C)
  |
  :0040E66D 53            push ebx
  :0040E66E 56            push esi
  :0040E66F E85C700000    call 004156D0       <---- Hmm.. a CALL
  :0040E674 83C408        add esp, 00000008   <---- Not important
  :0040E677 3BC5          cmp eax, ebp        <---- Compare.. :)
  :0040E679 741E          je 0040E699         <---- Jump if equal

7) So... we have some very nice lines there.. don't we? YES ;) Well, what d'ya think we need to do? It compares two registers - interesting. If you have been following the code you would know that your (INCORRECT) serial is in EBP. So what's in EAX? Try to look at the registers. EAX should, if you entered BuLLeT & CiA as User Name & Organization, contain:

  EAX=DCB5D1D3 (HEX)

Let's see what's really in there. Type: ? EAX. This is the secret number we have been waiting for. YOUR SERIAL!! (In my case: 3702837715)

8) Note the serial, clear all breakpoints (BC*), press F5 and do the registration again. But this time with the CORRECT serial!

Once again a little tut was brought to you by [BuLLeT/CiA'98]!

All for now.. Cya

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

PART 4: How to crack 4-Net v2.0
by BuLLeT
http://www.geocities.com/SiliconValley/Way/2686

Like the last couple of programs, I dunno what this program does. I do know, however, that this program MUST be registered in order to use it 100%.
This program can be registered from the HELP-REGISTER section, and that's what we're gonna do. So.. let's go!

1) Launch the program. Go to the HELP-REGISTER section and type in a name and a randomly chosen serial (eg: Name: BuLLeT / Serial: 22446688). Note the error message!

2) Now quit the program and disassemble it using W32Dasm. Go to SDR (=String Data References). Double-click the message and close SDR.

3) Hmm.. two CALLs. Let's note where the CALL is CALLED and trace up. Trace up until you see:

  :004800B1 E8423CF8FF    call 00403CF8                      <--- Hmm.. a CALL
  :004800B6 7530          jne 004800E8                       <--- ...a strange one   <--+
  :004800B8 8D55EC        lea edx, dword ptr [ebp-14]                                   |
  :004800BB 8B45FC        mov eax, dword ptr [ebp-04]                                   |
  :004800BE 8B8048020000  mov eax, dword ptr [eax+00000248]                             |
  :004800C4 E817F3F9FF    call 0041F3E0                                                 |
  :004800C9 8B55EC        mov edx, dword ptr [ebp-14]                                   |
                                                                                        |
  * Possible StringData Ref from Code Obj ->"Cl4nET"                                    |
  |                                                                                     |
  :004800CC B864014800    mov eax, 00480164                                             |
  :004800D1 E8FA3DF8FF    call 00403ED0                                                 |
  :004800D6 85C0          test eax, eax                      <--- Test eax, eax.. nice  |
  :004800D8 7E0E          jle 004800E8                       <--- Another jump       <--+

4) TWO jumps which jump to the same place ;) We might need to do something to them.. reversing? Sure! The first must be changed to.. you know it?

  JNE (=Jump if Not Equal)    --> JE  (=Jump if Equal)
  JLE (=Jump Below or Equal)  --> JAE (=Jump Above or Equal)

This is the way they should most likely be used; however, in this case we will change the 1ST to JE, and the 2ND to JNE.

5) So quit W32Dasm and launch HIEW.
6) Press ENTER twice to go to the debug mode.
7) Press F5 and enter the OFFSET (=7F4B6)
8) Press F3 and type 74 (=JE)
9) Press F9 to update the first change
10) Press F5 and enter the OFFSET (=7F4D8)
11) Press F3 and type 75 (=JNE)
12) Press F9 to update the second change
13) Press ESC a few times until the program quits
14) Once again launch the program and once again go to the HELP-REGISTER section. Now do like before... enter your NAME and a random SERIAL.

CONGRATZ... REGISTERED!
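Steps 7 and 10 turn the code locations 004800B6 and 004800D8 into the file offsets 7F4B6 and 7F4D8. W32Dasm gets those numbers from the PE section table: subtract the image base to get an RVA, find the section whose VirtualAddress range contains it, and add the difference to that section's PointerToRawData. The functions below are an added example, not the tutorial's or W32Dasm's code; the section layout is constructed so that it reproduces the two pairs quoted in this part (4-Net's real headers are not on the page), and the mapping also runs the other way, which is what you need to name the instruction a file diff has flagged.

```python
"""Translate between a W32Dasm code location (virtual address) and the file
offset it prints at the bottom, the number typed into HIEW's F5 prompt.
Added example for this tutorial, not W32Dasm's or HIEW's code. The layout in
SECTIONS is CONSTRUCTED to reproduce the pairs quoted in Part 4; the real
section table of 4-Net is not on the page."""
from collections import namedtuple

# The fields of an IMAGE_SECTION_HEADER that the translation needs.
Section = namedtuple("Section", "name virtual_address virtual_size raw_pointer raw_size")

IMAGE_BASE = 0x400000      # assumed: the usual image base of a Win32 EXE
SECTIONS = [               # constructed: code at RVA 0x1000, stored at file offset 0x400
    Section("CODE", 0x01000, 0xA0000, 0x00400, 0xA0000),
    Section("DATA", 0xA1000, 0x02000, 0xA0400, 0x02000),
    Section("BSS",  0xA3000, 0x01000, 0xA2400, 0x00000),   # uninitialised: no bytes on disk
]


def va_to_file_offset(va, sections=SECTIONS, image_base=IMAGE_BASE):
    """Virtual address -> file offset, or None when no file bytes back the address."""
    rva = va - image_base
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            delta = rva - s.virtual_address
            if delta >= s.raw_size:
                return None        # exists in memory only (BSS, zero padding past raw data)
            return s.raw_pointer + delta
    return None                    # headers, a gap between sections, or below the image base


def file_offset_to_va(offset, sections=SECTIONS, image_base=IMAGE_BASE):
    """File offset -> virtual address, the inverse mapping."""
    for s in sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return image_base + s.virtual_address + (offset - s.raw_pointer)
    return None


if __name__ == "__main__":
    for va in (0x004800B6, 0x004800D8):
        print(f"{va:08X} -> @Offset {va_to_file_offset(va):08X}h")
    print(f"@Offset {0x7F4B6:08X}h -> {file_offset_to_va(0x7F4B6):08X}")
```

Within one section the difference between address and offset is constant (0xC00 in this layout), which is why the two offsets in steps 7 and 10 are 0x22 apart exactly like the two addresses; the difference changes from section to section, so recompute it from the table rather than carrying one delta over to another part of the file.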
Hope you enjoyed, once again, following a tut by me.

All for now.. Cya

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

PART 5: How to crack Voodoo Lights & Cosmos-1 v1.1.11
by BuLLeT
http://www.SomeWhere.On.The.Net

This "program" is actually several screensavers in one. And since 3DFX SUCKS BIG TIME while it's UNREGISTERED, let's attack diz sucka!

1) Launch the screensaver.. hmm.. works fine.. doesn't even show an UNREGISTERED box. This must mean that it has an evaluation period. And it does ;) 30 days to be exact.. after that period the program won't even start. You just get an ugly "Your trial period has expired.." or something like that. So.. set the date more than 30 days forward and run the screensaver. BAAHHH, an ugly NAG pops up. Well, since this NAG is there we might as well use it. NOTE the NAG message and quit the program.

2) Disassemble it (c:\windows\system\voodoo~1.scr) using W32Dasm and go to the SDR section (=String Data References).

3) Find the message and double-click it. You see there is only ONE CALL and therefore you just close SDR again, and trace up to see which CALL calls the CALL ;) (CALL AT 004013B3)

4) You should now see this:

  * Referenced by a CALL at Address:
  |:004013B3
  |
  :004094D8 83C4F0        add esp, FFFFFFF0
  :004094DB E828010000    call 00409608
  :004094E0 84C0          test al, al
  :004094E2 754B          jne 0040952F
  :004094E4 54            push esp

  * Reference To: KERNEL32.GetSystemTime, Ord:0000h
  |
  :004094E5 E8ADB20400    Call 00454797
  :004094EA 66813C24CE07  cmp word ptr [esp], 07CE      <- Compare 30 days
  ...some more stuff....                                <---------- The line to NOP
  :004094F2 66837C240209  cmp word ptr [esp+02], 0009
  :004094F8 731F          jnb 00409519

Hmm.. a JA (=Jump if Above), logical? Yeah.. it will jump there if the trial period has expired (if DATE > 30 days from installation then jump). You also see a JNB at address 004094F8.
We need to change that too.

5) So let's change that. But to what? Well.. what about NOP'ing it? That might be a good idea. So quit W32Dasm and launch HIEW.
6) Press ENTER twice to go to the debug mode.
7) Press F5 and enter the OFFSET (=8AF0)
8) Press F3 and type 90 TWICE! (=NOP)
9) Press F5 and enter the second offset (=8AF8)
10) Press F3 and type EB (=JUMP STRAIGHT)
11) Press F9 to update your changes, and quit HIEW.
12) Once again launch the program and enjoy the "REGISTERED" version.

NOTE: By doing this you will only make the program think that it's always below the allowed amount of days. This will NOT make it say REGISTERED in the About box, but who cares. You don't have a screensaver to read the About box, do ya? Nah.. But if you want, go ahead and crack that section yourself. -gOOD lUCK

Hope you enjoyed, once again, following a tut by me.

All for now.. Cya

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------
Written by -=[BuLLeT]=-
E-Mail: BuL_LeT@hotmail.com
------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

PART 6: How to crack Pixshow v4.0
by Darkshadow [CiA]
http://web.triton.net/fasttrax/sunshine/sshome.html

In this little tutorial I will teach you how to crack Pixshow v4.0. Ok.. let's start... install Pixshow 4.0 etc.. :P

1. Run Pixshow, a dialog box should appear saying Pixshow has expired *DON'T PEE YOUR PANTS*. Ok, click "Close".

2. Another dialog box should appear with two textboxes for you to fill in your User Name and Regnumber. Now type any shit you want into the two boxes (I use dSCiA 1234567); please note you can only use abc letters, not /[] etc..

3. Click "OK" and a message box should appear telling you that the "Registration failed!"; remember that error message :). Click "OK" to exit Pixshow.

4. Now run W32Dasm v8.9 and disassemble pixshow.exe; once it has disassembled Pixshow, click on the SDR (String Data References) button.

5.
You should see this below:- String Resource ID=65280: "Field '%s' must have a value" String Resource ID=65500: "Assertion failed" String Resource ID=65535: "Invalid numeric input" " (" " >>>" " already exists. Select another " " AMPM" " AND (" " by Sunshine Software" " files found - Double click filename " " files" " has a size of zero. This may " " is already bookmarked!" " mailto:" " not found." " to recycle bin" " v@" etc...etc... 6. Scroll down and look for the error message that you got, when you enter the wrong reg number (Registration failed!) and double click on the error message, and then close the SDR dialog. 7. You should then see the following code:- * Possible StringData Ref from Code Obj ->"Registration successful!" | :004C4F00 B878504C00 mov eax, 004C5078 :004C4F05 E866D9F7FF call 00442870 :004C4F0A EB0A jmp 004C4F16 * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:004C4DF9(C) <------------------- That is were the error dialog box appears | * Possible StringData Ref from Code Obj ->"Registration failed!" | :004C4F0C B89C504C00 mov eax, 004C509C :004C4F11 E85AD9F7FF call 00442870 8. Do you see 004C4DF9 (read my comments).. Now go to the Goto menu and click on "Goto Code Location" and type 004C4DF9 and click "OK" 9. Now you should see the following code below:- * Possible StringData Ref from Code Obj ->"498p-" | :004C4DE6 BA984F4C00 mov edx, 004C4F98 :004C4DEB E8ECF0F3FF call 00403EDC :004C4DF0 8B55F8 mov edx, dword ptr [ebp-08] :004C4DF3 58 pop eax :004C4DF4 E8A7F1F3FF call 00403FA0 :004C4DF9 0F850D010000 jne 004C4F0C <--- This line should be colored green :004C4DFF 6825300000 push 00003025 :004C4E04 68C47A0000 push 00007AC4 10. Now.. look at the bottom of W32dam, you should see @Offset 000C41F9h File: PixShow.exe That's the offset were we want to patch it. Exit W32dam 11. Run your hex editor (Hacker's viewer in da best!) and go to the offset 000C41F9 and make the data go into asm. 
You should see the following coded below:- .000C4DF9: 0F850D010000 jne .0000C4F0C -------- (1) .000C4DFF: 6825300000 push 000003025 .000C4E04: 68C47A0000 push 000007AC4 .000C4E09: 8D45F8 lea eax,[ebp][-0008] .000C4E0C: 50 push eax .000C4E0D: 8D55F4 lea edx,[ebp][-000C] 12. Now we are going to change a byte..press F3 and move to 85 and change it to 84 and then press F9 to save the changes. The JNE will change to a JE :P 13. Exit the hex editor and run PixShow and enter any Name and Reg number and click "OK" *BOOM* it registered *WOW*.. How simply just one byte can mean the different between having a register program *KEWL* :) Cya I hope you like this little tutorial... Darkshadow [CiA] PART 7: How to crack CDRLABEL 4.1 by RSiP http://www.ziplabel.com Tutor by RSiP [sorry for the bad english but i'm DUTCH] Tools to use ~~~~~~~~~~~~ W32DASM HIEW 6.00 Where to get the program ~~~~~~~~~~~~~~~~~~~~~~~~ CDRLABEL 4.1 http://www.ziplabel.com Start W32DASM Load CDRLABEL.EXE When ready goto REFS then goto String Data References StrnREF go to: Registration Error [Find this string] is found double klick it to go to the lines... you will see. :004134CC FF1590664500 Call dword ptr [00456690] :004134D2 E9CA1C0000 jmp 004151A1 :004134D7 8B150C2D4500 mov edx, dword ptr [00452D0C] :004134DD A1082D4500 mov eax, dword ptr [00452D08] :004134E2 8D4C2410 lea ecx, dword ptr [esp+10] :004134E6 51 push ecx :004134E7 52 push edx :004134E8 50 push eax :004134E9 E8B2B30000 call 0041E8A0 <= NICE ! :004134EE 83C40C add esp, 0000000C :004134F1 85C0 test eax, eax :004134F3 7518 jne 0041350D :004134F5 6A10 push 00000010 * Possible StringData Ref from Data Obj ->"Registration Error" :004134F7 68E0904300 push 004390E0 * Possible StringData Ref from Data Obj ->"Sorry, only registered users may " ->"access this function" Did you see :004134E9 E8B2B30000 call 0041E8A0 lets look this call by pressing the "CALL" button at the top. 
You see this: * Referenced by a CALL at Addresses: |:00403B16 , :0040A1B3 , :0041313C , :004134E9 , :00414AD7 |:00414CA0 , :00414E68 | :0041E8A0 83EC0C sub esp, 0000000C :0041E8A3 8B4C2414 mov ecx, dword ptr [esp+14] :0041E8A7 8B442410 mov eax, dword ptr [esp+10] :0041E8AB 894C2404 mov dword ptr [esp+04], ecx :0041E8AF 80F142 xor cl, 42 :0041E8B2 8B542418 mov edx, dword ptr [esp+18] :0041E8B6 884C2404 mov byte ptr [esp+04], cl :0041E8BA 8A4C2407 mov cl, byte ptr [esp+07] :0041E8BE 53 push ebx :0041E8BF 8A5C2409 mov bl, byte ptr [esp+09] :0041E8C3 80F166 xor cl, 66 :0041E8C6 89442404 mov dword ptr [esp+04], eax :0041E8CA 884C240B mov byte ptr [esp+0B], cl :0041E8CE 8A4C2406 mov cl, byte ptr [esp+06] :0041E8D2 80F365 xor bl, 65 :0041E8D5 80F141 xor cl, 41 :0041E8D8 3444 xor al, 44 :0041E8DA 3ACB cmp cl, bl :0041E8DC C6420300 mov [edx+03], 00 :0041E8E0 751A jne 0041E8FC <= BAD BOY! :0041E8E2 8A4C240B mov cl, byte ptr [esp+0B] :0041E8E6 884202 mov byte ptr [edx+02], al :0041E8E9 8A442408 mov al, byte ptr [esp+08] :0041E8ED 880A mov byte ptr [edx], cl :0041E8EF 884201 mov byte ptr [edx+01], al :0041E8F2 B801000000 mov eax, 00000001 :0041E8F7 5B pop ebx :0041E8F8 83C40C add esp, 0000000C :0041E8FB C3 ret Lets see what the BAD BOY jump does... press the "Jump to" button at the top. * Referenced by a (U)nconditional or (C)onditional Jump at Address: |:0041E8E0(C) | :0041E8FC A1F42C4500 mov eax, dword ptr [00452CF4] :0041E901 85C0 test eax, eax :0041E903 740A je 0041E90F <=REMEMBER THIS ALSO :0041E905 B801000000 mov eax, 00000001 :0041E90A 5B pop ebx :0041E90B 83C40C add esp, 0000000C :0041E90E C3 ret Well, there are a couple solutions.. Set the green bar at the :0041E8E0 751A jne 0041E8FC line At the bottum you see @Offset 0001DCE0h this is where you enter the program with hiew. now lets crack the program Hiew cdrlabel.exe press F4 [mode] press F3 [select mode DECODE] press F5 [goto line.....] 
Enter 0001DCE0 You'll see :0041E8E0 751A jne 0041E8FC change 751A to 9090 by pressing F3 [EDIT] and when done press F9 [UPDATE] the line looks now: :0041E8E0 90 nop :0041E8E1 90 nop BTW jou can also change this line from JNE to JE but i like the NOP better ! Start CDRLABEL goto HELP then ABOUT CDRLABEL... *** THANKS FOR REGISTERING! *** Option 2: start as above but change this line @offset 0001DD03 :0041E903 740A je 0041E90F change 740A to 750A the line looks now: :0041E903 750A jne 0041E90F Start CDRLABEL goto HELP then ABOUT CDRLABEL... *** THANKS FOR REGISTERING! *** as you can see.. there are more ways to crack a programm...... see ya, RSiP ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~END~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ RSiP would like to thank tKC for his tutors. I learn to use W32DSAM by using/reading the tutors of tKC. I started with tutor 1 en i'm still read the tutors! We really hope you've enjoyed this tutorial too much as we did! Don't miss Tutot #14 soon! ;) And as I said last time: Without knowledge, there's no power! ;) Credits go to: Laz/CiA for Splash Logo RSiP for providing tuts in this version. Darkshadow/CiA for providing tuts in this version. BuLLeT/CiA for providing tuts in this version. tKC/CiA (hey it's me!) for coding this version :) All the crackers (non-members of CiA are welcome to send tutors for the next tutorials .. see below for my email address! PersGreetz goto Ms_Jessca ..who else? :-/ Greetz goto all the crackers! You can find me on IRC or email me at tkc@reaper.org Coded by The Keyboard Caper - tKC The Founder of PhRoZeN CReW/Crackers in Action '99 Compiled on 23 January 1999 Cracking Tutorial #13 is dedicated to Ms_Jessca *sigh* :P