Welcome to Cracking Tutorial #15! Ah, here we are.. a third tutorial in 1999! :) In this tutor we'll teach you even more about W32Dasm, SoftIce and SmartCheck. Without knowledge, no power! ;) Warning, this tutorial is a real mother! *grin* Ok, let's rock!

You'll need the following tools (I use these tools and I assume you'll use 'em too, but it doesn't mean you need all of them; just have them handy for the examples in this tutorial):

SoftIce 3.25 Beta
W32Dasm 8.93
Hacker's View 6.02
SmartCheck 6.01
TASM 5.00
Windows Commander 3.53 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://cracking.home.ml.org
or
http://surf.to/HarvestR

or ask any cracker to get you these tools! Are you ready?! OK! ;)

PART 1: How to crack a CD Protection in Blood2
by ByteBurn

At first, excuse my English; I know it isn't the best, but I'll do my best ;)

What we need:
-------------
You need Wdasm8.9 and Hiew5.9. There are newer versions out, but I always use these two.
W32Dasm 8.9 is a Windows disassembler. You can use it on W95/98 because it is 32-bit.
Hiew is a nice hex editor with a decode function.

1.Hello
-------
Hello dudes. Now I'll explain to you how to crack Blood2. Blood2 is a cute little shoot-em-up with a very simple copy protection. We can talk here about a CD protection, because when you don't have the game CD in the drive it won't run. That's the first thing you see when you start it, and that's the first thing you've to know when you want to crack it: which kind of protection. There are many protection schemes, but I'll explain here the most common protections you'll see in your later life as a cracker ;).

At first we've a simple protection scheme I'll call WEB here. Hmm, what's that? It's simple to explain. A protection scheme mostly found on games like Blood2 - Anno1602 - Quake2 - NFSI-IISE...
We talk about CD protections. Very simple. Something checks if the CD is in the drive; if it is, the program continues, if not, something else pops up the error message you receive on the screen. This error message is in a little message box. And because we're using Windows 95/98 (I think you do) it's a Windows message box. And because the message box contains an error message, I call it Window Error Box, and WEB is the shortcut I'll use in this tutorial (ehhh, now you know it ;)).

If you know how to handle Delphi, I'm sure you used this kind of message box in one of your own programs, like when the user clicks on Exit it'll pop up a message box which contains the sentence "Good Bye" or anything else. Easy to create with Delphi: create a button, doubleclick on it so you come to the unit window and then enter:

showmessage('Good Bye Dude');

That's all. But back to the tutor. This is the WEB protection.

Then we've Nag-Screens. These little dudes are harder to crack than WEBs, because you can't crack them with Wdasm (as far as I know... maybe someone is so good to crack it with Wdasm). Here you've to use Soft-Ice. A Nag-Screen is a little window, mostly with some nice picture, where you can read that your trial period has expired or something else. This kind you can see in LBA2 - Commandos... If a time period is over, the program registers this in most cases by your system clock and you see the Nag-Screen. In some kinds of games you can find this protection scheme too.

Then we've a key protection. Found on most applications like WinZip - WinRAR - PhotoShop... Here you've to enter a key to unlock your version from trial to full. This protection is mostly found together with a Nag-Screen and a WEB. At first your time expires. Then you have to enter the serial key, and then comes the message box which contains a good or bad message. Serial key protection you can crack with Soft-Ice. In some cases you can crack it with Wdasm. When you use Soft-Ice you create your own key for your name or read the original key from the prog.
When you use Wdasm you can only change the prog so that it won't show you the bad error message but will always show you something like "Thanks for Registering this Program", no matter which name or key you enter. But that's not as good as making the key with Soft-Ice, because it won't work every time. A good example is WinRAR. When you crack it with Wdasm you can enter any key and it says "Thank you for Registering", but when you restart the prog you've to register it a second time. As you see, on the one side it's easier to crack, on the other side it's not so good. Ok, now let's go to Blood2.

2.Blood2
--------
Ok, install Blood2 at regular size and grab the CD out of the drive. Now click on Blood2.exe. Wow, what a special effect: you hear a scream and a little window pops up. Now, after you make all your options ready and click on Start... bing... there is our little WEB: "Please insert the CD into the drive". Now your options: insert the CD and click on OK, or click on Abort to return to Windows. This is the time where you've to buy it, get a crack from the net, kill it from your HD, or read a nice tut like this one and make it by yourself ;). You chose the last one, great ;). Ok, at first go to your HD manager program like Norton Commander and go to the directory where you installed Blood2.

This part is very needful for you, so please read it!
Now you're in the Blood2 directory. Make two copies of the original Blood2.exe. One you've to call Blood2.w32 and one Blood2.exx. Why? It's very easy to explain. When you must disassemble the exe in Wdasm, you can use the Blood2.exe. Hmm, ok... But what about when you make an error and have to disassemble the file again? That's not so good for bigger files, because you can't use one file in different programs at the same time. An example: you disassembled the file with Wdasm, wrote your numbers down and now you want to patch it with Hiew. Hmm... now you've to close Wdasm to use the exe in Hiew so you can edit it. If you don't close Wdasm and want to edit it in Hiew you get an error like "Read mode only". That's what I mean. You use it with Wdasm, so you can't use it with Hiew too. Now, when you want to disassemble the file, disassemble the *.w32 file. Now it's no problem to look at the file in Wdasm and also edit the same file in Hiew.

The second copy you've to call Blood2.exx. It's a backup of the original exe. No one is perfect and everyone makes mistakes in cracking. So if you patch a wrong part of the file so that the program won't run, you can copy Blood2.exx to Blood2.exe and everything is alright again ;).

3.Go to cracking
----------------
Now the interesting part. Run W32Dasm and disassemble the Blood2.w32 file by clicking on Disassembler\Open file to disassemble. Now go to the directory where you installed Blood2 and where you saved Blood2.w32 and doubleclick on Blood2.w32. The disassembling process starts. At this point you've to know that the bigger the file to disassemble, the more time it will take. For example: I've an AMD K6-2 350 with 64MB SD-RAM and a 9ms HD. A 4MB file takes up to 10 mins to disassemble. So you can calculate what it'll do when you've only a P133 with 16MB EDO... good bye time ;).

Ok, back to Blood2. Hey, it finished the process, great. Uno momento por favor! What's that!?!
There is only gibberish written in the Wingdings font. No mucho problemo, amigo! Click on Disassembler\Font\Select Font. Now you can select your favourite font. It's good to say that you may not choose a font like HandWriting or MickeyMouse ;). You may have to choose Arial or, better, Terminal. Ok, you chose Terminal and click on OK. Now a second time: Disassembler\Font\Save Font. Do that, or on the next start you'll have to choose your font a second time. So please save your font. Ok.

Now click on the String Data References button in the upper right corner. We'll call it the SDR button. Ahh, a little window pops up. What is all that? Here you can see the messages and other things of the prog. At this point it is useful to say that you don't always have an SDR button available, but you can still crack it with Wdasm. That's the part where you've to search for your error message. Click on Search\Find Text. Now a little window pops up. Here you can enter the error message you received from the game. You don't have to enter all the text, only the first word like "Please". Then click on OK and wait until your message is found.

In our case we don't have to search for it, we can click on the SDR button. Aha. You can see our error message on the first page. Do you see it? No matter, you can't answer my question ;). "Please insert the Blood2 CD-ROM into your CD-ROM Drive". Doubleclick on it. Hey heeeyyy... You were warped on the main screen to the line which contains the error message. A little tip for the SDR window: it's in alphabetical order. So when you've an error message like "Please insert CD" you can scroll down a bit until you see the messages which begin with "P". That's not always so; on Blood2 it's on the first page. Ok. Now minimize the SDR window and take a look at Wdasm. Use your arrow keys to scroll up a bit until you see this (if you've the same version of the exe like me):

* Possible StringData Ref from Data Obj ->"Please insert the game CD-ROM "
                                        ->"into the drive."
:00403FBF BFE4A54200              mov edi, 0042A5E4
:00403FC4 83C9FF                  or ecx, FFFFFFFF
:00403FC7 F2                      repnz
:00403FC8 AE                      scasb
:00403FC9 F7D1                    not ecx
:00403FCB 2BF9                    sub edi, ecx

and so on and so on...

Hmm... was that our error message? No, it wasn't. Ours was "Please insert the Blood2 CD-ROM into your CD-ROM drive". So we don't need this one. Use your arrow keys to scroll up a bit until you come to our message and a bit more. Now it has to look like this:

:00403F89 0F8503010000            jne 00404092                <-------- that's our one
:00403F8F E876C60100              call 0042060A
:00403F94 8B4804                  mov ecx, dword ptr [eax+04]
:00403F97 E8952E0100              call 00416E31
:00403F9C 8BAC24E0000000          mov ebp, dword ptr [esp+000000E0]

* Reference To: USER32.LoadStringA, Ord:0183h
                                  |
:00403FA3 8B1D3C344200            mov ebx, dword ptr [0042343C]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404082(U)
|
:00403FA9 8B0DB8E74200            mov ecx, dword ptr [0042E7B8]
:00403FAF 8D442450                lea eax, dword ptr [esp+50]
:00403FB3 6A7C                    push 0000007C
:00403FB5 50                      push ecx

* Possible Reference to String Resource ID=00008: "Please insert the Blood2 CD-ROM into your CD-ROM drive."
                                  |
:00403FB6 6A08                    push 00000008
:00403FB8 51                      push ecx
:00403FB9 FFD3                    call ebx
:00403FBB 85C0                    test eax, eax
:00403FBD 7524                    jne 00403FE3

* Possible StringData Ref from Data Obj ->"Please insert the game CD-ROM "
                                        ->"into the drive."

Ok, that's it. Now do you see the line containing the error text "Please insert the Blood2..."? That's our message. The little jne (jump if not equal) command lets it pop up. Ok, we now know two things. First, there is a dude which checks if there is a CD in the drive. That one is the call command. It checks if eax is 1. If eax is 1 everything is fine, there is a CD in the drive and we can continue. But when it is 0... uhhh, nothing is fine and we can't continue because there isn't a CD in the drive. Hmm... Then there is the jump command. It lets the error message pop up on our screen.
jne = jump if not equal
je  = jump if equal

Now we've two options. We can attack the prog when we kill the call. This happens when we nop it. Nop = no operation. Or we can set the call to eax=1 so it'll always think there is a CD in the drive when it checks. At this point I've to tell you that some programs are not stupid and notice when you nop. So it's better to set eax to 1.

How to nop? 90 is the nop number. When a call or jump or whatever command has, say, the number E890987832, that's 10 digits. That means it's 5 bytes. Every two digits are one byte: E8=1, 90=1, 98=one, 78=one, 32=one. So we've to replace it with five 90s. Don't worry when it flips down a line in Hiew when you enter the first 90. Enter the four other 90s too. That is how to nop.

How to set eax to 1? Our number is E890987832. So replace it with E801000000. Ok, that was how to set eax to 1.

Now our second chance of how to attack the prog. We now know that we can disable the check or fake it. Now we can kill the error box so it won't be shown on the screen and the game runs. That's what we're doing in Blood2. Do you see the jne command at the top?

:00403F89 0F8503010000            jne 00404092

Use your arrow keys to place the bar on it. Hey, the bar changes its colour! Yes, it changes to green. Now you can see at the bottom of the screen something in the status bar:

Line:6601 Pg 62 and 63 of 745  Code Data @:00403F89 @Offset 00003389h in File:Blood2.w32

What does that mean? Hmm... Ok. We're on line 6601, on page 62 and 63 of all 745, the code data is 00403F89 (:00403F89 <--- look here 0F8503010000 jne 00404092), the Offset number is 00003389 (it's the number we'll need when we want to patch it later) and all that is in file Blood2.w32. Not so hard to understand, or? Now what we need is the @Offset number of the jne command. That is 00003389. Write down 3389 (you don't need the 0s, so write it down without all the 000s and without the little h at the end of the number). Now start Hiew.
4.At Hiew
---------
Ok, start Hiew. No matter whether you use H.exe or H95.exe. Ohh, it's DOS. Ok, switch in Hiew to the directory where you installed Blood2 and where you have Blood2.exe. Then open Blood2.exe. Uff, what's that? No panic. Press F4. Now choose Decode and press Enter. Ahh, looks a little bit better. Now press F5 (goto). In the upper left corner you can now enter a number. That's the place where you've to enter your @Offset numbers. Ours is 3389. Enter 3389 and press Enter. Hey... you were warped to the place which contains the jne command. Haha, we got you baby! Now press F3....

ShortCut: Now it can be the time where you'll receive something like "bad data read only mode"... Do you? Tstststsss.... what did I say at the beginning? "Please read this, it's very needful for you"... You made the mistake and didn't make two copies. Now you disassembled the Blood2.exe and want to edit it with Hiew. AEEE... that won't work. As I said, you can't edit one file with two different programs. Ok, switch back to Wdasm. Close Wdasm and switch back to Hiew. Now try it again... and next time you do what I said! ;)

You can edit the line. You see that the cursor was placed on the 0F8503010000. Hmm, a bit long... No problem. The number for jne is 75/85... As you see, it is there after the 0F. Now use the arrow keys to put the cursor on the 85. Change it to 84. Press F9 (save) and then F10 (quit). Ok, as you see we don't nop it, we change it from jne (jump if not equal) to je (jump if equal). If we'd nop it we'd have to replace the numbers with six 90s. No matter, now we've to look if it works. Go back to Windows and click on Blood2.exe. Peng, AHHHH, the special effect scream is great ;). Now... wait! Are you sure you want to risk it? Maybe we changed a wrong byte and now it'll shut down your PC or destroy some files (don't laugh, that's possible)? Ohh dude, what are we gonna do?
Are you brave enough to take it up with your machine? Ok.. slowly move your fat slimy burger finger to the Enter key... you're not sure... some seconds pass, but then you can't wait! OHH MY GOD! What have I done!?! TADA! THE GAME RUNS WITHOUT CD! ;))))) You cracked it, dude.

Ok, that's all for now, I hope you like this little tutorial. Watch out for my tutorial compilation called DephStar! Coming soon... For thanks that I made such a nice tutorial or for STUPID QUESTIONS mail me at: ByteBurn@onecooldude.com or reach me on IRC EFnet anywhere in #cracking4newbies #cracks.... Have a nice day and don't get busted by the cops ;) Thanks for reading this tutorial... by the way, I love to write data lines down.... ;)

PART 2: How to get a serial in Easy CD-DA Extractor v3.0.2
by Mr Fanatic/C4A
http://www.saunalahti.fi/~poiko/cdda3/

Easy CD-DA Extractor, as the name says, enables you to easily copy digital audio from an audio compact disc onto your computer.

1) Run CDDAE.EXE and you will see a message box stating that "Easy CD-DA Extractor 3 is shareware and may be previewed 21 days. Continued ..." and there are three buttons: "Enter registration code", "Register now!", and "Let me try it...".

2) Click on "Enter registration code" and enter the following:

   Registration name: mISTER fANATIC [C4A]
   Registration code: 1122334455

3) Press CTRL-D to return to SoftIce, type "bpx hmemcpy", and press CTRL-D to return to Easy CD-DA Extractor. Finally, click on the "OK" button to register and you are back in SoftIce.

4) Press F12 until you see the following:

   xxxx:0042BF77 8D4DFC          LEA ECX,[EBP-04]
   xxxx:0042BF7A 8B01            MOV EAX,[ECX]
   xxxx:0042BF7C 50              PUSH EAX
   xxxx:0042BF7D BA08614B00      MOV EDX,004B6108

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Then, type "g 42C023" and you will see the following:

   xxxx:0042C023 E8E457FDFF      CALL 0040180C       <-- Press "F8"
   xxxx:0042C028 84C0            TEST AL,AL
   xxxx:0042C02A 740C            JZ 0042C038

7) Press F8 to trace into the call.
Then, type "g 401A20" and you will see the following:

   xxxx:00401A20 E813FCFFFF      CALL 00401638            <-- KeyGen routine
   xxxx:00401A25 66C745CC3800    MOV WORD PTR [EBP-34],0038
   xxxx:00401A2B 83C408          ADD ESP,08
   xxxx:00401A2E 8D957CFFFFFF    LEA EDX,[EBP-0084]
   xxxx:00401A34 8D45E0          LEA EAX,[EBP-20]         <-- Type "d edx"

8) Press F10 until the line "xxxx:00401A34 8D45E0 LEA EAX,[EBP-20]" and type "d edx" and you will see some interesting registration code like "EZCDDAX3-472E9018-2FA64397-705" in the Data Window.

9) Press CTRL-D to return to Easy CD-DA Extractor. Enter the following:

   Registration name: mISTER fANATIC [C4A]
   Registration code: EZCDDAX3-472E9018-2FA64397-705

BOOM, it's registered! Well, I hope you learned something from this tutorial.

mailto: mr_fanatic@iname.com or c4a@iname.com

PART 3: How to get a serial in FlashFXP v1.0.58
by Mr. Fanatic/C4A
http://flashfxp.phix-it.com

1) Run FlashFXP.EXE and you will see the text "UNREGISTERED 30 DAY EVALUATION COPY".

2) Click on "HELP" and "ABOUT". Then, double click on the portrait of a man who is tickling his head. You will see the registration dialog box. Then, enter the following:

   Name: mISTER fANATIC [C4A]
   Reg. code: 1122334455

3) Press CTRL-D to return to SoftIce, type "bpx hmemcpy", and press CTRL-D to return to FlashFXP. Finally, click on the "OK" button to register and you are back in SoftIce.

4) Press F12 until you see the following:

   xxxx:0049E374 8B4DF8          MOV ECX,[EBP-08]
   xxxx:0049E377 A114124E00      MOV EAX,[004E1214]
   xxxx:0049E37C 8B00            MOV EAX,[EAX]
   xxxx:0049E37E BA78E44900      MOV EDX,0049E478
   xxxx:0049E383 E8D8070300      CALL 004CEB60

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Then, type "g 49E3C8" and you will see the following:

   xxxx:0049E3C8 E893070300      CALL 004CEB60
   xxxx:0049E3CD 8B45FC          MOV EAX,[EBP-04]
   xxxx:0049E3D0 50              PUSH EAX
   xxxx:0049E3D1 A130104E00      MOV EAX,[004E1030]

7) At "xxxx:0049E3D0 50 PUSH EAX", type "d edx" and you will see some interesting serial number in the Data Window.
8) Press CTRL-D to return to FlashFXP. You will see a dialog message box stating "Thank you for registering, you'll need to restart FlashFXP for the registration to take effect".

9) So, click on the "OK" button. Restart the FlashFXP program. BOOM, it's registered! Well, I hope you learned something from this tutorial.

mailto: mr_fanatic@iname.com or c4a@iname.com

PART 4: How to get a serial in Waste Whacker v3.20
by Mr. Fanatic/C4A
http://www.dbytes.com

Waste Whacker automates the process of removing unwanted files from your hard drives. These files can be backup files created by many applications, temp files not removed by Windows or other programs, files with a zero-byte size, old Internet cache files, plus many others. All file types are customizable by the user. Files can be sent to the Recycle Bin, completely removed from the system, or archived for later retrieval. Additionally, Waste Whacker can be run during Windows bootup.

1) Run WASTEW.EXE and you will see a message box stating "Waste Whacker - Trial Version... Purchase it for $19.95".

2) Click on "Option", "Register" and enter the following:

   User Name: C4A Team
   Registration Number: 665544332211

3) Press CTRL-D to return to SoftIce, type "bpx hmemcpy", and press CTRL-D to return to Waste Whacker. Finally, click on the "OK" button to register and you are back in SoftIce.

4) Press F12 until you see the following:

   xxxx:00475545 8B55F4          MOV EDX,[EBP-0C]
   xxxx:00475548 8D4340          LEA EAX,[EBX+40]
   xxxx:0047554B E860E6F8FF      CALL 00403BB0
   xxxx:00475550 8D55F4          LEA EDX,[EBP-0C]

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Then, type "g 475586" and you will see the following:

   xxxx:00475580 8B45FC          MOV EAX,[EBP-04]     <- real code
   xxxx:00475583 8B5340          MOV EDX,[EBX+40]     <- fake code
   xxxx:00475586 E85DE9F8FF      CALL 00403EE8
   xxxx:0047558B 7512            JNZ 0047559F         <- jump if not equal

7) Then, type "d eax" and you will see some interesting registration code like "633606821559" in the Data Window.
Type "d edx" and you will see another registration code like "665544332211". Hah, it's our entered registration code.

8) Press CTRL-D to return to Waste Whacker. Enter the following:

   User Name: C4A Team
   Registration Number: 633606821559

BOOM, it's registered! Well, I hope you learned something from this tutorial.

mailto: mr_fanatic@iname.com or c4a@iname.com

PART 5: How to crack HexDecOctBin 1.00
by KrYpToN

KrYpToN's Cracking Tutorial #1
------------------------------

Target: HexDecOctBin 1.00
Tools : SoftIce 3.24
        Hiew 6.01

HexDecOctBin (HDOB) is a nice little Hex/Dec/Oct/Bin conversion program with a nasty Nag Screen and Time Limit. So this requires two cracks. This tutorial assumes that you know a little about SoftIce and have done some cracking before, so this probably isn't the best tutorial for a complete beginner.

1) The Time Limit
-----------------
Unzip ROBHDOB.EXE and run it. You will see the nag screen that we will remove in part 2. Move the date forward a few months and re-run HDOB. You will see a message saying that the trial period is over. Close the program and start SoftIce (CTRL-D). Put a breakpoint on the GetLocalTime API - this is where the program gets the date from to check whether the trial period is over. Do this by typing:

BPX GETLOCALTIME

BTW, you can extend the trial period by editing the Registry. Run REGEDIT and search for ROBHDOB. You will arrive at a folder entitled ROBHDOB. Look in the 1.00 sub-folder and you will see two values called Last Launch and First Launch. Double click on them, modify the Value Data and exit REGEDIT. Run HDOB and the time trial should be extended.

Anyway, get out of SoftIce (CTRL-D again) and run HDOB. As soon as it starts, SoftIce will pop up saying something similar to...
Break due to BPX KERNEL32!GetLocalTime (ET=1.09 seconds)

As you can see on the green bar below the code, we are in KERNEL32, not HDOB. Press F11 and you will enter ROBHDOB just after the GetLocalTime call:

   CS:004054FC 8D4C2404      CALL [KERNEL32!GetLocalTime]
-->CS:00406502 51            LEA ECX,ESP+4
   ...
   ...

Now trace through the code until you get to...

   CS:0040281D 8378F800      CMP DWORD PTR [EAX-08],00
-->CS:00402821 7576          JNZ 00402899
   ...
   ...

This is the critical jump. We want to disable this jump so that it never executes. The easiest way to do this is to use NOP statements. Type a (ret) when your code pointer is over the jump statement and you will be able to enter new code. Type NOP (ret) twice and then press (ret) again to get out of the assemble function. BTW, NOP (if you don't already know) stands for No OPeration. It basically does nothing, and that's exactly what we want. Before I forget, you should make a note of the hex digits before the ASM instruction for use with the hex editor later.

Ok, disable all breakpoints by typing BD * and exit SoftIce (CTRL-D). The program should now run as normal - no "trial period over" message. To make this permanent, though, you have to edit the file with a hex editor (I like HIEW, so I'll be explaining how you would do it in HIEW). Open the file and press F4, select hex mode and then press F7. This is the search function. In the HEX section type in the hex bytes of the jump (7576) and press (ret). Check that you have arrived at the correct place by checking that the hex bytes before the 7576 match up with the previous hex bytes in SoftIce. You should get there on your first jump. Now press F3 to get into edit mode and replace 7576 with 9090 (the two NOP instructions), press Update (F9) and then this first crack is complete!

2) The Nag Screen
-----------------
This is really easy - all you need is a hex editor (use HIEW).
If you have read tKC's Tutors 2 and 3 (if you haven't, read them all) then this won't be new to you. All you have to do is search for the hex string: FF FF 82. This is some kind of open-window command that, if changed to FF FF 7E, doesn't open the window. Enter HIEW and get into hex mode (F4 if you have forgotten) and search for FF FF 82. Keep searching (CTRL-F7) until you see some of the words in the ASCII section that are from the shareware nag screen. There should be an FF FF 82 string at around offset 2DC3C (at the top of the screen - make sure that ShowOffset in the HIEW.INI is set to Global). Now change the 82 to 7E, save and exit. Run HDOB and there you have it, HDOB completely nag-free!

3) Writing Patches
------------------
I'm not going to say a lot here, I will just put in some Pascal source for you to look at. It is only a shell, it has no error checking, it just patches the program. So here it is....

---------------CUT-HERE---------------------------------------------------
PROGRAM HDOBCRK;

{ File offsets of the three bytes to change, the bytes expected there,
  and the bytes to write instead (75 76 -> 90 90 = two NOPs, 82 -> 7E) }
CONST OFFSETS  : ARRAY [1..3] OF LONGINT = ($1C21, $1C22, $2DC3C);
CONST OLDBYTES : ARRAY [1..3] OF BYTE    = ($75, $76, $82);
CONST NEWBYTES : ARRAY [1..3] OF BYTE    = ($90, $90, $7E);

VAR FH1    : FILE;
    BUFFER : BYTE;
    COUNT  : BYTE;

PROCEDURE ERROR;
BEGIN
  WRITELN('ERROR - EXITING PROGRAM');
  HALT(1);
END;

BEGIN
  WRITELN('HEX/DEC/OCT/BIN CRACK BY KrYpToN');
  WRITELN;
  WRITELN('PATCHING FILE...');
  {$I-}
  ASSIGN(FH1,'ROBHDOB.EXE');
  {$I+}
  RESET(FH1,1);                        { open as untyped file, 1-byte records }
  FOR COUNT:=1 TO 3 DO
  BEGIN
    SEEK(FH1,OFFSETS[COUNT]);
    BLOCKREAD(FH1,BUFFER,1);           { read the byte currently at the offset }
    IF BUFFER=OLDBYTES[COUNT] THEN     { only write if it is the byte we expect }
    BEGIN
      SEEK(FH1,OFFSETS[COUNT]);
      BLOCKWRITE(FH1,NEWBYTES[COUNT],1);
    END
    ELSE
      ERROR;
  END;
  CLOSE(FH1);
  WRITELN('PATCHING COMPLETED');
END.
---------------CUT-HERE---------------------------------------------------

Email me at KrYpToN1999@Hotmail.com if you have any suggestions or comments.
-KrYpToN

PART 6: How to crack FLOPPYLABEL 4.1
by RSiP
http://www.ziplabel.com

Tutor by RSiP

Tools to use
~~~~~~~~~~~~
W32DASM 8.93
HIEW 6.01

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
FLPLABEL 4.1
http://www.ziplabel.com

Start FLPLABEL. Go to SPINE, then go to CUSTOMIZE INITIALS... You will see:

Registration Error
Sorry, Only registered users may access this function

*remember Registration Error*

Start W32DASM. Load FLPLABEL.EXE. When ready go to REFS, then go to String Data References. In StrnREF go to "Registration Error"; if found, double click it to go to the lines... You will see:

:00411568 E853A90000              call 0041BEC0
:0041156D 83C40C                  add esp, 0000000C
:00411570 85C0                    test eax, eax
:00411572 7518                    jne 0041158C
:00411574 6A10                    push 00000010

* Possible StringData Ref from Data Obj ->"Registration Error"
                                  |
:00411576 68486F4300              push 00436F48

* Possible StringData Ref from Data Obj ->"Sorry, only registered users may "
                                        ->"access this function"

Did you see ":00411568 E853A90000 call 0041BEC0"? Let's look at this call by pressing the "CALL" button at the top.
You see this:

* Referenced by a CALL at Addresses:
|:00403886   , :00409C65   , :0041120F   , :00411568   , :00412B0E
|
:0041BEC0 83EC0C                  sub esp, 0000000C
:0041BEC3 8B542414                mov edx, dword ptr [esp+14]
:0041BEC7 8B4C2410                mov ecx, dword ptr [esp+10]
:0041BECB 89542404                mov dword ptr [esp+04], edx
:0041BECF 80F242                  xor dl, 42
:0041BED2 8B442418                mov eax, dword ptr [esp+18]
:0041BED6 88542404                mov byte ptr [esp+04], dl
:0041BEDA 8A542407                mov dl, byte ptr [esp+07]
:0041BEDE 53                      push ebx
:0041BEDF 8A5C2409                mov bl, byte ptr [esp+09]
:0041BEE3 80F266                  xor dl, 66
:0041BEE6 894C2404                mov dword ptr [esp+04], ecx
:0041BEEA 8854240B                mov byte ptr [esp+0B], dl
:0041BEEE 8A542406                mov dl, byte ptr [esp+06]
:0041BEF2 80F365                  xor bl, 65
:0041BEF5 80F241                  xor dl, 41
:0041BEF8 80F144                  xor cl, 44
:0041BEFB 3AD3                    cmp dl, bl
:0041BEFD C6400300                mov [eax+03], 00
:0041BF01 751A                    jne 0041BF1D            <= BAD BOY
:0041BF03 8A54240B                mov dl, byte ptr [esp+0B]
:0041BF07 884802                  mov byte ptr [eax+02], cl
:0041BF0A 8A4C2408                mov cl, byte ptr [esp+08]
:0041BF0E 8810                    mov byte ptr [eax], dl
:0041BF10 884801                  mov byte ptr [eax+01], cl
:0041BF13 B801000000              mov eax, 00000001
:0041BF18 5B                      pop ebx
:0041BF19 83C40C                  add esp, 0000000C
:0041BF1C C3                      ret

Let's see what the BAD BOY jump does... press the "Jump to" button at the top.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041BF01(C)
|
:0041BF1D 8B0D6C094500            mov ecx, dword ptr [0045096C]
:0041BF23 85C9                    test ecx, ecx
:0041BF25 740A                    je 0041BF31
:0041BF27 B801000000              mov eax, 00000001
:0041BF2C 5B                      pop ebx
:0041BF2D 83C40C                  add esp, 0000000C
:0041BF30 C3                      ret

Well, let's crack the program. Set the green bar at the line

:0041BF01 751A                    jne 0041BF1D

At the bottom you see @Offset 0001B301h. This is where you enter the program with Hiew.

Hiew cdrlabel.exe
press F4 [mode]
press F3 [select mode DECODE]
press F5 [goto line.....]
Enter 0001B301. You'll see:

:0041BF01 751A                    jne 0041BF1D

Change 751A to 9090 by pressing F3 [EDIT] and when done press F9 [UPDATE]. The line now looks like:

:0041BF01 90                      nop
:0041BF02 90                      nop

BTW, you can also change this line from JNE to JE, but I like the NOP better!

Start FLPLABEL. Go to SPINE, then go to CUSTOMIZE INITIALS... Now you can enter your initials.... Or start FLPLABEL, go to HELP, then ABOUT FLPLABEL...

*** THANKS FOR REGISTERING! ***

BTW, this works on all the label programs version 4.1 from ZIPLABEL.COM.

RSiP would like to thank tKC for his tutors.

PART 7a: How to make a keygen for Calendar Builder 3.2d
by tKC/CiA '99
http://www.rks-software.com

(I won't give you full details how I cracked this product, but I'll tell you how to make a keygen, it's so easy....)

Step 1. Make sure your SoftIce is loaded, and now run CB.EXE.
Step 2. Press CTRL-D and type BPX SHOWWINDOW, press CTRL-D again to return to CB. Click Help, then click Enter Serial Number.
Step 3. You should be back in SoftIce now, type G 4929BA.
Step 4. Now you're back at CB, type "tKC" as name, and "12345" as serial.
Step 5. Now type D EAX and you'll see our serial in the Data Window: RKS-451319.
Step 6. Kool, we have a serial now, but we won't need to enter this correct serial. Now repeat Step 2 and Step 3, type "a" as name, and "12345" as serial.
Step 7. Now type D EAX and you'll see our serial in the Data Window: RKS-129804.
Step 8. Ok, repeat Step 2 and Step 3, type "b" as name, and "12345" as serial.
Step 9. Now type D EAX and you'll see our serial in the Data Window: RKS-131801.
Step 10. Ok, repeat Step 2 and Step 3, type "A" as name, and "12345" as serial.
Step 11. Now type D EAX and you'll see our serial in the Data Window: RKS-129804.
Step 12. For the last time, repeat Step 2 and Step 3, type "a " (a + space) as name, and "12345" as serial.
Step 13. Now type D EAX and you'll see our serial in the Data Window: RKS-129804.
Step 14. Okay, write down on your paper:

   a = 129804
   b = 131801
   A = 129804
   a = 129804 (with space)

Step 15.
If you look at those serials, you'll notice the "a" (without space) and "a " (with space) serials are the same, so we'll say the space character gives you RKS-0 as serial. You're following me, right?

Step 16. Take your calculator and do 131801 - 129804 = ??? ... what do we get? 1997, right? I bet "c" will give you 133798 as serial.

Step 17. Ok, I have another page here that gives me all the ASCII values for characters:

     0 -        32 - (space)   64 - @    96 - `   128 - ?   160 -
     1 -        33 - !         65 - A    97 - a   129 - ?   161 -
     2 -        34 - "         66 - B    98 - b   130 - '   162 -
     3 -        35 - #         67 - C    99 - c   131 - ?   163 -

etc etc etc, got it? Okay! :)

Step 18. Take your calculator, do 33 * 1997 = ??? ... it'll be 65901, right? ... 65 * 1997 = ??? 129805 ..hmm.. 97 * 1997 = ??? ..193709 ..hmm.. "A" gives me 129804, why 193709?? Ah, remember "a" and "A" are the same, so UpperCase characters don't matter. Ok, 66 * 1997 = ??? ... 131802 ..hmm.. now we know we should subtract 1 from each of the values, eg:

   1) 33 * 1997 = 65901
   2) 65 * 1997 = 129805
   3) 66 * 1997 = 131802

   65901  - 1 = 65900
   129805 - 1 = 129804
   131802 - 1 = 131801

So "!" gives me 65900, "a" gives me 129804, "b" gives me 131801, right?

Step 19. Ok, the rest should be easier to solve. I hope you have Visual Basic 5/6 installed. Else you can use Delphi. But this time I'll use VB5. :)

Step 20. Ok, in your VB, put a TextBox on your form, it'll be called Text1. Put another TextBox on the form, as Text2. And then put a CommandButton on the form, it'll be Command1.

Step 21. Doubleclick on the CommandButton, now you can enter your coding here (HEY! I'm not teaching you how to use VB! Only how to calculate your serial!) :)

Step 22. Ok, in the code window at Private Sub Command1_Click(), type here:

Private Sub Command1_Click()
    ' shit, shit2, shit3, shit4 and shit5 are left undeclared (Variants) on purpose:
    ' the Len(shit) trick at the end relies on shit being a Variant.
    For a = 1 To Len(Text1.Text)                 ' loop counter, for the length of the name
        BO = Mid(Text1.Text, a, 1)               ' extract each character from your name
        If BO = Chr(32) Then                     ' if the character is " " (space) then
            shit = shit + 0                      ' don't subtract 1, don't multiply, so it's 0
        End If
        If (BO > Chr(96)) And (BO < Chr(123)) Then   ' if the character is "a" up to "z" then
            shit2 = Asc(BO) - 32                 ' 'converts' to UpperCase (97 - 32 = 65), got it??
            shit2 = shit2 * 1997                 ' multiply by 1997 (65 * 1997 = 129805)
            shit2 = shit2 - 1                    ' subtract 1 (129805 - 1 = 129804)
            shit = shit + shit2                  ' add to the old value, eg. entering "a" gives
        End If                                   '   0 + 129804 = 129804
        If (BO > Chr(32)) And (BO < Chr(97)) Then    ' if the character is "!" up to "`" then
            shit3 = Asc(BO)                      ' eg. "!" = 33
            shit3 = shit3 * 1997                 ' 33 * 1997 = 65901
            shit3 = shit3 - 1                    ' 65901 - 1 = 65900
            shit = shit + shit3                  ' eg. entering "a!" gives 129804 + 65900 =
        End If                                   '   195704, got it? ;)
        If (BO > Chr(122)) And (BO < Chr(127)) Then  ' if the character is "{" up to "~" then
            shit4 = Asc(BO)                      ' eg. "{" = 123
            shit4 = shit4 * 1997                 ' same as above
            shit4 = shit4 - 1                    ' eg. entering "tKC" gives
            shit = shit + shit4                  '   "t" : (116 - 32) * 1997 = 167748 - 1 = 167747 +
        End If                                   '   "K" : 75 * 1997 = 149775 - 1 = 149774 +
    Next a                                       '   "C" : 67 * 1997 = 133799 - 1 = 133798 +
                                                 '   ------ 451319
    shit5 = Right(Str(shit), Len(shit))          ' converts the value to a string; Len of the Variant
                                                 ' is the digit count, so this drops Str's leading space
    Text2.Text = "RKS-" + shit5                  ' gives you the final serial, eg. RKS-451319
End Sub

Step 23. Ok, compile this babe, enter your name, and try it in CB to check if it's valid! ;)

Step 24. Geez, that's fun, right?? :) Let's do 1 more at PART 7b below, the same protection... :)

Step 25. Doubleclick this line to extract my source code for VB5!

PART 7b: How to make a keygen for Visual Business Cards 3.2c
by tKC/CiA '99
http://www.rks-software.com

(I won't give you full details how I cracked this product, but I'll tell you how to make a keygen, it's so easy....)

Step 1. Make sure your SoftIce is loaded, and now run VBC.EXE.
Step 2.
Press CTRL-D and type BPX SHOWWINDOW, press CTRL-D again to return to VBC. Click Help, then click Enter Serial Number.

Step 3. You should be back in SoftIce now, type G 45C0F6.

Step 4. Now you're back at CB, type "tKC" as name, and "12345" as serial.

Step 5. Now type D EAX and you'll see our serial in the Data Window: RKS-1347183.

Step 6. Kool, we have a serial now, but we won't need to enter this correct serial. Now repeat Step 2 and Step 3, type "a" as name, and "12345" as serial.

Step 7. Now type D EAX and you'll see our serial in the Data Window: RKS-387464.

Step 8. Ok, repeat Step 2 and Step 3, type "b" as name, and "12345" as serial.

Step 9. Now type D EAX and you'll see our serial in the Data Window: RKS-393425.

Step 10. Ok, repeat Step 2 and Step 3, type "A" as name, and "12345" as serial.

Step 11. Now type D EAX and you'll see our serial in the Data Window: RKS-387464.

Step 12. For the last time, repeat Step 2 and Step 3, type "a " (a + space) as name, and "12345" as serial.

Step 13. Now type D EAX and you'll see our serial in the Data Window: RKS-387464.

Step 14. Okay, write down on your paper:

    a  = 387464
    b  = 393425
    A  = 387464
    a  = 387464 (with space)

Step 15. If you look at those serials, you'll notice the "a" (without space) and "a " (with space) serials are the same, so we'll say the space character gives you RKS-0 as serial. Are you following me, right?

Step 16. Take your calculator and do 393425 - 387464 = ??? ... what do we get? 5961, right? I bet "c" will give you 399386 as serial.

Step 17. Ok, I have another page here that gives me all the ASCII values for characters:

    32 = (space)    64 = @    96 = `
    33 = !          65 = A    97 = a
    34 = "          66 = B    98 = b
    35 = #          67 = C    99 = c

etc etc etc, got it? Okay! :)

Step 18. Take your calculator, do 33 * 5961 = ??? ... it'll be 196713, right? ... 65 * 5961 = ??? 387465 ..hmm.. 97 * 5961 = ??? ..578217 ..hmm.. "A" gives me 387464, why 578217?? Ah, remember "a" and "A" are the same, so UpperCase characters don't matter. Ok, 66 * 5961 = ??? ... 393426 ..hmm.. now we know we should subtract 1 from each of the values, eg:

    1) 33 * 5961 = 196713    196713 - 1 = 196712
    2) 65 * 5961 = 387465    387465 - 1 = 387464
    3) 66 * 5961 = 393426    393426 - 1 = 393425

So "!" gives me 196712.. "a" gives me 387464.. "b" gives me 393425, right?

Step 19. Ok, the rest should be easier to solve. I hope you have Visual Basic 5/6 installed. Else you can use Delphi. But this time I'll use VB5. :)

Step 20. Ok, in your VB, put a TextBox on your form, it'll be called Text1. Put another TextBox on the form, as Text2. And then put a CommandButton on the form, it'll be Command1.

Step 21. Double-click on the CommandButton, now you can enter your coding here (HEY! I'm not teaching you how to use VB! Only how to calculate your serial!) :)

Step 22. Ok, in the code window at Private Sub Command1_Click(), type this:

    Private Sub Command1_Click()
        Dim a As Integer, BO As String
        Dim shit As Long, shit2 As Long, shit3 As Long, shit4 As Long
        Dim shit5 As String
        For a = 1 To Len(Text1.Text)                    ' loop counter, for the length of the name
            BO = Mid(Text1.Text, a, 1)                  ' extract each character from your name
            If BO = Chr(32) Then                        ' if the character is " " (space) then
                shit = shit + 0                         ' don't subtract 1, don't multiply, so it'll be 0
            End If
            If (BO > Chr(96)) And (BO < Chr(123)) Then  ' if the character is "a" up to "z" then
                shit2 = Asc(BO) - 32                    ' 'converts' to UpperCase (97 - 32 = 65), got it??
                shit2 = shit2 * 5961                    ' multiply with 5961 (65 * 5961 = 387465)
                shit2 = shit2 - 1                       ' subtract 1 (387465 - 1 = 387464)
                shit = shit + shit2                     ' add to the old value, eg. "a" gives 0 + 387464 = 387464
            End If
            If (BO > Chr(32)) And (BO < Chr(97)) Then   ' if the character is "!" up to "`" then
                shit3 = Asc(BO)                         ' eg. "!" = 33
                shit3 = shit3 * 5961                    ' 33 * 5961 = 196713
                shit3 = shit3 - 1                       ' 196713 - 1 = 196712
                shit = shit + shit3                     ' eg. "a!" gives 387464 + 196712 = 584176, got it? ;)
            End If
            If (BO > Chr(122)) And (BO < Chr(127)) Then ' if the character is "{" up to "~" then
                shit4 = Asc(BO)                         ' eg. "{" = 123
                shit4 = shit4 * 5961                    ' same as above
                shit4 = shit4 - 1
                shit = shit + shit4
            End If
        Next a
        shit5 = Trim(Str(shit))                         ' converts the value to a string (no leading space)
        Text2.Text = "RKS-" + shit5                     ' gives you the final serial, eg. RKS-1347183
    End Sub

eg. if you enter "tKC":

    "t" : (116 - 32) * 5961 = 500724 - 1 = 500723
    "K" :        75  * 5961 = 447075 - 1 = 447074
    "C" :        67  * 5961 = 399387 - 1 = 399386
                                          -------
                                          1347183

Step 23. Ok, compile this babe, enter your name, and try it in VBC to check if it's valid! ;)

Step 24. Geez, that's fun, right? :) Enough for today! Cya next time ...tKC

Step 25. Double-click this line to extract my source code for VB5!

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #16 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

    Fli7e for the Splash Logo
    ByteBurn for providing tuts in this version.
    Mr. Fanatic/C4A for providing tuts in this version.
    KrYpToN for providing tuts in this version.
    RSiP for providing tuts in this version.
    tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 25 February 1999

Cracking Tutorial #15 is dedicated to all the crackers...