Welcome to Cracking Tutorial #18! WOW, #17 and #18 today! Nothing is gonna stop us now! :)

widYa-cL/2011 has sent me 7 tutors, so I decided to include all of his tutors here. Enjoy them! :) Warning: this tutorial is a real mother! *grin* OK, let's rave!

You'll need the following tools (I use these tools and assume you'll use them too; you won't need every one of them for every example, but keep them handy):

  SoftICE 3.24 Beta
  W32Dasm 8.93
  Hacker's View 6.03
  SmartCheck 6.01
  TASM 5.00
  Windows Commander 3.53 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

  http://surf.to/HarvestR
  http://catalyst.intur.net/~Iczelion/tools.html

or ask any cracker to get you these tools! Are you ready?! OK! ;)


PART 1:
~~~~~~

WIDYA-cL 2011 [ WORLD CRACKING LINK ]
Reverse Engineering Lab ... from newbie to another ...

Serial Catching in VB5
Targets    : Pretty Good Solitaire 98, Pam v1.13
Tools Used : SoftICE v3.24

Intro

Hi guys, you are reading my 3rd tutor. Sorry if there are any grammatical errors; I hope you'll understand this piece. This is my first experience with VB programs. I've heard a lot of comments about VB protection schemes; someone said "VB is the newbie's nightmare". Hmm, it sounds like a challenge to me. I invite you to join me in reversing these "naughty" programs.

Flash Course Tips & Tricks (SandMan):

Visual Basic cracking still remains, to many, a tough nut to crack, because you can't just dead-list it and expect to see where you're going. Therefore we need to adopt new methods to circumvent this natural barrier, and one possible way is to locate routines within the VB runtime library that we can place traps (breakpoints) on with SoftICE.
In order to program SoftICE to quickly locate the String Compare Routine for us, we place the following three lines in our WINICE.DAT file:

  AF4="^s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7;"
  EXP=C:\WINDOWS\SYSTEM\VB40032.DLL
  EXP=C:\WINDOWS\SYSTEM\MSVBVM50.DLL

This has been tested on both VB4 and VB5 programs and does work. However, if the target program uses Integers/Reals for the serial number, then the program will use a different set of routines instead, bypassing our String Compare Routine altogether. In order to combat this I think I've found an Integer/Real routine in VB5 that we can place a BPX on that will show us the *real* numeric serial that the program expects us to use. The VB5 routine looks like this:

  PUSH EBP-20
  CALL MSVBVM50._vbaR8Str          ; Convert string to Integer/Real
  FCOMP QWORD PTR [00401028]       ; Our numeric compare!

Once you land on FCOMP QWORD PTR [00401028], type:

  DL 00401028

to see the *real* serial #. DL is not a typing error: DL means Display Long/real, while D on its own simply uses the current display format. See the SoftICE manual for more information on SoftICE commands.

Okay, we now have something new for SoftICE to check on, so let's program this new search macro into it. Open up WINICE.DAT and make sure you have these lines:

  EXP=C:\WINDOWS\SYSTEM\VB40032.DLL
  EXP=C:\WINDOWS\SYSTEM\MSVBVM50.DLL
  AF3="^s 0 l ffffffff FF,75,E0,E8,85,EF,FF,FF,DC,1D,28,10,40,00,DF,E0,9E,75,03;"
  AF4="^s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7;"

ALT-F3 is our Integer/Real Compare search, works only in VB5.
ALT-F4 is our String Compare search, works in VB4 and VB5.


Pretty Good Solitaire 98

Author   : Thomas Warfield, Goodsol Development Inc.
Email    : support@goodsol.com
Homepage : http://www.goodsol.com

Overview

Pretty Good Solitaire 98 is a collection of 230 solitaire games, from classic games like Klondike, FreeCell, and Spider, to 22 original games invented especially for the program.
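The WINICE.DAT macros above are plain byte searches over the whole address space. The script below is an added example (my code, not SandMan's, widYa-cL's, or anything from SoftICE or the VB runtime) that performs the same search offline over a module image read from disk, for the ALT-F3 and ALT-F4 patterns listed here and for the REP MOVSB epilogue pattern that this part programs into ALT-F5 later on. One thing it adds that the SoftICE `s` command cannot: the ALT-F3 signature embeds a relative CALL displacement (E8 85 EF FF FF) and an absolute data address (28 10 40 00, i.e. 00401028 inside the target program), both of which change from one compiled program to the next, so those bytes are wildcarded. The sample image is constructed inline and contains an ALT-F3 instance with a different displacement and address; the module path handling in main() is hypothetical and positions are file offsets, not the SEGMENT:OFFSET that SoftICE prints.

```python
"""Offline equivalent of the SoftICE 's' searches behind the ALT-F3 / ALT-F4 /
ALT-F5 macros: scan a module image for the VB runtime code patterns.

Added example (not part of the original tutorial or of SoftICE/Microsoft code).
Assumptions: the image is read from disk as raw bytes, so reported positions
are file offsets rather than the SEGMENT:OFFSET SoftICE prints; the module
path in main() is hypothetical.  The sample image is constructed inline."""
import re
import struct
import sys

# Patterns as the tutorial programs them into WINICE.DAT.  The ALT-F3 pattern
# contains a relative CALL displacement (E8 85 EF FF FF) and an absolute data
# address (28 10 40 00) that belong to one compiled program; those bytes are
# wildcarded here ("??") so the same signature survives a different build.
SIGNATURES = {
    "ALT-F3 integer/real compare (VB5)":
        "FF 75 E0 E8 ?? ?? ?? ?? DC 1D ?? ?? ?? ?? DF E0 9E 75 03",
    "ALT-F4 string compare (VB4/VB5)":
        "56 57 8B 7C 24 10 8B 74 24 0C 8B 4C 24 14 33 C0 F3 66 A7",
    "ALT-F5 REP MOVSB epilogue":
        "F3 A4 5D 5F 5E 5B C2 08 00",
}


def signature_to_regex(sig: str) -> re.Pattern:
    """Turn 'AA ?? BB' into a bytes regex; ?? matches any single byte."""
    parts = []
    for tok in sig.split():
        if tok == "??":
            parts.append(b".")
        else:
            parts.append(re.escape(bytes([int(tok, 16)])))
    return re.compile(b"".join(parts), re.DOTALL)


def scan(image: bytes, signatures=SIGNATURES) -> dict:
    """Return {name: [offset, ...]} for every signature found in image."""
    hits = {}
    for name, sig in signatures.items():
        rx = signature_to_regex(sig)
        hits[name] = [m.start() for m in rx.finditer(image)]
    return hits


def build_sample_image() -> bytes:
    """Constructed stand-in for a module: filler, then the three code sequences
    at known offsets.  The ALT-F3 instance uses a different CALL displacement
    and data address than the tutorial's, to show the wildcards matching."""
    alt_f3 = (bytes.fromhex("FF75E0")                       # push dword ptr [ebp-20]
              + b"\xE8" + struct.pack("<i", -0x1234)        # call rel32 (other build)
              + b"\xDC\x1D" + struct.pack("<I", 0x00402010)  # fcomp qword ptr [addr]
              + bytes.fromhex("DFE09E7503"))                 # fnstsw ax / sahf / jne
    alt_f4 = bytes.fromhex("56578B7C24108B74240C8B4C241433C0F366A7")
    alt_f5 = bytes.fromhex("F3A45D5F5E5BC20800")
    return (b"\x90" * 0x100 + alt_f4
            + b"\xCC" * 0x40 + alt_f3
            + b"\x00" * 0x20 + alt_f5 + b"\x00" * 0x10)


def main(path=None):
    image = build_sample_image() if path is None else open(path, "rb").read()
    for name, offs in scan(image).items():
        shown = ", ".join(f"{o:08X}" for o in offs) or "not found"
        print(f"{name}: {shown}")


if __name__ == "__main__":
    main(sys.argv[1] if len(sys.argv) > 1 else None)
```

Run it with no argument to see the three hits in the constructed image, or pass a path (for example a copy of MSVBVM50.DLL) to get file offsets you can convert to a load address yourself. The wildcard version of ALT-F3 is what you would actually want in WINICE.DAT if SoftICE supported wildcards; since it does not, the tutorial's fixed-byte AF3 line only finds the compare in programs whose fcomp constant lives at exactly 00401028.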
Features: 230 solitaire games, full 256-color graphics, sound, undo to the beginning of the game, redo of all moves undone, automatic game saving on exit, selectable card backs, automatic card moving, quick mouse shortcuts for easy play (right click: quick move; middle click: undo; double click: move to foundation), over 2 billion starting positions for each game, statistics for multiple players, full history of the scores of all games played, selectable background colors for each game, a choice of the bitmap backgrounds provided or any tileable bitmap file as a background, snapshot position (return to a previously saved position), and the Solitaire Wizard, which lets you create your own solitaire games by selecting the rules; millions of different games can be created.

Protection system

An interesting one, since there is no registration screen to enter registration data, but the help file mentions this: "If you do register this program, this is what you will get for your money: a registration code and instructions on how to input this code to register your copy." Hmm, it seems Thomas wants to play a game with us. Hurrah, this will be fun! Somehow it reminds me of Sandra Bullock in "The Net"... are you thinking what I'm thinking!?

Firstly I tried holding the [CTRL] key and clicking on cards in the Help menu: the order screen pops up. Try again, click on Register: #boom#. Huh, game over, that was too easy. Here we're asked to enter:

  Name :
  Registration Code :

The registration code is based on what you type in for the name.

1. Deep within your System Registry it uses the following branch to store its license data:
     HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration
       Code=" "
       Name=" "
       RVersion="4.98.2"
2. It's a 30-day, time-limited program that will 'expire' 30 days after being installed.

The essay ...

Click on Help - About, hold the [CTRL] key and click on [Register]. #boom#
Use the following entry as an example:

  Name : widYa@cL 2011
  Registration Code : 0101010

DO NOT push [OK] yet. Fire up SoftICE (CTRL+D) and set a breakpoint on HMEMCPY:

  BPX HMEMCPY [ENTER]
  X [ENTER]            ; leave SoftICE

Then click the [OK] button. #bOOm# From here press F12 seven times to get into MSVBVM50.DLL code. Now we want to quickly find the routine that compares our serial number with the *real* one, and we can do this effortlessly by pressing ALT-F4. SoftICE should now report back one memory location where the subroutine we're looking for is to be found. In my case SoftICE reported:

  Pattern found at 017F:7B2FD9EA     <- this address (SEGMENT:OFFSET) will be different on your system!

Your next step is to set a breakpoint on it, but first clear the HMEMCPY breakpoint, because we don't need it anymore:

  BC* [ENTER]
  BPX 7B2FD9EA [ENTER]   ; once again, this address will be different on your system
  X [ENTER]              ; leave SoftICE

#boom# SoftICE should now display this code snippet:

  56           push esi             ; save esi for later use
  57           push edi             ; save edi for later use
  8B7C2410     mov edi, [esp+10]    ; press F10 here, then D EDI: you'll see
                                    ; "MICHAEL KREYLING" in wide-char format.
                                    ; Scroll down the data window until you see:
                                    ;   . . . . \ 5 S . & . . . . . . . 9 . 8 . 1 . 9 . 7 . 7 . 6 . 0 . 0 . . . Z . { . {
  8B74240C     mov esi, [esp+0C]    ; F10, then D ESI: you'll see "WIDYA@CL 2011"
                                    ; in wide-char format

Hmm, strange, isn't it? This routine is checking for a name we didn't type in, "Michael Kreyling". Makes me wonder: is it used for the generation of the valid serial, or does the author have a bad memory of this guy? Anyway, the number 981977600 seems to be our valid registration code. Clear all the breakpoints:

  BC* [ENTER]
  X [ENTER]

Enter the registration again:

  Name : widYa@cL 2011
  Registration Code : 981977600

Push [OK]. Huh,
no expression of thanks!? Look in Help - About:

  Registered to : widYa@cL 2011 981977600

(NOTE: to unregister PGS98 run regedit, go to HKEY_CURRENT_USER\Software\Goodsol\PGS98\Registration and delete the Registration key.)

I've noticed a few 'odd' things in the generation of a valid serial after trying different registration names, e.g.:

1. When I used "CrackZ" as the name, the data window showed the number "652288". I entered the registration screen again with:

     Name : CrackZ
     Registration Code : 652288

   [OK] ... #boom# ... "Sorry. Invalid Registration Code". Then I looked again at every valid registration number I'd got: it always begins with "98". Let's check it out:

     Name : CrackZ
     Registration Code : 98652288

   [OK] ... #boom# ... now registered.

2. I also tried the following details:

     Name : widYa
     Registration Code : 0101010

   'Damn', the valid code never showed up, so I changed my dummy code, and after a few tries with different keys it finally showed up: "98467069". Hmm, though I'd found the valid code I wasn't satisfied, since we must scroll down the data window and sometimes we need to repeat the routine. Is there 'something' left behind? Is it a bug? Aaahhh, I'm sleepy now, I'd better sleep...

#DAMN# Who said that VB programs are the newbie's nightmare!? Huh, now I'm back, with new energy, let's continue our examination. From what I've learned, VB programs are not really "programs", since they make a lot of calls into a library (DLL). Let's say it wants to convert a string to uppercase: then it will call a function in a DLL (dynamic link library) that performs this task.
Especially in serial protection schemes we can say there are three main routines we need to know (I've discussed this in my 2nd tutor): read your input, calculate a code with some formula, compare our input with the correct one. Now, if we'd like to write a program, we will make it as effective and as efficient as possible, right? The same goes for the writer of MSVBVM50.DLL: he must have written one good function for any uppercase-string task, one good function for any compare-strings task, etc. Now I'd like to find a function in MSVBVM50.DLL which generates our valid code for all VB programs with serial protection schemes. Is it possible? Hmm, where do we start? Think... think... think! From what we've seen, our name was converted to uppercase (right?). A good start for me. What's this function's name in MSVBVM50.DLL: rtcUpperCaseBstr? Let's check it out. Enter the registration again with:

  Name : CrackZ
  Registration Code : 0101010

CTRL+D, then:

  BPX rtcUpperCaseBstr [ENTER]
  X [ENTER]

[OK] ... #bOOm# ... press F12 once, we land here:

  7B3CF8DC  E8ADFFFFFF    CALL MSVBVM50!rtcUpperCaseBstr
  7B3CF8E1  66833E08      CMP WORD PTR [ESI], 08      ; D EAX: "CRACKZ" in wide-char format. Set a BPX here.
  7B3CF8E5  8945F8        MOV [EBP-08], EAX

  BC* [ENTER]
  BPX 7B3CF8E1     ; this address might be different on your system
  X [ENTER]
  X [ENTER]

D EAX: you'll see "UNREGISTERED COPY" in wide-char format. Scroll down the data window and we find the fixed valid reg code "98652288", but we still need to repeat entering the registration sometimes to find it. I don't know if all these 'odd' things happen on your system too. Are you thinking what I'm thinking? Yeah: where is that "bloody" function! After learning about VB functions for a few minutes I decided to use the __vbaStrCat function. Now enter the registration again, fill out the entries, CTRL+D.
  BC* [ENTER]
  BPX __vbaStrCat [ENTER]
  X [ENTER]

[OK] ... #BOOM# ... F12 once, we land here:

  7B3EEC36  E85434F0FF    CALL MSVBVM50!__vbaStrCat
  7B3EEC3B  50            PUSH EAX        ; we're gonna set a BPX here

D EAX. What do you see? "M I". Interesting? No??

  BC* [ENTER]
  BPX 7B3EEC3B     ; this address will be different on your system
  X [ENTER]

D EAX. What do you see? "M I C". Interesting? No??

  X [ENTER]

D EAX. What do you see? "M I C H". Interesting? Hmm!? Here I decided to trace into the CALL ... snip ... snip ... snip ... hey, I think I found the code which generates the data we looked at in EAX. Here is the snippet:

  F3A4     REP MOVSB     ; copy bytes while ecx != 0
  5D       POP EBP       ; D EAX here
  5F       POP EDI
  5E       POP ESI
  5B       POP EBX
  C20800   RET 0008

Let's create function keys to make your examination easier. Open up WINICE.DAT and make the following changes:

  AF5="^s 0 l ffffffff F3,A4,5D,5F,5E,5B,C2,08,00;"
  F5="^x;^dd eax;"

Restart Windows, make another cup of coffee. Now enter the registration again with:

  Name : CrackZ
  Registration Code : 0101010

CTRL+D ...

  BPX __vbaStrCat [ENTER]
  X [ENTER]

[OK] ... #BOOM# ... press ALT+F5. In my case SoftICE reported:

  Pattern found at 017F:7B2F20F5     <- this address (SEGMENT:OFFSET) will be different on your system!

  BC* [ENTER]
  BPX 017F:7B2F20F5
  X [ENTER]

#bOOm# ... we're here:

  7B2F20F5  F3A4    REP MOVSB
  7B2F20F7  5D      POP EBP      ; we're gonna set a BPX here

  BC* [ENTER]
  BPX 7B2F20F7

Hey, you can relax now, because I'll show you the greatest magic you've ever seen. Keep pressing F5 until you see the valid reg code in the data window (just like a slide show or a movie, isn't it? Every time we push F5 the data window is updated, char by char, with the copy from the "Michael Kreyling" string. After there are no more chars to copy from "Michael Kreyling" we have 'a commercial break'; keep pressing F5 ... #bOOm# ... finally
the data window shows 97652288 in wide-char format, NO NEED TO SCROLL DOWN THE DATA WINDOW.) You can try different entries; soon you'll see that my new method always shows the valid reg code. Aahh, I'm satisfied now. Are you thinking something? Yeah, the valid reg code has two versions, the PGS97 version and the PGS98 version, so the valid reg code for the name CrackZ is 98652288 or 97652288; both work fine.

Hmm, now I have one more question in my mind. Are you thinking what I'm thinking, AGAIN!? What if we enter "Michael Kreyling" as the name? Though we saw 974309568 in the data window, we still can't make it registered. Seems that Thomas Warfield has blacklisted this guy!? (Anyone know who Michael Kreyling is?) Thank God my parents didn't name me "Michael Kreyling"...


Pam v1.13

Author   : Michael Doering
Email    : pam@tindrum.oche.de, michael.doering@post.rwth-aachen.de
Homepage : http://www.rwth-aachen.de/fsarch/Ww/members/doelf/pam/
           http://www.fs2.RWTH-Aachen.DE/doelf/pam/

Overview

The full-featured multi audio player: pal skins, playlist editor, timer, karaoke, ID3 tag, lyrics 1.0 & 2.0, plays MP3, WAV, MID ...

Protection system

Registration is via selecting "About Pam" - Register. We're asked to enter:

  name :
  e-mail :
  number :

The registration code is based on what you type in for name and e-mail.

1. Deep within your System Registry it uses the following branch to store its license data:
     HKEY_CURRENT_USER\Software\OhBugger\Pam
2. It's a 42-day, time-limited program that will 'expire' 42 days after being installed.
3. No nags, no limitations!

The essay ...

Hey, another VB program, this is good: we're gonna test my new method. Use the following entry as an example:

  Name : widYa@cL 2011
  e-mail : widya-cl@usa.net
  number : 0101010

DO NOT push [register PAM] yet. CTRL+D ...

  BPX __vbaStrCat [ENTER]
  X [ENTER]
[register PAM] ... #bOOm# ... press ALT+F5. In my case SoftICE reported:

  Pattern found at 017F:7B2F20F5

  BC* [ENTER]
  BPX 017F:7B2F20F5
  X [ENTER]

#bOOm# ... we're here:

  7B2F20F5  F3A4    REP MOVSB
  7B2F20F7  5D      POP EBP      ; we're gonna set a BPX here

  BC* [ENTER]
  BPX 7B2F20F7

Now let's enjoy the movie presented by Visual Basic. Keep pressing F5 until you see the good serial form in wide-char format. After pushing F5 about 62 times the data window displays:

  5 . E . o . 1 . 8 . 2 . a . S . 6 . 1 . 2 . 7 . 7 . n . j . 9 . p . 7 . 3 . 2 . 0 . 7 . 5 . 3 . 8 . 2 . 7 . A . g . x . . . c . ) . . c . o . p . y . r . i . g . h . t . . 1 . 9 . 9 . 8 . . b . y . . m . . d . o . e . r . i . n . g . . . .

Hmm, is it the valid reg code? Let's find out. Enter the registration again:

  Name : widYa@cL 2011
  e-mail : widya-cl@usa.net
  number : 5Eo182aS61277nj9p7320753827Agx

#bOOm# ... "Registered to widYa@cL 2011 - Thank You!" ... You're welcome! Wow, the longest serial I've ever seen.

Final notes ...

That's all for now guys. Pity, I only have two programs written in VB; I wish I could test with more programs. Well, I'm sure you have one: please test my new method on your VB (4/5) programs which use serial protection schemes and let me know the result, or if you have any comments/suggestions/critics.

Greetz : SandMan, CrackZ, tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB, Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne, Mexelite, Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_, BigMoM, Aphex Twin [Vandals], vϋltϋ_‰, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, YOU .....

Special Thanks : Thomas Warfield, Michael Doering,
for giving me a challenge; you forced me to improve my skills a little bit.

Written / Design : widYa-cL 2011
Page Created     : 23 February 1999


PART 2:
~~~~~~

WIDYA-cL 2011 [ WORLD CRACKING LINK ]
Reverse Engineering Lab ... from newbie to another ...

... how to think like a programmer ...

Name       : Photoline.exe
Type       : Image application
Size       : 2,412,544 bytes
Tools Used : SoftICE v3.24, W32Dasm 8.93, Hiew 6.01

PhotoLine 5.06

Author   : Bad Gögging Computerinsel GmbH.
Email    : support@pl32.com
Homepage : http://www.pl32.com

Intro

Hi guys, you are now reading my fourth tutorial. Sorry if there are any grammatical errors; I hope you'll understand this piece. This time we're dealing with a program written in Visual C++. Let's rock!

Overview

PhotoLine 32 is a powerful image editing application. Besides its image editing capabilities PhotoLine 32 also has all the functions of a pixel and vector painting program. Due to numerous import and export drivers and its batch capabilities it fulfills the requirements of an image file format converter. The combination of batch conversion and a powerful macro action recorder results in an extremely powerful automation tool. PhotoLine 32 has especially been developed for Windows 95/98 and Windows NT and therefore supports OLE2 as well.

Protection system

Registration is by selecting Options - Register. We're asked to enter:

  Registration : [        ] [        ]

The registration code is based on what you type in the first entry.

1. Deep within your System Registry it uses the following branch to store its license data:
     HKEY_CURRENT_USER\Software\Computerinsel\PhotoLine\Settings
       "SerialNumber500"=" "
     [HKEY_USERS\.DEFAULT\Software\Computerinsel\PhotoLine\Settings]
       "SerialNumber500"=" "
2. It's a 30-day, time-limited program that will 'expire' 30 days after being installed.
3. Intro 'Damn' nag screen.

The essay ...

Click on Options - Register.
Fill out the boxes with the following entry as an example:

  Registration : [ 7171717 ] [ 01010 ]

[OK] ... #bOOm# ... "Error: You entered a false serial number". What now? Let's see what we can get from the 'dead listing'. Fire up W32Dasm and disassemble photoline.exe ... wait ... wait ... waiittt ... done! Click REFS - STRING DATA REFERENCE and look for the message: NONE!? Hmm, I think Bad Gögging has read CrackZ's protection tip no. 3?! That's alright guys, this will be fun. Let's check for another 'unique' text ... snip ... snip ... aha: "SerialNumber500". Double-click on the text; hey, there are 3 of them:

  1. * Possible StringData Ref from Data Obj ->"SerialNumber500"
     :004DA804  6824BC5E00    push 005EBC24     ; we're gonna set a BPX here
  2. * Possible StringData Ref from Data Obj ->"SerialNumber500"
     :0050ED46  6824BC5E00    push 005EBC24     ; we're gonna set a BPX here
  3. * Possible StringData Ref from Data Obj ->"SerialNumber500"
     :0050F012  6824BC5E00    push 005EBC24     ; we're gonna set a BPX here

To me these look like a value name in the registry. Run regedit and go to HKCU\Software\Computerinsel\PhotoLine\Settings; you'll see the value "SerialNumber500"="7171717 1010". We could attack this program by setting a breakpoint on the RegQueryValueExA function just before we run it, but I'd like to try an easier way. Now enter the registration again, fill out the entry with our example key, and DO NOT push [OK] yet. CTRL+D (to get into SoftICE) ...

  BPX HMEMCPY [ENTER]
  X [ENTER]

[OK] ... #bOOm# ... F12 11 times (to get into PhotoLine code). Set BPXs at the 3 addresses above:

  BC* [ENTER]
  BPX 4DA804 [ENTER]
  BPX 50ED46 [ENTER]
  BPX 50F012 [ENTER]
  X [ENTER]

#bOOm# ... we're back in PhotoLine. Move your mouse a little bit ... #bOOm# ... "Break due to BPX #... :50F012". Hey, we broke on our 3rd breakpoint; I don't like this. Leave SoftICE (X [ENTER]) and click on ? - About PhotoLine ... #bOOm# ...
"Break due to BPX #... :4DA804". Aaah, now let's analyze the code. Keep tracing until we get to the following code:

  :004DA8D8  E853ACFBFF    call 00495530
  :004DA8DD  8D4C2404      lea ecx, [esp+04]      ; ? EAX : 0000001010 ... hmmm, seems the show
                                                  ; (keygen routine) is about to begin
  :004DA8E1  89442404      mov [esp+04], eax
  :004DA8E5  51            push ecx
  :004DA8E6  E875000000    call 004DA960          ; STEP IN (F8) here

We're here now:

  004DA960  8B442404      mov eax, [esp+04]
  004DA964  83EC08        sub esp, 00000008
  004DA967  8B4804        mov ecx, [eax+04]      ; ? ECX : 0007171717
  004DA96A  85C9          test ecx, ecx          ; ands 0007171717 with 0007171717
  004DA96C  750C          jne 004DA97A           ; if the zero flag is not set then jump to 4DA97A

We jump to 4DA97A:

  004DA97A  8D4C2400      lea ecx, [esp]
  004DA97E  51            push ecx
  004DA97F  50            push eax
  004DA980  E82B650400    call 00520EB0          ; keygen routine!
  004DA985  8B44240C      mov eax, [esp+0C]      ; EAX=00006D6E85 .. ? EAX: 7168024 .. our dummy key
                                                 ; (7171717 01010) has been mangled by the keygen routine
  004DA989  83C408        add esp, 00000008
  004DA98C  A9FF0F0000    test eax, 00000FFF     ; first check
  004DA991  7407          je 004DA99A

The TEST instruction logically ANDs EAX with the value 00000FFF. If the result is non-zero then it will clear the zero flag and we will be a bad cracker, but if the result is zero then the zero flag is set and we will jump to 004DA99A (the good cracker routine). Of course in this case we will not jump to 4DA99A, but let's assume we have entered the valid code (I've cut the bad cracker routine from here):

  004DA99A  2500F0FFFF    and eax, FFFFF000
  004DA99F  3D00D00700    cmp eax, 0007D000      ; second check
  004DA9A4  7407          je 004DA9AD            ; if the zero flag is set then jump to 004DA9AD (good cracker)

This instruction performs the computation EAX-0007D000 and sets the flags depending upon the result. The zero flag is set if and only if EAX = 0007D000.

  004DA9AD  A138A26200    mov eax, [0062A238]    ; here
                                                 ; EAX=00000000
  004DA9B2  85C0          test eax, eax          ; final check
  004DA9B4  7417          je 004DA9CD            ; if everything is OK then jump to 004DA9CD (good cracker)

  004DA9CD  66B80100      mov ax, 0001           ; good cracker routine
  004DA9D1  83C408        add esp, 00000008      ; good cracker routine
  004DA9D4  C3            ret

Hmm, those 3 checks above look very interesting to me! This time I'd like to give you an alternative solution (READ: re-coding) for this protection scheme, and I think this would be more fair (at least for me) than examining the keygen routine. Clear all breakpoints and set a BPX at 004DA985. Enter the registration again with "512000" in the 1st entry and any number in the 2nd entry:

  Registration : [ 512000 ] [ 7171717 ]

[OK] ... #bOOm# ... we land here:

  004DA985  8B44240C      mov eax, [esp+0C]      ; EAX=0007D49D .. ? EAX: 513181

Interesting? NO???? 7D000h - 7DFFFh = 512000 - 516095. Enter the registration again:

  Registration : [ 516095 ] [ 7171717 ]

[OK] ... #bOOm# ... we land here:

  004DA985  8B44240C      mov eax, [esp+0C]      ; EAX=0007D364 .. ? EAX: 512868

Got it? YEAH, I can see it now! As long as we enter a value from 512000 to 516095 in the first entry, the EAX register at 4DA985 will have a value of 0007DXXX. Now let's continue executing the next code:

  004DA989  83C408        add esp, 00000008
  004DA98C  A9FF0F0000    test eax, 00000FFF     ; here type: A [Enter], then enter this instruction:
                                                 ; TEST EAX,00000000 [Enter], then press [ESC].
                                                 ; Now any value in EAX gives a zero result (zero flag set)
  004DA991  7407          je 004DA99A            ; so we'll always jump to 004DA99A
  004DA99A  2500F0FFFF    and eax, FFFFF000      ; and 0007D364, FFFFF000 ... EAX=0007D000
  004DA99F  3D00D00700    cmp eax, 0007D000      ; cmp 0007D000, 0007D000 ... zero flag set
  004DA9A4  7407          je 004DA9AD            ; we'll always jump to 004DA9AD
  004DA9AD  A138A26200    mov eax, [0062A238]    ; here EAX=00000000
  004DA9B2  85C0          test eax, eax          ; ands 00000000, 00000000 ... zero flag set
  004DA9B4  7417          je 004DA9CD            ; we jump to 004DA9CD
  004DA9CD  66B80100      mov ax, 0001           ; good cracker routine
  004DA9D1  83C408        add esp, 00000008      ; good cracker routine
  004DA9D4  C3            ret

Hey, it's registered!

The Cracks ...

Load photoline.exe into your favorite hex editor.
  Search for the following bytes   : A9FF0F0000
  Replace with the following bytes : A900000000

Enter the registration screen with any value from 512000 to 516095 in the 1st entry; you can type any number in the 2nd entry or leave it blank.

Final notes ...

That's all for now. Any comments/suggestions/critics? Just let me know! int 21h

Greetz : the same list as in Part 1.

Special Thanks : Bad Gögging, for giving me a challenge; you forced me to improve my skills a little bit.

Written / Design : widYa-cL 2011
Page Created     : 01 March 1999


PART 3:
~~~~~~

WIDYA-cL 2011 [ WORLD CRACKING LINK ]
Reverse Engineering Lab ... from newbie to another ...

... Time Limits ...

Name       : cpuidle.exe
Type       : System Utility
Size       : 570,884 bytes
Tools Used : Regmon v4.12, Regedit

CpuIdle 5.03

Author   : Andreas Goetz
Email    : cpuidle@gmx.net
Homepage : cpuidle.home.pages.de

Intro

Hi guys, you are now reading my 5th tutorial. This is the shortest tute I've ever written ... bla ... bla ... bla ...
Overview

CpuIdle runs a HLT command in an idle-priority thread under Win95/98. That allows modern microprocessors to save power and stay cool. Great for overclocking. CpuIdle is also the best and most complete CPU optimizer for Win95/98 that exists. Most CPUs include performance-increasing options that are disabled by default. CpuIdle activates them all! Yeah, a great tool for my overclocked CPU.

The essay ...

I played around with this program for a few minutes and I see no registration screen here, but no functions are disabled and there are no nag screens either: definitely no limitations here except the 30-day trial period. Looks like deadware to me: no matter how we crack it, we can't make it into the registered version because it only contains the code for the first episode. So our target now is to remove this date expiration. Before we go any further we need to know which registry keys are read/created and which files are read when we run the target. Let's check the registry first. Run Regmon and put "cpuidle" in Process Include and "explorer;regmon" in Process Exclude. Now run CpuIdle ... #bOOm# ... there's nothing interesting for me except these lines:

  Cpuidle  OpenKey       HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StatMan\Config        SUCCESS  hKey: 0xC59A7DD0
  Cpuidle  QueryValueEx  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StatMan\Config\RS232  SUCCESS  33 33 33 33 33 33 15 40
  Cpuidle  QueryValueEx  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StatMan\Config\Drv    SUCCESS  0 0 0 0 0 0 3E 40
  Cpuidle  QueryValueEx  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StatMan\Config\Vxd    SUCCESS  0 0 0 0 C0 AF E1 40
  Cpuidle  QueryValueEx  HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StatMan\Config\Vxd    SUCCESS  0 0 0 0 C0 AF E1 40
  Cpuidle  CloseKey      HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\StatMan\Config        SUCCESS

Why? Because it creates/reads a key in the 'wrong' place: Andreas hides it in Bill Gates' territory (I don't like this!).
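The eight-byte Drv, Vxd and RS232 values in the Regmon log above are little-endian IEEE-754 doubles, which is why the single-byte edits the tutorial works out below behave the way they do. The script that follows is an added example (my code, not the tutorial's and not CpuIdle's) that decodes the three logged values, reproduces the byte-6 experiment, and encodes a chosen day count back into the bytes regedit expects. The byte strings are copied from the log above as constructed input; the meaning I attach to each name (Drv = days remaining, Vxd = an install date stored as a Delphi-style TDateTime, i.e. days since 1899-12-30) is my assumption from the decoded numbers, not something the tutorial states.

```python
"""Decode the eight-byte StatMan\\Config values as IEEE-754 doubles.

Added example, not part of the original tutorial or of CpuIdle.  The bytes are
the ones Regmon logged above, copied here as constructed input; reading them as
little-endian doubles reproduces every value the tutorial arrives at by trial
(3E -> 30 days, 3D -> 29, 4E -> 60, 5E -> 120, FE -> 122880).  The meaning given
to each value name (Drv = days remaining, Vxd = install date as a Delphi-style
TDateTime, days since 1899-12-30) is my assumption from the numbers."""
import struct
from datetime import date, timedelta

TDATETIME_EPOCH = date(1899, 12, 30)   # Delphi/VB TDateTime day 0 (assumption: Vxd uses it)

# Constructed from the Regmon output in the tutorial (bytes as logged, little-endian).
REGMON_VALUES = {
    "RS232": bytes.fromhex("3333333333331540"),
    "Drv":   bytes.fromhex("0000000000003E40"),
    "Vxd":   bytes.fromhex("00000000C0AFE140"),
}


def decode_double(raw: bytes) -> float:
    """Eight little-endian bytes -> float64, as the program stores them."""
    if len(raw) != 8:
        raise ValueError("expected an 8-byte REG_BINARY value")
    return struct.unpack("<d", raw)[0]


def encode_double(value: float) -> bytes:
    """float64 -> the 8 bytes to write back with regedit (little-endian)."""
    return struct.pack("<d", float(value))


def days_from_high_byte(high_byte: int) -> float:
    """Reproduce the tutorial's experiment: keep bytes 0..5 of Drv, change the
    byte Regmon shows 7th (offset 6) and see how many 'days' that means."""
    raw = bytearray(REGMON_VALUES["Drv"])
    raw[6] = high_byte
    return decode_double(bytes(raw))


def tdatetime_to_date(days: float) -> date:
    """Whole-day part of a TDateTime -> calendar date (assumption: Vxd is one)."""
    return TDATETIME_EPOCH + timedelta(days=int(days))


def decode_all(values=REGMON_VALUES) -> dict:
    """Decode every logged value; returns {name: float}."""
    return {name: decode_double(raw) for name, raw in values.items()}


if __name__ == "__main__":
    for name, val in decode_all().items():
        print(f"{name:6s} = {val}")
    for hb in (0x3E, 0x3D, 0x4E, 0x5E, 0xFE):
        print(f"Drv byte 6 = {hb:02X} -> {days_from_high_byte(hb):.0f} days")
    print("Vxd as TDateTime ->", tdatetime_to_date(decode_all()["Vxd"]))
    print("bytes for 365 days ->", encode_double(365).hex(" ").upper())
```

Decoded, Drv is 30.0 with 30 days left, RS232 is 5.3 (probably a version number, an assumption), and Vxd is 36222.0, which as a TDateTime is 1999-03-03, two days before this tutorial's date, so an install timestamp fits. The practical point is that the counter is a plain double in a REG_BINARY value with no integrity check, so any day count you can encode is accepted; the tutorial's "FE" edit is exactly encode_double(122880), and because Regmon and regedit both show the bytes in memory order, the byte the author changes is offset 6 here.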
Look at the value data for Drv and Vxd ... heh, this looks interesting to me (my trial period still has 30 days left). Now I wonder what the value will be if I have 29 days left ... heh, the Drv value changes to 3D. Hmm, 30 -> 3(1)E? 29 -> 3(1)D? Is it that simple? What will the value be if we want 60 days left: is it 4E? Yeah, just what I expected; 120 days -> 5E! That's enough for me. Let's change the value to "FE" and we'll have 122880 days (122880/365 = about 336 years!) left for evaluation. Or you can just delete the StatMan key to get your 30-day trial period back. Heh, amazing? This is the first time I've cracked without using SoftICE and W32Dasm!

Final notes ...

Any comments/suggestions/critics? Just let me know!

Greetz : the same list as in Part 1.

Special Thanks : Andreas Goetz, you reminded me to clean the garbage out of my registry!

Written / Design : widYa-cL 2011
Page Created     : 05 March 1999


PART 4:
~~~~~~

WIDYA-cL 2011 [ WORLD CRACKING LINK ]
Reverse Engineering Lab ... from newbie to another ...

... Time Limits in Unreal Player Max 1.29 Release 8 Trial Version ...

Name       : unreal.exe
Type       : Multimedia Player
Size       : 746,496 bytes
Tools Used : SoftICE v3.24, Hiew 6.02

Author   : 303 Technology
Email    : info@303tek.com
Homepage : http://www.303tek.com

Intro

Hi guys,
you are now reading my 6th tutorial. Sorry for any grammatical errors; I hope you'll understand this piece.

Overview

Unreal Player is a player which can play most of your favorite files, including MP3, MOD, MIDI, AVI and CD audio. You can use the same simple interface for all formats, and you can also customize it. You can also control Unreal Player from a TELNET client on port 30303. Almost all players are FPU-intensive and optimized only for Pentium processors; therefore their performance is poor or even terrible on PCs based on non-Intel CPUs. Unreal Player solved this problem using MMX and K6 3D technology. We are offering a Pentium build and a Cyrix/AMD build.

The essay ...

This was very funny, guys, because when I ran the program for the very first time I was informed by these nice messages: "Thank you for evaluating Unreal Player Max" ... 0 days left ... "Evaluation period has expired. Thank you for your interest in Unreal Player." ???? What the ... it had already expired before I'd even tried it once!? Hmm ... I pushed my system date backward one month and then ran it again: hey, now I have 11 days left. Better! After playing around for a few minutes ... heh, what a great tool we've got here. Now let's play a while with the time limits. I was not in the mood to dead-list this program, so tell me guys, how does the program know the expiration date? Yeah, it must read the present system date every time it runs, right? What's the function name in SoftICE? GETLOCALTIME. Let's check it out:

  [CTRL]+D
  BPX GETLOCALTIME [ENTER]
  X [ENTER]

Run the program ... ^bOOm^ ... first landing ... X [ENTER] ... ^bOOm^ ... F11 once (to get to the caller); now we should be in Unreal code. Push F10 12 times until we get to this interesting code:

  0045B71E  E87573FAFF    call 00402A98          ; F10 ... EAX=00008D69
  0045B723  2B430C        sub eax, [ebx+0C]      ; F10 ... look at the EAX register (in my case) EAX=00000013
; with EAX=13 at here we'll have 11 days left ! BC* [ENTER] BPX 45B723 [ENTER] X [ENTER] .. now re-run the program .. #bOOm# : 0045B7232B430C sub eax, ; F10 ... edit eax value : R EAX=12 [ebx+0C] [ENTER] ... ; with EAX=12 at here we'll have 12 days left .. right ?! .. enough for me ! .. we should change the eax value to zero if we want our 30 days back ... let's make it permanently .... here i have an alternative solution ... Run your favourite hex editor .. open unreal.exe ... find for this value (hex) : 2B430C .. replace with : 2BC090 ... save it ... I also written a simple byte patcher in pascal ... simply compile it (tpc name.pas) 'n run it in the same directory as unreal.exe .. now the new code should look like this : 0045B7232BC0 sub eax,eax ; eax=eax-eax .. the result always zero ... right ?! ,,, 0045B72590 nop ; no operand ... we need this code to fill the black hole ... heh amazing ?! .. it only takes 1 minute ... the fastest crack i've ever made .. r u sayin' somethin' ?! ... yeah this should recorded in Guinnes Book Of Record ... #Doh# ... now we have forever trial period ... Patcher Source Uses Crt; Const A : Array[1..2] of Record A : Longint; B : Byte; End = ((A:$5AB24;B:$C0), (A:$5AB25;B:$90)); Var Ch:Char; I:Byte; F:File; Begin Writeln; Writeln(' Unreal Player 1.29 Release 8 Trial Version'); Writeln(' Crack bY widYa@cL 2011 [wOrLd cRaCkinG linK 99]'); Writeln; Writeln(' Target Name: unreal.exe Size: 746,496 bytes'); Writeln; Write(' Status :'); Assign(F,'UNREAL.EXE'); {$I-} Reset(F,1); {$I+} If IOResult <> 0 Then Begin Write(' File not found!'); Halt(1); End; If FileSize(F) <> 746496 Then Begin Write(' Wrong Version/File Size! .. aborted !'); Halt(1); End; For I:=1 To 2 Do Begin Seek(F,A[I].A); Ch:=Char(A[I].B); Blockwrite(F,Ch,1); End; Write(' File successfully patched! .. Have Fun !') End. Final notes any comment/suggestions/critics ?! ... juSt leT me knOw ! 
Greetz : SandMan, CrackZ, tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB, Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne, Mexelite, Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_, BigMoM, Aphex Twin [Vandals], vϋltϋ_‰, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, Flu(X), YOU .....

Written / Design bY : widYa-cL 2011
Page Created : 9 March 1999

PART 5:
~~~~~~
WIDYA-Cl 2011 [ WORLD CRACKING LINK ]
Reverse Engineering Lab ... from newbie to another ...
Serial Catching in VB6
Tools Used : Softice V3.24
Speak 1.8.21 - Rev.501
Author : Shadi Shalabi
Email : support@shadisoft.com
Homepage : http://www.ShadiSoft.Com

Intro
Hi guys .. you are now reading my 7th tutorial .. sorry for any grammatical errors .. hope you'll understand this piece ..

Overview
Speak will make your computer even more helpful and entertaining than ever. Speak uses Microsoft Agent animated characters to read your text for you. You can tell Genie (as an example) to read your documents, emails, web pages or any text in the clipboard. Just keep the cool animated character on top of your desktop and click on him whenever you want him to read for you. Control the speed and pitch and enjoy many characters with different expressions and animations. Speak supports voice recognition. Speak can run your applications by voice commands you provide. Speak will also remind you of your appointments with Speak Reminders.

The essay
.. this is great .. another VB program ! .. this time using the VB6 dynamic link library (msvbvm60.dll) ... hmm, seems I have a chance to test my method on a new VB library. Now we should make a few changes to our WinIce settings before we go any further ... open winice.dat and make the following changes:

F5="^x;^dd eax;"
EXP=C:\WINDOWS\SYSTEM\MSVBVM60.DLL
; EXP=C:\WINDOWS\SYSTEM\MSVBVM50.DLL   ; remark this line

We have to remark (comment out) the msvbvm50.dll export line 'coz it has the same function names as msvbvm60.dll, which can screw up our examination. Restart Windows to apply the changes ... DONE ... run Speak ... #bOOm# .. ("please register this software") sure .. later, ok ?! .. [NO] ... ("Good night unregistered user") eh ?! we have a smart genie here ! ... amazing ! this genie can read our system registry ! .. now click on About - Unlock Speak to enter the registration dialog ... ("Are you really going to set me free and make me only yours ?") sure .. but can you shut the f%ck up please ! ... I enter widYa@cL 2011 as name and 0101010 as dummy key ... remember the function I used in VB5 ?! yeah, we're using __vbaStrCat (2 underscores):

[CTRL]+D
BPX __VBASTRCAT [ENTER]
X [ENTER]

... push [unlock] .. #bOOm# ... hmm .. it's a big diff from the previous library .. press F10 (9 times) until we land here:

0177:66060B7A 8B4508  MOV EAX,[EBP+08]  ; we're gonna see what's in EAX
0177:66060B7D 5D      POP EBP           ; set BPX here
0177:66060B7E C20800  RET 0008

BC* [ENTER]
BPX 66060B7D [ENTER]

... heh .. you can relax now ... sit back and enjoy a new movie from Microsoft ... push F5 (our macro, about 57 times) .. until you see a good-looking serial in wide chars:

7 . 4 . 0 . 2 . 2 . ; . 4 . 9
7 . 3 . 5 . 4 . : . 1 . 4 . 9
9 . 5 . 4 . . . p . e . a . k

... enter the registration again with this key ...

Full Name : widYa@cL 2011
Registration Key : 74022;497354:149954

... [unlock] ... #bOOm# ... ("Thank you Master widYa@cL 2011. You are truly my friend") ... ??? ... plok .. plok .. plok ... ("I'm your humble servant") ... !? ... Woaah .. I like this software A LOT ! ... hey, are you sayin' somethin' ?! ... yeah ... VB is the easiest protection scheme of all ....

Jokes bY the Genie :
Why won't sharks attack lawyers? ... Professional courtesy!
At the cocktail party, one woman said to another, 'Aren't you wearing your wedding ring on the wrong finger?' The other replied, 'Yes, I am, I married the wrong man'.
How can you tell when a lawyer is lying? ... His lips are moving!
What do you give the man who has everything? ... Antibiotics!
... ha ... ha ... ha ...

Final notes
When you fail ... and are lost in hell ... and still can't find the door ... just ask the guy in the mirror.
any comments/suggestions/critics ?! ... juSt leT me knOw !
Greetz : (no specific order) SandMan, CrackZ, tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB, Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne, Mexelite, Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_, BigMoM, Aphex Twin [Vandals], vϋltϋ_‰, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, Flu(X), Harvest, YOU .....

Written / Design bY : widYa-cL 2011
Page Created : 11 March 1999

PART 6:
~~~~~~
+=widYa@cL 2011=+
Reverse Engineering Lab ... from newbie to another ...
WebFlix Pro 1.5.1 Build Date 19990104
Tools Used : Softice 3.24 - W32Dasm 8.93 - Hiew 6.02
Author : MediaWare Solutions Pty Ltd
Email : info@mediaware.com.au
Homepage : http://www.mediaware.com.au

Intro
Hi guys, you are now reading my 8th tutorial ... bla .. bla .. bla ..

Overview
WebFlix Pro is a complete MPEG-1 video exploration and analysis tool. With WebFlix Pro you can: play MPEG-1 (.mpg) and Video CD (.dat) videos; quickly and accurately get to any location in a video; play a presentation as a continuous loop with auto repeat; analyze the action of your favorite sports star in slow motion by combining variable rate play with auto repeat; cut and paste from separate videos to create your own custom video; find key video events, such as film cuts and dissolves, to create a shot index of your video which can be exported as an HTML summary page of thumbnail images; analyze the underlying MPEG-1 stream; convert a Video CD (.dat) video to an MPEG-1 (.mpg) file. This means that the entire video is at your fingertips, from extracting your favorite frames as snapshots to put in your photo album to combining those special moments in your existing videos into your own movie creation. Best of all, WebFlix Pro requires no special hardware to run on your computer.

The Essay
Run WebFlix Pro and enter the registration dialog via Register - Register WebFlix Pro ... we're asked to enter:

KEY :
Your name :
Company name :

Fill them out with your favourite entries .. now we should set some breakpoints before pushing the OK button:

[CTRL]+D
BPX GETWINDOWTEXTA [ENTER]
BPX GETDLGITEMTEXTA [ENTER]
BPX MESSAGEBOXA [ENTER]
BPX HMEMCPY [ENTER]
X [ENTER]

push [OK] .. #bOOm# .. surprise .. break due to BPX32!MessageBoxA .. press F11 to get the caller .. #bOOm# .. "Sorry, I cannot recognise your registration key. Please re-enter." .. [OK] .. #bOOm# .. we land in tk80.dll code just below the MessageBoxA call .. huh, we've broken in the bad routine already ! .. we have to find the bad conditional jump .. tracing backwards now .. snip ... snip ... snip ... 3 minutes left ... 'DAMN' forget about it! ... clear all breakpoints & leave SoftICE at once ..

Now let's see what we can get from the deadlisting ... double click on our bad message ... heh, seems we can easily register this program .. HOW ?! .. just avoid the bad routine (messages) and we'll be led automatically to the good routine ... yep, we're gonna modify some bytes ! it saves us a lot of time ! (I've cut a lot of code to save our time) .. here are our 'magic' conditional jumps .. I'm sure you can easily locate these codes:

:0045689E 3BF8          cmp edi, eax                   ; do they match ?
:004568A0 0F842E010000  je 004569D4                    ; jump if equal to good routine
:004568A6 3B3D541F4D00  cmp edi, dword ptr [004D1F54]  ; another comparison
:004568AC 0F8422010000  je 004569D4                    ; jump if equal to good routine
:004569DD 3BC8          cmp ecx, eax                   ; another comparison
:004569DF 0F84EC010000  je 00456BD1                    ; jump if equal to good routine
:00456BE0 3BC1          cmp eax, ecx                   ; another comparison
:00456BE2 0F8EAA000000  jle 00456C92                   ; jump if less or equal to good routine
:00456CA3 3BCA          cmp ecx, edx                   ; another comparison
:00456CA5 742C          je 00456CD3                    ; jump if equal to good routine

Huh .. we don't care anymore what values are being compared in the code above .. now let's finish this naughty program .. first, create a backup copy of webflixpro.exe .. just in case .. now let's modify the bytes using Hiew (note the offset at the bottom of W32Dasm):

:004568A0 (@offset 55CA0h)
:004568AC (@offset 55CACh)
:004569DF (@offset 55DDFh)
:00456BE2 (@offset 55FE2h)
:00456CA5 (@offset 560A5h)

run hiew webfli~1.exe - select mode decode (F4-F3) - find the offset to patch (F5) - Edit (F3)

55CA0 : 0F842E010000 --> change to --> E92F01000090
55CAC : 0F8422010000 --> change to --> E92301000090
55DDF : 0F84EC010000 --> change to --> E9ED01000090
55FE2 : 0F8EAA000000 --> change to --> E9AB00000090
560A5 : 742C         --> change to --> EB2C

.. don't forget to update the changes (F9) .. I've also written a simple byte patcher in asm .. not good enough, but it works. After we patch it we can enter anything in the registration dialog to make it registered. Then the program will create the license data in 'license.dat', located in our WebFlix directory. That'S aLL 4 now guys ... hope this tut can help you ..
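Seen from the vendor's side, the Unreal Player patch (2B 43 0C -> 2B C0 90) and the WebFlix Pro jump patches both work because nothing in either program checks that its own code is still the code it shipped with. The following C program is an added example, not code from either tutorial or either product: it fingerprints a code region with a checksum recorded at build time and reports when the bytes no longer match. The byte runs are constructed from the listings above, not read from the real binaries, and the FNV-1a hash and the region table are my own choices.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* 32-bit FNV-1a: a cheap, non-cryptographic fingerprint of a byte run.
 * It reliably notices a handful of changed bytes, which is all a patch of
 * "sub eax,[ebx+0C]" or of a conditional jump amounts to. It is no defence
 * against someone who also patches the stored value; real products pair it
 * with a signed image or a check that lives outside the protected code. */
uint32_t region_checksum(const uint8_t *p, size_t n)
{
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 0x01000193u;
    }
    return h;
}

/* Returns 1 when the bytes still match the fingerprint recorded at build time. */
int code_region_intact(const uint8_t *region, size_t n, uint32_t expected)
{
    return region_checksum(region, n) == expected;
}

/* Constructed stand-ins for the code runs shown in the tutorials above.
 * Unreal Player, 0045B71E..0045B725:  E8 75 73 FA FF   call 00402A98
 *                                     2B 43 0C         sub eax,[ebx+0C]
 * The tutorial's patch rewrites the sub as 2B C0 90 (sub eax,eax / nop). */
const uint8_t unreal_original[] = { 0xE8,0x75,0x73,0xFA,0xFF, 0x2B,0x43,0x0C };
const uint8_t unreal_patched[]  = { 0xE8,0x75,0x73,0xFA,0xFF, 0x2B,0xC0,0x90 };

/* WebFlix Pro, 0045689E..004568A5:    3B F8              cmp edi,eax
 *                                     0F 84 2E 01 00 00  je 004569D4
 * patched to E9 2F 01 00 00 90 (jmp 004569D4 / nop). */
const uint8_t webflix_original[] = { 0x3B,0xF8, 0x0F,0x84,0x2E,0x01,0x00,0x00 };
const uint8_t webflix_patched[]  = { 0x3B,0xF8, 0xE9,0x2F,0x01,0x00,0x00,0x90 };

/* One entry per protected code run. In a shipped program `expected` is
 * filled in by the build step, ideally stored in more than one place. */
struct guarded_region {
    const char    *name;
    const uint8_t *bytes;
    size_t         len;
    uint32_t       expected;
};

/* Checks every region and returns how many no longer match; a non-zero
 * result is what a product would log, refuse to run on, or report. */
int count_tampered(const struct guarded_region *regions, size_t n)
{
    int tampered = 0;
    for (size_t i = 0; i < n; i++)
        if (!code_region_intact(regions[i].bytes, regions[i].len, regions[i].expected))
            tampered++;
    return tampered;
}

int main(void)
{
    /* Fingerprints the build step would have embedded. */
    uint32_t unreal_ok  = region_checksum(unreal_original,  sizeof unreal_original);
    uint32_t webflix_ok = region_checksum(webflix_original, sizeof webflix_original);

    struct guarded_region clean[] = {
        { "unreal trial check",  unreal_original,  sizeof unreal_original,  unreal_ok  },
        { "webflix key compare", webflix_original, sizeof webflix_original, webflix_ok },
    };
    struct guarded_region after_patch[] = {
        { "unreal trial check",  unreal_patched,   sizeof unreal_patched,   unreal_ok  },
        { "webflix key compare", webflix_patched,  sizeof webflix_patched,  webflix_ok },
    };

    printf("clean image  : %d region(s) tampered\n", count_tampered(clean, 2));
    printf("patched image: %d region(s) tampered\n", count_tampered(after_patch, 2));
    return 0;
}
```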
Asm patcher source

; Webflix Pro 1.5.1 19990104 patcher
; bY widYa@cL 2011 (20/03/99)
;
; use tasm32 wfp151-p.asm and then tlink /3/t wfp151-p.obj
; to generate wfp151-p.com

.model tiny
.386P
.code
org 100h
start:
        mov dx, offset intro
        call print              ; print intro

; find target file
        mov dx, offset filename ; get filename into ds:dx
        mov cx, 3fh             ; any file attributes
        mov ah, 4eh             ; find first matching file
        int 21h
        jc notfound             ; if carry is set, ax contains one of the following error codes
                                ; 2: File not found - 18: No more files .. heh, look the same ..

; good, we found it .. now check the filesize
; after Find First File is called we have good information in the DTA:
; offset 26 (decimal) holds the file size in bytes .. let's use it .. shall we ?! ..
        mov ah, 2fh             ; get DTA address (returns pointer to the current DTA in es:bx)
        int 21h
        mov eax, [bx+26]        ; get file size in bytes into eax (ds = es in a .com)
        cmp eax, [filesize]     ; do they match ?
        jne wrongsize           ; yes ? nope it .. no ? get the right version ! ..

; gotcha .. open the file
        mov dx, offset filename ; get filename into ds:dx
        mov ax, 3D02h           ; open file for reading & writing
        int 21h
        mov bx, ax              ; put file handle in bx

; let's write the patch
        mov ax, 4200h           ; seek (move file pointer) from the beginning of file
        mov cx, 5               ; hi order of offset
        mov dx, 5ca0h           ; lo order of offset
        int 21h                 ; move it ..
        mov ah, 40h             ; setup to write new byte(s)
        mov cx, 6               ; six bytes to patch
        mov dx, offset byte1    ; point dx to patch data
        int 21h                 ; patch it ..

; woaah ..
        mov ax, 4200h
        mov cx, 5
        mov dx, 5cach
        int 21h
        mov ah, 40h
        mov cx, 6
        mov dx, offset byte2
        int 21h

        mov ax, 4200h
        mov cx, 5
        mov dx, 5ddfh
        int 21h
        mov ah, 40h
        mov cx, 6
        mov dx, offset byte3
        int 21h

        mov ax, 4200h
        mov cx, 5
        mov dx, 5fe2h
        int 21h
        mov ah, 40h
        mov cx, 6
        mov dx, offset byte4
        int 21h

        mov ax, 4200h
        mov cx, 5
        mov dx, 60a5h
        int 21h
        mov ah, 40h
        mov cx, 1               ; only the opcode byte changes here (74 -> EB)
        mov dx, offset byte5
        int 21h

        mov ah, 3eh             ; done .. close the file
        int 21h

; available messages
        mov dx, offset msgsucc  ; have fun ..
        call print
        jmp exit
wrongsize:
        mov dx, offset msgver   ; duh ..
        call print
        jmp exit
notfound:
        mov dx, offset msgnotf  ; waaah ..
        call print
exit:
        mov ah, 4ch             ; back to real life
        int 21h

; our handy procedure
print proc
        mov ah, 9               ; print string
        int 21h
        ret
print endp

; data
byte1    db 0E9h,02Fh,01,00,00,090h,0
byte2    db 0E9h,023h,01,00,00,090h,0
byte3    db 0E9h,0EDh,01,00,00,090h,0
byte4    db 0E9h,0ABh,00,00,00,090h,0
byte5    db 0EBh,0
filename db 'webfli~1.exe',0
filesize dd 1121792
intro    db 0ah,0dh, '┌──────────────────────────────────────┐'
         db 0ah,0dh, '│ Crack for WebFlix Pro 1.5.1 19990104 │'
         db 0ah,0dh, '│          -=widYa@cL 2011=-           │'
         db 0ah,0dh, '└──────────────────────────────────────┘'
         db 0ah,0dh,0ah,0dh,'$'
msgsucc  db 'Patch Successful : Don''t Forget To Support',0ah,0dh,'$'
msgver   db 'Patch Failed : Wrong Version',0ah,0dh,'$'
msgnotf  db 'Patch Failed : File Not Found',0ah,0dh,'$'
end start

Final notes
... and we only get what we have worked for ..
... let me know if you have any comments/suggestions/critics ?! ...

Special greetz : CrackZ, SandMan, Torn@do

GOD IS THE MOST GREAT

Written bY : widYa@cL 2011
Page CreaTed : 20 March 1999

PART 7:
~~~~~~
Reverse Engineering Lab ... from newbie to another ...
[.. thinkin' somethin' ?! ...]
[mY fuTure grOup ... frOm tHE ouTer gaLaxY]
Winboost 98 1.24 Key Generator
Tools : Softice 3.24 - W32Dasm 8.93
Screen area 1024x768 pixels
Author : Magellass Corp.
Email : winboost98@kagi.com
Homepage : http://www.magellass.com

Intro
Hi guys .. you are now reading my 9th tutorial .. this time we're gonna discuss making a key generator .. mind my bad English ... hope you can understand this piece and that it helps you in any way ... let's rock !

Overview
WinBoost 98 is a special utility to configure and personalize the Windows 98/95 look and feel. Using an easy to use graphical user interface you can configure hundreds of hidden Windows 98/95 settings, from the Start Menu, Desktop, Accessories and Windows Explorer to Internet Explorer.
This is something you cannot do through the regular settings. In addition, you will get hundreds of selected Windows 98/95 Tips & Tricks to boost your Windows productivity and performance.

The Essay
This serial protection scheme is based on the User Name to generate a Registration Code. Needless to say, we can find the correct reg code easily, but there's nothing we can learn from that .... so I'd like to have some fun here by making a key generator. Usually we can easily find the keygen routine just by taking a good look at the deadlisting. The first thing you need to know is the location of the good/bad message in the String Data References. Now let's disassemble wb98.exe and look for a good message ... and here it is:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:004D1885(C)
* Possible StringData Ref from Code Obj ->"WinBoost 98 has been registered successfully."
:004D18AC B86C1D4D00  mov eax, 004D1D6C

scroll up a little from here .. you should see some serial numbers .. what's this ?! .. I simply don't care .. scroll up again .. heh, this looks familiar to me:

004D175D 8B55F8      mov edx, dword ptr [ebp-08]  ; hmm .. is it our name ?
004D1760 8B45FC      mov eax, dword ptr [ebp-04]  ; reg code ?
004D1763 E8E0FEFFFF  call 004D1648                ; and this must be a call to the keygen routine ...
004D1768 8D55F0      lea edx, dword ptr [ebp-10]

.. enough playing in W32Dasm, fire up SoftICE .. let's have a live concert ! Generally we can always use HMEMCPY in order to break into the target's code. Now go to the registration dialog and use Pirate Copy as Reg Name and 0101010 as Reg Code.

[CTRL]+D
BPX HMEMCPY [ENTER]
X [ENTER]

[OK] .. *boom* .. press F12 until we land in wb98 code .. then set a breakpoint at 4D1648 .. X [ENTER] .. keep tracing .. snip .. snip .. STOP !

004D166A 8B45FC          mov eax, [ebp-04]                 ; eax contains the user name
004D166D E85227F3FF      call 00403DC4                     ; gets name length into eax
004D1672 8BC8            mov ecx, eax                      ; copy to ecx
004D1674 33DB            xor ebx, ebx                      ; zero ebx
004D1676 33C0            xor eax, eax                      ; zero eax
004D1678 8945F8          mov [ebp-08], eax                 ; copy eax to [ebp-08]
004D167B 33F6            xor esi, esi                      ; zero esi
004D167D 66B80100        mov ax, 0001                      ; ax=1
004D1681 66BA0200        mov dx, 0002                      ; dx=2
004D1685 6683F910        cmp cx, 0010                      ; compare cx (name length) with 10h (16)
004D1689 7E04            jle 004D168F                      ; if less or equal jump to 004D168F
004D168B 66B91000        mov cx, 0010                      ; else cx=10h
004D168F 6685C9          test cx, cx                       ; is cx=0 ? (User Name blank)
004D1692 7446            je 004D16DA                       ; yes : exit keygen routine .. else : nope it
004D1694 0FBFF0          movsx esi, ax                     ; esi=ax=1 .. used as starting char position
004D1697 8B7DFC          mov edi, [ebp-04]                 ; ebp-04 (name) .. copy to edi
004D169A 0FB67437FF      movzx esi, byte ptr [esi+edi-01]  ; esi = one char from name (edi) with esi as char position ; P i r a t e _ C o p y
004D169F 03DE            add ebx, esi                      ; ebx=ebx+esi (the result of this loop is saved in ebx)
004D16A1 6683C002        add ax, 02                        ; ax=ax+2
004D16A5 663BC8          cmp cx, ax                        ; are we finished ?
004D16A8 7DEA            jge 004D1694                      ; no ? then loop again
004D16AA 0FBFC2          movsx eax, dx                     ; eax=dx=2 .. used as starting char position
004D16AD 8B75FC          mov esi, [ebp-04]                 ; now esi contains our name
004D16B0 0FB64406FF      movzx eax, byte ptr [eax+esi-01]  ; eax = one char from name (esi) with eax as char position ; P i r a t e _ C o p y
004D16B5 0145F8          add [ebp-08], eax                 ; ebp-08=ebp-08+eax (the result of this loop is saved in ebp-08)
004D16B8 6683C202        add dx, 02                        ; dx=dx+2
004D16BC 663BCA          cmp cx, dx                        ; are we done ?
004D16BF 7DE9            jge 004D16AA                      ; no ? loop again
004D16C1 8BC3            mov eax, ebx                      ; eax=ebx
004D16C3 F7E8            imul eax                          ; eax=eax*eax
004D16C5 6955F813270200  imul edx, [ebp-08], 00022713      ; edx=ebp-08*22713
004D16CC 8D940236E7CD00  lea edx, [eax+edx+00CDE736]       ; edx=eax+edx+cde736
004D16D3 8BF2            mov esi, edx                      ; esi=edx
004D16D5 C1E603          shl esi, 03                       ; esi=esi*2^3
004D16D8 2BF2            sub esi, edx                      ; esi=esi-edx

... step this code (F10) ... we'll see ESI=22238000 ; ? ESI ... 572751872 ... gotcha !

That's it ... take a few minutes to understand this block of code and draw a flowchart in your mind ... then write it out .. heh, damn easy ! ... here I have written one in C++.

On successful registration the program will store our license data in the system registry:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\explorer\ShellIconOverlayIdentifiers\Overlays
Ijn="00802322" ; our reg code in little endian ... DWORD 22238000h = 572751872

heh .. nice try, don't you think ?! ... hope next time the author will hide it in a deeper place ! ...

WARNINGS ! : this will be garbage in your system registry when you uninstall the program, and too much garbage will decrease your system performance ! ... do you like it when someone puts garbage in your home ? I HATE IT ! I REALLY DON'T GIVE A F%CKIN' CARE WHERE THE SETTINGS/FILES ARE STORED BY ANY AUTHOR'S SOFTWARE AS LONG AS THE UNINSTALL WILL REMOVE IT ALL CLEANLY ! ... ANYWAY NO ONE CAN HIDE ANYTHING IN MY SYSTEM ! ... it should be put here:

HKEY_LOCAL_MACHINE\Software\Magellass\WinBoost98
RegisteredOwner="Pirate Copy"

Keygenerator Source

// Written in Borland C++ 5.2
// Compile with bcc filename.cpp (smaller but slower) or bcc32 filename.cpp (faster but larger)
// huh, how do I make it faster and smaller !
// (the header names were lost from the listing; these are the ones the code needs)
#include <iostream.h>
#include <conio.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

void main(void)
{
    char name[255];
    int sw=0, pos=0, x=0, cx;
    long oddeven=0, reg[2];            // long: the sums and their square do not fit a 16-bit int
    long edx, esi;
    clrscr();
    cout << " Keygenerator for Winboost 1.24 bY widYa@cL 2011\n";
    cout << " Copyright (C) wOrLd cRaCkinG linK '99\n\n";
    cout << " User Name : "; gets(name); cx=strlen(name);
    if (cx == 0) exit(0);              // blank name: the routine exits at 004D1692
    if (cx > 0x10) cx = 0x10;          // only the first 16 characters count
    while (sw < 2) {                   // pass 1: odd positions (ebx), pass 2: even positions ([ebp-08])
        if (pos >= cx) {
            reg[x]=oddeven; x+=1; sw+=1; oddeven=0; pos=1;
        } else {
            oddeven=oddeven+(unsigned char)name[pos]; pos+=2;   // movzx: bytes are unsigned
        }
    }
    reg[0]= reg[0]*reg[0];             // imul eax
    edx = reg[1]*0x22713;              // imul edx,[ebp-08],22713
    edx = reg[0]+edx+0xCDE736;         // lea edx,[eax+edx+CDE736]
    esi = edx;
    esi = esi << 3;                    // shl esi,3
    esi = esi-edx;                     // sub esi,edx
    cout << " Registration Code : " << esi << endl;
    getch();
}

Final Notes
+Thanks+ 2 aLL my friends ouTThere for the responses, though they always come with 'softwarez links' ... hopefully I'll make more tuts (until 99 tuts .. hurraah !) ... it was not only about breaking the protection ... let me know if you have any comments/suggestions/critics

Special Thanks : Magellass Corp for giving me a challenge ... it forced me to improve my skills a little bit ...

GOD IS THE MOST GREAT

Written / Design bY : widYa-cL 2011
Page CreaTed : 25 March 1999

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #19 soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
FunkyZero/CiA for the Splash Logo.
widYa-cL/2011 for providing 7 tuts in this version. (tnx!)
tKC/CiA (hey, it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials - see below for my email address!

Greetz go to all my friends! You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 27 March 1999

Cracking Tutorial #18 is dedicated to all the crackers...
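The WinBoost 98 listing in PART 7 is worth a second look from the vendor's side: the registration code is a fixed function of two byte sums over at most 16 characters, so any two names with the same odd-position and even-position sums (a swap of two odd-position characters, or a name that differs only after the 16th character) receive the same code. The C program below is an added example, not the tutorial's keygen and not Magellass's code: it restates the derivation from the listing with 32-bit arithmetic and then shows those collisions and the ceiling they put on the number of distinct codes. Returning 0 for a blank name, and every test name other than "Pirate Copy", are my own constructions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Registration-code derivation as the listing at 004D166A..004D16D8 describes
 * it: ebx collects the bytes at odd 1-based positions (1,3,5,...), [ebp-08]
 * the bytes at even positions (2,4,6,...); at most 16 characters are looked
 * at. uint32_t keeps the same wraparound as the 32-bit lea/shl/sub.
 * A blank name leaves the routine at 004D1692; returning 0 for that case is
 * an assumption of this example, not something the listing shows. */
uint32_t winboost_code(const char *name)
{
    size_t cx = strlen(name);
    if (cx == 0) return 0;
    if (cx > 0x10) cx = 0x10;                        /* 004D168B: mov cx,0010 */

    uint32_t ebx = 0, even_sum = 0;                  /* ebx and [ebp-08] */
    for (size_t i = 0; i < cx; i += 2) ebx      += (uint8_t)name[i];   /* movzx */
    for (size_t i = 1; i < cx; i += 2) even_sum += (uint8_t)name[i];

    uint32_t eax = ebx * ebx;                        /* imul eax                  */
    uint32_t edx = even_sum * 0x22713u;              /* imul edx,[ebp-08],22713   */
    edx = eax + edx + 0xCDE736u;                     /* lea edx,[eax+edx+CDE736]  */
    return (edx << 3) - edx;                         /* shl esi,3 / sub esi,edx   */
}

/* Two names collide whenever their odd-position and even-position byte sums
 * agree; nothing else about the name reaches the code. */
int same_code(const char *a, const char *b)
{
    return winboost_code(a) == winboost_code(b);
}

/* Each sum covers at most 8 bytes of 0..255, so it lies in 0..2040. The code
 * is a function of that pair alone, so every possible name maps onto at most
 * 2041 * 2041 distinct codes, whatever the mixing arithmetic does. */
uint32_t max_distinct_codes(void)
{
    return 2041u * 2041u;                            /* 4165681 */
}

int main(void)
{
    /* Constructed inputs: the tutorial's "Pirate Copy" plus variants of it. */
    const char *a = "Pirate Copy";
    const char *b = "tiraPe Copy";                   /* 'P' and 't' swapped: both odd positions */
    const char *c = "abcdefghijklmnop";
    const char *d = "abcdefghijklmnop Ltd.";         /* differs only past the 16th character */

    printf("%-22s -> %u\n", a, winboost_code(a));    /* 572751872, as in the tutorial */
    printf("%-22s -> %u\n", b, winboost_code(b));
    printf("swap collides: %d, truncation collides: %d\n", same_code(a, b), same_code(c, d));
    printf("at most %u distinct codes exist for every possible name\n", max_distinct_codes());
    return 0;
}
```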