Welcome to Cracking Tutorial #19! Well, well.. what can I say? Nothing is gonna stop us now! :)

I've used AHM TritonTools 2000 components in this version, so it's got a little bigger. I hope it'll work on your machine, else yell at Alexander Mehlhorn :)

Warning, this tutorial is a real mother! *grin*

Ok, let's rave! You'll need the following tools: (I use these tools and I assume you'll use 'em, but it doesn't mean that you'll need all of them, so just be sure to have them handy for the examples in this tutorial!)

SoftIce 3.24 Beta
W32Dasm 8.93
Hacker's View 6.03
SmartCheck 6.01
TASM 5.00
Windows Commander 3.53 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://surf.to/HarvestR
http://catalyst.intur.net/~Iczelion/tools.html

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART: 1
~~~~~~

HOW TO GET A SERIAL OF WINAMP SKIN MAKER 0.27
Tutor by RSiP

Tools to use
~~~~~~~~~~~~
SOFT-ICE 3.24

Where to get the program
~~~~~~~~~~~~~~~~~~~~~~~~
http://members.tripod.com/ajie_g/skinners.html

Start Winamp Skin Maker. Go to Help / About / Register.
Enter a name : RSiP
Reg#         : 12345

Now press CTRL-D; you're now inside SoftIce.
Type DATA (for the data window).
Type R (for the register window).
Now we set a breakpoint, so type: BPX GETDLGITEMTEXTA
Press F5. You're now back in Skin Maker.. press OK.
*BOOM* - you're now back in SoftIce. Press F11.
EAX=4 (this is the length of your name).
Now press F10 22 times until you see:

0257:00404D59 PUSH EAX

Type: D EAX
and you see your name and the serial number you entered in the data window.
Now press F10 2 times until you see:

0257:00404D5F ADD ESP,04

Type: ? EAX
00545A04 0005528068 "TZ " <= This is our serial (SoftIce's ? prints the value in hex, decimal and as ASCII)

Clear the breakpoint (BC *). Enter your name and the serial, press OK.
You're now *REGISTERED*

RSiP would like to thank tKC for his tutors.
PART: 2
~~~~~~

Stones Connectcontrol 2.0.4

Tools: Hiew 6.03, W32Dasm 8.93
URL: http://www.image.dk/~stone/fuldver/CC2FSetup.exe

1. Start the program.
2. Choose Menu.
3. Push the button "Forbindelser" (Connections).
4. Choose Hjælp (Help), Registrering (Registration).
5. Enter your name and a serial, and press OK. You will get a message box; read what it says in the blue field: "PogNavn". Note it, make a copy of connectrl.exe -> connectrl.w32 and load the .w32 file in W32Dasm. Then click on SDR (String Data References) and search for "PogNavn". When you have found it, double click on it twice and you will see something like this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00465CBC(U)   <--- This one we are gonna need in just a few seconds
|
:00465D07 6A30                 push 00000030

* Possible StringData Ref from Code Obj ->"PogNavn"   <--- Remember this one?
|
:00465D09 B97C5D4600           mov ecx, 00465D7C

6. Click on Goto Code Location, enter 465CBC, and you will see this:

:00465CBA 84C0                 test al, al
:00465CBC 7449                 je 00465D07   <--- This is where it happens!
:00465CBE A11C1F4700           mov eax, dword ptr [00471F1C]

7. Can you see what we have to do? KEWL, then let's patch this bitch.. Make sure that you get the file offset that we need to patch: put the green line right on top of

:00465CBC 7449                 je 00465D07

Found the offset? COOL (it is offset 650BC; W32Dasm shows the @Offset in the status bar at the bottom).

8. Then start HIEW, but do NOT close W32Dasm (we might need it later on!), load connectrl.exe and press Enter twice to go to decode mode. Press F5 and enter 650BC, press F3 and write 75 (je -> jne). F9 to save and F10 to exit to Windows/DOS.

9. Then we start ConnectControl again and go to "Registrering...". Enter your name and a serial and press OK. What happens? That's right, no nag when pressing OK. Then click "Hjælp" and press "Om ConnectControl" (About ConnectControl). Can you see the [IKKE-REGISTRERET!] (NOT REGISTERED!)? Now you have to think logically... it has a check to see if the name is right! But where? That's right.. [IKKE-REGISTRERET!] is the check!
Now close ConnectControl, go to W32Dasm and look for [IKKE-REGISTRERET!] in the SDR. Found it? Cool.. then double click on it twice, scroll a few lines up and you will see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046F1E9(C)   <------ This one we have to use.....
|
:0046F23C B82C394700           mov eax, 0047392C

Click on Goto Code Location and enter 46F1E9.

10. Now you will see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046F1E3(U)
|
:0046F1E7 84DB                 test bl, bl
:0046F1E9 7451                 je 0046F23C   <--- Do you know anything about this one?

11. Then what do you think needs to be done here? That's right, we only need to change the je to jne, 74 -> 75. Now make sure that the green bar is right over the line:

:0046F1E9 7451                 je 0046F23C

The offset is 6E5E9.

12. Run Hiew and patch it. DONE? GOOD. Now we go back to ConnectControl ("Hjælp", "Om ConnectControl"). And what do you see??? Registreret til: YOUR NAME (Registered to: YOUR NAME). (You may need to enter your name again to get it into the "Om ConnectControl" box.)

So that was it! hehe. OKAY, you did it! Enjoy!

Signed Put

PART: 3
~~~~~~

KrYpToN's Cracking Tutorial #2
------------------------------

Target : GameSpy3D 2.08
Tools  : SoftIce 3.24, deShrink 1.4, W32Dasm 8.93, Hiew 6.03

I was asked to crack this by a couple of Quake/Unreal freaks; it is used to find quick servers for playing Internet games or something like that. It looked easy enough to crack - a simple Name/RegKey protection - but it turned out to be more complicated than I expected.

1) The Registration Code
------------------------

Install GameSpy and run it. You see the nag screen and the Register button. Click on it and enter some details. Click on OK and (if you're not connected to the Internet) you will see that it opens up the Dial-Up Connection box. Click on Cancel and you'll see that it says 'Server not responding' or something similar. Looks to me like there is not just serial protection but also some kind of Internet check as well.
I decided to disassemble the program with W32Dasm - it crashes - hmmmm... ok... let's just look at it in SoftIce.

After the 3 GetWindowTextA breakpoints press F12 until you are in the GameSpy code. Trace through until you get to the Dial-Up Connection bit, click on Cancel, you will return to SoftIce, keep pressing F12 until you eventually get back to the GameSpy code again. Then trace a bit more. You will soon get to a call that takes a LONG time to finish executing, but it does, so just be patient. Get back into the GameSpy code and trace some more until you get to some very interesting code...

CS:00461B8D CMP EAX,EBP
CS:00461B8F JZ 00461D0E              <-- BAD jump
CS:00461B95 TEST EAX,EAX
CS:00461B97 JZ 00461CE3              <-- another BAD jump
CS:00461B9D MOV ECX,[EDI+0000014C]   <-- your reg no.
CS:00461BA3 MOV EDX,[ESP+0C]         <-- the correct reg no.
...
...

Well, we want to remove the 2 jumps and look at the correct serial no., so when you are at the 1st jump make a note of the hex bytes shown to the left of the asm jump instructions (not shown above) for use later with the hex editor. Anyway, type 'a' and enter 6 NOPs (each JZ rel32 is 6 bytes long). Then trace to the 2nd jump and do the same. Now trace to just past the last line I have included above and type...

d ECX   (you will see your reg no.)
then
d EDX   (you will see the real reg no.)

Make a note of the real reg no. and exit SoftIce. You will be told that your Registration No. is incorrect (but it won't say server not responding). If you want, you can now try to enter the real code before you exit GameSpy and you will have it registered.

2) Patching The Program
-----------------------

Ok, we want to remove the 2 jumps and make it permanent. Load up HIEW, press RETURN to get into hex mode, search for the hex bytes you made a note of earlier and press RETURN - nothing found, hmmm... If you go back to the ASCII dump again (RETURN x 2) you will see the word 'Shrink' (meaning it's compressed) and more importantly 'Shrinker' (the compressor used).
This is why we can't find the hex bytes and also why W32Dasm crashed on us. So what we need is a Shrinker decompressor. I found deShrink 1.4 and it worked like a dream! With the uncompressed exe I could find the hex bytes and I could disassemble the code in W32Dasm as well. So now you can patch the code in HIEW and make it permanent. That's it.

The only real problem is that the exe is now almost 3 times the size of the original and writing a patch is obviously impossible. The only way you could write a patch is to re-compress the exe with Shrinker - I don't have it so I don't know how well it would work. It might work.

Anyway, that's it, that was the 1st compressed file I have encountered; they are a bit of a pain, but it was an interesting experience.

E-Mail me at KrYpToN1999@hotmail.com with any comments or suggestions.

-KrYpToN

PART: 4
~~~~~~

===============================================================================================
====================================== patching Shrinker ======================================
===============================================================================================

Tutorial #2 on patching a packed file

:-)nothing is impossible(-:

Written by R!SC - risc_1@hotmail.com

Knowledge is Power!

====================================== introduction! ======================================
===============================================================================================

I am going to try to teach you how to patch a file packed with Shrinker 3.x. How many times have you come across a program that you NEEDED to patch, only to find out it has been packed with 'Shrinker'? It's not nice asking people to 'Unpack the target with DeShrink, and then run our patch...'. Why bother, when we can use Shrinker's own unpacking code: use the jump to the start of the original code to jump to our patch, patch the code in memory, then return execution to the original program.
THE IDEA OF THIS TUTORIAL IS NOT TO TEACH CRACKING, BUT PATCHING A PACKED FILE

====================================== things you need ======================================
===============================================================================================

Xceed Absolute Packager 1.1 (Target Program, packed with Shrinker 3.4?) (Free trial version)
Get it at: http://www.xceedsoft.com/absolute
Soft Ice 3.22/3.23
ICEDUMP (I'm using beta 4 of this excellent addon)
ProcDump v1.3
WDasm32
A Hex Editor & Calculator..
!PEN AND PAPER! (oLD sKOOL :-)

Right then, I assume knowledge of SoftIce, and with this comes knowledge of asm and knowledge of cracking.

====================================== whats our target? ======================================
===============================================================================================

Absolute Packager has a NAG screen every time it is loaded, stating 'X Days left for evaluation, I understand that I may use the program for evaluation purposes only', with Agree/Help/Quit buttons. Every package you create has a nag as well, stating it was 'Created with the Free Trial Version, and all packages created with the Free Trial Version will display this Nag', and there are several text reminders that it's a 'Free Trial Version'. The 30 day trial doesn't work, i.e. it still works after the trial has ended, but we're gonna kill this nag & the nag in the packages we create anyway.

====================================== lets begin... ======================================
===============================================================================================

Before we do begin, get your pen & paper ready and let's write down some variables.
We need two file offsets, one for the DEP (Depacker Exit Point) & the other for our iMP (Inline Memory Patch). Do it like this (this is VERY important if you want to follow along):

OFFSET#1 ; FILE OFFSET-DEP
OFFSET#2 ; FILE OFFSET-iMP
PATCH#1  ; 5 BYTES (OUR JUMP TO OUR PATCH)

We want to find the exit point of the unpacker code, which will give us the original entry point of the program, before it was compressed with Shrinker.

Loading absolute.exe into SoftIce's Symbol Loader doesn't work: instead of SoftIce breaking on the first instruction, the damn thing just runs. Heh, get ProcDump loaded, select the PE-Editor function, load absolute.exe. We can see that the Entry Point is '0015654B'. Select Sections, and look for the nearest Virtual Offset below the Entry Point; you will find it to be the '.load' section, starting at RVA '00155000'. '.load' + 154B = Entry Point! The file offset of this section is '00002800'; add 154B = 3D4B, the file offset of the Program Entry Point. (Did you follow that??)

Hex edit absolute.exe, go to offset 3D4B, and change the '83' to a 'CC' (int 03). Enter SoftIce, type in 'bpint 03', hit F5. Run absolute.exe. SoftIce will break here:

0055654B CC                   int 03

(This address is the Entry Point + the ImageBase (00400000).)

Hmm, unpacking code normally locates itself far above the original code, so we trace through the code until it executes a jump or call to a location away from this address space, say somewhere between 00401000 & 00540000...

Type in 'e eip 83' to replace the 'int 03' with the proper instruction code:

0055654B 833DB411550000       cmp dword ptr [005511B4], 00

Start tracing the code with F10, trying to remember what calls do what :) (you'll see). When you execute this call, the program runs...

005565D3 E806000000           call 5565DE

So run the program again, replace the 'CC' with '83', start tracing again, F10 until you get to the call where the program ran, then step into it with F8. Carry on tracing with F10.
After tracing for a while, the program runs again, after trying to step over a call [ebp-24]:

0055664A A114365500           mov eax, dword ptr [00553614]   (0006C31C)
0055664F 030528375500         add eax, dword ptr [00553728]   (00400000)
00556655 8945DC               mov dword ptr [ebp-24], eax     (Original Program Entry Point)
00556658 FF7510               push [ebp+10]
0055665B FF750C               push [ebp+0C]
0055665E FF7508               push [ebp+08]
00556661 FF55DC               call [ebp-24]                   (call 0046C31C)

So there you go, a lesson in tracing through decompressor code to find the Depacker Exit Point 'DEP' and the Program Entry Point 'PEP'. With these addresses, we're set to patch this mother!

Hex edit absolute.exe again, go to offset 3D4B and change the 'CC' back to the original '83'. Search for the 'push [ebp+08], call [ebp-24]' bytes, 'FF7508FF55DC'; they turn up at offset 3E5E (write this down, OFFSET#1). Change the first 'FF' to a 'CC'.

We need to change this code to jump to our own code instead of running the program. A jump takes up 5 bytes, so we have to overwrite both these instructions (3 + 3 bytes). Don't worry though, because after patching the memory with our inline code we can execute the two instructions we replaced.

Whilst you have absolute.exe loaded in your hex editor, just look through the file for some space around the unpacker code to place our own patch code. There are plenty of places.. I chose offset 26C0 (write this down, OFFSET#2), just after the imports. Enter 'some text' here that we can search for in SoftIce after it has unpacked the program. Save the file and run it again.. SoftIce breaks here:

0055665E CC                   int 03

OK, now search for the text you entered into the exe: type in s 0 l ffffffff 'some text'. You should get 'Pattern found at 01xx:005548C0' and the text displayed in the data window. Type in 'a eip' to assemble instructions at the current EIP, type in 'jmp 5548C0', then hit Escape.
Copy the instruction codes down for the jump you just wrote: 'E95DE2FFFF'. Hit F5; Shrinker traps an exception - well, we haven't written the rest of our code yet, have we? We still have to crack the program, then we can finish off our patch..

====================================== data we have so far ======================================
===============================================================================================

OFFSET#1 = 3E5E        (Depacker Exit Point)
OFFSET#2 = 26C0        (Where our Inline Memory Patch will go)
PATCH#1  = E95DE2FFFF  (jump to our iMP)

====================================== lets crack! ======================================
===============================================================================================

My way might be wrong, but it worked, so I'll tell you anyway... Basically, I keep tracing through the code with F10 until the nag has popped up, remember the caller, run the prog again, then kill that call and test it to see if it still runs. If it doesn't, trace into it and try again; I find the right place eventually..

Run absolute.exe (with the int 03 still embedded at the DEP). Type in 'e eip FF', then trace with F8. When you have executed the call [ebp-24], trace with F10 until the nag pops up... it's here:

0046C3FB E8B09BFFFF           call 00465FB0   (call Nag)

Well, this calls the nag, then after clicking Agree returns you to SoftIce, so put a breakpoint on the call and run the program again.. SoftIce breaks on the call; type in 'e eip b8', which changes the 5-byte 'call' into a 5-byte 'mov eax,xxxxxxxx', so nothing after it shifts. Hit F5 to run the program. GodDamn!, it works! heh, too easy. Our patch only has to change the byte at address 46C3FB to a 'b8', so let's do it..

Run the proggie again, this time putting in the jmp at the DEP and stepping into it with F8. When SoftIce breaks, type in 'a eip' to assemble code at the current EIP, type in 'jmp 5548C0', then hit Escape. Hit F8; we're at location 5548C0 now?
Type in 'a eip'.
Type in 'mov byte ptr [46C3FB], B8' (our iMP, Inline Memory Patch), then replace the Packer Exit Point:
Type in 'push dword ptr [ebp+08]'
Type in 'call [ebp-24]', then hit Escape..

Dump the memory by typing in 'pagein 5548C0 10 c:\imp.dat', or write down all the instruction codes you just created: 'C605FBC34600B8FF7508FF55DC'.

Hex edit absolute.exe again, then either copy & paste imp.dat into absolute.exe at OFFSET#2 26C0, or write in all the codes by hand. Go to OFFSET#1 3E5E and write in the jump instruction codes, save it and run!

Cool, it works... now for killing the nag in the packages we create with it..

====================================== removing NAG #2 ======================================
===============================================================================================

OK, now for a bit of ZEN cracking, as this tutorial is really to teach patching packed files, and not cracking as such... Absolute Packager creates the self-extracting zips using a separate dll, 'xcdzip32.dll' (The Xceed Zip Compression Library: File Version 3, 5, 0, 4). Lucky for us, they use the same library in the full version as in the trial version, and just check some flag in memory to see what sort of exe to create. Well, upon disassembly of this dll you can soon find this part of the code...

Disassembly of File: xcdzip32.dll

:1000B1AF A1B08E0210           mov eax, dword ptr [10028EB0]   <-- some version flag
:1000B1B4 85C0                 test eax, eax                   <-- check for zero
:1000B1B6 741C                 je 1000B1D4                     <-- JumpifEqual to 'no NAG'
:1000B1B8 83F802               cmp eax, 00000002               <-- check for two
:1000B1BB 7417                 je 1000B1D4                     <-- JumpifEqual to 'no NAG'
:1000B1BD 83F803               cmp eax, 00000003               <-- check if three
:1000B1C0 7417                 je 1000B1D9                     <-- JumpifEqual to NAG #2

* Possible StringData Ref from Data Obj ->"This self-extracting zip file "
                                        ->"was created with the free trial "
                                        ->"version of the Xceed Zip Self-Extractor. "
                                        ->" It will only unzip itself on "
                                        ->"the same machine that it was created "
                                        ->"on. Registering your Xceed Zip "
                                        ->"Self-Extractor will remove this "
                                        ->"limitation."
|
:1000B1C2 BE10480110           mov esi, 10014810               <-- NAG #1 (not ours)
:1000B1C7 8BFB                 mov edi, ebx
:1000B1C9 B93D000000           mov ecx, 0000003D
:1000B1CE F3                   repz
:1000B1CF A5                   movsd
:1000B1D0 66A5                 movsw
:1000B1D2 EB13                 jmp 1000B1E7

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:1000B1B6(C), :1000B1BB(C)
|
:1000B1D4 C60300               mov byte ptr [ebx], 00          <-- Set a version flag.
:1000B1D7 EB0E                 jmp 1000B1E7                    <-- ha! done...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000B1C0(C)
|
* Possible StringData Ref from Data Obj ->"This self-extracting zip file "
                                        ->"was created with the free trial "
                                        ->"version of the Xceed Absolute "
                                        ->"Packager - the software that makes "
                                        ->"it easy to create powerful, fully "
                                        ->"customizable self-extracting zip "
                                        ->"files."
|
:1000B1D9 BE08490110           mov esi, 10014908               <-- NAG #2 (the one we got :)

OK, the way I crack this is to change this:

:1000B1B4 85C0                 test eax, eax                   <-- check for zero
:1000B1B6 741C                 je 1000B1D4                     <-- JumpifEqual to 'no NAG'

to this:

:1000B1B4 33C0                 xor eax, eax                    <-- zero eax (sets ZF, so the je is always taken)
:1000B1B6 741C                 je 1000B1D4                     <-- JumpifEqual to 'no NAG'

So, change the byte at offset A5B4 to a '33' (only the first byte differs; both instructions are 2 bytes). Job done! Another lame protection bites the dust...

====================================== end of tutorial ======================================
===============================================================================================

Comments, suggestions, questions welcome; write in the subject 'i love you :)'
risc_1@hotmail.com

R!SC -- March 1999

(I will survive without you. Don't tell me that you wanna leave. If you wanna leave, I won't beg you to stay, and if you gotta go darling, maybe it's better that way. I'm gonna be strong, I'm gonna be fine, don't worry about this heart of mine.)

risc@notme.com
risc_1@hotmail.com

love me, hate me, u don't know me...

Patch source code, if you like this sort of thing..
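Before R!SC's own TASM patcher, here is the pen-and-paper arithmetic from Part 2 and Part 4 (debugger address -> RVA -> file offset, the E9 rel32 encoding of the jump to the iMP, the 13-byte inline patch, and the single-byte je/jne and test/xor patches) done in Python. This is an editor's example, not code from any of the tutorial authors. The section tables are constructed from the numbers the tutorials quote; the raw sizes, and the RVA 1000 / raw 400 layout assumed for the CODE section of connectrl.exe and the .text section of xcdzip32.dll, are assumptions that merely reproduce the offsets the text arrives at.

```python
import struct

# Section tables constructed from the values quoted in Parts 2 and 4:
# (section name, section RVA, raw size, raw file offset). The raw sizes and
# the RVA 1000/raw 400 layouts are assumptions; the .load numbers are the ones
# ProcDump showed for absolute.exe.
CONNECTRL = {"base": 0x00400000, "sections": [("CODE",  0x00001000, 0x00070000, 0x00000400)]}
ABSOLUTE  = {"base": 0x00400000, "sections": [(".load", 0x00155000, 0x00002000, 0x00002800)]}
XCDZIP32  = {"base": 0x10000000, "sections": [(".text", 0x00001000, 0x00020000, 0x00000400)]}


def rva_to_offset(rva, sections):
    """Section-table lookup: file offset = raw_ptr + (rva - section_rva)."""
    for _name, sec_rva, raw_size, raw_ptr in sections:
        if sec_rva <= rva < sec_rva + raw_size:
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"RVA {rva:#x} is not backed by any section (packed or virtual-only?)")


def va_to_offset(va, image):
    """Debugger address (VA) -> file offset: subtract ImageBase, then use the section table."""
    return rva_to_offset(va - image["base"], image["sections"])


def jmp_rel32(src_va, dst_va):
    """E9 + signed 32-bit displacement measured from the end of the 5-byte jmp."""
    return b"\xe9" + struct.pack("<i", dst_va - (src_va + 5))


def patch_bytes(data, offset, new, expect):
    """Write 'new' at 'offset' only if the bytes there equal 'expect' (wrong version/offset guard)."""
    have = bytes(data[offset:offset + len(expect)])
    if have != expect:
        raise ValueError(f"bytes at {offset:#x} are {have.hex()}, expected {expect.hex()}")
    out = bytearray(data)
    out[offset:offset + len(new)] = new
    return bytes(out)


def connectrl_patches():
    """Part 2: two 'je' (74) -> 'jne' (75) patches, as (file offset, old byte, new byte)."""
    return [(va_to_offset(va, CONNECTRL), b"\x74", b"\x75")
            for va in (0x00465CBC, 0x0046F1E9)]


def absolute_patches():
    """Part 4: the 5-byte jmp written at the DEP and the 13-byte iMP placed at OFFSET#2."""
    dep_va, imp_va, nag_call = 0x0055665E, 0x005548C0, 0x0046C3FB
    imp = (b"\xc6\x05" + struct.pack("<I", nag_call) + b"\xb8"   # mov byte ptr [46C3FB], B8
           + b"\xff\x75\x08"                                    # push dword ptr [ebp+08]
           + b"\xff\x55\xdc")                                   # call [ebp-24]
    return {"dep_offset": va_to_offset(dep_va, ABSOLUTE), "jmp": jmp_rel32(dep_va, imp_va),
            "imp_offset": 0x26C0, "imp": imp}


def xcdzip32_patch():
    """Part 4, NAG #2: 'test eax,eax' (85 C0) -> 'xor eax,eax' (33 C0); only the first byte changes."""
    return (va_to_offset(0x1000B1B4, XCDZIP32), b"\x85", b"\x33")


def apply_connectrl(data):
    """Apply both Part 2 patches to an image, verifying the original byte at each site first."""
    for off, old, new in connectrl_patches():
        data = patch_bytes(data, off, new, old)
    return data


if __name__ == "__main__":
    # Constructed stand-in for connectrl.exe: zeros with a 74 (je) at each patch site.
    fake = bytearray(0x70000)
    for off, _old, _new in connectrl_patches():
        fake[off] = 0x74
    patched = apply_connectrl(bytes(fake))
    print([hex(o) for o, _, _ in connectrl_patches()], hex(patched[0x650BC]), hex(patched[0x6E5E9]))
    p = absolute_patches()
    print(hex(p["dep_offset"]), p["jmp"].hex().upper(), p["imp"].hex().upper())
    print(hex(xcdzip32_patch()[0]))
```

patch_bytes refuses to write unless the bytes already at the offset are the ones you expect, which is the check a hand-rolled patcher should make before touching anything; the TASM patcher that follows only checks the file size.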
;---------------------start of risc_abs.asm---------------------
; to build risc_abs.com
;
;   tasm risc_abs
;   tlink /t risc_abs

.MODEL TINY
.CODE
.286
ORG 100h

start:  jmp main
;_______________________________________________________________
intro     db 0dh,0ah," Hi, guess who patched Shrinker?",0dh,0ah
          db " It was Patched by -R!SC- ",0dh,0ah,0ah
          db "Patch for Absolute Packager 1.1...",0dh,0ah,0ah,"$"
done      db " Groovy! Patch Successful",0Dh,0Ah,"$"
error     db " cant find file ? ",0Dh,0Ah,"$"
error2    db " file wrong size, should be 673,347 bytes ",0Dh,0Ah,"$"
filename  db "absolute.exe",0
filename2 db "xcdzip32.dll",0

PATCH1    db 0E9h,05Dh,0E2h,0FFh,0FFh        ; jmp 5548c0
PATCH2    db 0C6h,05h,0FBh,0C3h,46h,00,0B8h  ; mov byte ptr [46C3FB], B8
          db 0FFh,75h,08                     ; push dword ptr [ebp+08]
          db 0FFh,55h,0DCh                   ; call [ebp-24]
PATCH3    db 033h                            ; for the dll
; 13 bytes of code to apply to the file + another 5 for the jump to our code...
; then 1 more for the dll.
;_______________________________________________________________
main:
        mov ah, 9               ; print title
        lea dx, intro           ; dx with offset of text
        int 21h

        mov ax, 3D02h           ; Open File (read/write)
        lea dx, filename
        int 21h
        jnb Ok                  ; jump if everything ok
fileerror:
        mov ah, 9               ; error with file
        lea dx, error
        int 21h
        mov ax, 4C01h           ; Exit with error
        int 21h
;_______________________________________________________________
Ok:
        mov bx, ax              ; file handle
        mov ax, 4202h           ; seek eof (file size comes back in dx:ax)
        xor cx, cx
        xor dx, dx
        int 21h                 ; int 03 : aw! our friend (cc)
        cmp ax, 04643h          ; 000A4643h = 673,347 bytes
        jne badsize
        cmp dx, 0ah
        jne badsize
sizepassed:
        mov ax, 4200h           ; file seek
        mov cx, 0               ; hi order word of offset
        mov dx, 03e5eh          ; lo order word of offset OFFSET#1
        int 21h
        mov ax, 4000h           ; Write to file
        mov cx, 5               ; number of bytes to write
        lea dx, PATCH1
        int 21h

        mov ax, 4200h           ; file seek
        mov cx, 0
        mov dx, 026c0h          ; OFFSET#2
        int 21h
        mov ax, 4000h
        mov cx, 13              ; PATCH2 is 13 bytes
        lea dx, PATCH2
        int 21h
        mov ax, 3E00h           ; Close file
        int 21h

;do the dll
        mov ax, 3D02h           ; Open File
        lea dx, filename2
        int 21h
        jnb stillOk             ; jump if everything ok
        jmp fileerror
stillOk:
        mov bx, ax              ; new file handle
        mov ax, 4200h           ; file seek
        mov cx, 0               ; hi order word of offset
        mov dx, 0A5B4h          ; lo order word of offset
        int 21h
        mov ax, 4000h           ; Write to file
        mov cx, 1               ; number of bytes to write
        lea dx, PATCH3
        int 21h
        mov ax, 3E00h           ; Close file
        int 21h
;_______________________________________________________________
finished:
        mov ah, 9               ; Show msg
        lea dx, done
        int 21h
        mov ax, 4C00h           ; All Done And Exit
        int 21h
badsize:
        mov ah, 9               ; print to screen
        lea dx, error2          ; message
        int 21h
        mov ax, 4C01h           ; Exit with error
        int 21h
end start
;-----------------------end of risc_abs.asm---------------------

====================================== blah blaah blah ======================================
===============================================================================================

Heh, with every packed file you attack, it always gets easier, and you always get quicker. Packing files is a poor way to protect them; people sell their packers with this as one reason to use them, another being faster loading times, and another being that the compressed file is smaller??
heehee, if you really want small, program in a real language, Machine Language; if you really don't want it cracked, don't program it at all :(

Some packers restrict patching memory directly somehow, probably by making the process read only (I'm not really very clued up on Win95 memory handling), so you can trace through the (un)packer code to find the exit point, but if you try patching the memory like I showed you here, you can get a fatal exception (one of those horrible blue screens, or a regular GPF). These packers need handling in a different way: you have to import some of your own functions, then open the process with read & write access, then use WriteProcessMemory to apply your patch. It's not as hard as it sounds..

lOOk oUT for my next tutorial on packed files, "Patching Neolite", as this is one of those packers that annoys me, and has a hidden catch for the cracker, but, as said somewhere before, "We always get what we want!"

Get my fULL cRACK for Xceed Absolute Packager; use astalavista to search for it..
http://astalavista.box.sk

Hope this tutorial will benefit some of you.
-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-

p.s. take a look at the ProcDump script if you want to learn about Shrinker 3.2 or 3.3 exit points, I think they're right (you really should trace through them yourself though, it's good experience for you..)

===============================================================================================
====================================== (c) R!SC 1999 ======================================
===============================================================================================

PART: 5
~~~~~~

February 1999

... Basic Methods in cracking ... Code Reverse Engineering
bY widYa-cL 2011 [ wOrLd CrackInG linK 99 ]

Tools Used : Softice V3.24 - W32Dasm V8.93

Tutorial Title ... D N A ... ... from newbees to another ...

Rating : Extremely Easy ( X )   Easy ( )   Medium ( )   Hard ( )
Date   : 103BC2F

INTRO ...
Sorry if there are any grammatical errors... this is my 2nd tut... hope you'll understand this piece...

In this tut I'd like to show you an easy & the fastest method to find a serial (we're not talking about VB proggies here). I wrote this for newbies / anyone out there that:

- wants to 'learn' the art of cracking...
- wants to know cracking basic methods/works...
- said "cracking is hard to 'learn'"...

I assume you already have the tools needed. About SoftIce settings, you can learn about them in the Softice Resource Center on the SandMan page, or you can simply edit your winice.dat (located in the directory where you installed SoftIce) into something like this:

PENTIUM=ON
NMI=ON
ECHOKEYS=OFF
NOLEDS=OFF
NOPAGE=OFF
SIWVIDRANGE=ON
THREADP=ON
LOWERCASE=OFF
WDMEXPORTS=OFF
MONITOR=0
VERBOSE
PHYSMB=48        ; I have 48 MB physical memory (RAM)... change this to the correct size
SYM=1024
HST=256
TRA=8
MACROS=32
DRAWSIZE=4096    ; I have a 4 MB graphics card... change this to the correct size
INIT="WR;WL;WD;CODE ON;X;FAULTS OFF;ALTSCR OFF;WATCH EAX;WATCH DS:SI;WATCH ES:EDI;"
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF4="^s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="altscr off; lines 60; wc 32; wd 8;"
CF2="^wr;^wd;^wc;"
EXP=c:\win99\system\kernel32.dll    ; my windows directory is win99.... what's yours....
EXP=c:\win99\system\user32.dll
EXP=c:\win99\system\gdi32.dll
EXP=c:\win99\system\comdlg32.dll
EXP=c:\win99\system\shell32.dll
EXP=c:\win99\system\advapi32.dll
EXP=c:\win99\system\shell232.dll
EXP=c:\win99\system\comctl32.dll
EXP=c:\win99\system\crtdll.dll
EXP=c:\win99\system\version.dll
EXP=c:\win99\system\netlib32.dll
EXP=c:\win99\system\msshrui.dll
EXP=c:\win99\system\msnet32.dll
EXP=c:\win99\system\mspwl32.dll
EXP=c:\win99\system\mpr.dll
EXP=c:\win99\system\msvbvm50.dll
EXP=c:\win99\system\vb40032.dll
EXP=c:\win99\system\vbrun300.dll

A DROP from the ASSEMBLY OCEAN ...

Before we continue... allow me to show you a short theory about the General Purpose Registers... since you will deal with them in every step...

- Accumulator : EAX (32 bit), extended AX (16 bit). AX splits into two 8 bit registers: AH (Acc high) & AL (Acc low). Used for arithmetic and logical computations.
- Base : EBX (32 bit), extended BX (16 bit). BX splits into two 8 bit registers: BH (Base high) & BL (Base low). Holds indirect addresses.
- Count : ECX (32 bit), extended CX (16 bit). CX splits into two 8 bit registers: CH (Count high) & CL (Count low). Used to count off the number of iterations in a loop or to specify the number of characters in a string.
- Data : EDX (32 bit), extended DX (16 bit). DX splits into two 8 bit registers: DH (Data high) & DL (Data low). Holds the overflow from certain arithmetic operations, and holds I/O addresses when accessing data on the I/O bus.
- Source Index : ESI (32 bit), extended SI (16 bit). Used as a pointer (much like the BX register) to indirectly access memory. You'll also use this register with the string instructions when processing character strings. This is a pointer within a segment (usually DS) that is read from by the CPU.
- Destination Index : EDI (32 bit), extended DI (16 bit). Used as a pointer (much like the BX register) to indirectly access memory. You'll also use this register with the string instructions when processing character strings. This is a pointer within a segment (usually ES) that is written to by the CPU.
- Base Pointer : EBP (32 bit), extended BP (16 bit); similar to the Base register, used to access parameters and local variables in a procedure.
- Stack Pointer : ESP (32 bit), extended SP (16 bit). Maintains the program stack. Normally you would not use this register for arithmetic computations. The proper operation of most programs depends upon the careful use of this register.

Note that the eight bit registers do not form an independent register set. Modifying al will change the value of ax; so will modifying ah. The value of al exactly corresponds to bits zero through seven of ax. The value of ah corresponds to bits eight through fifteen of ax. Therefore any modification to al or ah will modify the value of ax. Likewise, modifying ax will change both al and ah. Note, however, that changing al will not affect the value of ah, and vice versa. This statement applies to bx/bl/bh, cx/cl/ch, and dx/dl/dh as well. The si, di, bp, and sp registers are only 16 bits. There is no way to directly access the individual bytes of these registers as you can the low and high order bytes of ax, bx, cx, and dx. (The Art of Assembly)

DNA ( DEADLISTING IN ACTION )

Let's say we have a program called target.exe... We launch target.exe, enter the registration dialog, fill out the entries (name/key/etc.) as we like, then a window pops up saying "sorry, your name.." or "invalid.." or "Registration unsuccessful.." or "wrong code".... etc. Write down the message and quit target.exe.

We're gonna do a "fast" serial crack... fire up W32Dasm and disassemble target.exe... wait.. wait....
Once it's disassembled, click REFS - STRING DATA REFERENCES, look down for the message, double click on your message text... and soon we'll see this form:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:XXXXXXXX(C)                          ; ..go to this address
* Possible Reference to String Resource ID=XXXX: "........................."
:XXXXXXXX ???? ????????
* Possible StringData Ref from Data Obj ->"...your message..."
:XXXXXXXX ???? ????????

Your next step is... go to the Referenced Address :XXXXXXXX(C) by pressing [SHIFT+F12] (Goto Code Location) and entering XXXXXXXX... and we'll see the CMP/TEST in this form:

XXXXXXXX TEST ....., .....            ; Test one register or address against another.
XXXXXXXX JE / JNE / etc               ; If equal / if not equal ... then jump to the good/bad cracker ...

OR

XXXXXXXX CMP ....., .....             ; Compare one register or address to another.
XXXXXXXX JE / JNE / etc               ; If equal / if not equal ... then jump to the good/bad cracker ...

From now on let's call this condition the CGATE (CRACKERS GATE). So when you try to find a serial, the first thing you need to know is the CGATE address... since it determines whether we are a good cracker or a bad one...

If you want to find your serial here, then you need to trace some instructions above the CGATE (usually we only need to trace the last CALL before it)...

One thing I need to tell you is about "the routines" that work behind the scenes just before your message pops up... we can say there are 3 of them:

1. a routine which reads your input
2. a routine which processes the input with a unique formula to generate a valid serial (most programs only use the name we entered)... we call this the key generator routine (my favourite)
3. a routine which compares the valid serial with the serial we entered...

So let's say you want to make a keygen; then you need to know where the 1st routine starts/ends & where the 2nd routine starts/ends. Well... in this tutorial we only discuss the 3rd routine...
Though thiz routine examination bores me, i hope it can help someone out there... hmm... are u thinking what i'm thinking?!... yeah... u are talking 2 much theory... here we go then... let's see what we can do with all that easy theory above.. let's jazzy guys....

Ur targets: PolyView 3.20, VCDCutter 3.31 / MPEGPlayer 3.31, WinXfiles 3.7 / TWinExplorer PlusImage 99 1.3, IrfanView 32 2.98, Win-eXpose-I/O 95 V 2.00

POLYVIEW VERSION 3.20

OVERVIEW
The high performance image viewer and format conversion tool for Windows 95/98/NT from Polybytes(R). PolyView's major features are:
- Supports most of the popular graphics image formats, including BMP, GIF, JPEG, PCX, Photo-CD (read-only), PNG, SGI, TARGA, TIFF, and many others.
- Sophisticated support for animated GIF creation and playback.
- TWAIN support for acquiring blocks of images from scanners and digital cameras.
- Multiple threads enhance usability and allow time consuming operations, such as image file reading and writing, to be performed in parallel with user interface operations.
- Both full screen and windowed slide shows, using specified or random ordering, sound files, and transition effects.
- A wide variety of image appearance manipulation and filtering operations.
- Highly effective interpolated zooming.
- Sophisticated color resolution and image size manipulation algorithms.
- Thumbnail and directory browsers and Albums for image file management.
- OLE drag-and-drop methods for enhanced compatibility with the Windows desktop and applications.
- Automated creation of Web pages.

Protection system
Registration is via selecting Registration - License Information.
Here you will be asked to enter:
    Licensee :
    License number :
The registration code is based on what you type in for your name... On successful registration the following entries are created within your Registry File:
    HKEY_CURRENT_USER\Software\Polybytes\PolyView\Defaults\
    KU="User Name"
    KV="value"(value)

THE ESSAY
Run Polyview - Click Registration - License Information... use thiz entry as example:
    Licensee : widYa@cL 2011
    License number : 0101010
...push [OK].... a window pops up "Registration unsuccessful. Please verify that you have entered the information exactly as shown on your registration letter."... time to crack.. fire up W32dasm 'n disassemble polyview.exe... wait...*#!*... done... click REFS - STRING DATA REFERENCE, look down for ur message, double click on it... we land here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0044ED53(C)
    |
    * Possible Reference to String Resource ID=00141: "Unregistered"
    :0044EDF1 688D000000   push 0000008D
    :0044EDF6 8BCF         mov ecx, edi
    :0044EDF8 E84B800800   call 004D6E48
    :0044EDFD 53           push ebx
    :0044EDFE 53           push ebx
    * Possible StringData Ref from Data Obj ->"Registration unsuccessful. Please "
                                            ->"verify that you have entered the "
                                            ->"information exactly as shown on "
                                            ->"your registration letter."

...remember ur next steps... yup.. press [SHIFT+F12] goto code location 0044ED53.... we'll see thiz:

    :0044ED49 E842B4FEFF   call 0043A190      ; ur last call... Trace thiz CALL (push right arrow)
    :0044ED4E 83C408       add esp, 00000008
    :0044ED51 85C0         test eax, eax      ; Crackers Gate
    :0044ED53 0F8498000000 je 0044EDF1

...kewl... we only see one comparison in here... this is what we're looking for:

    :0043A1C1 3BC3         cmp eax, ebx

Write down the address... heii.. are u sayin' somethin'...?!... yeah... amazing, we've only used w32dasm so far.. we only need one 'sweet final touch' to finish thiz... yup.. we must use a debugger (Softice) to see what's in the EAX & EBX registers.
We need to set a breakpoint at 0043A1C1... but first we'll have to get into the polyview code in Softice.... now enter the registration screen again... fill out the entries... DO NOT push [OK] yet..... press [CTRL+D] to get into softice.... 'n set some breakpoints...
    BPX GetWindowTextA [Enter]
    BPX GetDlgItemTextA [Enter]
    BPX MessageBoxA [Enter]
    X [Enter]             ; leave Softice 'n back to Polyview
...Push [OK]... *BOOM*... Break due to BPX USER32!GetWindowTextA... now press F11 to get the caller... aah... we are in polyview code... now we can set the breakpoint at 0043A1C1:
    BC* [Enter]           ; clear all breakpoints 'coz we don't need them anymore...
    BPX 0043A1C1 [Enter]
    X [Enter]
....we are here... take a look at the register window: EAX=A14F1FDC EBX=00018A92.. it's a value in hexadecimal base... now let's see the value in decimal base...
    :0043A1C1 3BC3 cmp eax, ebx   ; ? EAX .... 2706317276 ..... ? EBX .... 0000101010
...yup... ur dummy code compared to the correct code... write down the correct code... clear all breakpoints.. BC* [Enter] - X [Enter]. Enter registration again, fill out the entries with the following:
    Licensee : widYa@cL 2011
    License number : 2706317276
...[OK]... *.......*... " Registration Succesful...."... cracks done....

VCDCUTTER 3.31

OVERVIEW
VCDCutter is a special mini version of MPEGPlayer. It is an MPEG, VCD and Movie Player. This mini version can play MPG, VCD, or other movie files (such as MPG, DAT, AVI, MOV). Very friendly and menu-driven with full featured control of the movie file. It can extract MPG frames from VCD or MPG files, cutting your favourite part or the whole MPG file (or track) to disk while playing (now can extract system stream, or video, audio stream only).
Some features of VCDCutter:
- Support for most movie formats (MPG, DAT, AVI, MOV, M1V, MPV, ...).
- Many options to fully control the playing operation.
- Cut mpg clips to disk, and save them as mpg (video&audio), m1v (video only), or mp3 (audio only) files.
Supported streams include: mpg system stream, video only stream or audio only stream.
- You can cut some clips, and then join them into one file.
- You can capture frames to disk when you are playing. You can merge 4 frames into one big frame by checking the Merge option.
- Fully control the playback quality and performance.
- You can resize the display window size to avoid some rubbish on your screen edge.
- You can control the playing speed in range 0.1X~10X.
VCDCutter supports the following formats:
    MIDI (.mid)
    MPEG-1 (.mpg, .mpeg, .mpv, .mpe)
    Audio-video interleaved (.avi)
    Nonproprietary Apple(R) QuickTime(R) files (.mov, .qt)
    Wave (.wav)
    AU (.au, .snd)
    AIFF (.aif, .aifc, .aiff)

PROTECTION SYSTEM
Registration is via selecting Configuration - Register. Here you will be asked to enter:
    User Name :
    User Code :
The registration code is based on what you type in for User Name and User ID... On successful registration the program stores license data in cdplayer.dat located in your windows system directory. The User ID is different on each computer.. so u can't use my license data....

THE ESSAY
Run VCDCutter - Right Click - Configuration - Register... use thiz entry as example:
    User Name : widYa@cL 2011
    User Code : 0101010
...push [Register]... a window popz up says "Please ensure you have entered ...."...
Disassemble vcdcut.exe.. wait... done... click REFS - STRING DATA REFERENCE, look down for ur message, double click on it... we land here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0041330C(C)
    |
    :00413387 6AFF         push FFFFFFFF
    * Reference To: USER32.MessageBeep, Ord:0194h
    :00413389 FF155C554700 Call dword ptr [0047555C]
    :0041338F A120634400   mov eax, dword ptr [00446320]
    :00413394 6A00         push 00000000
    * Possible StringData Ref from Data Obj ->"Error"
    :00413396 6898D24200   push 0042D298
    * Possible StringData Ref from Data Obj ->"Please ensure you have entered "

...press [SHIFT+F12] goto code location 0041330C.... we see thiz:

    :00413302 E829480000   call 00417B30      ; trace thiz call (right arrow in w32dasm)
    :00413307 83C408       add esp, 00000008
    :0041330A 85C0         test eax, eax      ; Crackers Gate
    :0041330C 7479         je 00413387

...we see there are three CMPs (right?!):

    :00417B7C 83F908       cmp ecx, 00000008  ; Loop Counter
    :00417B94 3BD1         cmp edx, ecx       ; Loop Counter

...we're only interested in the last comparison before ret...:

    * Reference To: USER32.wsprintfA, Ord:0264h    ; we're gonna set a breakpoint using the wsprintfA function
    :00417C20 FF15EC554700   Call dword ptr [004755EC]
    :00417C26 8BB4242C020000 mov esi, dword ptr [esp+0000022C]
    :00417C2D 83C410         add esp, 00000010
    :00417C30 8D842414010000 lea eax, dword ptr [esp+00000114]
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00417C59(C)
    |
    :00417C37 8A10           mov dl, byte ptr [eax]
    :00417C39 8A1E           mov bl, byte ptr [esi]
    :00417C3B 8ACA           mov cl, dl
    :00417C3D 3AD3           cmp dl, bl

Now enter the registration box again... fill out the entries... DO NOT push [Register] yet..... press [CTRL+D] to get into softice....
    BPX WSPRINTFA [Enter]
    X [Enter]
...[Register]... *BOOM*... press F11 to get the caller.... we land here.... (use F10 to step over)

    :00417C26 8BB4242C020000 mov esi, [esp+0000022C]
    :00417C2D 83C410         add esp, 00000010
    :00417C30 8D842414010000 lea eax, [esp+00000114]   ; EAX now contains the data pointed to by ESP+114....
Type D EAX... what do u see in the Data Window... in my case... c32e8403-577c879c... kewl.. it's the correct code

    :00417C37 8A10 mov dl, [eax]   ; copy first char from the correct code to dl (dl=00000063)
    :00417C39 8A1E mov bl, [esi]   ; copy first char from ur dummy code to bl (bl=00000031)
    :00417C3B 8ACA mov cl, dl      ; copy dl to cl
    :00417C3D 3AD3 cmp dl, bl      ; compare 'c' to '0' ....

....write down the correct code... type BC* [Enter] - X [Enter]. Enter registration again, fill out the entries with the correct code... push [Register]... " Thanks for your support ! Registeration is Suceed ! ".... are u thinking what i'm thinking?!.... yeah.. i should ask the author of VCDCutter to join me taking the TOEFL course next month..... cracks done...

heiii.. thiz proggy has a twin brother called MPEGPlayer... uses the same level prot schemes... similar codes... definitely same solution as above... i'll leave this so u can try to crack it as an exercise... but first u have to delete cdplayer.dat in your windows system dir 'coz it uses the same license data.

WINXFILES VERSION 3.7

OVERVIEW
WinXFiles with its attractive tabbed-dialog interface features secure encryption to prevent unauthorized access to all types of files and particularly to your image collection.
"To protect Your Personal Image collection" Secure Multi Image Viewer Included: You can encrypt your pictures once and see them as often as you want with your password and a click of the mouse, thanks to the WinXFiles Secure Multi Image Viewer inside. It includes a quick thumbnail preview mode. Supports BMP, JPG, GIF, Animated GIF, PNG, TIF, PCX, WMF. Ultra-Fast Window and Full Screen image display.
"To Protect all Your Personal files" Application AutoLaunch: With a click of the mouse and your password you can select an encrypted file. WinXFiles will decrypt it and run the file with the associated application.
"To Securely Erase The Files You Truly want to Delete" Secure File Wipe: It enables you to completely destroy the contents of any files you truly want to delete. Unlike the normal delete process, which merely replaces the first letter of a filename to allow it to be overwritten, this function obliterates the file contents. It will prevent anyone else from undeleting files you thought you had erased.

Protection system
Registration is inside the program.. we're asked to enter:
    User Name :
    Key :
The registration code is based on what you type in for your name & the date when u entered it... On successful registration the following entries are created within your Registry File:
    HKEY_CURRENT_USER\Software\Pepsoft\WXF32\Reg\
    "User Name"=
    "User Key"=

THE ESSAY
..as usual we use thiz as entry:
    User Name : widYa@cL 2011
    Key : 0101010
...push [OK]... a window popz up says "Invalid Registration Password"... disassemble wxfiles.exe.. wait... done... click REFS - STRING DATA REFERENCE, look down for ur message, double click on it... we land here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:0046F51F(C)
    |
    :0046F55A 6A00           push 00000000
    :0046F55C 668B0DF0F54600 mov cx, word ptr [0046F5F0]
    :0046F563 B202           mov dl, 02
    * Possible StringData Ref from Code Obj ->"Invalid Registration Password."

..[SHIFT+F12] goto code location 0046F51F...

    :0046F51A E81944F9FF   call 00403938   ; CGATE is in here... trace this call (right arrow)
    :0046F51F 7539         jne 0046F55A

..we're here...

    :00403938 53           push ebx
    :00403939 56           push esi
    :0040393A 57           push edi
    :0040393B 89C6         mov esi, eax
    :0040393D 89D7         mov edi, edx
    :0040393F 39D0         cmp eax, edx    ; Crackers Gate..
    :00403941 0F848F000000 je 004039D6     ; if equal then leave the 'bad cracker routine' 'n goto 'good cracker'
    ...
    :004039D6 5F           pop edi
    :004039D7 5E           pop esi
    :004039D8 5B           pop ebx
    :004039D9 C3           ret

...just to make it clear.. we can imagine the code like this:

    :0040393F 39D0         cmp eax, edx    ; we're gonna set a breakpoint here..
    :0046F51F 7539           jne 0046F55A   ; if not equal then jump to hell... if equal then proceed 'the way to heaven'
    :0046F521 8B45FC         mov eax, dword ptr [ebp-04]
    :0046F524 E813040000     call 0046F93C
    :0046F529 6A00           push 00000000
    :0046F52B 668B0DF0F54600 mov cx, word ptr [0046F5F0]
    :0046F532 B202           mov dl, 02
    * Possible StringData Ref from Code Obj ->"WinXFiles is now registered. Thanks "
                                            ->"a lot!"

...once again we need Sice just to see what's in EAX, EDX... let's finish thiz out... we only need 'one sweet final touch'... heii.. are u sayin' somethin'..?!.. yeah.. i wish i were a master in assembly so i could make a disassembler+debugger in one proggy..

...Call the angel (Sice) to guide us (CTRL+D)... hmm.. since we already know the address we want to set the BPX at... u can use any function that u want as long as it can lead us to break in wxfiles code... here we have a good function (HMEMCPY)...
    BPX HMEMCPY [ENTER]
..*BOOM*... F12 7X...
    BC* [ENTER]
    BPX 40393F [ENTER]
    X [ENTER]
    X [ENTER]
    :0040393F 39D0 cmp eax, edx   ; D EAX u see 0101010.... D EDX.. in my case shows.. BXUXZWJKPXMNLGP
....write down the correct code... clear the garbage from ur planet.. BC* [Enter] - X [Enter]. Enter registration again, fill out the entries with the correct key... [OK]... "WinXFiles is now registered. Thanks a lot!"... are u thinking what i'm thinking?!... yeah.. everybody greetz the good cracker....

...thiz proggy has a twin sister called TwinExplorer... uses the same level prot schemes.. similar codes.. definitely same solution as above... i'll leave this so u can try to defeat it as an exercise...

IRFANVIEW 32 V.2.98

OVERVIEW
IrfanView is a fast FREEWARE image viewer/converter for Win95/NT. Supported file formats: JPG/JPEG, GIF, BMP, DIB, RLE, PCX, DCX, PNG, TIFF, TGA, RAS/SUN, ICO, CUR, ANI, AVI, WAV, MID, RMI, WMF, EMF, PBM, PGM, PPM, IFF/LBM, PSD, CPT, EPS, CLP, CAM, MPG/MPEG, MOV, LWF, AIF, G3 and Photo-CD (Overview Photo-CD support).
Some features of IrfanView: Preview option, Drag&Drop support, fast directory view (fast moving through directory), slideshow, audio CD player, batch conversion, print option, change the color depth, scan support, cut/crop, capturing, many effects (sharpen, blur, photoshop filter factory)... The first graphic viewer WORLDWIDE with Animated-GIF support! The first graphic viewer WORLDWIDE with Multiple-ICO support! One of the first graphic viewers with Multipage-TIFF support!

Protection system
Registration is via selecting About - Registration. Here you will be asked to enter:
    Your Name :
    Your Code :
The registration code is based on what you type in for your name... On successful registration the program stores license data in I_View32.ini located in your windows directory... in the following section:
    [Registration]
    Name=
    Code=

THE ESSAY
Run the proggy - select About - Registration... use thiz entry as example:
    Your Name : widYa@cL 2011
    Your Code : 0101010
...[OK]... "Invalid Registration"... disassemble I_View32.exe.. wait... done... click REFS - STRING DATA REFERENCE, look down for ur message, double click on it... we land here:

    :0044033D E8DEF9FDFF   call 0041FD20     ; Trace thiz call
    :00440342 83C408       add esp, 00000008
    :00440345 85C0         test eax, eax     ; Cracker Gate
    :00440347 752C         jne 00440375
    * Possible StringData Ref from Data Obj ->"Incorrect registration !"

...last comparison before ret...

    :0041FFA0 3BE8         cmp ebp, eax      ; check thiz out...

...are u feeling what i'm feeling?!... yeah.. thiz tutor is making me bored..

...Enter Registration again - Fill out the entries - [CTRL+D] - BPX GetDlgItemTextA [Enter] - X [Enter] - [OK] - *BOOM* - F11 - BC* [Enter] - BPX 41FFA0 [Enter] - X [Enter] - ? EBP.. 0101010... ? EAX.. 0449531208 - u tell me....

WIN-EXPOSE-I/O 95 VERSION 2.00

OVERVIEW
Win-eXpose-I/O is a Windows 95 file I/O Tracing/Debugging SHAREWARE util. that lets you examine in real time what files each running application is using or trying to use.
Win-eXpose-I/O for Windows 95 traces all the file activities in all the applications and in all the different VMs (even DOS boxes) and gives you a clear picture for troubleshooting problems (like where and what the hell is the help file / INI file that the application is using or complaining is missing). Win-eXpose-I/O for Windows 95 is a MUST HAVE tool for anyone who is installing windows software on the computer or just trying to make sure the current software is working properly; Win-eXpose-I/O saves those HUGE amounts of hours trying to configure new or existing software by letting you know in real time what files each application is using or seeking. The Win-eXpose-I/O for Windows 95 application has a very intuitive and simple to operate user interface, yet a very powerful one that lets any user from novice to guru use the program in just a matter of seconds: just run it and then activate the other applications and you will see on the Win-eXpose-I/O screen a real-time log of all the file activities and their results. Win-eXpose-I/O for Windows 95 is also used as a GREAT performance improver by letting you know for each application all the file seeking failures (like searching for a file on the path); then just by changing a few system settings like PATH or working directory you will gain a performance improvement.

Protection system
Registration is via selecting the 'Help' menu then choosing the 'Registration' option. Here you will be asked to enter:
    First,LastName
    Company Name
    Address Line #1
    Address Line #2
    Serial Number
    Password
The actual password is based on the Serial No. Once you've registered the program it will store your User details and the password itself in the C:\Windows\wxr95.ini file instead of in your registry file!

THE ESSAY
Run the proggy - select Help - Registration...
We'll use the following entry as example:
    First,LastName  : widYa@cL 2011 The cRuSadER
    Company Name    : worLd cRaCkinG linK
    Address Line #1 : Cracker Galaxy
    Address Line #2 : nO wheRe
    Serial Number   : 0101010
    Password        : showmeplease
...push [OK].... a window pops up saying "Wrong password, Please re-enter Information."... as u wish sir.... time to crack.. fire up W32dasm 'n disassemble wxi95.exe... wait.... done... click REFS - STRING DATA REFERENCE, look down for ur message, double click on it... we land here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004061D0(U)
    |
    :004061D7 85C0         test eax, eax     ; Crackers Gate
    :004061D9 0F84CF000000 je 004062AE       ; if equal then jump to "good cracker"
    . . . . . .
    * Possible StringData Ref from Data Obj ->"Wrong Password"
    :00406277 6894A64000   push 0040A694
    * Possible StringData Ref from Data Obj ->"Wrong password, Please re-enter "
                                            ->"Information."

..scroll up a little bit...

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004061BA(C)
    |
    :004061CE 33C0         xor eax, eax
    :004061D0 EB05         jmp 004061D7

..hmm.. not interesting... scroll up a little bit.... we're here....
    * Reference To: MSVCRT40.sprintf, Ord:043Fh
    :0040619D FF15247B6D00 Call dword ptr [006D7B24]
    :004061A3 83C40C       add esp, 0000000C
    :004061A6 8D85CCFEFFFF lea eax, dword ptr [ebp+FFFFFECC]   ; we're gonna set a breakpoint here
    :004061AC 8D8DCCFDFFFF lea ecx, dword ptr [ebp+FFFFFDCC]
    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:004061CC(C)
    |
    :004061B2 8A10         mov dl, byte ptr [eax]      ; copy data to dl from the memory location pointed to by EAX
    :004061B4 3A11         cmp dl, byte ptr [ecx]      ; compare it to the data pointed to by ECX
    :004061B6 751A         jne 004061D2
    :004061B8 0AD2         or dl, dl
    :004061BA 7412         je 004061CE
    :004061BC 8A5001       mov dl, byte ptr [eax+01]
    :004061BF 3A5101       cmp dl, byte ptr [ecx+01]
    :004061C2 750E         jne 004061D2
    :004061C4 83C002       add eax, 00000002
    :004061C7 83C102       add ecx, 00000002
    :004061CA 0AD2         or dl, dl
    :004061CC 75E4         jne 004061B2

Now enter the registration again... fill out the entries... DO NOT push [OK] yet..... press [CTRL+D] to get into softice.... set some breakpoints...
    BPX GetWindowTextA [Enter]
    BPX GetDlgItemTextA [Enter]
    BPX MessageBoxA [Enter]
    X [Enter]
...Push [OK]... *BOOM*... Break due to BPX USER32!GetWindowTextA... now press F12 2X... aah... we're in wxi95 code... now we can set the breakpoint at 4061A6:
    BC* [ENTER]
    BPX 4061A6 [ENTER]
    X [ENTER]
*.......*... we're here..
    :004061A6 8D85CCFEFFFF lea eax, [ebp+FFFFFECC]   ; D EAX.. u see.. f413c2da
    :004061AC 8D8DCCFDFFFF lea ecx, [ebp+FFFFFDCC]   ; D ECX.. u see.. showmeplease
..hey.. are u sayin' somethin'...?!... yeah.. i can crack hundreds of softwarez with thiz method...

FINAL NOTES
...phew.. &*#!.... that was all 4 now guys... well.. i hope there's somethin' u can learn from thiz tuts... whattt... r u sayin' somethin'....!?.... please let me know your comments/suggestions/critics... i'll be waitin' 4 your mail... c u guys...
Greetz flies to: (no particular order)
SandMan, CrackZ, tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB, Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne, Mexelite, Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_, BigMoM, Aphex Twin [Vandals], vûltû_‰, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, YOU.....

NO BYTES WERE HARMED IN THIS TUTORIAL
------------------------------------------------------------------------
Essay by: widYa-cL 2011
Page Created: 17th February 1999

PART: 6
~~~~~~
Reverse Engineering Lab +=widY@cL 2011=+ from newbie to another

Tools    : W32dasm 8.93 - Softice 3.24
Project  : Key Generator
Release  : 10th - 03 April 1999
Info     : MP3 Explorer 2.3.0
Author   : Pierre LEVY
Homepage : http://ourworld.compuserve.com/homepages/pierre_levy/

The Essay
Goto the registration dialog and we're asked to enter:
    E-mail address :
    Registration key :
Enter Pirate Copy as 'E-mail address' and 0101010 as Registration key... #bOOm#... bad message pops up: "Registration info are not correct ! Please try again." as you wish!... disassemble mp3 explorer.exe and double click on the bad message text in the SDR window and we land here:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00401964(C)
    |
    * Possible Reference to String Resource ID=00154: "Registration info are not correct ! Please try again."

let's check this referenced address... aah here it is:

    0040195D E8DE510000   call 00406B40    ; heh.. looks like a call to the keygen routine!
    00401962 85C0         test eax, eax    ; if eax=0 then sets the zero flag..
    00401964 0F8485000000 je 004019EF      ; jump to hell if zero flag set

Notes:
If we entered the correct code then we'll return from the call with eax=1 -> anding 1 with 1 gives 1 -> zero flag not set
If we entered the wrong code then we'll return from the call with eax=0 -> anding 0 with 0 gives 0 -> zero flag is set

Now leave W32dasm at once... enter the reg dialog again.. put in our entry.. enter sice.. set BPX GetWindowTextA (our trap).. hit [OK].. bOOm.. kick F11 once to get the caller.. aah we're in mp3explorer code now.. set BPX 00406B40... X [ENTER].. bOOm... keep tracing... snip... snip.. snip.. AHA!:

    00406B92 8B7AF8       mov edi, [edx-08]             ; copy name length to edi (B)
    00406B95 83FF04       cmp edi, 04                   ; compare name length with 4
    00406B98 7D35         jge 00406BCF                  ; minimal name length is 4!
    ...
    00406BCF 85FF         test edi, edi                 ; if edi=0 then sets the zero flag
    00406BD1 7E18         jle 00406BEB                  ; if zero flag is set (Z=1) then beggar off
    00406BD3 8B442420     mov eax, [esp+20]             ; copy name to eax
    00406BD7 0FBE0C06     movsx ecx, byte ptr [eax+esi] ; get one char from eax (name) into ecx
    00406BDB 51           push ecx                      ; save ecx for later use
    00406BDC E82F130100   call 00417F10                 ; this call converts lowercase to uppercase (the result in eax)
                                                        ; also tells us that we can use any char in the name
    00406BE1 83C404       add esp, 04                   ; correct stack
    00406BE4 03E8         add ebp, eax                  ; ebp=ebp+eax (the result from this iteration is saved in ebp)
    00406BE6 46           inc esi                       ; esi=esi+1
    00406BE7 3BF7         cmp esi, edi                  ; are we done?!
    00406BE9 7CE8         jl 00406BD3                   ; no? then loop again
    00406BEB 8B4C240C     mov ecx, [esp+0C]             ; ecx=18A92h=101010 (our dummy code)
    00406BEF BAC0D40100   mov edx, 0001D4C0             ; edx=1D4C0 (a constant value from Pierre)
    00406BF4 2BD5         sub edx, ebp                  ; edx=edx-ebp

That was it!.. a very simple algorithm! edx holds the correct registration code.. now take a look at the next code...
    00406BF6 33C0         xor eax, eax      ; zero eax
    00406BF8 3BCA         cmp ecx, edx      ; compare dummy code with the correct code
                                            ; the zero flag is set (Z=1) if and only if ecx = edx
    00406BFA 8D4C2420     lea ecx, [esp+20]
    00406BFE 0F94C0       sete al           ; sete same as setz. set al (boolean) if equal / zero (Z=1)
                                            ; if we enter the correct code then al will be set to 1, else al / eax stays zero
    00406C01 8BF0         mov esi, eax      ; in this case esi = eax = 0 ('coz we entered the wrong code)
    ...
    00406C22 8BC6         mov eax, esi      ; eax = esi = 0... we'll return from this call with eax=0!

But as you can see, if we entered the correct code then we'd return from the call with eax=1. Heii.. are you thinkin somethin?!... yep we can have more fun here!.. in this case (weak protection scheme), we can also modify (patch) the code so we'll always return from the call with eax=1... here are some variations:

- 00406BFE 0F94C0 sete al   CHANGE TO   0F95C0 setne al (set if not zero)
  now you can enter any entry to make it registered... BUT... please don't enter the correct code!
OR
- 00406C22 8BC6 mov eax, esi   CHANGE TO   B001 mov al, 1
  with this method we'll always be a good buyer no matter what we entered

And on successful registration the program stores the license data in mp3 explorer.ini located in the windows directory:
    [User settings]
    RegisteredEmail=Pirate Copy
    RegistrationKey=???

Well.. hope there's something you can learn from this tut... wait for my next project!..
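As an added example (not code from this tutorial, from MP3 Explorer or from its author), here is the weak check traced above beside the form a vendor would use so that reading the routine yields no keygen: an Ed25519-signed license where only the public key ships with the program. It is in Go rather than BC++ because Go's standard library carries crypto/ed25519; the "mp3explorer-license-v1" domain string and the demo key pair are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
)

// weakVerify mirrors the MP3 Explorer 2.3.0 check traced above: the
// expected key is 1D4C0h minus the sum of the upper-cased name bytes, and
// the program compares that number with what the user typed. Everything
// the check needs is inside the binary, so whoever can read the routine
// (or dump EDX at the cmp) can reproduce it.
func weakVerify(name string, typed uint32) bool {
	if len(name) < 4 { // cmp edi, 04 / jge: names shorter than 4 are rejected
		return false
	}
	var sum uint32
	for i := 0; i < len(name); i++ {
		b := name[i]
		if b >= 'a' && b <= 'z' { // call 00417F10: lowercase to uppercase
			b -= 'a' - 'A'
		}
		sum += uint32(b) // add ebp, eax
	}
	return typed == 0x1D4C0-sum // sub edx, ebp / cmp ecx, edx
}

// License is the hardened alternative: the licensee name plus an Ed25519
// signature over it. The vendor signs with a private key that never ships;
// the program embeds only the public key, which cannot be turned into a
// key generator no matter how closely the check is traced.
type License struct {
	Name string // typed as "E-mail address"
	Key  string // typed as "Registration key": base64 of the signature
}

// licenseMessage binds the signature to this product (assumed label) so a
// key issued for another program of the same vendor cannot be replayed.
func licenseMessage(name string) []byte {
	return []byte("mp3explorer-license-v1\x00" + name)
}

// issueLicense runs on the vendor side only; priv never reaches the client.
func issueLicense(priv ed25519.PrivateKey, name string) License {
	sig := ed25519.Sign(priv, licenseMessage(name))
	return License{Name: name, Key: base64.StdEncoding.EncodeToString(sig)}
}

// strongVerify is what the program would run at the dialog. It still ends
// in one boolean, i.e. the same "test eax,eax / je" gate that the
// sete->setne patch above flips: signatures stop keygens, not patches, so
// code integrity checking is a separate layer.
func strongVerify(pub ed25519.PublicKey, lic License) bool {
	sig, err := base64.StdEncoding.DecodeString(lic.Key)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, licenseMessage(lic.Name), sig)
}

func main() {
	// Constructed demo keys; a real vendor generates the pair once and
	// keeps priv offline.
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	lic := issueLicense(priv, "Pirate Copy")
	fmt.Println("signed license accepted:       ", strongVerify(pub, lic))
	forged := License{Name: "Another User", Key: lic.Key}
	fmt.Println("same key, different name:      ", strongVerify(pub, forged))
	fmt.Println("weak check with the dummy code:", weakVerify("Pirate Copy", 101010))
}
```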
Source code

    // written in BC++ 5.2
    // compile with bcc name.cpp or bcc32 name.cpp
    // (the header names were lost in extraction; these are the ones the
    //  code needs under Borland C++ 5.2)
    #include <iostream.h>   // cout, endl
    #include <stdio.h>      // gets
    #include <string.h>     // strlen
    #include <ctype.h>      // toupper
    #include <conio.h>      // clrscr, getch
    #include <stdlib.h>     // exit

    int main()
    {
      char name[255], ecx=0, eax;
      int esi=0, ebp=0, edi;
      clrscr();
      cout << " Keygenerator for MP3 Explorer 230 bY widY@cL 2011\n";
      cout << " Copyright (C) wOrLd cRaCkinG linK '99\n\n";
      cout << " Enter name (minimal 4 char) : "; gets(name);
      edi = strlen(name);              // name length, as at 00406B92
      if (edi < 4) exit(0);            // minimal name length is 4
      while (esi < edi)                // the loop at 00406BD3..00406BE9
      {
        eax = toupper(name[ecx]);      // call 00417F10: lowercase to uppercase
        ebp = ebp + eax;               // add ebp, eax
        esi++; ecx++;
      }
      cout << " Registration key : " << (0x1D4C0 - ebp) << endl;   // edx = 1D4C0h - ebp
      getch();
      return 0;
    }

Final Notes
let me know if you have any comments/suggestions/critics (dot)

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #20 soon! ;)
And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
aCD/CiA for Splash Logo.
Put for providing a tut in this version.
RSiP for providing a tut in this version.
R!SC for providing a tut in this version.
KrYpToN for providing a tut in this version.
widYa-cL/2011 for providing 2 tuts in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials - see below for my email address!
Greetz goto all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 06 April 1999
Cracking Tutorial #19 is dedicated to all the crackers...