Welcome to Cracking Tutorial #20! Well, well.. what can I say? Nothing is gonna stop us now! :) Warning, this tutorial is a real mother! *grin* Ok, let's rave!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftIce 3.24 Beta
W32Dasm 8.93
Hacker's View 6.03
SmartCheck 6.01
TASM 5.00
Windows Commander 3.53 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://surf.to/HarvestR or http://harvestr.cjb.net
http://catalyst.intur.net/~Iczelion/tools.html
http://www.suddendischarge.com

or ask any crackers to get you these tools! Are you ready?! OK! ;)

PART 1:
~~~~~~

Nico's Commander 5.01
Tutor by Put
How to enter a random serial!

Sorry for my bad grammar, but I hope u will understand it anyway... :P This tutorial is made by a newbie for another!

http://members.theglobe.com/ncuppen/ncuk.exe

Tools: W32Dasm Ver 8.93, Hiew 6.03

1. When u start the program, u get an ugly message. Here u say YES to enter a registration number!

2. Enter a random serial and press OK. Damn, u get a message too that says: Invalid registration number! ??? We can't have that, can we? Nope, so let's fire up W32Dasm.

3. Note: it is a VERY good idea to make a copy of nc.exe into nc.w32 so that u have nc loaded all the time... But that is up to ur self. When u have disassembled the file (this WILL take a while) look for the "Invalid reg..." in the SDR (String Data References) window.

4. Found it? Cool.. then u will see something like this....

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044BF84(C)   <--- this one is the mother!
|
* Possible Reference to String Resource ID=04229: "Invalid registration number!"
:0044BF9F 6885100000               push 00001085
:0044BFA4 E83D6B0000               call 00452AE6
:0044BFA9 83C404                   add esp, 00000004
:0044BFAC 833D34EC560000           cmp dword ptr [0056EC34], 00000000
:0044BFB3 740E                     je 0044BFC3

5. Now what are we going to use?? That's right, it is the 44BF84. Click on Goto Code Location, write 44BF84 and click OK, then u will see:

:0044BF79 55                       push ebp
:0044BF7A 8BEC                     mov ebp, esp
:0044BF7C 51                       push ecx
:0044BF7D 894DFC                   mov dword ptr [ebp-04], ecx
:0044BF80 837D0801                 cmp dword ptr [ebp+08], 00000001
:0044BF84 7519                     jne 0044BF9F     <---- yep it is here.

6. So now u only need to get an offset to patch, so make sure that the green bar is standing on the line u need (:0044BF84 7519 jne 0044BF9F). The offset is 4B384 and we need to change it to 74 (75 = jne - jump if not equal, 74 = je - jump if equal).

7. Fire up Hiew and load the nc.exe file, press F5 and enter 4B384, press F3 and type 74, press F9 to save, and F10 to quit. Start Nico's Commander again, enter a serial and YEAH, it takes the code... BUT almost every programmer makes a check at the start up, so let's see if this program has one too... Close Nico's Commander and start it again. Does it have a check? Yep it does, well, that is NOT good, right? So look for something in that about box... Found something? Cool: "Days left in evaluation period: ". Let's go to W32Dasm again and look for it.
When u have found it, u double click on it and u'll see this:

:0044A87F E99B000000               jmp 0044A91F

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A866(C)
|
:0044A884 8D8D68FFFFFF             lea ecx, dword ptr [ebp+FFFFFF68]
:0044A88A E873110B00               call 004FBA02
:0044A88F C645FC02                 mov [ebp-04], 02
:0044A893 8B55F0                   mov edx, dword ptr [ebp-10]
:0044A896 2B9570FFFFFF             sub edx, dword ptr [ebp+FFFFFF70]
:0044A89C B81E000000               mov eax, 0000001E
:0044A8A1 2BC2                     sub eax, edx
:0044A8A3 50                       push eax

* Possible StringData Ref from Data Obj ->"%d"
:0044A8A4 68B0415400               push 005441B0
:0044A8A9 8D8D68FFFFFF             lea ecx, dword ptr [ebp+FFFFFF68]
:0044A8AF 51                       push ecx
:0044A8B0 E8FEA70A00               call 004F50B3
:0044A8B5 83C40C                   add esp, 0000000C

* Possible Reference to String Resource ID=04227: "Days left in evaluation period: "
:0044A8B8 6883100000               push 00001083

8. So what do u think that we need? If u look at the line:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A866(C)

Now u know what to do! - yeah that's right, click on Goto Code Location and write 44A866, and u will see this:

:0044A863 83F81D                   cmp eax, 0000001D
:0044A866 7E1C                     jle 0044A884

If u scroll some lines up (about 10-15) u will see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A800(C)

Try to search for this one in the GCL (Goto Code Location): write 44A800 in the GCL and u will see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044A7C0(C)
|
:0044A7F0 83BD70FFFFFF00           cmp dword ptr [ebp+FFFFFF70], 00000000
:0044A7F7 7409                     je 0044A802
:0044A7F9 83BD70FFFFFF01           cmp dword ptr [ebp+FFFFFF70], 00000001
:0044A800 752F                     jne 0044A831

9. So what will u do here? U have a jne and a je and the line |:0044A7C0(C). U have 3 opportunities, I don't know what to do! :P But yeah it is right... we simply need to use the GCL *again*, so write 44A7C0 and click OK.

10. Then u will have this:

:0044A7BA 3B055CC65500             cmp eax, dword ptr [0055C65C]
:0044A7C0 752E                     jne 0044A7F0     <---- THIS IS IT!
:0044A7C2 C70528C7550001000000     mov dword ptr [0055C728], 00000001

11. Cool, now we have come to the final thing... hehe, let's see what offset we have to change here: 49BC0 -> 74 (and I know that u know why!)

12. Fire up good old Hiew again and load the nc.exe file, press F5, enter 49BC0, press Enter, press F3, type 74, hit F9 to save, F10 to quit, and start Nico's Commander again, and there is NO nag screen........ So u did it *again*! Cool, isn't it?

Greets go to: BuL-LeT, tKC, WildFire1, and everyone else that I know.. :P

-=Put=-

PART 2:
~~~~~~

Title        : 12Ghosts Universal Keygen With C Source
Author       : Kwai_Lo
Date Written : 12-13-98
Level        : Intermediate (Not For Newbies)
Url          : http://www.12ghosts.com
Tools needed : - SoftICE 2.0 And Above
               - W32Dasm 8.9 (any version will do)

*****************************************************************************

12 Ghosts Universal Keygen By Kwai_Lo
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Ello, This Is My First Tut I Have Written. Mind Me For My Bad English And Grammatical Errors. Why I Called It Universal Keygen? It's Because It Calcs A Valid Serial That Registers All Of The 12ghosts.com Software At 1 Go. So Let's Start With Our Keygen. We Get The Program From 12ghosts.com And We Install It. I Got Pact ShutDown 1.99b. Ok Now Run The Program. U Will See A Screen With A Licence Agreement. Now We Click On Enter Registration Code. We Now See A Place To Put The Name And Serial. I Will Use Kwai_Lo For Name And 9999999999 For Serial.

Now We Do Sum Tracing In S-ice. Put A Bpx On GetDlgItemTextA. Now Press F5. We R Now Back In The Windows. Click OK And We Will Be Kicked Back Into S-ice.
Hit F11 To Return To Where It Was Called From. We Trace Until 4037D5. Here's A Snippet Of The Code:

* Reference To: USER32.GetDlgItemInt, Ord:00F4h   <------ U Land Here
|
:0040378E FF156CF44000             Call dword ptr [0040F46C]
:00403794 894510                   mov dword ptr [ebp+10], eax
:00403797 8D8504FDFFFF             lea eax, dword ptr [ebp+FFFFFD04]

* Possible StringData Ref from Data Obj ->"RegName"
|
:0040379D BF70AB4000               mov edi, 0040AB70
:004037A2 50                       push eax
:004037A3 BE01000080               mov esi, 80000001
:004037A8 57                       push edi
:004037A9 56                       push esi
:004037AA E8AEF1FFFF               call 0040295D      <-- Checks Sumptin
:004037AF 83C40C                   add esp, 0000000C
:004037B2 395D10                   cmp dword ptr [ebp+10], ebx
:004037B5 7611                     jbe 004037C8
:004037B7 FF7510                   push [ebp+10]

* Possible StringData Ref from Data Obj ->"RegNumber"
|
:004037BA 6864AB4000               push 0040AB64
:004037BF 56                       push esi
:004037C0 E8B5F2FFFF               call 00402A7A      <-- Checks Sumptin Else
:004037C5 83C40C                   add esp, 0000000C

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004037B5(C)
|
:004037C8 53                       push ebx
:004037C9 891D10DA4000             mov dword ptr [0040DA10], ebx
:004037CF 891D00DA4000             mov dword ptr [0040DA00], ebx
:004037D5 E8B4F3FFFF               call 00402B8E      <-- Ok We Step Into Here
:004037DA 85C0                     test eax, eax
:004037DC 59                       pop ecx
:004037DD 0F840C010000             je 004038EF
:004037E3 391D10DA4000             cmp dword ptr [0040DA10], ebx
:004037E9 0F84B0000000             je 0040389F
:004037EF 8D45FC                   lea eax, dword ptr [ebp-04]
:004037F2 C745FC04010000           mov [ebp-04], 00000104
..................
..................

This Is Just The Beginning. Once We Step In The Call, We Gotta Trace A Ton. Here's The Continuation:

* Referenced by a CALL at Addresses:
|:004037D5 , :00403CB2
|
:00402B8E 55                       push ebp           <-- We Land Here, Keep Tracing, F10
..............
..............
..............
:00402BB8 744D                     je 00402C07

* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
................
................

* Reference To: KERNEL32.IsBadWritePtr, Ord:0186h
|
..................
..................
* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
|
:00402BF2 FF1538F34000             Call dword ptr [0040F338]

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402BD4(C), :00402BEC(C)
|
.................
.................

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402BB8(C)
|
:00402C07 6A64                     push 00000064

* Reference To: KERNEL32.Sleep, Ord:023Fh
|
:00402C09 FF1528F34000             Call dword ptr [0040F328]
:00402C0F 8D85F0FEFFFF             lea eax, dword ptr [ebp+FFFFFEF0]

* Possible StringData Ref from Data Obj ->"RegName"
|
...................
...................
:00402C38 E887FCFFFF               call 004028C4      <-- Call, Not Important
:00402C3D 83C40C                   add esp, 0000000C
:00402C40 85C0                     test eax, eax
:00402C42 0F84D2000000             je 00402D1A

* Possible StringData Ref from Data Obj ->"RegNumber"
|
:00402C48 6864AB4000               push 0040AB64
:00402C4D 56                       push esi
:00402C4E E8B0FDFFFF               call 00402A03
:00402C53 59                       pop ecx
:00402C54 83F8FF                   cmp eax, FFFFFFFF
:00402C57 59                       pop ecx
:00402C58 8945FC                   mov dword ptr [ebp-04], eax
:00402C5B 0F84B9000000             je 00402D1A
:00402C61 8D85F0FEFFFF             lea eax, dword ptr [ebp+FFFFFEF0]
:00402C67 C70504DA4000D469C4FC     mov dword ptr [0040DA04], FCC469D4
:00402C71 50                       push eax
:00402C72 C70508DA400059B34BFC     mov dword ptr [0040DA08], FC4BB359
:00402C7C C7050CDA400013D88B73     mov dword ptr [0040DA0C], 738BD813
:00402C86 E89E010000               call 00402E29      <-- Ok This Gens A Serial For
:00402C8B 3BC3                     cmp eax, ebx           Each Prog, We R Going For
:00402C8D 59                       pop ecx                A Uni Keygen, So Trace On
:00402C8E 0F8486000000             je 00402D1A
:00402C94 3B45FC                   cmp eax, dword ptr [ebp-04]
:00402C97 7549                     jne 00402CE2
:00402C99 395D08                   cmp dword ptr [ebp+08], ebx

* Reference To: KERNEL32.lstrcpyA, Ord:029Bh
|
...............
...............

* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
..............
..............

* Reference To: KERNEL32.IsBadWritePtr, Ord:0186h
|
..............
..............

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402CA2(C), :00402CBE(C)
|
............
............

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402C02(U)
|
.................
.................

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402C97(C)
|
:00402CE2 8D85F0FEFFFF             lea eax, dword ptr [ebp+FFFFFEF0]
:00402CE8 C70504DA4000D63332CC     mov dword ptr [0040DA04], CC3233D6    <- Special Buffer
:00402CF2 50                       push eax
:00402CF3 C70508DA4000F98EE9D1     mov dword ptr [0040DA08], D1E98EF9    <- Special Buffer 2
:00402CFD C7050CDA400083E9FB4E     mov dword ptr [0040DA0C], 4EFBE983    <- Special Buffer 3
:00402D07 E81D010000               call 00402E29      <-- This Is Where It Calcs The
:00402D0C 3BC3                     cmp eax, ebx           Uni Key Worth $200+, Ya Can
:00402D0E 59                       pop ecx                Serial Fish The Serial Here
:00402D0F 7409                     je 00402D1A            Or Step Into Call 00402E29
:00402D11 3B45FC                   cmp eax, dword ptr [ebp-04]
:00402D14 0F84B0000000             je 00402DCA

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402C42(C), :00402C5B(C), :00402C8E(C), :00402D0F(C)
|
..............
..............
..............
..............

Ok Now Here's The Snippet Of Call 00402E29 Where It Calcs The Uni Key. It Is Kinda Long, Tracing Will Take Sum Time.

* Referenced by a CALL at Addresses:
|:00402C86 , :00402D07 , :00402DBB
|
.............
.............

* Reference To: KERNEL32.Sleep, Ord:023Fh
|
...........
...........

* Reference To: KERNEL32.IsBadReadPtr, Ord:0183h
|
...........
...........

* Reference To: KERNEL32.lstrlenA, Ord:02A1h
|
...........
...........

* Reference To: KERNEL32.lstrcmpA, Ord:0295h
|
:00402E6D 8B35F0F24000             mov esi, dword ptr [0040F2F0]

* Possible StringData Ref from Data Obj ->"John Covington"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E7D(C)
|
* Possible StringData Ref from Data Obj ->"Clara Post"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E8C(C)
|
* Possible StringData Ref from Data Obj ->"Team PGC"    <-- Pcg Got Blacklisted, hehehehehe
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402E9B(C)
|
* Possible StringData Ref from Data Obj ->"Carol Swafford"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EAA(C)
|
* Possible StringData Ref from Data Obj ->"TRPS ROCKS"    <-- TRPS SUX Big Time
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EB9(C)
|
* Possible StringData Ref from Data Obj ->"mr.f0x"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EC8(C)
|
* Possible StringData Ref from Data Obj ->"Riz la+"    <-- hmmmmmmmmm
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402ED7(C)
|
* Possible StringData Ref from Data Obj ->"SiLicon Surfer [PC]"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EE6(C)
|
* Possible StringData Ref from Data Obj ->"JUANDA"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402EF5(C)
|
* Possible StringData Ref from Data Obj ->"PC98"    <-- The Famous Group
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F04(C)
|
* Possible StringData Ref from Data Obj ->"Tom Jones"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F13(C)
|
* Possible StringData Ref from Data Obj ->"Linda Georgie"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F22(C)
|
* Possible StringData Ref from Data Obj ->"Chen Borchang"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F31(C)
|
* Possible StringData Ref from Data Obj ->"Registered Uzer"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F40(C)
|
* Possible StringData Ref from Data Obj ->"teraphy"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F4F(C)
|
* Possible StringData Ref from Data Obj ->"STaRDoGG [PC]"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F5E(C)
|
* Possible StringData Ref from Data Obj ->"CleverMaxx"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F6D(C)
|
* Possible StringData Ref from Data Obj ->"BaMa/DSK"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F7C(C)
|
* Possible StringData Ref from Data Obj ->"[ FACTOR ]"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F8B(C)
|
* Possible StringData Ref from Data Obj ->"The_Gimp!"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F9A(C)
|
* Possible StringData Ref from Data Obj ->"Phrozen Crew"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FA9(C)
|
* Possible StringData Ref from Data Obj ->"CORE/JES"    <-- 1st Pc Now Core
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FB8(C)
|
* Possible StringData Ref from Data Obj ->"Dennis Ellis"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FC7(C)
|
* Possible StringData Ref from Data Obj ->"Anne Judson"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FD6(C)
|
* Possible StringData Ref from Data Obj ->"M A LEES"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FE5(C)
|
* Possible StringData Ref from Data Obj ->"Robert Jennison"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402FF4(C)
|
* Possible StringData Ref from Data Obj ->"Destine Manifest"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403003(C)
|
* Possible StringData Ref from Data Obj ->"Mohamed Dawoud"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403012(C)
|
* Possible StringData Ref from Data Obj ->"mark henery"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403021(C)
|
* Possible StringData Ref from Data Obj ->"terry GEORGI"
|
...........
...........

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403030(C)
|
* Possible StringData Ref from Data Obj ->"xxxxxxxxxxx"
|
...........
...........
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040303F(C)
|
:00403044 33D2                     xor edx, edx
:00403046 3955FC                   cmp dword ptr [ebp-04], edx
:00403049 7409                     je 00403054
:0040304B E846000000               call 00403096      <-- Dunt Think It's Important

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00402E41(C), :00402E52(C), :00402E67(C)
|
:00403050 33C0                     xor eax, eax
:00403052 EB3D                     jmp 00403091

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403049(C)
|
:00403054 6A28                     push 00000028
:00403056 58                       pop eax
:00403057 394508                   cmp dword ptr [ebp+08], eax
:0040305A 7603                     jbe 0040305F
:0040305C 894508                   mov dword ptr [ebp+08], eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040305A(C)
|
:0040305F A104DA4000               mov eax, dword ptr [0040DA04]    <- Moves Special Buffer Into Eax
:00403064 33C9                     xor ecx, ecx
:00403066 395508                   cmp dword ptr [ebp+08], edx
:00403069 7619                     jbe 00403084
:0040306B 8B3508DA4000             mov esi, dword ptr [0040DA08]    <- Moves Special Buffer 2 Into Esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403082(C)
|
:00403071 0FBE1C39                 movsx ebx, byte ptr [ecx+edi]    }-+
:00403075 0FAFD8                   imul ebx, eax                    } |
:00403078 03DA                     add ebx, edx                     } |
:0040307A 41                       inc ecx                          } The
:0040307B 03D6                     add edx, esi                     } Algo
:0040307D 3B4D08                   cmp ecx, dword ptr [ebp+08]      } |
:00403080 8BC3                     mov eax, ebx                     } |
:00403082 72ED                     jb 00403071                      }-+

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403069(C)
|
:00403084 3D00CA9A3B               cmp eax, 3B9ACA00                <-- Cmps
:00403089 7306                     jnb 00403091
:0040308B 03050CDA4000             add eax, dword ptr [0040DA0C]    <- Adds Special Buffer 3 If Terms Meet

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00403052(U), :00403089(C)
|
:00403091 5F                       pop edi
:00403092 5E                       pop esi
:00403093 5B                       pop ebx
:00403094 C9                       leave
:00403095 C3                       ret

Ok Now I'll Rip The Algo And Show U What It's Doing. It's Pretty Simple Once U Get The Hang Of It:

:0040305F A104DA4000               mov eax, dword ptr [0040DA04]    <-- Moves Special Buffer Into Eax
:00403064 33C9                     xor ecx, ecx                     (IMPORTANT)
:00403066 395508                   cmp dword ptr [ebp+08], edx
:00403069 7619                     jbe 00403084
:0040306B 8B3508DA4000             mov esi, dword ptr [0040DA08]    <-- Moves Special Buffer 2 Into Esi
.........
.........
:00403071 0FBE1C39                 movsx ebx, byte ptr [ecx+edi]    <-- Moves A Char Of Name Into Ebx
:00403075 0FAFD8                   imul ebx, eax                    <-- Mul With Eax=CC3233D6
:00403078 03DA                     add ebx, edx                     <-- Add It With Edx That Is 0 At Start
:0040307A 41                       inc ecx                          <-- Inc Counter
:0040307B 03D6                     add edx, esi                     <-- Add Esi=D1E98EF9 To Edx
:0040307D 3B4D08                   cmp ecx, dword ptr [ebp+08]      <-- Cmp With Name Length
:00403080 8BC3                     mov eax, ebx                     <-- Overrides Special Buffer
:00403082 72ED                     jb 00403071                      <-- Loops
:00403084 3D00CA9A3B               cmp eax, 3B9ACA00                <-- Cmp eax With 1000000000
:00403089 7306                     jnb 00403091
:0040308B 03050CDA4000             add eax, dword ptr [0040DA0C]    <-- If Less Then Add 1325132163

Ok Now We Know How It Gens A Valid Serial. For My Name Kwai_Lo The Serial Is 2149378377. Now We Code A Universal Keygen. I Coded Mine In C.

/* ************************************************** */
/* Compile With Bcc 5.0 And Above                     */
/* ************************************************** */
#include <stdio.h>
#include <string.h>
#include <conio.h>

int main()
{
  unsigned char name[500]={0};
  int nlen,i;
  unsigned long int d1,mb1,mb2,sp1={0};

  for(;;){
    clrscr();
    printf("UNIVERSAL KEYGEN FOR 12GHOSTS v99.1b SOFTWARE\n");
    printf("CODED BY KWAI_LO'98\n");
    printf("\nPLEASE ENTER A REGISTRATION NAME : ");
    gets(name);
    nlen=strlen(name);
    if(nlen<1)
      return 0;
    else if(nlen>40)          /*The Prog Only Takes 40 Chars*/
      return 0;
    else
      break;
  }
  mb1=0xCC3233D6;             /*Hard Coded Look At Line 0040305F*/
  mb2=0xD1E98EF9;             /*Hard Coded Look At Line 0040306B*/
  for(i=0 ; i

* Possible StringData Ref from Data Obj ->"Tlon32"
|
:0044300A B840324400               mov eax, 00443240      <-- Moves A Magic Buffer
:0044300F E81853FFFF               call 0043832C              Into Eax (MB==Tlon32)
:00443014 8B45F0                   mov eax, dword ptr [ebp-10]
:00443017 8B55F4                   mov edx, dword ptr [ebp-0C]
:0044301A E8690DFCFF               call 00403D88
:0044301F 0F857C010000             jne 004431A1

Once We Reach Here We Step Into Call 0043832C (F8). Keep On Tracing Until U Reach Here:
:004383BB 0FB64402FF               movzx eax, byte ptr [edx+eax-01]    <-- Moves 1st Char Of Name
:004383C0 0345E8                   add eax, dword ptr [ebp-18]         <-- Adds A Value To It, 0x19 At Start
:004383C3 7105                     jno 004383CA
:004383C5 E8A6AAFCFF               call 00402E70

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004383C3(C)
|
:004383CA B9FF000000               mov ecx, 000000FF
:004383CF 99                       cdq
:004383D0 F7F9                     idiv ecx                            <-- Divides Eax By 0xFF, Remainder Will Be In Edx
:004383D2 8955E0                   mov dword ptr [ebp-20], edx         <-- Saves The Remainder
:004383D5 8B45EC                   mov eax, dword ptr [ebp-14]
:004383D8 3B45F0                   cmp eax, dword ptr [ebp-10]         <-- Compares To See If We Reached The End Of The Magic Buffer
:004383DB 7D0D                     jge 004383EA                        <-- If So Then Jump To Reset It
:004383DD 8345EC01                 add dword ptr [ebp-14], 00000001    <-- Else Add 1
:004383E1 7105                     jno 004383E8
:004383E3 E888AAFCFF               call 00402E70                       <-- Don't Think It Is Important

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004383E1(C)
|
:004383E8 EB07                     jmp 004383F1

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004383DB(C)
|
:004383EA C745EC01000000           mov [ebp-14], 00000001

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004383E8(U)
|
:004383F1 8B45EC                   mov eax, dword ptr [ebp-14]
:004383F4 8B55FC                   mov edx, dword ptr [ebp-04]
:004383F7 0FB64402FF               movzx eax, byte ptr [edx+eax-01]    <-- Moves 1st Char Of Hard Coded Value That Is "Tlon32"
:004383FC 3145E0                   xor dword ptr [ebp-20], eax         <-- Xors The Saved Value With 1st Char Of Hard Coded Value,
:004383FF 8D45CC                   lea eax, dword ptr [ebp-34]             This Is Now The 1st Digit Of The Serial Number
:00438402 50                       push eax
:00438403 8B45E0                   mov eax, dword ptr [ebp-20]
:00438406 8945D0                   mov dword ptr [ebp-30], eax
:00438409 C645D400                 mov [ebp-2C], 00
:0043840D 8D55D0                   lea edx, dword ptr [ebp-30]
:00438410 33C9                     xor ecx, ecx
:00438412 B880844300               mov eax, 00438480
:00438417 E890F6FCFF               call 00407AAC                       <-- Store Code
:0043841C 8B55CC                   mov edx, dword ptr [ebp-34]
:0043841F 8D45DC                   lea eax, dword ptr [ebp-24]
:00438422 E859B8FCFF               call 00403C80
:00438427 8B45E0                   mov eax, dword ptr [ebp-20]
:0043842A 8945E8                   mov dword ptr [ebp-18], eax         <-- Replaces 0x19 With The Xored Value
:0043842D FF45E4                   inc [ebp-1C]
:00438430 FF4DD8                   dec [ebp-28]                        <-- Dec Name Length
:00438433 7580                     jne 004383B5                        <-- Loop

And There We Have It. A Simple Algo. Let's Recap What Has Happened Here:

1. Moves 1st Char Of Name
2. Adds A Value To 1st Char Of Name, Call This qbx (Starts With 0x19)
3. Divides It By 0xFF And Saves The Remainder
4. Checks To See If We Have Reached The End Of The Hard Coded Value, If So Reset It
5. Moves 1st Char Of Hard Coded Value
6. Xors It With The Remainder That We Divided Just Now
7. Moves The Xored Value Into qbx
8. Stores The Code
9. Loop Until Finish
10. Sticks A 19 In Front Of The Code

Well Simple Eh?? Below Is My Source For The Key Generator In C :)

/* The C Source Code. Compile With Borland C v5+ */
#include <stdio.h>
#include <string.h>
#include <conio.h>

int main()
{
  int nlen,i;
  unsigned int qax,qbx={0},qcx,qdx={0},qsi={0};   /*<-- I Used The Registers Too, Easier To Identify*/
  unsigned char name[500]={0},code[100]={0};
  unsigned char hrdcod[7]="Tlon32";                /*<-- Hard Coded Value*/

  for(;;){
    clrscr();
    printf("KEY GENERATOR FOR HTML DIR v2.01");
    printf("\nCODED BY KWAI_LO [TNO'98]\n");
    printf("\nPLEASE ENTER A REGISTRATION NAME : ");
    gets(name);
    nlen=strlen(name);
    if(nlen<1)
      return 0;
    else if(nlen>50)
      return 0;
    else
      break;
  }
  qbx=0x19;                      /*<-- Set The Value To Be Added */
  for(i=0;i

>=0x06){                       /*<-- Checks To See If We Have Reached The Max Of The Magic Buffer */
      qsi^=qsi;
    }
    qsi++;
    qax=hrdcod[qsi-0x01];        /*<-- Moves 1st Char Of Magic Buffer */
    qbx^=qax;                    /*<-- Xors The Magic Buffer With The Remainder And Saves It*/
    code[i]=qbx;                 /*<-- Stores Code */
  }
  printf("YOUR REGISTRATION CODE IS : 19");
  for(i=0;i

Entry Point
014F:00401001  8BEC           MOV EBP,ESP
014F:00401003  83EC44         SUB ESP,44
014F:00401006  56             PUSH ESI
014F:00401007  FF1548734000   CALL [KERNEL32!GetCommandLineA]
014F:0040100D  8BF0           MOV ESI,EAX
014F:0040100F  8A00           MOV AL,[EAX]
................cut...............
014F:0040104C  50             PUSH EAX
014F:0040104D  FF1558734000   CALL [KERNEL32!GetStartupInfoA]
................cut...............
014F:00401064  6A00           PUSH 00
014F:00401066  6A00           PUSH 00
014F:00401068  FF155C734000   CALL [KERNEL32!GetModuleHandleA]
014F:0040106E  50             PUSH EAX
014F:0040106F  E87B0E0000     CALL 00401EEF                 --> Start of programme
014F:00401074  50             PUSH EAX
014F:00401075  8BF0           MOV ESI,EAX
014F:00401077  FF1554734000   CALL [KERNEL32!ExitProcess]   --> The End.

For most software this looks similar. In the case of a compressed or encoded programme, however, in place of the entry point there is a decode (decompress) function. It looks this way:

Start of programme
Decompress function at an address in memory
Check whether all is ok
Jump (jmp) to the address in memory where our main programme is

In such a case one has to find the address where the decompressed code is located in memory and the moment of the jump to it. I will not describe the manner of seeking this, because decompress code is as a rule short and can be traced with SoftIce or another debugger. Let's look in such a case at the starting code of WinAmp 2.0.

:u 4d1000 l f
014F:004D1000  669C           PUSHF
014F:004D1002  60             PUSHAD
014F:004D1003  E8CA000000     CALL 004D10D2                 ---> decompress function
014F:004D1008  0300           ADD EAX,[EAX]
014F:004D100A  0400           ADD AL,00
014F:004D100C  0500060007     ADD EAX,07000600

:u eip l 8f
014F:004D10D2  58             POP EAX
014F:004D10D3  2C08           SUB AL,08
014F:004D10D5  50             PUSH EAX
................cut...............
014F:004D1108  50             PUSH EAX
014F:004D1109  800424BF       ADD BYTE PTR [ESP],BF
014F:004D110D  833A00         CMP DWORD PTR [EDX],00
014F:004D1110  0F84A7140000   JZ 004D25BD                   ---> the end of decompression
014F:004D1116  F70200000080   TEST DWORD PTR [EDX],80000000
014F:004D111C  741B           JZ 004D1139
................cut...............
014F:004D25BD  8B6C2418       MOV EBP,[ESP+18]
014F:004D25C1  8BFD           MOV EDI,EBP
014F:004D25C3  81EF00004000   SUB EDI,00400000
014F:004D25C9  85FF           TEST EDI,EDI
014F:004D25CB  7443           JZ 004D2610                   --> some checks
................cut...............

:u eip l 2f
014F:004D2617  81C62A160000   ADD ESI,0000162A
014F:004D261D  6A05           PUSH 05
014F:004D261F  59             POP ECX
014F:004D2620  F3A4           REPZ MOVSB
014F:004D2622  61             POPAD
014F:004D2623  669D           POPF
014F:004D2625  E94653F5FF     JMP 00427970                  --> jump to main programme
014F:004D262A  E96B69F5FF     JMP 00428F9A

After that I recognized that in this place is the jump to the main programme, because right after it the standard code with API functions begins. When at the start we display the content of memory (d cs:00427970 in SoftIce, of course), then we'll see during stepping that the decompress function writes all its stuff there. Most important for us is JMP 00427970, after which the already decompressed code executes; how we get there does not matter, even by trial and error.

Now we will use ProcDump to decompress. Besides decompressing packed exes (which does not always work), it makes it possible to define a script to decompress even new or unknown packers. There is a file script.ini, in which we define everything. Shrinker, PESHIELD and WWPACK are already defined there. The programme uses several commands for such a definition; check them by yourself. We'll add a new section, i.e. WinAmp:

[INDEX]
P1=PEShield
......
P7=WinAmp

[WinAmp]
L1=LOOK E9,46,53,F5,FF
L2=BP
L3=STEP

Which means: seek (command LOOK) the bytes of our jump JMP 00427970 (E9,46,53,F5,FF is the same, but in hex), after finding it set a breakpoint on it (BP), and at the end do the step by step analysis (STEP) and save the decrypted file to disk. Pretty easy, isn't it? :) Run ProcDump, choose Trace, our type WinAmp, open the file WinAmp.exe and the programme beautifully decompresses itself. And what's most important, it works after this process. IMO, ProcDump is worth interest and some practice, e.g. just on WinAmp.
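The jump targets quoted in Parts 1 and 4 (the 7519 jne, the 0F84 JZ to the end of decompression, and the E9 tail jump the LOOK line searches for) can all be checked from their raw bytes: x86 relative branches count the displacement from the end of the instruction. The following Python is an added example, not code from any of these tutorials; it decodes those branches, confirms the listed targets, and rebuilds the E9,46,53,F5,FF pattern from "JMP 00427970 at 004D2625", which is the check worth doing before trusting a listing or writing a byte signature for an unpacker's tail jump.

```python
# Added example: decode x86 relative branches from the tutorial listings and
# rebuild the ProcDump LOOK byte pattern for the WinAmp tail jump.
import struct

# Short-form (8-bit displacement) conditional jumps, opcode -> mnemonic,
# using the spellings W32Dasm prints in the listings above (jnb, jbe, ...).
JCC_SHORT = {
    0x72: "jb",  0x73: "jnb", 0x74: "je",  0x75: "jne",
    0x76: "jbe", 0x77: "ja",  0x7C: "jl",  0x7D: "jge",
    0x7E: "jle", 0x7F: "jg",
}
# Near-form conditionals (0F 8x + 32-bit displacement) share the low nibble.
JCC_NEAR = {0x80 | (op & 0x0F): name for op, name in JCC_SHORT.items()}


def decode_branch(address, code):
    """Return (mnemonic, target, length) for the relative branch at `address`.

    `code` is the raw instruction bytes as the disassembler lists them
    (e.g. "7519" -> b"\\x75\\x19"). The target is computed the way the CPU
    does it: displacement added to the address of the NEXT instruction.
    """
    op = code[0]
    if op == 0xEB:                                   # jmp rel8
        disp, length, name = struct.unpack("<b", code[1:2])[0], 2, "jmp"
    elif op == 0xE9:                                 # jmp rel32
        disp, length, name = struct.unpack("<i", code[1:5])[0], 5, "jmp"
    elif op in JCC_SHORT:                            # jcc rel8
        disp, length, name = struct.unpack("<b", code[1:2])[0], 2, JCC_SHORT[op]
    elif op == 0x0F and len(code) > 1 and code[1] in JCC_NEAR:   # jcc rel32
        disp, length, name = struct.unpack("<i", code[2:6])[0], 6, JCC_NEAR[code[1]]
    else:
        raise ValueError("not a relative branch: %s" % code.hex())
    target = (address + length + disp) & 0xFFFFFFFF  # wrap like a 32-bit EIP
    return name, target, length


def encode_jmp_rel32(address, target):
    """Bytes of the 5-byte `jmp target` that sits at `address` (E9 + rel32)."""
    disp = (target - (address + 5)) & 0xFFFFFFFF
    return b"\xE9" + struct.pack("<I", disp)


def procdump_look(code):
    """Format bytes the way a script.ini LOOK line lists them: E9,46,53,F5,FF."""
    return ",".join("%02X" % b for b in code)


def check_listing(listing):
    """Verify (address, hexbytes, expected_target) triples from a listing.

    Returns the entries whose decoded target disagrees with the listing;
    an empty list means bytes and printed targets agree.
    """
    bad = []
    for address, hexbytes, expected in listing:
        _, target, _ = decode_branch(address, bytes.fromhex(hexbytes))
        if target != expected:
            bad.append((address, hexbytes, target, expected))
    return bad


# Branches transcribed from the listings above (address, bytes, target as listed).
LISTED = [
    (0x0044BF84, "7519",         0x0044BF9F),   # Part 1: jne 0044BF9F
    (0x0044A866, "7E1C",         0x0044A884),   # Part 1: jle 0044A884
    (0x004D1110, "0F84A7140000", 0x004D25BD),   # Part 4: JZ  004D25BD
    (0x004D2625, "E94653F5FF",   0x00427970),   # Part 4: JMP 00427970 (tail jump)
    (0x004D262A, "E96B69F5FF",   0x00428F9A),   # Part 4: JMP 00428F9A
]

if __name__ == "__main__":
    for address, hexbytes, _ in LISTED:
        name, target, _ = decode_branch(address, bytes.fromhex(hexbytes))
        print("%08X  %-14s %-4s %08X" % (address, hexbytes, name, target))
    print("mismatches:", check_listing(LISTED))
    stub_tail = encode_jmp_rel32(0x004D2625, 0x00427970)
    print("LOOK " + procdump_look(stub_tail))   # LOOK E9,46,53,F5,FF
```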
We can always find soft that's compressed with a not well-known type of compressor, and then we will handle this. Those who do not know ProcDump should download it from http://www.suddendischarge.com/ in section NonDOs, or from http://pub.vse.cz/pub/msdos/SAC/pc/pack/.

[CP!]: http://crackpllist.cjb.net

PART 5:
~~~~~~

- t h e   h o m e   o f   p o l i s h   c r a c k e r s -
proudly presents:

a tutorial : Exepackers - how to defeat'em #2
written by : Gustaw Kit
date       : 24 November 1998
translator : Zomo

In issue #1 of this tutorial I introduced the manner of unpacking exe files using ProcDump. It turns out that this programme can also be useful to crack commercial protections, TimeLock or Vbox4 by PreviewSoftware. This protection type is fairly easy to reverse. For example we will take the programme Ulead Cool3D v2.0 (it uses Vbox4). If we load the programme U3dedit2.exe into the debugger (SoftIce), the following code will appear:

014F:004F1000  PUSH DWORD PTR [ESP+0C]
014F:004F1004  PUSH DWORD PTR [ESP+0C]
014F:004F1008  PUSH DWORD PTR [ESP+0C]
014F:004F100C  PUSH 55E239F5          -----> prepare address
014F:004F1011  PUSH 55AD2D76          -----> of packed data
014F:004F1016  PUSH 55E23DA9
014F:004F101B  PUSH 55E23D53
014F:004F1020  CALL [004F11F0]        ----> run vbox4
014F:004F1026  PUSH FFFFFFFF
014F:004F102B  CALL EAX               -----> run programme
014F:004F102D  RET 000C

The function CALL [004F11F0] calls a procedure (PreviewExecGate..) from the vbox4 dlls, which decodes the first part of the programme, and in EAX the new EntryPoint of the decoded data is returned (on my computer F0000). Stepping farther into the programme, CALL EAX (press F8), we pass to a new fragment of code:

014F:004F0000  PUSH DWORD PTR [ESP+0C]
014F:004F0004  PUSH DWORD PTR [ESP+0C]
014F:004F0008  PUSH DWORD PTR [ESP+0C]
014F:004F000C  PUSH B6A4DD7F
014F:004F0011  PUSH BBC60E1F
014F:004F0016  PUSH 6D171A8C
014F:004F001B  PUSH 415F4B5A
014F:004F0020  CALL [004F01D4]        ---> next vbox4 function
014F:004F0026  PUSH FFFFFFFF
014F:004F002B  CALL EAX
014F:004F002D  RET 000C

As we can see, the code is analogous to the preceding one. CALL [4F01D4] invokes the vbox4 function which runs the procedures checking the trial conditions; if everything is ok it decodes the rest of the programme, and in EAX the address of the real programme (this time Cool3D) is returned. In case of an unsuccessful trial check, EAX holds the address of the ExitProcess function, which ends execution of the programme. If we trace farther into our code (into CALL EAX - F8) then we enter our main programme at address 6CF20. This address is worth writing down or remembering, because this is simply the correct EntryPoint of the main programme, which is already the full version without vbox4.

Ok.., we know everything that we need. The solution to the vbox4 problem is to copy the unpacked programme from memory and save it into an exefile. Maybe someone prefers to attempt this with SoftIce and SoftDump (look at fravia.org).
That requires good knowledge of the PE-EXE structure and is hard; describing it is not my goal here. There is an easy solution, because we know the splendid program ProcDump, which makes it possible to write processes from memory to a file while preserving the whole exe file structure. As I already described in the preceding parts, ProcDump has a script file, script.ini, with instructions on how to debug encoded programs. The latest version, ProcDump32 1.1.6, should already have a ready-made section for Vbox:

[VBOX Dialog]
L1=LOOK FF,D0    ; find the first call eax
L2=BP            ; breakpoint on the found address
L3=BPREG EAX     ; set a break on the address in register EAX
                 ; (as we know, that is the address of the next part of the code)
L4=OBJR          ; set the current search address to EIP
L5=LOOK FF,D0    ; find the second call eax
L6=BP            ; then breakpoint it
L7=STEP          ; and save the decoded programme

It is important to set up the loading and file-reconstruction process properly. Because a program packed with vbox4 also has packed sections and data tables, we must tick the reconstruction option Create New Import. In case of problems we also switch on the option Ignore Faults in the Trace section. After successfully unpacking the file we can also remove the WeiJunLi sections from the structure of the new file (PE Editor options). Out of curiosity, look at the new file's EntryPoint: 6CF20. OK.., correct. IMO ProcDump is worth some interest and some practice. We will always run into software compressed with some less well-known packer, and then we will handle it this way. Those who do not know ProcDump should download it from http://www.suddendischarge.com/ in the NonDOS section, or from http://pub.vse.cz/pub/msdos/SAC/pc/pack/.
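An added worked example (not part of Gustaw Kit's tutorial, and not ProcDump's code): what the script's LOOK FF,D0 search and the PE Editor fix-ups (write the real EntryPoint, drop the WeiJunLi section) come down to at the byte level, done in Python on a header-only PE32 image that the script constructs itself. The address values are the tutorial's (the stub at 4F1000, the real entry point 6CF20); reading them as RVAs against the usual 400000 image base is my assumption, as is the section layout of the constructed image. The first vbox4 stub is re-encoded from the disassembly above so the call eax search can be demonstrated offline.

```python
import struct

# Added example, not code from the tutorial or from ProcDump. Constructed
# PE32 image; tutorial addresses read as RVAs (assumption, ImageBase 0x400000).

IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
PE32_MAGIC = 0x10B
SIZEOF_COFF_HEADER = 20
SIZEOF_OPTIONAL_HEADER32 = 224
SIZEOF_SECTION_HEADER = 40
IMAGE_BASE = 0x400000


def build_minimal_pe(entry_rva, sections):
    """Header-only PE32 image (sample data). sections: [(name, VirtualAddress, VirtualSize)]."""
    e_lfanew = 0x40
    dos = IMAGE_DOS_SIGNATURE + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0,
                       SIZEOF_OPTIONAL_HEADER32, 0x102)        # i386, EXE, 32-bit
    opt = bytearray(SIZEOF_OPTIONAL_HEADER32)
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<I", opt, 16, entry_rva)                # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, IMAGE_BASE)               # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)                   # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)                    # FileAlignment
    hdrs = b"".join(struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"),
                                vsize, va, 0, 0, 0, 0, 0, 0, 0x60000020)   # code|exec|read
                    for name, va, vsize in sections)
    return bytearray(dos + IMAGE_NT_SIGNATURE + coff + bytes(opt) + hdrs)


def _nt_offset(pe):
    """Offset of 'PE\\0\\0', validating the MZ/PE/PE32 magics on the way."""
    if pe[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    nt = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[nt:nt + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    if struct.unpack_from("<H", pe, nt + 24)[0] != PE32_MAGIC:
        raise ValueError("only PE32 is handled here")
    return nt


def _section_table(pe):
    """(offset of the first section header, NumberOfSections)."""
    nt = _nt_offset(pe)
    nsec = struct.unpack_from("<H", pe, nt + 6)[0]
    size_opt = struct.unpack_from("<H", pe, nt + 20)[0]
    return nt + 4 + SIZEOF_COFF_HEADER + size_opt, nsec


def get_entry_point(pe):
    return struct.unpack_from("<I", pe, _nt_offset(pe) + 24 + 16)[0]


def set_entry_point(pe, new_rva):
    """Point the header at the real program instead of the vbox4 stub."""
    struct.pack_into("<I", pe, _nt_offset(pe) + 24 + 16, new_rva)
    return get_entry_point(pe)


def section_names(pe):
    first, nsec = _section_table(pe)
    return [pe[first + i * SIZEOF_SECTION_HEADER:][:8].rstrip(b"\0").decode()
            for i in range(nsec)]


def drop_section_header(pe, name):
    """Remove one section header (e.g. WeiJunLi) and fix NumberOfSections.
    Only the header table is edited; raw data is left where it is."""
    first, nsec = _section_table(pe)
    for i in range(nsec):
        off = first + i * SIZEOF_SECTION_HEADER
        if pe[off:off + 8].rstrip(b"\0") == name.encode():
            del pe[off:off + SIZEOF_SECTION_HEADER]
            end = first + (nsec - 1) * SIZEOF_SECTION_HEADER
            pe[end:end] = b"\0" * SIZEOF_SECTION_HEADER    # header area keeps its size
            struct.pack_into("<H", pe, _nt_offset(pe) + 6, nsec - 1)
            return True
    return False


def find_call_eax(code, start=0):
    """Offsets of every FF D0 (call eax) at or after `start`: ProcDump's LOOK FF,D0."""
    hits, i = [], code.find(b"\xff\xd0", start)
    while i != -1:
        hits.append(i)
        i = code.find(b"\xff\xd0", i + 2)
    return hits


# The first vbox4 stub (code at 004F1000), re-encoded from the tutorial's listing.
VBOX_STUB = (
    b"\xff\x74\x24\x0c" * 3           # push dword ptr [esp+0C]  (x3)
    + b"\x68\xf5\x39\xe2\x55"         # push 55E239F5
    + b"\x68\x76\x2d\xad\x55"         # push 55AD2D76
    + b"\x68\xa9\x3d\xe2\x55"         # push 55E23DA9
    + b"\x68\x53\x3d\xe2\x55"         # push 55E23D53
    + b"\xff\x15\xf0\x11\x4f\x00"     # call [004F11F0]  -> vbox4
    + b"\x68\xff\xff\xff\xff"         # push FFFFFFFF
    + b"\xff\xd0"                     # call eax         -> next stage (offset 0x2B)
    + b"\xc2\x0c\x00"                 # ret 000C
)


def rebuild_dump(pe, real_entry_rva, junk_section="WeiJunLi"):
    """The post-dump fix-up: new EntryPoint, junk section header gone."""
    set_entry_point(pe, real_entry_rva)
    drop_section_header(pe, junk_section)
    return get_entry_point(pe), section_names(pe)


if __name__ == "__main__":
    image = build_minimal_pe(0xF1000, [(".text", 0x1000, 0x70000), ("WeiJunLi", 0xF0000, 0x2000)])
    print([hex(o) for o in find_call_eax(VBOX_STUB)])   # ['0x2b']
    print(rebuild_dump(image, 0x6CF20))                  # (446240, ['.text'])
```

The search finds only the call eax in the stub, which is why the script needs OBJR between the two LOOK lines: after the first breakpoint fires, the second stage lives at the address EAX returned, so the search must restart from there rather than from the original entry point.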
[ASCII logo] [CP!]: http://crackpllist.cjb.net

PART 6:
~~~~~~

How to crack components for Delphi: AHM TritonTools 2000 Beta 1.3
URL: http://www.tritontools.com/index_e.html
Cracker: tKC/CiA '99

Many people asked me to write a tutor on how to crack components, so I decided to write this one quickly. There are many components with different protections; most of them can be defeated the way I'm teaching you below. It's pretty easy, let's start! Oh wait, this time I'll use AHM2000 for D4 (Delphi 4), but it can be done with D3 too! ;)

Step 1. Run Delphi and install the components (Components/Install Packages).
Step 2. Open a new form, put one of the AHM components on the form (let's say we'll use AHMIEButton) and compile PROJECT1.EXE!
Step 3. Quit Delphi and run PROJECT1.EXE. Looks fine, nothing happens.
Step 4. Set your date ahead to the year 2000 and run PROJECT1.EXE again.
Step 5. *boom* Expired! It also loads Netscape, IE4/5 or whatever your default web browser is. Not nice, eh? OK, now we'll work..
Step 6. Copy PROJECT1.EXE to PROJECT1.W32, and also to PROJECT1.EXX for backup.
Step 7. Load W32Dasm and open PROJECT1.W32. Done? OK, click Imported Functions and double-click kernel32:GetLocalTime, then double-click it again.
Step 8. Now you'll see something like:

* Referenced by a CALL at Addresses:
|:004443D3 , :004455BE
:00408440 83C4E8         add esp, FFFFFFE8
:00408443 8D442408       lea eax, dword ptr [esp+08]
:00408447 50             push eax
* Reference To: kernel32.GetLocalTime, Ord:0000h
:00408448 E85BD9FFFF     Call 00405DA8

(The addresses might differ because of your Delphi's runtime files.)

Step 9. Notice the referenced calls above; we'll try address 4455BE. Press Shift-F12, type 4455BE and let's go!
Step 10. Now we get the following:

:004455BE E87D2EFCFF     call 00408440            <--- that's where we were..
:004455C3 DC5DF4         fcomp qword ptr [ebp-0C]
:004455C6 DFE0           fstsw ax
:004455C8 9E             sahf
:004455C9 7609           jbe 004455D4             <--- check if it has expired
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004455D2(C)
:004455CB E818FEFFFF     call 004453E8            <--- NAG, and ShellExecute your web browser!
:004455D0 84C0           test al, al

Step 11. OK, what now? We'll change JBE 004455D4 to JMPS 004455D4. The file offset is 449C9, right?
Step 12. Run HIEW, open PROJECT1.EXE, press F5 and enter 449C9..
Step 13. Change 76 to EB using F3, then save it (F9). It'll look like:

000449C9: EB09               jmps 0000449D4  -------- (1)
000449CB: E818FEFFFF         call 0000447E8  -------- (2)
000449D0: 84C0               test al,al
000449D2: 74F7               je 0000449CB    -------- (3)
000449D4: 803B00             cmp b,[ebx],000 ;" "

Step 14. Now run PROJECT1.EXE. Kool, it doesn't expire! Is it done now? NO! ;)
Step 15. Run Delphi and UNINSTALL your AHM packages, then quit Delphi.
Step 16. Go to the AHM folder where you've installed your packages. Remember we used AHMIEButton from the Enhanced components; we need to find which file it uses. Let's try AHMEnhancedD40.bpl..
Step 17. Run HIEW, open AHMEnhancedD40.bpl and press F7 to search for "76 09" (in bytes). We find:

00004EFD: 7609               jbe 000004F08   -------- (4)
00004EFF: E818FEFFFF         call 000004D1C  -------- (5)
00004F04: 84C0               test al,al
00004F06: 74F7               je 000004EFF    -------- (6)

Step 18. Change 76 to EB and save it. Open another file, AHMEnhancedClass.dcu.. Press F7 to search for "76 09" and we find:

000067E6: 7609               jbe 0000067F1   -------- (3)
000067E8: E80000             call 0000067EB  -------- (4)
000067EB: 0000               add [bx][si],al
000067ED: 84C0               test al,al
000067EF: 74F7               je 0000067E8    -------- (5)

Step 19. Change 76 to EB and save it! Now run Delphi, re-install your AHM package, put AHMIEButton on the form again and compile it!
Step 20. Set your date to the year 2000 (if you changed it back to 1999 earlier) and run your compiled project. Does it expire? NO! Kool! Easy?! :)
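An added worked example (not tKC's code and not part of AHM TritonTools): Steps 11 to 19 done programmatically in Python, with the checks a careful patcher wants. It converts the W32Dasm virtual address 4455C9 to the HIEW file offset 449C9 from the section's VirtualAddress and PointerToRawData (W32Dasm shows the offset for the highlighted line; the function only makes the arithmetic explicit, and the .text section at VA 1000 / raw 400, the usual Delphi layout, is an assumption), finds the expiry check by the full 11-byte shape 76 09 E8 ?? ?? ?? ?? 84 C0 74 F7 (jbe +9 / call rel32 / test al,al / je -9) rather than the bare "76 09" searched for in Step 17, which can hit unrelated code, and only rewrites 76 to EB after confirming the original byte. The byte buffers are constructed from the bytes the tutorial's listings show, placed at the same offsets.

```python
import re

# Added example, not code from the tutorial or from AHM TritonTools.
# Constructed sample buffers; the PROJECT1.EXE section layout is an assumption.

IMAGE_BASE = 0x400000
JBE_SHORT, JMP_SHORT = 0x76, 0xEB

# jbe +9 / call rel32 / test al,al / je -9: the shape of the expiry check in
# PROJECT1.EXE, AHMEnhancedD40.bpl and AHMEnhancedClass.dcu. The call's rel32
# is a wildcard because the .dcu listing still shows it zeroed (E8 00 00 00 00).
EXPIRY_CHECK = re.compile(rb"\x76\x09\xe8....\x84\xc0\x74\xf7", re.DOTALL)


def va_to_file_offset(va, section_va, section_raw, image_base=IMAGE_BASE):
    """Virtual address (as W32Dasm shows it) -> file offset (as HIEW wants it),
    for the section that contains `va`."""
    rva = va - image_base
    if rva < section_va:
        raise ValueError(f"{va:#x} is below the section at RVA {section_va:#x}")
    return rva - section_va + section_raw


def find_expiry_checks(data):
    """File offsets of every jbe that starts the check pattern."""
    return [m.start() for m in EXPIRY_CHECK.finditer(data)]


def patch_jbe_to_jmp(data, offset):
    """Rewrite `jbe rel8` at `offset` into `jmp short rel8`. Only the opcode
    byte changes, so the 8-bit displacement and therefore the target stay the
    same. Refuses to touch anything that is not 0x76. Returns the target offset."""
    if data[offset] != JBE_SHORT:
        raise ValueError(f"expected 76 (jbe) at {offset:#x}, found {data[offset]:02X}")
    disp = data[offset + 1]
    data[offset] = JMP_SHORT
    return offset + 2 + disp


def patch_all_expiry_checks(data):
    """Find and patch every occurrence; returns [(offset, target), ...]."""
    return [(off, patch_jbe_to_jmp(data, off)) for off in find_expiry_checks(data)]


# Constructed samples: the tutorial's bytes at the tutorial's offsets, 0xCC elsewhere.
def sample_project1():
    buf = bytearray(b"\xcc" * 0x449C9)
    buf += bytes.fromhex("7609 E818FEFFFF 84C0 74F7 803B00")   # jbe/call/test/je/cmp b,[ebx],0
    return buf


def sample_bpl():
    buf = bytearray(b"\xcc" * 0x4EFD)
    buf += bytes.fromhex("7609 E818FEFFFF 84C0 74F7")
    return buf


def sample_dcu():
    buf = bytearray(b"\xcc" * 0x67E6)
    buf += bytes.fromhex("7609 E800000000 84C0 74F7")           # call rel32 still zero in the .dcu
    return buf


if __name__ == "__main__":
    exe = sample_project1()
    off = va_to_file_offset(0x4455C9, section_va=0x1000, section_raw=0x400)
    print(hex(off), hex(patch_jbe_to_jmp(exe, off)))           # 0x449c9 0x449d4
    for name, sample in (("bpl", sample_bpl()), ("dcu", sample_dcu())):
        print(name, [(hex(o), hex(t)) for o, t in patch_all_expiry_checks(sample)])
```

Running the patch a second time on the same buffer raises, because the byte is now EB: that is the check that stops a patch script from silently trashing a file it has already fixed, or one where the offset no longer points at the jbe. The .dcu case is why the signature wildcards the call displacement rather than matching E8 18 FE FF FF literally.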
Step 21. Now you can do the same with other components, the same way as above.
Step 22. Enjoy it, tKC................email: tkc@reaper.org

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #21, coming soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
[K]in[G] for the Splash Logo.
Put for providing a tut in this version.
Kwai_Lo for providing 2 tuts in this version.
Gustaw Kit/Zomo for providing 2 tuts in this version.
tKC/CiA (hey, it's me!) for coding this version :)

All crackers (non-members of CiA) are welcome to send tutors for the next tutorials.. see below for my email address!

Greetz go to all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 11 April 1999

Cracking Tutorial #20 is dedicated to all the crackers...