Welcome to Cracking Tutorial #25!

Ah finally, sorry for the delays but I was busy like hell the last weeks, and no modem at my home. :-/ For a bonus I'll do 2 versions today (#24 and #25). Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :)

Ok, let's rave!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftIce 3.25
  W32Dasm 8.93
  Hacker's View 6.04
  SmartCheck 6.03
  TASM 5.00
  Windows Commander 3.53 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

  http://surf.to/HarvestR or http://harvestr.cjb.net
  http://atlantez.nl.eu.org/Iczelion
  http://protools.cjb.net

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1:
~~~~~~

How to crack MythII using W32Dasm and HIEW
by Killer_3K

ok, what we have here is one of the common commercial cd checks (which r VERY ez to beat), this kind of cd check is used in many games like: Mdk, F/A-16 and MANY others... We will crack this lil game using W32Dasm and HIEW.

1) Install Myth2 (full installation, takes 500mb...)

2) Run W32dasm & disassemble Myth2 (btw, b4 u start disassembling it, clear about 100mb on c:, cause this game is really fat, and although it won't be enough for a full disassemble of the file, it will include the cd-checks part..)

3) Goto Functions, then select Import and look for Kernel32.GetDriveTypeA. now you should arrive here:

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
                                  |
:004272D3 FF1520F95A00            Call dword ptr [005AF920]
:004272D9 83F805                  cmp eax, 00000005
:004272DC 0F858F000000            jne 00427371
:004272E2 6A00                    push 00000000
......some other stuff.

that's the beginning of one of the cd checks... will come back to that part a bit later...
go back to Functions Import and double-click on kernel32.GetDriveTypeA again... u will arrive here:

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
                                  |
:00485F00 FF1520F95A00            Call dword ptr [005AF920]
:00485F06 83F805                  cmp eax, 00000005               <-- 05 means cd-rom drive
:00485F09 0F858C000000            jne 00485F9B
:00485F0F 8A0D881C5500            mov cl, byte ptr [00551C88]

4) alrighty, we want it to read from the hdd right? so we need to change it to 03. run hiew, goto hex mode and goto the offset (85306) and change 83F805 to 83F803. now scroll a bit down till u reach:

* Reference To: KERNEL32.GetVolumeInformationA, Ord:014Fh
                                  |
:00485F42 FF151CF95A00            Call dword ptr [005AF91C]
:00485F48 85C0                    test eax, eax
:00485F4A 7447                    je 00485F93                     <-- if it isn't possible to get volume information (cd not present etc) then jump to badboy
:00485F4C 8D4C2418                lea ecx, dword ptr [esp+18]
and more stuff...

5) u *CAN* nop this part, but it's not necessary, since it will be reading the data from the hdd, and it can always retrieve the volume name from the hdd.. ok now scroll a bit down till u reach:

:00485F5D 8D842418010000          lea eax, dword ptr [esp+00000118]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485F82(C)
|
:00485F64 8A10                    mov dl, byte ptr [eax]
:00485F66 8ACA                    mov cl, dl
:00485F68 3A16                    cmp dl, byte ptr [esi]
:00485F6A 751C                    jne 00485F88                    <--- badboy
:00485F6C 84C9                    test cl, cl
:00485F6E 7414                    je 00485F84                     <-- goodboy
:00485F70 8A5001                  mov dl, byte ptr [eax+01]

6) ok so what we have here is the classical badboy goodboy.. alrighty, load hiew and goto offset 8536A (badboy) and nop it, then goto 8536E and change it to jmp (7414 --> EB14). ok, now run mythII... yea! it works! now press the `new game` button... hmmm... it flies right back to winblows... hmm... what is wrong? remember that cd check we skipped earlier?
go back to it...:

* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
                                  |
:004272D3 FF1520F95A00            Call dword ptr [005AF920]
:004272D9 83F805                  cmp eax, 00000005               <-- read from cd drive, change the 05 to 03...
:004272DC 0F858F000000            jne 00427371
:004272E2 6A00                    push 00000000
:004272E4 8D44241C                lea eax, dword ptr [esp+1C]

7) ok, now scroll down till u reach:

:00427320 8A10                    mov dl, byte ptr [eax]
:00427322 8ACA                    mov cl, dl
:00427324 3A16                    cmp dl, byte ptr [esi]
:00427326 751C                    jne 00427344                    <-- badboy
:00427328 84C9                    test cl, cl
:0042732A 7414                    je 00427340                     <--- goodboy
:0042732C 8A5001                  mov dl, byte ptr [eax+01]

9) now patch it the same way we patched the first cd check... close w32dasm after u finished patching....

10) ok now run mythII, press on newgame.. yea! it works! u just cracked mythII! :)

btw, a small comment, if myth2 still flies back to winblows during the loading then clear up some space on c:... about 80mb (free on c:) should do it... that game is fat :)

-Killer_3K

PART 2:
~~~~~~

Patching of Packed/Protected files... (Writing a Loader)
by R!SC -- April 1999 -- risc@notme.com
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

There are three ways to defeat packed/protected files:
#1: Unpack them, then patch the 'exe
#2: Writing a loader, that waits for the program to unpack, then patches the memory
#3: Patching the packed file to patch itself when unpacked :)

In my eyes, they are like patching a reg code (#1), ripping a reg code (#2), and writing a keygen (#3). well, i never knew how to write a loader, so i decided to reverse engineer another cracker's (Hayras's) loader/memory patcher, and re-write it in win32asm. It seemed like a good idea at the time :) and proves to be very useful indeed, more leet than ripping a reg code, as you may see....

aND sO tHE tUTORIAL bEGINS!
-=-=-=-=-=-=-=-=-=-=-=-=-=-

Target Program: NeoTrace v1.22
Url: http://www.neoworx.com
Protection: Packed with Neolite & a little NAG when u want to exit

Ok, as i dont really like tutorials on cracking as such, and to make a long story short: run NeoTrace, enter softice, bpx DialogBoxParamA. Click on quit, BOOM, back into softice... hit F11, click on the OK button, BOOM?, in softice again. note the cmp eax, 01, and eax is zero? the jnz 40A67F gets taken if eax was not '1'. ok, for killing this, we skip the call to DialogBoxParamA, so in softice, bpx DialogBoxParamA again, hit F11 when it breaks, click 'OK', use ctrl + cursor up to move up a few lines...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040A5FF(C)
|
:0040A60F 8B0DF4404200            mov ecx, dword ptr [004240F4]
:0040A615 8B15543F4200            mov edx, dword ptr [00423F54]
:0040A61B 6A00                    push 00000000
:0040A61D 68E08C4000              push 00408CE0
:0040A622 51                      push ecx

* Possible Reference to Dialog: DialogID_00A4
|
:0040A623 68A4000000              push 000000A4
:0040A628 52                      push edx

* Reference To: USER32.DialogBoxParamA, Ord:008Eh
|
:0040A629 FF15D8B24100            Call dword ptr [0041B2D8]
:0040A62F 83F801                  cmp eax, 00000001
:0040A632 754B                    jne 0040A67F

See the first push? at 40A61B? That's the first parameter for the function, so we want to jump from there to 40A67F, where we would be if OK was pressed? in softice, type in 'a 40A61B', then 'jmp 40A67F', write down the codes for the jump instruction (EB62), and the address of it (40A61B).

Just a quick test that it works... Run NeoTrace again, bpx getwindowtexta, type in an address to trace, click on the trace button, hi softice :), Hit F11, make sure you're inside of Neotrace, then type in 'e 40a61b eb,62' to do our patch. 'bc *', 'x', click on quit, no NAG! kewl...
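The 'e 40a61b eb,62' line above is a two-byte write into the live process, and the loader that follows makes the same write with WriteProcessMemory once WaitForInputIdle returns. From the protection side, the usual answer to that is a runtime self-check: hash the code region once, then re-hash it on the path you care about and refuse to continue if the two differ. The block below is an added example, not R!SC's code and not anything shipped with NeoTrace. It is portable C: it takes the 20 bytes from 40A61B up to the cmp at 40A62F straight from the listing above as a constructed stand-in for a code region (a real check would hash the .text section found through the PE headers, not a static array), applies the same two-byte change to a scratch copy, and reports whether the check notices. The names fnv1a32, code_guard, guard_init, guard_check and demo_detects_patch are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a (32-bit) over an arbitrary region of memory. Any fast hash does
   here; the property that matters is that the baseline is taken before a
   loader or debugger gets a chance to write into the region. */
uint32_t fnv1a32(const uint8_t *p, size_t n)
{
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < n; i++) {
        h ^= p[i];
        h *= 16777619u;
    }
    return h;
}

/* Baseline for one protected region. */
typedef struct {
    const uint8_t *base;
    size_t len;
    uint32_t expected;
} code_guard;

code_guard guard_init(const uint8_t *base, size_t len)
{
    code_guard g = { base, len, fnv1a32(base, len) };
    return g;
}

/* 1 if the region still hashes to its baseline, 0 if any byte changed. */
int guard_check(const code_guard *g)
{
    return fnv1a32(g->base, g->len) == g->expected;
}

/* Constructed stand-in for the NeoTrace code bytes at 40A61B..40A62E as
   they appear in the tutorial's listing. */
static const uint8_t neotrace_site[] = {
    0x6A, 0x00,                          /* 40A61B push 00000000      */
    0x68, 0xE0, 0x8C, 0x40, 0x00,        /* 40A61D push 00408CE0      */
    0x51,                                /* 40A622 push ecx           */
    0x68, 0xA4, 0x00, 0x00, 0x00,        /* 40A623 push 000000A4      */
    0x52,                                /* 40A628 push edx           */
    0xFF, 0x15, 0xD8, 0xB2, 0x41, 0x00   /* 40A629 call [0041B2D8]    */
};

/* Apply the tutorial's two-byte change to a scratch copy and report whether
   the guard notices. Returns 1 when the copy was intact before the write and
   flagged afterwards, 0 otherwise. */
int demo_detects_patch(void)
{
    uint8_t scratch[sizeof neotrace_site];
    memcpy(scratch, neotrace_site, sizeof scratch);

    code_guard g = guard_init(scratch, sizeof scratch);
    int intact_before = guard_check(&g);

    scratch[0] = 0xEB;   /* jmp rel8 ...                                  */
    scratch[1] = 0x62;   /* ... +62h: 40A61B + 2 + 62h = 40A67F           */
    int intact_after = guard_check(&g);

    return intact_before == 1 && intact_after == 0;
}

int main(void)
{
    printf("baseline FNV-1a: %08x\n",
           (unsigned)fnv1a32(neotrace_site, sizeof neotrace_site));
    printf("patch detected: %s\n", demo_detects_patch() ? "yes" : "no");
    return 0;
}
```

Build with cc -std=c99 guard.c && ./a.out. Two caveats follow directly from the loader in the next section: because it writes only after WaitForInputIdle returns, a single check at process start would never fire, so the re-hash has to run later, on the protected path itself; and the hash is not a secret, so a patcher who finds the check can patch that too. The check raises the cost of the two-byte patch, it does not prevent it.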
Right oh, easy crack, lets see a loader for it then :)

;-=-Loader.asm-=-=-cut & paste me :)=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
; based on original loader.exe by Hayras [tNO '98] used in
; Hayras's Neolite v1.22 memory patcher.
;
; Special thanks to TNO for graciously allowing me to use this
; source on behalf of Hayras, who has now retired from the scene.
; Yes, Hayras's loader reversed by R!SC, then totally re-written
; & released to the public, so everyone can learn this shit :)
; Requires Tasm 5.0 & import32.lib to compile
;   tasm32 /ml loader.asm
;   tlink32 /Tpe /aa /c loader,loader,, import32.lib
; replace with whatever...
; (c)1999 R!SC (see what i do instead of cracking...duh) yey Prophecy!

.386P
Locals
jumps
.Model Flat ,StdCall

;Define the needed external functions and constants here.
Extrn MessageBoxA:PROC
Extrn WaitForInputIdle:PROC
Extrn WriteProcessMemory:PROC
Extrn ReadProcessMemory:PROC
Extrn CreateProcessA:PROC
Extrn CloseHandle:PROC
Extrn ExitProcess:PROC

;-=-Normal data-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
.Data
CSiR_Tag         db ' PE LOADER & CRACKER---R!SC 1999 ',0
CSiR_Error       db 'Error!',0
CSiR_Error1      db 'Something fucked up...',0
OpenERR_txt      db 'CreateProcess Error :(',0
ReadERR_txt      db 'ReadProcessMemory Error :(',0
WriteERR_txt     db 'WriteProcessMemory Error :P',0
VersionERR_txt   db 'Incorrect Version of application :(',0
CSiR_ProcessInfo dd 4 dup (0)          ;process handles
CSiR_StartupInfo db 48h dup (0)        ;startup info for the process we're opening
CSiR_RPBuffer    db 10h dup (0)        ;read buffer, for checking data

;-=-Patch datas-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
CSiR_AppName     db 'NEOTRACE.EXE',0
fuck             dd 40a61bh            ; address to read data from for version checking
sizeof           dd 10                 ; in the new process
checkbytes       db 06ah,0,068h,0e0h,08ch   ; the bytes to check for
                 db 040h,0,051h,068h,0a4h   ; if they're not there, we have the wrong version??
patch_data_1     db 0ebh,62h
patch_size_1     dd 2
patch_addr_1     dd 40a61bh

.Code
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Main:
    push offset CSiR_Tag
    mov dword ptr [CSiR_StartupInfo],44h  ; (the size in bytes of the structure)
    push offset CSiR_ProcessInfo          ; Typedef struct _PROCESS_INFORMATION
    push offset CSiR_StartupInfo          ; Pointer to STARTUPINFO structure
    push 0
    push 0
    push 20h                              ; Creation flags
    push 0
    push 0
    push 0
    push 0
    push offset CSiR_AppName              ; Pointer to name of executable module
    call CreateProcessA
    test eax,eax
    jz OpenERR

Wait4Depack:
    push LARGE-1                          ; Timeout (in milliseconds, -1 = infinite)
    push dword ptr [CSiR_ProcessInfo]
    call WaitForInputIdle

Check_Data:
    push 0                                ; BytesRead
    push dword ptr [sizeof]               ; Length
    push offset CSiR_RPBuffer             ; Destination (to read them to)
    push dword ptr [fuck]                 ; Source
    push dword ptr [CSiR_ProcessInfo]     ; Process whose memory we are to read
    call ReadProcessMemory
    test eax,eax
    jz ReadERR
;...
;int 03 ;-)
    cld
    lea esi, CSiR_RPBuffer
    lea edi, checkbytes
    mov ecx, 10
    rep cmpsb                             ; ZF set only if all 10 bytes match
    jnz VersionERR
;...

Patch_the_mother:
    push 0                                ; Pointer to byteswritten (i like null though)
    push dword ptr [patch_size_1]         ; Length
    push offset patch_data_1              ; Source
    push dword ptr [patch_addr_1]         ; Destination
    push dword ptr [CSiR_ProcessInfo]     ; Process whose memory we are to patch
    call WriteProcessMemory               ; Call Kernel32!WriteProcessMemory
    test eax,eax
    jz WriteERR

Close_This_app:
    push dword ptr [CSiR_ProcessInfo]
    call CloseHandle
    push dword ptr [CSiR_ProcessInfo+4]
    call CloseHandle

Exit_Proc:
    Push LARGE-1
    Call ExitProcess

;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
VersionERR:
    lea eax, VersionERR_txt
    jmp abort
ReadERR:
    lea eax, ReadERR_txt
    jmp abort
OpenERR:
    lea eax, OpenERR_txt
    jmp abort
WriteERR:
    lea eax, WriteERR_txt
abort:
    push 0
    push offset CSiR_Error                ; Title
    push eax                              ; Message
    push 0
    call MessageBoxA
    jmp Close_This_app

End Main
;-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

This basically loads the 'exe, the WaitForInputIdle function waits until the given process is waiting for user input with no input pending, then patches the memory, then carries on running the process :) It's pretty easy code to follow, and with just alterations of the 'patch datas' section, can be fixed to patch almost any program :)

If you fancy reversing a patch for neotrace, to make the packed version patch itself, get mine from http://www.gz.ee/cracks/n.htm, if you fancy reversing Hayras's loader yourself, that's available from http://zor:code58@www.zor.org/tno/n.html

I know that WaitForInputIdle is not the best way to tell when a program has depacked/deprotected itself, and if you're having problems with it patching the memory after it should have done, you can change the timeout value. With this loader, i have patched neolite & pecrypt so far, i know others will work, but i haven't tested them yet...

love R!SC -- risc@notme.com

PART 3:
~~~~~~

WinZip 7.0 stuff for a keygen...R!SC 28th May 1999...risc@notme.com...
..best to print this text then study it, it will make it easier to follow..

after bpx getdlgitemtext, twice (1 to get the name, 1 to get the code) you should soon end up near here.. (getdlgitemtext breaks @ 408036, @ 40805c is the main call to check the information)

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
                                  |
:00408036 FF150C844600            Call dword ptr [0046840C]
:0040803C 56                      push esi                        <-- pointer to code
:0040803D E800160200              call 00429642                   <-- kill extra spaces on the end
:00408042 59                      pop ecx
:00408043 56                      push esi
:00408044 E822160200              call 0042966B                   <-- kill extra spaces at the beginning
:00408049 803D18D9470000          cmp byte ptr [0047D918], 00     <-- check first char of name
:00408050 59                      pop ecx                           - if NULL, no information was
:00408051 745F                    je 004080B2                       - entered
:00408053 803D48D9470000          cmp byte ptr [0047D948], 00     <-- check first char of serial
:0040805A 7456                    je 004080B2                       - NULL==no info entered
:0040805C E8EAFAFFFF              call 00407B4B                   <-- call the calculation routine

tracing into ':0040805C CALL 00407B4B' you will (should) soon end up here...

:00407C0E 8D85C0FEFFFF            lea eax, dword ptr [ebp+FFFFFEC0]
:00407C14 50                      push eax                        <-- pointer to buffer for real reg-code to go
:00407C15 57                      push edi                        <-- pointer to ascii name we entered
:00407C16 E8AB000000              call 00407CC6                   <-- calculate the serial
:00407C1B 59                      pop ecx                         <-- pointer to ascii name we entered
:00407C1C BE48D94700              mov esi, 0047D948               <-- ascii 'fake' serial we entered
:00407C21 59                      pop ecx                         <-- pointer to ascii real serial

there, see, the code is calculated when call 00407CC6 is executed, and the 'real' serial no. is mirrored in memory, pointed to by ECX when you come out of the call :)

here's the routine that calculates the code (creates 2 word values from it, then using these, creates the final valid number (being value#2value#1) i.e #1=0278 #2=1234, code = 12340278

* Referenced by a CALL at Address:
|:00407C16
|
:00407CC6 55                      push ebp
:00407CC7 8BEC                    mov ebp, esp
:00407CC9 51                      push ecx
:00407CCA 8B4D08                  mov ecx, dword ptr [ebp+08]     <-- pointer to name
:00407CCD 8365FC00                and dword ptr [ebp-04], 00000000 <-- place to store value #1
:00407CD1 53                      push ebx
:00407CD2 56                      push esi
:00407CD3 8A11                    mov dl, byte ptr [ecx]          <-- first char into dl
:00407CD5 57                      push edi
:00407CD6 33C0                    xor eax, eax
:00407CD8 8BF1                    mov esi, ecx                    <-- copy pointer to esi
:00407CDA 33FF                    xor edi, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407CF1(U)
|
:00407CDC 84D2                    test dl, dl                     <-- check for NULL
:00407CDE 7413                    je 00407CF3                       - if so, we've done the whole name
:00407CE0 660FB6D2                movzx dx, dl                    <-- clear dh
:00407CE4 8BDF                    mov ebx, edi                    <-- counter for what character we're on
:00407CE6 0FAFDA                  imul ebx, edx                   <-- multiply the count by the ascii value
:00407CE9 015DFC                  add dword ptr [ebp-04], ebx     <-- add the answer to value #1
:00407CEC 8A5601                  mov dl, byte ptr [esi+01]       <-- get next char
:00407CEF 47                      inc edi                         <-- increase counter
:00407CF0 46                      inc esi                         <-- increase character pointer
:00407CF1 EBE9                    jmp 00407CDC                    <-- loop until char==NULL

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407CDE(C)
|
:00407CF3 C705DCD3470001000000    mov dword ptr [0047D3DC], 00000001
:00407CFD 8BF1                    mov esi, ecx                    <-- copy pointer to name
:00407CFF 8A09                    mov cl, byte ptr [ecx]          <-- get first char

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D1C(U)
|
:00407D01 84C9                    test cl, cl                     <-- check for NULL
:00407D03 7419                    je 00407D1E                       - if so, we've done every letter
:00407D05 660FB6C9                movzx cx, cl                    <-- clear ch
:00407D09 6821100000              push 00001021                   <-- magic xor value
:00407D0E 51                      push ecx                        <-- the character's ascii value
:00407D0F 50                      push eax                        <-- value #2
:00407D10 E82A000000              call 00407D3F                   <-- do some real complicated stuff (see ARRGH!)
:00407D15 8A4E01                  mov cl, byte ptr [esi+01]       <-- get next char
:00407D18 83C40C                  add esp, 0000000C
:00407D1B 46                      inc esi                         <-- increase char pointer
:00407D1C EBE3                    jmp 00407D01                    <-- loop until [char]==NULL

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D03(C)
|
:00407D1E 0FB74DFC                movzx ecx, word ptr [ebp-04]    <-- retrieve value #1 (dw)
:00407D22 83C063                  add eax, 00000063               <-- fuckup value #2 a bit more
:00407D25 51                      push ecx                        <-- push value #2
:00407D26 0FB7C0                  movzx eax, ax                   <-- knock value #2 down to a dw
:00407D29 50                      push eax                        <-- push value #1

* Possible StringData Ref from Data Obj ->"%04X%04X"
|
:00407D2A 687CF44600              push 0046F47C
:00407D2F FF750C                  push [ebp+0C]
:00407D32 E809E20400              call 00455F40                   <-- convert HEX values #1 & #2 into ASCii
:00407D37 83C410                  add esp, 00000010                 - in reverse order, so the value reads #2#1
:00407D3A 5F                      pop edi
:00407D3B 5E                      pop esi
:00407D3C 5B                      pop ebx
:00407D3D C9                      leave
:00407D3E C3                      ret

=====ARRGH!=======================================

* Referenced by a CALL at Addresses:
|:00407D10 , :00407DFB                           big bad value #2 creator routine
|
:00407D3F 55                      push ebp
:00407D40 8BEC                    mov ebp, esp
:00407D42 8B4508                  mov eax, dword ptr [ebp+08]
:00407D45 56                      push esi
:00407D46 33C9                    xor ecx, ecx                    <-- clear ecx
:00407D48 6A08                    push 00000008                   <-- how many times to do maths on every character
:00407D4A 8A6D0C                  mov ch, byte ptr [ebp+0C]       <-- ch==ascii value of name
:00407D4D 5A                      pop edx                         <-- edx==8 (loop counter)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D65(C)
|
:00407D4E 8BF1                    mov esi, ecx                    <-- copy ecx into esi
:00407D50 33F0                    xor esi, eax                    <-- xor old value #2 with ascii letter from name
:00407D52 66F7C60080              test si, 8000                   <-- i think this checks if highest bit is set..
:00407D57 7407                    je 00407D60                       - i.e is it signed or unsigned, positive or neg..
:00407D59 03C0                    add eax, eax                    <-- add old value #2 to itself
:00407D5B 334510                  xor eax, dword ptr [ebp+10]     <-- our magic xor number (00001021)
:00407D5E EB02                    jmp 00407D62

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D57(C)
|
:00407D60 D1E0                    shl eax, 1                      <-- shift contents of eax over to the left by 1 bit

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407D5E(U)
|
:00407D62 D1E1                    shl ecx, 1                      <-- shift contents of ecx over to the left by 1 bit
:00407D64 4A                      dec edx                         <-- decrease counter
:00407D65 75E7                    jne 00407D4E
:00407D67 5E                      pop esi
:00407D68 5D                      pop ebp
:00407D69 C3                      ret

okay, we have the code calculation routine, quite simple ;) so lets rewrite it in asm (erm win32asm, but just the calculation bit, no input / output for you...)

;--winzip keygen code--R!SC--http://csir.cjb.net--risc@notme.com--28th May 1999--
input_name  db 'R!SC'
            db 40 dup (0)
value_1     dd 0
value_2     dd 0
finalvalue  dd 0

start:                                  ;)
calc_value_1:
    lea esi, input_name
    xor edi, edi
    mov dword ptr [value_1], edi
    mov dword ptr [value_2], edi
    mov dword ptr [finalvalue], edi     ; make sure all values are clear before we begin
    xor eax, eax
    xor ebx, ebx
    xor edx, edx                        ; (added) clear all of edx: movzx dx, dl below only clears dh
    mov dl, byte ptr [esi]
value_1_loop:
    test dl, dl
    je done_value_1
    movzx dx, dl
    mov ebx, edi
    imul ebx, edx
    add dword ptr [value_1], ebx
    mov dl, byte ptr [esi+1]
    inc edi
    inc esi
    jmp value_1_loop
done_value_1:
    lea esi, input_name
value_2_loop:
    xor ecx, ecx
    mov ch, byte ptr [esi]
    test ch, ch
    je done_value_2
    mov edx, 8
arrgh_1:
    mov ebx, ecx                        ; i use ebx instead of esi for this bit :)
    xor ebx, eax
    test bx, 08000h
    je arrgh_signed
    add eax, eax
    xor eax, 00001021h
    jmp arrgh_not_signed
arrgh_signed:
    shl eax, 01
arrgh_not_signed:
    shl ecx, 01
    dec edx
    jne arrgh_1
    inc esi
    jmp value_2_loop
done_value_2:
    add eax, 063h
    movzx eax, ax
    mov word ptr [finalvalue+2], ax     ; value #2 goes in the high word
    mov eax, value_1
    mov word ptr [finalvalue], ax       ; value #1 in the low word, so the dword reads #2#1
    mov eax, [finalvalue]
    ;int 03
;--winzip keygen code--R!SC--http://csir.cjb.net--risc@notme.com--28th May 1999--

i used this code in my
keygen, and it worked 100% :)

you can enter a maximum of 40 characters, extra leading & trailing spaces are chopped off i.e

  "R!SC 99 ",0             --> "R!SC 99",0
  " oh my 1",0             --> "oh my 1",0
  "heh ",0                 --> "heh",0
  ' R!SC !" $%^& *()::',0  --> 'R!SC !" $%^& *()::',0

okay! so you should have no problem coding your own keygen for winzip now!

short & sweet keygen tutorial, with just the essential information
written friday afternoon, may 28th 1999 by R!SC
if you want the real messy source code (TASM 5) mail me

PART 4:
~~~~~~

Cracking tutorial 1 by NE(c)RO'99 [DoB]

Yowzer,

In my first tutorial I will teach you how to crack META MASTER. META MASTER is a program for sitebuilders who don't like to write their META TAGS themselves, but who like to have it done for them. I'm one of them. The program has a limitation: It doesn't work @ 100% unless you enter a serial number. This is what I'm gonna teach you... Here we go.

Target:  META MASTER 2.5 & 2000 (later on in this tutorial)
URL:     http://www.net-matrix.com
Cracker: NE(c)RO'99 [DoB]
Date:    20/05/1999 and 21/05/1999 (version 2000 @ last date)

META MASTER 2.5

The first thing you need to know is in which code-language it is coded, so load HIEW and open the file you wanna crack (in our case it is META MASTER). (Tip: make a shortcut in your WINDOWS\SEND TO\ folder). You should see something that points to a VB application (the name of a dll, MSVBVM50.DLL, which is used in VB). Now you see this, and you are sure it is a VB program. This points out that there are 2 ways to crack this serial protection.

1) Use Softice
2) Use Smartcheck

Because I haven't seen many tutorials on Smartcheck, I thought I might as well try to crack it this way, and write a tutor over it. So, load Smartcheck, open the executable file of META MASTER and press F5 (or click the PLAY triangle). Now MM starts. Try to register the program. You'll see something like this (in version..)
(Version 2000 comes later on in this tutor)

  NAME:    NE(c)RO'99  ==> (c) = [ALT] [1][8][4]
  COMPANY: [DoB] Software code (I don't really remember this, learned too much I think :-)
  SERIAL:  22446688 (OR ANYTHING you'll like, but I use this because it is easy to recognise later)

  REGISTER NOW     REGISTER LATER

Click on register now, and you'll see a message like this: The serial entered is NOT the right one (or something similar). Click OK. Close the program and go to Smartcheck. In one of the 2 screens you'll see something with many "+". Just click on +command_click ==> it extracts.. good.. Scroll down to the bottom and scroll up again until you see your wrong serial (22446688 in my case). You'll see that it will be "converted" to another character. Some places lower you see a similar number that's been converted to a "normal" number. This is the serial (in my case it is: 265185164) (The numbers could be different on your computer). Now you can try if it works, or you can repeat all of this with your name.

Final notes:
* I don't know anything about the Visual Basic code, but it isn't really difficult to crack these applications. Please note that if you wanna keep on using this program, please buy it.
* Things written in this tutorial can be something else, but if you use version 2.5 it's the same as in this tutorial.

Ok, that's it for now, cya l8er. Please mail your comments and remarks to: NEcRO_DoB@ThePentagon.com
You can find me on EFNET in #C.i.A and #DREAD aka Natazzz

Thnx to: tKC for his wonderful tutors, NaShA, SuPeRio(r), PfH, DoBuTiL, G-Force, Northpole, everybody on #C.i.A & #DREAD & #C-Dance (long ago :)

Download some cracking tools here:
  http://HarvestR.cjb.net
  http://move.to/DoB

META MASTER 2000

Well, since I've written this tutorial, I checked the website again and I found a new version of META MASTER. I've cracked it by a M8, and I saw that the registration process was different, so here we go (again).
Assuming that you already D/L'd and installed this program, you would like the FULL version for removing that annoying banner, and to make the first option work. So, what do we do? Let's check in which language it's written. Right, check it in HIEW (Tip: Make a shortcut in your WINDOWS\SEND TO directory). Go to the dir where Meta Master is installed, and click on it, right click, Send to ==> HIEW. What do we see? Well, we see the program isn't encrypted or packed, and we see it's written in VB (U should see the reference to MSVBVM50.DLL ==> this stands for VB 5.0). So, already 2 choices about how to crack: SoftICE or Smartcheck. Because I've not seen so many tutorials about Smartcheck, I'm writing one. So, here we go.

Open Smartcheck, and let the program load (F5). It will take a while, so let it go. I'll be back when it's done (I want breakfast! NOW). When it's done you'll see Meta Master pop up. Try to register it. It doesn't work? Damn, it needs to be cracked. Close META MASTER, and then I'll be back from breakfast.

I just got dressed and looked at my PC, it was ready, so breakfast can wait, and here we go again. We see, after long waiting:

(Left side):
  Green bar at top
  Blue bar under it
  Form1 (Form) created
  +Form1_Load
  +Picture1 (1)_MouseMove
  +Picture1 (1)_MouseMove
  +Picture1 (1)_MouseMove
  +Picture1 (1)_MouseMove
  +Picture1 (1)_MouseMove
  +Picture1 (1)_MouseMove
  +Picture1 (1)_MouseMove
  +Timer1_Timer
  +Picture1 (1)_MouseMove
  +MnuUnlock_Click
  +Timer1_Timer
  +CmdRegister_Click

Note that the number of times you see +Picture1 (1)_MouseMove depends on the number of times you moved your cursor over the banner. We wanna get our serial, so let's see what's in Form1_Load. Click on the "+" and scroll down until you see all the other items. We need to see this:

  Long (0) --> Integer (0)
  Left                                                   <== We need this one!
  ActiveLock.PropertyChanged
  Form1.Caption <-- "Meta Master 2000 - Unregistered" (String)

Well, assuming that you see this code, it isn't really difficult.
You should start "reverse engineering", so we see [Form1.Caption <--...] well, this is something which tells us that it isn't registered, and it isn't. Click on it and you will only see this text in your right window. [ActiveLock.PropertyChanged] Doesn't give more information. Let's click on [Left]. Well, what we see here is more interesting:

  - string (variant)
    - Unsigned Short
      * .pbstrVal = 0065F380
        o String = 00530C08
          * ="CB8C9FBD9FFA537B575601D733606E12ACF597B3"
  - Long Length = 16 0x00000010

note that the software number on my computer is: 3336F1577D51B0E6

Well, what would happen if we give the FIRST 16 numbers as serial? Nothing. Wrong serial. But I gave them in LOWERCASE. Let's do the same in UPPERCASE. Registration was successful. Thank you for supporting our products. Cool, it works. Click OK and you've got your 100% working program. Please note that the numbers could be different on each computer. I'm searching where they get that number, and if I find it, you'll find it on my homepage: http://move.to/DoB. If you know, let me know: NEcRO_DoB@ThePentagon.com

Greets, NE(c)RO.

Thanks to: Northpole (C-Dance rules!), Pfh, NaShA (xxx), DoBuTiL, SuPeRio(r), G-Force, Tcom, Veroke, everybody on #C.i.A & #DREAD & #C-Dance (long ago..:). Cya in my next tutorial.
You can find me on EFNET #C.i.A & #DREAD aka Natazzz

We're small, but we're everywhere. DoB

PART 5:
~~~~~~

ZipClean by NE(c)RO'99 [DoB]

In this tutorial I will teach you how to crack ZipClean of CFA.

Url:             http://pages.ripco.com:8080/~swb/
Target:          All programs have the same registration routine, so ...
Cracker:         NE(c)RO'99 [DoB]
Type of program: Serial protection with computername
Code language:   Visual Basic
Cracked with:    Smartcheck

Well, this is a very easy target, so just d/l it and install. You'll get a pretty image when it starts.. (A cracker's life could be so beautiful... :-) Well, if you've installed it, you'll get an annoying splash screen and an (irritating) sound. So, what do we want?
We like registered software, so there we go. Launch smartcheck, open the program, and launch ZipClean with it. You'll see zipclean starts when you press [F5]. Now you need to register. But, the serial is different for each computername. Enter a fake serial (I use 2244668800), but you only see stars... Now, you'll get an annoying box which says: Nope, that's not the right code. But, in some minutes, you're gonna get the right one. Close ZipClean and go back to Smartcheck. Now you see this:

  + Command1_Click

Just click on it. The first thing you can click on and which will give you some information (in the right window):

  LEN RETURNS LONG: ********

Click on this and it will show you your computername. Now, scroll down. When you're at the bottom, you'll see this:

  | Right:
  | Left                          !(We need this)!
  | Text2.text
  | + form5_Unload
  | MsgBox returns Integer: 1     (here you see you were wrong)
  | Str$
  | ----------> Command1_Click    (the end of Command1_Click)

So, we see.. Left: Click on it.. (at the last 2 lines)

  ="8852274100668"
  Long length = 10 0x0000000A

(this 10 points to the number of chars we need to give as serial, so finally my serial should be --> and IS 8852274100. But these characters are different for every computername.

So, I hope you understood this, and I hope you're gonna read my tutors in the future. Cya l8er.

NE(c)RO

Thnx to: tKC for his wonderful tutors, BuL_LeT for his wonderful Ball_Popper, Northpole, PfH, SuPeRio(r), NaShA, DoBuTiL, everybody on #DREAD & #C.i.A .

This tutorial is for educational purposes only. Buy this software if you like to keep using it.

Ps: this text is written with the ENGLISH spelling check of Office 2000, and I'm Dutch, so don't blame me, blame Microsoft.

PART 6:
~~~~~~

Here's a code for Anti-SoftICE in Delphi coded by Natalie, my friend. (girlie, why did I fall for you? :-/ I'll wait until you're done with your studies and then we'll see, ok? 3 years of school?
*sigh* and thanks again for your help and your patience ...tKC)

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

unit AntiSoftIce;

interface

implementation

uses windows, dialogs;

{ SoftICE for Windows 95/98 registers the \\.\SICE device while it is loaded,
  so opening that name succeeds only when the debugger is present. }
function SoftIce95: boolean;
var
  hfile: Thandle;
begin
  result := false;
  hFile := CreateFileA('\\.\SICE', GENERIC_READ or GENERIC_WRITE,
                       FILE_SHARE_READ or FILE_SHARE_WRITE, nil,
                       OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, 0);
  if (hfile <> INVALID_HANDLE_VALUE) then
  begin
    CloseHandle(hfile);
    result := true;
  end;
end;

initialization
  if SoftIce95 then
  begin
    MessageDlg('SoftICE is detected!', mtError, [mbOK], 0);
    halt;
  end;
end.

{Mike, I hope this one will help you. You're welcome to pass it on to your friends, as long as you don't forget me! 8-) Next time feel free to bring your clothes to KP, then we'll have a good time again like last weekend. (Sorry about your cell phone!) Maybe I'll move over to PTA in 3 years if you ever break away from the womenfolk, miss you lots. xx Natalie}

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

We really hope you've enjoyed this tutorial as much as we did!
Don't miss Tutor #26 soon! ;)
And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  [K]in[G] for Splash Logo.
  R!SC for providing 2 tuts in this version.
  Killer_3K for providing a tut in this version.
  NE(c)RO/DoB for providing 2 tuts in this version.
  Natalie for coding me an Anti-SoftICE in Delphi (girlie, u r0x!)
  tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org
Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. be sure that I really appreciate your mails!
:)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 31 May 1999

Cracking Tutorial #25 is dedicated to Ms_Jessca... who else?