Welcome to Cracking Tutorial #26!

Ah finally, sorry for delays but no modem at my home yet. :-/ For a bonus I'll do 5 versions today (#26, 27, 28, 29 and 30). *HELL!* Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :)

Ok, let's rave!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftIce 3.25
W32Dasm 8.93
Hacker's View 6.10
SmartCheck 6.03
TASM 5.00
Windows Commander 3.53 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://surf.to/HarvestR or http://harvestr.cjb.net
http://atlantez.nl.eu.org/Iczelion
http://protools.cjb.net

or ask any crackers to get you these tools! Are you ready?! OK! ;)

==========================
How to crack Bryce 3D v3.1
==========================

In this tutorial u'll see how to get the full version of Bryce 3D v3.1 for free.

Used Tools
==========
SoftICE v3.2 (http://protools.cjb.net)
InstallShield File Compressor ('icomp.exe') (http://www.pbdatacom.se/empire/files/files.htm)

Target
======
Bryce 3D is a gfx program, which u can use to create fine and realistic landscapes. Its protection consists of a serial number check, and u have to insert the CD-ROM when u want to start the program.
How to get Bryce v3.1
=====================
(of course u can skip this passage if u already have it)

1) To build up your own Bryce 3D full version u have to download the following files:

   ftp.metacreations.com /pub/Applications/Bryce/demo/win/
      bryce3d_demo.arj
      bryce3d_demo.a01
      bryce3d_demo.a02
      bryce3d_demo.a03
      bryce3d_demo.a04
      bryce3d_demo.a05
   OR
      b3d_demo_win_full.zip
   AND
   ftp.metacreations.com /pub/Applications/Bryce/update/win/
      b3d-31.zip

   Probably u've got the demo (about 28 MB) somewhere on a CD-ROM of a PC magazine, so that u don't have to download it. In the demo version some important features r disabled, but all(?) texture, template, ... files r there. By replacing the program files with the program files of the update package u get the full version of the program.

2) Extract the file 'data.1' from the demo package to a temporary directory (for example: c:\bryce).

3) Extract the files from 'data.1' using 'icomp.exe':

   icomp data.1 *.* -d -i

   (BTW: U can unpack all programs packaged with InstallShield with this program. This could be useful if an installation requires a password in order to proceed with the install. But this method does not work with so many programs, because often registry modifications made by IS r needed to start the program.)

4) Unpack 'b3d-31.zip', start a file manager and start the B3D update program. Wait for the first message ('Welcome to the Bryce 3D Updater Program ...') and switch to the file manager ([ALT]+[TAB]). Now go to the Windows temp directory (for example 'c:\windows\temp\') and find out where the updater has extracted its files to (maybe 'c:\windows\temp\~exb0000\'). Copy 'data.1' (around 7 MB) to 'c:\bryce' -or whatever- replacing the old 'data.1'. Close the setup program.

5) Unpack 'data.1' using 'icomp.exe':

   icomp data.1 *.* -d -i

6) The files r extracted to the subdirectory 'update31'. Copy all files from this directory to the Bryce demo directory (for example: 'xcopy c:\bryce\update31\*.* c:\bryce\prog /e /r').
That's it. U can delete the temporary dirs now and copy all files from 'c:\bryce\prog\' to a dir of your choice ('c:\program files\bryce31').

How to patch it
===============
Now the more interesting part.

1) SoftIce should be loaded and the common changes in 'winice.dat' should be done.

2) Start Bryce. A box appears, which asks u to give name, company and a serial. When u enter something (for example 'NiTEHAWK/-/1234567890') and press OK, a message tells u that the program first checks whether the Bryce CD-ROM is inserted.

3) A common function used by CD-ROM checks is 'GetDriveTypeA' (it returns 5, DRIVE_CDROM, for a CD-ROM drive). So switch to SI ([Ctrl]+[D]) and type 'bpx getdrivetypea', to make SI break when this function is called.

4) Switch back to B3D and push OK again. SI breaks and u r in the 'getdrivetypea' function. So press [F12] to get out of it.

:0051C839 56               push esi
* Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
:0051C83A FF15A0EB6600     call dword ptr [0066EBA0]
:0051C840 83F805           cmp eax, 00000005        << After 1x [F12]
:0051C843 7565             jne 0051C8AA
* Possible StringData Ref from Data Obj ->".psd"
:0051C845 6878D46500       push 0065D478
* Possible StringData Ref from Data Obj ->"serial"
:0051C84A 6838D46500       push 0065D438

Now u r in the 'cdrom-check-function' of the program, u suppose. To find out if this is true, disable the breakpoint (bd *) and press [F12] again.

:004E44E8 84D2             test dl, dl
:004E44EA 0F8402020000     je 004E46F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E44DE(C)
:004E44F0 8B8BB0000000     mov ecx, dword ptr [ebx+000000B0]
:004E44F6 E8E5810300       call 0051C6E0
:004E44FB 85C0             test eax, eax            << After 1x [F12]
:004E44FD 7425             je 004E4524              << !
:004E44FF 8B939C000000     mov edx, dword ptr [ebx+0000009C]
:004E4505 6A01             push 00000001
:004E4507 6A01             push 00000001
:004E4509 52               push edx
:004E450A E821150400       call 00525A30

U can see that u were right in your speculation. It seems that the call at address :004E44F6 calls a serial & CD-ROM check function.
There r several possibilities how to patch: u can manipulate the jump at 004E44FD or the function itself or ... Let's try the first possibility:

- u r in SI. type 'e 4E44FD'
- change '74' to 'EB' ('je' to 'jmp')
- press return
- switch back to B3D
- and it worx, now u've got the registered version of B3D!

(There is no need for a permanent patch, cause the program creates a file in the B3D directory which shows that it is registered ('MetaImage.dll').)

Notice: There could be different memory addresses on your system.

Remarks? Write me: the_nitehawk@hotmail.com

============================================================================================
CoSH's writing a Keygen for Kyodai Tutorial
============================================================================================
Tools used: Softice 3.23
            W32Dasm
            BC++ 5.0
============================================================================================
(1) : Install Kyodai, a nice Mahjongg game. Press F9 to proceed to the registration screen. Enter your name and some bogus serial.
============================================================================================
(2) : Load Softice and put a "bpx hmemcpy" (Breakpoint on Execution). Go back to the program and hit enter.
============================================================================================
(3) : Boom! You're in Softice. Hit F12 (trace till a "ret" instruction) a few times till you're back in the Kyodai code. Press F10 once. Now you can see your name in EDX. Put a BPM (Breakpoint on Memory Access) on EDX and hit F5.
============================================================================================
(4) : You'll land right in the keygen algo. Now EAX holds the length of our name, which is stored in EDX.
movzx eax, byte ptr [edx+eax-01]   ; Load last letter of our name in EAX
mov edx, dword ptr [ebp-04]        ; Move name into EDX
movzx edx, byte ptr [edx]          ; Load first letter of our name in EDX
add eax, edx                       ; First letter + last letter
mov ecx, 0000000A                  ; 10 in ECX
cdq                                ; Dunno whats cdq good for
idiv ecx                           ; eax div ecx
add edx, 00000030                  ; modulus + 48

(cdq sign-extends EAX into EDX:EAX, which idiv needs as its dividend; after idiv, EAX holds the quotient and EDX the remainder, so EDX ends up as (first + last) mod 10, plus 48 to make it an ASCII digit.)
============================================================================================
(5) : That's the calculation for the first number of our correct serial. Now comes the rest.

POINTA:
mov eax, dword ptr [ebp-04]        ; Load Name into EAX
movzx eax, byte ptr [eax+ebx-02]   ; Load first letter into EAX
mov edx, dword ptr [ebp-04]        ; Load Name into EDX
movzx edx, byte ptr [edx+ebx-01]   ; load second letter into EDX
add eax, edx                       ; A + B
mov ecx, 0000000A                  ; 10 in ECX
cdq                                ; Crap
idiv ecx                           ; EAX div ECX
add edx, 00000030                  ; modulus + 48
lea eax, dword ptr [ebp-08]        ; |
call 00403A54                      ; |
mov edx, dword ptr [ebp-08]        ; )---- Stores the number
mov eax, edi                       ; |
call 00403B34                      ; |
inc ebx                            ;
dec esi                            ;
jne 00479B34                       ; If ESI (length of Name) not 0 jump POINTA

(Each round adds two neighbouring letters, name[ebx-2] and name[ebx-1], and appends one digit, so the serial has as many digits as the name has letters.)
============================================================================================
(6) : Ok that's it, now you just have to write a keygen for it :) . I've included my source below.

Greetings fly out to: Alx(away), _tribe, wolvie, Arfa, REKiEM, delight, Mooncat, _bjanes_, HiGHTiMEZ, and you ;P .
============================================================================================
============================================================================================
#include <iostream>
using namespace std;

int main(void)
{
    cout << "\n\n\n";
    cout << "      - [ KYODAI 6-8.x KEYMAKER BY CoSH [PCY] ] -\n";
    cout << "      --------------==================-----------\n";
    cout << "      Enter your Name = ";
    char name[50];
    cin.getline(name, 50);
    int length = 0;
    char endser[50];
    for (length = 0; name[length] != '\0'; length++);   // length of the name
    if (length == 0) return 0;                          // nothing to do for an empty name
    int eins, zwei;           // int, not char: the sums exceed 127, like the 32-bit regs in the algo
    eins = (unsigned char)name[length-1];               // last letter (movzx)
    zwei = (unsigned char)name[0];                      // first letter
    eins = eins + zwei;
    eins = eins % 10;
    eins = eins + 48;                                   // + '0'
    int count = 0;
    endser[count] = (char)eins;
    for (count = 2; count != length+1; count++)         // the POINTA loop
    {
        eins = (unsigned char)name[count-2];
        zwei = (unsigned char)name[count-1];
        eins = eins + zwei;
        eins = eins % 10;
        eins = eins + 48;
        endser[count-1] = (char)eins;
    }
    endser[count-1] = '\0';
    cout << "      Your Serial is = ";
    cout << endser;
    cout << "\n\n      Press enter to proceed";
    cin.get();
    return 0;
}

How to crack Eternal Bliss's Camouglage crackme and how to make a keygen for it
by ACiD BuRN

hi dudes :)
today, i will teach u how to crack a vb crackme, and how to keygen it! why? coz there aren't a lot of vb keygen tutorials, so i wanted to make one!

where to find it: http://surf.to/crackmes
very good site with lots of crackmes!

Protections:
- anti smartcheck
- serial / name

1) anti smartcheck (SC):
there are some ways to detect if SmartCheck is used, so i will give u the most used! the prog looks at the title bar of SC, and if it finds "NuMega SmartCheck" then the prog closes itself! shit! the second way is to look at the SC window ID: NMSCWM50, and if it finds it, then it closes itself.

how to bypass that? if u want to crack most vb apps with anti smartcheck, it is better to patch ur SC executable. use a hex editor and look for NuMega SmartCheck, then change it to what u want! but patching the NMSCWM50 string is harder, coz u don't see it with a hex editor.
you can use the prog UPK by CyberBlade, a friend! but i haven't used this app to do that; i will teach u how i did it to run the crackme with SC!

first, i found that it is the second protection that is used in this crackme: it looks at NMSCWM50. so, with SoftIce, u have to set a BPX on an API which breaks just before the message box that says "you are not registered blablabla...". then you have to load the crackme into SC and run it! it will break in SICE, and now do a search like this:

s 0 l ffffffff "NMSC"

(i haven't searched for NMSCWM50, to be sure to find something.) type 's' until you find NMSCWM50. the first time you see it, overwrite it in memory with 0's for example. so when the prog looks for NMSCWM50, it just finds 00000000. hehe, so the crackme continues to run and we are now in SC!

2) how to reg it
so, click on register and enter your name and a serial like 123456 and then click on "check it". You will see "Wrong Try again" in place of your name, so that wasn't the good one =)!

ok, exit the crackme and now go in SC. First save your project, with File/save as... coz i think you don't want to do the first part of this tut many times!
you will see command5_click, double click on it to look in this interesting thing :) now, go down with SC to look for your name, you will see:

--------------Start of SC cut--------------------------------
Mid(varian:byReF String:"ACiD BuRN",long1,VARIANT:Integer:1)
Asc(string:"A")returns Integer:65
Trim(VARIANT:Integer:34)
Mid(varian:byReF String:"ACiD BuRN",long2,VARIANT:Integer:1)
Asc(string:"C")returns Integer:67
Trim(VARIANT:Integer:32)
Mid(varian:byReF String:"ACiD BuRN",long3,VARIANT:Integer:1)
Asc(string:"i")returns Integer:105
Trim(VARIANT:Integer:10)
Mid(varian:byReF String:"ACiD BuRN",long4,VARIANT:Integer:1)
Asc(string:"D")returns Integer:68
Trim(VARIANT:Integer:39)
Mid(varian:byReF String:"ACiD BuRN",long5,VARIANT:Integer:1)
Asc(string:" ")returns Integer:32
Trim(VARIANT:Integer:67)
Mid(varian:byReF String:"ACiD BuRN",long6,VARIANT:Integer:1)
Asc(string:"B")returns Integer:66
Trim(VARIANT:Integer:33)
Mid(varian:byReF String:"ACiD BuRN",long7,VARIANT:Integer:1)
Asc(string:"u")returns Integer:117
Trim(VARIANT:Integer:22)
Mid(varian:byReF String:"ACiD BuRN",long8,VARIANT:Integer:1)
Asc(string:"R")returns Integer:82
Trim(VARIANT:Integer:49)
Mid(varian:byReF String:"ACiD BuRN",long8,VARIANT:Integer:1)
Asc(string:"N")returns Integer:78
Trim(VARIANT:Integer:45)
------------------End of Smartcheck cut----------------------

Now, look at this code! did you find something cool? look:

Mid(varian:byReF String:"ACiD BuRN",long1,VARIANT:Integer:1)   <= 1st char
Asc(string:"A")returns Integer:65                              <=== Ascii value in decimal
Trim(VARIANT:Integer:34)                                       <=== what is this value??

why not try all these values as the serial? so, take the value for each letter. You will find: 343210396733224945

so, now let's try it!
name   : ACiD BuRN
serial : 343210396733224945

click on check it and it works! cool, we have cracked it! now i will explain to you how to make a keygen!

3) Keygen it
so, how did it make this fucking value?! hehe! let me see! why not a xor operation!
look:
Asc(string:"A")returns Integer:65   <== 1st ascii value
Trim(VARIANT:Integer:34)            <== 1st good key
Asc(string:"C")returns Integer:67   <== 2nd ascii value
Trim(VARIANT:Integer:32)            <== 2nd good key
.....

if we do 65 XOR 34 (do this with the Windows scientific calculator) we find 99. hehe! if we find the same value with 67 XOR 32, we have found how to make a serial! let's see! 67 XOR 32 = 99! cool! we made it! coz if we do 67 XOR 99 = 32 =) the good value of the key.

so, to make a good serial for your name, you have to take the ascii value in decimal and xor it with 99. save this value and add next to it the result for each letter of your name! how to code that? i will give the source in VB5.

4) source of the Keygen:
--------------Start of the source-------------
Private Sub Command1_Click()
    Dim i As Integer, code As Integer
    Text2.Text = ""                               ' clear the old serial, else repeated clicks append to it
    For i = 1 To Len(Text1.Text)
        code = Asc(Mid$(Text1.Text, i, 1)) Xor 99 ' ascii value of the letter xor 99
        Text2.Text = Text2.Text & code            ' append the decimal value
    Next i
End Sub
----------------End of the source-------------

to test it, make a new project with a button and 2 textboxes. double click on the button and paste this code. hehe! Job done! Crackme Cracked! =)

i hope you have learned something with this tut, and sorry for my bad english. you can mail me at: Acid2600@hotmail.com
cya laterz!

Greetings to: ALl ReFLeXZ TeaM, all ECLiPSE TeaM, ALL CrackerWorld TeaM and all CrossOver Team coz i am a member of these cool groups! also greets to: tKC, BuLLeT, Duelist, Eternal Bliss, HarvestR, Parker, Agora ... so all my friends on effnet in #eclipse99, #reflexz99, #siliconcrackers, #C.i.A, #cracking4newbies ... if i forgot to put ur name here, sorry! too many people to greet!
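As an added example (not part of ACiD BuRN's tutorial or the crackme), the same reasoning in Python, from the analyst's side: it takes the (letter, value) pairs from the SmartCheck cut above, recovers the XOR constant by checking that every pair agrees on it, and rebuilds the check. It shows how little a constant-XOR serial scheme hides: a single known (letter, value) pair already gives the key. The TRACE list is constructed from the cut quoted above.

```python
# Added example: reconstructing the serial scheme from observed pairs.
# Not code from the crackme or the tutorial.

# Constructed from the SmartCheck cut above: (letter, value the check wants).
TRACE = [("A", 34), ("C", 32), ("i", 10), ("D", 39), (" ", 67),
         ("B", 33), ("u", 22), ("R", 49), ("N", 45)]


def recover_key(trace):
    """Recover the XOR constant from observed pairs.

    If out = ord(c) ^ key then key = ord(c) ^ out, so every pair yields the
    key directly.  All pairs must agree; if they do not, the scheme is not a
    single-constant XOR and this model is wrong.
    """
    keys = {ord(c) ^ v for c, v in trace}
    if len(keys) != 1:
        raise ValueError("trace does not fit a single-constant XOR: %r" % sorted(keys))
    return keys.pop()


def make_serial(name, key):
    """Serial = decimal value of (letter XOR key) per letter, concatenated.

    Note the concatenation has no separators: 1-, 2- and 3-digit values run
    together, which is why the check compares the whole string.
    """
    return "".join(str(ord(c) ^ key) for c in name)


def check_serial(name, serial, key):
    """The crackme's name/serial test, seen from the other side."""
    return serial == make_serial(name, key)


if __name__ == "__main__":
    key = recover_key(TRACE)
    print("recovered key:", key)                         # 99
    print("serial for ACiD BuRN:", make_serial("ACiD BuRN", key))
```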
Greets to all crackers =)
ACiD BuRN

How to patch Binary Clock v 2.3
http://www.barefootinc.com

2Lz : W32ASM 8.9 or higher
      Any Hex Editor will do

Hello,
For now I'm gonna try to show you how to PATCH (I've worked my a$$ so hard to find the SN in SoftIce, but I can't, so I guess you'll have to ask tHE lEGENDARY kEYBOARD cAPER on how to find it) Binary Clock v 2.3 (a small program that tells you the time in binary). BTW, you can get the keygen for this app by Snowcat @ http://snowcat.cjb.net. Okay enough p00p let's sKANK!

Got the proggy? OK, kewl! When you first run the program, a p00p screen comes up telling you "UNREGISTERED COPY, you have been using this for ... times". we don't want that to show up, do we? OK, disassemble the file, finished? Open the String Data Reference, look for UNREGISTERED <-- p00p screen, double click on it.... Wait! don't close the window yet, we'll use that later to find out if there's another one (which we will).

#1 string
:00402C61 8B86D4010000     mov eax, dword ptr [esi+000001D4]
:00402C67 85C0             test eax, eax
:00402C69 7556             jne 00402CC1        ........hmmm, I wonder what this is :)
* Possible StringData Ref from data obj ->"UNREGISTERED"
:00402C6B BFD8724200       mov edi, 004252D8
.........................................some crap

OK, make sure the line is on the jne, and write down the offset.

#2 string
* Possible StringData Ref from data obj ->"UNREGISTERED"
:004036E6 68D8524200       push 004252D8
:004036EB 55               push ebp
.........................................another crap

Trace up some lines 'til you find

* Reference to : KERNEL32.lstrlenA, Ord: 02A1h
|
:004036CB 8B3D58E14100     mov edi, dword ptr [0041E158]
:004036D1 55               push ebp
:004036D2 FFD7             call edi
:004036D4 7508             test eax, eax
:004036D6 5F               jne 004036E0        ......ah, another beautiful piece :)
........................................still another crap

Write down the offset again.

#1 offset 00002069h
#2 offset 00002AD6h

Trigger your Hex Editor (I use Hex Workshop 2.54) and with the search ability, help yourself, find
them. Okily, change 75 (JNE) to 74 (JE) and do the same with the other one. Press Ctrl+S to save the file (before you do it, make sure you closed W32Dasm and the program, or else it will give you a sharing violation message). OK, run the proggie, do you see a NAG SCREEN? Naw! Cool, we've patched it!

But...but....what the f@!k, Hey, you stupid cracker, I couldn't change the color! OK calm down, I'm pissed also, so write down the message, which is "The only color allowed in the unregistered version is red". So once again, *sigh* disassemble the file, and (again) find the message in SDR. if you're right you'll be right here:

..............................crappy crappy crap crap
:004029AC 6681FA0880       cmp dx, 8008
:004029B1 741A             je 004029CD         .........Hi, sweety!
:004029B3 6A40             push 00000040
* Possible StringData Ref from Data Obj ->"Binary Clock v2.3"
:004029B5 687C524200       push 0042527C
* Possible StringData Ref from Data Obj ->"The only color allowed in the "
                                         ->"unregistered version is red"
:004029BA 6840524200       push 00424240
......................................................

So again write down the offset, 00001DB1h, and change 74 (JE) to 75 (JNE) in your Hex Editor. Save it, run it. Can you change the color? Yesiree! We're finished!

Note: This might not be the best patch nor the clearest tutorial (since I'm a complete newbie), but I think I should share with you the happiness of patching for the first time :)

Special thanks: tKC and BuLLeT for makin' such great tutorials!

Last Word: I found a bug with this patch :( after you close the proggy, it won't show the last used color, instead it uses the first RED one, oh well, I'm satisfied anyway :)

If you find this tut somehow useful, please write me and share your happiness!
p00p tERTz
jurek@chickmail.com
written on June 6, 1999

THE SAINT Man

This is my first tutorial so I hope that you like it and most of all appreciate the hard work of making this tutorial understandable for you. If you don't like it simply don't read it, but if you have any suggestions on how to make it better e-mail me at zaaz12@post.tele.dk

ENGLISH: Well I'll let you judge that. (excuse my bad jokes but learn how to deal with it because I don't give a shit). Just kidding.

Target : The CD protections.
Tools  : Windasm 8.9 (or later version) or IDA PRO, any one, and any type of hex editor (in my case Hiew 6.3)
Notes  : This type of CD defeating does not work on all types of CD protections. Some CDs are overprotected. These kinds of protections are a little harder to defeat. I'll teach you how to defeat them in my next tutorial, but there will only be a next tutorial if you e-mail me (zaaz12@post.tele.dk) and tell me what you thought about this one or if you think that it is worth it for me to make more tutorials that you will read or USE.

Well now it's time to start the damn game you want to crack. Ok! Start the game you want to crack without the CD. It didn't work of course, but what did the error message say? For an example the error message could say "You need the XXX cd to play the XXX game." (XXX means the game that you are running). Remember it and press OK and load Windasm 8.9.

In Windasm 8.9 or newer
Ok! Load the game's exe. When it is done disassembling the exe press Strn.Ref next to Print in the right corner. A small window pops up. Scroll down and find the error message. (If you couldn't find an error message it's because it's protected with VB; e-mail me and I will make a tutor on how to crack those stupid protections). You found it. Double click on it and close the little window. You are now in the CD check routine. Look for every call and jump (also jmp, or jne) there is. Double click on the calls first. The OPBAR turned green. Ooops you fucked up. Kidding.
Look really good on your screen until you find this line: @offset, without the h. The line looks like this: @xxxxxxxh (remember that the xxxxxxx means some numbers; I say xxxxxx because the numbers change every time you double click on a line). Write down the numbers without the h. Close Windasm 8.9 now and load Hiew.

In Hiew
Ok! In Hiew you find the game's exe, use the cursors to land on the exe and press enter. Finished. Just kidding. Press F4 and then Decode. Press F5 and enter the numbers you wrote down in Windasm 8.9. Remember only the numbers, not the @ and not the h, only the numbers. Then press enter. You are now somewhere in the exe but you don't know where. Don't worry. Press F3 to edit.

(Well I have to explain something to you first. For every two numbers that you landed on you have to write 90. Example: we say that the numbers are: 12658943, then you just do like this: 12 to 90, 65 to 90, 89 to 90, 43 to 90, so it will look like this: 90 90 90 90. It will look exactly like that because every time two numbers are typed it will jump down. (90 means nop and that means no operation). When you are done then press F9 for update and F10 for exit.)

Success! You have cracked the mother fucking cd. e-mail me if you have any questions. (And please e-mail me and support me if you want me to make other tutorials too.) My E-mail is zaaz12@post.tele.dk

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #27 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
LiveWire for Splash Logo.
NiteHawk for providing a tut in this version.
CoSH/PCY for providing a tut in this version.
ACiD BuRN for providing a tut in this version.
p00p tERTz for providing a tut in this version.
The Saint Man for providing a tut in this version.
BugHUNTER for providing a tut in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials ..
see below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails everyday.. but be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 23 June 1999

Cracking Tutorial #26 is dedicated to Ms_Jessca... who else?