Welcome to Cracking Tutorial #29! Ah, finally. Sorry for the delays, but there is no modem at my home yet. :-/ As a bonus I'll do 5 versions today (#26, 27, 28, 29 and 30). *HELL!* Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :) Ok, let's rave!

You'll need the following tools. (I use these tools and I assume you'll use them too; it doesn't mean you'll need all of them, but be sure to have them handy for the examples in this tutorial!)

  SoftIce 3.25
  W32Dasm 8.93
  Hacker's View 6.10
  SmartCheck 6.03
  TASM 5.00
  Windows Commander 3.53 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

  http://surf.to/HarvestR or http://harvestr.cjb.net
  http://atlantez.nl.eu.org/Iczelion
  http://protools.cjb.net

or ask any cracker to get you these tools! Are you ready?! OK! ;)

A crACk By TaMaMBoLo From [( $$ SaMSoUL CRAcKInG $$ )]

Name      : WinHex
Version   : 8.3
Available : http://www.muenster.de/~sf or http://move.to/sf (secondary URL)
Target    : WinHex.exe (358912 bytes)

Hello! Here is my first tutorial, written for newbies... I kept my explanations as simple as possible so that everyone can understand them. Excuse my bad English grammar, but I am French...

For this crack I chose WinHex 8.3 as the target. It is a hexadecimal editor, ideal for you crackers...

Step one:

Install WinHex 8.3 and launch it. You immediately see that there are several protections:
  - Limitations
  - Impossible to save a file larger than 200 KB (!)
  - Nag screens (when WinHex starts and when you quit)
  - Time limit...

Ok! You have seen that there are several limitations in this software. Now, ROCK'n ROLL!

Step two:

Take W32Dasm 8.93 and disassemble the executable (WinHex.exe = 351 KB). When you launch WinHex several times in succession, WinHex shows you a nag screen: "PLEASE REGISTER SOON."
In W32Dasm double-click on "String Data References" and look for the text of the nag ("PLEASE REGISTER SOON."). You find it without problem, and clicking on it brings you here:

:00422330 803D7364440000  cmp byte ptr [00446473], 00   ; very interesting!
:00422337                 jne 00422375                   ; jump if the user is registered (no nag)
:00422339                 mov eax, dword ptr [00442C]    ; else load a value (the launch counter, judging by the division below)

* Possible ref. to Menu: MenuID_0001, Item: "Neu... Strg+N"
* Possible Reference to Dialog: DialogID_000E, CONTROL_ID:000A, "&Warnen vor Änderungen an Dateien dieser"

:004223                   mov ecx, 0000000A
:00422343                 cdq
:00422344                 idiv ecx                       ; counter / 10 ...
:00422346                 cmp edx, 00000008              ; ... is the remainder 8?
:00422349                 jne 00422375                   ; if not, no nag this time
:0042234B                 cmp byte ptr [00445660], 00    ; else: which language?
:00422352                 jne 00422362                   ; nonzero -> English nag
* Possible StringData ref from Obj Code ->"Da Sie dieses Programm relativ "   ; German nag
                                        ->"h "
:00422354                 mov eax, 00422524
:00422359                 mov dl, 03
:0042235B                 call 0040BC94                  ; nag screen displayed
:00422360                 jmp 0042236E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422352(C)
* Possible StringData ref from Obj Code ->"Please register soon."            ; English nag
|
:00422362                 mov eax, 00422590
:00422367                 mov dl, 03
:00422369                 call 0040BC94                  ; nag screen displayed

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422360(U)
|
:0042236E                 mov al, 04
:00422370                 call 0040B384                  ; end of nag (English and German)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422337(C), :00422349(C)
|
:00422375                 push 00000000                  ; GOOD BOY! no nag screen!
:00422377                 mov eax, dword ptr [00442014]
:0042237C                 push eax
:0042237D                 push 00000000
:0042237F                 mov eax, dword ptr [00446EE8]

Ok! You immediately see something very interesting: going up a little in the code, the program tests several memory addresses.
At address 0042234B there is a comparison: cmp byte ptr [00445660], 00. This comparison is not important for us: as the listing shows, the byte at 00445660 only decides whether the German or the English nag is displayed.

The comparison that decides whether the user is registered is at address 00422330: cmp byte ptr [00446473], 00. It is the byte at 00446473 that determines registration: if [446473] = 0 the user is not registered, and if [446473] = 1 the user is registered... It is not very hard to understand, is it?

Step three:

At some point the program initializes the byte at 446473. We need to find the place in the code where it does so and make it store 1 there. In assembler there are many ways to put 1 in a memory location, and we don't know how the programmer did it, so we search the code for every place where the program uses address 446473. Somewhere among them we will find the place where the program writes to 446473.

For the search, take W32Dasm, go to the "Search" menu, click "Find Text" and enter 736444. Yes, I entered the address bytes reversed (446473 becomes 73 64 44), but that is normal: x86 stores multi-byte values little-endian, i.e. the low-order byte first and the high-order byte last (look at the disassembly above, address 00422330, where the opcode bytes 803D73644400 encode the operand 00446473).

Step four:

You will find many places in the code where this address is referenced. Look at them carefully and you will notice one where the value being stored comes from XOR EAX,EAX. That is not very interesting as it stands, because XOR EAX,EAX sets EAX to 0, and we would rather force it to 1. Watch this!

:0043F662                 call 0040E0D8
:0043F667                 cmp eax, dword ptr [00446024]
:0043F66D                 je 0043F673

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F6(C)
:0043F66F                 xor eax, eax                    ; BAD BOY! EAX = 0 and...
:0043F671                 jmp 0043F675                    ; ... jump to 43F675 to store 0 in 446473

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F66D(C)
:0043F673                 mov al, 01                      ; GOOD BOY! AL = 1 and...
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F671(U)
:0043F675 A273644400      mov byte ptr [00446473], al     ; ... store AL in 446473 (it's GOOD for you!)

The programmer put his initialization routine at the end of the program, which is why the search takes so long... At address 0043F66F there is XOR EAX,EAX followed by a jump to address 0043F675, where the program stores the contents of AL in 446473... But at address 0043F673 there is a very interesting MOV AL,1! So what happens if we erase the XOR EAX,EAX and the JMP 0043F675?

Step five:

Take a hex editor, go to file offset 3EA6F and put 90,90,90,90 (four NOPs, replacing the four bytes 33 C0 EB 02 of xor eax,eax and the short jmp 0043F675). Now the program no longer sets EAX to 0; it falls through to MOV AL,1 and stores AL in 446473...

Make the patch and launch WinHex. BOOM! *!REGIsTeReD!*

For remarks, critics, contacts ===> tamambolo@post.club-internet.fr
Frenchies: if you want some tutorials written in French, send me a mail.

TaMaMBoLo 99 [( $$ SaMSoUL CRAcKInG $$ )]

Cookie Crusher v2.11
http://www.thelimitsoft.com/
Tutor by PinguTM (PinguTM@hotmail.com)

This is my 4th tutorial, hopefully not the last ;)
How to enter a random serial/key!

Tools:
  W32Dasm 8.93
  Hiew 6.03

Poor ole Addie was looking for a crack for this little proggie, so I decided to crack it for his sorry butt! ;)

1. When you start the program you get the usual stuff: the proggie will expire in 30 days... Hit NO, because you don't want to know how much you have to pay to register it!

2. Right-click the light bulb in the systray, go to "About Cookie Crusher" and then click "License Now". Fill out all the boxes and hit Register. BAH! A nag tells us that what we entered is wrong!

3. Load W32Dasm and disassemble cookie.exe. Now open the string data references and select "Invalid Registration ID!".

4. You will now see something like this....

* Possible StringData Ref from Data Obj ->"Invalid Registration ID!"
|
:00412F5F 685CCB4400      push 0044CB5C
:00412F64 E8541D0200      call 00434CBD
:00412F69 E957030000      jmp 004132C5

5.
Don't close the string data references yet. Now click "Thank you for licensing Cookie Crusher!" and you should arrive here....

* Possible StringData Ref from Data Obj ->"Thank you for licensing Cookie "
                                        ->"Crusher! We appreciate your business "
                                        ->"and support."
|
:0040CCD6 683D324600      push 0046323D
:0040CCDB 6A00            push 00000000

6. Now close the string data references and scroll up a little until you see this......

:0040CCB3 E8A0770100      call 00424458
:0040CCB8 66C745CC1400    mov [ebp-34], 0014
:0040CCBE 8BCF            mov ecx, edi
:0040CCC0 8BC1            mov eax, ecx
:0040CCC2 99              cdq
:0040CCC3 33C2            xor eax, edx
:0040CCC5 2BC2            sub eax, edx
:0040CCC7 3BD8            cmp ebx, eax
:0040CCC9 0F8543010000    jne 0040CE12
:0040CCCF 6A40            push 00000040

(The cdq / xor eax,edx / sub eax,edx sequence is the compiler's idiom for the absolute value of EAX, so the compare at 0040CCC7 checks whether EBX equals |EDI|; that is presumably the serial check.)

7. Notice that jne (jump if not equal). What do you think would happen if it were a je (jump if equal)? Well, load up Hiew. Press F4 and select Decode. Now press F5 and type in the file offset, which is C2C9. Press F3 for edit mode and type 0F84, press F9 to save and F10 to quit. Now reload Cookie Crusher, go back to the registration screen, fill in the details and hit Register. WOOHOO, it accepts the details :) (Note that the inverted jump now rejects the one ID the original code would have accepted.) Ok, close the program and reload. BAH, nag again :( Hmmm, remember the proggie lasts only for 30 days, well....

8. Select the string data references again and select "UNREGISTERED 30 DAY EVALUATION". You will arrive here...

* Possible StringData Ref from Data Obj ->"UNREGISTERED 30-DAY EVALUATION "
                                        ->"COPY ONLY"
|
:00401EEF BA24F74500      mov edx, 0045F724
:00401EF4 8D45CC          lea eax, dword ptr [ebp-34]
:00401EF7 E8FC220200      call 004241F8
:00401EFC FF8584FEFFFF    inc dword ptr [ebp+FFFFFE84]

9. Now close the string data references and scroll up a little until you see this......

:00401EDB 59              pop ecx
:00401EDC 8BFB            mov edi, ebx
:00401EDE 8BC8            mov ecx, eax
:00401EE0 8BC7            mov eax, edi
:00401EE2 99              cdq
:00401EE3 33C2            xor eax, edx
:00401EE5 2BC2            sub eax, edx
:00401EE7 3BC8            cmp ecx, eax
:00401EE9 0F840D030000    je 004021FC

10. Notice the je, well, let's change it to a jne... load up Hiew.
Press F4 and select Decode. Now press F5 and type in the file offset, which is 14E9. Press F3 for edit mode and type 0F85, press F9 to save and F10 to quit. Now reload Cookie Crusher again. Hmmm, no nag :) Fill out the usual registration details to register it (it should still accept anything you enter). Now close it again and reboot. Check "About Cookie Crusher". Look, it says it's registered to whatever you put in ;) Well Addie, now you know how I did it!

-=-=-=- PinguTM -=-=-=-

Akai CDxtract 1.23
http://home.fr.clara.net/chavonnet
Tutor by PinguTM (PinguTM@hotmail.com)

This is my 5th tutorial, whey, another one ;)
How to enter a random serial/key!

Tools:
  W32Dasm 8.93
  Hiew 6.03

The coder of this app must be a fucking idiot. This only took me 1 minute to crack ;)

1. When you start the program there are no nags, but functions are still limited :(

2. Click on Register, fill out the boxes and hit OK. BOOOO, a nag tells us it's wrong!

3. Load W32Dasm and disassemble cdxtract.exe (make a copy of it first, call it test.exe or something). Now open the string data references and select "Error: Incorrect user code".

4. You will now see something like this....

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00406AD6(C)
|
:00406B8A 6A00            push 00000000
:00406B8C 6A00            push 00000000

* Possible StringData Ref from Data Obj ->"Error: Incorrect user code"
|
:00406B8E 680CEA4000      push 0040EA0C

* Reference To: MFC42.MFC42:NoName0037, Ord:04B0h
|
:00406B93 E8963B0000      Call 0040A72E

5. Now close the string data references and notice the 00406AD6(C). We want to go to that part of the proggie, so open the Goto menu and select "Goto Code Location". Type 406AD6 and hit OK.

6. You will now see something like this....
:00406AC9 8B8D70FFFFFF    mov ecx, dword ptr [ebp+FFFFFF70]
:00406ACF 83B93878010000  cmp dword ptr [ecx+00017838], 00000000
:00406AD6 0F84AE000000    je 00406B8A
:00406ADC 8B9570FFFFFF    mov edx, dword ptr [ebp+FFFFFF70]
:00406AE2 81C220780100    add edx, 00017820
:00406AE8 52              push edx

* Possible StringData Ref from Data Obj ->"user_name"
|
:00406AE9 68B0E94000      push 0040E9B0

7. Notice the je: let's change it to a jne... load up Hiew. Press F4 and select Decode. Now press F5 and type in the file offset, which is 5ED6. Press F3 for edit mode and type 0F85, press F9 to save and F10 to quit. Now reload Akai CDxtract, enter whatever registration details you want and hit OK. Well, it's now registered ;) Reload to see if there is some kind of check. But there is not much point, because there isn't. Quite cool how changing ONE byte saved you $35 :)

-=-=-=- PinguTM -=-=-=-

High Grow 1.1
http:// - Don't know? Found on stupid cracking sites etc....? Ask the author at: slicker@mweb.co.za
Tutor by PinguTM (PinguTM@hotmail.com)

This is my 6th tutorial, whey, another one ;)
How to enter a random serial/key!

Tools:
  W32Dasm 8.93
  Hiew 6.03

Welcome to the world's first artificially simulated marijuana growing program. With HighGrow, you can now finally grow your own marijuana plants without the constant fear of a visit by members of your local narcotics branch! Although HighGrow encourages people to grow their own marijuana in its virtual growroom and guarantees that the growth of its virtual plants will closely resemble the growth of real plants, Slick Software will not be held responsible for encouraging anyone to grow real marijuana.

1. When you start the program you are greeted by the usual nags etc. Just click on "Registration code entry".

2. Fill out the boxes and hit "Register Highgrow". Guess what: Invalid Reg Id.

3. Load W32Dasm and disassemble highgrow.exe. Now open the string data references and select "Thank you for registering this version of highgrow".

4.
You will now see something like this....

* Possible Reference to String Resource ID=00041: "Thank you for registering this...
:00407E05 6A29            push 00000029
:00407E07 57              push edi

* Reference To: USER32.LoadStringA, Ord:0177h
|
:00407E08 FF1508664300    Call dword ptr [00436608]
:00407E0E 6A30            push 00000030

5. Now close the string data references and scroll up a little until you see this...

* Possible StringData Ref from Data Obj ->"385-9015453-728"
|
:00407DCC 8B15E8D04100    mov edx, dword ptr [0041D0E8]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00407DEC(C)
|
:00407DD2 8A08            mov cl, byte ptr [eax]
:00407DD4 3A0A            cmp cl, byte ptr [edx]

6. Notice the "385-9015453-728": the code you typed is compared byte by byte (the mov cl / cmp cl loop) against that string stored in the program, i.e. a hard-coded serial. So let's try registering with it. Fill out the registration boxes again with whatever name you want and use the code "385-9015453-728". BOOM, registration is accepted. Now you can grow your virtual dope for more than 100 days. If only getting dope was that easy ;)

7. This next section is for those of you who have been locked out of the program by the "Lock Highgrow" function. This lets the user password-protect it so that nobody else can get in. Well, if your brother or whoever has done this and you want to drown his plants etc. to piss him off, read on....

8. Open the string data references and select "Invalid Password Entered". You will see this..

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004073E6(U)
|
:004073ED 85C0            test eax, eax
:004073EF 743C            je 0040742D
:004073F1 6A30            push 00000030

* Possible StringData Ref from Data Obj ->"Warning"
|
:004073F3 68ACD14100      push 0041D1AC

* Possible StringData Ref from Data Obj ->"Invalid Password Entered!"
|
:004073F8 68B4D14100      push 0041D1B4
:004073FD 56              push esi

9. Notice the je: let's change it to a jne... load up Hiew. Press F4 and select Decode. Now press F5 and type in the file offset, which is 67EF. Press F3 for edit mode and type 75, press F9 to save and F10 to quit.
Reload Highgrow and when it asks for the password just hit "Check Password", and that's you in ;)

-=-=-=- PinguTM -=-=-=-

EVE Text Editor v1.0
http://www.canexus.com/eve
Tutor by PinguTM (PinguTM@hotmail.com)

This is my 7th tutorial, whey, another one ;)
How to enter a random serial/key!

Tools:
  W32Dasm 8.93
  Hiew 6.03

EVE is a powerful tool designed to combat the growing problem of internet plagiarism. EVE accepts essays in plain text format and returns links to web pages from which a student may have plagiarized. EVE has been developed to be powerful enough to find plagiarized material while not overwhelming the professor with false links. Try EVE by giving it an essay in plain text (.txt) format. Next, find some similar material on the web, copy a couple of paragraphs into the essay, and give the new essay to EVE.

1. When you start the program you are greeted straight away by the registration screen.

2. Fill out the boxes and hit Unlock. It says that invalid data has been entered.

3. Load W32Dasm and disassemble eve.exe. Now open the string data references and select "Invalid username or registration".

4. You will now see something like this....

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040461E(C), :0040488D(C)
|
:00404986 6A00            push 00000000
:00404988 6A00            push 00000000

* Possible StringData Ref from Data Obj ->"Invalid Username or Registration "
                                        ->"Code"
|
:0040498A 681CD44300      push 0043D41C
:0040498F E863260200      call 00426FF7

5. Notice the 0040488D(C). We want to go to that part of the proggie, so open the Goto menu and select "Goto Code Location". Type 40488D and hit OK. You should see this.....
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00404884(U)
|
:0040488B 85C0            test eax, eax
:0040488D 0F85F3000000    jne 00404986
:00404893 6A01            push 00000001
:00404895 8D4C2410        lea ecx, dword ptr [esp+10]
:00404899 E852450100      call 00418DF0
:0040489E 8D442470        lea eax, dword ptr [esp+70]
:004048A2 6A63            push 00000063
:004048A4 50              push eax
:004048A5 C784241801000000000000 mov dword ptr [esp+00000118], 00000000

6. Notice the jne: let's change it to a je... load up Hiew. Press F4 and select Decode. Now press F5 and type in the file offset, which is 3C8D. Press F3 for edit mode and type 0F84, press F9 to save and F10 to quit. Reload EVE, enter anything you like and hit UNLOCK. Kewl, it accepts it :) But did you notice the message in the registration screen? "One of the files EVE needs was corrupted and will be replaced". It's a CRC check that has noticed our patch :( So....

7. Open the string data references and select "One of the files EVE needs was ". You should see something like this...

|
:0040422D 3BC3            cmp eax, ebx
:0040422F 755F            jne 00404290

* Possible StringData Ref from Data Obj ->"One of the Files EVE needs was "
                                        ->"corrupted and will be replaced."
|
:00404231 BFACD24300      mov edi, 0043D2AC
:00404236 83C9FF          or ecx, FFFFFFFF
:00404239 33C0            xor eax, eax

8. Obvious: let's change that jne to a je... load up Hiew. Press F4 and select Decode. Now press F5 and type in the file offset, which is 362F. Press F3 for edit mode and type 74, press F9 to save and F10 to quit. (With the jump inverted the program only carries on when the two values differ, which is exactly the case for a patched file; an unpatched copy would now trip the message instead.) Reload EVE. Hehehe, no registration screen and fully working. Hmmmm, what can I crack next???? cya next time ;)

-=-=-=- PinguTM -=-=-=-

HOW TO CRACK Html Publisher Pro 3.010
dAvid/nIgHtMaRe'1 on Jun 1999

Welcome to my 16th cracking tutorial. This time I'll teach you how to crack Html Publisher Pro 3.010. Sorry for my bad grammar, but I hope you will understand it anyway...
Tools used:
  W32Dasm 8.93 (SIMPLY the best)
  Far 1.52 or any other Norton Commander-like clone
  1 or more cups of coffee (a pot will usually do); you can also drink tea
  1 or more ciggys (a pack will usually do) (smoke 'em baby, smoke 'em) hehe

Where:           http://www.fcoder.com
Protection type: serial
Crack type:      correct serial

Run Html Publisher Pro 3.010. You'll be greeted with a nag screen plus a place to enter the correct serial that you got when you bought the proggy (yeah, right!). Well, enter any serial you like. I entered 123454 and got this error message:

  RegCode is not correct
  For Registration contact with http://www.fcoder.com

Yeah sure, I'll register... not at that place, hehe. Go to Far and copy PublisherPro.exe to PublisherPro.w32 for use with W32Dasm. When done, go to the "Strn Ref" button and click it. Now look for the error message you got (you do remember it, right? Well, anyway, you should). Hmm, what the f... is this? I can't find that message anywhere. Hmm, maybe it's encrypted? No, I don't think so. Let's try the Import button. What are you waiting for, click it! Hmm, what is this, check.dll? That's not a normal DLL that Windoze has, is it? No. Back to Far: copy check.dll to check.w32 for use with W32Dasm. Back to W32Dasm and disassemble check.w32. When done, go to the "Strn Ref" button and click it. Let's see if we can find the error message now. Found it, good. In case you still can't, just look for "RegCode is not correct For Registration". You have found it now, right???
Well, good. But what's that just below it? "REGCODE" (NICE). Click it and close the Strn Ref window. You'll be here:

* Possible StringData Ref from Data Obj ->"REGCODE"
:10001938 E8EE150100      call 10012F2B                  ; <- hey, check it out :)
:1000193D 84DB            test bl, bl
:1000193F 0F84A1000000    je 100019E6
:10001945 8B4DF0          mov ecx, dword ptr [ebp-10]

So check the call out: press the right arrow and you'll land here:

:10012F2B 56              push esi
:10012F2C 8BF1            mov esi, ecx
:10012F2E 8B06            mov eax, dword ptr [esi]
:10012F30 8D48F4          lea ecx, dword ptr [eax-0C]
:10012F33 3B0DC8E30110    cmp ecx, dword ptr [1001E3C8]  ; <- nice
:10012F39 7418            je 10012F53
:10012F3B 83C0F4          add eax, FFFFFFF4
:10012F3E 50              push eax

Now, first I tried to use a calculator to convert the hex to decimal; that didn't work. Then I thought to myself, well, I'm sure that's the correct code somehow. Hmm, let's remove the hex letters from it (1001E3C8 with the letters dropped gives 100138). So I started up Html Publisher Pro 3.010, entered 100138 as the code and pressed "Register me", and guess what? **rEgGeD** COOL :) Another protection broken, nothing is gonna stop me now, hehe. This might also work with other software from http://www.fcoder.com, but I don't know since I haven't checked it out yet, but I will, and then I'll get back to you with a new tutorial.

If you've got any comments or questions, send them to me; if I've got enough time I'll send you an e-mail back. You might find me on IRC (EFnet) in the channels #bsc or #c.i.a under the nick dAvId_nM1; if I've got time I'll chat. Anyway, I hope to see you in tutor #17.

Cracking Tutorial #16
Written by dAvid/nIgHtMaRe'1 on Jun 1999
Wanna contact me? Yeah, it's possible: e-mail me at dAvIdnM1@usa.net

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #30 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  Funkyzero/CiA for the splash logo.
  TaMaMBoLo for providing a tut in this version.
  dAvid/nIgHtMaRe'1 for providing a tut in this version.
  PinguTM for providing 4 tuts in this version.
  tKC/CiA (hey it's me!)
for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutorials for the next versions. See below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org
Oh btw, please don't expect me to reply to your mails, since I get 50 +/- mails every day. Be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 23 June 1999

Cracking Tutorial #29 is dedicated to Ms_Jessca... who else?
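Every patch in this version follows the same three mechanical steps: translate the virtual address W32Dasm shows into a file offset (the number typed after F5 in Hiew), check that the bytes at that offset really are the instruction from the listing, and then either overwrite a short sequence with NOPs (WinHex, step five) or flip a conditional jump to its opposite (the 0F85/0F84 and 74/75 edits in the Cookie Crusher, CDxtract, HighGrow and EVE tutorials). The Python script below is an added example and is not code from any of the tutorials or their authors. It runs those steps against constructed byte buffers, not the real executables; the section-table values it uses (a .text section at RVA 0x1000 with raw data at file offset 0x400 for WinHex and 0x600 for Cookie Crusher), the 0x400000 image base, and the function and constant names are all assumptions chosen so that the arithmetic reproduces the offsets quoted in the text (0043F66F -> 3EA6F, 0040CCC9 -> C2C9, 00401EE9 -> 14E9). It also builds the little-endian search pattern (73 64 44 00) that step three of the WinHex tutorial typed by hand, and refuses to write if the bytes on disk do not match the listing, which is the check you want before touching any binary.

```python
"""Added example (not from any tutorial above): the 'find the offset,
check the bytes, patch' steps done in Python on constructed buffers.
Section-table values, image base and byte buffers are assumptions built
for the example; no real executable is touched.
"""
import struct

IMAGE_BASE = 0x400000  # default image base of the targets above (assumed)

# je <-> jne in short form (74/75) and near form (0F 84 / 0F 85)
SHORT_INVERT = {0x74: 0x75, 0x75: 0x74}
NEAR_INVERT = {0x84: 0x85, 0x85: 0x84}


def va_to_file_offset(va, sections, image_base=IMAGE_BASE):
    """Map a virtual address to a file offset via the PE section table.
    sections: (VirtualAddress, PointerToRawData, SizeOfRawData) tuples.
    Raises ValueError for addresses with no file backing (e.g. .bss)."""
    rva = va - image_base
    for virt_addr, raw_ptr, raw_size in sections:
        if virt_addr <= rva < virt_addr + raw_size:
            return rva - virt_addr + raw_ptr
    raise ValueError("VA %#x is not backed by any section" % va)


def le_pattern(addr):
    """Little-endian bytes of a 32-bit address: 0x446473 -> 73 64 44 00,
    which is why the WinHex tutorial searched for 736444."""
    return struct.pack("<I", addr)


def find_all(data, pattern):
    """Every offset at which pattern occurs in data."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def patch(data, offset, expected, replacement):
    """Overwrite bytes only if they match what the disassembly showed;
    returns a new bytearray and never changes the code size."""
    if len(expected) != len(replacement):
        raise ValueError("patch must not change code size")
    actual = bytes(data[offset:offset + len(expected)])
    if actual != expected:
        raise ValueError("bytes at %#x are %s, expected %s"
                         % (offset, actual.hex(), expected.hex()))
    out = bytearray(data)
    out[offset:offset + len(replacement)] = replacement
    return out


def invert_jump(data, offset):
    """Flip je<->jne at offset (short or near form)."""
    op = data[offset]
    if op in SHORT_INVERT:
        return patch(data, offset, bytes([op]), bytes([SHORT_INVERT[op]]))
    if op == 0x0F and data[offset + 1] in NEAR_INVERT:
        op2 = data[offset + 1]
        return patch(data, offset, bytes([0x0F, op2]),
                     bytes([0x0F, NEAR_INVERT[op2]]))
    raise ValueError("no je/jne at %#x" % offset)


def nop_out(data, offset, expected):
    """Replace an instruction sequence with NOPs (the WinHex patch)."""
    return patch(data, offset, expected, b"\x90" * len(expected))


# Constructed WinHex sample: the code at 0043F66F..0043F679 from the listing,
# xor eax,eax ; jmp short 0043F675 ; mov al,1 ; mov [00446473],al.
# A .text section at RVA 0x1000 with raw data at 0x400 (assumed) gives the
# 0xC00 delta that maps 0043F66F to the file offset 3EA6F quoted in the text.
WINHEX_SECTIONS = [(0x1000, 0x400, 0x3F000)]
WINHEX_CODE = bytes.fromhex("33C0 EB02 B001 A273644400")
WINHEX_IMAGE = bytearray(0x3F000)
WINHEX_IMAGE[0x3EA6F:0x3EA6F + len(WINHEX_CODE)] = WINHEX_CODE

# Constructed Cookie Crusher sample: cmp ebx,eax ; jne 0040CE12 ; push 40 at
# 0040CCC7, with raw data at 0x600 (assumed) giving the text's offset C2C9.
COOKIE_SECTIONS = [(0x1000, 0x600, 0x20000)]
COOKIE_CODE = bytes.fromhex("3BD8 0F8543010000 6A40")
COOKIE_IMAGE = bytearray(0x20000)
COOKIE_IMAGE[0xC2C7:0xC2C7 + len(COOKIE_CODE)] = COOKIE_CODE


def patch_winhex(image=WINHEX_IMAGE):
    """Steps three to five of the WinHex tutorial: locate every
    'mov [00446473], al' (opcode A2 + little-endian address), then NOP out
    the xor eax,eax / jmp pair so the mov al,1 path is always taken."""
    off = va_to_file_offset(0x43F66F, WINHEX_SECTIONS)
    stores = [h - 1 for h in find_all(image, le_pattern(0x446473))
              if h > 0 and image[h - 1] == 0xA2]
    patched = nop_out(image, off, bytes.fromhex("33C0EB02"))
    return off, stores, bytes(patched[off:off + len(WINHEX_CODE)])


def patch_cookie(image=COOKIE_IMAGE):
    """The Cookie Crusher edit: jne -> je at 0040CCC9 (0F 85 -> 0F 84)."""
    off = va_to_file_offset(0x40CCC9, COOKIE_SECTIONS)
    patched = invert_jump(image, off)
    return off, bytes(patched[off:off + 6])
```

For a real target you would read the section table from the PE headers (pefile, or IMAGE_SECTION_HEADER parsed with struct) instead of typing it in, and pass the whole file as the buffer; the expected-bytes check in patch() then catches the usual mistakes (wrong section delta, a packed or different build of the program) before anything is written.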