Welcome to Cracking Tutorial #31! Ah, finally I'm back! Many thanks go to Ms_Jessca for providing me a modem. (Jess: thank you, my liefie!) Today I'll do 2 versions (#31 and #32). *welp* Like I said earlier, nothing is gonna stop me now! :) Anyway, enjoy it! :) OK, let's rave!

You'll need the following tools. (I use these tools and assume you'll use them too, but you won't need all of them for every example, so just have them handy for this tutorial.)

   SoftICE 4.00
   W32Dasm 8.93
   Hacker's View 6.10
   SmartCheck 6.03
   TASM 5.00
   Windows Commander 4.00 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

   http://surf.to/HarvestR or http://harvestr.cjb.net
   http://atlantez.nl.eu.org/Iczelion
   http://protools.cjb.net

or ask any cracker to get you these tools! Are you ready?! OK! ;)

Poster 6.1
http://www.postersoftware.com

Tutor by PinguTM (PinguTM@hotmail.com)
This is my 8th tutorial, whey another one ;)

How to enter a random serial
Tools: W32Dasm Ver 8.93

POSTER 6 is the Windows 95/98 32-bit version of the acclaimed Windows shareware program for making big posters, signs, and banners. Posters can be up to 9 feet by 9 feet at 300 DPI, even bigger at lower resolutions. Poster combines the best features of word processing, graphics, and desktop publishing with features especially tuned for big posters and banners. This includes complete flexibility in the placement of graphics, a full set of drawing tools and over 100 special effects (like 3D, rotate, and arch) for text. All text and graphics are enlarged and tiled over multiple pages. POSTER supports all TrueType and ATM fonts, and imports graphics from BMP, GIF, JPG, TIF, and WMF files, scanners (TWAIN), the Clipboard, and OLE applications. A spelling checker is included. POSTER supports full color, and all Windows-compatible printers.
Full support is provided for non-standard poster and paper sizes, including continuous-form banner printing. POSTER includes exclusives like picture smoothing for smooth enlargements, and font stretching for all Windows fonts, including special effects.

1. When you start the program you encounter nags and other shit. Once in the program, go to Help, then Registration. Next click on Enter Registration Code.

2. Enter any code and hit OK. Yep, guess what... Wrong code :(

3. Load W32Dasm and disassemble poster.exe. Now open the string data references and select "Invalid Registration Code".

4. You will now see something like this:

   * Possible Reference to String Resource ID=00175: "Invalid Registration Code"
   |
   :0040B835 68AF000000       push 000000AF
   :0040B83A 8B1598A84700     mov edx, dword ptr [0047A898]
   :0040B840 52               push edx
   :0040B841 E8CA7C0300       call 00443510
   :0040B846 83C408           add esp, 00000008

5. Scroll up a little till you see this:

   * Possible StringData Ref from Data Obj ->"081349"
   |
   :0040B805 68B4F34600       push 0046F3B4
   :0040B80A 8D8554FFFFFF     lea eax, dword ptr [ebp+FFFFFF54]
   :0040B810 50               push eax
   :0040B811 E88A120500       call 0045CAA0
   :0040B816 83C408           add esp, 00000008
   :0040B819 85C0             test eax, eax
   :0040B81B 7436             je 0040B853

   * Possible StringData Ref from Data Obj ->"050582"
   |
   :0040B81D 68BCF34600       push 0046F3BC
   :0040B822 8D8D54FFFFFF     lea ecx, dword ptr [ebp+FFFFFF54]
   :0040B828 51               push ecx
   :0040B829 E872120500       call 0045CAA0
   :0040B82E 83C408           add esp, 00000008
   :0040B831 85C0             test eax, eax
   :0040B833 741E             je 0040B853

Each block pushes a fixed string and the buffer holding what you typed, calls the same compare routine at 0045CAA0, and jumps to 0040B853 when it returns zero. Falling through both compares is what reaches the "Invalid Registration Code" push at 0040B835, so 0040B853 is the registered path and either fixed string is accepted.

6. Hmmmmm, I wonder what those 6-digit codes can be. Well, load up Poster again and go back to the Registration screen. Enter the first code "081349" and hit OK. Just as I thought. Whey, registered baby ;) ! See what happens when you enter the other code, but being registered is good enough for me!
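A way to recover these references without W32Dasm, as an added example (my code, not Poster's and not W32Dasm's): it sweeps a code blob for push imm32 instructions whose immediate points at a printable NUL-terminated string in a data blob, which is the same heuristic behind the "Possible StringData Ref" lines above. The code bytes are transcribed from the listing at 0040B805..0040B833; the data-object layout (one padding byte between the two strings so that the second lands at 0046F3BC) and the use of flat blobs instead of a parsed PE are assumptions made for the demo.

```python
# Added example (not Poster's code, not W32Dasm's): a minimal version of the
# "Possible StringData Ref from Data Obj" heuristic. The byte layout below is
# constructed from the listing; addresses and padding are demo assumptions.
import string
import struct

# Printable ASCII minus control characters; a "string" must be made of these.
PRINTABLE = set(string.printable.encode("ascii")) - set(b"\t\n\r\x0b\x0c")


def read_cstring(data, data_base, va, max_len=64):
    """Return the NUL-terminated printable string at virtual address va,
    or None if va is outside the data blob or the bytes are not text."""
    off = va - data_base
    if not 0 <= off < len(data):
        return None
    end = data.find(b"\x00", off, off + max_len)
    if end <= off:                      # no terminator, or empty string
        return None
    chunk = data[off:end]
    if all(b in PRINTABLE for b in chunk):
        return chunk.decode("ascii")
    return None


def find_string_refs(code, code_base, data, data_base):
    """Linear sweep for 'push imm32' (opcode 68) whose immediate lands on a
    printable C string in the data blob. No disassembly is done, so a 0x68
    byte inside another instruction can give a spurious hit; that is why
    W32Dasm labels these 'Possible'. Returns [(code_va, target_va, text)]."""
    refs = []
    off = code.find(b"\x68")
    while off != -1 and off + 5 <= len(code):
        target = struct.unpack_from("<I", code, off + 1)[0]
        text = read_cstring(data, data_base, target)
        if text is not None:
            refs.append((code_base + off, target, text))
        off = code.find(b"\x68", off + 1)
    return refs


# Constructed sample, transcribed from the listing at 0040B805..0040B833.
POSTER_CODE_BASE = 0x0040B805
POSTER_CODE = bytes.fromhex(
    "68B4F34600"        # push 0046F3B4          -> "081349"
    "8D8554FFFFFF"      # lea eax, [ebp-0AC]     (buffer with the entered code)
    "50"                # push eax
    "E88A120500"        # call 0045CAA0          (string compare)
    "83C408"            # add esp, 8
    "85C0"              # test eax, eax
    "7436"              # je 0040B853            (registered path)
    "68BCF34600"        # push 0046F3BC          -> "050582"
    "8D8D54FFFFFF"      # lea ecx, [ebp-0AC]
    "51"                # push ecx
    "E872120500"        # call 0045CAA0
    "83C408"            # add esp, 8
    "85C0"              # test eax, eax
    "741E"              # je 0040B853
)
# Data object at 0046F3B4. The one byte of padding after "081349\0" is an
# assumption that makes "050582" land at 0046F3BC as in the listing.
POSTER_DATA_BASE = 0x0046F3B4
POSTER_DATA = b"081349\x00\x00" + b"050582\x00\x00"


def poster_refs():
    """The string references W32Dasm reported for the Poster check."""
    return find_string_refs(POSTER_CODE, POSTER_CODE_BASE,
                            POSTER_DATA, POSTER_DATA_BASE)


if __name__ == "__main__":
    for code_va, target, text in poster_refs():
        print(f"{code_va:08X}: push {target:08X} -> \"{text}\"")
```

On a real PE you would feed the .text section as the code blob and the section that holds the string (here the data object at 0046F3B4) as the data blob, each with its virtual address; the sweep is deliberately dumb, so always confirm a hit by looking at the surrounding instructions, as the tutorial does in steps 4 and 5.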
-=-=-=- PinguTM -=-=-=-

Lorenz Graf's HTMLtool v2.7
http://www.lograf.com

Welcome to Lorenz Graf's HTMLtool, one of the most versatile and most affordable code-oriented HTML editors available for Windows.

1) Run HTMLTOOL.EXE and you will see a message box stating "Please register !".

2) Click on "Enter registration code" and enter the following:
   Name/Company: C4A Team
   Registration code: 665544332211

3) Press CTRL-D to drop into SoftICE, type "bpx hmemcpy", and press CTRL-D to return to Lorenz Graf's HTMLtool. Finally, click on the "Register" button and you are back in SoftICE.

4) Press F12 until you see the following:

   xxxx:004EBBD3 8B45F8     MOV EAX,[EBP-08]
   xxxx:004EBBD6 8D55FC     LEA EDX,[EBP-04]   <-- type "d eax"
   xxxx:004EBBD9 E80A32FFFF CALL 004DEDE8      <-- KeyGen routine
   xxxx:004EBBDE 8B45FC     MOV EAX,[EBP-04]
   xxxx:004EBBE1 50         PUSH EAX           <-- type "d eax"

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Press F10 until the line below:
   xxxx:004EBBD6 8D55FC     LEA EDX,[EBP-04]

7) Then type "d eax" and you will see something interesting like "C4A Team" in the Data Window. Hah, it's our entered Name/Company.

8) Press F10 again until the line below:
   xxxx:004EBBE1 50         PUSH EAX

9) Type "d eax" and you will see something interesting like "2FB1FE035EB2BF6C" in the Data Window. Hah, it's the real registration code: the routine at 004DEDE8 gets the name in EAX and the address of the result variable in EDX, and [EBP-04] holds the computed code once it returns.

10) Press CTRL-D to return to Lorenz Graf's HTMLtool. Enter the following:
   Name/Company: C4A Team
   Registration code: 2FB1FE035EB2BF6C

BOOM, it's registered! Well, I hope you learned something from this tutorial.

mailto: mr_fanatic@iname.com or c4a@iname.com

@MailGate v2.75
http://www.titansoft.com

@MailGate is a program designed to route mail. With MailGate you can route mail to faxes (with its built-in fax gateway), Internet users, MAPI users, and printers (local or network). You can also create auto-responders etc. Spam filtering can be used to eliminate unwanted mail.
Messages can be saved as files for users of the @MailGate client. When first running MailGate you are asked for MAPI profile information etc. If you are not using MAPI just uncheck "Use MAPI". The MAPI gateway functionality of MailGate is just a small part of MailGate's power.

1) Run MAILGAT2.EXE.

2) Click on "About", then "Register", and enter the following:
   Registration Name: C4A Team
   Registration ID  : 11223344

3) Press CTRL-D to drop into SoftICE, type "bpx hmemcpy", and press CTRL-D to return to @MailGate. Finally, click on the "Register" button and you are back in SoftICE.

4) Press F12 until you see the following:

   xxxx:004AC1DF 8B45F8       MOV EAX,[EBP-08]
   xxxx:004AC1E2 E8E57BF5FF   CALL 00403DDC
   xxxx:004AC1E7 8BD8         MOV EBX,EAX
   xxxx:004AC1E9 85DB         TEST EBX,EBX
   xxxx:004AC1EB 7E28         JLE 004AC225

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Then press F10 until you see the following:

   xxxx:004AC202 8D55F8       LEA EDX,[EBP-08]
   xxxx:004AC205 8B86DC010000 MOV EAX,[ESI+000001DC]
   xxxx:004AC20B E8546EF7FF   CALL 00423064
   xxxx:004AC210 8B45F8       MOV EAX,[EBP-08]
   xxxx:004AC213 0FB64438FF   MOVZX EAX, BYTE PTR [EDI+EAX-01]
   xxxx:004AC218 69C0A76F0200 IMUL EAX,EAX,00026FA7
   xxxx:004AC21E 0145FC       ADD [EBP-04],EAX
   xxxx:004AC221 47           INC EDI
   xxxx:004AC222 4B           DEC EBX
   xxxx:004AC223 75DD         JNZ 004AC202

   The call at 004AC1E2 returns the length of the name, which goes into EBX; the JLE skips the loop for an empty name. Inside the loop EDI is a 1-based index into the name (hence the -01 in the MOVZX), so the body runs exactly once per character.

7) At xxxx:004AC213 0FB64438FF MOVZX EAX, BYTE PTR [EDI+EAX-01], type "d eax" and you will see our registration name "C4A Team" in the Data Window. Below is the hex for "C4A Team" (20 = space):

   C  4  A     T  e  a  m
   43 34 41 20 54 65 61 6D

8) At xxxx:004AC218 69C0A76F0200 IMUL EAX,EAX,00026FA7, type "? eax" and you will see the following:
   00000043 0000000067 "C"
   The hex code of "C" is 43, so EAX equals 43. It is then multiplied by 26FA7.

9) At xxxx:004AC21E 0145FC ADD [EBP-04],EAX, type "? eax" and you will see the following:
   00A338B5 0010696885
   The value in EAX (43 * 26FA7) is added to [EBP-04], which is currently 0.
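The loop traced in steps 6 to 9, reimplemented as an added example (my code, not @MailGate's; the C listing that step 10 starts is cut off in this copy, so this Python version is reconstructed from the disassembly alone). Each byte of the name is multiplied by 26FA7h and added into the 32-bit dword at [EBP-04]. What the program then does with that accumulator, i.e. how it is turned into or compared with the 8-digit Registration ID, is not shown on the page, so the example stops at that value.

```python
# Added example (not @MailGate's code): the accumulator loop at
# 004AC202..004AC223, reconstructed from the disassembly in steps 6 to 9.
MULT = 0x00026FA7        # the IMUL constant at 004AC218
MASK = 0xFFFFFFFF        # [EBP-04] is a 32-bit dword, so ADD wraps


def mailgate_steps(name: str):
    """Yield (char, eax_after_imul, accumulator_after_add) for every byte of
    the name, i.e. what '? eax' shows at 004AC218 and 004AC21E on each pass.
    EDI runs 1..len, so MOVZX EAX, BYTE PTR [EDI+EAX-01] reads the bytes in
    order; a zero-length name never enters the loop (TEST EBX,EBX / JLE)."""
    acc = 0                                   # [EBP-04] starts at 0
    for ch in name.encode("latin-1"):         # one byte per character
        eax = (ch * MULT) & MASK              # IMUL EAX, EAX, 00026FA7
        acc = (acc + eax) & MASK              # ADD [EBP-04], EAX
        yield chr(ch), eax, acc


def mailgate_accumulator(name: str) -> int:
    """Value left in [EBP-04] when the JNZ at 004AC223 finally falls through.
    How @MailGate maps this to the Registration ID is not on the page."""
    acc = 0
    for _, _, acc in mailgate_steps(name):
        pass
    return acc


if __name__ == "__main__":
    # "C 4 A   T e a m" = 43 34 41 20 54 65 61 6D, as in step 7
    for ch, eax, acc in mailgate_steps("C4A Team"):
        print(f"{ch!r:5} eax={eax:08X} ({eax:d})  [ebp-04]={acc:08X}")
    print(f"final [ebp-04] = {mailgate_accumulator('C4A Team'):08X}")
```

The first pass reproduces the values seen in SoftICE: 43h * 26FA7h = A338B5h (10696885 decimal). Note what the loop is: a sum of byte * constant, so it does not depend on character order (any anagram of a name gives the same accumulator) and it wraps silently once the sum passes 32 bits, which is worth knowing before trusting it as a fingerprint of the name.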
10) There is a loop between 004AC202 and 004AC223. Below is part of the calculation of the regcode in C:

   for(i=0;i
   [the rest of this listing was cut off in this copy]

[Tomb Raider III (ACiD BuRN / ReFleXZ'99): the beginning of this essay is missing from this copy; it picks up in the list of jumps to patch.]

   - (first entry cut off) ... ===> 85 (jne) becomes 84 (je)
   - for "Oket.afp": 0F85AD000000 by 0F84AD000000 ===> 85 (jne) becomes 84 (je)
   - nothing for "Vfaw.afp"

Only the second opcode byte changes here: 0F 85 rel32 is the long-form jne and 0F 84 rel32 the long-form je, so the displacement AD000000 and the instruction length stay the same and nothing else in the file shifts.

Now you have to save the change with a hex editor! When it is finished, you just have to run the game. The game works fine with a CD-R! Tomb Raider III is now cracked!

Notes: if you want to save the change with the hex editor, you must save the file under another name, because it is in use by W32Dasm and write-protected. E.g. save it as Tomb.exe, then close W32Dasm and rename it to Tomb3.exe!

Voila! That is it for this tutor! I hope you learn something from it! If there is a problem you can mail me at acid2600@hotmail.com. Happy cracking and have fun! :)

ACiD BuRN [ReFleXZ'99]

Final Notes...

Greetz to: R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, Torn@do, T4D, Jeff, [Virus], Jane, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes ... ---> 4 being so good friends to me. (Sorry if you are not here, too many people to greet!) ....And all crackers!

You can find me on IRC at #ReFleXZ99, #Cracking4Newbies, #ECL on EFnet.

Disclaimer...

This tutorial is written for EDUCATIONAL purposes only. So if you want to use the program after its trial period ends, please BUY IT! Support shareware (and its authors), this is our learning tool! ReFleXZ is not responsible for any damage caused with this essay or any of its parts. Everything you're doing and 'experimenting' is on your own responsibility! Also, in this tutorial you'll not find any serial numbers, so try to search elsewhere under Cracks and Warez.

Copyright c 1999-2000 By ReFleXZ '99 All Rights Reserved

WWW Gif Animator 1.0

This tutorial is coming from... ReFleXZ '99
Url: Http://ReFleXZ99.cjb.net
Email: ReFleXZ@fcmail.com

About the essay...
Written by: ACiD BuRN
Date: 20th March 1999
Program name: WWW Gif Animator v1.0
Program type: W32
Program location: Here
Program filename: N/A
Program size: n/c
Tools required: Soft-ICE 3.2x
Difficulty level: Easy ( X ) Medium ( ) Hard ( ) Pro ( )

Introduction...

Yes! Another tut for you! This time we will crack using Soft-ICE! We won't patch the file but find the correct serial for our name!

About the protection...

Name / Serial protection....

The Essay...

When we enter our name, surname and a random serial number and press OK, the prog says that the serial is wrong, bla bla bla... Ctrl+D and put a bpx on getwindowtexta. Press F5 to go back to the proggy. Now enter:
   First Name: ACiD
   Last Name : BuRN
   Code      : 12345
then push OK. We are back in Soft-ICE and it tells us: 'break due to BPX Getdlgitemtexta'. Type d EAX and we see in the data window: ACiD BuRN. Press F5 again to pass the check of the name; we want the serial check. At the bottom of the Soft-ICE window we see: USER32 .... We are not in the right place, so press F12. Now it is good! Trace with F10 and we will see: EAX=3039. Good! Type ? EAX and we see:
   00003039 0000012345 "09"
3039 is the hex and 12345 the decimal value. 12345! That is what we entered! Cool, we are near the good thing! The code we typed has already been converted to a number here, so the comparison is numeric rather than a string compare. Continue with F10 and watch EAX for a change. You will see: EAX=7D5F4. EAX has changed! Type ? EAX and we see:
   0007D5F4 0000513524
Cool, what is 513524? It looks like a serial! (It is the decimal value of 7D5F4h, which is what you have to type back in.) Ctrl+D, type BC 0 to delete the bpx. Press F5 to go back to Windows. So enter:
   First Name: ACiD
   Last Name : BuRN
   Code      : 513524
Now the proggy doesn't say bad serial; we are registered! Another one cracked! Hope you understand everything in this essay, and if you have a problem you can mail me at: acid2600@hotmail.com. Happy cracking and have fun! :)

ACiD BuRN [ReFleXZ'99]
HD Morph

This tutorial is coming from... ReFleXZ '99
Url: Http://ReFleXZ99.cjb.net
Email: ReFleXZ@fcmail.com

About the essay...

Written by: ACiD BuRN
Date: 17th April 1999
Program name: HD Morph
Program type: W32
Program location: N/A
Program filename: N/A
Program size: n/c
Tools required: Soft-ICE 3.2x
Difficulty level: Easy ( X ) Medium ( ) Hard ( ) Pro ( )

Introduction...

Hello! Time to learn again! So, a long time ago, there..... lol

About the protection...

Name / Serial protection....

The Essay...

This time it is a VB proggy, but not a crackme, it is a shareware: HDmorph. It can change the hard disk icon. Not sure it is useful, but it is not registered! So we will play with it! First, there is a thing that works well in VB cracking, it is this search:

   S 0 L ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

Those bytes are the start of the string compare routine in the VB runtime (the listing further down shows what they disassemble to; the final f3 66 a7 is repe cmpsw, which compares the two strings word by word), so searching for them lands you where the entered serial is compared with the real one.

NOTE: it is good to put this in winice.dat. Alt-F4 is rarely used in your winice.dat file, so you can use Alt-F4 as a shortcut!
Put this in winice.dat:

   AF4="^s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"

This will save you the time of typing all that! Restart your computer now! When it is done, we can start to crack this babe!

Run it and click on About and then on Register. Enter
   nAME:   ACiD BuRN
   sERIAL: 123456
Ctrl+D to Soft-ICE and type bpx hmemcpy. Click on OK and we are back in Soft-ICE! Great... Now press F11 and F12 until you see Msvbvm50 at the bottom of the Soft-ICE window. We are now in the right place; Alt+F4 to search for the compare location! Now you should see "search pattern found at XXX:XXXXXXXX". For me XXX:XXXXXXXX is 25F:7B1DD9EA. Put a bpx on 25F:7B1DD9EA and disable the hmemcpy bpx: type bd 0. Now press F11 and we break at 25F:7B1DD9EA. This is where the comparison is. We will see:

   56         push esi
   57         push edi
   8B7C2410   mov edi, [esp + 10]   ; Move real serial into edi
   8B74240C   mov esi, [esp + 0C]   ; Move fake serial into esi
   8B4C2414   mov ecx, [esp + 14]   ; number of characters to compare (the repe cmpsw count)

Press F10 to pass "mov edi, [esp + 10]" and type d edi to see the real serial! For ACiD BuRN we see:

   1.3.0.2.6.8.6.3.0.5.4.4.3.2.0.7.9.2.1.6.3.8.1.3.1.2.1.4.0.4

Because it is a VB proggy it is in wide format (each digit is followed by a zero byte, which the data window shows as a dot). So the real code is 130268630544320792163813121404. To check if it is the right one, we enter:
   nAME: ACiD BuRN
   cODE: 130268630544320792163813121404
Press the OK button. Nothing says good work or bad serial, so just exit the proggy and restart it. Go to About, and you see: Registered to: ACiD BuRN. Great! Cool work, we made it! Another one cracked! I hope you understand everything in this essay. If you have a problem you can mail me at: acid2600@hotmail.com. Have fun and happy cracking!

ACiD BuRN [ReFleXZ'99]
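Two of the byte-level tricks from the ReFleXZ essays above, combined into one added example in Python (my code, not HD Morph's, Tomb Raider III's or Soft-ICE's): the HD Morph pattern search (the S 0 L ffffffff 56,57,8b,7c,... hunt for the VB string compare stub, plus decoding the wide-format serial that d edi shows as 1.3.0.2...), and the Tomb Raider III style patch of a long jne (0F 85 rel32) into je (0F 84 rel32), which refuses to patch unless the byte sequence occurs exactly once. The sample image is constructed from a few NOPs, the stub bytes, the HD Morph serial and the "Oket.afp" jne bytes; it is not a dump of either program, and the offsets it yields are only meaningful for this constructed blob.

```python
# Added example (not HD Morph's, Tomb Raider III's or Soft-ICE's code): the
# byte pattern search and the jne->je patch from the essays, done offline on
# a file image instead of in Soft-ICE or a hex editor. SAMPLE_IMAGE is
# constructed for the demo; it is not bytes from either program.

# The VB runtime compare stub searched for in the HD Morph essay:
# push esi / push edi / mov edi,[esp+10] / mov esi,[esp+0C] / mov ecx,[esp+14]
# / xor eax,eax / repe cmpsw
VB_CMP_STUB = bytes.fromhex("56578B7C24108B74240C8B4C241433C0F366A7")


def find_all(image: bytes, pattern: bytes):
    """Every offset at which pattern occurs in image (overlaps included)."""
    hits, pos = [], image.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = image.find(pattern, pos + 1)
    return hits


def decode_wide_serial(raw: bytes) -> str:
    """Soft-ICE shows a VB string as '1.3.0.2...' because each character is
    followed by a NUL byte; decode it as UTF-16LE up to the double-NUL end."""
    end = 0
    while end + 1 < len(raw) and raw[end:end + 2] != b"\x00\x00":
        end += 2
    return raw[:end].decode("utf-16-le")


def patch_jne_to_je(image: bytes, jne_bytes: bytes) -> bytes:
    """Flip one long 'jne rel32' (0F 85 xx xx xx xx) to 'je rel32' (0F 84 ...).
    Only the second opcode byte changes, so the displacement and the
    instruction length stay intact. Raises if the bytes are missing or occur
    more than once, since blindly patching a repeated pattern corrupts code."""
    if len(jne_bytes) != 6 or jne_bytes[:2] != b"\x0f\x85":
        raise ValueError("expected a 6-byte 0F 85 rel32 instruction")
    hits = find_all(image, jne_bytes)
    if len(hits) != 1:
        raise ValueError(f"pattern found {len(hits)} times, need exactly 1")
    off = hits[0]
    return image[:off + 1] + b"\x84" + image[off + 2:]


# Constructed sample image: filler, the VB stub, a ret, the HD Morph serial
# in wide format, and the "Oket.afp" jne from the Tomb Raider III patch list.
SAMPLE_SERIAL = "130268630544320792163813121404"
OKET_JNE = bytes.fromhex("0F85AD000000")
SAMPLE_IMAGE = (
    b"\x90" * 16
    + VB_CMP_STUB
    + b"\xc3"
    + SAMPLE_SERIAL.encode("utf-16-le") + b"\x00\x00"
    + OKET_JNE
    + b"\x90" * 8
)


def demo():
    """Locate the stub, decode the wide serial, and patch the jne."""
    stub_offsets = find_all(SAMPLE_IMAGE, VB_CMP_STUB)
    serial_off = SAMPLE_IMAGE.find(SAMPLE_SERIAL.encode("utf-16-le"))
    serial = decode_wide_serial(SAMPLE_IMAGE[serial_off:])
    patched = patch_jne_to_je(SAMPLE_IMAGE, OKET_JNE)
    return stub_offsets, serial, patched


if __name__ == "__main__":
    stub_offsets, serial, patched = demo()
    print("VB compare stub at", [hex(o) for o in stub_offsets])
    print("wide serial decodes to", serial)
    print("patched jne->je at", hex(patched.find(bytes.fromhex("0F84AD000000"))))
    # As the Tomb Raider III essay says: write the result under a new file
    # name while the original is still open in W32Dasm, then rename it.
```

The uniqueness check in patch_jne_to_je is the part worth copying: a 6-byte jne with a common displacement can appear many times in a real executable, and the essay's file-by-file list ("nothing for Vfaw.afp") only makes sense because the author patched specific, identified locations rather than every match.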
We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #32 soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
   THE 1 for the splash logo.
   Mr Fanatic for providing 2 tuts in this version.
   PinguTM for providing a tut in this version.
   ACiD BuRN for providing 3 tuts in this version.
   tKC/CiA (hey, it's me!) for coding this version :)

All crackers (non-members of CiA) are welcome to send tutors for the next tutorials... see below for my email address!

Greetz go to all my friends! You can find me on IRC or email me at tkc@reaper.org. Oh, btw, please don't expect me to reply to your mails, since I get 50+/- mails every day... but be sure that I really appreciate them! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 05 July 1999

Cracking Tutorial #31 is dedicated to Ms_Jessca, my liefie only... who else?