Welcome to Cracking Tutorial #33!

Hiya peepz, *finally* here's my chance to do this version quickly :) I was kinda busy the last few days, working on some projects... (and smooching my Jess all day too :))) Anyway, let's go!

You'll need the following tools (I use these tools and I assume you'll use 'em, but it doesn't mean you'll need all of them, so just be sure to have them handy for the examples in this tutorial!):

SoftICE 4.00
W32Dasm 8.93
Hacker's View 6.15
SmartCheck 6.03
TASM 5.00
Windows Commander 4.00 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://surf.to/HarvestR or http://harvestr.cjb.net
http://atlantez.nl.eu.org/Iczelion
http://protools.cjb.net

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

-------------------------------------------------------------------------------

TempClean v3.01
http://alvilim.virtualave.net

Tutor by PinguTM (PinguTM@hotmail.com)
This is my 10th tutorial, whey another one ;)

Type : Register 4 Nuffin'
Tools: WinDASM, Hiew

In Windows 9x/NT many programs use temporary files which often stay behind after the program shuts down. Because of that Windows grows while hard disk space decreases, overall system performance slows down, or your system may even crash due to the lack of space for your swap file. TempClean cleans temporary directories or searches for temporary files across your hard disk, so there is no need for you to think about trash that can fill up your disk. You can easily add WINDOWS/TEMP, Internet cache, Document history or any other directories you want and let TempClean clean them on every Windows start so you don't have to think about it.

1. When you start the program you are greeted straight away by the Info screen. It will say we have so many days left to register etc. You can hit the Register button and fill out the shit if you want, but it's obvious it's going to be a wrong serial.

2. Load WinDasm and disassemble tempclean.exe. Now select String Data References and select "Registered to ".

3. You will now see something like this....

* Possible StringData Ref from Code Obj ->"Registered to "
                                  |
:0055C59D BA08C65500              mov edx, 0055C608
:0055C5A2 E8C576FAFF              call 00503C6C
:0055C5A7 8B55F8                  mov edx, dword ptr [ebp-08]
:0055C5AA 8B83DC020000            mov eax, dword ptr [ebx+000002DC]
:0055C5B0 E8C7EAFCFF              call 0052B07C

4. Scroll up a little till you see this........

* Referenced by a CALL at Address:
|:0055C45D
|
:0055C570 55                      push ebp
:0055C571 8BEC                    mov ebp, esp
:0055C573 83C4F8                  add esp, FFFFFFF8

5. Notice the 0055C45D below "Referenced by a CALL". Well, click the Goto Code Location button, type "55C45D" and hit return, and you will end up here:

:0055C44F E8E4EDFFFF              call 0055B238
:0055C454 84C0                    test al, al
:0055C456 7417                    je 0055C46F
:0055C458 8B55FC                  mov edx, dword ptr [ebp-04]
:0055C45B 8BC6                    mov eax, esi
:0055C45D E80E010000              call 0055C570
:0055C462 8B86C8020000            mov eax, dword ptr [esi+000002C8]
:0055C468 E8A7F0FCFF              call 0052B514
:0055C46D EB12                    jmp 0055C481

6. Well, let's change that je to a jne... load up Hiew. Press F4 and select Decode. Now press F5 and type in the offset, which is "5B856". Now press F3 for edit mode and type "75", press F9 to save, and F10 to quit. Re-load TempClean. Cool, we are brought to the clean screen. Click the INFO tab. You will see "registered to" but no name; well, so fuck, it's fully registered and will not run out. Well, let's make it look a bit better...

7. Load up Hiew, press F4 and select HEX. Now press F7 and type in the ASCII field "registered to". Once it finds it, press F3, then press Tab. Type something like PinguTM '1999 (something like that). Now press F9 to update and F10 to quit.

8. Fire up TempClean again and check the INFO tab again. Cool, now there's your name :)

Satisfied, heh. Cya'z next time !

This tut is dedicated to all the sluts who keep my dick happy!
-=-=-=- PinguTM -=-=-=-

-------------------------------------------------------------------------------

Toca2 v1.0 HowTo Crack Tut2:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Target: Toca2 v1.0, CD-Check
Tools : WinDAsm 8.93+
        HView 5.6+
        Cigarette and a glass of Wodka RedBuLL

O.k., let's start!

First of all the game must be completely installed and a copy of TC2.EXE must be created. Disassemble the copy and start the game without having the CD inserted. Aha, the game doesn't display an error message like 'Cannot find any CD'. If you click on 'Start Game' it automatically starts in Network Mode, 'cause it can't find a CD. Remember this -> 'Network Game'

In W32DASM we look for the string 'Network Game' in the string data refs, do a double-click and we'll be here:

* Referenced by a CALL at Address:
|:0049276A
|
:00492B80 6868CC7500              push 0075CC68
:00492B85 68B0355700              push 005735B0

* Possible Indirect StringData Ref from Data Obj ->"RACE MENU"
                                  |
:00492B8A 68084A5700              push 00574A08
:00492B8F E83CC50000              call 0049F0D0
:00492B94 50                      push eax
:00492B95 6860B07500              push 0075B060
:00492B9A E8716B0200              call 004B9710
:00492B9F 6848787500              push 00757848

* Possible Indirect StringData Ref from Data Obj ->"START AUTOTRADER RAC CHAMPIONSHIP "
                                                 ->"RACE"
                                  |
:00492BA4 68E84B5700              push 00574BE8

... Blah ... Blah ... Blah

* Possible Indirect StringData Ref from Data Obj ->"NETWORK GAME"
                                  |
:00492CD6 68A8465700              push 005746A8
:00492CDB E8F0C30000              call 0049F0D0
:00492CE0 50                      push eax
:00492CE1 6860B07500              push 0075B060
:00492CE6 E8D56C0200              call 004B99C0
:00492CEB 6A0D                    push 0000000D
:00492CED 6810794A00              push 004A7910
:00492CF2 68A01D4900              push 00491DA0
:00492CF7 6860B07500              push 0075B060
:00492CFC E81F6D0200              call 004B9A20
:00492D01 68586B7500              push 00756B58

* Possible Indirect StringData Ref from Data Obj ->"GO TO THE TEST TRACK"
                                  |
:00492D06 68884E5700              push 00574E88

... Blah ... Blah ... Blah

Let's backtrace the jump, since this is where the menus are created which will be displayed at game start.
Click on GOTO CODE LOCATION, enter '49276A' and you'll be here:

* Referenced by a CALL at Addresses:
|:0048F919 , :00497D35
|
:00492760 E83B010000              call 004928A0
:00492765 E816030000              call 00492A80
:0049276A E811040000              call 00492B80      <- Menu Checks
:0049276F E81C060000              call 00492D90
:00492774 E807070000              call 00492E80
:00492779 E882160000              call 00493E00
:0049277E E86D170000              call 00493EF0
:00492783 E898080000              call 00493020
:00492788 E8C3090000              call 00493150
:0049278D E8AE0A0000              call 00493240
:00492792 E8590B0000              call 004932F0
:00492797 E8940C0000              call 00493430
:0049279C E8FF0E0000              call 004936A0
:004927A1 E82A100000              call 004937D0
:004927A6 E8A5110000              call 00493950
:004927AB E830180000              call 00493FE0
:004927B0 E85B190000              call 00494110
:004927B5 E8661B0000              call 00494320
:004927BA E8511C0000              call 00494410
:004927BF E8BC1D0000              call 00494580
:004927C4 E8E71E0000              call 004946B0
:004927C9 E802200000              call 004947D0
:004927CE E84D210000              call 00494920
:004927D3 E828260000              call 00494E00
:004927D8 E843240000              call 00494C20
:004927DD E82E250000              call 00494D10
:004927E2 E8B9260000              call 00494EA0
:004927E7 E834270000              call 00494F20
:004927EC E89F280000              call 00495090
:004927F1 E86A2B0000              call 00495360
:004927F6 E8A52A0000              call 004952A0
:004927FB E8B02D0000              call 004955B0
:00492800 E89B3A0000              call 004962A0
:00492805 E8863B0000              call 00496390
:0049280A E8713C0000              call 00496480
:0049280F E80C3D0000              call 00496520
:00492814 E8873D0000              call 004965A0
:00492819 E8823E0000              call 004966A0
:0049281E E8FD400000              call 00496920
:00492823 E8A8460000              call 00496ED0
:00492828 E8B32F0000              call 004957E0
:0049282D E82E310000              call 00495960
:00492832 E839330000              call 00495B70
:00492837 E8B4350000              call 00495DF0
:0049283C E8DF3D0000              call 00496620
:00492841 E8EA220000              call 00494B30
:00492846 E8E53F0000              call 00496830
:0049284B E860340000              call 00495CB0
:00492850 E81B070000              call 00492F70
:00492855 E876390000              call 004961D0
:0049285A E861370000              call 00495FC0
:0049285F E8DC370000              call 00496040
:00492864 E8F7380000              call 00496160
:00492869 E802140000              call 00493C70
:0049286E E85D120000              call 00493AD0
:00492873 E868140000              call 00493CE0
:00492878 E8A31D0000              call 00494620      <- Menu Checks
:0049287D E8FE490000              call 00497280
:00492882 E8194D0000              call 004975A0
:00492887 85C0                    test eax, eax      <- Is CD inserted?
:00492889 7505                    jne 00492890       <- CD-Check
:0049288B E850530000              call 00497BE0

As you can see yourself, there were lots of CALLs and at the end there is a compare - maybe our CD-Check, which checks, after the CALLs which create the menus, whether the original CD has been inserted or not. So we have to change the command from JNE (Jump if Not Equal) to JE (Jump if Equal); then the check will automatically be accepted by the program, even if the CD is missing!

OK, remember the @Offset (91C89), start HView and look for the byte. For newbies: press F5, enter 91C89 and press [ENTER]. Then the byte must be changed from 75 to 74: press F3, enter 74 and then press F9.

*BooM*, the damn CD-Check has been removed!

Opt: If you change the 74 (JE) to EB (JMP), then the game is optimally cracked, since it will run WITH or WITHOUT the CD inserted!

(c) written by -=[T']okE]=- --- deadly jokes are comin' now! --- [05/23/99]

-------------------------------------------------------------------------------
Tutorial translated from GERMAN => ENGLISH by TORN@DO of ID (learn2crk.cjb.net)
-------------------------------------------------------------------------------

Even a Blind Pig Finds an Acorn (Once In a While)
Or a quick "non" crack.

This is my first ever "tutorial". Hi there, my name is Mudder and in one name or another I've been on IRC for years hanging out in the crack channels. I have always wanted to be a cracker but I have Attention Defecate Disorder that I never grew out of; this makes it hard to focus and have the patience that a cracker needs. With that said, this "tutorial" will show you that if you've got an IQ a point or two higher than a doorknob, you too can learn something.
I used not the "softice" nor did I use windasm or anything else except for a program called Regmon. Find it at: http://www.sysinternals.com/regmon.htm

I used regmon 'cause I'm running NT. Windows 95 & 98 users get regmon 95.

O.K. here we go. My target program is called Fastcad 32 and the version is 6.032
The place to get this program is: ftp://fastcad.com/fc32demo.exe
Size of program is 3.1 megs

When I ran the program it starts up with a message that says that it is fully functional for 14 days and after that it disables some functions. We can't have that now, can we? So here is what this non-programmer did to "fix" the problem.

Install regmon and run it first. I set a filter on all registry operations of the main exe fcw32.exe, ran fastcad and then looked at all the registry hits.

 1 FCW32.EXE OpenKey    HKLM\Software\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FCW32.EXE   NOTFOUND
 2 FCW32.EXE OpenKey    HKCU                                                                                       SUCCESS Key: 0xE1B1D680
 3 FCW32.EXE OpenKey    HKCU\Control Panel\Desktop                                                                 SUCCESS Key: 0xE1AE5220
 4 FCW32.EXE QueryValue HKCU\Control Panel\Desktop\SmoothScroll                                                    NOTFOUND
 5 FCW32.EXE CloseKey   HKCU\Control Panel\Desktop                                                                 SUCCESS Key: 0xE1AE5220
 6 FCW32.EXE CreateKey  HKCR                                                                                       SUCCESS Key: 0xE1B2B7C0
 7 FCW32.EXE OpenKey    HKCR\CLSID                                                                                 SUCCESS Key: 0xE1AE5220
 8 FCW32.EXE CreateKey  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer                                    SUCCESS Key: 0xE1B3BD60
 9 FCW32.EXE OpenKey    HKLM                                                                                       SUCCESS Key: 0xE1ACF9C0
10 FCW32.EXE CreateKey  HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer                                    SUCCESS Key: 0xE1B1F320
11 FCW32.EXE OpenKey    HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                           NOTFOUND
12 FCW32.EXE OpenKey    HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                           SUCCESS Key: 0xE1B36280
13 FCW32.EXE QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\EnforceShellExtensionSecurity   NOTFOUND
14 FCW32.EXE CloseKey   HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer                           SUCCESS Key: 0xE1B36280
15 FCW32.EXE QueryValue HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\AltColor                           NOTFOUND
16 FCW32.EXE CreateKey  HKCR\CLSID\{C3266A00-C24D-11d1-8567-444553540000}                                          SUCCESS Key: 0xE1AE6240
17 FCW32.EXE QueryValue HKCR\CLSID\{C3266A00-C24D-11d1-8567-444553540000}\C3266A00-C24D-11d1-8567-444553540000     SUCCESS NONE   <-------- this looks interesting
18 FCW32.EXE CloseKey   HKCR\CLSID\{C3266A00-C24D-11d1-8567-444553540000}                                          SUCCESS Key: 0xE1AE6240

I ran the registry editor and opened the key (#17 up there) and I modified it back to a zero length value, closed the registry editor and ran fastcad.

??? you now have 14 days to evaluate ????

hmmmmmmm, I may have something here. Back to regedit and export the key:

---------------------------Exported Key----------------------------
REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{C3266A00-C24D-11d1-8567-444553540000}]
"C3266A00-C24D-11d1-8567-444553540000"=hex(0):10,00,00,00,e4,00,00,00,00,00,00,\
  00,5b,02,00,00
----------------------------End Key---------------------------------

Then I edited the key to look like this:

------------------------Cut here------------------------------------
REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{C3266A00-C24D-11d1-8567-444553540000}]
"C3266A00-C24D-11d1-8567-444553540000"=hex(0):
----------------------Cut here--------------------------------------

I saved this as Fastcad.reg and that was that. Now all I have to do is click on this file every few days and lo and behold I have a brand new evaluation period.

I know that the real crackers will say that this is a lame way to do it, but you have to remember that I am not a programmer and I have great difficulty concentrating on anything for more than a few minutes at a time. Besides that, it works and I did not have to have anybody do it for me.

Sorry if this is a little hard to understand, but if you read it a few times and try it, things should come to you.
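As an added example (my own code, not part of Mudder's tutorial), here is a small Python parser for the REGEDIT4 export format he used above; the two embedded samples are constructed from the exported and the edited key shown in the text, and the parser decodes the hex(0) byte list, including the backslash line continuation, so you can see exactly which 16 bytes the trial state consists of and that the edited file writes an empty REG_NONE value back.

```python
"""Parser for the REGEDIT4 (.reg) export format shown in the tutorial.

Added example, not part of the original tutorial. The two sample exports below
are constructed from the text above; the parser handles the general format
(key headers, quoted value names, hex(N): with line continuation, dword:).
"""
import re
from typing import Dict, List, Tuple

# Constructed samples: the exported key and the edited key from the tutorial.
ORIGINAL_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{C3266A00-C24D-11d1-8567-444553540000}]
"C3266A00-C24D-11d1-8567-444553540000"=hex(0):10,00,00,00,e4,00,00,00,00,00,00,\
  00,5b,02,00,00
"""

EDITED_EXPORT = r"""REGEDIT4

[HKEY_CLASSES_ROOT\CLSID\{C3266A00-C24D-11d1-8567-444553540000}]
"C3266A00-C24D-11d1-8567-444553540000"=hex(0):
"""

# Registry value type numbers as written in hex(N): (the Windows REG_* constants)
REG_TYPE_NAMES = {0: "REG_NONE", 1: "REG_SZ", 2: "REG_EXPAND_SZ", 3: "REG_BINARY",
                  4: "REG_DWORD", 7: "REG_MULTI_SZ"}

RegValues = Dict[str, Tuple[str, bytes]]   # value name -> (type name, raw bytes)
RegExport = Dict[str, RegValues]           # key path   -> values


def _logical_lines(text: str) -> List[str]:
    """Join physical lines that end in a backslash (the .reg continuation marker)."""
    lines, buf = [], ""
    for raw in text.splitlines():
        buf += raw.strip() if buf else raw.rstrip()
        if buf.endswith("\\"):
            buf = buf[:-1]          # keep accumulating on the next physical line
            continue
        lines.append(buf)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def _parse_data(spec: str) -> Tuple[str, bytes]:
    """Decode the right-hand side of a 'name=data' line into (type name, bytes)."""
    if len(spec) >= 2 and spec.startswith('"') and spec.endswith('"'):
        text = spec[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        return "REG_SZ", text.encode("utf-8")
    if spec.startswith("dword:"):
        return "REG_DWORD", int(spec[len("dword:"):], 16).to_bytes(4, "little")
    m = re.fullmatch(r"hex(?:\((\d+)\))?:(.*)", spec)
    if m:
        type_num = int(m.group(1)) if m.group(1) is not None else 3   # bare hex: is REG_BINARY
        payload = [b for b in m.group(2).split(",") if b.strip()]     # empty list for "hex(0):"
        return REG_TYPE_NAMES.get(type_num, f"REG_TYPE_{type_num}"), bytes(int(b, 16) for b in payload)
    raise ValueError(f"unsupported value syntax: {spec!r}")


def parse_reg_export(text: str) -> RegExport:
    """Parse a REGEDIT4 export into {key path: {value name: (type, bytes)}}."""
    lines = _logical_lines(text)
    if not lines or lines[0] != "REGEDIT4":
        raise ValueError("not a REGEDIT4 export")
    result: RegExport = {}
    current = None
    for line in lines[1:]:
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            result.setdefault(current, {})
            continue
        if current is None:
            raise ValueError(f"value outside of any key: {line!r}")
        m = re.fullmatch(r'(@|"((?:[^"\\]|\\.)*)")=(.*)', line)
        if not m:
            raise ValueError(f"cannot parse line: {line!r}")
        name = "" if m.group(1) == "@" else m.group(2)    # "@" is the key's default value
        result[current][name] = _parse_data(m.group(3))
    return result


def as_dwords(data: bytes) -> List[int]:
    """Interpret raw value bytes as little-endian 32-bit integers (a short tail is ignored)."""
    return [int.from_bytes(data[i:i + 4], "little")
            for i in range(0, len(data) - len(data) % 4, 4)]


def trial_value(export_text: str) -> Tuple[str, bytes]:
    """Return (type, bytes) of the single value under the tutorial's CLSID key."""
    key = r"HKEY_CLASSES_ROOT\CLSID\{C3266A00-C24D-11d1-8567-444553540000}"
    return parse_reg_export(export_text)[key]["C3266A00-C24D-11d1-8567-444553540000"]


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_EXPORT), ("edited", EDITED_EXPORT)):
        type_name, data = trial_value(text)
        print(f"{label}: {type_name} {data.hex() or '<empty>'} -> dwords {as_dwords(data)}")
```

The design lesson for anyone writing trial logic is visible in the output: the counter is four plain little-endian DWORDs in a user-writable value with no integrity protection, so anything a user can export can be rewritten.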
---------------------------Thank you----------------------------------
I want to send out a personal greet to tKC, 'cause without you and your great tutors I would have been lost. Greets to MS_JESSCA, 'cause she sent me more cracks than I can count. And finally to everyone in #cracks

Mudder

-------------------------------------------------------------------------------

Name         : Infinity Textures
Version      : 1.3.0
Availability : http://www.i-tex.de
Protections  : - Compressed and crypted with an in-house program
               - Nagscreen
               - Trial period
Target       : Infinity.exe (617472 Bytes)
Tools        : Softice 3.25
               Brain
CRaCKer      : TaMaMBoLo
Contact us   : Samsoul99@Hotmail.com (Welcome frenchies!)

Infinity Textures is a very practical program for all draughtsmen. As its name indicates, we can generate textures with it. Infinity Textures has the merit of being easy to use and quite powerful.

The protection of the software has several points: a first approach (by disassembling the exe) lets us note that the programmers have crypted their software. It is not possible to disassemble the exe because the code is compressed and crypted at the same time. We can also see the software is protected by a nagscreen and a trial period. We could have used ProcDump to dump the executable. This would have allowed us to obtain a decompressed exe and thus to disassemble the program with windasm. But it is hard work and not very obvious for beginners. Moreover, it is not necessary because the software has a registration box to register the software... We will use our debugger to find a serial corresponding to our name...

Step 1

Install Infinity Textures and launch the program. Go to the option which allows you to type a serial and your name (Help/Register). Type your name and a serial and DON'T validate. Bring up Softice by pressing CTRL+D. We will use the breakpoint HMEMCPY. Under Softice type BPX HMEMCPY and leave Softice by pressing F5. Validate your serial by pressing Enter. Softice should have popped up on the way.
Step 2

You are therefore at the beginning of the routine HMEMCPY, which is in fact a Windows API and not our program. We are in the heart of Windows. It is necessary to return to the code of the program that we want to crack. For that we will use the F12 key to go up into the code which interests us. It is necessary to press F12 12 TIMES in order to find yourself just after the sub-routine which calls the API HMEMCPY.

Step 3

If you pressed F12 12 TIMES correctly, you should arrive at this:

004C99F7  CALL 004206A8              ---- the address which calls HMEMCPY
004C99FC  MOV EAX, [EBP-01D0]        ---- with F12, you are here
004C9A02  CALL 004014
004C9A07  CMP EAX, 05                ---- test if our name is > 5 characters
004C9A0A  JL 004C9898                ---- no! we jump to 4c9898 (bad boy!)
004C9A10  LEA EDX, [EBP-01D0]       --|
004C9A16  MOV EAX, [EBX+000001E8]     | it's ok, we continue the treatment of our name
004C9A1C  CALL 004206A8             --|
004C9A21  MOV EAX, [EBP-01D0]        ---- now we treat the entered serial
004C9A27  CALL 004014
004C9A2C  TEST EAX, EAX              ---- is there something in the serial?
004C9A2E  JLE 004C9898               ---- no! we jump to 4c9898 (bad boy!)
004C9A34  LEA EDX, [EBP-01D0]       --|
004C9A3A  MOV EAX, [EBX+000001E0]     | it's ok, we continue the treatment of our serial
004C9A40  CALL 004206A8               |
004C9A45  MOV EAX, [EBP-01D0]         |
004C9A48  LEA EDX, [EBP-01D8]       --|
004C9A51  CALL 004F1D80             --| here we generate the serial corresponding to
004C9A56  MOV EAX, [EBP-01D8]         | the name
004C9A5C  LEA EDX, [EBP-01D4]         |
004C9A62  CALL 004F34FC             --|
004C9A67  MOV EAX, [EBP-01D4]
004C9A6D  PUSH EAX                   ---- *)( Serial! )(*
004C9A6E  LEA EDX, [EBP-01D0]       --|
004C9A74  MOV EAX, [EBX+000001E8]     |
004C9A7A  CALL 004206A8               | here we compare the serial obtained and
004C9A7F  MOV EDX, [EBP-01D0]         | the one entered with the name
004C9A85  POP EAX                     |
004C9A86  CALL 00403F24             --|
004C9A88  JNZ 004C9898               ---- it's not good! we jump (BAd BOy!)
004C9A91  MOV EDX, [004FE1B8]        ---- if not, we continue...
004C9A97  MOV EDX, [EDX]

OK! You have it all before your very eyes... By pressing F12 12 times, you must land just behind the call 004206A8. Continuing to trace the program with the F10 key, we see that the software checks if the name that we entered is longer than 5 (address 4C9A07). If it's OK, we continue by treating the serial that we entered. The program then tests whether we entered a serial at all (address 4C9A2C). If all is well we continue. At address 4C9A45 the program finally generates the serial corresponding to the name. And at address 4C9A6D we have the result: the serial corresponding to our name... To see it, in softice type E EAX. Softice should show you a beautiful serial... For me, I obtain:

Name  : Tamambolo#99
Serial: FR7KP0E8PH

A crACk By TaMaMBoLo From [(/$$-SaMSoUL CRAcKInG-$$\)]
Samsoul99@Hotmail.com

-------------------------------------------------------------------------------

Name        : Winhex
Version     : 8.3
Availability: http://www.muenster.de/~sf or http://move.to/sf (secondary URL)
Target      : WinHex.exe (358912 bytes)
Protections : - Limitations - impossible to save a file of more than 200 KB (!)
              - Nagscreens (when you quit and when winhex starts)
              - Trial period...
Tools       : Softice 3.25
              Brain
CRaCKer     : TaMaMBoLo
Contact us  : Samsoul99@Hotmail.com (Welcome frenchies!)

Hello! Here is my first tutor written for the newbies... I kept my explanations as simple as possible to be understood by everyone... Excuse me for my bad grammatical English but I am French... For this crack, I chose as target WinHex 8.3, which is a hexadecimal editor, ideal for you, crackers...
Step one:

Install Winhex 8.3 and launch it. You see immediately that there are several protections:
- Limitations - impossible to save a file of more than 200 KB (!)
- Nagscreens (when you quit and when winhex starts)
- Trial period...

OK! You saw that there are several limitations in this software. Now, ROCK'n ROll!

Step Two:

Take windasm 8.93 and disassemble the executable (Winhex.exe = 351 KB). When you launch winhex several times in succession, Winhex will send you a nagscreen: "PLEASE REGISTER SOON.". With windasm you double-click on "STRING DATA REFERENCE" and seek the sentence of the nag ("PLEASE REGISTER SOON."). You find it without problem and, clicking on it, we see this:

:00422330 803D7364440000    cmp byte ptr [00446473], 00   -- Very interesting!
:00422337                   jne 00422375                  -- jump if you are a registered English user!
:00422339                   mov eax, dword ptr [00444A2C] -- else post the nagscreen for the German user

* Possible ref. to Menu: MenuID_0001, Item: "Neu... Strg+N"
* Possible Reference to Dialog: DialogID_000E, CONTROL_ID:000A, "&Warnen vor Änderungen an Dateien dieser "

:0042233E                   mov ecx, 0000000A
:00422343                   cdq
:00422344                   idiv ecx
:00422346                   cmp edx, 00000008
:00422349                   jne 00422375                  -- jump if German user registered...
:0042234B                   cmp byte ptr [00445660], 00   -- else...
:00422352                   jne 00422362                  -- ... jump if English user not registered!

* Possible StringData Ref from Code Obj ->"Da Sie dieses Programm relativ "   -- German nagscreen!
                                        ->"h "

:00422354                   mov eax, 00422524
:00422359                   mov dl, 03
:0042235B                   call 0040BC94                 -- nagscreen posted
:00422360                   jmp 0042236E

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422352(C)

* Possible StringData Ref from Code Obj ->"Please register soon."   -- English nagscreen!
                                        |
:00422362                   mov eax, 00422590
:00422367                   mov dl, 03
:00422369                   call 0040BC94                 -- nagscreen posted

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00422360(U)
|
:0042236E                   mov al, 04
:00422370                   call 0040B384                 -- end of nag (English AND German user)

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00422337(C), :00422349(C)
|
:00422375                   push 00000000                 -- GooD BOy! no nagscreen!
:00422377                   mov eax, dword ptr [00442014]
:0042237C                   push eax
:0042237D                   push 00000000
:0042237F                   mov eax, dword ptr [00446EE8]

OK! You immediately see something very interesting: if you go up a little bit in the code, you see that the prog tests many memory addresses. At address 42234B there is a comparison: cmp byte ptr [00445660], 00. This comparison is not important for us. Address 445660 is used by the prog to test if it is a German user who is registered or not. The comparison determining if the English user is registered or not is located at address 422330: cmp byte ptr [00446473], 00. It is the address 446473 which determines if the English user is registered. If 446473=0, user not registered, and if 446473=1, user registered... It is not very hard to understand, isn't it?

Step Three:

At some point the program sets address 446473 to 0. It's necessary to locate in the code the moment when the prog initializes the address 446473 to 1. In assembler there are many ways to put 1 in an address. We don't know how the programmer managed to put 1 in 446473, so we will seek in the code the places where the program uses the address 446473. We will inevitably find a place where the prog puts 1 at the address 446473. For the search, take WINDASM, go to the option "SEARCH", click on "FIND TEXT" and enter 736444. Yes, I entered the memory address back to front (446473 = 736444...), but it is normal because in hex the low byte is stored first and the high byte last (look at disassembly 1, address 422330, to understand).

Step Four:

You will find many places in the code where the address is used. But if you notice, you will always see an XOR EAX,EAX. It is not very interesting for us because XOR puts EAX to 0; however it is better for us to force it to 1. Watch this!

:0043F662                   call 0040E0D8
:0043F667                   cmp eax, dword ptr [00446024]
:0043F66D                   je 0043F673

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F65E(C)
|
:0043F66F                   xor eax, eax                  -- BAd BOy! EAX=0 and...
:0043F671                   jmp 0043F675                  -- ... jump to 43f675 to set 446473 to 0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F66D(C)
|
:0043F673                   mov al, 01                    -- GOOd BOy! AL=1 and...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F671(U)
|
:0043F675 A273644400        mov byte ptr [00446473], al   -- ... set 446473 to 1 (It's GOOd FoR YOu!)

The programmer put his initialization routine at the end of the prog! This is why the search is long... At address 43F66F there is XOR EAX,EAX and a jump which sends us to the address 43F675 where the prog puts the AL contents in 446473... But at address 43F673 there is a MOV AL,1, very interesting!... And if we erase XOR EAX,EAX and JMP 43F675, what happens?

Step Five:

Take a hex editor, go to offset 3EA6F and put 90,90,90,90. Now the prog will no longer put EAX to 0 but will put AL to 1 and will put AL in 446473... Make the patch and launch WinHex. bOOM! *!REGIsTeReD!*

For ReMArKs, CRiTiKs, COnTaKts ===> Samsoul99@Hotmail.com
Frenchies: if you want some tutors written in French, send me a mail.
A crACk By TaMaMBoLo From [(/$$-SaMSoUL CRAcKInG-$$\)]
TaMaMBoLo 99

-------------------------------------------------------------------------------

Cracking Tutorial for FreeHand 8.0.1
======> Coding a SalesAgent Generic Time Limit Cracker <======

More and more software authors decide to use SalesAgent by Release Soft for 'protecting' their programs. And as cracking SalesAgent's time limit and NAG is kinda easy, I decided to code a GENERiC SalesAgent cracker and use some of the saved time for teaching some more knowledge to the crackers that need it.

Back to the tutorial: I will use an easy method for cracking SalesAgent, since there is NO NEED for using a COMPLICATED ONE. We will code together a SalesAgent CRACK-LOADER in this tutorial!

First of all, make sure you have at least two SalesAgent programs ... I've chosen FireWorks and FreeHand ... but you can use any other program too. You will just find small modifications in the code snippet.

Start the program. As you can see, a screen like the one for VBox pops up. Now you have three choices: BUY - TRY - ORDER. If you press BUY nothing really happens. So we can assume that there's no way to register this program. This dialog box seems to be an advanced one, so a BPX DialogBoxParamA will work. Exit FireWorks and restart it. SoftICE will pop up. This is at the DialogBoxParamA function. Press F10 to step over this CALL. Now the TRIAL SCREEN pops up. Press TRY.

SoftICE will pop up and after you've pressed F12 the following code snippet will be displayed:

:00408B11 E8BAD3FFFF     CALL 00405ED0                  ; check time limit and display NAG
:00408B16 83F8FF         CMP EAX,-01
:00408B19 55             PUSH EBP
:00408B1A 750B           JNZ 00408B27
:00408B1C FF15B8954400   CALL [USER32!PostQuitMessage]
:00408B22 E981000000     JMP 00408BA8
:00408B27 8B742418       MOV ESI,[ESP+18]
:00408B2B 56             PUSH ESI
:00408B2C FF1598954400   CALL [USER32!ShowWindow]
:00408B32 56             PUSH ESI
:00408B33 FF15A8954400   CALL [USER32!UpdateWindow]
:00408B39 55             PUSH EBP
:00408B3A 55             PUSH EBP
:00408B3B 68D08B4000     PUSH 00408BD0
:00408B40 E8DB800100     CALL 00420C20

Now we can circumvent the time limit by just changing the JNZ instruction at 408B1A to a JMP instruction, right? No! If your time limit has expired, the program will be quit before returning from that CALL. However, we can bypass the NAG and time limit by just changing one instruction. If you don't know why, think again ... then read on!

If we change the CALL 405ED0 at 408B11, where the NAG is generated, into JMP 408B27 then we will bypass the NAG and also the time limit check. Now we know that the memory address of our patch is 408B11 and that we want to execute JMP 408B27 there! So exit and restart FreeHand. At 408B11, do the following:

A JMP 408B27

SoftICE displayed EB14 as the code ...
Now we need to find some similarities between programs being 'protected' by SalesAgent, so look at the following code, which I've ripped from FireWorks 2.0, and compare it to the above one:

:00408C53 E8E8D1FFFF     CALL 00405E40                  ; check time limit and display NAG
:00408C58 83F8FF         CMP EAX,-01
:00408C5B 55             PUSH EBP
:00408C5C 750B           JNZ 00408C69
:00408C5E FF154C924200   CALL [USER32!PostQuitMessage]
:00408C64 E981000000     JMP 00408CEA
:00408C69 8B7C2418       MOV EDI,[ESP+18]
:00408C6D 57             PUSH EDI
:00408C6E FF1534924200   CALL [USER32!ShowWindow]
:00408C74 57             PUSH EDI
:00408C75 FF153C924200   CALL [USER32!UpdateWindow]
:00408C7B 55             PUSH EBP
:00408C7C 55             PUSH EBP
:00408C7D 68208D4000     PUSH 00408D20
:00408C82 E8557F0100     CALL 00420BDC

What have you found out? Well, before you read further, THINK AGAIN, since you might LEARN A LOT!

I've found out the following similarities:

1) The code to be patched is always located around address 408000 - 409000.
2) The code can always be patched with a simple EB 14.
3) FF FF 83 F8 FF always exists ONLY ONCE. This can be used for deciding whether this is the location to be patched or not.

Now we have everything we need to code a Process Patcher that will crack all SalesAgent 'protected' programs. Following is the source code I've used. There were several things added, but you will fully understand it! My GENERiC CRACK works very well on every target I've chosen till now to test. And someone told me that it also works on POLISH software ... so I saved myself lots of time, which I could spend writing tutorials!

// * ================================================================== *
// * MANY THANKS TO Gi0 FOR RELEASING HIS PROCESS PATCHER SOURCE CODE! *
// * IT SAVED ME THE TIME FOR CODING MY OWN!                           *
// * ================================================================== *
// THE SALES AGENT GENERIC TIME LIMIT CRACK by TORN@DO
// => TSAGTLCT.INI

#include <windows.h>
#include <stdio.h>
#include <stdlib.h>

int main(void)
{
    STARTUPINFO si;
    char InfoText[] = "SalesAgent GENERiC TiME LiMiT CRACK by TORN@DO";
    unsigned long i = 0;
    unsigned long AddressOfPatch = 0;
    unsigned char DataRead[8200] = {0};   // unsigned, so the "== 0xFF" tests below hold whatever the compiler's char signedness
    char Message[200] = {0};
    char* cl;
    PROCESS_INFORMATION pi;
    FILE* DATA_FILE;
    char FileName[256] = {0};

    ZeroMemory(&si, sizeof(si));
    si.cb = sizeof(si);
    cl = GetCommandLine();

    // The name of the target EXE is read from TSAGTLCT.INI in the program directory
    if ((DATA_FILE = fopen("TSAGTLCT.INI", "r")) != NULL)
    {
        fread(FileName, sizeof(char), 255, DATA_FILE);   // 255, so the buffer stays NUL-terminated
        fclose(DATA_FILE);
    }
    else
    {
        MessageBox(NULL, "Couldn't read TSAGTLCT.INI! Create a TSAGTLCT.INI and write the complete name\n(including .EXE) of the EXE file in it! Check the INFO.HTML for an example!\n\nRemember: Both files must be stored at the program directory!", InfoText, MB_OK);
        exit(-1);
    }

    if (CreateProcess(FileName, cl, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi))
    {
        // Read 8 KB of the target's code starting at 408000 (similarity 1 above)
        ReadProcessMemory(pi.hProcess, (LPVOID) 0x408000, DataRead, 8192, NULL);

        // ============================= Sales Agent 2.7.x Crack ===========================
        // Look for FF FF 83 F8 FF (similarity 3): the two FFs are the end of the CALL's
        // rel32 operand, so the CALL itself starts 3 bytes before the match.
        for (i = 0; i <= 8192; i++)
        {
            if ((DataRead[i] == 0xFF) && (DataRead[i+1] == 0xFF) && (DataRead[i+2] == 0x83)
                && (DataRead[i+3] == 0xF8) && (DataRead[i+4] == 0xFF))
            {
                AddressOfPatch = 0x408000 + (i-3);
                break;
            }
        }
        if (AddressOfPatch != 0)
            WriteProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch, "\xEB\x14", 2, NULL);   // EB 14 (similarity 2)

        // ============================= Sales Agent 2.6.x Crack ===========================
        if (AddressOfPatch == 0)
        {
            for (i = 0; i <= 8192; i++)
            {
                if ((DataRead[i] == 0xEB) && (DataRead[i+1] == 0x05) && (DataRead[i+2] == 0xB8)
                    && (DataRead[i+3] == 0x01) && (DataRead[i+4] == 0x00) && (DataRead[i+7] == 0x83))
                {
                    AddressOfPatch = 0x408000 + (i-7);
                    break;
                }
            }
            if (AddressOfPatch == 0)
            {
                MessageBox(NULL, "Either Release Software has changed SalesAgent a lot,\nor you have chosen the wrong EXE file!\n\nPlease contact me if this crack doesn't work any longer!", InfoText, MB_OK);
                CloseHandle(pi.hProcess);
                CloseHandle(pi.hThread);
                exit(-1);   // nothing found: don't fall through and write to address 0
            }
            WriteProcessMemory(pi.hProcess, (LPVOID) AddressOfPatch, "\xEB\x07", 2, NULL);
        }
        CloseHandle(pi.hProcess);
        CloseHandle(pi.hThread);
    }
    else
    {
        sprintf(Message, "%s not found! Check TSAGTLCT.INI and ensure that\nyou've executed the process patcher in the program directory!", FileName);
        MessageBox(NULL, Message, InfoText, MB_OK);
        exit(-1);
    }
    return 0;
}

Another target has been Reverse Engineered.

====> If you want to USE ANY PROGRAM BEYOND its FREE TRIAL PERIOD, then please BUY IT.

Greetings to: tKC, +Aesculapius, +MaLaTTiA, +ORC, /Miz, alpine, Bisoux, Borna, Boggy, Crackz, DnNuke, ECLiPSE Group, epxy, Eternal Bliss, Dead-Mike, FaNt0m, Fravia, fresh, Ghiri, HarvestR, Iczelion, Jeff, LaZaRuS, Lord Soth, LUCIFER48, McCodEMaN, MiZ, Ms Jessca, night, NiKai, Nitrus, OkStart, pruri, RevX, Rhayader, Santa Clawz, tC, The Sandman, Vladimir, Volatility, WarezPup, WKT Group, Xomgromit and EVERYONE ELSE

You may ask me any question you want. I can be reached at #Cracking4Newbies on EFNET or via e-mail at TORNADO@writemail.com
My website with other tutorials and the cRACKER's n0TES can be found at learn2crk.cjb.net

------------------------------------------------------------------------------------------
Copyright c 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.
We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #34 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
Dasomen for Splash Logo.
Tornado for providing a tut in this version.
Mudder for providing a tut in this version.
TaMaMBoLo for providing 2 tuts in this version.
PinguTM for providing a tut in this version.
[T']okE] for providing a tut in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org
Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. but be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 18 July 1999

Cracking Tutorial #33 is dedicated to Ms_Jessca, my liefie only, who else?