Welcome to Cracking Tutorial #36!

Hiya peepz, here's another tutor for you, nothing special :) As always, I'm busy with coding other projects... Anyway, let's go!

You'll need the following tools (I use these tools and assume you'll use them too; that doesn't mean you'll need all of them, but keep them handy for the examples in this tutorial):

SoftICE 4.00
W32Dasm 8.93
Hacker's View 6.15
SmartCheck 6.03
TASM 5.00
Windows Commander 4.00 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good cracking sites where you can grab tools from:

http://surf.to/HarvestR or http://harvestr.cjb.net
http://atlantez.nl.eu.org/Iczelion
http://protools.cjb.net

or ask any crackers to get you these tools! Are you ready?! OK! ;)


Cracking MechWarrior3
A tutorial by BlueFox
CD Check series, tut #1
June 1999

Hi! And welcome all to this, my first tut :) I will try to explain everything, so this tut will be suitable for very new newbies =)

We will be dealing here with a relatively easy CD check protection. This should get you started on cracking more complex CD-based schemes.

OK, the most common, but not the only, way to check for the presence of the game's CD is to check for a certain file on the CD. It may also read the file and verify its contents, or check multiple files; OK, you get the idea, it's *usually* based around file I/O.

NOTE: we are talking about games that DON'T REQUIRE files off the CD, but just check to see if it is there.

Now, the first thing to do when dealing with a game of this sort is to run the program without the CD to see WHERE in the game and how many times the CD is checked for. For example, it might have one check at the beginning of the game, and then once more when you try to host a multiplayer game or something. Also, does the game just boot you out when it doesn't find the CD? Does it show an error box and then kick you out?
Does the error box, if any, have a "retry" button? If there is an error box, is it a MessageBox or just a regular window? These are all important to the crack, so figure it out and keep what you find in mind.

NOTE: you can determine if a window is a MessageBox by using SoftICE and typing 'bpx MessageBoxA', then running the game and getting it to display the error; if it's a MessageBox, SoftICE will break.

OK, now you know that our target, Mech3, has only ONE check, at the very beginning, and that it displays an error message with a retry button(!). The retry button could come in very handy because it will act as an entry point to the protection code (but we won't use it here).

We now have enough info to crack this target, but let us first try to get a little more info to help us recognize what we will be looking for in the protection code. Now, since this target has a nice little window with a retry button, we will run the game without the CD and wait for the window to pop up. You there? Good =)

OK, now remember I said that a lot of CD check protections use the filesystem to check for the CD. So, fire up FileMon and set the process filter to mech3*. Now click on the 'OK' button of the error window, and you will get the following (NOTE: I have deleted a couple of lines that were obviously worthless):

Mech3  Ioctl      A:               SUCCESS   Subfunction: 08h
Mech3  Ioctl      C:               SUCCESS   Subfunction: 08h
Mech3  FindOpen   C:\*.*           SUCCESS   DISK2PAR.T01
Mech3  FindClose  C:\*.*           SUCCESS
Mech3  Ioctl      D:               SUCCESS   Subfunction: 08h
Mech3  FindOpen   E:\VIDEO\C1.AVI  NOTREADY

(the filename will be the same for you, but the DRIVE letter may change)

OK, you see access to all the drive letters in your system, but why? Why not just the drive letter of your CD drive? Well, because this game is scanning all the drives until it finds a CD-ROM drive, then it will attempt to open the file 'c1.avi'. OK, simple enough; now what is the best way to try and crack this?
Well, I don't know =) We saw that it is scanning all the drives in the system. GetDriveTypeA is usually used to do something like that, so let us set a break on it and see what we get. Run the game without the CD; it will pop up that error window. Go into SoftICE (Ctrl-D) and type 'bpx GetDriveTypeA', now quit SoftICE with another Ctrl-D. Run the game and you will break on a call to GetDriveTypeA. This is where we will begin our descent into the deep, dark, spooky code woods. Scared? YES? Good, me too =)

Now, we are in SoftICE, inside system code, so we will hit F12 to keep going until we exit the GetDriveTypeA API call. We will be at this code:

FF1538515BC0  CALL [KERNEL32!GETDRIVETYPEA]  ;our call to GetDriveTypeA
83E803        SUB EAX, 03
7423          JZ 0056F7E8                    ;if eax = 3 then it will jmp
83E802        SUB EAX, 02
7542          JNZ 0056F80C                   ;if eax = 5 then it won't jmp
83FF05        CMP EDI, 05                    ;not sure about this
753D          JNZ 0056F80C
8D54241C      LEA EDX, [ESP+1C]
52            PUSH EDX
68A8637200    PUSH 007263A8                  ;dump this location, you will see "x:\video\c1.avi"
FF1590555B00  CALL [005B5590]                ;this is pushed as parameter to this call
83C408        ADD ESP, 08                    ;fix stack
85C0          TEST EAX, EAX                  ;test outcome of call
7526          JNZ 0056F80C                   ;guess: if we jmp here this will likely give us the error
EB1C          JMP 0056F804                   ;guess: likely this will take us into the game

Now you will notice, if you scroll down the code window (Ctrl-DownArrow), that a constant is pushed onto the stack as parameter to the call following it. Well, we are curious, so do a 'd 7263a8', and what do we see but our lovely 'a:\video\c1.avi'. Now this is set for the A drive, but that is not what we want (remember that it scans all the drive letters), so hit Ctrl-D (several times) until that turns into 'x:\video\c1.avi', where x is the letter of your CD-ROM drive. So now you are back again from that last call to GetDriveTypeA and we have our correct string in the data window, so we hit F8 to single-step down until we are on top of the CALL [005B5590]; now hit F10 to step over the call.
OK, now what do you suppose the CALL [005B5590] does? Well, the pointer to the string 'e:\video\c1.avi' is pushed on the stack as a parameter to this call, so that tells me that this call is probably doing the checking to see if that file is there. Now, for most calls the return value is stored in EAX, so the TEST EAX, EAX line is setting the Zero flag based upon what is in EAX. OK, so we think for a sec, and we guesstimate that we are *supposed* to take the JMP 0056F804, so how are we gonna do that if that nasty JNZ 0056F80C is always jumping us away just before we get there?

Well, the simplest way to do this is to press F8 until you are on top of the JNZ 0056F80C, then type 'e eip 90 90'. This will put the bytes 90 90 at your current point in the code; 90 is a NOP, which means No OPeration. You see now that it just goes over the NOPs and takes the JMP like we want it to, so clear your breakpoints with 'bc *' and hit Ctrl-D. BINGO! We found the right place. Mech3 is now cracked.

OK, you go play the game for a while. Then you come back, and the next time you try to play it you still get the same error! What gives!?! We only patched the game in memory; to make our crack permanent we must patch the mech3.exe file. So open it up with a good hex editor (like Uedit or HIEW) and search for some bytes surrounding the JNZ:

83 C4 08 85 C0 75 26 EB 1C

Change the 75 26 to 90 90, like so:

83 C4 08 85 C0 90 90 EB 1C

That's it. Good luck,
BlueFox

Greets to some good crackers, and overall cool ppl =)
NeUrAl_N, TORN@DO, HarvestR, yoshi, DEZM, Tin, WarezPup, ED!SON, tKC and everyone in PC, Iczelion, hutch, Lord Caligo, CrackZ, Mammon_, Fravia+, Greythorne, +ORC

YES, there are lots of ppl I missed, sorry =)

This entire work is copyright, BlueFox 1999

I think there is an article in an older tutor for MechWarrior3, but who cares for now? If you want to learn, go for it!
:) ...........tKC


Cracking Tutorial for My PhoneBook 3.53 (http://members.aol.com/bobyang)
======> Feeling the way through the code <======

First of all I'd like to tell you that I will use a style that differs a bit from my other tutorials, which you can find at learn2crk.cjb.net ... I try to show you how to feel your way through the code (I don't know if it's understandable ... but at least I hope so).

On the download page we already saw the following info about the protection: You only get to record 6 entries per group, with a maximum number of 3 groups. That's a total of 18 entries. So our target has been somehow limited in its functionality ... that's what we call 'crippled'. Knowing the exact protection of the target, we can then go on analyzing and cracking it.

So create 6 entries in the current group. And now watch what happens as you try to add a 7th entry:

Only 6 entries allowed per group in the shareware version. Please register the program.

The displayed message box looks like a standard message box, so a BPX MessageBoxA will work. So set the necessary BPX and try adding a new entry again. You'll find yourself in SoftICE:

:00456A2E FF1520944600  CALL [USER32!MessageBoxA]
:00456A34 5E            POP ESI
:00456A35 C20C00        RET 000C

OK. Now return from that CALL ... now the following code snippet is displayed:

:0040F400 E801760400    CALL 00456A06
...
...
...
:0040F413 C3            RET

This is still not the location we're interested in, so press F10 until the RET instruction at 40F413 is executed. Then the following code snippet will be displayed:

:00457F0E EB7F          JMP 00457F8F
...
...
...
:00457F8F 8BC3          MOV EAX,EBX
:00457F91 5E            POP ESI
:00457F92 5B            POP EBX
:00457F93 5D            POP EBP
:00457F94 C21C00        RET 001C

This is still not something we're interested in, so once more press F10 until the RET instruction at 457F94 is executed.
Now the following code snippet will be displayed:

:00458096 E8F5FDFFFF    CALL 00457E90
:0045809B EB02          JMP 0045809F

Looking above the code snippet, there seems to be no check of how many entries have been entered ... so let's set a BPX at 458096 ... where the MessageBox has not been created yet, and restart the 'Entry Adding Process'. SoftICE will pop up again. Now it's time for some tracing. So enter the CALL with F8 and trace the code till you find suspicious instructions like CMP, JG, JB, ... After some tracing (~19 F10's) you will have found the following code snippet:

:0040F226 83F806        CMP EAX,06
:0040F229 0F8DC3010000  JGE 0040F3F2

It can't be that simple ... can it? Yes. We actually found the location for our first patch. So write down the memory address (for later use with Iczelion's awesome Address to Offset Utility) ... or just write down the offset F229h. Now to patch it we simply have to change it so that it doesn't matter how many entries we have added ... so we have to disable the check. This can be done in several ways. One of those ways is replacing JGE 40F3F2 (0F8DC3010000) with

INC EAX
DEC EAX
INC EAX
DEC EAX
INC EAX
DEC EAX

(404840484048). So patch this now in memory using SoftICE's 'Assemble code' command. After patching, try if it works ... and as you might have assumed already, IT DOES.

So now we just have to disable the GROUP LIMITATION. You need to create 2 groups, of course, until you can create a third one, which will produce the following error message:

Only 3 groups allowed in the shareware version. Please register the program.

Using the same method as above will lead you to the following code snippet:

:00412BF8 83BEB009000003  CMP DWORD PTR [ESI+000009B0],03
:00412BFF 0F8D05020000    JGE 00412E0A

This is the second limitation in our shareware program. After patching it in memory you'll find out that everything works flawlessly now. Now use a hex editor, like Hacker's View (also known as HIEW), and patch the offsets F229h and 12BFFh.
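The address-to-offset step used here (0040F229 to F229h, and in the Secure 2.0 tutorial further down 0040A83D to 9C3Dh) is what Iczelion's utility automates: walk the PE section table, subtract the image base, and translate the RVA through the section that contains it. The Python below is an added example, not code from any of these tutorials; it does that mapping for a PE32 file and then checks whether the bytes on disk at an address still equal an expected sequence, which is how an integrity check or an analyst comparing a copy against a known-good build would spot a tampered binary. The sample image it builds is constructed for the demonstration (two sections, ImageBase 0x400000, .text at RVA 0x1000 from file offset 0x400) and is not a real program.

```python
import struct

# First 24 bytes of IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress,
# SizeOfRawData, PointerToRawData (the full header is 40 bytes)
SECTION_HEADER = struct.Struct("<8sIIII")


def pe_sections(data):
    """Parse a PE32 image; return (image_base, [(name, va, vsize, raw_ptr, raw_size), ...])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    # COFF header: NumberOfSections at +2, SizeOfOptionalHeader at +16
    num_sections, opt_size = struct.unpack_from("<H12xH", data, coff + 2)
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    pos = opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rsize, rptr = SECTION_HEADER.unpack_from(data, pos)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), va, vsize, rptr, rsize))
        pos += 40
    return image_base, sections


def va_to_file_offset(data, va):
    """Map a virtual address to the file offset holding its bytes (the address-to-offset job)."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for name, sva, vsize, rptr, rsize in sections:
        if sva <= rva < sva + max(vsize, rsize):
            delta = rva - sva
            if delta >= rsize:  # memory-only tail of a section (e.g. .bss) has no bytes on disk
                raise ValueError("0x%08X lies in the uninitialised part of %s" % (va, name))
            return rptr + delta
    raise ValueError("0x%08X is not inside any section" % va)


def bytes_match_at_va(data, va, expected):
    """True if the on-disk bytes at the given address equal the expected sequence."""
    off = va_to_file_offset(data, va)
    return data[off:off + len(expected)] == expected


def build_sample_pe():
    """Constructed minimal PE32 image for the demo, not a real program: ImageBase 0x400000,
    .text mapped at RVA 0x1000 from file offset 0x400 (the layout that makes 0040A83D -> 9C3Dh),
    plus a .data section that is larger in memory than on disk."""
    e_lfanew, opt_size = 0x80, 0xE0
    hdr = bytearray(0x400)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, e_lfanew)
    hdr[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    coff = e_lfanew + 4
    struct.pack_into("<HH12xH2x", hdr, coff, 0x14C, 2, opt_size)  # i386, two sections
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)          # PE32 magic
    struct.pack_into("<I", hdr, opt + 28, 0x400000)  # ImageBase
    sec = opt + opt_size
    SECTION_HEADER.pack_into(hdr, sec, b".text", 0xA000, 0x1000, 0xA000, 0x400)
    SECTION_HEADER.pack_into(hdr, sec + 40, b".data", 0x1000, 0xB000, 0x200, 0xA400)
    text = bytearray(0xA000)
    # the "jle 0040A943" bytes from the Secure 2.0 listing, placed at RVA 0xA83D
    text[0xA83D - 0x1000:0xA83D - 0x1000 + 6] = bytes.fromhex("0F8E00010000")
    return bytes(hdr) + bytes(text) + bytes(0x200)


if __name__ == "__main__":
    pe = build_sample_pe()
    print("0040A83D -> %Xh" % va_to_file_offset(pe, 0x40A83D))
    print("original jle still on disk:", bytes_match_at_va(pe, 0x40A83D, bytes.fromhex("0F8E00010000")))
```

Point it at a real file by reading it with open(path, "rb").read() instead of build_sample_pe(); images whose sections are not mapped 1:1 (the usual 0x1000 in memory vs 0x200 on disk alignment) are exactly the case where the section walk matters.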
To remove the '(SHAREWARE)' text in the title bar as well ... just perform an ASCII search and replace it with 202D200000000000000000.

Another target has been Reverse Engineered.

====> If you want to USE ANY PROGRAM BEYOND its FREE TRIAL PERIOD, then please BUY IT.

Greetings to: tKC, +Aesculapius, +MaLaTTiA, +ORC, /Miz, alpine, Bisoux, Borna, Boggy, Crackz, DnNuke, ECLiPSE Group, epxy, Eternal Bliss, Dead-Mike, FaNt0m, Fravia, fresh, Ghiri, HarvestR, Iczelion, Jeff, LaZaRuS, Lord Soth, LUCIFER48, McCodEMaN, MiZ, Ms Jessca, night, NiKai, Nitrus, OkStart, pruri, RevX, Rhayader, Santa Clawz, sortof, tC, The Sandman, Vladimir, Volatility, WarezPup, WKT Group, Xomgromit, yosh, ytc, ECLiPSE, TMG and CiA group and EVERYONE ELSE

You may ask me any question you want. I can be reached at #Cracking4Newbies on EFNET or via e-mail at TORNADO@writemail.com

My website with other tutorials and the cRACKER's n0TES can be found at learn2crk.cjb.net

------------------------------------------------------------------------------------------
Copyright (c) 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.


Cracking Tutorial for Ulead Cool 3D 2.5
====> Using ProcDump for Auto-Cracking VBox <====

Tools used
----------
ProcDump 1.5.0 (available together with several tuts at procdump32.cjb.net)

First of all I'd like to tell you that this tutorial is thought of as a quick help for people new to ProcDump who'd like to kill the VBox 4.0 protection. This tutorial has been requested by a guy on #cracking4newbies on EFNet. Although I think most of you can use ProcDump for killing VBox protection already, this guy was not able to do so. I hope after this short tutorial everyone is able to do this.

Choose any program protected by VBox 4.0.3 ... I've chosen Ulead Cool 3D 2.5, which I found on a CD-ROM near my PC. But this will work with any target protected by VBox < 4.2.

The first step of course is to start ProcDump ... after that choose UNPACK. Now you need to choose 'VBox Dialog'.
After you pressed OK you need to choose the EXE file that has been protected by VBox ... for me this is U3DEDIT2.EXE. Now you have to wait till your target has been loaded and the VBox screen is displayed. The next step is to press the TRY button. Now you have to switch back to ProcDump and press the OK button, which signals to ProcDump that the target has been loaded and is ready to be worked with. Now the Unpacker Status Window in ProcDump showed me the following information:

Predumping File ...
Tracing File ...
Hiding Debugger to host ...
Breakpoint reached at 0x004FC000
String search in progress .....
Setting breakpoint at 0x004FC02B
Breakpoint reached at 0x004FC02B
Setting breakpoint at 0x004FB000
Breakpoint reached at 0x004FB000
Setting Memory Search Base to 0x004FB000
String search in progress .....
Setting breakpoint at 0x004FB02B

And then the VBox Dialog appeared once again. You now need to press the TRY button. Then 'Step by step analyzis' has been activated and you need to choose the output file, e.g. CRACKED.EXE. Then you'll get something like 'Process Successfully unpacked :) (EIP 0x004FB20B)'. Now use ProcDump's included PE Editor to kill the no-longer-needed section, which is 'WeiJunLi', and apply the changes 'To PE file'.

Now your target has been automatically cracked using ProcDump ... that was only an introduction to ProcDump for newbies ... more experienced crackers should choose the way I've chosen and crack VBox using SoftICE (hint!). But this lesson has been written for newbies to ProcDump as an introduction.

IF YOU WOULD LIKE TO HAVE A TUTORIAL ON A SPECIFIC TARGET (NO GAMES), MEET ME ON IRC AT #Cracking4Newbies or #C.i.A or e-mail me at TORNAD0_@hotmail.com ... NOTE DOWN URL AND SIZE OF THE TARGET AND ALSO INCLUDE THE TYPE OF PROTECTION.

Another target has been Reverse Engineered.

====> If you want to USE ANY PROGRAM BEYOND its FREE TRIAL PERIOD, then please BUY IT.
Greetings to: tKC, +Aesculapius, +MaLaTTiA, +ORC, /Miz, alpine, Bisoux, Borna, Boggy, Crackz, DnNuke, ECLiPSE Group, epxy, Eternal Bliss, Dead-Mike, FaNt0m, Fravia, fresh, Ghiri, HarvestR, Iczelion, Jeff, LaZaRuS, Lord Soth, LUCIFER48, McCodEMaN, MiZ, Ms Jessca, night, NiKai, Nitrus, OkStart, pruri, RevX, Rhayader, Santa Clawz, tC, The Sandman, Vladimir, Volatility, WarezPup, WKT Group, Xomgromit and EVERYONE ELSE

You may ask me any question you want. I can be reached at #Cracking4Newbies on EFNET or via e-mail at TORNAD0_@hotmail.com

My website with other tutorials and the cRACKER's n0TES can be found at: learn2crk.cjb.net

------------------------------------------------------------------------------
Copyright (c) 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.


Secure 2.0
http://www.coredcs.com
Tutor by PinguTM (PinguTM@hotmail.com)
This is my 13th tutorial, whey another one ;)
Type: Time Limit
Tools: WinDASM, Hiew

1. When you start the program you will see "You are on day 1 of the 30 day evaluation..". Put your system clock forward a few months and reload. Bah, evaluation period over and we can't get into the program :(

2. Load WinDasm and decompile secure.exe. Now select string data references and select "SECURE EVALUATION", as this was in the title bar.

3. You will now see something like this....

* Possible StringData Ref from Data Obj ->"SECURE EVALUATION"
|
:0040A921 6864124100      push 00411264
:0040A926 8D855CF3FFFF    lea eax, dword ptr [ebp+FFFFF35C]
:0040A92C 50              push eax
:0040A92D 8B8DE4F2FFFF    mov ecx, dword ptr [ebp+FFFFF2E4]

4. Scroll way up till you see this........

:0040A836 83BD58F3FFFF1E  cmp dword ptr [ebp+FFFFF358], 0000001E
:0040A83D 0F8E00010000    jle 0040A943
:0040A843 6820114100      push 00411120
:0040A848 8D8D5CF3FFFF    lea ecx, dword ptr [ebp+FFFFF35C]
:0040A84E 51              push ecx

5. Notice the CMP line. This is comparing the evaluation time to 1E, which = 30 days. Well, let's change the jle to a jne :) Load up Hiew. Press F4 and select Decode.
Now press F5 and type in the offset, which is "9C3D". Now press F3 for edit mode and type "0F85". Press F9 to save, and F10 to quit. Reload Secure.. BAH, a CRC check, "Modified proggie" etc...

6. Now select string data references and select "Program has halted" (you will have seen this in the title bar). Now you will see this......

* Possible StringData Ref from Data Obj ->"Program has Halted"
|
:0040592E 6894014100      push 00410194
:00405933 8D954CEFFFFF    lea edx, dword ptr [ebp+FFFFEF4C]
:00405939 52              push edx
:0040593A 8B8D40EFFFFF    mov ecx, dword ptr [ebp+FFFFEF40]

7. Now scroll way up till you see this.......

:00405892 83BD48EFFFFFFF  cmp dword ptr [ebp+FFFFEF48], FFFFFFFF
:00405899 0F85C5000000    jne 00405964
:0040589F 68E4FF4000      push 0040FFE4
:004058A4 8D8D4CEFFFFF    lea ecx, dword ptr [ebp+FFFFEF4C]
:004058AA 51              push ecx

8. Hmmm, that jne looks suspect. Fire Hiew up like before and go to offset "4C99". Press F3 and type "0F84", which will make it a je. Press F9 to save and F10 to exit. Reload Secure...... Awesome, it loads right up :) Now it won't expire. Put your clock to the correct date and reload. Hmm, still comes up with day whatever of 30. Ah well, as soon as the limit is up it won't expire, and that's the main thing!

9. There are still some little things that can be done to this, like taking the UNREGISTERED COPY out of the main title bar and removing the "Day whatever of 30" nag. If you try this and get them removed, please mail me on how you did it, because I can't really be bothered :)

-=-=-=- PinguTM -=-=-=-


Kingpin: Life of Crime v1.0 (US)
http://www.Your-Local-Gaming-Store.come :)
Tutor by PinguTM (PinguTM@hotmail.com)
This is my 14th tutorial, whey another one ;)
Type: CD Check
Tools: WinDASM, Hiew

1. When you start Kingpin and select a new game, you will get an error saying that you need the Kingpin CD to play, and that sucks.... right?

2. Load WinDasm and decompile Kingpin.exe. Now select string data references and select "You must have the kingpin CD in " ...
Click it again.........

3. You will now see something like this....

* Possible StringData Ref from Data Obj ->"You must have the KINGPIN CD in "
                                        ->"the drive to play."
|
:0044203C 68C8414500      push 004541C8
:00442041 50              push eax
:00442042 E859D7FDFF      call 0041F7A0
:00442047 83C408          add esp, 00000008

4. Scroll up till you see this........

:00442036 8BF0            mov esi, eax
:00442038 85F6            test esi, esi
:0044203A 750E            jne 0044204A

5. If you have read a lot of my tuts you should know how to operate Hiew. So fire Hiew up, go to offset "4203A" and change that jne to a je :)

6. Now back to WinDASM, scroll down a little till you see this.....

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0044203A(C)
|
:0044204A E881FEFFFF      call 00441ED0
:0044204F 85C0            test eax, eax
:00442051 750E            jne 00442061

* Possible StringData Ref from Data Obj ->"You must have the KINGPIN CD in "

7. Ahhh, another jne... Yup, we wanna change it to a je. Back to Hiew with offset "42051" and sort that sukka out :)

8. Now back again to WinDASM and scroll down again till you see this....

:00442061 56              push esi
:00442062 E819000000      call 00442080
:00442067 83C404          add esp, 00000004
:0044206A 85C0            test eax, eax
:0044206C 5E              pop esi
:0044206D 750E            jne 0044207D

* Possible StringData Ref from Data Obj ->"You must have the KINGPIN CD in "

9. All I can say now is go to offset "4206D" and change that jne to a je. Now you can take Kingpin back to the store and exchange it for another game to crack :)

-=-=-=- PinguTM -=-=-=-


LP Ripper Version 3.0
http://www.cfbsoftware.com.au
Tutor by PinguTM (PinguTM@hotmail.com)
This is my 15th tutorial, whey another one ;)
Type: Serial
Tools: WinDASM, Hiew

Are you converting your vinyl LPs to MP3 files? You have probably discovered how time-consuming it is trying to record each track as a separate MP3 file. LP Ripper makes the task much easier. Just record each side of your LP as a single WAV file on your computer.
LP Ripper automatically splits the file into a separate WAV file for each track, and optionally calls your MP3 encoder to produce an MP3 file for each track.

1. Start lpripper.exe and select Help, Register. Fill out the boxes and hit OK. Motherfucker - Invalid Id. Hmmmm, I knew that was coming :)

2. Load WinDasm and decompile lpripper.exe. Now select string data references and select "Invalid registration no".

3. You will now see something like this....

* Possible StringData Ref from Code Obj ->"Invalid Registration No"
|
:004518E7 B828194500      mov eax, 00451928
:004518EC E81BCBFFFF      call 0044E40C

4. Scroll up till you see this........

:004518D4 751B            jne 004518F1
:004518D6 837DFC00        cmp dword ptr [ebp-04], 00000000
:004518DA 7415            je 004518F1
:004518DC 6A05            push 00000005
:004518DE 668B0D1C194500  mov cx, word ptr [0045191C]
:004518E5 B201            mov dl, 01

5. If you have read a lot of my tuts you should know how to operate Hiew. So fire Hiew up, go to offset "50CDA" and change that je to a jne. Save it, reload LP Ripper and enter all the register details again. Hit OK... Hmmm, no nag, so I guess it's accepted the info. Click Help, About. Bah... Still says Trial Version....

6. Back to WinDASM, select string data references and select "Trial". You should see this...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00453EC8(C)
|
* Possible StringData Ref from Code Obj ->"Trial"
|
:00453F12 BA703F4500      mov edx, 00453F70
:00453F17 8B86DC020000    mov eax, dword ptr [esi+000002DC]
:00453F1D E80A8AFDFF      call 0042C92C

7. Notice the 00453EC8(C). Well, hit the GoTo location button and enter "453EC8". You will see this......

:00453EC8 7448            je 00453F12
:00453ECA 8D55FC          lea edx, dword ptr [ebp-04]
:00453ECD A1C8224800      mov eax, dword ptr [004822C8]
:00453ED2 8B00            mov eax, dword ptr [eax]
:00453ED4 8B80C4020000    mov eax, dword ptr [eax+000002C4]
:00453EDA E81D8AFDFF      call 0042C8FC

8. Hmmmm, that je looks dodgy. Go to offset "532C8" and change that je to a jne.
Save again and re-run the proggie. Go back to the About screen. Whey... There are our details we entered last time :) Now the proggie fixes .WAV files for more than 30 seconds! Cya next time :)

-=-=-=- PinguTM -=-=-=-


We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #37, coming soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
Northpole for the splash logo.
BlueFox for providing a tut in this version.
TORN@DO for providing 2 tuts in this version.
PinguTM for providing 3 tuts in this version.
tKC/CiA (hey, it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address! And all the tutors can be found at www.msjessca.da.ru!

Greetz go to all my friends! You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. but be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 14 August 1999

Cracking Tutorial #36 is dedicated to Ms_Jessca... my liefie only ...who else?