Welcome to Cracking Tutorial #37!

Hiya peepz,

Here's another tutor for you, nothing special :) As always, I'm busy with coding other projects... Anyway, let's go!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE 4.00
W32Dasm 8.93
Hacker's View 6.20
SmartCheck 6.03
TASM 5.00
Windows Commander 4.01 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://mercury.spaceports.com/~quel/protools/ or ask any crackers to get you these tools!

Are you ready?! OK! ;)


How to crack FTP Navigator 4.15 (http://www.vista.ru)

======> #Cracking4Newbies Target: 001 <======

Tools used:
-----------
SoftICE, Hacker's View (available at protools.cjb.net)

C4N Project Site: (tutorials for older projects and target for current project)
-----------------
http://www.c4nprojects.cjb.net

People who have been in the scene as long as yosh know that there was a weekly cracking target for NON-ops and for ops at #Cracking4Newbies. I don't know why, but when I joined the channel the first time there wasn't such a project. I want to bring such a project back to teach the next generation of crackers, also known as Newbies, how to crack. I've chosen a target which I thought was very easy to crack ... however some Newbies on C4N couldn't get it, so I decided to write this short tutorial. I hope that with the help of it everyone can understand how to crack such a target.

When I started FTP Navigator the first time I thought that it has only a time limit protection ... a nice screen that looks like a NAG pops up ... after I've moved the mouse it got killed, so this isn't a real NAG. Now what would happen if we set the time forward so FTP Navigator has expired? Well, let's try. Oh my god.
The OK button in the START DIALOG, which has turned into a NAG Screen now, gets disabled ... and it is only ENABLED after 1710 seconds (28.5 mins) ... press EXIT.

So let's start killing that stupid NAG that gets displayed after FTP Navigator has expired. For NAG Screens of the kind you can find in FTP Navigator, I suggest you BPX on ShowWindow ... and so have I done. After setting the BPX and starting FTP Navigator, SoftICE will pop up and the following code snippet will be displayed:

:0042DCBF E81C84FDFF           CALL USER32!ShowWindow
:0042DCC4 E905010000           JMP 0042DDCE

Now we need to go to the CALL that will generate the whole NAG Screen. So trace through the code with F12 (~ 16 times) and F10 (~ 40 times) a little bit, till you find something like the following code snippet:

:0042E29E 8B03                 MOV EAX,[EBX]
:0042E2A0 E8831B0000           CALL 0042FE28
:0042E2A5 8B03                 MOV EAX,[EBX]
:0042E2A7 80787C00             CMP BYTE PTR [EAX+7C],00
:0042E2AB 740F                 JZ 0042E2BC
:0042E2AD 8B45FC               MOV EAX,[EBP-04]
:0042E2B0 C7805001000002000000 MOV DWORD PTR [EAX+00000150],00000002
:0042E2BA EB14                 JMP 0042E2D0
:0042E2BC 8B45FC               MOV EAX,[EBP-04]
:0042E2BF 83B85001000000       CMP DWORD PTR [EAX+00000150],00
:0042E2C6 7408                 JZ 0042E2D0
:0042E2C8 8B45FC               MOV EAX,[EBP-04]
:0042E2CB E838FDFFFF           CALL 0042E008
:0042E2D0 8B45FC               MOV EAX,[EBP-04]
:0042E2D3 8B8050010000         MOV EAX,[EAX+00000150]
:0042E2D9 85C0                 TEST EAX,EAX
:0042E2DB 74C1                 JZ 0042E29E
:0042E2DD 8945F8               MOV [EBP-08],EAX
:0042E2E0 6A00                 PUSH 00
:0042E2E2 6A00                 PUSH 00
:0042E2E4 6801B00000           PUSH 0000B001
:0042E2E9 8B45FC               MOV EAX,[EBP-04]
:0042E2EC E8FB5CFFFF           CALL 00423FEC
:0042E2F1 50                   PUSH EAX
:0042E2F2 E8497DFDFF           CALL USER32!SendMessageA
:0042E2F7 8B45FC               MOV EAX,[EBP-04]
:0042E2FA E8ED5CFFFF           CALL 00423FEC
:0042E2FF 8BD8                 MOV EBX,EAX
:0042E301 E8EA7AFDFF           CALL USER32!GetActiveWindow
:0042E306 3BD8                 CMP EBX,EAX
:0042E308 7405                 JZ 0042E30F
:0042E30A 33C0                 XOR EAX,EAX
:0042E30C 8945E4               MOV [EBP-1C],EAX
:0042E30F 33C0                 XOR EAX,EAX
:0042E311 5A                   POP EDX
...
...
...
:0042E324 C3                   RET

Now as you might have guessed, this is a kind of loop. It is repeated again and again, till the 1710 seconds have passed. So we need to BREAK that loop - but how? Well, if we changed the ZERO flag (r fl z) at 42E2DB, then the program would go on. That's what we want so far, since we want to stop the COMPLETE routine from being executed. So after you've passed the RETurn instruction at 42E324, we will be close to the location which we could patch (i.e. which CALL we could replace with NOPs):

:0042E32C 33C0                 XOR EAX,EAX
:0042E32E 5A                   POP EDX
...
...
...
:0042E3BE 80A03D010000F7       AND BYTE PTR [EAX+0000013D],F7
:0042E3C5 C3                   RET
...
...
...
:0042E3E0 E8E355FDFF           CALL 004039C8
:0042E3E5 C3                   RET
...
...
...
:0042E3F4 5D                   POP EBP
:0042E3F5 C3                   RET

After RETurning, you are RIGHT after the location where the NAG has been killed:

:00459D1E 33C0                 XOR EAX,EAX

Now just look at the last instruction (scroll the Code Window up one line), and you'll get the following:

:00459D19 E83E44FDFF           CALL 0042E15C

Now we can replace the CALL 42E15C at 459D19 with NOPs to kill the NAG. Start Hacker's View, and replace

E83E44FDFF  with  9090909090

and the NAG won't be shown on startup again.

If you want to remove the 'UNREGISTERED' text also, you have to perform a search for '(Unregistered)' and replace it with what you like. E.g. replace '4.15 (Unregistered)' with '4.15 (Registered)' ... don't forget to add a 00 right behind that ROUND BRACKET CLOSE to signify that the string has ended.

Another target has been Reverse Engineered.

====> If you want to USE ANY PROGRAM BEYOND its FREE TRIAL PERIOD, then please BUY IT.
Greetings to:
tKC, +Aesculapius, +MaLaTTiA, +ORC, /Miz, ACiD BuRN, alpine, Bisoux, Borna, Boggy, Carpathia, CoRN, Crackz, DEZM, DnNuke, epxy, Eternal Bliss, Dead Mike, FaNt0m, Fravia, fresh, Ghiri, HarvestR, Iczelion, Intern, Jeff, LaZaRuS, Lord Soth, LUCIFER48, McCodEMaN, MiZ, Ms Jessca, nIabI, night, NiKai, Nitrus, OkStart, pruri, RevX, Rhayader, Santa Clawz, sortof, tC, The OWL, The Sandman, Vladimir, Volatility, WarezPup, WKT Group, Xomgromit, yosh, ytc, zoltan, ECLiPSE, TMG and CiA group and EVERYONE ELSE.

You may ask me any question you want. I can be reached at #Cracking4Newbies on EFNET or via e-mail at TORNADO@writemail.com

My website with other tutorials and the cRACKER's n0TES can be found at learn2crk.cjb.net

------------------------------------------------------------------------------------------
Copyright (c) 1999 by TORN@DO and The Immortal Descendants. All Rights Reserved.


How to find a Serial for GearAudio 1.1 with SoftIce
By: +SEKt0r

Wow! Back with my 4th tut, I dunno, I must be on drugs :). Ok, GearAudio is a proggy that lets you burn Audio CDs; a friend asked me to find a serial for it, so being a good friend, I did it for him. This program is so stoopid cos it calculates two correct codes, one for the fully registered version and the other to restore the trial back (???), I dunno why they did that (2 Serials), but it's bloody stoopid.

PART 1: TOOLS
=============

You need the following tools:

Numega SoftIce 3.xx or above (I use the new 4.00)
GearAudio
A brain (duh!)

Get the philes from here:
www.protools.cjb.net (Great site for cracking shit!)
ftp://ftp.gearcdr.com/pub/demos/gearaudio_demo.exe (2.65 MB)

After you have gotten the above tools continue.

PART 2: FINDING THE SERIAL
==========================

*Note: the memory addresses might be different on your computer*

STEP 1: Install (DUH!)... Open up GearAudio *cough* Trial (GearAudio.Exe)

STEP 2: Click on Purchase.

STEP 3: Hrmm, 3 textboxes, type in a bogus name eg. +SEKt0r.
And also type in a fake bogus serial eg. 12341234 and a company eg. medium (For you BuBBleGun :)

As explained in the other tuts (have you read them?!?!), the reason why I don't use the fake serial 123456789 is because some programs, eg. WinZip, have those numbers and letters in their code, so when you look for it you can land up shit creek.

STEP 4: Goto SoftIce by using CTRL + D, then set the two main breakpoints like this:

BPX GetWindowTextA (ENTER)
BPX GetDlgItemTextA (ENTER)

STEP 5: Now press F5 or CTRL + D (Exit).

STEP 6: Click on OK. *BOOM BLAM SHWAT* (was that necessary?) You should be back into wonderful SoftIce with the breakpoint GetWindowTextA in use.

STEP 7: Now at the bottom of the Command Window (look under notes for help on where that is) it should say:

Break Due To BPX USER32!GETWINDOWTEXTA (ET=XXXX)

STEP 8: Now press F5 two times, and then F11. The reason why I pressed F5 twice was because SoftIce broke back once, and there are three boxes, so I press F5 two more times. We are now in the TimeLock DLL, it should say:

TL32V20!TEXT+2FB3

Now disable the GetWindowTextA breakpoint by typing:

BD 0 (Breakpoint Disable)  OR  BC 0 (Breakpoint Clear)

STEP 9: We are now at:

015F:00513FB5 LEA EAX,[EBP-28]
^^^^^^^^^^^^^ Might be different on your puter

Now at the top of the screen (in the register window) it should be highlighted and should display:

EAX=00000006

Hrmmm... the length of our company name (MeDIuM) that we entered.

STEP 10: Now we trace down till we get to here:

015F:00513FCE ADD ESP,08

WHOAAA what's in our Data Window? **OUR SERIAL** (full registered)

If the serial didn't come up type: D ECX  OR  D ESP

OK, this serial is to register the program fully, so that is good, but we are crackers, and must find out as much as we can about this program and all its serials.

*NOTE* Everyone's serial will be different because the Registration Number changes every time the registration dialog is shown.
STEP 11: Trace down (F10) till you come across the following:

015F:00513FD3 JNZ 00514028

Now we step into the JNZ with F10.

STEP 12: We come to:

015F:00514028 LEA EAX,[EBP-28]

Now trace down till you come across:

015F:00514032 ADD ESP,04

STEP 13: What do we see in the Data Window!??! *OUR SERIAL* for the trial restore

STEP 14: If the correct serial didn't show up type this: D ECX.

My reg info was:

User:             +SEKt0r
Company:          MeDIuM
Full Reg No:      1719992987396675
Trial Restore No: 9757897638589326

*NOTE* The serials change every time the registration box is shown!

PART 3: NOTES
=============

This is what a SoftIce layout screen should look like:

|---------------|
|Register       |  R to edit
|---------------|
|Data Window    |  D to view an address, E to edit it
|---------------|
|Code Window    |  U to view an address, A to insert code
|---------------|
|Command Window |  Type commands
|---------------|

F5/CTRL + D - Run
F8          - Step into functions
F10         - Step over functions
F11         - Step out of functions

*Note* If some of the windows don't come up, just type the above letters eg. E, A and the windows will come up, or try WD.

You might want to print this tutorial out because you can't read stuff in winblows notepad while in SoftIce.

PART 4: FINAL THANKS
====================

Many thx goes to these following ppl, again:

Xzi    - Thnx for being a friend.
eFFeCT - For being a friend and a newbie ;)
ARSN!K - For being there to teach me Pascal :)
WoLf   - For his help + tuts
ED!SON - For his KICK ASS tutor
tKC    - For also his tuts and giving me the opportunities, thnx a lot man :)
ME     - hehe for writing this tut (:)->-<

ALL THE PPL IN MEDIUM, KEEP CRACKING GUYZ!

Everyone at #Medium #C.I.A #Cracking #Crackers #Cracking4Newbies #UCF2000 on EFNet, AND #TeamFortress and #VB on OzOrg.
And everyone else that I forgot about :)

Expect more tuts from me soon (:o)~

Contacting Me:
E-Mail: t1cker@hotmail.com
ICQ:    18381503
IRC:    Usually on EFNet as SEKt0r or tIKA if I can't get SEKt0r as my fucken nick :( You can find me usually in the above channels!

*This tutorial, as usual, can only be used for educational purposes!*
*If yer like the program, support the makers and buy the program!*


How to make a Crack for TechFacts 1.41 with Win32DASM
By: +SEKt0r

Howdy ppl (:-o. I'm back with my 5th tut! Well, I have been busy, but I managed to write a tut just for you people... TechFacts 95 is a powerful Windows 95/NT tool that empowers you to diagnose, solve and report Windows problems. Taken from its help phile :) Enough of that gay shit, let's crack!

PART 1: TOOLS
=============

You need the following tools:

Win32DASM (I use 8.93!)
TechFacts (I use v 1.41)
Turbo Pascal 7.0
A brain (duh!)

Get the philes from here:
www.protools.cjb.net (Great site for cracking shit!)
ftp://zdftp.zdnet.com/pub/private/sWlIB/utilities/system_utilities/tekf32.zip (1.3MB approx.)

After you have gotten the above tools continue.

PART 2a: FINDING THE OFFSET
===========================

STEP 1: Install [Setup.exe] (DUH!)

STEP 2: Open TechFacts (Tekfct95.exe).

STEP 3: Hrmm. A nag, fuck, that's going. Click on: Help -> About -> Enter Reg Key

STEP 4: Enter yer name, company and serial. Mine was:

*Note* Since TechFacts doesn't like the "+" char, I couldn't put "+" at the start of my name... not a biggie :)

Name:    SEKt0r
Company: MeDIuM
Code:    12341234

STEP 5: Click on OK, ouch, "Registration Key Failed!", bah, close TechFacts.

STEP 6: Open up Win32DASM, goto: Disassembler -> Open File

STEP 7: Select the TechFacts EXE file (Tekfct95.exe).

STEP 8: Wait a while while this bitch disassembles... finished?

STEP 9: Click on the SDR window (String Data Reference).

STEP 10: Look for "Registration Key Failed!" Double click it.
STEP 11: Now we are at:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00485D9B(C)                        ;Go into this Conditional Jump
|
:00485ED3 PUSH 00000030              ;Max letter count

* Referenced to user32.MessageBeep, Ord:0000h
:00485ED5 CALL 00406FF0              ;Beep if MsgBox comes up

* Possible StringData Ref from Code Obj -> "Registration Key Failed"
:00485EDA MOV EAX,00486030           ;We are here
:00485EDF CALL 004438CC

We see from the above code that we must go into the :00485D9B (C).

STEP 12: Click on: Goto -> Goto Code Location. Then input the code location, which is 00485D98

STEP 13: After we click OK, we are here:

:00485D96 CALL 00402D4C              ;Hrmm a call...
:00485D9B JNE 00485ED3               ;We landed here and this line should be highlighted green

Well, we have here a call then a JNE (Jump if not equal).

STEP 14: Ok we have found the Code location and now we need the offset. Easy. Just look at the bottom of the window, but make sure that the green bar is on the JNE 00485ED3. The bottom bar should say:

Line: 299248 Pg 3563 of 6276 Code Data @:00485D9B @Offset 0008519Bh in File: TekFct95.exe

*Note* The offset is 0008519B, but don't include the h!

PART 2b: Patching
=================

We have our offset, now we are ready. I have included the Pascal Source Code for all the newbies. Here it is:

Uses Crt;

Const
  A: Array[1..1] of Record              {<-------- 1 byte to be patched}
       A : Longint;
       B : Byte;
     End = ((A:$0008519B; B:$74));       {<-------- Offset "0008519B" and byte "74" (0F74 = 74 = je) to be written}

Var
  Ch : Char;                             {<----- Defines the variables and what they mean}
  I  : Byte;
  F  : File;

Begin                                    {<------------ Start of the proggy}
  TextColor(White);                      {<----- Changes the textcolor}
  Writeln(' Crack for Techfacts95 v. 1.41 ');
  Assign(F,'Tekfct95.exe');              {<-------------- Filename to be patched}
  {$I-} Reset(F,1); {$I+}
  If IOResult <> 0 then
  begin
    TextColor(Red);
    Writeln('File not found!');          {<-- Display error message if file not found}
    Writeln('Put the crack in the same dir as Tekfct95.exe');
    Halt(1);                             {<------ Quit the proggy}
  end;
  If FileSize(F) <> 1519616 Then         {<---- Exact file size}
  Begin
    TextColor(Red);
    Write(' Wrong Version/File Size! .. aborted!');
    Close(F);
    Halt(1);
  End;
  For I:=1 to 1 do                       {<---------------------- 1 byte to be patched}
  Begin
    Seek(F,A[I].A);
    Ch:=Char(A[I].B);
    BlockWrite(F,Ch,1);
  End;
  Close(F);                              {<----- Flush the write and release the file}
  Writeln('File successfully patched!');
End.

PART 3: FINAL THANKS
====================

Many thx goes to these following ppl, again:

Xzi    - Thnx for being a friend.
eFFeCT - For being a friend and a newbie ;)
ARSN!K - For being there to teach me Pascal :)
WoLf   - For his help + tuts
ED!SON - For his KICK ASS tutor
tKC    - For also his tuts and giving me the opportunities, thnx a lot man :)
ME     - For writing this quick tut?

ALL THE PPL IN MEDIUM, KEEP CRACKING GUYZ!

Everyone at #Medium #C.I.A #Cracking #Crackers #Cracking4Newbies #UCF2000 on EFNet, AND #TeamFortress and #VB on OzOrg. And everyone else that I forgot about :)

Expect more tuts from me soon (:o)~

Contacting Me:
E-Mail: t1cker@hotmail.com
ICQ:    18381503
IRC:    Usually on EFNet as SEKt0r or tIKA if I can't get SEKt0r as my fucken nick :( You can find me usually in the above channels!

*This tutorial, as usual, can only be used for educational purposes!*
*If yer like the program, support the makers and buy the program!*


Cracking Security Administrator For Windows 95/98 v1.3
by douby^dread

First of all, I'd like to say that I really like Tornado's approach of helping newbies with increasing their cracking skills. That's why I decided to help him with this project of his ;-)

When you run Secagent, the first thing you'll notice is a window asking you for the serial number.. It doesn't ask for a name or company or anything like that.
So the serial is probably hardcoded or sumphing like that... Let's enter a wrong serial... What you get is a messagebox whining about a wrong registration code.. Now what? We could do a couple of things: first of all we could do a lil'bit of fooling around in softice, setting some breakpoints and stuff, or we could load the program in w32dasm and take a look at the dead listing first... The latter is the approach I usually prefer.. So guess what I did first eh? Yeah dudez, you got it right, I disassembled the program in w32dasm and took a look at the string table.. And boy, there were a couple of nice fish swimming around in there ;-) "Sorry this registration code", "Registration has successfully".. Double clicking on one of these babes will get you here:

:00471C64 8B55FC               mov edx, dword ptr [ebp-04]
:00471C67 8BC3                 mov eax, ebx
:00471C69 E842B0FFFF           call 0046CCB0
:00471C6E 84C0                 test al, al
:00471C70 7438                 je 00471CAA                ;if al == 0 wrong serial
:00471C72 8B4DFC               mov ecx, dword ptr [ebp-04]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471C0E(C)
|
:00471C75 BAEC1C4700           mov edx, 00471CEC
:00471C7A A1B4584700           mov eax, dword ptr [004758B4]
:00471C7F E8E07FFFFF           call 00469C64
:00471C84 B201                 mov dl, 01
:00471C86 A1B4584700           mov eax, dword ptr [004758B4]
:00471C8B E8B87FFFFF           call 00469C48
:00471C90 6A40                 push 00000040

* Possible StringData Ref from Code Obj ->"Information"
|
:00471C92 B9F01C4700           mov ecx, 00471CF0

* Possible StringData Ref from Code Obj ->"Registration has successfully "
                                        ->"completed!"
|
:00471C97 BAFC1C4700           mov edx, 00471CFC
:00471C9C A1C0404700           mov eax, dword ptr [004740C0]
:00471CA1 8B00                 mov eax, dword ptr [eax]
:00471CA3 E85C50FDFF           call 00446D04
:00471CA8 EB18                 jmp 00471CC2

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471C70(C)
|
:00471CAA 6A10                 push 00000010

* Possible StringData Ref from Code Obj ->"Error"
|
:00471CAC B9281D4700           mov ecx, 00471D28

* Possible StringData Ref from Code Obj ->"Sorry, this registration code "
                                        ->"is invalid!"
|
:00471CB1 BA301D4700           mov edx, 00471D30
:00471CB6 A1C0404700           mov eax, dword ptr [004740C0]
:00471CBB 8B00                 mov eax, dword ptr [eax]
:00471CBD E84250FDFF           call 00446D04

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00471CA8(U)
|
:00471CC2 33C0                 xor eax, eax
:00471CC4 5A                   pop edx
:00471CC5 59                   pop ecx
:00471CC6 59                   pop ecx
:00471CC7 648910               mov dword ptr fs:[eax], edx

As you can see, the routine containing the serial check is probably located at :0046CCB0... So let's take a look over there ;-)

:0046CCB0 55                   push ebp
:0046CCB1 8BEC                 mov ebp, esp
:0046CCB3 51                   push ecx
:0046CCB4 53                   push ebx
:0046CCB5 56                   push esi
:0046CCB6 8955FC               mov dword ptr [ebp-04], edx
:0046CCB9 8BF0                 mov esi, eax
:0046CCBB 8B45FC               mov eax, dword ptr [ebp-04]
:0046CCBE E81171F9FF           call 00403DD4
:0046CCC3 33C0                 xor eax, eax
:0046CCC5 55                   push ebp
:0046CCC6 68A4CD4600           push 0046CDA4
:0046CCCB 64FF30               push dword ptr fs:[eax]
:0046CCCE 648920               mov dword ptr fs:[eax], esp
:0046CCD1 33DB                 xor ebx, ebx
:0046CCD3 C605B858470000       mov byte ptr [004758B8], 00
:0046CCDA B8BC584700           mov eax, 004758BC
:0046CCDF E8C06CF9FF           call 004039A4
:0046CCE4 8B45FC               mov eax, dword ptr [ebp-04]
:0046CCE7 E8346FF9FF           call 00403C20
:0046CCEC 83F80C               cmp eax, 0000000C
:0046CCEF 0F8599000000         jne 0046CD8E
:0046CCF5 8B45FC               mov eax, dword ptr [ebp-04]
:0046CCF8 803838               cmp byte ptr [eax], 38
:0046CCFB 0F858D000000         jne 0046CD8E
:0046CD01 8B45FC               mov eax, dword ptr [ebp-04]
:0046CD04 80780233             cmp byte ptr [eax+02], 33
:0046CD08 0F8580000000         jne 0046CD8E
:0046CD0E 8B45FC               mov eax, dword ptr [ebp-04]
:0046CD11 80780331             cmp byte ptr [eax+03], 31
:0046CD15 7577                 jne 0046CD8E
:0046CD17 8B45FC               mov eax, dword ptr [ebp-04]
:0046CD1A 80780439             cmp byte ptr [eax+04], 39
:0046CD1E 756E                 jne 0046CD8E
:0046CD20 8B45FC               mov eax, dword ptr [ebp-04]
:0046CD23 80780830             cmp byte ptr [eax+08], 30
:0046CD27 7565                 jne 0046CD8E
:0046CD29 8B45FC               mov eax, dword ptr [ebp-04]
:0046CD2C 80780935             cmp byte ptr [eax+09], 35
:0046CD30 755C                 jne 0046CD8E
:0046CD32 8B45FC               mov eax, dword ptr [ebp-04]
:0046CD35 80780A53             cmp byte ptr [eax+0A], 53
:0046CD39 7553                 jne 0046CD8E
:0046CD3B 8B45FC               mov eax, dword ptr [ebp-04]
:0046CD3E 80780B45             cmp byte ptr [eax+0B], 45
:0046CD42 754A                 jne 0046CD8E
:0046CD44 B8BC584700           mov eax, 004758BC
:0046CD49 8B55FC               mov edx, dword ptr [ebp-04]
:0046CD4C E8A76CF9FF           call 004039F8
:0046CD51 C605B858470001       mov byte ptr [004758B8], 01
:0046CD58 B301                 mov bl, 01
:0046CD5A 33D2                 xor edx, edx
:0046CD5C 8B8600050000         mov eax, dword ptr [esi+00000500]
:0046CD62 E86DCEFCFF           call 00439BD4
:0046CD67 33D2                 xor edx, edx
:0046CD69 8B8614050000         mov eax, dword ptr [esi+00000514]
:0046CD6F E8B8D9FBFF           call 0042A72C
:0046CD74 33D2                 xor edx, edx
:0046CD76 8B8610030000         mov eax, dword ptr [esi+00000310]
:0046CD7C E853CEFCFF           call 00439BD4
:0046CD81 33D2                 xor edx, edx
:0046CD83 8B860C030000         mov eax, dword ptr [esi+0000030C]
:0046CD89 E846CEFCFF           call 00439BD4

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0046CCEF(C), :0046CCFB(C), :0046CD08(C), :0046CD15(C), :0046CD1E(C)
|:0046CD27(C), :0046CD30(C), :0046CD39(C), :0046CD42(C)
|
:0046CD8E 33C0                 xor eax, eax
:0046CD90 5A                   pop edx
:0046CD91 59                   pop ecx
:0046CD92 59                   pop ecx
:0046CD93 648910               mov dword ptr fs:[eax], edx
:0046CD96 68ABCD4600           push 0046CDAB

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046CDA9(U)
|
:0046CD9B 8D45FC               lea eax, dword ptr [ebp-04]
:0046CD9E E8016CF9FF           call 004039A4
:0046CDA3 C3                   ret

A lot of jumps to 0046CD8E eh?
Prolly not a nice place to jump to eh ;-) And what do you think about all those cmp byte ptr [eax + X], XX eh? Prrrretty suspicious if you ask me... What could that cmp eax, 0000000C mean? A length check? Well I'm usually a very lazy person, so this is what I did... I just wrote down the digits and letters corresponding to the ASCII values behind all the eax compares... So:

cmp byte ptr [eax], 38     -> 8
cmp byte ptr [eax+02], 33  -> 3
cmp byte ptr [eax+03], 31  -> 1
cmp byte ptr [eax+04], 39  -> 9
cmp byte ptr [eax+08], 30  -> 0
cmp byte ptr [eax+09], 35  -> 5
cmp byte ptr [eax+0A], 53  -> S
cmp byte ptr [eax+0B], 45  -> E

Eh, but what about the places the program doesn't check, like [eax+01]? Well, it could be that the program checks them later in another routine, but like I said, I'm lazy, so for now, put some nice X's in the empty spaces... This is what we'll get:

8X319XXX05SE

Okiz, let's enter this number in the "enter registration code" textfield... And.. Bingo! It works ;-)

Well that's all folks..

Greets go out to: all dread members, all faith members, all revolution members and all ecolove members, yosh, carpathia, bjanes, hutch, sortof, josephCo and prolly some other dudes I forgot ;-)

------------------------------------------------------------------------------------------
#Cracking4Newbies Project site at c4nprojects.cjb.net


How to crack EscapeRC v1.0.1
by ACiD BuRN [ECLiPSE/CiA]

Description: a VB5 Time_Limit!

Tools used:
- Wdasm89 (yes, i wanna have fun!)
- hexeditor!

URL: http://members.xoom.com/ACiD_K17/Prog/EscapeRC.zip

The essay:

As you can see, the tool used isn't SoftIce or SmartCheck, but Wdasm! In VB apps, you can't find string data references with the original version of Wdasm :( Anyway, you can use the imports! So, run your target after you've moved your computer's date to 2002, for example... Boom, you see a messagebox: Trial period is over, BLABLABLA.... OK, the VB apps don't use the API MessageBoxA.
They use a similar one: rtcMsgBox. So, in VB, for a messagebox, you need to use:

Bpx rtcmsgbox   (for VB6: bpx msvbvm60!rtcmsgbox)

OK, u can use SoftIce, but in this essay i want to show that u can use Wdasm for cracking VB...

Fire up Wdasm, disassemble your target (EscapeRC.exe)... goto imports and look for: rtcmsgbox. Click 2 times, coz the 1st time is not important. You will see this:

* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h

Scroll up and you see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:   <== Referenced at
|:0041FA39(C)                                                              41FA39
|
:0041FB84 B904000280           mov ecx, 80020004
:0041FB89 B80A000000           mov eax, 0000000A
:0041FB8E 894DAC               mov dword ptr [ebp-54], ecx
:0041FB91 894DBC               mov dword ptr [ebp-44], ecx
:0041FB94 894DCC               mov dword ptr [ebp-34], ecx
:0041FB97 8D5594               lea edx, dword ptr [ebp-6C]
:0041FB9A 8D4DD4               lea ecx, dword ptr [ebp-2C]
:0041FB9D 8945A4               mov dword ptr [ebp-5C], eax
:0041FBA0 8945B4               mov dword ptr [ebp-4C], eax
:0041FBA3 8945C4               mov dword ptr [ebp-3C], eax
:0041FBA6 C7459C205A4000       mov [ebp-64], 00405A20
:0041FBAD C7459408000000       mov [ebp-6C], 00000008

* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
|
:0041FBB4 FF158CD34200         Call dword ptr [0042D38C]
:0041FBBA 8D55A4               lea edx, dword ptr [ebp-5C]
:0041FBBD 8D45B4               lea eax, dword ptr [ebp-4C]
:0041FBC0 52                   push edx
:0041FBC1 8D4DC4               lea ecx, dword ptr [ebp-3C]
:0041FBC4 50                   push eax
:0041FBC5 51                   push ecx
:0041FBC6 8D55D4               lea edx, dword ptr [ebp-2C]
:0041FBC9 6A00                 push 00000000
:0041FBCB 52                   push edx

* Reference To: MSVBVM50.rtcMsgBox, Ord:0253h   <=== you land here after the click
------------------------------------------------------------------------------------

So, you saw: Referenced at 0041FA39. In Wdasm, menu Goto, choose Code Location and enter: 0041FA39. You will land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041FA24(C)
|
:0041FA34 66837DEC1F           cmp word ptr [ebp-14], 001F   <== compare with 1F (31 in decimal)
:0041FA39 0F8D45010000         jnl 0041FB84                  <== a
conditional jump! :)
:0041FA3F 6830394000           push 00403930

* Reference To: MSVBVM50.__vbaNew, Ord:0000h
|
:0041FA44 FF15E8D24200         Call dword ptr [0042D2E8]
:0041FA4A 50                   push eax
:0041FA4B 6810A04200           push 0042A010

Now, u just have to patch it! To be sure it works, i changed it to:

:0041FA34 66837DEC00           cmp word ptr [ebp-14], 00
:0041FA39 0F8445010000         je 0041FB84

Hex edit your target and:
- search: 66837DEC1F   and change it to: 66837DEC00.
- search: 0F8D45010000 and change it to: 0F8445010000

Save it, and run it! WOW! No more Time limit! hehe, fucking easy! Now u know how to patch VB using Wdasm!

Well, this tut is finished, hope u understand all this piece of text, but if you have a comment or a question, mail me at: ACiD_BuRN@crackerinaction.org

have fun...

Greetings to my groups: ECLiPSE / CiA

Also greetingz to: (no specific order)
R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, Torn@do, T4D Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas ....

i want to greet the PWA members; i left this group due to not having enough time for them :( sorry Dudes ;), i will be back!

If your name is not here, sorry! Lots of men to greet!

ACiD BuRN [ECL/CiA]


We really hope you've enjoyed this tutorial as much as we did!

Don't miss Tutor #38 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
Socko for Splash Logo.
+SEKt0r for providing 2 tuts in this version.
TORN@DO for providing a tut in this version.
douby^dread for providing a tut in this version.
ACiD BuRN for providing a tut in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials ..
see below for my email address!

And all the tutors can be found at www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. but be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 05 September 1999

Cracking Tutorial #37 is dedicated to Ms_Jessca, my liefie only. Who else?
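An added closing example, not part of any tutorial above: the GearAudio and Security Administrator write-ups both recover the serial because the program holds it in a directly comparable form, as byte immediates in the code (cmp byte ptr [eax+N], XX) or as the computed correct value in memory right before the compare (what "D ECX" shows). The C below models the Security Administrator compare table exactly as disassembled, next to a check that ships and compares only a digest of the code so neither technique finds it; it changes nothing about patching the final branch, which the other write-ups on the page do. The sample valid code "8A319BCD05SE", the function names and the FNV-1a stand-in digest are assumptions of this example.

```c
/* Added example for the registration checks discussed above; not code from
 * any of the tutorials.  The compare table is read from the Security
 * Administrator listing; everything else is constructed for illustration. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Style seen in Security Administrator: the valid code sits in the binary as
 * immediates and positions 1, 5, 6, 7 are never examined, so "8X319XXX05SE"
 * is accepted exactly as the write-up describes. */
int weak_positional_check(const char *code)
{
    static const struct { int pos; char ch; } table[] = {
        {0x0, '8'}, {0x2, '3'}, {0x3, '1'}, {0x4, '9'},
        {0x8, '0'}, {0x9, '5'}, {0xA, 'S'}, {0xB, 'E'},
    };
    size_t i;
    if (strlen(code) != 12)                     /* cmp eax, 0000000C */
        return 0;
    for (i = 0; i < sizeof table / sizeof table[0]; i++)
        if (code[table[i].pos] != table[i].ch)  /* jne 0046CD8E */
            return 0;
    return 1;
}

/* Digest used by the verifying check.  FNV-1a is a short, readable stand-in
 * for a cryptographic hash or a signature check and would not be shipped
 * as-is; the structure is the point: the binary carries no comparable code. */
static uint64_t fnv1a64(const char *s)
{
    uint64_t h = 14695981039346656037ULL;       /* FNV-1a 64-bit offset basis */
    for (; *s; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;                  /* FNV-1a 64-bit prime */
    }
    return h;
}

/* Vendor side, run once at build time: only the returned digest is embedded
 * in the program, never the code itself, so there is no serial to "D ECX". */
uint64_t issue_digest(const char *valid_code)
{
    return fnv1a64(valid_code);
}

/* Constant-time equality: the compare does not short-circuit on the first
 * differing byte, so its timing says nothing about how close a guess is. */
static int ct_equal64(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8;
    d |= d >> 4;  d |= d >> 2;  d |= d >> 1;
    return (int)(1u ^ (unsigned)(d & 1));       /* 1 if a == b, else 0 */
}

/* Client side: every character of the input feeds the digest, so no position
 * can be left as an 'X', and the correct code never exists in memory. */
int digest_check(const char *code, uint64_t shipped_digest)
{
    if (strlen(code) != 12)
        return 0;
    return ct_equal64(fnv1a64(code), shipped_digest);
}

int main(void)
{
    /* Constructed valid code that satisfies the eight checked positions. */
    uint64_t shipped = issue_digest("8A319BCD05SE");
    printf("weak   8X319XXX05SE -> %d\n", weak_positional_check("8X319XXX05SE"));
    printf("digest 8X319XXX05SE -> %d\n", digest_check("8X319XXX05SE", shipped));
    printf("digest 8A319BCD05SE -> %d\n", digest_check("8A319BCD05SE", shipped));
    return 0;
}
```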