Welcome to Cracking Tutorial #38!

Hiya peepz,

Here's another tutor for you, nothing special :) As always, I'm busy with coding other projects... Anyway, let's go!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

  SoftICE 4.00
  W32Dasm 8.93
  Hacker's View 6.20
  SmartCheck 6.03
  TASM 5.00
  Windows Commander 4.01 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://mercury.spaceports.com/~quel/protools/ or ask any crackers to get you these tools!

Are you ready?! OK! ;)

================================================================================

Tutorial to Crack: Microsoft Age of Empires 2 : Age of Kings
By: CloudS [cloud@plasa.com]

Tools Needed:
- Win Disassembler (W32Dasm) 8.9 or higher
- Hackers' View (Hiew) 6.0 or higher
- AoE2:AoK CD. I use ver 1.0 (00.09.07.0222) 10/3/99

I just borrowed the AoE2 CD from my friend, installed it and played it. But what happens when I play it without the CD inserted? It doesn't allow me to play Single Player mode! Hmmm.... Let's crack it!

Please forgive my bad English and please note that I'm a newbie too, therefore if there's a mistake in this tut, please tell me.

1. Make a full install of AoE 2, then take out the CD. Start the game and click on "Single Player". It says "You must insert a game CD to play a Single Player..." OK. Click on "Exit".

2. Disassemble Empires2.exe. You won't find the message in String Data References coz it's graphic, not a window MsgBox. Click on "Functions -> Imports" and scroll down till you find something interesting. Hmmm... "Kernel32.GetDriveTypeA" seems suspicious. Let's double click it. You arrive at:

   * Reference To: KERNEL32.GetDriveTypeA, Ord:00DFh
   |
   :0041F11A FF153C115C00    Call dword ptr [005C113C]   <- here we are
   :0041F120 83F805          cmp eax, 00000005           <- Is CD there?
   :0041F123 740F            je 0041F134                 <- Yes? Jump!
   :0041F125 33C0            xor eax, eax                <- eax = 0
   :0041F127 5F              pop edi
   :0041F128 5E              pop esi
   :0041F129 5D              pop ebp
   ...
   ...

   There's a jmp after the call. Let's reverse it! Remember that the offset is 1E523h (see the bottom of your W32Dasm).

3. Close W32Dasm and open Hiew. Choose Empires2.exe and press [ENTER] 2 times to enter Decode (Asm) Mode. Press F5 (GoTo) and enter 1E523. You'll arrive at:

   .0041F11A: FF153C115C00    call GetDriveTypeA ;KERNEL32.dll
   .0041F120: 83F805          cmp eax,005 ;""
   .0041F123: 740F            je .00041F134 -------- (1)
   .0041F125: 33C0            xor eax,eax
   .0041F127: 5F              pop edi
   .0041F128: 5E              pop esi
   .0041F129: 5D              pop ebp

   Put the cursor at 740F:

   .xxxxxxxx: 740F            je .00041F134 -------- (1)
              ^^

   Press F3 (Edit), enter 75 and press F9 to update.

4. Close Hiew and start Empires2. Click on "Single Player" and it still asks for the CD! Hmm... I remember there's a xor after the jump. Let's nop the xor!

5. Let's Hiew Empires2.exe again. Enter Decode Mode and go to 1E525 (it's under the reversed jump), then press F3, enter 9090, and press F9. Exit Hiew.

6. Let's play the game again and click on Single Player. Yeah! It works!

Note: The address above MAY be different on another version of the game. The one I use is Version 1.0.

Many thanx to:
* tKC for providing time reading this tut
* RC for the CD

Greetz:
* tKC and all the crackers out there, esp Indonesian crackers!

That's all folks! See ya!

================================================================================

Heya dudes

Welcome to my first tutorial and certainly not the last.

Target: Jator 3.5 SPADIX Software
Tools: W32Dasm, Hiew 6.00 (or any hex editor), Windows Commander (because of its multitask function)

Let's rock! :)

First things first: copy the jbator.exe file to jbator.w32 for use in W32Dasm and jbator.bak for a backup copy. When you start the program it will tell you how much you can use that software. You will click OK and you can use it. Click Help -> Register Now and when the dialog box appears you write in there a name and reg#. The error message will be: "Registration Failed!
Invalid Serial". Ugly little bastard, no? Remember this message because you will need it.

Now what you have to do is open the file jbator.w32 in W32Dasm, go to the Refs menu and select String Data References. After that search for the message "Registration Failed! Invalid Serial" and double click on it. You will go to this:

   * Possible StringData Ref from Code Obj -> "Registration......"
                                           -> "Number............"
   :00489DE5 B87C9E4800    mov eax, 00489E7C
   :00489DEA E83951FBFF    call 0043EF28

Before that it's written:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00489D88

So what you have to do is go to that address, because from there the error message is called, which keeps us from registering the program. Okay, so did you go there? Now you can see this:

   :00489D88 745B    je 00489DE5
             ^          ^
             |          this is where the message
             |          is called from
             this is the jump that we have to change
             in order to trick the program to skip the error

If you are looking down in W32Dasm you can see the offset for the location where you are. In our case it's *00089188*.

Now patching it is very easy. Open Hiew and load the jator.exe file. Then press F4 and select DECODE, press F5 and enter the offset that we have from the disassembler, 00089188, and you will see that the cursor is on 74 (je). You have to change it to 75 (jne) in order to make the program skip the error message and jump to the message that will say to you "Thank you for registering". To change that press F3 to edit and write 75 instead of 74. Press F9 to save the changes and exit Hiew.

Go to jator's directory and open the program. Click Help -> Register and enter any Name and serial# that you want and click OK. Do you see "Thank you for registering"? Yea? Well okay. Then I have to tell you "Thank you for reading this".

Special thanks to:
-> the Keyboard Caper (you're a great dude)
-> Northpole
-> FileCat

See you soon!
VoodooKid :)

================================================================================

ReallyGood 2.7.0.6 (Internet online timer)
http://www.reallygood-software.com

Tutor by PinguTM (PinguTM@hotmail.com)

This is my 16th tutorial, whey another one ;)

Type: Serial
Tools: WinDASM, Hiew

1. Run reallygood.exe and go into the Register section and fill out the blanks with bullshit you know ain't going to work :) but try registering so we can see what error message we get.

2. Load WinDasm and decompile reallygood.exe. Now select String Data References and select "Sorry the registration key is ".

3. You will now see something like this....

   * Possible StringData Ref from Code Obj ->"Sorry, The Registration Key is "
                                           ->"Invalid."
   |
   :0045FED3 B848004600      mov eax, 00460048
   :0045FED8 E82763FDFF      call 00436204
   :0045FEDD E91D010000      jmp 0045FFFF

4. Scroll up a little bit till you see this........

   :0045FEBE 8B55F8          mov edx, dword ptr [ebp-08]
   :0045FEC1 E8BE3DFAFF      call 00403C84
   :0045FEC6 741A            je 0045FEE2
   :0045FEC8 6A00            push 00000000
   :0045FECA 668B0D3C004600  mov cx, word ptr [0046003C]
   :0045FED1 B202            mov dl, 02

5. If you don't know how to operate Hiew, read back into my older tuts. We wanna change that je 0045FEE2 to a jne 0045FEE2. So into Hiew with offset "5F2C6", change that 74 to 75 and save back.

6. Reload the program, fill out all the registration details again and hit Register. Yeah! Hellacool! Thanks for registering :) That's what we wanted! Now check the Info screen. Yeah.. Registered to PinguTM! There is also no register check, so this is another one byte wonder :)

Since I didn't have time for my C.I.A trial, I may as well go back to tut'ing :) Also Rachael, this tut is dedicated to you.

P.S. I am gonna fuck you rotten on Wednesday! :)

-=-=-=- PinguTM -=-=-=-

================================================================================

Welcome to my 21st tutorial!

How to keygen the Cracking4newbies Crackme 3 project

Introduction:

Well, this is a project to teach newbies cracking. It is the 3rd project, I didn't look at the others yet, coz I am damn busy...
Anyway, I take time to make one tutor, coz this will help newbies who want to learn keygening, and it is good for me to make keygens sometimes, hehe :)

Crackme notes from the crackme's readme:

================================================================================
#Cracking4Newbies WEEKLY CRACKING TARGET FOR EVERYONE
--------------------------------------------------------------------------------
Start: 25/08/1999   End: 02/09/1999
Name of target: #Cracking4Newbies CrackMe #3
URL: http://c4nprojects.cjb.net
Size: 12 KB
Objectives: Explain how the serial number is generated ... and if possible, code a KeyGEN for it.
================================================================================

I will add this:
Level: easy
Coded by: ytc and Kwai Lo (thx friends, nice crackme!)

I) Let's go!

OK, now it is time to keygen this bitch, so in SoftICE set your favourite BPX used in name/serial cracking: bpx getwindowtexta and getdlgitemtexta.

Enter your name and a fake serial (name: ACiD BuRN / serial: 12345). Click on Enter; you are now back in SoftICE. Press F12 coz you are not in the good place, but in the lame user32 dll... Now you can see you are in the crackme. (I hope you understand all, I am tired as hell ;) )

Trace with F10 until you land here:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004010C6(C)
   |
   :004010AF 0FBE4415C0    movsx eax, byte ptr [ebp+edx-40] ; put in eax the 1st ascii value of your name (for ACiD BuRN: A=41)
   :004010B4 03F0          add esi, eax                     /
   :004010B6 8D7DC0        lea edi, dword ptr [ebp-40]      /
   :004010B9 83C9FF        or ecx, FFFFFFFF                 /
   :004010BC 33C0          xor eax, eax                     /
   :004010BE 42            inc edx                          / Loop
   :004010BF F2            repnz                            /
   :004010C0 AE            scasb                            /
   :004010C1 F7D1          not ecx                          /
   :004010C3 49            dec ecx                          /
   :004010C4 3BD1          cmp edx, ecx                     /
   :004010C6 76E7          jbe 004010AF                     /

OK, so what does this loop do?!
   movsx eax, byte ptr [ebp+edx-40]  <== eax = ascii value of the char at position EDX
   add esi, eax                      <== esi = esi + eax
   inc edx                           <== next char
   cmp edx, ecx                      <== compare the length of your name with the counter in edx
   jbe 004010AF                      <== if all chars are not done, loop until edx = length of name

So, this loop just takes each ascii value and adds it into ESI. The result for ACiD BuRN is: 2A8

   41 + 43 + 69 + 44 + 20 + 42 + 75 + 52 + 4E = 2A8
   A    C    i    D   spc   B    u    R    N

After this loop, you land here:

   :004010C8 897508      mov dword ptr [ebp+08], esi   ; [ebp+8] contains ESI value
   :004010CB C1650807    shl dword ptr [ebp+08], 07    ; [ebp+8] = shl [ebp+8],7
   :004010CF 8D4DF4      lea ecx, dword ptr [ebp-0C]
   :004010D2 6A0A        push 0000000A
   :004010D4 51          push ecx
   :004010D5 68E9030000  push 000003E9
   :004010DA 53          push ebx

As you can see, the esi value (for me: 2A8) is stored in [ebp+8]. Then you see: shl dword ptr [ebp+08], 07. Really interesting ;) Well, we have to trace again.. Trace until you land here:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:004010E4(C)
   |
   :00401102 8D55F4      lea edx, dword ptr [ebp-0C]
   :00401105 52          push edx
   :00401106 E840010000  call 0040124B
   :0040110B 8B4D08      mov ecx, dword ptr [ebp+08]   ; ECX = [ebp+8] ([ebp+8] = shl esi,7)
   :0040110E 83C404      add esp, 00000004
   :00401111 03CE        add ecx, esi                  ; ECX = ECX + ESI (ESI = 2A8 for me)
   :00401113 3BC8        cmp ecx, eax                  ; eax = fake serial / ecx = good one
   :00401115 6A00        push 00000000
   :00401117 751B        jne 00401134                  ; if not equal, jump (lame cracker)

   * Possible StringData Ref from Data Obj ->"Good!"
   |
   :00401119 685C504000  push 0040505C

   * Possible StringData Ref from Data Obj ->"Congratulations!"
   |
   :0040111E 6848504000  push 00405048
   :00401123 53          push ebx

Nice, now I think you are able to make a keygen!
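The loop and the compare just traced, as an added Python example that is not the crackme's or the author's code (the author's own Delphi keygen appears further down): it reproduces the ascii sum, the shl 7 step and the final cmp so the 2A8 and 87720 values from the trace can be checked. It assumes that call 0040124B only converts the typed serial string to an integer; that is an assumption, not something the trace shows.

```python
# Added example (not the crackme's or the tutorial author's code): the serial
# check traced above, re-implemented so each step can be verified.
# The name and serial values used here are the ones from the trace.

MASK32 = 0xFFFFFFFF  # ESI/ECX are 32-bit registers, so the sums wrap at 2^32


def name_sum(name: str) -> int:
    """Loop at 004010AF..004010C6: add the ascii value of every char into ESI."""
    esi = 0
    for ch in name.encode("latin-1"):      # movsx on a byte: one char at a time
        esi = (esi + ch) & MASK32          # add esi, eax
    return esi


def crackme3_serial(name: str) -> int:
    """mov [ebp+8],esi / shl [ebp+8],7 / add ecx,esi: serial = (sum << 7) + sum."""
    s = name_sum(name)
    ebp8 = (s << 7) & MASK32               # shl dword ptr [ebp+08], 07
    return (ebp8 + s) & MASK32             # add ecx, esi


def check_serial(name: str, typed_serial: str) -> bool:
    """The compare at 00401113 (cmp ecx, eax). eax is assumed to be the typed
    serial converted to an integer by call 0040124B (an atoi-style routine)."""
    try:
        eax = int(typed_serial.strip(), 10) & MASK32
    except ValueError:
        return False                       # non-numeric input can never match
    return crackme3_serial(name) == eax


if __name__ == "__main__":
    name = "ACiD BuRN"
    print(f"sum of ascii values for {name!r} = {name_sum(name):X}h")   # 2A8h
    print(f"serial for {name!r} = {crackme3_serial(name)}")           # 87720
    print("fake serial 12345 accepted?", check_serial(name, "12345"))  # False
```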
Lemme show you all the algo:

1st part: Add all the ascii values of your name and store the sum in a variable. (ESI in memory)
2nd part: Take the value in ESI, do a shl,7 on it and store it in a variable. ([ebp+8] in memory)
3rd part: Take the value of the 1st part and add it to the 2nd part's value.
4th part: Take the result in decimal for the serial :)

Name:   ACiD BuRN
Serial: 87720

I gave you all you need to make your own keygen, but I will show you my source ;) coz this tut is for newbies. Well, this is my Delphi source... I coded it very fast at 2 am, but it works fine!

II) Delphi keygen sources:

procedure TForm1.Edit1Change(Sender: TObject);
var
  i, ascii, result: integer;
begin
  ascii := 0;   { locals are not zeroed, so reset the sum on every change }
  { 1st part: add up the ascii value of every char of the name }
  for i := 1 to length(edit1.text) do
  begin
    ascii := ascii + ord(edit1.text[i]);
  end;
  { 2nd + 3rd part: (sum shl 7) + sum, exactly like the crackme does it }
  asm
    mov eax, ascii
    mov ecx, ascii
    shl eax, 7
    add eax, ecx
    mov ascii, eax
  end;
  { 4th part: the serial is the result in decimal }
  result := ascii;
  edit2.text := inttostr(result);
end;

To make this work, you need to create a new project in Delphi 4 and put these text boxes:
  edit1.text box = place to enter the name
  edit2.text box = final serial
Click on edit1.text, in Events double click on "OnChange" and paste this code! Have fun :)

III) Ending...

I want to thanx my friends ytc and kwai_lo for this cool crackme ;) Well, this tut is finished, hope you understand all this piece of text, but if you have a comment or one question, mail me at: ACiD_BuRN@crackerinaction.org

Enjoy!

Greetings to my groups: ECLiPSE / CiA

Also greetingz to (no specific order): R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo....

I want to greet the PWA members, I left this group due to not enough time for them :( sorry Dudes ;), I will be back!
If your name is not here, sorry! Lots of men to greet!

ACiD BuRN [ECL/CiA]

================================================================================

VB keygening: ORDiX Mpack v1.X
by ACiD BuRN [ECLiPSE/CiA]

Well... I was lazy to make this tut, but it was requested by a friend so I will make it to help him.

Introduction:
~~~~~~~~~~~~~

This is my 1st VB keygening tut for a real app (not a crackme). It is not hard at all, kinda easy I can say..

You will need:
- SmartCheck 6
- a brain :)
- some beer
- and this fucking ORDiX shit (see my ECL release to have it)

I assume you know how to configure SmartCheck and how to use it... Don't come and bug me on IRC for this, I have other things to do. Look for an essay on this or something, but I am too busy to answer on IRC.. Mail if there is a real prob..

Let's start:
~~~~~~~~~~~~

Open the file with SmartCheck and run it... In the Help menu, Register, enter:
- as name: ACiD BuRN
- as code: 11223344

Click on OK, and this fucker says to you: invalid shit, blablabla... Anyway, end the program and go into SmartCheck to look at this bitch. I am too lazy to write all this shit, so look at the pic:

Now I will explain you the algo:

- 1st, you see your name in SmartCheck.
- 2nd, the prog takes its length: in SC = Format(VARIANT:9, .....
- 3rd, then you see this: len(NACiD BuR9) returns: 10

So it takes your name, takes the last char of it (N for ACiD BuRN) and places it first... then takes the len of your name and places it in the last place... (9 coz the length of ACiD BuRN = 9)

Example:
   ********************************
   * 1st : Fuck you               *
   * 2nd : uFuck yo               *
   * 3rd : uFuck yo8              *
   ********************************

- 4th, take all the ascii values in hex and add them as a string (not an addition)..
Example: NACiD BuR9

   N   = 78  in decimal = 4E in hexa   result = 4E
   A   = 65  in decimal = 41 in hexa   result = 4E41
   C   = 67  in decimal = 43 in hexa   result = 4E4143
   i   = 105 in decimal = 69 in hexa   result = 4E414369
   D   = 68  in decimal = 44 in hexa   result = 4E41436944
   " " = 32  in decimal = 20 in hexa   result = 4E4143694420
   B   = 66  in decimal = 42 in hexa   result = 4E414369442042
   u   = 117 in decimal = 75 in hexa   result = 4E41436944204275
   R   = 82  in decimal = 52 in hexa   result = 4E4143694420427552
   9   = 57  in decimal = 39 in hexa   result = 4E414369442042755239

I hope you understand now! Well, the result is the correct serial :)

The serial length can't be more than 12 (you saw this when you entered your serial), but if the length of the serial is > 9, you need to take the hex ascii values of the 2 digits of the length. (sorry for my lame English)

   ACiD BuRN U          <--- length = 11
   so: UACiD BuRN 3131  <--- 31 = hex value of the ascii value 49 of the digit 1.

So the serial is: 5541436944204275524E203131

Now you have understood, I think and I hope :) I am too lazy to code a keygen that works for names > 9, so I will give you the source of a keygen in VB that works with 9 chars max as the name. I just coded it to show you; this source is not well coded, but I don't have time to make it better... At least it works!
---------------------------VB Source of the Keygen-------------------------------

Private Sub Command1_Click()
    Dim checksum As String, code As String, bignum As String
    Dim final As String, Last As String
    Dim dede As Integer, check2 As Integer, x As Integer

    Text3.Text = ""
    On Error GoTo sortie
    ' the last char of the name goes first...
    checksum = Mid(Text1.Text, Len(Text1.Text))
    dede = Asc(Mid$(Text1.Text, Len(Text1.Text)))
    ' ...and the length of the name goes last
    check2 = Len(Text1.Text)
    code = checksum & Text1.Text & check2
    Text2.Text = code
    ' hex ascii value of each char, glued together as a string (not added)
    For x = 1 To Len(Text1.Text)
        bignum = Hex(Asc(Mid$(Text2.Text, x, 1)))
        Text3.Text = Text3.Text & bignum
    Next x
    ' hex ascii value of the length digit (1 digit only, so 9 chars max as name)
    Last = Hex(Asc(CStr(Len(Text1.Text))))
    final = Text3.Text & Last
    Text3.Text = final
    Exit Sub

sortie:
    Select Case Err.Number
        Case 5
            MsgBox "please enter your name!", vbOKOnly, "Keygen"
    End Select
End Sub

---------------------------END OF VB Source of the Keygen----------------------------

To make this source work, you need to put 3 text boxes and a button:
  text1.text = where you enter the name
  text2.text = hidden text box
  text3.text = where you see the final serial

Like I said earlier, this was coded fast, so don't bug me for lame coding... If you're not happy, FUCK YOU!

Well, this tut is finished, hope you understand all this piece of shit, but if you have a comment or one question, mail me at: ACiD_BuRN@crackerinaction.org

Enjoy!

Greetings to my groups: ECLiPSE / CiA

Also greetingz to (no specific order): R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo....

I want to greet the PWA members, I left this group due to not enough time for them :( sorry Dudes ;), I will be back!

If your name is not here, sorry! Lots of men to greet!

ACiD BuRN [ECL/CiA]

================================================================================

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #39 soon! ;)

And as I said last time: Without knowledge, there's no power!
;)

Credits go to:
  strazi for the Splash Logo.
  CloudS for providing a tut in this version.
  VoodooKid for providing a tut in this version.
  PinguTM for providing a tut in this version.
  ACiD BuRN for providing 2 tuts in this version.
  tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials.. see below for my email address! And all the tutors can be found at www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. but be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 05 September 1999

Cracking Tutorial #38 is dedicated to Ms_Jessca, my liefie only. Who else?