Welcome to Cracking Tutorial #42!

Hiya peepz, heheh.. nothing's gonna stop us now! :) Oh by the way, I might be offline soon for a few months, but don't worry, you'll hear from me again! OK, let's go!

You'll need the following tools (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!):

  SoftICE 4.01
  W32Dasm 8.93
  Hacker's View 6.20
  SmartCheck 6.03
  TASM 5.00
  Windows Commander 4.01 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://mercury.spaceports.com/~quel/protools/ or ask any crackers to get you these tools!

Are you ready?! OK! ;)


C-Dilla Safedisc
Another commercial protection defeated 18 July 1999 by Black Check

  There is a crack, a crack in everything
  That's how the light gets in

Rating: ( ) Beginner ( ) Intermediate (X) Advanced ( ) Expert

"The SAFEDISC technology is comprised of three key features: (1) an authenticating digital signature (2) encryption that protects the content and (3) anti-hacking software. During premastering, the content is encrypted and carries with it authentication instructions. A unique SAFEDISC digital signature is subsequently added to the title during mastering. When a user plays an original disc, the authentication software reads the digital signature allowing the program to be decrypted and to play normally. SAFEDISC also includes anti-hacking technology that prevents the compromise of its security features. The anti-hacking technology is designed to not only deter casual copying, but also to provide strong resistance to DESTRUCTIVE hackers and commercial pirates."
  -- From the Safedisc homepage (http://www.macrovision.com/scp.html)

Hhmm... let's be DESTRUCTIVE.

Introduction
------------
As you probably know Safedisc is another commercial protection by C-Dilla.
Protected CDs always have the files Clokspl.exe and Dplayerx.dll in the root. Our target is Midtown Madness [German]. There is a generic crack by Pedro [Laxity], but I don't like inserting CDs in my drive just for playing a game :-)

The executables consist of two parts. One is just the loader (Midtown.exe) and then there is always a *.icd file that contains the encrypted original exe. When the game is run the loader decrypts itself and the game exe using a key on the CD. What we have to do is to dump the decrypted exe to disc and fix it.

Tools required
--------------
- Microsnot Midtown Madness original CD (a 1:1 copy and the Laxity crack should do it too)
- Softice for W9x
- Procdump 1.4
- Adump
- Frogsice 0.14 -> www.thepentagon.com/frog_s_print
- W32Dasm
- knowledge of the PE format
- some time, nerves and a brain

Essay
-----
++++++++++++++++++ C-Dilla 'Safe'disc Essay by -Black Check- ++++++++++++++++++++++

######################################
1. Eliminating the Anti Softice Code #
######################################

SafeDisc uses two well known SICE detection methods. The first one is known as 'MeltIce' and has been released by David Eriksson. It just calls CreateFileA with the SICE driver names:

  "\\.\SICE"
  "\\.\SIWVID"
  "\\.\NTICE"   (not important in this case)

First I passed this with a Softice macro:

  macro NOSICE = "d @(esp+4);e @(esp+4) 0;x;"

then

  bpx CreateFileA if *(esp->4+4)=='SICE' || *(esp->4+4)=='SIWV' do "nosice"

This works fine, but it's too slow. This crap is called about a hundred times! Another disadvantage is that you can't set breakpoints on CreateFileA anymore. If anyone knows better please mail.

The solution is much more simple. Just open Midtown.exe and search for 'ss' (ASCII). You'll find something like this:

  \.ss
  \.ss
  \.ss

Just change 'ss' to 'xx' or whatever. You have to do this with 'DplayerX.dll', too. The CreateFile checks are now out, but if you run the game with SICE loaded it just crashes. Seems like there is another check.
I played around with bpint 2f, 41 etc but nothing. It uses int 68:

  425205: xor eax, eax
  425207: mov ax, 4300
  42520b: int 68
  42520d: mov [ebp-9c], eax
  425213: cmp eax, 4300
  425218: jz blablabla...

Don't try to patch this. There's a tool around called Frogsice. Once you load it you get a blue screen every time it detects anti-SICE ints. Frogsice has an option to fool the program but this won't work, because int 68 returns 0x4300 in eax when SICE is not loaded. Frogsice returns 0x0000, so we'll have to patch Frogsice...

- Open FrogSice.vxd
- search for 60 80 7d 1d 43
- change the first byte to c3 (ret)

Frogsice will now handle all calls to int 68 correctly without popping up all the time :-) Well, the game now runs fine with SICE loaded. Let's get to the annoying part:

########################################
2. Rebuilding the Encrypted Executable #
########################################

The encrypted EXE contains the following objects:

  Object01: .text   RVA: 00001000  Offset: 00000400  Size: 0018D800  Flags: 60000020
  Object02: .rdata  RVA: 0018F000  Offset: 0018DC00  Size: 00014E00  Flags: 40000040
  Object03: .data   RVA: 001A4000  Offset: 001A2A00  Size: 00030000  Flags: C0000040
  Object04: .data1  RVA: 00314000  Offset: 001D2A00  Size: 00000200  Flags: C0000040
  Object05: .rsrc   RVA: 00315000  Offset: 001D2C00  Size: 00000E00  Flags: 40000040

  .text  -> encrypted
  .rdata -> contains the import data. Invalid since it only points to Safedisc routines
  .data  -> encrypted
  .data1 -> encrypted
  .rsrc  -> not encrypted (very honest...)

2.1 Dumping the .text section
------------------------------
IMPORTANT! Be sure to replace that damn Microsoft AVI file, you will see it some times... :-)

Run the game. Don't forget to load Frogsice and wait until you get to the main menu. Now minimize it and run ProcDump. Dump the whole process (Midtown.icd) with standard options. HexEdit your dump and copy the .text section to another file.
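The object table above is everything you need to map an RVA (or a full virtual address as SoftICE and W32Dasm show it) to a file offset, and to account for the 0x200-byte shift the essay notes for ProcDump dumps. The Python below is an added example, not part of the essay or of any tool it names: it serializes the five Midtown.icd objects listed above as constructed IMAGE_SECTION_HEADER records, parses them back, decodes the flags, and does the offset arithmetic. The image base of 0x400000, the 0x200 dump shift and the VirtualSize values (not listed in the essay, so the raw size is reused) are assumptions.

```python
import struct

# IMAGE_SECTION_HEADER (winnt.h): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics -> 40 bytes, little-endian.
SECTION_HEADER = "<8sIIIIIIHHI"
SECTION_HEADER_SIZE = struct.calcsize(SECTION_HEADER)   # 40

# IMAGE_SCN_* characteristics bits that matter for a dump/rebuild.
SCN_FLAGS = [
    (0x00000020, "CODE"),
    (0x00000040, "INITIALIZED_DATA"),
    (0x20000000, "EXECUTE"),
    (0x40000000, "READ"),
    (0x80000000, "WRITE"),
]

# Constructed sample: the Midtown.icd objects as listed in the essay
# (name, RVA, raw offset, raw size, flags). VirtualSize is assumed = raw size.
MIDTOWN_SECTIONS = [
    (".text",  0x00001000, 0x00000400, 0x0018D800, 0x60000020),
    (".rdata", 0x0018F000, 0x0018DC00, 0x00014E00, 0x40000040),
    (".data",  0x001A4000, 0x001A2A00, 0x00030000, 0xC0000040),
    (".data1", 0x00314000, 0x001D2A00, 0x00000200, 0xC0000040),
    (".rsrc",  0x00315000, 0x001D2C00, 0x00000E00, 0x40000040),
]


def build_section_table(entries):
    """Serialize (name, rva, raw_off, raw_size, flags) tuples as raw header bytes."""
    table = b""
    for name, rva, raw_off, raw_size, flags in entries:
        table += struct.pack(SECTION_HEADER, name.encode("ascii").ljust(8, b"\0"),
                             raw_size, rva, raw_size, raw_off, 0, 0, 0, 0, flags)
    return table


def parse_section_table(table, count):
    """Parse `count` IMAGE_SECTION_HEADER records from `table` into dicts."""
    sections = []
    for i in range(count):
        rec = struct.unpack_from(SECTION_HEADER, table, i * SECTION_HEADER_SIZE)
        sections.append({
            "name": rec[0].rstrip(b"\0").decode("ascii"),
            "vsize": rec[1], "rva": rec[2], "raw_size": rec[3],
            "raw_off": rec[4], "flags": rec[9],
        })
    return sections


def describe_flags(flags):
    """Names of the IMAGE_SCN_* bits set in a Characteristics field."""
    return [name for bit, name in SCN_FLAGS if flags & bit]


def find_section(sections, rva):
    """Return the section whose virtual range contains `rva`, or None."""
    for s in sections:
        if s["rva"] <= rva < s["rva"] + max(s["vsize"], s["raw_size"]):
            return s
    return None


def rva_to_offset(sections, rva):
    """File offset of an RVA: section raw offset + (rva - section RVA)."""
    s = find_section(sections, rva)
    if s is None:
        raise ValueError("RVA %#x is not inside any section" % rva)
    delta = rva - s["rva"]
    if delta >= s["raw_size"]:
        raise ValueError("RVA %#x has no bytes on disk (uninitialised data)" % rva)
    return s["raw_off"] + delta


def va_to_offset(sections, va, image_base=0x400000):
    """Same for a full virtual address as shown by SoftICE/W32Dasm (image base assumed)."""
    return rva_to_offset(sections, va - image_base)


def dump_offset(file_offset, shift=0x200):
    """Where the same bytes sit in a ProcDump process dump, which the essay
    observes is shifted by 0x200 relative to the original file offsets."""
    return file_offset + shift


if __name__ == "__main__":
    secs = parse_section_table(build_section_table(MIDTOWN_SECTIONS), len(MIDTOWN_SECTIONS))
    for s in secs:
        print("%-6s rva=%08x raw=%08x size=%08x %s" % (
            s["name"], s["rva"], s["raw_off"], s["raw_size"], "|".join(describe_flags(s["flags"]))))
    ep = 0x566C10   # the entry point the essay sets its bpx on
    print("entry point %#x -> file offset %#x, dump offset %#x" % (
        ep, va_to_offset(secs, ep), dump_offset(va_to_offset(secs, ep))))
```

Run it and the .text entry maps RVA 0x1000 to file offset 0x400 and dump offset 0x600, which is exactly the 0x200 discrepancy the essay warns about when copying sections out of a dump.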
If you don't know how to do this, stop reading and get some info on the PE file format. You can get the object information by disassembling Midtown.icd since the PE header isn't encrypted. Note that the raw offsets of the sections aren't the same in the dump. They're moved by 0x200 bytes. In our dump of Midtown.icd the .code section begins at 0x600, NOT at 0x400!

2.2 Dumping the .data sections
--------------------------------
As you can guess the .data sections are modified when the game runs. So we need them in an 'untouched' state. Set a bpx on the program entrypoint of midtown.icd (not midtown.exe!). You can get it out of the PE header, or with W32Dasm. You have to be sure that you're in midtown.icd when setting it. Press Ctrl-D while the AVI plays. Make sure that the process string on the bottom right is MIDTOWN. Now set your bpx (566c10). Run the game again and wait until Softice pops up. Now halt the program by assembling 'EB FE' at the current EIP. It should look like this:

  566C10: EB FE    jmp 566c10

Now press F5 and dump the whole process with standard options again. Copy the .data and .data1 sections to another file. Remember the 0x200 bytes. You can kill the tasks now with Procdump. Now make a copy of Midtown.icd and call it whateverulike.exe. Paste your dumped sections. What about the .rdata section, you're asking? Read on and cry...

##########################
3. A bitch called .rdata #
##########################

The .rdata section once contained addresses of the imported DLLs used by Midtown.exe. But when Safedisc messed it up it changed them to point to Safedisc routines that call the DLL functions. These Safedisc routines are in Dplayerx.dll and depend on the correct CD signature. Since this crap isn't loaded in our rebuilt exe it just crashes when it tries to call a DLL.

Run the protected exe again. Enable your breakpoint on the entry point and step into the first API call:

  call [58f14c]

Now you're not in GetVersion but in the Safedisc routine:

  .
  .
  pushad
  push 00000031     --> the number of the imported function
                    --> if this value is too large the call crashes
  push 00000000     --> number of the imported dll
  call [9b6146]     --> get the real address of the function
  add esp, 8
  popad
  jmp [09b6140]     --> and jump there
  .
  .
  .

This code pushes the numbers of the function and the DLL and then calls a routine that returns the real address in ECX and the wrong reference in the .rdata section in EAX. Debug a little till you understand. Then come back.

As I figured out, only the first two DLLs are handled this way (Kernel & User). The import data for the others is ok. Now you have to find out how many imported functions there are. You can count them in W32Dasm. (Please be smarter :) There are 0x106 Kernel32.dll imports. The number of User32 imports doesn't matter because we can let the program crash afterwards.

Now load Adump. With the 'r' command you get the address where you can start dumping to. For me this is 82abd000. Now start the exe and stop at the Safedisc function. Copy the .rdata section to Adump start address + 1000:

  -m 58f000 l 14e00 82abe000

Set your EIP to 82abd000 and Softice-assemble this:

  -a 82abd000
  @1: push ebx                  ----> manually set EBX to 0!
      push 00000000             ----> dll number - you have to change this later!
      call [9b6146]             ----> get values into EAX and ECX
      mov edx, 58f000           ----> this is the address of the .rdata section
  @2: cmp dword ptr [edx], eax  ; search for entry
      je @3
      inc edx
      cmp edx, 5a3dfd           ----> 14e00h + 58f000h - 3
                                      (size of .rdata + offset of .rdata - 3)
      je @4
      jmp @2
  @3: sub edx, 58f000           ----> rdata adr.
      add edx, 82abe000         ----> Adump start address + 1000h
      mov [edx], ecx            ; put the real address into our new .rdata
  @4: inc ebx
      cmp ebx, 106              ----> number of exports from Kernel32
      jnz @1
  @5: jmp @5                    ----> stop here

Explanation:
-------------
This will call the SafeDisc routine with every function number as a parameter. The correct address is returned in ECX. The wrong index in the .rdata section is in EAX.
Now it just searches the .rdata in memory for the incorrect reference and puts the real value from ECX into the .rdata block we copied to Adump memory. The values mentioned above are correct for my version of Midtown Madness. If you're working on another game you must compute them yourself.

Now let our little proggie run. Wait a little. If you did it right nothing should crash. Go back into Softice. The cursor should be on @5. Now set EBX back to 0. Set EIP back to @1. And change the PUSH 00000000 to PUSH 00000001. Run again. The program will crash because we pushed a value too large in EBX. That's ok. We have what we wanted >:)

Now go back to Adump and write our .rdata section to disc. Paste it into our rebuilt exe. Start it and kiss your screen! IT WORKS!

#######################################
4. Making it a little more compatible #
#######################################

Well, our rebuilt exe runs fine. But it's still not perfect. Just try running it on another Windows 9x version. It will crash. Why? The addresses we put in the import table are only valid for the Windoze version we ran it on. Normally the OS puts these values there when the exe is loaded. Since we put them there by hand, other Win9x will crash. Let's fix that:

- Start Procdump (I really love it!)
- go to Options
- select:
    [v] Recompute Object Size
    [v] Optimize PE Structure
    [ ] Use actual import infos
- click on Rebuild PE
- choose our rebuilt exe

Procdump will now generate a valid import table. Our rebuild is now perfect. Eject the ugly original CD and enjoy how fast the game starts :))! Ha!

You can safely delete these 'Safe'disc-bullshit files:

  00000000407.0016
  00000000407.256
  Clokspl.exe      - very nice icon...
  dplayerx.dll
  Old midtown.exe
  midtown.icd

2.86 MB less crap on your drive :)

-Black Check-

Final Notes
#################################################################################################
This crack is dedicated to Sir Gambit (I'm waiting for you, you ass!)
BIG thanx go to G-RoM, Lorian & Stone for ProcDump, tHeRaiN for Adump, +Frog's Print for FrogsICE, c0v3rt+ for pointing out the bpx problem, and Numega.

I won't make excuses for my damn english. If you don't like it, don't read it!
#################################################################################################

Mail INTERESTING stuff to black_check@yahoo.de

Ob Duh
------
I won't even bother explaining to you that you should BUY this target program if you intend to use it for a longer period than the allowed one. Should you want to STEAL this software instead, you don't need to crack its protection scheme at all: you'll find it on most Warez sites, complete and already regged, farewell, don't come back.


Heya dUdEs! Here I am again with another tutorial just for newbies, of course from a newbie, but let's stop writing stupid things and let me show you how to patch a program in order to make it registered.

Tools:
- W32dasm (to see what and where we should make the changes to regg iT)
- Hacker's View (or another HexEditor) (to make the changes)
- anything else that can make you happy

Target: Alot Nanny 1.0 build 03, you can find it at http://www.alotenterprises.com

Let's rock!

1: The file we are going to patch is Nanny.exe, so copy it again into the files Nanny.w32 (to use with W32dasm) and Nanny.xxx (for a backup copy). This is done, so now we can continue.

2: Run the program and in the main window click on Help->Register Alot Nanny. Enter whatever name you wanna and then a reg# that is longer than 12 characters to unlock the *register* button so we can click it. See there the error message, it's saying: "Sorry, You typed an incorrect license key, please try again." Remember the error message because you will have to know it when we'll work in the disassembler.

3: Now if you did what I've told you in step 1 you can now open W32dasm and load in the file Nanny.w32. After the loading process is finished go to the Refs menu and choose from there SDR (string data references). Done it?
OK. Now remember the error message; search in the SDR window for it. When you've found it double click on it and you will find yourself in here:

_______________________________________________________________________________________
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00458C13(C)
|
:00458C85 E87EF7FFFF     call 00458408
:00458C8A 40             inc eax
:00458C8B 7524           jne 00458CB1                        <- this is the jump that makes the
:00458C8D A174784900     mov eax, dword ptr [00497874]          error appear
:00458C92 8B90E4020000   mov edx, dword ptr [eax+000002E4]
:00458C98 A174784900     mov eax, dword ptr [00497874]
:00458C9D E89AB3FDFF     call 0043403C

* Possible StringData Ref from Code Obj ->"Sorry, You typed an incorrect "   <- our error
                                        ->"license key, please try again."     message
|
:00458CA2 B8D48D4500     mov eax, 00458DD4
:00458CA7 E880A50300     call 0049322C
:00458CAC E9EB000000     jmp 00458D9C
_______________________________________________________________________________________

4: See, that jne makes the ugly message appear, so we've got to change it. For that you first have to find the offset where the jump is, so place the bar on the line:

  ***********:00458C8B 7524 jne 00458CB1*******

If you see that the bar turns green then you're at the right place. Now look down in the W32dasm main window and see what is written there. Where you see "offset" written, followed by a number, that number is the offset that you need. In our case it will be 0005808B.

5: On this step, no. 5, I've got to tell you what you have to do in order to skip the error msg and trick the program into jumping to the "thank you for registering" or something like that. The jne, which is written in hex as 75, has to be changed into je, which is 74 in hex. So run Hiew and load the nanny.exe file, press F4 and select DECODE to see the file in asm code, and then press F5 and enter the offset **0005808B** that we have from W32dasm and press enter.
After that you will see that the cursor is on 75. Press F3 to edit the file and write 74. Then press F9 to save the change and exit Hiew. Now run Nanny and register it. So... what is it telling you... maybe: "Thank you *your name* for registering... bla... bla... bla" bla... bla... bla.. ...bla

6: Ok, so now we made it tell us that it's registered, but is it regged... NO. If you click About in the Help menu you will see there, written at the bottom, "Unregistered"... hmm... that is not good. It's not good if you look at it one way, but you know what that means: more effort and more reversing, so for me that's OK.

7: Shit man, it's 6:20 in tha morning and I gtg to school in 20 minutes, so let's hurry. It's saying unregistered there... hmm... go again into w32dasm and look for unregistered. Found it k:) double click on it and you will land here:

_____________________________________________________________________
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045940E(C)
|
* Possible StringData Ref from Code Obj ->"Unregistered"
|
:0045945E BAE8944500   mov edx, 004594E8
:00459463 8B45FC       mov eax, dword ptr [ebp-04]
_____________________________________________________________________

The lines

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0045940E(C)

should mean something to you, no? Let me tell you that the address 0045940E is where the jump to unregistered is made. Press UpKey until you get here:

  :0045940C 85C0   test eax, eax
  :0045940E 7C4E   jl 0045945E    <- this is the jump

8: Don't be scared if you don't see a jne or je, there is no problem, you can change this jump too. But how, you will say. Easy: do you see the number 7C4E? That is the hex equivalent of *jl 0045945E*, so now this is what I did:

9: Open up Hiew and load the nanny.exe file again. Do you remember the offset for the line *:0045940E 7C4E jl 0045945E*? No...! Why not? Because I did not tell you that you have to note this too. No problem, the offset is 0005880E.
Now in Hiew go to that offset again (remember how?) and replace 7C4E with 9090, and it will transform the assembler code into this:

_____________________________________________________________________
:0045940C 85C0   test eax, eax
:0045940E 90     nop
:0045940F 90     nop
_____________________________________________________________________

10: Now run the program again and register it, and it will be all OK when you press the About button. OK, I mean that it will say Registered to *your name*. KeWl no?

This is all for today, but if you're interested in my tutorials don't worry, this is not the last.

gRetZZ: ->tKC ->Northpole ->Filecat ->iNC ->ACiD_BuRN

See you soon!
VoodooKid


Heya dudes. Welcome to my 2nd tutorial, as always I hope you will enjoy it.

Tools: Win32Dasm, Hiew.
Target: CD-R Diagnostic Version 0.1.4.8
Url: www.cdrom-prod.com

First open Cdrdiag.exe to see how it acts. First we see this nag that says that we are unregistered, and that it will expire soon. Second we see a warning that it will expire.

Fire up W32Dasm and disassemble Cdrdiag.exe, go to Refs and find "Registration: %s|Thank you for registering." Double click on it. Now we should be here:

\\\\\\\\\\\\\\\\\\\\\\\\\\ Cut Out of Code //////////////////////////////

* Possible Reference to String Resource ID=00137: "Registration: "Thank you for registering."
|
:0040129C 6889000000   push 00000089                 <- This is where you will stand
:004012A1 FF3520F14200 push dword ptr [0042F120]
:004012A7 FFD3         call ebx

Ok, let's scroll up a bit till you come to this:

* Reference To: USER32.SetDlgItemTextA, Ord:022Ch
|
:00401284 FF1518534200   call dword ptr [00425318]
:0040128A 803DE0EB420000 cmp byte ptr [0042EBE0], 00
:00401291 7439           je 004012CC                  <- this is where it calls the bastard
:00401293 8D854CFFFFFF   lea eax, dword ptr [ebp+FFFFFF4C]
:00401299 6A64           push 00000064
:0040129B 50             push eax

\\\\\\\\\\\\\\\\\\\\\\\\\\ Cut Out of Code //////////////////////////////

Double click on

  :00401291 7439 je 004012CC

and look at the bottom of W32Dasm, it should say:

  Line:857 Pg 11 of 972 Code Data @:00401291 @Offset 00001291h in File:Cdrdiag.exe

Look at the offset, 1291. Never take the zeros or the little letter after it. Now write down 1291 and open Hiew. Press F9, find Cdrdiag.exe, push Enter. Now press F4, choose Decode, now press F5 (Goto) and enter the offset: 1291. Now it should look like this:

  .00401291: 7439   je .0004012CC -------- (1)

Now press F3 (Edit) and change the 74 to 75. Now your line should look like this:

  .00401291: 7539   jne .0004012CC -------- (1)

Great, now press F9 (Save) and then close Hiew. Now try to open the program again. Now it says Thank you for registration. But we still see the warning that it will expire. Oops, we must have forgotten something. Fire up W32Dasm and disassemble the program again.
Go to Refs and choose "Warning: Your copy of CD-R Diagnostic will expire in %d days". Double click on it and you should be here:

\\\\\\\\\\\\\\\\\\\\\\\\\\ Cut Out of Code //////////////////////////////

* Possible Reference to String Resource ID=00157: "Warning: Your copy of CD-R Diagnostic will expire in %d days"
|
:0040E4CD 689D000000   push 0000009D      <- you should land here
:0040E4D2 E853F5FFFF   call 0040DA2A
:0040E4D7 59           pop ecx

Now scroll up a bit until you see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E4B6(C)
|
:0040E4BA 84D2         test dl, dl
:0040E4BC 750A         jne 0040E4C8      <- Bastard
:0040E4BE 80FA44       cmp dl, 44
:0040E4C1 7416         jne 0040E4D9
:0040E4C3 83F807       cmp eax, 00000007
:0040E4C6 7D11         jge 0040E4D9

\\\\\\\\\\\\\\\\\\\\\\\\\\ Cut Out of Code //////////////////////////////

Double click on

  :0040E4BC 750A je 0040E4C8

and you will see this at the bottom of W32Dasm:

  Line:29797 Pg 355 of 972 Code Data @:0040E4BC @Offset 0000E4BCh in File:Cdrdiag.exe

Again we look at the offset, that is E4BC. Open Hiew, press F9 (Open), find Cdrdiag.exe, now press F4, choose Decode and press F5 (Goto), type E4BC and you should be here:

  .0040E4BC: 740A   je .00040E4C8 ------ (1)

Ok, press F3 (Edit) and change 74 to 75, push F9 (Save) and then F10 Quit. Open the program and Boom, it's registered. You cracked it.

Feel free to contact me: #C.i.A (Efnet) or filecat@usa.net

GreetZ fly out to:
  The Keyboard Caper - For coding this tutorialpack
  Acidphreak - I'll pay you back sometime ;)
  Mr^HEX - For moral support
  \\RiPPeR - For moral support
  MARQUIS - Keep it up
  BlackB - Thnx for everything
  ShannoW - Thnx m8
  TORN@DO - For helping newbies
  tHATDUDE - Hope you fix that problem with discs
  Ms_Jessca - For the great site (www.msjessca.da.ru)
  All +v/+o's #Cracks (Efnet) - For helping all these people.
  All on #C.i.A (Efnet) - CiA ;)
  And all +o's #Crackz (Undernet) - For all the support I got.
  Groups: UCF - CiA - PC And Binary99

Watch out for another of my tuts.
-> FileCAT


tARGET pROGRAM: TweakJr 99 1.01
pROTECTION : - Nag Screen with Delay + Button
             - Help Button Disabled.
uRL : http://home3.swipnet.se/~w-31362/tweakjrenj.htm
tOOLS uSED : - W32Dasm 8.93
             - Hex Workshop 2.54
             - Turbo Pascal 7.0
             - Pcom 2.8b3

TweakJr is a powerful tool which manipulates the registry as well. You can change the registry in a safe way; you don't have to worry about whether the computer will start or not after these changes.

Well, this cracking tutorial is for beginners. I'll show you how to crack TweakJr 99 and make a patch in two ways, very easy. I hope you will enjoy this TuT and that it helps you learn!

NOTE: It took me about 1 minute to crack this program on my own.

OK, guys, let's get started. Open TweakJr. There is a window telling us to register the copy; after 3 sec a button appears. Click OK and look for strange things... Yes, it's the help button, it was disabled by the author. Good! Now go to About, what we see here is the #1 magic word "UNREGISTERED". Very good! And we can't enter any UserName or UnlockKey. Excellent! We'll show him what a shitty protection it is! :)

Launch W32Dasm and disassemble the target, and look for the #2 magic word REGISTERED or something like that. Yes! We found it! One reference: "Thank You for your Registration". Double click and... (this method allows us to go all over the protection scheme) I said double click and...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D4CC(C)                                           <-- here it is!
|
* Possible StringData Ref from Data Obj ->"Thank You for your Registration "   <-- we land here
                                        ->"and for Supporting TweakJr 99 "
                                        ->"!"
|
:0040D4DA 68D8284400   push 004428D8
:0040D4DF 8D8E24100000 lea ecx, dword ptr [esi+00001024]
:0040D4E5 E8E6B60100   call 00428BD0
:0040D4EA 6A00         push 00000000
:0040D4EC 685D040000   push 0000045D
:0040D4F1 8D8E740B0000 lea ecx, dword ptr [esi+00000B74]
:0040D4F7 E8CBAA0100   call 00427FC7
:0040D4FC 8BC8         mov ecx, eax
:0040D4FE E8E6AC0100   call 004281E9
:0040D503 6A01         push 00000001
:0040D505 684C040000   push 0000044C

We are at the end of the registration routine, so let's go up to code location 40D4CC:

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:0040D4AF FF1500404300 call dword ptr [00434000]
:0040D4B5 E9E0000000   jmp 0040D59A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D483(C)                                           <-- here it is again!
|
:0040D4BA 8B07         mov eax, dword ptr [edi]
:0040D4BC 68605D4400   push 00445D60
:0040D4C1 50           push eax
:0040D4C2 E8979E0000   call 0041735E
:0040D4C7 83C408       add esp, 00000008
:0040D4CA 85C0         test eax, eax
:0040D4CC 750C         jne 0040D4DA                     <-- We are here!

You think if we change it to je, we'll be registered? WRONG! Because we are still in the routine that made us registered! So we must go up again!

* Possible StringData Ref from Data Obj ->"John Doe"    <--- What's that! Hmmm, maybe the boyfriend of the author, because the program looks for his name, and if ok, it will register itself without any patch, lovely boy ;)
|
:0040D4CE 6818294400   push 00442918
:0040D4D3 8BCF         mov ecx, edi
:0040D4D5 E8F6B60100   call 00428BD0

Double right click on code location :0040D483(C) and scroll up until you see this:

* Possible StringData Ref from Data Obj ->"Software\JockeSoft\TweakJr 99\1.0"   <-- Check for TweakJr entry
|
:0040D3EF 6818214400   push 00442118
:0040D3F4 6801000080   push 80000001
:0040D3F9 FFD3         call ebx                         <--- read entry
:0040D3FB 85C0         test eax, eax                    <--- is eax=0 ??
                                                        (xor eax,eax)
:0040D3FD 0F8577010000 jne 0040D57A                     <--- if eax<>0 then jump to UNREGISTERED
:0040D403 8B4C2410     mov ecx, dword ptr [esp+10]
:0040D407 8D542414     lea edx, dword ptr [esp+14]
:0040D40B 52           push edx
:0040D40C 50           push eax
:0040D40D 8D442420     lea eax, dword ptr [esp+20]
:0040D411 50           push eax
:0040D412 6A00         push 00000000

* Possible StringData Ref from Data Obj ->"UserName"    <-- Checks for UserName
|
:0040D414 680C214400   push 0044210C
:0040D419 51           push ecx
:0040D41A FFD5         call ebp                         <--- read UserName
:0040D41C 85C0         test eax, eax                    <--- is eax=0 ?? (xor eax,eax)
:0040D41E 0F8529010000 jne 0040D54D        <<===        <--- if eax<>0 then jump to UNREGISTERED
:0040D424 8B542414     mov edx, dword ptr [esp+14]
:0040D428 52           push edx
:0040D429 E863770100   call 00424B91
:0040D42E 8B542414     mov edx, dword ptr [esp+14]
:0040D432 83C404       add esp, 00000004
:0040D435 8BD8         mov ebx, eax
:0040D437 8D442414     lea eax, dword ptr [esp+14]
:0040D43B 50           push eax
:0040D43C 8D4C241C     lea ecx, dword ptr [esp+1C]
:0040D440 53           push ebx
:0040D441 51           push ecx
:0040D442 6A00         push 00000000

* Possible StringData Ref from Data Obj ->"UserName"
|
:0040D444 680C214400   push 0044210C
:0040D449 52           push edx
:0040D44A FFD5         call ebp                         <--- read UserName again
:0040D44C 8B442410     mov eax, dword ptr [esp+10]
:0040D450 50           push eax

But we don't need to go further into the code, because we found the magic jmp at 40D41E, so here we can replace it by je, and the program takes the username from the Windows registered owner. Easy, hein!

  0F 85 29 01 00 00
  to
  -- 84 -- -- -- --     (--) stays unchanged.

Find the offset and change it in HexWorkShop. Restart. Yes! It's registered, WoW, and the help button is now enabled. Great!
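All three patching write-ups in this issue (Alot Nanny, CD-R Diagnostic and TweakJr) rest on the same two facts about x86 conditional jumps: the condition code sits in the low nibble of the opcode, so flipping bit 0 turns jne (75, or 0F 85 in the near form) into je (74 / 0F 84) without touching the displacement, and the displacement is relative to the end of the instruction, so an in-place replacement must keep the instruction length (which is why 7C 4E becomes 90 90, two bytes for two bytes). The Python below is an added example, not code from any of the tutorials: it decodes the short (rel8) and near (rel32) Jcc forms and checks the targets and replacements against the addresses quoted above; the sample bytes are constructed from those listings.

```python
import struct

# Condition-code names by low nibble of the Jcc opcode (Intel SDM, Jcc).
CONDITIONS = ["o", "no", "b", "ae", "e", "ne", "be", "a",
              "s", "ns", "p", "np", "l", "ge", "le", "g"]


def decode_jcc(addr, code):
    """Decode a conditional jump starting at virtual address `addr`.

    Returns (mnemonic, target, length). Handles the short form 70..7F rel8
    (2 bytes) and the near form 0F 80..8F rel32 (6 bytes). The displacement is
    signed and relative to the address of the *next* instruction.
    """
    op = code[0]
    if 0x70 <= op <= 0x7F:
        rel = struct.unpack_from("<b", code, 1)[0]
        cc, length = op & 0xF, 2
    elif op == 0x0F and len(code) >= 6 and 0x80 <= code[1] <= 0x8F:
        rel = struct.unpack_from("<i", code, 2)[0]
        cc, length = code[1] & 0xF, 6
    else:
        raise ValueError("not a conditional jump: %s" % code.hex())
    target = (addr + length + rel) & 0xFFFFFFFF
    return "j" + CONDITIONS[cc], target, length


def invert_jcc(code):
    """Flip bit 0 of the condition code: je<->jne, jl<->jge, jb<->jae, ...
    The displacement bytes are untouched, so the target stays the same."""
    patched = bytearray(code)
    if 0x70 <= patched[0] <= 0x7F:
        patched[0] ^= 1
    elif patched[0] == 0x0F and 0x80 <= patched[1] <= 0x8F:
        patched[1] ^= 1
    else:
        raise ValueError("not a conditional jump")
    return bytes(patched)


def nop_out(code):
    """Replace the whole jump with NOPs of the same length, so every later
    instruction keeps its address and relative jumps elsewhere stay valid."""
    _, _, length = decode_jcc(0, code)
    return b"\x90" * length


def same_length(original, replacement):
    """An in-place byte patch is only safe if the instruction size is unchanged."""
    return len(original) == len(replacement)


if __name__ == "__main__":
    # Constructed from the listings in the tutorials above: (address, bytes).
    samples = [
        (0x00458C8B, bytes.fromhex("7524")),          # Alot Nanny: jne 00458CB1
        (0x0045940E, bytes.fromhex("7C4E")),          # Alot Nanny: jl 0045945E
        (0x00401291, bytes.fromhex("7439")),          # CD-R Diagnostic: je 004012CC
        (0x0040D41E, bytes.fromhex("0F8529010000")),  # TweakJr: jne 0040D54D
    ]
    for addr, code in samples:
        mnem, target, _ = decode_jcc(addr, code)
        inv, inv_target, _ = decode_jcc(addr, invert_jcc(code))
        print("%08X %-12s %-3s %08X   inverted -> %-3s %08X" % (
            addr, code.hex(), mnem, target, inv, inv_target))
```

Decoding the near jump at 40D41E gives 0040D41E + 6 + 0x129 = 0040D54D, the target W32Dasm shows, and the single changed byte 85 -> 84 lands at file offset D41F, one past the 0F prefix, which is the offset both patchers below write to.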
So, quickly, let's do the patch with TP first:

-------------------------------------Cut-Here--------------------------------------------------
Program TweakJr_Patch;

Const
  { one entry per byte to change: file offset and new value.
    $D41F is the 85 of 0F 85 (jne) at 40D41E; 84 makes it 0F 84 (je). }
  A: Array[1..1] of Record
       A : Longint;   { offset in tweakjr.exe }
       B : Byte;      { replacement byte }
     End = ((A:$D41F; B:$84));

Var
  Ch : Char;
  I  : Byte;
  F  : File;

Begin
  Writeln('Crack for TweakJr 99 1.01 by tBS ''99');
  Assign(F, 'tweakjr.exe');
  {$I-}
  Reset(F, 1);                 { untyped file, 1-byte records }
  {$I+}
  If IOResult <> 0 then
  begin
    Writeln('No file found!');
    Halt(1);
  end;
  For I := 1 to 1 do
  Begin
    Seek(F, A[I].A);           { go to the byte to patch }
    Ch := Char(A[I].B);
    BlockWrite(F, Ch, 1);      { overwrite it }
  End;
  Close(F);
  Writeln('Patch completed');
  Writeln('Enjoy it');
End.
-------------------------------------Cut-Here--------------------------------------------------

Let's do the patch with Pcom:

WARNING: Pcom's patchers work only under DOS! But it's very simple and powerful, and before using it you must read the DOC; you can learn lots of things. You can find it here: http://huizen.dds.nl/~exed/

-------------------------------------Cut-Here--------------------------------------------------
; BEGIN
$cls
@TweakJr 99 1.01 Crack by tBS '99
@
@Press Y to apply patch, any other key to quit.
$y/n
@
@~!:Finding tweakjr.exe...
+tweakjr.exe
@ Found!
@
@~!:Checking size...
!319488
@ Ok!
@
@~!:Checking bytes...
>0000:d41f
=85
@ Ok!
@
@~!:Patching file...
>0000:d41f
'84
@ Ok!
-
@
@[Patch completed - press a key]
$snd
$key
; END
-------------------------------------Cut-Here--------------------------------------------------

Ending:
Greetingz to: tKC, NETRUNNER, MinIfoo, ApoKalipse, Waver, Ivanopulo, Red, Schumu, and all the crackers around the world
Special Greetingz to: DaVinci, Nitallica, LagPRO, Socko, Fli7e, DnNuke, and all the GfX around the world
Extra Greetingz to: Marta, LeeLoo, Cellular and all the CbR around the world
I would like to thank tKC for his kindness and all the members of CiA


Batch File Wizard v1.8 Crack Tutorial by Bubba Hack, Sept.99
============================================================

Tools required:
  Smartcheck 6.0x
Software located at: http://???

Instructions:
Usual Smartcheck setup, everything except mouse reporting switched on, and away we go.

First thing it does is check the INI file for the correct name & password. You can see that it checks up to 128 characters of empty space EVEN THOUGH the program has not been registered. So some sloppy programming at play here .. will it continue until we find the correct key sequence? OK .. let's have a go.

Click on the Registration menu, click on Register Program. A dialog box appears requesting First Name, Middle Initial & Surname.... and of course the magic number. So enter the following (it's short as we've seen the program check 128 characters before .. you'll soon see why).

  Name: Fred
  Initial: J
  Surname: Bloggs
  Registration Number: 123456

And click on Register Program .. drat, we got it wrong. Look at Smartcheck and what do we see hidden under "cmdRegister_Click" ... is the following.

1) The 3 entries are added to one string (now "Fred J Bloggs")
2) Each and every character in the string is examined, converted to upper case and the decimal ASCII value is extracted.
3) Each value is then added to another string.
4) The registration key is this string ..
checked at the end of the code by way of Trim$(String "70826968327432667679717183")
5) It can't be that easy .. can it? Copy & paste the above key and click on Register Program again. Hey presto .. we got it.
6) The correct details are then written to the INI file.

Source code for a keygen (so simple .. it hurts)
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
Dim regkey As String
Dim key As String
Dim keylen As Integer
Dim dummy As String
Dim delete_space As String
Dim keyvalue As Integer
Dim f As Integer

key = Text1.Text                          ' name as typed: "First Initial Surname"
Text2.Text = ""
regkey = ""
keylen = Len(Text1.Text)
For f = 1 To keylen
    dummy = UCase$(Mid$(key, f, 1))       ' get char & convert to uppercase
    keyvalue = Asc(dummy)                 ' decimal ASCII value of the char
    delete_space = Trim$(Str$(keyvalue))  ' Str$ adds a leading space, trim it off
    regkey = regkey & delete_space        ' append the digits to the key
Next f
Text2.Text = regkey
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o

Tutorial by: Bubba Hack, Sept. 1999 - bubba_hack@hotmail.com


We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #43 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  DnNuke for Splash Logo.
  Black Check for providing a tut in this version.
  VoodooKid for providing a tut in this version.
  FileCAT for providing a tut in this version.
  tBS for providing a tut in this version.
  Bubba Hack for providing a tut in this version.
  tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address! And all the tutors can be found at www.msjessca.da.ru!

Greetz go to all my friends! You can find me on IRC or email me at tkc@reaper.org

Oh btw, please don't expect me to reply to your mails, since I get 50+/- mails every day.. be sure that I really appreciate your mails! :)

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 17 September 1999

Cracking Tutorial #42 is dedicated to Ms_Jessca. My liefie only. Who else?
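Bubba Hack's SmartCheck walk-through of Batch File Wizard above shows why that key falls out of a single trace: the key is a pure function of the name, with no secret and no per-copy input, so anyone who can watch the check can compute it. The Python below is an added example, not the program's code and not the VB keygen above. `weak_key` and `weak_check` reimplement the recovered scheme so the property can be tested; `issue_key` and `server_verify` show the minimum a vendor would need instead: a key bound to the name by an HMAC under a secret that never leaves the vendor's side and is verified there. For a purely offline check a public-key signature would be needed, since any secret shipped inside the binary can be traced out exactly as the tutorial does. `VENDOR_SECRET` is a constructed placeholder.

```python
import hmac
import hashlib


def weak_key(name):
    """Key scheme recovered in the tutorial: upper-case each character of the
    'First Initial Surname' string and concatenate the decimal ASCII codes."""
    return "".join(str(ord(ch)) for ch in name.upper())


def weak_check(name, key):
    """The program's check as described: Trim$ the entered key and compare."""
    return key.strip() == weak_key(name)


# Constructed placeholder. In a real deployment this lives only on the vendor's
# licence server and is never present in the shipped executable.
VENDOR_SECRET = b"example-vendor-secret-do-not-ship"


def canonical(name):
    """Normalise the licensee name so spacing/case differences do not yield a
    different key (collapse whitespace, upper-case, encode)."""
    return " ".join(name.split()).upper().encode("utf-8")


def issue_key(name, secret=VENDOR_SECRET):
    """Vendor side: derive the key from the name under a secret. Without the
    secret the mapping name -> key is not computable, unlike weak_key()."""
    mac = hmac.new(secret, canonical(name), hashlib.sha256).digest()
    return mac[:10].hex().upper()          # 20 hex chars is plenty for the demo


def server_verify(name, key, secret=VENDOR_SECRET):
    """Vendor-side check: recompute and compare in constant time."""
    expected = issue_key(name, secret).encode("ascii")
    presented = key.strip().upper().encode("utf-8")
    return hmac.compare_digest(expected, presented)


if __name__ == "__main__":
    name = "Fred J Bloggs"
    print("weak key for %r: %s" % (name, weak_key(name)))
    k = issue_key(name)
    print("issued key %s  verifies: %s  wrong name: %s  weak-style key accepted: %s" % (
        k, server_verify(name, k), server_verify("Fred J Blogs", k),
        server_verify(name, weak_key(name))))
```

The weak scheme reproduces the tutorial's key for "Fred J Bloggs" byte for byte; the keyed version rejects that string and any key not issued under the secret, while still accepting the same licensee written with different spacing or case.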