Welcome to Cracking Tutorial #43!

Hiya peepz,

Ah better, my baskets "IN"/"OUT" are empty now.. I hope they stay empty ;)
Oh by the way, I might be offline soon for a few months, so don't mail me your tutors for a while.. ... but don't worry, you'll hear from me again!

OK, let's go!

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE 4.01
W32Dasm 8.93
Hacker's View 6.20
SmartCheck 6.03
TASM 5.00
Windows Commander 4.01 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://mercury.spaceports.com/~quel/protools/ or ask any crackers to get you these tools!

Are you ready?! OK! ;)

(....this tutor was wrongly published in my previous version, hereby this article is corrected, tBS asks for apology, tnx tKC....)

tARGET pROGRAM : TweakJr 99 1.01
pROTECTION     : - Nag Screen with Delay + an OK Button
                 - Help Button Disabled.
                 - Auto run programs in Folder/Run is Disabled
uRL            : http://home3.swipnet.se/~w-31362/tweakjrenj.htm
tOOLS uSED     : - W32Dasm 8.93
                 - Hex Workshop 2.54
                 - Turbo Pascal 7.0
                 - Pcom 2.8b3

TweakJr is a powerful tool which manipulates the registry as well. You can change the registry in a safe way; you don't have to worry about whether the computer will start or not after these changes.

Well, this cracking tutorial is for beginners. I'll show you how to crack TweakJr 99 and make a patch using two ways, very easy. I hope you will enjoy this TuT and that it helps you learn!

OK, guys, let's get started. Open TweakJr. There is a window telling us to register the copy; after 3 sec a button appears. Click OK and look for strange things... Yes, it's the help button, it was disabled by the author. Good! Now go to About; what we see here is the #1 magic word "UNREGISTERED". Very Good!
And we can't enter any UserName or UnlockKey. Excellent! We'll show him what a shitty protection it is! :)

Launch W32Dasm and disassemble the target, and look for the #2 magic word REGISTERED or something like that. Yes! We found it! One reference: "Thank You for your Registration". Double Click and... (this method allows us to go over the whole protection scheme)

Register The Program
--------------------

I said Double Click and...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D4CC(C)                                             <-- here it is!
|
* Possible StringData Ref from Data Obj ->"Thank You for your Registration "   <-- we land here
                                        ->"and for Supporting TweakJr 99 "
                                        ->"!"
|
:0040D4DA 68D8284400              push 004428D8
:0040D4DF 8D8E24100000            lea ecx, dword ptr [esi+00001024]
:0040D4E5 E8E6B60100              call 00428BD0
:0040D4EA 6A00                    push 00000000
:0040D4EC 685D040000              push 0000045D
:0040D4F1 8D8E740B0000            lea ecx, dword ptr [esi+00000B74]
:0040D4F7 E8CBAA0100              call 00427FC7
:0040D4FC 8BC8                    mov ecx, eax
:0040D4FE E8E6AC0100              call 004281E9
:0040D503 6A01                    push 00000001
:0040D505 684C040000              push 0000044C

We are at the end of the registration routine, so let's go up to code location 40D4CC:

* Reference To: ADVAPI32.RegCloseKey, Ord:015Bh
|
:0040D4AF FF1500404300            Call dword ptr [00434000]
:0040D4B5 E9E0000000              jmp 0040D59A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D483(C)                                             <-- here it is again!
|
:0040D4BA 8B07                    mov eax, dword ptr [edi]
:0040D4BC 68605D4400              push 00445D60
:0040D4C1 50                      push eax
:0040D4C2 E8979E0000              call 0041735E
:0040D4C7 83C408                  add esp, 00000008
:0040D4CA 85C0                    test eax, eax
:0040D4CC 750C                    jne 0040D4DA              <-- We are here!

You think if we change it to je, we'll be registered? WRONG! Because we are still in the routine that made us registered, so we must go up again!

* Possible StringData Ref from Data Obj ->"John Doe"       <--- What's That!

Hmmm, maybe the boyfriend of the author, because the program looks for his name, and if OK, it will register itself without any patch. Lovely boy ;)

|
:0040D4CE 6818294400              push 00442918
:0040D4D3 8BCF                    mov ecx, edi
:0040D4D5 E8F6B60100              call 00428BD0

Double right click on code location :0040D483(C) and scroll up until you see this:

* Possible StringData Ref from Data Obj ->"Software\JockeSoft\TweakJr 99\1.0"   <-- Check for TweakJr Entry
|
:0040D3EF 6818214400              push 00442118
:0040D3F4 6801000080              push 80000001
:0040D3F9 FFD3                    call ebx                  <--- read entry
:0040D3FB 85C0                    test eax, eax             <--- is eax=0 ?? (xor eax,eax)
:0040D3FD 0F8577010000            jne 0040D57A              <--- if eax<>0 then jump to UNREGISTERED
:0040D403 8B4C2410                mov ecx, dword ptr [esp+10]
:0040D407 8D542414                lea edx, dword ptr [esp+14]
:0040D40B 52                      push edx
:0040D40C 50                      push eax
:0040D40D 8D442420                lea eax, dword ptr [esp+20]
:0040D411 50                      push eax
:0040D412 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"UserName"        <-- Checks for UserName
|
:0040D414 680C214400              push 0044210C
:0040D419 51                      push ecx
:0040D41A FFD5                    call ebp                  <--- read UserName
:0040D41C 85C0                    test eax, eax             <--- is eax=0 ?? (xor eax,eax)
:0040D41E 0F8529010000            jne 0040D54D     <<===    <--- if eax<>0 then jump to UNREGISTERED
:0040D424 8B542414                mov edx, dword ptr [esp+14]
:0040D428 52                      push edx
:0040D429 E863770100              call 00424B91
:0040D42E 8B542414                mov edx, dword ptr [esp+14]
:0040D432 83C404                  add esp, 00000004
:0040D435 8BD8                    mov ebx, eax
:0040D437 8D442414                lea eax, dword ptr [esp+14]
:0040D43B 50                      push eax
:0040D43C 8D4C241C                lea ecx, dword ptr [esp+1C]
:0040D440 53                      push ebx
:0040D441 51                      push ecx
:0040D442 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"UserName"
|
:0040D444 680C214400              push 0044210C
:0040D449 52                      push edx
:0040D44A FFD5                    call ebp                  <--- read UserName again
:0040D44C 8B442410                mov eax, dword ptr [esp+10]
:0040D450 50                      push eax

But we don't need to go further into the code, because we found the magic jmp at 40D41E. Here we can replace it by je, and the program takes the username from the Windows registered owner. Easy, hein!

0F 85 29 01 00 00  to  -- 84 -- -- -- --      (--) stay unchanged.

Enable Auto run programs in Folder/Run
--------------------------------------

Now we are looking for something that relates to Run, RunOnce, RunServices etc., and we found "Software\Microsoft\Windows\CurrentVersion\Run" <-- So let's try this! (there is also "Software\Microsoft\Windows\CurrentVersion\RunS")

* Possible StringData Ref from Data Obj ->"Software\Microsoft\Windows\CurrentVersion\Run"
|
:00404175 6840164400              push 00441640
:0040417A 6801000080              push 80000001

* Reference To: ADVAPI32.RegOpenKeyExA, Ord:0172h
|
:0040417F FF1508404300            Call dword ptr [00434008]
:00404185 85C0                    test eax, eax
:00404187 7551                    jne 004041DA              <-- this is the magic jump that we are after.
:00404189 55                      push ebp

75 51  to  74 --      (--) stay unchanged.

Find the two offsets and change them in HexWorkShop. Restart. Yes! It's registered. WoW, the help button is now enabled. Great! And all the functions are enabled now.
Quickly, let's do the patch with TP first:

-------------------------------------Cut-Here--------------------------------------------------
Program TweakJr_Patch;

Const
  { file offset and new byte value of the two patched conditional jumps }
  A: Array[1..2] of Record
       A : Longint;
       B : Byte;
     End = ((A:$D41F; B:$84), (A:$4187; B:$74));

Var
  Ch : Char;
  I  : Byte;
  F  : File;

Begin
  Writeln('Crack for TweakJr 99 1.01 by tBS ''99');
  Assign(F, 'tweakjr.exe');
  {$I-} Reset(F, 1); {$I+}              { open as an untyped file with 1-byte records }
  If IOResult <> 0 then
  begin
    Writeln('No file found!');
    Halt(1);
  end;
  For I := 1 to 2 do
  Begin
    Seek(F, A[I].A);                    { go to the second opcode byte of the jump }
    Ch := Char(A[I].B);
    BlockWrite(F, Ch, 1);               { overwrite one byte: jne becomes je }
  End;
  Close(F);
  Writeln('Patch completed');
  Writeln('Enjoy it');
End.
-------------------------------------Cut-Here--------------------------------------------------

Let's do the patch with Pcom: it's very simple and powerful, and before using it you must read the DOC; you can learn a lot of things. You can find it here: http://huizen.dds.nl/~exed/

The command line is: pcom tweakjr.src -p -i -e

-p  Compression
-i  Include anti-hacking code
-e  Encrypt output file

-------------------------------------Cut-Here--------------------------------------------------
; BEGIN
$cls
@TweakJr 99 1.01 Crack by tBS '99
@
@Press Y to apply patch, any other key to quit.
$y/n
@
@~!:Finding tweakjr.exe...
+tweakjr.exe
@ Found!
@
@~!:Checking size...
!319488
@ Ok!
@
@~!:Checking bytes...
>0000:d41f =85
>0000:4187 =75
@ Ok!
@
@~!:Patching file...
>0000:d41f '84
>0000:4187 '74
@ Ok!
-
@
@[Patch completed - press a key]
$snd
$key
; END
-------------------------------------Cut-Here--------------------------------------------------

Ending:
-------

Well, that's that.
I hope you could follow it all. For any comments, or if there's anything that I didn't explain too well, then don't hesitate to mail me at: tBS@iquebec.com

Greetingz to: tKC, NETRUNNER, MinIfoo, apoKalipse, wAvEr, Ivanopulo, rEd, schUmU, and all the crackers around the world
Special Greetingz to: DaVinci, Nitallica, LagPRO, Socko, Fli7e, DnNuke, and all the GfXs around the world
Extra Greetingz to: Marta, LeeLoo '43, CeLLuLaiR and all the CbR around the world

I would like to thank tKC for his kindness and all the members of CiA.


Button Wizard v6.3 Crack Tutorial by Bubba Hack, Sept.99
========================================================

Tools required:-  Smartcheck 6.0x
Software located at:-  http://www.joelryan.com/

Instructions:-

Run Button Wizard at least once before running Smartcheck. It's the usual Smartcheck setup, everything except mouse reporting switched on and away we go.

The first thing the program does is check for four entries in the registry (in HKCU, Software, VB & VBA Settings, BWProt5). They are called "fSD", "fUN", "fPW" & "fRC".

The next thing to happen is the date check and if this is the first time you've run this program, it's set to 30 days. This start date is stored in "fSD" (Start Date by chance ?). 30 days from this date and it's all over.... or is it ?

Quit Button Wizard, increase the date by 1 day and restart it again. The value in "fSD" is checked and the days left decreased by one. Now quit Button Wizard once more.

Going to use a bit of the old Zen cracking as described by Fravia and other good crackers. We have a registry key here called "fPW" .. now I am guessing that this stands for "Password" ? OK .. open up Regedit and find the entry for Button Wizard as per the above location. Add a new String value called "fPW" and set it to anything you want (this will at least tell us what it is compared against etc.) and quit Regedit.

Reload Button Wizard and we should now see that the program checks the value of "fPW" against what should be in there and we can work out the correct key .. we are still unregistered and it still cannot find those other two registry entries.

Quit Button Wizard (again!) and load up Regedit again, and add the other two entries "fUN" & "fRC" (at a guess Regcode) and leave them blank.

One more time, press F5 in Smartcheck (you haven't closed this down as well ?) and we should now get some error message about these two new entries being invalid ....... but what's this, the program is now registered. Can you believe it ? If the registry contains the entry "fPW" and there is something in it .. and the other two registry keys are blank, then Button Wizard believes you have registered this program. Three cheers for the programmer and his "tough" registration routine :)

Tutorial by: Bubba Hack, Sept. 1999 - bubba_hack@hotmail.com


TB Start v1.0 Crack Tutorial by Bubba Hack, Sept.99
===================================================

Tools required:-  Smartcheck 6.0x
Software located at:-  http://???

Instructions:-

Usual Smartcheck setup, everything except mouse reporting switched on and away we go.

First thing it does is check the INI file for the correct name & password. You can see that it checks up to 128 characters of empty space EVEN THOUGH the program has not been registered and this data would not be present. So we are looking at some sloppy programming at play here .. will it continue until we find the correct key sequence ? OK .. let's have a go.

Seeing as this tool sits on the system tray, click once on it and then click on the Registration menu, click on Register Program. A dialog box appears requesting First Name, Middle Initial & Surname.... and of course the magic number. So enter the following (it's short as we've seen the program check 128 characters before .. you'll soon see why).

Name: Fred
Initial: J
Surname: Bloggs
Registration Number: 123456

And click on Register Program .. drat, we got it wrong. Look at Smartcheck and what do we see hidden under "cmdRegister_Click" ... is the following.

1) The 3 entries are added to one string (now "Fred J Bloggs")

2) Some form of "encryption" is done to the string - which if you check the before and after values of the ASCII characters, the "encryption" routine adds 1 to the ASCII value unless it's a space (char 32). Eg. Our name becomes "Gsfe K Cmphht".

3) Each and every character in the string is examined, converted to upper case and the decimal ASCII value is extracted.

4) Each value is then added to another string.

5) The registration key is this string .. checked at the end of the code, but unlike the author's other program (The Batch File Wizard v1.8) the code is not left there in front of you. So you will have to sit there and either write a small program to generate a working string (with the extremely tough encryption) .. or sit there and type in each of the numbers one after the other into the box. For our name, the code ends up being:-

71837069327532677780727284

6) It can't be that easy .. can it ? Copy & paste the above key and click on register program again. Hey presto .. we got it.

7) The correct details are then written to the INI file.

Source code for a keygen (so simple .. it hurts)

-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
Dim regkey As String
Dim key As String
Dim keylen As Integer
Dim dummy As String
Dim delete_space As String
Dim keyvalue As Integer
Dim f As Integer

key = Text1.Text                          ' name typed into the first text box
Text2.Text = ""
regkey = ""
keylen = Len(Text1.Text)

For f = 1 To keylen
    dummy = UCase$(Mid$(key, f, 1))       ' get char & convert to uppercase
    keyvalue = Asc(dummy)
    If keyvalue <> 32 Then                ' check for space
        keyvalue = keyvalue + 1           ' if not space then "encrypt" the name
    End If
    delete_space = Trim$(Str$(keyvalue))  ' Str$ adds a leading space, drop it
    regkey = regkey & delete_space
Next f

Text2.Text = regkey                       ' the registration key
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o

Tutorial by: Bubba Hack, Sept. 1999 - bubba_hack@hotmail.com


" Quequero's Crackme "

About the essay...

Written by: DnNuke
Program name: Quequero's CrackMe
Program type: ASM
Tools required: SoftIce v3.**

Introduction...

"The Mask" is a crackme coded entirely in assembly and it's very easy, the program wants a serial, a key file and then...a surprise, you must discover the secret ;))! Good work cracker! RULEZZZZZ! Patching is absolutely NOT ALLOWED and you needn't disassemble. The file is also packed with a stupid exe-packer only to prevent disassembling ;) I'll publish the first GOOD solution of this crackme on my site in English in the tools section and in Italian in the UIC's section (Italian University of Crackers). Good luck!

Quequero

About the protection...

A Serial, Keyfile, And A Surprise?

The Essay...

Ok cRACKERS, Hope You're Up For Some XOR:ing...!

First Goto The CrackMe, Enter: 1133557799
Open Sice "bpx hmemcpy"
Press "Check"
Sice Breaks. Press F11 Once, And Then F12 7 Times. Then Do A F10.
See The Cmp EAX, 0C? Well That's The Cmp Of Our Password Length. ? 0C = 12. Cool, 12 Chars It Is..
Let's Keep On Going.. Until ****:004013A6 CALL... Go In That Call. Why? Because It's The Last Call B4 The Error Message. In The Call You'll See A Check Routine.
XOR ECX, ECX
MOV AL, [YOUR PASS]                      ; first the 1:st char, then the 2:nd.....
MOV DL, [A LINE FROM THE PROGRAM]
XOR AL, DL                               ; XOR's The Du..!
CMP AL, [ANOTHER LINE FROM THE CRACKME]
JNZ .....

So What You Do Here Is This.. At MOV DL,.... Do A (D ecx+004022FB). You See The u?..... Stuff.? Well It's XOR:ed With Our Serial! You Can See The Codes On The Left Side.. At CMP AL,... Do (D ecx+004022EF). Now You See What The Result Of The XOR Has To Be... So Let's Reverse It aLL...! Hope You Wrote The Codes Down..

     20 76 C8 1E B4 90 C3 7D AD 2C CA 72
xor  75 3F 8B 41 D2 FF B1 18 DB 49 B8 52
-------------------------------------------

Now You Do It Somewhere... I Did It And I Did Not Write Down The Numbers.. But The Code Is: UIC...... Nah, I Won't Ruin "THE FUN" Of The CrackMe.. =) But If You Don't Find It Mail Me..

Ok, After The Right Password Is Pressed It Says "Still Unregistered". WHAT?!?!?!? Oh, It Must Be The KeyFile He Talked About.. Ok Let's Use Filemon 4 It.. Ah, See a mask.key? I Do..! Create One.. Now In Sice Do BPX MessageBoxA! F11. You Get "GOOD CRACKER!" HeH, I Know! Then Back In Sice.. Trace A Bit Down To:

****:0040144E  XOR ECX, ECX             ; ECX = 0
               MOV ESI...
               MOV EDI...
               MOV AL, [ECX+00402252]   ; XOR#1 B.S. To AL
               MOV AH, [YOUR PASS]      ; Pass To AH
               MOV DL, [ECX+EDI]        ; XOR#2 B.S. To DL
               XOR AH, DL
               CMP AH, DL

Well, Let's Do The Same Thing Here... At MOV AL, [ECX.... Do (D ecx+00402252). Then You See The Codes.. [To the Left] At MOV DL, [ECX+EDI] Do (D ecx+edi). Second Codes. Let's Reverse Them!

     65 A4 B5 89 12 58 9F FF FB ED 55 21 A8 7B CE E5 18 97 45 3A 12 37 77 EE 58
XOR  3F 3F D7 ED 67 34 F3 9E 97 72 61 0F 86 55 AC 9C 38 C6 30 5F 63 42 12 9C 73
---------------------------------------------------------------------------------------

How Do I Know The Length Of This?? Well, At ****:00401471 CMP ECX, 19. Do ? 19 And You Get 25! Now We're Done! Let's Check UIC.... "Good Cracker!" heh, I Still Know That =) But What?? "Still Unregistered" OH NO! Ok, Be Patient Nuke.. Don't Blow Up Any-Thing.! - I Have To Take A Walk... BRB.

Ah, I'm Back.! That Was Nice.. Ok, Let's Fuck It Up! So This Is The Surprise Then, Huh! Let's Try Filemon Again And See What He Tells Us. Oh, Do You See A "mask.exe"? Hah, The CrackMe Is Called "The Mask.exe". That Means 2:nd KeyFile..? Ok, Let's Do It Fast.. At ****:004012C0 You See:

****:004012C0  MOV AL, [ECX+0040227F]
               MOV AH, [YER PASS]
               MOV DL, [ECX+EDI]
               XOR AH, AL
               CMP AH, DL
               JNZ ...

I Hope I Don't Have To Tell Ya What To Do Here... But AnyWay, Remember This..

1# The mask.exe Will Only Work Once! You Have To Restart The Crackme So That It Can Pass A JNZ..
2# Another Complicated Thing! Damn You Quequero.! =) In The mask.exe There Has To Be "Wait, Let Me Count.." 177 Spaces Or SomeThing Between The Start Of The File And The PassWord.. Try, And If It Ain't 177 You Can See At The MOV AH, [YER PASS] That The "G" Starts Where It Should...

If You Got Stuck Somewhere Plz Mail Me... @ DnNuke@yahoo.com

Hope You've Learned Something From This Tutor.. I Know I Did.. - Never Do XOR CrackMes Again!

Bye For Now // DnNuke'99 [CiA]

Final Notes...

:...;HALL OF FRIENDS;....:

MiZ                                         ---- Your School Sux Dude :P
R!SC                                        ---- You Really Like Me! :P
NOooooooooooooOS                            ---- For All The Ehhh, You Know :)
Night_Mastah                                ---- You Go Boy! ;)
Acid Burn                                   ---- You Are Not Lame! Ehh Right? :P
tKC                                         ---- 4 Giving Me A Chance In CiA
Torn@do, iNC                                ---- 4 Recommending me in CiA, Thanx dude.
fli7e, LagPro, Socko, NorthPole, PeeWee     ---- Your GFX Amazes ME!
Ms_jessica                                  ---- Haven't Seen Ya Yet :)
SiONiDE, Z-Wing, FileCat, VisionZ           ---- You Guys Crack Me Up :)
ZoBeL                                       ---- My New GREAT Friend! See You, HR 4 Ever! :*)
IceCream, Carpathia, Bisoux, Duelist, LaZaRus, Stealthy, FireWorx :P, WarezPup, AB4DS, AcidHac, Hades...
                                            ---> 4 Being So Good Friends To Me.

Sorry If I Forgot To Add YOU! Plz Mail Me If So...

The Sandman, tkC, Eternal Bliss, TORN@DO    ----> For Their Cracking Tuts...

....And All Other Fellow Crackers That Know Me....
And Don't Forget To Visit Me At #c.i.a, #Cracking4Newbies On Efnet


THE SAINT Man
September 1999.09.19
e-mail zaaz12@post.tele.dk

TARGET:  THERE IS NO TARGET YOU STUPID PIECE OF SHIT, THIS TUTOR IS ABOUT ASSEMBLY (DUMASS)
ENGLISH: AS SOME OF YOU ALREADY KNOW I AM DANISH, SO DO NOT COMPLAIN TO ME.
LEVEL:   THIS TUTOR IS FOR PEOPLE WITH BRAINS, SO BLONDS GET A LIFE.

AND MY LAST WORDS ARE: DO YOU HAVE ANY COMPLAINTS TO MAKE? GO SOMEWHERE ELSE. DO YOU HAVE GOOD COMMENTS? PLEASE MAIL ME. DO YOU HAVE ANY SUGGESTIONS ON HOW TO MAKE MY TUTOR BETTER? MAIL ME. I ALREADY GET ABOUT 100 MAILS A MONTH AND THAT'S WHY I KEEP MAKING NEW TUTORS FOR ALL YOU NEWBIES. FIND MY TUTORS AT THIS FINE SITE..

LET'S GET BUSY:

REGISTERS
---------

Registers are basically default places in which to store data. The only ones we need to worry about are:

(E)AX, (E)BX, (E)CX, (E)DX      ( The (E) is only significant when debugging 32-bit code )

Also the register pairs:

DS:SI   ; Can be used as the source for string operations
ES:DI   ; Used as the target for string operations

Understanding registers isn't very important for cracking; generally just knowing that they're variables for data storage is enough to get you started :)

FLAGS
-----

Flags are essentially like registers except that they can only be true or false ( i.e. 0 or 1 ). These are set by commands such as CMP, and are used to check the outcome of such a call, i.e.:

CMP AX, BX      ; Compare AX to BX, if equal the zero flag is set to 1
JZ 00124531     ; If the zero flag is set, jump to 00124531.

To understand this properly you'll probably have to read on and then come back... :P

The Stack & Push/Pop
--------------------

Before any function call, a program must 'push' any parameters that the function expects onto the stack. Think of it as a stack of plates: the first plate on the stack is the last one to be taken off -- the stack is exactly the same.

It's important to remember this 'first on/last off' principle when looking at a call, as this means that the parameters will be passed in reverse order... In case my babbling has confused you, let's look at this example:

The Windows API function GetDlgItemText requires the following parameters:

(1) Handle of dialog box
(2) Identifier of control
(3) Address of buffer for text
(4) Maximum size of string

Therefore these could be passed like so:

MOV EDI,[ESP+00000220]      ; Get Handle of dialog box in EDI
PUSH 00000100               ; PUSH (4) Max size of string
PUSH 00406130               ; PUSH (3) Address of buffer for text
PUSH 00000405               ; PUSH (2) Identifier of control
PUSH EDI                    ; PUSH (1) Handle of dialog box
CALL GetDlgItemText         ; CALL the function (the four parameters above are GetDlgItemText's)

Easy eh? This can be one of the simplest ways of cracking a serial number app: if you know the address of the buffer for the serial number, in this case 00406130, just breakpoint it, and you'll usually end up in or around the procedure that generates the real serial! :)

POP is simply used to remove the first item from the stack; there are usually a lot of them before a function returns to the program...

AND
---
USAGE   : AND dest,src
PURPOSE : Performs a logical AND of the two inputs, replacing the dest with the result
EXAMPLE : AND BX, 03h

There's not very much that can be said about this instruction, it does what it says.

CALL
----
USAGE   : CALL address
PURPOSE : Executes a function at the address 'address'
EXAMPLE : CALL 10284312

Calls the function at address 'address'; once the function has finished, the code will continue at the line after the call.

CMP
---
USAGE   : CMP dest,src
PURPOSE : Subtracts src from dest and updates the flags.
EXAMPLE : CMP AX,03h

This is an important instruction as far as we ( crackers ) are concerned :). It is used somewhere in the program to verify something, i.e. to compare the real serial to the one we enter, or to check if a program is registered etc. This instruction usually precedes a jump instruction of some kind.
INT
---
USAGE   : INT interrupt_number
PURPOSE : Calls a default function ( usually coded in the BIOS )
EXAMPLE : INT 10h

You won't really see this command much ( if at all ) when debugging Windows programs, but they turn up all over the place in DOS. Usually the parameters are passed in the default registers ( AX,BX,CX etc. ). There are far too many INT calls to list here; better to get a copy of an interrupt list. Ralf Brown's is very good! :)

JMP
---
USAGE   : JMP address
PURPOSE : Equivalent to a basic GOTO, jumps to a section of code
EXAMPLE : JMP 00402011

JMP is an unconditional jump to a section of code. As simple as that! :) There are tons of variations on this instruction; the most important ones are:

JZ  - Jump if the zero flag is set. ( Same as JE )
JNZ - Jump if the zero flag is not set. ( Same as JNE )

These usually follow a CMP instruction, i.e.:

CMP RealSerial,BadSerial    ; Compare the real serial to our serial
JNE GoAwayBadCracker        ; If Not Equal then exit.

MOV
---
USAGE   : MOV dest,src
PURPOSE : Copies byte or word value from the source to the destination
EXAMPLE : MOV AX,DX

You will see this a *lot* when you're stepping through code; it basically means ( to use BASIC terms ;) ) LET dest = src. There are quite a few variants including MOVSX, but they all basically do the same thing. It might help to get the Intel programming specs from their website. If you can't understand this one, you're screwed! ;)

OR
--
USAGE   : OR dest,src
PURPOSE : Performs a logical OR on the two inputs, replacing the dest with the result
EXAMPLE : OR DX, AX

Does what it says.

RET
---
USAGE   : RET
PURPOSE : To return from a function
EXAMPLE : RET

You will usually see this at the end of a function, and it simply instructs the processor to return to the address of the call to the function.
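As an added example (not part of THE SAINT Man's text), here is a small Python model of two of the ideas above: how CMP sets the flags that a following JZ/JNZ (and a few other conditional jumps) decides on, and why parameters pushed in reverse order for GetDlgItemText arrive in declared order on the callee's side of the stack. The 16-bit operand width, the starting ESP value and the return address are assumptions of the model, not something from the tutorial.

```python
"""Model of CMP/flags/Jcc and PUSH/CALL behaviour. Constructed teaching example,
not an x86 emulator: 16-bit CMP flag calculation, a conditional-jump table and
a downward-growing stack that replays the GetDlgItemText push sequence."""

MASK16 = 0xFFFF


def _signed16(v: int) -> int:
    """Interpret a 16-bit value as a two's-complement signed integer."""
    return v - 0x10000 if v & 0x8000 else v


def cmp16(dest: int, src: int) -> dict:
    """CMP dest, src on 16-bit operands: compute dest - src and return the flags.

    ZF: result is zero (operands equal)     CF: unsigned borrow (dest < src)
    SF: sign bit of the result              OF: signed overflow of the subtraction
    """
    d, s = dest & MASK16, src & MASK16
    result = (d - s) & MASK16
    return {
        "ZF": result == 0,
        "CF": d < s,
        "SF": bool(result & 0x8000),
        "OF": _signed16(d) - _signed16(s) != _signed16(result),
    }


def jump_taken(mnemonic: str, flags: dict) -> bool:
    """Whether the conditional jump following a CMP is taken for these flags."""
    zf, cf, sf, of = flags["ZF"], flags["CF"], flags["SF"], flags["OF"]
    table = {
        "JZ": zf, "JE": zf, "JNZ": not zf, "JNE": not zf,  # the pair the text names
        "JB": cf, "JAE": not cf,                           # unsigned below / above-or-equal
        "JL": sf != of, "JGE": sf == of,                   # signed less / greater-or-equal
    }
    return table[mnemonic]


class Stack:
    """Downward-growing 32-bit stack: PUSH decrements ESP first, POP increments it after."""

    def __init__(self, esp: int = 0x0012FF80):   # assumed starting ESP
        self.esp = esp
        self.mem = {}                              # address -> dword

    def push(self, dword: int) -> None:
        self.esp -= 4
        self.mem[self.esp] = dword & 0xFFFFFFFF

    def pop(self) -> int:
        value = self.mem.pop(self.esp)
        self.esp += 4
        return value


def call_getdlgitemtext(hdlg: int, ctrl_id: int, buf: int, max_len: int) -> tuple:
    """Replay the PUSH sequence from the text and return the parameters as the callee sees them.

    The caller pushes (4) max size, (3) buffer, (2) control id, (1) dialog handle, then
    CALL pushes the return address. Because the stack is last-in/first-out, [ESP+4]
    inside the callee is parameter (1), [ESP+8] is (2), and so on: declared order again.
    """
    st = Stack()
    st.push(max_len)        # PUSH 00000100
    st.push(buf)            # PUSH 00406130
    st.push(ctrl_id)        # PUSH 00000405
    st.push(hdlg)           # PUSH EDI
    st.push(0x00401234)     # CALL pushes the return address (constructed value)
    seen = tuple(st.mem[st.esp + 4 * n] for n in range(1, 5))
    st.pop()                # RET pops the return address back off
    return seen


if __name__ == "__main__":
    print(cmp16(1, 2), "JNE taken:", jump_taken("JNE", cmp16(1, 2)))
    print(call_getdlgitemtext(0x1234, 0x405, 0x406130, 0x100))
```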
Useful Stuff
------------

The specs for programming Intel processors : www.intel.com
Ralf Brown's interrupt list                : search for it
Win32 Programmers Reference                : comes with any visual language

As far as I know this is about all you'll need to really understand to get started in cracking.


We really hope you've enjoyed this tutorial as much as we did!

Don't miss Tutor #44 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

DnNuke for Splash Logo.
tBS for providing a tut in this version.
THE SAINT Man for providing a tut in this version.
Bubba Hack for providing 2 tuts in this version.
also DnNuke for providing a tut in this version.
tKC/CiA (hey it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address! (don't send me tutors till I'm back!)

And all the tutors can be found at www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 19 September 1999

Cracking Tutorial #43 is dedicated to Ms_Jessca... my love...