Welcome to Cracking Tutorial #44!

Hiya peepz,

Argh, I just received 6 tuts today, will u never let me rest in peace? :) I'll be offline tomorrow for a few months, so don't mail me your tutors for a while... but don't worry, you'll hear from me again!

OK, let's go!

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE 4.01
W32Dasm 8.93
Hacker's View 6.20
SmartCheck 6.03
TASM 5.00
Windows Commander 4.01 (I use it coz it's easier to multitask)

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from:
http://mercury.spaceports.com/~quel/protools/
or ask any crackers to get you these tools!

Are you ready?! OK! ;)

Flodata's Solitaire Crack Tutorial by Bubba Hack, Sept.99
=========================================================

Tools required:-
Smartcheck 6.0x

Software located at:-
http://www.flodata.se/utv/

Instructions:-
Usual Smartcheck setup, everything except mouse reporting switched on and away we go.

Running the program, the splash screen displays the registered name (ok so it's not spelt correctly, but we are not here to pick on someone else's grasp of the English language or their spelling!). Clicking on OK gets us to the main screen and we can see the "Register" button demanding our attention. Clicking on Register gives us the usual name & serial input boxes. Type in Bubba Hack and the serial code of 123123. "Unvalid registration" pops up .. so guessing the code is not going to be the strategy of the day. On to Smartcheck :)

Run the program through Smartcheck and you will see that the serial code is checked during the start up of the program by opening up the solitare.cfg file and checking for the name (on the first line) and the correct code on the 2nd line of the file.
You will notice that the order of play is:-
a) Get in Name and get ASCII character of first char (- = 45)
b) Get string "Flodata AB" and get ASCII of first char (F = 70)
c) Get serial code from file (0000)
d) Get length of serial code
e) Then it closes the file

Does the above sound like some sort of mathematics being done in the background based on the Name and code .. and their relevance to "Flodata AB"? Somewhere between steps (d) and (e) this mathematics is comparing the result with the code from the file.

Right .. so on with the program. Click on Register and type in the same code as above "Bubba Hack" and "123123" .. ok so we got it wrong again, but now look at the Smartcheck window and you will see some nice string manipulation and some addition and multiplication from the content of our Name.

The mathematics are very simple. Get the ASCII of the current character and multiply it by its position within the name string to get the first part of the code. Multiply this new value by the ASCII value of the "F" (which is 70) from "Flodata AB" and the result is given on the next line below. Can it be this simple? Yes, I am afraid it is.

On the last line that does the mathematics, the character we have used is "k" .. ASCII value of 66. The maths therefore is:-
66 (ASCII of last character) * 10 (length of string) * 70 (ASCII of "F")
The result in this case is 46200.

So click on Register once more and type in the correct value which is:-
Bubba Hack
46200

We are now registered and here's the source code for a keygen.

-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o
Dim regkey As String
Dim key As String
Dim keylen As Integer
Dim dummy As String
Dim keyvalue As Integer
Dim realkey As Long

key = Text1.Text                ' name typed into the first text box
Text2.Text = ""
regkey = ""
keylen = Len(Text1.Text)        ' length of the name
dummy = Mid$(key, keylen, 1)    ' get last char
keyvalue = Asc(dummy)           ' get ASCII value
' multiply the ASCII value by 70 and the length of the key.
realkey = (keyvalue * 70) * keylen
regkey = Str$(realkey)
Text2.Text = regkey             ' show the result in the second text box
-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o-o

Tutorial by: Bubba Hack, Sept. 1999 - bubba_hack@hotmail.com

Web Weaver & J-Perk 5.01 Serials Tutorial by Bubba Hack, Sept.99
================================================================

Tools required:-
Hiew 6.xx

Software located at:-
http://www.mcwebsoftware.com

Instructions:-
This was a frustrating program to hack .. it's written in VB6 so I immediately went to Smartcheck to hack away to get the serials. But I failed .. so in desperation I examined the files with HIEW and this is how I got the serials (which are hard-coded into the program).

 1) Press F7
 2) Type in "r", press TAB, type in 00
 3) Type in "e", press TAB, type in 00
 4) Type in "g", press TAB, type in 00
 5) Type in "i", press TAB, type in 00
 6) Type in "s", press TAB, type in 00
 7) Type in "t", press TAB, type in 00
 8) Type in "e", press TAB, type in 00
 9) Type in "r", press TAB, type in 00
10) Press enter

You should be in the middle of the code and above and below this word will be the two keys for Web Weaver / J-Perk. Both of these codes are valid, with one being the "Gold" edition of Web Weaver and the other being the normal one.

After spending a few hours trying to work through this check in Smartcheck I was slightly peeved to find out that the code was not generated, calculated or whatever, but was sat there embedded in the code. Does anyone know of a way in which Smartcheck will show this as a "label" as you would expect in a disassembler? I've not listed the codes this time, so go find them yourself :)

Tutorial by: Bubba Hack, Sept. 1999 - bubba_hack@hotmail.com

How to crack MiZ Crackme 2

This tutorial is coming from... ReFleXZ '99

About the essay...
Written by: ACiD BuRN
Date: 24th April 1999
Program name: MiZ Crackme 2
Program type: W32
Program location: http://surf.to/crackmes
Tools required: Soft-ice 3.2x
Difficulty level: Easy ( X )  Medium ( )  Hard ( )  Pro ( )

Introduction...

Hello! Time to learn again!, so a long time ago, there..... lol

The Essay...

What are the protections? There are 2 protections in this crackme:
1) anti Smart check
2) Serial

1) How to defeat the anti smart check protection?

The anti smartcheck protection is placed at the start of the crackme and when the crackme is run, it checks for smart check with a timer! After I saw with soft-ice that the smart check protection was based on the check of the "NMSCWM50" string, which is the ID of the SmartCheck window, I looked at the Crackme with a hex editor for this string and I found it. But if you look for NMSCWM50 you will not find it, because it is a vb program, so: w.i.d.e. .c.h.a.r.a.c.t.e.r. .f.o.r.m.a.t

Look at 4E004D00530043004D005700350030 in hex (which is the string in hex with the wide format (00 between characters)). Cool! You found it! Overwrite all this with 0's for example and save. Now the smart check protection is eliminated! We can run smartcheck on it!

2) Find the serial!

Run smart check on the proggy, and enter a serial like 123456 and press check. Now, click on exit. You will go in the SC window, and you will see timer and after: label3_Click, but there is nothing good here... But when I saw GetVolumeInformationA I thought that the serial is maybe PC dependant! We will see that later.. We will try to find it with Sice because there is nothing good with SC!

In vb proggies, the bpx __vbastrcomp is used often, so we will try it! Ctrl+D and type bpx __vbastrcomp. F5 to go back to the proggy and type 123456 as serial. Click on check and we are in Sice, cool! You have to press F12 to go into the __vbastrcomp function! You must see esp in color, it is good!
Now type dd esp (to display memory at esp). You will see:
aaaaaaaa bbbbbbbb cccccccc dddddddd

Try to do d aaaaaaaa, and you won't have interesting things in the data window. So, try d bbbbbbbb, and you will obtain in the data window: a phrase that is not the serial, and you will see __vbar8str. Hey! Is it a breakpoint? Let's try it!

Ctrl+D and type bc * to kill all bpx. Type __vbar8str and press F5. Enter 123456 as serial and press on check! Cool, we are in softice! Now press WF to look at the floating point stack window. You see:

ST0 empty    ST4 empty
ST1 empty    ST5 empty
ST2 empty    ST6 empty
ST3 empty    ST7 empty

Start to trace with F12 to go into the __vbaR8str function! We must see: ST0 123456! Cool, continue with F10 and ST0 becomes: 892935893! <== What is this? Let's try it! bd * to disable all bpx and enter this number! And the message box appears: Mail the solution to: ... Cool, crackme Cracked!

But wait, we saw in smart check that it was maybe PC dependant with GetVolumeInformationA! Ok, I tried this number on my second computer and it doesn't work! I was OK! The number depends on the machine! So this number will not work on yours, try to find it, it is a good way to see if you understand all this!

Have fun and happy cracking! I hope you understand all in this essay. If you have a problem you can mail me at: ACiD_BuRN@nema.com
Have fun and happy cracking!

ACiD BuRN [ReFleXZ'99]

Final Notes...

Well, this tut is finished, hope u understand all this piece of shit, but if you have a comment or one question, mail me. You can find all my tuts at:
MAIL: ACiD_BuRN@nema.com
Web page URL: http://acidburn2000.cjb.net/
Enjoy!
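The wide-character search used in both the Web Weaver section (HIEW, a 00 after every letter of "register") and the MiZ essay ("NMSCWM50" written as 4E00 4D00 ...) is the same thing an analyst does when checking a VB binary for anti-analysis strings, since a plain ASCII search skips UTF-16LE text. The Python below is an added example, not code from either tutorial or crackme; wide_hex, find_wide, wide_strings and the SAMPLE bytes are all constructed here.

```python
# Added example: locate wide-character (UTF-16LE) strings in a binary blob,
# the form in which VB stores literals such as the SmartCheck window class.
# All names and the SAMPLE buffer are constructed for this illustration.
import re


def wide_hex(text: str) -> str:
    """Hex of the UTF-16LE encoding of text, as a hex editor would show it."""
    return text.encode("utf-16-le").hex().upper()


def find_wide(buf: bytes, text: str) -> list[int]:
    """All byte offsets where text occurs in wide (UTF-16LE) form."""
    needle = text.encode("utf-16-le")
    hits, start = [], 0
    while (pos := buf.find(needle, start)) != -1:
        hits.append(pos)
        start = pos + 1
    return hits


# A run of at least 4 printable ASCII chars, each followed by a 00 byte:
# the same heuristic "strings -el" applies.
_WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def wide_strings(buf: bytes) -> list[tuple[int, str]]:
    """(offset, string) for every run of >=4 printable wide chars in buf."""
    return [(m.start(), m.group().decode("utf-16-le"))
            for m in _WIDE_RUN.finditer(buf)]


# Constructed sample: a few code bytes, a narrow string, then two wide strings.
SAMPLE = (b"\x55\x8b\xec\x83\xec\x10"           # x86 prologue-like filler
          + b"Form1\x00"                         # narrow string: not reported
          + b"\x00" * 4
          + "NMSCWM50".encode("utf-16-le")       # the SmartCheck window class
          + b"\x00\x00"
          + "Check".encode("utf-16-le"))

if __name__ == "__main__":
    print("NMSCWM50 in wide hex:", wide_hex("NMSCWM50"))
    for off, s in wide_strings(SAMPLE):
        print(f"{off:08X}  {s}")
    print("offsets of NMSCWM50:", find_wide(SAMPLE, "NMSCWM50"))
```

Compare the printed hex against the bytes actually in the binary: the essay's hex and its ASCII spelling differ in the order of the W and M, so the file decides which one is right.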
Greetings to my groups: ECLiPSE / CiA / ODT

Also greetingz to: (no specific order)
R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D, Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo, Killer_3K, TaMaMBoLo...
If your name is not here sorry! Too many ppls to greet!

ACiD BuRN [ECL/CiA]

You can find me on IRC: At #C.i.a, #Cracking4Newbies on Efnet

Disclaimer...

This tutorial is written for EDUCATIONAL purposes only. So if you want to use the program after its trial period ends please BUY IT! Support shareware (and its authors), this is our learning tool! ReFleXZ is not responsible for any damage caused with this essay or any of its parts. So everything that you're doing and 'experimenting' is on your own responsibility! Also, in this tutorial you'll not find any serial numbers, so try to search elsewhere under Cracks and Warez.

Copyright (c) 1999-2000 By ReFleXZ '99 All Rights Reserved

How to "Pine" KingPin
French version by ACiD BuRN [ECLiPSE / CiA]

note: i bet you are wondering what "pine" means, heh it is a french word, kinda equal to: fuck. It was just a word game, heh i am so bored ;)

Level: easy
Protection: CD-Check
Comment: Very cool Doom-like Game!
Tools needed:
Wdasm 8.9
Hex editor (i use hex workshop)

Intro:
~~~~~~
Well, i just got this nice recent game, and on the cd, i found the crack, but i hate using other ppl's cracks when i can do it myself! So, let's crack this cool game!

1) Cracking part:

1st, install the game from a burned copy, and run the game. You must now see the nice message:
You must have the KingPin CD in the drive to play...
hehe, i love this =), fire up wdasm and open the game with it.
Go in String data reference, and look for this phrase in it. Double click on it, and u don't see important things, so double click again on this reference, and u must land here:

* Referenced by a CALL at Address:
|:0043D5F1                                    <== hmm interesting =)
|
:00442030 56                    push esi
:00442031 E84AFFFFFF            call 00441F80
:00442036 8BF0                  mov esi, eax
:00442038 85F6                  test esi, esi
:0044203A 750E                  jne 0044204A

* Possible StringData Ref from Data Obj ->"You must have the KINGPIN CD in "
                                        ->"the drive to play."
|
:0044203C 68C8414500            push 004541C8   <== you land here!
:00442041 50                    push eax
:00442042 E859D7FDFF            call 0041F7A0
:00442047 83C408                add esp, 00000008

So, we see the error message, and a little jne just before, but don't think like a newbie (don't try to reverse it with je), but think a bit... You see:

* Referenced by a CALL at Address:
|:0043D5F1

So, let's see in wdasm the little call calling this shit :) Go in the "Goto" menu, click on "goto code location" and enter: 43D5F1

Now, you land here:

:0043D5E5 A184274900            mov eax, dword ptr [00492784]
:0043D5EA 83C40C                add esp, 0000000C
:0043D5ED 85C0                  test eax, eax
:0043D5EF 7505                  jne 0043D5F6

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043D5D2(U)
|
:0043D5F1 E83A4A0000            call 00442030   <== here!

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0043D51F(U), :0043D532(C), :0043D55A(U), :0043D5BA(C), :0043D5D0(C)
|:0043D5EF(C)

hehe, this call is the bitch that calls the cd check, so why not nop it?? Click on this call, and at the bottom of the wdasm window u must see offset: 3D5F1

So, fire up your hex editor, goto this offset and replace the:
E83A4A0000
by:
9090909090

Now, save the file, and run the game... Choose new game shit, and WOW, the game is running!
We made it, I told you, a recent game, but with a stupid protection, and very easy to crack ;) Lots of cd checks are lame like this, but if you find a file with ".icd" as extension don't hope to crack it this way, hehe! It is a cdilla bitch protected game.. This tut was very fast, but it is really easy, i think it doesn't need more explanation. If you got a prob, ask me!

2) Ending....

ACiD BuRN [ECL/CiA]

How to crack Sionide VB crackme 2 by ACiD BuRN [ECLiPSE/CiA]

Protections:
- Pcode
- Name / Serial
- Serial only
- Code Word
- Nag (not done yet coz no time to look)

Tools needed:
- Soft ice 3.2X or superior (i used 4.01)
- Smart check 6

I) Serial Only:

Well, lots of VB apps use the __vbastrcomp function... So, this crackme is coded in vb6, so in soft ice type: bpx msvbvm60!__vbastrcomp
Now press F5. We return to the prog!
cODE: 112233
Enter a serial like 112233 and press Check! Now, we are in soft-ice due to the bpx! Cool! You have to press F12 to go into the __vbastrcomp function! You must see esp in color, it is good!
Now type dd esp (to display memory at esp). You will see:
aaaaaaaa bbbbbbbb cccccccc dddddddd

Try to do d aaaaaaaa, and you won't have interesting things in the data window. Let's try d bbbbbbbb, and you don't see good things either... So, try d cccccccc. Example: for me, cccccccc = 00402DE4, so just do in soft ice: d 402DE4 and look at the serial: 1RTZ-83DP-QU84-ALS4

Yes, it looks like a code! We will try it! Eheh, cool, we get: Well Done, correct serial! Let's go to the next part :)

2) Name Serial:

Fire up smart check, open the crackme with it, and run it! Click on Name-serial, enter as name: ACiD BuRN and serial: 112233. Click on the check button, you see: Sorry, try again blablabla... Now, exit the crackme, and look in smart check. Double click on the "+ _Click" thing, and now u must see something looking like this:

Mid(varian:byReF String:"ACiD BuRN",long1,VARIANT:Integer:1)
Asc(string:"A")returns Integer:65
Mid(varian:byReF String:"ACiD BuRN",long2,VARIANT:Integer:1)
Asc(string:"C")returns Integer:67
Mid(varian:byReF String:"ACiD BuRN",long3,VARIANT:Integer:1)
Asc(string:"i")returns Integer:105
Mid(varian:byReF String:"ACiD BuRN",long4,VARIANT:Integer:1)
Asc(string:"D")returns Integer:68
Mid(varian:byReF String:"ACiD BuRN",long5,VARIANT:Integer:1)
Asc(string:" ")returns Integer:32
Mid(varian:byReF String:"ACiD BuRN",long6,VARIANT:Integer:1)
Asc(string:"B")returns Integer:66
Mid(varian:byReF String:"ACiD BuRN",long7,VARIANT:Integer:1)
Asc(string:"u")returns Integer:117
Mid(varian:byReF String:"ACiD BuRN",long8,VARIANT:Integer:1)
Asc(string:"R")returns Integer:82
Mid(varian:byReF String:"ACiD BuRN",long8,VARIANT:Integer:1)
Asc(string:"N")returns Integer:78

and just below, u see:
MsbBox(VARIANT:String:"Sorry. Wrong...." blablabla

You just have to click on this line, and in smart check, in the view menu choose: "show all events"...
Now, just scroll down a bit and look in the right window in smart check. U must see: 112233. Scroll down 2 more times, and you see: ser-81400621. wtf is this?? It looks like a serial =)

Run the crackme again, go in the name-serial part and enter:
name: ACiD BuRN
serial: ser-81400621
Click on check, and u see: "Wrong serial blablabla" :-/ duh! what the fuck is wrong?? Click on ok, and now you see: "Well Done. Correct Serial" =))) Better now, this crackme is just bugged! We cracked it anyway! Let's go in the Code Word level..

3) Code Word:

Well, to crack this, it is similar to the serial only part... Do the same technique, and you will get: cracking-up. This is the code word :) Enter it, and you get the nice msgbox =)

Have fun, and enjoy!

4) Ending....

ACiD BuRN [ECL/CiA]

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #45 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
tHX for Splash Logo.
Bubba Hack for providing 2 tuts in this version.
ACiD BuRN for providing 3 tuts in this version.
tKC/CiA (hey it's me!)
for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!
***(don't send me tutors till I'm back!)***

And all the tutors can be found at www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled on 19 September 1999

Cracking Tutorial #44 is dedicated to Ms_Jessca... my love.