Welcome to Cracking Tutorial #46!

   Last week when I burnt a cd with all my source codes, I formatted my
   harddrive (for installing NT), then I found out my cd is fokked up.
   Last nite I built an ISO file from that cd and I ripped shit, so I saved
   important data. *phew* :)

   I'm still offline (fok telkom) but as always, you'll hear from me again!
   
   OK, let's go!

   You'll need the following tools:

   (I use these tools, I assume you'll use 'em, but it doesn't
   mean that you'll need to use all those tools, so be sure to
   get them handy for the examples in this tutorial!)

   SoftICE 4.01
   W32Dasm 8.93
   Hacker's View 6.20
   SmartCheck 6.03
   TASM 5.00
   Windows Commander 4.01 (I use it coz of easier to multitask)

   Don't ask me where to download all these tools since you had
   a chance to get them when you used my older tutorials. Here
   is a good site where you can grab tools from:

   http://protools.cjb.net/

   or ask any crackers to get you these tools!

   Are you ready?!

   OK! ;)

Welcome to Gizmo's Cracking Tutorial #11!

Toolz required:
===============
SmartCheck 6.0x
Win32Dasm
Hiew

Target:
=======
Datei Memo v1.00	 - http://www.matthiasrusche.de

Let's r0ck!
===========

Ok, thiz is a shitty program, but who cares? We wanna learn cracking and so we gonna crack thiz fucking
prog.
K, let's look at the program... it's VB! yeah.. Smartcheck...
But what's that? if we start the program by running the DateiMemo.exe a messagebox appears:

Falscher Aufruf! Datei Fehlt! Rufen sie das Programm bitte aus dem Dateikontext (Rechtsklick) auf.

Hmm, this means that it can only be started with a right-click on a file by choosing DateiMemo in the
context menu.
K, what now? We wanna crack it with SmartCheck (cause I don't like SoftICE as much as SmartCheck),
but in SmartCheck we can't run it, cause we can't open the EXE...
So we gonna patch thiz shit, so that it starts by clicking the exe and not by right-clicking...
Make a copy of DateiMemo.exe (CTRL + C, CTRL + V).

Fire up Win32Dasm...
Open the copy of DateiMemo.exe and wait until it has finished disassembling...
Ok, in the String Ref we only find shit references like VB5! argh.. k, let's have a look at the imports...

Hehe, what's that... sounds good =)

MSVBVM50.__vbaStrCmp

k, double-click on it... hmm, no interesting code... double-click again... Ahh, looks better!

-------------------------	Cut of Code	--------------------------------------

* Reference To: MSVBVM50.__vbaStrCmp, Ord:0000h
					|
:0040CAC5	FF15F4A24100		Call dword ptr [0041A2F4]
:0040CACB	85C0			test eax, eax
:0040CACD	0F8586000000		jne 0040CB59
:0040CAD3	B804000280		mov eax, 80020004
:0040CAD8	89857CFFFFFF		mov dword ptr [ebp+FFFFFF7C], eax

-------------------------	Cut of Code	--------------------------------------

Hmm, this jump at 0040CACD looks interesting... open Hiew and load DateiMemo.exe. Goto offset [BECD] and
change following bytes:

0F8586000000	to
0F8486000000

k, now the jne is a je.. we have reversed the jump.

Let's try it.. open DateiMemo.exe and Tataa! we can open it with a double-click..

NOTE: There are more references from MSVBVM50.__vbaStrCmp. You're lucky that u patched the right one ;)
... but that had to be the one to patch, because it was the first one in the code. And our compare was
made by starting the prog.. so it had to be the 1st compare...

Ok, Step 1 finished... let's crack thiz shit...

Fire up SmartCheck...

i hope u have already used thiz prog.. otherwise you have to change some settings:

- click "Program", "Settings"
- click Register "Error Detection"
         - in "Type of Errors to check for" enable ALL
         - "Report Errors immediately" disable
         - "Advanced" click
              - "Report errors caused by other errors"  enable
              - "Report errors even if no source code is available" enable
              - "Report each error only once" enable
              - "Check all heap functions on each memory call" enable
              - under "Performance Optimizations" ALL must be DISABLED!
              - click "OK"

- click Register "Reporting"
     - "Start event reporting when starting this program" enable
     - "Report handled VB Runtime Errors" disable
     - "Report Mouse move events from OCX Controls" disable
     - "Report Windows Messages" enable
     - "Report callback and hook functions" enable
     - click "OK"!  (and don't forget to save your settings ;))

BTW: Greetz to Andrenalin... these settings are from his tutorial (I just translated them)...

Ok, open DateiMemo.exe in Smartcheck...
Then click on the green arrow (play)...
If there's a window which bugs you with trial shit... just fire up SoftICE and set a bpx on MessageBoxA..
Enter a serial and click ok.. back in SoftICE.. Press F11 and scroll up a bit.. there must be an ADD ESP,
04 ... set a bpx on that... change to SmartCheck and click ok once more... back in S-ICE... type "d esp"
and you have your serial!
Ok, that for now.
Let SmartCheck load the program and when it finished, click on "?" then on "Freischalten"...

K, the program wants a name and a serial from us... let's give him one...

Name: Gizmo
Serial: 9876543210

Now DON'T click ok.. change back to SmartCheck and click on the red button [STOP]...
Scroll down till the end of the code which is:

cmdOK_Click 		<-- you see, our click on ok in the serial window

Ok, now click on the yellow button (SHOW ALL EVENTS)...
if you're still at "cmdOK_Click", stay there :) .. if not, search for cmdOK_Click... found it? ok, let's
continue:

Now you should see this: (after clicking on the "+" left of "cmdOK_Click")

cmdOK_Click
	- Silly commands....
	- txtPassword.Text 			<- sounds nice, eh ;)
	- Mid					<- takes the 1st letter from our name (G)
	- __vbaStrVarVal returns DWORD:520FE8
	- Asc returns Integer: 71		<- Ascii value of the letter (G = 71)
	- Hex					<- Hex value of it
	- Mid					<- takes the 2nd letter from our name (i)
	- __vbaStrVarVal returns DWORD:520FE8
	- Asc returns Integer: 105		<- Ascii value of the letter (i = 105)
	- Hex					<- Hex value of it
	- Mid					<- takes the 3rd letter from our name (z)
	- __vbaStrVarVal returns DWORD:520FE8
	- Asc returns Integer: 122		<- Ascii value of the letter (z = 122)
	- Hex					<- Hex value of it
	- __vbaVarCat returns DWORD:64F304	<- uninteresting
	- __vbaVarCat returns DWORD:64F2F4	<- uninteresting
	- __vbaVarCat returns DWORD:64F294	<- uninteresting
        - __vbaVarTstEq returns DWORD:0         <- interesting! have a look at the right window and
                                                   you'll discover the real serial Nr. (4769-7A)

K, now we have a serial.. but it's pretty easy to code a keygen...

What happens?

G -> 71 -> 47
i -> 105 -> 69
z -> 122 -> 7A

hmm, the serial is: 4769-7A
ah, the - is pushed between the 2nd and the 3rd hex value...
so, here's the source for a keygen:

-------- Cut Here --------
' Gizmo's DateiMemo Keygen source...

For i = 1 To 2
  X = Hex(Asc(Mid$(Text1.Text, i, 1)))
  S = S + X
Next i
S = S + "-"
S = S + Hex(Asc(Mid$(Text1.Text, 3, 1)))
Text2.Text = S
-------- Cut Here --------
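The serial derivation recovered above, modelled in Python as an added example (it mirrors Gizmo's VB source but is neither his code nor the program's): it shows the check side and the property the SmartCheck trace makes visible, namely that only the first three characters of the name feed the serial, so every name sharing that prefix validates with the same serial. Non-ASCII characters are assumed absent, since VB's Asc and Python's ord differ there.

```python
"""Model of the Datei Memo v1.00 serial check as recovered from the SmartCheck
trace: Mid$ -> Asc -> Hex on the first three characters of the name, a "-"
spliced between the second and third hex value, then a plain string equality
(__vbaVarTstEq). Added example, not the program's or the tutorial's own code."""
from typing import Dict, Iterable, List


def datei_memo_serial(name: str) -> str:
    """The serial the program expects for `name` (ASCII assumed).

    VB's Hex() returns uppercase digits without zero padding, which is what
    format(value, "X") does; Hex(71) is "47", Hex(122) is "7A".
    """
    if len(name) < 3:
        # Mid$ beyond the end of the string returns "" and Asc("") raises a
        # runtime error in VB, so there is no valid serial for such names.
        raise ValueError("name must have at least three characters")
    hexes: List[str] = [format(ord(ch), "X") for ch in name[:3]]
    return hexes[0] + hexes[1] + "-" + hexes[2]


def datei_memo_check(name: str, serial: str) -> bool:
    """The program's own acceptance test: computed serial == entered serial."""
    try:
        return datei_memo_serial(name) == serial
    except ValueError:
        return False


def names_sharing_serial(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group names by the serial that validates them. Everything past the
    third character is ignored by the scheme, so names with a common 3-char
    prefix collide; this is the measurable weakness of the design."""
    groups: Dict[str, List[str]] = {}
    for n in names:
        try:
            groups.setdefault(datei_memo_serial(n), []).append(n)
        except ValueError:
            continue
    return groups


if __name__ == "__main__":
    print(datei_memo_serial("Gizmo"))                          # 4769-7A
    print(names_sharing_serial(["Gizmo", "Gizmos", "JayT", "Gi"]))
```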


That was it! have phun with your keygen...
Contact me on EFnet at #TbC, #learn2crack, #odt
or e-mail me: e-mailGIZMO@gmx.net

BTW: If you want to enter your own serial just edit following key in the registry:

HKEY_USERS -> .DEFAULT -> software -> VB And VBA Program Settings -> DateiMemo -> Settings

Greetz:

and to following dudes:
aDENOZiN, ACiD_BuRN, cheekey, CrackMagic, fLAIEr, Ghostman 1999, sEVanD0, zikariuz,
Berserka, Crackwarrior, Flagg, PlAyEr, Prof_X, Professor, scarabaeus, skorpien, sn00pee,
sToReMaStEr, SiONiDE, The AntiXryst, WeaxWeasel, Berserka, Flagg, Prof_X, skorpien, sn00pee,
The AntiXryst, [iNC]

If you're not in here.. sorry, a lot of ppl to greet ;)

Bye bye

HOW TO CRACK eNotepad Version 2.1.3

Welcome to yet another cracking tutorial, written by some guy in South Africa.
This time I'll show you how to Register eNotepad Version 2.1.3 by editing the registry
so that the program thinks it is registered.

Tools Used:
 Regmon 4.13 by Systems Internals (http://www.sysinternals.com)

Web:
 http://www.edisys.com


Run Regmon and keep it running in the background. Now run enotepad.exe and wait till it
stops on the nag screen

 "Evaluation Instructions
  This product is provided for a 30 day free evaluation"

  etc.

Go back into Regmon and click the 2nd and 3rd buttons (Capture and Autoscroll) so that it
pauses monitoring the registry.

Look towards the bottom of Regmon and you'll notice eNotepad appears quite a few times.
These are the paths you should be looking for.

 "HKLM\Software\ediSys\eNotepad"
 "HKLM\Software\ediSys\eNotepad\RegCode"
 "HKLM\Software\ediSys\eNotepad\KeyCode"
 "HKLM\Software\ediSys\eNotepad\Company"
 "HKLM\Software\ediSys\eNotepad\User"

 You should have a lot more than these 5 because a few of them get repeated along the
 way. I have just used each line once to save some space.  :)


Looking at the above lines, can you see what I can see?
The words "RegCode", "Company", "User" seem to be read during our trace.
Cool....so let's see what happens when we enter our details into these keys.

Double click on "HKLM\Software\ediSys\eNotepad\RegCode" and Regmon will take you right to
the spot in RegEdit.
Ok..cool...all three keys are in one place. So we don't have to waste time hunting for stuff
later. Right-click on the empty keys and modify the values to anything you like.
 I used:

  Company "[CrackZA]"
  RegCode "10-11-1978"
  User    "JayT"

  KeyCode "36304"   (This should be filled in for you)

 Ok...we seem to be done in RegEdit so let's try running eNotepad again and see what happens.
 Perfect! It goes through the nag...
 Check in the about screen to double check....boom!

  Licensed to:
  JayT
  [CrackZA]

* Dizzy...this one's for you bud!

 Greets to: siward, Zombie, GI-Joe, members of CrackZA and all IRC dudes
 Special Greets to tKC for his totally cool tuts! Thanks man

         Cracking Tutorial Written by JayT
         Email: CZ-JayT@iname.com
         irc: efnet  Channel: #CrackZA

HOW TO CRACK Teleport Pro v1.29 (build 1107)

Welcome to yet another cracking tutorial, written by some guy in South Africa.
This time I'll show you how to Register Teleport Pro v1.29 (build 1107) by using
W32dasm and softice

Tools Used:
 W32dasm 8.93
 Softice 4.01

Web:
 http://www.tenmax.com


Run pro.exe and click Help->Register. Enter some details and click ok.
I used -
Name: JayT99
Company: [CrackZA]
Reg Code: 10111978

I first tried JayT as my name, but got an error saying that my name must be 6 or more
characters.

If your name is correct...then you should get another error message.

 "We're sorry!  The registration number you have entered appears to be invalid"
  etc.


Ok..cool...let's start up W32dasm and disassemble pro.exe.
Now we can either try and find that sentence in the String Reference or we can
get the search to find it for us. I, being lazy, chose the search option *grin*
Ok...push Alt-S and then press Enter. Enter "We're sorry" as the string to
search for and press Find Next.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004256D7(C)
|
:0042570A 8945F0                  mov dword ptr [ebp-10], eax

* Possible Reference to String Resource ID=07033: "We're sorry!  The registration number
 you entered appears to"
                                  |
:0042570D 68791B0000              push 00001B79


Ok...so you can see that this has been called from somewhere else. Let's go and find
what's calling it. Push Shift-F12 and enter 004256D7.
Oh...we land just above at another error message.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00425691(C)
|
:004256C9 57                      push edi
:004256CA E809090000              call 00425FD8
:004256CF 85C0                    test eax, eax
:004256D1 A174B34700              mov eax, dword ptr [0047B374]
:004256D6 59                      pop ecx
:004256D7 7531                    jne 0042570A          *** Jump to "We're sorry error"
:004256D9 8945F0                  mov dword ptr [ebp-10], eax

* Possible Reference to String Resource ID=07032: "You haven't entered a valid username.
  Your username must be"
                                  |
:004256DC 68781B0000              push 00001B78


hmm...do you see what I see? This error message is also being called from somewhere.
Ok...let's press Shift-F12 again and this time enter 00425691.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042564C(C)
|
:00425688 8BBFD5000000            mov edi, dword ptr [edi+000000D5]
:0042568E 395FF8                  cmp dword ptr [edi-08], ebx
:00425691 7536                    jne 004256C9         *** we land here!
:00425693 A174B34700              mov eax, dword ptr [0047B374]
:00425698 8945F0                  mov dword ptr [ebp-10], eax

* Possible Reference to String Resource ID=07031: "You must enter your username in
  the Name field, exactly as y"


We land at the above code. Damnit! Another error message. Ok...let's see what's
calling this bugger. Shift-F12 and enter 0042564C.

We land in the code below
* Possible StringData Ref from Data Obj ->"User"
                                  |
:00425632 BE88A94700              mov esi, 0047A988
:00425637 0F8406010000            je 00425743
:0042563D FFB7D5000000            push dword ptr [edi+000000D5]
:00425643 E890090000              call 00425FD8
:00425648 3945E8                  cmp dword ptr [ebp-18], eax
:0042564B 59                      pop ecx
:0042564C 753A                    jne 00425688            ** Jump to error messages
:0042564E A174B34700              mov eax, dword ptr [0047B374]
:00425653 8945F0                  mov dword ptr [ebp-10], eax

* Possible Reference to String Resource ID=07152: "Thank you!  Your copy of Teleport
  Pro is now registered.  Al"


hmm...cool....this looks like the place where we also go if our code was right.
Let's take a closer look.
:00425643 E890090000              call 00425FD8
:00425648 3945E8                  cmp dword ptr [ebp-18], eax
:0042564B 59                      pop ecx
:0042564C 753A                    jne 00425688            ** Jump to error messages

We have a call, a compare, and then a jump if not equal. Are you thinking what I'm
thinking?

Alrighty then...let's write down the address of the cmp statement (425648).
Minimize W32dasm and start up pro.exe again.
Go back to the Registration screen and enter your details again.
But before you push OK, press Ctrl-D to fire up SoftICE.
Set a breakpoint on GetWindowTextA so that we can get SoftICE to break when the
reg details are being read.
Type "bpx getwindowtexta" for those of you who don't know what I am talking about
*grin*.
Ok....press F5 to return to the Registration Screen and hit OK.
bOOM....SoftICE pops up again. Hit F11 and clear the breakpoint we set:
"bc *"
Now set the address we wrote down earlier as your new breakpoint:
"bpx 425648"

Press F5 again and we land at the compare statement!
xxxx:00425648  CMP   [EBP-18],EAX

now type "? eax"
I get "0819199119"

Cool...a number which looks like a reg code.
Write it down, clear all breakpoints (bc *) and go back to pro.exe.
You should be at the error message saying that your reg code was wrong.
Click OK and enter the new code.

Name: JayT99
Company: [CrackZA]
Reg Code: 819199119

COOL! Registered
"Thank you! Your copy of Teleport Pro is now registered. All limits have been removed"


Yet again...another easy serial code found and conquered

* Dizzy...this one's for you bud!

 Greets to: siward, Zombie, GI-Joe, members of CrackZA and all IRC dudes
 Special Greets to tKC for his totally cool tuts! Thanks man

         Cracking Tutorial Written by JayT
         Email: CZ-JayT@iname.com
         irc: efnet  Channel: #CrackZA

// Tutorial for Sunkist Competition DK
// Type: Highscore decrypting / encrypting
// By: BuLLeT
// Date: 10/09/1999
// URL: www.sunkist.dk (or the disk from the sunkist bottle)
// Needed: HIEW

Greetings and salutations! I know i haven't written anything in a while but i
hope you didn't forget me :P This tutorial is not about a common protection,
nevertheless it's useful when getting on top of the highscore list :)
So Sunkist (you know..the drink) made a competition. The goal is to finish the
puzzle as fast as possible and print out the highscore etc. But..what if you
can't finish it fast enough? Don't worry. I'll show you how to get on top of
the list without even finishing the game.

(NOTE: The competition expires on September 26th, but give it a try anyway!)

So..you install the game and see that the highscore is set to:

Name:     Time:
SUNKIST   10:00
----- | | ----- * 10

But you want your own name on top of that list so you can win a computer, don't
ya? Sure you do. So you quit the game and see that there is a HighScore.hs in
the "\Save" dir. Hmm..just like the old-fashioned games from the old days :)
So we'd better open that file and look around a bit. But it looks like crap -
at least for now :) You should see something similar (taken from EDIT):

->->->-> HIGHSCORE.HS - Start of file!

       ¦  ó  ?  ?  '  ÿ  ,  ,  4  .  ·       
       «  ó  ç  -    «  ÿ  ,  >  >
       «  ó  ç  -    «  ÿ  ,  >  >    D
       «  ó  ç  -    «  ÿ  ,  >  >    êæ
       «  ó  ç  -    «  ÿ  ,  >  >  -r
       «  ó  ç  -    «  ÿ  ,  >  >   pT
       «  ó  ç  -    «  ÿ  ,  >  >  ™
       «  ó  ç  -    «  ÿ  ,  >  >  x B
       «  ó  ç  -    «  ÿ  ,  >  >  ªR
       «  ó  ç  -    «  ÿ  ,  >  >  i

->->->-> HIGHSCORE.HS - End of file!

Crap, crap and more crap. Sux. Let's do something about that. And here's the
point where i have to disappoint you. You HAVE to finish the game ONCE! This
is due to the fact that we can't just attack the file without comparing it to
another one. (understand??). In other words; if you finish and type your own
name it will write to the file and we can compare them and look at the changes!
So copy HIGHSCORE.HS -> HIGH.HS and run the game. Finish it (the time doesn't
matter, although you MUST note it for later use). Ok..quit the game after
finishing it and go to DOS, where you should type: FC HIGHSCORE.HS HIGH.HS
Now you'll see the bytes where the program has changed the file. I don't recall
the offsets but it's not THAT important :) HIEW the file again and look..hmm
it changed some bytes. In my case Name: BuLLeT / Time: 01:27 (Yeah! I actually
finished the game in 01:27 minutes WITHOUT CHEATING! Maybe i have a chance
to win without cheating at all :D - but maybe YOU don't! :) ) Ok..in my case
it changed 8 bytes (at least, those 8 bytes are the only important ones). So what did it
change? Well..this is the place where i'd like to be able to take a
screenshot of HIEW and show you the HEX..but i can't. So you'll have to try to
understand what i say without any gfx ;( But i'll make it a bit easier.
In HIEW you see (in HEX mode): (I know it's not 100% correct)

00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ...............
..........and so on.

Of course you don't see all 00's but you get the point. So you compare the
original highscore.hs (high.hs) and the new (highscore.hs). In my case i see:

8E A1 98 98 91 A0 2C 2C...and some more unimportant bytes.
And a bit below i see: 1B (coincidental? I think NOT!)

Ok. look at the first line. Hmm..funny, could it be that it encrypts my name?
Let's do a small compare:

                   B  u  L  L  e  T  ~  ~
BuLLeT~~  would be 00 00 00 00 00 00 00 00  number of bytes.
          we see:  8E A1 98 98 91 A0 2C 2C  (2C = space)

See the 98 * 2 ? What's the chance that two bytes are the same at the EXACT
same place as the L's in BuLLeT ? I think we got something here! Now you are
able to change the other names/places to your own name too..right? If not,
maybe you should look at the original file again and note the offsets where
SUNKIST and your own name are placed. You'll get it :)

So what did i mean about the 1B ? Well as i told you i finished the game in
1 minute and 27 seconds. So? 1B in hex equals 27. Coincidence? Could be..but
let's try anyway. Change 1B to 0B. Now run the game again and watch the time:
does it say XX:11? It should :) So now you just need to find the minutes..but
i'll help ya here. The first "minute" is at offset 2C. So if you change the
byte at offset 2C to 00 you'll have 00:11 in the time field for the first name
in the list.

So..this should be just about it. I haven't written an encryption routine,
since i think you can figure it out yourself. Just compare and learn :)
Now change all the bytes to your name and a time of your choice and print it.
You should, however, note that you must be careful with the time. The judges
will know that if the time is below 1 minute you have cheated. So pick a time
carefully.
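The comparison the tutorial does by hand with FC and HIEW, generalised into a small known-plaintext differencing tool as an added example (not BuLLeT's code and not the game's): it diffs the two saves, takes the first changed run as the slot the known name was written to, tests whether one constant XOR or ADD explains those bytes, and if so decodes what the slot held before. The 64-byte layout, the name slot at 0x10, the time bytes at 0x2C/0x2D and the XOR-0x5A encoding are constructed assumptions for the demo, not the real HIGHSCORE.HS format.

```python
"""Known-plaintext differencing of two save files, the procedure the highscore
tutorial does by hand with FC and HIEW. Added example on constructed files;
not the tutorial's or the game's own code. The layout (name slot at 0x10,
minutes at 0x2C, seconds at 0x2D) and the XOR-0x5A name encoding are
assumptions for the demo, not the real HIGHSCORE.HS format."""
from typing import Dict, List, Optional, Tuple

Transform = Tuple[str, int]


def changed_offsets(before: bytes, after: bytes) -> List[int]:
    """Offsets where the files differ, like FC's output (extra trailing bytes count)."""
    n = max(len(before), len(after))
    return [i for i in range(n)
            if i >= len(before) or i >= len(after) or before[i] != after[i]]


def contiguous_runs(offsets: List[int]) -> List[Tuple[int, int]]:
    """Collapse a sorted offset list into (start, end_exclusive) runs."""
    runs: List[List[int]] = []
    for off in offsets:
        if runs and runs[-1][1] == off:
            runs[-1][1] = off + 1
        else:
            runs.append([off, off + 1])
    return [(a, b) for a, b in runs]


def infer_byte_transform(plain: bytes, stored: bytes) -> Optional[Transform]:
    """Check whether ONE constant maps every plaintext byte to its stored byte,
    as XOR or as addition mod 256. None means neither fits, so the encoding
    is position dependent or table based and needs more samples."""
    if not plain or len(plain) != len(stored):
        return None
    xor_keys = {p ^ s for p, s in zip(plain, stored)}
    if len(xor_keys) == 1:
        return ("xor", xor_keys.pop())
    add_keys = {(s - p) & 0xFF for p, s in zip(plain, stored)}
    if len(add_keys) == 1:
        return ("add", add_keys.pop())
    return None


def decode(stored: bytes, transform: Transform) -> bytes:
    """Invert the inferred transform (XOR is its own inverse; add becomes subtract)."""
    kind, k = transform
    if kind == "xor":
        return bytes(b ^ k for b in stored)
    return bytes((b - k) & 0xFF for b in stored)


# Constructed sample format (assumption): 64-byte file, 8-byte name slot, raw time bytes.
NAME_OFF, SLOT_LEN, MIN_OFF, SEC_OFF, KEY = 0x10, 8, 0x2C, 0x2D, 0x5A


def make_save(name: str, minutes: int, seconds: int) -> bytes:
    buf = bytearray(64)
    encoded = bytes(b ^ KEY for b in name.ljust(SLOT_LEN).encode("ascii"))
    buf[NAME_OFF:NAME_OFF + SLOT_LEN] = encoded
    buf[MIN_OFF], buf[SEC_OFF] = minutes, seconds
    return bytes(buf)


def analyse(before: bytes, after: bytes, known_name: str) -> Optional[Dict]:
    """The tutorial's reasoning in code: diff the two files, treat the first
    changed run as the name slot the known name was written to, infer the byte
    transform from that known plaintext, then decode the name the slot held before."""
    runs = contiguous_runs(changed_offsets(before, after))
    if not runs:
        return None
    start = runs[0][0]
    transform = infer_byte_transform(known_name.ljust(SLOT_LEN).encode("ascii"),
                                     after[start:start + SLOT_LEN])
    if transform is None:
        return None
    old = decode(before[start:start + SLOT_LEN], transform).decode("ascii").rstrip()
    return {"runs": runs, "transform": transform, "old_name": old}


if __name__ == "__main__":
    original = make_save("SUNKIST", 10, 0)   # the shipped default entry
    played = make_save("BuLLeT", 1, 27)      # after one finished game, 01:27
    print(analyse(original, played, "BuLLeT"))
```

Fed the tutorial's own eight bytes (8E A1 98 98 91 A0 2C 2C for "BuLLeT  "), infer_byte_transform returns None: no single constant explains them, which fits the author's note that his dump is not 100% accurate and means more samples are needed before the encoding can be stated.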

If any of this does not make any sense or if you have a question feel free to
contact me. IRC #C.i.A (EFNet)

I hope you enjoyed this tutorial and that you will read my future tutorials.

Signed
BuLLeT

// Tutorial for LockDown 2000 v4.0
// Type: "Keygen"
// By: BuLLeT
// Date: 22/09/1999
// URL: www.lockdown.com
// Needed: (W32Dasm), SoftICE, a ProcessPatcher

So..i'm back. Well kinda, but i felt like writing and it resulted in this lil'
tutorial. This time i'm gonna show you how to crack LockDown 2000 v4.0 which
is a nice app - i haven't used it, but people say it's kewl :)

What are we waiting for? Let's GO!

When starting the program you see an UNREGISTERED (image-kinda-like) and you
see an UNLOCK option in the menu. Go there and see. ARG! A unique ID number
on each PC. Sucks. But let's give it a try anyway. Enter your name and a
random serial. (Name: BuLLeT / Serial: 22446688)
"Incorrect/invalid.." <-- Something like that right in your face. But still
everything seems nice. Launch W32Dasm and disassemble the file. What's this?
You can't disassemble the file can ya? (At least i couldn't) It has some kinda
anti-cracking stuff. So..as the programmers say: "If a program has anti-cracking
code it CAN NOT be cracked!" So let's just give up. I failed - couldn't crack
it. And if we believe the programmer NO ONE can. Or can they? I say:
FU(K the lame programmers and let's modify their silly "protection".

GO to the registration menu and again you enter a name and serial. CTRL+D to
SoftIce and set a breakpoint on HMEMCPY (BPX HMEMCPY). F5. Click the OK button
and you're back in SoftIce. Now back to the caller - press F12 a few times.
(if i recall correctly it's 7 times F12). Then F10 a few times...some more..
nah..still not there..a bit further..and STOP! We're there. You see what i
see?
                 8==============D   (___________*____________)

You see it too ? :) The code i mean. What did you think i was thinking of????
Ok..you should see something similar to this:

        POP EAX
        CALL XXXXXXXX
        JE XXXXXXXX
        ...
        JMP XXXXXXXX

If you see this you're at the right place. The CALL moves stuff around and
puts the serials in their places. The JE will take you to the GOOD place and
register the program. The JMP will take you to the BAD place! But what's this?
When tracing over "POP EAX" you see EAX changing. Let's check it out. "d eax"
and watch the data window. Nice :) A serial right where we want it. You could
note the serial, clear breakpoints and register the program for good - OR you
can keep reading and learn how to make the program its own key generator! It's
up to you........but if you wanted to learn it all i suggest you stay!

So..how do we do that. A keygenerator..hmm..i bet it involves some cracking :)
And you're right - it DOES! But how? Well you noted the VALUE in EAX when
tracing over the "POP EAX" line didn't ya? Cause you need that now...so if you
forgot noting it you should go back and do it before continuing. I'll be
waiting for you when you get back :)

Back? No? Then i'll just keep waiting.

Back? Sure? Ok let's go on.

Having in mind that we can't patch the program in the "normal" way, due to
compression or whatever it might be, we will have to do it in memory. Now to
the patching part. If we're gonna patch it in memory we must know where the
correct serial is stored. Do we know that? YEAH! Cause you noted the VALUE in
EAX didn't ya? So we know where it is..but where should we put it? There's
always ONE place i HATE in a program - the "Sorry..incorrect..invalid" box, so
why not use that and make the program SHUT UP!

Next we need to find where the "Incorrect/invalid..." text is stored. And to
do that we have to trace the BAD jump. Ya i know you hate it but you HAVE to
do it - sorry! Trace the JMP XXXXXXXX right after the JE line and BEWARE!
Soon you'll see this line:

        ...
        MOV EAX, 004B9D18
        ...

(I think that's how it's written...At least it's VERY similar!) Now after
tracing this line you should do a "d eax" again and watch the data window. You
see the message? Ya! So now we just have to change a few bytes don't we? We
only have to change the code like this:

        ...
        MOV EAX, 004B9D18
        ...
         ----> TO <----
        ...
        MOV EAX, 01326764 (the value from EAX)
        ...

This sounds pretty easy doesn't it? Depending on if you're a newbie or a
cracker you'll answer YES or NO. If you know how - go do it. If you don't -
keep reading!

You know that we can't patch the file...so we need to write a memorypatch.
To do that we need information. We need to know WHERE the code is and WHAT to
change it to. We do this by doing a "D" on the lines we need and note the
offset. We need to do this on the VALUE in "POP EAX", cause we need to know
the offset of the REAL serial. So back to the POP line and do it. Note it..
i think it's: "017F:004B9BAA" but i am NOT SURE! Go check for yourself plz.
Now you should note the first 5 bytes. (B8 18 9D 4B 00) (in the DATA/HEX)
The other information we need is the offset of the messagebox (the MOV EAX..-
line) So again you do "D" on the line. I'm sorry but i didn't note the offset,
but i'm sure you'll get it yourself. When you're at the MOV EAX, 004B9D18 line
you simply type: "D" and the offset that is in front of that line.
Now you should note the first 5 bytes. (B8 64 67 32 01) (in the DATA/HEX)

So you have two rows of bytes:

REAL SERIAL : B8 18 9D 4B 00
MESSAGEBOX  : B8 64 67 32 01

That should be all! Clear breakpoints and quit the program.

Now we need to make the memorypatch. There are many programs to do that but
which one you use is up to you. I guess this is about it. I don't think i can
teach you anymore. Get the memorypatcher and use the information mentioned
above.

Oh yeah..i was thinking of using ProcDump to dump the whole thing and patch
it from there. But that's no good. After dumping i had a 1.7MB file which
couldn't run and crashed the whole time. Since i wanted a keygen i didn't
wanna spend my time on fixing the header or any other part of the damaged EXE!

Therefore - We're done here. Get the patcher and you have a program that will
show you the REAL serial when entering a FALSE one. So you'll NEVER see the
nasty "Incorrect serial..." box again and i'm sure you like that :)

Greetings go to Disney for making my mousepad :)

Signed
BuLLeT

   We really hope you've enjoyed this tutorial as much as we did!
   Don't miss Tutor #47 soon! ;)

   And as I said last time: Without knowledge, there's no power! ;)

   Credits go to: 

   tBS for Splash Logo.
   Gizmo for providing a tut in this version.
   JayT for providing 2 tuts in this version.
   BuLLeT for providing 2 tuts in this version.
   tKC/CiA (hey it's me!) for coding this version :)


   All the crackers (non-members of CiA) are welcome to send tutors
   for the next tutorials .. see below for my email address!
   ***(don't send me tutors till I'm back online!)***

   And all the tutors can be found at www.msjessca.da.ru!

   Greetz goto all my friends!

   You can find me on IRC or email me at tkc@reaper.org

   Coded by The Keyboard Caper - tKC
   The Founder of PhRoZeN CReW/Crackers in Action '99

   Compiled on 7 October 1999

   Cracking Tutorial #46 is dedicated to Ms_Jessca...