Welcome to Cracking Tutorial #47! What more can I say? One more tutorial for you today. OK, let's go!

You'll need the following tools. (I use these tools and I assume you'll use them too, but that doesn't mean you'll need all of them, so just have them handy for the examples in this tutorial!)

    SoftICE 4.01
    W32Dasm 8.93
    Hacker's View 6.20
    SmartCheck 6.03
    TASM 5.00
    Windows Commander 4.01 (I use it because it makes multitasking easier)

Don't ask me where to download all these tools, since you had the chance to get them when you used my older tutorials. Here is a good site where you can grab tools: http://protools.cjb.net/ or ask any cracker to get you these tools! Are you ready?! OK! ;)

**************************
#### MaNuAL UnPaCkinG ####
<<<< UsiNG ProcDump32 >>>>
**************************

Name: PowerStrip
Version: 2.51.02, but the crack works with other versions...
Availability: CD Pro No 49 of the PC-TEAM magazine (a French mag) or on the web, but probably a version other than 2.51.02: http://www.entechtaiwan.com/ps.htm
Target: Pstrip.exe (468 KB)
Protections: Compressed with ASPack 10.08.03; nagscreen
Tools: ProcDump 1.5 (http://Procdump32.cjb.net), SoftICE 4.0 (http://Crackfr.cjb.net), a hex editor (Hiew etc...), brain if available... o))

PowerStrip is a small shareware program that offers advanced tweaks of your Windows. The version we're going to crack is found on CD No 49 of PC-TEAM, a French magazine. You may find more recent versions on the web, but the steps are EXACTLY the same... I have tested this crack with versions 2.51.04, 2.51.06 and 2.51.07.

The principal protection of the software comes from its format: it was compressed with ASPack (10.08.03). This trick compresses the exe by 50 to 70%... And of course, an exe that was compressed (with ASPack or anything else) cannot be patched: it first has to be unpacked. That is what we will see in this tutorial. I should say that ProcDump 1.5 is perfectly able to unpack exes compressed with ASPack.
But I always find it more interesting to unpack it manually.

Step 1

We start by copying Pstrip.exe, which is in the Windows directory, to the root of our hard disk: that will prevent a mistake on the original exe. Take Symbol Loader (delivered with SoftICE) and open PowerStrip. Normally SoftICE gives you control; except that here, the program runs directly... We don't care: take ProcDump 1.5 and click on 'PE Editor'. Open our exe and click on 'Sections'. ProcDump shows you the sections of your program. Right-click on the section 'CODE' and choose the option 'Edit section'. In the box 'Section characteristics', ProcDump shows you: C0000040. Replace this value with E0000020. To save your change, leave 'PE Editor'. Take Symbol Loader again and open PowerStrip: this time, SoftICE takes control as it should.

Step 2

Now that our debugger has given us control, we can trace the unpacking routine. Press F10 and we quickly arrive at this first loop:

    015f:005b72f2 or ecx,ecx ------ beginning of the loop
    015f:005b72f4 jz 005b7312
    015f:005b72f6 js 005b7312
    015f:005b72f8 lodsb
    015f:005b72f9 cmp al,e8
    015f:005b72fb jz 005b7305
    015f:005b72fd cmp al,e9
    015f:005b72ff jz 005b7305
    015f:005b7301 inc ebx
    015f:005b7302 dec ecx
    015f:005b7303 jmp 005b72f2 ---- end of loop

The loop starts at 5b72f2 and finishes at 5b7303 (jmp 5b72f2). If you trace this mini loop with F10 you will quickly see that the trace is quite long. To trace over this routine, put a breakpoint at the address 5b7312: under SoftICE, enter BPX 5b7312. Why do we put a breakpoint at this address and not another? Because this address corresponds to the first conditional jump of the loop (at 5b72f4, jz 5b7312). The second conditional jump (at 5b72fb, jz 5b7305) is not interesting: at the end, there is a jmp 5b72f2, the beginning of our mini loop... We deduce that the mini loop ends at 5b7312. Run the whole thing with F5, and SoftICE stops again at 5b7312.
Continuing to trace the program with F10, we arrive at this:

    015f:005b734a cmp dword ptr [esi],00
    015f:005b734d jz 005b7299
    015f:005b7353 mov ebx,[ebp+00444adf]

When you arrive at the address 5b734a, a comparison is made, followed by a conditional jump. As before, you will be taken into a loop. Put a breakpoint after the conditional jump: under SoftICE, type BPX 5b7353. Start the whole thing again with F5, and SoftICE breaks at 5b7353. We continue the trace with F10 and we arrive at this (Caution! The trace is long before you get there!):

    015f:005b7520 add dword ptr [ebp+00445172],04
    015f:005b7527 jmp 005b7493 ------------- and we go up ...
    015f:005b752c xor eax,eax
    015f:005b752e mov [esi],eax
    015f:005b7530 mov [esi+0c],eax
    015f:005b7533 mov [esi+10],eax
    015f:005b7536 add esi,14
    015f:005b7539 mov edx,[ebp+004450ac]
    015f:005b753f jmp 5b73fc
    015f:005b7544 mov eax,[ebp+00444aef]
    015f:005b754a push eax
    015f:005b754b add eax,[ebp+004450ac]
    015f:005b7551 pop ebx
    015f:005b7552 or ebx,ebx
    015f:005b7554 mov [esp+1c],eax
    015f:005b7558 popad
    015f:005b7559 jnz 005b7563
    015f:005b755b mov eax,00000001 --------- hum...
    015f:005b7560 ret 000c
    015f:005b7563 push eax ----------------- entry point...
    015f:005b7564 ret

If you trace the program correctly, you arrive at the address 005b7527 jmp 005b7493. If you carry out this jump, you will be taken into a loop again (for a change...). Personally, the first time I traced a program compressed with ASPack 10.08.03, there was a trick that rang a bell: at 5b755b there is a register (eax) that the program sets to 1. Generally, coders use this register (it's not always true) to set 'flags' announcing that a routine is finished. Moreover this setting is followed by a push eax (5b7563) and a ret... Put a breakpoint at the address 5b7563: under SoftICE, type BPX 5b7563. Run the program with F5. SoftICE breaks at 5b7563. Under SoftICE, type ?
EAX. SoftICE shows you 4D1F5C. It's the entry point of our program once it is unpacked. Write this value down somewhere, we will need it.

Step 3

Now we need to make a DUMP of our program. Before executing the ret at the address 5b7564, type A 5b7564. You are in SoftICE's ASM editor, at 5b7564. Type 'jmp eip' and press Enter. Press Escape to leave the ASM editor. The program will now loop forever at the address 5b7564 instead of executing. Run the whole thing again with F5. Launch ProcDump 1.5. It should show you all programs running at this moment. In the ProcDump window, we locate our program easily: pstrip.exe. Before dumping, change an option of ProcDump: in 'Options', choose 'Rebuild Import Table'. To dump the program, right-click on your program and choose the option 'Dump (Full)'. Give a name to your exe (Dump.exe for me). Now you must have an exe of 1674 KB...

Now it is necessary to set the right entry point in your new exe. With ProcDump, go to the option 'PE Editor' and open the dump that you have made. ProcDump shows you that 'Image Base' is 00400000. A few moments ago (Step 2), we noted that the entry point was 4D1F5C. Thus your entry point is: 4D1F5C - 400000 = D1F5C. In the box 'Entry point' of ProcDump, enter D1F5C. To check that your unpacked exe is valid, launch it. It should run without problems...

Step 4

The other protection of the software is a nagscreen which is displayed at every start. Moreover, it is not really easy to crack: breakpoints on the usual APIs, like DialogBoxParamA, MessageBoxA and others, have no effect... I used the breakpoint which gives control to SoftICE when a mouse button is activated. Launch your exe and, before clicking on 'OK' when the nag is displayed, launch SoftICE with the hotkey CTRL-D. We will see all programs running under Windows: under SoftICE, type TASK. We easily locate our exe ('dump.exe' for me). Now, type HWND DUMP.
This command lists all the windows the program has at this moment, with their window procedures. CAUTION! The screen below will inevitably be different on your computer: the addresses on the left will change from one config to another. Personally, by typing HWND DUMP, I obtain this:

    Window Handle  hQueue  SZ  QOwner  Class Name    Window Procedure
    0270(1)        3967    32  Dump    TPSSplash     13ff:00000298
    02A0(2)        3967    32  Dump    Button        13ff:00000A72
    029C(2)        3967    32  Dump    Button        13ff:00000A5C
    0298(2)        3967    32  Dump    Button        13ff:00000A46
    0294(2)        3967    32  Dump    TGroupBox     13ff:00000A30
    0288(2)        3967    32  Dump    TGroupBox     13ff:000009D8
    0290(3)        3967    32  Dump    Edit          13ff:00000A1A
    028C(3)        3967    32  Dump    Edit          13ff:00000A1A
    0284(2)        3967    32  Dump    TGroupBox     13ff:000009C2
    0278(2)        3967    32  Dump    TRadioGroup   13ff:00000980
    0280(3)        3967    32  Dump    Button        13ff:000009AC
    027C(3)        3967    32  Dump    Button        13ff:00000996
    0274(2)        3967    32  Dump    Button        13ff:0000096a

We search for a class named 'Button', because we want to stop the software when there is mouse activity (like a click on the 'OK' button or another). SoftICE shows several classes with this name 'Button'. Take one, but you will probably need several tries before finding the right BP. I took the window procedure whose window handle equals 0280(3). To place your breakpoint, type: BMSG 280 0202. The number 280 corresponds to the window handle of the button and 0202 is the message number (WM_LBUTTONUP). If you put the right breakpoint, SoftICE must take control when you click on 'OK'. But at this moment you are not in the main code of the program: we are at the beginning of the API. To go back into the code of our program, we need to go up using F12. Caution! To get out of the nag, you need to press F12 64 TIMES! If you do the operation well, you arrive at this:

    015f:004a8856 cmp byte ptr [eax+00000530],0 ------ user registered ?
    015f:004a885d jnz 004a8904 ------------ Yeah! we jump...
    | ---- cut ------ |
    015f:004a88c7 mov eax,[004d8b00]
    015f:004a88cc call 0042522c ------- Nagscreen !
    015f:004a88d1 cmp eax,02 --------- YoU ArE HeRe WitH SoFTiCe !

After pressing F12 64 times, we arrive at the address 4a88d1. Just before this address you have the call which starts the nag: call 0042522c. Going up a little in the code, we see that at the address 4a8856 there is a comparison followed by a conditional jump... And if we replace the jnz 004a8904 with a jz 004a8904, we force the program to jump over the nag... Take your hex editor and edit dump.exe. Go to offset a7e5e and put 84 in place of 85. Launch your crack: it works, the nag is not displayed...

It should be noted that this technique to unpack ASPack 10.08.03 is valid for other programs compressed with this shit... Just the memory addresses change.

A+++++++++++
RemarKs, critiKs, contaKts at Samsoul99@Hotmail.com
TaMaMBoLo

A Tutorial For Cracking: Nokia Startup Logo Editor v1.0A & Nokia Smart Messaging Agent v0.99B
Author: The_Libran [C4A]

OK folks, I have never written a tutorial before, and I never would have written one but for the insistence of Mr.Fanatic [Founder of C4A]... So here I am writing a tutorial for Nokia Startup Logo Editor v1.0A.

A) Nokia Startup Logo Editor v1.0A
1) Tools required
2) Introduction
3) Voila, you have the serial cracked!!!!

(1) The tools required:
1) NuMega SmartCheck v6.03 (www.numega.com)
2) And of course!! Nokia Startup Logo Editor v1.0A (www.wildies.de/nokia)

That's all :) ...... SmartCheck is a really powerful tool for cracking VB programs... I used SoftICE to crack VB programs before SmartCheck and believe me it was one hell of a nightmare... which always succeeded :) ... Anyway, that's all you will be needing.

(2) Introduction:

To crack any program you require basic knowledge of programming. If you already know a bit of programming it will help you develop cracking skills faster. This tut doesn't require you to know much programming anyway :).
If you would like to learn cracking, the best way is through tutorials, a lot of which you can find at www.corleone.net. Cracking this program won't be difficult for you if you have already done some VB programming. So let's start... Go to the program folder of Nokia, right-click on the Nokia executable file and view it with Quick View Plus (www.inso.com). You will see that under the import table section there is a reference to msvbvm6.dll, which tells us that we can use SmartCheck for cracking it. That's the way you check which files are used by the program; you can also do this with W32Dasm (Windows Disassembler), which you can get at www.corleone.net.

(3) Serial-trapping begins:

1) Start NuMega SmartCheck and load the program Nokia Startup Logo Editor.
2) Now run the program by clicking Program > Start or by clicking the green button on the toolbar.
3) Let the program load. After it has finished loading, click on Help > Register.
4) I have entered this info in the box that pops up:
   Username: The_Libran [C4A]
   Serial: 1234567890
   License: 1111111111
5) Now click OK.
6) Then click on the SmartCheck window and locate "Toolbox_Toolclick".
7) Click on "Toolbox_Toolclick" to expand it, locate "frmregister.show".
8) Click on "frmregister.show" to expand it, locate "cmdOk.click" and expand it.
9) Scroll down till you see the following in the window:
10) What is that code??? Is that what's on your mind right now... Is it the license key???
11) Yes it is :). Note down this number and go back to Nokia Startup Logo Editor, click Help > Register in the toolbar and enter the code you just found.
12) Press OK...... No message saying you have registered successfully???
13) OK, now click Help > About on the toolbar and you can see that it's still unregistered??????
14) OK OK, don't get angry and delete this tutorial, I will explain what's gone wrong here :)
15) Go back to where you had found the number, and click on "Left", which is just above "Len returns long: 28".
I won't go into much detail here, I will just explain what the Left function does here. Now just look in the debug window, i.e. the right window frame, and you will see that the Left function asks for a length of 30 characters, but our number is only 28 characters long???

16) If you scroll through the other functions before the calculation of your key, you will find that the key is generated using your name and serial. If you have already done some programming it will help you here. I have found out for you that the serial number should be longer than 13 characters to get the correct serial, and also that the key should include at least one "-" in between these characters.
17) OK, so let's proceed now.
18) Enter the following info in the registration box:
   Username: The_Libran [C4A]
   Serial: 11111-11111-11111-11111-11111
   License: 1111111111
19) Press OK... now again locate "toolbox_toolclick", "frmregister_show", "cmdok_click".
20) Scroll down as before till you reach the following code:
21) Now you can see that the code here is 30 characters long, the same as required by us :)
22) So now note down this code and enter it in the Registration Box, and now click About. Do you see:
   Licensed to: The_Libran [C4A] <-- if you have entered the same info.
   Serial: 11111-11111-11111-11111-11111
   If not, then you must have missed some character in the 30-character code :)

B) Nokia Smart Messaging Agent v0.99B:
1) Follow the same steps as for Nokia Startup Logo Editor and get the serial for this one too :)

(4) Last Words:

There's a quote in the world of Cracking: "If you provide a person with a crack he will be hungry for more, so instead teach him to crack and make cracks for himself." But not everyone has the time to write tutorials, especially me, because I am busy with my work. But if I get a good response to this tutorial I promise more tuts :)

My regards fly out to Mr.Fanatic, Astaga and all C4A members. You can contact me at zeynab@hotmail.com.
How to keygen Lan-Box 1.01
by ACiD BuRN [ECLiPSE / CiA]

Type: Visual Basic 6 app
Level: very easy
Tools needed: SmartCheck 6, VB for coding the keygen
URL: http://members.tripod.com/LAN-BOX

1) Intro:

Well, I am tired, I won't nag you a lot in the intro ;) It is a VB prog, I will show you how to keygen it... Btw, a friend did a German tut too; I am sure it is good, but I can't read German heh...

2) Time to go!

Fire up your SmartCheck and open this little shit ;) Click on the Info button, then on Register Now, enter name: ACiD BuRN and serial: 112233, and click on the button to check the serial. This bitch tells us: bad serial blablabla... Heh, now end Lan-Box, and in SmartCheck do a search on this text: ACiD. You will land where the algo starts! Now look a bit, and you see it takes the ASCII value of each letter of the name entered... So click on this line:

    Asc(String:"A") returns Integer:65

To see what the heck this bitch does with the ASCII value, click on "Show All Events" in the View menu. Now you see this:

    Asc(String:"A") returns Integer:65

Now you see the program taking the ASCII value of the current char (first it is "A" from ACiD BuRN) and then adding it to the ASCII values of the previous chars... First it adds 65 to 0, because there are no chars before "A"... In SmartCheck you see this with this line:

    __vbaVarAdd(VARIANT:Empty,VARIANT:Integer:65)

This adds 65 to 0 (Empty means: no value yet). If you look down, you see the same with the next char of the name, "C" (C from ACiD BuRN):

    Asc(String:"C") returns Integer:67   <== takes the ASCII value of the current char, here "C"

then adds it to the previous sum of ASCII values:

    __vbaVarAdd(VARIANT:65,VARIANT:Integer:67)

then you see the result:

    __vbaVarMove(VARIANT:Integer:132,VARIANT:Integer:65)

The result is 132, and the value 65 is the old result. So we can assume it replaces 65 with the new value, 132. Well, it does this for each char's ASCII value, so this loop takes each char's ASCII value (in decimal) from your name and adds them...
    --------------------------------
    A     = 65 + 0
    C     = 67 + 65 = 132
    i     = 132 + 105 = 237
    D     = 237 + 68 = 305
    space = 305 + 32 = 337
    B     = 337 + 66 = 403
    u     = 403 + 117 = 520
    R     = 520 + 82 = 602
    N     = 602 + 78 = 680
    ---------------------------------

So the final value of this addition of ASCII values is 680 in decimal... Now scroll down until the end of the loop over each ASCII value of the name! This is where you see the value '680' :) Heh, now look a bit, and scroll down until you see this:

    __vbaVarMul(VARIANT:680,VARIANT:232354)

This multiplies the sum of the ASCII values by 232354; the result of this multiplication is 158000720.

    __vbaVarMul(VARIANT:158000720,VARIANT:653435)

This multiplies the result of the first multiplication by 653435; the result is 103243200473200.

    __vbaVarDiv(VARIANT:1.03243e014,VARIANT:23446534)

This divides the result of the second multiplication by 23446534 (note: 1.03243e014 is the same as 103243200473200, which is why it is good to do the calculations yourself)... The result is 4403345.947558817 (you see this value in SmartCheck). And finally you see:

    __vbaVarMove(VARIANT:Double:4.40335e+006,VARIANT:Integer:680)

This moves the final result (the good serial) to where the value "680" was written; it overwrites it! So, the first time, I thought it was the good serial, but it isn't!! I entered 4403345.947558817 and it sucked!! Bad serial msg box and shit :-/ If we scroll down a bit you will see this value: 4403345,94755882. Let's try it: IT WORKS!! So I was wondering how 4403345.947558817 becomes 4403345,94755882, so I coded the keygen to see how I could fix this problem... I coded it in VB5, entered ACiD BuRN as name, generated a serial with my keygen and it gave me 4403345,94755882. Great!! Dunno why it works, maybe because it is a VB app and the keygen is in VB too, but we don't care, it works! I am tired, I don't want to think more!
Lemme explain the algo:

    --------------------------ALGO---------------------------------
    1st: add all the ASCII values of the name
    2nd: multiply the value (from step 1) by 232354
    3rd: multiply the value (from step 2) by 653435
    4th: divide the value (from step 3) by 23446534
    ---------------------END OF ALGO-------------------------------

The result of the 4th step is the final serial!!

3) BONUS: SOURCE OF THE KEYGEN IN VISUAL BASIC

    -----------------------------START OF SOURCE-----------------
    ' Click handler of the button: Text1 holds the name, Text2 receives the serial
    Private Sub Command1_Click()
        Dim i As Integer
        Dim temp As Integer
        Dim final As Double
        ' 1st: add the ASCII value of every char of the name
        For i = 1 To Len(Text1.Text)
            temp = Asc(Mid(Text1.Text, i, 1))
            final = final + temp
        Next i
        ' 2nd, 3rd, 4th: scale by the three constants seen in SmartCheck
        final = final * 232354
        final = final * 653435
        final = final / 23446534
        ' VB converts the Double to a string here; this is the serial that works
        Text2.Text = final
    End Sub
    -----------------------------END OF SOURCE--------------------

To make this work, create a new project in VB and put two text boxes and one button on the form:
Text1.Text = the place to enter your name
Text2.Text = the serial will be shown there!
Nothing more! Enjoy!!

4) Ending...

Well, this tut is finished, hope you understood all this piece of shit, but if you have a comment or a question, mail me. You can find all my tuts at:
MAIL: ACiD_BuRN@nema.com
Web page URL: http://acidburn2000.cjb.net/
Enjoy!

Greetings to my groups: ECLiPSE / CiA / ODT / EXEC / XTM
Also greetingz to (no specific order): R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D, Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo, Killer_3K, TaMaMBoLo, gizmo, Gota, ExtaBrain... If your name is not here, sorry!!! Too many people to greet!

ACiD BuRN [ECL/CiA]

Visual Basic Keygening: The Power 1.0 fr
Tutorial by ACiD BuRN [Immortal Descendants] (September 30th, 1999)

Contents:
Introduction
ESSAY
Coding a Keygen!
Introduction:

This tutorial is on a VB serial-only protection. The serial is based on the hard drive number... We will study how the valid serial is calculated, and how the program computes it... all this to make a little keygen! Enough blablabla, let's start... Btw, the tools of the trade are:
- SmartCheck 6: must be well configured
- Visual Basic to code the keygen
- a lil brain
- the app: http://www.ifrance.com/vbandjava

ESSAY:

Fire up SmartCheck and run our target with it. Now you must see a msgbox telling us: "the power est un shareware...." This means: the power is a shareware, blablabla... So this is only a little nag; click on the OK button, and now you must see an input box with some text. Lemme translate it for you; we see:

"Le numero de votre disque (celui a partir duquel vous avez lancé the power) is : (your hard disk serial number here) Si vous souhaitez vous enreistrez , notez ce numero et blablablabla"

In English: "the hard disk number (the one of the computer where The Power has been run) is: (your hard disk serial number here). If you would like to register, write down this number blablabla..."

So now I think you start to understand: the program asks you to write down your hard-disk-based number and send it to the author for registering. So this program will need a keygen, because the valid serial for your computer won't work on other computers... Now that you understand, enter a fake serial in the input box: 112233, and click on the OK button! You get a msgbox telling us: "Vous vous etes trompé(e) blablabla". This means: "you made an error blablabla"... So close this little proggy, or end the task in SmartCheck, and now we have to look for the algo!

In SmartCheck, double-click on Form1_Load. Now we are looking for something messing with our hard disk serial (the API most used for this is GetVolumeInformationA). Look down and you see it!!

    GetVolumeInformationA(LPSTR:00413BA4....)
Two lines under it you see:

    Right(VARIANT:Double:8.92936e+008,long:8)

Well, this looks nice. Click on it and look at the value in the right window; you see: 892935893 <== this is our hard disk serial. So "Right(VARIANT:Double:8.92936e+008,long:8)" equals "Right(VARIANT:Double:892935893,long:8)", which means it takes 8 characters from the right: the 8 rightmost digits of 892935893 are 92935893 (it is the serial we see in the input box). Btw, all these values are different on each computer because they are hard-disk based! About two lines under, you see:

    Len(String:"92935893") returns LONG:8

Click on it, and in the View menu choose Show All Events... Now you see something like this:

    Mid$(String:"92935893",long:1,VARIANT:Integer:1) ....
    String("9") --> Double (9)
    Double (9) --> Integer (9)
    ......
    Mid$(String:"92935893",long:2,VARIANT:Integer:1) ....
    String("2") --> Double (2)
    Double (11) --> Integer (11)
    ......
    Mid$(String:"92935893",long:3,VARIANT:Integer:1) ....
    String("9") --> Double (9)
    Double (20) --> Integer (20)
    ......
    Mid$(String:"92935893",long:4,VARIANT:Integer:1) ....
    String("3") --> Double (3)
    Double (23) --> Integer (23)
    ......
    Mid$(String:"92935893",long:5,VARIANT:Integer:1) ....
    String("5") --> Double (5)
    Double (28) --> Integer (28)
    ......
    Mid$(String:"92935893",long:6,VARIANT:Integer:1) ....
    String("8") --> Double (8)
    Double (36) --> Integer (36)
    ......
    Mid$(String:"92935893",long:7,VARIANT:Integer:1) ....
    String("9") --> Double (9)
    Double (45) --> Integer (45)
    ......
    Mid$(String:"92935893",long:8,VARIANT:Integer:1) ....
    String("3") --> Double (3)
    Double (48) --> Integer (48)
    ......

So you must wonder how these values are calculated!!
Lemme explain a little bit: it takes each char of the serial and adds it to the previous result, like this:

    0 + 9 = 9 (0 because 9 is the 1st char, so nothing to add)
    9 + 2 = 11
    11 + 9 = 20
    20 + 3 = 23
    23 + 5 = 28
    28 + 8 = 36
    36 + 9 = 45
    45 + 3 = 48

So you see how this value is calculated; I just thought a bit to find out how it does it... Anyway, just under:

    Mid$(String:"92935893",long:8,VARIANT:Integer:1) ....
    String("3") --> Double (3)
    Double (48) --> Integer (48)

there is:

    Hex(VARIANT:Integer:19952)
    __vbaStrVarMove(VARIANT:String:"4DF0") ....
    .....

So it takes the hex value of 19952 (4DF0), and if you scroll down a little you will find the final compare:

    __vbaStrCmp(String:"4DF0",String:"112233") returns DWORD: FFFFFFFF

This is the Visual Basic function most used to compare strings. Here it compares 4DF0 with 112233:
112233 = the fake serial we entered
4DF0 = the hexadecimal of the serial we saw a few lines above. It is also the valid serial to enter..

So how can we get this "19952"?? Let's look again at what we saw in SmartCheck:

    Mid$(String:"92935893",long:8,VARIANT:Integer:1) ....
    Double (48) --> Integer (48)
    Hex(VARIANT:Integer:19952)
    __vbaStrVarMove(VARIANT:String:"4DF0") ....

Hmm, let's add 48 and 19952; we obtain 20000. So it looks like the program subtracts the value from the HD serial from 20000:
48 = value from hard disk
20000 = constant
20000 - 48 = 19952
And after this, it just converts the result to hexadecimal: 19952(d) = 4DF0(h), and we get the good serial!!!: 4DF0. This is for my computer! Let's code a lil keygen!

Coding a Keygen:

Well, for this you need to use the Windows API to get the hard disk serial and then do the rest of the calculation... I joined the complete source with this tutor, but I will just show the part of the code which does the calculations on the serial we get from our hard disk!! I used Visual Basic 5 to code this keygen...
    -----------------------------little cut of source---------------------------------
    ' Here normally comes the code to get the hard disk number; look at the full source joined with the tutorial.
    ' Assumption: lngVolumeSerialNumber is the Long holding the volume serial from GetVolumeInformationA.
    Dim serial As String
    Dim temp As Long
    Dim i As Integer
    serial = Right(Format$(lngVolumeSerialNumber), 8)
    ' serial = the 8 rightmost digits of the full hard disk serial
    Label1.Caption = "The value from your hard drive is: " + serial
    For i = 1 To Len(serial)
        temp = temp + Val(Mid(serial, i, 1))
    Next i
    ' this is the loop that calculates the value from our hard disk
    Text1.Text = "Your personal unlocking code is :" + Hex(20000 - temp)
    ' here comes the final serial, in hexadecimal
    ' ACiD BuRN / ID
    -------------------------end of little cut of source-------------------------------

Now you've got a full key generator for The Power v1.0. I hope you have understood all this essay, and if you have any comments or questions, just mail me at: ACiD_BuRN@nema.com or acid2600@hotmail.com. You can find all of my tuts at:
Web page URL: http://acidburn2000.cjb.net

Greetings:
Group greetings: ID - ECLiPSE - CiA - ODT - EXEC - TiTaNe - PWA - PC - UCF - CORE
Also greetingz to (no specific order): R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D, Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo, Killer_3K, TaMaMBoLo, gizmo, Gota, ExtaBrain, Alpine, WarezPup... Eheh, I bet I forgot some people :-/, sorry!!!
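Both serial schemes above (Lan-Box: the sum of the name's character codes scaled by 232354, 653435 and 23446534; The Power: 20000 minus the digit sum of the volume serial, in hex) can be regenerated by anyone who holds the program, because every input to the check lives on the user's machine. The Python below is an added example, not code from either tutorial: it reproduces the two checks only to measure that weakness (a character sum is order-independent, and eight digits can only sum to 0..72, so The Power accepts just 73 distinct codes across all machines) and contrasts them with a keyed MAC that can only be checked with a vendor secret that never ships. The vendor key in it is a constructed placeholder.

```python
"""Weak client-computable serials versus a keyed license (added example)."""
import hashlib
import hmac

# Constants of the Lan-Box 1.01 check, as traced in SmartCheck in the tutorial.
LANBOX_MUL1, LANBOX_MUL2, LANBOX_DIV = 232354, 653435, 23446534
# Constant of The Power 1.0 check.
POWER_CONSTANT = 20000


def lanbox_name_sum(name: str) -> int:
    """Step 1 of the Lan-Box algo: add the ASCII value of every character."""
    return sum(ord(ch) for ch in name)


def lanbox_serial(name: str) -> float:
    """Steps 2-4: scale the sum by the three constants.
    Every operand is known to the client, so the serial is derivable without any secret."""
    return lanbox_name_sum(name) * LANBOX_MUL1 * LANBOX_MUL2 / LANBOX_DIV


def lanbox_collides(name_a: str, name_b: str) -> bool:
    """A sum ignores order: any permutation of a name yields the identical serial."""
    return lanbox_serial(name_a) == lanbox_serial(name_b)


def power_unlock_code(volume_serial: int) -> str:
    """The Power: Right(Format$(serial), 8), digit sum, 20000 - sum, then hex."""
    digits = str(volume_serial)[-8:]
    return format(POWER_CONSTANT - sum(int(d) for d in digits), "X")


def power_code_space() -> set[str]:
    """Every code The Power can ever accept: eight digits sum to at most 8 * 9 = 72."""
    return {format(POWER_CONSTANT - s, "X") for s in range(8 * 9 + 1)}


def issue_license(vendor_key: bytes, name: str) -> str:
    """Vendor side: bind the licensee name to an HMAC-SHA256 tag under a key that never
    ships with the product. Because verifying needs the same key, the check must run on
    the vendor's server; a purely offline check would need a public-key signature instead."""
    tag = hmac.new(vendor_key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
    return f"{name}|{tag}"


def verify_license(vendor_key: bytes, license_text: str) -> bool:
    """Server side: recompute the tag for the presented name and compare in constant time."""
    name, sep, tag = license_text.rpartition("|")
    if not sep:
        return False
    expected = hmac.new(vendor_key, name.encode("utf-8"), hashlib.sha256).hexdigest()[:32]
    return hmac.compare_digest(expected, tag)


if __name__ == "__main__":
    print(lanbox_name_sum("ACiD BuRN"))                  # 680, as in the tutorial
    print(lanbox_serial("ACiD BuRN"))                    # about 4403345.9475588, as traced above
    print(lanbox_collides("ACiD BuRN", "NRuB DiCA"))     # True: same letters, same serial
    print(power_unlock_code(892935893))                  # 4DF0, the tutorial's own example
    print(len(power_code_space()))                       # 73 codes in total
    key = b"constructed-demo-key-do-not-reuse"           # placeholder, not a real vendor key
    lic = issue_license(key, "ACiD BuRN")
    forged = "NRuB DiCA|" + lic.split("|")[1]            # tag reused under another name
    print(verify_license(key, lic), verify_license(key, forged))  # True False
```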
ACiD BuRN / Immortal Descendants
Copyright 1999 ACiD BuRN and the Immortal Descendants

CDilla Cracking: MidTown Madness French version: another approach on CDilla
Tutorial by ACiD BuRN [Immortal Descendants] (October 6th, 1999)

Tools needed:
* Original CD of Midtown Madness
* SoftICE 3.23
* SoftICE tool to patch SICE (used to dump sections)
* Hex Workshop
* Frog Ice (to hide SoftICE)
* ProcDump (for the PE Editor)
* eXeScope

Introduction:

Hello all, I know there is already a tutor on Midtown Madness by Black Check, but the way to crack it here is not the same as his, and I will explain more than he did about pasting our newly dumped sections into the cracked exe :) I also assume you have read his tut and know some things about the PE file format... Let's kick CDilla's ass:

After installing your little game, PE-edit the ".icd" file with ProcDump. (Fire up ProcDump, click on PE Editor, browse to your ".icd" file; there it is, Midtown.icd...)
Now you must see:
- Entry Point: 00166C10
- Image Base: 00400000

OK, we will need the OEP (original entry point) later, so to get it just add the image base and the entry point you get in ProcDump: 00400000 + 00166C10 = 566C10.

Now click on the "Sections" button to see all the sections of the file. You will only need the Virtual Offset, Raw Size and Raw Offset values!

    Section   Virtual Offset   Raw Size   Raw Offset
    .text     00001000         18D78F     600
    .rdata    0018F000         14C99      18DE00
    .data     001A4000         3D8A4      1A2C00
    .data1    00314000         20         1E0600
    .rsrc     00315000         CB3        1E0800

Now we will dump all the sections of the ".icd" file except ".rdata"; you will see why later... Btw, you need to add the image base to the Virtual Offset of all sections:

    .text  : 400000 + 00001000 = 00401000
    .rdata : 400000 + 0018F000 = 0058F000
    .data  : 400000 + 001A4000 = 005A4000
    .data1 : 400000 + 00314000 = 00714000
    .rsrc  : 400000 + 00315000 = 00715000

OK, now we are going to dump all these sections (except .rdata). For this, we will need to put a breakpoint on the OEP (566C10 for us). Btw, I assume you read the Black Check tutor and patched your Frog Ice to hide your SoftICE; else go and read that nice tut first... Fire up your patched Frog Ice and run your original game. You will see a little video; at this moment make SoftICE appear (Ctrl+D) and set a bpx on the OEP: BPX 566C10 for this game! Press F5 to make the game run again and close it afterwards... Now run it again, and it normally breaks on 566C10; if it doesn't, check that you set the bpx at the right place (BL: you must get something like this: #025F:566C10). I assume it broke; now you can dump all the sections.
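Two pieces of PE bookkeeping run through this page: the section characteristics ProcDump shows (C0000040 on PowerStrip's packed CODE section, changed to E0000020 in Step 1 of the first tutorial) and the Virtual Offset / Raw Size / Raw Offset arithmetic above. The Python below is an added example, not code from any of the tutorials: it decodes those flag words with the IMAGE_SCN_* bits of the PE/COFF specification, flags writable-and-executable sections (a cheap packer indicator worth scanning binaries for), and maps an in-memory address such as the OEP 566C10 back to its byte offset in the file using the Midtown.icd section table. The "CODE" header it builds is a constructed fixture, not real PowerStrip data, and the Midtown flags are set to 0 because the page does not list them.

```python
"""Decode PE section flags and map virtual addresses to file offsets (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

# IMAGE_SCN_* bits from the PE/COFF specification.
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000
FLAG_NAMES = {
    IMAGE_SCN_CNT_CODE: "CODE",
    IMAGE_SCN_CNT_INITIALIZED_DATA: "INITIALIZED_DATA",
    IMAGE_SCN_MEM_EXECUTE: "EXECUTE",
    IMAGE_SCN_MEM_READ: "READ",
    IMAGE_SCN_MEM_WRITE: "WRITE",
}

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")


@dataclass(frozen=True)
class Section:
    name: str
    virtual_address: int   # "Virtual Offset" in ProcDump's PE editor
    raw_size: int          # "Raw Size"
    raw_offset: int        # "Raw Offset"
    characteristics: int


def parse_section_header(raw: bytes) -> Section:
    """Decode one 40-byte entry of a PE section table."""
    name, _vsize, vaddr, rawsz, rawoff, _, _, _, _, flags = SECTION_HEADER.unpack(raw)
    return Section(name.rstrip(b"\0").decode("ascii", "replace"), vaddr, rawsz, rawoff, flags)


def build_section_header(name: str, vaddr: int, rawsz: int, rawoff: int, flags: int) -> bytes:
    """Constructed fixture builder so the parser can be exercised without a real file."""
    padded = name.encode("ascii").ljust(8, b"\0")
    return SECTION_HEADER.pack(padded, rawsz, vaddr, rawsz, rawoff, 0, 0, 0, 0, flags)


def decode_characteristics(flags: int) -> list[str]:
    """Human-readable names of the set IMAGE_SCN_* bits, e.g. C0000040 -> data, read, write."""
    return [label for bit, label in FLAG_NAMES.items() if flags & bit]


def is_writable_executable(section: Section) -> bool:
    """W+X sections are a common packer indicator: the stub writes unpacked code into a
    section that is later executed. E0000020, as set on PowerStrip's CODE section above,
    is exactly this combination."""
    flags = section.characteristics
    return bool(flags & IMAGE_SCN_MEM_WRITE) and bool(flags & IMAGE_SCN_MEM_EXECUTE)


def va_to_file_offset(sections, image_base: int, va: int) -> Optional[int]:
    """Translate an in-memory address to its byte offset in the file on disk.
    Only bytes inside SizeOfRawData exist on disk; an address in virtual-size slack or
    between sections has no file offset and yields None."""
    rva = va - image_base
    for s in sections:
        if s.virtual_address <= rva < s.virtual_address + s.raw_size:
            return rva - s.virtual_address + s.raw_offset
    return None


# Section table of Midtown.icd as ProcDump lists it in the tutorial (flags not listed, so 0).
MIDTOWN_IMAGE_BASE = 0x400000
MIDTOWN_SECTIONS = [
    Section(".text", 0x1000, 0x18D78F, 0x600, 0),
    Section(".rdata", 0x18F000, 0x14C99, 0x18DE00, 0),
    Section(".data", 0x1A4000, 0x3D8A4, 0x1A2C00, 0),
    Section(".data1", 0x314000, 0x20, 0x1E0600, 0),
    Section(".rsrc", 0x315000, 0xCB3, 0x1E0800, 0),
]


if __name__ == "__main__":
    # Constructed CODE header carrying the packed flags ProcDump showed for PowerStrip.
    packed = parse_section_header(build_section_header("CODE", 0x1000, 0x400, 0x400, 0xC0000040))
    print(packed.name, decode_characteristics(packed.characteristics), is_writable_executable(packed))
    patched = Section("CODE", 0x1000, 0x400, 0x400, 0xE0000020)
    print(decode_characteristics(patched.characteristics), is_writable_executable(patched))
    oep = MIDTOWN_IMAGE_BASE + 0x166C10
    print(hex(oep), hex(va_to_file_offset(MIDTOWN_SECTIONS, MIDTOWN_IMAGE_BASE, oep)))
```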
Before dumping, disable all your bpx; we don't want any junk in our dumped sections... The pagein command works like this: pagein "address where the dump starts" "size" "file name". So just type this in SoftICE:

pagein 401000 18D78F c:\text.bin
pagein 5A4000 3D8A4 c:\data.bin
pagein 714000 20 c:\data1.bin
pagein 715000 CB3 c:\rsrc.bin

OK, that dumped the sections to our hard disk!! Now we have to do the "nice" part: dumping our rdata section, which is not like the others!! First of all, you have to get the real address of the function, so we will trace into the call that goes through our rdata section. After breaking, we land here:

00566C10 PUSH EBP                <-- we break here, on the entry point
00566C11 MOV EBP,ESP
00566C13 PUSH FF
00566C15 PUSH 005968D0
00566C1A PUSH 00566724
00566C1F MOV EAX,FS:[00000000]
00566C25 PUSH EAX
00566C26 MOV FS:[00000000],ESP
00566C2D ADD ESP,-5C
00566C30 PUSH EBX
00566C31 PUSH ESI
00566C32 PUSH EDI
00566C33 MOV [EBP-18],ESP
00566C36 CALL [0058F14C]         <-- this is the call through our rdata section, trace into it (F8)

Inside this call we land here:

009A6485 pushad
009A6486 push 00000031
009A6488 push 00000000           ---> 0 means kernel (kernel32) imports; it will be 1 for user imports...
009A6490 call [9A64A6]           --> gets the real address of the function (9A64A6)
009A6496 add esp,8
009A6499 popad
.......
         jmp [XXXXXXXX]

Trace this code and you will see the jmp [XXXXXXXX] become jmp [KERNEL32!GetVersion]... OK, good, you are on the right track :) We are nearly done with the preparations for coding the call fixer!! Anyway, we need to know how many kernel and user imports there are in this game!! There are several ways to do this: you can disassemble the ".icd" with W32Dasm and count them, you can trace in SoftICE too, but I used a tool called eXeScope to see how many imports it has... Anyway, in my Midtown.icd I got:

- 127 kernel imports
- 042 user imports

OK, but we need these numbers in hexadecimal, because SoftICE only uses hex values =)

127 = 7Fh
42 = 2Ah

My favourite part comes now!!
Coding the call fixer. First of all, we don't have write access (read-only access) to the .Rdata section, so we will move the rdata section to the data section's place.

To code the call fixer, I start coding at the OEP, so enable your bpx on it, run the game again, and wait until we break... Now we have to move the rdata section into the data section's place in memory. To do this, just type:

m "rdata virtual offset + image base" l "rdata size" "destination address in the data section"

NOTE: For the destination address, use a bigger number, it is better... 5A4000 is our normal data virtual offset; I used 5B0000 (bigger, like I said). So just type this:

m 58F000 l 14C99 5B0000

OK, now time to code!! You are at the line:

566C10 PUSH EBP

We will code something looking like this:

00 pushad
01 push ebx
02 push 0
04 call [XXXXXXXX]
0A add esp,8
0D mov edx, XXXXXX
12 cmp eax,[edx]
14 je 20
16 inc edx
17 cmp edx, XXXXXX + XXXXX
1D jne 12
1F int 03
20 mov [edx],ecx
22 popad
23 inc ebx
24 cmp ebx, XX
2A jne 00
2C int 03

So, let's go. Type in SoftICE: A (press Enter) and code:

566C10 pushad
566C11 push ebx
566C12 push 0
566C14 call [009A64A6]         <-- real address; we found this when we traced into the call
566C1A add esp,8
566C1D mov edx, 5B0000         <-- address where we copied our .rdata section to
566C22 cmp eax,[edx]
566C24 je 566C40
566C26 inc edx
566C27 cmp edx, 5B0000 + 14C99 <-- address where we copied our .rdata to + rdata size
566C3D jne 566C22
566C3F int 03                  <-- safety: if it finds no match, break here.
566C40 mov [edx],ecx
566C42 popad
566C43 inc ebx
566C44 cmp ebx, 7F             <-- number of APIs to fix
566C4A jne 566C10
566C4C int 03

Now set ebx to 0 (R EBX 0), set your EIP to line 0 (line 0 = 566C10 here, so R EIP 566C10), type "i3here on" and press F5 to run it; normally you should break on 566C4C... Now set your ebx back to 0, change line 02 (566C12 here) to "push 1", change line 24 to "cmp ebx, user_import_number" (2A for us), and set EIP back to line 0 (R EIP 566C10).
Run it again. Normally all is OK now; it should break on 566C4C again... Now we can dump our rdata section safely:

pagein 5B0000 14C99 c:\rdata.bin

Hehe!! Now we just have to rebuild a working executable file. I tried ProcDump to import the sections, but this bitch didn't change anything, so I imported my sections manually; I will show you all of it ;)

First, make a copy of the ".icd" file (for us: Midtown.icd) and rename it with whatever name you want, but with the ".exe" extension, e.g. damnit.exe.

Now fire up Hex Workshop, open "damnit.exe", and open the first section we dumped: c:\text.bin... Now you need the raw offset of each section. I wrote them at the start of the tutorial, but I will write them here again to help you understand this crap :p

- ".text" section:  Raw Offset: 600     size: 18D78F
- ".Rdata" section: Raw Offset: 18DE00  size: 14C99
- ".data" section:  Raw Offset: 1A2C00  size: 3D8A4
- ".data1" section: Raw Offset: 1E0600  size: 20
- ".rsrc" section:  Raw Offset: 1E0800  size: CB3

OK, you have got everything here!! We want to do the first section, ".text", so: in Hex Workshop press Alt+F5, enter the raw offset of the section you want to paste at, here 600, and click OK. Now go to the Edit menu, click on "Select Block" and enter the size of the section, here 18D78F... Now look at the other opened file (text.bin) and press Ctrl+A to select all. Now go back to the main executable window in Hex Workshop and paste the bytes you just copied into the clipboard: Ctrl+V, or Edit menu and Paste... Save your file. GOOD!! You just updated the ".text" section with our dumped section!!

OK, I will do one more section import with you, and you will do the others the same way! Second section: Rdata! You can close the "text.bin" window and open the file "rdata.bin" with Hex Workshop. Click on the main exe window, press Alt+F5, and enter the raw offset of the rdata section: 18DE00.
Click OK, go to the Edit menu, then "Select Block", and enter the rdata section size: 14C99... Look at the rdata.bin window, press Ctrl+A to select all bytes, and go back to the main executable (damnit.exe) window in Hex Workshop... Now just paste them with Ctrl+V, or with Paste in the Edit menu. OK, I think you understand now; just do the same with all the sections and save your executable.

Now you can unload Frog ICE, because the anti-SoftICE code is no longer in our rebuilt exe. Remove the original Midtown Madness CD and run "damnit.exe" (or whatever you named it). WOW, the game runs, very quickly, without that lame window telling us to wait during the CD verification, and voila!! The game is running very well =)

But to make a perfect executable, you have to rebuild the file's PE as it is written in the Black Check tutorial: if you try to run it on another Windows 9x version, it will crash. It would only run on Win98, because the rdata section contains the addresses of all the functions from Win98 (it would only run on Win95 if you cracked it on Win95). The addresses we put in the import table are only valid for the Windows version we cracked it on. Let's fix that:

- Start ProcDump (very good job G-RoM :), go to Options and select:
  [v] Recompute Object Size
  [v] Optimize PE Structure
  [X] Use actual import infos
  then click on the OK button...
- Now we just have to rebuild the file: click on Rebuild PE and browse to your cracked file (damnit.exe for me).

ProcDump makes us a valid import table, and our executable is now fixed and perfect!!! (I hope so ;p) It should run on all Win9x versions of Windows...

Voila!! This tutorial is finished, but if you have any comments or questions, just mail me!! Acid2600@hotmail.com or ACiD_BuRN@nema.com. You can also find all of my tutorials here: http://acidburn2000.cjb.net/

Now I want to give special greets to some people who helped me with CDilla:

- BIG FAT THX goes to R!SC for all the help and answers to my questions... this dude rox!!
  he just cracked the new CDilla, PHEAR :p
- thx to noos, for some help too :)
- Killer_3K: 'lo ;)
- G-RoM, for ProcDump and some nice chat ;p

And now my usual greetings for all my friends:

Greetings:

Group greetings: ID - ECLiPSE - CiA - ODT - EXEC - TiTaNe - PWA - PC - UCF - CORE - +HCU

Also greetingz to (no specific order): Cyber Blade, ^Inferno^, AB4DS, Klefz, Volatility, TORN@DO, T4D Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, Crackz, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo, TaMaMBoLo, gizmo, Gota, ExtaBrain, Alpine, WarezPup, zoltan... eheh, I bet I forgot some people :-/ sorry!!!

copyright (c) ACiD BuRN and the Immortal Descendants.
http://www.immortaldescendants.com/

We really hope you've enjoyed this tutorial as much as we did! Don't miss Tutor #48, coming soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
HackerG for the splash logo.
TaMaMBoLo for providing a tut in this version.
The_Libran for providing a tut in this version.
ACiD BuRN for providing 3 tuts in this version.
tKC/CiA (hey, it's me!) for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials... see below for my email address! And all the tutors can be found at www.msjessca.da.ru!

Greetz go to all my friends!! You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99
Compiled on 10 October 1999

Cracking Tutorial #47 is dedicated to Ms_Jessca...