Welcome to Cracking Tutorial #49! Tons of tutors today, good to keep me busy. As you can see, I've played a little with Delphi; I think the interface looks better this time than the older one. :) Oh yeah, to publish your tutors in the next issues, please remember to keep to 75 chars per line in the text file! And don't miss Tutor #50, coming soon! OK, let's go!

You'll need the following tools. (These are the tools I use, and I assume you'll use them too; that doesn't mean you need every one of them for every example, but have them handy for the examples in this tutorial.)

  SoftICE 4.01
  W32Dasm 8.93
  Hacker's View 6.20
  SmartCheck 6.03
  TASM 5.00
  Windows Commander 4.01 (I use it because it makes multitasking easier)

Don't ask me where to download these tools, since you had a chance to get them when you used my older tutorials. Here is a good site to grab tools from: http://protools.cjb.net/ , or ask any cracker to get them for you. Are you ready?! OK! ;)

// Written by: FileCAT
// Issue: Basic Cracking with some of the most popular tools.
// Tools to use: SmartCheck 6.01, SoftICE 4.01, Hiew 5.16, Win32Dasm, Pascal, C++.
// Date: 10/19/99.

This tutorial isn't, unlike almost every other one, about one specific program. In this tutorial I will try to raise your skills as a cracker. Just read; if there is something you don't understand, read it again. Most of the text we will fight our way through is for beginners, but I promise that more experienced crackers will get something out of it too.

This tutorial contains:

[1] Basics of Win32Dasm
[2] Basics of SmartCheck
[3] Basics of Hiew
[4] Basics of SoftICE
[5] How to patch using Pascal
[6] How to patch using ASM
[7] FAQ
[8] Good tools to have
[9] End & Greetings

[1] Basics of Win32Dasm

Win32Dasm is one of the most powerful Windows disassemblers on the market. Normally it is used by programmers, but it can also be used for cracking, which is what I will try to teach you here.
To disassemble a program, open W32Dasm, choose Disassembler, Open, and pick your file. Once it is loaded, which will probably take a while, the next thing to do is find the offset you need to change. Normally you use W32Dasm when the protection is a time limit, a serial check, or a nag.

Let's take an example. First a time limit: when the 30-day trial period is over, you get a message box saying it has expired and you can't use the program anymore. In this example it says "Sorry, trial period is expired please register". To find this we look in Refs, String Data References (SDR), where you can look for the strings the program contains. We find "Sorry, trial period is expired please register", and when we double-click on it we see this:

* Possible StringData Ref from Data Obj ->"Sorry, trial period is expired please register"
                                  |
:004041BA 6830834400              push 00448330

This line itself we don't care about. Scroll up a bit until you reach the next reference, which in this case is:

* Referenced by a (U)nconditional or (C)onditional Jump at address:
|:00404158(C)

We need 404158. Press Shift-F12 (Goto Code Location) and enter 404158. Usually you land on a JE; this is what we need. Double-click on the JE so it turns green, and look at the bottom of W32Dasm, which says something like:

Line: xxxx Pg xx and xx of xxx Code Data @:xxxxxxxx @Offset xxxxxxxxh in File xxxxxxxx.exe

That is: Line: "line" Pg "page" and "page" of "total" Code Data @:"code address" @Offset: "file offset" in File "file". We only care about the offset (the file offset, not the code address: the file offset is what a hex editor works with); write it down or remember it. In this example the offset is 4B5A. Now go to the Hiew section to see how to change the JE.

[2] Basics of SmartCheck

Setup: it is very important that SmartCheck is set up right, so check this: first go to Program, then Settings, where you should tick everything; next, in Settings, choose Reporting and tick everything except "Report MouseMove events from OCX controls". Now you're ready to begin.
How to open and run a program: go to File, choose Open, and pick the file you want to run. When it is loaded, press F5 to run the program.

ASCII values: normally, when you run a program with Name & Serial protection, you will get the ASCII value of each character. With a Serial-only protection you should look in the boxes right before you get the error message.

[3] Basics of Hiew

Opening a program in Hiew: find Hiew.exe and run it. You are now in Hiew's own directory (C:\Directory of Hiew\). Choose the program you want to crack or look at and press Enter.

How to operate in Hiew: on the bottom line there is a row of numbered functions, like 1 (Help), 2 (Unwrap) and so on. For now look only at 4 (Mode). Press F4 and a dialog box comes up with the choices Text, Hex and Decode. Normally, once you have found the offset (see the W32Dasm section), you have to change it. To do this choose Decode, and the functions on the bottom line change: now F3 is Edit, F5 is Goto, F7 is Search, and so on. If you already have the offset, press F5 and enter it, and you land exactly where you should. Press F3 (Edit) to change the bytes; inside Edit, F2 (Asm) lets you type mnemonics instead of hex. For a normal patch it is a JE that should be changed to a JNE. So press F3 where you landed after entering the offset and simply write 75 instead of 74 (for the long form of the jump, 0F 85 instead of 0F 84). When you are done, press F9 (Update, which also saves) and quit Hiew with F10 (Quit). Now run the program, and if you changed the right byte the message should be gone.

OK, now we've got that straight. Let's try an example. We found the offset (see the W32Dasm section for how) and now we want to make the change. Our offset in this example is 4B5A. Open Hiew, press F9 (Open), find the program you want to change and press Enter. You are now in Text mode; press Enter twice to get into Decode mode, press F5 and enter the offset.
You land on something like this:

:00404158 7443                    JE ...

or something like it. Now we change the 74 (the JE may also be encoded as 0F 84) into a JNE. Press F3 (Edit) and simply change 74 to 75 (or 0F 84 to 0F 85). Then press F9 (Update) and quit Hiew. That's it.

[4] Basics of SoftICE

Finally we get to the SoftICE section. First we need to configure Winice.dat. Here is my winice.dat for SoftICE 4.01:

** Cut from my Winice.dat **

PENTIUM=ON
NMI=ON
ECHOKEYS=OFF
NOLEDS=OFF
NOPAGE=OFF
SIWVIDRANGE=ON
THREADP=ON
LOWERCASE=OFF
WDMEXPORTS=OFF
MONITOR=0
PHYSMB=128
SYM=1024
HST=256
TRA=8
MACROS=32
DRAWSIZE=2048
INIT="X;"
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^ww;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="altscr off; lines 60; wc 32; wd 8;"
CF2="^wr;^wd;^wc;"

; WINICE.DAT
; (SIW95\WINICE.DAT)
; for use with SoftICE Versions greater than 3.0 (Windows 95)
;
; *************************************************************************
; If you have MORE than 32MB of physical memory installed, change
; the PHYSMB line to the correct # of Megabytes.
; If you have LESS than 32MB you can save a bit of memory by
; specifying the correct # of Megabytes
; Example: PHYSMB=32
; *************************************************************************

; ***** Examples of sym files that can be included if you have the SDK *****
; Change the path to the appropriate drive and directory
;LOAD=c:\windows\system\user.exe
;LOAD=c:\windows\system\gdi.exe
;LOAD=c:\windows\system\krnl386.exe
;LOAD=c:\windows\system\mmsystem.dll
;LOAD=c:\windows\system\win386.exe

; ***** Examples of export symbols that can be included *****
; Change the path to the appropriate drive and directory
EXP=c:\windows\system\vga.drv
EXP=c:\windows\system\vga.3gr
EXP=c:\windows\system\sound.drv
EXP=c:\windows\system\mouse.drv
EXP=c:\windows\system\netware.drv
EXP=c:\windows\system\system.drv
EXP=c:\windows\system\keyboard.drv
EXP=c:\windows\system\toolhelp.dll
EXP=c:\windows\system\shell.dll
EXP=c:\windows\system\commdlg.dll
EXP=c:\windows\system\olesvr.dll
EXP=c:\windows\system\olecli.dll
EXP=c:\windows\system\mmsystem.dll
EXP=c:\windows\system\winoldap.mod
EXP=c:\windows\progman.exe
EXP=c:\windows\drwatson.exe

; *****  Examples of export symbols that can be included for Windows 95 *****
; Change the path to the appropriate drive and directory
EXP=c:\windows\system\kernel32.dll
EXP=c:\windows\system\user32.dll
EXP=c:\windows\system\gdi32.dll
EXP=c:\windows\system\comdlg32.dll
EXP=c:\windows\system\shell32.dll
EXP=c:\windows\system\advapi32.dll
EXP=c:\windows\system\shell232.dll
EXP=c:\windows\system\comctl32.dll
EXP=c:\windows\system\crtdll.dll
EXP=c:\windows\system\version.dll
EXP=c:\windows\system\netlib32.dll
EXP=c:\windows\system\msshrui.dll
EXP=c:\windows\system\msnet32.dll
EXP=c:\windows\system\mspwl32.dll
EXP=c:\windows\system\mpr.dll

** Cut from my Winice.dat **

Normally there is a ; in front of the EXP lines, like this: ;EXP=c:\windows\system\mpr.dll. The ; means the line is disabled, so if you don't delete it, it is the same as not having the line at all.
Afterwards you need to set up your Autoexec.bat. Add this line to Autoexec.bat:

c:\pathtoSoftICE\Winice.exe

Restart and you're ready to begin. In older setups you would then open Loader32.exe, go to File, Open Module, then Module and Load; that is no longer necessary, you can now bring up SoftICE by pressing Ctrl+D.

The protection in the programs we will use is Name & Serial. Do not use SoftICE on Visual Basic programs; use SmartCheck for VB apps. These breakpoints are often used:

GetWindowText / GetWindowTextA
GetDlgItemText / GetDlgItemTextA

These breakpoints are used in about 90% of all programs you will meet. Now let's go into SoftICE. Press Ctrl+D when you have your program running with its registration box open. Type

BPX GetWindowTextA
BPX GetDlgItemTextA

and press F5 (Go). If you get an error message here, your Winice.dat is wrong (SoftICE only knows these names when the user32.dll exports are loaded). Fill out the registration box and SoftICE should pop up. Press F2 and Alt-F2 (WR and WD in the winice.dat above) to show the register and data windows. Press F11 to return from the call to the program's own code. If you remember the commands below, you're on your way to the elite:

F8 = Trace Into
F10 = Step Over
F11 = Return to the caller
? EAX = Show the value in EAX as hex, decimal and ASCII
D EAX = Dump memory at the address in EAX
S 0 L XXXXXXXX "String" = Search memory for a string
S 0 L XXXXXXXX XX,XX,XX,XX = Search memory for a byte sequence (XX = hex)

I think that was about it for the basics of SoftICE; for more questions mail me.

[5] How to patch using Pascal

Pascal is/was one of the most used languages to code cracks in, and many crackers still use it. That is why I want to teach you how to make a crack in Pascal. Here is the source; the original code is by tKC (thanks!).
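The Pascal and ASM patchers in this tutorial both do the same thing: seek to the file offset that W32Dasm reported and overwrite the conditional jump, without first checking what is at that offset. The following is an added example in Python, not tKC's or FileCAT's code; it does the same seek-and-write but verifies the expected original bytes before touching the file, handles both the short (74/75) and near (0F 84/0F 85) encodings of JE/JNE, and keeps a .bak copy. The file name EHM.EXE and the offset 4B5A are the ones this tutorial uses; the image it patches is constructed inside the example and is not a real program.

```python
"""Verified byte patcher: the Python counterpart of the Pascal and ASM
patchers in this tutorial.  Added example, not tKC's or FileCAT's code.
The file name EHM.EXE and offset 4B5A are the ones the tutorial uses; the
image that gets patched below is constructed here, not a real program."""
import os
import shutil
import tempfile

# JE -> JNE for both encodings the tutorial mentions: the short jump
# (74 rel8 -> 75 rel8) and the near jump (0F 84 rel32 -> 0F 85 rel32).
JE_TO_JNE = {
    b"\x74": b"\x75",
    b"\x0f\x84": b"\x0f\x85",
}


def invert_je(opcode: bytes) -> bytes:
    """Return the JNE opcode of the same length, or raise if this is not a JE."""
    try:
        return JE_TO_JNE[opcode]
    except KeyError:
        raise ValueError(f"not a JE opcode: {opcode.hex()}") from None


def apply_patches(data: bytes, patches: list[tuple[int, bytes, bytes]]) -> bytes:
    """Return a copy of data with (offset, expected, replacement) patches applied.

    Every expected byte string is checked before anything is changed, so a
    wrong offset or a different build of the target leaves the image as is.
    """
    out = bytearray(data)
    for offset, expected, replacement in patches:
        if len(expected) != len(replacement):
            raise ValueError("a patch must not change the file size")
        found = bytes(out[offset:offset + len(expected)])
        if found != expected:
            raise ValueError(
                f"offset {offset:#x}: expected {expected.hex()}, found {found.hex()}")
    for offset, _expected, replacement in patches:
        out[offset:offset + len(replacement)] = replacement   # the Seek + Blockwrite step
    return bytes(out)


def patch_file(path: str, patches: list[tuple[int, bytes, bytes]]) -> int:
    """Patch a file in place, keeping a .bak copy; return the number of bytes written."""
    with open(path, "rb") as f:
        original = f.read()
    patched = apply_patches(original, patches)   # validates before the file is touched
    shutil.copy2(path, path + ".bak")
    with open(path, "wb") as f:
        f.write(patched)
    return sum(len(r) for _o, _e, r in patches)


def demo() -> bytes:
    """Patch the JE at the tutorial's offset in a constructed image and
    return the two bytes at that offset afterwards (74 43 -> 75 43)."""
    image = bytearray(b"\x90" * 0x5000)     # constructed stand-in, not EHM.EXE
    image[0x4B5A:0x4B5C] = b"\x74\x43"      # JE +43h, as in the Hiew example
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "EHM.EXE")
        with open(target, "wb") as f:
            f.write(image)
        patch_file(target, [(0x4B5A, b"\x74", invert_je(b"\x74"))])
        with open(target, "rb") as f:
            return f.read()[0x4B5A:0x4B5C]


if __name__ == "__main__":
    print(demo().hex())
```

The pre-check is the part the two original patchers lack: if the user runs the crack against a different version of the program, the Pascal and ASM versions happily write 75 over whatever byte happens to live at the offset, while this one refuses and reports the mismatch.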
*** Source code to a 2 Byte Crack ***

Program PATCH;                                  { <- Put in the program name }
Uses Crt;                                       { <- It uses Crt }

Const
  A: Array[1..1] of Record                      { <- Description of Byte 1 }
       A : Longint;
       B : Byte;
     End = ((A:$XXXX; B:$XX));                  { <- A = Offset of Byte 1, B = new value of Byte 1 }
  C: Array[1..1] of Record                      { <- Description of Byte 2 }
       D : Longint;
       E : Byte;
     End = ((D:$XXXX; E:$XX));                  { <- D = Offset of Byte 2, E = new value of Byte 2 }
  Txt: array[0..3] of byte = ($XX,$XX,$XX,$XX); { <- Text in HEX }

Var
  Ch   : Char;
  I    : Byte;
  F    : File;
  Size : Longint;
  { GemExitProc: Pointer; }

begin
  Assign(F,'EHM.EXE');                          { <- Instead of EHM.EXE type in the filename to patch }
  {$I-} Reset(F,1); {$I+}
  If IOResult <> 0 then                         { <- Reset failed: the file is not there or cannot be opened }
  begin
    Writeln('Can Not find EHM.EXE');
    Halt(1);
  end;
  For I:=1 to 1 do                              { <- Here we start Byte 1 }
  begin
    Seek(F,A[I].A);
    Ch:=Char(A[I].B);
    Blockwrite(F,Ch,1);
  end;                                          { <- Ends Byte 1 }
  For I:=1 to 1 do                              { <- Starts Byte 2 }
  begin
    Seek(F,C[I].D);
    Ch:=Char(C[I].E);
    Blockwrite(F,Ch,1);
  end;                                          { <- Ends Byte 2 }
  Seek(F,$XXXX);                                { <- Offset of the text to overwrite }
  Blockwrite(F,Txt,4);
  Close(F);
  Writeln('Patching Complete!');                { <- What to say when the patch is complete }
end.

*** Source code to a 2 Byte Crack ***

Go through the code and you will see that it isn't that hard to code a crack. If you still can't code, get tHE EGOiSTE's patcher.

[6] How to patch using ASM

ASM is getting bigger and bigger with time; most crackers use ASM to code. My personal favourite is also ASM. If you want good coding, learn ASM. Here is a little source for a crack coded in ASM. Original code by tKC (thanks!).

*** Source to a 1 byte crack in ASM ***

; - Original Code by tKC -                   ; <- a comment, does not matter for the code
DOSSEG
.MODEL SMALL
.STACK 500h
.DATA
.CODE
PatchL   EQU 6
Buffer   Db PatchL Dup(1)
handle   dw ?
intro    db "Coded By YOU!",0dh,0ah,"Crack for <program + version> Cracked By <Name> with code from tKC$"  ; <- Text to show while patching
FileName db "PROGRAM.EXE",0                  ; <- Put in the file name
notfound db 0dh,0ah,"File not found!$"        ; <- Shows when the file cannot be opened
cracked  db 0dh,0ah,"File Successfully patched. Enjoy!$"   ; <- Shows when it's done
Cant     db 0dh,0ah,"Can Not Write to File.$" ; <- Error message
Done     db "File has been made.$"
String   db 075h,0                            ; <- "75", the byte to be patched in

START:
        mov  ax,cs                 ; the data lives in the code segment, so DS = CS
        mov  ds,ax
        mov  dx,offset intro
        mov  ah,9                  ; DOS: print string
        int  21h
        jmp  openfile

openfile:
        mov  ax,cs
        mov  ds,ax
        mov  ax,3d02h              ; DOS: open file for read/write
        mov  dx,offset FileName
        int  21h
        mov  handle,ax
        jc   filedontexist         ; CF set = open failed (AX = error code, 2 = file not found)
        jmp  write

filedontexist:
        mov  ax,cs
        mov  ds,ax
        mov  dx,offset notfound
        mov  ah,9                  ; DOS: print string
        int  21h
        jmp  exit

write:
        mov  bx,handle
        mov  cx,0000h              ; CX:DX = file offset
        mov  dx,3DCDh              ; <- Offset "3DCD"
        mov  ax,4200h              ; DOS: seek from the start of the file
        int  21h
        mov  dx,offset String
        mov  cx,01h                ; write one byte
        mov  ah,40h                ; DOS: write to handle
        int  21h
        mov  ax,cs
        mov  ds,ax
        mov  dx,offset cracked
        mov  ah,9                  ; DOS: print string
        int  21h
        jmp  exit

exit:
        mov  bx,handle
        mov  ah,3eh                ; DOS: close handle
        int  21h
        mov  ax,4c00h              ; DOS: terminate program
        int  21h
END START

*** Source to a 1 byte crack in ASM ***

I hope you will read it through and try to understand it. Again, thanks to tKC for letting me show this. I really hope you learned something from this code. If you want to be a good cracker, my advice is: learn ASM.

[7] FAQ (Frequently Asked Questions)

I get a lot of questions by mail; I hope to answer some of them here.

Question: How do you find the offset in a program?
Answer: That is one of the reasons I wrote this tutorial. If you just read and think at the same time, you will learn.

Question: Can you crack a program for me?
Answer: Please don't contact me with requests. If you want a program cracked, join #C.i.A on EFnet and ask someone to crack it. Also, please don't bug those people; they are busy, so be friendly and they will respect you.

Question: Can you email me when you're done with a crack?
Answer: No, I cannot. You can find my releases on #C.i.A.

Question: How can I contact you?
Answer: You can maybe find me in #C.i.A.

Question: If I want to use your cracks on my site, is that OK?
Answer: Sure, feel free to use my releases everywhere.

Question: Can you send me some cracking tools?
Answer: Absolutely not! SoftICE is about 15 MB. But you can get tools from www.protools.cjb.net.

Question: How do I join a group?
Answer: Most cracking groups have an IRC channel, usually named after the group, like LAXiTY's #Laxity99. You find most of them on EFnet. But you must have some skills; normally you get a crackme so you can prove you have some experience. I hope you won't bug me about this anymore.

[8] Good tools to have

Besides the most common tools like SmartCheck, Win32Dasm, SoftICE and Hiew, there are a few goodies you can use for cracking.

ProcDump: a brand new type of tool that allows you to dump and unpack some protected PE files without any need for a debugger.
PECRYPT32: a packer/encrypter for (P)ortable (E)xecutable files.
Bye PE-Crypt: decrypter for PECRYPT32.
COGEN II - WIN32 SOURCE-CODE GENERATOR: a really easy patcher generator to make your cracks with.
BreakICE: a simple patch that modifies SoftICE so that you can set any kind of breakpoint.
Windows Commander 4.01: a file manager for Windows, a tool like the Explorer or File Manager that comes with Windows.
Visual Basic: an easy tool to code your future programs in.
C++: my favourite to program in.
MASM: an ASM compiler (assembler).
ASPatch: in the words of its author: "ASPack made its entrance in the shareware scene. During that time it has grown to become one of the most popular .exe packers. Since it's such a popular packer, and pretty hard to patch without some knowledge of ASM programming, I've made this tool. It is not capable of unpacking the files, but it makes it possible to patch them in memory after they've been unpacked, without using any loaders or standalone in-memory patchers. This is accomplished by making a hook at GetProcAddress and making an in-memory patch when the hook is called from a specific location."
Octavius: because it's so cool.
Bad Religion, Sublime: to make you chill while you're finding the offset.

Most of the tools above can be downloaded from www.protools.cjb.net. Another good site to find tools is www.msjessca.da.ru, where you will find SmartCheck and all of tKC's tutorials.

[9] End & Greetings

Finally I reached the end of all this mess. You're free to contact me by mail at filecat@usa.net, where I will try to answer your questions. As you perhaps noticed, I'm a member of CiA; I joined a few weeks ago. It is really great to be there, and I get programs to crack. If you need a program cracked and you're not very experienced yet, make a request on www.crackrequest.cjb.net, so I can get even busier ;).

I don't really know who to greet, because so many people have supported me. But I made a list anyway; I hope I remembered everyone, else you could try to remind me.

Greetings fly out to:

tKC - for letting me use his sources
tHE EGOiSTE - for the best patcher out there; you are the ASM KING
Robin Hall - for support
Intern - I learned a lot from your tutorial
DnNuke, DaVinci, LagPRO, AcidHac, Socko and PeeWee - cool graphics, keep it going
ARiSTOTELES - moral support
Nitallica - for making the URL list (it helped me get into cracking)
Ringer - he was there from the beginning
FileCAT - for making this tutorial
T0RN@DO - for his tutorials
#Cracks friends (EFnet)
#CrackZ friends (Undernet)
#Crackers, the nicest people (Undernet)
#TMG friends (EFnet)
#C.i.A members (EFnet)
And YOU! (wow, got that fixed)


tARGET pROGRAM   : QControl 1.01
pROTECTION       : Registration Number
cURE             : Registration Number and KeyGen
uRL              : http://www.andtechnologies.com
pROGRAM sIZE     : 1.01 MB
tOOLS uSED       : - SoftICE 4.01
                   - Delphi 3.0
dESCRIPTION      : QControl is a Win32 program which allows you to manage print queues/jobs on Microsoft Windows and Novell NetWare networks.
You can access all printers/queues from a central, browsable administration point which you can quickly navigate, and you don't need to install drivers on your desktop in order to manage jobs on all of your printers.
cOMPILED bY      : Watcom C++
rEGISTRATION fEE : $195

Hi again! I hope you will enjoy my third TuT and that it helps you learn more!

Registration Number:
--------------------

First:
- Install the program.
- Run it!

Now go to Utility/Register and put in your company name and a fake registration number. I entered:

Company Name: tBS '99
Registration Number: 11223344

DO NOT PRESS OK YET! Press Ctrl-D, type bpx GetDlgItemTextA to break when that function is called, then Ctrl-D again or F5 to return to QControl. Click on "OK". Bang! Now we are looking at the SoftICE window; press F12 two times and trace with F10 a bit until you land here:

:0041013D 0FB705483B4300       movzx eax, word ptr [00433B48]     <-- Load the first two characters of our company name ('tB' in memory, read as the little-endian word 'Bt') into EAX
:00410144 8945F0               mov dword ptr [ebp-10], eax        <-- Store 'Bt' at EBP-10
:00410147 C745F400000000       mov [ebp-0C], 00000000             <-- Clear the place for the serial
:0041014E C705245B4300483B4300 mov dword ptr [00435B24], 00433B48 <-- Pointer to the company name (the loop below uses it)
:00410158 A1245B4300           mov eax, dword ptr [00435B24]      <-- Put the pointer to our company name in EAX
:0041015D 803800               cmp byte ptr [eax], 00             <-- Check if we entered nothing or if we are at the end of the company name
:00410160 7416                 jz 00410178                        <-- If so, jump out of the loop
:00410162 A1245B4300           mov eax, dword ptr [00435B24]      <-- Useless (repetition of line 00410158)
:00410167 0FB600               movzx eax, byte ptr [eax]          <-- Put the current char in EAX (first pass: 't')
:0041016A 6BC049               imul eax, eax, 49                  <-- Multiply EAX by 49h
:0041016D 0145F4               add dword ptr [ebp-0C], eax        <-- Add the result to EBP-0C
:00410170 FF05245B4300         inc dword ptr [00435B24]           <-- Advance the pointer to the next char ('B')
:00410176 EBE0                 jmp 00410158                       <-- Just do it again (the loop exits at 00410160)
:00410178 8B45F4               mov eax, dword ptr [ebp-0C]        <-- Put the sum over our company name in EAX
:0041017B 0FAF45F0             imul eax, dword ptr [ebp-10]       <-- Multiply again, this time by 'Bt'; EAX now holds the real serial
:0041017F 8945F4               mov dword ptr [ebp-0C], eax        <-- Store the real serial at EBP-0C
:00410182 8B45F4               mov eax, dword ptr [ebp-0C]        <-- Useless (repetition again, argh!)
:00410185 50                   push eax                           <-- Save the real serial on the stack

After this code there are some pushes and movs, so let's suppose that line 0041017B is the last one of the serial creation routine. Do a ? EAX and write down the decimal number (the middle one):

214F4928  0558844200  "!OI("

Go to QControl and type it in. :( What's wrong with that? Hmm, think a little... let's try the hex number instead: 214F4928. Yeah! It says "thank you for registering", you've just cracked it. (Note that the letters in the serial must be capitals.)

Wow, you see, it is a very easy protection. This TuT is to show you a little of how to use intuition when reverse-engineering a program. It might be wise to periodically check the decimal or hex values the registers hold. But anyway, there is another job for us: the death blow, a keygen. Step by step, for "tBS '99":

at 00410167  EAX <= 116                   // 't' is 116 decimal              ; EAX = 116
at 0041016A  EAX <= 116 * 73              // 49h is 73 decimal               ; EAX = 8468
at 0041016D  EBP-0C <= EBP-0C + 8468      // EBP-0C was 0                    ; EBP-0C = 8468
at 00410170  advance by 1 to reach 'B'
at 00410176  repeat until the end of the company name      // EBP-0C ends up as 32850
at 0041017B  EAX = 32850 * EBP-10         // EBP-10 = 'Bt' = 17012 decimal   ; EAX = 558844200

Converted to hex that is 214F4928. Now we have all the rules to make a keygen. Here is my source code for Delphi, but before that:

1) Create a form.
2) Create two edit boxes, the 1st for the company name and the 2nd for the registration number.
3) Click on the 1st edit box in the form.
4) Go to Events in the Object Inspector.
5) Double-click on the right side of OnKeyUp; you should now be between begin and end, right? If not, try again!
6) Copy/paste this code.
7) Delete the first begin, which comes right after:
   procedure TOKBottomDlg.Edit1KeyUp(Sender: TObject; var Key: Word; Shift: TShiftState);

So there is no button: Esc quits, and for the registration number just type whatever you want.

The KeyGen:
-----------
----------------------Cut Here----------------------
var
  CNValue    : LongInt;
  CNValue1   : LongInt;
  Serial     : LongInt;
  L,position : Byte;
begin
  if key <> vk_escape then                   // Any key except Escape recomputes the serial
  begin
    L := Length(edit1.text);                 // Length of our company name
    if L = 0 then
      edit2.text := 'Please Enter Your Company Name'   // Nothing entered: show a message
    else                                     // Otherwise continue
    begin
      CNValue1 := 0;
      position := 1;
      while position <= L do                 // Sum of every character times $49
      begin
        CNValue  := Ord(edit1.text[position]) * $49;
        CNValue1 := CNValue1 + CNValue;
        position := position + 1;
      end;
      CNValue := Ord(Edit1.Text[2]);         // These four lines read the first two chars
      Serial  := CNValue * 256;              // of the company name as a little-endian word
      CNValue := Ord(Edit1.Text[1]);         // (2nd char * 256 + 1st char), the same value
      Serial  := Serial + CNValue;           // the program loads with movzx at 0041013D
      Serial  := CNValue1 * Serial;          // LongInt wraps at 32 bits, just like EAX
      edit2.text := IntToHex(Serial, 8);     // Print the serial in hex with eight digits
    end;
  end
  else
    Close;                                   // Esc quits
----------------------Cut Here----------------------

Ending:
-------

Well, that's that. I hope you could follow it all. For any comments, or if there's anything I didn't explain too well, don't hesitate to mail me at tBS@iquebec.com.

Face of the Day:
----------------
   _õ_
  /_^_\
  ()–()
   \å/

When I was Martian.
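The serial routine that tBS read out of the disassembly above, carried through in Python as an added example (not tBS's Delphi keygen and not QControl's own code). It reproduces the intermediate values of the SoftICE trace (32850, 17012, 558844200, 214F4928) and spells out two details the walkthrough leaves implicit: the multiplication is 32-bit and wraps for long names (Delphi's LongInt happens to wrap the same way, which is why the Delphi code works), and for a one-character name the word loaded at 0041013D takes the terminating NUL as its high byte; that last point is inferred from the NUL-terminated loop, not shown in the tutorial.

```python
"""QControl 1.01 registration routine, re-implemented from the listing above.
Added example: not tBS's Delphi keygen and not QControl's own code.  Step
for step it is the disassembly: the company name sits at 00433B48, every
byte is multiplied by 49h and summed, and the sum is multiplied by the
first two characters read as one little-endian word."""

MASK32 = 0xFFFFFFFF   # EAX is 32 bits wide; Delphi's LongInt wraps the same way


def first_word(name: bytes) -> int:
    """movzx eax, word ptr [00433B48]: the first two bytes as a little-endian word.

    For 'tBS ...' that is 't' | 'B' << 8 = 0x4274, the value the tutorial
    calls 'Bt'.  A one-character name picks up its NUL terminator as the
    high byte and an empty name gives 0 (assumed from the NUL-terminated
    loop; the tutorial does not show these cases)."""
    padded = name + b"\x00\x00"
    return padded[0] | (padded[1] << 8)


def weighted_sum(name: bytes) -> int:
    """The loop 00410158..00410176: [ebp-0C] += byte * 49h until the NUL."""
    total = 0
    for b in name:          # cmp byte ptr [eax],00 / jz leaves the loop at the terminator
        total = (total + b * 0x49) & MASK32
    return total


def trace(company: str) -> dict:
    """The intermediate values the tutorial reads out of SoftICE."""
    name = company.encode("latin-1")
    s = weighted_sum(name)                 # [ebp-0C] after the loop
    w = first_word(name)                   # [ebp-10]
    return {"ebp-0C": s, "ebp-10": w, "eax": (s * w) & MASK32}   # imul eax,[ebp-10]


def qcontrol_serial(company: str) -> str:
    """The registration number as QControl wants it: eight uppercase hex digits."""
    return f"{trace(company)['eax']:08X}"


if __name__ == "__main__":
    for company in ("tBS '99", "A", ""):
        print(f"{company!r:12} -> {qcontrol_serial(company)}  {trace(company)}")
```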
Greetingz to: tKC, NETRUNNER, MinIfoo, apoKalipse, wAvEr, Ivanopulo, rEd, schUmU, TeeJi, MonoMeow, and all the crackers around the world.

Special Greetingz to: DaVinci, Nitallica, LagPRO, Socko, Fli7e, DnNuke, tony2000, and all the GfXs around the world.

Extra Greetingz to: CoOkIeE, Marta, CeLLuLaiR, BeNe, and all the ATGIHL around the world.

I would like to thank tKC for his kindness, and all the members of CiA.

This TuT is dedicated to MonoMeow, my far-away friend!


- -- A C i D  B U R N - P R O D U C T i O N S -- -

SRT - CRO

Phrozen Crew Trial Crackme 1: Calculation of a valid Serial!

Tutorial by ACiD BuRN [Immortal Descendants] (October 19th, 1999)

Introduction:

Since this crackme has expired (PC Trial Crackme 2 is out), I can write a tut on the registration part. I will only show how to crack the name/serial part, because I haven't looked at the rest of the crackme yet, and I don't like keyfiles anyway :p

Tools needed:
- SoftICE 3.2x
- Brain (some maths knowledge)
- a hex editor (the serial is not typeable)
- a calculator (the Windows one in scientific mode will do ;)

OK, run the PC crackme, enter name: ACiD BuRN and serial: 1234. Ctrl+D and you are in SoftICE; bpx hmemcpy and then F5...
Press the Check button and you are back in SoftICE. Trace until you are here:

// Operations on the serial:
025F:004020F9  8A18           MOV   BL,[EAX]
025F:004020FB  C1C308         ROL   EBX,08
025F:004020FE  03D3           ADD   EDX,EBX
025F:00402100  40             INC   EAX
025F:00402101  803800         CMP   BYTE PTR [EAX],00
025F:00402104  75F3           JNZ   004020F9
025F:00402106  8BCA           MOV   ECX,EDX
025F:00402108  33DB           XOR   EBX,EBX
025F:0040210A  33D2           XOR   EDX,EDX
025F:0040210C  B83C2E4000     MOV   EAX,00402E3C
// Operations on the name:
025F:00402111  8A18           MOV   BL,[EAX]
025F:00402113  C1CB08         ROR   EBX,08
025F:00402116  03D3           ADD   EDX,EBX
025F:00402118  40             INC   EAX
025F:00402119  803800         CMP   BYTE PTR [EAX],00
025F:0040211C  75F3           JNZ   00402111
025F:0040211E  C1CA08         ROR   EDX,08
025F:00402121  663BD1         CMP   DX,CX
025F:00402124  7520           JNZ   00402146

Well, I think this asm code is easy enough to understand what's going on. While you are tracing the name loop you see EDX reach AA5C0993. Trace a bit further until you pass the second ROR (ROR EDX,8 at 0040211E) and you will see 93AA5C09 in EDX.

025F:00402121  663BD1         CMP   DX,CX

This compares the value calculated from your name with the one from your fake serial. Note the operand size: DX and CX, so only the low 16 bits of the two values have to match; the upper halves are never looked at.

Now, the question is how to get a valid serial?! Easy, hehe... let me explain what's going on. I entered 1234 as serial, so during the loop on my serial (the same loop as for the name, except that it rotates left) it is doing something like this:

1st: loop on the serial:

      00 00 31 00
   +  00 31 32 00
   +  31 32 33 00
   +  32 33 34 31
   ---------------
      63 96 CA 31   <> 93 AA 5C 09 (the low word CA31 <> 5C09), so it is not good

Let's call X3, X2, X1, X0 the four ASCII values of the serial we enter, so it looks like this:

      00 00 X3 00
   +  00 X3 X2 00
   +  X3 X2 X1 00
   +  X2 X1 X0 X3
   ---------------
      93 AA 5C 09   <---- the good value we saw in memory

Here comes the maths! Matching byte by byte (ignoring carries between the columns), we get:

X3 = 09
X2 = 93 - X3 = 93 - 09 = 8A
X1 = AA - X3 - X2 = AA - 09 - 8A = 17
X0 = 5C - X3 - X2 - X1 = 5C - 09 - 8A - 17 = FFFFFFB2 (just take B2)

So the serial is: 09 8A 17 B2. These are the ASCII values of the good serial for ACiD BuRN. (Because the carries were dropped, the real sum of those four bytes is 93 AB 5C 09 rather than 93 AA 5C 09, but the CMP DX,CX above only looks at the low word, 5C09, and that one is right.) But with a four-character serial the first byte has to be 09, so the serial is not typeable with the keyboard!

So how do we enter it? Well, make a new text file, for example, enter 1234 and save it. Open this file with a hex editor; you will see 31 32 33 34, the ASCII codes of the 1234 we entered in the file. Replace them with our calculated serial:

31 becomes 09
32 becomes 8A
33 becomes 17
34 becomes B2

and save! If you hex-edit this file again you must see 09 8A 17 B2. OK, now open the file, select all the text (crappy-looking text, since the serial is not typeable), press Ctrl+C to copy it to the clipboard, and then go to the serial field of the crackme. Paste the serial from the clipboard with Ctrl+V and it appears in the crackme; it looks like this: " æò" (the good serial is between the quotes).

Name: ACiD BuRN
Serial: æò

Enter this information and you get the message: "Well Done, you have passed The Name / Serial Strainer! Well done! =)"

Another one cracked :p

Ending:

I hope you have understood all this essay, and if you have any comments or questions, just mail me at ACiD_BuRN@nema.com or acid2600@hotmail.com. You can find all of my tuts at:

Web page URL: http://acidburn2000.cjb.net

Greetings:

Group greetings: ID - ECLiPSE - CiA - ODT - EXEC - TiTaNe - PWA - PC - UCF - CORE

Also greetingz to (in no specific order): R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, Volatility, TORN@DO, T4D Jeff, [Virus], JaNe, Appbusta, Duelist, tKC, BuLLeT, Lucifer48, MiZ, DnNuke, Bjanes, Skymarshall, afkayas, elmopio, SiFLyiNG, Fire Worx, CrackZ, neural_en, WarezPup, _y, SiONIDE, SKORPIEN, Lazarus, Eternal_Bliss, Magic Raphoun, DEZM, Bisoux, Carpathia, K17, theMc, noos, Xmen, TeeJi, JB007, Arobas, T0AD, ytc, Kwai_lo, Killer_3K, TaMaMBoLo, gizmo, Gota, ExtaBrain, Alpine, zoltan, [yAtes], TarGon, Icecream, Punkguy2, Sortof, TRDdonjuan, Lord Soth, Judged, G-Rom, Quantico...

Eheh, I bet I forgot some people :-/, sorry!

Copyright (c) ACiD BuRN and the Immortal Descendants.
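The two loops from the listing above and the 16-bit compare, written out in Python as an added example (not ACiD BuRN's code and not the crackme's). Two assumptions: EBX and EDX are zero when the serial loop starts (the column sum for "1234" in the tutorial implies it, and the name loop is explicitly zeroed with XOR just before), and the name value 93AA5C09 is taken from the tutorial's trace for "ACiD BuRN" rather than recomputed, so replace it with whatever your own trace shows. Because the check at 00402121 is CMP DX,CX, only the low word has to match, and the example uses that to build a six-character serial out of ordinary printable characters, which makes the hex-editor detour unnecessary.

```python
"""Phrozen Crew Trial Crackme 1: the two hash loops from the listing plus a
solver for a serial that passes the CMP DX,CX.  Added example, not ACiD
BuRN's code and not the crackme's own.  Assumed: EBX and EDX are zero when
the serial loop starts; the name value 0x93AA5C09 is the tutorial's traced
value for "ACiD BuRN", used here as given."""

MASK32 = 0xFFFFFFFF


def rol32(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK32


def ror32(x: int, n: int) -> int:
    return ((x >> n) | (x << (32 - n))) & MASK32


def serial_hash(serial: bytes) -> int:
    """004020F9..00402104: mov bl,[eax] / rol ebx,8 / add edx,ebx per byte."""
    ebx = edx = 0
    for b in serial:
        ebx = rol32((ebx & 0xFFFFFF00) | b, 8)   # only BL is replaced, then rotated
        edx = (edx + ebx) & MASK32
    return edx                                    # copied to ECX at 00402106


def name_hash(name: bytes) -> int:
    """00402111..0040211E: the same loop with ror ebx,8, then one ror edx,8."""
    ebx = edx = 0
    for b in name:
        ebx = ror32((ebx & 0xFFFFFF00) | b, 8)
        edx = (edx + ebx) & MASK32
    return ror32(edx, 8)


def check(name_value: int, serial: bytes) -> bool:
    """00402121: cmp dx,cx -- only the low 16 bits of each value are compared."""
    return (name_value & 0xFFFF) == (serial_hash(serial) & 0xFFFF)


def three_printable_bytes(residue: int) -> bytes:
    """Three bytes in 0x21..0x7E whose sum is congruent to residue mod 256.
    Sums of three such bytes cover 99..378, so every residue is reachable."""
    residue %= 256
    total = residue if residue >= 99 else residue + 256
    for a in range(0x21, 0x7F):
        for b in range(0x21, 0x7F):
            c = total - a - b
            if 0x21 <= c <= 0x7E:
                return bytes([a, b, c])
    raise AssertionError("unreachable: every residue has a solution")


def typeable_serial(name_value: int) -> bytes:
    """A six-character printable serial that passes the 16-bit compare.

    Following the loop above, for a serial s[0..5] the low byte of
    serial_hash is s[0]+s[1]+s[2] (mod 256) and the next byte is the sum of
    all six bytes plus the carry out of the low byte.  Pick the first three
    characters to hit the low target byte, then the last three for the
    second one.  (A four-character serial has s[0] alone in the low byte,
    which forces it to 09, a tab: that is why the tutorial's serial is
    unprintable.)"""
    target = name_value & 0xFFFF
    prefix = three_printable_bytes(target & 0xFF)
    carry = sum(prefix) >> 8
    suffix = three_printable_bytes((target >> 8) - sum(prefix) - carry)
    serial = prefix + suffix
    assert check(name_value, serial)
    return serial


if __name__ == "__main__":
    traced_name_value = 0x93AA5C09            # from the tutorial's SoftICE trace
    print("1234 ->", f"{serial_hash(b'1234'):08X}")
    print("09 8A 17 B2 ->", f"{serial_hash(bytes.fromhex('098A17B2')):08X}",
          check(traced_name_value, bytes.fromhex("098A17B2")))
    print("typeable:", typeable_serial(traced_name_value).decode())
```

Running it reproduces the tutorial's 6396CA31 for "1234", shows that 09 8A 17 B2 sums to 93AB5C09 (low word 5C09, so it passes), and prints a serial such as !j~V~~ that can simply be typed into the crackme.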
http://www.immortaldescendants.com/


- -- A C i D  B U R N - P R O D U C T i O N S -- -

SRT - CRO

JAVA REVERSE ENGINEERING: How to defeat Java!

Tutorial by ACiD BuRN [Immortal Descendants] (October 23rd, 1999)

Intro:

OK, it is really easy to reverse Java apps when you have a decompiler! I will show you how easy Java reversing can be, but there are harder things, like name/serial apps. I haven't seen anyone do one yet, but there are some already done!

Tools needed:
- JAD (Java decompiler)
- nothing more :)

URLs:
http://www.lawrencegoetz.com/ (the Java target app)
http://acidburn2000.cjb.net/ (the Java decompiler, soon on my site)

In this tutor we will crack 3 things: Goetz's Banner V 2.0, Goetz's Marquee 1.1, and the ManKind Java crackme!

OK, let's start. Unzip the Goetz's Banner V 2.0 archive into a directory. You will see some files, and if you run the sample file (exemple.html) you see the banner effect produced by this nice Java thingy, but a BIG UNREGISTERED message is shown too! Hehe, doh :p

Java files are '.class' files, so just take the gbanner.class file and drop it on Jad.exe to decompile it. But it is better to make a .bat file, because otherwise the decompiled file might end up in the Windows directory!
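Jad gives you the whole source, but the strings alone are often enough to locate a check, the way String Data References do in W32Dasm: in gbanner.class the "UNREGISTERED VERSION!" text, the gboption.ini file name and the "InFeb" token the applet compares against all sit in the class file's constant pool as string constants. The following is an added example in Python, not Jad and not Goetz's code: a minimal reader for the constant pool of a .class file that lists exactly the CONSTANT_String entries, i.e. the literals the code compares or prints, and leaves out method names and descriptors. The class bytes it parses are constructed inline for the example and are not the real gbanner.class.

```python
"""List the string literals of a .class file without decompiling it.
Added example, not Jad and not part of Goetz's Banner.  SAMPLE_CLASS is a
constructed class file, not the real gbanner.class."""
import struct

# Payload sizes of the fixed-size constant pool entries (JVM spec, 4.4).
# Utf8 (tag 1) is variable-length; Long (5) and Double (6) take two slots.
FIXED_SIZE = {
    3: 4,    # Integer
    4: 4,    # Float
    7: 2,    # Class              -> name_index
    8: 2,    # String             -> string_index (a Utf8 entry)
    9: 4,    # Fieldref
    10: 4,   # Methodref
    11: 4,   # InterfaceMethodref
    12: 4,   # NameAndType
    15: 3,   # MethodHandle
    16: 2,   # MethodType
    17: 4,   # Dynamic
    18: 4,   # InvokeDynamic
    19: 2,   # Module
    20: 2,   # Package
}


def constant_pool(data: bytes) -> dict:
    """Parse the header and constant pool; return {index: (tag, value)}.
    Class and String entries store the index they point at, Utf8 entries
    the decoded text, everything else its raw payload."""
    if data[:4] != b"\xca\xfe\xba\xbe":
        raise ValueError("not a class file (bad magic)")
    (count,) = struct.unpack_from(">H", data, 8)     # after magic, minor, major
    pos, index, pool = 10, 1, {}
    while index < count:
        tag = data[pos]
        pos += 1
        if tag == 1:                                  # CONSTANT_Utf8
            (length,) = struct.unpack_from(">H", data, pos)
            pos += 2
            pool[index] = (tag, data[pos:pos + length].decode("utf-8", "replace"))
            pos += length
        elif tag in (5, 6):                           # Long / Double: 8 bytes, two slots
            pool[index] = (tag, data[pos:pos + 8])
            pos += 8
            index += 1
        elif tag in FIXED_SIZE:
            size = FIXED_SIZE[tag]
            if tag in (7, 8):
                pool[index] = (tag, struct.unpack_from(">H", data, pos)[0])
            else:
                pool[index] = (tag, data[pos:pos + size])
            pos += size
        else:
            raise ValueError(f"unknown constant pool tag {tag} at offset {pos - 1}")
        index += 1
    return pool


def string_literals(data: bytes) -> list:
    """The Utf8 texts referenced by CONSTANT_String entries, in pool order."""
    pool = constant_pool(data)
    return [pool[ref][1] for tag, ref in pool.values() if tag == 8]


def _utf8(text: str) -> bytes:
    """Encode one CONSTANT_Utf8 entry (used only to build the sample)."""
    raw = text.encode("utf-8")
    return b"\x01" + struct.pack(">H", len(raw)) + raw


# Constructed sample class: the parser only needs the header and the pool.
SAMPLE_CLASS = (
    b"\xca\xfe\xba\xbe"
    + struct.pack(">HH", 3, 45)                # minor 3, major 45 (JDK 1.1)
    + struct.pack(">H", 7)                     # constant_pool_count = entries + 1
    + _utf8("InFeb")                           # #1 Utf8
    + b"\x08" + struct.pack(">H", 1)           # #2 String -> #1
    + _utf8("UNREGISTERED VERSION!")           # #3 Utf8
    + b"\x08" + struct.pack(">H", 3)           # #4 String -> #3
    + _utf8("gbanner")                         # #5 Utf8: a class name, not a literal
    + b"\x07" + struct.pack(">H", 5)           # #6 Class -> #5
)

if __name__ == "__main__":
    for s in string_literals(SAMPLE_CLASS):
        print(repr(s))
```

On a real class file the same call lists every string literal the applet holds; the name "gbanner" is deliberately only a Class entry in the sample, so it is not reported, which is the distinction between what the code compares against and what merely names things.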
Anyway, if you can't find it, just search your hard disk for gbanner.jad. OK, now you have this file; open it with Notepad and you see this:

--------------------------------------gbanner.JAD------------------------------------------
// Decompiled by Jad v1.5.7. Copyright 1997-99 Pavel Kouznetsov.
// Jad home page: http://www.geocities.com/SiliconValley/Bridge/8617/jad.html
// Decompiler options: packimports(3)
// Source File Name:   gbanner.java

import java.applet.Applet;
import java.applet.AppletContext;
import java.awt.*;
import java.io.*;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Vector;

public class gbanner extends Applet
    implements Runnable
{

    public boolean mouseEnter(Event event, int i, int j)
    {
        if(info[place] != null && displaying)
            getAppletContext().showStatus(info[place]);
        mouseInside = true;
        return true;
    }

    public void stop()
    {
        running = false;
        if(animate != null)
        {
            animate.stop();
            animate = null;
        }
    }

    public gbanner()
    {
        m_background = "white";
        test_it = "";
        drawn = true;
        zoom = true;
        pausable = true;
        m_target = "_self";
    }

    public boolean mouseExit(Event event, int i, int j)
    {
        mouseInside = false;
        getAppletContext().showStatus("");
        return true;
    }

    public void paint(Graphics g)
    {
        if(drawable)
        {
            g.drawImage(offImage, 0, 0, this);
            place = loadImage;
        }
        drawn = true;
    }

    public String[][] getParameterInfo()
    {
        String as[][] = {
            { "image", "String", "lineN where N is the line number" },
            { "background", "String", "Background color" },
            { "URL", "String", "URLN where N is the URL for the image N." },
            { "target", "String", "Target of URL" },
            { "info", "String", "infoN where N is the infomation for the image N." },
            { "pause", "String", "pauseN where N is the pause time for the image N." },
            { "zoom", "String", "Zoom the images or not." },
            { "shuffle", "String", "Shuffle the images or not." },
            { "pauseable", "String", "Pause the applet when the mouse is in it." },
            { "one", "String", "Display only one image. Good for use with shuffle to display one random image." }
        };
        return as;
    }

    public void destroy()
    {
        running = false;
        if(animate != null)
        {
            animate.stop();
            animate = null;
        }
    }

    public int[] shuffle()
    {
        Vector vector = new Vector();
        int ai[] = new int[amount];
        for(int j = 0; j < amount; j++)
            vector.addElement(new Integer(j));

        for(int k = 0; k < amount; k++)
        {
            int i = (int)(Math.random() * (double)(amount - k));
            Integer integer = (Integer)vector.elementAt(i);
            ai[k] = integer.intValue();
            vector.removeElementAt(i);
        }

        return ai;
    }

    public void update(Graphics g)
    {
        paint(g);
    }

    public void start()
    {
        place = 0;
        if(offImage == null)
        {
            offImage = createImage(d.width, d.height);
            offGraphics = offImage.getGraphics();
        }
        try
        {
            myInfo = new URL(getDocumentBase(), "gboption.ini");
        }
        catch(MalformedURLException _ex)
        {
            good = false;
        }
        if(myInfo != null)
            try
            {
                input = myInfo.openStream();
                dataInput = new DataInputStream(input);
                test_it = dataInput.readLine();     // first line of gboption.ini
                dataInput.close();
            }
            catch(IOException _ex) { }
        if(test_it.equals("InFeb"))                 // the whole registration check: "good" decides the nag below
            good = true;
        running = true;
        if(animate == null)
        {
            animate = new Thread(this);
            animate.start();
        }
    }

    public String getAppletInfo()
    {
        return "Title: Goetz's Banner\r\n" + "Author: Lawrence Goetz\r\n" + "E-mail: goetz@lawrencegoetz.com\r\n" + "Web: http://www.lawrencegoetz.com/\r\n" + "Copyright Lawrence Goetz 1998";
    }

    public boolean mouseDown(Event event, int i, int j)
    {
        if(locations[place] != null && displaying)
            getAppletContext().showDocument(locations[place], m_target);
        return true;
    }

    public void run()
    {
        int i = 20;
        int ai[] = null;
        if(shuffle)
            ai = shuffle();
        int j1 = 0;
        if(!shuffle)
            loadImage = j1;
        setMyColor(offGraphics, "blue");
        offGraphics.fillRect(0, 5, 110, 20);
        setMyColor(offGraphics, "yellow");
        offGraphics.drawString("Loading Image", 5, 20);
        drawable = true;
        repaint();
        try
        {
            Thread.sleep(100L);
        }
        catch(InterruptedException _ex) { }
        Thread.yield();
        images = new Image[amount];
        while(running)
        {
            while(!drawn)
                try
                {
                    Thread.sleep(10L);
                }
                catch(InterruptedException _ex) { }
            if(shuffle)
                loadImage = ai[j1];
            if(!shuffle)
                loadImage = j1;
            images[loadImage] = getImage(getDocumentBase(), getParameter("image" + Integer.toString(loadImage + 1)));
            MediaTracker mediatracker = new MediaTracker(this);
            mediatracker.addImage(images[loadImage], 0);
            try
            {
                mediatracker.waitForID(0);
            }
            catch(InterruptedException _ex) { }
            drawn = false;
            drawable = false;
            if(!zoom)
                i = 1;
            image_w = images[loadImage].getWidth(this);
            image_h = images[loadImage].getHeight(this);
            int j = image_w / i;
            int k = image_h / i;
            int l = d.width / 2 - j / 2;
            int i1 = d.height / 2 - k / 2;
            setMyColor(offGraphics, m_background);
            offGraphics.fillRect(0, 0, d.width, d.height);
            if(i != 1)
                offGraphics.drawImage(images[loadImage], l, i1, j, k, this);
            else if(i == 1)
                offGraphics.drawImage(images[loadImage], l, i1, this);
            if(!good)                               // the nag: drawn on every frame while unregistered
            {
                setMyColor(offGraphics, "blue");
                offGraphics.fillRect(0, 5, 200, 100);
                setMyColor(offGraphics, "yellow");
                offGraphics.drawString("UNREGISTERED VERSION!", 5, 25);
                offGraphics.drawString("Please Register this applet.", 5, 50);
                offGraphics.drawString("Registration is only $5.", 5, 80);
            }
            drawable = true;
            try
            {
                Thread.sleep(50L);
            }
            catch(InterruptedException _ex) { }
            if(i > 1)
                i -= 2;
            if(i <= 0)
                i = 1;
            else if(i == 1)
                i = 20;
            repaint();
            displaying = true;
            if(i == 20)
            {
                if(pause[loadImage] > 0)
                    try
                    {
                        Thread.sleep(pause[loadImage] * 1000);
                    }
                    catch(InterruptedException _ex) { }
                while(pausable && mouseInside)
                    try
                    {
                        Thread.sleep(100L);
                    }
                    catch(InterruptedException _ex) { }
                while(one && running)
                {
                    drawable = true;
                    repaint();
                    try
                    {
                        Thread.sleep(100L);
                    }
                    catch(InterruptedException _ex) { }
                }
                if(++j1 == images.length)
                {
                    j1 = 0;
                    if(shuffle)
                        ai = shuffle();
                }
            }
            Thread.yield();
        }
    }

    public void init()
    {
        int i = 1;
        String s4 = "image" + Integer.toString(i);
        for(String s = getParameter(s4); s != null; s = getParameter(s4))
        {
            amount++;
            i++;
            s4 = "image" + Integer.toString(i);
        }

        locations = new URL[amount];
        for(int j = 0; j < amount; j++)
        {
            String s1
= getParameter("URL" + Integer.toString(j + 1)); if(s1!= null) { try { locations[j] = new URL(getDocumentBase(), s1); } catch(MalformedURLException _ex) { } } else { String s2 = getParameter("URL"); try { locations[j] = new URL(getDocumentBase(), s2); } catch(MalformedURLException _ex) { } } } String s3 = getParameter("target"); if(s3!= null &&!s3.equals("")) m_target = s3; info = new String[amount]; for(int k = 0; k < amount; k++) { info[k] = getParameter("info" + Integer.toString(k + 1)); if(info[k] == null) info[k] = getParameter("info"); } pause = new int[amount]; for(int l = 0; l < amount; l++) { String s6 = getParameter("pause" + Integer.toString(l + 1)); if(s6!= null &&!s6.equals("")) { pause[l] = Integer.parseInt(s6); } else { String s7 = getParameter("pause"); if(s7!= null &&!s7.equals("")) pause[l] = Integer.parseInt(s7); } } String s5 = getParameter("background"); if(s5!= null) m_background = s5; s3 = getParameter("zoom"); if(s3!= null && s3.equalsIgnoreCase("false")) zoom = false; s3 = getParameter("pauseable"); if(s3!= null && s3.equalsIgnoreCase("false")) pausable = false; s3 = getParameter("shuffle"); if(s3!= null && s3.equalsIgnoreCase("true")) shuffle = true; s3 = getParameter("one"); if(s3!= null && s3.equalsIgnoreCase("true")) one = true; d = size(); place = 0; offImage = createImage(d.width, d.height); offGraphics = offImage.getGraphics(); resize(d.width, d.height); } public void setMyColor(Graphics g, String s) { if(s.equals("white")) { g.setColor(Color.white); return; } if(s.equals("black")) { g.setColor(Color.black); return; } if(s.equals("light gray")) { g.setColor(Color.lightGray); return; } if(s.equals("gray")) { g.setColor(Color.gray); return; } if(s.equals("dark gray")) { g.setColor(Color.darkGray); return; } if(s.equals("red")) { g.setColor(Color.red); return; } if(s.equals("pink")) { g.setColor(Color.pink); return; } if(s.equals("orange")) { g.setColor(Color.orange); return; } if(s.equals("yellow")) { g.setColor(Color.yellow); return; 
} if(s.equals("green")) { g.setColor(Color.green); return; } if(s.equals("magenta")) { g.setColor(Color.magenta); return; } if(s.equals("cyan")) { g.setColor(Color.cyan); return; } if(s.equals("blue")) g.setColor(Color.blue); } private String m_background; private final String PARAM_imageN = "image"; private final String PARAM_background = "background"; private final String PARAM_URLN = "URL"; private final String PARAM_infoN = "info"; private final String PARAM_pauseN = "pause"; private final String PARAM_zoom = "zoom"; private final String PARAM_shuffle = "shuffle"; private final String PARAM_target = "target"; private final String PARAM_pausable = "pauseable"; private final String PARAM_one = "one"; private Dimension d; private boolean running; private Image images[]; private int place; private Image offImage; private Graphics offGraphics; private boolean good; private URL locations[]; private URL myInfo; private String test_it; private final String option = "InFeb"; private InputStream input; private DataInputStream dataInput; private Thread animate; private boolean drawable; private boolean drawn; private MediaTracker imageTracker; private int image_w; private int image_h; private String info[]; private int pause[]; private int amount; private boolean zoom; private boolean shuffle; private boolean pausable; private String m_target; private int loadImage; private boolean displaying; private boolean mouseInside; private boolean one; } -------------------------------------------End of jad file--------------------------------- ok big huh ? so , for the next files , i will just show the importent part! btw , if you read the Text file goind with this java protected shit , you have seen this is keyfile protected *grin* So , we are looking for a file check , so look this: try { myInfo = new URL(getDocumentBase(), "gboption.ini"); <--- interesting! 
keyfile name } catch(MalformedURLException _ex) { good = false; } if(myInfo!= null) try { input = myInfo.openStream(); dataInput = new DataInputStream(input); test_it = dataInput.readLine(); dataInput.close(); } catch(IOException _ex) { } if(test_it.equals("InFeb")) <--- hmm , looks like it test the text in the file good = true; <--- if text = InFeb then GOOD , else piss off cracker running = true; if(animate == null) heheh , wow , it sux! just create a file called gboption.ini and writte 'InFeb' in it without the quotes (').Save the file and run the exemple.html file! WOW , no more unregistered fucking lame text :) easy , isn't it ? Part2: Goetz's Marquee V 1.1 Still same things , Keyfile based apps in java! Decompile the class file , and open the gmarquee.jad one with a text editor like notepad! ok , i show you the most important part this time , it is exaclty same shit.. -------------------------------------cut from gmarquee.jad-------------------------------- public void start() { if(offImage == null) { offImage = createImage(d.width, d.height); offGraphics = offImage.getGraphics(); } if(f == null) { f = new Font("Helvetica", 0, m_font); fm = offGraphics.getFontMetrics(f); } try { myInfo = new URL(getDocumentBase(), "gmoption.ini"); <---- hehe :p } catch(MalformedURLException _ex) { good = false; } if(myInfo!= null) try { input = myInfo.openStream(); dataInput = new DataInputStream(input); test_it = dataInput.readLine(); dataInput.close(); } catch(IOException _ex) { } if(test_it.equals("Eggplant")) <--- if cracker put Eggplant jmp goodboy else jmp badboy good = true; if(!good) try { reg = new register(300, 200, "Please Register Goetz's Marquee", "http://www.lawrencegoetz.com/programs/nettools.htm", this); } catch(Exception _ex) { System.err.println("You are missing the file register.class"); return; } if(animate == null) -----------------------------End of quotes from Gmarquee.jad------------------------------------ Again, just create a file called gmoption.ini 
and writte 'Eggplant' in it without the quotes (').Save the file and run the exemple.html file! It is now registered , and you can enjoy this nice java thingy :p Ok , now enough of this keyfile shits , lets look a crackme coded by Mandkind in java in the text , there is no html to test the serial or something , but it is not needed heh! As always, decompile the .class , and open the jad output file with notepad! and we can see: ---------------------------------Start of CrackMe.jad------------------------------------------- public CrackMe() { } public static void main(String args[]) { if(args.length!= 1) { System.out.println("Usage: java CrackMe Registration Code"); System.exit(0); } System.out.println(""); System.out.println(""); System.out.println("Welcome to ManKind's Java CrackMe 0.1"); System.out.println("====================================="); System.out.println("This is an Alpha Test of ManKind's Java CrackMe, please do send your comments, suggestions, opinions, feedbacks and support words to me!"); System.out.println(""); System.out.println(""); int i = Integer.valueOf(args[0]).intValue(); if(i == 0x7f42b) System.out.println("Congratulations, you succeeded in cracking this!"); if(i!= 0x7f42b) System.out.println("Sorry, invalid registration code. Please try again!"); System.out.println(""); System.out.println(""); System.out.println("This program is Copyright \251 1999 ManKind"); System.out.println("Service for Mankind"); System.out.println("mankind001@bigfoot.com"); System.exit(0); } } ---------------------------------End of CrackMe.jad------------------------------------------- hehe , it looks nice! we can see: " int i = Integer.valueOf(args[0]).intValue(); if(i == 0x7f42b) System.out.println("Congratulations, you succeeded in cracking this!"); if(i!= 0x7f42b) System.out.println("Sorry, invalid registration code. 
Please try again!"); System.out.println(""); " in Visual basic , it looks like this: IF serial= $7f42b then msgbox "Congratulations, you succeeded in cracking this!" Else msgbox "Sorry, invalid registration code. Please try again!" End if the "0x7f42b" is hexadecimal , but we want the good serial , so convert the serial in decimal with the Windows calculator or using soft ice! Ctrl+d ? 7b42b You will see: 521259 easy isn't it ?? hehe , well i don't have any other java apps or crackme in hands :-( so this tut is finish ... I really hope java cracking is clear for you now! It is something really easy the most of the time! Al of this , coz of the decompiler though! Ending: i hope you have understood all this essay , and if you got any comments , or questions , just mail me to : ACiD_BuRN@nema.com or acid2600@hotmail.com you can find all of my tuts at : Web page URL: http://acidburn2000.cjb.net Greetings: group greetings : ID - ECLiPSE - CiA - ODT - EXEC - TiTaNe - PWA - PC - UCF- CORE Also greetingz to: (no specific order) R!SC, ^Inferno^, AB4DS, Cyber Blade, Klefz, , Volatility, TORN@DO, T4D Jeff, [Virus], JaNe , Appbusta , Duelist , tKC , BuLLeT , Lucifer48 , MiZ , DnNuke , Bjanes , Skymarshall , afkayas , elmopio , SiFLyiNG , Fire Worx , CrackZ , neural_en , WarezPup , _y , SiONIDE , SKORPIEN Lazarus , Eternal_Bliss , Magic Raphoun , DEZM , Bisoux , Carpathia , K17 , theMc , noos , Xmen , TeeJi , JB007 , Arobas , T0AD ,ytc , Kwai_lo , Killer_3K, TaMaMBoLo , gizmo , Gota , ExtaBrain , Alpine , WarezPup, zoltan , [yAtes], TarGon , Icecream , Punkguy2 , Sortof, TRDdonjuan, Lord Soth, Judged, G-Rom, Quantico... eheh , i bet i forget some peoples :-/ , sorry! Copyright (c) ACiD BuRN and the Immortal Descendants. 
http://www.immortaldescendants.com/

Name     : MPEGDJ ENCODER
Version  : 1.53
Editor   : Xaudio
Target   : encoder.exe
Tools    : W32Dasm 8.93
           Hacker's View 6.01
           PEN & PAPER (old school) ;)
           Brain
Cracker  : LW2000
Tutorial : No.1
Where to get it: http://www.xaudio.de/encoder

Well, this is my first tutorial *ever*. Please excuse my poor English, it's not my mother language....

OK guys, 16 steps to crack the bitch of a program. BUT remember: if you like it - buy it!

Ok, let's start:

1. Insert any audio CD in your drive and run MpegDj Encoder. Click on a track, i.e. two, and then click on Copy & Encode. *BOOM* "You are using the unregistered Version which can only Copy Track ONE.."

2. Quit and copy encoder.exe to try.exe. Disassemble try.exe.

3. Click on the SDR button and find the string: "You are using the unregistered

4. Double-click on it and press close in the SDR window.

5. Look at this:

* Referenced by a CALL at Address:
|:004E8DD5   <<--- We go there
|
* Possible StringData Ref from Code Obj ->"DoublePlayer"
:004E88F0 B81C894E00       mov eax, 004E891C
:004E88F5 E8C60AFAFF       call 004893C0
:004E88FA 84C0             test al, al
:004E88FC 7513             jne 004E8911
:004E88FE 6A30             push 00000030
* Possible StringData Ref from Code Obj ->"Unregistered"
|
:004E8900 682C894E00       push 004E892C
* Possible StringData Ref from Code Obj ->"You are using the unregistered "
                                        ->"Version which can only copy Track "
                                        ->"ONE of each Audio-CD."
|
:004E8905 683C894E00       push 004E893C
:004E890A 6A00             push 00000000

6. Now go to 4E8DD5.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004E8DC7(C)   <<--- Here is the Jump
|
:004E8DD1 8BD6             mov edx, esi
:004E8DD3 8BC7             mov eax, edi
:004E8DD5 E816FBFFFF       call 004E88F0   <<--- Here is our call

7. Now we go to 4E8DC7.

:004E8DAE E8152EF5FF       call 0043BBC8
:004E8DB3 85C0             test eax, eax
:004E8DB5 0F8E88050000     jle 004E9343
:004E8DBB BB01000000       mov ebx, 00000001
:004E8DC0 803D7F11510000   cmp byte ptr [0051117F], 00
:004E8DC7 7408             je 004E8DD1   <<--- Here we are
:004E8DC9 8B1D54C55000     mov ebx, dword ptr [0050C554]
:004E8DCF EB09             jmp 004E8DDA

8. If you look at 4E8DC7 you see a jump: if equal, then jump to 4E8DD1, which will pop up this nasty nag. We are going to change this... Place the bar at:

:004E8DC7 7408             je 004E8DD1

In the status bar you will see the offset E81C7h (the h is for hex and you can forget it). Our offset is E81C7.

9. Run Hiew and open encoder.exe. Press Enter twice to go to decode mode. Press F5 and type E81C7. Place the cursor on 74 and press F3. Change 74 to 75 and press F9 to update. Press F10 to save and quit.

10. Run MpegDj Encoder and try to encode any track on the CD. *BOOM* YOU ARE THE CHAMP! IT WORKS!

11. When running MpegDJ Encoder we see "Unregistered Version"... Well, I hate this text....

12. Run Hiew and open encoder.exe.

13. Press F7 to search. In the ASCII field type 'unregistered'. It will find the bad messagebox, but we have fixed it already. Press CTRL+F7 to go to the next match.

14. Now you will find "Unregistered Version".

15. Place the cursor at U. Press F3. Press TAB. Type '[lw2000] was here! '. Press F9.

16. We also want to fix the about box. Press CTRL+HOME. Press F7. Type 'unlicensed'. Like before, change it to '[lw2000] '.

FINISH! Easy, or?

cu lw2000
Any comments? Mail me lw2000@gmx.net!

----
I'd like to thank tKC for his tutors! I started with tutor 1 and I still read them... they are the best!


Name     : AntiSniff
Version  : 1.01
Editor   : L0pht
Target   : antisniff.exe
Tools    : W32Dasm 8.93
           Hacker's View 6.01
           PEN & PAPER (old school) ;)
           Brain
Cracker  : LW2000
Tutorial : No.2
Where to get it: http://www.l0pht.com/antisniff/

Well, this is my second tutorial *ever*. Please excuse my poor English, it's not my mother language....
OK guys, let's crack this bitch of a program. BUT remember: if you like it - buy it!

Ok, let's start:

1. Start AntiSniff. *BOOM* An "AntiSniff Registration" window appears and says: "AntiSniff is available for a 15 day trial period only. After your 15 day trial, you must register the software to continue using it...."

2. Let's enter something, i.e. LW2000, as an unlock code and press unlock.

3. *BOOM* You get a messagebox with the header "Bad unlock code!" and the following text: "You have entered an invalid unlock code. Registration requires purchasing a valid unlock code."

4. Quit and copy antisniff.exe to try.exe. Disassemble try.exe.

5. Click on the SDR button and find the string: "Bad unlock code!"

6. Double-click on it and press close in the SDR window.

7. Look at this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411B93(C)   <-- here we go!
|
:00411BDD 6840000500       push 00050040
* Possible StringData Ref from Data Obj ->"Bad unlock code!"
|
:00411BE2 6840844800       push 00488440
* Possible StringData Ref from Data Obj ->"You have entered an invalid unlock "
                                        ->"code. Registration requires purchasing "
                                        ->"a valid unlock code."
:00411BE7 68E0834800       push 004883E0
:00411BEC 53               push ebx

8. Now we go to 00411B93.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00411B52(C)
|
:00411B8F 3B742424         cmp esi, dword ptr [esp+24]
:00411B93 7548             jne 00411BDD   <<--- This is our jump!
:00411B95 8B4C2414         mov ecx, dword ptr [esp+14]
:00411B99 8D442424         lea eax, dword ptr [esp+24]
:00411B9D 6A04             push 00000004
:00411B9F 50               push eax
:00411BA0 6A04             push 00000004
:00411BA2 53               push ebx

9. If you look at 00411B93 you see a jump: if not equal, then we go to 00411BDD, which will pop up this nasty nag and leave the program unregistered! We are going to change this... Place the bar at:

:00411B93 7548             jne 00411BDD

In the status bar you will see the offset 11B93h (the h is for hex and you can forget it). Our offset is 11B93.

10. Run Hiew and open antisniff.exe. Press Enter twice to go to decode mode. Press F5 and type 11B93. Place the cursor on 75 and press F3. Change 75 to 74 and press F9 to update. This changes jump-not-equal to jump-equal: the program will be registered with any number except the real unlock code. Press F10 to save and quit.

11. Run AntiSniff and enter anything for the unlock code, i.e. LW2000, and press unlock! *BOOM* A new "Registration complete!" messagebox appears with the following text: "Your software is now registered. The timeout period has been removed." Congratulations! You are a registered user!

FINISH! Easy, or?

cu lw2000
Any comments? Mail me lw2000@gmx.net!

----
I'd like to thank tKC for his tutors! I started with tutor 1 and I still read them... they are the best!


Name     : Free2Fax
Version  : 1.00.03
Editor   : Answers 2000
Target   : free2fax.exe
Tools    : W32Dasm 8.93
           Hacker's View 6.01
           Hex Workshop 2.54 or another hex calculator
           Brain
Cracker  : LW2000
Tutorial : No.3
http://www.wildcomputer.com/free2fax/

Well, this is my third tutorial *ever*. Please excuse my poor English, it's not my mother language....

1. Load free2fax when you are NOT connected to the internet. *BOOM* "free2fax needs to download the advertising data (adverts are placed on the top of faxes sent using the unregistered version of free2fax) from the Internet before it can be used." Hey, what's this, we should download advertising? Nope! Press No! *BOOM* "free2fax is now exiting. When you are ready to download the advertising data please re-start freefax". Exit free2fax and copy free2fax.exe to backup.exe.

2. mhmm, let's try to crack this bitch of a program. Load W32Dasm with free2fax.exe, click the SDR button, and search for "free2fax needs to download the ". Close the SDR window. You get this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00418164(U)
|
:0041816B 85C0             test eax, eax
:0041816D 0F84D40D0000     je 00418F47   <-- Here is the check whether it was already downloaded!
:00418173 6A00             push 00000000
:00418175 6A24             push 00000024
* Possible StringData Ref from Data Obj ->"free2fax needs to download the "
                                        ->"advertising data (adverts are "
                                        ->"placed on the top of faxes sent "
                                        ->"using the unregistered version "
                                        ->"of free2fax) from the Internet "
                                        ->"before it can be used."

3. Ok, let's change this. Place the bar at:

:0041816D 0F84D40D0000     je 00418F47

In the status bar you get the offset 1756Dh. The h is for hex, forget it; our offset is 1756D. Quit W32Dasm and load Hiew with free2fax.exe. Press Enter twice to go to decode mode. Press F5 to go to offset 1756D. Press F3 to edit the file and change the 84 to 85; this makes je into jne. Press F9 to update and F10 to quit.

4. Start free2fax again. Mhmm, some messageboxes, ignore them, go to Options, Register. Enter your registration password; ok, let's try LW2000. Mhmm, letters don't work, we get 2000, ok let's try 2000 then. Press OK. We see a new messagebox with "Invalid Registration Password". OK, let's exit free2fax and load W32Dasm with free2fax.exe.

5. Click the SDR button and search for "Invalid Registration Password". We find this string three times. Let's look at the first:

:00417CBE 8378F809         cmp dword ptr [eax-08], 00000009
:00417CC2 7430             je 00417CF4   <- let's go there and take a look
:00417CC4 8B442420         mov eax, dword ptr [esp+20]
:00417CC8 85C0             test eax, eax
:00417CCA 740E             je 00417CDA
:00417CCC 6A00             push 00000000
:00417CCE 6A30             push 00000030
* Possible StringData Ref from Data Obj ->"Invalid Registration Password"

6. Go to the code location 00417CF4.

:00417CF4 50               push eax
:00417CF5 E816640000       call 0041E110
:00417CFA 8BF0             mov esi, eax
:00417CFC 83C404           add esp, 00000004
:00417CFF 81FED323FD26     cmp esi, 26FD23D3   <<-- mhhm, very interesting...
:00417D05 0F8429010000     je 00417E34         <- good boy
:00417D0B 81FECB4EFD26     cmp esi, 26FD4ECB   <<-- mhhm, very interesting...
:00417D11 0F841D010000     je 00417E34         <- good boy
:00417D17 81FEC379FD26     cmp esi, 26FD79C3   <<-- mhhm, very interesting...
:00417D1D 0F8411010000     je 00417E34         <- good boy
:00417D23 85F6             test esi, esi
:00417D25 7F30             jg 00417D57         <- bad boy
:00417D27 8B442420         mov eax, dword ptr [esp+20]
:00417D2B 85C0             test eax, eax
:00417D2D 740E             je 00417D3D
:00417D2F 6A00             push 00000000
:00417D31 6A30             push 00000030
* Possible StringData Ref from Data Obj ->"Invalid Registration Password"   <- The second string

7.

:00417CFA 8BF0             mov esi, eax
:00417CFC 83C404           add esp, 00000004
:00417CFF 81FED323FD26     cmp esi, 26FD23D3   <<-- mhhm, very interesting...
:00417D05 0F8429010000     je 00417E34         <- good boy

ok, what does this mean? The program stores eax in the source index (esi). It adds 4 to the stack pointer and then compares our code with the correct code! 26FD23D3 is the hex value of the serial. Let's convert it to decimal, remembering that we found out the program accepts only numbers as a serial. Ok, start Hex Workshop. Click on Tools, Calculator. Insert our hex value and click on decimal. We get 654123987. Our correct serial.

8. Load up free2fax. Go to the registration dialog. Insert 654123987 and press OK. "Registration Accepted - Thankyou". Congratulations! You are a registered user! You already checked it, or? 26FD4ECB and 26FD79C3 are two more hex values for serial numbers.

FINISH! Easy, or?

cu LW2000
Any comments? Mail me LW2000@gmx.net!

----
I'd like to thank tKC for his tutors! I started with tutor 1 and I still read them... they are the best!


Name     : Gamespy 3D
Version  : 2.16
Editor   : Spy Software
Target   : gamespy.exe
Tools    : Softice 4.00
           W32Dasm 8.93
           Hacker's View 6.01
           PE-Sniffer 1.06
           DeShrink 1.5
Cracker  : LW2000
Tutorial : No.4
http://www.gamespy.com

Please excuse my poor English, it's not my mother language....

1. Load Gamespy. *BOOM* "GameSpy - Un-Registered Version. GameSpy 3D is unlimited use shareware."

2. mhmm, let's try to register. Be sure that you are offline! Press Register and enter the following:
   Name  : LW2000
   Email : LW2000@GAMESPY.COM
   Key   : [LW2000]
   Now press OK.

3. *BOOM* The Dial-Up Network is opened.
It seems to be a kind of Internet protection as well. Click cancel. *BOOM* "The registration server is not responding. Try again later." Quit Gamespy.

5. Let's crack this bitch of a program. Load Softice and start the program again. Press Register and enter the following:
   Name  : LW2000
   Email : LW2000@GAMESPY.COM
   Key   : [LW2000]
   Don't press OK! First change to Softice with [Ctrl]+[d] and set a breakpoint with "bpx getwindowtexta". Then press F5 to go back to Gamespy.

6. Click on OK. Softice pops up because of the first text field (name). Press F5 to return to Gamespy. Softice pops up because of the second text field (EMail). Press F5 to return to Gamespy. Softice pops up because of the third text field (key). Press F5 to return to Gamespy.

7. Now we see the Dial-Up Network. Press cancel. Softice appears again. Press F12 to get to the caller. Now be patient and trace through the code (F10) until you get to a call that takes a *very long* time to finish. Wait, it will be worth it.

8. When the call is finished, trace a bit more until you come to the following code:

:00462F76 3BC5             cmp eax, ebp
:00462F78 0F846F010000     je 004630ED   <<--- BAD BOY
:00462F7E 85C0             test eax, eax
:00462F80 0F843C010000     je 004630C2   <<--- BAD BOY
:00462F86 8B864C010000     mov eax, dword ptr [esi+0000014C]   <- Your reg no.
:00462F8C 8B4C240C         mov ecx, dword ptr [esp+0C]         <- Correct reg number

9. We want to remove the two jump-equals and see the right serial number. Trace to the first je. Enter "a" to edit the code. Type "nop" and then Enter. Do this five more times. Now we have six nops. NOP means no operation: the computer will do nothing instead of checking the serial. Why 6 times? The hex code for "je 004630ED" is "0F846F010000"; that is 12 hex digits, divided by 2 gives 6 bytes. Trace to the second je and do the same. Yeah, NOP it out.

10. Trace just past the lines I have included. Type "d eax" to show your reg number. Type "d ecx" to show the correct serial number. Your serial is: 3Cd5-425G-g973-eh32

11. Type "bd *" to disable the breakpoints. Press F5 to exit Softice. A new messagebox tells you that your regcode ([lw2000]) is not correct. But you hear nothing like "server is not responding". You can now enter the correct serial number to register Gamespy, before(!) you exit Gamespy.

12. Let's make this shit permanent. I think I've seen the word shrink in the code; this means that the program is compressed by Shrinker. Let's look if I am right.

13. Load PE-Sniffer. Click on the "..." button and browse to Gamespy. Now click on Shrinker 3.3 and Shrinker 3.4 to scan this file for Shrinker.

14. The result is that the file is packed with Shrinker 3.4. Let's unpack it! Load DeShrink 1.5. Check the "unpack Shrinker 3.4" checkbox. Load gamespy.exe as input. Save it to unpacked.exe as output. Then press decompress.

15. Exit the program. Load unpacked.exe in W32Dasm. Go to code location "00462F76". Remember, this is the location we got from Softice.

:00462F76 3BC5             cmp eax, ebp
:00462F78 0F846F010000     je 004630ED   <<--- BAD BOY
:00462F7E 85C0             test eax, eax
:00462F80 0F843C010000     je 004630C2   <<--- BAD BOY
:00462F86 8B864C010000     mov eax, dword ptr [esi+0000014C]   <- Your reg no.
:00462F8C 8B4C240C         mov ecx, dword ptr [esp+0C]         <- Correct reg number

mhhmm, I think I've seen this before ;)

16. Place the bar on ":00462F78 0F846F010000 je 004630ED". In the status bar you see the offset "62F78h"; write it down. Place the bar on ":00462F80 0F843C010000 je 004630C2". In the status bar you see the offset "62F80h"; write it down. The h is for hex, forget it, so our offsets are 62F78 and 62F80.

17. Exit W32Dasm and load Hiew with unpacked.exe. Press Enter twice to go to decode mode. Press F5 to go to offset 62F78. Press F3 to edit the file and type "90" six times; this means nop in hex. Press F9 to update. F5 and go to 62F80 and do the same as at 62F78. Press F9 to update and F10 to quit. Run Gamespy and enter the details. Congratulations! You are a registered user!

FINISH!
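Seen from the other side of the table, the two edits made in this tutorial and in the MPEGDJ one (a short JE 74 turned into JNE 75, and a six-byte near JE 0F 84 .. overwritten with six 90 NOPs) are exactly what a release-integrity check is meant to catch. The Python below is an added example, not code from these tutorials or from any of the programs they discuss: it embeds a constructed byte blob built from the opcode bytes in the W32Dasm listings above, a copy of it patched the way the text describes, and shows how a SHA-256 comparison flags the patched copy and how a byte diff reports what each changed region does. The blob, its offsets and the function names are constructed for this example; the opcode readings are the standard x86 ones.

```python
"""Integrity check and patch report for the byte edits described above.

Added example, not part of the tutorials or of the targeted programs.
PRISTINE is a constructed blob made of the opcode bytes shown in the W32Dasm
listings (MPEGDJ step 7 and GameSpy step 8); PATCHED is the same blob after the
two edits the text describes. Nothing here is a real executable.
"""
import hashlib
import hmac

# Opcode notes for the bytes these tutorials touch (x86 conditional jumps).
SHORT_JCC = {0x74: "JE/JZ rel8", 0x75: "JNE/JNZ rel8"}
NEAR_JCC = {b"\x0f\x84": "JE/JZ rel32", b"\x0f\x85": "JNE/JNZ rel32"}
NOP = 0x90

PRISTINE = bytes.fromhex(
    "803D7F11510000"    # offset  0: cmp byte ptr [0051117F], 00
    "7408"              # offset  7: je  +08        (MPEGDJ: the 74 that gets flipped to 75)
    "8B1D54C55000"      # offset  9: mov ebx, dword ptr [0050C554]
    "EB09"              # offset 15: jmp +09
    "3BC5"              # offset 17: cmp eax, ebp
    "0F846F010000"      # offset 19: je  rel32      (GameSpy: the six bytes that get NOPed)
    "85C0"              # offset 25: test eax, eax
    "0F843C010000"      # offset 27: je  rel32
)

# Constructed "patched copy": the two edits the text describes, applied to the blob.
_p = bytearray(PRISTINE)
_p[7] = 0x75
_p[19:25] = bytes([NOP]) * 6
PATCHED = bytes(_p)


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def verify_release(data, expected_sha256_hex):
    """Release-integrity check: does this file still hash to the published digest?"""
    return hmac.compare_digest(sha256_hex(data), expected_sha256_hex)


def diff_regions(original, candidate):
    """Group every differing byte into contiguous (offset, old_bytes, new_bytes) regions."""
    if len(original) != len(candidate):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(original), len(candidate)))
    regions, start = [], None
    for i, (a, b) in enumerate(zip(original, candidate)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, original[start:i], candidate[start:i]))
            start = None
    if start is not None:
        regions.append((start, original[start:], candidate[start:]))
    return regions


def classify(old, new):
    """Describe what a changed region does, for the patterns used in these tutorials."""
    if len(old) == 1 and old[0] in SHORT_JCC and new[0] in SHORT_JCC:
        return "short conditional jump inverted (%s -> %s)" % (SHORT_JCC[old[0]], SHORT_JCC[new[0]])
    if len(old) == 6 and old[:2] in NEAR_JCC and new == bytes([NOP]) * 6:
        return "near conditional jump NOPed out (%s)" % NEAR_JCC[old[:2]]
    if set(new) == {NOP}:
        return "%d byte(s) overwritten with NOP" % len(new)
    return "bytes changed"


def patch_report(original, candidate):
    """One line per changed region: offset, old bytes, new bytes, reading."""
    return ["offset 0x%X: %s -> %s  %s" % (off, old.hex(), new.hex(), classify(old, new))
            for off, old, new in diff_regions(original, candidate)]


if __name__ == "__main__":
    published = sha256_hex(PRISTINE)          # what a vendor would publish beside the download
    print("pristine sha256:", published)
    print("patched  sha256:", sha256_hex(PATCHED))
    print("patched copy passes integrity check:", verify_release(PATCHED, published))
    for line in patch_report(PRISTINE, PATCHED):
        print(line)
```

The hash comparison is the part worth deploying (it is cheap and catches any change at all); the region report is for the analyst who then has to say what a flagged file does, and it recognises only the two patterns these tutorials use, falling back to "bytes changed" for anything else.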
Easy, or?

cu LW2000
Any comments? Mail me LW2000@gmx.net!

----
I'd like to thank tKC for his tutors! I started with tutor 1 and I still read them... they are the best!


Name     : A RobFantastic MP3 Encoder
Version  : 1.4
Editor   : Graceland Research
Target   : encoder.exe
Tools    : W32Dasm 8.93
           Hacker's View 6.01
           Brain
Cracker  : LW2000
Tutorial : No.5
http://www.lorenzini.com/jlorenzi/encoder.html

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

Please excuse my poor English, it's not my mother language....

1. Load A RobFantastic MP3 Encoder. Open 6 wave files with "Add Files", i.e. from c:\windows\media, where there are often many waves. OK, click on Encode.

2. *BOOM* "This is an Evaluation copy of the program. To encode more than 5 songs at a time you need to register. If you have a registration code, press the Enter Reg Code button to do this now or the Cancel button to continue." Mhmm, let's try to register. Press Register and enter the following:
   Name : LW2000
   Key  : [LW2000]
   Now press OK.

3. *BOOM* "The registration code you entered was not correct. Double-check the name and registration code to verify it was entered exactly as it was sent to you." Exit the program.

4. Let's crack this bitch of a program. Copy encoder.exe to try.exe. Load W32Dasm with encoder.exe and click the SDR button. Find "The registration code you entered was not correct. Double-ch". Double-click on this string and close the SDR window.

5. You see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:0041A460(C)   <<-- Here we go

:0041A47E 6A40             push 00000040
* Possible Reference to String Resource ID=33007: "A Rob Fantastic MP3 Encoder"
|
:0041A480 68EF800000       push 000080EF
:0041A485 E806290000       call 0041CD90
:0041A48A 83C404           add esp, 00000004
:0041A48D 50               push eax
* Possible Reference to String Resource ID=33042: "The registration code you entered was not correct. Double-ch"   <<-- Our message text
|
:0041A48E 6812810000       push 00008112
:0041A493 E8D8280000       call 0041CD70
:0041A498 83C404           add esp, 00000004
:0041A49B 8BCE             mov ecx, esi
:0041A49D 50               push eax
:0041A49E E809920100       call 004336AC
:0041A4A3 5E               pop esi
:0041A4A4 81C408020000     add esp, 00000208
:0041A4AA C3               ret

6. OK, we go to the code location 0041A460, because we jumped from there. We see this now:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0041A434(C)
|
:0041A449 8D8C2408010000   lea ecx, dword ptr [esp+00000108]
:0041A450 8D542404         lea edx, dword ptr [esp+04]
:0041A454 51               push ecx
:0041A455 52               push edx
:0041A456 E805030000       call 0041A760
:0041A45B 83C408           add esp, 00000008
:0041A45E 85C0             test eax, eax   <<-- Our test
:0041A460 741C             je 0041A47E     <<-- Bad BOY!
:0041A462 8D442404         lea eax, dword ptr [esp+04]
:0041A466 50               push eax
:0041A467 E884020000       call 0041A6F0
:0041A46C 83C404           add esp, 00000004
:0041A46F 8BCE             mov ecx, esi
:0041A471 E81F760100       call 00431A95
:0041A476 5E               pop esi
:0041A477 81C408020000     add esp, 00000208
:0041A47D C3               ret

7. If you look at 0041A460 you see a jump: if equal, then we go to 0041A47E, which will pop up this nasty messagebox and leave the program unregistered! We are going to change this... Place the bar at:

:0041A460 741C             je 0041A47E

In the status bar you will see the offset 1A460h (the h is for hex and you can forget it). Our offset is 1A460.

8. Exit W32Dasm and load Hiew with try.exe. Press Enter twice to go to decode mode. Press F5 to go to offset 1A460. Press F3 to edit the file and change 741C to 751C. This changes je to jne. Now it will always jump, except when you entered the correct serial number. Press F9 to update and F10 to quit. Run encoder.exe and enter the details. Congratulations! You are a registered user!

9. Like to know your correct serial number? Open regedit and go to:
   [HKEY_CURRENT_USER\Software\Graceland Research\Encoder]
   You find "Register RegCode" with "36832761". Mhmm, looks nice!
Write down the Code and delete this registry item. Start Encoder.exe (uncracked version!) and enter the following details: Name: LW2000 RegCode: 36832761 Congratulation! You are an registered user with your personal serial! FINISH! Easy, or? cu LW2000 Any comments? Mail me LW2000@gmx.net! ---- I'd like to thank tKC for his tutors! I started with tutor 1 and i still read them... they are the best! Name : Download Accelerator Version : 3.5 Editor : Lidan Target : DownloadAccelerator.exe Tools : W32Dasm 8.93 Hacker's View 6.01 Brain Cracker : LW2000 Tutorial : No.6 http://www.lidan.com/ --- DISCLAIMER For educational purposes only! I hold no responsibility of the mis-used of this material! --- Please excuse my poor english, its not my mother language.... 1. Install Download Accelerator. After installing go online and rightclick on a for example zip file. Save it. You get a new dialog from Download Accelerator. Save it with the Download Accelerator, but choose NOT regular download! 2. *BOOM* Works fine, but what the hell does this advertising data in our window? That's not nice, Download Accelerator load this shit in background. It slows down our connection! 3. Lets crack this bitch of a program. Copy DownloadAccelerator.exe to backup.exe. Mhmm, interesting a ADFiles directory. Lets take a look in it! OK, here stores the program our adverts. But from where comes this shit? Take a look at the registry. Start Regedit and go to [HKEY_LOCAL_MACHINE\Software\Lidan\Download Accelerator]. Mhmm, whats this: "AdSite"="fv4r<8142;942545403641elk/dap1c4u0fn4" i think this key differs by you, but shit lets kill it ;) doubleclick on this string and delete it. "AdSite"="" this we've got now. 4. So, lets go online and check it out! Mhmm, New messagebox: "AD Site is empty, cannot continue" Alright, open our baby in W32DASM. 5. Click the SDR Button. Find "AD Site is empty, cannot continue". Doubleclick on this string and close the SDR window. 
You see this: * Reference To: MFC42.Ordinal:0320, Ord:0320h | :00402023 E83EEF0000 Call 00410F66 :00402028 8B07 mov eax, dword ptr [edi] :0040202A 8B48F8 mov ecx, dword ptr [eax-08] :0040202D 85C9 test ecx, ecx <-- Mhmm, interesting :0040202F 7534 jne 00402065 <-- Bad Boy :00402031 8B442410 mov eax, dword ptr [esp+10] :00402035 50 push eax * Reference To: ADVAPI32.RegCloseKey, Ord:0145h | :00402036 FF1524D64100 Call dword ptr [0041D624] :0040203C 6A00 push 00000000 :0040203E 6A00 push 00000000 * Possible StringData Ref from Data Obj ->"AD Site is empty, cannot continue" | :00402040 6830A24100 push 0041A230 <-- Here we are 6. OK we go to the code location 0040202F, If you look at 0040202F you see a jump. If not equal then we go to 00402065 else we will popup this nasty messagebox! We are going to change this... Place the bar at : :0040202F 7534 jne 00402065 In the statusbar you will see the offset 142Fh (the h is for hex and you can forget it) Our offset is 142F. 7. Exit W32Dasm and load hiew with DownloadAccelerator.exe. Press Enter twice to go to decode mode. Press F5 to go to code location 142F. Press F3 to edit the file and change 7534 to 7434. This changed jne to je. Now, he will always jump except you have a ADSite. Press F9 to update and F10 to quit. 8. So, lets go online and check it out! Congratulation! No advertising data! FINISH! Easy, or? cu LW2000 Any comments? Mail me LW2000@gmx.net! ---- I'd like to thank tKC for his tutors! I started with tutor 1 and i still read them... they are the best! Name : mIRC Version : 5.61 Target : mIRC32.exe Tools : W32Dasm 8.93 Hacker's View 6.01 Brain Cracker : LW2000 Tutorial : No.7 http://www.mirc.com/ --- DISCLAIMER For educational purposes only! I hold no responsibility of the mis-used of this material! --- Please excuse my poor english, its not my mother language.... 1. Launch mIRC, you might have noticed, that the program has no limitations, even unregistered. But hey, i hate unregistered shareware... 
So go to HELP | REGISTER and enter LW2000 as username and use 123456 for your serial number. 2. *BOOM* mIRC Registration! messagebox: "Sorry, your registration name and number don't match! Please make sure you're typing them in using the correct capitalization and spacing. Thanks!" Mhmm, lets take a look in W32DASM. 3. Now copy MIRC32.exe to backup.exe and disassemble MIRC32.EXE with W32Dasm. Click on the String Data Reference (SDR) button and find "Sorry, your registration name and number don't match!" doubleclick on this string and close the SDR window. 4. Now you should see this: * Possible Reference to String Resource ID=01913: "Sorry, your registration name and number don't match!" :0043B708 6879070000 push 00000779 :0043B70D E8D2EFFCFF call 0040A6E4 :0043B712 50 push eax :0043B713 8B4508 mov eax, dword ptr [ebp+08] :0043B716 50 push eax 5. Mhmm..this doesn't look like the code we should see! OK, trace up until you see the following piece of asm code: * Referenced by a (U)nconditional or (C)onditional Jump at Address: :0043B621(C) <<-- Here we go! :0043B6C2 6A00 push 00000000 You see, we jumped from 0043B621, so lets go there and take a look. 6. Now you should see this: * Reference To: USER32.SendDlgItemMessageA, Ord:0000h | :0043B60B E80A250A00 Call 004DDB1A :0043B610 6803E14E00 push 004EE103 :0043B615 681CDD4E00 push 004EDD1C :0043B61A E899950600 call 004A4BB8 <<-- Mhmm, a interesting call :0043B61F 85C0 test eax, eax <<-- test eax if zero or one :0043B621 0F849B000000 je 0043B6C2 <<-- Jump if result is equal 7. OK, whatmeans this piece of code? First we've got a call that returns one or zero. This depends on the code thats inside. Then we've got a test, which will test if the result from this call is 1 or 0. And at last we have a JE which will take you either to the CORRECT or to the WRONG registration messagebox. Looks easy, or? Simple Name/Code check... OK, lets try it! 
Place the bar on :0043B621 0F849B000000 je 0043B6C2 You're Offset is 3AC21 (you see this in the statusbar). Copy mirc32.exe to try.exe. Open try.exe with hiew. Press Enter twice to go to decode mode. Press F5 enter enter 3AC21. OK, now press F3 to edit the file. Change 0F84 to 0F85, this changes je to jump not equal (jne). F9 to update and F10 to quit. 8. Now start try.exe. Enter any name and serial. *BOOM* "Your registration has been entered successfully. Thanks for registering! :)" Hey Cool, you've done it! 9. Mhmm, exit the program and start try.exe again. *BOOM* SHIT! Unlicensed copy! So, this program has a startup check. So, open mirc32.exe in W32DASM, again. So lets go back to: * Reference To: USER32.SendDlgItemMessageA, Ord:0000h | :0043B60B E80A250A00 Call 004DDB1A :0043B610 6803E14E00 push 004EE103 :0043B615 681CDD4E00 push 004EDD1C :0043B61A E899950600 call 004A4BB8 <<-- Mhmm, lets go there... :0043B61F 85C0 test eax, eax :0043B621 0F849B000000 je 0043B6C2 10. What we've go other but the call? Nothing! So lets take a look... Put the bar on the call line and click on the CALL button: Now, it should look like this: :004A4BB8 55 push ebp :004A4BB9 8BEC mov ebp, esp :004A4BBB 53 push ebx :004A4BBC 56 push esi :004A4BBD 57 push edi :004A4BBE 8B750C mov esi, dword ptr [ebp+0C] :004A4BC1 8B5D08 mov ebx, dword ptr [ebp+08] :004A4BC4 53 push ebx :004A4BC5 E87AC20200 call 004D0E44 :004A4BCA 59 pop ecx :004A4BCB 83F805 cmp eax, 00000005 <<-- compare eax with 5 :004A4BCE 7307 jnb 004A4BD7 <<-- jump if not below :004A4BD0 33C0 xor eax, eax <<-- eax goes empty :004A4BD2 E9DA000000 jmp 004A4CB1 <<-- jump to 4A4CB1 11. 
So lets trace down a bit until you see: :004A4C23 6864205000 push 00502064 :004A4C28 68641F5000 push 00501F64 :004A4C2D E8A6FEFFFF call 004A4AD8 <<-- well I've seen :004A4C32 85C0 test eax, eax <<-- something like :004A4C34 7407 je 004A4C3D <<-- this before ;) :004A4C36 B801000000 mov eax, 00000001 :004A4C3B EB74 jmp 004A4CB1 Hee, i think you have the same idea, like me ;) Lets change je to jne. Place the bar on :004A4C34 7407 je 004A4C3D your offset is A4234. 12. Hiew mirc32.exe. Same procedure as everytime... Enter twice, F5 and enter A4234, F3 to edit and change 7407 to 7507. F9 to update F10 to quit. 13. Fire up Mirc32.exe. Click on Help | register and enter: Name: LW2000 Serial: 123456 Press OK. Congratulation! You are a registered user! FINISH! Easy, or? cu LW2000 Any comments? Mail me LW2000@gmx.net! ---- I'd like to thank tKC for his tutors! I started with tutor 1 and i still read them... they are the best! I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #50 soon! ;) And as I said last time: Without knowledge, there's no power! ;) Credits go to: Socko for Splash Logo. tBS for providing a tut in this version. FileCAT for providing a tut in this version. ACiD BuRN for providing 2 tuts in this version. LW2000 for providing 7 tuts in this version. tKC/CiA (hey it's me!) for coding this version :) All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address! *** 75 chars per line in textfile please! *** And all the tutors can be found at http://www.msjessca.da.ru! Greetz goto all my friends! You can find me on IRC or email me at tkc@reaper.org Coded by The Keyboard Caper - tKC The Founder of PhRoZeN CReW/Crackers in Action '99 Compiled on 28 October 1999 Cracking Tutorial #49 is dedicated to ACiD BuRN
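The three LW2000 tutorials above all rest on the same one-byte edit: flipping the low bit of a conditional jump's opcode (741C to 751C, 7534 to 7434, 0F84 to 0F85, 7407 to 7507), which turns je into jne or back. Seen from the other side, that is also the signature a vendor's startup integrity check, or an analyst comparing a shipped binary against a pristine copy, should recognise. The Python below is an added example written for this compilation; it is not code by LW2000, tKC or any of the programs named above. The byte buffers are constructed to mirror the quoted instruction fragments at made-up offsets and are not the real executables, and the function names are my own.

```python
"""Spot the 'Jcc inversion' patch pattern when diffing a binary against a
pristine copy, and show the whole-image digest check that catches it.
Added example for this tutorial compilation, not the tutorials' own code.
The byte buffers below are constructed, not taken from real executables."""
import hashlib

# x86 condition codes: the low nibble of a short Jcc (0x70-0x7F) or a near
# Jcc (0x0F 0x80-0x8F) opcode selects the condition.  Flipping the lowest
# bit of that nibble inverts the condition, which is exactly what the
# tutorials' edits do: 74->75 (je->jne), 75->74 (jne->je), 0F84->0F85.
COND_NAMES = ["jo", "jno", "jb", "jnb", "je", "jne", "jbe", "ja",
              "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def jcc_at(data, off):
    """Return ("short"|"near", mnemonic) if data[off] looks like the
    condition byte of a Jcc, else None.  This is a heuristic: without a
    disassembler, a byte in these ranges may also be an operand or data."""
    b = data[off]
    if 0x70 <= b <= 0x7F:
        return "short", COND_NAMES[b & 0x0F]
    if 0x80 <= b <= 0x8F and off > 0 and data[off - 1] == 0x0F:
        return "near", COND_NAMES[b & 0x0F]
    return None


def find_jcc_inversions(original, patched):
    """Byte-diff two same-size images.  Returns (inversions, other): the
    inversions list holds (offset, form, old_mnemonic, new_mnemonic) for
    each single-byte change that inverts a conditional jump; other lists
    the offsets of every remaining changed byte for manual review."""
    if len(original) != len(patched):
        raise ValueError("sizes differ; not a simple in-place patch")
    inversions, other = [], []
    for off, (a, b) in enumerate(zip(original, patched)):
        if a == b:
            continue
        hit = jcc_at(original, off)
        if hit is not None and (a ^ b) == 0x01:
            form, old = hit
            inversions.append((off, form, old, COND_NAMES[b & 0x0F]))
        else:
            other.append(off)
    return inversions, other


def sha256_hex(data):
    """Digest of a whole image: the simplest startup integrity check a
    vendor can ship, and it flags every one of the edits above."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data, expected_hex):
    """True when the image still matches the known-good digest."""
    return sha256_hex(data) == expected_hex


def build_sample():
    """Constructed sample: NOP padding around the three quoted fragments,
    plus a tampered copy with the three jump flips and one unrelated byte
    change applied (offsets are made up, not the tutorials' offsets)."""
    clean = bytearray(b"\x90" * 0x40)
    clean[0x10:0x14] = bytes.fromhex("85C0741C")          # test eax,eax / je      (encoder.exe fragment)
    clean[0x20:0x24] = bytes.fromhex("85C97534")          # test ecx,ecx / jne     (DownloadAccelerator.exe fragment)
    clean[0x30:0x38] = bytes.fromhex("85C00F849B000000")  # test eax,eax / je near (mirc32.exe fragment)
    patched = bytearray(clean)
    patched[0x12] = 0x75   # 741C -> 751C
    patched[0x22] = 0x74   # 7534 -> 7434
    patched[0x33] = 0x85   # 0F84 -> 0F85
    patched[0x05] = 0x00   # unrelated edit, reported separately
    return bytes(clean), bytes(patched)


if __name__ == "__main__":
    clean, patched = build_sample()
    print("integrity ok:", verify_integrity(patched, sha256_hex(clean)))
    inv, other = find_jcc_inversions(clean, patched)
    for off, form, old, new in inv:
        print(f"offset {off:05X}: {form} {old} -> {new}")
    print("other changed offsets:", [f"{o:X}" for o in other])
```

The digest check answers only "was the file changed?"; the diff classifier is what tells an analyst that the change is the registration-check flip described in the tutorials rather than, say, a resource edit. In a real triage you would run the diff against the vendor's pristine copy and feed any flagged offset to a disassembler to confirm the byte really is an opcode.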