Welcome to Cracking Tutorial #50! What do we have here? Ah yes, a new interface! What a long way since I started a first tutor way back in 1997.. Oh yes, I've written 2 quick tuts today, can't believe I wrote my own so long ago, let's see... ah in tutors #10, #15, and #20. What a lazy boy I was hehe, as long as you enjoy other tutors, who cares then? :) And yes, CiA is 1 year old today! Let's celebrate ..... with #50, #51, and #52 :) OK, let's rave!

TOOLS
~~~~~

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.5.0
Windows Commander 4.01 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

MultiNet Manager v4.0.1
http://www.globesoft.com

This program is mainly used to switch TCP/IP settings in Win95/98, LAN or Dial Up. However it also integrates RAS dialing as well as Windows network settings, so you now have one program that you can use to configure all your network and dial up settings. A Virtual Windows driver is included with the MultiNet Manager and lets you choose the network configuration when booting.

1) Run MNETMGR4.EXE, you will see a popup message box.

2) Enter the following License and Key. Do not click on the "Register" button.

   License: mISTER fANATIC [C4A]
   Key    : 5544-332211

3) Press "CTRL-D" to return into SoftICE, type "bpx getwindowtexta", and press "CTRL-D" to return into MultiNet Manager. Finally, click on the "Register" button to register and you are back to SoftICE.
4) Press "F12" once and you will see the following:

   xxxx:00421710 FF1504144300   CALL [USER32!GetWindowTextA]
   xxxx:00421716 8B4C2408       MOV ECX,[ESP+0C]
   xxxx:0042171A 6AFF           PUSH FF
   xxxx:0042171C E87F2C0000     CALL 004243A0

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Press "F10" until the line below:

   xxxx:00405249 8D4C240C       LEA ECX,[ESP+0C]
   xxxx:0040524D 8D9EA0000000   LEA EBX,[ESI+000000A0]
   xxxx:00405253 51             PUSH ECX
   xxxx:00405254 8BCB           MOV ECX,EBX

7) Then, press "F10" until the line below:

   xxxx:00405265 E8F60F0000     CALL 00406260        <-- KeyGen routine
   xxxx:0040526A 83C408         ADD ESP,08
   xxxx:0040526D 84C0           TEST AL,AL
   xxxx:0040526F 7451           JE 004052C2          <-- Jump if bad code

At line xxxx:0040526A, type "d ecx" and you will see something interesting like "313764-3766". Hah, it's the real registration code.

8) Press "CTRL-D" to return to MultiNet Manager. Enter the following and click the "Register" button:

   License: mISTER fANATIC [C4A]
   Key    : 313764-3766

BOOM, it's registered! Well, I hope you learned something from this tutorial.

mailto: c4a@iname.com

PART 2
~~~~~~

-=How to crack Z-File Camouflage/Encryption System 3.0 Trial=-
By: nano

This is an interesting way to encrypt your filez. Not only does it use a password protection, but it also 'hides' your file by making it into a bitmap. I don't know how good the encryption is, but who cares, it's a trial version so we must crack it!

Things you should have:
WDasm 8.93
HIEW
RegMon
a brain :)

get tools from http://protools.cjb.net
get file from http://www.in4sec.com

I have to say first I tried SoftICE to get the correct serial and failed. So if anyone can get this please email me. After you install you see a nag that requests the correct serial number. But if you enter the wrong one it does not spit out an error window :(. So we choose 'try first'. Another nag pops up telling you how many days you have left to use it - click 'ok' to proceed. Now we notice that the word 'Trial' is in the left frame.
Now that we got all this, fire up WDasm and look at string references... Hmmm. I see "Trial", and "Serial". Let's check 'em out! Click on "Trial" and you'll land here:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040E5DE(C)
|
:0040E64E 66C745DC2000            mov [ebp-24], 0020

* Possible StringData Ref from Data Obj ->"Trial"

:0040E654 BAD5564800              mov edx, 004856D5

You thinking what I'm thinking? Let's find the jumper at 0040E5DE:

:0040E5DC 84C0                    test al, al
:0040E5DE 746E                    je 0040E64E

Get the offset at 0040E5DE which is: 0000DBDE and open HIEW. Press 'enter' (3) times, then F5 and enter the offset '0000DBDE' and we see our code once again:

746E                    je 0040E64E

Let's nop it by replacing '746E' with '9090'. Press F3 and change code, press F9 to update code, then press 'esc' to exit. Run the proggy again, we still see the nags, but the word "Trial" is gone.

Like I said before, I used SoftICE with bpx hmemcpy to try and get the serial, but instead I got lost in the dark code woods :(. So I decided to see what was happening with the registry when I entered a code. So I started RegMon and saw that it wrote the number I had entered and then referenced it twice after. The proggy was obviously reading the input from the registry to check if the correct number was entered. So back to WDasm. Click on "Serial" in the string references. The first one we see is this:

* Possible StringData Ref from Data Obj ->"Serial"
|
:0041D041 BA5FC04800              mov edx, 0048C05F

Scroll up a little and you'll see:

* Possible StringData Ref from Data Obj ->"SOFTWARE\Infosec\Z-file Camouflage&Encryption "
                                        ->"System\3.0"

This is the same registry key that we saw accessed in RegMon, but only one reference to "Serial". And remember it was called upon twice. So let's click "Serial" again and we land here:

* Possible StringData Ref from Data Obj ->"Serial"

:0041D334 BAE6C04800              mov edx, 0048C0E6

.... CODE
.... CODE
.... CODE

* Possible StringData Ref from Data Obj ->"Serial"

:0041D36D BAEDC04800              mov edx, 0048C0ED

And if we scroll up we'll see:

* Possible StringData Ref from Data Obj ->"SOFTWARE\Infosec\Z-file Camouflage&Encryption "
                                        ->"System\3.0"

Which is the registry key we've seen before, only now with two references below it. Scroll up even further and you see:

* Referenced by a CALL at Addresses:
|:004014CB , :0040E5D6 , :0040EAF4

Let's go to the first caller at 004014CB:

:004014CB E8DCBD0100              call 0041D2AC          <-- get serial
:004014D0 59                      pop ecx
:004014D1 84C0                    test al, al            <-- check serial
:004014D3 0F846DFFFFFF            je 00401446            <-- jump to bad cracker

(For those of you who are interested in how I found out that conditional jump was a bad one, read below.)

Get the offset of the jump: 00000AD3. Fire up HIEW, press F5 and enter the offset, press F3 and change 84 (je) to 85 (jne), F9 to update and 'esc' to exit. Run the proggy again and voila! No nag, no trial. I advanced my clock past the 30 day trial just to make sure it didn't have another surprise for me, and it didn't. Another proggy successfully transformed!

One of the features in WDasm which I never hear mentioned is the debugger. This is how I used it to figure out my bad jump. Press CTRL+L to load the process. Then in the main WDasm window goto 004014D1 (the serial test) and press F2 to set a breakpoint. Click on the 'code address' window and press F9 to run the proggy. You will see the serial nag. Enter whatever you want, '11223344', it doesn't matter. Then it stops at the breakpoint. I stepped through the code with F7 and noticed that it took the jump. So I clicked on the 'goto address' button and went back to the conditional jump at 004014D3. Then I clicked on the 'patch code' button and entered jne 00401446 and pressed 'enter' and clicked on 'apply patch'. I pressed F9 again to run the proggy and... hey, where'd the nag go?

That's about it.
Greetz to: =ã|ã?¯øÏø®ôŽ+=, ZeroGeddon, lo wang, ChiTown, jinsight, Meatgrinder, bogy, haurdcider, BJC525, propain, cyco & everyone else (you know who you are).

Special thanks to the master: tKC ...for making the distribution of knowledge possible.

As always, if you intend to use shareware beyond its trial period, buy it! (uh-huh) :)

email: lagerlarry@hotmail.com

PART 3
~~~~~~

Because Z-Wing (good ol' buddy) asked me tons of questions on how to crack the NAGs, I decided to write a tutor on how to remove the NAG on this program, INF-Tool v5.3. I'm not writing how to register this program, just only about the NAG for example. Ok, let's go..

What we'll need:

INF-Tool v5.3 - http://inner-smile.com/dl_inf.htm
W32Dasm v8.93 - http://w3.to/protools (yes, no SoftICE needed!)
HIEW v6.20, or any HEX editor - http://w3.to/protools
Windows Commander v4.01 - http://www.ghisler.com (oh my my my.... fav app)

Step 1. Run INF-Tool and see what the NAG says.

Step 2. Ok, it looks shitty to click OK, right? Ok, no problem.

Step 3. Quit INF-Tool, copy INFTool.exe to INFTool.w32, also copy it to INFTool.exx for backup.

Step 4. Load your W32Dasm and open INFTool.w32, done? Ok, with SDR you won't find any strings, eg. "unregistered" or "shareware" in W32Dasm, coz this NAG you saw was created as a form with Delphi, not a messagebox or messagedialog etc!

Step 5. Ok, in W32Dasm, press CTRL-L (or click Debug/Load Process), wait till the mouse cursor gets back to normal (Debug is loading the necessary DLL files to run INF-Tool).

Step 6. Ok, now press F9 (Run), wait till the NAG pops up. Now press F7 (Step Into), then click "Terminate".. if it asks Yes/No, say Yes.

Step 7. Ok, back to W32Dasm, you'll see:

* Reference To: user32.WaitMessage, Ord:0000h    <--- in NAG, it waits till you click OK..
                                  |
:0045107F E82065FBFF              Call 004075A4

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0045107D(C)
|
:00451084 33C0                    xor eax, eax
:00451086 5A                      pop edx
:00451087 59                      pop ecx

Step 8. Ok, trace back till you see:

* Referenced by a CALL at Address:
|:0045080B                         <--- let's goto this address..
|
:00450FA4 55                      push ebp
:00450FA5 8BEC                    mov ebp, esp

Step 9. Now press Shift-F12, enter 45080B. You'll see this:

:0045080B E894070000              call 00450FA4

Step 10. Trace back till you see:

* Referenced by a CALL at Addresses:
|:0044D42B , :00450A09             <--- let's goto the first address..
|
:004507F4 53                      push ebx

Step 11. Again Shift-F12, enter 44D42B. You'll see this:

:0044D42B E8C4330000              call 004507F4

Step 12. Trace baaaaaack... you'll see some shit like:

* Reference To: user32.GetCapture, Ord:0000h
xxx
xxx
* Reference To: user32.SendMessageA, Ord:0000h
xxx
xxx
* Reference To: user32.ReleaseCapture, Ord:0000h
xxx
xxx
* Reference To: user32.GetActiveWindow, Ord:0000h

Something like that, these are some functions to create/setup the form..

Step 13. Ok, while we trace, we get here, like this:

:0044D2E3 90                      nop
:0044D2E4 55                      push ebp
:0044D2E5 8BEC                    mov ebp, esp
:0044D2E7 83C4E0                  add esp, FFFFFFE0
:0044D2EB 56                      push esi
:0044D2EC 33D2                    xor edx, edx

Step 14. Hmmm, where is "Referenced by a Call/Jump" before 44D2E3?? Ok, this is because it's created with Delphi, no problem. This is where we'll work. Always when you see that it starts with 90, 55, xx, xx etc like above, we'll know that it starts here to create the form. Ok, we can patch the byte here at 55 (44D2E4) and below.. not from 90 (44D2E3)!

Step 15. Run HIEW, open INFTool.exe, in ASM Mode (Decode), press F5, enter 4C6E4 (you get this offset address in W32Dasm!). With F3, change 55 to C3. I normally used 2 bytes with C9 and C3. C9 means leave, and C3 means return..

Step 16. Save the file and run INFTool ..kool.. it works!

With this practice, you can remove NAGs on many programs written in Delphi. BTW, when you run INFTool, you'll see v3.22, not v5.3, this is because you changed the bytes in this program, let's say it's a CRC check. Not a big problem, just search for 3.22 in the file and change it to 5.3!
Also, many groups have released cracks for this program, older versions, and NOT ONE OF THOSE CRACKS WORKED! So, when a group releases a new crack next time on new versions, I'll know you stole it from this tutor, or from my cracks! :-)

Enjoy it, tKC....................tkc@reaper.org

PART 4
~~~~~~

On request, I'm writing this tutor to show you how to crack Delphi components. I've explained in old Tutor #20 how we cracked, but this is another example. It doesn't matter if you have Delphi 3, 4 or 5, this will do the same way, just different addresses. Ok, let's go..

What we'll need:

ZipTV v2.5210 Build 10 - http://www.ziptv.com
W32Dasm v8.93 - http://w3.to/protools (yes, no SoftICE needed!)
HIEW v6.20, or any HEX editor - http://w3.to/protools
Windows Commander v4.01 - http://www.ghisler.com (oh my my my.... fav app)
And Delphi 5 (3 or 4 is okay)

Step 1. Run Delphi and install the components.

Step 2. Open a new form and put any 1 of the ZipTV components on the form and compile PROJECT1.EXE!

Step 3. When you run PROJECT1 in Delphi, the NAG won't pop up. So quit Delphi, run PROJECT1.EXE, ah ugly NAG, unregistered...

Step 4. Ok, copy PROJECT1.EXE to PROJECT1.W32, also copy it to PROJECT1.EXX for backup.

Step 5. Load your W32Dasm and open PROJECT1.W32, done? Ok, click SDR, search for "Unregistered", doubleclick on it.

Step 6. Now you'll see like:

* Possible StringData Ref from Code Obj ->"Unregistered "

:00449621 BA289A4400              mov edx, 00449A28
:00449626 8B45F0                  mov eax, dword ptr [ebp-10]

Step 7. Trace back, you'll see "&Close", "&Web Page", "Courier New" etc. Those are what you have seen in the NAG, right?

Step 8. Go ahead with tracing back till you see:

* Referenced by a CALL at Addresses:
|:00449DC5 , :00449E0A , :0044AE30
|
:00449300 55                      push ebp
:00449301 8BEC                    mov ebp, esp
:00449303 B908000000              mov ecx, 00000008

Step 9. Ok, kool, this is where it creates the NAG. No need to goto the referenced calls' addresses, so we'll patch here.

Step 10. Ok, what now? We'll change 55 at 449300 to C3. The address might be different coz of Delphi's runtime files!

Step 11. Run HIEW, open PROJECT1.EXE, press F5 and enter 48700. This offset address is what you have got in W32Dasm!

Step 12. Change 55 to C3 by using F3, then save it (with F9).

Step 13. Why C3? When the procedures call this address, it'll tell them to go back! (C3 means Return).

Step 14. Now run PROJECT1.EXE. Kool, it works! Is it all?? NO! :)

Step 15. Don't quit W32Dasm, just run Delphi and UNinstall your ZipTV package. Also don't quit Delphi yet.

Step 16. Ok, let's goto your ZipTV folder where you have installed your package. I use Windows Commander to search for strings in files, with ALT-F7. So now in WC, press ALT-F7, click Find Text and enter "unregistered", then search!

Step 17. In the Search results box, we find TZIPTV5.BPL and ZTVMAIN.DCU. We ignore *.BPL, Delphi will create a new BPL, so we'll work on the DCU file. Ok, run HIEW and open ZTVMAIN.DCU.

Step 18. Look in W32Dasm, at the 449300 address, we take the 55, 8B, EC, B9, 08, 00 bytes. In HIEW, press F7 to search, in the HEX field, type: 55 8B EC B9 08 00. Search!

Step 19. Ok kool, we find this:

00004CE3: 55                      push bp
00004CE4: 8BEC                    mov bp,sp
00004CE6: B90800                  mov cx,00008 ;" ?"
00004CE9: 0000                    add [bx][si],al
00004CEB: 6A00                    push 000
00004CED: 6A00                    push 000
00004CEF: 49                      dec cx
00004CF0: 75F9                    jne 000004CEB -------- (3)
00004CF2: 53                      push bx
00004CF3: 56                      push si

Step 20. Does this match the bytes in W32Dasm? Yes! Kool, let's change the byte at 4CE3. Change 55 to C3 by using F3, then save it (with F9).

Step 21. Back in Delphi, open *.DPK and re-compile the pack. Create a new form again with any ZipTV component, compile the project!

Step 22. Run your compiled project. Kool, no NAG! :)

With this way, you can defeat other protections in other components. Easy, right? Yup.......

Enjoy it, tKC....................tkc@reaper.org

PART 5
~~~~~~

Oh yea, some people asked me what those bytes mean and what we do with them etc.
Here are some general functions we use for cracking:

HEX:                    ASM:      Meaning:
EBxx or E9xxxxxxxx      jmp       jump directly to
71xx or 0F81xxxxxxxx    jno       jump on no overflow
72xx or 0F82xxxxxxxx    jnae/jb   jump if not above or equal/jump if below
73xx or 0F83xxxxxxxx    jae       jump if above or equal
74xx or 0F84xxxxxxxx    je        jump if equal
75xx or 0F85xxxxxxxx    jne       jump if not equal
76xx or 0F86xxxxxxxx    jna       jump if not above
77xx or 0F87xxxxxxxx    ja        jump if above
7Cxx or 0F8Cxxxxxxxx    jnge/jl   jump if not greater or equal/jump if less
7Dxx or 0F8Dxxxxxxxx    jnl/jge   jump if not less/jump if greater or equal
7Exx or 0F8Exxxxxxxx    jng/jle   jump if not greater/jump if less or equal
7Fxx or 0F8Fxxxxxxxx    jnle/jg   jump if not less or equal/jump if greater

What if you want to change a long format jump, eg. 0F84xxxxxxxx to E9xxxxxxxx? Let's say you have 0F84AD040000. Just run HIEW, open a file, press F3, then press TAB. Change (type) JE to JMP, press Enter. Now you get E9AE040000! :) Easy, right? Yup........

Enjoy it, tKC....................tkc@reaper.org

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #51 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

Fli7e for Splash Logo.
Socko for Interface.
Mister Fanatic for providing a tut in this version.
Nano for providing a tut in this version.
tKC for providing 3 tuts in this version.
tKC for coding this version :) (Why do I like to give credits myself? lol)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

*** 75 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled with Delphi 5 on 16 November 1999

Cracking Tutorial #50 is dedicated to Ginny.
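Added example, not part of the tutorial: a small Python decoder for the jump encodings in the Part 5 table (short 7x rel8, long 0F 8x rel32, plus EB/E9 jmp). It carries the 0F84AD040000 -> E9AE040000 conversion through to show why the displacement gains one when the instruction loses a byte, and it is exercised on the jump bytes and addresses quoted in Parts 1 and 2.

```python
# Added example (not from the tutorial): decode x86 relative jumps and show
# that the jump target is relative to the END of the instruction, which is
# why a 6-byte "0F 84 rel32" becomes a 5-byte "E9 rel32" with rel32 + 1.
import struct

# Mnemonic for the low nibble of the 7x / 0F 8x opcode families.  The
# tutorial's aliases (jna=jbe, jnae=jb, jnge=jl, jnl=jge, ...) are the
# same opcodes under other names.
JCC = ["jo", "jno", "jb", "jae", "je", "jne", "jbe", "ja",
       "js", "jns", "jp", "jnp", "jl", "jge", "jle", "jg"]


def decode_jump(code: bytes, address: int):
    """Decode one jump whose first byte sits at `address`.

    Returns (mnemonic, length, target) or None if it is not a jump."""
    op = code[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:              # short form: rel8
        rel = struct.unpack_from("<b", code, 1)[0]
        length = 2
        mnem = "jmp" if op == 0xEB else JCC[op & 0x0F]
    elif op == 0xE9:                                  # long jmp: rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        length = 5
        mnem = "jmp"
    elif op == 0x0F and 0x80 <= code[1] <= 0x8F:      # long jcc: rel32
        rel = struct.unpack_from("<i", code, 2)[0]
        length = 6
        mnem = JCC[code[1] & 0x0F]
    else:
        return None
    # displacement is added to the address of the NEXT instruction
    return mnem, length, (address + length + rel) & 0xFFFFFFFF


def jcc_to_jmp(code: bytes) -> bytes:
    """Rewrite a 6-byte 0F 8x rel32 jcc as the 5-byte E9 rel32 jmp that
    lands on the same target.  One byte shorter means the displacement
    must grow by one; this is what HIEW does when you type JMP over JE."""
    if not (code[0] == 0x0F and 0x80 <= code[1] <= 0x8F):
        raise ValueError("not a long conditional jump")
    rel = struct.unpack_from("<i", code, 2)[0]
    return b"\xE9" + struct.pack("<i", rel + 1)


if __name__ == "__main__":
    # the two jumps quoted in Part 2 and the tutorial's conversion example
    print(decode_jump(bytes.fromhex("746E"), 0x0040E5DE))
    print(decode_jump(bytes.fromhex("0F846DFFFFFF"), 0x004014D3))
    print(jcc_to_jmp(bytes.fromhex("0F84AD040000")).hex().upper())
```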