Welcome to Cracking Tutorial #51! What do we have here? Ah yes, a new
interface! What a long way since I started my first tutor way back in 1997..
Oh yes, I've written 2 quick tuts today; can't believe I wrote my own so long
ago, let's see... ah, in tutors #10, #15, and #20. What a lazy boy I was hehe,
but as long as you enjoy the other tutors, who cares? :) And yes, CiA is 1
year old today! Let's celebrate with #50, #51, and #52 :) OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll
need to use all those tools, so be sure to get them handy for the examples in
this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.5.0
Windows Commander 4.01 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials. Here is a good site where you can grab
tools from: http://protools.cjb.net or http://w3.to/protools, or ask any
cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Name     : CrackTips for Newbies
Cracker  : LW2000
Tutorial : No.8

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

Please excuse my poor English, it's not my mother language....
Advanced crackers, don't laugh and remember the title 'CrackTips for
Newbies'!

---
You can place the green bar in W32DASM with a double-click on a line.

---
Hiew can be started automatically in decode mode. Simply open hiew.ini and
change the 'StartMode' value from 'Text' to 'Code'.

---
An easy way to defeat nag screens: Load your program and wait till the nag
is shown. Write down the caption of this window and the first words of the
message. Open the exe (or sometimes dll) in a hex editor and search for the
noted string. If you have found the string, scroll up and search for the hex
string 'FF FF FF 80'. If you find it, replace it with 'FF FF FF 90'. Usually
this way won't work if you have to press a button.

---
When you get your offset in W32DASM, you see in the status bar something
like 'Offset E346Ah'. The 'h' means only hex - don't write it in Hiew, too.
Your offset is E346A!

---
OK, I answered this question a dozen times, so read this! ... and tell all
your friends (if you have any *g*). In nearly all types of INI or CFG files
the ';' and '//' mean the line is disabled! This is used for comments! Yeah,
you check it! In the winice.dat the ';' is for comments, too. And I swear,
the next one who asks me something like: "I have added this line to the
winice.dat, why does it not work? ;EXP=c:\windows\system\vbrun300.dll" must
buy me a new PC!

---
Try to understand the code!

---
When serial catching, always use the same serial number, so that you know
what it looks like in hex. I prefer 123789. In hex it is 1E38D. Whatever
serial you choose, try to avoid something like 123456789.

---
Learn assembly! Learn assembly! Learn assembly! Learn assembly!

---
If you step over a call, check the content of any changed register. You may
find the serial number here.

---
Don't give up too fast, learning to crack needs time!

---
In W32DASM, always look if your reference exists more than once. You search
for your message in the SDR window, you double-click your message and W32DASM
goes to this location. Finished? NO! Double-click again on your string in the
SDR window, to be sure this is the only reference!

---
Most programmers are lazy. Whenever a task must be done, they write a
procedure or function. They call it when the task must be done. Usually
programs that use the serial/name check perform this task twice: once when
the serial is entered and the second time when the program is fired up. So
patch the function and save a lot of work. Patching a function is often an
advantage with CD checks, nag screens, time or date checks, too.

---
In W32DASM all call and jump cross-reference addresses can be jumped to by
simply double right-clicking on the reference address. To return to the
reference, press F12.

---
If a function returns -1 as a value from a registration check, this normally
means not registered. 1 (and sometimes 0) usually means check passed.

---
Read all of tKC's Tutorials!

---
A program allows you, e.g., a 20 day trial. Remember: most programmers are
lazy! And a lazy programmer might check the trial period like this:

CMP DWORD PTR register, 14    <<-- 14 hex is 20 decimal
JLE/JGE address               <<-- usually one of these conditional jumps

Let's think in hex *g*: what we've got is 83 for CMP, only several likely
register options, 14 for the 20 days and 7E for JLE or 7D for JGE. Load your
favorite hex editor and do a little search. You may find this in one or more
locations. Let's make the JLE (7E 33) that we've found into an unconditional
jump (EB 33). I would check it, but normally it is cracked...

---
Most crackers say: read all you can get about cracking if you want to become
a real cracker! But my tip is: first read only the best tutors (newbie
related), the others will only confuse you in the beginning. Going this way
you'll save a lot of time! So, as I said before, read all tKC's tutors! Other
very nice tuts are from BuLLeT, Tornado, HarvestR, The Saint Man and Acid
Burn.

---
Never, I said never, use NOP unless it is totally necessary. There are
usually many better ways! For example, instead of 2x NOP you could better
write INC ECX, DEC ECX, or something like this.

---
So, you read the tips? OK! Another tip from me is to use specialized tools.
It saves a lot of time, and when they exist, why not use them???
Here are the tools I prefer:

W32DASM 8.93 (in two versions, one with SDR Enabler for VB apps and one
  without, because of the problems with some non-VB apps)
SmartCheck 6.03 (cracking VB apps is fun with this tool!)
Softice 4.0 (no explanation required!)
Hiew 6.16 (because this is the best hex editor in the world)
PE-Sniffer 1.06 (fine proggy to identify compiler/packer)
THE CUSTOMISER (the tool for playing with windows)
ProcView 3.1.1.2 (to throw apps perfectly out of memory; sometimes your crack
  was &%$#! and the app is dead... much better than [ctrl]+[alt]+[del])
RegMon (to control registry entries)
FileMon (to control files)
GetType (to identify files)
Opcodes (knowledge is power!)
ProcDump 1.5 (cool tool for unpacking / PE header plays)
BlindRead (good to read crippled files from CDs)
OpenList (take a look at the shit Windows loads up, nice to find trojans!)
Snooper for Windows (get the text out of files)

... it looks like a lot, but most of these tools are quite small.

FINISH! Got everything? If not, read again *g*.

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!

PART 2
~~~~~~

Name      : MightyFax
Version   : 2.9q
Editor    : RKS Software
Target    : mf.exe
s/n saved : mf.ini
Tools     : Softice
            Brain
            Pen & Paper (old school ;)
Cracker   : LW2000
Tutorial  : No.9

http://www.rkssoftware.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

Please excuse my poor English, it's not my mother language....

1. Launch MightyFax, a nag appears. There's an interesting button... 'Enter
   Serial Number' *g*. Let's do so.

2. Name: LW2000
   Serial: 1230099
   *BOOM* You have entered an incorrect name and/or serial... Press OK.
   Wrong serial? Typical program bug ;)

3. [Ctrl]+[d] to Softice and set a breakpoint on MessageBeep:
   bpx messagebeep
   [F5] to return to the application.

4. Name: LW2000
   Serial: 1230099
   *BOOM* Softice pops up.
   [F11] to get the caller.

   0177:004B24A0  E8833BF5FF    CALL USER32!MessageBeep
   0177:004B24A5  B201          MOV DL,01
   0177:004B24A7  8B45F4        MOV EAX,[EBP-0C]
   0177:004B24AA  E805FBFFFF    CALL 004B1FB4
   0177:004B24AF  8B45F4        MOV EAX,[EBP-0C]
   0177:004B24B2  8B80B0010000  MOV EAX,[EAX+000001B0]

5. Scroll up till you see:

   0177:004B242B  8B4DF8        MOV ECX,[EBP-08]
   0177:004B242E  8B55FC        MOV EDX,[EBP-04]
   0177:004B2431  E872770000    CALL 004B9BA8    <- double-click on this line
   0177:004B2436  84C0          TEST AL,AL
   0177:004B2438  7464          JZ 004B249E
   0177:004B243A  6A00          PUSH 00

   Type 'bd 0'. Press [F5] to return to the app.

6. Next try...
   Name: LW2000
   Serial: 1230099
   Press OK. *BOOM* Softice breaks on our line *g*

7. Let's look at what we've got:
   'd eax' nothing important
   'd ebx' nothing important
   'd ecx' WHAT THE HELL IS THIS??? *g*
   Take a look at the Data Window! We see there our dummy serial (1230099),
   our name (LW2000). Mhmm, then 'RKS-1230099' [remember RKS is the
   editor... *g*]. But we've got more! 2478645 (mhmm, looks interesting),
   then RKS-2478645. And RKS-2142351. Looks like we've found the serials...
   OK, so check it out!
   Name: LW2000
   Serial: RKS-2478645
   Press OK. *BOOM* Serial Number Accepted!

8. 6 minutes till here, I love stupid software =)
   RKS-2142351 works, too. You can try it yourself, simply delete the serial
   in the MF.ini under [Registration32], and enter the new details in the
   dialog. Or change the ini... ;)

Congratulations! You are a registered user!

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!

PART 3
~~~~~~

Name      : Text Cleaner
Version   : 1.0.1
Editor    : CFL (Computers for Learning)
Target    : Text Cleaner.exe
s/n saved : [HKEY_CURRENT_USER\Software\Computers for Learning\
            Text Cleaner\Settings]
Tools     : Softice
            Brain
Cracker   : LW2000
Tutorial  : No.10

www.comp4learn.com/cleaner

Please excuse my poor English, it's not my mother language....

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

Overview of Text Cleaner
~~~~~~~~~~~~~~~~~~~~~~~~
Text Cleaner is a program to clean up badly formatted text from a variety of
sources, such as:
- Removal of unwanted line breaks.
- Removal of extra spaces at the beginning of lines.
- Removal of extra spaces in between words.
- Cleaning up spacing between sentences.
- Identifying and formatting lists within the text.
- Removal of e-mail reply marks (> symbols).
- Multiple, simultaneous, find and replace.

1. Launch Text Cleaner, a nag appears. There's an interesting button...
   'Register...' *g*. Let's do so.

2. Name: LW2000
   Company: (leave blank)
   Serial: 1230099
   *BOOM* The information you entered is not correct.... Press OK.
   Wrong serial? Typical program bug ;)

3. [Ctrl]+[d] to Softice and set a breakpoint on GetWindowTextA:
   bpx getwindowtexta
   [F5] to return to the application.

4. Name: LW2000
   Company: (leave blank)
   Serial: 1230099
   *BOOM* Softice pops up.
   [F5] first text field (name)
   [F5] second text field (company)
   Now we are @ the third text field. Now press [F11] to get the caller.

   0177:00430C33  50            PUSH EAX
   0177:00430C34  56            PUSH ESI
   0177:00430C35  FF15C4DB4500  CALL [USER32!GetWindowTextA]
   0177:00430C3B  8B4D10        MOV ECX,[EBP+10]
   0177:00430C3E  6AFF          PUSH FF
   0177:00430C40  E8DD47FFFF    CALL 00425422
   0177:00430C45  EB0B          JMP 00430C52
   0177:00430C47  8B4510        MOV EAX,[EBP+10]
   0177:00430C4A  FF30          PUSH DWORD PTR [EAX]
   0177:00430C4C  56            PUSH ESI

5. Press [F10] to trace till you are on:

   0177:0040A69B  89642420          MOV [ESP+20],ESP
   0177:0040A69F  53                PUSH EBX
   0177:0040A6A0  C744243000000000  MOV DWORD PTR [ESP+30],00000000
   0177:0040A6A8  E8F9A70100        CALL 00424EA6
   0177:0040A6AD  8D442418          LEA EAX,[ESP+18]
   0177:0040A6B1  B958864500        MOV ECX,00458658
   0177:0040A6B6  50                PUSH EAX
   0177:0040A6B7  C7442430FFFFFFFF  MOV DWORD PTR [ESP+30],FFFFFFFF
   0177:0040A6BF  E8BC330000        CALL 0040DA80       <- mhmm...
   0177:0040A6C4  8B742410          MOV ESI,[ESP+10]    <- looks very
   0177:0040A6C8  8B475C            MOV EAX,[EDI+5C]    <- interesting *g*

6. Let's look at what we've got:
   'd esi' nothing important
   Press [F10] once more. You should be on this line now:
   0177:0040A6C8  8B475C            MOV EAX,[EDI+5C]
   'd esi' take a look at the Data Window! Looks like a serial... 7f59ddc4
   OK, so check it out! Type 'db *' to disable the breakpoints. [F5] to
   return to the application.
   Name: LW2000
   Serial: 7f59ddc4
   Press OK. *BOOM* 'Your software has been registered.'

Congratulations! You are a registered user!

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!

PART 4
~~~~~~

HELLO BOYS AND GIRLS, NOW YOU ARE IN THE CLASSROOM, AND I WILL BE YOUR
TEACHER FOR A MOMENT, NOT FOR LONG. Excuse my English, it is very bad!

MY FIRST TUTORIAL! Hmmmm, let's begin!

APP        : COOL PAGE 1.9b
PROTECTION : HARD-CODED SERIAL NUMBA
TOOLZ      : W32DASM 8.93

These days protection like this is really not often used, because even an
absolute newbie can crack this kind of protection, but if you haven't read
some stuff on hard-coded serials, I suppose that you must get all tKC
tutorials, they are a great place to start!

Hard-coded serialz are built into the program, and the protection used in
Cool Page is the most stupid I have ever seen! In all the prots with a
hard-coded serial the program compares something (your fake serial) with
another thing (the real serial). But I will stop here with this bullshit and
start explaining how to crack the bastard, and remember it is very EASY!

Here I will use W32DASM because finding the serial with Softice will be
harder, and will be hard for you, like it was for me! The first time I
started the proggie I saw the nag: unlock Cool Page...
blah blah. You see a box with numbers that you must fill in at the inet site
registration, and blah blah. As a cracker with some experience I start
thinking: here I can try to find a serial with Softice, but it will be a
waste of time, because next time I install this shit it will change my number
in the box. Hmmmm, the next thing that came into my head was a keygen, but I
am not good at this stuff, and I realised that the only thing I can do is a
permanent patch!

OK, let the show start:

1. Enter a dummy serial in the box and hit Unlock. You will see some shit
   like this: "Unlock code is incorrect". REMEMBER THIS MESSAGE! Write it
   down on paper if you can't remember it!

2. Start W32DASM and hit the first icon from the bar.

3. Find the file and disassemble it; maybe the file is there:
   C:\Program Files\3Dize\Cool Page\Cool Page 1.9b\coolpage.exe

4. Wait, this monster is about 3.3 MB and it will take so much time for
   disassembling that you can take a bath, and when you return it will be
   finished :)

5. When it is disassembled, launch the icon before the printer icon (String
   Data References), and find the message (I will help you, it is number
   40286).

6. Click on it, and you will land on something like this:

   * Possible Reference to String Resource ID=40286: "Unlock code is incorrect"
                                     |
   :0041D01D 685E9D0000       push 00009D5E
   :0041D022 8D8520FDFFFF     lea eax, dword ptr [ebp+FFFFFD20]
   :0041D028 50               push eax
   :0041D029 E8D27CFEFF       call 00404D00
   :0041D02E 83C410           add esp, 00000010
   :0041D031 8B4508           mov eax, dword ptr [ebp+08]
   :0041D034 C60000           mov byte ptr [eax], 00
   :0041D037 E905000000       jmp 0041D041
   :0041D03C E90F000000       jmp 0041D050

   Trace up a little, and you will see:

   first:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0041C3CA(C)                          ---L00k HERE
   |
   :0041C4FA 83EC04           sub esp, 00000004
   :0041C4FD 89A56CFDFFFF     mov dword ptr [ebp+FFFFFD6C], esp
   :0041C503 6A00             push 00000000
   :0041C505 8B8D6CFDFFFF     mov ecx, dword ptr [ebp+FFFFFD6C]
   :0041C50B E8907A0600       call 00483FA0
   :0041C510 83EC04           sub esp, 00000004
   :0041C513 89A568FDFFFF     mov dword ptr [ebp+FFFFFD68], esp
   :0041C519 6A00             push 00000000
   :0041C51B 8B8D68FDFFFF     mov ecx, dword ptr [ebp+FFFFFD68]
   :0041C521 E8AA770600       call 00483CD0

   For the second string data ref. (SDR), second:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0041CA36(C)                          ---L00k HERE
   |
   :0041CB69 83EC04           sub esp, 00000004
   :0041CB6C 89A540FDFFFF     mov dword ptr [ebp+FFFFFD40], esp
   :0041CB72 6A00             push 00000000
   :0041CB74 8B8D40FDFFFF     mov ecx, dword ptr [ebp+FFFFFD40]
   :0041CB7A E821740600       call 00483FA0
   :0041CB7F 83EC04           sub esp, 00000004
   :0041CB82 89A53CFDFFFF     mov dword ptr [ebp+FFFFFD3C], esp
   :0041CB88 6A00             push 00000000
   :0041CB8A 8B8D3CFDFFFF     mov ecx, dword ptr [ebp+FFFFFD3C]
   :0041CB90 E83B710600       call 00483CD0

   For the third SDR, third:

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0041CEBE(C)                          ---L00k HERE
   |
   :0041CFF1 83EC04           sub esp, 00000004
   :0041CFF4 89A528FDFFFF     mov dword ptr [ebp+FFFFFD28], esp
   :0041CFFA 6A00             push 00000000
   :0041CFFC 8B8D28FDFFFF     mov ecx, dword ptr [ebp+FFFFFD28]
   :0041D002 E8996F0600       call 00483FA0
   :0041D007 83EC04           sub esp, 00000004
   :0041D00A 89A524FDFFFF     mov dword ptr [ebp+FFFFFD24], esp
   :0041D010 6A00             push 00000000
   :0041D012 8B8D24FDFFFF     mov ecx, dword ptr [ebp+FFFFFD24]
   :0041D018 E8B36C0600       call 00483CD0

   Maybe you will ask: "What the hell is '* Referenced by a (U)nconditional
   or (C)onditional Jump at Address'?" This is a place where a jump goes, or
   not. You can think of these jumps like TRUE and FALSE. In our program the
   jump is JNE (JUMP IF NOT EQUAL); this means if the comparison procedure is
   not equal the program will show "Unlock code is incorrect", and if the
   serial is right it will go on!

   The first thing I thought was: let's change this jump to JE (JUMP IF
   EQUAL) and I will be registered with any serial I want, but when I looked
   at the code I saw something very interesting:

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:0041CE6C(C), :0041CEA2(U)
   |
   :0041CEB4 81BDA4FEFFFF13CD3CA9  cmp dword ptr [ebp+FFFFFEA4], A93CCD13
                                   - comparison
   :0041CEBE 0F852D010000          jne 0041CFF1
                                   - if not the same, go to bad boy

   The program compares something with A93CCD13, and because I have read
   many tuts I know that this is something very interesting..... What do you
   think about this number A93CCD13???? Can it be our serial? Let's check
   the other two places: the same thing, hmmmmmmmm. Let's start Cool Page
   and try A93CCD13 for the unlock code. Hmmmmmmmmmm, it says "Unlock code is
   incorrect". Let's see this A93CCD13 again. It looks like a HEX value, now
   I've got it! Start the Windows calculator, choose View, Scientific, press
   Hex, enter A93CCD13 in the window, then press Dec, and you will see
   2839334163. Return to Cool Page, enter it, and $BOOM$ you are registered.
   There is nothing that says thanks or something like this, but go to Help,
   About Cool Page, and in the corner you see "unlocked full version". Now
   you see how easy it is to find a program's serials, but I can say that
   these programs are not very often created because... you see why!

There is another way to crack this bastard, with patching, but I will leave
this to you.

HAPPY CRACKING, from The L0rd

P.S. If you want to lock your program again, start regedit, click Find and
search for 2839334163, and delete the string when it finds it!

lord_peaceburn@hotmail.com

BYE BYE. I know it is not a good tut but sorry.... I will be happy if you
mail me to say what your opinion is!
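As an added example (my own code, not the tutorial's and not Cool Page's), here is the kind of check the listing above describes, a compare against a hard-coded immediate, beside a form that compiles in only a digest of the code so the compare no longer reads out the secret. The function names, the decimal parsing and the FNV-1a stand-in hash are my assumptions; the constant is the value from the tutorial.

```c
#include <stdint.h>
#include <stdlib.h>

/* Constructed sample: the unlock code the listing above compares against
 * (A93CCD13 hex = 2839334163 decimal). Function names are my own. */
#define COOLPAGE_CODE 0xA93CCD13u

/* Parse a decimal unlock code; returns 0 for anything that is not a plain
 * decimal number fitting in 32 bits. The product parsed decimal, which is
 * why typing the hex digits failed and the converted value worked. */
static int parse_code(const char *entered, uint32_t *out)
{
    char *end;
    unsigned long v;
    if (*entered == '\0')
        return 0;
    v = strtoul(entered, &end, 10);
    if (*end != '\0' || v > 0xFFFFFFFFul)
        return 0;
    *out = (uint32_t)v;
    return 1;
}

/* Weak form, as in the listing: the real code is the immediate operand of
 * the cmp, so anyone reading the disassembly reads the secret. */
int weak_check(const char *entered)
{
    uint32_t v;
    return parse_code(entered, &v) && v == COOLPAGE_CODE;
}

/* FNV-1a 32-bit over the four little-endian bytes of the code. This is a
 * stand-in for a real cryptographic hash (assumption: use SHA-256 or an
 * HMAC in production); chosen only because it fits in a few lines. */
uint32_t fnv1a32(uint32_t value)
{
    uint32_t h = 2166136261u;
    int i;
    for (i = 0; i < 4; i++) {
        h ^= (value >> (8 * i)) & 0xFFu;
        h *= 16777619u;
    }
    return h;
}

/* Vendor side: what gets compiled into the binary is the digest of the
 * code, not the code itself. */
uint32_t make_stored_digest(uint32_t code)
{
    return fnv1a32(code);
}

/* Hardened form: the immediate is now the digest, so the compare no longer
 * discloses what the user has to type. Two caveats the tutorial itself
 * hints at: the conditional jump after the compare can still be patched
 * (the "other way" the author mentions), and a 32-bit numeric code space
 * is small enough to search offline, so a real scheme needs a longer code
 * or a signature, not just a hash. */
int hardened_check(const char *entered, uint32_t stored_digest)
{
    uint32_t v;
    return parse_code(entered, &v) && fnv1a32(v) == stored_digest;
}
```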
PART 5
~~~~~~

App        : DataArmour 1.3.0.1
Web        : http://homepages.ihug.co.nz/~nclayton/
Tools used : WDasm
             Softice
             Hview
Crack      : Patch

The Patch
----------

After installation has finished, create a backup copy of DataArmour.exe and
start WDasm to disassemble. While disassembly is in progress start
DataArmour and take a quick look at it. It comes up with a window telling you
that you have 21 days left of your evaluation period. Press the Register
button, enter any information you like and press the OK button. A MessageBox
with the following string will appear: "registration code not valid".

Okay, switch over to WDasm which should have finished disassembling by now
(else wait for it to finish) and choose "String Data Reference" from the
Refs menu. Scroll down until you find the above mentioned string
("registration code not valid") and double-click on it. You will find
yourself on code line 48149b which should look like this:

:0048149B BAFC144800              mov edx, 004814FC

Now scroll up a bit and you will see "Reference To : kernel32.Sleep".
Remember that after you had entered your information the mouse pointer
changed to an hourglass and you had to wait forever and a day till that
stupid MessageBox appeared? Well, this call is what is causing that. Now
scroll up a bit more and you will see the following:

:00481463 E8FCD3FFFF              call 0047E864
:00481468 84C0                    test al, al
:0048146a 7542                    jne 004814AE

This is what we have been looking for. This code does the following:

:00481463 E8FCD3FFFF              call 0047E864   ; call the serial check routine
:00481468 84C0                    test al, al     ; test the result
:0048146a 7542                    jne 004814AE    ; if not equal jump to the
                                                  ; registered section, else keep
                                                  ; going, which would show us
                                                  ; that stupid hourglass and
                                                  ; MessageBox again.

Okay, now we could simply replace the jne with a jmp and the program would
think that we entered the correct information in the registration screen and
give us a goodboy message. But after restarting the program it would come up
with the evaluation screen again, because the registration information is
also tested on every start of the program. For that reason we have to find
the second call to the serial check routine, or modify the serial check
routine itself so that it will always return the expected result.

I have chosen to modify the serial check routine, so from here we press
Shift+F12 to go to the serial routine which, as you can see in the above
code lines, is located at 47E864. Okay, once you're at that code line all
you have to do now is write down the offset (7dc64), close WDasm and start
Hview. In Hview go to 7dc64 and enter the following:

.0007E864 : B001                  mov al, 001
.0007E866 : C3                    retn

Every time the serial check routine gets called from now on it will simply
return al with a value of 001, which will cause the program to jump to the
location it was meant to jump to if the registration information you entered
was correct, regardless of whether it is or not. Press F9 to update the file
and you're done. Close Hview, and start your patched version of DataArmour,
enter registration information and the program will tell you that you are a
goodboy. Next time you start DataArmour the nag will be gone.

Final Note
----------

I would like to thank EVERYBODY out there that is writing tutors, KEEP GOING!

DEF

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #52 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
Laz for Splash Logo.
Socko for Interface.
LW2000 for providing 3 tuts in this version.
Lord Peaceburn for providing a tut in this version.
DEF for providing a tut in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials, see below for my email address!

*** 75 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled with Delphi 5 on 16 November 1999

Cracking Tutorial #51 is dedicated to Ginny.