Welcome to Cracking Tutorial #54!

Hiya guys, sorry for the delay, but I was really busy these last days. Here are 3 tutors (#53, #54 and #55) for today, enjoy... OK, let's rave!

TOOLS
~~~~~

You'll need the following tools (I use these tools and I assume you'll use them too, but that doesn't mean you'll need all of them for every example, so just have them handy):

  SoftICE v4.01
  W32Dasm v8.93
  Hacker's View v6.20
  SmartCheck v6.03
  ProcDump32 v1.5.0
  Windows Commander 4.01 (I use it because it makes multitasking easier)
  Delphi, VB, C++ or TASM to code a keygen or a patch.

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools, or ask any cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Name     : ACDSee
Version  : 2.41
Editor   : ACD Systems
Target   : acdsee32.exe
Tools    : SoftICE, W32Dasm, Hiew, Brain
Cracker  : LW2000
Tutorial : No.13
URL      : http://www.acdsystems.com

---
DISCLAIMER: For educational purposes only! I hold no responsibility for the misuse of this material!
---

Please excuse my poor English, it's not my mother language...

1. Start ACDSee and go to Help | About | Register Now.

     Username: LW2000@GMX.NET
     Serial:   1230099

   Click OK. *BOOM* "Your name and registration code do not match". Typical program bug ;) Press OK to close the message box. Let's fix it...

   Press [Ctrl]+[D] to switch to SoftICE. Now set a breakpoint on GetDlgItemTextA with 'bpx getdlgitemtexta'. Press F5 to continue. Press OK again. SoftICE pops up. Now press F11 to get to the caller:

     :00459049 FFD5              call ebp
     :0045904B 8B15C0035000      mov edx, dword ptr [005003C0]     <-- here
     :00459051 8D442414          lea eax, dword ptr [esp+14]
     :00459055 8D4C2410          lea ecx, dword ptr [esp+10]
     :00459059 50                push eax

2.
   Trace with F10 through the code until you are here:

     :004590A0 8D54241C          lea edx, dword ptr [esp+1C]
     :004590A4 85D2              test edx, edx                     <-- here
     :004590A6 741E              je 004590C6

   'test edx, edx' checks whether EDX is zero. 'd edx' shows our name, so it seems the program checks that you have entered a name at all. Press F10 until you are here:

     :004590C6 8D8424F4000000    lea eax, dword ptr [esp+000000F4]
     :004590CD 85C0              test eax, eax                     <-- here
     :004590CF 7424              je 004590F5

   Looks familiar: 'd eax' shows our fake serial. A little further down:

     :00459105 6A00              push 00000000
     :00459107 3BF8              cmp edi, eax                      <-- here
     :00459109 0F85E7000000      jne 004591F6

3. Use F10 until you are here:

     :00459121 E8FAEFFFFF        call 00458120
     :00459126 83F801            cmp eax, 00000001                 <-- here
     :00459129 7443              je 0045916E

   Looks interesting. Enter 'bc *' to clear all breakpoints. Then double-click on

     :00459126 83F801            cmp eax, 00000001

   to set a new bpx on this line. Now enter 'r eax=1' to change EAX to 1. Press F5. Wow, seems to be a very easy crack. But wait, take a look at the title bar of ACDSee! Still unregistered...

4. Hmm, close ACDSee and start it again. It is still unregistered, so let's take a look at the code again!

     :00459121 E8FAEFFFFF        call 00458120                     <-- hmm, what's this...
     :00459126 83F801            cmp eax, 00000001                 <-- our manipulation
     :00459129 7443              je 0045916E

   Before our manipulated compare there is a call to a function, and EAX is its return value, so patching the compare alone only fixes this one caller. Go to this line:

     :00459121 E8FAEFFFFF        call 00458120

   and press F8 to step into the call:

     :00458120 83EC24            sub esp, 00000024                 <-- here we are
     :00458123 53                push ebx
     :00458124 55                push ebp
     :00458125 56                push esi
     :00458126 8B742434          mov esi, dword ptr [esp+34]

   Now, the same procedure as every time ;)

5. Trace with F10 until you are here:

     :00458177 83C410            add esp, 00000010
     :0045817A 85C0              test eax, eax                     <-- here
     :0045817C 740F              je 0045818D

   Let's try again. 'bd *' to disable all other breakpoints. Double-click on

     :00458177 83C410            add esp, 00000010

   to set a new bpx. Now enter 'r eax=1'. Press F5 to continue. Hmm, registered! =) Close ACDSee and start it again.
   SoftICE pops up at the same place where you stopped. 'r eax=1' again. Press F5 to continue. *BOOM* SoftICE pops up again, so 'r eax=1' once more! If you have started the browser, you need to do the same thing twice more. OK, take a look at the title bar! *g* Only the name! You are registered! So let's fix it permanently. Take a look at the code:

     :00458177 83C410            add esp, 00000010
     :0045817A 85C0              test eax, eax                     <-- here
     :0045817C 740F              je 0045818D                       <-- hmm, *g*

   Enter 'bd *' and press F5. Close ACDSee and start W32Dasm. Disassemble acdsee32.exe. Now press Shift-F12 and enter 0045817C.

6. Place the green bar on this line:

     :0045817C 740F              je 0045818D

   and take a look at the status bar:

     ...@Offset 0005817Ch in File: ACDSee32.exe

   Our offset is '0005817C'. Close W32Dasm and start Hiew with acdsee32.exe. Press Enter twice to get into decode mode. Press F5 and enter 0005817C. OK, now you are at the right location. Press F3 to edit the file. Change 740F to 750F. This changes the je into a jne. Note that this inverts the check rather than removing it: ACDSee now accepts only wrong serials and would reject a real one ;)) Press F9 to update and F10 to quit. Start ACDSee and enter your details. Congratulations! You are a registered user!

FINISH! Easy, isn't it? cu

LW2000

Any comments? Mail me: LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 2
~~~~~~

-----T U T O R I A L No.1--------

The most interesting way of finding a serial number, written by glupi!

This is a tutorial on how to find serials for the game PetWings.

PROGRAM: PetWings
VERSION: 1.0
EMAIL:   jjsoft.geo@yahoo.com
URL:     http://welcome.to/jjsoft/

Tools needed:
  W32Dasm 8.93
  Pen & paper
  Notepad.exe
  Brain - not necessary

Something about the game:

OVERVIEW
PetWings is a classic arcade-style shooting game with cute cartoonish graphics, 53 game levels, 5 huge bosses and a 6-level fire power-up. This game is shareware, but you can play the entire Episode 1 (consisting of 16 stages) without registration.

HOW TO PLAY
Select an episode to play at the title screen.
Each episode consists of 16 stages. You will encounter a huge boss at stage 8 and stage 16. Shoot the flying creatures and they will drop magic potions. Your fire power increases after collecting 60 potions. The maximum fire power you can gain is 6. The game is over when your life energy is gone. You may continue the game if you have more than 60 potions. You lose 60 potions after continuing, which means your fire power level decreases too.

REGISTRATION
PetWings is shareware. You need to register to play all three episodes. The registration fee is $5 (US currency) and it will give you more challenging levels with new tricky creatures and new, tougher bosses! Online registration using a credit card is available at the JJsoft homepage. It is simple, secure and quick. Please visit the JJsoft homepage for more information. After registration you will receive a registration key via e-mail. Select "Register" at the title screen and enter the registration key.

Let's examine the game a little:

Start the game. You will be able to play only episode one (unregistered version). If you choose episode 2 or 3, you are told that this is the unregistered version, and you can choose >back to menu< or >read manual<, in which case it opens Manual_E.htm in your favourite web browser. On the main menu you can also choose RANKING, REGISTER or simply EXIT. If you enter any serial number under REGISTER, the game creates a file called Register.dat in its own directory. If you later open it with Notepad you will see your wrong serial, or... if you are extremely lucky, the right one! If you go to RANKING you will see that a dude called jjsoft sits in each of the eight places, but if you open Ranking.dat with Notepad you will not be able to make anything of it!
It looks like this (left) and actually means this (right):

  725F4055382314071254  -->  JJSOFT 100
  7A5F5C33381A080E00    -->  JJSOFT 90
  7B5F5C33381A080E00    -->  JJSOFT 80
  745F5C33381A080E00    -->  JJSOFT 70
  755F5C33381A080E00    -->  JJSOFT 60
  755F5C3E3E3C3721      -->  GLUPI 60
  765F5C33381A080E00    -->  JJSOFT 50
  775F5C33381A080E00    -->  JJSOFT 40

Wow... bad thing... that means I can't simply edit it (like winmine.ini in Minesweeper) and be better than my sister... bummer... Not completely, as you will see later... OK, let's get down to some serious business.

Let's start: this tutorial assumes that you are familiar with cracking and know how to use W32Dasm (i.e. you know how to open the file that needs to be disassembled and how to find string references).

OK! Let's disassemble Petwings.exe (it is huge, 4,012 KB, but it does not take too long). Now let's look at the string references (press the button named "Strn Ref", the one next to the last). You will get something like this:

  " ((((( "
  " "
  "%s"
  "]_^["
  "<"
  "0"
  "0123456789ABCDEF"                ---> a hex-digit table, most likely how the hex text in Ranking.dat gets written
  "120,"
  "725D4055223E4A5C42191C0000"      ---> looks interesting!
  "725D405531212229200D050F00"      ---> and this too!
  "-CHEAT MODE-"                    ---> this means we can use a "close all" cheat in the game, I guess
  "COPYRIGHT 1999 JJSOFT"
  "Copyright 1999 PetWings"
  "DIRECTION"
  "DIRECTION_REVERSE"
  "DIRECTION_TO_MYCHARA"
  "Enter Registration Key"          ---> interesting to us if you
  "Enter Your Name "                      want to crack the game
  "ERROR"
  "Failed to create application window."
  "Failed to create DirectDraw object."
  "Failed to create DirectInput object."
  "Failed to initialise palette."
  "Failed to register Window class."
  "Failed to restore surfaces."
  "Failed to set up Full-screen mode."
  "GOSUB"
  "GOTO_LABEL"
  "INCR_FRAME"
  "It costs 60 potions to continue."
  "JJWindowClass"
  "LABEL"
  "Manual_E.htm"
  "MOVE"
  "Music01.mid"
  "Music02.mid"
  "Music03.mid"
  "open %s type sequencer alias MUSIC"
  "open"
  "PetWings Message"
  "PetWings"
  "play MUSIC from 0 notify"
  "play MUSIC notify"
  "PLAY_SOUND"
  "r"
  "Ranking.dat"                     ---> here the high scores are stored
  "Register.dat"                    ---> and there our serial number is stored
  "REPEAT"
  "REPEAT_END"
  "RETURN"
  "ROTATE_LEFT"
  "ROTATE_RIGHT"
  "SET_BULLET_OFFSET"
  "SET_FRAME"
  "SHIFT_X"
  "SHIFT_Y"
  "SHOOT"
  "SPEED"
  "SPEED_PERCENT"
  "stop MUSIC"
  "STOP"
  "UNREGISTERED"                    ---> this is what we get if we don't know the serial
  "w"
  "WAVE"

Let's look at the lines I marked! We can see that the game has a -CHEAT MODE-. You can't tell yet whether cheat mode is entered by pressing the right keys or by entering the right serial (the latter, in our case, as we will see later). What catches my attention are those two long (hex) numbers we marked first:

  725D4055223E4A5C42191C0000
  725D405531212229200D050F00

Maybe it is our serial... Is it really that easy, you wonder? Only in some cases. In our case, when you try to enter one, you will be surprised that the serial number can't be that long (you can enter at most 10 characters). So what are those too-long numbers for? In a minute... First I would like to explain that this idea isn't as stupid as it sounds! Yeah, I hear you: a programmer will put the serial number right in front of your nose, yeah right... what stupid thinking... NO! In some cases it is exactly that. For example, if you disassemble the program

  PROGRAM: Letter Chase Typing Tutor
  Version: 3.0
  URL:     http://www.regsoft.com/
  Letter Chase Typing Tutor 3.0 is Copyright 1998, 1999 by David Ray
  For more than 100 users contact me at: s22k77@granitecity.com

you will find six strange strings... They are:

  aer758om
  5599c33m
  5500c33m
  57caee9m
  hb456bnm
  1414ytym

and when you try to enter them as your Unlock code (they all work!) with any name, you will get the "Thank you for registration!" message. OK, so in our case that is not so... don't laugh at me for trying.
What now, you wonder?????? If you read the tutorial carefully, maybe you will get an idea... OK, I'll give you two more minutes..............................................

NO idea! OK, look at my idea. Remember from the beginning of the tutorial that the name and score are written to Ranking.dat in a peculiar way... I can't read JJSOFT 100 from 725F4055382314071254, can you? It is encrypted somehow (whatever it is, I can't read it...). The idea is this: why don't we let the game apply the same decryption to our two long numbers (strings, call them whatever you want)? So let's modify Ranking.dat by putting the two long numbers in place of the first two lines; just replace them. After the modification the ranking should look like this:

  725D4055223E4A5C42191C0000  -->  PW-469-99 120
  725D405531212229200D050F00  -->  CHEAT-469 120
  7B5F5C33381A080E00          -->  JJSOFT 80
  745F5C33381A080E00          -->  JJSOFT 70
  755F5C33381A080E00          -->  JJSOFT 60
  755F5C3E3E3C3721            -->  GLUPI 60
  765F5C33381A080E00          -->  JJSOFT 50
  775F5C33381A080E00          -->  JJSOFT 40

Wooooouuuuuuw, it looks like it works, I think... Let's go to the registration window and enter PW-469-99, and we can play EPISODE 2 and EPISODE 3. OK! If we enter CHEAT-469, we will be able to play EPISODE 2 and EPISODE 3 and we can cheat a little bit by pressing:

  F1 - Power-Up (stronger weapon, Power 6 is the maximum)
  F2 - extra life
  F5 - play the next level (skip the current level)
  F6 - replay the level
  F7 - play the previous level (you go back one level)

NOTE: If you can't find "-" in the REGISTER window, edit the file Register.dat manually with Notepad. When you edit Register.dat you must be careful: if you get "PW-469-99 OZK 120" or something similar, that means you have some free space at the end of the first line (hit Delete a few times to correct it).

FINAL NOTE: I played the game on a Pentium 166 MMX and I needed the cheat badly!
When I played on a 486/80 MHz it was easier, but still not too easy to play! Maybe if you want to cheat, slow your computer down a little bit.

Thanks go to:
  Jessie (she is a girl, I think so!) for correcting the bunch of errors!
  tKC for his great tutorials (just keep going, I learned a lot from you)

Greetz to CrOator & Dr.Jones, RoToR, keySpector, HRVSCORPIO and all the other crackers from Croatia! And to all crackers all over the world!

You can contact me by e-mail: glupii@mailcity.com

Sorry for my very bad English.

PART 3
~~~~~~

How to find a serial 4 ClipMate 5 with SoftICE
bY +SEKt0r

Hey hey, I'm back.... OK, this proggy enhances the Windows Clipboard, making it a true power tool. The cut/copy/paste capability of Windows works well for transferring single items of data, but is not useful if you want to move a lot of data or keep data longer than until your next cut or copy, because Windows overwrites the Clipboard whether you were ready or not. It also has an easy way to find out the valid serial... with the help of this tut :). Ya ya ya, lotsa shit, let's crack...

PART 1: TOOLS
=============

You need the following tools:

  SoftICE (4.0x)
  ClipMate5 (v5.0.2)

Get the files from here:
  www.protools.cjb.net (great site for cracking!)
  www.thornsoft.com (550k)

After you have gotten the above tools, continue.

PART 2: FINDING THE SERIAL
==========================

STEP 1: Install ClipMate5.
STEP 2: Open up the exe, click on Help => Enter registration key.
STEP 3: Put in a fake name and regkey (e.g. +SEKt0r and 12341234).
STEP 4: Put a BPX on our 2 favourite APIs, GetDlgItemTextA and GetWindowTextA... but wait, this proggy doesn't use these two APIs, so after a little searching I decided to use LoadStringA. Type: BPX LoadStringA
STEP 5: Click the Validate Key button. @#BOOM#@ We're in SoftICE now, with the LoadStringA API in use.
STEP 6: Press F11 once (to get to the caller).
STEP 7: You will be here now:

  :00405B69 call USER32!LoadStringA
  :00405B6E MOV ECX,EAX              ; we are here

STEP 8: OK, trace down with F10 until we come to here:

  :00405B74 call 00403E40

STEP 9: Now comes the k3wl part. Type either:

  d eax
  d ebp
  d esi

All you have to do is scroll down a little bit, about 3 lines, and you will see your name (+SEKt0r), your fake serial (12341234) and your real serial (G013902854524). The program has apparently built the key it expects right next to the one you typed, so a look at the data window is all that is needed.

So my user info was:

  Name:             +SEKt0r
  Registration Key: G013902854524

PART 3: NOTES
=============

This is what a SoftICE layout should look like:

  |---------------|
  |Register       |   R to edit
  |---------------|
  |Data Window    |   D to view an address, E to edit it
  |---------------|
  |Code Window    |   U to view an address, A to insert code
  |---------------|
  |Command Window |   Type commands
  |---------------|

  F5 / CTRL+D - Run
  F8          - Step into functions
  F10         - Step over functions
  F11         - Return to the caller

*Note* If some of the windows don't come up, toggle them with WR (registers), WD (data) and WC (code).

You might want to print this tutorial out, because you can't read stuff in Notepad while in SoftICE.

PART 4: FINAL THANKS
====================

Many thx go to the following ppl, again:

  Gemz   - bah.
  KarnaK - thnx for everything.
  Xzi    - thnx for being a friend.
  eFFeCT - being gay? :)
  ED!SON - for his KICK ASS tutors
  tKC    - also for his tuts and for giving me the opportunities, thnx a lot man :)

Everyone at #C.I.A, #Cracking, #Crackers, #Cracking4Newbies on EFNet, and #TeamFortress, #VB on OzOrg. And everyone else that I forgot about :)

Contacting me (suggestions + comments):
  E-mail: t1cker@hotmail.com
  IRC:    usually on EFNet as SEKt0r, or tIKA if I can't get SEKt0r as my fucken nick :(

You can usually find me in the above channels!
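What you see after 'd eax' and a few lines of scrolling is the program's own buffers lying next to each other in memory. The following Python script is an added example, not part of +SEKt0r's tutorial: it does the same thing over a saved memory dump (ProcDump32 from the tools list can produce one; here SAMPLE_DUMP is a constructed byte string laid out the way the tutorial describes, not real ClipMate memory). It finds the fake serial you typed and lists every printable run within a few SoftICE data-window lines of it, then filters out the name and the fake key so that what is left are the candidates the program computed for you. Function names and the sample layout are this example's own.

```python
"""List the strings that sit next to your own input in a memory dump.

Added example, not part of +SEKt0r's tutorial.  SAMPLE_DUMP is constructed
in the layout the tutorial describes, not real ClipMate memory; names are
this example's own.
"""
import re

PRINTABLE = re.compile(rb"[\x20-\x7e]{4,}")   # runs of 4+ printable ASCII bytes
DATA_LINE = 16                                 # bytes per SoftICE data-window line


def strings_near(dump, marker, lines=4):
    """(offset, text) of the printable runs that fall within `lines`
    data-window lines of any occurrence of marker, in address order.
    Runs are matched over the whole dump first so none is cut at the edge."""
    window = lines * DATA_LINE
    anchors, pos = [], dump.find(marker)
    while pos >= 0:
        anchors.append(pos)
        pos = dump.find(marker, pos + 1)
    hits = []
    for m in PRINTABLE.finditer(dump):
        if any(m.end() > a - window and m.start() < a + len(marker) + window
               for a in anchors):
            hits.append((m.start(), m.group().decode("ascii")))
    return hits


def candidate_keys(dump, name, fake_key, lines=4):
    """Strings next to the typed key that are neither the name nor that key:
    the key the program computed for you is usually among them."""
    return [s for _, s in strings_near(dump, fake_key.encode("ascii"), lines)
            if s not in (name, fake_key)]


# Constructed: name, fake key and the computed key a few bytes apart,
# surrounded by zeros and int3 padding that must not show up as strings.
SAMPLE_DUMP = (b"\x00" * 40 + b"+SEKt0r\x00" + b"\x00" * 9 + b"12341234\x00"
               + b"\x00" * 7 + b"G013902854524\x00" + b"\xcc" * 40)

if __name__ == "__main__":
    for off, text in strings_near(SAMPLE_DUMP, b"12341234"):
        print("%08X  %s" % (off, text))
    print("key candidates:", candidate_keys(SAMPLE_DUMP, "+SEKt0r", "12341234"))
```

The window is expressed in data-window lines because that is how you navigate in SoftICE; four lines either side is the "scroll down about 3 lines" of STEP 9 with a little slack. On a real dump expect several candidates (window titles, resource strings), so try each one in the dialog rather than assuming the first hit is the key.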
*This tutorial, as usual, can only be used for educational purposes!*
*If you like the program, support the makers and buy it!*

PART 4
~~~~~~

Cracking MatchWare ScreenCorder v2.1

Heya guyz!... This is my first cracking tutorial for newbies... hope you'll enjoy it... Excuse my English... it sux... I know... I have some knowledge of my native language, Romanian ;-) and that's it. Okey... The selected target is a really kewl proggie... so if you like it, go buy it. What does it do? It captures the entire desktop or an area... and saves that into an AVI or an animated GIF... Enough!... Let's crack.

TARGET: MatchWare ScreenCorder v2.1
URL:    http://www.matchware.net
TOOLS:  W32Dasm, Hiew, SoftICE, pen & a piece of paper.

When you view the AVI I told you about, in the middle there is an annoying red text "MatchWare ScreenCorder Demo". The easy way is: open W32Dasm, disassemble Scrncord.exe and then click on String Data References... look down until you find that "MatchWare ScreenCorder Demo"... double-click on it. You should land here:

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:00407B1F(U), :0040872D(C)
  |
  * Possible StringData Ref from Data Obj ->"MatchWare ScreenCorder Demo"
  :004087C9 6804E64200              push 0042E604
  :004087CE 8D8D04FDFFFF            lea ecx, dword ptr [ebp+FFFFFD04]
  :004087D4 E8EF500100              call 0041D8C8
  :004087D9 C745FC04000000          mov [ebp-04], 00000004
  :004087E0 8B8580FBFFFF            mov eax, dword ptr [ebp+FFFFFB80]

See that line at 004087C9? 'push 0042E604'... that one hands the annoying text to the call below it, so what we have to do is change it to 'push 00000000' (push a NULL string pointer). That only works because the routine at 0041D8C8 tolerates a NULL pointer; if it did not, you would point the push at an existing zero byte in the data section instead, which passes an empty string. First of all, write down the offset: 087C9. Kewl. Open Hiew, choose Scrncord.exe, F4... decode... F5... 087C9... change it to 6800000000... Restart the proggie, record a new AVI, play it... see any more demo text crap? Of course not... good work!
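Both byte patches so far, the je to jne flip at file offset 0005817C in Part 1 and the push patch just done at 087C9, were typed into Hiew by hand. The following Python helper is an added example and is not part of LW2000's or SandoKan's write-ups. It does the same edits from a script and, as a practitioner would want, refuses to write unless the bytes at the target are exactly what the disassembly predicted; it also computes the VA to file-offset mapping that W32Dasm's status bar gave us from the PE section table, and it can locate a patch site by a unique byte signature instead of an offset, the way Hiew's search does. The PE header and buffers in the demo are constructed stand-ins, not the real acdsee32.exe or Scrncord.exe; all function names are this example's own.

```python
"""Scripted versions of the byte patches applied by hand in Hiew.

Added example, not part of LW2000's or SandoKan's write-ups.  Every write
is refused unless the bytes at the target match what was analysed.  The
PE header built by build_min_pe() is a constructed stand-in; nothing here
is the real acdsee32.exe or Scrncord.exe, and all names are this example's.
"""
import struct


def invert_short_jcc(opcode):
    """Short Jcc opcodes pair up: flipping bit 0 inverts the condition
    (74 je <-> 75 jne, 7C jl <-> 7D jge, ...)."""
    if 0x70 <= opcode <= 0x7F:
        return opcode ^ 1
    raise ValueError("not a short Jcc opcode: %#x" % opcode)


def read_sections(pe):
    """(image_base, [(vaddr, vsize, raw_ptr, raw_size), ...]) of a PE32 image."""
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    image_base = struct.unpack_from("<I", pe, e_lfanew + 24 + 28)[0]
    table = e_lfanew + 24 + opt_size        # section table follows the optional header
    sections = []
    for i in range(num_sections):
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, table + 40 * i + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(va, image_base, sections):
    """The number W32Dasm shows as '@Offset': VA -> RVA -> raw file position."""
    rva = va - image_base
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("VA %#x is not inside any section" % va)


def patch_at_offset(data, offset, expected, replacement):
    """Overwrite bytes at offset only if they are the bytes we analysed."""
    if len(replacement) != len(expected):
        raise ValueError("replacement must keep the same length")
    found = bytes(data[offset:offset + len(expected)])
    if found != expected:
        raise ValueError("bytes at %#x are %s, expected %s"
                         % (offset, found.hex(), expected.hex()))
    out = bytearray(data)
    out[offset:offset + len(expected)] = replacement
    return bytes(out)


def patch_by_signature(data, signature, replacement):
    """Search by bytes, as in Hiew, but patch only if the pattern is unique."""
    first = data.find(signature)
    if first < 0:
        raise ValueError("signature not found")
    if data.find(signature, first + 1) >= 0:
        raise ValueError("signature occurs more than once; lengthen it")
    return patch_at_offset(data, first, signature, replacement)


def flip_jcc_at(data, offset):
    """Invert the short conditional jump whose opcode byte sits at offset."""
    op = data[offset]
    return patch_at_offset(data, offset, bytes([op]), bytes([invert_short_jcc(op)]))


def build_min_pe(image_base, sections):
    """Constructed minimal PE32 header, just enough for read_sections()."""
    pe = bytearray(0x200)
    pe[0:2] = b"MZ"
    struct.pack_into("<I", pe, 0x3C, 0x80)                    # e_lfanew
    pe[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", pe, 0x84, 0x14C, len(sections))   # i386, NumberOfSections
    struct.pack_into("<H", pe, 0x94, 0xE0)                    # SizeOfOptionalHeader
    struct.pack_into("<H", pe, 0x98, 0x10B)                   # PE32 magic
    struct.pack_into("<I", pe, 0x98 + 28, image_base)         # ImageBase
    for i, (vaddr, vsize, raw_ptr, raw_size) in enumerate(sections):
        struct.pack_into("<IIII", pe, 0x178 + 40 * i + 8, vsize, vaddr, raw_size, raw_ptr)
    return bytes(pe)


if __name__ == "__main__":
    # Stand-in for acdsee32.exe: .text at RVA 1000 backed by raw offset 1000,
    # which is why W32Dasm reported offset 0005817C for VA 0045817C.
    base, secs = read_sections(build_min_pe(0x400000, [(0x1000, 0x60000, 0x1000, 0x60000)]))
    off = va_to_file_offset(0x45817C, base, secs)
    image = bytearray(0x70000)
    image[off - 2:off + 2] = bytes.fromhex("85C0740F")        # test eax,eax / je
    print("offset %08X:" % off, flip_jcc_at(image, off)[off - 2:off + 2].hex())
    demo = bytes.fromhex("6804E642008D8D04FDFFFF")            # push 0042E604 -> push 0
    print(patch_at_offset(demo, 0, bytes.fromhex("6804E64200"), bytes.fromhex("6800000000")).hex())
```

The expected-bytes check is what protects you from a stale offset: W32Dasm and Hiew address the file you disassembled, and a different build or a packed copy puts other bytes at 0005817C. The signature variant is for the case where you only know the instruction bytes; make the pattern long enough to be unique, and keep any trailing instruction you matched on unchanged in the replacement.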
Now, when you close the proggie, a nag screen pops up that tells you something like: "This is a demo version of MatchWare ScreenCorder for evaluation purposes only... blah blah..." We have to nail this one down. Start the proggie... enter SoftICE and set a breakpoint on CreateDialogIndirectParamA (bpx createdialogindirectparama). F5... close the proggie (click on that "X") ;-) and SoftICE should break... press F12 twice... and then press that OK button... SoftICE will break again... it will look like this:

  :00409831 E8D198FFFF              call 00403107
  :0040983A 8D4D98                  lea ecx, dword ptr [ebp-68]
  :0040983D E85D370100              call 0041CF9F          <----- hmmmm... nice
  :00409842 6A01                    push 00000001          <---- you land here

That call at 0040983D is the nasty call. Write down some hex: E85D3701006A01. Open Hiew, select Scrncord.exe, F4... decode... F7... enter E85D3701006A01... F3... and enter 9090909090 (5 bytes), or, more classy, 4048904048 (inc eax, dec eax, nop, inc eax, dec eax)... Searching for the 7 bytes including the following 'push 00000001' helps make the pattern unique, but only the 5 bytes of the call get overwritten. Nothing is pushed between the 'lea ecx' and the call (the object pointer travels in ECX), so removing the call leaves the stack balanced; always check that before NOPing a call out. Restart the proggie... close it... see any more nags??! Nice job! You cracked it!

Greetingz go to: Razzia, tKC, SandMan, Quantico, EGOiSTE, TORN@DO... and to all others. Greetings to all the crackers from Romania on this occasion too!

P.S.: I hope you learned something from this tut... If you have any questions, e-mail me at: sanion@hotmail.com

PART 5
~~~~~~

Universe v1.62
http://www.diardsoftware.com

The latest release of Universe may be downloaded from our website at http://www.diardsoftware.com. There are several alternate download websites listed in case problems occur with our main website. Univ16.zip is the filename. Once unzipped, run unisetup.exe. This installation program will install the program to the directory you specify on your computer.

1) Run UNIVERSE.EXE

2) Click on the "Help" menu and "Register" and enter the following:

     User Name : mISTER fANATIC [C4A]
     User Key  : 1122334455

3) Press "CTRL-D" to get into SoftICE, type "bpx getwindowtexta", and press "CTRL-D" to return to Universe.
   Finally, click on the "OK" button to register and you are back in SoftICE.

4) Press "F12" once and you will see the following:

     xxxx:0046439A 8D4518        LEA EAX,[EBP+18]
     xxxx:0046439D 50            PUSH EAX
     xxxx:0046439E 8D45E0        LEA EAX,[EBP-20]
     xxxx:004643A1 FF7510        PUSH DWORD PTR [EBP+10]

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Press "F10" 37 times until you reach the line below:

     xxxx:0040ADBD 8B45F4        MOV EAX,[EBP-0C]
     xxxx:0040ADC0 8B8898000000  MOV ECX,[EAX+00000098]
     xxxx:0040ADC6 51            PUSH ECX
     xxxx:0040ADC7 8B55F4        MOV EDX,[EBP-0C]
     xxxx:0040ADCA 81C29C000000  ADD EDX,0000009C
     xxxx:0040ADD0 52            PUSH EDX
     xxxx:0040ADD1 B910A14900    MOV ECX,0049A110
     xxxx:0040ADD6 E8CABB0000    CALL 004169A5
     xxxx:0040ADDB 8945FC        MOV [EBP-04],EAX
     xxxx:0040ADDE 837DFC00      CMP DWORD PTR [EBP-04],00
     xxxx:0040ADE2 7438          JZ 0040AE1C

   Or you can just type "g 40ADBD" and you will reach the line above.

7) Then press "F10" until the line below:

     xxxx:0040ADD6 E8CABB0000    CALL 004169A5          <-- press "F8" to trace
     xxxx:0040ADDB 8945FC        MOV [EBP-04],EAX
     xxxx:0040ADDE 837DFC00      CMP DWORD PTR [EBP-04],00
     xxxx:0040ADE2 7438          JZ 0040AE1C

   At line xxxx:0040ADD6, press "F8" to trace into the call. Then press "F10" until the line below:

     xxxx:004169B0 E80FFBFFFF    CALL 004164C4          <-- keygen routine
     xxxx:004169B5 83C404        ADD ESP,04             <-- type "? eax"
     xxxx:004169B8 33C9          XOR ECX,ECX
     xxxx:004169BA 39450C        CMP [EBP+0C],EAX
     xxxx:004169BD 0F94CA        SETZ CL

   At line xxxx:004169B5, type "? eax" and you will see something interesting like "696634B4 1768305844" (SoftICE prints the value in hex and then in decimal). The value the keygen routine left in EAX is compared at 004169BA with the argument at [EBP+0C], presumably the key you typed, and SETZ CL turns that compare into the function's result. So the decimal number is the real registration code.

8) Press "CTRL-D" to return to Universe. Enter the following and click the "OK" button:

     User Name : mISTER fANATIC [C4A]
     User Key  : 1768305844

   BOOM, it's registered! Well, I hope you learned something from this tutorial.

   mailto: c4a@iname.com

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #55, coming soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  Socko for the interface.
  PunkGuy2 for the splash logo.
  glupi! for providing a tut for this version.
  +SEKt0r for providing a tut for this version.
  SandoKan for providing a tut for this version.
  mISTER fANATIC for providing a tut for this version.
  LW2000 for providing a tut for this version.
  tKC for coding this version :)

All crackers (non-members of CiA) are welcome to send tutors for the next tutorials... see below for my e-mail address!

*** 75 chars per line in the text file, please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz go to all my friends! You can find me on IRC or e-mail me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW / Crackers in Action '99

Compiled with Delphi 5 on 13 December 1999

Cracking Tutorial #54 is dedicated to 9 Pearls in an Oyster... esp. Mandy!