Welcome to Cracking Tutorial #55!

Hiya guys, sorry for the delays but I was really busy the last few days.
Here are 3 tutors (#53, #54, and #55) for today, enjoy them... OK, let's rave!

TOOLS
~~~~~

You'll need the following tools: (I use these tools and I assume you'll use
'em, but it doesn't mean that you'll need to use all of them, so just be sure
to have them handy for the examples in this tutorial!)

  SoftICE v4.01
  W32Dasm v8.93
  Hacker's View v6.20
  SmartCheck v6.03
  ProcDump32 v1.5.0
  Windows Commander 4.01 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials. Here is a good site where you can grab
tools from: http://protools.cjb.net or http://w3.to/protools, or ask any
cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

How to find a serial 4 Windows Sniper with SoftIce
bY +SEKt0r

Hey! I haven't written any tuts for a while cos of sk00l :(( but dun worry,
i'm back and kicking.

  "Once you perform an action, you can teach Windows Sniper to automatically
  perform that action each time it detects that the scenario is occurring.
  For example, if every time a window pops up, and you know you want to click
  a particular button each and every time it pops up (for example a dialog
  that only presents an "OK" choice), you teach Windows Sniper to do this,
  and when it sees the dialog, it will press the button for you. Fast and
  easy!"

Bah, taken from its help phile. Enough of that, lets crack.

PART 1: TOOLS
=============

You need the following tools:

  SoftIce (4.0x)
  Windows Sniper (v.2.0)

Get the philes from here:

  www.protools.cjb.net (Great site for cracking tools!)
  www.unhuman.com (550k)

After you have gotten the above tools, kontinue.

PART 2: FINDING THE SERIAL
===========================

STEP 1: Install Windows Sniper.

STEP 2: Open up the exe; mine was already expired :(, so the reg dialog came
        up automatically.
STEP 3: Put in a fake name + serial (eg. +SEKt0r).

STEP 4: Put a BPX on our 2 fav APIs, GetDlgItemTextA and GetWindowTextA:

          bpx GetDlgItemTextA
          bpx GetWindowTextA

STEP 5: Click the OK button. BOOM! We're in SIce now, with the GetWindowTextA
        API in use.

STEP 6: Press F5 twice (because we have 2 textboxes) and F11 once (to get
        back to the caller).

STEP 7: You will be here now:

          :00427B82 MOV ECX,[EBP+10]

        Keep pressing F10 (step over) till we come to here:

          :00427B9C RET 000C

STEP 8: Bah, nothing interesting... keep tracing with F10 till you come to
        here:

          :00402287 RET 0004

        Still nothing interesting, keep going past the RET till you come to:

          :004233FD JMP 00423426

STEP 9: OK, take that jump with F10, we come to:

          :00423426 MOV EAX,[EBP-18]

        Keep tracing till we come here:

          :00423440 RET 0004

STEP 10: Keep going past the RET, we now come to here:

          :00402AA5 CALL 00402B20   ; the reg calculation call :))

STEP 11: Step into the call with F8, we land here:

          :00402B20 PUSH FF

STEP 12: OK, now keep tracing till you come to:

          :00402B9D JNZ 00402BD3   ; jumps to the goodboy when Z=0 (JNZ =
                                   ; jump if not zero / not equal); when
                                   ; Z=1 it falls through to the next line

         *NOTE* if needed, flip the Z flag so that it jumps: "r fl z"
         toggles the zero flag in SoftIce.

STEP 13: Keep tracing with F10 to:

          :00402BE1 CMP DL,[ESI]   ; hoho, a byte compare: DL against [ESI]

         Now type "d eax" or "d esi". What do we have in the data
         window?!@#?!@ *OUR SERIAL*

         My info was:

           User:   +SEKt0r
           Serial: 6his+QNVGp1yk6oBCObi2MYWzew

PART 3: NOTES
=============

This is what a SoftIce layout screen should look like:

  |---------------|
  |Register       |  R to edit
  |---------------|
  |Data Window    |  D to view an address, E to edit it
  |---------------|
  |Code Window    |  U to view an address, A to assemble code
  |---------------|
  |Command Window |  Type commands
  |---------------|

  F5 / CTRL+D - Run
  F8          - Step into functions
  F10         - Step over functions
  F11         - Return to the caller (G @SS:ESP)

*Note* If some of the windows don't come up, just type the above letters, eg.
E, A, and the windows will come up, or try WD. You might want to print this
tutorial out because you can't read stuff in Word while in SoftIce.
PART 4: FINAL THANKS
====================

Many thx goes to these following ppl, again:

  Gemz    - bah.
  KarnaK  - thnx for everything.
  Xzi     - Thnx for being a friend.
  eFFeCT  - being gay? :)
  ED!SON  - For his KICK ASS tutors
  tKC     - For also his tuts and giving me the opportunities, thnx a lot
            man :)

Everyone at #C.I.A #Cracking #Crackers #Cracking4Newbies on EFNet, AND
#TeamFortress, #VB on OzOrg. And everyone else that I forgot about :)

Contacting Me (Suggestions + Comments):
  E-Mail: t1cker@hotmail.com
  IRC:    Usually on EFNet as SEKt0r, or tIKA if I can't get SEKt0r as my
          nick :( You can find me usually in the above channels!

*This tutorial, as usual, can only be used for educational purposes!*
*If yer like the program, support the makers and buy it!*

PART 2
~~~~~~

How to make a Crack for Dirt Bike 3D with Win32DASM
By: +SEKt0r

Hiya! I'm back again to haunt you with my tuts... well not really! OK, this
game has OK graphics but the gameplay is great. You can do jumps, wheelies
etc.. It has a L4m3 protection scheme. OK, lets start!

PART 1: TOOLS
=============

You need the following tools:

  Win32DASM (I use 8.93!)
  Dirt Bike 3D
  A brain (duh!)

Get the philes from here:

  www.protools.cjb.net (Great site for cracking tools!)
  www.members.aol.com/bradquick/

After you have gotten the above tools, continue.

PART 2: FINDING THE OFFSET AND PATCHING
=======================================

STEP 1: Install DB3D (Dirt Bike 3D).

STEP 2: Copy DirtBike.exe to 1.exe, then run it.

STEP 3: Bah, a form asking us for a reg code. Enter one and press the OK
        button; damn, a msgbox saying "Invalid Registration Code".

STEP 4: Open up W32DASM and start to disassemble 1.exe. The file 1.exe is
        2.06 MB, so we have to wait a while till it's finished :(

STEP 5: Click on the String Data References (SDR) button and look in the
        dead listing for "Invalid Registration Code".

STEP 6: Found it?!?! When you have, just double click it.
STEP 7: You will come here:

          * Possible StringData Ref from Data Obj ->"Invalid Registration Code"
                                            |
          :00415EE2 6818324400     push 00443218
          :00415EE7 E866D4FEFF     call 00403352
          :00415EEC 83C410         add esp, 00000010

STEP 8: Now go up till you see:

          :00415EA4 83C2DC         add edx, FFFFFFDC
          :00415EA7 8B4508         mov eax, dword ptr [ebp+08]
          :00415EAA 8A5C15BD       mov bl, byte ptr [ebp+edx-43]
          :00415EAE 3A1C08         cmp bl, byte ptr [eax+ecx]
          :00415EB1 7407           je 00415EBA      ; hrmm, jump to badboy

STEP 9: The above should be quite easy to understand: a byte in bl is
        compared with a byte at [eax+ecx], and the je decides where we go.
        What would happen if we changed the je to jne????

STEP 10: Fire up Hiew (best hex editor... I reckon anyway) and open 1.exe.

STEP 11: Change the je to jne at the offset of: 000152B1

         W32DASM shows the virtual address (00415EB1); 000152B1 is the file
         offset Hiew works with. The two bytes there are 74 07 (je short,
         +7): change the 74 to 75 (jne short) and leave the 07 alone.

STEP 12: Run 1.exe, enter any reginfo, click OK. Work?? AYYYYY YEAH BABY!

PART 3: FINAL THANKS
====================

Many thx goes to these following ppl, again:

  KarnaK  - Yer thnx for the TASM stuff and the help, never forget it man
  Xzi     - Thnx for being a friend.
  Gemz    - ya ya ya.. :p
  eFFeCT  - For being a friend and a newbie ;)
  ARSN!K  - For being there to teach me Pascal :)
  WoLf    - For his help + tuts
  ED!SON  - For his KICK ASS tutor
  tKC     - For also his tuts and giving me the opportunities, thnx a lot
            man :)

Everyone at #C.I.A #Cracking #Crackers #Cracking4Newbies #UCF2000 on EFNet,
AND #TeamFortress and #VB on OzOrg. And everyone else that I forgot about :)

Contacting Me:
  E-Mail: t1cker@hotmail.com
  IRC:    Usually on EFNet as SEKt0r, or tIKA if I can't get SEKt0r as my
          nick :( You can find me usually in the above channels!

*This tutorial, as usual, can only be used for educational purposes!*
*If yer like the program, support the makers and buy the program!*

PART 3
~~~~~~

How to make a Crack for Netbuster 1.31 with Win32DASM
By: +SEKt0r

Hey Hey! Well, i'm back, again.. :) OK, Netbuster is SUPPOSED to stop people
from using Netbus on your puter by using some sort of advanced protection.
OK, let's crack this baby...

PART 1: TOOLS
=============

You need the following tools:

  Win32DASM (I use 8.93!)
  Netbuster 1.31
  TurboPascal 7.0
  A brain (duh!)

Get the philes from here:

  www.protools.cjb.net (Great site for cracking tools!)
  http://surf.to/netbuster/???? (533k)

After you have gotten the above tools, continue.

PART 2a: FINDING THE OFFSET
===========================

STEP 1: Unzip Netbuster.

STEP 2: Copy Netbuster.exe to 1.exe, then run it.

STEP 3: Hrmm. When we try to enter a fake name and serial we get a msgbox
        saying "Register to get the code....".

STEP 4: Open up W32DASM and disassemble 1.exe.

STEP 5: Click on the String Data References (SDR) button and look for the
        incorrect password messagebox.

STEP 6: Found it?!?! When you have, just double click it.

STEP 7: You will come here:

          Referenced by a (U)nconditional or (C)onditional Jump at Address:
          |:0045DD89 (C)
          |
          * Possible StringData Ref from Data Obj ->"Register to get the code...."
                                            |
          :0045DDD0 mov eax, 0045DE9C      ; We are here

        Hrmm, what's that (C)onditional jump?? Well, go up to it.

STEP 8: We land here:

          * Possible StringData Ref from Data Obj ->"PF-940827-2030"  ; possible code??
                                            |
          :0045DD7F mov edx, 0045DE10
          :0045DD84 call 00403D54           ; Hrmm, a reg info call?!?!
          :0045DD89 jne 0045DDD0            ; jump to badboy

STEP 9: The above should be quite easy to understand: a string is loaded,
        a call is made, and the jne right after it goes straight to the
        badboy message. What would happen if we changed the jne to je????

        Note the "PF-940827-2030" string loaded just before the call. If it
        really is a hard-coded code, typing it in would register without
        patching anything, which is worth trying before you edit bytes.

STEP 10: Fire up Hiew (best hex editor... I reckon anyway) and open 1.exe.

STEP 11: Change the jne to je at: 0045DD89

         Careful: 0045DD89 is the virtual address W32DASM shows, not a file
         offset (it is larger than the whole 489984-byte file), so in Hiew
         you have to find the jne by its bytes. If it is the 2-byte short
         form the encoding is 75 45 (jne rel8; 0045DDD0 - 0045DD8B = 45).
         Check the disassembly at the hit, then change the 75 to 74 (je).

STEP 12: Run 1.exe, enter any regnumber or whatever, click Register.
         Work?!?! YEAH BABY!

PART 2b: Patching
=================

We have our offset, now we are ready. I have included the Pascal source code
for all the newbies.
Here it is:

Uses Crt;

Const
  { One byte to be patched: the jne (75) at the registration check becomes
    a je (74).  Patch.Offset MUST be the FILE offset that Hiew shows, not
    the address W32DASM shows: $0045DD89 is the virtual address from the
    disassembly and lies past the end of a 489984-byte file, so replace it
    with the Hiew offset before using this.  The OldByte check below makes
    the patcher refuse to write if the offset is wrong. }
  Patch : Record
    Offset  : Longint;
    OldByte : Byte;
    NewByte : Byte;
  End = (Offset:$0045DD89; OldByte:$75; NewByte:$74);

Var
  F : File;                    { untyped file, 1-byte records }
  B : Byte;                    { byte read from / written to the file }
  N : Word;                    { bytes actually read }

Begin                          { Start of the proggy }
  TextColor(White);            { Changes the text colour }
  Writeln(' Crack for Netbuster v1.31 ');
  TextColor(Blue);
  Writeln(' BY: +SEKt0r ');
  TextColor(Red);
  Writeln('Status:');

  Assign(F, 'Netbuster.exe');  { Filename to be patched }
  {$I-} Reset(F, 1); {$I+}
  If IOResult <> 0 Then
  Begin                        { Display error message if file not found }
    Writeln('File not found!');
    Writeln('Put the crack in the same dir as Netbuster.exe');
    Halt(1);                   { Quit the proggy }
  End;

  If FileSize(F) <> 489984 Then  { Exact file size of the 1.31 exe }
  Begin
    Writeln(' Wrong Version/File Size! .. aborted!');
    Close(F);
    Halt(1);
  End;

  { Read the byte first and refuse to patch if it is not the jne we expect }
  Seek(F, Patch.Offset);
  BlockRead(F, B, 1, N);
  If (N <> 1) Or (B <> Patch.OldByte) Then
  Begin
    Writeln(' Byte at offset is not the jne (75) .. aborted!');
    Close(F);
    Halt(1);
  End;

  Seek(F, Patch.Offset);
  B := Patch.NewByte;
  BlockWrite(F, B, 1);         { 1 byte patched }
  Close(F);
  Writeln('File successfully patched!');
End.

PART 3: FINAL THANKS
====================

Many thx goes to these following ppl, again:

  Gemz    - bah.
  KarnaK  - thnx for everything.
  Xzi     - Thnx for being a friend.
  eFFeCT  - being gay? heh :)
  ED!SON  - For his KICK ASS tutors
  tKC     - For his mad tuts, and the new format!

Everyone at #C.I.A #Cracking #Crackers #Cracking4Newbies on EFNet, AND
#TeamFortress, #VB on OzOrg. And everyone else that I forgot about :)

Contacting Me (Suggestions + Comments):
  E-Mail: t1cker@hotmail.com
  IRC:    Usually on EFNet as SEKt0r, or tIKA if I can't get SEKt0r as my
          nick :( You can find me usually in the above channels!
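The same patch done with the address-to-offset step automated, as an added
example (my code, not +SEKt0r's crack and not anything from Dirt Bike 3D or
Netbuster). It is what both the Dirt Bike patch in Part 2 and the Netbuster
patcher above do by hand: walk the PE section table to turn the virtual
address W32DASM prints into the file offset Hiew would show, check that the
byte there really is the jcc opcode you expect (74 = je short, 75 = jne
short), and only then flip it. The executable it patches is constructed in
memory: one .text section at RVA 1000 backed by file offset 400 and an
image base of 00400000, which are assumptions, chosen because under that
layout Part 2's 00415EB1 -> 000152B1 mapping holds; the 74 07 it places at
that offset are the bytes from the Dirt Bike listing.

```python
"""PE-aware conditional-jump patcher (added example; see lead-in)."""
import struct

JE_SHORT, JNE_SHORT = 0x74, 0x75   # short jcc opcodes: 74 xx = je, 75 xx = jne


def pe_sections(data):
    """Parse a PE32 header: (image_base, [(name, rva, vsize, raw_off, raw_size)])."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    nsections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:   # PE32 magic; these targets are 32-bit
        raise ValueError("only PE32 is handled")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(nsections):
        name, vsize, rva, raw_size, raw_off = struct.unpack_from("<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), rva, vsize, raw_off, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """The 'find it in Hiew' step: virtual address -> offset of that byte in the file on disk."""
    image_base, sections = pe_sections(data)
    rva = va - image_base
    for name, srva, vsize, raw_off, raw_size in sections:
        if srva <= rva < srva + max(vsize, raw_size):
            if rva - srva >= raw_size:
                raise ValueError(f"{va:#010x} is in {name} but has no bytes in the file")
            return raw_off + (rva - srva)
    raise ValueError(f"{va:#010x} is not inside any section")


def patch_jcc(data, va, old_opcode, new_opcode):
    """Flip one jcc opcode; refuse if the file does not hold what we expect (wrong version/offset)."""
    off = va_to_file_offset(data, va)
    if data[off] != old_opcode:
        raise ValueError(f"byte at file offset {off:#010x} is {data[off]:02X}, expected {old_opcode:02X}")
    out = bytearray(data)
    out[off] = new_opcode
    return bytes(out), off


def build_sample_pe():
    """Constructed PE32 for the demo (not a real program): one .text section, RVA 0x1000 at raw 0x400."""
    raw_off, rva, size = 0x400, 0x1000, 0x16000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                           # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 0xE0, 0x102)    # i386, 1 section, PE32 optional header
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase (assumed, the usual default)
    sect = struct.pack("<8sIIIIIIHHI", b".text", size, rva, size, raw_off, 0, 0, 0, 0, 0x60000020)
    image = bytearray(raw_off + size)
    header = dos + b"PE\0\0" + coff + opt + sect
    image[:len(header)] = header
    # From the Dirt Bike listing: 00415EB1  7407  je 00415EBA.  Under this layout that VA is offset 000152B1.
    image[0x152B1:0x152B3] = bytes([JE_SHORT, 0x07])
    return bytes(image)


def demo():
    """Turn the Dirt Bike je into a jne; returns (file offset, old byte, new byte)."""
    pe = build_sample_pe()
    patched, off = patch_jcc(pe, 0x415EB1, JE_SHORT, JNE_SHORT)
    return off, pe[off], patched[off]


if __name__ == "__main__":
    off, old, new = demo()
    print(f"file offset {off:#010x}: {old:02X} -> {new:02X}")
```

On a real target you would read the file, call patch_jcc with the W32DASM
address and the opcode the listing shows, and write the result back; the
expected-byte check is what turns a wrong offset or a different program
version into a refusal instead of a silently corrupted executable.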
*This tutorial, as usual, can only be used for educational purposes!*
*If yer like the program, support the makers and buy it!*

PART 4
~~~~~~

Program       : P3TRiCK's CRACKME (VB6)
Url           : http://dont.have.a.clue.yet
Cracker       : SiONiDE/CiA
Protection(s) : Name/Serial & Serial Only
File Size     : 16kb
Tools Used    : Smartcheck v6.01 & SoftIce v4.01
Date          : 01/12/99

Introduction :

This CrackMe is coded in Visual Basic v6, so we will be using SmartCheck to
crack the Name/Serial section. For the Serial Only section, we shall be using
SoftIce. I suggest that if you don't have either of these tools, you download
them before you continue reading this tutorial.

Configuring SmartCheck 6.01 :

Click "Program/Settings", make sure every box is ticked in "Error detection",
and everything except "Report Mouse...." is ticked in "Reporting". If you have
never used SoftIce before, I suggest you get someone's WINICE.DAT before
starting. (SoftIce can only resolve a name like msvbvm60!__vbaStrComp if
WINICE.DAT has an EXP= line for msvbvm60.dll, so check that it is there.)

Part 1 - Name/Serial Section :

Right, lets get started. Unzip the CrackMe and execute it; we see that it has
two sections:

  1: A Name/Serial section, which we shall be attacking first.
  2: A Serial Only section.

Quit the CrackMe and enter SmartCheck. Select "File/Open" and locate
Crackme.exe. I now trust that you have configured your SmartCheck settings;
if not, please refer to the Configuration part of this tutorial.

Step 1. Select "Program/Start" or just press "F5". This will now run the
program through SmartCheck, allowing you to see everything the program is
doing. Go into the "Name/Serial" section of the CrackMe as you did before,
but this time enter a Name and Serial. I entered "Crack-Tut" as the name, and
"11223344" as the serial. Click on "Check", you will get a Message Box saying:
"Bad Serial Entered!"

Step 2. Exit the CrackMe. Everything you had just done was recorded by
SmartCheck. Look at the window which says "Crackme.exe - Program Results".
Double click on "Thread 0 [thread id:4294189867 (0xFFF4232B)]" if it is not
already expanded.
You should now see this:

---------------- Cut from SmartCheck ----------------
- main (Form) created     - Form is created..
- NameSer_Click           - Command Click to enter Name/Serial Section.
- Check_Click             - Check if the Serial is correct.
-------------------- End of Cut ---------------------

We are interested in the "Check_Click" part as it is where the Serial Number
is being calculated and checked.

Step 3. Double click on "Check_Click" and you should see this:

---------------- Cut from SmartCheck ----------------
- Text1.Text
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:1, VARIANT:Integer:1)
- Asc(String:"C") returns Integer:67
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:2, VARIANT:Integer:1)
- Asc(String:"r") returns Integer:114
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:3, VARIANT:Integer:1)
- Asc(String:"a") returns Integer:97
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:4, VARIANT:Integer:1)
- Asc(String:"c") returns Integer:99
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:5, VARIANT:Integer:1)
- Asc(String:"k") returns Integer:107
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:6, VARIANT:Integer:1)
- Asc(String:"-") returns Integer:45
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:7, VARIANT:Integer:1)
- Asc(String:"T") returns Integer:84
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:8, VARIANT:Integer:1)
- Asc(String:"u") returns Integer:117
- Text1.Text
- Mid(VARIANT:String:"Crack-Tu...", long:9, VARIANT:Integer:1)
- Asc(String:"t") returns Integer:116
- Left(VARIANT:Double:3.42937e+011, long:10)
- MsgBox(VARIANT:String:"Bad Seri...", Integer:0, VARIANT:Missing)...
- Text1.Text
-------------------- End of Cut ---------------------

The CrackMe walks the name one character at a time (Mid with a length of 1)
and takes the ASCII value of each (Asc); whatever it does with those numbers
ends up in the Double that is handed to Left().

Step 4. Click on "Left(VARIANT:Double:3.42937e+011, long:10)" and look in the
info window on the right hand side of SmartCheck. You *SHOULD* see this:

---------------- Cut from SmartCheck ----------------
,-- string (variant)
|
|   `- double .dblVal = 342937452410.   <- This is our Serial.
|
`- Long length = 10  0x0000000A         <- the length of the Serial.
-------------------- End of Cut ---------------------

Step 5. As you can see from the diagram, "342937452410" is our serial, and 10
is our serial's length. All we have to do is take the first 10 digits of
"342937452410" to give us our working serial, ie. "3429374524". Go back to
the CrackMe, enter "Crack-Tut" as the name and "3429374524" as the serial,
click "Check", and voila, a nice Message Box saying: "Serial Accepted."

Name/Serial Section complete. 5 easy steps.

Part 2 - Serial Only Section :

For this we will need to use SoftIce. As it is a VB program, make sure that
your WINICE.DAT is configured correctly as advised earlier in this tutorial
(an EXP= line for msvbvm60.dll, so that its exports can be used as
breakpoint names).

Step 1. Enter the CrackMe and go into the Serial Only section, enter any
serial (I entered "11223344") and click on "Check". What's this? A nasty
little Message Box saying "Incorrect Serial Number!" Well, lets get to work.
Press "Ctrl + D" to enter SoftIce. As we know, this is a VB coded CrackMe, so
we're going to need some VB breakpoints. Many VB programs compare strings
through the runtime function "__vbaStrComp". Lets set a Break Point on
Execution (BPX) on it and see what happens. Type:

  BPX msvbvm60!__vbaStrComp

We type "msvbvm60!" because the VB6 runtime is MSVBVM60.DLL. In other words,
if it was coded in VB5, we would type "msvbvm50!" etc.

Step 2. Anyway, press "Ctrl + D" again to return back to the CrackMe. Enter
another serial and click on "Check" again. You should be kicked right back
into SoftIce, stopped on the first instruction of __vbaStrComp. At a
function's entry [ESP] holds the return address and the dwords after it are
the arguments the caller pushed, so type "DD ESP" to look at them. You
should now see this in the data window:

---------------- Cut from SoftIce ----------------
0167:0063F274 661069B8 00000000 0040210C 00410398 .i.f....!@...A
0167:0063F284 00000000 00000000 00000000 00000000 ..............
0167:0063F294 00000000 00000000 00000000 00000000 ..............
0167:0063F2A4 00000000 00000000 00000000 00000000 ..............
------------------ End of Cut --------------------

Step 3. Lets see what's in all of these. Type "D 661069B8": that is the
return address back into the VB runtime, so there's nothing interesting
there. Now type "D 0040210C", and you should see this in your data window:

---------------- Cut from SoftIce ----------------
0167:0040210C 00370056 002D0053 00330031 00350034 V.7.S.-.1.3.4.5.
0167:0040211C 0056002D 00420042 00000000 0000001E -.V.B.B.........
0167:0040212C 006F0043 00720072 00630065 00200074 C.o.r.r.e.c.t...
0167:0040213C 00650053 00690072 006C0061 00000021 S.e.r.i.a.l.!...
------------------ End of Cut --------------------

Step 4. As you can see, our serial is being displayed in the Data Window (VB
strings are Unicode, which is why every character is followed by a 00). Type
"BC *" to clear all breakpoints and then "Ctrl + D" to return back to the
CrackMe. Enter the Serial section again, and enter "V7S-1345-VBB" as the
serial. Voila, another nice Message Box saying "Correct Serial!"

This CrackMe is now cracked!

Part 3 - Ending :

I hope you have enjoyed this tutorial, and that it has made you that little
bit wiser in your cracking knowledge. Expect more tutorials from me in the
future, and don't hesitate to e-mail me comments/suggestions on/for my
tutorials. My e-mail address is: SiONiDE@mail.com

I would like to greet the following people, this is going to take for ever...

AB4DS, ACiD BuRN, aDENOZiN, Alpine, AppBusta, Asmcoded, AtLANtez, Birojuice,
BobjoB, BuLLeT, ByteBurn, Cb[Latin], ChosenFew, Cokine, CrazyK, DarkShadow,
DnNuke, Dr_Code, FileCAT, Fli7e, Gizmo, Hades, HarvestR, HellSpawn, Jane,
LagPRO, Laz, Nitrus, Natazzz, PRED, NorthPole, PeeWee, Pixl, Rayden,
SKORPiEN, Speiks, Syntesi, tKC, TONiC, Trinity, TORN@DO, Yo_oY, zerOOne,
zikariuz, Z-Wing, [iNC], [-tROG-], [Yates], ^InFeRnO^

If I've forgotten anyone, I'm sorry, a lot of people to greet :) Just let me
know.

Cya Next Time...
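What the two SoftIce dumps in Steps 2 and 3 actually contain, as an added
example (my code, not part of SiONiDE's tutorial or the CrackMe): a small
parser that turns SoftIce data-window lines back into bytes, reads the
return address and arguments off the stack dump, resolves the argument that
points into the second dump, and walks that memory as VB BSTRs (a 4-byte
length in bytes, then UTF-16LE text, then a 0000 terminator). That layout is
why the 0000001E sits right in front of "Correct Serial!" in the dump. The
dump text is copied from the tutorial above; the assumptions are that the
dumps are contiguous and that SoftIce stopped on the function's first
instruction, so the first dword at ESP is the return address.

```python
"""Decode SoftIce 'DD'/'D' dumps into bytes and read VB strings out of them (added example; see lead-in)."""
import re

# The two dumps from Part 4, Steps 2 and 3, copied as SoftIce printed them.
ESP_DUMP = """\
0167:0063F274 661069B8 00000000 0040210C 00410398 .i.f....!@...A
0167:0063F284 00000000 00000000 00000000 00000000 ..............
"""
DATA_DUMP = """\
0167:0040210C 00370056 002D0053 00330031 00350034 V.7.S.-.1.3.4.5.
0167:0040211C 0056002D 00420042 00000000 0000001E -.V.B.B.........
0167:0040212C 006F0043 00720072 00630065 00200074 C.o.r.r.e.c.t...
0167:0040213C 00650053 00690072 006C0061 00000021 S.e.r.i.a.l.!...
"""

# selector:offset followed by up to four dwords; the ASCII column after them is ignored
DUMP_LINE = re.compile(r"^[0-9A-Fa-f]{4}:([0-9A-Fa-f]{8})((?:\s+[0-9A-Fa-f]{8}){1,4})")


def parse_dump(text):
    """Return (start_address, bytes). SoftIce prints each dword little-endian: 00370056 is 56 00 37 00."""
    start, mem = None, bytearray()
    for line in text.splitlines():
        m = DUMP_LINE.match(line.strip())
        if not m:
            continue
        addr = int(m.group(1), 16)
        if start is None:
            start = addr
        elif addr != start + len(mem):
            raise ValueError(f"dump is not contiguous at {addr:#010x}")
        for dword in m.group(2).split():
            mem += int(dword, 16).to_bytes(4, "little")
    if start is None:
        raise ValueError("no dump lines found")
    return start, bytes(mem)


def stack_at_entry(text, nargs=3):
    """At a function's first instruction [ESP] is the return address; the caller's arguments follow it."""
    _start, mem = parse_dump(text)
    words = [int.from_bytes(mem[i:i + 4], "little") for i in range(0, 4 * (nargs + 1), 4)]
    return words[0], words[1:]


def utf16_at(mem, start, addr):
    """Read a 0000-terminated UTF-16LE string (what a BSTR pointer points at) out of the dump."""
    i = end = addr - start
    while end + 1 < len(mem) and mem[end:end + 2] != b"\0\0":
        end += 2
    return mem[i:end].decode("utf-16-le")


def bstrs(mem, start):
    """Find every complete BSTR in the dump: length prefix, UTF-16LE text, 0000 terminator.
    Returns (address a BSTR pointer would hold, text)."""
    found = []
    for i in range(0, len(mem) - 4, 4):
        n = int.from_bytes(mem[i:i + 4], "little")
        if n == 0 or n % 2 or i + 4 + n + 2 > len(mem) or mem[i + 4 + n:i + 6 + n] != b"\0\0":
            continue
        try:
            text = mem[i + 4:i + 4 + n].decode("utf-16-le")
        except UnicodeDecodeError:
            continue
        if text.isprintable():
            found.append((start + i + 4, text))
    return found


def serial_from_dumps(esp_text=ESP_DUMP, data_text=DATA_DUMP):
    """Resolve every stack argument that points into the data dump: {address: string}."""
    start, mem = parse_dump(data_text)
    _ret, args = stack_at_entry(esp_text)
    return {a: utf16_at(mem, start, a) for a in args if start <= a < start + len(mem)}


if __name__ == "__main__":
    start, mem = parse_dump(DATA_DUMP)
    for addr, s in serial_from_dumps().items():
        print(f"argument {addr:#010x} -> {s!r}")
    for addr, s in bstrs(mem, start):
        print(f"BSTR at {addr:#010x} -> {s!r}")
```

The other pointer on the stack, 00410398, is not inside the dump the
tutorial shows, so it cannot be resolved here; with a wider "D" dump the
same code would decode it too, which is the quickest way to see both sides
of a __vbaStrComp call without single-stepping into it.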
- SiONiDE/cRACKERS iN aCTiON '99

PART 5
~~~~~~

CoolZip v1.01
http://www.innersky.com/coolzip

CoolZip is an easy to use 32 bit compression/decompression program. It can
handle zip, cab, lha, uue, xxe, and many more formats. Full drag'n drop
support. Windows shell integration.

1) Run COOLZIP.EXE

2) Click on the "Help" menu and click on the "Register" button. Enter the
   following:

     Name           : mISTER fANATIC [C4A]
     Registration # : 1122334455

3) Press "CTRL-D" to enter SoftIce, type "bpx hmemcpy", and press "CTRL-D"
   to return to CoolZip. Finally, click on the "Register" button to register
   and you are back in SoftIce. (hmemcpy is a Win9x thing; on NT it does not
   exist, so use GetDlgItemTextA/GetWindowTextA as in Part 1 instead.)

4) Press "F12" 12 times until you reach the following:

     xxxx:004B846A 8B45F4      MOV EAX,[EBP-0C]
     xxxx:004B846D B958000000  MOV ECX,00000058
     xxxx:004B8472 BA7C854B00  MOV EDX,004B857C
     xxxx:004B8477 E8F8010000  CALL 004B8674     <-- KeyGen routine
     xxxx:004B847C 8B45F8      MOV EAX,[EBP-08]
     xxxx:004B847F 50          PUSH EAX          <-- real reg code

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Press "F10" until you reach the line below:

     xxxx:004B847F 50          PUSH EAX          <-- real reg code

7) At line xxxx:004B847F, type "d eax" and you will see something
   interesting like "58A680BC7DB860E535150C221A193732F45BE04DC6". Hah, it's
   the real registration code.

8) Press "CTRL-D" to return to CoolZip. Enter the following and click the
   "Ok" button:

     Name           : mISTER fANATIC [C4A]
     Registration # : 58A680BC7DB860E535150C221A193732F45BE04DC6

   BOOM, it's registered!

Well, I hope you learned something from this tutorial.
mailto: c4a@iname.com

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor
#56 soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
  Socko          for Interface.
  PeeWee         for Splash Logo
  +SEKt0r        for providing 3 tuts in this version.
  SiONiDE        for providing a tut in this version.
  mISTER fANATIC for providing a tut in this version.
  tKC            for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials.. see below for my email address!

*** 75 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled with Delphi 5 on 13 December 1999

Cracking Tutorial #55 is dedicated to 9 Pearls in a Oyster... esp Mandy!