Welcome to Cracking Tutorial #56!

Hiya guys, Xmas time! Enjoy these fine tutors #56 and #57 as a gift.. :)
And may the year 2000 bring you a great time at cracking!

OK, let's rave! ...err, should I say let's jingle? :)


TOOLS
~~~~~

You'll need the following tools (I use these tools and I assume you'll use
them too, but it doesn't mean that you'll need all of them, so be sure to
have them handy for the examples in this tutorial!):

  SoftICE v4.01
  W32Dasm v8.93
  Hacker's View v6.20
  SmartCheck v6.03
  ProcDump32 v1.6
  Windows Commander 4.02 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to
get them when you used my older tutorials. Here is a good site where you
can grab tools from: http://protools.cjb.net or http://w3.to/protools
or ask any crackers to get you these tools!

Are you ready?! OK! ;)


PART 1
~~~~~~

ColorSet v1.7
http://www.colorset.cjb.net

What is ColorSet? This shareware utility is made for selecting the
background colors and the font size/color on a web page. In this case, it
translates the hex representation of the colors to the basic RGB colors
(and back).

1) Run COLORSET.EXE and you will see a popup message.

2) Click on the "Register" button and enter the following:

     User Name         : mISTER fANATIC [C4A]
     Registration Code : 11223344

3) Press "CTRL-D" to return into SoftICE, type "bpx hmemcpy", and press
   "CTRL-D" to return into ColorSet. Finally, click on the "Register"
   button to register and you are back in SoftICE.
4) Press "F12" 13 times until you reach the following:

     xxxx:0046BD73 837DF800       CMP DWORD PTR [EBP-08],00
     xxxx:0046BD77 750D           JNZ 0046BD86
     xxxx:0046BD79 8D45F8         LEA EAX,[EBP-08]
     xxxx:0046BD7C BA74BE4600     MOV EDX,0046BE74
     xxxx:0046BD81 E8A67CF9FF     CALL 00403A2C
     xxxx:0046BD86 8D55F0         LEA EDX,[EBP-10]
     xxxx:0046BD89 8B45F8         MOV EAX,[EBP-08]
     xxxx:0046BD8C E8C7FCFFFF     CALL 0046BA58        <-- KeyGen routine
     xxxx:0046BD91 8B45F0         MOV EAX,[EBP-10]
     xxxx:0046BD94 50             PUSH EAX             <-- real reg code

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Press "F10" until you reach the line below:

     xxxx:0046BD94 50             PUSH EAX             <-- real reg code

7) At line xxxx:0046BD94, type "d eax" and you will see something
   interesting like "1Q1913S". Hah, it's the real registration code.

8) Press "CTRL-D" to return to ColorSet. Enter the following and click
   the "Ok" button:

     User Name         : mISTER fANATIC [C4A]
     Registration Code : 1Q1913S

BOOM, it's registered!

Well, I hope you learned something from this tutorial.

mailto: c4a@iname.com


PART 2
~~~~~~

Winslide 2000 v2.1
http://www.innersky.com/winslide

Winslide is a 32 bit screen saver that can display your own images. Use it
to display your favorite pictures of your family, your pet, any image you
got...

1) Run Winslide by going to "Display Properties". Click on "Screen Saver"
   and select "Winslide" as your screen saver. Then, click on the
   "Settings..." button.

2) Finally, double click on the "x" or cross below the preview window.
   Enter the following:

     Name    : mISTER fANATIC [C4A]
     Company :
     Serial  : 11223344

3) Press "CTRL-D" to return into SoftICE, type "bpx hmemcpy", and press
   "CTRL-D" to return into Winslide. Finally, click on the "Register"
   button to register and you are back in SoftICE.
4) Press "F12" 12 times until you reach the following:

     xxxx:00443C4B 8B45F4         MOV EAX,[EBP-0C]
     xxxx:00443C4E B986000000     MOV ECX,00000086
     xxxx:00443C53 BA743D4400     MOV EDX,00443D74
     xxxx:00443C58 E813FDFFFF     CALL 00443D74        <-- KeyGen routine
     xxxx:00443C5D 8B45F8         MOV EAX,[EBP-08]
     xxxx:00443C60 50             PUSH EAX             <-- real reg code

5) Type "bd 0" or "bd *" to disable the breakpoint.

6) Press "F10" until you reach the line below:

     xxxx:00443C60 50             PUSH EAX             <-- real reg code

7) At line xxxx:00443C60, type "d eax" and you will see something
   interesting like "869E8E8D8AA29DD153F9210E093FEB60D079C46AAC". Hah,
   it's the real registration code.

8) Press "CTRL-D" to return to Winslide. Enter the following and click
   the "Ok" button:

     Name    : mISTER fANATIC [C4A]
     Company :
     Serial  : 869E8E8D8AA29DD153F9210E093FEB60D079C46AAC

BOOM, it's registered!

Well, I hope you learned something from this tutorial.

mailto: c4a@iname.com


PART 3
~~~~~~

Name     : Norton Antivirus
Version  : 5.0
Editor   : Symantec
Target   : Navw32.exe
Tools    : Softice
           Brain
Cracker  : LW2000
Tutorial : No.14
http://www.symantec.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

Please excuse my poor English, it's not my mother language....

Ok! First we must tell Norton Antivirus that we are online with Symantec,
because we would like to enter our Unlock-Code. Our goal is to display the
unlock window.

1. Start NAV and press "Buy Now". Close NAV. Open the Rsagent.ini that is
   located in your Windows directory and change mailstat = 0 to
   mailstat = 1. Save your work.

2. Load NAV and press "Buy Now" again. Press [ctrl]+[d] to switch to
   SoftICE. Type 'bpx getdlgitemtexta' to set a breakpoint on
   getdlgitemtexta. Press F5 to return to Norton Antivirus.

3. Enter the details:

     First Name : LW2000
     Last Name  : greetz to tKC
     Code       : 1234567890

   Press [OK]. SIce pops up.

4. Press F11 to get the caller. Goto

     10005681 83F90A          CMP ECX,0A

   Type '? ecx'.
   You'll see this:

     0000000A  0000000010  "0"        <-- length of your code

5. Trace with F10 to this piece of code.

     10005708 51              PUSH ECX
     10005709 52              PUSH EDX
     1000570A 50              PUSH EAX
     1000570B E870630000      CALL 00BA80
     10005710 83C40C          ADD ESP,0C
     10005713 8D8C24D8000000  LEA ECX,[ESP+000000D8]

6. Goto '1000571A PUSH 10030F40' then type 'd 100030F40'. Your code will
   be shown. Now goto '1000571F PUSH ECX' then type 'd ecx'. This will
   show the correct unlock code. Enter 'db *' and press F5 to return to
   NAV. Now enter your correct unlock code. Press [OK].

Congratulations! You are a registered user!

FINISH! Easy, or?

cu LW2000
Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!


PART 4
~~~~~~

Name     : VirusScan
Version  : 4.0.3
Editor   : McAfee
Target   : Navw32.exe
Tools    : W32Dasm 8.93
           Hiew 6.16
           Brain
Cracker  : LW2000
Tutorial : No.15
ftp://ftp.nai.com/pub/antivirus/win95/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

Please excuse my poor English, it's not my mother language....

1. McAfee VirusScan has no option to enter a kind of registration code,
   but we see in the about box "About McAfee VirusScan Evaluation Copy".
   Write it down. Load W32Dasm with VirusScan and go to the String Data
   Reference. Doubleclick on "About McAfee VirusScan Evaluation Copy" and
   close the SDR window.

     * Possible Reference to Dialog: DialogID_0067, CONTROL_ID:0452, "McAfee VirusScan"
     |
     :004014CD 6852040000              push 00000452
     :004014D2 55                      push ebp
     :004014D3 FFD6                    call esi
     :004014D5 50                      push eax
     :004014D6 FFD7                    call edi
     :004014D8 8D842470010000          lea eax, dword ptr [esp+00000170]
     :004014DF 6804010000              push 00000104
     :004014E4 50                      push eax
     :004014E5 E8F6E30000              call 0040F8E0
     :004014EA 83C408                  add esp, 00000008
     :004014ED 85C0                    test eax, eax
     :004014EF 7411                    je 00401502       <---- First Test!
     :004014F1 8D4C246C                lea ecx, dword ptr [esp+6C]
     :004014F5 6804010000              push 00000104
     :004014FA 51                      push ecx

     * Possible Reference to String Resource ID=40120: "About McAfee VirusScan OEM Edition"
     |
     :004014FB 68B89C0000              push 00009CB8
     :00401500 EB27                    jmp 00401529

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004014EF(C)
     |
     :00401502 8B842488040000          mov eax, dword ptr [esp+00000488]
     :00401509 6804010000              push 00000104
     :0040150E 83F801                  cmp eax, 00000001
     :00401511 750C                    jne 0040151F      <--- jumps to Evaluation Version
     :00401513 8D542470                lea edx, dword ptr [esp+70]
     :00401517 52                      push edx

     * Possible Reference to String Resource ID=40102: "About McAfee VirusScan"
     |
     :00401518 68A69C0000              push 00009CA6
     :0040151D EB0A                    jmp 00401529

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00401511(C)
     |
     :0040151F 8D442470                lea eax, dword ptr [esp+70]
     :00401523 50                      push eax

     * Possible Reference to String Resource ID=40103: "About McAfee VirusScan Evaluation Copy"

2. At address 4014EF we see a first check. If this check fails the proggy
   jumps to the OEM version. Hey, that's not what we want.. *G* Let's fix
   it. I think you know what to do... (... note the offset, start Hiew,
   goto offset, change je to jmp, save...)

   But there is still a second test in line 401511. Let's fix it, too.
   Nope it! (... note the offset, start Hiew, goto offset, change 750C
   (jne) to 9090 (2x NOP), save...)

3. Looks fine, but after a 30 day trial the proggy shows a msg and exits.
   Note the msg and click on the SDR window. Doubleclick on our message.
   Close the SDR window.
   This is what we've got:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:0040F55F(C)
     |
     * Possible StringData Ref from Data Obj ->"ECLicenseFunction"
     |
     :0040F56E 68C4794300              push 004379C4
     :0040F573 53                      push ebx

     * Reference To: KERNEL32.GetProcAddress, Ord:0116h
     |
     :0040F574 FF1578E84300            Call dword ptr [0043E878]
     :0040F57A 8BD8                    mov ebx, eax
     :0040F57C 85DB                    test ebx, ebx
     :0040F57E 0F84BE000000            je 0040F642
     :0040F584 E8B7020000              call 0040F840
     :0040F589 85C0                    test eax, eax
     :0040F58B 7510                    jne 0040F59D
     :0040F58D 8B842428020000          mov eax, dword ptr [esp+00000228]
     :0040F594 85C0                    test eax, eax

     * Possible Reference to String Resource ID=00002: "In Folder"
     |
     :0040F596 B802000000              mov eax, 00000002
     :0040F59B 7405                    je 0040F5A2

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:0040F58B(C)
     |
     * Possible Reference to String Resource ID=00005: "&Clean File"
     |
     :0040F59D B805000000              mov eax, 00000005

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:0040F59B(C)
     |
     :0040F5A2 8D4C2470                lea ecx, dword ptr [esp+70]
     :0040F5A6 8D542418                lea edx, dword ptr [esp+18]
     :0040F5AA 51                      push ecx
     :0040F5AB 52                      push edx
     :0040F5AC 8D8C2488000000          lea ecx, dword ptr [esp+00000088]
     :0040F5B3 6814BF4300              push 0043BF14
     :0040F5B8 51                      push ecx
     :0040F5B9 56                      push esi
     :0040F5BA 50                      push eax
     :0040F5BB FFD3                    call ebx
     :0040F5BD 8B44242C                mov eax, dword ptr [esp+2C]
     :0040F5C1 83C418                  add esp, 00000018
     :0040F5C4 85C0                    test eax, eax
     :0040F5C6 7410                    je 0040F5D8
     :0040F5C8 837C247803              cmp dword ptr [esp+78], 00000003
     :0040F5CD 7509                    jne 0040F5D8

     * Possible Reference to String Resource ID=00100: "YES"
     |
     :0040F5CF C7400864000000          mov [eax+08], 00000064
     :0040F5D6 EB6A                    jmp 0040F642

     * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
     |:0040F5C6(C), :0040F5CD(C)
     |
     :0040F5D8 837C247001              cmp dword ptr [esp+70], 00000001
     :0040F5DD 7563                    jne 0040F642
     :0040F5DF 8D942420010000          lea edx, dword ptr [esp+00000120]
     :0040F5E6 6800010000              push 00000100
     :0040F5EB 52                      push edx

     * Possible Reference to String Resource ID=03145: "The program license has expired. You must purchase to conti"

   We scroll up to see where the msg is called and see two references. Two
   jumps, first by 40F5C6 and the second by 40F5CD. Then we see 0040F5D6
   jmp 0040F642, this is the jump to the program start. Scroll a bit more
   up to see a reference to address 0040F59B. From there we jump to the
   piece of code that pops up the messagebox. At 40F58B is another check.
   We'll put here our jump to the program start (jmp 0040F642). By doing
   this, we knock out the msg box and the proggy can be used over the
   trial time.

Congratulations! You have cracked McAfee VirusScan.

FINISH! Easy, or?

cu LW2000
Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!


PART 5
~~~~~~

Name     : Applet Button Factory
Version  : 5.0
Editor   : CoffeeCup
Target   : Applet Button Factory.exe
Tools    : W32Dasm 8.93
           Hiew 6.16
           Brain
Cracker  : LW2000
Tutorial : No.16
http://www.coffeecup.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

Please excuse my poor English, it's not my mother language....

1. Go to the register screen and enter LW2000 as username and 1234 as
   registration code. *BOOM* Incorrect username and password. Note this
   text and exit Applet Button Factory. Fire up W32Dasm with Applet Button
   Factory.exe and click on the string data reference. Doubleclick on
   'Incorrect username and password' and close the SDR window.

     * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
     |:004752E4(C), :0047530C(C)          <--- here we come from...
     |
     * Possible StringData Ref from Code Obj -> "Incorrect username and password."

2. Let's take a look at these two references!
     * Possible StringData Ref from Code Obj ->"12aew"
     |
     :004752D8 BAC8534700              mov edx, 004753C8
     :004752DD E82A3BF9FF              call 00408E0C
     :004752E2 85C0                    test eax, eax
     :004752E4 0F85B0000000            jne 0047539A      <-- if not equal jmp to msg
     :004752EA 8D55FC                  lea edx, dword ptr [ebp-04]
     :004752ED 8B8318030000            mov eax, dword ptr [ebx+00000318]
     :004752F3 E80CB8FBFF              call 00430B04
     :004752F8 8B45FC                  mov eax, dword ptr [ebp-04]
     :004752FB E8B0ECF8FF              call 00403FB0

     * Possible StringData Ref from Code Obj ->"9j8f5"
     |
     :00475300 BAD0534700              mov edx, 004753D0
     :00475305 E8023BF9FF              call 00408E0C
     :0047530A 85C0                    test eax, eax

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004752A5(C)
     |
     :0047530C 0F8588000000            jne 0047539A      <-- if not equal jump to message
     :00475312 A1E04B4B00              mov eax, dword ptr [004B4BE0]
     :00475317 8B00                    mov eax, dword ptr [eax]
     :00475319 8B8038030000            mov eax, dword ptr [eax+00000338]
     :0047531F 33D2                    xor edx, edx
     :00475321 E8CEB6FBFF              call 004309F4
     :00475326 A1E04B4B00              mov eax, dword ptr [004B4BE0]
     :0047532B 8B00                    mov eax, dword ptr [eax]

3. I LOVE THOSE STUPID PROGRAMMERS! Seems that we have two very hard coded
   serials *g* 9j8f5 and 12aew, but let's play a bit with Hiew. Write down
   the offsets from 4752E4 and from 47530C. Fire up Hiew and change both
   jmp's from jne to je.

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000
Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!


ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #57 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

  Socko           for Interface.
  InfErNo         for Splash Logo
  LW2000          for providing 3 tuts in this version.
  mISTER fANATIC  for providing 2 tuts in this version.
  tKC             for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the
next tutorials .. see below for my email address!
*** 75 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled with Delphi 5 on 22 December 1999

Cracking Tutorial #56 is dedicated to Valencia...
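Appended editor's note, not part of any of the tutors above and not code from any of the products they name: Parts 1, 2 and 5 all succeed for the same design reason, the product either stores the genuine serial as a literal (so a string-data-reference listing shows it) or computes it on the customer's machine (so it sits in memory right before the compare). The example below puts those two check shapes next to one where the product ships only a verification key, so neither the string table nor a memory dump yields a valid code for a new name; the RSA parameters are constructed toy values, the function names are the author's own, and `client_keygen` is a made-up derivation standing in for a routine like the ones dumped in Parts 1 and 2.

```python
import hashlib

# --- Weak shape 1 (Part 5): the genuine serial is a literal in the binary ---
def check_hardcoded(serial: str) -> bool:
    return serial == "12aew"      # shows up verbatim in the string-data references

# --- Weak shape 2 (Parts 1 and 2): the real code is derived on the client ---
def client_keygen(name: str) -> str:
    # constructed derivation; the point is only that it runs inside the product
    return hashlib.sha1(name.encode("utf-8")).hexdigest()[:7].upper()

def check_client_derived(name: str, serial: str) -> bool:
    # the real code is in memory right before this compare, ready to be dumped
    return serial == client_keygen(name)

# --- Hardened shape: the vendor signs the name; the product holds only (N, E) ---
# Constructed toy RSA parameters so the block runs stand-alone offline; a real
# product uses a signature library with a proper key size (Ed25519, RSA-2048).
_P, _Q = 1000000007, 998244353         # constructed primes, far too small for real use
N = _P * _Q                            # public modulus, embedded in the product
E = 65537                              # public exponent, embedded in the product
_D = pow(E, -1, (_P - 1) * (_Q - 1))   # private exponent: stays with the vendor

def _name_digest(name: str) -> int:
    h = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(h, "big") % N

def vendor_sign(name: str) -> str:
    """Runs only on the vendor's side; returns the license code for a name."""
    return format(pow(_name_digest(name), _D, N), "x")

def check_signed(name: str, serial: str) -> bool:
    """What ships in the product: verifies with the public exponent only."""
    try:
        sig = int(serial, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == _name_digest(name)

if __name__ == "__main__":
    code = vendor_sign("LW2000")
    print("hardcoded :", check_hardcoded("12aew"))
    print("derived   :", check_client_derived("LW2000", client_keygen("LW2000")))
    print("signed    :", check_signed("LW2000", code), check_signed("tKC", code))
```

The signed shape removes only the code-recovery paths; a patched conditional jump of the kind shown in Parts 4 and 5 still bypasses any check that runs entirely on the client, which is why vendors pair it with integrity checks or server-side validation.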