Welcome to Cracking Tutorial #57!

Hiya guys, Xmas time! Enjoy these fine tutors #56 and #57 as a gift.. :)
And may the year 2000 bring you a great time at cracking!

OK, let's rave! ...err, should I say let's jingle? :)


TOOLS
~~~~~

You'll need the following tools: (I use these tools, and I assume you'll
use them too, but that doesn't mean you'll need all of them; just be sure
to have them handy for the examples in this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6
Windows Commander 4.02 (I use it because it makes multitasking easier)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools, since you had a chance to
get them when you used my older tutorials. Here is a good site where you
can grab tools from:

http://protools.cjb.net or http://w3.to/protools

or ask any cracker to get you these tools!

Are you ready?! OK! ;)


PART 1
~~~~~~

Name     : Xara 3D
Version  : 3.04
Editor   : Xara
Target   : xara3d304.exe
Tools    : W32Dasm 8.93
           Hiew 6.16
           Brain
Cracker  : LW2000
Tutorial : No.17

http://www.xara.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

Please excuse my poor English, it's not my mother language....

1. OK, go to the registration screen and enter the details. *BOOM*
   "You entered an invalid unlock code." Seems that we found a bug ;)
   Let's fix it. Load xara3d304.exe into W32Dasm. Click on the SDR (String
   Data References) and search for our message text. Double-click on it and
   close the SDR window. Now it should look like this:

   * Possible Reference to String Resource ID=03005: "You entered an invalid unlock code."

2. Scroll up until you see this:

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:0040FA34(C), :0040FA48(C), :0040FA64(C), :0040FA80(C), :0040FA9C(C)
   |:0040FAB8(C), :0040FAD4(C), :0040FAF0(C), :0040FB5D(C)

3. Let's take a look at it. Go to Code Location 0040FA34.

:0040FA34 0F85DC010000     jne 0040FC16                          <-- 1. Check
:0040FA3A 0FBE10           movsx edx, byte ptr [eax]
:0040FA3D 52               push edx
:0040FA3E E89D7E0500       call 004678E0
:0040FA43 83C404           add esp, 00000004
:0040FA46 85C0             test eax, eax
:0040FA48 0F84C8010000     je 0040FC16                           <-- 2. Check
:0040FA4E 8B842440010000   mov eax, dword ptr [esp+00000140]
:0040FA55 0FBE4801         movsx ecx, byte ptr [eax+01]
:0040FA59 51               push ecx
:0040FA5A E8817E0500       call 004678E0
:0040FA5F 83C404           add esp, 00000004
:0040FA62 85C0             test eax, eax
:0040FA64 0F84AC010000     je 0040FC16                           <-- 3. Check
:0040FA6A 8B942440010000   mov edx, dword ptr [esp+00000140]
:0040FA71 0FBE4202         movsx eax, byte ptr [edx+02]
:0040FA75 50               push eax
:0040FA76 E8657E0500       call 004678E0
:0040FA7B 83C404           add esp, 00000004
:0040FA7E 85C0             test eax, eax
:0040FA80 0F8490010000     je 0040FC16                           <-- 4. Check
:0040FA86 8B8C2440010000   mov ecx, dword ptr [esp+00000140]
:0040FA8D 0FBE5103         movsx edx, byte ptr [ecx+03]
:0040FA91 52               push edx
:0040FA92 E8497E0500       call 004678E0
:0040FA97 83C404           add esp, 00000004
:0040FA9A 85C0             test eax, eax
:0040FA9C 0F8474010000     je 0040FC16                           <-- 5. Check
:0040FAA2 8B842440010000   mov eax, dword ptr [esp+00000140]
:0040FAA9 0FBE4804         movsx ecx, byte ptr [eax+04]
:0040FAAD 51               push ecx
:0040FAAE E82D7E0500       call 004678E0
:0040FAB3 83C404           add esp, 00000004
:0040FAB6 85C0             test eax, eax
:0040FAB8 0F8458010000     je 0040FC16                           <-- 6. Check
:0040FABE 8B942440010000   mov edx, dword ptr [esp+00000140]
:0040FAC5 0FBE4205         movsx eax, byte ptr [edx+05]
:0040FAC9 50               push eax
:0040FACA E8117E0500       call 004678E0
:0040FACF 83C404           add esp, 00000004
:0040FAD2 85C0             test eax, eax
:0040FAD4 0F843C010000     je 0040FC16                           <-- 7. Check
:0040FADA 8B8C2440010000   mov ecx, dword ptr [esp+00000140]
:0040FAE1 0FBE5106         movsx edx, byte ptr [ecx+06]
:0040FAE5 52               push edx
:0040FAE6 E8F57D0500       call 004678E0
:0040FAEB 83C404           add esp, 00000004
:0040FAEE 85C0             test eax, eax
:0040FAF0 0F8420010000     je 0040FC16                           <-- 8. Check
          ...              (code between 0040FAF6 and 0040FB55 not shown)
:0040FB55 69C951ED8764     imul ecx, 6487ED51
:0040FB5B 3BC1             cmp eax, ecx
:0040FB5D 0F85B3000000     jne 0040FC16                          <-- 9. Check

   So: check 1 bails out on a compare that is just above the listing;
   checks 2 to 8 pass the seven characters of the entered code (offsets 0
   to 6 of the string at [esp+140]) one by one to the routine at 004678E0
   and give up as soon as it returns zero; check 9 compares a value
   computed from the code (eax) with another value multiplied by 6487ED51
   (the arithmetic before 0040FB55 is not in the listing).

4.
OK, we have nine checks. Let's fix them! Business as usual: change the jne
to je and the je to jne. I think there is no need to explain how to do this
in Hiew. If you don't know how, read my old tuts or take a look into other
tKC Cracking Tutorials... (Keep in mind what this patch does: a code is now
accepted only if it fails all nine checks, e.g. one that is not seven
characters long, and a genuine code would be rejected. If you would rather
accept any input, overwrite the conditional jumps with NOPs instead.)

5. Done? OK, let's try again to register. Congratulations! You are a
   registered user.

FINISH! Easy, or?

cu
LW2000

Any comments? Mail me: LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!


PART 2
~~~~~~

Name      : Xara Webstyle
Version   : 1.2
Editor    : Xara
Target    : webstyle.exe
s/n saved : HKEY_CURRENT_USER\Software\Xara\WebStyle\Options\ModelFlags
Tools     : W32Dasm 8.93
            Hiew 6.16
            Brain
Cracker   : LW2000
Tutorial  : No.18

http://www.xara.com/

1. OK, go to the registration screen and enter the details. *BOOM*
   'Invalid number. Please contact Xara ...' Seems that we found a bug ;)
   Let's fix it. Load webstyle.exe into W32Dasm. Click on the SDR and
   search for our message text. Double-click on it and close the SDR
   window. Now it should look like this:

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:0045013C(C), :00450150(C), :00450169(C), :00450182(C), :0045019B(C)
   |:004501B4(C), :004501CD(C), :004501E6(C), :00450251(C)

   :00450284 6A02             push 00000002
   :00450286 6A01             push 00000001
   :00450288 6A00             push 00000000
   :0045028A 6A00             push 00000000
   :0045028C 6A00             push 00000000
   :0045028E 6A00             push 00000000

   * Possible Reference to String Resource ID=18500: "Invalid number. Please contact Xara technical support@xara.c"

2. Let's take a look at the code. Go to Code Location 0045013C.
* Referenced by a CALL at Addresses:
|:0044F9AD   , :0044FA28
|
:00450100 64A100000000     mov eax, dword ptr fs:[00000000]
:00450106 6AFF             push FFFFFFFF
:00450108 681FB04A00       push 004AB01F
:0045010D 50               push eax
:0045010E 8B442410         mov eax, dword ptr [esp+10]
:00450112 64892500000000   mov dword ptr fs:[00000000], esp
:00450119 50               push eax
:0045011A 8D4C2414         lea ecx, dword ptr [esp+14]
:0045011E E8AC520400       call 004953CF
:00450123 8D4C2410         lea ecx, dword ptr [esp+10]
:00450127 C744240800000000 mov [esp+08], 00000000
:0045012F E8CC580400       call 00495A00
:00450134 8B442410         mov eax, dword ptr [esp+10]         <-- eax = entered code
:00450138 8378F807         cmp dword ptr [eax-08], 00000007   <-- string length == 7 ?
:0045013C 0F8542010000     jne 00450284                        <-- 1. Check
:00450142 0FBE08           movsx ecx, byte ptr [eax]
:00450145 51               push ecx
:00450146 E8F5F20200       call 0047F440
:0045014B 83C404           add esp, 00000004
:0045014E 85C0             test eax, eax
:00450150 0F842E010000     je 00450284                         <-- 2. Check
:00450156 8B542410         mov edx, dword ptr [esp+10]
:0045015A 0FBE4201         movsx eax, byte ptr [edx+01]
:0045015E 50               push eax
:0045015F E8DCF20200       call 0047F440
:00450164 83C404           add esp, 00000004
:00450167 85C0             test eax, eax
:00450169 0F8415010000     je 00450284                         <-- 3. Check
:0045016F 8B4C2410         mov ecx, dword ptr [esp+10]
:00450173 0FBE5102         movsx edx, byte ptr [ecx+02]
:00450177 52               push edx
:00450178 E8C3F20200       call 0047F440
:0045017D 83C404           add esp, 00000004
:00450180 85C0             test eax, eax
:00450182 0F84FC000000     je 00450284                         <-- 4. Check
:00450188 8B442410         mov eax, dword ptr [esp+10]
:0045018C 0FBE4803         movsx ecx, byte ptr [eax+03]
:00450190 51               push ecx
:00450191 E8AAF20200       call 0047F440
:00450196 83C404           add esp, 00000004
:00450199 85C0             test eax, eax
:0045019B 0F84E3000000     je 00450284                         <-- 5. Check
:004501A1 8B542410         mov edx, dword ptr [esp+10]
:004501A5 0FBE4204         movsx eax, byte ptr [edx+04]
:004501A9 50               push eax
:004501AA E891F20200       call 0047F440
:004501AF 83C404           add esp, 00000004
:004501B2 85C0             test eax, eax
:004501B4 0F84CA000000     je 00450284                         <-- 6. Check
:004501BA 8B4C2410         mov ecx, dword ptr [esp+10]
:004501BE 0FBE5105         movsx edx, byte ptr [ecx+05]
:004501C2 52               push edx
:004501C3 E878F20200       call 0047F440
:004501C8 83C404           add esp, 00000004
:004501CB 85C0             test eax, eax
:004501CD 0F84B1000000     je 00450284                         <-- 7. Check
:004501D3 8B442410         mov eax, dword ptr [esp+10]
:004501D7 0FBE4806         movsx ecx, byte ptr [eax+06]
:004501DB 51               push ecx
:004501DC E85FF20200       call 0047F440
:004501E1 83C404           add esp, 00000004
:004501E4 85C0             test eax, eax
:004501E6 0F8498000000     je 00450284                         <-- 8. Check
:004501EC 8B442410         mov eax, dword ptr [esp+10]
:004501F0 0FBE4804         movsx ecx, byte ptr [eax+04]
:004501F4 8D1449           lea edx, dword ptr [ecx+2*ecx]     <-- edx = 3*c[4]
:004501F7 0FBE4806         movsx ecx, byte ptr [eax+06]
:004501FB 8D0CD1           lea ecx, dword ptr [ecx+8*edx]     <-- ecx = c[6] + 24*c[4]
:004501FE 8D1449           lea edx, dword ptr [ecx+2*ecx]
:00450201 0FBE4802         movsx ecx, byte ptr [eax+02]
:00450205 8D0CD1           lea ecx, dword ptr [ecx+8*edx]     <-- ecx = c[2] + 24*ecx
:00450208 8D1449           lea edx, dword ptr [ecx+2*ecx]
:0045020B 0FBE4805         movsx ecx, byte ptr [eax+05]
:0045020F 8D0CD1           lea ecx, dword ptr [ecx+8*edx]     <-- ecx = c[5] + 24*ecx
:00450212 8D1449           lea edx, dword ptr [ecx+2*ecx]
:00450215 0FBE08           movsx ecx, byte ptr [eax]
:00450218 8D0CD1           lea ecx, dword ptr [ecx+8*edx]     <-- ecx = c[0] + 24*ecx
:0045021B 8D1449           lea edx, dword ptr [ecx+2*ecx]
:0045021E 0FBE4801         movsx ecx, byte ptr [eax+01]
:00450222 0FBE4003         movsx eax, byte ptr [eax+03]
:00450226 8D0CD1           lea ecx, dword ptr [ecx+8*edx]     <-- ecx = c[1] + 24*ecx
:00450229 8D1449           lea edx, dword ptr [ecx+2*ecx]
:0045022C 8D8CD067216BFB   lea ecx, dword ptr [eax+8*edx-0494DE99] <-- ecx = c[3] + 24*ecx - 0494DE99
:00450233 8B442414         mov eax, dword ptr [esp+14]         <-- second argument of the routine
:00450237 8BD0             mov edx, eax
:00450239 D1E8             shr eax, 1
:0045023B 81E255555555     and edx, 55555555
:00450241 2555555555       and eax, 55555555
:00450246 8D0450           lea eax, dword ptr [eax+2*edx]     <-- swaps every adjacent pair of bits
:00450249 69C00D661900     imul eax, 0019660D
:0045024F 3BC8             cmp ecx, eax
:00450251 7531             jne 00450284                        <-- 9. Check
:00450253 8D4C2410         lea ecx, dword ptr [esp+10]
:00450257 C705E8FE4D0009000000 mov dword ptr [004DFEE8], 00000009
:00450261 C7442408FFFFFFFF mov [esp+08], FFFFFFFF
:00450269 E89C520400       call 0049550A
:0045026E B801000000       mov eax, 00000001                   <-- return 1 = code accepted
:00450273 8B4C2400         mov ecx, dword ptr [esp]
:00450277 64890D00000000   mov dword ptr fs:[00000000], ecx
:0045027E 83C40C           add esp, 0000000C
:00450281 C20800           ret 0008

   Check 1 requires the entered code to be exactly 7 characters long (for
   an MFC CString the length is stored 8 bytes before the character
   buffer). Checks 2 to 8 pass each of the seven characters to the routine
   at 0047F440 and bail out if it returns zero. Check 9 folds the seven
   characters into one 32-bit value (each lea pair multiplies the running
   value by 24 and adds the next character, in the order 4, 6, 2, 5, 0, 1,
   3) minus 0494DE99, and compares it with the second argument of the
   routine after its adjacent bit pairs have been swapped and it has been
   multiplied by 0019660D.

3. OK, we have nine checks. Let's fix them! Business as usual, same as in
   Part 1: change the jne to je and the je to jne. I think there is no
   need to explain how to do this in Hiew. If you don't know how, read my
   old tuts or take a look into other tKC Cracking Tutorials...

4. Done? OK, let's try again to register. Congratulations! You are a
   registered user.

FINISH! Easy, or?

cu
LW2000


PART 3
~~~~~~

Name     : Quick Note
Version  : 1.0
Editor   : Image Integration
Target   : QuickNote.exe
Tools    : Brain
           Snooper for Windows
Cracker  : LW2000
Tutorial : No.19

http://www.image-integration.com

OK, take a look at the about box. There is a place to enter a serial...
Fine, let's take a look at the exe. I always snoop in the exe, because I
like to take a compact look at the text strings... What the fuck is this:

GZ3-12003
GZ3-18-xx
GZ3-zt-sd
GZ3-rh-hz
GZ3-al-222
GZ3-zt-654
KGZ3-su-sef
dGZ3-lax-oke
GZ3-lux-1
GZ3-luy-wq
GZ3-luy-23

Let's try GZ3-12003. Congratulations! You are a registered user; now it is
your job to find the differences between the serials... btw: GZ3-12003 is
also in the dead listing of W32Dasm. Yeah, hard-coded serials... *g*
Not more than 2 minutes, seems that I have enough time to take a look at
another 'target'...

FINISH! Easy, or?

cu
LW2000
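Going back to the WebStyle listing in Part 2: the C program below is an added example, not LW2000's code and not Xara's, that transcribes the arithmetic of check 9 so you can see what the lea chain computes. Each `lea edx,[ecx+2*ecx]` / `lea ecx,[ecx+8*edx]` pair is acc = acc*24 + char, the characters are consumed in the order [eax+4], [eax+6], [eax+2], [eax+5], [eax+0], [eax+1], [eax+3], and the shr/and/lea block at 00450237 swaps every adjacent pair of bits of the second argument before the imul by 0019660D. Two things are assumptions, because the listing does not show them: what the per-character routine at 0047F440 accepts (the code assumes the letters 'A'..'X', since 0494DE99 is exactly the value the chain produces for "AAAAAAA", so the subtraction re-bases every character to 'A' and the whole thing is a base-24 number over a 24-letter alphabet), and where the second argument comes from (the callers at 0044F9AD and 0044FA28 supply it; here it is a parameter). webstyle_make_code is the inverse of the fold, so for a given second argument it yields a code that satisfies check 9; it has not been run against the real binary.

```c
/*
 * Added example: C transcription of check 9 of the Xara WebStyle 1.2
 * unlock routine at 00450100 (see the W32Dasm listing in Part 2).
 * Assumptions, not shown in the listing: the per-character filter at
 * 0047F440 accepts 'A'..'X'; the second argument [esp+14] is supplied
 * by the caller and is taken as a parameter here.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WEBSTYLE_BIAS 0x0494DE99u   /* folded into the lea at 0045022C */
#define WEBSTYLE_MUL  0x0019660Du   /* imul at 00450249 */
#define CODE_LEN      7             /* check 1: cmp [eax-08], 7 */

/* Character positions in the order the lea chain consumes them,
 * most significant first: [eax+4],[eax+6],[eax+2],[eax+5],[eax+0],[eax+1],[eax+3]. */
static const int kDigitOrder[CODE_LEN] = { 4, 6, 2, 5, 0, 1, 3 };

/* 004501EC..0045022C: fold the seven sign-extended bytes into 32 bits.
 * Each "lea edx,[ecx+2*ecx]; lea ecx,[ecx+8*edx]" pair is acc*24 + char. */
uint32_t webstyle_code_value(const char *code)
{
    uint32_t acc = 0;
    for (int i = 0; i < CODE_LEN; i++)
        acc = acc * 24u + (uint32_t)(int32_t)(int8_t)code[kDigitOrder[i]];
    return acc - WEBSTYLE_BIAS;              /* wraps mod 2^32 like the CPU */
}

/* 00450237..00450246: swap every adjacent pair of bits. */
uint32_t swap_adjacent_bits(uint32_t x)
{
    return ((x >> 1) & 0x55555555u) | ((x & 0x55555555u) << 1);
}

/* 00450249: the value the folded code must equal for a given argument. */
uint32_t webstyle_expected(uint32_t arg)
{
    return swap_adjacent_bits(arg) * WEBSTYLE_MUL;   /* mod 2^32 */
}

/* Checks 1 and 9 as in the listing; checks 2..8 replaced by the assumed
 * 'A'..'X' alphabet. Returns true when the code would be accepted. */
bool webstyle_check(const char *code, uint32_t arg)
{
    if (strlen(code) != CODE_LEN) return false;            /* 1. Check */
    for (int i = 0; i < CODE_LEN; i++)                      /* 2..8 (assumed) */
        if (code[i] < 'A' || code[i] > 'X') return false;
    return webstyle_code_value(code) == webstyle_expected(arg);   /* 9. Check */
}

/* Inverse of the fold. WEBSTYLE_BIAS == 65 * (24^7 - 1) / 23 mod 2^32, the
 * value of "AAAAAAA", so the target is simply written in base 24 with
 * alphabet 'A'..'X' and the digits scattered according to kDigitOrder.
 * 24^7 > 2^32, so every 32-bit target has such a representation. */
void webstyle_make_code(uint32_t arg, char out[CODE_LEN + 1])
{
    uint32_t t = webstyle_expected(arg);
    for (int i = CODE_LEN - 1; i >= 0; i--) {   /* least significant digit first */
        out[kDigitOrder[i]] = (char)('A' + t % 24u);
        t /= 24u;
    }
    out[CODE_LEN] = '\0';
}

/* Generate a code for arg and verify it passes the transcribed checks. */
bool webstyle_roundtrip(uint32_t arg)
{
    char code[CODE_LEN + 1];
    webstyle_make_code(arg, code);
    return webstyle_check(code, arg);
}

int main(void)
{
    uint32_t arg = 0x12345678u;       /* stand-in for the real second argument */
    char code[CODE_LEN + 1];
    webstyle_make_code(arg, code);
    printf("arg %08X -> code %s -> check %s\n", (unsigned)arg, code,
           webstyle_check(code, arg) ? "passes" : "fails");
    return 0;
}
```

Build with `cc -std=c99 webstyle.c`; the value that goes in as `arg` is whatever the callers at 0044F9AD and 0044FA28 push, which you read from the stack in SoftICE before working out a code.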

PART 4
~~~~~~

Name     : Online Counter
Version  : 5.45.1612
Editor   : SWR3
Target   : OnlineCounter.Exe
Tools    : SoftICE 4.0
           Snooper for Windows
           Brain
Cracker  : LW2000
Tutorial : No.20

http://www.swr3.de/Fun/Downloads/Onlinecounter/

1. OK, enter the details:
   Name: LW2000
   Code: 1234
   *Boom* Shit, wrong code; I think we found a bug... ;)

2. Close Online Counter. Let's snoop a bit. Mhmm, VB40032.DLL in the
   import table. This means we have a Visual Basic 4 proggy. This is no
   real problem; it only means we can't use W32Dasm very well... but
   SoftICE =)

   OK, first a little bit of knowledge about VB4 proggies. The compare
   function is NOT in the *.exe, it is in the system file VB40032.DLL.
   Start Online Counter and enter the details again. Press [Ctrl]+[D] to
   switch to SoftICE. 'bpx hmemcpy' (hmemcpy is a 16-bit KERNEL export, so
   this breakpoint only exists on Windows 9x), [F5] to return to the app.
   Now press OK. SoftICE pops up. Press F11 to get to the caller and then
   trace with F10 through the code until you are in VB40032.DLL. Now
   'bd *' the old bpx's.

   The string compare routine in the VB4 runtime always starts with the
   same bytes:

   : 56               push esi
   : 57               push edi
   : 8B7C2410         mov edi, [esp + 10]
   : 8B74240C         mov esi, [esp + 0C]
   : 8B4C2414         mov ecx, [esp + 14]
   : 33C0             xor eax, eax
   : F366A7           repz cmpsw        <<--- (WideChar) String ds:esi

   Let's search for this code. Enter:

   s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

   If you don't like typing it every time, put it into a shortcut in
   Winice.dat. E.g. my shortcut is [Alt]+[F4] (I love this window-killer
   shortcut! ;) If you don't know how to add a shortcut for SoftICE, ask
   me or take a look into a SoftICE tut in tKC's Cracking Tutorials.

3. For example, SoftICE found 0157:0E793B84. Then we set a bpx on it:
   'bpx 0157:0E793B84'. Then press F5 to return to the app.
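What the 19-byte sequence from step 2 is, and what the repz cmpsw at its end does, as an added C model (not LW2000's code and not the VB runtime's): the bytes are the routine's prologue, so scanning memory for them finds the compare routine without any symbols; when the breakpoint at the found address hits, esi and edi point at two UTF-16 strings (two bytes per character, which is why a byte dump shows '1234' as '1 2 3 4') and ecx holds the number of 16-bit units to compare. The memory image in the block is constructed for the example.

```c
/*
 * Added example for Part 4: the VB4 string-compare signature, a scanner
 * for it over a memory image (what SoftICE's "s" command does), and a C
 * model of "repz cmpsw" over the wide-character operands. The IMAGE
 * buffer is constructed; it is not a dump of VB40032.DLL.
 */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* push esi / push edi / mov edi,[esp+10] / mov esi,[esp+0C] /
 * mov ecx,[esp+14] / xor eax,eax / repz cmpsw */
static const uint8_t VB4_STRCMP_SIG[] = {
    0x56, 0x57, 0x8B, 0x7C, 0x24, 0x10, 0x8B, 0x74, 0x24, 0x0C,
    0x8B, 0x4C, 0x24, 0x14, 0x33, 0xC0, 0xF3, 0x66, 0xA7
};

/* Linear scan like "s 0 l ffffffff <bytes>": offset of the first match
 * of sig inside img, or -1 if it is not there. */
long find_signature(const uint8_t *img, size_t img_len,
                    const uint8_t *sig, size_t sig_len)
{
    if (sig_len == 0 || img_len < sig_len) return -1;
    for (size_t off = 0; off + sig_len <= img_len; off++)
        if (memcmp(img + off, sig, sig_len) == 0) return (long)off;
    return -1;
}

/* Model of "repz cmpsw" with ecx = nwords: compare 16-bit units until the
 * first mismatch or until the count is exhausted. Returns the number of
 * matching words, so a result equal to nwords means the strings are equal. */
size_t repz_cmpsw(const uint16_t *esi, const uint16_t *edi, size_t nwords)
{
    size_t i = 0;
    while (i < nwords && esi[i] == edi[i]) i++;
    return i;
}

/* Widen an ASCII string to the UTF-16LE form VB keeps in memory. Every
 * character gets a zero high byte, hence "1 2 3 4" in a byte dump. */
size_t ascii_to_wide(const char *s, uint16_t *out, size_t cap)
{
    size_t n = strlen(s);
    if (n > cap) n = cap;
    for (size_t i = 0; i < n; i++) out[i] = (uint16_t)(unsigned char)s[i];
    return n;
}

/* Index of the first differing character between two serials, compared
 * the way the runtime does it after widening (ecx = shorter length). */
size_t first_mismatch_word(const char *a, const char *b)
{
    uint16_t wa[64], wb[64];
    size_t na = ascii_to_wide(a, wa, 64), nb = ascii_to_wide(b, wb, 64);
    return repz_cmpsw(wa, wb, na < nb ? na : nb);
}

/* Equal length and no mismatching word. */
int serials_match(const char *entered, const char *correct)
{
    size_t na = strlen(entered), nb = strlen(correct);
    return na == nb && first_mismatch_word(entered, correct) == na;
}

/* Constructed memory image: 16 bytes of filler, the compare prologue at
 * offset 16, then a few trailing bytes. */
static const uint8_t IMAGE[] = {
    0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,0x90,
    0x56,0x57,0x8B,0x7C,0x24,0x10,0x8B,0x74,0x24,0x0C,0x8B,0x4C,0x24,0x14,0x33,0xC0,0xF3,0x66,0xA7,
    0x75,0x04,0x5F,0x5E,0xC3
};

/* Where the compare routine sits inside IMAGE (16 for this image). */
long image_signature_offset(void)
{
    return find_signature(IMAGE, sizeof IMAGE, VB4_STRCMP_SIG, sizeof VB4_STRCMP_SIG);
}
```

When the bpx fires on the real routine, "d esi" and "d edi" show the two operands in this widened form, and the first differing word is where cmpsw stopped.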
   SoftICE will pop up at our bpx, and then we can take a look at our fake
   serial ('d esi') and the correct serial ('d edi'). But remember this is
   the wide-char format! This means '1234' shows up as '1 2 3 4'.

4. OK, all done? My serial is 851118H. Let's try it.
   Name: LW2000
   Code: 851118H
   Congratulations! You are a registered user.

FINISH! Easy, or?

cu
LW2000


PART 5
~~~~~~

Hello there, here is another tut from NamNT. Enjoy it...

 ______________________________________________________________
|                                                              |
| Application: Open Sound System v3.9.2.y                      |
| Target     : http://www.opensound.com                        |
| Platform   : Linux                                           |
| Tools      : dasm (IDA works fine)                           |
|              (download dasm at http://hculinux.cjb.net)      |
|              hex editor (I use Hiew)                         |
| Purpose    : remove TIME LIMIT                               |
|______________________________________________________________|

(note: I won't hold any responsibility for whatever you do with this.
This text is made for education and fun only. And in this tut I don't
list file offsets, because there are many versions of OSS and of course
they're not the same.)

This is the first tut on cracking a Linux progy, right? So, forgive all
my mistakes. OK, here we go.

Open Sound System is a famous (VERY FAMOUS) program on Linux. If your
sound card goes wrong, then you must use this program. That is the short
description of OSS. But the very BIG problem of OSS is the TIME LIMIT.
Why did 4Front Tech make such a BIG bug? We must fix it for them, eh :-)

You can use it for 3 hours (in the first week) or 20 mins (in successive
weeks). So, take your time to test it and find out what appears on your
screen... (remember to use the command "dmesg" to find out)

Ah, you found it. It is "OSS: xxxx minutes..." or similar. You found it
and you know what to do next: grep for it all over your OSS directory.
Does it point you to the file "modules/sndbase"? What are you waiting for?
dasm it right away, with this command:

   dasm /path/oss/modules/sndbase sndbase.dasm

You will get a file sndbase.dasm which contains the 'source code' of
sndbase. Find that string in sndbase.dasm. You'll find it somewhere; take
a look around and there's something like this:

   call oss_get_jiffies
   cmp eax, dword [pld+0xDC]
   jnb xxxxxx
   jmp xxxxxx

OK, do you notice that before it prints "OSS: ...." it makes a call to
oss_get_jiffies? Don't you find that strange? It's worth looking at. So,
find the string "oss_get_jiffies" in your OSS dir. It will list a lot of
files, but there are two we need to look at:

   sndshield.c
   modules/sndshield

Now there are two ways for us to fix the BIG bug of OSS:

   1. Edit sndshield.c and recompile it.
   2. Edit modules/sndshield directly.

If you want the easy way, take the first one: edit oss_get_jiffies in
sndshield.c so that it returns 0x7FFFFFFF (just a big enough number).

If you don't want to recompile sndshield, you must edit modules/sndshield
directly. dasm it right away. In sndshield.dasm you'll find
oss_get_jiffies looking like this (just one row):

   XXXX mov jiffies_R*******, %eax

Hey, you know how to do the rest. Fire up your hex editor and edit
modules/sndshield. Go to offset XXXX and change the first 5 bytes to:

   B8 FF FF FF 7F

(that is "mov eax, 0x7FFFFFFF"; the ret after it stays as it is.) So,
that's all you need to do. But what does it mean? OK, sndshield is a
loadable module; it holds all the information your sndbase needs to work.
And sndbase is another loadable module. sndbase checks whether the time
limit has ended, and it checks by calling sndshield's oss_get_jiffies. So
you don't have to edit all the jumps in sndbase; you just need to edit
sndshield's oss_get_jiffies.

Now you've learned an easy way to fix the BIG bug of OSS. Enjoy your
work... But that's not all: you must fix its license expiry, too. I'll
give you a hint: find it in sndconf.

OK, that's all. If you have any questions, ideas, ...
don't hesitate to contact me at NamNT@yahoo.com

_______________________________
Greets fly to: CiA, VNC's members, GZI, SiuL+Hacky, and you.
_______________________________

Fun,
NamNT - [VNC]


ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #58 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

   Socko for the interface.
   tKC for the splash logo.
   LW2000 for providing 4 tuts in this version.
   NamNT for providing a tut in this version.
   tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the
next tutorials .. see below for my email address!

*** 75 chars per line in the text file please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action '99

Compiled with Delphi 5 on 22 December 1999

Cracking Tutorial #57 is dedicated to Valencia...
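The byte patch from Part 5, as an added C example (not NamNT's code): it encodes mov eax,imm32 (B8 followed by the little-endian immediate, which is where the page's B8 FF FF FF 7F comes from) and writes it only after verifying that the bytes at the offset begin the way a `mov jiffies_R..., %eax` does (A1 plus a 4-byte displacement), so a wrong offset or a different OSS build is refused instead of silently corrupted. The image in the block is constructed. Two things to check on the real file that the example cannot: the address in a dasm listing of a relocatable module is relative to its section, so the file offset is that address plus the Offset of .text shown by `readelf -S`; and if modules/sndshield is a relocatable object, the four bytes after A1 are covered by an R_386_32 relocation (`readelf -r`) that insmod adds the symbol address to, so the immediate you write is not the value eax ends up holding. Either way a constant return value freezes the module's clock; whether it also has to be large depends on the comparison in sndbase, which the page shows only as cmp eax,[pld+0xDC] / jnb.

```c
/*
 * Added example for Part 5: precondition-checked byte patching of
 * oss_get_jiffies. IMAGE is constructed: a function that starts with
 * "mov eax,[abs32]" (A1 xx xx xx xx) followed by "ret" (C3).
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

typedef enum { PATCH_OK = 0, PATCH_OUT_OF_RANGE, PATCH_PRECONDITION_FAILED } patch_status;

/* Encode "mov eax, imm32": opcode B8 then the immediate, least significant
 * byte first. 0x7FFFFFFF gives B8 FF FF FF 7F. Returns the length (5). */
size_t encode_mov_eax_imm32(uint32_t imm, uint8_t out[5])
{
    out[0] = 0xB8;
    for (int i = 0; i < 4; i++) out[1 + i] = (uint8_t)(imm >> (8 * i));
    return 5;
}

/* Overwrite replace_len bytes at off, but only if the bytes currently there
 * start with the expected sequence and everything stays inside the image. */
patch_status patch_bytes(uint8_t *img, size_t img_len, size_t off,
                         const uint8_t *expect, size_t expect_len,
                         const uint8_t *replace, size_t replace_len)
{
    if (off > img_len || img_len - off < replace_len || img_len - off < expect_len)
        return PATCH_OUT_OF_RANGE;
    if (memcmp(img + off, expect, expect_len) != 0)
        return PATCH_PRECONDITION_FAILED;
    memcpy(img + off, replace, replace_len);
    return PATCH_OK;
}

/* The Part 5 patch: the function at func_off must begin with A1
 * (mov eax,[abs32]); its first 5 bytes become mov eax,frozen. */
patch_status patch_get_jiffies(uint8_t *img, size_t img_len,
                               size_t func_off, uint32_t frozen)
{
    static const uint8_t expect_mov_eax_mem[] = { 0xA1 };
    uint8_t mov_imm[5];
    encode_mov_eax_imm32(frozen, mov_imm);
    return patch_bytes(img, img_len, func_off,
                       expect_mov_eax_mem, sizeof expect_mov_eax_mem,
                       mov_imm, sizeof mov_imm);
}

/* Constructed image: 8 filler bytes, then "mov eax,[0]; ret" at offset 8. */
static const uint8_t IMAGE[] = {
    0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC, 0xCC,
    0xA1, 0x00, 0x00, 0x00, 0x00,           /* mov eax,[abs32] */
    0xC3                                    /* ret */
};
#define IMAGE_LEN ((size_t)sizeof IMAGE)
#define FUNC_OFF  8

/* Patch a copy of IMAGE in place in out (IMAGE_LEN bytes) and report. */
patch_status demo_patch(uint8_t *out)
{
    memcpy(out, IMAGE, IMAGE_LEN);
    return patch_get_jiffies(out, IMAGE_LEN, FUNC_OFF, 0x7FFFFFFFu);
}

int main(void)
{
    uint8_t buf[IMAGE_LEN];
    patch_status st = demo_patch(buf);
    printf("status %d, bytes at %d:", (int)st, FUNC_OFF);
    for (size_t i = FUNC_OFF; i < IMAGE_LEN; i++) printf(" %02X", buf[i]);
    printf("\n");
    return st == PATCH_OK ? 0 : 1;
}
```

Before pointing this at the real module, confirm with `readelf -S` and `readelf -r` that the offset really lands on the first byte of oss_get_jiffies and that no relocation covers the bytes you are about to overwrite.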