Welcome to Cracking Tutorial #58!

Hiya guys, Ah finally, a first cracking tutorial in year 2000! As you can see,
here's a new version *again* and I hope you like this one! :) And today for a
bonus, I give you 7 tutors, #58-64! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:

(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll
need to use all those tools, so be sure to get them handy for the examples in
this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials. Here is a good site where you can grab
tools from: http://protools.cjb.net or http://w3.to/protools or ask any
crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Hello Guys (Crackers)

This is my first tutorial and my name is DRaCooLa. I've decided to write this
tutorial because I've read tKC's tutorials and I can only SaY: You're DA best!
This tutorial is kind of "newbie for newbie" so don't expect too much!
Please excuse my English, it's not my mother language, I'm a European cracker
(NOT FROM ENGLAND)!

Target=Norton AntiVirus 5.00.00
What=a very good AntiVirus (I use it)
Protection=30-Days Trial
Where=www.symantec.com

TOOLS:
-W32Dasm 8.9 (I use 8.93)
-Hiew 6.xx (I use 6.04)
-A little bit of brain (NO CIGGY because it'll only harm you)

O.K. Let's Crack!

1.Install the program and run it.
2.There is a nag screen but no O.K. buttons, restriction or a reminder of the
  remaining days.
3.Now let's play a little bit with the clock: put it a week in the future and
  run NAV and it'll give you this nag message: "Norton AntiVirus has kept your
  PC virus-free for the last 30 Days ..." press OK. Don't put your clock back.
4.Restart your computer so AutoProtect is not on, fire up W32Dasm and load
  Navapw32.exe
5.Click the String Data References (SDR) button (from the Refs menu) and
  search for that nag message from step 3 and double-click it. Then close the
  SDR window.
6.You'll find this:

  * Possible Reference to String Resource ID=00021:"Norton AntiVirus has kept your PC...."
  :0040123D 6A15       push 00000015
  :0040123F FF7508     push [ebp+08]

  Scroll up a little bit and you'll be over here:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00401223 (C)

7.Open, from the GoTo menu, the "GoTo Code Location" option and write
  00401223. You'll be over here:

  :00401223 7512       jne 00401237    <= BAD BOY

  Now note the first offset from the lower bar. It should be 00000623h (we
  don't need those 0's and that "h").

8.Reopen the SDR window and double-click the nag message TWICE (from step 3)
9.You'll be over here:

  * Possible Reference to String Resource ID=00021:"Norton AntiVirus has kept your PC ..."
  :00401D2F 6A15       push 00000015
  :00401D31 FF7508     push [ebp+08]
  :00401D34 FFD6       call esi
  :00401D36 8D4598     lea eax, dword ptr [ebp-68]

10.Scroll up a little bit until you land over here:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00401D02 (C)

11.Open the GoTo Code Location and write 00401D02 and you'll land over here:

  :00401D02 7504       jne 00401D08    <= BAD BOY

  Note the second offset (00001102h)

12.Close W32Dasm and open Hiew, load Navapw32.exe, press F4 and select DECODE.
  Press F5, write the first offset (623), press F3 (edit) to change the 75
  (jne) code to the 74 (je) code then F9 to save.
13.Now do the same with the second offset. But we must crack 2 files so read
  on how to crack the second file.
14.Open W32Dasm and load, from the NAV dir, the Navw32.exe file.
15.Open the SDR window and 2-click that s**t nag screen from step 3. You will
  fly over here:

  * Possible Reference to String Resource ID=02860:"Norton AntiVirus has kept your PC.."
  :0040375D 682C0B0000   push 00000B2C
  :00403762 FF35E81E4100 push dword ptr [00411EE8]
  :00403768 FFD6         call esi
  ....

  Scroll up a little bit until you see:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00403745 (C)

17.Open the GoTo Code Location and write 00403745 and land here:

  :00403745 7504       jne 0040374B    <= BAD BOY

  Note the third offset (00002B45h). Close W32Dasm.

18.Open Hiew, load the navw32.exe file, press F4 and select DECODE. Then press
  F5 and write the third offset (2B45). Press F3 (edit) and change the 75
  (jne) code to the 74 (je) code then F9 to save.

Change your date back. Now it should work. If it doesn't work play with your
clock (put it back and run NAV, put it in the future and run NAV and then put
your date normal; that should do it)

-------------------------------------------------------------------------
Greets: tKC, BuLLet, MisterE, Flu[X], PaRKeR, HarvestR, NE(c)RO, AgorA,
Merkuur, Ms_Jessca, nIgHtMaRe/dAvid, NovA, NiteHawk, PinguTM, Kwai_Lo and all
you great crackers out there who have ever written a CRACKING TUTORIAL!

Group greets: C.I.A'99, P.C'99, CORE, C4A, d4c, TNO, UCF 2000, Mexelite and
all you great,great,great,great,great CRACKING GROUPS in the SCENE!
====================================================
SPECIAL THANKS: I would like to thank tKC for his great tutorials (they taught
me the art of cracking). Keep up the good work. You're my teacher and I admire
you A LOT! You're tha best man!
====================================================
If you want to contact me for suggestions or questions, write me at:
writetoalex@hotmail.com

Now, I can only say: "Without knowledge, there's no POWER" - tKC

DRaCooLa'99

PART 2
~~~~~~

How to crack World Time 2000 by DRaCooLa
NEWBIE to NEWBIE

-------------------------------------------------------------------------
| Please excuse my English, it's not my mother language.
-------------------------------------------------------------------------

My FIRST tutorial in this COOL ART! This little proggie tells you the time all
over the world! But it's shareware so LET'S CRACK THIS LITTLE SUCKA!

For this tutorial you will need:
-a computer
-W32Dasm 8.9
-Hacker's View 6.x
-a BRAIN (if you can read this I assume you have it)

1.Start the program and go to the About-Register box. There enter your name
  and a bogus serial and press Register. A NaG pops up saying "Please make
  sure you use the exact same name".
2.Make 2 copies of your file:
  -one called WorldTime2000.w32 to disassemble it
  -one called WorldTime2000.exx in case you get trouble with your crack.
3.Open W32DASM and go to the Disassemble menu, there click Open File to
  disassemble. There search for the WorldTime2000.w32 file and double-click
  it. When it finishes loading go to the SDR (String Data Reference) in the
  Refs menu. Here search for your text ("Please make sure ..."). If you find
  it double-click on the text. Now scroll up until you find a text saying:

  *Referenced by a (C)onditional or (U)nconditional Jump at Address:
  |:00406A2E(C)   <==Here it generates the error

  Now open the Goto menu and click Goto Code Location. A window pops up, here
  you must enter the code you've found (00406A2E). The green line should now
  be on line:

  :00406A2E 7553       jne 00406A83

  Note the Offset in the lower right bar, it is (on my computer) 00006A2Eh (we
  don't need the 0's and the h) so the offset is 6A2E.

  Now we have two options:
  a)We can replace that Jump If Not Equal with Jump If Equal (jne=75, je=74 in
    asm)
  or
  b)If you scroll 2 lines up you'll find the line:

    :00406A2A 3BC1       cmp eax, ecx   <== here it compares the serial

    Now we could change this to 85C8 test eax,ecx
    Note this offset too, it is 6A2A.

4.Open Hiew and search for your WorldTime2000.exe file and open it. Now press
  F4 and select Decode. Press F5 and enter an offset:
  a)You enter the 6A2E offset.
    When you arrive at line 6A2E press F3 (Edit) and change the jne (75) to je
    (74), press F9 to save your work.
  or
  b)You enter the 6A2A offset. When you arrive at line 6A2A press F3 (Edit)
    and change cmp eax,ecx (3BC1) to test eax,ecx (85C8). Then press F9 to
    save your work.

That's it. You've managed to crack this little proggie.

-------------------------------------------------------------------------
Thanks to: tKC <== for his great work (Tuts, Serial Progz, Cracks and all
other cool stuff you've made), YOU ARE MY TEACHER IN THIS ART!

Greetz fly out to: BuLLeT, VoodooKid, HarvestR, ICQ9, MadSurgeon, LW2000,
Lord Peaceburn and all other crackers out there who write/wrote great tuts

Special greetz to: All the hard working crackers in Romania THEY DESERVE IT..
<-= I know that back home there isn't much time for this sort of thing, nor
many resources, which is why I consider all the crackers in Romania SPECIAL
people; look me up =->

E-mail me at: writetoalex@hotmail.com

PART 3
~~~~~~

How to get a serial in a VB program. Target Program is BuLLeT's Crack-me 2!
By DRaCooLa

--------------------------------------------------------------------------
| Please excuse my English, it's not my mother language.
--------------------------------------------------------------------------

VB programs were kind of a pain in the ass because they couldn't be
disassembled with W32DASM and in SoftIce a lot of changes were necessary. But
now the key word is that VB progz WERE hard to crack cause now we have a
Secret Weapon: SMART CHECK! This little cool baby could do MIRACLES in good
hands! Since this is my First Tut on VB progz I used an older program!

Some things that you'll need:
-SmartCheck 6.03

THIS IS ONLY AVAILABLE AFTER YOU OPEN A FILE! First I want to tell you a kind
of trick I use: Go to the View menu and press Specific Events. From the window
that appears select from the top menu Show Errors and Specific Events.
From the new functions that are available in the second window select the
boxes 2,3,4,5,6 and 8. Now press Change. You'll see what we use this for in
some minutes.

1.Start the Crack-Me and try to register it. Enter a bogus serial and press
  Verify. If you fail a message will appear in the registration box saying:
  "Nope. That's not the one!" Good, so now we know what we have to do: CRACK
  IT!
2.Start SmartCheck and go to the File menu and press Open then search for your
  file (B-crkme2.exe). Before anything unselect the last 2 buttons of the
  upper menu: Reports Errors Immediately and Event Reporting. Now go to the
  Program menu and select START. When it finishes loading the prog write a
  bogus serial BUT DON'T PUSH VERIFY yet. Before you do that press the last
  button from the upper menu. Then push Verify.
3.When the "Nope. That's not the one" message appears push the red square
  button or in the Program menu click on End. Now to our trick: press the
  button with a blue square and a window. A new list appears, here click on
  the string called:

  Command1.Caption<--"Verify" (String)

  Now go to the View menu and select Show All Events. A bigger list will
  appear and the blue line will be on the same line as before. The serial is
  now very near. If you scroll a little bit up there you'll find 7 lines
  called "SysFreeString". Click on the last string of this type and in the
  info window you'll see your serial (if not you must enlarge your info window
  which is located on the right of the main window). In my case the serial was
  2rK4HJ4-7n8RgT09IW6a7kSlg33.

And another one goes down.

Because the greetz list fills a DVD I greet EVERYONE but a special thanks goes
to the greatest cracker on the Net - tKC.

To all Romanian crackers a VERY SPECIAL GREET: "Don't get discouraged if
something doesn't work, try n times and you will SURELY succeed; look me up"

E-mail: writetoalex@hotmail.com

PART 4
~~~~~~

Hi it's me again and I am back with a brand new tut.
This time our target is a well known program: Xara WebStyle 1.2
The author (as always) is DRaCooLa!

------------------------------------------------------------------------
| Please excuse my English, it's not my mother language!
------------------------------------------------------------------------

Ah what a fine day is today. I have finished the fucking school and I am on
HOLIDAYS. Ooah it's very coooooooooool! I can do now what I want because I do
not see those assholes of teachers - THEY REALLY SUCK! So in my joy I decided
to bring you all a little part of it! I can make this by writing a tut (I
HOPE).
------------------------------------------------------------------------

The target program is a very cool web tool. You can make buttons,
backgrounds, titles and many more. But the proggie will expire if we don't
crack it (register it <=Bad Idea). So let's get to work!

Tools:
-W32Dasm 8.9
-Hiew 6.x
-a little bit of brain

Now for the crack lesson:

1.Start the program and try to register it (the registration box is only
  available at the start up of the prog). So enter a bogus number and note
  the error message: "Invalid number. Please contact Xara technical ..."
2.Disassemble the program (file webstyle.w32) but only after you've made 2
  backup files of the Webstyle.exe file, one called Webstyle.w32 and one
  called Webstyle.exx. After you've done this and the file is disassembled
  search for that error string in the String Data Reference window from the
  Refs menu. You'll find it on String Resource ID=18500. Double click on it
  and you'll be here:

  *Possible Reference to String Resource ID=18500: "Invalid number..."
  :00450290 6844480000 push 00004844

  Now scroll up till you find the place where it generates the error:

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:0045013C(C), :00450150(C), :00450169(C), :00450182(C), :0045019B(C)
  |:004501B4(C), :004501CD(C), :004501E6(C), :00450251(C)

  That's a lot of work: Press Shift+F12 (Go To Code Location) and enter each
  of the 9 addresses. On the first and on the last note the offset of the jne
  (jump if not equal) and on the other 7 addresses scroll a little bit up till
  you find a string like this "test eax, eax" and put the line on it then
  note the offset. Now you should have 9 offsets like this:

  1.4F53C
  2.4F550
  3.4F569
  4.4F582
  5.4F59B
  6.4F5B4
  7.4F5CD
  8.4F5E6
  9.4F651

4.Now open the file Webstyle.exe with Hiew, press F4 and select Decode. Now
  press F5 and enter each offset as shown earlier. Press F3 to edit and F9 to
  save. Now change like this:

  1.Press F5, write 4F53C, press F3 & replace 85 with 84. Then press F9.
  2.Press F5, write 4F550, press F3 & replace 8B with 85. Then press F9.
  3.Press F5, write 4F569, press F3 & replace 8B with 85. Then press F9.
  4.Press F5, write 4F582, press F3 & replace 8B with 85. Then press F9.
  5.Press F5, write 4F59B, press F3 & replace 8B with 85. Then press F9.
  6.Press F5, write 4F5B4, press F3 & replace 8B with 85. Then press F9.
  7.Press F5, write 4F5CD, press F3 & replace 8B with 85. Then press F9.
  8.Press F5, write 4F5E6, press F3 & replace 8B with 85. Then press F9.
  9.Press F5, write 4F651, press F3 & replace 75 with 74. Then press F9.

Phew it's done. It's been a very good time cracking, no??? Cool. Now you can
enter any serial and it's regged.

-------------------------------------------------------------------------
Greetz: all crackers in the UNIVERSE (who knows???)
Special greetz: to tKC the best of all crackers in the world (I mean what I
say).
Very special greetz: "To all the Romanian crackers who fight every day to
crack programs, don't give up, you'll succeed! Look me up"

E-mail: writetoalex@hotmail.com

PART 5
~~~~~~

How to find sn for Audition for w95/NT v3.5 (for beginners only)

Target URL: http://www.execpc.com/~sbd/
Tools: SoftIce v3.xx

Author's overview: "Audition for Windows 95/NT is a small utility that will
allow you to play sound files located in a disk directory. A play list is
created of all sound files found in the selected folder."

On successful registration Audition for Windows 95/NT v3.5 creates the
following entries in your System Registry file:

HKEY_CURRENT_USER\Software\Software by Design\Audition for Windows 95/NT..
   \Registration Code=
    Organization=
    User=

When you start Audition you will notice it starts with a little nag-screen
telling you that this is a 30-day Shareware Evaluation Copy. Open the 'Help'
menu then press 'Register'. A Registration window will pop up asking you to
enter your name, organization and the registration code.

user name:
organization:
registration code:

If you press the OK button you will be told that this code was incorrect.

When you enter a name, organization and fake registration code press Ctrl-D
to start up SoftIce. Type bpx GetDlgItemTextA.

OK, you've typed BPX GetDlgItemTextA into SoftIce so now all you do is type:
x (or press F5 or press CTRL+D again) to leave SoftIce and continue running
Audition. Now press the OK button and we're back into SoftIce. Now press F5
(or type x or ...) 2 times. Press F11 to have SoftIce finish executing this
function and return us to where in Audition this function was originally
called from. Now you see this:

0137:0040E24B CALL [USER32!GetDlgItemTextA]
0137:0040E251 POP EDI            ; <-- you are here
0137:0040E252 POP ESI
0137:0040E253 MOV EAX,00000001
0137:0040E258 POP EBX
0137:0040E259 RET
.
.
.
0137:00407B07 LEA ECX,[ESP+40]
0137:00407B0B PUSH ECX
0137:00407B0C CALL 00411B32
0137:00407B11 PUSH ESI
0137:00407B12 MOV EBX,EAX
0137:00407B14 CALL 0040FEC0
0137:00407B19 ADD ESP,38
0137:00407B1C CMP EAX,0119A792
0137:00407B21 JNZ 00407B3B
.
.
.
0137:00407B4E PUSH EDI
0137:00407B4F PUSH ESI
0137:00407B50 CALL 0040F990
0137:00407B55 ADD ESP,38
0137:00407B58 CMP EBX,EAX        ; COMPARE GOOD (EAX) WITH FAKE (EBX) SN
0137:00407B5A POP EDI
0137:00407B5B JZ 00407B7A

Now press F10 20 times (or you can type bpx 407b58) so that we land on this
line:

:00407B58 CMP EBX,EAX

Here you can type ? ebx and you will see this:

132C10CB 0321654987 ... --> this is our fake reg. code (dec)

After that type ? eax and you will see this:

AFE3E8B2 2950949042 ... --> this is our good reg. code (dec)

We can now type in SoftIce bc * which will clear our breakpoints then type x
to exit SoftIce and re-run the Registration screen with our correct
registration code.

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #59 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

tKC for Interface.
Nephasto for Splash Logo
DRaCooLa for providing 4 tuts in this version.
vasudan for providing a tut in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 10 January 2000

Cracking Tutorial #58 is dedicated to Mandy...
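Parts 1, 2 and 4 above all come down to the same edit: one opcode byte at a
known file offset is swapped (75 to 74 for jne/je, 3B to 85 for cmp/test, 8B
to 85, 85 to 84). From the software vendor's or an incident responder's side
the corresponding control is a known-good digest of the shipped binary plus,
when it does not match, a byte-level diff that reports exactly where the file
changed and whether the change is one of those one-byte flips. The Python
below is an added example written for this editing pass; it is not code from
the tutorial or from any of the tools it names. The reference and patched byte
strings are constructed in the script (they are not bytes from NAV, World Time
2000 or WebStyle), and the KNOWN_FLIPS table lists only the substitutions the
text itself describes.

```python
import hashlib

# Single-byte opcode substitutions described in Parts 1, 2 and 4 (old -> new).
# Constructed table: only these pairs get a descriptive annotation, any other
# changed byte is reported as a plain "byte changed".
KNOWN_FLIPS = {
    (0x75, 0x74): "jne -> je (short conditional jump inverted)",
    (0x3B, 0x85): "cmp -> test (comparison replaced)",
    (0x85, 0x84): "test r/m32 -> test r/m8 (test operand size changed)",
    (0x8B, 0x85): "mov -> test (load replaced by test)",
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string (the known-good digest a vendor would publish)."""
    return hashlib.sha256(data).hexdigest()


def verify_integrity(data: bytes, expected_sha256: str) -> bool:
    """True when the file on disk still matches the published digest."""
    return sha256_hex(data) == expected_sha256


def diff_bytes(reference: bytes, suspect: bytes):
    """List every differing byte as (offset, old, new, annotation).

    A length difference is reported once, as a final finding at the shorter
    length with old/new set to None.
    """
    findings = []
    n = min(len(reference), len(suspect))
    for off in range(n):
        a, b = reference[off], suspect[off]
        if a != b:
            findings.append((off, a, b, KNOWN_FLIPS.get((a, b), "byte changed")))
    if len(reference) != len(suspect):
        findings.append((n, None, None,
                         f"size changed {len(reference)} -> {len(suspect)}"))
    return findings


def analyse(reference: bytes, expected_sha256: str, suspect: bytes):
    """Hash gate first; the byte-level diff only runs when the digest mismatches."""
    if verify_integrity(suspect, expected_sha256):
        return {"intact": True, "findings": []}
    return {"intact": False, "findings": diff_bytes(reference, suspect)}


# Constructed sample "code region" (not from any real binary): a prologue,
# a 'jne rel8' (75 12) at offset 0x06, two nops, 'cmp eax,ecx' (3B C1) at
# offset 0x0A, and a ret.
REFERENCE = bytes.fromhex("558BEC83EC08" "7512" "9090" "3BC1" "C3")
GOOD_DIGEST = sha256_hex(REFERENCE)

# Constructed patched copy: the two hand edits Parts 1/2 make with Hiew.
_patched = bytearray(REFERENCE)
_patched[0x06] = 0x74   # jne -> je
_patched[0x0A] = 0x85   # cmp -> test
PATCHED = bytes(_patched)


if __name__ == "__main__":
    report = analyse(REFERENCE, GOOD_DIGEST, PATCHED)
    print("intact:", report["intact"])
    for off, old, new, note in report["findings"]:
        change = f"{old:02X} -> {new:02X}" if old is not None else ""
        print(f"offset {off:#06x}: {change}  {note}")
```

Run as a script it reports the file as not intact and lists offsets 0x0006
(jne to je) and 0x000a (cmp to test). In practice the digest gate is what a
deployment pipeline or endpoint agent would check; the diff is the forensic
step that tells you whether a mismatch is a benign rebuild or a targeted
one-byte patch of a trial check. Vendors today get the same gate from code
signing (Authenticode on Windows); the script is that idea in miniature.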
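Parts 3 and 5 succeed for the same design reason: the program computes the
valid code itself and then compares it with what the user typed, so at the
moment of `CMP EBX,EAX` (Part 5) or of the last `SysFreeString` (Part 3) the
correct serial is sitting in a register or string where a debugger or API
monitor can read it. The Python below is an added example written for this
editing pass, not code from the tutorial or from any of the products it
names. It places the weak pattern next to a stronger one in which the client
never derives the valid code at all: the vendor issues the code out of band,
the client stores only a salted SHA-256 commitment to (name, code), and
verification hashes the typed input and compares digests in constant time.
The derivation in `derive_code_weak`, the salt and the sample code are all
constructed for the demo and stand for no real scheme.

```python
import hashlib
import hmac

# ---- Weak pattern (what Parts 3 and 5 exploit). The client derives the valid
# code from the user name and compares it with the typed code in the clear.
# Constructed derivation: a truncated SHA-256 of the name, not any product's.
def derive_code_weak(name: str) -> int:
    digest = hashlib.sha256(name.encode("utf-8")).digest()
    return int.from_bytes(digest[:4], "little")


def check_weak(name: str, typed_code: int) -> bool:
    expected = derive_code_weak(name)   # the valid code now exists in memory
    return typed_code == expected       # the CMP EBX,EAX of Part 5


# ---- Stronger pattern. The client holds a commitment H(salt || name || code)
# issued by the vendor and never computes the valid code. What a debugger sees
# at the compare is two digests, and a wrong guess leaks nothing about the
# right code beyond "not equal". compare_digest keeps the comparison
# constant-time so timing does not leak how many bytes matched.
def commitment(name: str, code: int, salt: bytes) -> bytes:
    msg = name.encode("utf-8") + b"\x00" + code.to_bytes(4, "little")
    return hashlib.sha256(salt + msg).digest()


def check_strong(name: str, typed_code: int, stored: bytes, salt: bytes) -> bool:
    if not 0 <= typed_code < 2 ** 32:   # the commitment fixes a 4-byte code
        return False
    return hmac.compare_digest(commitment(name, typed_code, salt), stored)


# Constructed demo values (not a real user, salt or issued code).
SALT = b"constructed-per-install-salt"
USER = "example user"
ISSUED_CODE = 0x1234ABCD
STORED = commitment(USER, ISSUED_CODE, SALT)


if __name__ == "__main__":
    # Weak: the program knows the answer, so anyone watching the compare does too.
    leaked = derive_code_weak(USER)
    print("weak check with the value it just computed:", check_weak(USER, leaked))
    # Strong: only the issued code verifies; the program never produced it.
    print("strong check, issued code:", check_strong(USER, ISSUED_CODE, STORED, SALT))
    print("strong check, wrong code: ", check_strong(USER, ISSUED_CODE + 1, STORED, SALT))
    print("strong check, wrong name: ", check_strong("other", ISSUED_CODE, STORED, SALT))
```

The stronger form closes off the serial-recovery route of Parts 3 and 5 (read
the expected value at the compare) but not the route of Parts 1, 2 and 4 (flip
the conditional jump after the compare); any check that runs entirely on the
client can still be patched, which is why a licence check needs to be paired
with integrity protection of the binary rather than relied on alone.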