Welcome to Cracking Tutorial #61!

Hiya guys, ah, finally, the first cracking tutorial of the year 2000! As you
can see, here's a new version *again* and I hope you like this one! :) And
today, as a bonus, I give you 7 tutors, #58-64! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools (I use these tools and I assume you'll use
them too, but that doesn't mean you'll need all of them, so just have them
handy for the examples in this tutorial):

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools, since you had a chance to get
them when you used my older tutorials. Here is a good site where you can grab
tools from:

http://protools.cjb.net or http://w3.to/protools

or ask any cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Target:     Sentry II Professional version 2.2
Location:   http://www.fs.arez.com
Date:       28 December 1999
Tools used: SoftICE 4.01

Download the program, install it and run it. I assume that you have SoftICE
running; if not, I refer you to one of my previous tutorials, published in
#49.

Step one.:   Go to 'About', push 'More' and finally press 'Register'. A little
             registration box will appear; enter any name, company and serial.
             I'll use 'Cicero', 'XCrypt' and '12345678'.
Step two.:   When done, push 'Ctrl+D' to enter SoftICE and set a breakpoint on
             'hmemcpy' (bpx hmemcpy).
Step three.: Push 'F5' and you'll be back in Sentry's registration box; now
             press the 'Ok' button.
Step four.:  Press 'Ctrl+D' four times and then 'F12' 7 times; you will now be
             in the right place.
Step five.:  Trace down to '0187:0047FCF0 MOV ECX, 0047FE3C', look at the nice
             'EAX=00C85B20' and type 'd eax': your name.
Step six.:   Press 'F10' once and type 'd ecx'; you will now realize that the
             serial # will also take letters.
Step seven.: Press 'F10' twice and then type 'd eax'; your fake serial will
             appear.
Step eight.: Press 'F10' once more, look at EDX and type 'd edx'; your real
             serial will appear.
Step nine.:  My registration would be 'Cicero', 'XCrypt' and
             'YF72X-SIOEM-WT5MZ-A3H7D-G9QQI-6ST6B'.
End.:        You should be able to code a keygen for this.... If not, contact
             me and I will hand out the source, coded in ASM, C++, Delphi and
             Pascal. 'Cicero@Cicero.cjb.net'

personal thx dub, in specific order:

SiONiDE     - Thank you very much
tKC         - Thank you very much
ARiSTOTELES - Thank you very much
Crkill      - Thank you very much
p0SEIDON    - Thank you very much
T0RN@DO     - Thank you very much
tHATDUDE    - Thank you very much
MrNop       - Thank you very much
G-RoM       - Thank you very much
Drone       - Thank you very much
Stone       - Thank you very much
Ringer      - Thank you very much
Cartoon     - Thank you very much
-----------------------------------
CiA         - Thank you very much
PC          - Thank you very much
UCF         - Thank you very much
CLASS       - Thank you very much
RAZOR       - Thank you very much
BACKLASH    - Thank you very much
GZI         - Thank you very much
XCrypt      - Thank you very much

PART 2
~~~~~~

Target:     Packager MK1
Location:   www.arclab.com
Date:       28 December 1999
Tools used: SoftICE 4.01

Download the program, install it and run it. I assume that you have SoftICE
running; if not, I refer you to one of my previous tutorials, published in
#49.

step one.:   Run PackMK1. Go to '?' in the menu and choose 'Unlock'.
step two.:   Enter name, last name and serial (leave company blank if you
             want to). I'll use 'Cicero', 'XCrypt' and '123456789'.
step three.: Press Ctrl+D, set a breakpoint on 'GetWindowTextA' (bpx
             GetWindowTextA) and press 'F5' once.
step four.:  Push 'Enter' and you're back in SoftICE; press 'Ctrl+D' 3 times
             so we get to the right place.
step five.:  Press F11 and you will see 'LEA ECX, [ESP+00000214]'; push F10
             once and then type 'd ecx': our fake serial (123456789).
step six.:   Now push F10 2 times so you stand on the line that looks like
             'LEA EAX, [ESP+00000114]' and type 'd edx': our name.
step seven.: Push F10 one more time and then type 'd eax': our last name.
step eight.: Push F10 2 more times and type 'd ecx'; you will see the company
             name (if you entered one).
step nine.:  Now trace down to 'MOV EAX, [0041F14C]' and type 'd ecx'; you
             will see your serial. Write it down and enter it in the
             registration box.
step ten.:   Registered user!

So my registration would be:

Name:      Cicero
Last name: XCrypt
Company:
Key:       5108-6086-5704-25887

End.: You should be able to code a keygen for this.... If not, contact me and
      I will hand out the source, coded in ASM, C++, Delphi and Pascal.
      'Cicero@Cicero.cjb.net'

PART 3
~~~~~~

Name      : WinXFiles
Version   : 4.3
Editor    : PepSoft
Target    : WXFiles.exe
s/n saved : HKEY_CURRENT_USER\Software\Pepsoft\WXF32\Reg
Tools     : Softice 4.0, Brain
Cracker   : LW2000
Tutorial  : No.24
http://www.pepsoft.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

1. We go to the regscreen and enter the details.

   Name: LW2000
   Key : 1230099

   *BOOM* 'Sorry... Invalid Registration Password'

   What the hell is this? Seems that we found a bug... ;) Let's fix it.

2.
   Press [ctrl]+[d] and set a breakpoint on hmemcpy: 'bpx hmemcpy'. Press F5
   to return to the app. Then try to register again. *BOOM* Sice pops up.
   Press F11 to get to the caller and F12 about six times; then you should
   be inside the WinXFiles code.

3. Now go with F10 over all the rets and you should see this:

:00480DB1 8B85D4FBFFFF            mov eax, dword ptr [ebp+FFFFFBD4]
:00480DB7 8D95D8FBFFFF            lea edx, dword ptr [ebp+FFFFFBD8]
:00480DBD E8E255F8FF              call 004063A4
:00480DC2 8B95D8FBFFFF            mov edx, dword ptr [ebp+FFFFFBD8]
:00480DC8 8BC3                    mov eax, ebx
:00480DCA E85943F9FF              call 00415128
:00480DCF 8D95D4FBFFFF            lea edx, dword ptr [ebp+FFFFFBD4]
:00480DD5 8B45FC                  mov eax, dword ptr [ebp-04]
:00480DD8 8B80B8010000            mov eax, dword ptr [eax+000001B8]
:00480DDE E81543F9FF              call 004150F8

4. Step with F10 and take a look at the registers.

:00481071 0FB63B                  movzx edi, byte ptr [ebx]
:00481074 0FBFC7                  movsx eax, di
:00481077 B917000000              mov ecx, 00000017
:0048107C 99                      cdq
:0048107D F7F9                    idiv ecx
:0048107F 8A9415F9FCFFFF          mov dl, byte ptr [ebp+edx-00000307]
:00481086 8D85D0FBFFFF            lea eax, dword ptr [ebp+FFFFFBD0]
:0048108C 885001                  mov byte ptr [eax+01], dl
:0048108F C60001                  mov byte ptr [eax], 01
:00481092 8D95D0FBFFFF            lea edx, dword ptr [ebp+FFFFFBD0]
:00481098 8D85F8FDFFFF            lea eax, dword ptr [ebp+FFFFFDF8]
:0048109E E8191AF8FF              call 00402ABC
:004810A3 43                      inc ebx
:004810A4 4E                      dec esi
:004810A5 75CA                    jne 00481071

5. Ok, by stepping we see a loop: each byte of the string at [ebx] is taken
   modulo 17h (23), the remainder indexes a table at [ebp-307h], and the
   byte picked from it lands in dl and is appended to the string at
   [ebp-208h]. Let's trace a bit more.
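   Before tracing on, it helps to read the step 4 loop as code. The C below
   is an added example (not code from the tutorial, from PepSoft or from
   LW2000) that mirrors that loop: one table lookup per input byte, index =
   byte mod 23. The 23-byte table at [ebp-307h] is not in the listing, so
   the alphabet in the code is a placeholder assumption; dump the real one
   with 'd ebp-307' in SoftICE and paste it in. It also assumes that esi was
   loaded with the length of the name and ebx with a pointer to it, and that
   the program compares the generated string with the typed serial after the
   loop, none of which the listing shows.

```c
/*
 * WinXFiles serial loop (00481071..004810A5) rewritten in C.
 * Added example: NOT code from the tutorial, from PepSoft or from LW2000.
 *
 * What the listing shows:
 *   movzx edi, byte ptr [ebx]      ; next byte of the input string
 *   movsx eax, di                  ; 0..255 after movzx, so never negative
 *   mov ecx, 17h ; cdq ; idiv ecx  ; edx = byte mod 23
 *   mov dl, [ebp+edx-307h]         ; pick one byte from a 23-byte table
 *   ...append that 1-char Delphi short string to the serial at [ebp-208h]
 *   inc ebx ; dec esi ; jne        ; loop over esi bytes
 */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define WXF_MOD 23   /* ecx = 17h */

/* ASSUMPTION: placeholder alphabet.  The real 23 bytes live at [ebp-307h]
 * and are not in the listing; dump them in SoftICE ('d ebp-307') and paste
 * them here, otherwise the generated serials will not match the program's. */
static const char WXF_TABLE[WXF_MOD + 1] = "ABCDEFGHIJKLMNOPQRSTUVW";

/*
 * Generate the serial for `name` into `out` (capacity outsz, NUL
 * terminated).  ASSUMPTION: the loop counter esi holds strlen(name) and ebx
 * points at the name; the listing starts after both were loaded.
 * Returns the number of serial characters written, or 0 if `out` is too
 * small or an argument is NULL.
 */
size_t wxf_keygen(const char *name, char *out, size_t outsz)
{
    size_t n, i;

    if (name == NULL || out == NULL)
        return 0;
    n = strlen(name);
    if (outsz < n + 1)
        return 0;
    for (i = 0; i < n; i++) {
        /* movzx zero-extends the byte, so the idiv remainder is 0..22 */
        unsigned char c = (unsigned char)name[i];
        out[i] = WXF_TABLE[c % WXF_MOD];      /* mov dl, [ebp+edx-307h] */
    }
    out[n] = '\0';
    return n;
}

/*
 * ASSUMPTION: the tutorial stops at 'd edx = serial' and does not show what
 * the program does with the string; this rebuilds the serial for the name
 * and compares it with what was typed.  Returns 1 when `serial` is the one
 * the loop would produce, else 0.
 */
int wxf_check(const char *name, const char *serial)
{
    char buf[256];

    if (name == NULL || serial == NULL || strlen(name) >= sizeof buf)
        return 0;
    if (wxf_keygen(name, buf, sizeof buf) == 0)
        return 0;                          /* empty name: nothing to match */
    return strcmp(buf, serial) == 0;
}

int main(void)
{
    char serial[256];

    if (wxf_keygen("LW2000", serial, sizeof serial) == 0)
        return 1;
    printf("Name: LW2000  Key: %s\n", serial);
    printf("fake 1230099 accepted? %d\n", wxf_check("LW2000", "1230099"));
    return 0;
}
```

   With the placeholder alphabet, 'LW2000' maps to 'HSECCC' ('L' = 76 mod 23
   = 7, 'W' = 87 mod 23 = 18, '2' = 50 mod 23 = 4, '0' = 48 mod 23 = 2) and
   the fake key 1230099 is rejected; with the real table dumped from
   [ebp-307h] the same code gives the serial the program wants.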
:004810A7 8D95D4FBFFFF            lea edx, dword ptr [ebp+FFFFFBD4]
:004810AD 8B45FC                  mov eax, dword ptr [ebp-04]
:004810B0 8B80BC010000            mov eax, dword ptr [eax+000001BC]
:004810B6 E83D40F9FF              call 004150F8
:004810BB 8B85D4FBFFFF            mov eax, dword ptr [ebp+FFFFFBD4]
:004810C1 50                      push eax
:004810C2 8D85D8FBFFFF            lea eax, dword ptr [ebp+FFFFFBD8]
:004810C8 8D95F8FDFFFF            lea edx, dword ptr [ebp+FFFFFDF8]   <<-- d edx = serial
:004810CE E80127F8FF              call 004037D4
:004810D3 8B95D8FBFFFF            mov edx, dword ptr [ebp+FFFFFBD8]
:004810D9 58                      pop eax

6. Ok, write down our serial and let's try it =)

   Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!

PART 4
~~~~~~

Name      : Web Tacho
Version   : 1.20.3
Editor    : Internolix
Target    : webtacho.exe
s/n saved : HKEY_CURRENT_USER\Software\VB and VBA Program Settings\WebTacho
Tools     : Softice, Brain
Cracker   : LW2000
Tutorial  : No.25
www.Internolix.com

1. We go to the regscreen and enter the details.

   Name: LW2000
   Key : 1230099

   *BOOM* We get an error message that our code is not correct. What the
   hell is this? Seems that we found a bug... ;) Let's fix it.

2. Close Webtacho. Let's snoop a bit. Mhmm, MSVBVM50.DLL in the import
   table. This means we have a Visual Basic 5 proggy. This is no real
   problem; it only means we can't use W32Dasm very well... but Softice =)

   Ok, first a little bit of knowledge about VB5 proggies: the compare
   function is NOT in the *.exe, it is in the system file MSVBVM50.DLL.

   Start Webtacho and enter the details again. Press [ctrl]+[d] to switch to
   Softice and 'bpx hmemcpy' (hey, I hope you have MSVBVM50.DLL in your
   winice.dat....). [F5] to return to the app. Now press OK. Sice pops up.
   Press F11 to get to the caller and then trace with F10 through the code
   until you are in MSVBVM50.DLL. Now 'bd *' to disable the old bpx's.
3. The compare function in VB is always the same:

   56         push esi
   57         push edi
   8B7C2410   mov edi, [esp+10]
   8B74240C   mov esi, [esp+0C]
   8B4C2414   mov ecx, [esp+14]
   33C0       xor eax, eax
   F366A7     repz cmpsw       <<--- (WideChar) String ds:esi

   Let's search for this code. Enter:

   s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7

   If you don't like to type it every time, put it into a shortcut in
   winice.dat. I.e. my shortcut is [Alt]+[F4] (I love this window killer
   shortcut! ;) If you don't know how to add a shortcut for Sice, ask me or
   take a look at a Softice tut in tKC's Cracking Tutorials.

   For example, say Sice found the code at 0517:0E7B8411. Then we set a
   breakpoint right there: 'bpx 0517:0E7B8411'. Press F5 to return to the
   app. Sice will pop up at our bpx, and we can take a look at our fake
   serial ('d esi') and the correct serial ('d edi'). But remember, this is
   the WideChar format! This means '1234' shows up as '1 2 3 4'.

4. Ok, all done? Got your serial? Let's try it.

   Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

PART 5
~~~~~~

Name      : MP3-Wolf
Version   : 1.04
Editor    : Trellian
Target    : mwolf32.exe
s/n saved : mwolf.ini
Tools     : W32Dasm, Softice, Brain
Cracker   : LW2000
Tutorial  : No.26
http://www.trellian.com/mwolf

1. We go to the regscreen and enter the details.

   Registration Name: LW2000
   Serial Number    : 1230099

   *BOOM* We get an error message that our code is not correct. What the
   hell is this? Seems that we found a bug... ;) Let's fix it.

2. Load W32Dasm with mwolf32.exe, click on the SDR (String Data References)
   and go to our string.
   Ok, you should be here now:

:00403541 E8DC9D0000              call 0040D322      <<-- serial check routine
:00403546 59                      pop ecx
:00403547 85C0                    test eax, eax
:00403549 59                      pop ecx
:0040354A 7518                    jne 00403564       <<-- check
:0040354C 6A30                    push 00000030

* Possible StringData Ref from Data Obj ->"Invalid Registration"
                                  |
:0040354E 68245B4100              push 00415B24

* Possible StringData Ref from Data Obj ->"Invalid Registration Name or Serial "

3. To see where the error message is coming from, we scroll a bit up. In the
   call at 0040D322 our serial is checked: if it is wrong, eax=0, else
   eax=1, and the 'test eax, eax' / 'jne' right after the call decides
   whether we get the error box. Mhmm, ok, let's leave W32Dasm and start
   Softice. Go to the regscreen again.

   Registration Name: LW2000
   Serial Number    : 1230099

   Press [ctrl]+[d] to switch to Softice and 'bpx hmemcpy'. Press F5 to
   return to the app. Press OK. *BOOM* Sice pops up. Press F11 to get to
   the caller. Now press F12 until you are in the program code.

4. 'bc *' and then set a breakpoint on 0040D322: 'bpx 0040D322'. Press F5.
   *BOOM* Now we are here:

:0040D322 55                      push ebp
:0040D323 8BEC                    mov ebp, esp
:0040D325 83EC30                  sub esp, 00000030
:0040D328 8B450C                  mov eax, dword ptr [ebp+0C]
:0040D32B 53                      push ebx
:0040D32C 56                      push esi
:0040D32D 57                      push edi
:0040D32E 85C0                    test eax, eax
:0040D330 0F840F010000            je 0040D445
:0040D336 8B5D08                  mov ebx, dword ptr [ebp+08]
:0040D339 85DB                    test ebx, ebx
:0040D33B 0F8404010000            je 0040D445
:0040D341 80384D                  cmp byte ptr [eax], 4D        <<-- 1. char = 4D = 'M' ?
:0040D344 0F85FB000000            jne 0040D445
:0040D34A 80780157                cmp byte ptr [eax+01], 57     <<-- 2. char = 57 = 'W' ?
:0040D34E 0F85F1000000            jne 0040D445
:0040D354 6A13                    push 00000013
:0040D356 50                      push eax
:0040D357 8D45E4                  lea eax, dword ptr [ebp-1C]
:0040D35A 50                      push eax
:0040D35B E849A1FFFF              call 004074A9
:0040D360 83C40C                  add esp, 0000000C
:0040D363 8D45E4                  lea eax, dword ptr [ebp-1C]
:0040D366 6A2D                    push 0000002D                 <<-- 3. char = 2D = '-'
:0040D368 50                      push eax
:0040D369 E8120D0000              call 0040E080
:0040D36E 8BF0                    mov esi, eax
:0040D370 59                      pop ecx
:0040D371 85F6                    test esi, esi
:0040D373 59                      pop ecx
:0040D374 89750C                  mov dword ptr [ebp+0C], esi
:0040D377 0F84C8000000            je 0040D445                   <<-- 3. char = 2D = '-' ?
:0040D37D 802600                  and byte ptr [esi], 00
:0040D380 8D45F8                  lea eax, dword ptr [ebp-08]

5. If one of these checks fails, the proggy jumps to 0040D445, and here:

:0040D445 33C0                    xor eax, eax                  <<-- eax=0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040D443(U)
|
:0040D447 5F                      pop edi
:0040D448 5E                      pop esi
:0040D449 5B                      pop ebx
:0040D44A C9                      leave
:0040D44B C3                      ret                           <<-- ret with eax=0!

6. Ok, we don't want to fail... Let's enter a serial that starts with 'MW-'
   and trace through the code again... A long time later, we see this:

:0040D41E 68F47A4100              push 00417AF4
:0040D423 8D45D0                  lea eax, dword ptr [ebp-30]
:0040D426 6A14                    push 00000014
:0040D428 50                      push eax
:0040D429 E872040000              call 0040D8A0
:0040D42E 83C410                  add esp, 00000010
:0040D431 46                      inc esi
:0040D432 8D45D0                  lea eax, dword ptr [ebp-30]   <<-- d eax

   Ok, we see a number, but what can we do with it? Mhmm, we take the string
   "MW-" and complete it with the number we just found!

7. Let's try again to register! Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss
Tutor #62 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

tKC       for Interface.
Northpole for Splash Logo.
Cicero    for providing 2 tuts in this version.
LW2000    for providing 3 tuts in this version.
tKC       for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials... see below for my email address!

*** 80 chars per line in textfile please!
*** And all the tutors can be found at http://www.msjessca.da.ru

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 10 January 2000

Cracking Tutorial #61 is dedicated to Mandy.