Welcome to Cracking Tutorial #62!

Hiya guys, Ah finally, a first cracking tutorial in year 2000! As you can see, here's a new version *again* and I hope you like this one! :) And today for a bonus, I give you 7 tutors, #58-64! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Name     : Softice Cracking Overview
Tools    : Softice
           Brain
Cracker  : LW2000
Tutorial : No.27

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

Ok, I was asked a lot about the basics in Softice cracking, so here is a small(!) overview.

Keys in Sice:
-------------

Key   Function
---   --------
F1    Help
F2    Toggle Register Window
F5    Return to Windows/App
F8    Trace to next instruction (step into calls)
F10   Step to next instruction (step over calls)
F11   Get Caller
F12   Run till next ret

The Softice Windows:
--------------------

WR  <<-- show/hide the register window
WD  <<-- show/hide the data window
WC  <<-- show/hide the code window
WL  <<-- show/hide the locals window   "ALT-L" Focus
WW  <<-- show/hide the watch window    "ALT-W" Focus

CTRL-UP/DOWN/PGUP/PGDN   <<-- scrolls the code window
SHIFT-UP/DOWN/PGUP/PGDN  <<-- scrolls your command (input) window
ALT-UP/DOWN/PGUP/PGDN    <<-- scrolls your data window

The Registers
-------------

Hey! You've got it, the 'e' in i.e. eax is for 32-Bit!
AX  <<-- Accumulator Register
BX  <<-- Base Register
CX  <<-- Count Register
DX  <<-- Data Register

Every 16-bit register above is split in two 8-bit registers.

AH  <<-- Accumulator High
AL  <<-- Accumulator Low
AX  <<-- AH*256 + AL
BH  <<-- Base High
BL  <<-- Base Low
CH  <<-- Count High
CL  <<-- Count Low
DH  <<-- Data High
DL  <<-- Data Low

Index Register:
---------------

SI  <<-- Source Index
DI  <<-- Destination Index

Stack Register:
---------------

BP  <<-- Base Pointer
SP  <<-- Stack Pointer

Segment Register:
-----------------

CS  <<-- Code Segment
DS  <<-- Data Segment
ES  <<-- Extra Segment
SS  <<-- Stack Segment

btw: 'd eax' and '? eax' show what's inside eax.. ;)))

The Flags:
----------

O  <<-- overflow flag (will be set after a math command, for example 'sub')
D  <<-- direction flag (tells the CPU to increment or decrement on a LODSB, STOSB, and similar commands)
I  <<-- interrupt flag (tells the CPU if it should accept hardware input)
S  <<-- sign flag (tells whether or not the final value was signed)
Z  <<-- zero flag (tells if the final value was zero or not)
A  <<-- auxiliary carry flag
P  <<-- parity flag
C  <<-- carry flag (like the Overflow Flag but is set if you went overflow on an unsigned integer)

Flag manipulation commands:
---------------------------

CLC  <<-- Clear Carry Flag
CLD  <<-- Clear Direction Flag
CLI  <<-- Clear Interrupt Enable Flag
CMC  <<-- Complement Carry Flag
STC  <<-- Set Carry Flag
STI  <<-- Set Interrupt Enable Flag

btw: you can't change the Zero/Sign Flag by a command. You must use 'r fl z' to change the Zero Flag and 'r fl s' to change the Sign Flag!
The Jumps:
----------

JA    Jump Above (unsigned)
JAE   Jump Above or Equal (unsigned)
JB    Jump Below (unsigned)
JBE   Jump Below or Equal (unsigned)
JC    Jump Carry
JCXZ  Jump if CX is Zero
JE    Jump if Equal
JZ    Jump if Zero (Equal)
JG    Jump if Greater (signed)
JGE   Jump if Greater or Equal (signed)
JL    Jump if Less (signed)
JLE   Jump if Less or Equal (signed)
JNA   Jump if not Above (unsigned)
JNAE  Jump if not Above or Equal (unsigned) (same as JB)
JNB   Jump if not Below (unsigned)
JNBE  Jump if not Below or Equal (unsigned)
JNC   Jump if not Carry
JNE   Jump if not Equal
JNG   Jump if not Greater (signed)
JNGE  Jump if not Greater or Equal (signed)
JNL   Jump if not Less (signed)
JNLE  Jump if not Less or Equal (signed)
JNO   Jump if not Overflow
JNP   Jump if not Parity
JNS   Jump if not Signed
JNZ   Jump if not Zero (Equal)
JO    Jump if Overflow
JP    Jump if Parity
JPE   Jump if Parity Even (PF=1)
JPO   Jump if Parity Odd (PF=0)
JS    Jump if Signed
JZ    Jump if Zero (Equal)

MOV Operation:
--------------

MOV moves a value to a register or memory place.

MOV CX,AX    <<-- AX is stored in CX
MOV [CX],AX  <<-- This stores AX into the memory location pointed at by CX.

Call/Ret Operation:
-------------------

We use CALL and RET to call and return from procedures. If you want a function to return something, it is easier to just store the return value in a register and then RET.

i.e. IF a function should return eax=1 then simply change the call like

  mov eax,1
  ret

The Breakpoints:
----------------

Like the registers, the API calls differ by 16-Bit and 32-Bit. If you have a 32-Bit proggy, simply add 'a' to the end of the call.

i.e. getwindowtext -> getwindowtexta

btw: 'bl' will list your used breakpoints!
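To make the signed/unsigned split in the jump table above concrete, here is an added C example (not part of LW2000's tutorial) that computes the flags a 32-bit CMP leaves behind and tells which of the listed jumps would be taken; it also shows what flipping ZF, as 'r fl z' does in Softice, means for a following JNE. The flag rules are the standard x86 ones; cmp_flags and jump_taken are names chosen for this example.

```c
/* Added example (not from the tutorial): flags after a 32-bit CMP and
 * whether a conditional jump from the table above would be taken. */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

typedef struct { int cf, zf, sf, of; } Flags;

/* Flags after "cmp a, b" (the CPU computes a - b and discards the result). */
static Flags cmp_flags(uint32_t a, uint32_t b) {
    Flags f;
    uint32_t r = a - b;
    f.cf = a < b;                                   /* unsigned borrow   */
    f.zf = r == 0;
    f.sf = (r >> 31) & 1;                           /* top bit of result */
    /* signed overflow: a and b differ in sign and r's sign differs from a's */
    f.of = (((a ^ b) & (a ^ r)) >> 31) & 1;
    return f;
}

/* Would the jump with this mnemonic be taken? Returns -1 for a mnemonic
 * that is not one of the flag-based jumps listed above. */
static int jump_taken(const char *jcc, Flags f) {
    if (!strcmp(jcc, "JE")  || !strcmp(jcc, "JZ"))   return f.zf;
    if (!strcmp(jcc, "JNE") || !strcmp(jcc, "JNZ"))  return !f.zf;
    if (!strcmp(jcc, "JC")  || !strcmp(jcc, "JB")  || !strcmp(jcc, "JNAE")) return f.cf;
    if (!strcmp(jcc, "JNC") || !strcmp(jcc, "JAE") || !strcmp(jcc, "JNB"))  return !f.cf;
    if (!strcmp(jcc, "JA")  || !strcmp(jcc, "JNBE")) return !f.cf && !f.zf;
    if (!strcmp(jcc, "JBE") || !strcmp(jcc, "JNA"))  return f.cf || f.zf;
    if (!strcmp(jcc, "JS"))  return f.sf;
    if (!strcmp(jcc, "JNS")) return !f.sf;
    if (!strcmp(jcc, "JO"))  return f.of;
    if (!strcmp(jcc, "JNO")) return !f.of;
    if (!strcmp(jcc, "JL")  || !strcmp(jcc, "JNGE")) return f.sf != f.of;
    if (!strcmp(jcc, "JGE") || !strcmp(jcc, "JNL"))  return f.sf == f.of;
    if (!strcmp(jcc, "JG")  || !strcmp(jcc, "JNLE")) return !f.zf && f.sf == f.of;
    if (!strcmp(jcc, "JLE") || !strcmp(jcc, "JNG"))  return f.zf || f.sf != f.of;
    return -1;
}

int main(void) {
    /* 80000000h is a huge unsigned number but the most negative signed one,
     * so JA (unsigned) and JG (signed) disagree on "cmp 80000000h, 1". */
    Flags f = cmp_flags(0x80000000u, 1);
    printf("JA taken: %d, JG taken: %d\n", jump_taken("JA", f), jump_taken("JG", f));
    /* 'r fl z' in Softice flips ZF: after "cmp 5, 5" a JNE is now taken. */
    f = cmp_flags(5, 5); f.zf = !f.zf;
    printf("JNE after flipping ZF: %d\n", jump_taken("JNE", f));
    return 0;
}
```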
Clear breakpoints:
------------------

bc yourbreakpoint - i.e:

bc getdlgitemtexta  <<-- that will clear the one
bc 0                <<-- will clear the breakpoint labelled 0
bc 1,3              <<-- will clear the breakpoints labelled 1 and 3
bc *                <<-- will clear all breakpoints which were set

Disable breakpoints:
--------------------

bd yourbreakpoint - i.e:

bd getdlgitemtexta  <<-- will disable the one
bd 1,3,4            <<-- disable the breakpoints labelled 1,3,4
bd *                <<-- disable all breakpoints

Enable breakpoints:
-------------------

be yourbreakpoint - i.e:

be getdlgitemtexta  <<-- will enable the one
be 1,4,7            <<-- enable the breakpoints labelled 1,4,7
be *                <<-- enable all breakpoints

Useful Breakpoints:
-------------------

Remember to put an 'a' at the end for 32-BIT!

General
-------
bpx messagebox
bpx getdlgitemtext
bpx getwindowtext
bpx hmemcpy
bpx showwindow
bpx updatewindow
bmsg xxxx wm_gettext
bmsg xxxx wm_command
bmsg xxxx wm_move

Key File Related
----------------
bpint 21 if ah==3dh (DOS)
bpint 31 if ah==3fh (DOS)
bpx ReadFileA
bpx CreateFileA

Keyboard Input
--------------
bpint 16 if ah==0 (DOS)
bpint 21 if ah==0xA (DOS)

Time Related
------------
bpint 21 if ah==2A (DOS)
bpx getlocaltime
bpx getfiletime
bpx getsystemtime

CD-ROM/Disk
-----------
bpint 13 if ah==2 (DOS)
bpint 13 if ah==3 (DOS)
bpint 13 if ah==4 (DOS)
bpx GetFileAttributesA
bpx GetFileSize
bpx GetDriveType
bpx GetLastError
bpx ReadFile
bpio -h (Your CD-ROM Port Address) R

Dongle Cracking
---------------
bpio -h 278 R
bpio -h 378 R

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 2
~~~~~~

Name     : eCatch
Version  : generic
Editor   : eCatch
Target   : eCatch.exe
Tools    : Softice
           Brain
Cracker  : LW2000
Tutorial : No.28
www.ecatch.com/index

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, load eCatch and click on '?'
then register.

Name:   Cracked by LW2000
Serial: 1230099

Press [ctrl]+[d] to switch to sice and then 'bpx hmemcpy'. F5 to return to the app.

2. Click on validate. *BOOM* Sice pops up. Now press F12 until you are in the code (I think it was about 7 times). Now trace with F10 through the code until you're in Prot16. This reads the name, but we want to have the serial... so nearly the same again! Press F12 until you're back in the code (I think it was about 7 times). Ok, trace with F10 to:

E8CAB7FEFF  CALL 004ADB94
8B45F4      MOV EAX, [EBP-0C]
50          PUSH EAX

Ok, trace 1 instruction more and then 'd eax'. Mhmm, cool number! Let's write it down. 'bc *' and then press F5 to return to the app. Now try to register with our new number.

Congratulation! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 3
~~~~~~

Name     : Alert Link Runner
Version  : 3.0
Editor   : Alertbookmarks
Target   : linkchek.exe
Tools    : SmartCheck
           Brain
Cracker  : LW2000
Tutorial : No.29
http://www.alertbookmarks.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Go to the regscreen and enter the details:

Name:   LW2000
Serial: 1230099

*BOOM* Not regged??? Seems that we have found a bug... ;) Let's fix it!

2. Start SmartCheck and load linkchek.exe. Click on the green arrow in the taskbar of SmartCheck to run Alert Link Runner. Now press on the speech bubble symbol to record all things. Change to Alert Link Runner and enter the details again! *BOOM* The error message pops up. Do not press OK! Instead change to SmartCheck and scroll down. Yeah, you must scroll a lot, because of the many operations... Do you see ThunRT_Main? Fine, there is a '+' before it, click on it. Go to DispatchMessageA and click on the '+' before it. Then CheckForm.Activate and click on the (I think you know what is coming next *g*) '+' before it.
ShareForm.Show and the '+'. Then DispatchMessageA and '+'. Then scroll down to Command4_Click, which is similar to our 'Register Now'.

3. Scroll down to RegisterForm.Show and click on the '+', because there is our InputBox. 'ComOkay_Click' is the point where we put our data. Ok, when you take a close look, you see our fake code etc. Scroll down and go to _vbaVarDup. There it is shown that our serial was incorrect. But go one up to _vbaVarStrCmp. There is a *very* interesting string with the following structure:

XXXX-XXXX-XXXXXXXXXX

Write it down and close SmartCheck. Load Link Checker and try again to register with LW2000 and the new code.

Congratulation! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 4
~~~~~~

Name     : Need for Speed 3
Target   : nfs3.exe
Tools    : W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.30

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, install the full installation of NFS3. Try to play without the CD. *BOOM* error message. Note the text and caption. Then disassemble nfs3.exe with W32Dasm. Click on the SDR button and search for our text. Text not found? Then search for the caption of the window.
* Possible StringData Ref from Data Obj ->"Need for Speed 3"
004B637A 683CFE5300      push 0053FE3C
004B637F 8B5485DC        mov edx, dword ptr [ebp+4*eax-24]
004B6383 52              push edx
004B6384 6A00            push 00000000

* Reference To: USER32.MessageBoxA, Ord:001Fh
004B6386 2EFF1564475300  call dword ptr cs:[00534764]
004B638D 31C0            xor eax, eax
004B638F E870990200      call 004DFD04

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 004B6362(C)
004B6394 E807FFFFFF      call 004B62A0
004B6399 85C0            test eax, eax
004B639B 755A            jne 004B63F7
004B639D 31D2            xor edx, edx
004B639F EB19            jmp 004B63BA

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 004B63C3(C)
004B63A1 88D0            mov al, dl
004B63A3 0441            add al, 41
004B63A5 8845F4          mov byte ptr [ebp-0C], al
004B63A8 8D45F4          lea eax, dword ptr [ebp-0C]
004B63AB E8809F0300      call 004F0330                    <<-- cd check call
004B63B0 85C0            test eax, eax                    <<-- check
004B63B2 7543            jne 004B63F7                     <<-- bad boy!

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 004B63C5(U)
004B63B4 42              inc edx
004B63B5 83FA1A          cmp edx, 0000001A
004B63B8 7D0D            jge 004B63C7

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 004B639F(U)
004B63BA 89D0            mov eax, edx
004B63BC E84F300400      call 004F9410
004B63C1 85C0            test eax, eax
004B63C3 75DC            jne 004B63A1
004B63C5 EBED            jmp 004B63B4

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 004B63B8(C)
004B63C7 B906000000      mov ecx, 00000006
004B63CC 8D7DC4          lea edi, dword ptr [ebp-3C]
004B63CF BEAC564B00      mov esi, 004B56AC
004B63D4 6A30            push 00000030
004B63D6 A1503A7A00      mov eax, dword ptr [007A3A50]
004B63DB F3              repz
004B63DC A5              movsd

* Possible StringData Ref from Data Obj ->"Need for Speed 3"
004B63DD 683CFE5300      push 0053FE3C
004B63E2 8B4C85C4        mov ecx, dword ptr [ebp+4*eax-3C]
004B63E6 51              push ecx
004B63E7 6A00            push 00000000

* Reference To: USER32.MessageBoxA, Ord:001Fh
004B63E9 2EFF1564475300  call dword ptr cs:[00534764]
004B63F0 31C0            xor eax, eax
004B63F2 E80D990200      call 004DFD04                    <<-- fine ...
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 004B639B(C), :004B63B2(C)
004B63F7 89EC            mov esp, ebp                     <<-- here we go if the cd is inside
004B63F9 5D              pop ebp
004B63FA 5F              pop edi
004B63FB 5E              pop esi
004B63FC 5A              pop edx
004B63FD 59              pop ecx
004B63FE 5B              pop ebx
004B63FF C3              ret

2. Take a close look at all jumps. mhmm,

004B63B2 7543            jne

let's change the jne to jmp. I think this should be no real problem for you... Open the exe with hiew and change the 7543 to EB43. (EB is for JMP).

The CD check is beaten, but what's this shit?

Abort message: openhandlea-OPEN FAILED ON D:\GameData\Audio\pc\show(x).map (x is any number)

No prob, we copy this folder into our nfs3 folder. Copy the files from the CD folder GameData\Audio into your local folder on your HD. Then open install.win (it's inside the nfs3 dir) and change the paths like this:

.\GameData\
.\GameData\Tracks\
.\GameData\Tracks\Tutor\
.\GameData\CarModel\
.\GameData\Render\pc\
.\GameData\DashHud\
.\GameData\Audio\pc\
.\GameData\Audio\SFX\
.\GameData\Audio\Speech\English\
.\GameData\Audio\Speech\German\
.\GameData\Audio\Speech\French\
.\GameData\Audio\Speech\Spanish\
.\GameData\Audio\Speech\Italian\
.\FeData\art\
.\FeData\text\
.\FeData\text\
.\FeData\save\
.\FeData\stats\
.\FeData\config\
.\FeData\audio\
.\FeData\Art\Slides\
.\FeData\Art\Track\
.\FeData\Art\Showcase\
.\FeData\movies\
.\FeData\stats\prh\

Save your work and try NFS3 without CD.

Congratulation! You have done it!

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 5
~~~~~~

Name      : Total Recorder
Version   : 2.1
Editor    : HighCriteria
Target    : Totalrecorder.exe
s/n saved : HKEY_CURRENT_USER\Software\HighCriteria\TotalRecorder\RegName\RegKey
Tools     : W32Dasm
            Hiew
            Brain
Cracker   : LW2000
Tutorial  : No.31
http://www.highcriteria.com/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Go to the regscreen and enter the details:

Name: LW2000
Key : 1230099

*BOOM* 'Invalid name or registration key'. Seems that we have found a bug... ;) Let's fix it!

2. Open the file with W32Dasm and click on the SDR button. Go to our string. Now you should see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408D1A(C), :00408D2A(C)     <<-- here we go
|
:00408D89 6A00          push 00000000
:00408D8B 6A45          push 00000045
:00408D8D 6A01          push 00000001

* Possible Reference to String Resource ID=61216: "Invalid name or registration key"

3. Let's go to 00408D1A.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408CF7(C)
|
:00408D10 8B4E5C        mov ecx, dword ptr [esi+5C]
:00408D13 8D5E5C        lea ebx, dword ptr [esi+5C]
:00408D16 8379F827      cmp dword ptr [ecx-08], 00000027   <<-- RegKey=27h=39 chars?
:00408D1A 756D          jne 00408D89                       <<-- if not, then error message
:00408D1C 6A00          push 00000000
:00408D1E 51            push ecx
:00408D1F 50            push eax
:00408D20 E8FBAB0000    call 00413920                      <<-- check routine
:00408D25 83C40C        add esp, 0000000C
:00408D28 85C0          test eax, eax                      <<-- eax = 0 ?
:00408D2A 755D          jne 00408D89                       <<-- if not, then error message
:00408D2C E850B40300    call 00444181

4. Go into Call 413920. Note the offset from the first instruction. Open hiew and go to the offset (F5). Press F3 to edit and F2 to enter Asm commands. The rest is plain sailing! Simply enter 'mov eax, 0' [Enter] and 'ret' [Enter]. Press Esc to exit the asm input field. Save your work and try to register again!

Congratulation! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #63 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

tKC for Interface.
Northpole for Splash Logo
LW2000 for providing 5 tuts in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials.. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru

Greetz go to all my friends!!!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 10 January 2000

Cracking Tutorial #62 is dedicated to Mandy.