Welcome to Cracking Tutorial #63!

Hiya guys, ah finally, the first cracking tutorial of the year 2000! As you can see, here's a new version *again* and I hope you like this one! :) And today, as a bonus, I give you 7 tutors, #58-64! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:
(I use these tools and I assume you'll use them too, but that doesn't mean you need all of them, so just have them handy for the examples in this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6
Windows Commander v4.03 (I use it because it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools, or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Name     : WinBoost 2000 Gold
Version  : generic
Editor   : Magellass
s/n saved: win.ini
Tools    : Filemon
           Brain
Cracker  : LW2000
Tutorial : No.32
www.magellass.com

--- DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. OK, boys and girls. Let's try a new way to crack... ;))
   Let Filemon watch WinBoost 2000 Gold, then start it. Mhmm, WinBoost 2000 tries to read Owner and RegGold from win.ini and fails! Let's change the WinBoost part of win.ini to:

   [WB]
   Owner=LW2000
   RegGold=True

   Start the proggy again.
   Congratulations! You are a registered user.

   Mhmm, I'm a little bit embarrassed... So I think I'll try to get the correct serial in the next tut...

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net !!!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
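As an added example, not part of LW2000's tutorial: the check defeated in Part 1 trusts a plain-text flag in win.ini, so a text editor is all it takes. The Python below contrasts that check with one that binds Owner and RegGold together under a keyed MAC; the vendor key, the Tag field and the record layout are hypothetical constructions for this example.

```python
import configparser
import hashlib
import hmac

# Hypothetical vendor key. In a real product it sits in the binary, where the
# debugger work in Part 2 could recover it, so this only defeats the hand-edit
# shown in Part 1, not a reverse engineer with the executable.
VENDOR_KEY = b"example-vendor-key"


def tag_for(owner: str, reg_gold: str) -> str:
    """Keyed MAC over owner name and registered flag, so neither can be edited alone."""
    msg = f"{owner}\x00{reg_gold}".encode()
    return hmac.new(VENDOR_KEY, msg, hashlib.sha256).hexdigest()


def issue_record(owner: str) -> str:
    """What the vendor would write to win.ini after a genuine registration."""
    return f"[WB]\nOwner={owner}\nRegGold=True\nTag={tag_for(owner, 'True')}\n"


def is_registered_naive(ini_text: str) -> bool:
    """The check the tutorial defeats: believe the plain-text flag."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.get("WB", "RegGold", fallback="") == "True"


def is_registered_tagged(ini_text: str) -> bool:
    """Accept the flag only if the tag matches owner+flag under the vendor key."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    owner = cp.get("WB", "Owner", fallback="")
    flag = cp.get("WB", "RegGold", fallback="")
    tag = cp.get("WB", "Tag", fallback="")
    if flag != "True":
        return False
    # constant-time compare so the tag check itself does not leak by timing
    return hmac.compare_digest(tag, tag_for(owner, flag))


# Constructed samples: the hand-edited record from the tutorial, and a genuine one
FORGED = "[WB]\nOwner=LW2000\nRegGold=True\n"
GENUINE = issue_record("LW2000")
```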
PART 2
~~~~~~

Name     : WinBoost 2000 Gold
Version  : generic
Editor   : Magellass
s/n saved: win.ini
Tools    : SoftICE
           Brain
Cracker  : LW2000
Tutorial : No.33
www.magellass.com

1. OK, boys and girls, I felt very embarrassed about the easy way to crack the proggy in my tut 32! So mhmm... I thought, let's do it the hard way ;)
   Enter the following details:
   User Name: LW2000
   WB98 Registration Code: 1239900
   WB2000 Registration Code: 1230099
   I always try to break on GetDlgItemTextA and GetWindowTextA; you should do the same... it saves a lot of time =)
   Try to validate the code. *BOOM* SoftICE pops up. We'll have to hit F12 about 13 times till we get a useful piece of code:

   .004D33D9: 8B80C8020000     mov eax,[eax][0000002C8]
   .004D33DF: E88CB9F5FF       call .00042ED70
   .004D33E4: 8D55F0           lea edx,[ebp][-0010]      <-
   .004D33E7: 8B45FC           mov eax,[ebp][-0004]
   .004D33EA: 8B80D8020000     mov eax,[eax][0000002D8]
   .004D33F0: E87BB9F5FF       call .00042ED70
   .004D33F5: 8D55EC           lea edx,[ebp][-0014]
   .004D33F8: 8B45FC           mov eax,[ebp][-0004]
   .004D33FB: 8B80CC020000     mov eax,[eax][0000002CC]
   .004D3401: E86AB9F5FF       call .00042ED70
   .004D3406: 8D45F4           lea eax,[ebp][-000C]
   .004D3409: 8B55EC           mov edx,[ebp][-0014]
   .004D340C: E81B07F3FF       call .000403B2C
   .004D3411: 8B55F8           mov edx,[ebp][-0008]
   .004D3414: 8B45FC           mov eax,[ebp][-0004]
   .004D3417: E8F8FCFFFF       call .0004D3114
   .004D341C: 8D55E0           lea edx,[ebp][-0020]
   .004D341F: E83C4DF3FF       call .000408160
   .004D3424: 33C0             xor eax,eax
   .004D3426: 5A               pop edx
   .004D3427: 59               pop ecx
   .004D3428: 59               pop ecx
   .004D3429: 648910           mov fs:[eax],edx
   .004D342C: 686E3F4D00       push 0004D3F6E
   .004D3431: 837DF000         cmp d,[ebp][-0010],000
   .004D3435: 0F84F7090000     je .0004D3E32

2. Only bullshit, because we don't want to write a keygen, we only want to have one serial...
   .004D343B: 8B45F0           mov eax,[ebp][-0010]      <- WB98 key
   .004D343E: 8B55E0           mov edx,[ebp][-0020]      <- correct key
   .004D3441: E8DA09F3FF       call .000403E20           <- compare string
   .004D3446: 0F851F010000     jne .0004D356B

   There are about 17 more checks after this. The keys checked there will not work, because Magellass has found them on the Web!

3. Mhmm... great! Then just step until you are at .004D3441. Then type 'd edx', write your key down and set a bpx on it.
   OK... let's type the new key as the WB98 code... Back in SoftICE we step through the next code:

   .004D35DB: 8B45EC           mov eax,[ebp][-0014]      <-- WB2K key
   .004D35DE: E82D07F3FF       call .000403D10           <-- length
   .004D35E3: 83F814           cmp eax,014
   .004D35E6: 0F8E5A030000     jle .0004D3946

4. Mhmm.. does that mean we must have 14h (= 20) or more characters? Maybe, but let the jump happen...

   .004D3946: 8D45E8           lea eax,[ebp][-0018]
   .004D3949: 8B55EC           mov edx,[ebp][-0014]
   .004D394C: E8DB01F3FF       call .000403B2C
   .004D3951: 8B45EC           mov eax,[ebp][-0014]
   .004D3954: E8B703F3FF       call .000403D10
   .004D3959: 83F817           cmp eax,017
   .004D395C: 0F8EEA030000     jle .0004D3D4C

5. Next check.. this time with 17h (= 23) or more chars? Let it be... trace on with F10.

   .004D3D4C: 8D45E4           lea eax,[ebp][-001C]
   .004D3D4F: 8B55EC           mov edx,[ebp][-0014]
   .004D3D52: E8D5FDF2FF       call .000403B2C
   .004D3D57: 33DB             xor ebx,ebx
   .004D3D59: 8D4DDC           lea ecx,[ebp][-0024]
   .004D3D5C: 0FBFF3           movsx esi,bx
   .004D3D5F: 8BD6             mov edx,esi
   .004D3D61: A110684D00       mov eax,[0004D6810]
   .004D3D66: 8B00             mov eax,[eax]
   .004D3D68: 8B8054020000     mov eax,[eax][000000254]
   .004D3D6E: 8B4024           mov eax,[eax][00024]
   .004D3D71: 8B38             mov edi,[eax]
   .004D3D73: FF570C           call d,[edi][0000C]
   .004D3D76: 8B55DC           mov edx,[ebp][-0024]      <-- our key
   .004D3D79: 8B45E4           mov eax,[ebp][-001C]      <-- a key
   .004D3D7C: E89F00F3FF       call .000403E20           <-- compare
   .004D3D81: 7427             je .0004D3DAA
   .004D3D83: 8D4DDC           lea ecx,[ebp][-0024]

6. *g* 'd eax' ... so just write the key down. Let's try it!
   Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000
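The checks in Part 2 (and again in Part 4) share one design weakness: the program regenerates the correct serial and then string-compares it with the input, so the correct value is sitting in memory at the compare, and 'd edx' simply reads it out. This added Python example, which is not from the tutorial and uses a constructed toy_keygen and deliberately tiny RSA parameters, contrasts that pattern with verifying a signature, where the client never computes a correct serial at all.

```python
import hashlib

# --- The pattern the tutorial exploits: regenerate, then string-compare -------
def toy_keygen(name: str) -> str:
    """Hypothetical symmetric serial derivation, standing in for the real one."""
    return hashlib.sha256(b"toy-salt:" + name.encode()).hexdigest()[:16].upper()


def check_symmetric(name: str, entered: str) -> bool:
    expected = toy_keygen(name)   # the correct serial now exists in memory...
    return expected == entered    # ...and a debugger at the compare reads it out


# --- Verify instead of regenerate: the serial is a signature over the name -----
# Constructed, insecure toy parameters so the example runs offline with the
# standard library; only the structure matters. The client ships (N, E) only.
P, Q = 1000003, 1000033
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))   # vendor-only private exponent, never shipped


def name_digest(name: str) -> int:
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N


def vendor_issue_serial(name: str) -> str:
    """Runs at the vendor: sign the name digest with the private exponent."""
    return format(pow(name_digest(name), D, N), "X")


def check_asymmetric(name: str, entered: str) -> bool:
    """Client side: verify the entered serial; no correct serial is ever computed here.

    This removes the dumped-operand weakness of Parts 2 and 4. It does not stop
    the patched conditional jump of Part 3, which defeats any client-side check.
    """
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    if not 0 < sig < N:
        return False
    return pow(sig, E, N) == name_digest(name)
```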
PART 3
~~~~~~

Name     : Winhacker
Version  : 2.03
Editor   : Wedge Software
Target   : wh95.exe
s/n saved: HKEY_LOCAL_MACHINE\Software\Wedge Software\WinHacker95
Tools    : W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.34
http://www.winhacker.com/

Today we'll try to fix wh95 to accept all codes.

1. Go to the registration screen and enter the details:
   Name: LW2000
   Company: tKC's Cracking Tutorial
   Serial Number: 1230099
   *BOOM* 'Invalid Serial Number!' Seems that we found a bug ;) Let's fix it.
   Load wh95.exe into W32Dasm. Click on the SDR and search for our message text. Double-click on it and close the SDR window.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00412D97(C)            <<-- We go there
   |
   :00412DD7 8D4DF0          lea ecx, dword ptr [ebp-10]
   :00412DDA 895E6C          mov dword ptr [esi+6C], ebx
   :00412DDD 895E74          mov dword ptr [esi+74], ebx

   * Reference To: MFC42.Ordinal:021C, Ord:021Ch
   |
   :00412DE0 E883A90000      Call 0041D768

   * Possible StringData Ref from Data Obj ->"Invalid Serial Number!"

2. Let's go to 00412D97:

   * Reference To: MSVCRT._mbscmp, Ord:0159h
   |
   :00412D84 8B3D5C074300    mov edi, dword ptr [0043075C]
   :00412D8A C645FC03        mov [ebp-04], 03
   :00412D8E FF75EC          push [ebp-14]
   :00412D91 FFD7            call edi              <<-- KEY check routine
   :00412D93 59              pop ecx
   :00412D94 85C0            test eax, eax
   :00412D96 59              pop ecx
   :00412D97 753E            jne 00412DD7          IF eax <> 0 then error message
   :00412D99 FF75EC          push [ebp-14]
   :00412D9C FF75E4          push [ebp-1C]

3. OK, go into the call
   :00412D91 FFD7            call edi
   and note the offset. Load Hiew and go to the noted offset. Press F3 to edit and F2 to enter asm commands. Now type:
   mov eax, 0 [Enter]
   ret [Enter]
   Then press Esc to close the asm input screen. Save your work and then start wh95.exe. Try to register Win Hacker.

   Congratulations!
   You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

PART 4
~~~~~~

Name     : Winhacker
Version  : 2.03
Editor   : Wedge Software
Target   : wh95.exe
s/n saved: HKEY_LOCAL_MACHINE\Software\Wedge Software\WinHacker95
Tools    : W32Dasm
           SoftICE
           Brain
Cracker  : LW2000
Tutorial : No.35
http://www.winhacker.com/

OK, last time we fixed the exe. This time we try to get the correct serial.

1. Go to the registration screen and enter the details:
   Name: LW2000
   Company: tKC's Cracking Tutorial
   Serial Number: 1230099
   *BOOM* 'Invalid Serial Number!' Seems that we found a bug ;) Let's fix it.
   Load wh95.exe into W32Dasm. Click on the SDR and search for our message text. Double-click on it and close the SDR window.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:00412D97(C)            <<-- We go there
   |
   :00412DD7 8D4DF0          lea ecx, dword ptr [ebp-10]
   :00412DDA 895E6C          mov dword ptr [esi+6C], ebx
   :00412DDD 895E74          mov dword ptr [esi+74], ebx

   * Reference To: MFC42.Ordinal:021C, Ord:021Ch
   |
   :00412DE0 E883A90000      Call 0041D768

   * Possible StringData Ref from Data Obj ->"Invalid Serial Number!"

2. Let's go to 00412D97:

   * Reference To: MSVCRT._mbscmp, Ord:0159h
   |
   :00412D84 8B3D5C074300    mov edi, dword ptr [0043075C]
   :00412D8A C645FC03        mov [ebp-04], 03
   :00412D8E FF75EC          push [ebp-14]
   :00412D91 FFD7            call edi              <<-- KEY check routine
   :00412D93 59              pop ecx
   :00412D94 85C0            test eax, eax
   :00412D96 59              pop ecx
   :00412D97 753E            jne 00412DD7          IF eax <> 0 then error message
   :00412D99 FF75EC          push [ebp-14]
   :00412D9C FF75E4          push [ebp-1C]

3. So we have found the correct part. Now we use SoftICE to get a correct serial number. Enter the details and switch to SoftICE. We bpx on GetWindowTextA. Press F5 to return to the app. When we press Register, SoftICE pops up.
   Now we set a breakpoint on the serial check routine (remember the code from W32Dasm!):
   BPX 00412D84

4. Press F5 to execute. Go with F10 to 00412D93 pop ecx; our serial is popped off the stack. Press F10 once more and then enter d ecx to get the correct serial number. Note it. Clear the bpx and return to Win Hacker. Now try our code.
   Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

PART 5
~~~~~~

Name     : Notepad
Version  : Microsoft Windows 98
Filesize : 57,344 Bytes
Editor   : Microsoft
Target   : notepad.exe
Tools    : W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.36

1. OK, this proggy has annoyed me dozens of times! I tried to crack the filesize limit, but it confused me very much and I lost the overview. So I decided to remove the "launch WordPad" nag instead. To do this, I tried to open a 600 KB file with Notepad (I think a smaller file would have done it too *g*, but I had this file in the same cracking folder and I'm lazy..). *BOOM* Our nag pops up. OK, let's launch W32Dasm and take a look at notepad.exe.

2. Click the SDR button and take a look at the strings. Normally I would search for the message text and/or caption, but the string wordpad.exe looked suspicious. So let's take a closer look.

   * Possible Reference to String Resource ID=00056: "wordpad.exe"
   |
   :004033D5 6A38            push 00000038
   :004033D7 FF3540554000    push dword ptr [00405540]

3. Now scroll up. Above the string resource "wordpad.exe" you see a call to MessageBoxA. Mhmm, seems that we have found our nag.
   * Reference To: KERNEL32.GetStartupInfoA, Ord:0140h
   |
   :0040339F FF1590634000    Call dword ptr [00406390]

   * Possible Reference to String Resource ID=00036: "&f"
   |
   :004033A5 6A24            push 00000024
   :004033A7 A1B4504000      mov eax, dword ptr [004050B4]
   :004033AC 56              push esi
   :004033AD 50              push eax
   :004033AE FF7508          push [ebp+08]

   * Reference To: USER32.MessageBoxA, Ord:01ACh
   |
   :004033B1 FF15A8644000    Call dword ptr [004064A8]
   :004033B7 83F806          cmp eax, 00000006
   :004033BA 0F85A7000000    jne 00403467
   :004033C0 6804010000      push 00000104          <<--- here we must go!
   :004033C5 8D858CFDFFFF    lea eax, dword ptr [ebp+FFFFFD8C]
   :004033CB 837D1001        cmp dword ptr [ebp+10], 00000001
   :004033CF 1BFF            sbb edi, edi
   :004033D1 50              push eax
   :004033D2 83C737          add edi, 00000037

   * Possible Reference to String Resource ID=00056: "wordpad.exe"
   |
   :004033D5 6A38            push 00000038
   :004033D7 FF3540554000    push dword ptr [00405540]

4. OK, our exercise is to jump to :004033C0, over the message box, to run WordPad automatically. How to do this? Mhmm, easy!

   * Possible Reference to String Resource ID=00036: "&f"
   |
   :004033A5 6A24            push 00000024          <-- note the offset
   :004033A7 A1B4504000      mov eax, dword ptr [004050B4]
   :004033AC 56              push esi
   :004033AD 50              push eax
   :004033AE FF7508          push [ebp+08]

   We note the offset of 004033A5; instead of this shit we jump to 004033C0.

5. Close W32Dasm and open notepad.exe in Hiew. Press F5 and go to offset 33A5. Press F3 to edit and F2 to enter ASM commands. Then type:
   jmp 33C0 [Enter]
   [Esc] to close the screen. Save your work and exit Hiew. Now try to open the big file again.
   Congratulations! WordPad opens it without a nag!

FINISH! Easy, isn't it?

cu LW2000

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #64, coming soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
tKC for the interface.
tKC for the splash logo.
LW2000 for providing 5 tuts in this version.
tKC for coding this version :)

All crackers (non-members of CiA) are welcome to send tutors for the next tutorials.. see below for my email address!
*** 80 chars per line in the text file, please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz go to all my friends!!!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 10 January 2000

Cracking Tutorial #63 is dedicated to Mandy.