Welcome to Cracking Tutorial #65!

Hiya guys, I had problems with no internet (the cafe network was down).. so here are 4 tutors finally, #65-68, enjoy them! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools (I use these tools, and I assume you'll use 'em, but that doesn't mean you'll need all of them, so just be sure to have them handy for the examples in this tutorial!):

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are good sites where you can grab tools from: http://protools.cjb.net or http://w3.to/protools, or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Welcome to another cracking tutor written by .......... ME! This time WE'll crack WinAmp Skin Maker v1.05

------------------------------------------------------------------------
Please excuse my English, it's not my mother language!
------------------------------------------------------------------------

What a fine New Year's Eve I had. I was at Keio's party with many friends of mine. We had a GREAT time and I hope you all had a good time like us. We had a party till Saturday night *COOL HUH ???*

Now for this little sucka! I've found a very good cure for it: the REAL SERIAL NUMBA!

Tools:
- Soft-Ice (3.x or greater)
- Pen and paper
- A little bit of brain (this is the hardest part *COUGH*)

So let's nail this little sucker:

1. Install the proggie and run it. It's a pretty cool proggie: you can make skins for WinAmp with only your imagination and a little bit of art skill.

2. Try to register it: write your name, in my case DRaCooLa, and write a serial, e.g. 2244.

3. If SI (Soft-Ice) is loaded you should now press Ctrl+D and write:

BPX GETDLGITEMTEXTA

and press ENTER.. Then press Ctrl+D.
If you don't know what this is then I'll tell you: it's a BREAKPOINT! It will break into SI when WSM (WinAmp Skin Maker) checks the serial. Now press OK.

4. When back in SI press F5, then press F10 till you find this:

CMP EDI,EBX

I think you must press F10 about 27 times. When the green line is on the CMP EDI,EBX line write ? EBX. You should see:

002E2ABB 0003025595

5. Write down the second code (0003025595) but without the leading 0's. Now go back to WSM and write:

Name: DRaCooLa
Code: 3025595

Now you should see: This program is licensed to DRaCooLa 3025595

Thanks for reading this tut. I hope you learned something from this tut.

Greetz to:
tKC <-- a big THANKS for your tuts and all other progz coded by you!
Keio <-- for your support and for your help!
ACiD BuRN <-- for his mega cool tuts!
Socko <-- for his graphix tuts and the new cool interface of tKC's tuts!
C.i.A members <-- for their hard work making the standards rise in the sky!
All crackers in the universe <-- for being there when newbies want to learn!
CRACKERS FROM ROMANIA <-- for their hard work in the hardest conditions in which you work.

"If you give someone a patch you help him crack one program; if you teach him to crack on his own, he can then make his own patch! Look me up!"

You can reach me at: writetoalex@hotmail.com

PART 2
~~~~~~

Name     : Silver (Photoshop Plugin)
Version  : generic
Editor   : Sandwater
Target   : Silver-100.8bf
Tools    : W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.41
http://www.sandwater.com/download.html

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, start Photoshop and try the Silver plugin. Ok, all works fine. Close Photoshop and set the system date to the next month. Ok, start Photoshop again and try the Silver plugin. *BOOM* Trial has expired! Mhmm, seems that we have found a bug... ;) Let's fix it. Load Silver-100.8bf with W32Dasm. Click on the Dialog Reference.
Now you should see this:

NO_THANKS1,  CONTROL_ID:0063, "A valid code was not entered."
REG_TIMEOUT, CONTROL_ID:0064, "- Pay by mail to Kagi, 1442-A Walnut Str"
REG_TIMEOUT, CONTROL_ID:0065, "Payment is accepted through Kagi, a fee "
REGISTER1,   CONTROL_ID:0003, ""

2. Ok, let's close this window and go to "REG_TIMEOUT" in the String Data Reference!

* Possible StringData Ref from Data Obj ->"REG_TIMEOUT"
                                  |
:1000D0A5 6844D10110              push 1001D144
:1000D0AA E88190FFFF              call 10006130
:1000D0AF 56                      push esi
:1000D0B0 E8ABFBFFFF              call 1000CC60
:1000D0B5 8B0E                    mov ecx, dword ptr [esi]
:1000D0B7 83C418                  add esp, 00000018
:1000D0BA 66C7010100              mov word ptr [ecx], 0001

Mhmm, let's scroll up!

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:1000D054(C)   <<-- we go there!
|
* Possible StringData Ref from Data Obj ->"The price is US$20."
                                  |
:1000D08C 685CD10110              push 1001D15C

* Possible StringData Ref from Data Obj ->"Silver"
                                  |
:1000D091 6818D10110              push 1001D118

* Possible StringData Ref from Data Obj ->"two weeks"
                                  |
:1000D096 6850D10110              push 1001D150

* Possible StringData Ref from Data Obj ->"Silver"
                                  |
:1000D09B 6818D10110              push 1001D118
:1000D0A0 E87B8AFFFF              call 10005B20

* Possible StringData Ref from Data Obj ->"REG_TIMEOUT"

3. Ok, let's go to 1000D054, because Reg_Timeout is reached from there.

:1000D054 7D36                    jge 1000D08C   <<-- Bad Boy!
:1000D056 8B54240C                mov edx, dword ptr [esp+0C]
:1000D05A 56                      push esi
:1000D05B 81C2807FF1FF            add edx, FFF17F80
:1000D061 899054010000            mov dword ptr [eax+00000154], edx
:1000D067 8B4604                  mov eax, dword ptr [esi+04]
:1000D06A 8B500C                  mov edx, dword ptr [eax+0C]
:1000D06D 8B02                    mov eax, dword ptr [edx]
:1000D06F 89884C010000            mov dword ptr [eax+0000014C], ecx
:1000D075 E80661FFFF              call 10003180

4. Ok, we have found the first check, let's beat this. Note the offset (D054), open Hiew and change the 7D36 to 9090 (2x NOP). Save your work and try the plugin.
*BOOM* A message box appears which tells us that we have a new version, and so we get a new trial! One week more! If you don't get the message box, simply set the date to the next month (why month and not week? It's easier to set back in Win than a week.. yeah, sometimes I'm lazy =). Let's take a look at this present. Open the file with W32Dasm and take a close look into the SDR. 'Version_Alert' sounds very interesting! So let's go there.

5.
* Possible StringData Ref from Data Obj ->"VERSION_ALERT"
                                  |
:1000D07A 6870D10110              push 1001D170
:1000D07F E8AC90FFFF              call 10006130   <-- set trial and msg inside
:1000D084 83C408                  add esp, 00000008
:1000D087 5F                      pop edi
:1000D088 5E                      pop esi
:1000D089 5B                      pop ebx
:1000D08A 59                      pop ecx
:1000D08B C3                      ret

Mhmm, what have we now? Simply NOP the call! Then every time the proggy is called we get one new trial week, so it can't ever expire. Let's do so. Open Hiew, load the file, go to the offset (D07F) and enter 5x NOP:

E8AC90FFFF -> 9090909090

Save your work and try it! Congratulations! You have beaten the restrictions.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 3
~~~~~~

Name      : GIF Movie Gear
Version   : 2.63
Editor    : GamAni
Target    : movgear.exe
s/n saved : HKEY_CURRENT_USER\Software\gamani\GIFMovieGear\2.0
Tools     : W32Dasm
            Hiew
            Brain
Cracker   : LW2000
Tutorial  : No.42
http://www.gamani.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Go to the registration dialog and enter the following details:

Name: LW2000
Registration code: 1230099

*BOOM* 'The information you have provided is invalid.' Shit, wrong code, think we found a bug... ;) Let's note the msg and open the bitch in W32Dasm. Go in the SDR to our string:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0042C353(C)   <<-- here we go!
|
:0042C3FF 6A30                    push 00000030

* Possible Reference to String Resource ID=40213: "Invalid Registration Info"
                                  |
:0042C401 68159D0000              push 00009D15

* Possible Reference to String Resource ID=40212: "The information you have provided is invalid. Please be sure"
                                  |
:0042C406 68149D0000              push 00009D14
:0042C40B 56                      push esi
:0042C40C E8DF00FEFF              call 0040C4F0
:0042C411 83C410                  add esp, 00000010

2. Ok, go to offset 0042C353. You should now see this:

:0042C349 E872FDFFFF              call 0042C0C0   <<-- check routine
:0042C34E 83C408                  add esp, 00000008
:0042C351 85C0                    test eax, eax
:0042C353 0F84A6000000            je 0042C3FF     <<-- check

So, when you take a look inside the call 0042C0C0, you will notice that if the entered serial number is correct, eax=1. Else eax=0 and the check fails. So why not set eax=1 always, not only for the correct serial numbers? ;)

3. Ok, I think this idea is quite good. Go into the call and note the offset. Open Hiew and go to the offset. Now press F3 for edit mode and F2 to enter asm commands. Now type:

mov eax, 1 [Enter]
ret [Enter]
[Esc]

If you have done so, you will see this (mov eax, 1 is a 5-byte instruction, so the ret lands at C0C5):

:0042C0C0 B801000000              mov eax, 1
:0042C0C5 C3                      ret

Ok, save your work and try again to register. Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 4
~~~~~~

Name      : HTML (Un)Compress
Version   : 5.0
Target    : HTMLcomp.exe
s/n saved : HKEY_LOCAL_MACHINE\Software\HTML(Un)Compress\Registration
Tools     : W32Dasm
            Hiew
            Brain
Cracker   : LW2000
Tutorial  : No.43

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, go to the registration screen and enter the following details:

Name: LW2000
Password: 1230099

*BOOM* 'There seems to be a problem...' Mhmm, are all those programs stupid? 1230099 is my personal serial number and should always be correct... And if not, I'll make my s/n correct =)

2.
Load 'HTMLComp.exe' in W32Dasm and make a dead listing. In the SDR, double-click on 'There seems to be a problem...'.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00466D4F(C)   <<-- here we go!
|
:00466DA0 6A00                    push 00000000
:00466DA2 668B0DF46D4600          mov cx, word ptr [00466DF4]
:00466DA9 B201                    mov dl, 01

* Possible StringData Ref from Code Obj ->"There seems to be a problem with"
                                        ->"either the name or the password. "
                                        ->"Make sure there are no spaces "
                                        ->"in front or after you name and/of "
                                        ->"password. Pay also special attention "
                                        ->"to the differance between O and "
                                        ->"0. If the problem persists, please "
                                        ->"contact me immediately."

3. To see from where the error msg is called, we take a close look at the reference... 00466D4F. So let's go there.

:00466D48 E8336FFFFF              call 0045DC80   <<-- check routine
:00466D4D 3C01                    cmp al, 01      <<-- test
:00466D4F 754F                    jne 00466DA0    <<-- s/n check

So what will we do? Let the call always return al=1! This is much better than a change like jne/je. How to do this (short description): go inside the call and note the offset. Open Hiew, go to the offset, F3, F2, then enter:

mov al, 1 [Enter]
ret [Enter]
[Esc]

All done? Let's try our bugfix!

Name: LW2000
Password: 1230099

Congratulations! You are a registered user. As I said before, 1230099 will always work ;)

FINISH! Easy, isn't it?

cu LW2000

Any comments? Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 5
~~~~~~

Name     : Offline Explorer
Version  : 1.2
Editor   : Metaproducts
Target   : OE.exe
Tools    : W32Dasm
           GetTyp
           Procdump 1.60
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.44
http://www.metaproducts.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, let's try to register.

Registered User: LW2000
Registration Key: 1230099

*BOOM* 'Sorry, registration information is invalid'. Seems that we have found a bug... ;) Let's fix it.

2.
First check the exe with GetTyp for any exe-packer (I always do this first). AHA! GT has found "ASPack 1.083", ok let's unpack it =) Load Procdump, choose unpack and select our packer.... When Procdump is finished, load the new unpacked file in W32Dasm. Click on the SDR and go to our string:

:004B7827 8B45F4                  mov eax, dword ptr [ebp-0C]
:004B782A E8C5C7F4FF              call 00403FF4
:004B782F 8BC8                    mov ecx, eax

* Possible StringData Ref from Code Obj ->"Sorry, registration information"
                                        ->"is invalid."
                                  |
:004B7831 BA90784B00              mov edx, 004B7890
:004B7836 A1F84C4D00              mov eax, dword ptr [004D4CF8]
:004B783B 8B00                    mov eax, dword ptr [eax]
:004B783D E81A7EF9FF              call 0044F65C

3. Ok, this looks fine, but scroll up to see where we have come from.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004B771B(C)   <<-- here we go
|
:004B7782 6A10                    push 00000010
:004B7784 8D4DF0                  lea ecx, dword ptr [ebp-10]
:004B7787 A1FC4A4D00              mov eax, dword ptr [004D4AFC]
:004B778C 8B00                    mov eax, dword ptr [eax]

We go to 004B771B.

:004B7714 E8F7B00000              call 004C2810   <<-- check routine
:004B7719 84C0                    test al, al     <<-- tests AL
:004B771B 7565                    jne 004B7782    <<-- check
:004B771D A1FC4A4D00              mov eax, dword ptr [004D4AFC]
:004B7722 8B00                    mov eax, dword ptr [eax]
:004B7724 C680C005000001          mov byte ptr [eax+000005C0], 01

4. So what will we do now? Change the jne to je??? NO! This is quite silly, because most programs check the serial more than once. So, if AL=1 then the test is passed, else we fail. Go into the call and note the offset (C1C10). Open the unpacked file with Hiew and go to our offset:

:004C2810 55                      push ebp
:004C2811 8BEC                    mov ebp, esp
:004C2813 83C4F0                  add esp, FFFFFFF0
:004C2816 53                      push ebx
:004C2817 33DB                    xor ebx, ebx
:004C2819 895DF0                  mov dword ptr [ebp-10], ebx

Press F3 to edit and F2 to enter ASM commands. Now enter:

mov al, 1 [Enter]
ret [Enter]
[Esc]

Save your work and quit. Now try again to register. Congratulations! You are a registered user.

FINISH! Easy, isn't it?

cu LW2000

Any comments?
Mail me LW2000@gmx.net!

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #66 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
tKC for Interface.
LW2000 for Splash Logo
DRaCooLa for providing a tut in this version.
LW2000 for providing 4 tuts in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials.. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 27 January 2000

Cracking Tutorial #65 is dedicated to LW2000.
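Appended example (not part of the original tutorial, nor of any of the programs it discusses): the call and conditional-jump targets that W32Dasm prints in the listings of Parts 2 to 5 can be re-derived from the raw bytes, because x86 stores them as a signed displacement relative to the next instruction. The decoder below does that for the three encodings that occur in those listings (E8 rel32, 7x rel8, 0F 8x rel32), reports each instruction's length, and re-checks every quoted target; the address/byte/target triples are copied from the listings above, everything else is constructed.

```python
import struct

# The listings above contain three x86 branch encodings:
#   E8 rel32       call near, relative
#   7x rel8        jcc short (7D = jge, 75 = jne, 74 = je, ...)
#   0F 8x rel32    jcc near
# In each case target = address of the NEXT instruction + sign-extended displacement,
# so the target can be recomputed from the bytes alone and compared with the listing.
JCC_SHORT = {0x74: "je", 0x75: "jne", 0x7C: "jl", 0x7D: "jge", 0x7E: "jle", 0x7F: "jg"}

def decode_branch(address, hexbytes):
    """Return (mnemonic, length_in_bytes, absolute_target) for one call/jcc."""
    b = bytes.fromhex(hexbytes)
    if b[0] == 0xE8:
        disp = struct.unpack("<i", b[1:5])[0]
        return "call", 5, (address + 5 + disp) & 0xFFFFFFFF
    if b[0] in JCC_SHORT:
        disp = struct.unpack("<b", b[1:2])[0]
        return JCC_SHORT[b[0]], 2, (address + 2 + disp) & 0xFFFFFFFF
    if b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:
        mnem = JCC_SHORT.get(b[1] - 0x10, "jcc")  # 0F 84 uses the same condition as 74
        disp = struct.unpack("<i", b[2:6])[0]
        return mnem, 6, (address + 6 + disp) & 0xFFFFFFFF
    raise ValueError("not a call/jcc encoding: " + hexbytes)

# Constructed sample: (address, bytes, target printed by W32Dasm), copied from
# the listings in Parts 2 to 5 of this tutorial.
LISTING = [
    (0x1000D054, "7D36", 0x1000D08C),          # Part 2: jge, the "Bad Boy"
    (0x1000D07F, "E8AC90FFFF", 0x10006130),    # Part 2: call, VERSION_ALERT
    (0x1000D0AA, "E88190FFFF", 0x10006130),    # Part 2: call, REG_TIMEOUT
    (0x0042C353, "0F84A6000000", 0x0042C3FF),  # Part 3: je after test eax, eax
    (0x0042C349, "E872FDFFFF", 0x0042C0C0),    # Part 3: call to check routine
    (0x00466D4F, "754F", 0x00466DA0),          # Part 4: jne after cmp al, 01
    (0x00466D48, "E8336FFFFF", 0x0045DC80),    # Part 4: call to check routine
    (0x004B771B, "7565", 0x004B7782),          # Part 5: jne after test al, al
    (0x004B7714, "E8F7B00000", 0x004C2810),    # Part 5: call to check routine
]

def verify_listing(listing=LISTING):
    """Re-derive every target from its bytes; return the entries that disagree."""
    mismatches = []
    for address, hexbytes, printed in listing:
        _, _, target = decode_branch(address, hexbytes)
        if target != printed:
            mismatches.append((hex(address), hexbytes, hex(target), hex(printed)))
    return mismatches
```

verify_listing() returns an empty list for the nine instructions quoted above, i.e. every target W32Dasm printed agrees with the bytes; the reported length also shows why, in Part 3, a ret typed after the 5-byte mov eax, 1 ends up at 0042C0C5.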