Welcome to Cracking Tutorial #66!

Hiya guys, I had problems with no internet (cafe network was down).. so here
are 4 tutors finally, #65-68, enjoy them!

OK, let's rave!

TOOLS
~~~~~

You'll need the following tools: (I use these tools, I assume you'll use 'em,
but it doesn't mean that you'll need to use all those tools, so be sure to get
them handy for the examples in this tutorial!)

  SoftICE v4.01
  W32Dasm v8.93
  Hacker's View v6.20
  SmartCheck v6.03
  ProcDump32 v1.6.2
  Windows Commander v4.03 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials. Here is a good site where you can grab
tools from: http://protools.cjb.net or http://w3.to/protools or ask any
crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Name      : Browserola
Version   : 1.0
Editor    : Coda
Target    : browsola.exe
s/n saved : HKEY_CURRENT_USER\Software\Codo\Browserola\UserInfo
Tools     : Softice
            Brain
Cracker   : LW2000
Tutorial  : No.45

http://www.codo.com/browserola/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of
this material!
---

1. Click the Browserola logo from the main screen. This will bring up the
   'About...' box. Click the 'Register' button. Then enter the following
   details:

     User Name  : LW2000
     Reg Number : 1230099

   Click on Register. *BOOM* 'The Code does not match.'

2. Switch to Sice and set a bpx on hmemcpy: 'bpx hmemcpy'. Press F5 to return
   to the app and click on Register. *BOOM* Sice pops up. Now count how often
   Sice breaks on hmemcpy. OK, you count 4 times. Now let Sice break again on
   hmemcpy and press F5 until you have counted these 4 breaks (3x F5). Then
   press 12x F12 to get to the relevant code.

3. Trace with F10 until you reach this piece of code:

     0177:00456CA2 E88DEFFFFF  call 00455C34                <-- calculate code routine
     0177:00456CA7 8B45F0      mov eax, dword ptr [ebp-10]  real code
     0177:00456CAA 8B55F8      mov edx, dword ptr [ebp-08]  fake code
     0177:00456CAD E856CBFAFF  call 00403808                <-- check routine
     0177:00456CB2 752A        jne 00456CDE                 <-- check

   Trace till you are on 00456CAD. Mhmm, 'd edx' will show us our fake code
   (1230099) and 'd eax' will show the correct reg number
   (CBW95-R03309-0000517). Should I say more? ;) With this knowledge try to
   register Browserola, but first type 'bc hmemcpy' to clear the breakpoint.

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them...
they are the best!

PART 2
~~~~~~

Name      : Absolute Security Standard Encryption Program
Version   : 3.3
Editor    : Pepsoft
Target    : Absec.exe
s/n saved : HKEY_CURRENT_USER\Software\Pepsoft\AbSec\Reg
Tools     : Softice
            Brain
Cracker   : LW2000
Tutorial  : No.46

http://www.pepsoft.com

1. Go to the regscreen and enter the details:

     User Name : Cracked by LW2000
     Key       : 1230099

   Click on OK. *BOOM* 'Sorry... Invalid registration password.' Enter the
   same key again.

2. Switch to Sice and set a bpx on hmemcpy: 'bpx hmemcpy'. Press F5 to return
   to the app and click on OK. *BOOM* Sice pops up. Press F5 and count how
   often Sice breaks on hmemcpy. Then enter the details again (better to
   disable the bpxs first... ;) and try it again. Now press F5 one time less
   than the number of breaks you counted. If you have done so, you should now
   be at the last call from hmemcpy. Then press F12 until you are in the
   32-bit code. Then trace with F10 until you are here (takes a while...
   because of a loop):

     :0048B6B3 E8949BF8FF    call 0041524C
     :0048B6B8 8B85D4FBFFFF  mov eax, dword ptr [ebp+FFFFFBD4]
     :0048B6BE 50            push eax
     :0048B6BF 8D85D8FBFFFF  lea eax, dword ptr [ebp+FFFFFBD8]
     :0048B6C5 8D95F8FDFFFF  lea edx, dword ptr [ebp+FFFFFDF8]
     :0048B6CB E8F080F7FF    call 004037C0
     :0048B6D0 8B95D8FBFFFF  mov edx, dword ptr [ebp+FFFFFBD8]
     :0048B6D6 58            pop eax
     :0048B6D7 E84882F7FF    call 00403924
     :0048B6DC 757A          jne 0048B758                       <-- check
     :0048B6DE 8B45FC        mov eax, dword ptr [ebp-04]

3. Trace with F10 through the code and take a look at eax. btw: with 'd eax'
   you can display eax... ;) Then simply note the serial (EEYVEBLTULHMEAW) and
   try it, but first type 'bc hmemcpy' to clear the breakpoint.

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

PART 3
~~~~~~

Name      : URLegal
Version   : 2.1
Editor    : Paul Gerhart Software
Target    : Urlegal.exe
s/n saved : HKEY_LOCAL_MACHINE\SOFTWARE\Paul Gerhart Software\URLegal\User
Tools     : W32Dasm
            Hiew
            Brain
Cracker   : LW2000
Tutorial  : No.47

http://www.worldlynx.net/pgerhart/

1. OK, go to the regscreen and enter the details:

     Name : LW2000
     Code : 1230099

   *BOOM* 'Name / Code mis-match. Try again.' Mhmm, wrong code? Typical
   program bug ;) Let's fix it.

2. Load Urlegal.exe in W32Dasm and go to the String Data References.
   Doubleclick on our string: "Name / Code mis-match. Try again." You should
   be here now:

     * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
     |:00403170(C), :0040318A(C)                           <<-- here we go
     |
     :004031F6 6A00  push 00000000
     :004031F8 6A00  push 00000000
     * Possible StringData Ref from Data Obj->"Name/Code mis-match. Try again"

3. OK, we take a look at the conditional jumps from :00403170(C) and
   :0040318A(C).
   Doublerightclick on the first reference to go to the jump.

     :00403169 E842040000    call 004035B0
     :0040316E 85C0          test eax, eax
     :00403170 0F8580000000  jne 004031F6                 <<-- if eax <> 0 then error msg
     :00403176 8D4DEC        lea ecx, dword ptr [ebp-14]
     :00403179 51            push ecx
     :0040317A 8D5588        lea edx, dword ptr [ebp-78]
     :0040317D 52            push edx
     :0040317E E87D040000    call 00403600
     :00403183 25FF000000    and eax, 000000FF
     :00403188 85C0          test eax, eax
     :0040318A 746A          je 004031F6                  <<-- if eax = 0 then error msg
     :0040318C E8DFEAFFFF    call 00401C70

   We want to bypass the protection (if you ask why - close this tut and never
   read anything else about cracking!), so let's think a bit about the code.
   If we do not jump, we go on in the reg process. Do you think the same?
   Let's NOP the jmps!

4. OK, note the offsets of :00403170 and :0040318A and open the file in Hiew.
   Go to the offset (F5) and enter edit mode (F3). Then change 0F8580000000 to
   909090909090 and 746A to 9090. Save your work and try again to register!

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

PART 4
~~~~~~

Name      : Lockdown 2000
Version   : 3.01
Editor    : LockDown Corp
Target    : Lockdown2000.exe
Tools     : W32Dasm
            Softice
            Brain
Cracker   : LW2000
Tutorial  : No.48

http://lockdown2000.com

1. OK, start Lockdown, go to the regscreen and type 1230099 as serial. *BOOM*
   'The unlock code you have entered '. What the hell is this? Seems that we
   found a bug... ;) Let's fix it. Load the file in W32Dasm and go to our
   string. (You should know how to do this - if not, read my tut No.1
   first.. ;)

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004C4BAC(U)                                          <-- here we go
     |
     :004C4BB0 84DB            test bl, bl
     :004C4BB2 7523            jne 004C4BD7
     :004C4BB4 6A00            push 00000000
     :004C4BB6 668B0DE44C4C00  mov cx, word ptr [004C4CE4]
     :004C4BBD 33D2            xor edx, edx
     * Possible StringData Ref from Code Obj->"The unlock code you have entered"

2. Fine, let's go to :004C4BAC and take a look at the code:

     :004C4BA2 58          pop eax
     :004C4BA3 E894F4F3FF  call 0040403C          <- reg check routine
     :004C4BA8 7504        jne 004C4BAE
     :004C4BAA B301        mov bl, 01
     :004C4BAC EB02        jmp 004C4BB0
     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:004C4BA8(C)
     |
     :004C4BAE 33DB        xor ebx, ebx

3. OK, let's see what's inside the call 0040403C.

     * Referenced by a CALL at Addresses:
     |:0041210B , :00416D07 , :0041804D , :0041D59D , :0041E51C
     |:0042A4CE , :00431F9E , :00432029 , :00432C8F , :00432F04
     |:0043DA13 , :0043DFFD , :0043E16D , :0043E2E1 , :00440F89
     |:0044104D , :00441428 , :004414E7 , :00441942 , :00441B96
     |:00442101 , :004422BF , :0044FD13 , :0045F23F , :0045F676
     |:00460C3C , :0046336B , :00463D3C , :004762A8 , :0047668D
     |:0047E88F , :0047E9D6 , :0047FBAE , :0047FBC0 , :0048079E
     |:00480A42 , :00480A51 , :00480A60 , :00480A6F , :00480FF2
     |:00481F3B , :00488BB7 , :0048AEBB , :0048B712 , :0048B776
     |:0048B78E , :0048B8A3 , :004A33F9 , :004A4722 , :004A52A2
     |:004A5D12 , :004A620C , :004A68A9 , :004A8382 , :004A8B24
     |:004ABD83 , :004AC29F , :004ACA0F , :004ACCD4 , :004ACF05
     |:004AD0B5 , :004AD0E0 , :004AD0FC , :004AD149 , :004AD286
     |:004AD3C2 , :004B05CD , :004B06D1 , :004B0901 , :004B30C6
     |:004B30D5 , :004B30E4 , :004B30F3 , :004B3421 , :004B3861
     |:004B3993 , :004B64A0 , :004B6529 , :004B6904 , :004B69C6
     |:004B69D8 , :004B6A9F , :004B6AC7 , :004B6B6F , :004B6D34
     |:004B6D53 , :004B6D7D , :004B6D9C , :004B71D0 , :004B780E
     |:004B7880 , :004B85C7 , :004B8BDB , :004B8C18 , :004BC159
     |:004BC9AB , :004BD23A , :004BD40D , :004BE3A9 , :004BEC7D
     |:004BECFB , :004C0E48 , :004C0E97 , :004C156C , :004C158D
     |:004C3AD2 , :004C3C6D , :004C4BA3 , :004C54A1 , :004C5A0A
     |:004C5E1E , :004C5E58 , :004C5ECA , :004C5F04 , :004C5F76
     |:004C5FB0 , :004C6022 , :004C605C , :004C60C9 , :004C6125
     |:004C6181 , :004C61DD , :004C659E , :004C65D0 , :004C99A2
     |:004C9E90 , :004CA568 , :004CAF3D , :004CAF72 , :004CB762
     |:004CBA39 , :004CBAF2 , :004CBB18
     |
     :0040403C 53            push ebx
     :0040403D 56            push esi
     :0040403E 57            push edi
     :0040403F 89C6          mov esi, eax                 <- Mov serial1 to esi
     :00404041 89D7          mov edi, edx                 <- Mov serial2 to edi
     :00404043 39D0          cmp eax, edx                 <- CMP them =)
     :00404045 0F848F000000  je 004040DA
     :0040404B 85F6          test esi, esi
     :0040404D 7468          je 004040B7
     :0040404F 85FF          test edi, edi
     :00404051 746B          je 004040BE
     :00404053 8B46FC        mov eax, dword ptr [esi-04]
     :00404056 8B57FC        mov edx, dword ptr [edi-04]
     :00404059 29D0          sub eax, edx
     :0040405B 7702          ja 0040405F
     :0040405D 01C2          add edx, eax

4. OK, write 00404043 down. Exit W32Dasm and start Lockdown. Press [ctrl]+[d]
   to switch to Sice and set a breakpoint on 00404043: 'bpx 00404043'. Then
   press F5 to continue and try to register. *BOOM* Sice pops up. Then type
   'd eax' and 'd edx'. Now you see your fake serial and the correct one.
   Write it down, kill the bpxs (bc *) and give it a try!

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

PART 5
~~~~~~

Name      : Just Another Commander
Version   : 2.01
Editor    : Klappert
Target    : jac.exe
Tools     : W32Dasm
            Hiew
            Brain
Cracker   : LW2000
Tutorial  : No.49

http://www.a-l-e-x.de

1. OK, let's do a quick crack on Just Another Commander. Start the proggy and
   you see a nag; write down the text. Load the bitch into W32Dasm and make a
   dead listing.
   Go to our string:

     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:00523877(U)
     |
     :00523887 803D14E753001E  cmp byte ptr [0053E714], 1E
     :0052388E 7621            jbe 005238B1                  <-- Bad Boy
     :00523890 6A00            push 00000000
     :00523892 668B0D103D5200  mov cx, word ptr [00523D10]
     :00523899 33D2            xor edx, edx
     * Possible StringData Ref from Code Obj->"Sie haben JAC bereits an 30 Tagen"
                                           ->"getestet. Wenn Sie das Programm"
                                           ->"weiter nutzen m"
     |
     :0052389B B8A03D5200      mov eax, 00523DA0
     :005238A0 E87B36F6FF      call 00486F20
     :005238A5 C60500E7530000  mov byte ptr [0053E700], 00
     :005238AC E9A1000000      jmp 00523952

2. Mhmm, quite simple! We want to load the program every time - also if we are
   over the trial period. So we must jump every time! We do this by changing
   the jbe to jmp. (I don't tell you today how to do this - you should know
   this already. If not, read one of my old tuts!)

3. OK, works fine, but the nag and this splash are still there... Let's think
   a bit =) We want to go to the main screen, so take a look at the title bar:
   "Just Another Commander - UNREGISTRIERTE SHAREWAREVERSION". Make a dead
   listing on "Just Another Commander":

     :00523A65 FF5250      call [edx+50]
     * Possible StringData Ref from Code Obj->"Just Another Commander"
     |
     :00523A68 BA403C5200  mov edx, 00523C40              <-- note the offset
     :00523A6D A130765200  mov eax, dword ptr [00527630]
     :00523A72 E80554F0FF  call 00428E7C
     :00523A77 B9C0E55300  mov ecx, 0053E5C0
     :00523A7C BAD8644E00  mov edx, 004E64D8

4. Note the offset of :00523A68, because we must jump there if we want to
   start the main part. But from where do we jump to the main part? Mhmm *g*,
   do you remember the date check ;) OK, go to :0052388E again. We must change
   the jbe 005238B1 (or jmp 005238B1 if already changed) to jmp 00122E68 (our
   newly noted offset!)

5. Let's do so. Open Jac.exe in Hiew and enter decode mode. Press F5 and go to
   offset 122C8E. Press F3, F2 and enter jmp 00122E68 [Enter] [Esc]. Save
   your work.

   btw: if you get a msg because of a date change, note the text and go to
   the reference.

     :005237A6 DFE0          fstsw ax
     :005237A8 9E            sahf
     :005237A9 7331          jnb 005237DC                  <<--- Bad Boy!
     :005237AB DD0504E75300  fld qword ptr [0053E704]
     :005237B1 83C4F4        add esp, FFFFFFF4
     :005237B4 DB3C24        fstp tbyte ptr [esp]
     :005237B7 9B            wait
     :005237B8 8D45F0        lea eax, dword ptr [ebp-10]
     :005237BB E80843EEFF    call 00407AC8
     :005237C0 8B55F0        mov edx, dword ptr [ebp-10]
     :005237C3 8D45DC        lea eax, dword ptr [ebp-24]
     :005237C6 E8DD0CEEFF    call 004044A8
     :005237CB 8D4DDC        lea ecx, dword ptr [ebp-24]
     :005237CE 33D2          xor edx, edx
     :005237D0 A1F4E65300    mov eax, dword ptr [0053E6F4]
     :005237D5 E83A74F2FF    call 0044AC14
     :005237DA EB1C          jmp 005237F8
     * Referenced by a (U)nconditional or (C)onditional Jump at Address:
     |:005237A9(C)                                         <-- here we go
     |
     :005237DC 6A00            push 00000000
     :005237DE 668B0D103D5200  mov cx, word ptr [00523D10]
     :005237E5 B203            mov dl, 03
     * Possible StringData Ref from Code Obj->"Sie haben doch wohl nicht an der"
                                           ->"Datumseinstellung rumgespielt"
                                           ->"um die Shareware-Kontrolle zu"
                                           ->"umgehen??"
     |
     :005237E7 B81C3D5200      mov eax, 00523D1C

   Now note the offset of :005237A9 and go there in Hiew. Change the 7331 to
   9090 and you never hear of this msg again ;)

   If you don't like the 'UNREGISTRIERTE SHAREWAREVERSION' string, search the
   exe in Hiew for this string
   (554E5245474953545249455254452053484152455741524556455253494F4E in hex) and
   replace it (for example with
   52656769737472696572742066FC72204C5732303030205B4369415D2020 or whatever
   you like - but it must have the same length!). Now try it!

Congratulations! You have a nag-, splash- and trial-free version.

FINISH! Easy, or?

cu LW2000

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss
Tutor #67 soon!
;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

  tKC for Interface.
  LW2000 for Splash Logo
  LW2000 for providing 5 tuts in this version.
  tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru!

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 27 January 2000

Cracking Tutorial #66 is dedicated to LW2000.
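WHY THE CHECKS IN PARTS 1, 2 AND 4 FALL
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Parts 1, 2 and 4 all break the same way: the program computes the one valid
code for the name and then compares it with what was typed, so at the compare
the correct code is sitting in a register and 'd eax' simply reads it off. The
Go program below is an added example written for this page; it is not code
from the tutorial or from any of the programs cracked in it. It puts that
compute-then-compare pattern (with a constructed toy derivation, deriveToyCode,
that belongs to no real product) next to the design that removes the weakness:
the vendor signs the customer name with an Ed25519 private key kept offline,
and the shipped program carries only the public key and a verify call, so no
state inside the running process can produce a valid code. The names
newVendorKeys, issueLicense, verifyLicense and the sample customer name are
assumptions made for the example. Go is used because its standard library has
Ed25519; the tools listed above (Delphi, C++, TASM) would need an external
library for the same thing.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base32"
	"fmt"
)

// deriveToyCode stands in for the per-name code derivation found in the
// targets (the "calculate code routine" called just before the compare).
// The arithmetic (FNV-1a over the name) is constructed for this example and
// belongs to no real product.
func deriveToyCode(name string) string {
	var h uint32 = 2166136261 // FNV-1a 32-bit offset basis
	for i := 0; i < len(name); i++ {
		h ^= uint32(name[i])
		h *= 16777619 // FNV-1a prime
	}
	return fmt.Sprintf("XX-%08X", h)
}

// weakCheck is the compute-then-compare pattern of Parts 1, 2 and 4: the
// program computes the one valid code for the name and compares it with the
// typed code. Both operands of that compare are live in memory, which is what
// 'd eax' / 'd edx' at the compare routine displays.
func weakCheck(name, entered string) bool {
	expected := deriveToyCode(name)
	return expected == entered // 'd eax' shows expected, 'd edx' shows entered
}

// License is what a vendor issues instead: the customer name plus the vendor's
// Ed25519 signature over it, rendered as a typeable base32 string.
type License struct {
	Name string
	Code string
}

var codeEnc = base32.StdEncoding.WithPadding(base32.NoPadding)

// newVendorKeys generates the vendor key pair. Only the public half ships.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issueLicense runs at the vendor, never inside the shipped program.
func issueLicense(priv ed25519.PrivateKey, name string) License {
	sig := ed25519.Sign(priv, []byte(name))
	return License{Name: name, Code: codeEnc.EncodeToString(sig)}
}

// verifyLicense is everything the shipped program needs. It holds no key
// material that can produce a valid code, so there is no "real code" to read
// off a register: a debugger at the compare sees the typed code and a boolean.
func verifyLicense(pub ed25519.PublicKey, lic License) bool {
	sig, err := codeEnc.DecodeString(lic.Code)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(lic.Name), sig)
}

func main() {
	pub, priv := newVendorKeys()
	lic := issueLicense(priv, "Example Customer") // constructed sample name
	fmt.Println("issued code:", lic.Code)
	fmt.Println("valid license accepted:", verifyLicense(pub, lic))
	guess := License{Name: "Example Customer", Code: "1230099"}
	fmt.Println("typed guess accepted:", verifyLicense(pub, guess))
	fmt.Println("weak check, typed guess:", weakCheck("Example Customer", "1230099"))
}
```

The signature scheme closes the route used in Parts 1, 2 and 4: there is no
moment at which the right answer and the wrong answer sit side by side in two
registers. It does nothing about Parts 3 and 5, where the branch that consumes
the result is patched in the file; verifyLicense still returns one boolean and
a single jne on it is as patchable as before, so a shipped product also has to
protect the binary's integrity and tie the check result to more than one jump,
which is outside what this example shows.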