Welcome to Cracking Tutorial #67!

Hiya guys, I had problems with no internet (the cafe network was down), so here are 4 tutors finally, #65-68. Enjoy them! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools (I use these tools and I assume you'll use them too, but it doesn't mean you'll need all of them, so just have them handy for the examples in this tutorial):

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it because it makes multitasking easier)
Delphi, VB, C++, or TASM to code a keygen or a patch.

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools, or ask any cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Name     : JD-Tricks
Version  : 3.271.7.0
Editor   : JDTOOLS
Target   : jdtricks.exe
s/n saved: HKEY_LOCAL_MACHINE\Software\JD\JDTricks
Tools    : SoftICE, Brain
Cracker  : LW2000
Tutorial : No.50
http://www.jdtools.de/

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. OK, go to the registration screen and enter the details.

   Name    : LW2000 [CiA]
   Key Code: 123009988

   Press OK! *BOOM* Error message. Press OK and JD-Tricks quits.

2. Next try. Go to the registration screen and enter the details again. Press [Ctrl]+[D] to switch to SoftICE and set a breakpoint on hmemcpy:

   bpx hmemcpy

   (hmemcpy is a 16-bit KERNEL export, so this breakpoint only exists on Windows 9x; on NT-based systems break on the 32-bit call that reads the edit control, e.g. GetWindowTextA or GetDlgItemTextA, instead.) Press F5 to return to the app. Now press OK. *BOOM* SoftICE pops up. Press F5 seven times, then F12 seven times. OK, now you're in the 32-bit part.
But you can press F12 five more times to get to the interesting part ;)

0177:00495BEE E865ECF9FF    call 00434858
0177:00495BF3 8B45E0        mov eax, dword ptr [ebp-20]   <-- here you are
0177:00495BF6 8B55FC        mov edx, dword ptr [ebp-04]
0177:00495BF9 E8AAE4F6FF    call 004040A8                 <-- Check Routine
0177:00495BFE 0F85FA010000  jne 00495DFE                  <-- Bad Boy
0177:00495C04 8B45FC        mov eax, dword ptr [ebp-04]
0177:00495C07 E88CE3F6FF    call 00403F98

3. Seems that we have found our check =) The two strings are passed in eax and edx, the call at 00495BF9 compares them and sets the flags, and the jne at 00495BFE takes the bad-boy branch when they differ (zero flag clear). Now our mission is to bypass the bad-boy check. How? The old flag-change trick! Trace with F10 until you are on 0177:00495BFE, then type

   r fl z

   This toggles the zero flag, so the jne is no longer taken. Press F10 once more and you have passed the check! Now press F5, sit back and relax!

   Congratulations! You are a registered user. FINISH! Easy, isn't it?

   Note that the flag change lasts only for this one run. To make it permanent, patch the six bytes of the jne (0F 85 FA 01 00 00) in jdtricks.exe with NOPs (90), the same way the je and jle are patched in Parts 4 and 5.

cu LW2000
Any comments? Mail me at LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 2
~~~~~~

Name    : UltraEdit 32
Version : 7.00
Editor  : ultraedit
Target  : Uedit32.exe
Tools   : FileMon, Hiew, W32Dasm, Brain
Cracker : LW2000
Tutorial: No.51
http://www.ultraedit.com

1. Let's start: go to the registration screen and enter the details.

   Name: LW2000 [CiA]
   Code: 1230099

   *BOOM* Hmm, no message! UE exits! So what does this mean? UltraEdit saves the details to a file and checks them when it starts up.

2. OK, let's take a closer look at this "file". Watch UltraEdit in FileMon. FileMon reports a file called UEDIT32.reg... Hmm *g*, seems that we have found a good starting point to crack UltraEdit!

3. Load Uedit32.exe in W32Dasm and search the string data references (SDR) for REG. OK, I get a few different hits.
But after a closer look it was clear that this is the part we need:

:0043D61E 6840444E00     push 004E4440
:0043D623 B90CE54E00     mov ecx, 004EE50C
:0043D628 E873230500     call 0048F9A0
:0043D62D 83F8FF         cmp eax, FFFFFFFF
:0043D630 0F841D010000   je 0043D753
:0043D636 FFB78C000000   push dword ptr [edi+0000008C]
:0043D63C 8D4D10         lea ecx, dword ptr [ebp+10]
:0043D63F E88DA20500     call 004978D1
:0043D644 8B4510         mov eax, dword ptr [ebp+10]
:0043D647 8D4D10         lea ecx, dword ptr [ebp+10]
:0043D64A C645FC02       mov [ebp-04], 02
:0043D64E 8B40F8         mov eax, dword ptr [eax-08]
:0043D651 83C0FD         add eax, FFFFFFFD
:0043D654 50             push eax
:0043D655 8D45E8         lea eax, dword ptr [ebp-18]
:0043D658 50             push eax
:0043D659 E8A8220500     call 0048F906

* Possible StringData Ref from Data Obj ->"REG"

4. Now scroll up a bit to see this:

* Reference To: USER32.CreateWindowExA, Ord:0059h
|
:0043D5E2 FF1530074C00   Call dword ptr [004C0730]
:0043D5E8 A3C8FF4E00     mov dword ptr [004EFFC8], eax
:0043D5ED 8D8796020000   lea eax, dword ptr [edi+00000296]
:0043D5F3 885810         mov byte ptr [eax+10], bl
:0043D5F6 FF3500E54E00   push dword ptr [004EE500]
:0043D5FC 6A01           push 00000001
:0043D5FE 50             push eax
:0043D5FF FF75F0         push [ebp-10]
:0043D602 E8BB11FDFF     call 0040E7C2                  <-- Check Routine
:0043D607 83C410         add esp, 00000010
:0043D60A 85C0           test eax, eax                  <-- TEST
:0043D60C 0F8489010000   je 0043D79B                    <-- BAD BOY!
:0043D612 391D1C004F00   cmp dword ptr [004F001C], ebx
:0043D618 0F857D010000   jne 0043D79B

* Possible StringData Ref from Data Obj ->"Extension License"

5. The CreateWindowEx function creates a pop-up, overlapped or child window with an extended style. If the function succeeds, the return value is the handle of the new window, otherwise it is zero. At 43D602 we see a call. Inside this call our fake serial and the correct one are compared. If they are identical, eax=1, else eax=0, and the je at 43D60C jumps to the bad boy when eax is zero. So what to do? Let's change the call so that its return value is 1 every time =) Since the caller removes the four pushed arguments itself (add esp, 10 right after the call), a bare ret at the start of the routine is safe. (The cmp/jne at :0043D612 reaches the same bad-boy target, so keep it in mind if the patch alone is not enough.) Go into the call and note the file offset (W32Dasm shows it in the status bar). Open Hiew and go to that offset.
Enter decode mode, press F3 to edit and F2 to enter assembler commands. Now type:

   mov eax,1   [Enter]
   ret         [Enter]
   [Esc]

then F9 to write the change to the file. What does this do? It sets eax=1 and returns from the call immediately =) OK, let's try our bug-free version ;)

Congratulations! You are a registered user. FINISH! Easy, isn't it?

PART 3
~~~~~~

Name    : InternetMETER
Version : 2.0b (Build 4.120)
Editor  : Franusic
Target  : im20b.exe
Tools   : GetTyp, Procdump, Exescope, Brain
Cracker : LW2000
Tutorial: No.52
http://www.redrival.com/smaster

1. OK, I knew that this program is freeware, but its time-delayed splash screen has annoyed me for over a month now! So I decided to fix this bug! First I scanned the exe with GetTyp (I do this with every program!). Aha, iMeter is packed with ASPack 1.05b. This should be no problem: load ProcDump, click Unpack, choose ASPack<1.08 and unpack it!

2. OK, when you have unpacked our proggy, open it in Exescope and search for our splash. (The alternative is to switch to SoftICE while the nag is shown and take a look with the hwnd command...) You should now see:

   Header   (the exe header, the sections, etc.)
   Import   (the imported functions)
   Resource (bitmaps, strings, dialogs, etc.)

3. I think you have understood that we must search under Resource. We are looking for a form, so we must look under RCData. Hmm, *g* TSplashForm sounds very interesting... click on it! In the right window we now see a huge list of information. Scroll down to the end. Do you see this?

   object SplashCloseTimer: TTimer
     Enabled = False
     Interval = 2000
     OnTimer = SplashCloseTimerTimer
     Left = 291
     Top = 6
   end
   end

   I LOVE OBJECTs... Change the value of Interval to 0001.
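The Interval change above, as an added example in Python that is not code from the tutorial or from InternetMETER: a patcher for the binary Delphi form stream (the TPF0 RCData that Exescope decodes into the object/end text) which walks the components, finds SplashCloseTimer.Interval and rewrites it in place. It keeps the integer's original width (vaInt16 for 2000), so the resource keeps its size and nothing after it shifts, the same constraint an in-place Hiew edit is under. SAMPLE_DFM is a constructed stand-in for the real TSplashForm resource using the property names the tutorial shows; the value-type tags and stream layout are those of Delphi's TWriter/TReader.

```python
import struct

# TValueType tags from Delphi's Classes unit; the subset a plain form uses.
VA_NULL, VA_LIST, VA_INT8, VA_INT16, VA_INT32, VA_EXTENDED = 0, 1, 2, 3, 4, 5
VA_STRING, VA_IDENT, VA_FALSE, VA_TRUE, VA_BINARY, VA_SET = 6, 7, 8, 9, 10, 11
VA_LSTRING, VA_NIL = 12, 13
INT_FMT = {VA_INT8: "<b", VA_INT16: "<h", VA_INT32: "<i"}   # little-endian, signed


def _pstr(buf, pos):
    """Length-prefixed string: one length byte, then the characters."""
    n = buf[pos]
    return buf[pos + 1:pos + 1 + n].decode("latin-1"), pos + 1 + n


def _skip_value(buf, pos):
    """Return the offset just past the property value that starts at pos."""
    kind = buf[pos]
    pos += 1
    if kind in INT_FMT:
        return pos + struct.calcsize(INT_FMT[kind])
    if kind in (VA_STRING, VA_IDENT):
        return pos + 1 + buf[pos]
    if kind in (VA_FALSE, VA_TRUE, VA_NIL, VA_NULL):
        return pos
    if kind == VA_EXTENDED:
        return pos + 10
    if kind in (VA_BINARY, VA_LSTRING):
        return pos + 4 + struct.unpack_from("<I", buf, pos)[0]
    if kind == VA_SET:                       # element names until an empty one
        while buf[pos]:
            pos += 1 + buf[pos]
        return pos + 1
    if kind == VA_LIST:                      # nested values until vaNull
        while buf[pos] != VA_NULL:
            pos = _skip_value(buf, pos)
        return pos + 1
    raise NotImplementedError(f"value type {kind} at offset {pos - 1}")


def _walk(buf, pos, found):
    """Parse one component and its children, recording where each property
    value starts: found[(component name, property name)] = offset."""
    if (buf[pos] & 0xF0) == 0xF0:            # optional prefix byte carrying filer flags
        flags = buf[pos] & 0x0F
        pos += 1
        if flags & 0x02:                     # ffChildPos: an integer value follows
            pos = _skip_value(buf, pos)
    _, pos = _pstr(buf, pos)                 # class name, e.g. TTimer
    name, pos = _pstr(buf, pos)              # component name, e.g. SplashCloseTimer
    while buf[pos]:                          # properties end with an empty name
        prop, pos = _pstr(buf, pos)
        found[(name, prop)] = pos
        pos = _skip_value(buf, pos)
    pos += 1
    while buf[pos]:                          # child components end with a 0 byte
        pos = _walk(buf, pos, found)
    return pos + 1


def patch_int_property(dfm, component, prop, new_value):
    """Return (patched stream, old value). The integer keeps its original
    width (vaInt8/16/32) so the stream length and every later offset stay
    the same, which is what an in-place resource edit requires."""
    if dfm[:4] != b"TPF0":
        raise ValueError("not a binary DFM stream")
    found = {}
    _walk(dfm, 4, found)
    pos = found[(component, prop)]
    fmt = INT_FMT.get(dfm[pos])
    if fmt is None:
        raise ValueError(f"{component}.{prop} is not an integer property")
    old = struct.unpack_from(fmt, dfm, pos + 1)[0]
    out = bytearray(dfm)
    struct.pack_into(fmt, out, pos + 1, new_value)   # struct.error if it does not fit
    return bytes(out), old


def _p(s):
    return bytes([len(s)]) + s.encode("latin-1")


def _int(v):
    """Smallest width that holds v, as Delphi's TWriter.WriteInteger does."""
    for kind, lo, hi in ((VA_INT8, -128, 127), (VA_INT16, -32768, 32767)):
        if lo <= v <= hi:
            return bytes([kind]) + struct.pack(INT_FMT[kind], v)
    return bytes([VA_INT32]) + struct.pack("<i", v)


# Constructed stand-in for the TSplashForm RCData, not the real InternetMETER resource.
SAMPLE_DFM = (
    b"TPF0" + _p("TSplashForm") + _p("SplashForm")
    + _p("Caption") + bytes([VA_STRING]) + _p("Loading...")
    + _p("Left") + _int(200) + _p("Top") + _int(120)
    + b"\x00"                                               # end of the form's properties
    + _p("TTimer") + _p("SplashCloseTimer")
    + _p("Enabled") + bytes([VA_FALSE])
    + _p("Interval") + _int(2000)
    + _p("OnTimer") + bytes([VA_IDENT]) + _p("SplashCloseTimerTimer")
    + _p("Left") + _int(291) + _p("Top") + _int(6)
    + b"\x00\x00"                                           # end of timer properties, no children
    + b"\x00"                                               # end of the form's children
)

if __name__ == "__main__":
    patched, old = patch_int_property(SAMPLE_DFM, "SplashCloseTimer", "Interval", 1)
    print(f"Interval: {old} ms -> 1 ms, same length: {len(patched) == len(SAMPLE_DFM)}")
```

To use it on the real thing, extract the RCData entry with a resource editor, run patch_int_property on its bytes and write the result back. The parser raises NotImplementedError on value types it does not know (collections, for instance) rather than guessing at their length, because one wrong skip would put every later offset off.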
Instead of 2 seconds, the splash is now shown for 0.001 s (Interval is in milliseconds; in practice Windows cannot fire a 1 ms timer, SetTimer rounds anything below USER_TIMER_MINIMUM, 10 ms, up to that, so the splash still flashes briefly). This is acceptable for me. *g* OK, try it.

Congratulations! You have beaten the splash. FINISH! Easy, isn't it?

PART 4
~~~~~~

Name    : WinRescue 98
Version : 4.16
Editor  : Super Win Software
Target  : Rescue98.exe
Tools   : SoftICE, Brain
Cracker : LW2000
Tutorial: No.53
http://superwin.com/

1. OK, try to register the program. *BOOM* 'WARNING - Incorrect Key Entered'. Hmm, seems that we have found a bug, let's fix it! Load the program into W32Dasm and search the SDR for the string.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046A422(C)   <-- here we go
|
* Possible StringData Ref from Code Obj ->"WARNING - Incorrect Key Entered"
|
:0046A451 B84CA54600     mov eax, 0046A54C
:0046A456 E84940FDFF     call 0043E4A4
:0046A45B A14CAA4900     mov eax, dword ptr [0049AA4C]
:0046A460 8B00           mov eax, dword ptr [eax]
:0046A462 E89961FCFF     call 00430600

2. OK, go to 0046A422.

* Possible StringData Ref from Code Obj ->"SvetCHRISTA"
|
:0046A416 B8F8A44600     mov eax, 0046A4F8
:0046A41B E8949BF9FF     call 00403FB4
:0046A420 85C0           test eax, eax
:0046A422 742D           je 0046A451   <-- Bad Boy
:0046A424 33D2           xor edx, edx
:0046A426 8B83F4010000   mov eax, dword ptr [ebx+000001F4]
:0046A42C E82B60FBFF     call 0042045C

* Possible StringData Ref from Code Obj ->"Registration Key Accepted"
|
:0046A431 B80CA54600     mov eax, 0046A50C
:0046A436 E86940FDFF     call 0043E4A4
:0046A43B A1F8AA4900     mov eax, dword ptr [0049AAF8]
:0046A440 8B00           mov eax, dword ptr [eax]
:0046A442 8B8014020000   mov eax, dword ptr [eax+00000214]
:0046A448 C7400C64000000 mov [eax+0C], 00000064
:0046A44F EB16           jmp 0046A467

3. Hmm, 'SvetCHRISTA', what could this be? *g* Another plaintext-coded serial: the string is loaded into eax right before the call at 0046A41B, the call's result is tested, and the je at 0046A422 jumps to the warning when it is zero.
Try the serial, or patch the program by NOPing the je at :0046A422 (it is a two-byte short jump, 74 2D, so it takes two NOPs: 90 90).

Congratulations! You are a registered user. FINISH! Easy, isn't it?

PART 5
~~~~~~

Name    : Directory Snoop
Version : 3.11
Editor  : Briggs Softworks
Target  : DirSnoop.exe
Tools   : GetTyp, Procdump, Hiew, W32Dasm, Brain
Cracker : LW2000
Tutorial: No.54
http://www.briggssoft.com

1. OK, set the system date to next month so that Directory Snoop expires. Start DirSnoop. *BOOM* Note the text of the message. Now run GetTyp on DirSnoop.exe! Hmm, packed with Shrinker 3.3 =) Now load my favourite tool, PROCDUMP, and unpack the proggy (I think you know how to do this; if not, read my old tuts!). Then load the unpacked DirSnoop into W32Dasm and make a dead listing. Go to our string:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00494689(U)   <-- here we go
|
:00494698 6A00           push 00000000

* Possible StringData Ref from Code Obj ->"You have used Directory Snoop"
|
:0049469A 6864484900     push 00494864
:0049469F 8D55E8         lea edx, dword ptr [ebp-18]
:004946A2 8BC6           mov eax, esi
:004946A4 E81342F7FF     call 004088BC
:004946A9 FF75E8         push [ebp-18]

2. We came from 00494689, so let's go there and take a look!
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00494638(C), :0049463E(C)
|
:00494663 E85453F7FF     call 004099BC
:00494668 E8D3E3F6FF     call 00402A40
:0049466D 8BF0           mov esi, eax
:0049466F 83EE1E         sub esi, 0000001E
:00494672 2B3524904900   sub esi, dword ptr [00499024]
:00494678 85F6           test esi, esi
:0049467A 7E64           jle 004946E0   <-- jmp all ok
:0049467C 83FE01         cmp esi, 00000001
:0049467F 750A           jne 0049468B   <-- jmp Bad Boy
:00494681 8D45FC         lea eax, dword ptr [ebp-04]
:00494684 E827F5F6FF     call 00403BB0
:00494689 EB0D           jmp 00494698   <-- jmp Bad Boy

3. At :0049467A there is a jle that jumps to 004946E0. esi is the value returned by the call at :00494668 (presumably the days used) minus 1E (30) minus the dword at 00499024; as long as that is <= 0 the jump is taken and we land in the main program part. So what should we do? Jump there every time, whether the trial is over or not? Sounds nice, let's do so! Note the file offset of :0049467A and go there in Hiew. Go to decode mode, press F3 to edit, and change 7E64 -> EB64 (jle -> jmp). The instruction stays two bytes long, so nothing behind it moves. Save your work (F9) and try it.

4. Fine! It works! Now let's do some visual face-lifting of the program... Search for

   ** Printed with Unregistered Directory Snoop **

   (in hex this is
   2A2A205072696E746564207769746820556E72656769737465726564204469726563746F727920536E6F6F70202A)
   and replace it with
   20202020202020202020202020202020202020202020202020202020202020202020202020202020202020202020

   So this nagging text is gone forever! Let's go on... Search for

   [Unregistered Shareware]

   (in hex it is 5B556E72656769737465726564205368617265776172655D) and replace it with
   437261636B6564206279204C5732303030205B4369415D20

   Search for

   Unregistered Shareware

   (in hex it is 556E7265676973746572656420536861726577617265) and replace it with
   4C5732303030205B4369415D20202020202020202020

   If you do not like my face-lifting you can enter your own text, but remember it must have the same length: pad with spaces and leave the terminating zero byte alone, because the code addresses the string by its position and everything behind it would shift otherwise.

   Congratulations! You have a face-lifted version that will never expire. FINISH! Easy, isn't it?
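Parts 2, 4 and 5 all end the same way: take an address from the W32Dasm listing, find the matching file offset, and overwrite a few bytes with something of exactly the same length. The Python below is an added example, not code from the tutorials or from any of the targets: it maps a virtual address to a file offset through the PE section table, refuses to write unless the bytes at that offset are the ones the disassembly showed, and does the same-length string replacement from Part 5, step 4. SAMPLE_PE is a constructed minimal PE32 image (ImageBase 0x400000, one .text and one .data section); its addresses mirror the tutorial's, but the bytes at them, including the function entry at 0x494700, are made up for the example.

```python
import struct


def va_to_file_offset(pe, va):
    """Map a virtual address (what W32Dasm and SoftICE show) to the raw file
    offset Hiew needs, by walking the PE section table."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ/PE file")
    pe_off = struct.unpack_from("<I", pe, 0x3C)[0]            # e_lfanew
    if pe[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = pe_off + 4
    nsect = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20
    if struct.unpack_from("<H", pe, opt)[0] == 0x10B:        # PE32
        image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    else:                                                     # PE32+
        image_base = struct.unpack_from("<Q", pe, opt + 24)[0]
    rva = va - image_base
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", pe, hdr + 8)
        if vaddr <= rva < vaddr + max(vsize, rawsize):
            if rva - vaddr >= rawsize:
                raise ValueError(f"VA {va:#x} is not backed by file data")
            return rawptr + (rva - vaddr)
    raise ValueError(f"VA {va:#x} is outside every section")


def patch(pe, va, expected, replacement):
    """Overwrite `expected` at `va` with a same-length `replacement`, after
    checking the bytes really are what the disassembly showed, so a wrong
    offset or a different build is caught before anything is written."""
    if len(expected) != len(replacement):
        raise ValueError("replacement must be exactly as long as the bytes it replaces")
    off = va_to_file_offset(pe, va)
    actual = pe[off:off + len(expected)]
    if actual != expected:
        raise ValueError(f"at {va:#x} (file {off:#x}) found {actual.hex()}, expected {expected.hex()}")
    return pe[:off] + replacement + pe[off + len(replacement):]


def replace_string(pe, old, new):
    """Replace a displayed string in place. `new` is space-padded to the old
    length because the bytes after it (and every pointer to it) must not
    move; the terminating NUL is left alone."""
    if len(new) > len(old):
        raise ValueError("new text is longer than the string it replaces")
    first = pe.find(old)
    if first < 0 or pe.find(old, first + 1) >= 0:
        raise ValueError("string not found or not unique; patch it by offset instead")
    return pe[:first] + new.ljust(len(old)) + pe[first + len(old):]


def build_sample_pe():
    """Constructed stand-in for a target binary: a PE32 header plus a .text
    and a .data section. The addresses mirror the tutorial's; the bytes at
    them are made up for the example."""
    text, data = bytearray(0x1000), bytearray(0x200)
    text[0x67A:0x67C] = b"\x7E\x64"                          # jle, as at :0049467A in Part 5
    text[0x700:0x706] = b"\x55\x8B\xEC\x83\xEC\x10"          # push ebp/mov ebp,esp/sub esp,10h (made-up routine entry)
    data[0x40:0x58] = b"[Unregistered Shareware]"
    sections = ((b".text", 0x94000, text, 0x60000020), (b".data", 0x96000, data, 0xC0000040))
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                  # e_lfanew
    opt = bytearray(0xE0)                                     # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<I", opt, 28, 0x400000)                 # ImageBase matching the 0x4xxxxx addresses
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, len(opt), 0x102)
    hdrs, raw, ptr = b"", b"", 0x400
    for name, rva, blob, flags in sections:
        hdrs += struct.pack("<8sIIIIIIHHI", name, len(blob), rva, len(blob), ptr, 0, 0, 0, 0, flags)
        raw += bytes(blob)
        ptr += len(blob)
    header = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + hdrs
    return header.ljust(0x400, b"\0") + raw


SAMPLE_PE = build_sample_pe()


def crack_sample():
    """Apply the three kinds of edit the tutorials make, on the sample image."""
    pe = patch(SAMPLE_PE, 0x49467A, b"\x7E\x64", b"\xEB\x64")        # jle -> jmp (Part 5, step 3)
    pe = patch(pe, 0x494700, b"\x55\x8B\xEC\x83\xEC\x10",            # routine entry ->
               b"\xB8\x01\x00\x00\x00\xC3")                            # mov eax,1 ; ret (Part 2, step 5)
    return replace_string(pe, b"[Unregistered Shareware]", b"Cracked by LW2000 [CiA]")  # Part 5, step 4


if __name__ == "__main__":
    cracked = crack_sample()
    for va in (0x49467A, 0x494700):
        off = va_to_file_offset(cracked, va)
        print(f"VA {va:#010x} -> file offset {off:#x}: {cracked[off:off + 6].hex(' ')}")
```

With a real target, replace SAMPLE_PE with open(path, "rb").read() and write the result to a copy. Take the address from the unpacked file (the ProcDump output): in the packed original the code at that RVA is still compressed on disk, so the expected-bytes check would fail, which is exactly what it is there for.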
ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #68 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
tKC for Interface.
LW2000 for Splash Logo
LW2000 for providing 5 tuts in this version. (LW, congratz with your anniversary, #50!)
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials.. see below for my email address!
*** 80 chars per line in textfile please! ***
And all the tutors can be found at http://www.msjessca.da.ru

Greetz goto all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 27 January 2000

Cracking Tutorial #67 is dedicated to LW2000.