Welcome to Cracking Tutorial #68!

Hiya guys, I had problems with no internet (cafe network was down).. so here are 4 tutors finally, #65-68, enjoy them! OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.01
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here is a good site where you can grab tools from: http://protools.cjb.net or http://w3.to/protools or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

MP3-Explorer v3.1.01
http://www.mp3-explorer.com/

Tutor by PinguTM (PinguTM@hotmail.com)

This is my 17th tutorial, I'M BACK!

Type: Time Limit... I Think.... Well it needs registering anyways :)
Tools: WinDASM, Hiew

Well since my last tut back in tKC #38 I have been competing in the bedroom olympics and various fuck-a-thons with my now ex-girlfriend. The vacation is now over, so back to the tuts.

1. Start the proggie. You will notice it scanning your HD for some shit?? Once it finishes and gets into the main proggie select the ? pulldown menu and hit about mp3-explorer. Now hit the registration tab. Fill in the reg details and hit OK.... NO WAY! Wrong details :)

2. Load WinDasm and decompile mp3 explorer.exe. Now select string data references and select "Registration info are not correct! Please try again."

3. You will now see something like this if you scroll up a few lines.......

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004019B4(C)
|
* Possible Reference to String Resource ID=00154: "Registration info are not correct! Please try again."
|
:00401A3F 689A000000   push 0000009A
:00401A44 8D4C2410     lea ecx, dword ptr [esp+10]
:00401A48 E8B2A40300   call 0043BEFF
:00401A4D 8B4C240C     mov ecx, dword ptr [esp+0C]
:00401A51 6A30         push 00000030
:00401A53 6A00         push 00000000
:00401A55 51           push ecx

4. Notice the 004019B4(C) under the Referenced by.... well we want to go there so hit the GoTo Location button and change whatever is there to.... 004019B4, hit ok, now you will see.......

:004019B4 0F8485000000 je 00401A3F
:004019BA 8D4C2474     lea ecx, dword ptr [esp+74]
:004019BE 8DBE98000000 lea edi, dword ptr [esi+00000098]
:004019C4 51           push ecx
:004019C5 8BCF         mov ecx, edi
blah blah

5. Note down the offset which is "19B4"; we will change that JE to a JNE, but we are not finished yet. Go back to string data references and select "Registration info are not correct! Please try again.".. Again now scroll up a few lines and you will see.....

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402F3F(C)
|
* Possible Reference to String Resource ID=00154: "Registration info are not correct! Please try again."
|
:00402F95 689A000000   push 0000009A
:00402F9A 8D4C2408     lea ecx, dword ptr [esp+08]
:00402F9E E85C8F0300   call 0043BEFF
:00402FA3 8B4C2404     mov ecx, dword ptr [esp+04]
:00402FA7 6A30         push 00000030
:00402FA9 6A00         push 00000000
:00402FAB 51           push ecx
:00402FAC 8BCE         mov ecx, esi
:00402FAE E8816A0300   call 00439A34
:00402FB3 6A00         push 00000000

6. Notice the 00402F3F(C) under the Referenced by.... well we want to go there so hit the GoTo Location button again and change whatever is there to.... 00402F3F, hit ok, now you will see.......

:00402F3F 7454         je 00402F95
:00402F41 8D4C246C     lea ecx, dword ptr [esp+6C]
:00402F45 51           push ecx
:00402F46 B9CCD34700   mov ecx, 0047D3CC
:00402F4B E8378B0300   call 0043BA87

7. Note down the offset which is "2F3F"; we will change that JE to a JNE as well. Ok, close down WinDASM and fire up mp3 explorer.exe into hiew. Press F4 then select DECODE. Now press F5 and type in the first offset 19B4. Press F3 and type "0F84", now press F9 to update. Ok, now press F5 again and type in the next offset 2F3F. Press F3 and type "75", update this with F9 then F10 to quit.

8. ReLoad the modified MP3 Explorer and fill out the registration details again. BANG.. Thanx 4 Reg'ing :) so now that 20 bucks you were going to send to register it, you can send me 5 for my efforts! LOL!

-=-=-=- PinguTM -=-=-=-

PART 2
~~~~~~

How to Crack "Advanced Video Poker v1.2" by 0blivi0n

Notes:
------
This is my first Tutorial so please be gentle.
Best viewed with "notepad" with word wrap.

The Toolz:
----------
NuMega SmartCheck v5.0

The Target:
-----------
Advanced Video Poker v1.2
http://www.alhademic.com/download/avpoker.exe

About Program:
--------------
Advanced Video Poker is a kind of computer card game that simulates gamble machines. This game contains perfect sound effects and music of high quality, which will not disturb you and help to relax playing Advanced Video Poker. This product includes 3 the most popular variations of video poker game and additional 4 new variations, which were invented by us in order to diversify mundane line of video poker games. So, we are glad to present you all 7 variations of video poker game and two additional Double Up Games which were made to make you happy playing our game. Outstanding graphic is one more advantage, which will bring you to the world of pleasure and fun, to the world of Advanced Video Poker. (Taken directly from web site.)

The Setup:
----------
First thing that you may need to do is make sure that you have SmartCheck set up correctly. You will need to go to the "Program" menu and select "Settings...". On the first screen you are on you will need to make sure everything is checked except for "Report errors immediately". Then you will need to click on the "Advanced..." button.
In this screen you will need to make sure that the first four options are checked and the option "Suppress system API and OLE calls" is NOT checked. Finally you will need to go to the "Reporting" tab and make sure everything is checked EXCEPT "Perform analysis of handled Visual Basic runtime errors" and "Report MouseMove events from OCX controls". After this is done you will need to load the program "Apoker.exe" into SmartCheck.

The Crack:
----------
There are two methods that you can use to get the serial number. The first method is more in depth and the second method is quicker, and they both end up in the same area.

Method 1:
---------
After you have the program loaded, let's run it and see what we get. When we run it we see a splash screen and then a registration screen. Look, there is a "Register" button, let's click there. When we click there we get another form where we enter a "name" and "code". For this exercise we will use "Pirated Copy!" for the name and "123123123123123123" for the code. Then we will click the "OK" button and wait for the message box that will tell us that we have entered an invalid code. When the message box appears we can close the application from within SmartCheck.

Now we should be back in SmartCheck. While looking over the information we can see that the last operation executed was the loading of a form, "frmSplashScreen_Load". Well, let's check it out and see what is happening in there. When we look into this further we find that another form was loaded ("frmJacksOrBetter_Load"); it should be close to the bottom of the branch. We open this puppy up to find close to the bottom there are 2 operations dealing with a form ("frmNug_Load" and "frmNug.Show"). The one we want to investigate is the "frmNug.Show". Open this one up and we find a bunch of "tmrInsertCoin_Timer" and "tmrUnreg_Timer", but located in there somewhere is the "cmdRegister_Click" that we are looking for. Now there are two form operations, "frmFun_Load" and "frmFun.Show". We need the "frmNug.Show"; when we open this up we will see, much like when we opened "frmNug.Show", a bunch of "tmrInsertCoin_Timer" and "tmrUnreg_Timer" and also a "tmrT_Timer". We need to find a "cmdFunOk_Click". Now go almost to the bottom of this branch until you find a section that looks somewhat like this:

txtCode.Text
txtCode.Text
txtName.Text <--""(String)
txtCode.Text <--""(String)
MsgBox returns Integer:1

Click on the SECOND "txtCode.Text", then select the "View" menu and then select "Show All Events". Now the lines that follow where you are sitting should look something like this:

txtCode.Text                          ;<<==This is where you should be!
__vbaStrCmp returns DWORD:1
__vbaStrCmp returns DWORD:FFFFFFFF
__vbaFreeStrList returns DWORD:30
__vbaFreeObjList

Now select the line "__vbaStrCmp returns DWORD:1" and in the right hand window you should see something like this:

- - unsigned short * string1 = 00552870
| |_ = "123123123123123123"           ;<<==Our Code
|
- - unsigned short * string2 = 00551D18
  |_ = "Cve/p4P/7nkw2yp800071"        ;<<==Correct code

So the correct code for the name "Pirated Copy!" is "Cve/p4P/7nkw2yp800071".

Method 2:
---------
After you have the program loaded, let's run it and see what we get. When we run it we see a splash screen and then a registration screen. Look, there is a "Register" button, let's click there. When we click there we get another form where we enter a "name" and "code". For this exercise we will use "Pirated Copy!" for the name and "123123123123123123" for the code. Then we will click the "OK" button and wait for the message box that will tell us that we have entered an invalid code. When the message box appears we can close the application from within SmartCheck.

Now we should be back in SmartCheck. Select the "Edit" menu, then click the "Find..." option, and when the box comes up type "MsgBox" into the field, then click on the "Find Next" button. You should come to a place that looks similar to this:

txtCode.Text
txtCode.Text
txtName.Text <--""(String)
txtCode.Text <--""(String)
MsgBox returns Integer:1

Click on the SECOND "txtCode.Text", then select the "View" menu and then select "Show All Events". Now the lines that follow where you are sitting should look something like this:

txtCode.Text                          ;<<==This is where you should be!
__vbaStrCmp returns DWORD:1
__vbaStrCmp returns DWORD:FFFFFFFF
__vbaFreeStrList returns DWORD:30
__vbaFreeObjList

Now select the line "__vbaStrCmp returns DWORD:1" and in the right hand window you should see something like this:

- - unsigned short * string1 = 00552870
| |_ = "123123123123123123"           ;<<==Our Code
|
- - unsigned short * string2 = 00551D18
  |_ = "Cve/p4P/7nkw2yp800071"        ;<<==Correct code

So the correct code for the name "Pirated Copy!" is "Cve/p4P/7nkw2yp800071".

Final Notes:
------------
As the great GURUs have said, "If you like it buy it!"

Thanx
0blivi0n@myself.com

PART 3
~~~~~~

Name     : DLL Show
Version  : 4.x
Editor   : Software By Design
Target   : dllshow.exe
Tools    : Softice
           Brain
Cracker  : LW2000
Tutorial : No.55
http://www.execpc.com/~sbd

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, click on help and go to the registration dialog. Enter the details:

User Name:    LW2000 [CiA]
Organization: (not needed)
Registration: 1230099

Switch to Sice and set a breakpoint on Getdlgitemtexta. 'bpx getdlgitemtexta'

2. Now press F5 to return to the app. Ok, let's try ... press ok. *BOOM* Sice pops up. Remember, 3 Editfields and our serial is in the last. This means for us F5 twice... Ok, Sice breaks at the last edit field. Now press F11 to get the caller. Now trace with F10 and take a look at the registers.
0177:0040D5B2 E8B9810000   call 00415770
0177:0040D5B7 8D4C2440     lea ecx, dword ptr [esp+40]
0177:0040D5BB 51           push ecx
0177:0040D5BC E8559C0000   call 00417216
0177:0040D5C1 56           push esi
0177:0040D5C2 8BD8         mov ebx, eax
0177:0040D5C4 E837810000   call 00415700
0177:0040D5C9 83C438       add esp, 00000038
0177:0040D5CC 3D92A71901   cmp eax, 0119A792
0177:0040D5D1 7518         jne 0040D5EB
* Reference To: KERNEL32.lstrcpyA, Ord:0302h
|
0177:0040D5D3 8B1D28F14100 mov ebx, dword ptr [0041F128]
* Possible StringData Ref from Data Obj ->"Gregory Braun"
|
0177:0040D5D9 68D42E4200   push 00422ED4
0177:0040D5DE 56           push esi
0177:0040D5DF FFD3         call ebx
* Possible StringData Ref from Data Obj ->"Software Design"
|
0177:0040D5E1 68C42E4200   push 00422EC4
0177:0040D5E6 57           push edi
0177:0040D5E7 FFD3         call ebx
0177:0040D5E9 EB07         jmp 0040D5F2
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
0177:0040D5D1(C)
|
0177:0040D5EB 3D3CCE5F0D   cmp eax, 0D5FCE3C
0177:0040D5F0 750C         jne 0040D5FE
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
0177:0040D5E9(U)
|
0177:0040D5F2 57           push edi
0177:0040D5F3 56           push esi
0177:0040D5F4 E8A77B0000   call 004151A0
0177:0040D5F9 83C408       add esp, 00000008
0177:0040D5FC 8BD8         mov ebx, eax
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
0177:0040D5F0(C)
|
0177:0040D5FE 57           push edi
0177:0040D5FF 56           push esi
0177:0040D600 E89B7B0000   call 004151A0          <-- check routine
0177:0040D605 83C408       add esp, 00000008
0177:0040D608 3BD8         cmp ebx, eax           <-- cmp fake and correct serial
0177:0040D60A 5F           pop edi
0177:0040D60B 741D         je 0040D62A            <-- Bad Boy

3. Inside the Call at 0040D600 the correct serial number is generated and saved in eax. Our fake serial number (1230099) is stored in ebx. Trace on 0040D60A. '?ebx' shows our fake serial, and '?eax' shows us the correct one. Note it and then try it!

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 4
~~~~~~

Name      : ArtGem
Version   : 1.0
Editor    : RL Vision
Target    : artgem.exe
s/n saved : HKEY_CURRENT_USER\Software\RL Vision\ArtGem\
Tools     : W32Dasm
            Hiew
            Brain
Cracker   : LW2000
Tutorial  : No.56
http://www.rlvision.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. Ok, this is an easy one! Go to help and click on register. Enter the details:

Name:     LW2000
Company:  CiA
Key-Code: 1230099

Click on ok. *BOOM* 'Invalid code'.

2. Mhmm, a bug! Yes, we have found a bug! Let's fix it... ;) Open artgem.exe in W32Dasm and go to the SDR. Doubleclick on our string, so you should see this piece of code:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403268(C)                          <--- here we go
|
:004032F1 8B0DF4204600 mov ecx, dword ptr [004620F4]
:004032F7 6A10         push 00000010
* Possible StringData Ref from Data Obj ->"ArtGem"
|
:004032F9 68A8814500   push 004581A8
* Possible StringData Ref from Data Obj ->"Invalid Key!"
|
:004032FE 68D4814500   push 004581D4
:00403303 51           push ecx

3. We go to 00403268 and take a look into the code:

:00403248 8D542444     lea edx, dword ptr [esp+44]
:0040324C 6A10         push 00000010
:0040324E 8D442420     lea eax, dword ptr [esp+20]
:00403252 52           push edx
:00403253 50           push eax
:00403254 E827810400   call 0044B380
:00403259 8D4C2428     lea ecx, dword ptr [esp+28]
:0040325D 51           push ecx
:0040325E E89DDDFFFF   call 00401000          <-- check routine
:00403263 83C410       add esp, 00000010
:00403266 85C0         test eax, eax          <-- test
:00403268 0F8483000000 je 004032F1            <-- Bad Boy
:0040326E 8D7C2444     lea edi, dword ptr [esp+44]
:00403272 83C9FF       or ecx, FFFFFFFF
:00403275 33C0         xor eax, eax

In 0040325E we have a call where the serial is checked. If the serial is correct eax=1, else eax=0. So what to do? Go into the Call and note the offset (1000h). Then open the file in Hiew and modify the code...

4. Press F5 inside hiew and go to Offset 1000, then press F3 for EditMode. F2 lets you enter asm commands. Now type:

mov eax,1 [Enter]
ret [Enter]

[Esc] will close the edit window. Save your work.

What have we done? We move the needed 1 into eax and return from the call. So every serial is correct now =) Try it!

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

PART 5
~~~~~~

Name     : WinZip
Version  : 8.0 Beta 2350
Editor   : Nico Mak Computing Inc.
Target   : winzip32.exe
Tools    : Softice
           Brain
Cracker  : LW2000
Tutorial : No.57
http://www.winzip.com

---
DISCLAIMER
For educational purposes only! I hold no responsibility for the misuse of this material!
---

1. OK, I don't like to crack betas, but I was asked and ... mhmm, I promised it, so here is my winzip 8.0 tutorial =) Go to the registration screen and enter the details.

Name: LW2000 [CiA]
Code: 1230099

Press [ctrl]+[d] to switch to sice and set a bpx on hmemcpy. 'bpx hmemcpy'

2. Press F5 to return to Winzip and press ok. *Boom* Sice pops up, but we have 2 textfields, so we can press F5 again. *Boom* Sice pops up again. Now press F12 until you're in the 32-Bit Code (9x). Then trace till you see this:

0117:00407A66 BFD0BD4800   mov edi, 0048BDD0
0117:00407A6B 50           push eax
0117:00407A6C 57           push edi
0117:00407A6D E89B020000   call 00407D0D
0117:00407A72 8D85F8FDFFFF lea eax, dword ptr [ebp-0208]
0117:00407A78 50           push eax               <-- d eax
0117:00407A79 8D45EC       lea eax, dword ptr [ebp-14]
0117:00407A7C 50           push eax
0117:00407A7D E87E040600   call 00467F00

Ok, what is WinZip doing? If you show eax on 00407A78, you'll notice that Winzip cuts our name a bit! LW2000 [CiA] -> LWCiA

3. Good to know ...
now trace on, till you see:

0177:00407AFB E8A9000000   call 00407BA9
0177:00407B00 BEFCBD4800   mov esi, 0048BDFC
0177:00407B05 8D85C0FEFFFF lea eax, dword ptr [ebp+FFFFFEC0]
0177:00407B0B 56           push esi               <-- d eax
0177:00407B0C 50           push eax
0177:00407B0D E8EE030600   call 00467F00
0177:00407B12 83C410       add esp, 00000010
0177:00407B15 F7D8         neg eax
0177:00407B17 1BC0         sbb eax, eax
0177:00407B19 40           inc eax
0177:00407B1A A334904800   mov dword ptr [00489034], eax
0177:00407B1F 7568         jne 00407B89
0177:00407B21 8D85C0FEFFFF lea eax, dword ptr [ebp+FFFFFEC0]
0177:00407B27 50           push eax
0177:00407B28 57           push edi
0177:00407B29 E818010000   call 00407C46
0177:00407B2E 8D85C0FEFFFF lea eax, dword ptr [ebp+FFFFFEC0]
0177:00407B34 56           push esi               <-- d eax
0177:00407B35 50           push eax
0177:00407B36 E8C5030600   call 00467F00
0177:00407B3B 83C410       add esp, 00000010
0177:00407B3E F7D8         neg eax

4. Ok, in 00407B05 the first serial is stored in eax. This serial is calculated on the full name (LW2000 [CiA]). In 00407B2E our second serial is stored in eax. This serial is calculated on our cut name (LWCiA). Mhmm, let's try one... (but before that, disable or clear our bpx...)

Name: LW2000 [CiA]
Code: E354128A or 36612102

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #69 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
tKC for Interface.
LW2000 for Splash Logo.
PinguTM for providing a tut in this version.
LW2000 for providing 4 tuts in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at http://www.msjessca.da.ru

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 27 January 2000

Cracking Tutorial #68 is dedicated to LW2000.
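The W32Dasm and SoftICE listings quoted in Parts 1, 3 and 4 print every branch as its raw bytes next to a resolved target address. As an added example that is not part of any of the tutorials above, this Python script parses that ":ADDR BYTES MNEMONIC OPERANDS" line format (with or without the "0177:" segment prefix) and recomputes each relative branch target from the encoded displacement, so a listing that has been retyped into a write-up can be checked for transcription errors before anyone relies on it. The sample listing is constructed from lines quoted above; the regex and the function names are my own.

```python
import re

# Constructed sample in the listing style used on this page: instruction lines,
# cross-reference glue lines ("* Referenced by", "|") and a trailing "<-- note".
SAMPLE_LISTING = """\
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004019B4(C)
|
:004019B4 0F8485000000 je 00401A3F
:004019BA 8D4C2474     lea ecx, dword ptr [esp+74]
:00402F3F 7454         je 00402F95
0177:0040D5D1 7518         jne 0040D5EB
0177:0040D5E9 EB07         jmp 0040D5F2
0177:0040D5EB 3D3CCE5F0D   cmp eax, 0D5FCE3C
:0040325E E89DDDFFFF   call 00401000          <-- check routine
:00403263 83C410       add esp, 00000010
"""

# Optional 4-hex-digit segment, ":", 8-hex-digit address, bytes, mnemonic,
# operands; anything from "<--" onward is an analyst's note and is dropped.
INSN_RE = re.compile(
    r"^(?:[0-9A-Fa-f]{4})?:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(\w+)\s*(.*?)\s*(?:<--.*)?$")


def parse_listing(text):
    """Turn instruction lines into dicts; cross-reference glue lines are skipped."""
    insns = []
    for raw in text.splitlines():
        m = INSN_RE.match(raw.strip())
        if not m:
            continue
        addr, hexbytes, mnem, ops = m.groups()
        insns.append({"addr": int(addr, 16), "bytes": bytes.fromhex(hexbytes),
                      "mnem": mnem.lower(), "ops": ops})
    return insns


def decode_branch_target(insn):
    """Recompute a relative branch target from its displacement (next address + rel).

    Covers the forms seen in the listings above: short Jcc/JMP (rel8), CALL/JMP
    rel32 and the 0F 8x Jcc rel32 encoding. Non-branch instructions return None.
    """
    b, nxt = insn["bytes"], insn["addr"] + len(insn["bytes"])
    if len(b) == 2 and (b[0] == 0xEB or 0x70 <= b[0] <= 0x7F):
        rel = int.from_bytes(b[1:], "little", signed=True)
    elif len(b) == 5 and b[0] in (0xE8, 0xE9):
        rel = int.from_bytes(b[1:], "little", signed=True)
    elif len(b) == 6 and b[0] == 0x0F and 0x80 <= b[1] <= 0x8F:
        rel = int.from_bytes(b[2:], "little", signed=True)
    else:
        return None
    return (nxt + rel) & 0xFFFFFFFF


def verify_branches(text):
    """Return (addr, mnemonic, printed_target, decoded_target, consistent) per branch.

    A retyped or mis-copied target shows up as consistent == False.
    """
    results = []
    for insn in parse_listing(text):
        decoded = decode_branch_target(insn)
        if decoded is None:
            continue
        printed = int(insn["ops"], 16)
        results.append((insn["addr"], insn["mnem"], printed, decoded, printed == decoded))
    return results
```

Running `verify_branches(SAMPLE_LISTING)` reports all five branches in the sample as consistent, while a line such as `:00402F3F 7454 je 00402F96` (a constructed typo) is flagged because the bytes encode 00402F95.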