Welcome to Cracking Tutorial #70!

Hiya guys,

Sorry about the previous tuts (#58-68) in which I used the unregistered AHM Tritontools components; I forgot to install the cracked shit after I cleaned my hard drive... but #69 and up are fixed... Anyway, here is a new interface, thanks go to DnNuke.. I think it looks better this time; I must say I'm not a kool GFX artist! *g*

Oh yea, *please note* - for the next tutorials, please keep this TUTOR.EXE file handy coz I'll release data files (*.tKC) only. That way it'll save your download time and your space (OMG?!) :-)

Alright, enjoy it...

TOOLS
~~~~~

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are some good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Reversing SpyNet v3.12 (packed with ASPack v1.08.3)

This tutorial is intended for people having a basic knowledge of cracking, using SoftIce, W32Dasm and so on easily. So I won't explain step by step the most common actions I did...

Tools used:
===========
SoftIce v4.01
W32Dasm v8.93
ProcDump v1.6.2
Unaspack (or you can also use ProcDump's unpack feature)
RegmonEx (or any other Registry Monitor)
PESniff (or any program able to tell you which compressor was used on an EXE file)
your fav Hex Editor

First Approach:
===============
Let's install the program. We have two EXE files, PeepNet.EXE and CaptureNet.exe.
Well, I'll work with PeepNet, for no special reason... The program is launched, and says it's an unregistered version in the big right window. In the Help menu, we click on Register, and get a so classical box asking for Name, Company and Serial. I entered bogus info: Pirated as name, Version as company, and 12121212 as Serial. We hit OK, and the program asks to restart it... here we have our first clue! This program doesn't check our info when we enter it, it just stores it somewhere (in a file or in the registry), reads it at startup, and then checks it. Well, we need to find where the info is stored, then: in the Registry or in a File located somewhere.

1st possibility: the Registry. Let's launch RegmonEx (or your favorite Registry Monitor), then we go again to the Register menu and enter our bogus info. Back in RegmonEx, we can see it wrote the info in the following locations:

HKCU\software\MLSoft\PeepNet\User\Nume          "Pirated"
HKCU\software\MLSoft\PeepNet\User\Registration  "12121212"
HKCU\software\MLSoft\PeepNet\User\Company       "Version"

Well, now we can have a more precise idea of what is happening. When the program is launched, it reads these keys and verifies if the serial matches the name and company. If we have to patch this program, it would be better to have the dead listing of its code. But if you try to open it in W32Dasm, you'll see that it can't disassemble it! Yes, we have another of these damn packed programs!

Unpacking:
==========
Let's open PeepNet.exe in PESniff and check compressors. We'll find it's ASPack that was used on this little program. Because I am lazy, I didn't use ProcDump to unpack the program, but UnAspack. We copy PeepNet.exe to PeepNet2.EXE, then we unaspack it. We now have an unpacked file called PeepNet2.exe (the original file was overwritten). If we try to load our new PeepNet2.exe in W32Dasm, we'll see that it can't disassemble it. It's because we have to modify the PE header of the EXE file.
(I won't go into the PE Header and PE Editing part. For more info, please see the tutorials at HTTP://procdump32.cjb.net - [thanks _tornado_]).

We launch ProcDump, open the PE Editor menu, and load PeepNet2.exe in it. Let's have a look at the sections. The first section is .text, and its characteristics value is C0000040. We right click on the .text section, choose Edit, and change this to E0000020. We can click OK twice, then exit ProcDump. Now we can disassemble PeepNet2.exe with W32Dasm. Let's make a copy of PeepNet2.exe (I called the copy PeepNet2.w32) and open this copy in W32Dasm. We now have the dead listing!

Fishing for our Serial:
=======================
Well, we know how to set a breakpoint in SoftIce now, using BPX RegQueryValueExA (the API used to read a Registry key's value). So we could use that, but there's a little annoying point. This program accesses the Registry so many times! We would spend hours finding which call to the registry is the good one! We'd better have a look at the string references in W32Dasm, and try to see what could help us... I noticed a thing: the name I entered is stored in a Key called Nume. That's not common. It can be a typo by the programmer, or, more probably, Nume means Name for people in Romania (the author's name is a typical Romanian name). Anyway we don't care, we have a good point to watch. The program needs to read the Key called Nume, so we will look for Nume in the disassembled text! I found 5 places for Nume (always remember to double click a string several times in W32Dasm, cause the same string can be found in several locations). We have the lines:

0040EE81
0040F23A
0040F3E1
0040F9C6
0040FAE6

So we will set our 5 breakpoints on these lines. To set them, we have to be in PeepNet2.exe's code. Well, we will use the old GetWindowTextA to get in. And a good location for this breakpoint to work is... in the registration box :) OK, let's go to Menu/Register. The box is open.
Enter our bogus information Pirated / Version / 12121212. Now we hit CTRL+D to bring up SoftIce, and enter BPX GetWindowTextA. We hit F5 to come back to PeepNet2.exe, and we hit the OK button. SoftIce pops up. Let's hit F12 to be in our proggy's code... hmmmm, not exactly, we landed in MC42.DLL... well, we kill our previous breakpoint (BC *), then let's hit F10 a few times, and we're now in the program's code. We can enter our five new breakpoints: BPX 40EE81, BPX 40F23A, and so on... We have our breakpoints ready, but we don't need them immediately, cause we know the program won't test our serial now, but only at startup. So we disable the 5 breakpoints (we don't erase them!). Type BD * and hit F5 to quit SoftIce. Close PeepNet2.exe and hit CTRL-D to open SoftIce. We enable our 5 breakpoints, typing BE * then hitting F5 to leave SoftIce.

Launch PeepNet2.exe, and SoftIce pops up: we see it stopped at the line 0040F3E1. We can see, on the line just following, LEA ECX, [ESP+1]. Hit F10 twice to pass over this line, then type D ECX to see what's stored in it. You see another address: 006A4340 (note: this address can be different on your own computer). Then we will look in it too, typing D 006A4340... and what do we see? Our bogus serial! It's not what I expected at first, but well, it's here, so we'll use it :) Let's disable all our previous breakpoints (BD *), then put a breakpoint on the memory range where our serial is:

BPR 006A4340 006A4340+7 RW

This line means: if the program reads or writes at the address where our bogus serial is stored, then break! We hit F5, and SoftIce is back immediately. We are in MSVCRT.DLL this time. We can see the following code:

MOV EAX,[EDX]
CMP AL, [ECX]
JNZ ...

Is our serial compared to the true one? Type D ECX, here is our bogus 12121212. Type D EDX, and you find a marvellous number... the good serial itself! Copy this serial somewhere (in my case, it's 4330025362), disable all the breakpoints in SIce, and go to Help/Register.
I entered Pirated / Version and the serial. Let's restart the program, and we have a nice message saying Registered Copy in the big right window :-)

PART 2
~~~~~~

WINZAP
http://www.winzap.com/

Tutor by PinguTM (PinguTM@hotmail.com)(cyx.8k.com)
This is my 19th tutorial

Type: Time Limit, 30 Day.. i think?
Tools: WinDASM, Hiew

1. Since this has nowhere to enter reg codes it is just a trial, so put your computer clock forward a few months and run WINZAP. Take note of the error message. Now fire up winzap in WinDASM!

2. Go into string data references and look for "Your evaluation period is over". Now scroll up and you will see the following...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040584D(C)
|
:00405860 83BD5CF3FFFF1E          cmp dword ptr [ebp+FFFFF35C], 0000001E
:00405867 0F8EAD000000            jle 0040591A

* Possible StringData Ref from Data Obj ->"Your evaluation period is over."
                                  |
:0040586D 6888A24000              push 0040A288
:00405872 8D8D60F3FFFF            lea ecx, dword ptr [ebp+FFFFF360]
:00405878 51                      push ecx

3. Hmmm, notice the jle. Well, this compares the usage to the trial. Note down the offset "4C67" and fire up winzap in hiew. If you dunno how to work hiew, read back through older tuts. Once you get to the offset we want to change the jle to jno (Jump on no overflow), so replace 0F8E with 0F81. Now reload WinZap........ FUCK, there's a modification check. Back to WinDASM.

4. Go into string data references and look for "Program has halted". Now you will see the following...

* Possible StringData Ref from Data Obj ->"Program has Halted"
                                  |
:0040207C 6844884000              push 00408844
:00402081 8D85FCFDFFFF            lea eax, dword ptr [ebp+FFFFFDFC]
:00402087 50                      push eax
:00402088 8B8DF0FDFFFF            mov ecx, dword ptr [ebp+FFFFFDF0]

Scroll up till you see...............

:0040204F 7561                    jne 004020B2
:00402051 68CC874000              push 004087CC
:00402056 8D8DFCFDFFFF            lea ecx, dword ptr [ebp+FFFFFDFC]
:0040205C 51                      push ecx

5. Well, i think you know what to do with that jne.. Change it to a je.
Note down the offset "144F". Back in hiew, change that 75 (jne) to 74 (je). Reload WinZap again. You will get the usual Reg nags, but change the clock to any date now and the program still won't expire.

6. Remember the purpose of this tut was to kill the time limit. It's up 2 u to kill the nags now :) hehe

-=-=- PinguTM -=-=-

PART 3
~~~~~~

PsPar Ver.1.32
http://www.hh.iij4u.or.jp/~masaya/appz/PsPar.zip
(PSX Action Replay, Comms Link Software)

Tutor by PinguTM (PinguTM@hotmail.com)(cyx.8k.com)
This is my 20th tutorial

Type: Limitations
Tools: WinDASM, Hiew

1. Run PsPAR.exe and you encounter an Enter reg details nag. Fill it out to get the nag telling us it's the wrong code. Notice it has "Setting breakpoints wont work". LOL, who cares! Fire up WinDASM.

2. Go into string data references and look for "Code not valid!". Now scroll up and you will see the following...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00412503(C)   <--- Hmmmm!
|
:0041255C 6A00                    push 00000000

* Possible StringData Ref from Data Obj ->"PsPar"
                                  |
:0041255E 6848704200              push 00427048

* Possible StringData Ref from Data Obj ->"Code not Valid!"
                                  |
:00412563 68BC8E4200              push 00428EBC
:00412568 8BCE                    mov ecx, esi

3. Notice my Hmmmm! :) Well, hit the GoTo location button and put in "412503"; now you will jump here.....

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004124FA(U)
|
:00412501 85C0                    test eax, eax
:00412503 7557                    jne 0041255C    <----- Ahhhhh
:00412505 892DBC994300            mov dword ptr [004399BC], ebp

4. Heh, guess what you need to do to that jne.. Make it a je. You should know by now how to byte change.. if not, go back to my older tutorials..

5. Once changed, reload the proggie, enter any shit into the reg screen, hit ok.. Boom... Registered. And that's that!
:)

-=-=- PinguTM -=-=-

PART 4
~~~~~~

Name      : Total Recorder
Version   : 2.2 Beta
Editor    : HighCriteria
Target    : Totalrecorder.exe
s/n saved : HKEY_CURRENT_USER\Software\HighCriteria\TotalRecorder\RegKey
Tools     : W32Dasm
            Hiew
            Brain
Cracker   : LW2000
Tutorial  : No.61
http://www.highcriteria.com/

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. Go to the regscreen and enter the details:
   Name: LW2000
   Key : 1230099
   *BOOM* 'Invalid name or registration key'
   Seems that we have found a bug... ;) Let's fix it!

2. Open the file with W32Dasm and click on the SDR button. Go to our string. Now you should see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:0040C27B(C), :0040C2B5(C)   <--- let's go there
|
:0040C322 6A00                    push 00000000
:0040C324 6A45                    push 00000045
:0040C326 6A01                    push 00000001
* Possible Reference to String Resource ID=61216: "Invalid name or registration key"

3. Let's go to 0040C27B.

:0040C277 8379F827                cmp dword ptr [ecx-08], 00000027   Code = 39 chars ?
:0040C27B 0F85A1000000            jne 0040C322                       <-- if not then jmp
:0040C2AB E8B0EF0000              call 0041B260                      <-- check routine
:0040C2B0 83C408                  add esp, 00000008
:0040C2B3 85C0                    test eax, eax                      <-- eax = 0 ?
:0040C2B5 756B                    jne 0040C322                       <-- if not then jmp

4. Go into Call 41B260. Note the offset from the first instruction. Open hiew and go to the offset (F5). Press F3 to edit and F2 to enter Asm Commands. The rest is plain sailing! Simply enter 'mov eax, 0' [Enter] and 'ret' [Enter]. Press Esc to exit the asm input field. Save your work and try it!

Congratulations! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and i still read them... they are the best!
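Back to the PE header edit in Part 1: C0000040 decodes to INITIALIZED_DATA | MEM_READ | MEM_WRITE (no CODE or EXECUTE bit, so a disassembler has no reason to treat the section as code), while E0000020 decodes to CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE, a writable and executable code section of the kind packed or dumped binaries carry. As an added example that is not part of any tutorial in this file, the Python script below parses a PE section table, decodes those flags and reports W+X sections, which is the triage check a defender would script; the sample PE it builds is a constructed header-only stub, not a real program.

```python
import struct

# Section Characteristics bits from the PE/COFF spec; the two values edited in
# Part 1 (C0000040 and E0000020) decode with these.
FLAG_NAMES = {
    0x00000020: "CNT_CODE",
    0x00000040: "CNT_INITIALIZED_DATA",
    0x20000000: "MEM_EXECUTE",
    0x40000000: "MEM_READ",
    0x80000000: "MEM_WRITE",
}
WX = 0x20000000 | 0x80000000  # executable and writable at the same time

def decode_characteristics(value):
    """Names of the known flag bits set in a section Characteristics dword."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]

def parse_sections(data):
    """Return [(name, characteristics)] read from a PE image's section table."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    off = e_lfanew + 24 + opt_size  # section table follows the optional header
    sections = []
    for _ in range(nsections):  # each IMAGE_SECTION_HEADER is 40 bytes
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        sections.append((name, struct.unpack_from("<I", data, off + 36)[0]))
        off += 40
    return sections

def writable_executable(sections):
    """Section names that are both writable and executable (packer marker)."""
    return [name for name, chars in sections if chars & WX == WX]

def build_sample_pe(section_flags):
    """Constructed header-only PE stub for the demo; not a real program."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)  # e_lfanew: PE header follows at once
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(section_flags), 0, 0, 0, 0, 0)
    body = bytes(dos) + coff  # SizeOfOptionalHeader is 0 in this stub
    for name, flags in section_flags:
        body += name.encode().ljust(8, b"\0") + bytes(28) + struct.pack("<I", flags)
    return body
```

To triage a real file, pass the bytes read from disk to parse_sections; build_sample_pe([(".text", 0xE0000020), (".data", 0xC0000040)]) reproduces the two flag values from Part 1 for a dry run.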
PART 5
~~~~~~

Name      : ButtonWiz
Version   : 7.0
Editor    : Joel Ryan Software
Target    : button.exe
Tools     : W32Dasm
            RegMon
            Brain
Cracker   : LW2000
Tutorial  : No.62
http://www.joelryan.com

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. Ok, i tried to register the program with 1230099 as serial. *Boom* Sorry, that password was incorrect. Mhmm, i think we found a bug... ;P Let's fix it!

2. Open button.exe in W32Dasm. Huh? No SDRs? Mhmm, what now? Take a look at the imported functions!

MSVBVM60.__vbaExceptHandler
MSVBVM60.DllFunctionCall
MSVBVM60.EVENT_SINK_AddRef
MSVBVM60.EVENT_SINK_QueryInterface
MSVBVM60.EVENT_SINK_Release
MSVBVM60.GetMemStr
MSVBVM60.MethCallEngine
MSVBVM60.ProcCallEngine
MSVBVM60.PutMemStr
MSVBVM60.rtcCurrentDir
MSVBVM60.rtcDateDiff
MSVBVM60.rtcDeleteSetting
...

MSVBVM60.DLL, that means we have a VB6 proggy...

3. Ok, first we want to find out what the proggy is looking for: Open Regmon and enter, by Process includes (Regmon Filter): button, and check all of the checkboxes. Press Ok.

4. So let's start ButtonWiz!

HKEY_CURRENT_USER\Software\VB and VBA Program Settings\BWProt7\Reg

Regmon has not found the Keys 'fRC' and 'fPW' .. mmmhmm.... Open regedit, go to the location and make these keys. Enter some dummy data, cause we want to check what our proggy does if it has this information! I added:

"fRC"="LW2000 [CiA]"
"fPW"="2358238947874812891"

5. Ok, let's check it babe! Start the program again. Mhhmm, registered? Lame protection!

Congratulations! You are a registered user (of a lame program...).

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and i still read them... they are the best!

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #71 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
DnNuke for Interface.
InfErNo for Splash Logo.
HarvestR for providing a tut in this version.
PinguTM for providing 2 tuts in this version.
LW2000 for providing 2 tuts in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at:

http://www.msjessca.da.ru
http://go.to/tKC_tutorials
http://www.tkctutsmirror.cjb.net
http://tkc.kickz-ass.com
http://www.crackstore.com/cia

(or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 16 February 2000

Cracking Tutorial #70 is dedicated to all the crackers.