Welcome to Cracking Tutorial #71!

Hiya guys, what do you think of Tutor #70? Good or bad? Do you find *.tKC useful? And the sounds? Anyway, here's tut71.tKC, enjoy it! Oh yeah, I've released a fixed tut #69 and Octavius v2.01 on 3 Feb. Johnny Aum was so friendly to send me his tuts on how to remove the time limits in my old tuts #58-68 and Octavius v2.00. I don't care what you want to do with my files, but at least you can learn a bit about reversing time limits. Sorry about the !@#!@# AHM TritonTools shit... :)

OK, let's rave!

TOOLS
~~~~~

You'll need the following tools: (I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are some good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Target: Hotdog 6.0 professional edition, first public alpha
url: www.tucows.com
bothers you: a lot / time limited
We do: we break time limit

Yowza, I was making the CiA website when suddenly Hotdog Pro 6.0 expired.. ouch.. As lame as I am (busy, I mean), I just requested it, and got a crack after a couple of days.. used it at a mate's.. it worked.. tried it at home, it didn't.. I still had that annoying msgbox telling me I had to register.. *NOT* so, what do we do.. launch W32Dasm and load hotdog6.w32 == copy of hotdog6.exe (and make a hotdog6.exx == backup). Get out, do a dog walk, and come back in around 20 minutes (it took that long on my PC, which is more than powerful enough, so..)
Go to the SDR window and search for the error message (The trial period for...). Click on it, once, twice.. the offset doesn't change. Close the SDR window and you're here:

:005EDB6D 6880DE5E00              push 005EDE80

Scroll up until you see a reference (looks like this):

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005EDB40(C)

Jump to that address (search the right button on your toolbar) and you'll see this:

:005EDB40 7411                    je 005EDB53            <= we could change this
:005EDB42 A1444F6F00              mov eax, dword ptr [006F4F44]
:005EDB47 8B00                    mov eax, dword ptr [eax]

* Possible StringData Ref from Code Obj ->"Checking Registration Status..."
|
:005EDB49 BA54DE5E00              mov edx, 005EDE54
:005EDB4E E86529F9FF              call 005804B8

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:005EDB40(C)
|
:005EDB53 C645FE01                mov [ebp-02], 01
:005EDB57 E8DCD7E1FF              call 0040B338
:005EDB5C D81D74DE5E00            fcomp dword ptr [005EDE74]
:005EDB62 DFE0                    fstsw ax
:005EDB64 9E                      sahf
:005EDB65 7654                    jbe 005EDBBB           <= or this

What would happen if we patch that JBE => JA (76 => 77)?? Open the exe file in Hiew, press F5 and enter the offset 001ECF65. Press F3 and replace 76 with 77. F9 to update and F10 to quit Hiew. Test it.. (execute hotdog6.exe == the file you edited in Hiew) what do we see?? A no-nagging version of Hotdog 6.0?? Isn't that what we want (besides a registered version, but this has the full functionality - as far as I know -)

Enjoy life!

iNNU3NDo

// Computers are not intelligent. They only think they are. //

Greets: Northpole (sorry.. It didn't work here), tKC (I learned it from his tuts some time ago), BuLLeT (see tKC), iCEPiC (iRL RoX!),.... and... #C.i.A #DREAD #EXECUTiON #COROSiVE

PART 2
~~~~~~

Name     : Account Pro
Version  : 7.30f
Editor   : AccSoft
Target   : ShrLk20.DLL
Tools    : W32Dasm 8.93
           The Customiser
           Snooper for Windows
           Brain
Cracker  : LW2000
Tutorial : No.63
http://www.accsoft-ch.com

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. Let's do it the fast way =)

I always get the message box "Please register soon!" Let's take this out first! I snooped in the account.exe (as I always do at the beginning.. *g*) and found some interesting strings:

MSVBVM50.DLL
ShareLock
ShrLk20

Mhmm, what does this tell us? First, we have a VB5 proggy, second, it is secured with ShareLock! No problem =) I searched for 'ShrLk20.*' on my system and found

c:\windows\system\ShrLk20.DLL
c:\windows\system\ShrLk20.OCX

2. Mhmm, let's take a look at the DLL. Open it in W32Dasm and go to the SDR! YEEEESS! We have our msg! Got there.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004295B8(C)
|
:0042961B 803DA4D6420000          cmp byte ptr [0042D6A4], 00
:00429622 0F8476010000            je 0042979E            <- Bad Boy
:00429628 803D60D6420003          cmp byte ptr [0042D660], 03
:0042962F 7515                    jne 00429646
:00429631 6A00                    push 00000000
:00429633 668B0DD0974200          mov cx, word ptr [004297D0]
:0042963A B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Please register soon!"
|
:0042963C B8DC974200              mov eax, 004297DC
:00429641 E892D2FFFF              call 004268D8

3. Pooooor. Really easy! Write down the offset from :00429622 and go there in Hiew. Change the je to jmp and we'll jump over this nag every time! =)

So now let's take a look at the other startup NAG! It has a disabled checkbox. If the box is checked we could hide this splash. Mhmm, let's enable it!

4. Start The Customiser and enable this checkbox. Check the box and press OK. Mhmm, start Account Pro again. Nag gone! =)) Account Pro has written the string '123' into the account.ini. If you delete this string the nag appears again!

Congratulations! You are a Nag Buster ;P

FINISH! Easy, or?

cu LW2000

Any comments? Mail me LW2000@gmx.net or go to http://www.LW2000.cjb.net

----
tKC, thx for your tutors! I started with tutor 1 and I still read them... they are the best!
PART 3
~~~~~~

FireBurner v1.05
www.Fireburner.com
Tutor by PinguTM (PinguTM@hotmail.com) (cyx.8k.com)
This is my 21st tutorial

Type: Time Limit
Tools: WinDASM, Hiew, ProcDump

1. Load FireBurner.exe into Hiew and check the PE header.. hehe... it's UPX! Sweet. Close down Hiew and now load up ProcDump. Hit the Unpack button and select UPX. Next choose Fireburner.exe.. Follow the instructions and save the unpacked file. Delete the original too!

2. OK, fill out the reg details in FireBurner. Ack, it needs to reload to verify... Fuck it, into WinDASM.

3. Into string data reference and look for "This Copy Registered To". Now scroll up and you will see the following...

:0049A269 A1D4F74900              mov eax, dword ptr [0049F7D4]
:0049A26E 803800                  cmp byte ptr [eax], 00
:0049A271 7458                    je 0049A2CB            <----- Hmmmmm!

* Possible StringData Ref from Data Obj ->"This Copy Registered to"
|
:0049A273 BA7CA34900              mov edx, 0049A37C
:0049A278 8B83D8020000            mov eax, dword ptr [ebx+000002D8]

4. Notice my Hmmmm! :) Well, we wanna change that to a jne, so fire up Hiew with offset "99871" and change it! Now reload FireBurner and go to About.. Look, Registered to whatever name you put in.. sweet.. You will notice though that in the main title bar it still has Unregistered, well, back into good ole WinDASM...

5. Into string data reference and look for "FireBurner v1.05 (Registered)". Now scroll up and you will see the following...

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0049AC10(C)
|
:0049AC21 A1D4F74900              mov eax, dword ptr [0049F7D4]
:0049AC26 803800                  cmp byte ptr [eax], 00
:0049AC29 740E                    je 0049AC39            <------ Ahhh!

* Possible StringData Ref from Data Obj ->"FireBurner V1.05 (Registered)"
|
:0049AC2B BA80AF4900              mov edx, 0049AF80
:0049AC30 8BC7                    mov eax, edi
:0049AC32 E84D6CF9FF              call 00431884
:0049AC37 EB0C                    jmp 0049AC45

6. Notice my ahhh! :) Well, we wanna change that to a jne, so fire up Hiew with offset "9A229" and change it! Now reload FireBurner.. Never looked better. Fully Registered!
-=-=- PinguTM -=-=-

PART 4
~~~~~~

Backgammon, by George 1.70 - How to crack it

Target: Backgammon, by George 1.70
WWW: http://www.geocities.com/john_aum (at the end of page) or other url's ???
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to remove: time limit & entry NAG
Used tools: W32Dasm & Hacker's View (backgrounded by Windows Commander 4.03)

----------------
This info is for personal use and cannot be forbidden by anyone! If someone tries, he is surely on the black side (men from government, army, services or other crazy instruments of Satan). I'm for free & freedom in any domain, we can do it, we need only love & God. If older generations cannot understand, their minds are on the black side, too.
----------------

What we observe at this program (nice backgammon proggie) is this: on entry we remark a nice NAG (?!*%#$&zbang!) which must disappear, because we don't need it. But first we read "demo period is over". So, it's a time limit! Second observation: the menu has all the options blocked now - means it's already expired, as you already guessed.

Let's try this first: put the year 1995 (set clock-date). Enter again. Fine job! The program now looks like it's clean of all limitations! Let's make it stay this way forever!

Time limitation: search (in W32Dasm) in imported functions (Imp Fn button) for GETLOCALTIME, for example. Nothing. Look with Alt-S-F for the word "date". No significant function about that! Let's think: it's a menu disabled, let's find a function with menu disabled, more precisely with menu enabled, like the function ENABLEMENUITEM. That's it! This function must give us control over enabling options in the menu. Let's search for this word - "enablemenuitem". We think that the right ENABLEMENUITEM must have a jump around it, like jbe, jle, meaning jump if date is this or below, or date is out of limit of less or equal, etc. Looking from the beginning of the code, we find on the 5th ENABLEMENUITEM a jump around it, jle 43BC. Bingo!
The process is like this: enable menu, jump if date is out of the limits, less or equal. So, if the jump works, hallelujah with options in the menu! Let's kill this frog! Instead of jle (7E 03) put 90 90, you know why, you know? I assume after lots of tKC (great guy! all my love!) tutorials you learned something. Now the jump is noped. See if it works! Hacker's View - hiew 4A57 -> 90 90. OK! Good job Johnny! Einstein time limitation is gone!

NAG limitation: here are two ways of noping this NAG: the easy way and the hard way (but not for me).

First way is with the 82 -> 7E trick (read tKC tutorials if you don't understand what this is!). Working all the time! In many cases! So, let's make a search for the text "Thank you" with hiew (you know what a hiew is, it's a kind of fish - joking). Bingo! One million bucks for Johnny! At hiew 132D2 is 82 (a small weird e). Turn 82 -> 7E (a kind of jump back, don't process this window). Look for results: NAG is also lost in space forever! Great job! Easy, ha?

The program is now with no limitation, but a cracker must learn more! So I give you a homework (if you are no lazy chicken!). The hard way: (I'll tell you a secret) look for the function REGISTERDLGBOX & for words from the NAG like "demo period has expired", etc; around this function are jumps (like in the time limitation from above).

PS: if you don't like the text ", by George" in the titlebar you can delete it. I prefer it without. Easy job, newbies. I'm a newbie (but a little advanced) too, and it's good to learn.

-----------------
Answer: if you look down here and you didn't do it on your own, you are really a Sunday cracker (this is for newbies who must learn more tricks). More professional approach on removing the NAG: hiew B554: 7F -> EB and B5CD: 7D -> EB. May work also (REGISTERDLGBOX) on other programs when nothing else is to be done.
----------------
Greets: tKC (my love too!), CIA, PC, CORE, all crackers, PRO or newbies, all cracker teams (keep going, we must eliberate from iudeo-masonic tirany, all must become free), we are great guys, and nice too. Love you all (but you must be a good soul!).

Romanian Greets: Greetings to all the crackers in Romania! Keep going, better days await us too, think optimistically, God is here with us!

At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is love!

E-mail: johnny_aum@yahoo.com
---------------Sorry if my English is not perfect!----------------

PART 5
~~~~~~

tKC Tutorials 58-60 & Octavius 2.0 - Remove time limits

Target: tKC tuts 58-60 & Octavius 2.0 (setup.exe also)
WWW: http://members.xoom.com/jesscastoyz/
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections: time limits
Tools : W32Dasm 8.93 & Hacker's View (backgrounded by Windows Commander)

----------------
Remove time limits on all tuts (58-64). From the date 02/04/2000 all the programs mentioned as targets will expire. So, I observed that it's the same modification to be made (same address and, of course, same method). First we get upx 0.94 from http://upx.tsx.org (good compressor, but aspack 2000 is great too!) and unpack all the 7 tutorials. The method to be used is similar to the one used by tKC in tutorial 20, part 6 (Cracking AHM TritonTools 2000 beta 1.3 for Delphi - in fact cracking projects made with this proggie). So, let's take tutorial 58 and disassemble it with W32Dasm. The function GETLOCALTIME is the one who must be followed.
We search with Alt-S-F (getlocaltime) and I found that the function we need is at 409040 (W32Dasm). We can do a test (put 9090909090 instead of E85BD2FFFF and notice that the program has a runtime error, so here is the problem). Also, the CALL 467979 from the above function GETLOCALTIME is the one who calls local time (this is similar to the one in tKC's tutorial, what a nice job). Shift-F12, we put address 467979 and we go there. We quickly observe that this call has a jbe below. Looks exactly like a condition for a time limit. Let's reverse it. I mean 76 -> 77 with hiew (jbe -> ja). We make a test and, bingo! That's all folks!

So, recapitulation: at address W32Dasm 467984 -> hiew 66D84 (I hope you see that the hiew address is on the taskbar of W32Dasm) the change 76 -> 77 is to be made. But just a moment! If we leave this modification, the tutorial could look expired if we set the clock (or forget it this way) one year back. Let's make a modification forever, so we will put EB instead of 77 (EB means jump anyway to address ??). We're done with this baby. OK! (Recompress it with upx 0.94, or I found better packing with aspack 2000 - search with AltaVista for it - your choice!)

Now let's look at Octavius 2.0. Looks fine tKC! But 1.4 is even nicer, from my point of view. We search in octavius.exe (decompressed also with upx 0.94) for GETLOCALTIME (I assume you already understood that octavius.exe should be disassembled first). The method is almost similar to the one above and it is easy to find the correct jump (in this case there are 2 jumps). I could tell you step by step, but if you are a beginner I think that you must practice and find these jumps on your own. It is so simple!

-----------
(On attempting to reinstall the unmodified octavius.exe I found that setup.exe of Octavius 2.0 is also expired; set clock/date to 1999, OK! Install!)

Answer for Octavius 2.0: If you are lazy and you don't want to learn, here is the fast answer: at hiew addresses 5314C & 888E0, 76 -> EB on both addresses.
At the time when I finish this tutorial I have already cracked the setup.exe also. I can give you infos, but I want you to become a good cracker, so I tell you only: the crack method is identical to the one for Octavius 2.0. Discover it yourself! No free gifts this time! . . . Come, come here! setup.exe (original date 25.01.2000) uncompressed - 4CE18 and 60C88, both 76 -> EB. That's because I love you!

----------------
E-mail: johnny_aum@yahoo.com
----------------

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #72 soon! ;) And as I said last time: Without knowledge, there's no power! ;)

Credits go to:
DnNuke for Interface.
tKC for Splash Logo.
iNNU3NDo for providing a tut in this version.
PinguTM for providing a tut in this version.
LW2000 for providing a tut in this version.
Johnny Aum for providing 2 tuts in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at:
http://www.msjessca.da.ru
http://go.to/tKC_tutorials
http://www.tkctutsmirror.cjb.net
http://tkc.kickz-ass.com
http://www.crackstore.com/cia/
(or on IRC, ask CiA ops for urls!)

Greetz go to all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 16 February 2000

Cracking Tutorial #71 is dedicated to all the crackers.
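Every tutor above quotes two numbers for the same instruction: the W32Dasm address (a virtual address such as :0049A271) and the Hiew file offset (99871), and Part 5 remarks that W32Dasm shows the second one on its status bar. The link between them is the PE section table: subtract ImageBase to get an RVA, find the section containing it, and rebase onto that section's PointerToRawData. Part 3 also recognises the UPX packer from the PE header; the section names are one of the tells. This is the same bookkeeping a forensic analyst does when checking whether a distributed binary has been altered at an address seen in a disassembler or debugger. The script below is an added example, not code from tKC or the tutors; it constructs a header-only PE32 (no real program inside) with a Delphi-like layout (ImageBase 0x400000, CODE at RVA 0x1000 backed by raw data at file offset 0x600), an assumption chosen so that the FireBurner numbers quoted in Part 3 come out of it.

```python
"""Map a PE virtual address to its file offset and triage packer section names.

Added example (not from the tutorial). The PE bytes are constructed here and
carry only headers; the section geometry is an assumed Delphi-like layout.
"""
import struct

DEFAULT_NAMES = (b"CODE", b"DATA", b"BSS")


def build_sample_pe(section_names=DEFAULT_NAMES):
    """Construct a minimal PE32 header (constructed sample, not a real program):
    ImageBase 0x400000, first section at RVA 0x1000 with raw data at 0x600."""
    e_lfanew = 0x80
    dos = bytearray(e_lfanew)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)       # e_lfanew -> "PE\0\0"
    geometry = [
        # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData
        (0x9B000, 0x1000, 0x9B000, 0x600),
        (0x3000, 0x9C000, 0x2E00, 0x9B600),
        (0x1000, 0x9F000, 0, 0),                       # uninitialised: not in the file
    ]
    coff = struct.pack("<HHIIIHH", 0x14C, len(geometry), 0, 0, 0, 0xE0, 0x10F)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)              # PE32 magic
    struct.pack_into("<I", opt, 28, 0x400000)          # ImageBase
    struct.pack_into("<I", opt, 32, 0x1000)            # SectionAlignment
    struct.pack_into("<I", opt, 36, 0x200)             # FileAlignment
    table = b"".join(
        struct.pack("<8sIIIIIIHHI", name, vs, va, rs, rp, 0, 0, 0, 0, 0x60000020)
        for name, (vs, va, rs, rp) in zip(section_names, geometry))
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + table


def parse_pe(data):
    """Return (image_base, sections) from the DOS, COFF, optional and section headers."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec, = struct.unpack_from("<H", data, e_lfanew + 6)
    opt_size, = struct.unpack_from("<H", data, e_lfanew + 20)
    opt = e_lfanew + 24
    magic, = struct.unpack_from("<H", data, opt)
    # ImageBase is a DWORD at +28 in PE32 and a QWORD at +24 in PE32+
    if magic == 0x10B:
        image_base, = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:
        image_base, = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    off = opt + opt_size
    for _ in range(nsec):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, off)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "va": va, "vsize": vsize, "raw_ptr": rptr, "raw_size": rsize})
        off += 40
    return image_base, sections


def va_to_file_offset(data, va):
    """W32Dasm-style address -> Hiew-style file offset, or None when the address
    is not backed by bytes on disk (zero-filled tail, BSS, or outside every section)."""
    image_base, sections = parse_pe(data)
    rva = va - image_base
    for s in sections:
        span = max(s["vsize"], s["raw_size"])  # VirtualSize may be 0 in old linkers
        if s["va"] <= rva < s["va"] + span:
            delta = rva - s["va"]
            if delta >= s["raw_size"]:
                return None                    # exists in memory only
            return s["raw_ptr"] + delta
    return None


def packer_hint(data):
    """Crude triage from section names left by common packers (UPX0/UPX1, .aspack)."""
    _, sections = parse_pe(data)
    names = [s["name"] for s in sections]
    if any(n.startswith("UPX") for n in names):
        return "UPX"
    if ".aspack" in names or ".adata" in names:
        return "ASPack"
    return None


if __name__ == "__main__":
    pe = build_sample_pe()
    for va in (0x49A271, 0x49AC29):            # the two FireBurner addresses from Part 3
        print("%08X -> %X" % (va, va_to_file_offset(pe, va)))
    print("packer:", packer_hint(pe))
```

With the assumed geometry, 0049A271 maps to 99871 and 0049AC29 to 9A229, the two pairs PinguTM quotes. The None results matter as much as the hits: an address in a section's zero-filled tail or in BSS has no byte on disk to compare against, which is why a file-offset lookup must check SizeOfRawData and not only the virtual span.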