Welcome to Cracking Tutorial #72!

Hiya guys, what do you think of Tutor #70? Good or bad? Do you find *.tKC useful? And the sounds? Anyway, here's tut72.tKC, enjoy it!

OK, let's rave!

TOOLS
~~~~~

You'll need the following tools: (I use these tools and I assume you'll use them too, but that doesn't mean you'll need all of them, so just be sure to have them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.20
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it because it makes multitasking easier)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are some good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any cracker to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

PrivateEXE v2.2 for Win'9X/NT - How to crack it

Target: PrivateEXE v2.2 for Win'9X/NT
WWW: http://www.midstream.com
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to remove: nag, bypass window, others
Used tools: W32Dasm & Hacker's View (backgrounded by Windows Commander 4.03)

----------------
This info is for personal use and cannot be forbidden by anyone! If someone tries, they are surely on the black side (men from government, army, services or other crazy instruments of Satan). I'm for freedom in any domain; we can do it, we need only love & God. If older generations cannot understand, their minds are on the black side, too.
----------------

Hi, guys, I'm back! Now we have a nice proggie here, this Private. After installation, we quickly observe that the setup has dropped the principal files in the subdirectory you named and 2 others in C:\WINDOWS\SYSTEM, 006.dll and 007.dll. I delete the file 006.dll. We have no interest in it, and Private and the passworded programs work without it.
Quick observation: on program entry we take a look and notice 2 things: a nice (^&(**!@?zbang) NAG and a disturbing titlebar, EVALUATION COPY. If we make a passworded program, we also observe 2 things: a mess in the titlebar and a bypass window, sometimes stuck next to the normal one (at random). Let's do this, babe!

Search in Private (a copy of it, for example y.exe) for the word "f e e" (with 00 between the characters, since the strings are stored as 16-bit wide characters) from the NAG; you see it, no? Bingo, the word is found at hiew 14F44 (nice weird e). We make the 82 -> 7E trick, so we put 7E instead of 82. OK, test; right, the NAG's gone forever. Bye-bye, babe!

Now search for C O P Y (with 00 between). Bingo! We find it at hiew 13C8C. We put 20,20,20... (spaces) instead of the characters; don't modify the 00s between! Now we take a general look at this program: it looks nice, like a registered one! The author says in his help that we have no time limit anyway; we believe him! One remains to go!

Now we notice that the words from the bypass window (ugly thing, bleah!) that look like "the button below..." tralala are in 007.dll, if we search for them the way I did (the word " b e l o w" with 00 between, in hiew). So, we must disassemble this babe, 007.dll, with W32Dasm 8.93. Do it! Quick job! Hmmm... We are smart, guys, ha? Because we are crackers! So, what do we think? We think, no? The brain is around, good to have it! We think that the program most probably uses a random time calculation based on the clock. So we must find a function about time, if we are lucky. I'm sure it is something in connection with time! Let's search for this first: GETLOCALTIME. ALT-F-S, write this word, OK. Yoopie! We found a reference to it at w32dasm address 10001980 (remember, we are in 007.dll). The first GETLOCALTIME was in the text before the code, so we are not interested in that one. So, from here there seem to be the calculations about the random time and when that *$&#@zbang! BYPASS WINDOW appears! And no GETLOCALTIME anywhere else. Let's try!
Quick modification (we go out from w32dasm) at 1001980, meaning hiew D80: 83 -> C3 (C3 is RET, so the function returns to base as fast as it can!). Let's password a program! Test and YABADABADOOO! Working like a clock! Fine job, Johnny boy! The BYPASS WINDOW doesn't appear even after many, many tries, and of course it will not be around forever! We still have these words in the passworded program: EVALUATION COPY. Quick search, found at hiew 5546 (007.dll, for sure!). Space them forever! Now it appears that my job is done!

What I want to point out is this: when cracking a program, a creative, intuitive and sharpened approach is welcome! So you'd better think a little before shooting modifications all around! Methodical, clean and disciplined habits, if you have them, are very helpful too! Note every modification (and the reason, the logical step) in a notebook. In time you will observe that for cracking a few methods (logical approaches) can be defined, but creative and innovative thinking is also necessary.

PS. Because someone who thinks he is a smart guy can take an original 007.dll from the Private setup, replace yours and bypass your passworded program, we make a final move: rename, for example, 007.dll -> sys.dll, and in pexe32.exe (or whatever you named the cracked file, y.exe) at hiew 103EB put sys instead of 007. Delete the old passworded program and make a new one. Now this works with the help of our cracked sys.dll (the old 007.dll). OK! Job done!

PS 2. I recommend that pexe32.exe, sys.dll and the passworded program be encrypted or packed by you with a specialized program for more safety. Keep a clean original unpassworded exe of the program to be passworded, also!

----------------
Greets: tKC (my love too!), CIA, PC, CORE, all crackers, PRO or newbies, all cracker teams (keep going, we must eliberate from iudeo-masonic tirany, all must become free), we are great guys, and nice too. Love you all (but you must be a good soul!).
Romanian Greets: Greetings to all the crackers in Romania!
Keep going, better days await us, think optimistically, God is here with us!
At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is love!
E-mail: johnny_aum@yahoo.com
---------------Sorry if my english is not perfect!------------------------------

PART 2
~~~~~~

Sketch Effect 1.00 - How to crack it

Target: Sketch Effect 1.00
WWW: http://www.forwarddesign.com
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to remove: splash, nag, SE signature on image, unoperational buttons
Used tools: W32Dasm & Hacker's View (backgrounded by Windows Commander)

----------------

I'm back again! This time we have a beautiful art maker program that will make from your image a Van Gogh, a pointillistic painting, or something else. Pretty, ha? Let's teach people how to crack nicely! We start... about now!

1) Splash to remove (optional for you): we quickly observe that this splash window is a dialog window. Let's disassemble a copy of sketch effect.exe, let's say y.exe, with w32dasm. Search from the beginning with ALT-F-S for the word "DialogID_" to find something. There is a list here, DIALOG INFORMATION, bingo! From here we must search for the splash. We notice that only DialogID_0068 has no text in its caption, "". If you are a good observer, you noticed before that the splash window has no name in it and the other dialogs have one (purchase, etc). So, let's search for this "DialogID_0068". Quickly ALT-F-S, put in the word and... bingo! One million bucks for Johnny! At w32dasm address 40776E is the instruction push 68. Let's change 68 to 00 and see what happens. Hiew address 6B6F. Great job! Splash removed forever!

2) OK.
NAG is next. This is the one with "Purchase Sketch Effect today...". Let's search for this word in 32-bit form, "t o d a y", with 00 instead of 20, in hiew. Bingo! We found something at hiew address 1971C (the word is below) and we make the 82 -> 7E trick, and we find that the NAG is gone. Absolutely!

3) SE signature on the picture after it has been modified or sketch-effected. You probably think it is a hard job. It's incredibly easy, if you catch the point. Like most of my methods, these were developed and discovered by me, because I know how to practice, to observe and to learn. Practice too, if you really want to learn! And don't expect cracking to be a one-day learning job! More methods can be applied here, but a quick one: let's search for "28 00 00 00" in hiew, F7, down (28 00 00 00 is the 40-byte BITMAPINFOHEADER size field that starts a DIB). We find 3 stops. From my experience, the first doesn't look like a BMP beginning, the second must be the BMP splash (in order), and the 3rd should be the one we are looking for, the BMP for the SE signature. Change 28 -> 29 (works on icons too). The address is 33118. Let's sketch-effect something (the fast one is the black & white method). Wow, it's working perfectly! Fine and quick too! The SE signature is gone too! And we transformed a demo Sketch Effect into a working one. But we cannot save our work, because we don't have a functional save in this demo code. If you are clever, you can save your work! How? You don't get it? The PrintScreen and MSPaint paste way. And after that, ACDSee for resizing to your needs (fast method) and again PrintScreen, paste into MSPaint and save. Of course, you can resize with other programs like IPhoto or LView Pro.

4) Unoperational buttons: yes, we have "Purchase", and "Print", "Save" from the Paint window. I'll tell you the method for "Purchase"; experiment and find and modify the other two yourself. What do we observe at the "Purchase" button? That the "u" character is underlined. So, let's search in hiew this way (32-bit): "P & u r c h a s e" (with & before u and with 00s between the letters), go for it! Bingo at address 1912B.
There is a 40 there; change it to 00 and WOW, it worked! The button is gone! Same method to use on the other buttons. Sometimes it is a P (50) that has to be modified. Works (P, 50 -> 00) on text too! You can center the remaining buttons with Exescope 5 (watch my tutorial on how to crack it, if tKC includes it in his tutorials)! Great tool, Toshi! Smart and great guy! Job's done! Until the next tutorial, goodbye!

PS. Right now, after finishing the tutorial, I made an interesting discovery! You can exescope the paint window in such a way that the sketch-effected picture can be increased in size beyond what the original program permits, this way: open y.exe (the file modified by us) in Exescope and enlarge (Exescope - dialogs) the frame in the paint window that holds the image as much as you wish, and move the buttons (the stop button, in fact) and the frame describing it too, to fit the resized image frame. Good idea, Johnny AUM. Enjoy!

----------------
Greets: tKC (my love too!), CIA, PC, CORE, all crackers, PRO or newbies, all cracker teams (keep going, we must eliberate from iudeo-masonic tirany, all must become free), we are great guys, and nice too. Love you all (but you must be a good soul!).
Romanian Greets: Greetings to all the crackers in Romania! Keep going, better days await us, think optimistically, God is here with us! Soon, the Romanian Cracking Team at www.geocities.com/john_aum, bottom of the page.
At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is love!
E-mail: johnny_aum@yahoo.com
---------------Sorry if my english is not perfect!------------------------------

PART 3
~~~~~~

Exescope 5.0 - How to crack it

Target: Exescope 5.0
WWW: http://www.protools.cjb.net
Cracker: Johnny AUM
Protections to remove: writes a code in the header of a file & reads this code

What we observe at this program (great proggie, thanks Toshi) is this: the first time we modify a program we can make as many modifications as we wish without going out. The moment we attempt a second set of modifications, entering Exescope for the second time, we notice that we cannot save this second set of modifications on the way out. What's happening? Every time we exit after modifications, Exescope searches for its code in the header of the file, and if it's not found, the program writes this code (hiew: CC -> 8F 05) into the header of the modified file. So, the second time we exit, Exescope, after some new changes in the file, verifies whether the code is present, and if it is, it will tell you to register and also that it cannot save these new modifications.

So, let's find this protection that writes to the header of the file. It must be something that writes a file, like the API function WRITEFILE. Let's search for this function. Disassemble Exescope with w32dasm, press ALT-F-S and put in this text: "kernel32.WRITEFILE", because we don't want interference with other texts at the beginning of the code. We find 5 WRITEFILEs. Many, ha? But we think that the real WRITEFILE function will write to the exescoped file many times (the other modifications), so above the needed WRITEFILE function there must be a lot of calls. If we take a look, we see that only the 3rd function is the one that has many calls above it. Let's test it! The address (w32dasm) is 40512C. Correspondence in hiew: 452C. Let's NOP it with 90 90 90 90 90, 5 times. We enter Exescope and modify a file.
When exiting, Exescope tries to save and to put the code into the header first, but the function is gone, so we get an error message. Bingo! That's it! Now what? Remember the calls above the 3rd WRITEFILE? One of these, probably at the beginning or near it, is writing the header. Let's find which one! I've checked quickly for you, and I found that the 5th call, I mean call 4566FA, is the one that writes the header of exescoped files. We go to address 4566FA in w32dasm. We observe that above call 405108 (from address 4566FA) is the following instruction: mov ecx,000000E0, meaning ecx=E (14 decimal). Let's change the value, first trying ecx=0. This will give, further on in the code of Exescope, some calculations with null values, meaning that the WRITEFILE function will not be activated. Let's see if this works. The hiew address for mov ecx,e is 55AF5, and the value E0 is at 55AF6. Make E0 -> 00. I hope you use an unmodified Exescope and a fresh file (not already exescoped; remember that the program writes the code in the header). Finally, it works! Yohoo! Working! Goodbye, writing headers on exescoped files! One protection bye-bye.

We know that the writing to the headers of files is down. But if we have a file exescoped with the unmodified shareware version of Exescope, it's bad, because first we need to delete the code in the header (we can do this with a *.bat and a patch, automated, which also works without cracking Exescope; Toshi, find a better protection), or second, we must crack the read function to stop Exescope reading this code, in order to let us make as many modifications as we need. Let's make this proggie never read or search for its own header code.
After looking at the code well, I observed that the registration procedure is like this: put a name and a good serial, and Exescope will create a few lines at the end of its ini:

[Reg]
Name=your name
ID=your good serial from Toshi

and also that there are two places where reg and name are found: 1st, when you are registering the program (this is the order in the ASM code, at the end), and 2nd, when the program is searching for REG, name and serial in its exescope.ini. Here there are two situations:
a) unregistered - the program, after verifying, tells the code through a CALL to read the header of the file;
b) registered - the program tells through that CALL that it is now registered, and stops reading.
If this CALL or CALLs can be identified and killed, the code cannot go further to process either case. This CALL must be around the two places mentioned above; it is, and I found it:
- 1st case - when registering the program - CALL from line 47CDBC;
- 2nd case - when Exescope looks in its ini - CALL from line 48433C;
Both CALLs are calling the same w32dasm address: line 48450C. Let's kill this path (to stop the functions from here executing) and reopen the cracked Exescope with an exe modified by the unregistered version. Change at hiew 8390C: 55 -> C3 (push ebp -> RET, so the function returns immediately). Test... aha... Working! So reading the code from headers is blocked. Job done!

[ Enjoy this fine program, now full featured! Toshi, don't be angry with me; I would not be in your place! If you have something which is really good, people deserve to have it from all our hearts! Love must be the engine for all actions! With more men thinking this way, we will advance more quickly on the road to real peace, love and happiness! You all must know that this is happening already, no matter what side you are on! Don't let your ego oppose your soul's happiness! Ego is hell! Listen to your heart first and then think everything from there! Love you! Bye now!
]
----------------
Greets: tKC (my love too!), CIA, PC, CORE, all crackers, PRO or newbies, all cracker teams (keep going, we must eliberate from iudeo-masonic tirany, all must become free), we are great guys, and nice too. Love you all (but you must be a good soul!).
Romanian Greets: Greetings to all the crackers in Romania! Keep going, better days await us, think optimistically, God is here with us! Soon, info about the Romanian Cracking Team at www.geocities.com/john_aum, bottom of the page.
At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is love!
E-mail: johnny_aum@yahoo.com
---------------Sorry if my english is not perfect!------------------------------

PART 4
~~~~~~

The cracking of Apx_Reveal v1.0 from Integrity Software
by L!M!T The Exterminators 2000

------------------------------------------------------------
FOREWORD

Apx_Reveal is an Internet detection application. In short, the program scans the HD for images, history files and so on. This program is suited for parents who are anxious about what their children 'do' on the Internet. This is my first tutorial in a long time; in the past I have only written three tutorials, so please forgive me for any typos or my bad English ;)
------------------------------------------------------------
This tutorial will not contain much explanation of assembler language, patching or programming, so this one is really suited for newbies who might be scared of such 'advanced' stuff. I consider the difficulty of this tutorial to be VERY easy.

TOOLS USED: WDasm v8.93
------------------------------------------------------------
THE FIRST LOOK

Download the program at http://www.protectyourfamily.net and install it. The first thing that hits you when you run the program is a nice warm welcoming splash screen, telling you that if you want to use the program to its full extent you have to pay, as always.
If you want to, you can always try to fish a serial for it using Soft-Ice. But, as you will see further down, we will register it with any name and number without modifying a single byte of code. Let's continue; choose 'OK' and let the messagebox hit you with the 'greatly limited' message. Take a look at the program, note the 'Unregistered version' and so on, and get familiar with it. When you are done, close the program and fire up good old WDasm.
------------------------------------------------------------
THE DISSECTION

Open the file 'apx_reveal.exe' in WDasm. Click the 'Strn ref' button in WDasm's toolbar and you will get a list of the strings that exist in 'apx_reveal.exe'. If you double-click on any string in this list, WDasm will go to the address where the string appears in the disassembly listing, but I guess you already knew that. Double-click some of the strings and take a look around. You will find some very interesting strings that you would normally find useful when reversing a program.
------------------------------------------------------------
THE REVERSING

You might want to go and take a look at the code that resides near 'Application Already Registered' or 'Registration number was invalid!' and start patching high and low. But the strings that caught my interest are the GUIDs that are in the string list. These two:

{4E3E4954-F9B5-11d2-A085-00500402F30B}
and
{D47C2BCE-3C52-11F0-9210-848C1D0FE000}

Double-click the first one (in WDasm's string list). You will end up here:
------------------------------------------------------------
:004036DF 8D54244C                lea edx, dword ptr [esp+4C]
:004036E3 52                      push edx

* Reference To: _ISource._ISGetDLLVersion, Ord:0036h
                                  |
:004036E4 E84D260200              Call 00425D36

* Possible StringData Ref from Data Obj ->"{4E3E4954-F9B5-11d2-A085-00500402F30B}"
                                  |
:004036E9 68089F4600              push 00469F08

* Reference To: _ISource._ISInitialize, Ord:005Eh
                                  |
:004036EE E83D260200              Call 00425D30

* Possible StringData Ref from Data Obj ->"Creating the matte."
                                  |
:004036F3 68F49E4600              push 00469EF4
:004036F8 56                      push esi
------------------------------------------------------------
Hmm.. Not as interesting as the second one:
------------------------------------------------------------
* Possible StringData Ref from Data Obj ->"{D47C2BCE-3C52-11F0-9210-848C1D0FE000}"
                                  |
:004175D6 6800DB4600              push 0046DB00

* Possible StringData Ref from Data Obj ->"System Settings"
                                  |
:004175DB 68FCD84600              push 0046D8FC

* Possible StringData Ref from Data Obj ->"Software\Active\ActiveY"
                                  |
:004175E0 68E4D84600              push 0046D8E4

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
                                  |
:004175E5 6870BA4600              push 0046BA70
:004175EA E8714DFFFF              call 0040C360
:004175EF 8B942408010000          mov edx, dword ptr [esp+00000108]
:004175F6 8D86DC000000            lea eax, dword ptr [esi+000000DC]
:004175FC 52                      push edx

* Possible StringData Ref from Data Obj ->"Registered User: "%s"."
                                  |
:004175FD 68A8DA4600              push 0046DAA8
:00417602 50                      push eax
:00417603 E84E570200              call 0043CD56
:00417608 8B442430                mov eax, dword ptr [esp+30]
:0041760C 83C420                  add esp, 00000020
:0041760F C6867508000001          mov byte ptr [esi+00000875], 01
:00417616 EB34                    jmp 0041764C
------------------------------------------------------------
This is much more interesting!
If you take a look at the code preceding the GUID you will see this:
------------------------------------------------------------
:00417567 8B9424F4000000          mov edx, dword ptr [esp+000000F4]
:0041756E 55                      push ebp
:0041756F 52                      push edx

* Possible StringData Ref from Data Obj ->"Name"
                                  |
:00417570 6828714600              push 00467128

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
                                  |
:00417575 6800714600              push 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
                                  |
:0041757A 6870BA4600              push 0046BA70
:0041757F E8DC4DFFFF              call 0040C360
:00417584 8B442420                mov eax, dword ptr [esp+20]
:00417588 55                      push ebp
:00417589 50                      push eax

* Possible StringData Ref from Data Obj ->"Number"
                                  |
:0041758A 68E0704600              push 004670E0

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
                                  |
:0041758F 6800714600              push 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
                                  |
:00417594 6870BA4600              push 0046BA70
:00417599 E8C24DFFFF              call 0040C360
:0041759E 8B4C2444                mov ecx, dword ptr [esp+44]
:004175A2 55                      push ebp
:004175A3 51                      push ecx

* Possible StringData Ref from Data Obj ->"Version"
                                  |
:004175A4 680CD94600              push 0046D90C

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
                                  |
:004175A9 6800714600              push 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
                                  |
:004175AE 6870BA4600              push 0046BA70
:004175B3 E8A84DFFFF              call 0040C360
:004175B8 55                      push ebp

* Possible StringData Ref from Data Obj ->"YES"
                                  |
:004175B9 683CD94600              push 0046D93C

* Possible StringData Ref from Data Obj ->"Registered"
                                  |
:004175BE 6828DB4600              push 0046DB28

* Possible StringData Ref from Data Obj ->"Software\Integrity Software\Apx_Reveal"
                                  |
:004175C3 6800714600              push 00467100

* Possible StringData Ref from Data Obj ->"HKEY_LOCAL_MACHINE"
                                  |
:004175C8 6870BA4600              push 0046BA70
:004175CD E88E4DFFFF              call 0040C360
:004175D2 83C450                  add esp, 00000050
:004175D5 55                      push ebp
------------------------------------------------------------
What we have here is an addition (or a check) made in the registry for the following things. At the 'HKEY_LOCAL_MACHINE' 'Software\Integrity Software\Apx_Reveal' position the program retrieves the following information (starting at the top of the code snippet above):

'Name' - (Registered) username.
'Number' - The serial number.
'Version' - Program version.
'Registered' - 'YES'.

And in the code snippet above this one, at the 'HKEY_LOCAL_MACHINE' 'Software\Active\ActiveY' position, the program retrieves the 'System Settings' information. Directly after this, the GUID appears: {D47C2BCE-3C52-11F0-9210-848C1D0FE000}. And the last line in the WDasm listing says "Registered User: "%s"."? This looks very interesting!
------------------------------------------------------------
WHAT HAPPENS IF...?

If you start RegEdit and look at the positions above (HKEY_LOCAL_MACHINE\Software\Integrity Software\Apx_Reveal) you will see that the information we saw in the code snippet and the WDasm listing isn't there. Instead of 'Name' there is a '~Name', and the other information is non-existent. And if you look for '\Active\ActiveY' you will not find it. The reason I found the GUIDs interesting was because of another program I reversed by adding a GUID found inside it (TakeMe, graphic browser. Remember that one, Chafe?). So when I spotted them in the string refs, I figured that maybe a similar registration check was made here as well. So, when the information that the program might add or look for is non-existent, try adding it and see what happens.

Let's start with the information in the 'Integrity Software\Apx_Reveal' part. First, rename the '~Name' to 'Name' and add your name. Then, add a string value named 'Number' and type something like this: '12-34567890'. Add a string value named 'Registered' and enter 'YES' as the value. Now, start Apx_Reveal and see if something has happened! Damn, the 'Unregistered..' box pops up.
So, entering this information didn't do the trick. Let's add the 'Active\ActiveY' part as well. In the 'HKEY_LOCAL_MACHINE\Software' branch, add a new key named 'Active'. Right-click 'Active' and add a new key named 'ActiveY'. At this position (ActiveY), add a string value named 'System Settings'. Enter the GUID as the value: '{D47C2BCE-3C52-11F0-9210-848C1D0FE000}'. Start Apx_Reveal again and we'll see if we are right. Yes! No splash nag, no annoying messagebox, and there the name you entered is displayed as a registered user! Great! Work done!
------------------------------------------------------------
FINAL WORDS

First, I want to thank you for reading this tutorial. It makes the time spent writing it worthwhile. I hope you learned something as well :-) Greetings go out to all the people in the scene, and to all the people that I know (no one mentioned, no one forgotten).
/L!M!T
------------------------------------------------------------

PART 5
~~~~~~

[TFC ASCII-art logo]

THE FREELANCE CRACKER
Cracking Tutorial #1
Release Date: 02/19/2000
Difficulty: Easy to Medium
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Target: Quintessential CD Player v2.1.007 (aka 2.0.200)

Tools:
Softice 3.23+
Windasm 8.9+ or some other disassembler
Hiew or another hex editor (if you want to just crack it)
some programming language (gotta code the keygen somehow ;)

First of all let's install this thing and see what it
has got in the way of protection. Fire it up, go to the About dialog and then the Registration tab. There will be two edit boxes, one for your name and one for a RegKey. Enter whatever you want for both of them, though I would recommend something that is easy to keep track of while roaming around in Softice. Press OK and blahhh... the dialog disappears. No error message, no sounds, no nothing. Well, since this is a dialog box, let's enter our name and regkey again, and this time set a BPX GetDlgItemTextA before we press OK. Try it and... nothing. There is one more option to try yet: check whether the program reads in the info each time a key is pressed. Disable all the breakpoints, enter your name and all but the last character of your regkey again. Enable the breakpoints again. Enter the last character and bam... Softice pops up and we're ready to go. Press F12 once to get out of GetDlgItemTextA and into our main program. You should see code that looks like this:

:0040EEB7 FFD6          call esi                       <-- this is the GetDlgItemTextA call
:0040EEB9 8D4C2470      lea ecx, dword ptr [esp+70]
:0040EEBD 51            push ecx
:0040EEBE E89DAD0200    call 00439C60
:0040EEC3 8D54242C      lea edx, dword ptr [esp+2C]
:0040EEC7 8BF0          mov esi, eax
:0040EEC9 52            push edx
:0040EECA E841AC0200    call 00439B10
:0040EECF 83C408        add esp, 00000008
:0040EED2 3BF0          cmp esi, eax
:0040EED4 7564          jne 0040EF3A

F8 or F10 down to line 0040EEBE where it calls 00439C60. Right before it is a push ecx, which is the parameter passed to this function. Do a d ecx in Softice. Hmmm... looks to me like it's our name! Now step into this call with F8. The first 18 instructions or so get the length of the name. From the cmp ecx, 00000006 line we can tell that our name has to be at least 6 characters long. The next section of code is much more interesting ;)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439CAD(C)
|
:00439C8B 85FF          test edi, edi                  /are we at the end?
:00439C8D 7420          je 00439CAF                    /yes, then go to next section
:00439C8F 8A17          mov dl, byte ptr [edi]         /put next character into dl
:00439C91 80FA20        cmp dl, 20                     /is it a space?
:00439C94 7411          je 00439CA7                    /if yes, then skip it
:00439C96 0FBED2        movsx edx, dl                  /make sure it's the only thing in edx
:00439C99 8BDA          mov ebx, edx                   /copy it to ebx
:00439C9B 0FAFD9        imul ebx, ecx                  /multiply it by ecx
:00439C9E 03DE          add ebx, esi                   /add esi to that result
:00439CA0 8D0C49        lea ecx, dword ptr [ecx+2*ecx] /ecx = ecx * 2 + ecx
:00439CA3 03C3          add eax, ebx                   /add that whole thing to eax
:00439CA5 03F2          add esi, edx                   /add the char to esi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439C94(C)
|
:00439CA7 8A5701        mov dl, byte ptr [edi+01]      /get the next char
:00439CAA 47            inc edi                        /update the pointer
:00439CAB 84D2          test dl, dl                    /at the end of the name?
:00439CAD 75DC          jne 00439C8B                   /if no, then go to beginning

Trace through this section and it becomes pretty obvious that we're at the part that makes the correct regkey for us. Just to make things clear, I'll run through what's going on here. The routine goes through the name character by character. The ASCII value of each character is multiplied by an accumulating multiplier (ecx). Then the sum of the ASCII values of all the previous characters (esi) is added to that result. These values are then summed up in eax.
This next section finishes up the regkey:

:00439CAF 99            cdq
:00439CB0 BFFFFF0000    mov edi, 0000FFFF
:00439CB5 F7FF          idiv edi                       /divide eax by 0xFFFF
:00439CB7 8BC6          mov eax, esi                   /put the ascii sum into eax
:00439CB9 BEFF000000    mov esi, 000000FF
:00439CBE 8BFA          mov edi, edx                   /move the remainder into edi
:00439CC0 99            cdq
:00439CC1 F7FE          idiv esi                       /divide eax by 0xFF
:00439CC3 C1E710        shl edi, 10                    /slide the 1st remainder into the high word of edi
:00439CC6 8BC1          mov eax, ecx                   /put the multiplier into eax
:00439CC8 B9FFFF0000    mov ecx, 0000FFFF
:00439CCD 5E            pop esi
:00439CCE 5B            pop ebx
:00439CCF 0BFA          or edi, edx                    /or the remainder of the 2nd div with edi
:00439CD1 33D2          xor edx, edx
:00439CD3 F7F1          div ecx                        /divide eax by 0xFFFF
:00439CD5 0BFA          or edi, edx                    /or the remainder of the 3rd div with edi
:00439CD7 8BC7          mov eax, edi                   /return that final result
:00439CD9 5F            pop edi
:00439CDA C3            ret

This last part takes our grand total from the first section modulo 0xFFFF and puts it into the high word of our doubleword result. It then ORs that with the ASCII sum modulo 0xFF and the multiplier modulo 0xFFFF.

Now we go back from this call and take a look at the next function call. Note that our good regkey is put into esi. Next do a d edx in Softice and you'll see that this is our entered regkey. Looks like call 00439B10 will do something with our regkey. In the first part of this function, a call is made where our regkey is compared to 'ffffffff' to make sure each character in our regkey is less than 'f'. Notice that it's compared to something 8 characters long. This implies that our regkey should probably be 8 characters long too. The second call makes our regkey lowercase.
After all that messing around we come to something more interesting:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439B80(C)
|
:00439B4D 85FF          test edi, edi

* Possible Reference to String Resource ID=00001: "2.1"
|
:00439B4F B901000000    mov ecx, 00000001
:00439B54 7E08          jle 00439B5E
:00439B56 8BD7          mov edx, edi

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439B5C(C)
|
:00439B58 C1E104        shl ecx, 04
:00439B5B 4A            dec edx
:00439B5C 75FA          jne 00439B58

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439B54(C)
|
:00439B5E 8A16          mov dl, byte ptr [esi]
:00439B60 80FA61        cmp dl, 61
:00439B63 7C08          jl 00439B6D
:00439B65 0FBED2        movsx edx, dl
:00439B68 83EA57        sub edx, 00000057
:00439B6B EB0B          jmp 00439B78

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439B63(C)
|
:00439B6D 80FA30        cmp dl, 30
:00439B70 7C0B          jl 00439B7D
:00439B72 0FBED2        movsx edx, dl
:00439B75 83EA30        sub edx, 00000030

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439B6B(U)
|
:00439B78 0FAFD1        imul edx, ecx
:00439B7B 03C2          add eax, edx

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00439B70(C)
|
:00439B7D 46            inc esi
:00439B7E 4F            dec edi
:00439B7F 4B            dec ebx
:00439B80 75CB          jne 00439B4D

A rather long piece of code, but it's actually pretty simple to follow. Lines 00439B4F through 00439B5C are a loop that sets up the multiplier for whichever byte of the regkey is being acted on in the value that will result from this routine. Lines 00439B5E to 00439B75 take each character and convert it to its hexadecimal equivalent (ie, 'f' -> 0xF). Lines 00439B78 and 00439B7B take our new hex digit, multiply it by the multiplier, and add it to a running sum. If you notice, it turns out that this function takes the last 8 characters of our regkey and converts them from hex to get the modified regkey. For example, an entered regkey of '9F0D02FD' would be turned into 0x9F0D02FD and returned.
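When you hand-translate routines like the two above, the things that usually go wrong are register width and signedness: eax is 32 bits and the first two divisions are cdq/idiv (signed), while the last is a plain div (unsigned). The following Python model is an added example, not TFC's keygen and not the player's own source; it reproduces both routines with those semantics made explicit so a translation can be checked against it. The function names are mine, the starting register values (eax = 0, esi = 0, ecx = 1) are assumed from the tutorial's own keygen, and ASCII names are assumed (movsx on a byte above 0x7F would go negative).

```python
MASK32 = 0xFFFFFFFF  # every register in the routines is 32 bits wide

def to_signed32(v):
    v &= MASK32
    return v - (1 << 32) if v & 0x80000000 else v

def idiv_rem(dividend, divisor):
    """Remainder the way cdq/idiv produces it: the sign follows the dividend
    (Python's % follows the divisor, which differs once eax's top bit is set)."""
    d = to_signed32(dividend)
    return -((-d) % divisor) if d < 0 else d % divisor

def expected_key(name):
    """Model of 00439C8B..00439CDA: eax = total, esi = ASCII sum, ecx = multiplier."""
    total = ascii_sum = 0
    multiplier = 1
    for ch in name:
        if ch == " ":                                           # cmp dl,20 / je: spaces skipped
            continue
        c = ord(ch)
        total = (total + c * multiplier + ascii_sum) & MASK32   # imul ebx,ecx / add ebx,esi / add eax,ebx
        multiplier = (multiplier * 3) & MASK32                  # lea ecx,[ecx+2*ecx]
        ascii_sum = (ascii_sum + c) & MASK32                    # add esi,edx
    high = idiv_rem(total, 0xFFFF)                              # cdq / idiv edi
    low = idiv_rem(ascii_sum, 0xFF) | (multiplier % 0xFFFF)     # cdq / idiv esi, then unsigned div ecx
    return ((high << 16) | low) & MASK32                        # shl edi,10 / or edi,edx (twice)

def parse_key(key):
    """Model of 00439B4D..00439B80: last 8 chars of the lowercased key, each digit
    weighted by 16**position; a char below '0' contributes nothing (jl 00439B7D)."""
    digits = key.lower()[-8:]
    value = 0
    for pos, ch in enumerate(digits):
        weight = 1 << (4 * (len(digits) - 1 - pos))             # the shl ecx,4 loop
        c = ord(ch)
        if c >= 0x61:                                           # 'a'.. -> sub edx,57
            value += (c - 0x57) * weight
        elif c >= 0x30:                                         # '0'.. -> sub edx,30
            value += (c - 0x30) * weight
    return value & MASK32

def key_is_valid(name, key):
    """The cmp esi, eax at the end: 8 hex chars whose value equals the name's key."""
    if len(key) != 8 or any(ch not in "0123456789abcdefABCDEF" for ch in key):
        return False
    return parse_key(key) == expected_key(name)

if __name__ == "__main__":
    print("%08x" % expected_key("abcdef"))  # constructed sample name; prints 961802df
```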
Now we know for sure that our regkey must be 8 characters long and be all hexadecimal characters! Return back out of that function and we come right upon a cmp esi, eax. This is where our modified regkey and our good regkey are compared! If all you want to do is crack this app, this is where to do it. Just flip the jne that follows or make this instruction into a cmp esi, esi. However, we want to do a little more and make a keygen. With all the information I've given you in this tutorial so far it shouldn't be too difficult to make your own keygen. For those that are having difficulties with making one I have included the source for my own keygen below.

    // The header names were lost from the text; these are the ones the code uses.
    #include <iostream>
    #include <string>
    #include <cstdio>
    #include <cctype>

    using namespace std;

    int main()
    {
        string Name;
        string Serial;
        unsigned char CurrentChar = '\0';
        unsigned int Multiplier = 1;   // ecx in the disassembly
        unsigned long Total = 0;       // eax (32-bit in the binary; matches while the total stays below 2^31)
        unsigned int AsciiSum = 0;     // esi
        unsigned int SubTotal = 0;     // ebx
        char tempname[30];

        cout << "Keygen for the Quintessential CD Player v2.1.007 (aka v2.0.200)\n";
        cout << "Brought to you by The Freelance Cracker!\n";
        cout << "2/19/2000 -- TFC\n\n";

        // This while loop gets your name and rips out spaces (and anything else
        // that isn't a letter or digit)
        while(Name.length() < 6)
        {
            cout << "Your Name (must be at least 6 characters long): ";
            if(fgets(tempname, sizeof(tempname), stdin) == NULL)   // fgets, not gets: no buffer overrun
            {
                return 1;
            }
            for(int z = 0; z < 30; z++)
            {
                if(tempname[z] == 0)
                {
                    break;
                }
                if(isalpha(tempname[z]) || isdigit(tempname[z]))
                {
                    Name += tempname[z];
                }
            }
            if(Name.length() < 6)
            {
                cout << "\nThe name must be at least 6 characters long, please enter a different name.\n\n";
                Name = "";
            }
        }

        // Here's where we come up with our magic sum for our name
        for(unsigned int c = 0; c < Name.length(); c++)
        {
            CurrentChar = Name[c];
            SubTotal = CurrentChar;
            SubTotal *= Multiplier;                        // imul ebx, ecx
            SubTotal += AsciiSum;                          // add ebx, esi
            Multiplier = (Multiplier * 2) + Multiplier;    // lea ecx, [ecx+2*ecx]
            Total += SubTotal;                             // add eax, ebx
            AsciiSum += CurrentChar;                       // add esi, edx
            SubTotal = 0;
        }

        // do those modulos and move junk
        Total = ((Total % 0xFFFF) << 0x10) | (AsciiSum % 0xFF) | (Multiplier % 0xFFFF);

        // a simple tohex() routine, most significant nibble first
        for(int x = 7; x >= 0; x--)
        {
            CurrentChar = (Total >> (x * 4)) & 0xF;   // same nibble as the original mask-and-divide, without the signed shift overflow
            CurrentChar += 0x30;                      // '0'..'9'
            if(CurrentChar >= 0x3A)
            {
                CurrentChar += 0x27;                  // 'a'..'f'
            }
            Serial += CurrentChar;
        }

        cout << "\nYour serial number is: " << Serial << "  Enjoy! :)\n\n\n";
        cout << "Press Enter to continue";
        cin.get();
        return 0;
    }

Happy cracking everyone!

,/(__, ,/(_____, ,/(______, __) /__ ) ____/ ) _____/ /__ __/ / ____/ / / / / / / / /___ /__ /he /_ /reelance /______ )racker )/ )/ )/

Don't recognize me? Well if you don't know me already.... you don't need to know. ;)

Special thanks to those who helped make this possible. You know who you are, and props to you all!

The Freelance Cracker

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #73 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

DnNuke for Interface.
tKC for Splash Logo.
L!M!T for providing a tut in this version.
TFC for providing a tut in this version.
Johnny Aum for providing 3 tuts in this version.
tKC for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at:

http://www.msjessca.da.ru
http://go.to/tKC_tutorials
http://www.tkctutsmirror.cjb.net
http://tkc.kickz-ass.com
http://www.crackstore.com/cia/

(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 25 February 2000

Cracking Tutorial #72 is dedicated to all the crackers.