Welcome to Cracking Tutorial #73!

Hiya guys,

What do you think of Tutor #70? Good or bad? Do you find *.tKC useful? And
sounds? Anyway here's a tut73.tKC, enjoy it!

OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:

(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll
need to use all those tools, so be sure to get them handy for the examples in
this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.30
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials.

Here is a good site where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

Name     : eXeScope
Version  : 5.11
Target   : exescope.exe
Tools    : SoftICE
           Brain
Cracker  : LW2000
Tutorial : No.64

http://www.protools.cjb.net

*** Tutorial was requested by PinguTM ***

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. Let's do it fast! Go to the regscreen and enter your details:

   Your Name: LW2000 [CiA]
   ID:        1230099

   *BOOM* 'Invalid ID or Name'

2. Disassemble the file with W32Dasm and make a deadlisting:

   * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
   |:0047CDC3(C), :0047CDD7(C)                      <-- here we go
   |
   :0047CE56 6A00            push 00000000
   :0047CE58 8D55F8          lea edx, dword ptr [ebp-08]

   * Possible StringData Ref from Code Obj ->"Invalid ID or Name"

3. k, let's take a look at 0047CDC3 and 0047CDD7:

   :0047CDBA 8B00            mov eax, dword ptr [eax]
   :0047CDBC E84B770000      call 0048450C                reg check routine
   :0047CDC1 84C0            test al, al                  al=0 ???
   :0047CDC3 0F848D000000    je 0047CE56                  error msg
   :0047CDC9 A1E8704800      mov eax, dword ptr [004870E8]
   :0047CDCE 8B00            mov eax, dword ptr [eax]
   :0047CDD0 E8A76DF8FF      call 00403B7C
   :0047CDD5 85C0            test eax, eax
   :0047CDD7 7E7D            jle 0047CE56
   :0047CDD9 8D55F4          lea edx, dword ptr [ebp-0C]

4. Above the first jump we see a call followed by a check of al. k, let's go
   into the call 0048450C.

   bpx hmemcpy

   Then press F12 until u're in the eXeScope code.

   bpx 48450C

   F5 to break there....

   :0048450C 55              push ebp
   :0048450D 8BEC            mov ebp, esp
   :0048450F 51              push ecx
   :00484510 53              push ebx
   :00484511 8955FC          mov dword ptr [ebp-04], edx
   :00484514 8B45FC          mov eax, dword ptr [ebp-04]
   :00484517 E814F8F7FF      call 00403D30
   :0048451C 33C0            xor eax, eax
   :0048451E 55              push ebp
   :0048451F 6876454800      push 00484576
   :00484524 64FF30          push dword ptr fs:[eax]
   :00484527 648920          mov dword ptr fs:[eax], esp
   :0048452A 33DB            xor ebx, ebx
   :0048452C 8B45FC          mov eax, dword ptr [ebp-04]  fake s/n
   :0048452F E848F6F7FF      call 00403B7C
   :00484534 83F80A          cmp eax, 0000000A            10 chars long?
   :00484537 7527            jne 00484560                 if not error

5. k, we must start again with a 10 char serial. Then we bypass the check:

   :00484539 8B45FC          mov eax, dword ptr [ebp-04]  eax = fake s/n
   :0048453C 803841          cmp byte ptr [eax], 41       IF not first char = A (41h)
   :0048453F 751F            jne 00484560                 then error

6. k, we must start again with A as first char in serial. Then we bypass the
   check:

   :00484541 8B45FC          mov eax, dword ptr [ebp-04]
   :00484544 0FB64008        movzx eax, byte ptr [eax+08] 9. char -> eax
   :00484548 8B55FC          mov edx, dword ptr [ebp-04]
   :0048454B 0FB65209        movzx edx, byte ptr [edx+09] 10. char -> edx
   :0048454F 03C2            add eax, edx                 eax = eax+edx
   :00484551 B90A000000      mov ecx, 0000000A
   :00484556 99              cdq
   :00484557 F7F9            idiv ecx
   :00484559 83FA04          cmp edx, 00000004            edx=4 ?
   :0048455C 7502            jne 00484560                 if not error
   :0048455E B301            mov bl, 01                   if true bl,1

7. All right boys & girls... u understand?

   -> A???????44 will always work to bypass all checks.
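   The routine traced in steps 4 to 6 looks only at the serial and never at the
   name, which is why one fixed pattern passes it. The block below is an added
   example, not code from this tutorial or from eXeScope: it re-expresses that
   check in Python, counts how many two-digit endings it accepts (it goes beyond
   the single A???????44 pattern the text gives), and contrasts it with a
   name-bound HMAC check; VENDOR_KEY and the function names are constructed for
   the example.

```python
import hashlib
import hmac


def exescope_style_check(serial: str) -> bool:
    """Re-expression of the check traced at 0048452C-0048455E above.

    Accepts a serial only if it is exactly 10 bytes (cmp eax,0Ah), its first
    byte is 'A' (cmp byte ptr [eax],41h) and the 9th and 10th bytes sum to
    4 modulo 10 (add / cdq / idiv ecx with ecx=0Ah / cmp edx,4).
    The licensee name is never consulted.
    """
    data = serial.encode("latin-1", errors="replace")
    if len(data) != 10:                   # jne 00484560 -> error
        return False
    if data[0] != 0x41:                   # first char must be 'A'
        return False
    return (data[8] + data[9]) % 10 == 4  # remainder left in edx after idiv


def digit_ending_acceptance_rate() -> float:
    """Fraction of the 100 possible two-digit endings that the check accepts.

    Bytes 2 to 8 are ignored entirely and one ending in ten passes, so the
    check constrains almost nothing about the serial.
    """
    digits = "0123456789"
    endings = [a + b for a in digits for b in digits]
    accepted = sum(exescope_style_check("A0000000" + e) for e in endings)
    return accepted / len(endings)


# --- contrast: bind the serial to the name with a keyed MAC ----------------
# VENDOR_KEY is a constructed placeholder for this example. Any key that ships
# inside the client binary can be recovered from it; a real product would use
# a signature scheme where only the vendor holds the private key.
VENDOR_KEY = b"constructed-example-key"


def issue_name_bound_serial(name: str, key: bytes = VENDOR_KEY) -> str:
    """Vendor side: derive a 16-hex-digit serial from the licensee name."""
    tag = hmac.new(key, name.encode("utf-8"), hashlib.sha256).hexdigest()
    return tag[:16].upper()


def name_bound_check(name: str, serial: str, key: bytes = VENDOR_KEY) -> bool:
    """Client side: recompute the MAC and compare in constant time.

    Unlike the eXeScope check, changing either the name or the serial makes
    this fail, and no fixed pattern passes for every name.
    """
    expected = issue_name_bound_serial(name, key).encode("ascii")
    given = serial.upper().encode("ascii", errors="replace")
    return hmac.compare_digest(expected, given)


if __name__ == "__main__":
    print("A0LW200044 accepted:", exescope_style_check("A0LW200044"))
    print("digit endings accepted:", digit_ending_acceptance_rate())
    s = issue_name_bound_serial("LW2000 [CiA]")
    print("name-bound serial for LW2000 [CiA]:", s)
    print("valid for that name:", name_bound_check("LW2000 [CiA]", s))
    print("valid for another name:", name_bound_check("someone else", s))
```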
   I choose A0LW200044 <- heya my name in s/n :))))

   Try your serial!

   Congratulation! You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Send a mail to LW2000@gmx.net or go to http://www.LW2000.cjb.net
or come to the channel #c.i.a in EFNet!

----
tKC, thx for your tutors! I started with tutor 1 and i still read them...

PART 2
~~~~~~

Name     : WinRescue 98
Version  : 4.18
Editor   : Super Win Software
Target   : Rescue98.exe
Tools    : W32Dasm
           Brain
Cracker  : LW2000
Tutorial : No.65

http://superwin.com/

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. Ok, try to register:

   'WARNING - Incorrect Key Entered'

   Load the program into W32Dasm and search in the SDR (String Data
   References) for the string.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0046A422(C)                                    <-- here we go
   |
   * Possible StringData Ref from Code Obj ->"WARNING - Incorrect Key Entered"
   |
   :0046A451 B84CA54600      mov eax, 0046A54C
   :0046A456 E84940FDFF      call 0043E4A4
   :0046A45B A14CAA4900      mov eax, dword ptr [0049AA4C]
   :0046A460 8B00            mov eax, dword ptr [eax]
   :0046A462 E89961FCFF      call 00430600

2. OK, go to 0046A422.

   * Possible StringData Ref from Code Obj ->"SvetCHRISTA"
   |
   :0046A416 B8F8A44600      mov eax, 0046A4F8
   :0046A41B E8949BF9FF      call 00403FB4
   :0046A420 85C0            test eax, eax
   :0046A422 742D            je 0046A451                  <-- Bad Boy
   :0046A424 33D2            xor edx, edx
   :0046A426 8B83F4010000    mov eax, dword ptr [ebx+000001F4]
   :0046A42C E82B60FBFF      call 0042045C

   * Possible StringData Ref from Code Obj ->"Registration Key Accepted"
   |
   :0046A431 B80CA54600      mov eax, 0046A50C
   :0046A436 E86940FDFF      call 0043E4A4
   :0046A43B A1F8AA4900      mov eax, dword ptr [0049AAF8]
   :0046A440 8B00            mov eax, dword ptr [eax]
   :0046A442 8B8014020000    mov eax, dword ptr [eax+00000214]
   :0046A448 C7400C64000000  mov [eax+0C], 00000064
   :0046A44F EB16            jmp 0046A467

3. Mhmm, 'SvetCHRISTA', what could this be *g*. Another plaintext coded
   serial... Try the serial or patch the program by NOPing the je at
   :0046A422.

   Congratulation!
   You are a registered user.

FINISH! Easy, or?

cu LW2000

Any comments? Send a mail to LW2000@gmx.net or go to http://www.LW2000.cjb.net
or come to the channel #c.i.a in EFNet!

----
tKC, thx for your tutors! I started with tutor 1 and i still read them...

PART 3
~~~~~~

-= Dedicated to : H3llsp4wn =-

Who was very patient with me, the IRC newbie. He helped me a lot to get around
with this IRC stuff... thx man :)

Name     : Remote Snap Shot
Version  : 1.0
Editor   : puresoftware
Target   : remoteSnapShot.exe
Tools    : SoftICE
           W32Dasm
           Hiew
           Brain
Cracker  : LW2000
Tutorial : No.66

---
DISCLAIMER
For educational purposes only!
I hold no responsibility for the misuse of this material!
---

1. I'd like to thank all of u for the mass feedback i got... but please, now
   stop msg'ing me on irc only 4 to say "thank you" or "i like the tuts",
   "i enjoy them", or whatever. With the time this is pretty annoying! So save
   my and your time and talk to me only about serious things. Thx!

2. So now let's do it quick (hey, most of u feedbackjunkies said that it is
   k00l that u get the facts in my tuts, instead of long and annoying text. If
   u like it so, i'll do it so, coz these are ur tuts).

   Fire up Remote Snap Shot.

   *BOOM* "IF YOU FIND THIS PROGRAM USEFULL PLEASE REGISTER."

   Let's get rid of this msgbox. Close the program and press [ctrl]+[d] to
   enter Sice and set a breakpoint on messageboxa:

   bpx messageboxa

   F5 to return to windows.

3. Start the app again. *BOOM* Sice pops up. Press F11 to get the caller.
   Close the nasty msg and ur back in code:

   0167:00402410 56            push esi

   * Reference To: USER32.MessageBoxA, Ord:01BEh

   0167:00402411 8B3534B64300  mov esi, dword ptr [0043B634]
   0167:00402417 57            push edi
   0167:00402418 6A00          push 00000000

   * Possible StringData Ref ->"Remote Snap Shot"

   0167:0040241A 68A8A14400    push 0044A1A8

   * Possible StringData Ref ->"IF YOU FIND THIS PROGRAM USEFULL "
                             ->"PLEASE REGISTER."
   0167:0040241F 6884A24400    push 0044A284
   0167:00402424 6A00          push 00000000
   0167:00402426 FFD6          call esi

   * Reference To: KERNEL32.Sleep, Ord:0296h

   0167:00402428 8B3D70B24300  mov edi, dword ptr [0043B270]   <-- here we are

4. We go to 00402428 if we pressed OK, so let's try something:

   bpx 0167:00402410

   So we break just before the API call MessageBoxA is called. Type 'bd 0' to
   disable the bpx on messageboxa and press F5 to return to the app. Now close
   the app and fire it up again.

5. *BOOM* Sice pops up! We're now on 'push esi':

   0167:00402410 56            push esi

   So let's think a bit... we want to jump over the msgbox... If we press OK
   in the msgbox we go here:

   0167:00402428 8B3D70B24300  mov edi, dword ptr [0043B270]

   HEYA! Let's jump directly to 00402428 :)

   Type 'a' and press Enter, now we can change the instructions. Type
   'jmp 0167:00402428', press Enter, press Enter again and F5 to return to the
   app.

   *BOOM* ... NO msgbox :)

   So now we must fix the file to do this every time...

6. Disassemble remoteSnapShot.exe with W32Dasm. Go to code location 00402410
   and note the offset. The file offset is 2410. Now do the same for 00402428.
   Close W32Dasm and edit the file in Hiew. Press F5 to go to code location
   2410. Press F3 for edit mode and F2 to enter asm commands. Now enter
   'jmp 2428', Enter, Enter, Esc. Press F9 to save your work and F10 to quit.

   Now try it :)

   Congratulation! You have beaten the NAG.

FINISH! Easy, or?

cu LW2000

Any comments? Send a mail to LW2000@gmx.net or go to http://www.LW2000.cjb.net
or come to the channel #c.i.a in EFNet! ... u have the choice ;P

----
tKC, thx for your tutors! I started with tutor 1 and i still read them... they
are the best!

PART 4
~~~~~~

HOW TO GET THE SERIAL FOR VOCABULIZER 2.2

Welcome to yet another cracking tutorial, written by some guy in South Africa.
This time I'll show you how to patch the SoftICE check and get the serial to
register the program.
Tools Used:
  SoftICE 4.01
  W32Dasm
  Hiew 6.16

Web: http://welcome.to/emmental

Back from a short break of chasing a pretty cool babe around for a month and
even more keen to get things going again. This is NOT going to be a SoftICE tut
but more of how to get around the easier SoftICE detection methods.

Cool... let's get started.

We start off by running vocab.exe and take note of the stupid error message
which pops up:

  "Access violation at address 0041CE1A in module 'VOCAB.EXE'. Read of address
  FFFFFFFF".

Load vocab.exe in W32Dasm and give it some time to load. Once it's loaded,
click on the Strn Ref button or push Alt-R, then S. Now basically we are
looking for anything to do with SoftICE/sice or the WinNT version, NTice.
Select one of the text strings and push Page Down about 6 times. Do you notice
anything we mentioned above? Yeah! We have a \\.\NTICE and a \\.\SICE. You'll
find a lot of "Anti-SoftICE" coding using these text strings.

Ok... so we know that there are two text strings we can search for. So fire up
Hiew and load vocab.exe. Just make sure you've closed W32Dasm down first,
otherwise you will get a "General Failure" error when trying to edit the file
later. Once it's loaded, push F7 and type in SICE. Hit Enter to continue.
Cool... it found the string. Now hit Enter once more so that we can get to the
hex and text screen. Note the S of SICE is still highlighted.

Anyway... now we want to take the easy way out and just confuse the
anti-SoftICE code by making it look for something else. Push F3 and Tab so
that we can type something over the SICE text. I used JAYT. Move down to the
NTICE and do the same. You only need to change one of the letters so that the
text string is different to what it was supposed to be. Hit F9 to save and
then F10 to exit.

Now try and run the program again. Cool! It goes through :) Click NO if it
asks if you want to register online. Now we must get the serial code to reg
the program.
I'm only going to skim over this section because it's pretty much the same as
all other serial hunting tuts. Click Option->Enter registration key and fill
in your details. I used:

  Name:    JayT
  Company: [CrackZA][TnD]
  Code:    1111-2222-3333-4444

Hit Ctrl-D to pop up SoftICE and enter a breakpoint on hmemcpy (bpx hmemcpy).
Press F5 to return to the program and click OK. Boom... SoftICE loads again.
Press F5 6 times, F11 and then F12 6 times. This should land you on

  0042B9FE  POP ESI

Now hit F10 till you see the following code:

  004CE8EF  CALL 0040416C
  004CE8F4  MOV EDX, [EBP-14]
  004CE8F7  POP EAX

Now type d eax and hit Enter. Cool hey... a nice little registration code
appears:

  Name:    JayT
  Company: [CrackZA][TnD]
  Code:    3377-6440-6464-6460

Write that down, type bc * to clear all breakpoints and hit F5 to return to
the program. Now click OK to close the error message and enter your new reg
code.

Registered! Now that's what I like to see *grin*

***************************************************************
*                     That's all for now!                     *
***************************************************************

* hey you poes why didn't you greet me in your tut too hahaha... ok ok.. your
  ma has an afro... give me a break

Greets to: fREkaZ0iD, siward, Arcane, Zombie, Mithrandi, [Shiver], Warchild,
zero_grip, Skiller, AnachromY, LandR, GI-Joe, psyclone, lesley & nj dude and
all other members of CrackZA and TnD

* Special greets to tKC for his VERY cool lookin' tuts! Thanks man

Cracking Tutorial Written by JayT [CrackZA][TnD]
Email: CZ-JayT@iname.com
irc: EFnet   Channel: #CrackZA

PART 5
~~~~~~

how to crack Solsuite v5.0 and v5.2 by FaT[BiT] :
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

before i begin this tut., this tut. is _ONLY_ for the newbies out there cuz it
is written by a newbie, and if u r an advanced cracker i think u will find
some holes in this tut. cuz there is an easy and a better way to crack this
BITCH !! but...
remember i'm a newbie and this is my first tut....... cuz i've cracked this
game about 3 times: v4.1, v5.0 and v5.2

NOTE : Never mind the word that starts with the digit 3 and best viewed on
1024 X 768

by FaT[BiT] on 8:15 AM 3/08/00

hi there and welcome to my first tut., in this tut. we will crack solsuite
v5.0 and v5.2 (ohh man 2 progz at one time !!! kewl)!!! o.k since this is my
first tut. i'm sorry for my language and i hope u understand it well to crack
solsuite ....

_______________________________________________________________________________

Tools  : win32dasm
         hiew 6.16 (any version will do)
Target : solsuite 2000 v5.0 & v5.2
URL    : http://www.solsuite.com
Type of crack : patch for version v5.0 (u should start with this one) and
                copy file only for v5.2 (copy file only, what is this !!!!
                a new method)

_______________________________________________________________________________

o.k let's ride !!!! (cracking v5.0)

- install solsuite 2000 v5.0 and copy the file solsuite.exe to the win32dasm
  ... (u can rename it to .w32 if u want .....)

- before u start to dasm solsuite.exe, run it first, u will c on the splash
  screen something like this:

    This product is licensed to : Unregistered Copy

- o.k kool !!!, then click on help\Registration Code, enter any code u like to
  get the error message. in my case i wrote ---> fuck2000

- click o.k, and u will see the message:

    This is not a valid Registration code, please try again
    <--- HOW COULD THEY !!! :(

- o.k now fire up win32dasm and when it's done, look for the message (the
  error message)

- while win32dasm finishes, i want to tell u something: u can use softice to
  find the code, but to tell u the truth i'm a newbie and i'm not that good on
  softice so this method is much easier .......

- o.k so ... after we've found the message u should see something like this:

  *Possible StringData Ref from Code Obj -> " This is not a valid Registtration "
                                        -> " code , please try again."
                                        <- error msg
  :004CB6A9 B824B74C00    mov eax,004CB724
  :004CB6AE E89573FAFF    call 00472A48
  :004CB6B3 EB0F          jmp 004CB6C4

  *Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:004CB6A7(C)
  |
  :004CB6B5 83F803        cmp eax,00000003
  :004CB6B8 750A          jne 004CB6C4

  *Possible StringData Ref from Code Obj -> "The previous registration code "
                                        -> "you have entered is not valid, "
                                        -> "please try again. "
                                        <- previous version code ??? what the
                                           hell is this message !!!!!!!
  :004CB6BA B868B74C00    mov eax,004CB768
  :004CB6BF E88473FAFF    call 00472A48

- o.k so we have our error message, but do u see what i see, the 2nd message
  is strange [y ?], i'll tell u y: if u enter an invalid serial the error
  message will appear, and the 2nd message is saying "previous registration
  code" (3aaaa !!! what previous code..) get it !!!, solsuite checks if u
  entered a code from the previous versions, o.k kool (so what !!!), when we
  enter a code and it's wrong the error message will appear, and if we entered
  a previous version code, it will say it's not valid .... so what if we
  didn't enter anything ... what will happen ????????

- scroll up just a little bit and u will see something like this:

  *Referenced by a CALL at Addresses:
  |:004D19EE, :004D2DD8, :004D2F1E      <-- What r these!!! (hmmm !! 3adasat!!!)
  |
  :004CB694 83F801        cmp eax,00000001
  :004CB697 750B          jne 004CB6A4

  *Possible StringData Ref from Code Obj -> " Please enter all of your information"
                                        -> " into the Registration code dialog "
                                        -> " box. "
                                        <- if u didn't enter any code
  :004CB699 B8D0B64C00    mov eax,004CB6D0
  :004CB69E E8A573FAFF    call 00472A48
  :004CB6A3 C3            ret
  :004CB6A4 83F802        cmp eax,00000002
  :004CB6A7 750C          jne 004CB6B5

  *Possible StringData Ref from Code Obj -> " This is not a valid Registtration "
                                        -> " code , please try again."
                                        <- error msg
  :004CB6A9 B824B74C00    mov eax,004CB724
  :004CB6AE E89573FAFF    call 00472A48
  :004CB6B3 EB0F          jmp 004CB6C4

  *Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:004CB6A7(C)
  |
  :004CB6B5 83F803        cmp eax,00000003
  :004CB6B8 750A          jne 004CB6C4

  *Possible StringData Ref from Code Obj -> "The previous registration code "
                                        -> "you have entered is not valid, "
                                        -> "please try again."
                                        <- previous version code
  :004CB6BA B868B74C00    mov eax,004CB768
  :004CB6BF E88473FAFF    call 00472A48

- Yee Haa !!! do u c what i c, there are 3 calls, each one of them puts a
  value of 01, 02 or 03 into eax, and if we look harder at these lines (a
  closer look):

  :004CB6A4 83F802        cmp eax,00000002
  :004CB6A7 750C          jne 004CB6B5

  *Possible StringData Ref from Code Obj -> "This is not a valid Registtration "
                                        -> "code , please try again."
                                        <- error msg

  you will c that there is one call from the 3 that puts 02 into eax, so let's
  find where eax is assigned 02 ....

- click on find text and enter 004D19EE, after u find it scroll up a little
  bit to see:

  :004D19E0 E85B9EFFFF    call 004CB840
  :004D19E5 84C0          test al,al
  :004D19E7 7557          jne 004D1A40
  :004D19E9 B803000000    mov eax,00000003   <- eax = 03 (here entered a
                                                previous version code)
  :004D19EE E8A19CFFFF    call 004CB694      <- goes to "The Previous ..." message

- at 004D19E9 eax is now 03, so this checks if u entered a previous version
  code

- let's move on, click on find text and enter 004D2DD8, after u find it
  scroll up to see:

  :004D2DCA E8E910F3FF    call 00403EB8
  :004D2DCF 85C0          test eax,eax
  :004D2DD1 751D          jne 004D2DF0
  :004D2DD3 B801000000    mov eax,00000001   <- eax=01 (we didn't enter any code)
  :004D2DD8 E8B788FFFF    call 004CB694      <- goes to "please enter all of ..."
                                                message

- at 004D2DD3 eax is now 01, so this checks if we entered anything in the box
  or not, if not then the "please enter all of ..." message will appear.
- click on find text and enter 004D2F1E, after u find it scroll up to see:

  :004D2F12 E8B110F3FF    call 00403EB8
  :004D2F17 745A          je 004D2F73        <- here is our good jump (good boy)
  :004D2F19 B802000000    mov eax,00000002   <- eax=02 (we entered invalid code)
  :004D2F1E E87187FFFF    call 004CB694      <- goes to "This is not a valid..."
                                                message

- o.k u got the bitch now !!!, look at line

    004D2F19  mov eax,00000002   <--- here it is

  at this line eax will equal 02 and it will call the error message, and if u
  look at line

    004D2F17  je 004D2F73        <-- if the code is good, jump to good boy

  so if we make this jump we will be registered !!!!

- so write down the offset, open hiew, open solsuite.exe, go to 004D2F17,
  press F3 then change 745A to 755A, press F9 to update, then copy back the
  file solsuite.exe to the same installed dir, run it, it will say on the
  splash screen Unregistered, click on help\Registration Code, enter any code
  like 24676, or anything u like, press o.k !!! What !!! no error message, and
  also no thank u message, only an edit box to write ur name, o.k so write ur
  name, click o.k, it will say activating solsuite.... with the progress bar,
  and then it will say the solsuite was registered successfully ...

  YEEEEEEEEEEEEEEE HAAAAAAAAAAAA!!!!!!!!!!!!!!!!!

Cracking v5.2 :
~~~~~~~~~~~~~~~

- o.k it is now cracked, but u may ask (if i want to register v5.2 do i have
  to do all this shit! again ?), to tell the truth i didn't do all this shit!
  on v5.2. if u take a look at the installed folder u will see a file
  (solsuite.cl5). cut this file from the folder and put it in any other
  folder, and then run the game, u will see it is back to unregistered. copy
  the file back to the installed folder, run the game, it is back to
  registered ...... so uninstall v5.0, then install v5.2, copy the file
  (solsuite.cl5) to the installed dir, and then run the game, what will u see
  !!!!! (3adasat !!!!)

- o.k !!! that's it, i hope u got the idea of this crack, if u have tKC tut.
  #14 or #5 u will find a source code for a patch file written in
  pascal\Delphi, try to code it ur self to make a patch file to crack this
  bitch !!!

FaT[BiT]_FaTsO

thanx : tKC (ur tut. ROX !! i have them all), R!SC, Sandman, Bullet, AcidBurn
...and to all the crackers out there ....

------> REMEMBER TOO MUCH CRACKING WILL KILL YOU <------

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #74 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

DnNuke   for Interface.
Laz      for Splash Logo.
LW2000   for providing 3 tuts in this version.
JayT     for providing a tut in this version.
FaT[BiT] for providing a tut in this version.
tKC      for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at:

http://www.msjessca.da.ru
http://go.to/tKC_tutorials
http://www.tkctutsmirror.cjb.net
http://tkc.kickz-ass.com
http://www.crackstore.com/cia

(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 13 March 2000

Cracking Tutorial #73 is dedicated to all the crackers...