Welcome to Cracking Tutorial #77!

Hiya guys,

Here's a tut77.tKC...enjoy it...

OK, let's rave!

TOOLS
~~~~~

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll
need to use all those tools, so be sure to get them handy for the examples in
this tutorial!)

   SoftICE v4.05
   W32Dasm v8.93
   Hacker's View v6.30
   SmartCheck v6.03
   ProcDump32 v1.6.2
   Windows Commander v4.03 (I use it coz it's easier to multitask)
   Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get
them when you used my older tutorials.

Here are some good sites where you can grab tools from:

   http://protools.cjb.net
   http://w3.to/protools
   http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

PART 1
~~~~~~

how to crack (look at the list) by FaT[BiT] \ TNT!CRACKTEAM!:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

karlitoxZ this tut is dedicated to U! thanx alot! u are a true friend!

Welcome to my 4th tut. In this tut we will learn how to crack the following
progz and every prog that has the same protection:

   Norton Antivirus v5.0 trial            http://www.symantec.com
   Norton Uninstall Deluxe v1.01 trial    http://www.symantec.com
   Macromedia Fireworks v1.0 trial        http://www.macromedia.com
   Macromedia Fireworks v2.0 trial        http://www.macromedia.com
   Macromedia Flash v3.0 trial            http://www.macromedia.com
   Macromedia Flash v4.0 trial            http://www.macromedia.com
   Macromedia Dreamweaver v2.0 trial      http://www.macromedia.com

and in this tut we will crack _MACROMEDIA FLASH v3.0_

toolz:
~~~~~~~

   SoftIce v4.01 *only* (or 3.x will do!)

o.k let the crack begin:
--------------------------------------------------------------------------

1) install macromedia flash 3 and run it!

2) u will be hit (ohhh!) with a screen at start up! with 3 buttons (buy now)
   and (try) and (cancel) <--- hehehehe

3) o.k click on buy now, to see a form that u have to fill! (oh shit!)
   o.k try to find a file called rsagent.ini and open it!

4) in the rsagent file try to find something like this:

      mailStat-391842=0   <-- change this to 1 and save the file

   if u found more than one line change it also! never mind the numbers
   391842, it could be different depending on the prog that u are crackin'

5) run the prog again, and click on buy now. the prog will tell u to enter ur
   name and lastname and it will give a code something like this:

      1001779729   <-- this is ur personal code

6) and it needs now the unlock code, o.k [Ctrl+d] to get in to softice, and
   set a breakpoint 'bpx getdlgitemtexta', then press F5 to quit SI

7) now enter any code u like. in my case i entered TNT!CRACKS and click on o.k

8) SI will break so press F11 to get the caller and u should see something
   like this:

      :10005602 mov edi,10030E40
      :10005607 or ecx,-01
      :1000560A xor eax,eax
      :1000560C REPNZ SCASB
      :1000560E not ecx
      :10005610 dec ecx
      :10005611 cmp ecx,0A          <--- compare our unlock code with 10
      :10005614 jz 10005655         <--- if equal then jump *must jump it*
      :10005616 lea edx,[esp+10]

9) note: if u fail this jump then u won't find the serial, so if u do fail,
   do a 'bc *' then enter any 10 digits as an unlock code

10) trace with the F10 key until 10005611, i.e here:

      :10005611 cmp ecx,0A
      :10005614 jz 10005655

    here do '? ecx' it will give u something like this:

      0000000A  0000000010  " "

11) now after u make the jump u should see something like this:

      :10005655 mov edi, 1002B060
      :1000565A or ecx, -01
      :1000565D xor eax, eax
      :1000565F lea edx, [esp+0000010C]
      :10005666 REPNZ SCASB
      :10005668 not ecx
      :1000566A sub edi, ecx
      :1000566C mov eax, ecx

12) now trace with F10 until u reach this code:

      :10005691 lea ecx, [esp+000000D8]
      :10005698 push ecx
      :10005699 push edx
      :1000569A push eax
      :1000569B call 1000B950
      :100056A0 add esp, 0C
      :100056A3 lea ecx, [esp+000000D8]
      :100056AA push 10030E40
      :100056AF push ecx            <----- here is ur serial

    now do 'd ecx' and in the data window u will see ur unlock code like this
    one:

      YFYBKIKCSS   <-- koool!

13) and at the end, i would like to say that this method also works on the
    list at the first of this tut! but with different offsets of course and
    maybe a longer trace with the F10!

14) finally i would like to thank:

      tKC       (ur tuts ROX!, i have them all!)
      LW2000    (Thank u for showing me how to use my brain!)
      R!SC      (if only ur tut is more compleX! MAn! u rox!)
      XasX      (ur toolz is great)
      karlitoxZ (u r a true friend!)
      BoneZ     (thanx for ur support! it meant alot!)

    and to all TNT!CRACK!TEAM! members and 2 all the cracking groups in the
    world!

that's it enjoy!

FaT[BiT] \ TNT!
written on 4/18/2k at 9:50 PM

and remember: 2 much cracking will kill u!

PART 2
~~~~~~

HOW TO GET THE SERIAL FOR PCWallet 5.0

Welcome to yet another cracking tutorial, written by some guy in South Africa.
This time I'll show you how to find the serial and register PCWallet 5.0

Tools Used: W32Dasm
Web: http://www2.go-concepts.com/~tima/

Ok..back from another short break but this time I was coding a patching
engine and an nfo maker for The NeXus Division (TnD). This tut is for
beginners who are trying to find their way around W32Dasm and the easy
serial check routines.

Cool...let's get started.

We start off by running pcwallet.exe and trying to register the program with
some fake information.
Click OK on the shareware nag and once inside the program, click the menu
button. Then select the About choice. "Would you like to register now?" ..
select YES and enter a code. I used 10111978.

hmm...cool..a nice little error message. Make a note of the message and click
OK. You don't need to exit the program because we will not be editing it at
all..so just open W32Dasm and load the pcwallet.exe file.

Once everything has been loaded, click the Strn Ref button or push Alt-R and
then S. Scroll down till you find the error message which popped up a bit
earlier.

   "Invalid Registration Number" - (push page down about 7 times)

Double click on the string twice to check how many times it has been
referenced inside the program and also where in the program it can be found.
You should have noticed that on both double clicks you ended up in the same
place...so it should be obvious that the string was only found once inside
the code.

   * Referenced by a (U)nconditional or (C)onditional Jump at Address:
   |:0044A688(C)
   |
   * Possible StringData Ref from Code Obj ->"Invalid Registration Number."
   |
   :0044A6F1 B844A84400   mov eax, 0044A844
   :0044A6F6 E869EBFEFF   call 00439264

Ok cool.. we can now see that the error message was called from somewhere
else because of the "* Referenced by" line at the top. So push Shift-F12 and
enter the address which appears under the word Referenced. (44A688) Hit OK
and you'll jump a bit higher up in the code to that address.

   :0044A674 E8133BFDFF   call 0041E18C
   :0044A679 8B55FC       mov edx, dword ptr [ebp-04]

   * Possible StringData Ref from Code Obj ->"808086"
   |
   :0044A67C B828A74400   mov eax, 0044A728
   :0044A681 E81A96FBFF   call 00403CA0
   :0044A686 85C0         test eax, eax
   :0044A688 7467         je 0044A6F1          ** You land here!
   :0044A68A 8D55FC       lea edx, dword ptr [ebp-04]

Ok...this looks interesting. Take a look a bit higher up. I see another
string reference, a call, a test and then the jump to the error message. You
thinking what I'm thinking?
Let's go back to the program and try "808086" in place of our fake code.

Boom! "Thank You! Your copy is now registered!" etc

Now that's what I like to see *grin*

***************************************************************
*                      That's all for now!                    *
***************************************************************

Greets to:
fREkaZ0iD, siward, Zombie, Mithrandi, [Shiver], Warchild, zero_grip,
Skiller, AnachromY, LandR, GI-Joe, psyclone, pepsi, |cepick, lesley and nj
and all other members of CrackZA and TnD

BTW: Thanks a Million for the Cell phone nj! It's sooo cool! *efg*

* Special Greets to tKC for his VERY cool lookin' tuts! Thanks man

Cracking Tutorial Written by JayT [CrackZA-TnD]
Email: CZ-JayT@iname.com
irc: hotice.co.za  Channel: #TnD

PART 3
~~~~~~

HOW TO GET THE SERIAL FOR CD/Spectrum Pro v2000.0306

Welcome to yet another cracking tutorial, written by some guy in South Africa.
This time I'll show you how to find the serial and register CD/Spectrum Pro
v2000.

Tools Used: Softice 4.01
Web: http://www.synthesoft.com/

Cool...let's get started.

We start off by running CDSPro.exe and trying to register the program with
some fake information. When the first nag screen pops up, click the "How To
Register" button. Once inside, click the "Enter Code" tab and fill in a fake
code. Before you push the submit button, you should set your breakpoints in
softice. Hit Ctrl-D and type bpx getdlgitemtexta. Press F5 to return to the
program and then push the submit button. I used 10111978 as my code.

boom...softice pops up again as we hit the submit button. Press F11 to return
to the call

   00401D32 CALL [USER32!GetDlgItemTextA]    * we land here
   00401D38 LEA EAX, [EBP-40]                * contains our fake code
   00401D3B PUSH EAX
   00401D3C CALL 00403644

Press F8 once and then type "d eax". You'll notice your fake code is now in
eax. Now press F10 about 8 times till you see the following code.

   00401D53 CALL 004030BF

Press F8 to go inside that call. Carry on pushing F8 and go inside the next
call as well.
Press F8 5 more times and you should see the following code

   00402D4D MOV EDI, [EBP+08]
   00402D50 MOV EAX, 0000C797
   00402D55 CMP EDI, EAX

Now that value in edi looks familiar. type "? edi"

Cool...our fake code again. But what's this. There's a compare using our fake
code with the value in EAX. Type ? eax to see what's inside that register. I
get "51095". You could have also typed "? C797" which was the hex value moved
into EAX

hmm..anyway..this looks interesting so let's try it and see what happens.
Clear all break points (type bc *), click OK on the error message and try our
new code.

Boom! "Thank you for registering! One or more Synthesoft products were
successfully registered."

Now that's what I like to see *grin*

***************************************************************
*                      That's all for now!                    *
***************************************************************

Greets to:
fREkaZ0iD, siward, Zombie, Mithrandi, [Shiver], Warchild, zero_grip,
Skiller, AnachromY, LandR, GI-Joe, psyclone, pepsi, |cepick, lesley and nj
and all other members of CrackZA and TnD

BTW: Thanks a Million for the Cell phone nj! It's sooo cool! *efg*

* Special Greets to tKC for his VERY cool lookin' tuts! Thanks man

Cracking Tutorial Written by JayT [CrackZA-TnD]
Email: CZ-JayT@iname.com
irc: hotice.co.za  Channel: #TnD

PART 4
~~~~~~

HOW TO GET THE SERIAL FOR Terrapin Lite v1.2.1

Welcome to yet another cracking tutorial, written by some guy in South Africa.
This time I'll show you how to find the serial and register Terrapin Lite
v1.2.

Tools Used: SmartCheck 6.03
Web: http://www.arcsoftware.co.uk

Ok...let's get started.

From the install of the program you should have been able to tell that it was
going to be a Visual Basic program. If you're not too sure how to tell from
the install, open the Terrapin.exe file in W32dasm and check the Strn Ref. It
will just confirm what I've just told ya ;) Anyway...you can tell from the
msvb*.dll files which get copied to your pc.
Also by the same old installer which most of the VB programs make use of.

Startup SmartCheck, open Terrapin.exe and press F5 or the green "play"
button. At the registration nag screen, click "Register Now" and enter your
details. I used:

   Name: JayT [CrackZA-TnD]
   Code: 10111978

Click the Register button and wait for the error message. Click OK, Cancel,
Register Later and close down the program so that we can go through all the
calls and information SmartCheck has gathered.

Change your view to Show All Events either by clicking the button with the
yellow bubble in the bottom or by pushing Alt-V and then A. In the drop down
list, next to the printer image, type in the first part of your name and hit
enter. This will do a search for the string you've typed in. I searched for
JayT

Ok..I landed at the following:

   UName.Text <-- "JayT [CrackZA-TnD]" (String)

Now if you look slightly above that, you will notice that a MsgBox was
called. Click on that line to see if there was a message. hmmm...it says the
code we entered was wrong. Ok..so the checking of the code must have happened
somewhere above this. Let's push up a few more times and see what else we can
find.

If you pushed up 13 times you should have found something really interesting.

   Len returns LONG:50

And on the right side of the screen something which looks like a reg code but
OMG it's a mission to type out.

   [-] String String1 = 0054FC94
    |   - = "11927121089315891106814105131101127611252487961997

Don't bother trying to see if it's the code. It's not..well..ok it is...kind
of. *grin*

Push up 3 more times to Mid$

   [-] String str = 004563D4
    |   - = "TPN-###-###-###"

hmm...now normally # is part of an edit mask..so let's try using the above
string but with the first 9 numbers in the long number above. Oh..just
remember the long number above will most probably be different for you so
don't panic. Just use your first 9 numbers.

So let's start the program again and try using our new reg code.
I used:

   Name: JayT [CrackZA-TnD]
   Code: TPN-119-271-210

"Registration Successful."

Damn I'm good *grin*
Now that's what I like to see *grin*

***************************************************************
*                      That's all for now!                    *
***************************************************************

Greets to:
fREkaZ0iD, siward, Zombie, Mithrandi, [Shiver], Warchild, zero_grip,
Skiller, AnachromY, LandR, GI-Joe, psyclone, pepsi, |cepick, lesley and nj
and all other members of CrackZA and TnD

* Special Greets to tKC for his VERY cool lookin' tuts! Thanks man

Cracking Tutorial Written by JayT [CrackZA-TnD]
Email: CZ-JayT@iname.com
irc: hotice.co.za  Channel: #TnD

PART 5
~~~~~~

HOW TO GET THE SERIAL FOR CoolFocus Flyer v1.0

Welcome to yet another cracking tutorial, written by some guy in South Africa.
This time I'll show you how to KeyGen CoolFocus Flyer v1.0 (java applet)

Tools Used: Jad FrontEnd Plus (for JAD "the Java Decompiler")
            BCB 4 Pro
Web: http://www.coolfocus.com

Ok...first of all I started off reading the Flyer/docs/reg.htm file which
tells you more or less what is needed for the reg code to be sent back to
you.

   "Using The Registered Applet...
    After we've received your payment, we'll email you two personalized
    codes. These codes must be added to your HTML page as applet parameters"

Ok..so now we know there will be 2 new parameters the applet can accept. Let's
decompile the applet and check out what we can find on the inside. Now before
we can do anything else, we must find and extract the .class files. I then
noticed that the Flyer.cab file was using a winzip icon, so I double clicked
on it and found the classes we had to use:

   (X:\Cool Focus\Flyer\classes\Flyer.cab) contains
      ryFlyButton.class
      ryFlyer.class
      ryFlyItem.class

Start FrontEnd.exe and then click the purple button (top left) or push Alt-F
and then D.

hmm...Java..DOH my worst subject besides Stats.

Anyway...back to the decompiled code. One of the first functions I noticed was
the one below.
Just the use of String s = getDocumentBase().toString(); and
s = s.toLowerCase(); . Now if you had read the reg.htm file, you would have
remembered that the applet will use the Base Address of your site as well as
the Reg Code.

   ------- snip ---------
   private void _mth011E()
   {
       String s = getDocumentBase().toString();   // get base URL
       s = s.toLowerCase();                        // convert to lowercase
       boolean flag = false;
   ------- snip ---------

Ok now this looks interesting. I checked in the 2 examples which came with the
program and none of them had "Base" as a parameter. This must be the Base URL
of our site then.

       String s1 = getParameter("Base");
       if(s1 == null)
       {
           s1 = "";
           _fld0108 = false;
           return;
       }
   ------- snip ---------

Ok this bit just checks to see if the Base parameter has the http included
and if it doesn't, it adds it to the address.

       {
           String s3 = s1;
           if(!s1.startsWith("http"))
               s2 = "http://" + s1;
           else
               s2 = s1;
   ------- snip ---------

hmm..scrolling a bit further down I noticed the function being called below
had a few calculations and it also used the parameter "Key" which again I
could not find in the examples. This must be the 2nd parameter they would
send us.

       try
       {
           _fld0108 = _mth011D(s2);
           return;
       }
   ------- snip ---------

   private boolean _mth011D(String s)
       throws NoSuchElementException
   {
       String s1 = getParameter("Key");            // Gets the Reg Key
       if(s1 == null)
       {
           s1 = "";                                 // if blank, return
           return false;
       }
       // below just gets the parameter "Key"
       // and unstrings it into the variables
       StringTokenizer stringtokenizer = new StringTokenizer(s1, "-");
       String s2 = stringtokenizer.nextToken();
       String s3 = stringtokenizer.nextToken();
       String s4 = stringtokenizer.nextToken();
       String s5 = stringtokenizer.nextToken();
       // get length of getDocumentBase().toString();
       int i = s.length();
       i = i * 8239 + 54;                 // This looks interesting..remember this
       i -= 23703;
       i *= 21;
       // if s2 not equal to the value calculated in i, false (error) is
       // returned. Remember s2 is the first unstring in the reg key.
       // in other words our code will look something like
       // 12345-123-123-123 (4 variables, 3 dashes)
       if(!s2.equals(Integer.toString(i)))
           return false;
       // This calls the function below and checks how many times the
       // letter in quotes appears in the base url. The answer is then
       // multiplied by either 144, 523 or 622 depending on which letter
       // we are counting (e, w, s)
       int j = _mth011C(s, 'e') * 144;
       if(!s3.equals(Integer.toString(j)))
           return false;
       j = _mth011C(s, 'w') * 523;
       if(!s4.equals(Integer.toString(j)))
           return false;
       j = _mth011C(s, 's') * 622;
       return s5.equals(Integer.toString(j));
   }

   private int _mth011C(String s, char c)
   {
       int i = 0;
       byte byte0 = 120;
       for(int j = 0; j < s.length(); j++)
       {
           char c1 = s.charAt(j);
           if(c1 == c)
               i++;
       }
       return i;
   }

hmm...so now if we reverse this check...we need something which counts the
number of chars, does the small calc using the formula above and then adds
the dashes and other totals to the end of the string. This is what I came up
with using Borland C++ Builder 4

   //-------------------------------------------------------------------------
   void __fastcall TForm1::Edit1Change(TObject *Sender)
   {
       int length;
       char name[255], NumE = 0, NumW = 0, NumS = 0;
       long value;
       char buf[256];

       length = Edit1->Text.Length();
       strcpy(name, Edit1->Text.LowerCase().c_str());

       if(!Edit1->Text.IsEmpty())
       {
           if((name[0] == 'h')&&(name[1] == 't')&&(name[2] == 't')&&
              (name[3] == 'p')&&(name[4] == ':')&&(name[5] == '/')&&
              (name[6] == '/'))
           {
               for(int i = 0; i < length; i++){
                   value = length * 8239 + 54;
                   value -= 23703;
                   value *= 21;
                   switch(name[i]){
                       case 'e': NumE++; break;
                       case 'w': NumW++; break;
                       case 's': NumS++; break;
                       default: break;
                   }
               }
               sprintf(buf, "%ld-%d-%d-%d", value, NumE*144, NumW*523, NumS*622);
               Edit2->Text = buf;
           }
           else
               Edit2->Text = "Please include http:// in your address";
       }
       else
           Edit2->Text = "";
   }
   //----------------------------------------------------------------------
   void __fastcall TForm1::FormShow(TObject *Sender)
   {
       Edit1Change(Sender);
   }
   //----------------------------------------------------------------------
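The design lesson behind Part 5 (and equally behind the constant "808086" in Part 2, the immediate C797 in Part 3 and the expected code sitting in a VB string in Part 4) is that a check whose every input ships with the client is the same thing as a key generator. The Go program below is an added example written for this page; it is neither JayT's keygen nor CoolFocus's applet. weakVerify mirrors the decompiled _mth011D/_mth011C logic above (lowercased Base URL, the "http://" default, the constants 8239, 54, 23703, 21, 144, 523, 622). signedVerify shows the alternative a vendor can ship: the server signs the normalised base URL with an Ed25519 private key, the client carries only the public key, and decompiling the client yields nothing that produces a key for a new domain. The function names, the sample domains, the hand-computed weak key for www.example.com and the freshly generated keypair are all constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"fmt"
	"strconv"
	"strings"
)

// normalizeBase mirrors what the decompiled applet does with its "Base"
// parameter: lowercase it and prepend "http://" when the scheme is missing.
func normalizeBase(baseURL string) string {
	s := strings.ToLower(strings.TrimSpace(baseURL))
	if !strings.HasPrefix(s, "http") {
		s = "http://" + s
	}
	return s
}

// weakVerify reimplements the check in _mth011D/_mth011C above. Every value
// it depends on (the base URL and the constants) is inside the applet, so
// whoever can read the class files can compute a passing key: the verifier
// and the key generator are the same arithmetic.
func weakVerify(baseURL, key string) bool {
	s := normalizeBase(baseURL)
	parts := strings.Split(key, "-")
	if len(parts) != 4 { // the applet tokenises exactly four fields on '-'
		return false
	}
	i := len(s)*8239 + 54
	i -= 23703
	i *= 21
	if parts[0] != strconv.Itoa(i) {
		return false
	}
	count := func(c string) int { return strings.Count(s, c) }
	if parts[1] != strconv.Itoa(count("e")*144) {
		return false
	}
	if parts[2] != strconv.Itoa(count("w")*523) {
		return false
	}
	return parts[3] == strconv.Itoa(count("s")*622)
}

// newVendorKeys stands in for the vendor's one-time key generation
// (constructed for this example). The private half stays on the vendor's
// server; only the public half is embedded in the shipped client.
func newVendorKeys() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// issueSignedKey is the server-side step: sign the normalised base URL.
// The key is bound to that domain and cannot be derived from the client.
func issueSignedKey(priv ed25519.PrivateKey, baseURL string) string {
	sig := ed25519.Sign(priv, []byte(normalizeBase(baseURL)))
	return base64.RawURLEncoding.EncodeToString(sig)
}

// signedVerify is the client-side step: check the signature with the
// public key. Reading this function reveals no secret worth having.
func signedVerify(pub ed25519.PublicKey, baseURL, key string) bool {
	sig, err := base64.RawURLEncoding.DecodeString(key)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(normalizeBase(baseURL)), sig)
}

func main() {
	// Constructed sample: the hand-computed weak key for www.example.com
	// (length 22, two 'e', three 'w', no 's'). www.example.org has the same
	// length and letter counts, so the weak scheme unlocks it as well.
	const weakKey = "3309789-288-1569-0"
	fmt.Println("weak,   example.com:", weakVerify("http://www.example.com", weakKey))
	fmt.Println("weak,   example.org:", weakVerify("http://www.example.org", weakKey))

	pub, priv := newVendorKeys()
	key := issueSignedKey(priv, "http://www.example.com")
	fmt.Println("signed, example.com:", signedVerify(pub, "http://www.example.com", key))
	fmt.Println("signed, example.org:", signedVerify(pub, "http://www.example.org", key))
}
```

The weak verifier accepts the same key for example.com and example.org, which shows the formula is not even domain-bound; the signed verifier rejects any domain, or any key, other than the one the vendor signed, and the only secret involved never leaves the vendor. The same reasoning applies to the binaries in Parts 2 to 4: a serial that is compared against a constant, or computed client-side and then compared, is recoverable with exactly the tools this tutorial lists.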
Ok cool...so now you have your code and everything is ready to be used. Now
just add the following to the web page you are wanting to use the applet in
and everything should be working.

***************************************************************
*                      That's all for now!                    *
***************************************************************

Greets to:
fREkaZ0iD, siward, Zombie, Mithrandi, [Shiver], Warchild, zero_grip,
Skiller, AnachromY, LandR, GI-Joe, psyclone, pepsi, |cepick, lesley and nj
and all other members of CrackZA and TnD

* Special Greets to tKC for his VERY cool lookin' tuts! Thanks man

Cracking Tutorial Written by JayT [CrackZA-TnD]
Email: CZ-JayT@iname.com
irc: hotice.co.za  Channel: #TnD

ABOUT
~~~~~

I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #78 soon! ;)

And as I said last time: Without knowledge, there's no power! ;)

Credits go to:

   DnNuke    for Interface.
   bM[tfgx]  for Splash Logo.
   FaT[BiT]  for providing a tut in this version.
   JayT      for providing 4 tuts in this version.
   tKC       for coding this version :)

All the crackers (non-members of CiA) are welcome to send tutors for the next
tutorials .. see below for my email address!

*** 80 chars per line in textfile please! ***

And all the tutors can be found at:

   http://www.crackersinaction.org

(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 25 April 2000

Cracking Tutorial #77 is dedicated to Melany...