Welcome to Cracking Tutorial #80!

Hi guys,

Sorry for the delays, I was busy with coding and all that shit, and still no phone at home.. Ah now, I'm proud to present you tKC's Cracking Tutorial 2000! It's a faster, better viewer, and it can read old *.tKC files too. Also you can view *.NFO or *.TXT with this viewer! It has many features, eg. change colors, load skins, print etc. You can find it at http://www.crackersinaction.org... enjoy it!

Here's tut80.tKC... OK, let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all those tools, so be sure to get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.40
SmartCheck v6.03
ProcDump32 v1.6.2
Windows Commander v4.03 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)

target     : Warzone 2100
version    : 1.10
protection : cd-check
tools      : WDasm 8.93 -> www.crackstore.com
             Hiew -> www.crackstore.com
cracker    : M.o.D.

ok, let's start.

First install Warzone (full install), take out the CD and start our target! Select singleplayer - new game. Oh no, Warzone needs a CD! Select multiplayer. Oh no, the same message! Let's fix this!

Open wdasm, disassemble warzone.exe and click on imports. Search for Kernel32.GetDriveTypeA and doubleclick on it. Many games use GetDriveTypeA to find installed CD-ROM drives. The return value of this API shows what kind of drive you have, eg 3 means hard drive, 5 means !cd-drive!.
You should see this code:

* Reference To: KERNEL32.GetDriveTypeA, Ord:0104h
|
:0040839E FF1550304F00       Call dword ptr [004F3050]
:004083A4 83F805             cmp eax, 00000005          <- !compares with cd-drive!
:004083A7 756F               jne 00408418
:004083A9 83BC242C08000001   cmp dword ptr [esp+0000082C], 00000001
:004083B1 0F8481000000       je 00408438
:004083B7 8D8C2428020000     lea ecx, dword ptr [esp+00000228]
:004083BE 6800010000         push 00000100
:004083C3 8D542414           lea edx, dword ptr [esp+14]
:004083C7 51                 push ecx
:004083C8 8D44242C           lea eax, dword ptr [esp+2C]

After the GetDriveTypeA you should see a GetVolumeInformationA. This API returns different information (label...) about a drive in your PC; in our case about the !cd!. The cd-check sets eax to 1 if the test was successful (you can find that in many other games). So we only have to make this function always return 1 in eax.

Crack:
Search for the start of this function (line 408280, here the code is called). Note the offset (8280), open warzone.exe in hiew, press F4 and select DECODE. Now press F5, enter the offset and then press F3. Enter the following text:

33C0 - clears EAX (EAX=0)
40   - increments EAX by 1 (EAX=1)
C3   - return from the function

Now save warzone.exe and start it. Select singleplayer - new game and ... it runs without CD! Select multiplayer and ... oh, what's this - another cd-check!

Go back to wdasm, click on imports and search for Kernel32.GetVolumeInformationA. Doubleclick on it several times until you see this code:

* Reference To: KERNEL32.GetVolumeInformationA, Ord:0177h
|
:00408BB8 8B1D4C304F00       mov ebx, dword ptr [004F304C]
:00408BBE 6800010000         push 00000100
:00408BC3 50                 push eax
:00408BC4 51                 push ecx
:00408BC5 8D442418           lea eax, dword ptr [esp+18]
.
.
.
* Possible StringData Ref from Data Obj ->"Wz2100"        <- warzone cd-label
|
:00408C10 68489D4F00         push 004F9D48
:00408C15 E8C69F0E00         call 004F2BE0
:00408C1A 83C408             add esp, 00000008
:00408C1D 85C0               test eax, eax
:00408C1F 747E               je 00408C9F

The same here again.
If the cd-check was successful the function returns 1 in EAX. So we have to search for the part of the code where EAX is set to 0. Mostly EAX is cleared with a "xor eax,eax". You find this at line 00408C95. Note the offset of this line.

Crack:
Open warzone.exe in hiew, press F4 and select DECODE. Now press F5, enter the offset (8C95) and then press F3. Enter the following text:

40 - increments EAX by 1 (EAX=1)
90 - no operation

Save warzone.exe, start the game, select multiplayer and ... yeah, it runs!

Congratulations! You have cracked Warzone 2100.

If you have questions or comments then mail me: MoD_f2f@gmx.net

PS: excuse my bad English!

Cu M.o.D.

========================================
          TNT!CRACK!TEAM
     ~~~~~~~~~~~~~~~~~~~~~

  * Author:  thE WiShMakEr

  * Program: HTML BUILDER v2.1

  * WWW:     http://gnuline.hypermart.net/
========================================

* dISCLAIMER:
~~~~~~~~~~~~
THIS IS FOR EDUCATIONAL PURPOSE ONLY. I'LL NOT BE BLAMED FOR A MIS-USE OF THIS MATERIAL.

* tOOLS tHAT yOU wILL nEED:
~~~~~~~~~~~~~~~~~~~~~~~~~~
= W32dasm patched with SDR enabler for VB apps by _dulelist
= Hiew 3.XX or any other hex editor
= Notepad or any other editor
= A little spare time

* Introduction:
~~~~~~~~~~~~~~
Well, well, well....this is my second tutorial. ;D Sorry for the mistakes that you may see in this tutorial. I will show you just two easy ways to register this program:

* First way:
~~~~~~~~~~~~
Make a copy of Hbdr21.exe and disassemble it with W32dasm. Now, try to enter a false registration name and key...you will see a messagebox saying: "Invalid registration key!" Keep this in mind and in W32dasm press ALT+S+F and enter that message you just saw. You should see this:

* Possible StringData Ref from Code Obj ->"Invalid registration key!"
:0059F7AC C745804C394200     mov [ebp-80], 0042394C
-----------------------------------------------------------------------

Scroll up a little bit...a little bit more...;D until you see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0059F631(U)
|
* Reference To: MSVBVM50.__vbaVarDup, Ord:0000h
:0059F786 8B35B4F45A00       mov esi, dword ptr [005AF4B4]
-----------------------------------------------------------------------

Ok...now press SHIFT+F12 and enter this Referenced Address 0059F631. After that you should see this:

* Reference To: MSVBVM50.__vbaFreeVarList, Ord:0000h
:0059F60D FF15D8F25A00       Call dword ptr [005AF2D8]
:0059F613 83C410             add esp, 00000010
:0059F616 663BFB             cmp di, bx
:0059F619 741B               je 0059F636           -> Jumps to valid reg.
:0059F61B B904000280         mov ecx, 80020004
:0059F620 B80A000000         mov eax, 0000000A
:0059F625 894D90             mov dword ptr [ebp-70], ecx
:0059F628 894588             mov dword ptr [ebp-78], eax
:0059F62B 894DA0             mov dword ptr [ebp-60], ecx
:0059F62E 894598             mov dword ptr [ebp-68], eax
:0059F631 E950010000         jmp 0059F786          -> Jumps to invalid reg.
--------------------------------------------------------------------

Ok...you must change "je 0059F636" into "jmp 0059F636", it is obvious why, isn't it? Now let's change that byte. Run the program and try to register it. It worked? Huh...what..what's wrong? You changed this and you still can't register this program? Well......If you scroll up you will see this:

* Possible StringData Ref from Code Obj ->"0000000000"
----------------------------------------------------------

Hmm....what's with this? Is this your registration key? Well...I guess you should try it.... First change that byte with Hiew or your favourite hex editor and then run the program. Enter any name you want and then enter 0000000000 as your key. What do you know....it was your registration key!
;D Now, if you want to enter any number you want...follow this jump "je 0059F636", pressing the right arrow of the keyboard, until you see this:

* Reference To: MSVBVM50.__vbaFreeObj, Ord:0000h
:0059F765 FF150CF55A00       Call dword ptr [005AF50C]
:0059F76B B904000280         mov ecx, 80020004
:0059F770 B80A000000         mov eax, 0000000A
:0059F775 6685FF             test di, di
:0059F778 894D90             mov dword ptr [ebp-70], ecx
:0059F77B 894588             mov dword ptr [ebp-78], eax
:0059F77E 894DA0             mov dword ptr [ebp-60], ecx
:0059F781 894598             mov dword ptr [ebp-68], eax
:0059F784 757B               jne 0059F801          -> Jumps if serial is good
--------------------------------------------------------------

You must change the "jne 0059F801" into "jmp 0059F801" in order to be able to enter any registration key you want. That's pretty much it.

* The second way:
~~~~~~~~~~~~~~~~~
Open your notepad or your favourite editor and write this in it:

[registered]
load=1
status=ok
user=thE WiShMakEr

Well....ok...you can put your name instead of mine ;D After that, save the file as reoqp153.dll in the directory. That's it. eASY, hUH?

* END
~~~~~
Comments or whatever at this address --> WiShMakEr_Rulez@yahoo.com

--------------------------
Another lame tute by _cdk_
^^^^^^^^^^^^^^^^^^^^^^^^^^

Target: Genocide crew crackme 8 by Gandalf
Tools: SICE for cracking, additionally ProcDump and W32Dasm for asm code-listing
Level: 2
Protection: Name/Company/Serial/Code
URL: http://genocidecrew.cjb.net

Background: Met these two nice guys Gandalf and Falcon on IRC.. Gandalf invited me to visit their very nice (!) homepage which I of course did, I never refuse an invitation :) And a few moments later I found this "huge database" with crackmes.. so I grabbed a few and here we are.

At first sight the crackme looks annoying.. four reg boxes to fill with correct values.. well.. actually two.. but let's go.
Since it's a UPX packed file we must use SICE and we'll breakpoint on hmemcpy -> BPX HMEMCPY (I'll save my snippets from here to the keygen algo ;))

:0042BF9C 8B45FC             mov eax, dword ptr [ebp-04]
:0042BF9F E8D0A5FDFF         call 00406574
:0042BFA4 A364E74200         mov dword ptr [0042E764], eax
:0042BFA9 33C0               xor eax, eax
:0042BFAB A330E74200         mov dword ptr [0042E730], eax
:0042BFB0 33C0               xor eax, eax
:0042BFB2 A334E74200         mov dword ptr [0042E734], eax
:0042BFB7 E814FEFFFF         call 0042BDD0         <-- generate "serial"
:0042BFBC E883FEFFFF         call 0042BE44         <-- generate "code"
:0042BFC1 E8E2FEFFFF         call 0042BEA8         <-- compare them to the fake ones

Let's see the 1st serial gen behind the call 42BDD0. Trace a bit and you'll be here:

:0042BE29 6908800D0000       imul ecx, dword ptr [eax], 00000D80    <-- 1.
:0042BE2F 030E               add ecx, dword ptr [esi]               <-- 2.
:0042BE31 81F115A10300       xor ecx, 0003A115                      <-- 3.
:0042BE37 890E               mov dword ptr [esi], ecx               <-- 4.
:0042BE39 83C004             add eax, 00000004                      <-- 5.
:0042BE3C FECA               dec dl                                 <-- 6.
:0042BE3E 75E9               jne 0042BE29                           <-- 7.

1. Multiply [eax] with D80 and store the result in ecx
2. Add [esi] (the previous value of ecx) to ecx
3. Xor the number in ecx with 3A115
4. Store the current value of ecx to [esi]
5. Tidy stack
6. Decrease counter
7. Loop until all done

Well.. the crackme assigns your name a bit weirdly here.. ([eax]).. see the calcs for C_DKnight:

First C_DKnight has been transformed to K_nCD (notice only five letters), then:

[K]
1. 4B * D80 = 3F480
2. 0 + 3F480 = 3F480
3. 3A115 Xor 3F480 = 5595

[_]
1. 5F * D80 = 50280
2. 5595 + 50280 = 55815
3. 3A115 Xor 55815 = 6F900

[n]
1. 6E * D80 = 5CD00
2. 6F900 + 5CD00 = CC600
3. 3A115 Xor CC600 = F6715

[C]
1. 43 * D80 = 38880
2. F6715 + 38880 = 12EF95
3. 3A115 Xor 12EF95 = 114E80

[D]
1. 44 * D80 = 39600
2. 114E80 + 39600 = 14E480
3.
3A115 Xor 14E480 = 174595

174595h = 1525141

So that was the calculation for your "Serial", which in my case is now 1525141. If you're a coder you could translate the above to a working keygen, I think.

Let's see the "Code" calc too (just trace the next call before the compare call):

:0042BE8D 6908621A0000       imul ecx, dword ptr [eax], 00001A62
:0042BE93 030E               add ecx, dword ptr [esi]
:0042BE95 81F136DC0D00       xor ecx, 000DDC36
:0042BE9B 890E               mov dword ptr [esi], ecx
:0042BE9D 83C004             add eax, 00000004
:0042BEA0 FECA               dec dl
:0042BEA2 75E9               jne 0042BE8D

Get it already? The same thing, just played with different numbers.. I think the calc routine is unnecessary to show, you should be able to calc it yourself (or just trace thru it). But I finally ended with 2480C0h = 2392256

Name:    C_DKnight
Company: cLB
Serial:  1525141
Code:    2392256

Final Notes: Nice work by Gandalf here.. I admit it was easier than I thought, coz I never knew a Russian who couldn't code well :) Well anyways we've come to the end of this tute and I'll be back if I'm as successful with the other crackmes as I was with this one.

-C_DKnight, c_dknight@iobox.com

I greet the kewl 'crew' of #c4n and other chans I idle at :p

20 seconds method to crack any version of Exescope

Target: Exescope 5.xx (probed on 5.00, 5.11 & 5.12)
WWW: http://hp.vector.co.jp/authors/VA003525/eindex.htm
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: write limitation on multiple file modifications
Tools: Hacker's View backgrounded by Windows Commander 4.03

--------Motto for my actions:-------
I'm for peace, love and prosperity and one global nation but without money to divide us and without ego, which keeps men separated! Be a man of good sense - be natural, be divine! Try to progress on the spiritual way! No God, no freedom! I'm against tyranny under any form, against mondial iudeo-masonic occult domination and against infiltrated bad race of aliens! Out with Satan from this planet! Real happiness, free and freedom for all!
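Stepping back to C_DKnight's crackme 8 walkthrough above: here is the hand calculation for both loops (the "serial" loop at 0042BE29 and the "code" loop at 0042BE8D) carried out in Python, as an added example that is not C_DKnight's or Gandalf's code. It assumes the already rearranged name (K_nCD for C_DKnight) as input, since the tutorial does not describe how the name is rearranged, and it reproduces the per-letter intermediate values so the arithmetic in the text can be checked.

```python
# Added example (not from the tutorial): the two five-round loops from the
# Genocide crew crackme 8 walkthrough, reproduced in Python.
# Input is the already rearranged name ("K_nCD" for C_DKnight); the
# tutorial does not explain that rearrangement, so it is taken as given.

MASK32 = 0xFFFFFFFF  # ecx is a 32-bit register, so keep every step in 32 bits


def crackme8_loop(rearranged: str, mul: int, xor_const: int) -> int:
    """One pass of the loop at 0042BE29 (serial) or 0042BE8D (code).

    For every character c (the dword at [eax]):
        ecx  = c * mul        ; imul ecx, dword ptr [eax], mul
        ecx += prev           ; add  ecx, dword ptr [esi]
        ecx ^= xor_const      ; xor  ecx, xor_const
        prev = ecx            ; mov  dword ptr [esi], ecx
    [esi] is zeroed by the 'xor eax,eax / mov' pairs before the call,
    so the accumulator starts at 0.
    """
    acc = 0
    for c in rearranged:
        acc = ((ord(c) * mul + acc) ^ xor_const) & MASK32
    return acc


def crackme8_serial(rearranged: str) -> int:
    # call 0042BDD0: multiplier D80h, xor constant 3A115h
    return crackme8_loop(rearranged, 0xD80, 0x3A115)


def crackme8_code(rearranged: str) -> int:
    # call 0042BE44: multiplier 1A62h, xor constant DDC36h
    return crackme8_loop(rearranged, 0x1A62, 0xDDC36)


def trace_rounds(rearranged: str, mul: int, xor_const: int):
    """Per-character (char, product, sum, xor result) tuples, matching the
    [K] / [_] / [n] / [C] / [D] steps written out in the tutorial."""
    steps, acc = [], 0
    for c in rearranged:
        product = (ord(c) * mul) & MASK32
        summed = (product + acc) & MASK32
        acc = (summed ^ xor_const) & MASK32
        steps.append((c, product, summed, acc))
    return steps


if __name__ == "__main__":
    for c, p, s, a in trace_rounds("K_nCD", 0xD80, 0x3A115):
        print(f"[{c}] {p:X} -> {s:X} -> {a:X}")
    print("Serial:", crackme8_serial("K_nCD"))  # 1525141 (174595h)
    print("Code:  ", crackme8_code("K_nCD"))    # 2392256 (2480C0h)
```

The same rearranged string fed to the second loop yields the 2480C0h value the tutorial reports for the "Code" box.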
--------

I like this program very much - Exescope 5.x - and guess what: I discovered a 20 seconds method to crack all versions that I have in my archive (5.00, 5.11 & 5.12) of Exescope and probably this will work on older (try if you have them) and future versions (that's my reason to publish this). I hope Toshi - the author - will not see this, or his friends.

Here's the fast method: hiew exescope.exe, press Enter (hex), press F7, TAB & write the text "Recent", press TAB and write in continuation 00 00, press Enter, bingo, here's the text Recent + 2 spaces and after it -> "U"=55 (hex), change it to C3. That's it! Now the program thinks it is registered! Easy, ha? (other cracking details in tKC tut 72 part 3.)

PS. Aah, you could change the shareware text in About with: Registered To: Your Name, because Toshi leaves you unregistered even if you put in the right serial. But Toshi is one of the best sw authors!

PS 2. For future versions: maybe these will be packed or crypted; use File Info 2.30 to see & if it's the case decrypt or unpack them first!

PS3. I love to be useful to you guys! And I love you all! Hey, you Johnny AUM! Too many PS-s! Pssst!

----------------
Greets: tKC & CIA (nice guys!), to all crackers, PRO or newbies, all cracker teams (keep going, we must liberate ourselves from iudeo-masonic tyranny, all must become free), we are great guys, and nice too. I love you all but be a good soul!

Romanian Greets: Happy Easter! Happy holidays! Better days will come too! Try to evolve spiritually if you want to be happy!

At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is pure love!

Try this: www.geocities.com/john_aum Incredible infos for YOUR EYES ONLY!
Critics, comments, anything at: johnny_aum@yahoo.com
---------------Sorry if my English is not perfect!------------------------------

Find a serial in Resource Scrutator 1.21

Target: Resource Scrutator 1.21
WWW: http://homepages.infoseek.com/~pavk/index.html (or search by name)
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: unregistered style
Tools: Softice backgrounded by Windows Commander 4.03

--------

Hi guys, Sylvester Stallone is back as Rambo! As tKC says (I like this), let's rave! (Wow, rave music is pure energy!) So, let's move fast!

1) Enter Resource Scrutator (this method may work in older or future versions) and we register with:

User Name: Johnny AUM
E-mail address: johnny_aum@yahoo.com
Registration ID: 12345

I recommend (to beginners) entering my data first, and after locating the right serial you could exercise with your own data. Don't press OK yet!

2) Enter Softice with CTRL-D (you know from old tuts how to work with and install this, remember some winice.dat are also there). Put bpx hmemcpy. CTRL-D. Now press OK in Scrutator. We pop into Softice. Press F5 two times (we have two sorts of names). Now press F11 for the caller. OK. Now press F10 approx. 113 times or keep F10 pressed until you arrive at address 14F:48C634 -> CALL 403E24. Maybe on your computer & Softice it looks a little different, but look for the call and for eax lighting up. Good, so we are at 48C634 (on my PC).

3) The trumpets are singing! Ready man? Let's display eax -> write in Softice: d eax.
Tam, tam, tam, tam! Bingo! In the memory (data) window is a nice number: 111610006011. You cannot guess what it is, I can bet on this! So, this is an easily caught serial, piece of cake!

4) Now you can try with your own names. Good luck! My job is done!

PS. This program can be very useful to crackers! Keep it in your archive! It's better than Restorator & Exescope sometimes! It can see more!

(*sigh* where have you found these good tools? I've never seen this Scrutator before, I will grab it as soon as possible, tnx ......tKC)

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #81 soon! ;)

Credits go to:
RSiP for the Splash Logo.
M.o.D for providing a tut in this version.
WiShMakEr for providing a tut in this version.
C_DKnight for providing a tut in this version.
Johnny Aum for providing 2 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them .. see below for my email address!

*** 95 chars per line in textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.org (or on IRC, ask CiA ops for urls)

Greetz go to all my friends!
You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 17 May 2000

Cracking Tutorial #80 is dedicated to Sonia...