Welcome to Cracking Tutorial #85!

Hiya guys, sorry for the delays, again I was busy with coding and all that. And now I would like to present my tKC's Tutorial Viewer 2000 v1.1! It's a faster, better viewer and tutor editor, with more features added. Also released: tKC's Tutorial Viewer 2000 Lite, for those who have problems with their 3D cards. You can find them at http://www.crackersinaction.org ... enjoy it! Here's tut85.tKC ... OK, let's rave! ... or crack, babes? :)

You'll need the following tools (I use these tools and assume you'll use them too; that doesn't mean you'll need every one of them, but keep them handy for the examples in this tutorial):

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.50
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.03 (I use it because it makes multitasking easier)
Delphi, VB, C++, or TASM to code a keygen or a patch

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any cracker to get you these tools! Are you ready?! OK! ;)

How to crack ConfigSafe 3.06.04 - make big eyes - this is a SuperTool
A crack for it in Borland Pascal 7.0

Target: ConfigSafe 3.06.04
WWW: http://www.configsafe.com
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: 2 expiration nags & splash
Tools: Hiew, W32Dasm & Windows Commander 4.03

Yes, this is one of the crackers' SuperTools, you must have it! Grab it now! Tomorrow maybe you will not have the chance! Let's crack this fast!
First: my install.exe is already expired, so I'll tell you: in install.exe at Hiew offset 949, change 7E -> EB. A gift to you!

1. 1st expiration nag (method A). Disassemble Cfgsafe.exe (32768 bytes) in W32Dasm. Look at the piece of code between 4011FC and 40124F. My ConfigSafe is expired and shows this nag: "Your evaluation period has...". If yours is not expired yet, set the system year to 2002 so the nag triggers. So, the piece of code from 4011FC: put the cursor on 401213 and press the Call button in W32Dasm. Bingo! The strings of the 1st expiration nag are there. Return to the main code. Three lines above our call, at 40120A, is jne 401222. Make it EB (jmp) and test whether the nag still appears. Works like fire! The 1st nag is gone forever! So you get my point: I found these addresses by looking for the strings of the nag. Remember our piece of code. So, in Hiew, offset 80A: 75 -> EB. But don't modify anything yet.

Method B: Let's look around a little more. If we search for the word "time", we find in IMPORT MODULE DETAILS that cw3220.dll is responsible for the functions about time, strings, access, remove, etc. (cw3220.dll is the Borland C++ runtime DLL; access() tests whether a file exists and remove() deletes one, so this protection revolves around a marker file rather than a Windows API time check.) Nice, very nice. Let's see what cw3220 and access are about; this could be something like granting access if the time is correct, right? Search for "cw3220" from the start. Interesting: first we meet cw3220_time, cw3220_strchr, cw3220_lstrcatA, cw3220_access, cw3220_remove. So the code does this: get the current time, compare the time strings from a file with the current time, and either give you access or remove the access and show you that ugly nag. Look now at W32Dasm address 401148: jne 40115B. If we jump over the function which removes the access, we can continue with no nag, yes? Let's try: Hiew offset 748: 75 -> EB. Works well! We have disabled the nag, a more professional approach.

2. Splash of ConfigSafe, tralala, with a lot of words. Look again in our piece of code a few lines down, at call 40124A; put the cursor on it and enter it with the Call button.
We see strings like "splash.ini" and API functions that attest the creation and destruction of a window. OK, let's test whether this is the right place. Return to 40124A. A few lines above, at 40123B, is je 401252. Make it EB (a sure jump over our call). OK! The splash is gone too, and it's all so easy! So, Hiew offset 83B: 74 -> EB.

3. Removing the 3rd nag, with the same strings as the 1st one. Because I don't see any repetition of the nag strings here (in Cfgsafe.exe), and the address 401164 is called from only one place, maybe the 3rd nag is in another DLL. Let's see. First it's necessary to make both modifications explained above on a copy of Cfgsafe.exe, y.exe. Do it now. Run y.exe: you see the strings of the 3rd nag. Quit and load y.exe in W32Dasm. In W32Dasm do Debug\Load Process\Load and, after loading, press Run; the nag appears; now press F7 to see which file the caller is in: cfgcheck.dll. Good, press Terminate and exit. Load a copy of this DLL, cfgcheck.dlo, in W32Dasm. Once it's loaded we see the same code pattern as in 1, method B, with cw3220_access. Go to W32Dasm address 401212. Now you see it clearly. At 401228 is our jump over cw3220_remove, jne 40123B, Hiew offset 828; change 75 to EB and ConfigSafe 3.06.04 is ready for scanning for hidden information. Job done! Enjoy this fine tool!
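The patcher below trusts neither the file size alone nor hand-copied Hiew offsets. It is an added example in Python, not Johnny AUM's code and not anything shipped with ConfigSafe: it converts W32Dasm virtual addresses to file offsets by reading the PE section table, and it checks that the byte it is about to overwrite really is the 75 (jne) or 74 (je) the tutorial expects, so a different build or an already-patched file is refused instead of corrupted. The PE image it runs on is constructed inside the block to mimic the layout implied by the tutorial's address pairs (401148 -> 748, 40120A -> 80A, 40123B -> 83B, i.e. a .text section at VA 401000 backed by file offset 600); it is not the real cfgsafe.exe, and every function name is the example's own. The same routine also fits the iMarkup patch later on this page, where 432A2C lands at file offset 32A2C because in that binary the section's raw pointer equals its RVA: the address-to-offset delta is a property of each file, not a constant.

```python
"""Added example: PE-aware byte patcher with an expected-byte check.
Not ConfigSafe code and not the tutorial author's patcher; the sample
image built by build_sample_image() is constructed for this example."""
import struct


def pe_sections(data):
    """Return (image_base, [(va, vsize, raw_ptr, raw_size), ...]) from a PE32 image."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    nsec = struct.unpack_from("<H", data, e_lfanew + 6)[0]        # COFF NumberOfSections
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]   # COFF SizeOfOptionalHeader
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:          # PE32 only; PE32+ stores ImageBase differently
        raise ValueError("only PE32 images handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    secs = []
    for i in range(nsec):
        off = opt + opt_size + 40 * i                            # 40-byte IMAGE_SECTION_HEADER entries
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, off + 8)
        secs.append((va, vsize, raw_ptr, raw_size))
    return image_base, secs


def va_to_offset(data, va):
    """Map a disassembler virtual address to the file offset a hex editor wants."""
    image_base, secs = pe_sections(data)
    rva = va - image_base
    for sec_va, vsize, raw_ptr, raw_size in secs:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            return rva - sec_va + raw_ptr
    raise ValueError("VA %#x is not inside any section" % va)


def verify_patches(data, patches):
    """Return [(va, byte_found)] for every patch whose expected original byte is not there."""
    bad = []
    for va, expected, _new in patches:
        found = data[va_to_offset(data, va)]
        if found != expected:
            bad.append((va, found))
    return bad


def apply_patches(data, patches):
    """Return a patched copy; raise if any site holds an unexpected byte (wrong build or already patched)."""
    bad = verify_patches(data, patches)
    if bad:
        raise ValueError("unexpected bytes: " + ", ".join("%#x has %#04x" % b for b in bad))
    out = bytearray(data)
    for va, _expected, new in patches:
        out[va_to_offset(data, va)] = new
    return bytes(out)


# The three sites the tutorial names in cfgsafe.exe: jne/je -> jmp (EB)
CFGSAFE_PATCHES = [(0x401148, 0x75, 0xEB), (0x40120A, 0x75, 0xEB), (0x40123B, 0x74, 0xEB)]


def build_sample_image():
    """Constructed PE32 stub: one .text section at VA 0x401000 backed by file offset 0x600,
    the layout implied by the tutorial's 401148 -> 748 pairing. Not the real cfgsafe.exe."""
    img = bytearray(0x600)
    img[:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                              # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", img, 0x84, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)  # COFF header, 1 section
    struct.pack_into("<H", img, 0x98, 0x10B)                             # optional header magic: PE32
    struct.pack_into("<I", img, 0x98 + 28, 0x400000)                     # ImageBase
    struct.pack_into("<8sIIII", img, 0x98 + 0xE0, b".text", 0x1000, 0x1000, 0x1000, 0x600)
    text = bytearray(b"\x90" * 0x1000)                                   # NOP filler
    text[0x148:0x14A] = b"\x75\x11"                                      # jne 40115B
    text[0x20A:0x20C] = b"\x75\x16"                                      # jne 401222
    text[0x23B:0x23D] = b"\x74\x15"                                      # je  401252
    return bytes(img + text)


if __name__ == "__main__":
    image = build_sample_image()
    for va, _e, _n in CFGSAFE_PATCHES:
        print("%#x -> Hiew offset %X" % (va, va_to_offset(image, va)))
    patched = apply_patches(image, CFGSAFE_PATCHES)
    print("sites now holding EB:", verify_patches(patched, CFGSAFE_PATCHES))
```

Run as a script it prints the three offsets and then shows that verify_patches on the patched copy reports EB at every site, which is how a second run detects a double patch instead of silently rewriting it. For the real files, replace build_sample_image() with the bytes of cfgsafe.exe (and a second table for cfgcheck.dll) and write the result of apply_patches to a copy.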
Here is the Pascal code for the ConfigSafe 3.06.04 crack (just in case you need it; with minor adaptations it works on any program that needs 2 files patched at a time):

>>> Borland Pascal 7.0 <<<
---cut here---
Uses Crt, Dos;

{ Patch table for cfgsafe.exe: file offset and replacement byte (jne/je -> jmp) }
Const A: Array[1..2] of Record A:Longint; B:Byte; End =
  ((A:$748;B:$EB),
   (A:$83B;B:$EB));

{ Patch table for cfgcheck.dll }
Const C: Array[1..1] of Record C:Longint; D:Byte; End =
  ((C:$828;D:$EB));

Var
  Ch:Char;
  I,J:Byte;
  F:File;
  Info:SearchRec;

Begin
  Writeln(' Johnny AUM Labs presents:');
  Writeln(' Multicrack for ConfigSafe 3.06.04');

  { Only the untouched originals have these sizes; refuse anything else }
  FindFirst('cfgsafe.exe',Archive,Info);
  if (DosError <> 0) or (Info.Size <> 32768) then begin
    Writeln(' * The file cfgsafe.exe isn''t authentic or isn''t in this subdirectory!');
    Halt(1);
  end;
  FindFirst('cfgcheck.dll',Archive,Info);
  if (DosError <> 0) or (Info.Size <> 325664) then begin
    Writeln(' * The file cfgcheck.dll isn''t authentic or isn''t in this subdirectory!');
    Halt(1);
  end;

  { Untyped file with a record size of 1, so Seek works in bytes }
  Assign(F,'cfgsafe.exe');
  {$I-} Reset(F,1); {$I+}
  if IOResult <> 0 then begin Writeln(' * Cannot open cfgsafe.exe for writing!'); Halt(1); end;
  for I:=1 to 2 do begin
    Seek(F,A[I].A);
    Ch:=Char(A[I].B);
    BlockWrite(F,Ch,1);
  end;
  Close(F);

  Assign(F,'cfgcheck.dll');
  {$I-} Reset(F,1); {$I+}
  if IOResult <> 0 then begin Writeln(' * Cannot open cfgcheck.dll for writing!'); Halt(1); end;
  for J:=1 to 1 do begin
    Seek(F,C[J].C);
    Ch:=Char(C[J].D);
    BlockWrite(F,Ch,1);
  end;
  Close(F);

  Writeln(' * OK! The files were patched successfully!');
End.
---cut here---

----------------
Greets: tKC & CIA (nice guys!), to all crackers, PRO or newbies, all cracker teams (keep going, all must become free), we are great guys, and nice too. I love you all, but be a good soul!
Romanian Greets: All the best to the warm-hearted people of Romania! Better days will come! Try to evolve spiritually if you want to be happy!
At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is pure love!
Try this: www.geocities.com/john_aum - incredible info for YOUR EYES ONLY!
Critics, comments, anything at: johnny_aum@yahoo.com
---------------Sorry if my English is not perfect!------------------------------

Find a serial in Wallpaper 1.2

Target: Wallpaper 1.2
WWW: search the web; perhaps www.profusion.com (I don't know exactly)
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: unregistered state
Tools: SoftICE & Windows Commander 4.03

Someone sent me a tutorial by HarvestR (CIA) in which 2 programs are explained, but only one is detailed: ResizeImage 3.3, plus a keygen in QBasic which is not working (HarvestR, didn't you verify it?). He asked me for a tutorial for the second one, Wallpaper 1.2, because he couldn't find the serial. Here it is...

1. HarvestR used bpx GetWindowTextA if I remember well, but I'll use my usual: hmemcpy. So, register with Johnny AUM as the name and 12345 as the serial. Type bpx hmemcpy. Ctrl-D back to the program, press Register, OK, ... zbang, we pop into SoftICE.

2. Press F5 once, you know why (the breakpoint fires twice, once for the name and once for the serial), and now press F11 to return to the caller. Then press F12 (7 times on my PC) until you get into the program code, at 14F:434176.

3. OK, good. Follow the code until mov edx,[esi+5C] at address 14F:404A6F, where register eax holds our serial. So, press F10 approximately 52 times. The cursor is on 404A6F, remember. Now you can do d 7B0D2C (the highlighted register in the upper-right corner) or d eax. What do we see? Our serial. I prefer d 7B0D2C (on your PC it could be another address).
Our serial is written here nicely (and what you entered, too): C4122305.

4. My job is done. Easy, eh? And a gift to you: name Anyone, serial A42223F5. (Unregister again by deleting the file wallpaper.ini, if I remember well.)

PS. If someone is interested, you should know that a serial for WinXFiles 4.x can also be caught with the same method LW2000 used in tut 74/part 3 with "Absolute Security... 3.x" (any version). Good job, LW2000, I like the method!

----------------
Critics, comments, anything at: johnny_aum@yahoo.com
---------------Sorry if my English is not perfect!------------------------------

Target      : Apicker
Version     : 2.0
Protection  : Name/Serial
Target-URL  : http://liusoft.8k.com/
Tools       : NuMega SmartCheck
Cracker     : draX
eMail       : draXXter@gmx.de
Group       : cRACKERS iN aCTION -=CiA=-
Tutorial    : #1 <------------- YEAH, IT'S MY FIRST ONE!

DISCLAIMER: THIS TUTORIAL IS FOR EDUCATIONAL PURPOSES ONLY! I HOLD NO RESPONSIBILITY FOR THE MISUSE OF THIS MATERIAL. I DON'T WANT TO HARM THE DEVELOPERS OF THIS PROGRAM. THIS TUTORIAL SHOULD HELP THEM TO MAKE THEIR PROTECTION BETTER. IF YOU LIKE THE PROGRAM, PLEASE BUY IT. SUPPORT THE DEVELOPERS SO THAT THEY CAN MAKE MORE TRAINING STUFF FOR US! BY READING THIS TUTORIAL YOU DECLARE THAT YOU TAKE FULL RESPONSIBILITY FOR YOUR DOINGS!

Essay:

Before we start, let's have a look at apicker.exe. Open it with your favourite hex editor (I use UltraEdit-32). Just look around a bit.
Somewhere near the top of the file you will see this: MSVBVM60.DLL. You may ask what this tells us. It shows that the program is a VB6 application. All VB apps use one of these runtime files:

VB4 ---------> VB40032.DLL (VB40016.DLL for 16-bit programs)
VB5 ---------> MSVBVM50.DLL
VB6 ---------> MSVBVM60.DLL

The code of most functions a VB program calls lives in one of these DLLs. That's the reason why VB apps are so small: they don't contain the code for their functions themselves; it's located in the VB DLLs. All VB apps need the VB runtime DLLs installed on the target PC to run properly.

Now let's start cracking this babe. Since this is a VB app, we'll use SmartCheck to crack it. SmartCheck is a very nice utility from our friends at NuMega; most VB apps can be cracked with it. SmartCheck is a run-time debugging tool that monitors our target from the background, capturing program events and errors. Open SmartCheck and load apicker.exe. After you have loaded the file, start our target and let SmartCheck reveal all its secrets. Under the VIEW menu you should activate:

SHOW ERRORS AND SPECIFIC EVENTS
ARGUMENTS
SEQUENCE NUMBERS
SUPPRESSED ERRORS

When the program is loaded, click on the button "I want to buy". Enter a mail address and a *fake* registration number. My details are:

Mail   : draX@cRACKERSiNaCTION.org
Number : 1029384756

I prefer this number because every digit appears only once, so you're able to tell the digits apart. That matters when a program does something with your registration number: if you entered something like 12121212 you couldn't recognize from which position the program took, for example, a 2. The "Register" button is activated as soon as you enter a number. Now we click the button to see what happens. As we expected, the program is not registered; instead it displays the message "Register number not valid". OK, we'll fix that bug now. Go back to SmartCheck and terminate Apicker.exe.
Since there are many program events, we can't search by hand (at least I don't search by hand; I'm too lazy) for the point where the program calculates a *real* registration number. We open the search dialog (EDIT -> FIND) and search for our registration name. In my case I searched for draX (taken from -->draX<--@cRACKERSiNaCTION.org). Once we've found the calculation routine, the *real* registration number is only a few seconds away. We see that the program cuts characters out of our mail address from the right. After many cuts, we see a number. In my case it's:

Number : 2486107

Is this the *real* registration number?? Let's try! Start Apicker again (without SmartCheck) and enter the same details as before, but this time enter the number you got from SmartCheck. A nice little window appears which tells us "Thank you for purchasing Apicker".

Program cracked! Mission complete!

The End

Wasn't hard, was it?? Some minutes of time and thinking saved us US$9.95.

Questions?? Suggestions?? Tips?? Or just wanna meet me?? Come to EFnet #c.i.a

Target      : TetFun 2000
Version     : 1.1 build 4.27.4.00
Protection  : Name/Serial
Target-URL  : http://jaibosoft.8m.com
Tools       : SoftICE 4.05, W32Dasm
Cracker     : draX
eMail       : draXXter@gmx.de
Group       : cRACKERS iN aCTION -=CiA=-
Tutorial    : #2

Essay:

Back again with a new tutorial! This time our target is a little game. After we have installed the game, we run it to see what happens. We're greeted with an annoying nag screen. We see two fields where we can enter a name and a serial.
Let's enter some *fake* details to see what the program does. I entered:

Name   : draX[CiA]
Serial : 1029384756

After you have entered your details, click the "Register" button. A message box appears and tells us that we have entered an invalid registration code. Now we'll try to fix this little bug. If you haven't loaded SoftICE yet, load it now. Enter your details again, but before you click the "Register" button switch to SoftICE (Ctrl-D). We'll set a breakpoint on hmemcpy (bpx hmemcpy). After we've set this breakpoint we'll switch back to our target by pressing Ctrl-D or entering x in the SoftICE command field. Now click the "Register" button. SoftICE breaks somewhere in KERNEL(01). We don't want to see the Windows kernel, so we have to get into the program code. We'll do this by pressing F12 9 times. Then we land at this part of code:

:00404095 57              push edi
:00404096 E896250300      call 00436631     <-- WE LAND HERE, THIS CALL GETS THE FAKE SERIAL
:0040409B 81C688000000    add esi, 00000088
:004040A1 56              push esi
:004040A2 6833040000      push 00000433
:004040A7 57              push edi
:004040A8 E884250300      call 00436631     <-- GETS OUR NAME
:004040AD 5F              pop edi
:004040AE 5E              pop esi
:004040AF C20400          ret 0004

After this part of code the program has read our name and serial from the two edit boxes. Now we want to see what the program does with our personal details. Hit F10 until you reach this important part of code:

:00404370 8B9684000000    mov edx, dword ptr [esi+00000084]
:00404376 8DBE84000000    lea edi, dword ptr [esi+00000084]
:0040437C 837AF808        cmp dword ptr [edx-08], 00000008   <-- HERE THE PROGRAM CHECKS THE LENGTH OF OUR *FAKE* SERIAL
:00404380 744B            je 004043CD                        <-- IF THE LENGTH IS 8, SKIP THE ERROR MESSAGE; OTHERWISE DISPLAY IT
:00404382 6A30            push 00000030
* Possible StringData Ref from Data Obj ->"TetFun 2000"
:00404384 68089B4400      push 00449B08
* Possible StringData Ref from Data Obj ->"ERROR! Incorrect Registration "
                                        ->"code. Please try again"
:00404389 68D09A4400      push 00449AD0

I'll explain now what the program does in this part of code. As we can see, there is a check whether something is equal to 8. While in SoftICE, look at the value that [edx-8] contains: it's the length of our *fake* serial. If you have entered something that does not have length 8, clear all breakpoints and set a new one at 40437C by double-clicking the line. Let the program run by pressing F5. Enter a new serial and hit the "Register" button again. Now SoftICE breaks at the compare instruction. This time the length of our serial is equal to 8, so the program takes the jump over the bad-serial message. The jump leads us to the following snippet of code:

:004043D4 8A0411    mov al, byte ptr [ecx+edx]
:004043D7 3C30      cmp al, 30    <-- 0
:004043D9 7426      je 00404401
:004043DB 3C31      cmp al, 31    <-- 1
:004043DD 7422      je 00404401
:004043DF 3C32      cmp al, 32    <-- 2
:004043E1 741E      je 00404401
:004043E3 3C33      cmp al, 33    <-- 3
:004043E5 741A      je 00404401
:004043E7 3C34      cmp al, 34    <-- 4
:004043E9 7416      je 00404401
:004043EB 3C35      cmp al, 35    <-- 5
:004043ED 7412      je 00404401
:004043EF 3C36      cmp al, 36    <-- 6
:004043F1 740E      je 00404401
:004043F3 3C37      cmp al, 37    <-- 7
:004043F5 740A      je 00404401
:004043F7 3C38      cmp al, 38    <-- 8
:004043F9 7406      je 00404401
:004043FB 3C39      cmp al, 39    <-- 9
:004043FD 7402      je 00404401
:004043FF 33DB      xor ebx, ebx
:00404401 41        inc ecx       <-- ECX IS THE LOOP COUNTER; WHEN ECX REACHES 8 WE LEAVE THE LOOP
:00404402 83F908    cmp ecx, 00000008
:00404405 7CCD      jl 004043D4

The byte ptr [ecx+edx] points into our *fake* serial. On each pass the current character of our serial is stored in al, and al is compared with the values 30 to 39, which are the ASCII codes of the digits 0 to 9. This loop checks the serial for characters other than 0, 1, 2, 3, 4, 5, 6, 7, 8, 9. If you have entered a letter, ebx is set to 0. Ebx is tested further down in the code, so this would also lead us to a bad-serial message.
So we'll have to remove all letters from our *fake* serial. Let's sum up what we know about the serial so far:

1. The serial must have a length of 8
2. The serial must contain only digits

If you haven't fixed your serial, do it now. We passed the first two checks. Let's see what we'll be faced with next. I think the next part of code is not so hard to understand.

:0040440D 8DAE88000000    lea ebp, dword ptr [esi+00000088]
:00404413 8B40F8          mov eax, dword ptr [eax-08]
:00404416 3DFE000000      cmp eax, 000000FE    <-- COMPARE EAX WITH 254
:0040441B 7E0E            jle 0040442B         <-- IF LESS THAN OR EQUAL, CONTINUE
:0040441D 6A30            push 00000030
* Possible StringData Ref from Data Obj ->"TetFun 2000"
:0040441F 68089B4400      push 00449B08
* Possible StringData Ref from Data Obj ->"ERROR! Name is too long. Maximum "
                                        ->"length is 256"

The program tests the length of our name. If our name is longer than 254 the program displays an error message (the message says 256, but the compare is against 254, 0xFE). If our name has the right length the program continues here:

:0040442B 83F801    cmp eax, 00000001
:0040442E 7D0E      jge 0040443E
:00404430 6A30      push 00000030

Since eax holds the length of our name, it's easy to understand what the program does now. If we had entered no name, eax would be 0, so the program displays an error message.

:0040443E 85DB        test ebx, ebx    <-- TEST IF EBX IS 0; IF NOT, CONTINUE
:00404440 7547        jne 00404489
:00404442 6A30        push 00000030
* Possible StringData Ref from Data Obj ->"TetFun 2000"
:00404444 68089B4400  push 00449B08
* Possible StringData Ref from Data Obj ->"ERROR! Incorrect Registration "
                                        ->"code. Please try again"
:00404449 68D09A4400  push 00449AD0

As I said before, here is the test of ebx. If we had entered letters in our serial, we would get an error message here. The following part of code is too big to be listed, so I'll explain briefly what the program does. Our serial is divided into 4 blocks.
I'll show you what the program does with our serial:

My *fake* serial is   : 18273645
What the proggie does : 18 27 36 45

Let the program run until we reach this point of code:

:004045C9 8BCE        mov ecx, esi
:004045CB E870020000  call 00404840    <-- HEREIN IS OUR FINAL COMPARE
:004045D0 85C0        test eax, eax
:004045D2 7539        jne 0040460D     <-- IF THE COMPARE SUCCEEDED, JUMP; ELSE DISPLAY ERROR
:004045D4 6A30        push 00000030
* Possible StringData Ref from Data Obj ->"TetFun 2000"
:004045D6 68089B4400  push 00449B08
* Possible StringData Ref from Data Obj ->"ERROR! Incorrect Registration "
                                        ->"code. Please try again"

Trace into this call by hitting F8. This is the snippet of code inside the call:

:00404840 8A442404    mov al, byte ptr [esp+04]   <-- RELOAD THE STORED VALUES
:00404844 8A4C2410    mov cl, byte ptr [esp+10]   <-- OF OUR DIVIDED *FAKE*
:00404848 8A54240C    mov dl, byte ptr [esp+0C]   <-- SERIAL FOR THE FINAL COMPARE
:0040484C 53          push ebx
:0040484D 8A5C240C    mov bl, byte ptr [esp+0C]
:00404851 3C46        cmp al, 46
:00404853 7518        jne 0040486D
:00404855 80FB25      cmp bl, 25
:00404858 7513        jne 0040486D
:0040485A 80FA41      cmp dl, 41
:0040485D 750E        jne 0040486D
:0040485F 80F922      cmp cl, 22
:00404862 7509        jne 0040486D
:00404864 B801000000  mov eax, 00000001
:00404869 5B          pop ebx
:0040486A C21000      ret 0010

This part of code reloads the values that the program generated from our serial before (18 27 36 45). The four values are compared with the listed constants. Before we get our *real* serial, we have to convert these values to decimal numbers. We do this by typing ? XX (XX represents the value) in SoftICE:

46 HEX == 70 DECIMAL
25 HEX == 37 DECIMAL
41 HEX == 65 DECIMAL
22 HEX == 34 DECIMAL

Now we test whether 70376534 is the *real* serial. As we can see, it works! Since this program has made no use of our name, this is not a real name/serial protection. You could have entered any name with this number.

Program cracked! Mission complete!

The End

Wasn't hard, was it??
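The whole check, as reconstructed from the listings above, written out in Python. This is an added example, not TetFun's code: the order of the checks, the constants 46/25/41/22 and the split of the 8 digits into four two-digit decimal values come from the disassembly; the function names, the return values and the wording of the empty-name message (which the tutorial does not quote) are assumptions. It also assumes, as the tutorial does, that the four bytes are compared in the same order as the serial's blocks. Seeing the checks in this order explains why a letter in the serial is only reported after the name checks have run: the loop merely clears ebx, and the failure surfaces at the later test ebx,ebx.

```python
"""Added example: the TetFun 2000 1.1 registration check reconstructed from
the SoftICE listings. Not the game's code; names and messages assumed where
the tutorial does not give them."""

ERR_CODE = "ERROR! Incorrect Registration code. Please try again"
ERR_NAME_LONG = "ERROR! Name is too long. Maximum length is 256"
ERR_NAME_EMPTY = "ERROR! Name is empty"   # assumed text; only the check itself is on the page

# cmp al,46 / cmp bl,25 / cmp dl,41 / cmp cl,22 inside call 00404840
EXPECTED_BLOCKS = (0x46, 0x25, 0x41, 0x22)


def split_blocks(serial):
    """18273645 -> [18, 27, 36, 45]: eight digits read as four two-digit decimal values."""
    return [int(serial[i:i + 2]) for i in range(0, 8, 2)]


def check_registration(name, serial):
    """Return (accepted, message), performing the checks in the same order as the binary."""
    # :0040437C cmp dword ptr [edx-08],8 -> the serial must be exactly 8 characters
    if len(serial) != 8:
        return False, ERR_CODE
    # :004043D4..00404405 loop: any byte outside '0'..'9' clears ebx, nothing else happens yet
    ebx = 1 if all("0" <= ch <= "9" for ch in serial) else 0
    # :00404416 cmp eax,0FE / jle -> name length must be <= 254 (message text says 256)
    if len(name) > 254:
        return False, ERR_NAME_LONG
    # :0040442B cmp eax,1 / jge -> name must not be empty
    if len(name) < 1:
        return False, ERR_NAME_EMPTY
    # :0040443E test ebx,ebx / jne -> a non-digit seen earlier only fails here
    if ebx == 0:
        return False, ERR_CODE
    # :00404840 final compare of the four blocks against the hard-coded constants
    if split_blocks(serial) != list(EXPECTED_BLOCKS):
        return False, ERR_CODE
    return True, "Registered"


def derive_serial(blocks=EXPECTED_BLOCKS):
    """Keygen for this scheme: the serial is the four constants written as two-digit decimals,
    independent of the name (nothing in the listing ever reads it)."""
    return "".join("%02d" % b for b in blocks)


if __name__ == "__main__":
    print(derive_serial())
    print(check_registration("draX[CiA]", "18273645"))      # rejected: blocks differ
    print(check_registration("draX[CiA]", "1827364a"))      # rejected at test ebx,ebx
    print(check_registration("anything", derive_serial()))  # accepted, any name
```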
Some minutes of time and thinking saved us US$10.00. Total amount saved with my tutes: US$19.95.

Questions?? Suggestions?? Tips?? Or just wanna meet me?? Come to EFnet #c.i.a

Author: Chandler
Email: chandler@dephocus.com
Date: 4th of July 2000
Target Program: iMarkup 1.03
Target Executable Usage: iUtil.exe L
Tools Used: Win32Dasm and Hiew 6.16
Cracking Method: Patching

?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?
Gathering Information

Try running 'Enter License Key' from the menu shell. It loads an application where you have the possibility to enter a license key, which you don't have since you haven't bought the app. Now open a DOS prompt, go to the iMarkup directory and type 'iUtil.exe L'; it launches the same application as before.

?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?
Finding the Solutions

You now know that it's iUtil which handles the registration; now what? Launch W32Dasm and wait for it to disassemble. Now go to 'String Data References' under 'Refs' and look for the string "License is valid". Double-click on it, and you'll see this:

:00432A8F 68F07C4D00    push 004D7CF0
:00432A94 56            push esi
:00432A95 6A00          push 00000000
etc. etc.

Now scroll up a bit till you see this:

:00432A27 83C40C        add esp, 0000000C
:00432A2A 85C0          test eax, eax
:00432A2C 0F84A9010000  je 00432BDB     <- not registered
:00432A32 395C2410      cmp dword ptr [esp+10], ebx
:00432A36 753D          jne 00432A75    <- mysterious..
etc. etc.

Ok, now use Hiew to change 0F84 at offset 32A2C to 0F85. Launch the app using iUtil.exe L... try to write whatever serial you want... wtf? It doesn't work. Let's go back and see what we've done wrong... Hmmm, remember the mysterious jump mentioned above? It might be the solution to our problem. Go to String Data References once more and search for the string 'License is not valid', double-click on it, and this will appear:

:00432BF5 68947C4D00    push 004D7C94
etc. etc.
Ok, scroll up till you see:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00432A2C(C)
|
:00432BDB 68F9000000    push 000000F9

Try Shift-F12 and type '432A2C'... now you land at the mysterious jump. Hmmm, write down the offset and launch Hiew, but this time change '753D' at offset 32A36 to '743D'. Now open iUtil.exe using 'iUtil.exe L'. Write any license key and push Enter... hmmm, did it work?

?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?=?
Logging Off

You've probably not learnt anything from this tutorial, since most crackers write stuff like this. This is extremely basic. Now you may ask: why is it so f****** basic? The reason is that I haven't cracked in half a year. The curious reader would now ask: why did you stop? Well, I got bored and started learning stuff in the security field. This made me realize that you can't get out of cracking when you have something to do concerning computers, and I didn't want to use other people's cracks. So I joined the cracking scene once again. However, I'm still in the hacking scene, erm, I mean security ;p If you seek advice concerning cracking or hacking, simply e-mail me and I'll reply as fast as possible...

So... this is MY chance to thank the ones who've really helped me on the cracking subject:

DnNuke - hey, I'm sps... just using another handle when cracking...
tKC - without your tuts I wouldn't know the basics... good job, ol' man ;)
Copyright Killer - thanks for the understanding...
STaRDoGG - hmm, wrong category... don't worry, I'll mention you in another community than cracking ;p
#c4n - some are fuckwits... the rest seem nice...

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #86 soon! ;)

Credits go to:
Johnny Aum for the splash logo.
Johnny Aum for providing 2 tuts in this version.
draX for providing 2 tuts in this version.
Chandler for providing a tut in this version.
To ALL the crackers: you are welcome to send me your tutors to publish them... see below for my email address!
*** 95 chars per line in the text file, please! ***

All the tutors can be found at: http://www.crackersinaction.org (or on IRC, ask CiA ops for URLs!)

Greetz go to all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 9 June 2000

Cracking Tutorial #85 is dedicated to Sonia...