Welcome to Cracking Tutorial #89!

Hiya guys, sorry for the delays, again I was busy with coding and all that... Here's tut89.tKC... OK, let's rave! ...or crack, babes? :)

You'll need the following tools (I use these tools and assume you'll use them too, but that doesn't mean you'll need all of them, so just have them handy for the examples in this tutorial!):

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.50
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.03 (I use it because it makes multitasking easier)
  Delphi, VB, C++, or TASM to code a keygen or a patch.

Don't ask me where to download all these tools, since you had a chance to get them when you used my older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any cracker to get you these tools! Are you ready?! OK! ;)

How to find a serial for Malz++Kassner CAD 4.7 Economy?
========================================================
by M.o.D. [f2f]

Tools used:
- SoftIce 4.05 (protools.exit.de)

Ok, let's start! First start our target and go to the register box. Enter your name and 1122334455 as the serial. Now open SoftICE and set a breakpoint on GetDlgItemTextA (bpx GetDlgItemTextA). Press the register button and *boom*, you're in SI. Press F5 twice and you should see a nice box telling us that our code was wrong. SI broke twice, which means the program grabs our entered name and serial, and after this it compares the serial with the good one. So press the register button again and SI should break again. Now press F5 once to get to the next GetDlgItemTextA, then press F12 to return into the program.
You should see this code:

  * Reference To: KERNEL32.lstrlenA, Ord:02A1h
  00429D17 8B3D3C225200   mov edi, dword ptr [0052223C]
  00429D1D 8D85E8FBFFFF   lea eax, dword ptr [ebp+FFFFFBE8]  -> ptr to our name
  00429D23 50             push eax
  00429D24 FFD7           call edi
  00429D26 83F804         cmp eax, 00000004                  -> EAX holds the length of our name
  00429D29 7D16           jge 00429D41                       -> jump to the next check if the name is at least 4 characters

So the program checks whether our name is at least 4 characters long (it is a jge, so a name of exactly 4 characters passes too). If yours isn't, fix that problem ;).

  00429D41 8D85ECFDFFFF   lea eax, dword ptr [ebp+FFFFFDEC]  -> ptr to our serial
  00429D47 50             push eax
  00429D48 FFD7           call edi
  00429D4A 85C0           test eax, eax                      -> tests whether we entered anything as serial
  00429D4C 7524           jne 00429D72

I think this check isn't a real problem :). We should jump to the following code:

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  :00429D4C(C), :00429D54(C)
  00429D72 8D85ECFDFFFF   lea eax, dword ptr [ebp+FFFFFDEC]  -> ptr to serial
  00429D78 50             push eax
  00429D79 8D85E8FBFFFF   lea eax, dword ptr [ebp+FFFFFBE8]  -> ptr to name
  00429D7F 50             push eax
  00429D80 E865390D00     call 004FD6EA                      -> key check routine
  00429D85 59             pop ecx
  00429D86 85C0           test eax, eax                      -> tests if we entered the correct key
  00429D88 59             pop ecx
  00429D89 7530           jne 00429DBB                       -> ! jump to registered user!

Ok, at 00429D80 the program checks our serial and then jumps (or doesn't) to the good/bad message. Clear your breakpoints (bc *) and set one on the serial check call. When you break on the call, press F8 to see what happens inside it.
We see this:

  004FD6EA 55             push ebp
  004FD6EB 8BEC           mov ebp, esp
  004FD6ED 81EC04020000   sub esp, 00000204
  004FD6F3 8D85FCFDFFFF   lea eax, dword ptr [ebp+FFFFFDFC]
  004FD6F9 50             push eax
  004FD6FA FF7508         push [ebp+08]
  004FD6FD FF750C         push [ebp+0C]
  004FD700 E84CFFFFFF     call 004FD651                      -> break here and press F8 to go into the call

After going into the call you see this:

  004FD663 8A0C02         mov cl, byte ptr [edx+eax]         -> current char of our serial (starting with the first)
  004FD666 80F930         cmp cl, 30                         -> compare with '0'
  004FD669 7C79           jl 004FD6E4                        -> below '0': bad serial
  004FD66B 80F939         cmp cl, 39                         -> compare with '9'
  004FD66E 7F74           jg 004FD6E4                        -> above '9': bad serial
  004FD670 0FBEC9         movsx ecx, cl
  004FD673 8D34BF         lea esi, dword ptr [edi+4*edi]     -> esi = edi * 5
  004FD676 42             inc edx
  004FD677 83FA05         cmp edx, 00000005                  -> 5th char of our serial?
  004FD67A 8D7C71D0       lea edi, dword ptr [ecx+2*esi-30]  -> edi = edi * 10 + (char - '0')
  004FD67E 7CE3           jl 004FD663                        -> jump to next char

Ok, here the program checks whether the first 5 chars of our serial contain only digits, and the two lea instructions convert them into a number in EDI (multiply the running value by 10 and add the digit). We should pass this check without trouble. The next check looks like this:

  004FD680 8078052D       cmp byte ptr [eax+05], 2D          -> compares the 6th char with '-'
  004FD684 755E           jne 004FD6E4                       -> jump to bad serial

We see that the 6th char of our serial has to be a '-'. So enter 11223-3445566 as the new serial. Then break at this cmp again and you'll see that we don't jump. Now comes this check:

  004FD684 755E           jne 004FD6E4
  004FD686 81FF204E0000   cmp edi, 00004E20                  -> type ? edi in SI and you see 11223
  004FD68C 7C56           jl 004FD6E4
  004FD68E 81FF14500000   cmp edi, 00005014                  -> type ? edi in SI and you see 11223

Also type ? 4E20 and ? 5014 in SI. This reveals that the first 5 chars must be a number between 20000 and 20500. So enter 20100-11223 as the new serial. Now clear your breakpoints again and set one at 004FD68E. The next check, please:

  004FD69B 8A0C02         mov cl, byte ptr [edx+eax]         -> 7th char of our serial; the loop now runs over chars 7-10
  004FD69E 80F930         cmp cl, 30                         -> compare with '0'
  004FD6A1 7C41           jl 004FD6E4
  004FD6A3 80F939         cmp cl, 39                         -> compare with '9'
  004FD6A6 7F3C           jg 004FD6E4
  004FD6A8 0FBEC9         movsx ecx, cl
  004FD6AB 8D34B6         lea esi, dword ptr [esi+4*esi]     -> esi = esi * 5
  004FD6AE 42             inc edx
  004FD6AF 83FA0A         cmp edx, 0000000A                  -> 10th char of our serial?
  004FD6B2 8D7471D0       lea esi, dword ptr [ecx+2*esi-30]  -> esi = esi * 10 + (char - '0')
  004FD6B6 7CE3           jl 004FD69B                        -> jumps to next char
  004FD6B8 8A400A         mov al, byte ptr [eax+0A]          -> compare the 11th char with '-'
  004FD6BB 3C2D           cmp al, 2D
  004FD6BD 7404           je 004FD6C3                        -> '-' found: continue with the range check
  .
  .
  .
  004FD6C3 81FEC2010000   cmp esi, 000001C2                  -> type ? esi in SI and you see the value of chars 7-10
  004FD6C9 7C19           jl 004FD6E4
  004FD6CB 81FEF4010000   cmp esi, 000001F4                  -> type ? esi in SI and you see the value of chars 7-10
  004FD6D1 7D11           jge 004FD6E4

This code looks familiar! Here the program checks whether characters 7-10 of our serial are digits, again converting them into a number, this time in ESI. Then it checks the 11th character, which must be a '-'. Furthermore the compares at 004FD6C3 and 004FD6CB reveal that characters 7-10 have to be a number between 0450 and 0499 (1C2h = 450 is accepted by the jl, but 1F4h = 500 is rejected by the jge). So enter 20100-0455-11223 as the new serial!

Ok, the last part follows now. You should break again at 004FD68E. Now press F10 until you reach line 004FD700. There you see this code:

  004FD700 E84CFFFFFF     call 004FD651
  004FD705 83C40C         add esp, 0000000C
  004FD708 85C0           test eax, eax
  004FD70A 7419           je 004FD725
  004FD70C 8D85FCFDFFFF   lea eax, dword ptr [ebp-0204]

At line 004FD70C type d eax in SI. Look at the data window and what do we see there... yes, it's our regcode! For me it is:
~~~~~~~~~~~~~
M.o.D.
20100-0455-5996-9636-82

Enter your name and serial, press the register button and you are a registered user! Ok, that's it! For questions and comments mail me: MoD_f2f@gmx.net

cu M.o.D.

ps: English isn't my mother tongue!
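The checks traced above, re-implemented in Python as an added example (this is not code from the tutorial or from the program). It models only the format rules visible in the disassembly of the routine at 004FD651: two digit loops that accumulate a decimal value with the lea trick, the two '-' positions, and the two range compares. The routine that derives the remaining groups from the name is not shown on the page, so this cannot generate a full serial; it only tells you whether the first eleven characters would survive the checks. Whether 20500 itself is accepted depends on the jump after cmp edi,5014, which the listing omits; the code assumes it is.

```python
# Added example, not from the tutorial: the serial prefix checks seen at
# 004FD651 of Malz++Kassner CAD 4.7, written out in Python.
from typing import Optional

def _parse_digits(s: str, start: int, end: int) -> Optional[int]:
    """Mirror the loops at 004FD663 and 004FD69B.

    Each character must be '0'..'9' (cmp cl,30 / jl bad ; cmp cl,39 / jg bad)
    and the running value is updated exactly as the two lea instructions do:
        lea esi,[acc+4*acc]      ; esi = 5*acc
        lea acc,[ecx+2*esi-30]   ; acc = 10*acc + (char - '0')
    Returns None where the original jumps to 004FD6E4 (bad serial).
    """
    acc = 0
    for i in range(start, end):
        if i >= len(s):
            return None
        c = s[i]
        if c < "0" or c > "9":
            return None
        acc = acc * 10 + (ord(c) - 0x30)
    return acc

def check_serial_prefix(serial: str) -> bool:
    """True if chars 1-11 of `serial` pass every check quoted in the text."""
    first = _parse_digits(serial, 0, 5)          # chars 1-5
    if first is None:
        return False
    if len(serial) < 6 or serial[5] != "-":      # cmp byte ptr [eax+05],2D
        return False
    # cmp edi,4E20 / jl bad ; cmp edi,5014 (upper bound assumed inclusive,
    # the page does not show the jump after that compare)
    if first < 0x4E20 or first > 0x5014:         # 20000 .. 20500
        return False
    second = _parse_digits(serial, 6, 10)        # chars 7-10
    if second is None:
        return False
    if len(serial) < 11 or serial[10] != "-":    # cmp al,2D at 004FD6BB
        return False
    # cmp esi,1C2 / jl bad ; cmp esi,1F4 / jge bad  => 450 .. 499
    if second < 0x1C2 or second >= 0x1F4:
        return False
    return True

if __name__ == "__main__":
    for s in ("1122334455", "11223-3445566", "20100-11223",
              "20100-0455-11223", "20100-0455-5996-9636-82"):
        print(f"{s:24} -> {'passes prefix checks' if check_serial_prefix(s) else 'bad serial'}")
```

The three intermediate serials from the walkthrough fail exactly where the text says they do (6th character, first range, 11th character), and the final serial passes; what the code cannot tell you is whether the part after the second '-' is right, since that comparison happens in code the page does not show.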
How to crack Sounder for Windows 1.1d (demo)

Target: Sounder for Windows 1.1d (demo) - exe with 565040 bytes
WWW: http://www.sounder.com
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: 5 minute nag, a few ugly words
Tools: Hiew, W32Dasm & Windows Commander 4.03

--------Secret infos about mondial occult govern and facts-------
USA and its strategic partners, including factions of aliens, have in Earth orbit a very powerful system of weapons (something like Star Wars) which was built 90% with alien technology from reptilians (masters of dreams) and dominated species of Small Greys. This system consists of special alien lasers and guns with Ultra High Frequency which are very successful in shooting and throwing down the ships and UFOs of the High Spiritual Galactic Confederation. This is no SF, it is true. And part of the energy of this system is supplied from giant installations in Alaska (Haarp project). Next time about this Haarp of Death.
--------

Hi guys, the forces of the divine are ready for a new lesson in cracking (crack everything, go deeper, experience more, this is the power of wisdom). I know this program is very easy to crack, but because I don't know a better way to make it known to as many people as possible, here it is...

A few words about this program: through it you can really have the music of New Age, a music of the spheres, calmness, peace and happiness. Thanks to the facilities offered by this program you can hear a great variety of sounds, tranquilising sounds that inspire us and you to advance on the road to God and beatitude, which is always the same.

Let's see what protections this Sounder has... So, no expiration, only a nag which reminds us that "This is the demo version of Sounder" and, eventually, these ugly words with the demo stuff. I really don't like these words, let's see what we can do...

1. First, the nag. Disassemble a copy of sounder.exe -> y.exe and search for the words above -> "This is the demo...". Bingo!
We find them at W32Dasm address 3.3A06 (a Turbo Pascal program, looks like Delphi). So we inspect the code; look at the piece of code just above it, 3.39C0 - 3.3A06. When it is time for the nag, the program runs through here and arrives at this point: 3.39C0 jl 39CB. The program passes it and arrives at the next line, 3.39C2 jg 39CD, jumps to 39CD and shows that ugly (*&^#@%zbang) nag. Good, so we must make this conditional jump go away. W32Dasm address 3.39C2 is Hiew offset 475D2; change 7F09 -> 9090. Good, let's take a deeper look! At 3.39C9 there is another conditional jump -> jnb 39CD. We must annihilate this too, so at Hiew offset 475D9 change 7302 -> 9090. We test for more than 5 or 10 minutes and notice that the nag is gone forever!

2. The disturbing words like "demo", etc. I quickly found them for you (but you can search on your own):
a. at Hiew offset 3E1AF - "(Demo)", shown at start-up and in the About/splash;
b. at Hiew offset 463D1 - "(Demo)", in the title bar;
c. at Hiew offset 8268C - ": Demo Version", in the info window; when you are in Sounder, press the "Composition Wizard" button to see this text.
All 3 texts must be replaced with spaces, 20 20 20 20 ... tralala (overwrite in place, keeping the same length). OK, enjoy this nice program, bye now!

----------------
Greets: tKC & CIA (nice guys!), to all crackers, PRO or newbies, all cracker teams (keep going, we must eliberate from iudeo-masonic tirany, all must become free), we are great guys, and nice too. I love you all but be a good soul!
Romanian Greets: All the best to the warm-hearted people of Romania! Better days will come! Try to evolve spiritually if you want to be happy!
At last, but from all my heart: I love you Heavenly Father, I know you are with me all the time! God is pure love!
Try this: www.geocities.com/john_aum Incredible infos for YOUR EYES ONLY!
Critics, comments, anything at: johnny_aum@yahoo.com
---------------Sorry if my English is not perfect!------------------------------

How to crack NoiseKiller 1.3 (a quick method to crack - for newbies)

Target: NoiseKiller 1.3
WWW: don't know precisely, but it is not important - read on
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: unregistered style
Tools: Hiew, W32Dasm & Windows Commander 4.03

Yeah, this is a very useful method for newbies (beginners in cracking) to learn. Once learned, this quick method can be applied to many other programs. So you don't really need the program, just pay attention and learn this...

1. Disassemble the exe -> noisek.exe (100336 bytes) with W32Dasm.
2. Now we try to register and we get an answer, in this case: "Incorrect identification key!".
3. Search for it in W32Dasm with Alt-S-Enter. We find the words at an address, in this case 1.18A2 (a 16-bit Delphi program, so addresses are segment.offset and the message is a string resource). OK, what do we see now?
Look at the next piece of code:

  :0001.1888 6A08         push 0008
  :0001.188A 8D4688       lea ax, [bp-78]
  :0001.188D 50           push ax
  :0001.188E 8D46A2       lea ax, [bp-5E]
  :0001.1891 50           push ax
  :0001.1892 9A68E68318   call 0001.E668        <---- THE CALL RESPONSIBLE FOR THE SERIAL CALCULATION
  :0001.1897 83C406       add sp, 0006
  :0001.189A 3D0000       cmp ax, 0000
  :0001.189D 7503         jne 18A2              <---- THE TRICKY JUMP (HIEW 1DFD)
  :0001.189F E90F00       jmp 18B1

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0001.189D(C)
  |
  * Possible Reference to String Resource ID=32773: "Incorrect identification key!"
  |
  :0001.18A2 680580       push 8005
  :0001.18A5 6A40         push 0040

As you can see, the call responsible for calculating the serial is (the function address) 1.E668. Note as well the conditional jump below it -> 1.189D jne 18A2 (Hiew offset 1DFD). It must be changed or NOPed.

4. Now let's search from the beginning for the address we obtained, because most programs have more than one serial check, maybe many. So put "1.E668" in the search window and go! Bingo! We find only 2 checks in this program - the first above - and the other at W32Dasm address 1.0290. See the code:

  :0001.0284 6A08         push 0008
  :0001.0286 8D8618FE     lea ax, [bp+FE18]
  :0001.028A 50           push ax
  :0001.028B 8D86DCFE     lea ax, [bp+FEDC]
  :0001.028F 50           push ax
  :0001.0290 9A68E67F02   call 0001.E668        <---- HERE IT CHECKS FOR THE FIRST TIME, WHEN THE PROGRAM STARTS RUNNING
  :0001.0295 83C406       add sp, 0006
  :0001.0298 3D0000       cmp ax, 0000
  :0001.029B 7503         jne 02A0              <---- THE TRICKY JUMP (HIEW 7FB)
  :0001.029D E90600       jmp 02A6

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0001.029B(C)
  |
  :0001.02A0 B80000       mov ax, 0000
  :0001.02A3 E95D03       jmp 0603

We see very quickly what's happening: here is the first check, when the program starts, and above is the second check, when the serial is entered. You also see the conditional jump which must be changed or NOPed - NOPing is the best! So now you know what to do: both jumps must be NOPed: put 9090, 9090 instead.
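The two kinds of edit made in this tutorial and in the Sounder one above (NOPing a conditional jump at a known Hiew offset, and overwriting a string with spaces) as a small Python patcher, added here as an example; it is not code from either tutorial. The one thing it adds to doing it by hand in Hiew is that it checks the bytes it expects to find before writing, which catches a different program version, a packed file, or a file that was already patched. The offsets and bytes are the NoiseKiller ones from the text; the file contents are constructed here so the script runs offline.

```python
# Added example, not from the tutorial: a fixed-offset byte patcher with
# expected-bytes verification, using the NoiseKiller offsets from the text.
from dataclasses import dataclass
from typing import Iterable, List

NOP = 0x90

@dataclass(frozen=True)
class Patch:
    offset: int   # file offset as shown by Hiew, not a segment:offset address
    old: bytes    # bytes expected at that offset before patching
    new: bytes    # replacement; must be the same length

def nop_jump(offset: int, old: bytes) -> Patch:
    """NOP out a jump of any encoding length, e.g. 75 03 -> 90 90."""
    return Patch(offset, old, bytes([NOP]) * len(old))

def blank_string(offset: int, old: bytes) -> Patch:
    """Overwrite a string with spaces (0x20), keeping its length so that
    length-prefixed strings and resource tables stay intact."""
    return Patch(offset, old, b" " * len(old))

def apply_patches(data: bytes, patches: Iterable[Patch]) -> bytes:
    """Return a patched copy of `data`; refuse to write if anything is off."""
    buf = bytearray(data)
    for p in patches:
        if len(p.old) != len(p.new):
            raise ValueError(f"patch at {p.offset:#x} would change the length")
        found = bytes(buf[p.offset:p.offset + len(p.old)])
        if found != p.old:
            # Wrong version, packed/encrypted file, or already patched.
            raise ValueError(
                f"expected {p.old.hex()} at {p.offset:#x}, found {found.hex()}")
        buf[p.offset:p.offset + len(p.new)] = p.new
    return bytes(buf)

# The two 'jne' instructions at the Hiew offsets quoted above, plus a demo
# string to blank the way the Sounder tutorial does it.
NOISEKILLER_PATCHES: List[Patch] = [
    nop_jump(0x07FB, b"\x75\x03"),        # :0001.029B jne 02A0 (start-up check)
    nop_jump(0x1DFD, b"\x75\x03"),        # :0001.189D jne 18A2 (key entry check)
    blank_string(0x1000, b"(Demo)"),      # constructed location, see make_sample()
]

def make_sample() -> bytes:
    """Constructed stand-in for noisek.exe (not the real file): zero filler
    with the two jne opcodes and a '(Demo)' string at the offsets above."""
    buf = bytearray(0x2000)
    buf[0x07FB:0x07FD] = b"\x75\x03"
    buf[0x1DFD:0x1DFF] = b"\x75\x03"
    buf[0x1000:0x1006] = b"(Demo)"
    return bytes(buf)

if __name__ == "__main__":
    patched = apply_patches(make_sample(), NOISEKILLER_PATCHES)
    print(patched[0x07FB:0x07FD].hex(), patched[0x1DFD:0x1DFF].hex(),
          patched[0x1000:0x1006])
```

Running it a second time on the patched output fails at the first patch, because 90 90 is no longer 75 03; that is the intended behaviour and the reason to record the original bytes alongside every offset.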
Now you can enter any random serial and everything works just fine. Note that other programs may have more serial checks, so search carefully. If you have no words to start with, set a breakpoint in SoftICE, identify the call responsible for the serial check and search for its address. Another thing: first check whether the exe is encrypted or packed (with File Info 2.30: put fi.exe in c:\windows\command and check by typing "fi *.*" in Windows Commander in the program's subdirectory). My hope is that this lesson will prove useful to you guys! To beginners, I mean!

PS. Description of the program: this is an old program which stops the hard disk motors when you need it to! Interesting program, but this version works only on Win 3.x. Search the web for a new version by name if you're interested! I'll do this myself soon!

----------------
Critics, comments, anything at: johnny_aum@yahoo.com
----------------Sorry if my English is not perfect!----------------------------------------------

6/18/00
Crack Update for Stardust Screensaver Toolkit version 2.153 Trial Edition, based on the awesome crack of version 2.030 by Phrozen Crew's madmax. Phrozen Crew is an amazing, amazing group. I'm sure madmax would have done a better job with this; I do this only to show admiration for the work of this group, and to educate people on how to handle the dreaded curse of version updates.
And needless to say, madmax is not responsible for any flaws that might be introduced by my update.

Stardust Screensaver Toolkit can be found at www.stardustsoftware.com. This is a very polished, simple, clean screensaver builder. Also fairly expensive ($250).

-------------------------------------------------------------------------
Okay, here is our dilemma: several cracks have been released for this proggie. To my knowledge the only recent working ones are based on madmax's (I know that someone derived a crack for 2131 but I couldn't find a copy of that). Whiskey con Tequilla is a good group, and they've released a crack for 2131, which seems to crack the main program, but the nag screen remains on screensavers produced with the program, which is less than ideal. Anyway, we find ourselves wanting the newest version of the software. So we want to update madmax's PC crack to work on the newest version. How do we do it?

Tools needed:
  Hex Workshop (or any other hex editor and binary file comparer - Hex Workshop is nice like that)
  Win32Dasm (or an equivalent disassembler)

Like my other tutorials, I tell this like a story, with my mistakes and missteps, so you get a better feeling of how you might do it if you are a semi-newbie like me. This is for educational purposes only. As always, if you use the software then buy it.
-------------------------------------------------------------------------

Step 1: We get the PC crack from astalavista.
Step 2: We find a copy of sst20te.exe, which is version 2.030 of the screensaver toolkit, using any search engine.
Step 3: We install the screensaver toolkit trial edition, back up the executable (wizard.exe), and then crack it.
Step 4: We compare the cracked and uncracked versions of wizard.exe in Hex Workshop.
  file location   bytes different
  -----------------------------------
  0x00025CB7      5 bytes
  0x001358ED      2 bytes
  0x00139AC0      2 bytes
  0x00139B3F      1 byte

Step 5: Now we install the newest version of the screensaver toolkit trial edition (2.1.53).
Step 6: Now we examine the bytes that were changed in the old version of wizard.exe and look for similar byte strings in the newest version (2.1.53) of wizard.exe. Luckily we find clear indications of the analogous locations in the new version of wizard.exe.

  old file location 0x00025CB7   new file location 000390CF   change E8F2FEFFF -> E9F5000000
  old file location 0x001358ED   new file location 0015482B   change 740A -> 9090
  old file location 0x00139AC0   new file location 0015B530   change 8B8E -> EB6F
  old file location 0x00139B3F   new file location 0015B5AE   change 27 -> 00

Step 7: Okay, so having found the analogous locations, we make the same changes to the new wizard.exe that we can see were made to version 2.0.30.
Step 8: Now we run wizard.exe, and it SEEMS to be cracked, BUT when we build a screensaver and run it, it is just blank, no pics! INTERESTING...
Step 9: Normally when updating a crack there are jumps that need to be modified, so we load all versions of wizard.exe into Win32Dasm and look for the changes.
Step 10: The first change is easy: the code in Win32Dasm was changed analogously by our Hex Workshop byte replacements.
Step 11: BUT something interesting. We can't find the code locations for the other changes.
Step 12: Then we build three screensavers: two with the old version 2.0.30 of the toolkit, one cracked and one uncracked, and one with our newly cracked version of 2.1.53.
Step 13: We compare the three screensavers in Hex Workshop, which nicely finds the differences for us. We can see the exact changes we made to wizard.exe in the .scr files! As keyboard caper would say, we are getting near the bitch's nest.
Step 14: The .scr files are readable by Win32Dasm, as they are just Windows applications.
Just like we did with the wizard.exe files, we now load the two .scr files into Win32Dasm and look for the code that represents the changes in the files. AND this reveals the mystery of why we didn't see the code in the wizard.exe file using Win32Dasm: this is code that gets built into the .scr file. We can locate the changed assembly code easily by watching the bottom line of Win32Dasm, which tells us the file offset of each line, and matching this with where Hex Workshop told us the changes were.

Step 15: Re-examining the third change we made to wizard.exe: the location in the .scr file (created by our SST2153 crack) is at file location 000090E8, which maps to code location 00409CE8 in the new .scr file. When we check out what our crack did in Win32Dasm, we see that byte-for-byte copying of the cracked bytes from version 2.0.30 was NOT quite the right thing to do, as some of the code locations have changed in the new version. The code is modified into a jump, and by looking at how the old crack ended up affecting the old .scr file, we examine the new .scr file and see what the new crack did. EUREKA! We find that the patch for the new version should patch in a jump instruction that is just one byte shorter, i.e. the patch for the new version should be 8B8E -> EB6E, and NOT 8B8E -> EB6F! (EB is a short relative jump whose second byte is the displacement from the end of the instruction, so when the code it jumps over shifts by a byte, the displacement has to change with it.)

Step 16: We make the change to the .scr file itself and test it. Hmmm, the screensaver doesn't run... Let's make the change to the wizard.exe file instead (file location 0015B530 ???? -> EB6E; we use ???? because the value will depend on whether you made the first, incorrect patch or not). YEAH! Created screensavers work. There must have been some sort of CRC check that we invalidated when we patched the .scr file directly.

Step 17a: Now let's just do some cleanup. The "Trial Edition" words that appear on the Preferences About box are at location 000A8D5E. There are lots more places where it says trial edition, but they don't come up, at least not that I can find in the cracked version.
We change this to say "Flying Raichu Ed."

Step 17b: The words used for the user's name and digital ID are at file locations 00096D44 and 00096D50. SO, once you install this, the user should modify these to reflect their name. For the default user of the crack we erase them by replacing the first 2 bytes of each of the user name and the digital ID (which say TRIAL USER and NOT APPLICABLE) with 2000, i.e. a space followed by a NUL terminator. (The space is necessary - if we change it to 0000, it breaks.) We also change the 2E at file location 000974201A to 20, changing a period after the copyright to a space, and move the "All Rights Reserved" string one space to the right, since this looks better when there is no user name, the default after installing the crack.

Step 17c: We want to change the version name that appears across the top of the main window, "Stardust Screen Saver Toolkit 2.1.53 TE", which is at location 000A91EE: we change it to "Stardust Screen Saver Toolkit 2.1.53 FR" to denote Free or Flying Raichu.

Step 17d: When the user installs the screen saver and clicks on Properties -> About, they will see an Authentication Certificate which says "NOT LICENSED FOR DISTRIBUTION". YUCK. We don't want this to hang around. The string in question is at location 001BFE3A. At first we thought about changing it to something like "FULL DISTRIBUTION LICENSE", BUT that would make it obvious to anyone who knew better that this was not registered. Instead we change it to an appropriate number of random digits with the words "flying raichu" embedded within them. Ego is a terrible thing. Sorry. Anyway, the user should change this to their own value.

Step 17e: NOTE that you should NOT try to distribute commercially any screensavers made with a cracked version of this software. First, Stardust could easily tell that your certificate is invalid, and second, if you are going to try to make money off this, you should buy the real software.
Step 18: NOW, to get really fancy, we decide to modify the main window bitmap, which says "TRIAL EDITION" on the bottom right. This is a bitmap resource embedded inside the wizard.exe file, so to get at it we use Restorator, a very clever program for doing such things. Restorator extracts the bitmap; we bring it into Photoshop, splice in a replacement "FLYING RAICHU EDITION" and then use Restorator to save the bitmap back into wizard.exe. Unfortunately Restorator changed the size of the file, which can create havoc for the patcher, so instead of using Restorator to put the bitmap back in, we manually replace it using Hex Workshop. Don't know if other resource editors would cause the same problem (Restorator is very impressive but also a little weird).

Step 19: We package the crack using Perfx's wonderful PatchFX. Thanks Perfx!

Step 20: No more steps, we're done! Hope you enjoyed this story. Again my highest respect for Phrozen Crew, keyboard caper, and madmax's brilliant work. Research always.

- Flying Raichu

6/23/00
Potentially universal crack for time-locked and registerable screensavers built using the Stardust Screensaver Toolkit (tested mainly using version 2.1.53).

This crack is dedicated by Flying Raichu to Dennis Bergkamp, who never gets the credit he deserves.

The Stardust Screensaver Toolkit can be found at www.stardustsoftware.com, and a separate crack exists for that program. What this crack does is crack the screensavers themselves that have been built with this program.

Story Of the Crack
------------------------------
---------------------------
Searching for the registry keys through which the screensaver knows it has expired, etc., using Regmon and watching what happens when I enter the proper code:

  HKEY_LOCAL_MACHINE\Software\ \screensavername
  HKEY_LOCAL_MACHINE\Software\ \screensavername\Data1
  HKEY_LOCAL_MACHINE\Software\ \screensavername\Data2

It doesn't access these, but keys also exist in:

  HKEY_CURRENT_USER\Software\ \screensavername

OKAY, I made an uninstallscreensaver.reg file; if you delete these keys the screensaver resets to its initial state. GOOD for testing. AND this will reset any time expiration that any screensaver has.

-------------------
Now we found the file that gets created after you register a screensaver:

  C:\Windows\System\screensavername.srg

This was hinted at by the references to *.srg found above. Looking in this binary file we can actually make out our registration number:

  08 00 00 00 39 36 36 35 31 38 32 00

(our number was 9665182, which appears with the digit 3 in front of each of our digits, i.e. as 39 36 36 35 31 38 32, because that is simply how the digits are encoded in ASCII; the first byte (8) is probably the length of the key).

Does it create the .srg file even if you enter a bad registration number? We restart and try it. Interesting... If you put in an incorrect registration key, it takes it but doesn't complain, doesn't unlock, and does NOT create an .srg file. Hmm... what would happen if we built our own .srg file, incorrect and correct versions? We try it. Interesting... It doesn't complain, just reverts to the trial version. If you go into settings and enter a correct key, it modifies the .srg file back to a good copy again.

----------------------------
Well, now we have a game plan: find the code that looks for/reads the .srg file and trick it into thinking it found a good .srg file when really none exists at all! Ha! We are sneaky bastards.
------------------------------
----------------------------
Loading a screensaver *.scr file into Win32Dasm.
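The .srg contents quoted above, parsed and rebuilt in Python as an added example (not code from the tutorial). The layout used here, a 4-byte little-endian length followed by the NUL-terminated ASCII key, is an interpretation of that single sample: the leading 08 00 00 00 reads as the dword 8, which is seven digits plus the terminator, so the length counts the NUL. The page does not document the format beyond this one file, so treat the structure as an assumption.

```python
# Added example, not from the tutorial: read and write the .srg registration
# file using the layout inferred from the one sample on the page.
import struct

SAMPLE_SRG = bytes.fromhex("080000003936363531383200")   # quoted in the text

def parse_srg(data: bytes) -> str:
    """Return the key stored in an .srg blob, validating the length field."""
    if len(data) < 4:
        raise ValueError("truncated .srg header")
    (length,) = struct.unpack_from("<I", data, 0)     # little-endian dword
    body = data[4:4 + length]
    if len(body) != length or not body.endswith(b"\x00"):
        raise ValueError("length field does not match the body")
    return body[:-1].decode("ascii")

def build_srg(key: str) -> bytes:
    """Inverse of parse_srg: length (including the NUL) then the key bytes."""
    body = key.encode("ascii") + b"\x00"
    return struct.pack("<I", len(body)) + body

if __name__ == "__main__":
    print(parse_srg(SAMPLE_SRG))          # the registration number from the text
    print(build_srg("9665182").hex())     # the same twelve bytes
```

Being able to build a syntactically valid .srg is what lets you test the "doesn't complain, just reverts to trial" behaviour described above with arbitrary keys, without going through the registration dialog each time.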
References to .srg are at code locations that are all VERY close together:

  00403854   wsprintf, CreateFile, then ReadFile soon after
  00403A92   wsprintf, CreateFile, then ReadFile soon after
  00403BDF   wsprintf, CreateFile, then WriteFile soon after
  00403D0F   wsprintf, CreateFile, then WriteFile soon after

--------------------------
The pairing suggests that maybe these checks correspond to the two ways you can register (either with a fixed key or with a unique key for each machine).
---------------------------
Okay, let's examine each one in more detail.

1) The first one at 00403854: it looks like the test for the file is at 00403882, and if it doesn't exist, je to 004039EF. There are lots of conditional jumps during the read of the file which jump to 004039E8, which is probably where it goes if something goes wrong. It looks like if it gets to the end of the read of the serial it does:

  004039E6 jmp 004039F1

From there it basically cleans up and returns. If I had to guess, I'd say this is either after it successfully reads any serial OR after it reads a valid serial.

2) The second one at 00403A92: looks similar to the first one, with a test for the file that, if it is nonexistent, does

  00403AC0 je 00403B59

but now the read part looks much cleaner, with a repz cmpsb inside. It looks like there are tests for badness which all jmp to 00403B45; then at the end of the loop, after the repz cmpsb, we have

  00403B2A jne 00403B31

and otherwise it drops through to what looks like a successful parse at location

  00403B2C mov ebp, 00000001

which is where we might jump to try to trick it. *** This looks like, if we are lucky, all we have to do is set ebp directly; the jump around it just skips over the above line.

3) The third and fourth calls look like where the .srg files are created. We leave these alone for now, although clearly the ultimate crack would be if we could trick the darn thing into creating a good serial for us. That would be very cool.
----------------
Let's fool around with the first two first.
1) Let's scramble one and see if we can figure out which of the two is actually being used for our test screensaver. We will enter the proper serial, then skip each of the read procedures in turn, to see when it fails.

We change
  00403882 je 004039EF   [0F8467010000]
to
  00403882 jne 004039EF  [0F85...]
at file location 00002C82. No effect (we thank god that there is no internal CRC check in the .scr file).

Okay, let's try the other one. We change
  00403AC0 je 00403B59   [0F8493000000]
to
  00403AC0 jne 00403B59  [0F85...]
at file location 00002EC0.

****BINGO! The program thinks we are a TRIAL version again (i.e. it thinks there is no .srg serial file).
--------------------------
Okay, so let's try the simple approach and just jump to the part where it looks like a successful return. As a quick test, we will jump to 00403B2C from right after it opens the file. From there it does the mov ebp,00000001 and then closes the file and returns. If it works we will clean up this idea later.

We change
  00403AC0 je 00403B59   [0F8493000000]
to
  00403AC0 jne 00403B2C  [0F8566000000]
at file location 00002EC0.

BELIEVE IT OR NOT, IT WORKED! We have successfully unlocked a screensaver without the serial. To test it we put bad data in the screensaver .srg file and run it. YEP, IT WORKS. IT THINKS WE ARE REGISTERED!

Now we need to try it with the other read procedure and see if we are right that that one is invoked if you use the unique key option.
------------------------------
To test this hypothesis about the 2 registration methods, we create another screensaver which uses the unique key method and then try our tricks on it. SURE ENOUGH, our fix does not work on this new screensaver. Unfortunately, the trial version of the screensaver toolkit does not include the keymaker that is needed to generate good keys, so we don't have the benefit of being able to enter a good code, BUT let's see if we can't make do without it.
-----------------------------------
This is trickier.
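How the byte strings in those patches come about, as an added Python example (not code from the tutorial). x86 jump displacements are relative to the end of the jump instruction, which is why retargeting the je at 00403AC0 from 00403B59 to 00403B2C changes the four bytes after 0F 85 from 93 00 00 00 to 66 00 00 00, and why, in Step 15 of the previous crack, a short jump's single displacement byte changes when the code it spans shifts by one byte. The file-offset/virtual-address conversion uses the difference visible in the pairs quoted on this page (file 00002EC0 is code 00403AC0); that constant is specific to these .scr files and is an assumption for anything else.

```python
# Added example, not from the tutorial: encode the relative jumps used in the
# patches above and convert between .scr file offsets and code addresses.
import struct

# Condition codes (the low nibble of the opcode): short form is 70+cc,
# near form is 0F 80+cc. Only the conditions that appear on this page and
# the common unsigned/signed ones are listed.
COND = {"jo": 0x0, "jb": 0x2, "jae": 0x3, "je": 0x4, "jne": 0x5,
        "jbe": 0x6, "ja": 0x7, "jl": 0xC, "jge": 0xD, "jle": 0xE, "jg": 0xF}

def encode_jcc_near(addr: int, target: int, cond: str) -> bytes:
    """0F 8x rel32: the displacement is measured from addr + 6."""
    disp = target - (addr + 6)
    return bytes([0x0F, 0x80 | COND[cond]]) + struct.pack("<i", disp)

def encode_jcc_short(addr: int, target: int, cond: str) -> bytes:
    """7x rel8: the displacement is measured from addr + 2."""
    disp = target - (addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of range for a short jump")
    return bytes([0x70 | COND[cond], disp & 0xFF])

def encode_jmp_short(addr: int, target: int) -> bytes:
    """EB rel8, the unconditional short jump used in the 7510 -> EB10 patch."""
    disp = target - (addr + 2)
    if not -128 <= disp <= 127:
        raise ValueError("target out of range for a short jump")
    return bytes([0xEB, disp & 0xFF])

def short_jump_target(addr: int, insn: bytes) -> int:
    """Decode where a two-byte EB/7x jump located at addr lands."""
    (disp,) = struct.unpack("<b", insn[1:2])      # signed 8-bit displacement
    return addr + 2 + disp

# Delta between code address and file offset, taken from the pairs on the
# page (00403AC0 <-> 00002EC0). Assumed constant within the .text section.
SCR_DELTA = 0x00403AC0 - 0x00002EC0

def va_to_file(va: int) -> int:
    return va - SCR_DELTA

def file_to_va(offset: int) -> int:
    return offset + SCR_DELTA

if __name__ == "__main__":
    print(encode_jcc_near(0x00403AC0, 0x00403B59, "je").hex())    # original bytes
    print(encode_jcc_near(0x00403AC0, 0x00403B2C, "jne").hex())   # the patch
    print(hex(va_to_file(0x00403AC0)))                            # where to write it
```

The Step 15 lesson falls out of short_jump_target: the same EB 6E and EB 6F bytes land one byte apart, so a displacement copied from a different build is only correct if nothing between the jump and its target moved.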
We create an .srg file with the proper name (but invalid data). Going back to the first location, we change
  00403882 je 004039EF   [0F8467010000]
to
  00403882 jne 00403948  [0F85DD000000]
at file location 00002C82. NOTHING. Let's verify that this is the place we end up at: patch in FF00, which should hang it. YES, IT DOES. So we know we are at the right place.
-----------------------------------
The whole thing starts from the call at 00403A29. Observing that the line right before it seems to be the decision about which kind of .srg read to perform, maybe we can just convince it to always do the kind we know how to crack? We change
  00403A27 jne 00403A39  [7510]
to
  00403A27 jmp 00403A39  [EB10]
at file location 00002E27, also remembering to apply the first crack to this new file. WOW - IT WORKS! Yet another case of a scary-looking protection on the outside with an easy protection on the inside. Sounds like a candy commercial...
--------------------
OKAY - now that we have found the bitch's nest (as keyboard caper would say), let's do the right thing and find the right place to properly crack it instead of this mess.
--------------------
As you may have guessed, we start where we left off, at code location 00403A27. Now that we look at it, this is crazy simple. We can see that the start of the function call to check registration pushes some stuff on the stack and then pops it off when it's done, and we previously found that the important thing to seem registered is
  00403B2C mov ebp, 00000001   [BD01000000]
which, if we look closely, is really used in
  00403B38 mov eax, ebp        [8BC5]
so let's try shortcutting this crap.
we go to the start of the function call at

  00403A10 sub esp, 00000418 [81EC18040000]

------------------------

So let's try, rather naively, to put code at the start of this call that just moves 1 into eax, skips the pushing and popping, and just returns. so what we want is to change

  00403A10 sub esp, 00000418 [81EC18040000]

into:

  00403A10 mov eax,00000001 [B801000000]
  00403115 ret [C3]

at file location 00002E10

If it works, that should be the only crack we need for both cases, and would be nice and clean. We patch it. LOOKS GOOD!

------------------------

Does it work on both kinds of registration: yes. Does it work after the expiration time is supposed to have occurred: yes.

------------------------

Now, for the patcher. Looks like all screensavers produced with a given version of the stardust screensaver toolkit are the same size. this is because the actual data is held in an accompanying .msf file. So, we could build a generic patcher which would crack any screensaver which has been built using a specific version of the toolkit. BUT, given what we know from experience with previous versions of the stardust screensaver toolkit, the scr files are almost identical, AND, the patched bytes do NOT need to jump to any specific code, so we should be able to use a patcher to search and replace a byte string that might be common in many versions of the toolkit. Let's give it a try shall we?

------------------------

All we need to do is identify a unique set of bytes surrounding our patched area, which will be the same in all versions and won't show up elsewhere in the code. maybe we will get lucky. The exact bytes we want to patch

  [81EC18040000] into [B801000000C3] at file location 00002E10

are unique in the file! can it be that easy? Well, we won't know until a new version of the toolkit comes out, since older versions (at least those that i can find, as recent as 2.1.31, didn't even have the ability to allow registration!).

---------------------

OKAY, now we realize something.
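The tutorial keeps switching between a "code location" (the virtual address SoftICE shows) and a "file location" (the raw offset you edit in a hex editor), and the two always differ by 0xC00 here. That difference is not magic: it comes from the PE section table, and any analyst reproducing a write-up like this should compute it rather than guess. The example below is added here and is not part of the tutorial; it builds a minimal PE32 header in memory (constructed; the ImageBase of 0x400000 and a .text section at RVA 0x1000 backed by file offset 0x400 are assumptions chosen so that the sample reproduces the 0xC00 difference seen above), parses the section table back out, converts in both directions, and decodes the rel8/rel32 displacements of the branch encodings listed above so a reader can confirm which address each listed byte string really targets.

```python
"""Map PE virtual addresses to file offsets and back, and decode the
target of relative branches from their encoding. Added example, not code
from the tutorial; the header built by build_sample_image() is constructed
and its layout is an assumption (see the lead-in)."""
import struct
from typing import List, NamedTuple, Tuple


class Section(NamedTuple):
    name: str
    virtual_address: int   # RVA at which the section is mapped
    virtual_size: int
    raw_pointer: int       # file offset of the section's bytes
    raw_size: int


def parse_sections(data: bytes) -> Tuple[int, List[Section]]:
    """Return (ImageBase, sections) from a PE image's headers."""
    if data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", data, coff + 2)[0]
    opt_size = struct.unpack_from("<H", data, coff + 16)[0]
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                       # PE32: ImageBase is a DWORD at +28
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
    elif magic == 0x20B:                     # PE32+: ImageBase is a QWORD at +24
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
    else:
        raise ValueError("unknown optional header magic 0x%X" % magic)
    sections, pos = [], opt + opt_size
    for _ in range(num_sections):
        name, vsize, va, rsize, rptr = struct.unpack_from("<8sIIII", data, pos)
        sections.append(Section(name.rstrip(b"\0").decode(), va, vsize, rptr, rsize))
        pos += 40                            # IMAGE_SECTION_HEADER is 40 bytes
    return image_base, sections


def va_to_file_offset(va: int, image_base: int, sections: List[Section]) -> int:
    """'code location' -> 'file location'."""
    rva = va - image_base
    for s in sections:
        span = max(s.virtual_size, s.raw_size)
        if s.virtual_address <= rva < s.virtual_address + span:
            off = rva - s.virtual_address
            if off >= s.raw_size:
                raise ValueError("VA 0x%X is in the unbacked part of %s" % (va, s.name))
            return s.raw_pointer + off
    raise ValueError("VA 0x%X is not inside any section" % va)


def file_offset_to_va(offset: int, image_base: int, sections: List[Section]) -> int:
    """'file location' -> 'code location'."""
    for s in sections:
        if s.raw_pointer <= offset < s.raw_pointer + s.raw_size:
            return image_base + s.virtual_address + (offset - s.raw_pointer)
    raise ValueError("offset 0x%X is not inside any section's raw data" % offset)


def branch_target(insn_va: int, encoding: bytes) -> int:
    """Target of a rel8 (EB / 7x) or rel32 (E8, E9, 0F 8x) branch at insn_va.
    The displacement is taken from the end of the instruction."""
    op = encoding[0]
    if op == 0xEB or 0x70 <= op <= 0x7F:
        disp, length = struct.unpack("<b", encoding[1:2])[0], 2
    elif op in (0xE8, 0xE9):
        disp, length = struct.unpack("<i", encoding[1:5])[0], 5
    elif op == 0x0F and 0x80 <= encoding[1] <= 0x8F:
        disp, length = struct.unpack("<i", encoding[2:6])[0], 6
    else:
        raise ValueError("not a relative branch: %s" % encoding.hex())
    return (insn_va + length + disp) & 0xFFFFFFFF


def build_sample_image() -> bytes:
    """Constructed PE32 header (no real code) that reproduces the tutorial's
    0xC00 gap: ImageBase 0x400000, .text at RVA 0x1000 / raw offset 0x400."""
    image_base = 0x400000
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 28, image_base)

    def sec(name, vsize, va, rsize, rptr):
        return struct.pack("<8sIIIIIIHHI", name, vsize, va, rsize, rptr, 0, 0, 0, 0, 0x60000020)

    text = sec(b".text", 0x10000, 0x1000, 0x10000, 0x400)
    data = sec(b".data", 0x2000, 0x11000, 0x1000, 0x10400)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt) + text + data


if __name__ == "__main__":
    base, secs = parse_sections(build_sample_image())
    for va in (0x403882, 0x403AC0, 0x403A10, 0x40E180):
        print("VA %08X -> file offset %08X" % (va, va_to_file_offset(va, base, secs)))
    print("je at 403882 [0F8467010000] goes to %08X" % branch_target(0x403882, bytes.fromhex("0F8467010000")))
```

Point parse_sections() at the bytes of a real .scr or .exe and the same two conversion functions apply unchanged; the constructed header exists only so the block runs offline.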
This patch won't fix time-limited screensavers which are NOT registerable, it is only a crack for giving you the registered version. and although the registry file described earlier will reset the expiration time, we want to accomplish this via a crack.

--------------------

We install a screensaver with a time lock but no registration, and then set our clock ahead, run regmon which monitors registry changes online, and we see which registry entries are looked at and modified. The most promising:

  .64518320 Crackb OpenKey      HKLM\Software\ \crackb       SUCCESS hKey: 0xC29C26C0
  1.64522480 Crackb QueryValueEx HKLM\Software\ \crackb\Data1 SUCCESS 6F 69 E 9E 9C EB E1 40
  1.64525440 Crackb QueryValueEx HKLM\Software\ \crackb\Data2 SUCCESS 6F 69 E 9E FC EB E1 40

We find that if we delete Data1 or Data2, the expiration resets and the screensaver works again.

------------------

Data1 and Data2 are accessed one after the other in TWO places:

  code location 0040E14B where the values are queried
  code location 0040E257 where the values are set

Let's just worry about where they are read for now, although we have in the past solved these kinds of protections by preventing the program from writing to the registry, which is particularly easy to do.

-----------------------------------

anyway, after the keys are read the program enters into some code with two main conditional jumps: to 0040E1CD and to 0040E2AE. This first jump location looks like it is called when the keys are first created (ie they don't exist yet), so let's just patch in a jump to there right after the keys are read.

change
  0040E180 cmp esi,ebx [3BF3]
to
  0040E180 jmp 0040E1CD [EB4B]
at file location 0000d580

VOILA! IT WORKS.

------------------------------------------------

Now again, for a universal stardust patch, we want some unique bytes, not just a specific place in the file: this is tricky since the patch is to jump codes which may very well change with different versions.... hmmm...
Okay, instead of patching in a jump, let's take advantage of the je that is already there:

  0040E180 cmp esi, ebx [3BF3]
  0040E182 je 0040E1CD [7449]

now, the 0040E1CD address may change, but if we can recognize the code preceding it, we can force the je to always be true. so we change

  0040E180 cmp esi,ebx [3BF3]
to
  0040E180 cmp eax,eax [3BC0]

which will always be true.

------------------------

we now have a fairly long string of bytes that we should be able to search and replace on, starting at code location 0040E172 and running through to code location 0040E182, which is bytes starting at file location 0000D57A:

  8BF8 F7DF 1BFF 5147 FFD5 3BF3

which we want to change to:

  8BF8 F7DF 1BFF 5147 FFD5 3BC0

that's interesting enough to be unique, so we check for it in hex workshop just in case. it is unique, so we are done except for actually building the patch.

-----------------------------------

Now normally i use perfx's patchfx, which has a nice look that i like, but it can't do search and replace. Codefusion is an awesome patcher with a horrible look if you ask me. It's the fonts that really put me off, but other than that it is a VERY powerful patcher. So that is what we use this time; codefusion will look for the two byte strings to replace. Codefusion is also nice in that older screensavers will have the time limit bytes that need to be cracked, but not the registration bytes, and codefusion handles this with aplomb.

Okay, so i say "potentially" universal because i really have no idea how many screensavers built with 'stardust screensaver toolkit' this will work with. DON'T try running it on a non-stardust created screensaver; probably the bytes to be replaced won't be found, but if they are, weird things could happen.

Run the patch and locate the .scr file which represents the screensaver. It will be in /windows/system/ and have a filename ending in .scr

NOTE: There are 3 separate places the crack tries to patch.
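The search-and-replace idea cuts both ways: the same byte strings that make a version-independent patch possible also make a version-independent tamper check possible, which is what a vendor or an incident responder wants when a binary has, as noted earlier, no internal crc check of its own. The example below is added here and is not the tutorial's patcher nor code from Codefusion or the toolkit; it takes the two original/modified byte pairs listed above, searches a file for each form without relying on any offset, reports per signature whether the file is intact, modified, or ambiguous (the sequence is not unique, so it cannot serve as a marker, which is exactly the concern behind the "check it in hex workshop" step), and pairs that with a whole-file SHA-256 as the external integrity baseline. The sample images are constructed in memory.

```python
"""Tamper check built from the byte sequences discussed above. Added
example, not part of the tutorial. It only reads; it never writes a file.
The SIGNATURES table is taken from the listings in the text; the sample
images from make_sample() are constructed filler around those bytes."""
import hashlib
from typing import Dict, List, Tuple

# (label, bytes as shipped, bytes after modification)
SIGNATURES: List[Tuple[str, bytes, bytes]] = [
    ("registration check prologue",
     bytes.fromhex("81EC18040000"),                 # sub esp, 418h
     bytes.fromhex("B801000000C3")),                # mov eax,1 / ret
    ("time limit compare",
     bytes.fromhex("8BF8F7DF1BFF5147FFD53BF3"),     # ... cmp esi,ebx
     bytes.fromhex("8BF8F7DF1BFF5147FFD53BC0")),    # ... cmp eax,eax
]


def find_all(data: bytes, pattern: bytes) -> List[int]:
    """Every offset at which pattern occurs (overlapping hits included)."""
    hits, pos = [], data.find(pattern)
    while pos != -1:
        hits.append(pos)
        pos = data.find(pattern, pos + 1)
    return hits


def classify(data: bytes) -> Dict[str, str]:
    """Per signature: 'intact', 'modified', 'absent' or 'ambiguous'."""
    result = {}
    for label, original, modified in SIGNATURES:
        o, m = find_all(data, original), find_all(data, modified)
        if len(o) == 1 and not m:
            result[label] = "intact"
        elif len(m) == 1 and not o:
            result[label] = "modified"
        elif not o and not m:
            result[label] = "absent"
        else:
            # several hits, or both forms present: the sequence is not a
            # unique marker in this file, so report that instead of guessing
            result[label] = "ambiguous"
    return result


def verdict(data: bytes) -> str:
    """'tampered' if any signature is in its modified form, 'clean' if all
    are intact, otherwise 'unknown' (different build, or not a stardust file)."""
    states = list(classify(data).values())
    if "modified" in states:
        return "tampered"
    if states and all(s == "intact" for s in states):
        return "clean"
    return "unknown"


def sha256_hex(data: bytes) -> str:
    """Whole-file hash: the simplest external baseline for a binary that
    does not check itself."""
    return hashlib.sha256(data).hexdigest()


def make_sample(modified: bool) -> bytes:
    """Constructed stand-in for a .scr: neutral filler around the sequences."""
    filler = bytes(range(256)) * 4
    reg = SIGNATURES[0][2] if modified else SIGNATURES[0][1]
    tl = SIGNATURES[1][2] if modified else SIGNATURES[1][1]
    return filler + reg + filler[::-1] + tl + filler


if __name__ == "__main__":
    for name, blob in (("clean sample", make_sample(False)), ("modified sample", make_sample(True))):
        print(name, sha256_hex(blob)[:16], verdict(blob), classify(blob))
```

Run against a real file with `verdict(open(path, "rb").read())`; an "ambiguous" result is the signal to widen the byte string, the same judgement the tutorial makes by hand before trusting a search-and-replace.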
1) It patches in the words "and Flying Raichu" in the about box.
2) It patches the time limits if appropriate.
3) It patches the registration check if appropriate.

If the patcher says 'unsuccessful' then it didn't work, OR it's already cracked. check the about box if you think it's already patched, otherwise sorry, read this story and investigate the files yourself. it will be fun.

If the crack runs and just says "54 bytes patched", then it means that only the first patch took, which is pretty useless. it means the file format changed enough that it couldn't find the other patches.

If it says "66 bytes patched", it means that the screensaver was made with a version of stardust screensaver toolkit prior to 1.2.53, and thus has no ability to be registered, and can only be time limited. The time limit was removed.

If it says "72 bytes patched", then it was created with a newer version of the screensaver toolkit (>1.2.31) which had registration capabilities (which have been cracked). The screensaver will think that it is registered to you.

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #90 soon! ;)

Credits goto:
  Sir Dawg for Splash Logo.
  M.o.D for providing a tut in this version.
  Johnny Aum for providing 2 tuts in this version.
  Flying Raichu for providing 2 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them .. see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at:
  http://www.crackersinaction.org
(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 26 June 2000

Cracking Tutorial #89 is dedicated to Sonia...