Welcome to Cracking Tutorial #92!


Hiya guys,

Sorry for delays, again I was busy with coding and all shit..

Here's a tut92.tKC...

OK, let's rave! ...or crack babes? :)


You'll need the following tools:

(I use these tools, I assume you'll use 'em, but it doesn't
mean that you'll need to use all those tools, so be sure to
get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz of easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had
a chance to get them when you used my older tutorials. Here
are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?!

OK! ;)


 -{ How To Reverse }-
     bY fuzzyCaT
 
 
 Target...: GraphCalc 2.11
 Tools....: Win32Dasm, Hiew, eXecope and Brain (4000 CC is better :P)!
 
 
 
So our target is GRAPHCALC, i don't feel like loading a file monitor or a
registry monitor, so lets go directly to Win32Dasm.
Ok make 2 copies of GrphCalc.exe [Win32Dasm], one GrphCalc.crk.exe [for HIEW] and 
the other GrphCalc.bak. [SAFE]
Run GraphCalc try to register it, hmmm, looks like a bug to me what do you think?
Lets give a hand to the programmer and correct it :P
Load GrphCalc.exe into Win32Dasm goto to the String Reference window look for that 
string, found it? Cool!
Double-Click on it, again, looks like we ended at the same spot, so it probably 
doens't have another check.
So you got to this piece of code:
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0046DADB(C)  <-- ? what do you think? (C)=Conditional [Jne,Je,Jz,etc]
|
:0046DC15 6A10                    push 00000010
 
* Possible StringData Ref from Data Obj ->"Unregistered Version of GraphCalc"
|
:0046DC17 68502A4C00              push 004C2A50
 
* Possible StringData Ref from Data Obj ->"Invalid Registration Code" <-- The String
|
:0046DC1C 68742A4C00              push 004C2A74
:0046DC21 8B8D74FFFFFF            mov ecx, dword ptr [ebp+FFFFFF74]
:0046DC27 E88A3C0200              call 004918B6

Did you seen the Conditional shit? Open GOTO CODE LOCATION window input "46DADB"
yee, we reached a Je by other words a compare Jump If Equal:
 
:0046DAD9 85C0                    test eax, eax
:0046DADB 0F8434010000            je 0046DC15  <-- Looks like the bug! :P
:0046DAE1 C60584534C0001          mov byte ptr [004C5384], 01
 
Ok, run Hiew load GrphCalc.crk.exe press F4 to DECODE mode, press F5 enter "46DADB" now 
press F3 then F2 and change the JE to JNE press ENTER, ESC now F9 to update.
Run it, looks ok, try to register it, hmm cool it accepted! Exit, enter again, damn!
Didn't stay registered.
Ok, will be back to this soon!
GraphCalc says that you can only use it for 30 days after that.... But lets try to put
the pc clock up to 1 year more... Run GraphCalc and ..? Nothing! It doesn't check if
you're using for 1 day or 1000 years!
But it still doesn't keep registered... Damn! Ok lets go to the AboutBox any important
information there?
.
.
.
.
Yes! The text "GraphCalc is a shareware....", remember when u regist it this disappears
right? Ok back to Win32Dasm, look out for that string.......
Nothing! But what is the inverse of that? Hmmmm.... Find "Registered To:" string
So u arrived here:
  
* Possible StringData Ref from Data Obj -> "Registered To: "
  
:00456999 68F4034C00            push 004C03F4
.
.
.

Ok go up a little, see anything familiar? Maybe a conditional jump? Yeah!
This:
  
:00456989 A084534C00    mov al, byte ptr [004C5384] <- Hmmm ?!
:0045698E 85C0          test eax,eax <- Very familiar and interesting!
:00456990 744A          je 004569DC <- Yeah! BOOMMM! [Label1]
.
.
.
  
Got the offset from [Label1]?
Run Hiew F4 "Decode", F5 "56990", F3 change 74 -> 75, F9, boom!
Run it cool! Registered to you!
But theres still a prob, the register button isnt disabled and it should be!
This is where eXeScope comes up, open GraphCalc with it and look out for that menu
now just check the GRAYED and DISABLED! oki! done! TIP the menu is the first!
Easy eh?
  
Easy prog dont u think?
A little cheating but u cares? It works, doesnt it? ;)

Now if u want to make a patch and make the menu disabled at same time, u'll
have to use your brain, because if it is DISABLED u cant regist it and so
it'll show "Registered To: " only! TIP: graphcalc.ini it auto fills whats 
missing! 
  
Cya! 
  
A newbie tut written by ONE! :P

Greetz:
iNNU3NDo :: Duelist :: Northpole :: hmemcpy :: Ac|FuSiO :: R!SC :: PROF.X 
tKC :: PinguTM :: DarkShadow :: LaZaRuS :: SiR_DawG :: cokine :: CiA[File] :)
fuzzyCaT [ey it's me! :)] :: All other CiA members :: #C.i.A & #CRACKiNG4NEWBiES
 
CiA :: EVC :: CORE :: Phrozen Crew :: eMINENCE :: MiB :: DREAD :: CLASS :: RAZOR

fuzzyCaT  [fuzzyCaT@Gmx.net] [www.fuzzyCaT.tsx.org]
Crackers In Action 2000


 Win32Asm Tutor?
 Lets do it!

 by fuzzyCaT

 Tools: Masm32 v5.0 or shit
        Tasm v5.0, maybe...

 Start:

$Theory$
Inicializate the code
Declare includes & options
Declare the texts|messages
Start code
Show a message
End prog
End code

$Just Do It!$

<-- START HERE -->

.386 ; Dunno how to explain, there is also 386p, 286, 486 etc (i think!)
.model flat,stdcall ; For 32 bit app, the model must be this (for dos [tiny,small,huge,etc])
option casemap:none ;if u wanna use Windows.inc this has to be here, else... try it! :)

Include \masm32\include\user32.inc  ;my path is [d:\masm32\include...] so just add...
Include \masm32\include\windows.inc  ;// // //....

IncludeLib \masm32\lib\user32.lib  ;include a library....

.Data   ; here we put our data, the messages, vars, etc...
MessageText db "Hello World!",0  ;Always end with 0 (zero) db=define byte
 ;H= 1 byte, e=1 byte, etc, like a array... :P
MessageCap db "Hello",0 ;Same shit, this is for the caption....


.Code
Start:  ;The start of the code we could put:
;Main:  (instead but ....)
INVOKE MessageBoxA,NULL,ADDR MessageText,ADDR MessageCap,MB_OK
; Raw power of MASM! [INVOKE]

INVOKE ExitProcess,NULL
End Start

<-- END HERE -->

Struct of MessageBoxA:
int MessageBox(
   HWND hWnd, // handle of owner window
   LPCTSTR lpText, // address of text in message box
   LPCTSTR lpCaption, // address of title of message box
   UINT uType // style of message box
);
Struct of ExitProcess:
VOID ExitProcess(
   UINT uExitCode // exit code for all threads
);

Show the MessageBox without INVOKE:
u have to reverse the params
so if MessageBoxA(HWND,LPCTSTR,LPCTSTR,UINT);
would be without INVOKE
MessageBoxA(UINT,....);

So:
Push MB_OK
Push Offset MessageCap ;Note Offset instead of ADDR
Push Offset MessageText
Push 0 ;0 (zero)=NULL
Call MessageBoxA ;Then call it..

What we have done here was to push the params to the stack and then call MessageBox...


Yeah Yeah, i know really fast tut, but i think it's easy to understand and goes directly
into to the business.

In Win32Asm u almost only need to have an API reference, u have it? U can code!
But ey, u have to understand certain structs, like CreateWindow, damn it! To create
a window need ~15 lines of code...
Alot ey?
hehe cya!

Greetz:
iNNU3NDo, tKC, Duelist, DYCUS, hmemcpy, Northpole, R!SC, Prof.X, LaZaRuS, CEREbRi, Dya-Blo,
Ac|dFuSiO, NU|<EM, _masta_, PinguTM, DarkShadow, SiR_DawG, H3llSp4wn, AgentData, etc...


fuzzyCaT 2000
fuzzyCaT@Gmx.Net    |    www.fuzzyCaT.tsx.org


w00f w00f!
grrrr, w00f w00f waaf grrrrrrrr
i learned this while talking to my dog about a prob i had in ASM, he told me that this means:
(in order): greetz all!
hmmm, all cool?hmmmmm

hope u enjoyed this tut!
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
.
hehe!
just.... idling! =) (trying to beat up r!sc) :P
ok now lets see, in this tut i'll write about win32asm POINTERS (thkx Z-Wing!), he really
helped me with them, and not only that some other stuff, u rox!
needed tools?
Masm v?? (my MASM v6.4.8444)
and if u dont have QEditor then Notepad
nothing else i think....

ok lets jam!
start
introduction
what are POINTERS in a real simple way POINTERS serv to point (duh!) to something, to it's
memory address (like in sice 00445554), a pointer can point to a byte, word, etc.
an example:

<-- start here -->

.386
.model flat,stdcall
option casemap:none

include \masm32\include\user32.inc   ;change this path to your's
include \masm32\include\windows.inc
includelib \masm32\lib\user32.lib  ;change this path to your's

.data
 string1 db "win32asm roxx!",0  ;always terminate with a '0'
 string2 db ?

.code
start:
 mov ecx,0  ;reset ECX
a_loop:
 mov al,byte ptr[string1+ecx]  ;if is BYTE PTR then we must use a byte register EAX=DWORD,
                               ;AX=WORD, AL or AH =BYTE, thankx Z-Wing! *g* :)
                               ;this will load al with the 1­ byte of string1, 'w', because
ecx=0

 mov string2,al
 invoke MessageBoxA,NULL,addr string2,NULL,MB_OK
 inc ecx      ;incremeant ECX (ECX->loops, counter,etc)
 cmp ecx,15   ;the number of chrs in string1 is 15, so if ECX>15 exit the loop
 jne a_loop   ;jump if lower or equal, if ECX<=15 jump to a_loop

end start  ;end the prog

<-- end here -->
by the way this code didnt worked on my pc, maybe i need a reboot...
but it should! it just breaks on 'i' and repeat it .....
try to put ecx=4 or another value and you'll see that it works.

ok, so we have another 1
and if you wanted to do something like adding text to a var (+/-), like make it:
ax=ax+"p"
ax=ax+"p"
ax=ax+"l"
this is equ to
ax="ppl"

so how to do it? this is the way (once again thkx Z-Wing!)

<-- start here -->

.386
.model flat,stdcall
option casemap:none

include \masm32\include\windows.inc  ;change....
include \masm32\include\user32.inc
includelib \masm32\lib\user32.lib

.data
string1 db "win32asm roxx!",0
string2 dd ?

.code
 mov ecx,14  ;size of string1
a_loop:
 mov al,byte ptr[string1+edx]  ;you know....
 mov byte ptr[string2+ecx],al  ;lets mov the byte in AL to string2 but instead of 1..14 we
                               ;make 14..1  so the string will be the inverse
 dec ecx    ;decremeant
 inc edx    ;incremeant
 cmp edx,14  ;compare edx with 14 if equ exit loop
 jne a_loop
 invoke MessageBoxA,NULL,addr string2,addr string1,MB_OK  ;lets show the inverse string
                                                          ;(string2) and the original string
                                                          ;(string1)
 invoke ExitProcess,NULL   ;exit the prog, so win doesnt show's a error

end start

<-- end here -->
ok hope u understand it! =)

ok the 1­ code didnt work but this one works *g*!
so i hope u liked this tut and find him usefull, next tut will be about GUI, but not with
API, with resources, i dont like to use CreateWindow it's to complex, more easy to use a
resource. :)

Tools needed for mext tut:
-Visual C++ (6.0?) dunno if another version work (for build the resource, or another
compatible with MASM
-MASM *g*
-Brain 10000 CC ;>

ok, cya!

greetings:
-> Z-Wing <-  thankx man!
iNNU3NDo :: Duelist :: DYCUS :: R!SC :: Northpole :: Prof.X :: tKC :: hmemcpy :: LaZaRuS
PinguTM :: NU|<EM :: DarkShadow :: SiR_DawG :: _masta_ :: hmmm forgot someone? hope not!
DBC, CiA, EVC, CORE, EXEC, eMINENCE
#C.i.A, #CRACKiNG4NeWBiES, #WiN32ASM

ALL MY FRIENDS!

FuzzyCat [DBC]

FuzzyCat@gmx.net
www.FuzzyCat.tsx.org


 *PrograM: Dream OutBar ver2.1
 *TitlE  : hOw tO cRACk dREAm oUTBAr v2.1!
 *CrackeR: thE WiShMakEr
 *PurposE: eDUCATIONAl
 *DatE   : Wednesday, 31.05.2000

    Hi guys, here i am with my third tutorial...
I hope this one will be better then the first two.
Again, sorry for the mistakes you may see in this
tutorial.
First of all let's see what tools you will need...

 éW32dasm=win32 disassembler
 ÆHiew 6.XX or any other hex editor
 ÆDelphi 5 installed
 ÆWindows Commander or you can use Explorer
 èA little spare time

 If you have this tools i think we can begin...
If you didn't install this component yet, install it.
For those of you who don't know how to install a
component, please read the delphi's help files.
Ok, now create a new application project and put one
component from the dream outbar pack on the form.
Compile the program and close delphi. After this run
the compiled project...you will notice a nag screen
with a warning message...write down that message or
keep it in mind. Run w32dasm and open the compiled
project in order to disassemble it. After that press
ALT+S+F and enter the string you saw in the nag screen.
You should see something like this:
Note: the addresses will be different if you put more
      than one component on the form, but the code is the same.
      If you did as i said there should be no problem.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00448F6A(C)
|
:00448F6C 803D184B450000          cmp byte ptr [00454B18], 00
:00448F73 7523                    jne 00448F98
:00448F75 C605184B450001          mov byte ptr [00454B18], 01
:00448F7C E87BFFFFFF              call 00448EFC
:00448F81 84C0                    test al, al
:00448F83 7513                    jne 00448F98 <--- here we must change
:00448F85 6A30                    push 00000030

* Possible StringData Ref from Code Obj ->"Warning"

:00448F87 689C8F4400              push 00448F9C

* Possible StringData Ref from Code Obj ->"This application uses unregistered "
                                        ->"version of Dream Outbar"
:00448F8C 68A48F4400              push 00448FA4
:00448F91 6A00                    push 00000000

* Reference To: user32.MessageBoxA, Ord:0000h

---------------------------------------------------------
You will have to change the "jne 00448F98" into "jmp 00448F98".
At "call 00448EFC" it is verified if delphi is running or not.
If delphi is running the nag screen will be passed, if delphi
ain't running the the nag screen will be shown. By changing
the conditional jump "jne 00448F98" into "jmp 00448F98", the
program will always pass the nag screen.
Now, with hiew or with your favourite hex editor, change
the "jne" into "jmp" at the address 00448F83.
Run the project....good, the nag screen wasn't shown right?
Patching every project you create with this component is not a
good idea, so you will have to patch the files which have this
routine. With windows commander you will search every file
within the directory where you installed the component for
the string that you saw in the nag screen....and you will find
that only the dcoutcommon.dcu has this string, so you will have
to patch only this file. Open it in the hex editor and search
the string within the nag screen. Scrool up a little bit until
you will find the byte that you have to patch, more exactly in
this case...until you find the "jne 00448F98". Change it as I
said above. Now open delphi, uninstall this component and then
install it again. Create a new application project and use one
or more components within the dream outbar pack. Compile the
project, close delphi and then run the project....the nag screen
doesn't appear anymore....good, you've done it..congratz.!

              òòòòò   The end.  òòòòò
                òòòò           òòò
                   òò          òò
                    òò        òò

Comments or whatever at this address --> WiShMakEr_Rulez@yahoo.com


                    How to crack Lockdown2000 v7.0.0.1?
                    ***********************************
                              by M.o.D. [f2f]

tools used:   - PEditor 1.5  (protools.exit.de or come.to/f2f :)
              - SoftIce 4.05 (protools.exit.de)
              - Hiew    6.x  (protools.exit.de)
              - Filemon 4.28 (www.sysinternals.com)

download:     - www.lockdown2000.com

Hi there!

Ok, install Lockdown and start it. We see a Unlock button and a time limit ( 10 days ).
We want to patch Lockdown so that it runs without a valid unlockcode.
Close Lockdown, open Filemon and use the filter, to see only Lockdowns fileaccesses.
Start our target and look at the fileaccesses. You should recognize that Lockdown opens
"LD2KReg.ini" to look for the valid code. We will use this to set a nice breakpoint in
SoftIce, but first we have to unpack Lockdown (packed with PKLiTE).
I think you can use Progdump, but i did it myself.

Unpacking:
~~~~~~~~~~
We start PEditor, browse to Lockdown2000.exe and click on break'n'enter. Open SoftIce and set
a breakpoint on int3 (bpint 3). Now we click on run and enter the command, which we can read
in the box. Now it's time to trace to the DepackersExitPoint (DEP). At this point the
programm was unpacked, the unpackcode jumps to the OriginalEntryPoint (OEP) and the programm
runs!

We see the following code:
005F6000 6880605F00  push 005F6080
005F6005 68D04A6800  push 00684AD0
005F600A 6800000000  push 00000000
005F600F E8BCEA0800  call 00684AD0 -> unpacks the programm in the memory
005F6014 E9D30EEEFF  jmp 004D6EEC  -> jump to the OEP :)

When we breaked in SI and entered the command in the box we trace to line 5F6014 (Press F5).
Now we have to scribble down the RelativeVirtuellAdress ( RVA ) of the OEP.
The jump goes to 4D6EEC, so we know the VirtuellAdress (4D6EEC) of the OEP;
substract the Imagebase ( 4D6EEC-400000 ) and now we have the RVA of the OEP : D6EEC.
We should be still at line 5F6014. Now we have to enter in SI:
a       - [Enter]
jmp eip - [Enter] - [ESC]

Ok, we assembled a endless loop. This is important to get a virgin data-section.
Now it's time to dump this process. We leave SI by pressing F5. We click on tasks in PEditor,
dump Lockdown2000 and terminate the process after dumpimg. Load the dumped exe into PEditor
and change the Entry Point to our new value (D6EEC). Click on apply changes, close PEditor
and start the dumped file. If we did nothing wrong the file should run without any problems.

Cracking the filecheck:
~~~~~~~~~~~~~~~~~~~~~~~
Yeah, we know already a good breakpoint for SI. So, fire up SI and enter the
following breakpoint: bpx CreateFileA do "d esp->4". Now we see everytime when SI
breaks in the datawindow, which file Lockdown wants to open/create.
Start now our dumped file and look carefully at the datawindow.
Oh, what this! Lockdown didn't opend "LD2KReg.ini", but maybe you recognized that
Lockdown opend "c:\Windows\Ableda.ini". I don't really know what sense this file has,
but if you start our dumped file again and look at the datawindow when we break again
at the CreateFile of "Ableda.ini" then you can see your Registrationcode for Lockdown.
Ok, it's time to patch!
We will break again at the CreateFile of "Ableda.ini". Now we press F12 8 times to go to
the call, which called these code.
We see this:

004C3146 E8B516FEFF  call 004A4800 -> call to the CreateFile
004C314B 48          dec eax
004C314C 7D27        jge 004C3175
004C314E A14C9E4D00  mov eax, dword ptr [004D9E4C]
004C3153 8B00        mov eax, dword ptr [eax]
004C3155 E82AC5F8FF  call 0044F684 -> calls the box telling us we're unregistered :(

Set a breakpint at the call to the CreateFile ( doubleclick on this line in SI).
You should be at line 004C314B. We see that the "jge 004C3175" jumps over the ugly
window. So press F10 to go to line 004C314C and type in SI "r fl o". We should jump now.
Press F5 to continue...but Lockdown is still uunregistered :( .
Ok, Lockdown already knows at this line, that we're unregistered users. Start Lockdown again.
We break at the call. Now scroll up to see what happens above these call.
We see this:

004C3132 687D4F4C00   push 004C4F7D
004C3137 64FF30       push dword ptr fs:[eax]
004C313A 648920       mov dword ptr fs:[eax], esp
004C313D E8321CFEFF   call 004A4D74 -> calcluates our regcode and checks them
004C3142 84C0         test al, al   -> test if good/bad user
004C3144 7546         jne 004C318C  ->!break here! :)

After we breaked at line 004C3144 we see that the jump brings us over the CreateFile-call
and the ugly window. So type in SI at line 004C3144  "r fl z" and we jump. Press F5 in SI to
continue and...yeah Lockdown runs without nasty limits :D!
Last part follows now. Close Lockdown, start it again and we break at line 004C3144. Set a
breakpoint at the call at line 004C313D ( doubleclick on this line ). Start Lockdown
again and after we breaked press F8 to go in the call. The programm check if the call returns
1 in AL, which mean good user ( test al, al ). So we will let return these call always 1 in AL.
This is important, because this routine is called several time from diffrent locations, but
we will always return good user ( al=1 ), so Lockdown believes we're good :).
Scribble down the Adress of the line we are at the moment; should be the first in the call
( 4A4D74 ). Start PEditor and load the dumped file. Click on 'FLC' and enter as VirtuellAdress
our value ( 4A4D74 ). Write down the offset, close PEditor and load the dumped file in
Hiew. Change your view to 'Decode', press F5 and enter our offset. Press F3 and enter:
B001   - [mov al,1]
C3     - [ret]

Save the changes and start Lockdown. Yeah! It runs without nasty limits!
Now you can rebuild the ImportTable with PEditor - READY!

Ok, thats it.

For comments or questions mail me : MoD_f2f@gmx.net

cu
M.o.D.

ps: english isn't my mother tongue :)!


I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #93 soon! ;)

Credits goto:

bM[tgfx] for Splash Logo.
fuzzyCaT for providing 3 tut in this version.
thE WiShMakEr for providing a tut in this version.
M.o.D for providing a tut in this version.


To ALL the crackers: You are welcome to send me your tutors
to publish them .. see below for my email address!
*** 95 chars per line in textfile please! ***


And all the tutors can be found at:

http://www.crackersinaction.org

(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 27 July 2000

Cracking Tutorial #92 is dedicated to Ginny...