Welcome to Cracking Tutorial #94!


Hiya guys,

Sorry for delays, again I was busy with coding and all shit...

Here's a tut94.tKC...

OK, let's rave! ...or crack babes? :)



You'll need the following tools:

(I use these tools, I assume you'll use 'em, but it doesn't
mean that you'll need to use all those tools, so be sure to
get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz of easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had
a chance to get them when you used my older tutorials. Here
are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?!

OK! ;)


  How to crack Easy CD-DA Extractor 4.2.0 build 15

Target: Easy CD-DA Extractor 4.2.0
WWW: http://www.poikosoft.com/cdda
Cracker: --..__J_o_h_n_n_y__A_U_M__..--
Protections to be removed: begining nag, expiration
Tools: Hiew, W32Dasm & Windows Commander 4.51

--------New infos: Silent Wars for gaining total control-------
The theory behind silent wars was elaborated of 300 years ago by iudeo-masonery. Then was
declared a total war against the masses of people around the Earth, because "they are so stupid
& animalic that they must be conducted & manipulated in the direction we wish forever".
This war was restart in modern age in 1989 and is the 3rd mondial war and is given in economical
& menthal plane for conquering the whole world and to declare the begining of New World Order -
- the worshipers of Satana Order - and must be finished around year 2035 or in the worst case in
2050(worst for these bastards). Fight hard against any abuse in human rights and autority abuses!
Fight back instantly even with a process (trial) if necesarry! And don't give away your
protection weapons! And also fight against governs who hides the high technology of new era!
--------------------

  Nice CD audio tracks grabber, this Easy CD-DA Extractor. From my many test results that in many
cases is better than WinDac 1.52 and absolutely (in copying after audio CD I mean) better than
Audio Catalyst 2.1. Ya, this results from tests; I really don't know why so many consider that
Catalyst is so great; I agree, is great at wav -> mp3 encoding, but not on copying from CD.
  Anyway let's crack this 4.2.0 version; it's very easy to crack but I do this for attracting
attention on this good grabber. If you deal with recording audio CD's it'a must!
  Now let's get over with it!

1. We see first nag, this with the words "Thank you for trying Easy CD...". Let's disassemble a
copy of ezcddax.exe -> y.exe with W32Dasm. Let's search (Alt-S-Enter); I found them at w32dasm
adress 4233FA and above, at line 4233F2 is je 423421, our jump. Let's modify this: hiew 229F2 -
- 74 -> EB. We test now, and what do you know? Nag is gone forever. Good. Next.

2. Now we encounter some words in w32dasm about expiration, line 423393 jbe 4233EA (our jump)
and words below: "This trial version has expired!". Let's modify for unexpiring: hiew 22993 -
- 76 -> EB. A small test, funny nothing seems to expire... OK!

3. Optional: words from url (with blue characters): "Click here to buy the full version". I found
that is nice to transform them in this: "Easy CD-DA extractor  Homepage". OK in this way?
Now hex is looking like this:
0019CDA8: 43 20
0019CDA9: 6C 20
0019CDAA: 69 45
0019CDAB: 63 61
0019CDAC: 6B 73
0019CDAD: 20 79
0019CDAE: 68 20
0019CDAF: 65 43
0019CDB0: 72 44
0019CDB1: 65 2D
0019CDB2: 20 44
0019CDB3: 74 41
0019CDB4: 6F 20
0019CDB5: 20 45
0019CDB6: 62 78
0019CDB7: 75 74
0019CDB8: 79 72
0019CDB9: 20 61
0019CDBA: 74 63
0019CDBB: 68 74
0019CDBC: 65 6F
0019CDBD: 20 72
0019CDBE: 66 20
0019CDBF: 75 20
0019CDC0: 6C 48
0019CDC1: 6C 6F
0019CDC2: 20 6D
0019CDC3: 76 65
0019CDC4: 65 70
0019CDC5: 72 61
0019CDC6: 73 67
0019CDC7: 69 65
0019CDC8: 6F 20
0019CDC9: 6E 20

  Ok, all seems to be OK! Bye now, see you!

----------------
Greets: tKC & CIA (nice guys!), to all crackers, PRO or newbies, all cracker
teams (keep going, we must eliberate from iudeo-masonic tirany, all must become
free), we are great guys, and nice too. I love you all but be a good soul!
Romanian Greets: Toate cele bune oamenilor inimosi din Romania! O sa vina si
zile mai bune! Incercati sa evoluati spiritual daca vreti sa fiti fericiti!
At last, but from all my heart: I love you Heavenly Father, I know you are with
me all the time! God is pure love!
Try this: www.geocities.com/john_aum   Incredible infos for YOUR EYES ONLY!
Critics, comments, anything at: johnny_aum@yahoo.com
---------------Sorry if my english is not perfect!------------------------------


                              How to keygen PC-Adreázz! v4.x
                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
                                     by M.o.D. [F2F]

tools used  :   - SoftIce 4.05  ( protools.cjb.net )
                - Delphi 5      ( for the Keygen   )
                - pen & paper   ( optional :)      )


Ok, lets start!

Click on "Extras" and "Registration". We see a nice Registerbox, where we can enter our name
and serial. Press Ctr+D to fire up SI and set a breakpoint on Hmemcpy ( bpx hmemcpy ). Leave
SI by pressing F5 and enter your name and as serial "1122334455". Press the OK-Button and
we're back in SI. Press F5 and we break again on "Hmemcpy". The programm grabbed our name
first and then our serial. Now press F12 14 times to go back to our target programm and then
press F5 and trace to line "4834A5".
You should see this code:

004834A5 E8FAC7FFFF  call 0047FCA4 -> calculates key & checks them :)
004834AA 5A          pop edx
004834AB 0AD0        or dl, al
004834AD 7422        je 004834D1   -> test if we're a good/bad user

Now clear your breakpoints ( bc * ) and set one at the keycheck-call ( bpx 4834A5 ). Press F5
to leave SI and press the Ok-Button in the RegistrationBox again. We break at line "4834A5".
Now press F8 to go inside the call. It's time to start understanding the keycalculation.
In SI we're at line "47FCA4". I will save some time. That means we can set a breakpint
at line "47FD22" ( bpx 47FD22 ). Here starts the real fun :)! Press F5 to leave SI and click
on the OK-Button again.
You should see the following code:

0047FD22 8B55FC      mov edx, dword ptr [ebp-04] -> type "d edx" & you see "PCA21"
0047FD25 E8CA40F8FF  call 00403DF4
0047FD2A 33DB        xor ebx, ebx
0047FD2C 8B45EC      mov eax, dword ptr [ebp-14] -> type "d eax"

If you typed "d eax" at line "0047FD2C" you see in the Data-Window "PCA21[our name]". That
means that our programm set "PCA21" for our name before the real key-calculation starts.
So we can note as first part of the keygen: paste "PCA21" before our name!
Now comes the real calculation ( sn & tmp are only for the explanation):

0047FD42 0FB64C01FF    movzx ecx, byte ptr [ecx+eax-01] -> character from "PCA21[our name]"
0047FD47 03C9          add ecx, ecx                     -> tmp=ascii-value*2
0047FD49 8D0CC9        lea ecx, dword ptr [ecx+8*ecx]   -> tmp=tmp*9
0047FD4C 03D9          add ebx, ecx                     -> sn=sn+tmp
0047FD4E 03D8          add ebx, eax
0047FD50 40            inc eax      -> go to the next character
0047FD51 4A            dec edx      -> edx contains length from "PCA21+Name"
0047FD52 75EB          jne 0047FD3F -> test if last character is reached

Ok, here we see the calculation from the first part of our key:
The programm takes the ascii-value from every character and multiplies the value with 18 and
adds every result for each character together.
The result is stored in EBX!
Now we trace to line "0047FD71".
We see this:

0047FD71 8DB3E0930400  lea esi, dword ptr [ebx+000493E0] -> add 300000 to EBX!

Remember that EBX contains the result of the calculation above. The programms add 300000 to
the result and we have the first part of the key :).
The second part of the key is calculated at line "0047FD93".
Code:

0047FD93 2D50850200  sub eax, 00028550 -> EAX contains first part of the key

The programm subtracts 165200 from the first part of our key and we have the second part.
Ok, we are nearly ready.
First the programm puts a "-" between the to parts of the key ("-"first part"-"second part).
Last part is that the programm puts "V4"+firswt letter before the two keyparts.
Sound a little bit strange, therefor an example:
name: M.o.D. ( you )
key : V4M-first part-second part (V4y-first part-second part)

Yeah, thats it. Programm successfully cracked :)!

Now comes the Delphi 5 source of the keycalculation:

////////////////////////////////////////// cut here /////////////////////////////////////////

procedure calculatekey;
var         i,sn,tmp       : integer;
            name           : String;
begin
//edit1.text contains the username
if length(edit1.text)=0 then
 begin
  // error that no name was entered
 end;
name:='PCA21'+edit1.text;
sn:=0;tmp:=0;
for i:=1 to length(name) do
 begin
  tmp:=ord(name[i])*18+i;
  sn:=sn+tmp;
 end;
sn:=sn+300000;
edit2.text:='V4'+edit1.text[1]+'-'+inttostr(sn)+'-'+inttostr(sn-165200);
end;

////////////////////////////////////////// cut end //////////////////////////////////////////

For questions and/or comments mail me : MoD_f2f@gmx.net

to be continued...

cu
M.o.D.

ps: english isn't my mother tongue!


    òòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòò
    òò    ____                     __       __           òòáë
    òò   /  _/_ _  __ _  ___  ____/ /____ _/ /           òò ëáë
    òò  _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /            òò ë ë
    òò /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/             òò ë ë
    òò   ____                          __          __    òò ë ë
    òò  / __ \___ ___ _______ ___  ___/ /__ ____  / /____òò ë ë
    òò / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<òò ë ë
    òò/_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/òò ë ë
    òò                                                   òò ë ë
    òò      Web: http://www.ImmortalDescendants.org      òò ë ë
    òò                Author: ACiD BuRN                  òò ë ë
    òò                Date: 23/05/2000                   òò ë ë
    òò         Topic: Adding function to a program!      òò ë ë
    òò               Level: intermediate                 òò ë ë
    òò                                                   òò ë ë
    òòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòò ë ë
      ëšššššššššššššššššššššššššššššššššššššššššššššššššššššë ë
        ëšššššššššššššššššššššššššššššššššššššššššššššššššššššë


        Reverse Engineering: Reversing my little exemple :)


tools used:
                - Soft ice 3.23 (best version for me :)
                - Hexeditor (hexworkshop or hview)
                - Wdasm32 8.9x
                - Procdump 1.6
                - a brain
                - Some good music :)

Note: I assume you know how to use this tools , else you gotta find some easy
tutorials that teach you how to use them and come back once your ready :)



Oh yeah , another tutor from your lil ACiD BuRN :) the frog is back from hell heh!
You may wonder where the heck i was...
Well , i don't have Internet anymore, phone bills get me this time :((
i won't be back online until 6 months or more..That sucks bigtime!
And the worse is that i am still sick (ill as hell since december)
Doctors don't even know what the fuck i got and my illness has since worsened..
Anyway , i'm trying to get back in cracking and reversing stuff!
I am back to kick some ass hehe :)
Info: I am finishing my keygen for the Official and *Final* CORE's Crackme!
Ph34R!

In this tut , i will show you how to add some new code to an app.
i have wrotte a lil reverse me for this tut!
It ain't a C++ or asm32 file!
This time it's a delphi32 exe! i choose this , coz it is full of garbage in it!
delphi does pretty big exe files! (i.e : one dialog and a button = 300kb!)
looks more real (like an application) than a 3kb asm file totaly clean!


So, when we run our target we can see one button in the form.
Push on it , and we see a messagebox telling us our Goal which is to kill the messagebox
and to make the button end the process instead of showing us this hint!
Of course, we ain't gonna redirect the action to a call on Exitprocess but we will add code
to the target instead!



1) Looking where to put a jmp to our new added code:



Disasm the target with wdasm32 and look in the string data references!
We'r looking for the msg it gives us when we press the button!
Ok , i think you found it and it looks like that :

-------------------------------Snip----------------------------

:0043F053 6A00                    push 00000000
:0043F055 6A00                    push 00000000
:0043F057 33C0                    xor eax, eax
:0043F059 55                      push ebp
:0043F05A 68A9F04300              push 0043F0A9
:0043F05F 64FF30                  push dword ptr fs:[eax]
:0043F062 648920                  mov dword ptr fs:[eax], esp
:0043F065 8D45FC                  lea eax, dword ptr [ebp-04]

* Possible StringData Ref from Code Obj ->"Rulez"
                                  |
:0043F068 BABCF04300              mov edx, 0043F0BC
:0043F06D E8DA48FCFF              call 0040394C
:0043F072 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"Kick the msgbox and add code to "
                                        ->"this exe to make the Button exit "
                                        ->"!"
                                  |
:0043F075 BACCF04300              mov edx, 0043F0CC
:0043F07A E8CD48FCFF              call 0040394C
:0043F07F 6A00                    push 00000000
:0043F081 FF75FC                  push [ebp-04]   ;'Rulez'
:0043F084 FF75F8                  push [ebp-08]   ;'Kick the msgbox and add code to ...'
:0043F087 6A00                    push 00000000

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F018(C)
|

* Reference To: user32.MessageBoxA, Ord:0000h
                                  |
:0043F089 E83275FCFF              Call 004065C0       ;call the messagebox!
:0043F08E 33C0                    xor eax, eax
:0043F090 5A                      pop edx
:0043F091 59                      pop ecx
:0043F092 59                      pop ecx
:0043F093 648910                  mov dword ptr fs:[eax], edx


Ok! so now what to do ?! we don't want the nag to come pissing us off and we want to redirect the
button on our new added code...


let's have a closer look near the messagebox and we see this:


:0043F075 BACCF04300              mov edx, 0043F0CC
:0043F07A E8CD48FCFF              call 0040394C
:0043F07F 6A00                    push 00000000
:0043F081 FF75FC                  push [ebp-04]  ;'Rulez'
:0043F084 FF75F8                  push [ebp-08]  ;'Kick the msgbox and add code to ...'
:0043F087 6A00                    push 00000000  ;why not puting a jmp here ?(to our code area)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043F018(C)
|

* Reference To: user32.MessageBoxA, Ord:0000h
                                  |
:0043F089 E83275FCFF              Call 004065C0       ;call the messagebox!
:0043F08E 33C0                    xor eax, eax



Ok, we have to redirect before the nag is shown, so we will patch on the push 00...
double click on the line ":0043F087 6A00        push 00000000 " and look the offset ...
We got it , it is 3E487.Writte it down on a paper we will use it later!





2)Finding where we are gonna put the new code!




Hexedit your file and go at the offset we have just found!
Go at 3E487 and start scrolling down.we'r looking for free space (i.e: place full of '00')
Scroll down 'till you see that:

---------------------- Snip --------------------------------------

0003E6D0  008B 15CC EE43 00E8 6CE5 FFFF A1D8 0B44 .....C..l......D
0003E6E0  008B 00E8 E0E5 FFFF E88F 44FC FF8D 4000 ..........D...@.
0003E6F0  0000 0000 0000 0000 0000 0000 0000 0000 ................
0003E700  0000 0000 0000 0000 0000 0000 0000 0000 ................
0003E710  0000 0000 0000 0000 0000 0000 0000 0000 ................
0003E720  0000 0000 0000 0000 0000 0000 0000 0000 ................
0003E730  0000 0000 0000 0000 0000 0000 0000 0000 ................
0003E740  0000 0000 0000 0000 0000 0000 0000 0000 ................
0003E750  0000 0000 0000 0000 0000 0000 0000 0000 ................
0003E760  0000 0000 0000 0000 0000 0000 0000 0000 ................

---------------------- Snip --------------------------------------

As you can see , we started to scroll down at 3E487 and we can see a place full of 00
not so far of it! Good...
So, where to add our code ? i propose the offset 3E700...
Ok , we will add new code at 3E700! and we will call this location with a jmp!
we already have the jmp emplacement! let's Rock :)
Good , we know where to put the jump , and where it must go! but hell, in soft ice
we can't put "jmp 3E487" so how to have the good place ?!
Easy.. Fire up procdump and use the PE editor! open our target and look the 1st section
Here , it's .Code...
We need some value like : virtual offset , Raw offset.

Here comes the formula:

Good place in memory = Imagebase + Virtual offset + offset we found - Raw offset
(note for dummies: use the windows calculator in scientist mode and select hex!)


give us:

400000 + 1000 + 3E700 - 400 = 43F300

Goody eheh! we got it :)




3)Setting the jump!




With your hexeditor go at 3E487 ( the place we will use to redirect...) and put a CC (int3)
we will use this to break at the good place in soft ice (there are several ways to break though)
Ctrl+D and sice is back :) put a "Bpint 3" and press F5 (Bpint 3 = break point on int 3h)
Run our target and we are back in soft ice!

you don't have to type the ' '.

Now enter 'A' and press 'enter'.
enter : 'jmp 43F300' press enter
you now see the hex of this jmp.It is "E9 74 02 00 00"
writte them down and now do this :

A eip "enter"
jmp eip "enter"
F5

this will make the app loop in memory... You may wonder why i do this.
It is simple. we redirected the app on a location filled with '00' and it was gonna Crash
like hell ehe!
We didn't patch the file yet , so better to make a infinite loop in memory and then
kill the process using Procdump!
Run procdump , right click on our target in the process list and click on 'kill Process'.
Done! process killed , no crash and we have the opcode of the jump!
Life is great heheh!

Now, we go back in our hex editor and we go at the offset where we are going to put
the jump (3E487).we see: CC00E83275FCFF ( originally it was : 6A00E83275FCFF).
CC = int 3 remember ?! hehe
So we patch here:

CC00E83275 become E974020000 ( the opcode we found with soft ice!)

Save your exe now! But don't run it , else it will crash miserably!
Still because of the redirection to '00' place!





4)Adding the NEW code :)


ok , the final part is to add the new code!
We have a free emplacement , but it just has '00'.
Here will come the code to add!
ermmmm, what the hell are we going to add to make it close the process ?!
hehe, time to be back in Wdasm and look for kernel32.ExitProcess in 'import references'
found it ? ok double click on it and we land here :



* Referenced by a CALL at Address:
|:00403859
|

* Reference To: kernel32.ExitProcess, Ord:0000h
                                  |
:0040122C FF2564214400            Jmp dword ptr [00442164]  <-- hmm , intresting!
:00401232 8BC0                    mov eax, eax




let's have a look at 403859:


* Reference To: kernel32.ExitProcess, Ord:0000h
                                  |
:00403859 E8CED9FFFF              Call 0040122C      <-- it calls the exitprocess function...


ok, it is enough for us ;)
we will use the line :

0040122C FF2564214400            Jmp dword ptr [00442164]

writte down the opcode on a paper: FF2564214400

now , back in the hex editor and go to the offset where we are going to add some code :)

0003E700  0000 0000 0000 0000 0000 0000 0000 0000 ................


you see this! 1st before writting the code of the jump to the exitprocess function
we have to put a 'push 00'! opcode is '6A00'

so it becomes:

0003E700  6A00 FF25 6421 4400 0000 0000 0000 0000 j..%d!D.........


(for dummies: 000000000000 become FF2564214400)

Save your target and run it... Press the button and enjoy!
WOW! it closed the fucker :) hehe
we did it , the button doesn't show us that ugly messagebox but exit the app instead!
Rulez :)


This tutorial is over and i hope you learnt something from it...
I don't think it is too hard to understand for the newbies too
Anyway , as i don't have internet anymore, don't mail me your question coz i don't
know when i would read them!
But Go on #Cracking4newbies and go nag an OP there ;-Ý
i don't say nick of the ones who can help you hehe, i don't wanna have some problems :)
But , if you want to send feedbacks , no problem! just do it :) hehehe


This tutorial is dedicated to my girly!
Celine , you own me!:)


Greets fly out to:

no specific order)

CyberBlade,R!SC , ^INFeRNo^ , AB4DS , Klefz , Volatility ,
TORN@DO , T4D , Jeff , [Virus] , JaNe , Appbusta , Duelist , tKC , BuLLeT ,
Lucifer48 , MiZ , DnNuke , Bjanes , Skymarshall , afkayas , elmopio ,
SiFLyiNG , Fire Worx , CrackZ , neural_en , WarezPup , _y , SiONIDE ,
SKORPIEN , Lazarus , Eternal_Bliss , Magic Raphoun , DEZM , Bisoux ,
Carpathia , K17 , theMc , noos , Xmen , TeeJi , JB007 , Arobas , T0AD , ytc ,
Kwai_lo , Killer_3K , TaMaMBoLo , gizmo , Gota , ExtaBrain , Alpine ,
WarezPup , zoltan , [yAtes] , TarGon , Icecream , Punkguy2 , Sortof ,
TRDdonjuan , Lord Soth , Judged , G-Rom , Quantico , Christal , psike , Leo0n ,
Albator , +Spath , +Frog's Print , toutim , Pulsar , Night , psike , Uno , F|SH ,
Lixus , LosT , RD-116 , Ben0 , Whizkid , [MandKind] , alpine , Alsindor ,
Stone , Elraizer , Fravia+ , Iczelion , nody , Asphalt , Rhythm ,
rudeboy , X-Calibre , Cirus , shaoni...
...
"Put your name here! :P" ...



last words:

i hope i will finish to keygen that goddamn CORE official Crackme i am working on!
hehehe ;)

last words2:

hehe , CORE crackme Keygened ;)
i worked on it all the night and this morning as well.. And guess what ?! i got it eheh
Took me Ages to keygen it , but i own it now ;) Keygen Works on all Puters i tested it on!
(4 PC!)
Ph34r! and enjoy The day ;)


Take Care,


                        ACiD BuRN [Immortal Descendants / ECLiPSE ]


    òòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòò
    òò    ____                     __       __           òòáë
    òò   /  _/_ _  __ _  ___  ____/ /____ _/ /           òò ëáë
    òò  _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /            òò ë ë
    òò /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/             òò ë ë
    òò   ____                          __          __    òò ë ë
    òò  / __ \___ ___ _______ ___  ___/ /__ ____  / /____òò ë ë
    òò / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<òò ë ë
    òò/_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/òò ë ë
    òò                                                   òò ë ë
    òò      Web: http://www.ImmortalDescendants.org      òò ë ë
    òò                Author: ACiD BuRN                  òò ë ë
    òò                Date: 24/05/2000                   òò ë ë
    òò         Topic: Keygening MP3 Explorer 3.2         òò ë ë
    òò               Level: beginners                    òò ë ë
    òò                                                   òò ë ë
    òòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòò ë ë
      ëšššššššššššššššššššššššššššššššššššššššššššššššššššššë ë
        ëšššššššššššššššššššššššššššššššššššššššššššššššššššššë



tools used:
                - Soft ice 3.23 (best version for me :)
                - a C++ compiler
                - a brain
                - Some good music :)

Note: I assume you know how to use this tools , else you gotta find some easy
tutorials that teach you how to use them and come back once your ready :)


Oh yeah , another tutor from your lil ACiD BuRN :) the frog is back from hell heh!
Ok, looks like i am finally back in cracking and reversing stuff hehe ;)
After a goddamn long time without doing anything coz of my illness ( which isn't fixed thought)
i am ready to make others tutorials :)
Enough blabla! let's Rock :)
oh by the way , i keygened CORE trial CrackMe :p


I'm gonna teach you a good way to keygen many shits!
using BPR can help you a lot in keygening, you will see :)


1)Let's Rock


Run mp3 explorer and go in the '?' menu and look in about:)
Here is a place to enter name/serial hehe!
enter name: ACiD BuRN
enter code: 12321

in fact, the bpr technic will put us directly in the generation part of the algo!
without tracing like a fool :)
look that:

Put a bpx on GetWindowtextA and press on the OK button!
Soft ice pop up! Break due to BPX USER32!GETWINDOWTEXTA ..
btw don't press anything! (i.e: F11 or F12)
we're gonna look the stack parameter.for a best lisibility , we will look dword (command = dd)
so , in soft ice: dd esp
Why that ?! huh


"dd" means: display dword and "esp" is the stack pointer!
After pressing "dd esp", the Soft-ice's window change and we can see the parameters :


xxxx:yyyyyyyy  A     B     C     D  ................
xxxx:yyyyyyyy  E     F     G     H  ................


Where A,B,C,D,E... look like:  XXXXXXXX (Of course XXXXXXXX are some numbers hehe)

You should see something like that:

xxxx:yyyyyyyy   0044423B        00000464        015DB338        0000000A  ...........

We will only use this :)

(As you noticed, here A=0044423B , B=00000464, C= 015DB338...)
We can see here the adress where our name ends (015DB338).

type D "adress where the name ends"
For example here is is: D 015DB338


Now , you can press F11 and you should see the name at the address we looked
(where the name ended...)
Good, we are on the good way eheh!

We're gonna put a BPR (break on memory range).
this kind of BP works like this:

bpr "start adress" "end address" RW

RW means:  Read and write.
So, it's gonna stop when something is reading or writting in this adress!

So, under Soft-ice, type this:
bpr 015DB338 015DB338 + (length of the name - 1) RW

ACiD BuRN (length: 9 -> 9 - 1 = 8)
In our target, for ACiD BuRN , we type this :

bpr 15DB338 015DB338+8 RW

Now , you can disable our bpx on getwindowtextA! ( bd 0 )
You just have to press F5 and we will land in directly in the algo :)
well , on this app , not directly , we land in the dll so keep pressing F5 till you are
in DLLs :)

'Coz, we don't give a flying fuck of them :p

Once you are in the App, we are in the good place! and algo starts there :
look my winice.log

----------------------SNiP----- SNiP----- SNiP----------------------------


:bpx getwindowtexta
Break due to BPX USER32!GetWindowTextA  (ET=1.17 seconds)
:dd esp
:d 15f5a18
Break due to G (ET=268.99 microseconds)
:bpr 15f5a18 15f5a18+8 RW
:bd 0
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
Break due to BPR #0267:015F5A18 #0267:015F5A20 RW
:u eip l 50

comment: here comes the first loop:

025F:0040A173  8B442420            MOV     EAX,[ESP+20]  ; EAX contains the adress of my name
025F:0040A177  0FBE0C06            MOVSX   ECX,BYTE PTR [EAX+ESI] ; ECX = hex value of 1st char
025F:0040A17B  51                  PUSH    ECX
025F:0040A17C  E8E9BB0100          CALL    00425D6A      ; intresting!
025F:0040A181  83C404              ADD     ESP,04
025F:0040A184  03E8                ADD     EBP,EAX      ; add ascii value in hex to EBP
025F:0040A186  46                  INC     ESI          ; next char!
025F:0040A187  3BF7                CMP     ESI,EDI      ; All chars done ?!
025F:0040A189  7CE8                JL      0040A173     ; no, jmp start!


025F:0040A18B  8B4C240C            MOV     ECX,[ESP+0C]         /
025F:0040A18F  BAC0D40100          MOV     EDX,0001D4C0        /
025F:0040A194  2BD5                SUB     EDX,EBP            /   we will look that
025F:0040A196  33C0                XOR     EAX,EAX           /    after!
025F:0040A198  3BCA                CMP     ECX,EDX          /
025F:0040A19A  8D4C2420            LEA     ECX,[ESP+20]    /
025F:0040A19E  0F94C0              SETZ    AL             /


So, we see that it takes ascii value of each chars and add them in EBP.
But there is a Call which looks intresting! let's have a closer look in it :

:u eip l 50

025F:00425D6A  53                  PUSH    EBX
025F:00425D6B  33DB                XOR     EBX,EBX         ; EBX=0
025F:00425D6D  391D74344800        CMP     [00483474],EBX
025F:00425D73  7513                JNZ     00425D88
025F:00425D75  8B442408            MOV     EAX,[ESP+08]  ;move ascii value in EAX
025F:00425D79  83F861              CMP     EAX,61        ;compare it to 61h
025F:00425D7C  7C59                JL      00425DD7      ;less than 61? jump to 425DD7
025F:00425D7E  83F87A              CMP     EAX,7A        ;compare it to 7A
025F:00425D81  7F54                JG      00425DD7  ;greater than 7A? jump to 425DD7
025F:00425D83  83E820              SUB     EAX,20    ;less than 7A but greater than 61 (eax-20)
025F:00425D86  5B                  POP     EBX
025F:00425D87  C3                  RET               ;ret! come out of the call!
025F:00425D88  56                  PUSH    ESI
025F:00425D89  BE88484800          MOV     ESI,00484888
025F:00425D8E  57                  PUSH    EDI
025F:00425D8F  56                  PUSH    ESI



Ok , so what's goin' on ?!
Well it compares the char to 61 , 7A!
61h = a and 7Ah = z  if it is less than 7A but greater than 61 it substract 20 to it
Well , this is just making all the chars in uppercase!
So the serial for ACiD BuRN will be the same than for Acid Burn , acid burn, ACID burn...
So what does the main loop ?
Convert in uppercase and then add ascii value to EBP...
Do all Chars and then we land here:

025F:0040A18B  8B4C240C            MOV     ECX,[ESP+0C]   ; ECX = our fake entered serial
025F:0040A18F  BAC0D40100          MOV     EDX,0001D4C0   ; EDX = 1D4C0h = 12000
025F:0040A194  2BD5                SUB     EDX,EBP        ; EDX = EDX - EBP
025F:0040A196  33C0                XOR     EAX,EAX        ; EAX = 0
025F:0040A198  3BCA                CMP     ECX,EDX        ; Compare fake serial to good one
025F:0040A19A  8D4C2420            LEA     ECX,[ESP+20]
025F:0040A19E  0F94C0              SETZ    AL

it is clear enough!
So the algo is:

- convert all chars to uppercase
- add all ascii value
- Substract the result of ascii added to 12000


Now ,you can easily code a keygen for MP3 Explorer!
As usual , i am gonna give you the source of a working Keygen coded by me :)
No more Visual basic ( i was lazy hehehe!) here it is C++ + inline asm :)


-------------------------start of my source---------------------------------

#include <stdio.h>
#include <string.h>
#include <conio.h>

int main(){
    int i,len;

    unsigned char name[100];

    unsigned long check=128;

    printf("\Mp3 Explorer Keygen By : ACiD BuRN [Immortal descendants] \n ");
    printf("\__________________________________________________________");
    printf("\nEnter name: ");
    gets(name);
    len=strlen(name);

asm
{
       xor ecx, ecx
       xor edi, edi
       mov edx, [len]

start1:
       movsx eax, [name+ecx]
       cmp eax, 97
       jl temp1
       cmp eax, 122
       jg temp1
       sub eax, 32

temp1:
       add edi, eax
       inc ecx
       cmp ecx, edx
       jne start1

       mov eax, 120000
       sub eax, edi
       mov [check], eax

}

    printf("=: %lu" ,check); /* %lu = decimal, check = serial */
    printf("\nEnjoy!");
getch();
return 0;

}

----------------------------end of my source---------------------------------

Info:

if you compil this keygen it will works but if you enter a name with
accents ie: fr‚d‚ric or C‚dric ... the given serial won't work..
Why that ? i dunno ... looks like the compiler fuck up a bit the code hehe
Because if you compil this algo in a 32 bits GUI Keygen it will works for evername!
But hell! i ain't gonna give you my C++ template :p hehe :)




This tutorial is over and i hope you learnt something from it...
btw , as i don't have internet anymore, don't mail me your question coz i don't
know when i would read them!
But Go on #Cracking4newbies and go nag an OP there ;-Ý


This tutorial is dedicated to my girly!
Celine , you own me!:)


Greets fly out to:

no specific order

CyberBlade,R!SC , ^INFeRNo^ , AB4DS , Klefz , Volatility ,
TORN@DO , T4D , Jeff , [Virus] , JaNe , Appbusta , Duelist , tKC , BuLLeT ,
Lucifer48 , MiZ , DnNuke , Bjanes , Skymarshall , afkayas , elmopio ,
SiFLyiNG , Fire Worx , CrackZ , neural_en , WarezPup , _y , SiONIDE ,
SKORPIEN , Lazarus , Eternal_Bliss , Magic Raphoun , DEZM , Bisoux ,
Carpathia , K17 , theMc , noos , Xmen , TeeJi , JB007 , Arobas , T0AD , ytc ,
Kwai_lo , Killer_3K , TaMaMBoLo , gizmo , Gota , ExtaBrain , Alpine ,
WarezPup , zoltan , [yAtes] , TarGon , Icecream , Punkguy2 , Sortof ,
TRDdonjuan , Lord Soth , Judged , G-Rom , Quantico , Christal , psike , Leo0n ,
Albator , +Spath , +Frog's Print , toutim , Pulsar , Night , psike , Uno , F|SH ,
Lixus , LosT , RD-116 , Ben0 , Whizkid , [MandKind] , alpine , Alsindor ,
Stone , Elraizer , Fravia+ , Iczelion , nody , Asphalt , Rhythm ,
rudeboy , X-Calibre , Cirus , shaoni...
...
"Put your name here! :P" ...




Take Care,


                        ACiD BuRN [Immortal Descendants / ECLiPSE ]


    òòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòò
    òò    ____                     __       __           òòáë
    òò   /  _/_ _  __ _  ___  ____/ /____ _/ /           òò ëáë
    òò  _/ //  ' \/  ' \/ _ \/ __/ __/ _ `/ /            òò ë ë
    òò /___/_/_/_/_/_/_/\___/_/  \__/\_,_/_/             òò ë ë
    òò   ____                          __          __    òò ë ë
    òò  / __ \___ ___ _______ ___  ___/ /__ ____  / /____òò ë ë
    òò / /_/ / -_|_-</ __/ -_) _ \/ _  / _ `/ _ \/ __(_-<òò ë ë
    òò/_____/\__/___/\__/\__/_//_/\_,_/\_,_/_//_/\__/___/òò ë ë
    òò                                                   òò ë ë
    òò      Web: http://www.ImmortalDescendants.org      òò ë ë
    òò                Author: ACiD BuRN                  òò ë ë
    òò                Date: 11/06/2000                   òò ë ë
    òò         Topic: Dongle Hunting                     òò ë ë
    òò                                                   òò ë ë
    òò                                                   òò ë ë
    òòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòòò ë ë
      ëšššššššššššššššššššššššššššššššššššššššššššššššššššššë ë
        ëšššššššššššššššššššššššššššššššššššššššššššššššššššššë


                *Dongle* Hunting tutorial by ACiD BuRN


        How to UNdongle Autodesk AUTOCAD 14 French version!

--------------------------------------------------------------
-RATING:  ( )Beginner (x)Intermediate (X)Advanced ( )Expert  -
-                                                            -
-Although it is more Intermediate than Advanced, finding a   -
-breakpoint and then handling it make it a bit advanced.     -
-I don't consider this as difficult anyway.....              -
--------------------------------------------------------------


tools of the trade:

Soft ice 3.x (what else??)
Your own favorite hex-editor (as always i use Hexworkshop)
Asm knowledge (at least the basis)
Wdasm89 (not really needed though)
A brain (you've got one , don't you ? :p )
Some beers :O ( in case of disassembling 'coz it's pretty long!)
Some music ;)


History:

I cracked this app a long time ago...
It was hard for me and it took me several days.The harder part was to
break at the Dongle Check place and i didn't do like i will teach you!
It was a more dodgy way ...  ;O
I cracked it like a moron and it sometimes crashed huh!
A few days ago , i was finishing another keygen and i was kinda bored.
So, i thought about doing other thing than keygen! What about that
dodgy Autocad 14 ?! doh!, it is Dongle protected!
i Phear Dongle coz i don't have lotta practices on them...
BTW, Dongle are the most expensive protection outta here!
this apps cost about 7000 $ ouuuuuuuuuch heheh!

Let's Crack this babe :)

BTW,I cracked it the good way in about 2 hours (including disassembling
: the longest part :p) this time and NO MORE crash ;)



1)Ride the fucker :)

Ok.. Let's look at this target, I start to install which was very
slow ..
Damn CD! supposed to be pretty fast heh! Once it is installed go in
the target directory.there is an executable Acad.exe and lotta dll
files...
I ran the target and yes in came alive by showing me a messagebox
telling us:

 "ERREUR FATALE : Le system de securit‚(verrouillage materiel..."

It is in french , it means:

 "FATAL ERROR : security system is missing! blablabla"

Well, it nag us 'coz that shitty piece of hardware (*Dongle*) is
missing! hahah ;)

ok... let's get have a deeper look ;)
I fired up softice and set the usual breakpoint on LPT1:
(BPIO -H 378 R). We land here :


0028:CE5AA885  88442405          MOV     [ESP+05],AL       ; here.
0028:CE5AA889  66C746680100      MOV     WORD PTR [ESI+68],0001
0028:CE5AA88F  8A442405          MOV     AL,[ESP+05]
0028:CE5AA893  884615            MOV     [ESI+15],AL
0028:CE5AA896  884614            MOV     [ESI+14],AL
0028:CE5AA899  5E                POP     ESI
0028:CE5AA89A  83C404            ADD     ESP,04
0028:CE5AA89D  C3                RET
0028:CE5AA89E  CC                INT     3
0028:CE5AA89F  CC                INT     3
0028:CE5AA8A0  83EC04            SUB     ESP,04
0028:CE5AA8A3  56                PUSH    ESI
0028:CE5AA8A4  8B74240C          MOV     ESI,[ESP+0C]
0028:CE5AA8A8  56                PUSH    ESI
0028:CE5AA8A9  E832000000        CALL    CE5AA8E0
0028:CE5AA8AE  668B465C          MOV     AX,[ESI+5C]
0028:CE5AA8B2  83C404            ADD     ESP,04
0028:CE5AA8B5  6689442406        MOV     [ESP+06],AX
0028:CE5AA8BA  8A4658            MOV     AL,[ESI+58]
0028:CE5AA8BD  243F              AND     AL,3F
0028:CE5AA8BF  88442405          MOV     [ESP+05],AL
0028:CE5AA8C3  8A442405          MOV     AL,[ESP+05]
0028:CE5AA8C7  668B542406        MOV     DX,[ESP+06]
0028:CE5AA8CC  EE                OUT     DX,AL
0028:CE5AA8CD  5E                POP     ESI
0028:CE5AA8CE  83C404            ADD     ESP,04
0028:CE5AA8D1  C3                RET


We are in the chat_to_dongle routine and if we look below the data
section , we see: SENTINELXXX...
huh, where the fuck are we ?!
You prolly know than there are several companys out here who provide
dongle protection like:
Hasp, Sentinel, DesKEY, Activator/Unikey and many others.

So, we can conclude that we are dealing with a SENTINEL dongle!
We are in the SENTINEL.VXD file...
back to the essay , we landed here :

0028:CE5AA885  88442405            MOV     [ESP+05],AL   ;  here..
0028:CE5AA889  66C746680100        MOV     WORD PTR [ESI+68],0001
0028:CE5AA88F  8A442405            MOV     AL,[ESP+05]
0028:CE5AA893  884615              MOV     [ESI+15],AL
0028:CE5AA896  884614              MOV     [ESI+14],AL


we want to see the call that is responsible for the execution so we
have to hit 3 or 4 times F12 and we now are here:


0028:CE5B35D6  50            PUSH    EAX
0028:CE5B35D7  55            PUSH    EBP
0028:CE5B35D8  57            PUSH    EDI
0028:CE5B35D9  E8D2FEFFFF    CALL    CE5B34B0    ; our call :)
0028:CE5B35DE  C06C241F01    SHR     BYTE PTR [ESP+1F],01  ;back here.
0028:CE5B35E3  83C40C        ADD     ESP,0C
0028:CE5B35E6  0AD8          OR      BL,AL
0028:CE5B35E8  664E          DEC     SI
0028:CE5B35EA  75E1          JNZ     CE5B35CD
0028:CE5B35EC  C0EB01        SHR     BL,01
0028:CE5B35EF  6A64          PUSH    64
0028:CE5B35F1  57            PUSH    EDI
0028:CE5B35F2  E8C979FFFF    CALL    CE5AAFC0
0028:CE5B35F7  8A44241B      MOV     AL,[ESP+1B]
0028:CE5B35FB  83C408        ADD     ESP,08
0028:CE5B35FE  2401          AND     AL,01
0028:CE5B3600  50            PUSH    EAX
0028:CE5B3601  55            PUSH    EBP
0028:CE5B3602  57            PUSH    EDI
0028:CE5B3603  E8A8FEFFFF    CALL    CE5B34B0
0028:CE5B3608  83C40C        ADD     ESP,0C
0028:CE5B360B  0AD8          OR      BL,AL
0028:CE5B360D  66BE0300      MOV     SI,0003
0028:CE5B3611  6A64          PUSH    64
0028:CE5B3613  C06C241701    SHR     BYTE PTR [ESP+17],01
0028:CE5B3618  57            PUSH    EDI


IN the CALL:

0028:CE5B35D6  50                  PUSH    EAX
0028:CE5B35D7  55                  PUSH    EBP
0028:CE5B35D8  57                  PUSH    EDI
0028:CE5B35D9  E8D2FEFFFF          CALL    CE5B34B0
0028:CE5B35DE  C06C241F01          SHR     BYTE PTR [ESP+1F],01
0028:CE5B35E3  83C40C              ADD     ESP,0C
0028:CE5B35E6  0AD8                OR      BL,AL
0028:CE5B35E8  664E                DEC     SI
0028:CE5B35EA  75E1                JNZ     CE5B35CD
0028:CE5B35EC  C0EB01              SHR     BL,01
0028:CE5B35EF  6A64                PUSH    64
0028:CE5B35F1  57                  PUSH    EDI
0028:CE5B35F2  E8C979FFFF          CALL    CE5AAFC0
0028:CE5B35F7  8A44241B            MOV     AL,[ESP+1B]
0028:CE5B35FB  83C408              ADD     ESP,08
0028:CE5B35FE  2401                AND     AL,01
0028:CE5B3600  50                  PUSH    EAX
0028:CE5B3601  55                  PUSH    EBP
0028:CE5B3602  57                  PUSH    EDI
0028:CE5B3603  E8A8FEFFFF          CALL    CE5B34B0
0028:CE5B3608  83C40C              ADD     ESP,0C
0028:CE5B360B  0AD8                OR      BL,AL
0028:CE5B360D  66BE0300            MOV     SI,0003
0028:CE5B3611  6A64                PUSH    64
0028:CE5B3613  C06C241701          SHR     BYTE PTR [ESP+17],01
0028:CE5B3618  57                  PUSH    EDI
0028:CE5B3619  E8A279FFFF          CALL    CE5AAFC0
0028:CE5B361E  83C408              ADD     ESP,08
0028:CE5B3621  C0EB01              SHR     BL,01
0028:CE5B3624  8A442413            MOV     AL,[ESP+13]
0028:CE5B3628  2401                AND     AL,01
0028:CE5B362A  50                  PUSH    EAX
0028:CE5B362B  55                  PUSH    EBP
0028:CE5B362C  57                  PUSH    EDI
0028:CE5B362D  E87EFEFFFF          CALL    CE5B34B0
0028:CE5B3632  C06C241F01          SHR     BYTE PTR [ESP+1F],01
0028:CE5B3637  83C40C              ADD     ESP,0C
0028:CE5B363A  0AD8                OR      BL,AL
0028:CE5B363C  664E                DEC     SI
0028:CE5B363E  75E1                JNZ     CE5B3621
0028:CE5B3640  6A05                PUSH    05
0028:CE5B3642  80E380              AND     BL,80
0028:CE5B3645  68DF000000          PUSH    000000DF
0028:CE5B364A  57                  PUSH    EDI
0028:CE5B364B  FF5718              CALL    [EDI+18]
0028:CE5B364E  83C40C              ADD     ESP,0C
0028:CE5B3651  B900000000          MOV     ECX,00000000
0028:CE5B3656  80FB01              CMP     BL,01
0028:CE5B3659  5D                  POP     EBP
0028:CE5B365A  83D1FF              ADC     ECX,-01
0028:CE5B365D  5F                  POP     EDI
0028:CE5B365E  6683E103            AND     CX,03
0028:CE5B3662  5E                  POP     ESI
0028:CE5B3663  668BC1              MOV     AX,CX
0028:CE5B3666  5B                  POP     EBX
0028:CE5B3667  83C404              ADD     ESP,04
0028:CE5B366A  C3                  RET

okay, now having a look at the code below won't help us a lot :(
i have seen several dongles essay that are almost done when we do the
step we did!
i mean , sometimes after the call we have a dodgy CMP register, value
if_dongle_plugged and jmp_beggar_off if not equal setting a bad boy
flag ...
Anyway , we ain't lucky, this won't be that simple! After playing a
bit with this code ( tracing the call , looking for some compare
routine) i pressed F12 some times more but couldn't find anything
really good!
BTW , i couldn't get out of this motherfucking Sentinel VXD!
Keep pressing F12 didn't change anything!
That goddamn VXD was kinda driving me nuts ....
I want to come back in the Acad.exe! i ain't going to crack the Dongle
driver 'coz most of the time the weakness in dongles protection is in
the target himself!

i tryed BPIO -h 378 R
let's try the other breakpoints on I/O-port :

 378   already tested
 3BC   this one ;)
 278   and this one too ;o)

okay , fire up the app and it didn't break at all ;( oh my god!


How the fuck i'm gonna attack this target ???!

                **********************
                * Dura lex , sed lex *
                **********************

I also tryed bpx CreateFileA since it is a VXD but didn't get me far..
Well , why not disassembling it , with some luck the error message
will be in the string data references (don't dream too much! it ain't
gonna be there :p)
Now you can use your liters of beer as i told you in the tools section
;) 'coz it's gonna take age to disassemble! that's why i didn't
used IDA!
BTW , our target executable file is about: 7,24 mb!
Okay, we now understand why it is pretty long..

zZZzZZZzzzZZz buuuuuurp :p ZZzzzZZz burp damn this beer ROcks ;)

ok, after a LOOOOONG time the target has been disassembled!
FIRST, save the result! we ain't gonna wait again , are we ?
If you computer crash or something , your going to wait again! and to
be drunk aswell heheh!
Done ? ok good

So, with fool hope, we look in the string data reference and seek for
our "The shitty piece of harware ain't found!" phrase...
heheh bad luck , can't be found :p i already knew that though.
Ermmm, ok come on think a bit! how can we attack it now ?
What about looking in Import references to see what the dongle use :)
We could find a "l33t0" API to break on it!
hehe, i can't see anything good in USER, lets have a look at Kernel..

GOOOOOOOOD :) i found something kinda intresting :

DeviceIoControl

Never seen this before , but the name sounds pretty good, doesn't it ?
hehe! kick all our old Breakpoits by doing: 'bc *' in soft ice and do:
BPX DeviceIocontrol

Now fire up our target!
rOXXXxxxx , it broke ;) press F12 to get out of the DLL and we are in
ACAD.exe :)
hehe, let's ride the byte now ...

looking the code around , i pressed F12 sometimes 'till i was at
THE FUCKING GOOOD place hehe!
here comes a part of my winice.log :


:bl
00) BPX KERNEL32!DeviceIoControl   // Damn good :)


Break due to BPX KERNEL32!DeviceIoControl
Break due to BPX KERNEL32!DeviceIoControl
Break due to BPX KERNEL32!DeviceIoControl
Break due to BPX KERNEL32!DeviceIoControl
Break due to BPX KERNEL32!DeviceIoControl
Break due to BPX KERNEL32!DeviceIoControl

// you here see how many times i broke in the app before landing IN
// the good place ..
// when you run the target with this bpx , you press F5 3 times and
// then it run a bit to break again ;) 2 others more F5 hiting and
// you land here :


025F:0098B1AF  668B442402      MOV     AX,[ESP+02] ; EAX = some value.
025F:0098B1B4  83C404          ADD     ESP,04
025F:0098B1B7  C20800          RET     0008
025F:0098B1BA  8D9B00000000    LEA     EBX,[EBX+00000000]
025F:0098B1C0  33C0            XOR     EAX,EAX
025F:0098B1C2  8A442408        MOV     AL,[ESP+08]
025F:0098B1C6  83F801          CMP     EAX,01
025F:0098B1C9  7415            JZ      0098B1E0
025F:0098B1CB  83F802          CMP     EAX,02
025F:0098B1CE  7456            JZ      0098B226
025F:0098B1D0  83F803          CMP     EAX,03
025F:0098B1D3  0F8497000000    JZ      0098B270
025F:0098B1D9  C20800          RET     0008


// After the RET we land here :


025F:006ABE9A  0FBFC0              MOVSX   EAX,AX   ; erm :)
025F:006ABE9D  83F8FF              CMP     EAX,-01  ; is EAX = FFFF ?!
025F:006ABEA0  7405                JZ      006ABEA7 ; yeah jump 6abea7
025F:006ABEA2  25FFFF0000          AND     EAX,0000FFFF
025F:006ABEA7  5F                  POP     EDI
025F:006ABEA8  C3                  RET     ; return ....


// the most important part here :


025F:006ABD94  83C404              ADD     ESP,04
025F:006ABD97  85C0                TEST    EAX,EAX
025F:006ABD99  7C36                JL      006ABDD1
025F:006ABD9B  8D44240C            LEA     EAX,[ESP+0C]
025F:006ABD9F  50                  PUSH    EAX
025F:006ABDA0  E8DB000000          CALL    006ABE80
025F:006ABDA5  83C404              ADD     ESP,04
025F:006ABDA8  85C0                TEST    EAX,EAX
025F:006ABDAA  7C25                JL      006ABDD1
025F:006ABDAC  686071A700          PUSH    00A77160
025F:006ABDB1  E8CA000000          CALL    006ABE80
025F:006ABDB6  83C404              ADD     ESP,04
025F:006ABDB9  85C0                TEST    EAX,EAX
025F:006ABDBB  7C14                JL      006ABDD1
025F:006ABDBD  68F470A700          PUSH    00A770F4
025F:006ABDC2  E8B9000000          CALL    006ABE80
025F:006ABDC7  83C404              ADD     ESP,04
025F:006ABDCA  3DFDDC0000          CMP     EAX,0000DCFD ;is eax= DCFD?
025F:006ABDCF  7408                JZ      006ABDD9     ; yeah! dongle
025F:006ABDD1  47                  INC     EDI          ; plugged :)
025F:006ABDD2  83FF04              CMP     EDI,04
025F:006ABDD5  7EA3                JLE     006ABD7A
025F:006ABDD7  EB17                JMP     006ABDF0     ;NAH you fuck.
025F:006ABDD9  8B0D8871A700        MOV     ECX,[00A77188] ;dongle here
025F:006ABDDF  6633F6              XOR     SI,SI
025F:006ABDE2  A18471A700          MOV     EAX,[00A77184]
025F:006ABDE7  8B1481              MOV     EDX,[EAX*4+ECX]
025F:006ABDEA  C70202000000        MOV     DWORD PTR [EDX],00000002
025F:006ABDF0  8B0D8471A700        MOV     ECX,[00A77184]  ;no dongle:/
025F:006ABDF6  A18871A700          MOV     EAX,[00A77188]
025F:006ABDFB  8B1488              MOV     EDX,[ECX*4+EAX]
025F:006ABDFE  8D0C88              LEA     ECX,[ECX*4+EAX]
025F:006ABE01  8B1D8471A700        MOV     EBX,[00A77184]
025F:006ABE07  8B02                MOV     EAX,[EDX]
025F:006ABE09  35A9B50000          XOR     EAX,0000B5A9
025F:006ABE0E  03C3                ADD     EAX,EBX
025F:006ABE10  A3A471A700          MOV     [00A771A4],EAX
025F:006ABE15  8B11                MOV     EDX,[ECX]
025F:006ABE17  833A00              CMP     DWORD PTR [EDX],00
025F:006ABE1A  752F                JNZ     006ABE4B
025F:006ABE1C  E81F010000          CALL    006ABF40
025F:006ABE21  35A9B50000          XOR     EAX,0000B5A9
025F:006ABE26  3D564AFFFF          CMP     EAX,FFFF4A56
025F:006ABE2B  741E                JZ      006ABE4B

--------------------------- 8< ---------------------- snipped :p


Ok, first i thought about changing the :

025F:006ABDCA  3DFDDC0000    CMP     EAX,0000DCFD ; is eax= DCFD ?
025F:006ABDCF  7408          JZ      006ABDD9  ; yeah! dongle plugged

IN:


025F:006ABDCA  3DFDDC0000    CMP   EAX,0000DCFD
025F:006ABDCF  EB08          JMP   006ABDD9 ;who care of EAX i jump :p


but look like the value in EAX is important coz it started to run and
crashed like a bitch :(
We can also see lot of stuff with eax register after the comparaison
and the check might be called several times!
okay, what we have to do is to force EAX to be equal to: DCFD

note for morons who wonder why EAX must be equal to DCFD:
didn't you see that: CMP EAX,0000DCFD ?????! damn it :p
ok now it is clear for everyone!

where the heck are we going to patch our target ?
Remember the place where one value was placed to AX ?
let me refresh your memory with the code snipet below:



025F:0098B1AF  668B442402      MOV     AX,[ESP+02] ; EAX = some value.
025F:0098B1B4  83C404          ADD     ESP,04
025F:0098B1B7  C20800          RET     0008
025F:0098B1BA  8D9B00000000    LEA     EBX,[EBX+00000000]
025F:0098B1C0  33C0            XOR     EAX,EAX
025F:0098B1C2  8A442408        MOV     AL,[ESP+08]
025F:0098B1C6  83F801          CMP     EAX,01
025F:0098B1C9  7415            JZ      0098B1E0
025F:0098B1CB  83F802          CMP     EAX,02
025F:0098B1CE  7456            JZ      0098B226
025F:0098B1D0  83F803          CMP     EAX,03
025F:0098B1D3  0F8497000000    JZ      0098B270
025F:0098B1D9  C20800          RET     0008


'oh yeah! that place' you may say!
*SLAP*!

heheh, so we just gotta make EAX=DCFD for ever and this code become:

66B8FDDC       MOV     AX,DCFD ;  you know what this do, don't you ;)
90             NOP             ;  one NOP not to mess the code up!
C20800         RET     0008    ;  don't change

.......

okay , simple isn't it ?
BTW when you patch do not forget to reverse the byte order
ie: B8FDCD for CDFD   you understand what i mean ?! no ? RTFM :p

Now patch your target executable and run it to see!

                        *********************
                        * Veni, Vidi , Vici *
                        *********************

WOW it works hehehe *Sure it does :p*
test it a bit , try several options in case of there were another
checks!
but the way we patched it,is good :p if there is many checks who call
the same place of code we don't care heheh coz we patched it the
RIGHT way!
I let the prog run 25 mins , didn't crashed or closed :p
Great, i gave my crack to a friend who use this app for his job and i
asked him if it crashed or if it came across some *bugs*! not at all!
Of course this friend got the dongle and the licence! we ain't gonna
use this application without it , are we ;)

                ACiD BuRN [ECLiPSE / Immortal Descendants]

Conclusion:

Poor protection for an about 7000 $ application :P
The dongle could also be replaced by a good serial-scheme or
keyfile protection...
It is more a parasite than other thing!
it is slowing down the program more than protecting it! haha :p
what a crap i'd say ;)
Long time ago i feared it! hahaha how lame was i :p
pretty easy compared to some hard core dongle such as HASP ones..
not every HASP! the one who are well implemented!
But not very efficient against master cracker like +Quine for instance!




2)Greets part (it's gonna be quite LONG :p ) :

Darkeye: My girly! tutorial dedicated to you ;-x
         BEST REVERSER outta here , she reversed my heart haha :p

ACiD BuRN: hey! it's me! for being a lazy ass cracker and tuts
           writter :p oh.. and for this lame tut on dongle :p

CyberBlade: Almighty VB Cracker! this dude doesn't Phear PCDODE :)
            Keep working on your VB5 Pcode discompiler! Bro ;)

R!SC: I phear you! thx for cdilla help time ago! cdilla master ;p

inferno: wait 'till i got a new line! gotta be top keygener in
ECLiPSE as old day ;p

Death aka AB4DS: ltns! nice VBREf thingy ;)

Volatility: 'lo friend! you still like my tut , don't you ? :)

Duelist: you're l33t :P

tKC: ltns brother! hope ur fine bitch heheh :p

BuLLeT: ltns! keep coding good and migthy crackme pal!

Lucifer48: Damn! you own :p french power hehe :)

SiFLyiNG: ltns :( hope all is going good! french power here too ;)

CrackZ:  l33t0! hope to talk to you soon :)

neural_noise: hehe! brother ;p still reversing your girly ?! :p

WarezPup: old bro! hope you are ok! cya soon ...

_y: nice and leet pal ;) is that Hash still good ? heh

Lazarus: good friend :) still making some nice tut ?!

Eternal_Bliss: nice site you got there ;)

Carpathia: that lamers logs are so funny! cya bro

JB007: Bro :p ltns

Kwai_lo: where the fuck are you ?! LTNS bro...

Alpine: unpacking master :p good reverser and good friend!

zoltan: leet keygeners! get ur ass back on IRC plz!

Punkguy2: My beloved Webmaster! thx for all bro

Sortof: AOL against BSA (army of lamers against boy scout ...)
        Remember hehehe ?!

+Spath: French power :p amazing reverser and good friend!

+Frog sprint: French Power! Amazing reverser too :)

All ECLiPSE , All Cracking4newbies , ALL +HCU...

Also thx to numega for their leet Soft ice :)))))


"Put your name here! :P" :   "your comment here" ;p



Also greetings to:

Klefz , TORN@DO , T4D , Jeff , [Virus] , JaNe , Appbusta , MiZ,
DnNuke,Bjanes , Skymarshall , afkayas , elmopio , Fire Worx ,
SiONIDE, SKORPIEN , Magic Raphoun , DEZM , Bisoux , K17 , theMc,
noos , Xmen, TeeJi , Arobas , T0AD , ytc , Killer_3K , TaMaMBoLo
gizmo , [yAtes], TarGon , Icecream , TRDdonjuan , Lord Soth , Judged
G-Rom , Quantico , Christal , psike , Leo0n , , Pulsar , Night ,
psike , Uno , Lixus , LosT , RD-116 , Ben0 , Whizkid , [MandKind] ,
Alsindor, Stone,Elraizer , Fravia+ , Iczelion , nody , Asphalt ,
Rhythm , rudeboy ,
X-Calibre , Cirus , shaoni...
...

I might have forgotten someone :( sorry pal...


#####################################################################
DOH:

I wont even bother explaining you that you should BUY this target
program if you intend to use it for a longer period than the allowed
one.Should you want to STEAL this software instead, you don't need to
crack its protection
scheme at all: you'll find it on most Warez sites, complete and
already regged, farewell.

#####################################################################


Copyright (c) ACiD BuRN and the Immortal Descendants.
ALL rights ReverSed

http://www.immortaldescendants.org


I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #95 soon! ;)

Credits goto:

Johnny Aum for Splash Logo.
Johnny Aum for providing a tut in this version.
M.o.D for providing a tut in this version.
ACiD BuRN for providing 3 tuts in this version.

To ALL the crackers: You are welcome to send me your tutors
to publish them .. see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at:

http://www.crackersinaction.com

(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 30 July 2000

Cracking Tutorial #94 is dedicated to Ginny...