Welcome to Cracking Tutorial #97!


Hiya guys

Sorry for delays, again I was busy with coding and all shit..

Here's a tut97.tKC...

OK, let's rave! ...or crack babes? :)


You'll need the following tools:

(I use these tools, I assume you'll use 'em, but it doesn't
mean that you'll need to use all those tools, so be sure to
get them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz of easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had
a chance to get them when you used my older tutorials. Here
are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?!

OK! ;)


 -->Tutorial number 2--<

Name     : WinRAR

Version  : 2.70

Target   : WinRAR.exe

Tools    : W32dasm
         : Hiew
         : Brain

Cracker  : KlimaX v2000

Get it at: http://www.winrar.com



      ==>DISCLAIMER<==
For educational purposes ONLY!
I hold NO responsibility for the misuse of this material!


About program:

WinRAR 2.70 is a program simular to WinZip, which is used to compress/decompress files.
This program (WinRAR v2.70) is shareware, but contains only one limitation, but not a limitation
that will directly affect the compressing/decompressing procedure.



1) OK let's crack the beast
   After opening WinRAR.exe, you recieve a "Please Register" box, but where's the "Enter
   Reg. Code" box at???. Well I don't know, but let's move on from what we have. These types
   of programs often use these kind of messageboxes, as a REMINDER on how many days you have
   left/used of the trial period.

   Alright, go to your WinRAR dir. and make a copy of the .exe file. Why?, because if you
   make any mistakes in the cracking process, it's nice to have a backup;)

   Now fire up Wdasm and open WinRAR.exe, open StringData Ref box and scroll down
   searching for something that can be linked with the messagebox shown when we started
   WinRAR.
   AHA! After nearly hitting the bottom of the scrollbar with a great splash, we find it.
   "REMINDER", that may be it!
   Doubleclick on it and you'll be warped to this place:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00401529(C)  <-- We'll need this Jump
|
:0040152F C6057430460001          mov byte ptr [00463074], 01
:00401536 6A00                    push 00000000
:00401538 68C0B94000              push 0040B9C0
:0040153D 8B1504B94600            mov edx, dword ptr [0046B904]
:00401543 52                      push edx

* Possible StringData Ref from Data Obj ->"REMINDER"
                                  |
:00401544 68E73B4600              push 00463BE7  <-- You are here
:00401549 8B0D00CC4600            mov ecx, dword ptr [0046CC00]
:0040154F 51                      push ecx

   Right now you should be at 00401544 which is where the "Please Register" box is shown
   from, but it isn't the address we want!. If you scroll a couple of lines up, you'll see
   the (C)onditional Jump Address 00401529, that's where we want to go, so press shift+F12
   and enter 00401529. Press OK.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004011B2(C)
|
:00401506 833DA0CC460000          cmp dword ptr [0046CCA0], 00000000
:0040150D 7546                    jne 00401555
:0040150F 803D7430460000          cmp byte ptr [00463074], 00
:00401516 753D                    jne 00461555
:00401518 803DAC6C460000          cmp byte ptr [00466CAC], 00
:0040151F 7534                    jne 00401555
:00401521 A188F54600              mov eax, dword ptr [0046F588]
:00401526 83F828                  cmp eax, 00000028
:00401529 7F04                    jg 0046152F  <-- You'll be here
:0040152B 85C0                    test eax, eax
:0040152D 7D26                    jge 00401555

   Now you're at the Jump address which we want to modify, so write down the @Offset
   00000B29 (Never mind all the zeroes in front of the B29, and the small h in the end,
   you only need the B29)


   Fire up Hiew and open WinRAR.exe.
   Now press F5 and type the @Offset number you wrote down a minute ago (B29, in case you
   forgot), and press enter. You should now be at 00401529.
   Now what we want, is to change the offset number (press F3)

   from: 7F04 <=> jg (jump to "badboy" if today is greater than the 40 day trial)

   to  : 7C04 <=> jl (jump to "badboy" if today is less that the 40 day trial)

   Press F9 to save changes and F10 to exit Hiew.

   Try and start WinRAR and you will notice that the "Please Register" box is gone, just
   what we wanted right, but I'm not satisfied yet;)
   If you take a look at the top of the WinRAR screen, you'll see it says "evaluation copy",
   and that is not downright beautiful, so let's get rid of that to:)


2) Open WinRAR.exe in Wdasm and search for "evaluation copy" in SDR, when found doubleclick
   on it.
   You should now be around here:

:0041B845 E87A0B0400              Call 0045C3C4
:0041B84A 83C40C                  add esp, 0000000C
:0041B84D 803DAC6C460000          cmp byte ptr [00466CAC], 00
:0041B854 752E                    jne 0041B884   <-- We want to change this one

* Possible Reference to StringData Resource ID=00873: "evaluation copy"

:0041B856 6869030000              push 00000369  <-- You are here
:0041B85B E874C7FEFF              Call 00407FD4
:0041B860 50                      push eax


   Place the bar on 0041B854, note the @offset 1EA54, exit Wdasm, and fire up Hiew.

   Open the WinRAR.exe, press F4, select decode. Now press F5 and enter 1AE54.
   Now you're at 0041B854 where the jne is placed.
   Press F3 and change the 75 (jne) <=> 74 (je), press F9 to save changes and F10 to exit.

   Now we can finally open WinRAR, and not see any trial messages, or the "evaluation copy"
   in top of the window. (Don't we just love it)



   =>LAST WORDS:

   If you have any comments on this tut, feel free to mail at KlimaX_v2000@mail.com
   _ _ _ _ _ _ _ _

   tKC & LW2000, thanks for releasing those great tut's, keep on making 'em!. They are the
   BEST!


How to find sn for SWF Browser v2.93 by Grooveware Multimedia
(for beginners only!)

by whistler aka vasudan

Target URL:
-----------
http://codersdomain.cjb.net/ or
http://www.swifftools.com/stools/

Tools:
------
TRW2000 by Liutaotao and Zhunanhao (http://www.knlsoft.com/)
M$ Notepad


A few words from Grooveware Multimedia about this program:
"The SWF Browser is a handy tool for everybody that uses Macromedia's
Flash. The Browser has a Explorer like interface enabling you to quickly
browse thru all SWF's on your harddrive or network. It also gives you
ways of browsing thru a .SWF file's "guts". Finally you can extract many
parts from the file (i.e. bitmaps, sounds, movieclips). Please note that
although SWF-Browser can extract movieclips and unlock SWF's, Flash's
support for importing SWF's is limited."

Now start your TRW. Click on browse. Choose SWFBrowser. Click on 'Load'
in TRW. TRW will pop up at program entry point. Press F5 to continue
loading SWF. Now you will see splash screen saying that this is SWF
Browser which is freeware but you have to pay 25$ (??......hmmmmm...
interesting) for this prog. You have to pay to remove that splash (nag)
screen too. Now click on 'Register'. You have to enter 'User Name'
(un) and 'Serial Number' (sn).

User Name:
Serial Number:

Enter anything you want. I use whistler for user name and 1234567890
for serial number. Click on 'Register SWF Browser'. Message box pop up
saying that 'The serial number is invalid'. Click 'OK'. Now you enter
SWF Browser. Click on About then choose 'Register' again. Same register
window. Now before you click on 'Register SWF Browser' again, press
CTRL+N to fire up trw's debug window. In TRW's window type

        bpx hmemcpy

CTRL+N again or F5. Click on 'Register SWF Browser'. You've been fired up
in TRW. Press F5 once more. We have to enter and 'User Name' and 'Serial
Number' in memory. Now press F12 to go out first from kernel and the
from user. Now you are in SWFBrowser!Code+xxxxx (xxxxx - hex number).
Press F10 until you catch this line:

:004A998A mov eax,dword ptr [ebp-08] ; sn in EAX
:004A998D call 00403E54              ; length of sn in EAX
:004A9992 cmp eax, 00000003          ; compare length of sn with 3
:004A9995 jle 004A9A7C               ; less or equal, then not respond
                                     ; must enter again
...
...
:004A99A9 mov eax,dword ptr [ebp-0C] ; sn in EAX
:004A99AC push eax                   ; on stack
...
...
:004A99BB mov edx,dword ptr [ebp-10] ; un in EDX
:004A99BE mov eax, ebx
:004A99C0 pop ecx                    ; on stack
:004A99C1 call 004A97CC

At location 4A99C1 press F8 to examine this procedure. You will se this
piece of code:

:004A97CC push ebp
:004A97CD mov ebp, esp
:004A97CF push 00000000
:004A97D1 push 00000000
...
...
:004A97E0 mov dword ptr[ebp-08], ecx
:004A97E3 mov dword ptr[ebp-04], edx
:004A97E6 mov eax,dword ptr [ebp-04] ; un in EAX
:004A97E9 call 00404008
:004A97EE mov eax,dword ptr [ebp-08] ; sn in EAX
:004A97F1 call 00404008
:004A97F6 xor eax, eax
:004A97F8 push ebp
...
...
...
:004A9842 lea ecx,dword ptr [ebp-10]
:004A9845 mov edx,dword ptr [ebp-04] ; un in EDX
:004A9848 mov eax, ebx
:004A984A call 004A8B44
...
...
...
:004A988C lea ecx,dword ptr [ebp-18]
:004A988F pop edx
:004A9890 call 004A9518              ; calculate sn (??)
:004A9895 mov eax,dword ptr [ebp-18] ; REAL sn in EAX
:004A9898 xor edx,edx
:004A989A push edx

At location 4A9895 type d eax and you will see real serial number.
In my case it is CB70223A. Enter your serial number exactly as it appear
in register.

P.S.
----
Maybe all programs from Grooveware Multimedia uses this protection (??).
I don't know. I will try, then i will tell you.


Target pROGRAM Advanced Dialer version 2.4 for Windows 95,98,2000 or NT
location :http://www.pysoft.com
Size: 910 KB


Registration cost: 29 $
Protection : Name/Serial combination
Level:dead easy
TuTor No. --> 1 (yap its my first one)

Sorry for my bad english but im Macedonian

Essay for Program : This Program is for manupalation with your Dial-Up connections.
Can calculate spend money on Internet,shows graph for Internet
usage(Send & recieved bytes)
automaticly reconect and other cool things .A must for Duial-Up connections.

Ok Leets Start the whole thing.
we start and we see a program interface and a bar that tells that if we registered
it wont be shown any more.
This is completly operative version so you can leave that SPONSOR message.
but we want to reg the progie so lets gogogogo

ok fire Up Adialer.exe and see progies start ok lets go on the
 Reg.Info Button (the one with $ picture)
and choose <Registration Key ...> and you'll see the Name/Serial dialog Box.
So lets enter something for it like :
Registration Name:VIRTUAL RACKER (THE PROGRAM UPERCASES AUTOMATICLY SO WRITE WITHIOUT SHIFT KEY)
Registration Key :110022

lets fire up Soft Ice (Ctrl-D) and place a breakpoint on Hmemcpy (bpx Hmemcpy)
leave Sice (Ctrl-D) and press the  OK button.

B  O   O  M back to softice so lets press F11,and F12 for 6 times until we reached main program
codes, now press F10 ,23(approxamatly) times until this until this lines

XXXX:004B9B4F  MOV   EAX,[EBP-0214] <------ MOVS OUR NAME INTO EAX
XXXX:004B9B55  LEA   EDX,[EBP-0210]
XXXX:004B9B5B  CALL  0046C2E4 <------- THE KEY GEN ROUTINE (ALOT OF CODE HERE)
XXXX:004B9B66  PUSH EAX       <============  B I  N G  O (LETS DO A "D EAX" HERE
                                           AND WE SEE SOMETHING LIKE THIS <BA917100>
WOW WE GET THE SERIAL SO LETS CHECK ENTER

REGISTRATION NAME:VIRTUAL RACKER
REGISTRATION CODE:BA917100

WOWOOOOOOOOOOWWWWWWWWWW THERE ISNT ANY BANNER ANY MORE AND WE A REGISTERD USERS

DONT BE LAME AND USE MY SERIAL FIND OUT ONE FOR YOUR SELF.

GREETZ:
tKC for provideng the best tuts (you rule), The Sandman(cool tuts also), Dirty T,
 DeMos(for beeing real cool friend),Macedonian Reverse Engeneers,
 and every one on #cracking4newbies and #crackers on EFNET
(becuse their help for the NEWBIES)

you didnt get it , comments,questions dont be shy to mail me at :
virtualracker@usa.net


TARGET PROGRAM : DNS WORK SHOP V.??
LOCATION:WWW.EVOLVE.CO.UK
Size: 376 KB


Registration cost: 24.95 UK POUNDS(39.95 $)
Protection : 30 DAY PERIOD/SERIAL
Level:easy
TuTor No. --> 2 (yap its my SECOND one)
TOOLS:W32DASM,HIEW(ANY HEX EDITOR WILL GO)

Sorry for my bad english but im Macedonian

ESSAY FO PROGRAM : THIS LITTLE BABE CAN LOOK ALOT OF
IP ADRESS ON THE NET, LOOKUP FOR WEBSITES IP'S AND OTHER
THINGS.

SO LETS CRACK THIS PROGIE.

RUN DNSWORKSHOP.EXE AND LETS SEE EVAL PERIOD OF 30 DAYS COOL,AND IT HAS REGISTER.
(CODE PROTECTION IS NOT OUR INTEREST).WE JUST WANT TO KILL THAT TRIAL SO LETS
START EXAMING THE PROGIE.
CLOSE AND MOVE DATE A MOUNTH UP.(TO PASS TRIAL PERIOD)

Ok now ?
lets start we see a little message box that is saying
Your evalution period has expired.Please register.
press OK we are in the program
lets press Search button its says again
Your evalution period has expired.Please register

ok now make a copy od DNSworkShop.exe called CRACK-COPY.exe(FOR FUTHER USAGE)
and disassemble tha(using w32dasm File/Open File ->browse to dnsworkshop.exe)

lets click on Str.Ref. button(StringDataReference)

and look up for the message found
(OK ILL HELP ITS ON THE BOTTOM)

double click on it.
lets do another to see if it is another caller
yap it is
another doubled click
yap it is 3rd caller
another double click
wow this calls 4 times (Your evalution period has expired.Please register)
message so lets do a little research(we are looking for CMP,TES followed by
TJE,JNE,JZ,JNZ,JL,JG,JLE,JG)
go on the first found

and lets look
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043D375(C)
|
:0043D396 8B45F4                  mov eax, dword ptr [ebp-0C]
:0043D399 E8B6E5FFFF              call 0043B954
:0043D39E 84C0                    test al, al <------ some testing and then a conditional jump
:0043D3A0 EB0F                    je 0043D3B1 <------- Looking interesting write offset(03C7A0)
:0043D3A2 8D45F8                  lea eax, dword ptr [ebp-08]

* Possible StringData Ref from Code Obj ->"Your evaluation period has expired. "
                                        ->"Please register to continue using "
                                        ->"DNS Workshop."
                                  |
:0043D3A5 BAA0D44300              mov edx, 0043D4A0
:0043D3AA E86160FCFF              call 00403410
:0043D3AF EB29                    jmp 0043D3DA

ANOTHER DOUBLE CLICK

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043D4EE(C)
|
:0043D558 648920                  mov dword ptr fs:[eax], esp
:0043D55B E8B4F3FFFF              call 0043C914
:0043D560 84C0                    test al, al <------ some testing and then a conditional jump
:0043D562 EB1A                    je 0043D57E <-------- interesting(offset:03C962 NOTE IT)
:0043D564 6A00                    push 00000000
:0043D566 668B0D30D74300          mov cx, word ptr [0043D730]
:0043D56D B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Your evaluation period has expired. "
                                        ->"Please register to continue using "
                                        ->"DNS Workshop."
                                  |
:0043D56F B83CD74300              mov eax, 0043D73C
:0043D574 E82F26FFFF              call 0042FBA8
:0043D579 E988010000              jmp 0043D706

ANOTHER DOUBLE CLICK

:0043DF32 E8DDE9FFFF              call 0043C914
:0043DF37 84C0                    test al, al <------ some testing and then a conditional jump
:0043DF39 EB1A                    jE 0043DF55 <----- INTERESTING OFFSET 03D339 NOTE IT TOO
:0043DF3B 6A00                    push 00000000
:0043DF3D 668B0D78E04300          mov cx, word ptr [0043E078]
:0043DF44 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Your evaluation period has expired. "
                                        ->"Please register to continue using "
                                        ->"DNS Workshop."
                                  |
:0043DF46 B884E04300              mov eax, 0043E084
:0043DF4B E8581CFFFF              call 0042FBA8
:0043DF50 E9EC000000              jmp 0043E041

AND THE LAST DOUBLE CLICK

:0043E687 E888E2FFFF              call 0043C914
:0043E68C 84C0                    test al, al <------ some testing and then a conditional jump
:0043E68E EB28                    jE 0043E6B8 <-------IT IS THE FINNAL ONE OFFSET:03DA8E NOTE IT
:0043E690 6A00                    push 00000000
:0043E692 668B0D44E74300          mov cx, word ptr [0043E744]
:0043E699 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Your evaluation period has expired. "
                                        ->"Please register to continue using "
                                        ->"DNS Workshop."
                                  |
:0043E69B B850E74300              mov eax, 0043E750
:0043E6A0 E80315FFFF              call 0042FBA8

OK NOW FIRE UP HIEW
AND OPEN YOUR CRACK-COPY.EXE FILE(THE ONE U COPIED FROM DNSWORKSHOP.EXE )
AND DO F5
03C7A0 THEN <ENTER> ,F3(TO EDIT MODE AND THEN CHANGE 74 TO EB[je to jmp])
F9 TO UPDATE
REPEAT THAT STEPS UNTIL FINALL OFFSET
SO LETS NOW START CRACK-COPY.EXE(THE ONE U COPIED FROM DNSWORKSHOP.EXE )

UUUUUUPPPPPPPPSSSSSSSS ANOTHER MESSAGE SAYING that last day will be xx.xx.2000
(eith this patvhing every time u start trial will be restored on day 1)
OK LETS CHECK OUT IN W32DASM(YOU DIDNT CLOSED DIDNT U)
but its annoying tosee this all the time

CLICK ON Str.Ref and look for

The last day of you evalution period
found ?
yap

ok lets see(double click on it)

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0043E68E(U)
|
:0043E6B8 E89FE3FFFF              call 0043CA5C
:0043E6BD 84C0                    test al, al
:0043E6BF 745A                    jne 0043E71B <------- this is what we need offset:03DABF
:0043E6C1 E826E4FFFF              call 0043CAEC
:0043E6C6 83F806                  cmp eax, 00000006
:0043E6C9 7D50                    jge 0043E71B
:0043E6CB 6A00                    push 00000000

* Possible StringData Ref from Code Obj ->"The last day of your evaluation "
                                        ->"period is "
                                  |
:0043E6CD BAACE74300              mov edx, 0043E7AC
:0043E6D2 8D45FC                  lea eax, dword ptr [ebp-04]
:0043E6D5 E8364DFCFF              call 00403410
:0043E6DA E8D9E2FFFF              call 0043C9B8

OK NOW FIRE UP HIEW
AND OPEN YOUR CRACK-COPY.EXE FILE(THE ONE U COPIED FROM DNSWORKSHOP.EXE )
AND DO F5
03DABF THEN <ENTER? ,F3(TO EDIT MODE AND THEN CHANGE 75 TO 74)
F9 TO UPDATE

NOW RUN THE FILE WOOWWWWWWWW WE HAVE 30 DAYS PERIOD .
MOVE DATE UP STILL 30 DAYS .WE GET OUR 30 DAYS UNLIMITED.
EVERYTIME WHEN U STARTDNSWorkShop YOUR PERIOD WILL BE RESTORED.

GREETZ:
tKC for provideng the best tuts (you rule), The Sandman(cool tuts also), Dirty T,
 DeMos(for beeing real cool friend),Macedonian Reverse Engeneers,
 and every one on #cracking4newbies and #crackers on EFNET
(becuse their help for the NEWBIES)

you didnt get it , comments, questions dont be shy to mail me at :
virtualracker@usa.net


-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-=( Finding an Easter Egg in tKC's Tut Viewer )=-

     Finding an Easter Egg in Octavius 2.xx



      -=( A tutorial by hmemcpy/[CiA] )=-

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-



Hello boys and girls. In this tutorial I will show how to find easter eggs.

What are easter eggs? Well, those are hidden screens or features in programs, that were

hidden on purpose by the programmer. Usually contains something funny, or just shows the

programmers names or something.



Well, tKC has also hidden some easter eggs in his programs. Let's find 'em ;)



Tools: DeDe (Delphi Decompiler by DaFixer)

       UnAspack 1.0.9.0

       SoftIce

       Resource Editor (I prefer Restorator)

And of course some ciggys and music... I'll be hunting the eggs to the sound of

"Dream Theater - Images and Words" CD.



You can get all the tools above at the urls given in the "Tools" section of the tutorial.





Part 1: tKC's Tutorial Viewer 2000 (for all versions)



tKC has given me a major hint: he said to put a string in the "Search" window.

(thanks, tKC ;)



Let's begin by unpacking the file "Tutor.exe". After unpack is done, run DeDe. If you have

never used DeDe before - it is absolutely amazing. If you have Delphi knowledge, you'll be

amazed how easy it is to reverse your Delphi programs with DeDe.



Select the file "Tutor.exe" after you've unpacked it, and press "Process". The program will

then disassemble, and sort the forms like a resouce editor would.



After the dump is done, click on the "Procedures" tab. You will see all the forms used in the

program. Thanks to tKC's hint, let's look at TFindForm

When you click on TFindForm you'll see the following on the right:



epEfBtn2Click

epEfBtn1Click

LMDEdit1KeyDown



Those are the components of the "Extra Pack" and "LMD Pack" for Delphi, which you can

download at http://www.torry.ru - the best Delphi resource on the net.



Let's explore a little bit. Our string is processed after Ok button has been pressed. I

thought (and correctly) that epEfBtn1Click is the Ok button. Double click on "epEfBtn1Click".



You will see the disassembed code of the procedure. Scroll down a bit, until you see some

interesting string:



* Possible Reference to Control 'LMDEdit1:TLMDEdit'

|

004DBB68   8B80D0020000           mov     eax, [eax+$02D0]

004DBB6E   E8B5FFFEFF             call    004CBB28

004DBB73   8B45F8                 mov     eax, [ebp-$08]

004DBB76   50                     push    eax

004DBB77   8D4DF4                 lea     ecx, [ebp-$0C]

004DBB7A   B205                   mov     dl, $05



* Possible String Reference to: "Jrgfxx~"

|

004DBB7C   B81CBC4D00             mov     eax, $004DBC1C

004DBB81   E8B62AF7FF             call    0044E63C

004DBB86   8B55F4                 mov     edx, [ebp-$0C]

004DBB89   58                     pop     eax

004DBB8A   E85984F2FF             call    00403FE8

004DBB8F   752A                   jnz     004DBBBB

004DBB91   A1B40E4F00             mov     eax, dword ptr [$4F0EB4]

004DBB96   8B00                   mov     eax, [eax]



Hmmm.. this looks interesting. "Jrgfxx~". This looks like a key word. Let's try it. But

first, we need to know where the egg will appear. While browsing through DeDe, I found

something interesting in Unit6: TAbouts2.



It seems that TAbouts2 has also 2 buttons, and FormCreate. But when you look in the about

screen, you can only see 1 button there. Hmmm ;) If you take a look in TAbouts2 form in a

resource editor, you'll see that it's not visible.



I think that the egg appears if you click on the button in the about screen. But how to

enable the button? Well, the button can be enabled by putting the right string in the Search

window. Ok then. We've got the suspicious string "Jrgfxx~". Let's try it. Open Search window

and type Jrgfxx~. Click Ok, and check the about screen. Hmmm.. nothing. WTF?! :)



Then I remembered something. I was reading the Quotes in Tutorial 91, and then I saw

something interesting:



<tKC> a hint.. lenght of string = 255, which every byte is crypted and comparing 1 for 1 too

:p



hehe.. Part joke, part truth. tKC was joking about the 255, but then I thought that the

string is simply encrypted. So then I turned to the mighty softice.



I won't show you the code, cause I'm downloading something at the moment, so I can't use

softice ;)



But here is what I did:


* Possible String Reference to: "Jrgfxx~"

|

004DBB7C   B81CBC4D00             mov     eax, $004DBC1C  <--- I've put a breakpoint here



Then, after softice had breaked on 4DBB7C, I kept tracing until the following calls have been

executed, then I typed "d eax", and saw something very interesting in the data window: I saw

the word "Embassy". (If you check the code, you can see that it adds 5 to each letter, so it

transforms Jrgfxx~ into Embassy).



Ok.. back to Tut Viewer. Type "Embassy" in search, and then check the about window...

*BOOM* This is it ;)





Part 2: Octavius v2.xx



For finding the egg in octavius, we're only gonna need a resource editor. Unpack the file

"Octavius.exe", and load it into the resource editor.



Since it's a Delphi program, you need to go to RCData, and then click on TMain. After a long

wait, and careful observation, I found the following:



object Octa1: TOcta

    ControlKeys = [ssShift, ssCtrl]

    Active = True

    OctaString = 'brainbug'

    OnOcta = Octa1Octa

    Left = 192

    Top = 64

  end



Hmmm... What could this be <G>. Of course it is :)



Run Octavius, hold Ctrl+Shift, and type BRAINBUG. Is this kewl or what? :)



That's it. I hope you've enjoyed this tutor as much as I did writing it.

-=-=-=-=-=-=-=-=-=-=-=-=-

Here comes the pain... :)

Greetings to ALL the crackers in the world and especially those who teach, and
patient to newbies :)

Special greet to tKC, because he's a great man.

Mass Hello flys to all of CiA and everyone who knows me.

-=-=-=-=-=-=-=-=-=-=-=-=-

>> EOF <<


I really hope you've enjoyed this tutorial as much as I did!
Don't miss Tutor #98 soon! ;)

Credits goto:

bM[tgfx] for Splash Logo.
whistler for providing a tut in this version.
KlimaX for providing a tut in this version.
Virtual Racker for providing 2 tuts in this version.
hmemcpy for providing a tut in this version.

To ALL the crackers: You are welcome to send me your tutors
to publish them .. see below for my email address!
*** 95 chars per line in textfile please! ***

And all the tutors can be found at:

http://www.crackersinaction.com

(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000

Compiled with Delphi 5 on 26 August 2000

Cracking Tutorial #97 is dedicated to Belinda...