Welcome to Cracking Tutorial #105!

Hiya guys,

Well, here is another tut105.tKC... Let's rave! ...or crack babes? :)

You'll need the following tools:
(I use these tools, I assume you'll use 'em, but it doesn't mean that you'll need to use all of
them, so be sure to have them handy for the examples in this tutorial!)

SoftICE v4.05
W32Dasm v8.93
Hacker's View v6.55
SmartCheck v6.03
ProcDump32 v1.6.2
TRW2000 v1.22
IDA v4.04
Windows Commander v4.51 (I use it coz it's easier to multitask)
Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my
older tutorials. Here are a few good sites where you can grab tools from:

http://protools.cjb.net
http://w3.to/protools
http://www.crackstore.com

or ask any crackers to get you these tools!

Are you ready?! OK! ;)


Title: Serial Fishing (to display a Real Code on Dialogbox)
Level: Piss Easy
Target: EasyCD v2.0
URL: http://www.is.lt/linas/easycd/

Ok guyz... this one is requested by iNNU3NDo. As you know, normally programs give you an error
message, e.g. Wrong code, invalid registration code etc., so in this tutor I'll show you quickly
how to display the real code on that dialogbox. I've written 1 or 2 tutors for this trick a long
time ago, but I'll write this new one anyway. Ok, let's go... oh yea, because I don't have shitty
shareware programs available, I took EasyCD for this example, so grab my Tutor #98, Part 5, you'll
need that to get started into this...

What we'll need:
HIEW 6.55 or your fav HEX Editor
and 5 minz to spend your time!

Step 1.
After you've studied Tutor #98, Part 5, you'll know where the Real Code is stored in memory.
Look below:

0047CCEB 8B55FC       mov edx, [ebp-$04]   <--- your name
0047CCEE E859130100   call 0048E04C
0047CCF3 8B55F4       mov edx, [ebp-$0C]   <--- real code
0047CCF6 8B45F8       mov eax, [ebp-$08]   <--- your bad code
0047CCF9 E88672F8FF   call 00403F84

Step 2.
As you can see, ebp-0C contains the code, which gets copied into edx, right? Ok, remember that one.
Look below again:

* Possible String Reference to: "Incomplete or incorrect information | ." |
0047CD7C BAFCCD4700   mov edx, $0047CDFC              <--- this displays the shit on the box
0047CD81 A14CD54900   mov eax, dword ptr [$49D54C]
0047CD86 8B00         mov eax, [eax]
0047CD88 E827F3FCFF   call 0044C0B4

Step 3.
Ok great, now let's modify the code so it doesn't display shit on the box. Remember ebp-0C? Now
we'll change the instruction at 47CD7C. Run your HIEW and open EasyCD.EXE, and edit at $7C17C. In
HIEW, in the Assembler Edit box, type:

mov edx, [ebp][-000C]

then nop the next line, and nop the next line again. Now we should get this:

0047CD7C 8B55F4       mov edx, [ebp-$0C]
0047CD7F 90           nop
0047CD80 90           nop
0047CD81 A14CD54900   mov eax, dword ptr [$49D54C]

Step 4.
Ok, great... now run EasyCD, and enter your name and any code. Instead of getting an error message,
you'll get the real code displayed! Write down that code and re-enter the real one.

Got it? Kool... piss easy eh? yea right!

Enjoy it,
tKC... tkc@reaper.org


Title: Serial Fishing (to display a Real Code on Dialogbox)
Level: Piss Easy
Target: Text Cleaner v1.0.1
URL: http://www.comp4learn.com/cleaner

Ok guyz... 1 more tutor. Again I took Text Cleaner coz there's no latest shareware shit available
on my machine :) This time, I won't tell you how we fish the serial, but in your TRW2000 or
SoftICE, at 0040A6C4 you'll get the real serial. Ok let's move...

What we'll need:
TRW2000 v1.22 or W32Dasm
HIEW 6.55 or your fav HEX Editor
and 5 minz to spend your time!

Step 1.
Ok, look below: we know the real code is stored at esp+10, right? It's copied into esi, so when you
type d esi, you get the magic number.

0040A6BF E8BC330000   call 0040DA80
0040A6C4 8B742410     mov esi,[esp+10]   <--- real code
0040A6C8 8B475C       mov eax,[edi+5C]

Step 2.
Now we need to go to the address where it displays the error message if a wrong code was entered.
Look below:

* Possible StringData Ref from Data Obj ->"The information you entered is "
                                       ->"not correct. Make sure the name "
                                       ->"and company EXACTLY match the "
                                       ->"blah blah blah..."
                                       ->"blah blah blah..."
                                       ->"blah blah blah..."
:0040A707 685C344500   push 0045345C   <--- display error message etc.

Step 3.
Ok great, now let's modify the code so it doesn't display shit on the box. Remember esp+10? Now
we'll change the instruction at 40A707. Run your HIEW and open Text Cleaner.EXE, and edit at $9B07.
In HIEW, in the Assembler Edit box, type:

push [esp][10]

then nop the next line. Now we should get this:

0040A707 FF742410     push d,[esp][00010]
0040A70B 90           nop
0040A70C E8CF050000   call 0040ACE0

Step 4.
Ok, great... now run Text Cleaner, and enter your name and any code. Instead of getting an error
message, you'll get the real code displayed! Write down that code and re-enter the real one.

Got it? Kool... piss easy eh? yea right! ;)

Enjoy it,
tKC... tkc@reaper.org


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
AdWizard Version 1.1
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER
This reading material is not intended to violate copyrights and/or the law, but is for educational
purposes only. I hold no responsibility ( by all means and in any shape whatsoever ) for the misuse
of this material.

ABOUT THE PROGRAM
AdWizard has been designed to help you manage a large number of classified advertisement sites and
remind you when you should re-enter your ad. You can sort your entries into groups, and even use
the Type function to automatically enter your information and your ad.

WHERE TO DOWNLOAD
Author   : Paul P.M. Beuger
Homepage : http://www.wavget.com
URL      : http://www.wavget.com/adwizard32.exe
Size     : 754 KB as of October 30, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run ADWIZARD.EXE, right click the mouse button at the URL link, and in the registration dialog
   box type the information below:

   Name : Pirates Order
   Code : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], set a breakpoint as follows:

   BPX hmemcpy [enter]

   and F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce! Within SoftIce press
   F11, F5, F11, then F12 11 times until you see and break at:

   __________________________________________________________________
   015F:0044ECE8 8BC3         MOV EAX,EBX
   015F:0044ECEA E845EAFDFF   CALL 0042D734               <=== here
   015F:0044ECEF 8B55D8       MOV EDX,[EBP-28]
   015F:0044ECF2 8B45F8       MOV EAX,[EBP-08]
   015F:0044ECF5 E8D64DFBFF   CALL 00403AD0
   015F:0044ECFA C645F701     MOV BYTE PTR [EBP-09],01
   .........
   .........
   ____________________ ADWIZARD!CODE+0004DCE8 ______________________

   Disable / clear the previous breakpoint and create the new one:

   bd * [enter]
   BPX 015F:0044ECEA [enter]

   Press F10, then display the EDX register:

   d edx [enter]   ==> your fake S/N appears in the Data Window at virtual address 0167:0110F048.

   In the Command Line type:

   BPM 0167:0110F048 [enter]

   Press X or F5 to let SoftIce break at this new location.

4. If nothing goes wrong you'll break again in SoftIce and see the snippet below:

   EAX=00000006 EBX=38383337 ECX=48464555 ESI=011121F8 EDI=0110F048
   EBP=006BFC08 ESP=006BFBCC EIP=00403E35
   CS=015F DS=0167 SS=0167 ES=0167 FS=2627 GS=0000
   __________________________________________________________________
   015F:00403E33 8B1F   MOV EBX,[EDI]
   015F:00403E35 39D9   CMP ECX,EBX       <=== break here
   015F:00403E37 7558   JNZ 00403E91
   015F:00403E39 4A     DEC EDX
   015F:00403E3A 7415   JZ 00403E51
   ______________________ ADWIZARD!CODE+2E33 _______________________
   Break due to BPMB #0167:0110F048 RW DR3

   ? ecx [enter]
   48464555 1212564821 "HFEU"   ==> part of the S/N in reverse order
   ? ebx [enter]
   38383337 0943207223 "8837"   ==> part of the fake code
   d edi [enter]   ===> your fake appears at 0167:0110F048
   d esi [enter]   did you see UEFHVFVGXJUNJB at virtual address 0167:011121F8 ?

5. Disable all breakpoints by typing BD * [enter]
   Press F5 or X to return to the main program.

6. Repeat the registration procedure and key in UEFHVFVGXJUNJB as your S/N.
   Click the OK/REGISTER button... Simply, YOU'RE REGISTERED now... as a matter of fact it's
   ILLEGAL REGISTRATION!

END NOTES
This program is sold as shareware, so you can try before you buy. This is convenient for you, saves
expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but
it is not free. If you like the program, and you will, be sure to register and pay. To keep
shareware prices low, users must do the right thing: Register, pay up, and smile/grin at yourself
in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER(s)!
( tHATDUDE (PC97) defined LAMER(s) as the guy who sits in front of a personal computer, using a Hex
Editor, ripping off other group(s)' crack releases, repacking (distro) them under his name.
Adopted from newsgroups alt.cracks, alt.crackers - February 1997 )

More about LAMER(s):
lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers but
common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations of
self-conscious elitism that use of luser does among hackers.
< SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

_ Never attribute to malice that which is adequately explained by stupidity _

ASTAGA [D4C/C4A]
tute-adwizard11.zip [EOF] 10/31/00 5:18:12 AM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
InternetTweak 2000 v2.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
InternetTweak 2000 (previously known as NetMaster) is a special utility designed to configure and
personalize Internet secret settings in Windows 2000/98/95.
Several of its features: optimize Internet connection performance, access Internet Explorer,
Outlook Express, and Netscape Communicator hidden settings. In addition, you will get hundreds of
selected Internet Tips & Tricks that will boost your browser and e-mail applications' performance
and productivity.

WHERE TO DOWNLOAD
Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.magellass.com/it2000.zip
Size     : 1.2 MB - as of August 8, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

FIRSTLY, this program is protected with an anti-debugging trick. NO RESPONSE when clicking the .EXE
file, or the " No Debug Allowed " message always appears, even though I had loaded the well known
utilities to hide SoftIce from this kind of protection. WDASM83 got stunned when I tried to
disassemble and debug this program.... sigh! Until this morning, when I talked with Carpathia on
IRC, who told me to download and try a small and useful prog called... ... JUST ASK HER ! This
small prog is great, I can even run another program, i.e. CXIE, which has similar protection. I'm
not so stingy as to not tell you, I had to be patient and wait until I could solve my stupidity
and write this tute... see ... I downloaded this ITWEAK2000 2 months ago. Again, thank you
Carpathia... without your help I'd still be deep-sunk in the darkness.

SECONDLY, I personally express my sincere salutation to the Author at Magellass Corp. You guys ...
Indonesian and Sundanese people do a great job since you released Win Boost in mid 1997. You never
gave up fighting against the crackers all over the Net. And by the way, send my regards to " Kang
Dani nu Ganteng tea ..... " which means " Mr Dani the Handsome Guy ". Whatta nice try hiding in
the CLSID's registry ............

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run ITWEAK.EXE, in the opening nag screen click that REGISTER button; in the registration dialog
   box type the information below:

   User Name : Pirates Order
   Key       : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows:

   BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, and
   F11 once again. Press F12 several times until you reach the main program's code as follows:

   _________________________________________________________________
   015F:00486CBA 8B80CC020000   MOV EAX,[EAX+000002CC]   <==== you're HERE !
   015F:00486CC0 E86387FAFF     CALL 0042F428
   015F:00486CC5 8D45F4         LEA EAX,[EBP-0C]
   015F:00486CC8 8B55F0         MOV EDX,[EBP-10]
   015F:00486CCB E810CEF7FF     CALL 00403AE0
   015F:00486CD0 8B55F8         MOV EDX,[EBP-08]
   015F:00486CD3 8B45FC         MOV EAX,[EBP-04]
   015F:00486CD6 E8C1FEFFFF     CALL 00486B9C
   __________________________________________________________________

   Disable the previous breakpoint and set a new breakpoint:

   bd * [enter]
   bpx 015F:00486CBA [enter]

   Now, start tracing the code. Press F10 4 times and stop at 015F:00486CCB, then dump/display the
   EDX register by typing:

   d edx [enter]

   Look at the Data Window - at the virtual address 0167:012299C - did you see your fake S/N? And
   one line below is 3M9Q3-E858-UW28-2TCT , AF2V2-N263-HJ79-CX4U , 2EAT2-F534-GN88-8JAG ...etc.
   There are a lot of suspicious reg codes .... just check by yourself. Write down those suspicious
   reg codes. Disable the current existing breakpoint, press F5 to return to the registration
   dialog box.

4. Repeat the registration procedure, key in 3M9Q3-E858-UW28-2TCT as your serial number. Click OK
   ..... the classic " Thank you for registering .... " message appears on your screen.

5. Where the hell is my registration code stored ?? Hahaha gotcha ! .... however hard you use
   WXIR/WXIO and REGMON ... you'll never find it anywhere on your harddisk. Read my preface above
   ... if you have enough time try searching for the suspected CLSID
   {e436ebb7-524f-11ce-9f53-1b49a070a77d8}. Nice try Kang Dani anu kasep tea euy ...... again and
   again.
   Besides, once you're registered you're registered forever. One strange occurrence is that if you
   manually edit the registry key and value "RegisteredOwner" to your own desired name ..... the
   prog still accepts it!

   REGEDIT4

   [HKEY_LOCAL_MACHINE\Software\Magellass\InternetTweak 2000]
   "RegisteredOwner"="Pirates Order"

   The registry entry below ... IS JUST COSMETIC!

   [HKEY_LOCAL_MACHINE\Software\Magellass\InternetTweak 2000\2.00]
   "Name"=""
   "Company"=""

6. How can I practise with my own user name ? - I strongly recommend you not to do this !

END NOTES
See the END NOTES of the AdWizard tutorial above; they apply here unchanged.
ASTAGA [D4C/C4A]
tute-it2000v20.zip [EOF] 10/20/00 11:54:23 AM


WHY PATCHING WHILE SERIAL NUMBER IS FISHY
MemMonster v1.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM
MemMonster is a special utility designed to help you solve the problems of Windows (98/95/NT/2000)
memory management. Using an easy to use interface you can quickly and safely monitor and increase
the amount of available physical memory. There are two versions of MemMonster, for Windows 9x and
for Windows 2000/NT. Before using it, please make sure you have installed the correct version.

WHERE TO DOWNLOAD
Author   : Magellass Corp
Homepage : http://www.magellass.com
URL      : http://www.magellass.com/mem9x.zip
Size     : 738 KB - as of August 8, 2000

HOW TO GET VALID SERIAL NUMBER by using SoftIce

FIRSTLY, this program is protected with an anti-debugging trick. NO RESPONSE when clicking the .EXE
file, or the " No Debug Allowed " message always appears, even though I had loaded the well known
utilities to hide SoftIce from this kind of protection. WDASM83 got stunned when I tried to
disassemble and debug this program.... sigh! Until this morning, when I talked with Carpathia on
IRC, who told me to download and try a small and useful prog called... ... JUST ASK HER ! This
small prog is great, I can even run another program, i.e. CXIE, which has similar protection. I'm
not so stingy as to not tell you, I had to be patient and wait until I could solve my stupidity
and write this tute... see ... I downloaded this MEMMONSTER2000 2 months ago. Again, thank you
Carpathia... without your help I'd still be deep-sunk in the darkness.
SECONDLY, I personally express my sincere salutation to the Author at Magellass Corp. You guys ...
Indonesian and Sundanese people do a great job since you released Win Boost in mid 1997. You never
gave up fighting against the crackers all over the Net. And by the way, send my regards to Dani
( one of the Authors (?) who left a sticky note in the virtual address like " Horee Mas Dani deui
..... " which means " Hooray .. it's Mr Dani again " in the Sundanese language ). Further, whatta
nice try hiding in the CLSID's registry ..........

HOW TO GET VALID SERIAL NUMBER by using SoftIce

1. Run MEMONSTER.EXE, in the opening nag screen click that REGISTER button; in the registration
   dialog box type the information below:

   User Name : Pirates Order
   Key       : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [ CTRL + D ], create a new breakpoint as follows:

   BPX HMEMCPY [enter]

   and F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Within SoftIce press F11, F5, and
   F11 once again. Press F12 several times until you reach the main program's code as follows:

   _________________________________________________________________
   015F:00484785 E82A89FAFF   CALL 0042D0B4
   015F:0048478A 8B55F4       MOV EDX,[EBP-0C]
   015F:0048478D B884D94800   MOV EAX,0048D984
   015F:00484792 E841F4F7FF   CALL 00403BD8
   015F:00484797 33C0         XOR EAX,EAX
   ...
   ...
   ____________________MEMMNSTR!CODE+0008377F____________________

   Disable the previous breakpoint and create a new breakpoint:

   bd * [enter]
   bpx 015F:00484785 [enter]

   I just wanna go straight to the groin and bring you to where the potential codes were copied
   (echoed (?)) into the virtual address. Remember, I have traced it for you. In SoftIce's Command
   Line type as follows:

   s 0 l fffffffffffffff FF 56 0C 8B 55 F8 [enter]

   SoftIce will respond:

   Pattern found at 0030:004846D1   ( may differ in your PC )

   bpx 0030:004846D1 [enter]
   u 0030:004846D1 [enter]

   Press F5 or X, to let SoftIce break at the new location.

4. If nothing goes wrong, SoftIce will splash and break at the memory address as follows:

   ______________________________________________________________
   015F:004846D1 FF560C       CALL [ESI+0C]         <===== HERE
   015F:004846D4 8B55F8       MOV EDX,[EBP-08]
   015F:004846D7 A184D94800   MOV EAX,[0048D984]    <== d EDX
   015F:004846DC E82FF8F7FF   CALL 00403F10
   ____________________MEMMNSTR!CODE+000836CF____________________

   Press F10 2 times and stop at 015F:004846D7, then dump/display the EDX register by typing:

   d edx [enter]

   Look at the Data Window - at the virtual address 0167:00DA530C - did you see
   7K5L2-C3A7-KSAA-9H7N ?? One line below are 6R2E3-C976-HY63-4C2W , CY8D3-S642-PH68-AM9L ,
   5G4F4-S394-WF82-8G8F , 2XCN4-Y489-UX59-6VCD ...etc. Write down those suspicious reg codes... if
   you like. You can either repeat the above procedure or scroll up/down to see more potential reg
   codes.

5. Disable the current existing breakpoint, press F5 to return to the registration dialog box.

6. Repeat the registration procedure, key in 7K5L2-C3A7-KSAA-9H7N as your serial number. Click OK
   ..... the classic " MemMonster has been registered successfully.... " message appears on your
   screen.

7. Where the hell is my registration code stored ?? Hahaha gotcha ! .... however hard you use
   WXIR/WXIO and REGMON ... you'll never find it anywhere on your harddisk. Read my preface above
   ... if you have enough time try searching for the suspected CLSID
   {FD853CDD-7F86-11d0-82F2-0134940705AB5}. Nice try Kang Dani ...... again and again.

   Besides, once you're registered you're registered forever. One strange occurrence is that if you
   manually edit the registry key and value "RegisteredOwner" to your own desired name ..... the
   prog still accepts it!

   MemMonster creates two registry entries as follows:

   REGEDIT4

   [HKEY_LOCAL_MACHINE\Software\Magellass\MemMonster]
   "Dir"="C:\\Program Files\\MemMonster 2000"
   "RegisteredOwner"="Pirates Order"

   and the registry entry below ... IS JUST COSMETIC!
   REGEDIT4

   [HKEY_LOCAL_MACHINE\Software\Magellass Corp.]
   [HKEY_LOCAL_MACHINE\Software\Magellass Corp.\MemMonster 2000]
   [HKEY_LOCAL_MACHINE\Software\Magellass Corp.\MemMonster 2000\1.00]
   "Name"=""
   "Company"=""

8. How can I practise with my own user name ? - I strongly recommend you not to do this !

END NOTES
See the END NOTES of the AdWizard tutorial above; they apply here unchanged.

ASTAGA [D4C/C4A]
tute-memmonster10.zip [EOF] 10/20/00 11:54:23 AM


I really hope you've enjoyed this tutorial as much as I did!

Don't miss Tutor #106 soon! ;)

Credits goto:
cokine for Splash Logo.
ASTAGA for providing 3 tuts in this version.
tKC for providing 2 tuts in this version.

To ALL the crackers:
You are welcome to send me your tutors to publish them .. see below for my email address!
*** 95 chars per line in textfile please!
*** And all the tutors can be found at:
http://www.crackersinaction.com
(or on IRC, ask CiA ops for urls!)

Greetz goto all my friends!

You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 12 November 2000

Cracking Tutorial #105 is dedicated to CiA, all new and old members for the support they gave me
all the years!
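A closing note from the defender's side, added here and not part of any of the tutorials above: all five targets rebuild the real code (or hold a table of valid codes) in memory and compare it with what was typed, and the Magellass programs record registration by name alone, which is why "d edx" shows the real code and an edited RegisteredOwner is still accepted. The Go below is an assumed design, not any target's code (deriveCode is a constructed stand-in for a name-to-code routine), and puts that weak check beside a signature-based license that has no real code to fish and binds the stored name to the vendor's signature.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"fmt"
	"strings"
)

// deriveCode is a constructed stand-in for a target's "real code" routine
// (not any real program's algorithm): a small hash of the name as 8 hex
// digits. All that matters is that the program itself can compute it.
func deriveCode(name string) string {
	var acc uint32 = 0x1505
	for _, c := range []byte(strings.ToUpper(name)) {
		acc = acc*33 + uint32(c)
	}
	return fmt.Sprintf("%08X", acc)
}

// weakCheck mirrors the design the tutorials defeat: the program rebuilds
// the real code from the name and compares it with the typed one. Both
// strings are live in memory at the compare, so a debugger (or a patched
// error-message path) can simply read the real one. It is returned here
// to make that visible.
func weakCheck(name, typed string) (ok bool, realCode string) {
	realCode = deriveCode(name)
	return typed == realCode, realCode
}

// License is the hardened form: the vendor signs the name with a private
// key that never ships; the program carries only the public key. There is
// no "real code" for a name anywhere in the program to fish, and the stored
// name cannot be edited without invalidating the signature.
type License struct {
	Name string
	Sig  string // hex-encoded Ed25519 signature over Name
}

// issueLicense is the vendor-side step (private key stays with the vendor).
func issueLicense(priv ed25519.PrivateKey, name string) License {
	sig := ed25519.Sign(priv, []byte(name))
	return License{Name: name, Sig: hex.EncodeToString(sig)}
}

// verifyLicense is all the shipped program needs: reject malformed input,
// then check the signature against the name exactly as stored.
func verifyLicense(pub ed25519.PublicKey, lic License) bool {
	sig, err := hex.DecodeString(lic.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(lic.Name), sig)
}

func main() {
	// Constructed sample input: the name/code pair typed in the tutorials.
	ok, real := weakCheck("Pirates Order", "73881050")
	fmt.Printf("weak check: accepted=%v, real code in memory=%s\n", ok, real)

	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	lic := issueLicense(priv, "Pirates Order")
	fmt.Println("signed license verifies:", verifyLicense(pub, lic))
	lic.Name = "Someone Else" // the "edit RegisteredOwner" trick
	fmt.Println("renamed license verifies:", verifyLicense(pub, lic))
}
```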