Welcome to Cracking Tutorial #112!

Hiya guys, hmm, from Tuts #105-110 it seems I forgot to replace the Tutor #numbers in the Welcome
Screen. So excuse me please :) Well, here is another tut112.tKC... Let's rave! ...or crack, babes? :)

You'll need the following tools (I use these tools and I assume you'll use 'em, but it doesn't mean
that you'll need to use all of them, so be sure to have them handy for the examples in this
tutorial!):

  SoftICE v4.05
  W32Dasm v8.93
  Hacker's View v6.55
  SmartCheck v6.03
  ProcDump32 v1.6.2
  TRW2000 v1.22
  IDA v4.04
  Windows Commander v4.51 (I use it coz it's easier to multitask)
  Delphi, VB, C++, or TASM to code a keygen or a patch..

Don't ask me where to download all these tools since you had a chance to get them when you used my
older tutorials. Here are a few good sites where you can grab tools from:

  http://protools.cjb.net
  http://w3.to/protools
  http://www.crackstore.com

or ask any crackers to get you these tools! Are you ready?! OK! ;)

-------------------------------------------------------------------

SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING.

Close Popup 4.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

DISCLAIMER

This reading material is not intended to violate copyrights and/or the law, but is for educational
purposes only. I hold no responsibility (by all means and in any shape whatsoever) for the misuse of
this material.

WHERE TO DOWNLOAD

  Author    : Ryan Martinsen
  Copyright : Take a Hike Software.
  Homepage  : http://www.homeonthewww.com/ryan/
  URL       : http://www.hotwww.com/ryan/close_popup4.zip
  Size      : KB as of ,2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

This is a Visual Basic 6 based program. Before you apply this tutorial you had better edit your
WINICE.DAT and enable the MSVBVM60.DLL export statement accordingly. At least your WINICE.DAT should
look as follows:

  EXP=c:\windows\system\msvbvm50.dll
  EXP=c:\windows\system\msvbvm60.dll

In some cases enabling these two statements will confuse SoftIce, so use them carefully. Please take
note, this tute is not meant to generalize that cracking VB applications is easy - there are lots of
programs that cannot be cracked this way. (By coincidence Close Popup is a simple one.)

1. Run CLOSE POPUP.EXE, click the REGISTER tab, and in the registration dialog box type the
   information below:

     User name : Pirates Order
     Reg Code  : 98032749807

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and set breakpoints as follows:

     bpx __vbastrcat [enter]
     bpx __vbastrmove [enter]

   Press X or F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce! Inside SoftIce press
   F11, F5, F11 once until you see the code snippet below:

   ______________________________________________________________
   015F:00410AAE  FFD6       CALL ESI            <== break here
   015F:00410AB0  8B55E8     MOV  EDX,[EBP-18]   ==> d eax
   015F:00410AB3  8D4DE0     LEA  ECX,[EBP-20]
   015F:00410AB6  895DE8     MOV  [EBP-18],EBX
   _____________________CLOSE POPUP!.text+FAAE___________________
   Break due to BPX MSVBVM50!__vbaStrMove
   Break due to G

   Press F10 once and display the EAX register:

     : d eax [enter]

   ==> your name, fake and real code appear in the Data Window at virtual address 0167:00422574.
   Your valid reg code is at 0167:00422594 up to 0167:004225B4. Remember they're in wide format
   and look as follows:

   EAX=00422574 EBX=00000000 ............. ESI=7B30F8DA EDI=005205B4
   EBP=0064ED50 ............. o d I s Z a P c
   CS=015F DS=0167 SS=0167 ..GS=0000 SS:0064ED38=00422518
   ----------------------------------dword-------------PROT---(0)--
   0167:00422574 00380039...00390034 9.8.0.3.2.7.4.9.   <== fake
   0167:00422584 00300038...A0000044 8.0.7...r...D...
   0167:00422594 00000022...005E0045 "...1.6.5.5.E.^.   <== your
   0167:004225A4 00560067...00670044 g.V.i.Z.h.`.D.g.   <== real
   0167:004225B4 005A0059...00690061 Y.Z.g...A.g.a.i.   <== S/N
   0167:004225C4 0000006E...0000FFFF n........?......
   0167:004225D4 A0000044...00720072 D.......S.o.r.r.
   0167:004225E4 002C0079...00730061 y.,. .P.l.e.a.s.
   0167:004225F4 00200065...00670041 e. .T.r.y. .A.g.
   0167:00422604 00690061...00000000 a.i.n...........

   If you fail to get this figure, don't panic, just press the X or F5 key followed by F11 and
   repeat step 3 above. Repeat them several times if necessary.

4. Disable all breakpoints by typing BD * [enter]. Press F5 or X to return to the main program.

5. Repeat the registration procedure and key in 1655E^gViZh`DgYZg (case sensitive) as your S/N.
   Click the OK/REGISTER button..... ouchh! the splash screen and the classic message
   "thank you....".

6. Where the hell is my registration code stored?? The correct registration code is stored in
   the registry as follows:

     REGEDIT4

     [HKEY_CURRENT_USER\Software\VB and VBA Program Settings\Take a Hike Software\Close Popup]
     "User"="Pirates Order"
     "Code"="1655E^gViZh`DgYZg"
     "Version"="4.0"
     "Netscape"="True"
     "Netscape 3"="True"
     "Internet Explorer"="True"

7. How can I practise with my own reg. key? - I strongly recommend you not to do this!

END NOTES

Do not distribute your crack release based on this tutorial, because you become a LAMER!
(tHATDUDE (PC97) defined a LAMER as the guy who sits in front of a personal computer, using a Hex
Editor, ripping off other groups' crack releases and repacking (distro) them under his name. Adopted
from the newsgroups alt.cracks, alt.crackers - February 1997.)

More about LAMER(s):

  lamer /n./ [prob. originated in skateboarder slang] Synonym for luser, not used much by hackers
  but common among warez d00dz, crackers, and phreakers. Oppose elite. Has the same connotations
  of self-conscious elitism that use of luser does among hackers.
  < SOURCE: http://sagan.earthspace.net/jargon/jargon_27.html >

Never attribute to malice that which is adequately explained by stupidity

ASTAGA [D4C/C4A]
tute-closepopup40.zip [EOF] 11/12/00 5:33:03 PM

-------------------------------------------------------------------

SERIAL NUMBER IS FISHY - DECLINE YOUR PATCH'ITCH'ING.

RegSpanner v1.04
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM

RegSpanner - a Windows 98 tweaking utility. With RegSpanner it is possible to customise your Windows
98 user interface. You can:

  - Remove unwanted items from the Start Menu, Desktop, Control Panel etc.
  - Fine tune many aspects of the system performance
  - Add extra functionality to menus
  - Restrict access to certain parts of the computer
  - Speed up Dial-up Internet connections (beta)
  - ..plus many other enhancements

In this release of RegSpanner there are over 100 different things you can customise. In future
versions I am hoping to add a great deal more features to further enhance the Windows 98 operating
system. A Windows NT version will also be available and hopefully support for Windows 2000 and
Windows ME.
Most features will work with Windows 95, but some options are Windows 98 dependent.

WHERE TO DOWNLOAD

  Author   : Nick Dilley
  Homepage : http://www.regspanner.com
  URL      : http://www.regspanner.fsnet.co.uk/binary/regsp104.zip
  Size     : KB as of ,2000

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

This is a Visual Basic 6 based program. Before you apply this tutorial you had better edit your
WINICE.DAT and enable the MSVBVM60.DLL export statement accordingly.

First, I thought this program was tough because it won't break using common breakpoint(s) such as
VBASTRCAT, VBASTRMOVE, VBASTRCOMP, RTCMSGBOX, VBAHRESULTCHECKOBJ, vbaVarTextTstEq, etc. Until I
decided to use the old weapon MULTIBYTETOWIDECHAR, doubting I would succeed in finding the correct
serial number.

Second, to my surprise, by only pressing F10 once and scrolling up several lines the codes are lying
there side by side with the fake code. Facing this fact, I just think defeating CRACKMEs is more
challenging than this prog.... blah bleh bloh.

Third, this package requires the Microsoft Windows Installer. Internet Explorer 5 and Office 2000
come with this installer, but if you do not have it, it can be downloaded from:

  http://download.microsoft.com/download/platformsdk/wininst/1.1/W9X/EN-US/InstMsi.exe

Fourth, later on I realized I'd better utilize WinBoost or InternetTweak2000 (Magellass Corp) rather
than Nick Dilley's.....

1. Run REGSPANNER.EXE, click the OPTION tab, and in the registration dialog box type the
   information below:

     User name    : Pirates Order
     Auth. Number : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and set a breakpoint as follows:

     BPX MultiByteToWideChar [enter]

   and F5 to return to the main program.

3. Now it's time to click the OK button... you'll return back into SoftIce! Inside SoftIce press
   F11, F5, F11 once until you see the code snippet below:

   ______________________________________________________________
   015F:6601B510  FFD6     CALL ESI
   015F:6601B512  8B45FC   MOV  EAX,[EBP-04]   <== break here
   015F:6601B515  5F       POP  EDI            ===> D EAX
   015F:6601B516  5E       POP  ESI
   _____________________MSVBVM60!.text+0001A510___________________
   Break due to BPX KERNEL32!MultiByteToWideChar
   Break due to G

   Press F10 once - stop at 015F:6601B515 - and display the EAX register:

     : d eax [enter]

   ==> your name appears in the Data Window @ 0167:0048EDC0. Remember they're in wide format and
   look like this:

   0167:0048EDC0 00690050 200073 P.i.r.a.t.e.s. .
   0167:0048EDD0 0072004F 000024 O.r.d.e.r...$...
   0167:0048EDE0 00000018 650074 ....P.i.r.a.t.e.
   0167:0048EDF0 00200073 000000 s. .O.r.d.e.....
   0167:0048EE00 A00E1205 000000 ......G.<.G.....

   Now, scroll up (CTRL+PgUp) once, as I told you before.... there is your real serial number
   16f261e30202L29351-2961 at the virtual address 0167:0048ED20. One or two lines above is your
   fake code:

   0167:0048ECD0 00470AB4 ... A0000026 ..G.f.2...H.&...
   0167:0048ECE0 0000001A ... 00650074 ....P.i.r.a.t.e.
   0167:0048ECF0 00200073 ... 00000072 s. .O.r.d.e.r...
   0167:0048ED00 A0000024 ... 00380038 $.......7.3.8.8.
   0167:0048ED10 00300031 ... 00650064 1.0.5.0...r.d.e.
   0167:0048ED20 00000000 ... 00360031 ....D.......1.6.
   0167:0048ED30 00320066 ... 00320030 f.2.6.1.e.3.0.2.
   0167:0048ED40 00320030 ... 00310035 0.2.L.2.9.3.5.1.
   0167:0048ED50 0032002D ... 00000000 -.2.9.6.1.......
   0167:0048ED60 00000000 ... 0047090C ........Q.....G.
   ____________________ MSVBVM60!.text+0001A510 _________________

   If you fail to get this figure, don't panic, just press the X or F5 key followed by F11 and
   repeat step 3 above. Repeat them several times if necessary.

4. Disable all breakpoints by typing BC * [enter]. Press F5 or X to return to the main program.

5. Repeat the registration procedure and key in 16f261e30202L29351-2961 as your S/N. Click the
   OK/REGISTER button..... ouchh! the splash screen and the classic message "thank you....".

6. Where the hell is my registration code stored?? The correct registration code is stored in
   the registry as follows:

     REGEDIT4

     [HKEY_LOCAL_MACHINE\Software\RegSpanner]
     "RegisteredTo"="Pirates Order"
     "RegistrationNo"="16f261e30202L29351-2961"
     ;"RegisteredTo"="The Burning Cable Car at Kitzsteinhorn"
     ;"RegistrationNo"="33v350h29233o16350-3859"

7. How can I practise with my own reg. key? - I strongly recommend you not to do this!

END NOTES

Do not distribute your crack release based on this tutorial, because you become a LAMER!

ASTAGA [D4C/C4A]
tute-regspanner104.zip [EOF] 11/12/00 5:33:03 PM

-------------------------------------------------------------------

SERIAL NUMBER IS FISHY - DECLINE YOUR PATCHING

Shred-X v1.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM

Shred-X is a security file shredder. Its purpose is to prevent others from breaching your privacy or
stealing your secrets by securely removing all traces of any sensitive files from your hard disk.
Shred-X does this by using sophisticated overwriting algorithms which obliterate latent data on your
hard disk, making your deleted files irrecoverable, even by expensive equipment. The user interface
was designed with safety and ease of use as prime criteria. Multi-pass file deletion (including the
Windows SwapFile) is combined with effective disk cleaning.

WHERE TO DOWNLOAD

  Program      : Shred-X File and Data Shredder
  Ver          : 1.0
  Date         : September 24, 2000
  Copyright    : Business Software
  Web          : http://www.bsoft.ic24.net/shredx.htm
  Download     : http://www.bsoft.ic24.net/shredx10.zip
  Author       : Eddie Bond
  Status       : Shareware Evaluation (30 days)
  Restrictions : Delayed 'Nag' after extended unregistered period.
  Platform     : Windows 98 or 95

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

1. Run SHREDX.EXE, and in the registration dialog box type the information below:

     User Name : Pirates Order
     Company   : Caribbean Buccaneer
     Reg Key   : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and create a new breakpoint as follows:

     BPX hmemcpy [enter]

   and F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Inside SoftIce press F11, F5, F11
   followed by pressing F12 several (12) times until you see the code snippet below:

   _______________________________________________________________
   015F:0044FBE2  E80540FCFF   CALL 00413BEC
   015F:0044FBE7  8B55F0       MOV  EDX,[EBP-10]   <== break here
   015F:0044FBEA  58           POP  EAX
   ....
   _______________________SHREDX!CODE+0004EBE2____________________

   Clear the previous breakpoint since you don't need it anymore, and set a new breakpoint for
   further usage:

     : bc * [enter]
     : bpx 015F:0044FBE2 [enter]

   Now, do a search string as follows:

     : s 0 l fffffffffffffffffff E8 79 46 FC FF 8B 45 [enter]

   SoftIce will respond:

     Pattern found at 0167:0044F56E (0044F56E)

   Create a new breakpoint again at the newly found memory address:

     : bpx 0167:0044F56E [enter]
     : X or F5 to let SoftIce break in this new location

   (note: if SoftIce doesn't break at 0044F56E, disable the previous breakpoint at 0044FBE2.
   Repeat the registration procedure if necessary.)

4. If nothing goes wrong you'll break at the code snippet below:

   _______________________________________________________________
   015F:0044F568  8B80D0010000   MOV  EAX,[EAX+000001D0]
   015F:0044F56E  E87946FCFF     CALL 00413BEC            <== break here
   015F:0044F573  8B45F4         MOV  EAX,[EBP-0C]
   015F:0044F576  33D2           XOR  EDX,EDX
   015F:0044F578  E8FB68FBFF     CALL 00405E78
   015F:0044F57D  3BF8           CMP  EDI,EAX             ? edi  ? eax
   .....
   .....
   ______________________SHREDX!CODE+0004E568____________________
   Break due to BPX #0167:0044F56E

   Press F10 2 times - stop at 015F:0044F576 - and display the EAX register:

     : d eax [enter]

   ==> look at the Data Window, your fake code appears at virtual address 0167:0112E3A0.

   Press F10 2 times again - stop at 015F:0044F57D - yeah, what a classic CMP instruction...
   Let's check out what their contents are:

     : ? edi [enter]
     00C0CE98 0012635800 " "     ==> possible valid reg. code, write it down!
     : ? eax [enter]
     046755DA 0073881050 " gU "  ==> your fake code

5. Disable all currently existing breakpoint(s):

     : bd * [enter]
     : x or F5 to return to the registration dialog box

6. Repeat the registration procedure, and key in 12635800 as your registration key. Click the OK
   button... you're registered! See that your trial period is gone.

7. Where the hell is my registration code stored??? The correct registration code is stored in
   the registry as follows:

8. How can I practise with my own name and reg. key? - I strongly recommend you not to do this!

END NOTES

Do not distribute your crack release based on this tutorial, because you become a LAMER!

ASTAGA [D4C/C4A]
tute-shredx10.zip [EOF] 11/9/00 11:44:09 PM

-------------------------------------------------------------------

WHY PATCHING WHILE SERIAL NUMBER IS FISHY

Telos v2.0
A Cracking Tutorial by ASTAGA [D4C/C4A]

ABOUT THE PROGRAM

Telos is a professional quality, highly configurable email filter, aggressively purging your POP3
mail boxes of unwanted or unsolicited emails. Features include:

  - Unlimited mailboxes. Purge all your company's mailboxes from one machine.
  - User manageable rules with both target and exception lists.
  - Hit counting to show the effectiveness of each strategy.
  - High speed asynchronous operation.
  - Fast scanning - scans mail headers without downloading complete messages.
  - Unlimited user-defined rule sets.
  - Syntax-highlighted display of downloaded mail headers showing target and exception hits.
  - Can be run from system tray in unattended mode, with timed scans from 10 mins to one week.
  - Numerous tools to assist in the rapid building of effective, fast rule sets based on your
    individual requirements.
  - Time-stamped Activity log.
  - 'Learns' new patterns from unwanted messages.

Run it prior to downloading your email, and Telos will remove all unwanted items. Options are
available to launch your Email Program automatically when Telos is finished, or whenever Telos is
opened.

WHERE TO DOWNLOAD

  Program      : Telos
  Ver          : 2.00
  Date         : September 24, 2000
  Copyright    : Business Software
  Web          : http://www.bsoft.ic24.net/telos.htm
  Download     : http://www.bsoft.ic24.net/telos200.zip
  Author       : Eddie Bond
  Status       : Shareware Evaluation (30 days)
  Restrictions : Delayed 'Nag' after extended unregistered period.
  Platform     : Windows 98 or 95 (some options not available on 95).

HOW TO GET A VALID SERIAL NUMBER by using SoftIce

In this tute I will not describe tracing the code step by step, but go directly to the address
where the classic CMP instruction is located. I know this is going to be useless because the address
would be different on your PC. At the end of this tute I include how to reach the above-mentioned
address by doing a search string. The above addresses are very important because you'll see how
the valid S/N is generated based on your user name and always starts with the prefix 126x.

1. Run TELOS.EXE, click the SETTINGS tab, click on the REGISTRATION button. In the registration
   dialog box type the information below:

     User Name : Pirates Order
     Company   : Caribbean Buccaneer
     Reg Key   : 73881050

   Do not click the OK button yet.

2. Fire up SoftIce by pressing [CTRL + D] and create a new breakpoint as follows:

     BPX hmemcpy [enter]

   and F5 to return to the main program.

3. Now click the OK button... you'll return back into SoftIce. Inside SoftIce press F11, F5, F11
   followed by pressing F12 several (12) times (try to reach the main program's code until you
   break at 015F:00472EE0), then do a search string as follows. Disable / clear the previous
   breakpoint since you don't need it any longer:

     : BC * [enter]
     : bpx 015F:00472EE0 [enter]
     : S 0 L FFFFFFFFFFFFF E8 15 1E FA FF 8B 45 [enter]

   SoftIce will respond:

     Pattern found at 0167:00472DD6 (00472DD6)

   Set a new one as follows:

     : bpx 0167:00472DD6 [enter]

   Press X or F5 to activate this new breakpoint. Repeat the registration procedure if necessary.

4. If nothing goes wrong you'll break at the code snippet below:

   _______________________________________________________________
   015F:00472DD6  E8151EFAFF   CALL 00414BF0       BREAK
   015F:00472DDB  8B45F4       MOV  EAX,[EBP-0C]   <== HERE
   015F:00472DDE  33D2         XOR  EDX,EDX
   015F:00472DE0  E8E334F9FF   CALL 004062C8
   015F:00472DE5  3BF8         CMP  EDI,EAX        ==> ? EDI
   015F:00472DE7  0F94C3       SETZ BL
   015F:00472DEA  84DB         TEST BL,BL
   .....
   .....
   ______________________TELOS!CODE+00071DE0____________________
   Break due to BPX #0167:00472DD6

   Press F10 2 times - stop at 015F:00472DDE - and display the EAX register:

     : d eax [enter]

   ==> look at the Data Window, your fake code appears at virtual address 0167:0112E3A0.

   Press F10 2 times again - stop at 015F:00472DE5 - yeah, what a classic CMP instruction...
   Let's check out what their contents are:

     : ? edi [enter]
     00C0CEA6 0012635814 " "     ==> possible valid reg. code, write it down!
     : ? eax [enter]
     046755DA 0073881050 " gU "  ==> your fake code

5. Disable all currently existing breakpoint(s):

     : bd * [enter]
     : x or F5 to return to the registration dialog box

6. Repeat the registration procedure, and key in 12635814 as your registration key. Click the OK
   button....... you're registered! See that your trial period is gone.

7. Where the hell is my registration code stored?? The correct registration code is stored in
   the registry as follows:

     REGEDIT4

     [HKEY_LOCAL_MACHINE\Software\Business Software\Telos\2.0]
     "Name"="Pirates Order"
     "Company"="Caribbean Buccaneer"
     "left"="0"
     "top"="0"
     "MailClient"="f:\\eudora\\eudora.exe /m %1"
     "CurrentRule"="default"
     "MailClientClass"="Outlook Express Browser Class"
     "ScanPeriod"="0"
     "SplitHeight"="168"
     "DefaultConnection"="Chris RAW Jericho"
     "Log"="1"
     "Append Log"="1"
     "Split Log monthly"="1"
     "Background Bitmap"="1"
     "AutoDial"="0"
     "AutoDisconnect"="0"
     "Close Dialler on exit"="0"
     "Live Hints"="1"
     "Launch client on Startup"="0"
     "Launch client on Finish"="0"
     "Run in System Tray"="0"
     "Close on Finish"="0"
     "Auto Run on startup"="0"
     "Save on Exit"="0"
     "Add to Startup Group"="0"
     "Serial"="12635814"

8. How can I practise with my own name and reg. key? - I strongly recommend you not to do this!

END NOTES

This program is sold as shareware, so you can try before you buy. This is convenient for you, saves
expenses by dispensing with all that packaging, and cuts out the middle person. So it is cheap, but
it is not free. If you like the program, and you will, be sure to register and pay. To keep
shareware prices low, users must do the right thing: register, pay up, and smile/grin at yourself
in the mirror.

Do not distribute your crack release based on this tutorial, because you become a LAMER!

ASTAGA [D4C/C4A]
tute-telos20.zip [EOF] 11/9/00 11:44:09 PM

-------------------------------------------------------------------

Software Re-engineering for Dummies : An Overview
=================================================
by romeo [d4c/97]

Before I started "software re-engineering", these questions often popped up in my mind:

1. How the heck can someone figure out the serial numbers?
2. What changes do you make to a program so that it's registered?

-------------------------------------------------------------------
INTRODUCTION
------------

I think it's reasonable to believe that the most widely used debugger by all "software re-engineers"
or "software reverse-engineers" is SoftIce from Numega. The word "debugger" should tell you what the
program does: it debugs bugs. Well, people are often very creative. If it can be used to debug bugs,
it can also be used to take a peek at how the software is programmed. The debugger has to be loaded
before Windows is loaded. The reason is so that any program that runs under Windows can be stopped
at any time (by pressing Ctrl-D) and have its code (in Assembly language) revealed to the user. (I
don't want to get too complicated.) The ironic thing is that SoftIce is shareware, and being the
best debugger is not any good to itself, because it is used by "engineers" to find out what its
serial number is.

-------------------------------------------------------------------

INTO THE PROCESS : Starting Point
==============

A piece of software is often huge and therefore full of code. It would be impractical to go down
each line of code and figure out what each line does. Therefore, it's up to the "engineer's"
creativity and experience to select a starting point. "Where should I start deciphering the code?"
There are lots of techniques, which might just sound Greek to you if you're a dummy in this area.
So, I'll leave that part out.
When a starting point is decided, the "engineer" will pay more attention to "weird, interesting or
out of the ordinary" code.

Probing Techniques Simplified
=============================

1. Serial Numbers

If you have downloaded a shareware program once or twice in your lifetime, you might have come across
a "Register" command which resides in the Help|About... dialog box most of the time. When you click
on it, you may be prompted with a box which requires you to enter your name and then a serial number
that matches your name. Now, this means that somewhere among the code in the program, there will
most probably be lines that say:

  A  compare the serial number that has been entered with the correct serial number that
     matches the name and goto B
  B  if it is incorrect, goto D
  C  show a thankyou message because the number is correct and goto D
  D  close the box and return to the program

As long as the "engineer" can find these lines, it is very likely that (s)he can just write down the
number from the screen (it is just that simple! - sometimes...). This is sometimes referred to as a
"soft" approach.

2. Changing Bytes

Well, it can be very tricky sometimes and the "engineer" has to resort to "hard/brutal
re-engineering". This involves changing certain bytes of the original program so that it works the
way the engineer wants it to work. This would most likely involve "time-limited sharewares". These
sharewares do not offer the option of registering the program by entering a name and a number.
Worse, after a certain number of days, they will cease to work.
To make your life easier, let us use the previous example (pretend these are the initial codes):

  A  compare the serial number that has been entered with the correct serial number that
     matches the name and goto B
  B  if it is incorrect, goto D
  C  show a thankyou message because the number is correct and goto D
  D  close the box and return to the program

I'll show you some techniques which have been used:

Technique 1 - Reverse the conditions
====================================

Often, there's only one number that matches your name. And you don't get it right 99.9% of the
time. So, an "engineer" can change the codes to this:

  A  compare the serial number that has been entered with the correct serial number that
     matches the name and goto B
  B  if it is incorrect, DON'T goto D
  C  show a thankyou message because the number is correct and goto D
  D  close the box and return to the program

Since you know that you'll be incorrect, by reversing the conditions, you'll end up registering the
program.

Technique 2 - One way conditions
================================

What if you happen to guess the right number? Hmm.. this means technique 1 will not work. So, this
can be done:

  A  compare the serial number that has been entered with the correct serial number that
     matches the name and goto B
  B  if it is incorrect, goto C
  C  show a thankyou message because the number is correct and goto D
  D  close the box and return to the program

Now, it doesn't matter whether you're right or wrong, you'll end up registering the program.

Technique 3 - Tricky conditions
===============================

This is an alternative to technique 2:

  A  compare the serial number that has been entered with the serial number that has been
     entered
  B  if it is incorrect, goto D
  C  show a thankyou message because the number is correct and goto D
  D  close the box and return to the program

hehe.. this sounds funny but it works.
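The weakness that all four ASTAGA tutorials above and romeo's step A share is the same one: the program builds the expected serial in memory and hands it to a string compare, so a breakpoint on the compare (or the CMP EDI,EAX) shows the valid serial next to the fake one. The following C program is an added example, not code from the page or from any of the programs it covers: check_naive() reproduces that layout, and check_hashed() shows a check that never materializes the expected serial. The serial derivation, the licence digest and the function names are constructed for the example and assume no real vendor's scheme.

```c
/* Added example, not from any program on this page. It reproduces the pattern
 * the four tutorials above rely on: the expected serial is built in memory and
 * handed to a string compare, so breaking on the compare (bpx __vbaStrMove,
 * the CMP EDI,EAX) shows the valid serial next to the fake one. check_hashed()
 * shows a layout that never materializes the expected serial. The serial
 * derivation and licence digest are constructed toys, not any vendor's scheme. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SERIAL_LEN 8

/* Constructed toy keygen: a 31-multiplier hash of the name as 8 hex digits. */
static void toy_derive_serial(const char *name, char out[SERIAL_LEN + 1])
{
    uint32_t acc = 0x1234;
    for (const unsigned char *p = (const unsigned char *)name; *p; p++)
        acc = acc * 31u + *p;
    snprintf(out, SERIAL_LEN + 1, "%08X", acc);
}

/* Weak layout (what romeo's step A does): the valid serial is written into
 * 'expected' and compared with strcmp, so 'd eax' on the compare reads it. */
int check_naive(const char *name, const char *typed)
{
    char expected[SERIAL_LEN + 1];
    toy_derive_serial(name, expected);
    return strcmp(expected, typed) == 0;
}

/* FNV-1a 64-bit: a real non-cryptographic hash, used here only so the
 * example runs stand-alone; a product would use a cryptographic hash. */
static uint64_t fnv1a64(const void *data, size_t len)
{
    const unsigned char *p = data;
    uint64_t h = 0xcbf29ce484222325ULL;
    for (size_t i = 0; i < len; i++) {
        h ^= p[i];
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* Constant-time equality: no early exit, so timing does not reveal how many
 * leading bytes matched. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    for (size_t i = 0; i < n; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}

/* Digest bound to name||serial, so a record for one name is useless for another. */
static uint64_t licence_digest(const char *name, const char *serial)
{
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s|%s", name, serial);
    if (n < 0 || (size_t)n >= sizeof buf) return 0;
    return fnv1a64(buf, (size_t)n);
}

/* Hardened layout: the stored licence record holds only the digest. The
 * expected serial is never computed at check time, so a breakpoint on the
 * compare shows two digests, not a typeable serial.
 * Caveats: (1) an 8-hex-digit serial is brute-forceable from the digest, so
 * the serial needs real entropy; (2) the record must be vendor-signed or a
 * forged (name, digest) pair works; (3) this does nothing against flipping
 * the branch after the compare (romeo's Techniques 1-3). */
int check_hashed(const char *name, const char *typed, uint64_t stored_digest)
{
    uint64_t got = licence_digest(name, typed);
    return ct_equal((const unsigned char *)&got,
                    (const unsigned char *)&stored_digest, sizeof got);
}

/* Vendor side (constructed): issue a serial and the digest the program stores. */
uint64_t issue_licence(const char *name, char serial_out[SERIAL_LEN + 1])
{
    toy_derive_serial(name, serial_out);
    return licence_digest(name, serial_out);
}

int main(void)
{
    char serial[SERIAL_LEN + 1];
    uint64_t digest = issue_licence("Pirates Order", serial);
    printf("naive, right serial : %d\n", check_naive("Pirates Order", serial));
    printf("hashed, right serial: %d\n", check_hashed("Pirates Order", serial, digest));
    printf("hashed, fake serial : %d\n", check_hashed("Pirates Order", "73881050", digest));
    return 0;
}
```

Running it under a debugger and breaking on strcmp inside check_naive shows both serials in memory; breaking on ct_equal inside check_hashed shows only two 8-byte digests.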
Sometimes, due to the complexity of software programming, only one of the described techniques can
be used, or only a mixture of 2 or more will work.

-------------------------------------------------------------------

[ The only reason why I indulge in "software re-engineering" is because I get pleasure out of it.
The first time when I managed to figure out a serial number for a shareware, I was so overwhelmed;
I shouted out loud with triumph and I felt so good about myself. All boiled down to the "ummmph"
that I get - it's addictive and I wanted more each time. ]

- anonymous "engineer" -

-------------------------------------------------------------------

-=THE END=-

I really hope you've enjoyed this tutorial as much as I did! Don't miss Tutor #113 soon! ;)

Credits go to:

  BrSrK  for the Splash Logo.
  ASTAGA for providing 4 tuts in this version.
  romeo  for providing a tut in this version.

To ALL the crackers: You are welcome to send me your tutors to publish them.. see below for my email
address! *** 95 chars per line in textfile please! ***

And all the tutors can be found at: http://www.crackersinaction.com (or on IRC, ask CiA ops for
urls!)

Greetz go to all my friends! You can find me on IRC or email me at tkc@reaper.org

Coded by The Keyboard Caper - tKC
The Founder of PhRoZeN CReW/Crackers in Action 2000
Compiled with Delphi 5 on 25 November 2000

Cracking Tutorial #112 is dedicated to iNNU3NDo... u deserved it ;)