February 1999
... Basic Methods in cracking ...
Code Reversing Engineering
 
 
bY widYa-cL 2011 [ wOrLd CrackInG linK 99 ]
 
 
0 1 0 1 0 1 0
Tools Used : Softice V3.24 - W32Dasm V8.93
0 1 0 1 0 1 0
Tutorial Title
... D N A ...
... from newbees to another ...
Rating
Extremely Easy ( X )   Easy (    )    Medium (   )   Hard (   )
Date : 103BC2F
 
INTRO
 
... sorry if there's any grammatical errors ... thiz is my 2'nd tuts .. hope you'll understand this piece ...
In this tuts i'd like to show u an easy & the fastest method to find a serial (we're not talking about VB proggies in here). I've written thiz for newbies / anyone out there that :
- wants to 'learn' the art of cracking ... 
- wants to know cracking basic methods/works ...
- said "cracking is hard to 'learn' "
...i assume u already have the tools needed. About Softice settings, u can learn them in the Softice Resource Center on the SandMan page, or u can simply edit your winice.dat (located in the directory where u installed Softice) to look like thiz :
PENTIUM=ON 
NMI=ON 
ECHOKEYS=OFF 
NOLEDS=OFF 
NOPAGE=OFF 
SIWVIDRANGE=ON 
THREADP=ON 
LOWERCASE=OFF 
WDMEXPORTS=OFF 
MONITOR=0 
VERBOSE 
PHYSMB=48         ; i have 48 MB physical memory (RAM)....change thiz to the correct size 
SYM=1024 
HST=256 
TRA=8 
MACROS=32 
DRAWSIZE=4096 ; i have 4MB graphics card ...change thiz to the correct size 

INIT="WR;WL;WD;CODE ON;X;FAULTS OFF;ALTSCR OFF;WATCH EAX;WATCH DS:SI;WATCH ES:EDI;" 

F1="h;" 
F2="^wr;" 
F3="^src;" 
F4="^rs;" 
F5="^x;" 
F6="^ec;" 
F7="^here;" 
F8="^t;" 
F9="^bpx;" 
F10="^p;" 
F11="^G @SS:ESP;" 
F12="^p ret;" 
SF3="^format;" 
CF8="^XT;" 
CF9="TRACE OFF;" 
CF10="^XP;" 
CF11="SHOW B;" 
CF12="TRACE B;" 
AF1="^wr;" 
AF2="^wd;" 
AF4="^s 0 l ffffffff 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14,33,C0,F3,66,A7;" 
AF5="CLS;" 
AF8="^XT R;" 
AF11="^dd dataaddr->0;" 
AF12="^dd dataaddr->4;" 
CF1="altscr off; lines 60; wc 32; wd 8;" 
CF2="^wr;^wd;^wc;" 

EXP=c:\win99\system\kernel32.dll ; my windows directory is win99....what yours.... 
EXP=c:\win99\system\user32.dll 
EXP=c:\win99\system\gdi32.dll 
EXP=c:\win99\system\comdlg32.dll 
EXP=c:\win99\system\shell32.dll 
EXP=c:\win99\system\advapi32.dll 
EXP=c:\win99\system\shell232.dll 
EXP=c:\win99\system\comctl32.dll 
EXP=c:\win99\system\crtdll.dll 
EXP=c:\win99\system\version.dll 
EXP=c:\win99\system\netlib32.dll 
EXP=c:\win99\system\msshrui.dll 
EXP=c:\win99\system\msnet32.dll 
EXP=c:\win99\system\mspwl32.dll 
EXP=c:\win99\system\mpr.dll 
EXP=c:\win99\system\msvbvm50.dll 
EXP=c:\win99\system\vb40032.dll 
EXP=c:\win99\system\vbrun300.dll

 
A DROP from ASSEMBLY OCEAN
... before we continue ... allow me to show you a short theory about the General Purpose Registers 
... since u will deal with them in every step ...... 
- Accumulator : EAX (32 bit) Extended of AX (16 bit).  
AX splits into two 8 bit registers :  AH (Acc high) & AL (Acc low)
used for arithmetic and logical computations
- Base : EBX (32 bit) Extended of BX (16 bit). 
BX splits into two 8 bit registers : BH (Base high) & BL (Base low)
holds indirect addresses
- Count : ECX (32 bit) Extended of CX (16 bit).  
CX splits into two 8 bit registers : CH (Count high) & CL (Count low)
used to count off the number of iterations in a loop or specify the number of characters in a string.
- Data : EDX (32 bit) Extended of DX (16 bit). 
DX splits into two 8 bit registers : DH (Data high) & DL (Data low)
holds the overflow from certain arithmetic operations, and it holds I/O addresses when accessing data on the I/O bus.
- Source Index : ESI (32 bit) Extended of SI (16 bit)
used as a pointer (much like the bx register) to indirectly access memory. You’ll also use these registers with the string instructions when processing character strings. This is a pointer within a segment (usually DS) that is read from by the CPU.
- Destination Index : EDI (32 bit) Extended of DI (16 bit)
used as a pointer (much like the bx register) to indirectly access memory. You’ll also use these registers with the string instructions when processing character strings. This is a pointer within a segment (usually ES) that is written to by the CPU.
- Base Pointer : EBP (32 bit) Extended of BP (16 bit) ; similar to Base Register
used to access parameters and local variables in a procedure.
- Stack Pointer : ESP (32 bit) Extended of SP (16 bit)
maintains the program stack. Normally, you would not use this register for arithmetic computations. The proper operation of most programs depends upon the careful use of this register.
Note that the eight bit registers do not form an independent register set. Modifying al will change the value of ax; so will modifying ah. The value of al exactly corresponds to bits zero through seven of ax. The value of ah corresponds to bits eight through fifteen of ax. Therefore any  modification to al or ah will modify the value of ax. Likewise, modifying ax will change both al and ah. Note, however, that changing al will not affect the value of ah, and vice versa.  

This statement applies to bx/bl/bh, cx/cl/ch, and dx/dl/dh as well. The si, di, bp, and sp registers  
are only 16 bits. There is no way to directly access the individual bytes of these registers as you 
can the low and high order bytes of ax, bx, cx, and dx. (The Art of Assembly) 
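
The aliasing rule quoted above, as an added example that is not part of the original tutorial: a small C model of one 32 bit register using masks, showing that a write to the low or high byte changes only that byte of the 16 bit half, and that a 16 bit write leaves the upper 16 bits of the extended register alone. The type and function names (reg32, set_l, set_h, set_x, partial_write_demo) are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of one general purpose register (EAX, EBX, ECX or EDX).
 * e is the full 32 bit value; the 16 bit and 8 bit names are just
 * views onto the low bits of the same storage. */
typedef struct { uint32_t e; } reg32;

uint16_t get_x(const reg32 *r) { return (uint16_t)(r->e & 0xFFFFu); }        /* AX */
uint8_t  get_h(const reg32 *r) { return (uint8_t)((r->e >> 8) & 0xFFu); }   /* AH */
uint8_t  get_l(const reg32 *r) { return (uint8_t)(r->e & 0xFFu); }          /* AL */

/* mov al, v : only bits 0..7 change */
void set_l(reg32 *r, uint8_t v)  { r->e = (r->e & 0xFFFFFF00u) | v; }
/* mov ah, v : only bits 8..15 change */
void set_h(reg32 *r, uint8_t v)  { r->e = (r->e & 0xFFFF00FFu) | ((uint32_t)v << 8); }
/* mov ax, v : bits 0..15 change, bits 16..31 are kept */
void set_x(reg32 *r, uint16_t v) { r->e = (r->e & 0xFFFF0000u) | v; }

/* Walks through three partial writes and returns the final 32 bit value.
 * The starting value is constructed for the example. */
uint32_t partial_write_demo(void)
{
    reg32 edx = { 0x12345678u };

    set_l(&edx, 0x63);            /* like "mov dl, byte ptr [eax]" loading 'c' */
    printf("after mov dl: EDX=%08X DX=%04X DH=%02X DL=%02X\n",
           (unsigned)edx.e, (unsigned)get_x(&edx),
           (unsigned)get_h(&edx), (unsigned)get_l(&edx));

    set_h(&edx, 0x00);            /* DH changes, DL keeps 0x63 */
    printf("after mov dh: EDX=%08X DX=%04X\n",
           (unsigned)edx.e, (unsigned)get_x(&edx));

    set_x(&edx, 0xBEEF);          /* both DH and DL change, upper half stays 0x1234 */
    printf("after mov dx: EDX=%08X DH=%02X DL=%02X\n",
           (unsigned)edx.e, (unsigned)get_h(&edx), (unsigned)get_l(&edx));

    return edx.e;
}

int main(void)
{
    partial_write_demo();
    return 0;
}
```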
 

DNA ( DEADLISTING IN ACTION )
 
...let's say we have a program called target.exe...we launch target.exe, enter the registration dialog, fill out the entries (name/key/etc) with whatever we like, then a window pops up saying "sorry, your name.." or "invalid.." or "Registration unsuccessful.." or "wrong code"....etc. write down the message 'n quit target.exe. We're gonna do a "fast" serial cracking...fire up W32Dasm and disassemble target.exe...wait..wait.... once it's disassembled, click REFS - STRING DATA REFERENCE, look down for the message, double click on ur message text ...'n soon we'll see thiz form :
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
:XXXXXXXX(C) ; ..goto thiz address 

* Possible Reference to String Resource ID=XXXX: "........................."

:XXXXXXXX ????  ????????
* Possible StringData Ref from Data Obj ->"...ur  message..."
:XXXXXXXX ????  ????????
...ur next step is ... go to the Referenced Address :XXXXXXXX(C) by pressing [SHIFT+F12] (goto code location XXXXXXXX).......'n we'll see the CMP/TEST in thiz form :
XXXXXXXX TEST  ..... , ..... ; Test one register or address to another. 
XXXXXXXX JE / JNE / etc .......  ; If equal /   if not equal ... then jump to good/bad cracker ...
              OR 
XXXXXXXX CMP ..... , .....  ; Compare one register or address to another. 
XXXXXXXX JE /   JNE / etc .......  ; If equal / if not equal ... then jump to good/bad cracker ... 
... from now on let's call thiz condition the CGATE (CRACKERS GATE ) ..  so when u try to find a serial then the first thing u need 2 know is the CGATE address ...since it determines whether we are a good cracker or a bad one ...
...if u can find your serial in here then u need to trace some instructions code above the CGATE (usually we only need to trace the last CALL before it) ... 
.. one thing i need to tell u  is "the routines" that worked  behind just before ur message pops up ... we can say there's 3 of them :
1. routine which  read  ur input 
2. routine which calculate the input in a unique formula to generate a valid serial (most of prog only calculate the name we entered) ..we call this a key generator routine (my favour)
3. routine which compare the valid serial with serial we entered 
... so let's say  u want to make a keygen then u need to know where 1'st routine is start/end &  2'nd routine is start/end. Well  .. in thiz tutor we're only discussed the 3'rd routine .. though thiz routine examination makes me boring but i hope it can help someone out there ...
.. hmm ... are u thinking what i'm thinking ?! ... yeah ... u are talking 2 much theory ... 
.. here we go then ... let's see what we can do with all that easy theory above.. let's jazzy guys ....
 
Ur targets : PolyView 3.20, VCDCutter 3.31 / MPEGPlayer 3.31, WinXfiles 3.7 / TWinExplorer PlusImage 99 1.3, IrfanView 32 2.98, Win-eXpose-I/O 95 V 2.00
 
POLYVIEW VERSION 3.20
 
OVERVIEW
 
The high performance image viewer and format conversion tool for Windows 95/98/NT from Polybytes®. PolyView’s major features are:
- Supports most of the popular graphics image formats, including BMP, GIF, JPEG, PCX, Photo-CD (read-only), PNG, SGI, TARGA, TIFF, and many others.
- Sophisticated support for animated GIF creation and playback.
- TWAIN support for acquiring blocks of images from scanners and digital cameras.
- Multiple threads enhance usability and allow time consuming operations, such as image file reading and writing, to be performed in parallel with user interface operations.
- Both full screen and windowed slide shows, using specified or random ordering, sound files, and transition effects.
- A wide variety of image appearance manipulation and filtering operations.
- Highly effective interpolated zooming.
- Sophisticated color resolution and image size manipulation algorithms.
- Thumbnail and directory browsers and Albums for image file management.
- OLE drag-and-drop methods for enhanced compatibility with the Windows desktop and applications.
- Automated creation of Web pages.
 
Protection system
Registration is via selecting Registration - License Information. Here you will be asked to enter :
Licensee              :
License number   :
The registration code is based on what you type in for your name...On successful registration the following entries are created within your Registry File:   HKEY_CURRENT_USER\Software\Polybytes\PolyView\Defaults\
KU="User Name"
KV="value"(value)
THE ESSAY
 
Run Polyview - Click Registration - License Information...use thiz entry as example :
Licensee : widYa@cL 2011
License number : 0101010
 
...push [OK]....a window pop up "Registration unsuccessful. Please verify that you have entered the information exactly as shown on your registration letter." ... time to crack .. fire up W32dasm 'n disassemble polyview.exe ...wait...*#!*...done...  click REFS - STRING DATA REFERENCE, look down for ur message , double click on it ...we land here : 

* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
:0044ED53(C) 

* Possible Reference to String Resource ID=00141: "Unregistered"

 
:0044EDF1 688D000000 push 0000008D
:0044EDF6  8BCF  mov ecx, edi
:0044EDF8  E84B800800 call 004D6E48
:0044EDFD  53 push ebx
:0044EDFE  53 push ebx
 
* Possible StringData Ref from Data Obj ->"Registration unsuccessful. Please "
->"verify that you have entered the "
->"information exactly as shown on "
->"your registration letter."
 
... remember ur next steps ... yup .. press [SHIFT+F12] goto code location 0044ED53....we'll see thiz : 
 
:0044ED49 E842B4FEFF call 0043A190 ; ur last call...Trace thiz CALL ( push right arrow )
:0044ED4E 83C408 add esp, 00000008
:0044ED51 85C0 test eax, eax ; Crackers Gate
:0044ED53 0F8498000000 je 0044EDF1
 
... kewl ... inside thiz call we only see one comparison ...
 
:0043A1C1  3BC3  cmp eax, ebx ; this is what we looking for ... Write down the address 
 
... heii .. are u sayin' somethin'...?!... yeah ... amazing we're only use w32dasm so far .. we're only need just one ' sweet final touch '  to finish thiz ...   yup ..we must use debugger ( Softice ) to see what's in EAX & EBX registers. We need to set breakpoint at 0043A1C1...but first we'll have to get into the polyview code in Softice .... now enter the registration screen again ... fill out the entries... DO NOT push [OK]  yet.....press [CTRL+D] to get into softice....  'n set some breakpoints ...
 
BPX GetWindowTextA [Enter] 
BPX GetDlgItemTextA [Enter] 
BPX MessageBoxA [Enter] 
X [Enter]  ; leave Softice 'n back to Polyview
 
... Push [OK] ... *BOOM* ...Break due to BPX USER32!GetWindowTextA  ... now press F11 to get the caller ...aah... we are in polyview code ... now we can set breakpoint at 0043A1C1 :
 
BC* [Enter]  ; clear all breakpoints 'coz we don't need it anymore...
BPX 0043A1C1 [Enter] 
X [Enter] 
 
.... we are here... .. take a look at register window EAX=A14F1FDC  EBX=00018A92.. it's a value in hexadecimal base... now let's see the value in decimal base ...
 
:0043A1C1 3BC3  cmp eax, ebx ; ? EAX .... 2706317276.....? EBX ....0000101010
.... yup ...ur dummy code (EBX) is compared to the correct code (EAX) ...write down the correct code... clear all breakpoints ..BC* [Enter] - X [Enter] . Enter registration again 'n fill out the entries with the following :
 
Licensee : widYa@cL 2011
License number : 2706317276
 
... [OK] ... *.......* ... " Registration Succesful...."....cracks done....
 
VCDCUTTER 3.31
 
OVERVIEW
 
VCDCutter is a special mini version of MPEGPlayer. It is a MPEG,VCD and Movie Player. This mini version can play MPG,VCD,or other movie files(such as MPG,DAT,AVI,MOV). Very friendly and menu-driven with full featured control with movie file. It can extract MPG, frame from VCD or MPG file, cutting your favourite part or whole MPG file (or track) to disk when playing (now can extract system stream,or video, audio stream only). Some features of VCDCutter:
- Support mostly movie format playing(MPG,DAT,AVI,MOV,M1v,MPV,:::). 
- Many options to fully control the playing operation. 
- Cut mpg clips to disk, and save them as mpg (video&audio),m1v (video only),or mp3 (audio only) files. supported streams include: mpg system     stream, video only stream or audio only stream. 
- You can cut some clips, and then join them into on file. 
- You can capture frames to disk when you are playing. you can merge 4 frames into one big frame by check Merge Soption. 
- Fully control the playback quality and performance . 
- You can resize the display window size to avoid some rubbish on your screen edge. 
- You can control the playing speed in range 0.1X~10X.
VCDCutter supports the following formats.  

MIDI (.mid)  
MPEG-1 (.mpg, .mpeg, .mpv, .mpe)  
Audio-video interleaved (.avi)  
Nonproprietary Apple? QuickTime? files (.mov, .qt)  
Wave (.wav)  
AU (.au, .snd)  
AIFF (.aif, .aifc, .aiff)

 
PROTECTION SYSTEM
 
Registration is via selecting Configuration - Register. Here you will be asked to enter :
User Name   :
User Code    :
 
The registration code is based on what you type in for User Name and User ID...On successful registration the program stores license data in cdplayer.dat located in your windows system directory. The User ID is different on each computer .. so u can't use my license data....
 
THE ESSAY
 
Run VCDCutter - Right Click - Configuration - Register ... use thiz entry as example :
 
User Name   : widYa@cL 2011
User Code    : 0101010
... push [Register] ... a window popz up says "Please ensure you have entered ...."  ... disassemble vcdcut.exe ..wait...done...click REFS - STRING DATA REFERENCE, look down for ur message , double click on it ...we land here :
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
:0041330C(C)
 
:00413387  6AFF push FFFFFFFF
 
* Reference To: USER32.MessageBeep, Ord:0194h
 
:00413389  FF155C554700 Call dword ptr [0047555C]
:0041338F A120634400 mov eax, dword ptr [00446320]
:00413394 6A00 push 00000000
 
* Possible StringData Ref from Data Obj ->"Error"
 
:00413396 6898D24200 push 0042D298
 
* Possible StringData Ref from Data Obj ->"Please ensure you have entered "
 
...press [SHIFT+F12] goto code location 0041330C....we see thiz : 
 
:00413302  E829480000 call 00417B30 ; trace thiz call ( right arrow in w32dasm )
:00413307 83C408 add esp, 00000008
:0041330A 85C0 test eax, eax ; Crackers Gate
:0041330C 7479 je 00413387
 
... we see there are three CMP (right ?!) : 
:00417B7C 83F908 cmp ecx, 00000008 ; Loop Counter 
:00417B94  3BD1  cmp edx, ecx ; Loop Counter 
... we're only interesting at last comparison before ret... :
* Reference To: USER32.wsprintfA, Ord:0264h  ; we're gonna set breakpoint using wsprintfA function
:00417C20  FF15EC554700  Call dword ptr [004755EC]
:00417C26  8BB4242C020000 mov esi, dword ptr [esp+0000022C]
:00417C2D  83C410 add esp, 00000010
:00417C30  8D842414010000  lea eax, dword ptr [esp+00000114]
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
:00417C59(C)
:00417C37  8A10  mov dl, byte ptr [eax]
:00417C39  8A1E  mov bl, byte ptr [esi]
:00417C3B  8ACA  mov cl, dl
:00417C3D  3AD3  cmp dl, bl
 
now enter the registration box again ... fill out the entries... DO NOT push [ Register ]  yet.....press [CTRL+D] to get into softice.... 
 
BPX WSPRINTFA [Enter] 
X [Enter]
...[Register] ... *BOOM*... press F11 to get the caller....we land here....(use F10 to step over)
 
:00417C26  8BB4242C020000 mov esi,   [esp+0000022C]
:00417C2D  83C410 add esp, 00000010
:00417C30  8D842414010000  lea eax, [esp+00000114] ; EAX now holds the address ESP+114 (a pointer to the buffer there) 
.... type D EAX  ... what do u see in Data Window ... in my case ... c32e8403-577c879c ... kewl .. it's the correct code 
:00417C37  8A10  mov dl, [eax] ; copy first char from correct code to dl (dl=00000063)
:00417C39  8A1E  mov bl, [esi] ; copy first char from ur dummy code to bl (bl=00000031)
:00417C3B  8ACA  mov cl, dl ; copy dl to cl 
:00417C3D  3AD3  cmp dl, bl ; compare 'c' to '0'   ....
 
.... write down the correct code ... type BC* [Enter] - X [Enter] . Enter registration again fill out entries with the correct code :
 
... push [Register] ... " Thanks for your support !!! Registeration is Suceed !!! " .... are u thinking what i'm thinking ?! .... yeah..i should ask the author of VCDCutter to join me taking TOEFL course next month ..... cracks done ... heiii .. thiz proggy has a twin brother called MPEGPlayer ... uses the same level prot schemes ... similar codes ... definitely same solution as above ... i'll leave this so u can try to crack it as an exercise...but first u have to delete cdplayer.dat in your windows system dir 'coz it uses the same license data. 
 
WINXFILES VERSION 3.7
 
OVERVIEW
 
WinXFiles with its attractive tabbed-dialog interface features secure encryption to prevent unauthorized access of all type of files and particularly of your image collection. 
"To protect Your Personal Image collection"
Secure Multi Image Viewer Included: 
You can encrypt your pictures once and see them as often as you want with your password and a click of mouse, thanks to the WinXFiles™ Secure Multi Image Viewer inside. It includes a quick thumbnail preview mode.  
Supports BMP, JPG, GIF, Animated GIF, PNG, TIF, PCX, WMF. 
Ultra-Fast Window and Full Screen image display.
"To Protect all Your Personal files"
Application AutoLaunch: 
With a click of the mouse and your password you can select an encrypted file. WinXFiles will decrypt it and run the file with the associated application.
"To Securely Erase The Files You Truly want to Delete"
Secure File Wipe: 
It enables you to completely destroy the contents of any files you truly want to delete. Unlike the normal delete process, which merely replaces the first letter of a filename to allow it to be overwritten, this function obliterates the file contents. It will prevent anyone else from undeleting files you thought you had erased. 
 
Protection system
 
Registration is in the program intro .. we're asked to enter :
User Name   :
Key                :
 
The registration code is based on what you type in for your name & the date when u entered it...On successful registration the following entries are created within your Registry File:   HKEY_CURRENT_USER\Software\Pepsoft\WXF32\Reg\
"User Name"=
"User Key"=
THE ESSAY
 
.. as usual we use thiz as entry :
User Name   : widYa@cL 2011
Key               : 0101010
... push [ OK ] ... a window popz up says " Invalid Registration Password "  ... disassemble wxfiles.exe ..wait...done...click REFS - STRING DATA REFERENCE, look down for ur message , double click on it ...we land here :
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
:0046F51F(C)
:0046F55A  6A00  push 00000000
:0046F55C  668B0DF0F54600  mov cx, word ptr [0046F5F0]
:0046F563  B202  mov dl, 02
* Possible StringData Ref from Code Obj ->"Invalid Registration Password."
.. [SHIFT+F12] goto code location  0046F51F ...
 
:0046F51A  E81944F9FF  call 00403938     ; CGATE is in here ... trace this call (right arrow)
:0046F51F 7539 jne 0046F55A
.. we're here ...
:00403938 53 push ebx
:00403939 56 push esi
:0040393A 57 push edi
:0040393B 89C6 mov esi, eax
:0040393D 89D7 mov edi, edx
:0040393F 39D0 cmp eax, edx       ; Crackers Gate .. 
:00403941 0F848F000000 je 004039D6        ; if equal then leave 'bad cracker routine'  'n goto 'good cracker'
 
:004039D6  5F pop edi
:004039D7 5E pop esi
:004039D8 5B pop ebx
:004039D9 C3 ret
 
... just to make clear .. we  can imagine the codes into like this :
 
:0040393F 39D0 cmp eax, edx  ; we're gonna set breakpoint at here..
 
:0046F51F 7539 jne 0046F55A ; if not equal then jump to hell ... if equal then proceed 'the way to heaven'
:0046F521 8B45FC mov eax, dword ptr [ebp-04]
:0046F524 E813040000 call 0046F93C
:0046F529 6A00 push 00000000
:0046F52B 668B0DF0F54600 mov cx, word ptr [0046F5F0]
:0046F532 B202 mov dl, 02
 
* Possible StringData Ref from Code Obj ->"WinXFiles is now registered. Thanks " 
                                                                      ->"a lot!"
 
... once again we need Sice  just to see what's in EAX,EDX ... let's finish thiz out ...we're only need 'one sweet final touch' ...
heii .. are u sayin' somethin' ..?! ..yeah.. i wish i'm a master in assembly so i can make disassembler+debugger in one  proggy..
 
... Call the angel (Sice) to guide us (CTRL+D) ...hmm .. since we already know the address we want to set BPX at ... u can use any function that u want as long as it can lead us to break in wxfiles code ... here we have a good function (HMEMCPY) ... 
BPX HMEMCPY  [ENTER]
..*BOOM* ... F12 7X ...
BC* [ENTER]
BPX 40393F [ENTER]
X [ENTER]
X [ENTER]
 
:0040393F 39D0 cmp eax, edx  ; D EAX u see 0101010 .... D EDX .. in my case shows.. BXUXZWJKPXMNLGP 
 
.... write down the correct code ... clear the garbage from ur planet .. BC* [Enter] - X [Enter] . Enter registration again fill out entries with the correct key ... [OK] ..."WinXFiles is now registered. Thanks a lot!" ... 
are u thinking what i'm thinking ?!... yeah .. everybody greetz to good cracker....
 
... thiz proggy has a twin sister called TwinExplorer ...uses the same level prot schemes .. similar codes .. definitely same solution as above ... i'll leave this so u can try to defeat it as an exercise ...
 
IRFANVIEW 32 V.2.98
 
OVERVIEW
 
IrfanView is a fast FREEWARE image viewer/converter for Win95/NT.  

Supported file formats:  
JPG/JPEG, GIF, BMP, DIB, RLE, PCX, DCX, PNG, TIFF, TGA, RAS/SUN, 
ICO, CUR, ANI, AVI, WAV, MID, RMI, WMF, EMF, PBM, PGM, PPM, IFF/LBM, 
PSD, CPT, EPS, CLP, CAM, MPG/MPEG, MOV, LWF, AIF, G3 and  
Photo-CD(Overview Photo-CD support).  

Some features of IrfanView: 
Preview option, Drag&Drop support, fast directory view (fast moving 
through directory), slideshow, audio CD player, batch conversion,  
print option, change the color depth, scan support, cut/crop,  
capturing, many effects (sharpen, blur, photoshop filter factory) ... 

The first graphic viewer WORLDWIDE with Animated-GIF support ! 
The first graphic viewer WORLDWIDE with Multiple-ICO support ! 
One of the first graphic viewers with Multipage-TIFF support ! 

 
Protection system
 
Registration is via selecting About - Registration . Here you will be asked to enter :
Your Name   :
Your Code    :
 
The registration code is based on what you type in for your name...On successful registration the program stores license data in I_View32.ini located in your windows directory ... in the following section  

[Registration] 
Name= 
Code=

 
THE ESSAY
 
Run the proggy - select About - Registration ... use thiz entry as example :
 
Your Name   : widYa@cL 2011
Your Code    : 0101010
 
... [OK] ... "Invalid Registration"  ... disassemble I_View32.exe ..wait...done...click REFS - STRING DATA REFERENCE, look down for ur message , double click on it ...we land here :
 
:0044033D  E8DEF9FDFF call 0041FD20    ;  Trace thiz call
:00440342 83C408 add esp, 00000008
:00440345 85C0 test eax, eax       ; Cracker Gate
:00440347 752C jne 00440375
 
* Possible StringData Ref from Data Obj ->"Incorrect registration !"
... last comparison before ret ...
 
:0041FFA0 3BE8 cmp ebp, eax       ; check thiz out ...
 
... are u feeling what i'm feeling ?! ... yeah .. thiz tutor makes me boring ..
...  Enter Registration again - Fill out the entries - [CTRL+D]  -  BPX GetDlgItemTextA [Enter] - X [Enter] - [OK] - *BOOM* - F11 - BC* [Enter] - BPX 41FFA0 [Enter] - X [Enter] - ? EBP .. 0101010 ... ? EAX .. 0449531208 - u tell me .... 
 
WIN-EXPOSE-I/O 95 VERSION 2.00
 
OVERVIEW
 
Win-eXpose-I/O is a Windows 95 file I/O Tracing/Debugging SHAREWARE util. that lets you examine in real time what files each running application is using or trying to use.
Win-eXpose-I/O for Windows 95 traces all the file activities in all the application and in all the different VM (even DOS boxes) and gives you a clear picture on problems troubleshooting (like where and what the hell is the help file / INI file that the application is using or complaining that is missing).
Win-eXpose-I/O for Windows 95 is a MUST HAVE tool for anyone who is installing windows software on the computer or just trying to make sure the current software is working properly, Win-eXpose-I/O saves those HUGE amount of hours trying to configure new or existing software by letting you know in real time what files each application is using or seeking.
Win-eXpose-I/O for Windows 95 application has a very intuitive and simple to operate user interface, yet a very powerful one that lets any user, novice to guru, use the program in just a matter of seconds, just run it and then activate the other applications and you will see on the Win-eXpose-I/O screen a real-time logging of all the file activities and their results.
Win-eXpose-I/O for Windows 95 is also used as a GREAT performance improver by letting you know for each application all the file seeking failures (like searching for a file on the path) and then just by changing a few system settings like PATH or working directory you will gain a performance improvement.
 
Protection system
 
Registration is via selecting the 'Help' menu then choosing the 'Registration' option.   Here you will be asked to enter :
First,LastName  
Company Name  
Address Line #1 
Address Line #2  
Serial Number  
Password 
The actual password is based on the Serial No. Once you've registered the program it will store your User details and the password itself at C:\Windows\wxr95.ini file instead of in your registry file!. 
 
THE ESSAY
 
Run the proggy - select Help - Registration ... we'll use the following entry as example :
 
First,LastName : widYa@cL 2011 The cRuSadER
Company Name : worLd cRaCkinG linK
Address Line #1 : Cracker Galaxy
Address Line #2 : nO wheRe
Serial Number : 0101010
Password : showmeplease
 
...push [OK]....a window pop up says "Wrong password, Please re-enter Information." ...as u wish sir.... time to crack .. fire up W32dasm 'n disassemble wxi95.exe ...wait....done... click REFS - STRING DATA REFERENCE, look down for ur message , double click on it ...we land here :
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
:004061D0(U) 
 
:004061D7  85C0 test eax, eax       ; Crackers Gate
:004061D9 0F84CF000000 je 004062AE       ; if equal then jump to "good cracker"
...
* Possible StringData Ref from Data Obj ->"Wrong Password"
:00406277 6894A64000 push 0040A694
* Possible StringData Ref from Data Obj ->"Wrong password, Please re-enter " 
                                                                     ->"Information."
 
.. scroll up a little bit ...
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
:004061BA(C) 
 
:004061CE 33C0 xor eax, eax
:004061D0 EB05 jmp 004061D7
 
.. hmm .. not interesting ...scroll up a little bit ....we're here....
 
* Reference To: MSVCRT40.sprintf, Ord:043Fh
 
:0040619D FF15247B6D00 Call dword ptr [006D7B24]
:004061A3 83C40C add esp, 0000000C
:004061A6 8D85CCFEFFFF lea eax, dword ptr [ebp+FFFFFECC]  ; we're gonna set breakpoint at here 
:004061AC 8D8DCCFDFFFF lea ecx, dword ptr [ebp+FFFFFDCC]
 
* Referenced by a (U)nconditional or (C)onditional Jump at Address: 
:004061CC(C) 
 
:004061B2 8A10 mov dl, byte ptr [eax]  ; copy data to dl  from memory location pointed by EAX
:004061B4 3A11 cmp dl, byte ptr [ecx]   ; compare it to data pointed by ECX
:004061B6 751A jne 004061D2 
:004061B8 0AD2 or dl, dl
:004061BA 7412 je 004061CE
:004061BC 8A5001 mov dl, byte ptr [eax+01]
:004061BF 3A5101 cmp dl, byte ptr [ecx+01]
:004061C2 750E jne 004061D2
:004061C4 83C002 add eax, 00000002
:004061C7  83C102 add ecx, 00000002
:004061CA 0AD2 or dl, dl
:004061CC 75E4 jne 004061B2
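
What the loop at 004061B2-004061CC does, written out in C as an added example that is not part of the original tutorial: it is a plain string equality test that checks two bytes per pass, the usual shape of a compiler-inlined strcmp. The function name compare_buffers and the sample strings are hypothetical; the code at 004061D2 is not shown on the page, so the nonzero return on a mismatch is an assumption.

```c
#include <stdio.h>

/*
 * C reading of the loop at 004061B2-004061CC in the listing above.
 * The parameters are named after the registers: eax and ecx each point
 * to a NUL-terminated buffer (the two lea targets at 004061A6 and
 * 004061AC). Returns 0 when both strings are equal, which is what the
 * later "test eax, eax / je" checks for. The instructions at 004061D2
 * are not on the page; returning 1 there is an assumption.
 */
int compare_buffers(const char *eax, const char *ecx)
{
    unsigned char dl;

    for (;;) {
        dl = (unsigned char)eax[0];          /* 004061B2 mov dl, [eax]        */
        if (dl != (unsigned char)ecx[0])     /* 004061B4 cmp dl, [ecx]        */
            return 1;                        /* 004061B6 jne 004061D2         */
        if (dl == 0)                         /* 004061B8 or dl, dl            */
            return 0;                        /* 004061BA je 004061CE          */

        dl = (unsigned char)eax[1];          /* 004061BC mov dl, [eax+01]     */
        if (dl != (unsigned char)ecx[1])     /* 004061BF cmp dl, [ecx+01]     */
            return 1;                        /* 004061C2 jne 004061D2         */
        eax += 2;                            /* 004061C4 add eax, 2           */
        ecx += 2;                            /* 004061C7 add ecx, 2           */
        if (dl == 0)                         /* 004061CA or dl, dl            */
            return 0;                        /* falls into 004061CE xor eax, eax */
    }                                        /* 004061CC jne 004061B2         */
}

int main(void)
{
    /* Constructed sample strings, chosen to hit every exit of the loop. */
    static const char *pairs[][2] = {
        { "",     ""     },   /* terminator on the first byte        */
        { "ABC",  "ABC"  },   /* odd length: ends on the second byte */
        { "ABCD", "ABCD" },   /* even length: ends on the first byte */
        { "AB",   "ABC"  },   /* one string is a prefix of the other */
        { "ABCD", "ABCE" },   /* mismatch on a second byte           */
    };
    size_t i;

    for (i = 0; i < sizeof pairs / sizeof pairs[0]; i++)
        printf("\"%s\" vs \"%s\" -> %d\n", pairs[i][0], pairs[i][1],
               compare_buffers(pairs[i][0], pairs[i][1]));
    return 0;
}
```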
 
now enter the registration again ... fill out the entries... DO NOT push [ OK ]  yet.....press [CTRL+D] to get into softice.... set some breakpoints ...
 
BPX GetWindowTextA [Enter] 
BPX GetDlgItemTextA [Enter] 
BPX MessageBoxA [Enter] 
X [Enter] 
 
... Push [OK] ... *BOOM* ...Break due to BPX USER32!GetWindowTextA  ... now press F12 2X ...aah... we're in wxi95 code ...now we can set breakpoint at 4061A6 :
 
BC* [ENTER]
BPX 4061A6 [ENTER]
X [ENTER]
 
*.......* ... we're here ..
 
:004061A6 8D85CCFEFFFF lea eax, [ebp+FFFFFECC]  ; D EAX ..u see .. f413c2da
:004061AC 8D8DCCFDFFFF lea ecx, [ebp+FFFFFDCC]  ; D ECX ..u see .. showmeplease
 
.. hey .. are u sayin' somethin' ...?!... yeah .. i can crack a hundreds softwarez with thiz methods ...
 
FINAL NOTES
 
... phew ..   &*#! ....that was all 4 now guys ...   well .. i hope there's somethin' u can learned from thiz tuts ... whattt  ...r u sayin' somethin' ....!?....   please let me know  your comments/suggestions/critics ... i'll be waitin' 4 your mail ...c u guys ...
 
Greetz flies to  : (no particular order)
SandMan,CrackZ,tKC/All PC members, tHATDUDE, UCF, Torn@do, The Immortal Descendants, +ORC, MiB , Iczelion, GCG, ED!SON, Razzia, +Xoanon, iCECREAM, FraVia, Lord Caligo, Buckaroo Banzai, +gthorne , Mexelite , Corn2, Vizion, Manson69, nIabI, Cyborg, ^pain^, intruder, Yaan, Laxity, JoGy, nIabI [C4N/ME], MR NICK, NaTzGUL [REVOLT], Qapla', The _RudeBoy_ , BigMoM, Aphex Twin [Vandals], vûltû_ë, eXact, YOSHi, Volatility, ZeroDay, Aescu, _CbD_, Gavin Estey, DR. Encryption, Joshua Auerbach, Klee8084, masta_, Chuck Nelson, _HaK_, Nemrod and ReN, R. DeYoung, Hugo Perez, lownoise, Hayras, YOU .....
 
NO BYTES WERE HARMED IN THIS TUTORIAL
 


 
  

 Essay by:         widYa-cL 2011
Page Created: 17th February 1999