tKC Cracking Tutorial (Lesson 1)

Because of the many requests, I've decided to write this tutorial on how to crack
Windows programs, but this time I'll teach you how to use W32Dasm. I won't go
into more detail on how to crack in general, but it should help you master the
cracking skills.

W32Dasm WON'T give you the serials or codes; it'll show you where and how to
patch so that you can enter any serial. That's what I do every time I crack a
program, and this tutorial shows you how I did it, step by step.

Sorry for my grammatical errors, I hope you'll understand this piece! :-)

TOOLS:

You need the following tools (I use these, and I assume you'll use them too):
W32Dasm 8.5 or a higher version
Hacker's View (HIEW) 5.24
Norton Commander or Windows Commander (I'll explain later why I use this one)

Turbo Pascal 7.0
TASM and TLINK 3.0

Ask any cracker to get you these tools, they'll be happy to serve you! :-)

CONTENTS:

1) How to crack Quick View Plus 4.0
2) How to crack HEX WorkShop 2.51

3) How to make your own patchers


PART 1: Quick View Plus 4.0

Step 1. Run ORDER32.EXE
Step 2. Click on $49 Single User License (you can click on $59 as well), then
        ACCEPT, then UNLOCK BY PHONE.
Step 3. Enter any code to get the error message (write this message down) and
        exit the program by clicking CANCEL.
Step 4. Run Norton Commander, go to the QVP directory.
Step 5. Copy ORDER32.EXE to ORDER32.EXX (as a backup) and copy ORDER32.EXE to
        1.EXE (for W32Dasm to work on).

Step 6. Run W32Dasm and disassemble 1.EXE.
Step 7. Once it's disassembled, click STRING DATA REFERENCES, scroll down to the
        string "You have entered an incorrect code. Please check your entry"
        (the error message you wrote down) and double-click on it.
Step 8. Close the SDR window; you should see the line:

        * Possible reference to String Resource ID=00041: "You have entered...
        :004049F8 6A29             push 00000029
        :004049FA FF353CCE4000     push dword ptr [0040CE3C]

Step 9. Now you must look for the last comparison or conditional jump (CMP, JNE,
        JE, TEST, etc.) before the error string. Press the UP arrow key till
        you find:

        :004049CD 755A             jne 00404A29
        * Possible reference to String Resource ID=00032: "You must select...
        :004049CF 6A20             push 00000020
        ...
        ...
        * Possible reference to String Resource ID=00040: "Unlock Error"

Step 10. Now you know where it jumps when you've entered the wrong code.

         Next you want to see if it works when you replace "jne" with "je".
         Make sure the green bar is on :004049CD 755A jne 00404A29; at the
         bottom of the screen you should see the file offset, @Offset 00003DCDh.
         That's the file offset of the same bytes, i.e. where you patch them in
         ORDER32.EXE (the :004049CD is the address in memory, not in the file).

Step 11. Go back to Norton Commander, run HIEW ORDER32.EXE, press F4 to select
         Decode mode (ASM), press F5 and enter 3DCD. You should see something like:

         00003DCD: 755A                    jne 000003E29

         00003DCF: 6A20                    push 020
         00003DD1: FF15                    call w,[di]

Step 12. That's where you change the bytes: press F3, enter 74 over the 75 (only
         the opcode byte changes, the 5A displacement stays), then press F9 to
         write the change to ORDER32.EXE. Exit HIEW.

Step 13. Run ORDER32.EXE, enter any code. Voila! You've cracked QVP 4.0!
         Beware! What if you enter the real serial? Since you inverted the
         check, the real one now jumps to the error dialog! What now?

Step 14. Run HIEW ORDER32.EXE again, press F4, select Decode, press F5 and
         enter 3DCD. Press F3, enter EB, press F9. Now the jump is unconditional
         and it goes straight to the Unlocked dialog whatever you enter.
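How W32Dasm gets from the code address :004049CD to the file offset
@Offset 00003DCDh is plain PE arithmetic: subtract the image base to get an RVA,
find the section that contains it, and replace the section's VirtualAddress
with its PointerToRawData. The Python below is an added example (mine, not part
of the tutorial or of W32Dasm/HIEW). The PE it builds is a constructed
header-only file with the usual linker defaults (.text at RVA 1000h, raw data at
400h, image base 400000h); that layout is an assumption, not read from QVP or
HEX Workshop, it just happens to reproduce the three @Offset values quoted in
this tutorial.

```python
import struct


def parse_pe_sections(data: bytes):
    """Return (image_base, sections) from the headers of a PE file.

    Each section is (name, virtual_address, virtual_size, raw_pointer, raw_size):
    exactly the fields a disassembler needs to turn an address into a file offset.
    """
    if data[:2] != b"MZ":
        raise ValueError("no MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    coff = e_lfanew + 4
    (num_sections,) = struct.unpack_from("<H", data, coff + 2)
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic == 0x10B:                      # PE32: 32-bit ImageBase at +28
        (image_base,) = struct.unpack_from("<I", data, opt + 28)
    elif magic == 0x20B:                    # PE32+: 64-bit ImageBase at +24
        (image_base,) = struct.unpack_from("<Q", data, opt + 24)
    else:
        raise ValueError("unknown optional header magic %#x" % magic)
    sections = []
    for i in range(num_sections):
        name, vsize, va, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", data, opt + opt_size + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"),
                         va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(va: int, image_base: int, sections) -> int:
    """Translate a virtual address into the file offset holding those bytes."""
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:           # e.g. uninitialised data: nothing to patch
                raise ValueError("%#x lies in %s but is not backed by file data" % (va, name))
            return raw_ptr + delta
    raise ValueError("%#x is not inside any section" % va)


def build_sample_pe() -> bytes:
    """CONSTRUCTED header-only PE with an assumed, linker-default section layout."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 2, 0, 0, 0, 224, 0x102)  # i386, 2 sections
    opt = struct.pack("<H", 0x10B) + b"\0" * 26 + struct.pack("<I", 0x400000)
    opt += b"\0" * (224 - len(opt))

    def sec(name, vsize, va, raw_size, raw_ptr):
        return struct.pack("<8sIIII", name, vsize, va, raw_size, raw_ptr) + b"\0" * 16

    secs = (sec(b".text", 0x40000, 0x1000, 0x40000, 0x400)
            + sec(b".data", 0x2000, 0x41000, 0x1000, 0x40400))
    return dos + b"PE\0\0" + coff + opt + secs


def offsets_for(vas):
    """Map each code address to its file offset inside the sample PE."""
    base, sections = parse_pe_sections(build_sample_pe())
    return {va: va_to_file_offset(va, base, sections) for va in vas}


if __name__ == "__main__":
    for va, off in offsets_for([0x4049CD, 0x41E149, 0x4309F3]).items():
        print(":%08X -> @Offset %08Xh" % (va, off))
```

Point parse_pe_sections at the real file's bytes and you get the same numbers
W32Dasm prints at the bottom of the screen; if the address falls in a section
with no raw data, there is nothing on disk to patch and the function says so.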


PART 2: HEX WorkShop 2.51

Step 1. Run HWORKS32.EXE
Step 2. Click on Help, About HEX Wo..
Step 3. Enter any code to get the error message (write this message down) and
        exit the program.
Step 4. Run Norton Commander, go to the HWS directory.
Step 5. Copy HWORKS32.EXE to HWORKS32.EXX (as a backup) and copy HWORKS32.EXE to
        1.EXE (for W32Dasm to work on).

Step 6. Run W32Dasm and disassemble 1.EXE.
Step 7. Once it's disassembled, click FIND TEXT, enter "You have entered an"
        (the error message you wrote down) and find it. (You won't find it in
        the SDR window, because it's the text of a dialog resource, not a
        string.)
Step 8. You should now see the lines:

        Name: DialogID_0075, # of Controls=003, Caption:"Registration Unsucce..
        001-ControlID:FFFF, Control Class:""Control Text:"You have entered an..
        002-ControlID:FFFF, Control Class:""Control Text:"Please confirm you..

Step 9. Now you know which dialog ID the program uses when you enter a wrong
        code. Click FIND TEXT, enter "dialogid_0075" and search till you find:

        * Possible reference to DialogID_0075
        :0041E233 6A75             push 00000075
        :0041E235 8D8D10FFFFFF     lea ecx, dword ptr [ebp+FF10]

Step 10. Now you must look for the last comparison or conditional jump (CMP,
         JNE, JE, etc.) before the error dialog. Press the UP arrow key till
         you find:

         :0041E145 837DEC00         cmp dword ptr [ebp-14], 00000000

         :0041E149 0F8479000000     je 0041E1C8
         :0041E14F 8B8DFCFEFFFF     mov ecx, dword ptr [ebp+FEFC]

Step 11. Now you want to see if it works when you replace "je" with "jne".
         Make sure the green bar is on :0041E149 0F8479000000 je 0041E1C8; at
         the bottom of the screen you should see the file offset, @Offset
         0001D549h. That's where you patch it in HWORKS32.EXE.

Step 12. Go back to Norton Commander, run HIEW HWORKS32.EXE, press F4 to select
         Decode mode (ASM), press F5 and enter 1D549. You should see something
         like:

         0001D549: 0F847900               je     00001D5C6   ---------- (1)
         0001D54D: 0000                   add    [bx][si],al
         0001D54F: 8B8DFCFE               mov    cx,[di][0FEFC]

         (HIEW 5.24 decodes in 16-bit mode here, so the six-byte 32-bit "je"
         shows up as a four-byte "je" followed by a bogus "add". Don't let that
         confuse you: the bytes 0F 84 79 00 00 00 are what matter.)

Step 13. That's where you change the bytes: press F3, enter 0F85 over the 0F84
         (the four displacement bytes stay as they are), then press F9 to write
         the change to HWORKS32.EXE. Exit HIEW.

Step 14. Run HWORKS32.EXE and enter any code. Does it work? NO?!?

         Hehe, don't worry. The dialog is referenced from more than one place,
         and the "je" you patched isn't the one this check uses. Go back to NC
         and copy HWORKS32.EXX to HWORKS32.EXE to undo the patch (now you see
         why I keep an EXX file as a backup). Then go back to W32Dasm; you
         should still be where you were (at 0041E145).

Step 15. Press F3 to search again for "dialogid_0075"; you should find:

         * Possible reference to DialogID_0075
         :00430ADD 6A75             push 00000075
         :00430ADF 8D8D10FFFFFF     lea ecx, dword ptr [ebp+FF10]

Step 16. Again, look for the last comparison or conditional jump (CMP, JNE, JE,
         etc.) before the error dialog. Press the UP arrow key till you find:

         :004309EF 837DEC00         cmp dword ptr [ebp-14], 00000000
         :004309F3 0F8479000000     je 00430A72
         :004309F9 8B8DFCFEFFFF     mov ecx, dword ptr [ebp+FEFC]

Step 17. Now you want to see if it works when you replace this "je" with "jne"
         (it should). Move the bar to :004309F3 0F8479000000 je 00430A72. At
         the bottom of the screen you should see the file offset, @Offset
         0002FDF3h. That's where you patch it in HWORKS32.EXE.

Step 18. Go back to Norton Commander, run HIEW HWORKS32.EXE, press F4 to select
         Decode mode (ASM), press F5 and enter 2FDF3. You should see something
         like (same 16-bit decode quirk as before):

         0002FDF3: 0F847900               je     00002FE70   ---------- (1)
         0002FDF7: 0000                   add    [bx][si],al
         0002FDF9: 8B8DFCFE               mov    cx,[di][0FEFC]

Step 19. That's where you change the bytes: press F3, enter 0F85, then press F9
         to write the change to HWORKS32.EXE. Exit HIEW.

Step 20. Run HWORKS32.EXE again and enter any code. Does it work? Voila!!
         Congratulations! You've cracked HEX WorkShop 2.51!

PART 3: Patchers

Here's the source code in Pascal (Turbo Pascal 7.0). Both places you have to
edit for another program are marked: the patch table and the file name.

-------------------------------------------------------------------
Program TKCPatch;

 Const Patches: Array[1..1] of Record {<-------- 1 byte to be patched, one entry per byte }
                                Offset : Longint; { file offset (the @Offset W32Dasm shows) }
                                Value  : Byte;    { byte to write there }
                               End =
   ((Offset:$3DCD; Value:$EB)); {<------------- offset "3DCD" and byte "EB" to be written }

 Var I : Byte;
     F : File;   { untyped file, opened with 1-byte records }
     B : Byte;

 Begin
  Writeln('TKC''s Little Patch'); Writeln('Crack for QVP 4.0 by TKC/PC ''97');
  Assign(F,'ORDER32.EXE'); {<-------------- filename to be patched }
  {$I-} Reset(F,1); {$I+}   { record size 1 so Seek works in bytes }
  If IOResult <> 0 then
     begin
     Writeln('File not found!');
     Halt(1);
     end;
  For I:=1 to High(Patches) do { one Seek+BlockWrite per table entry }
   Begin
    Seek(F,Patches[I].Offset);
    B:=Patches[I].Value;
    BlockWrite(F,B,1);         { overwrite exactly one byte }
   End;
  Close(F);                    { flush the write and release the file }
  Writeln('File successfully patched!');
 End.
-------------------------------------------------------------------

Here's the source code in Assembler (TASM/TLINK). The data lives in the code
segment, which is why DS is loaded from CS once at the start. Note that DOS
reports a failed open by setting the carry flag, so the check is "jc", not a
compare of AX against 2.

-------------------------------------------------------------------
DOSSEG
.MODEL SMALL
.STACK 500h
.DATA
.CODE
handle   dw ?
intro    db "TKC's Little Patch",0dh,0ah,"Crack for QVP 4.0 by TKC/PC '97$"
FileName db "ORDER32.EXE",0         ;<------- filename to be patched
notfound db 0dh,0ah,"File not found!$"
cracked  db 0dh,0ah,"File successfully patched. Enjoy!$"
Cant     db 0dh,0ah,"Can't write to file.$"
PatchOfs EQU 3DCDh                  ;<------- offset "3DCD" (low word; high word is 0)
PatchB   db 0EBh                    ;<------- byte "EB" to be written
PatchL   EQU 1                      ; number of bytes in PatchB

START:
mov     ax,cs                       ; data sits in the code segment, so DS = CS
mov     ds,ax
mov     dx,offset intro
mov     ah,9                        ; DOS: print string
int     21h

mov     ax,3d02h                    ; DOS: open file, read/write access
mov     dx,offset FileName
int     21h
jc      filedontexist               ; CF set = open failed (AX holds the error code)
mov     handle,ax

mov     bx,handle
mov     cx,0000h                    ; CX:DX = absolute file offset
mov     dx,PatchOfs
mov     ax,4200h                    ; DOS: lseek from the start of the file
int     21h

mov     cx,PatchL                   ; bytes to write
mov     dx,offset PatchB
mov     ah,40h                      ; DOS: write to handle
int     21h
jc      cantwrite                   ; CF set = write failed
cmp     ax,PatchL                   ; fewer bytes written than asked = failed too
jne     cantwrite
mov     dx,offset cracked
mov     ah,9
int     21h
jmp     closefile

cantwrite:
mov     dx,offset Cant
mov     ah,9
int     21h

closefile:
mov     bx,handle
mov     ah,3eh                      ; DOS: close handle
int     21h
jmp     exit

filedontexist:
mov     dx,offset notfound
mov     ah,9
int     21h

exit:
mov     ax,4c00h                    ; DOS: terminate program
int     21h
END START
-------------------------------------------------------------------
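The same patcher idea in Python, as an added example of my own (not part of the
tutorial or of either program). It generalises the two patchers above in the
two ways that save you from the "copy the EXX back" dance of Part 2: it checks
that the bytes at the offset are the ones W32Dasm/HIEW showed before it writes
anything (so a different build, or an already patched file, is refused instead
of corrupted) and it keeps the first .EXX backup untouched. The ORDER32.EXE
entry mirrors the tutorial (75 5A -> EB 5A at 3DCDh); the file name and the
patch table are the only things you edit for another program.

```python
import shutil
from pathlib import Path

# (file offset, bytes expected there now, bytes to write): one entry per patch.
# The expected bytes are what the disassembler displayed at that offset.
PATCHES = {
    "ORDER32.EXE": [(0x3DCD, b"\x75\x5A", b"\xEB\x5A")],
}


def patch_bytes(data: bytes, patches) -> bytes:
    """Return a copy of data with every patch applied, verifying the originals first."""
    buf = bytearray(data)
    for offset, expected, new in patches:
        if len(expected) != len(new):
            raise ValueError("patch at %#x changes the instruction length" % offset)
        have = bytes(buf[offset:offset + len(expected)])
        if have != expected:
            raise ValueError("at %#x expected %s, found %s: wrong version or already patched"
                             % (offset, expected.hex(), have.hex()))
        buf[offset:offset + len(new)] = new
    return bytes(buf)


def patch_file(path, patches, backup_suffix=".EXX") -> int:
    """Verify, back up to NAME.EXX (once), then overwrite. Returns patches applied."""
    path = Path(path)
    if not path.is_file():
        raise FileNotFoundError("File not found: %s" % path)
    original = path.read_bytes()
    patched = patch_bytes(original, patches)   # raises before anything is touched
    backup = path.with_suffix(backup_suffix)
    if not backup.exists():                    # never clobber the pristine copy
        shutil.copy2(path, backup)
    path.write_bytes(patched)
    return len(patches)


def restore_file(path, backup_suffix=".EXX") -> None:
    """Copy the .EXX back over the program (the Part 2 lesson, without NC)."""
    path = Path(path)
    shutil.copy2(path.with_suffix(backup_suffix), path)


if __name__ == "__main__":
    for name, plist in PATCHES.items():
        try:
            print("%s: %d patch(es) applied" % (name, patch_file(name, plist)))
        except (OSError, ValueError) as err:
            print("%s: %s" % (name, err))
```

Running it a second time on the same file fails the expected-bytes check and
does nothing, which is the behaviour you want from a patcher you hand out.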

LAST WORDS:

Here are the instructions we use most for cracking, with both encodings of each
conditional jump (the short 7x form and the near 0F 8x form):

Hex:          Asm:      Means
75 or 0F85    jne       jump if not equal
74 or 0F84    je        jump if equal
EB            jmp       jump directly to (short, 1-byte displacement)
E9            jmp       jump directly to (near, 4-byte displacement)
90            nop       no operation
77 or 0F87    ja        jump if above
76 or 0F86    jna       jump if not above
73 or 0F83    jae       jump if above or equal
72 or 0F82    jnae      jump if not above or equal
72 or 0F82    jb        jump if below
73 or 0F83    jnb       jump if not below
76 or 0F86    jbe       jump if below or equal
77 or 0F87    jnbe      jump if not below or equal
7F or 0F8F    jg        jump if greater
7E or 0F8E    jng       jump if not greater
7D or 0F8D    jge       jump if greater or equal
7C or 0F8C    jnge      jump if not greater or equal
7C or 0F8C    jl        jump if less
7D or 0F8D    jnl       jump if not less
7E or 0F8E    jle       jump if less or equal
7F or 0F8F    jnle      jump if not less or equal

Two things to keep in mind when you patch these. First, a short jump is 2 bytes
(opcode + 1-byte displacement) and a near jump is 6 bytes (0F 8x + 4-byte
displacement), so always keep the instruction the same length or everything
after it shifts: replace only the opcode byte(s) and leave the displacement
alone. That's why 75 becomes 74 or EB, and 0F84 becomes 0F85. Second, to make a
6-byte 0F 8x jump unconditional, EB won't do (it only takes a 1-byte
displacement); use E9 with the displacement increased by one (E9 is 5 bytes
long, so the jump now ends one byte earlier) and fill the sixth byte with 90.
Notice also that every pair in the table differs only in the lowest bit of the
opcode (74/75, 7C/7D, 0F8E/0F8F): inverting a condition is flipping that bit.
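The table in code form, as an added example (mine, not part of the tutorial):
it decodes a jump's target the way W32Dasm and HIEW print it, inverts the
condition by flipping the low opcode bit, forces it to "always jump" or "never
jump" without changing the instruction length, and handles the 6-byte 0F 8x case
with the E9-plus-NOP trick described above. The sample bytes are the two jumps
quoted in this tutorial (755A at :004049CD and 0F8479000000 at :0041E149).

```python
SHORT_JCC = range(0x70, 0x80)      # 7x rel8    (2 bytes)
NEAR_JCC_2ND = range(0x80, 0x90)   # 0F 8x rel32 (6 bytes)


def _is_short_jcc(code: bytes) -> bool:
    return len(code) >= 2 and code[0] in SHORT_JCC


def _is_near_jcc(code: bytes) -> bool:
    return len(code) >= 6 and code[0] == 0x0F and code[1] in NEAR_JCC_2ND


def jump_target(addr: int, code: bytes):
    """Return (length, target) for the jump at address addr, as a disassembler shows it.

    The displacement is signed and relative to the END of the instruction.
    """
    op = code[0]
    if op in SHORT_JCC or op == 0xEB:
        rel = int.from_bytes(code[1:2], "little", signed=True)
        return 2, (addr + 2 + rel) & 0xFFFFFFFF
    if op == 0xE9:
        rel = int.from_bytes(code[1:5], "little", signed=True)
        return 5, (addr + 5 + rel) & 0xFFFFFFFF
    if _is_near_jcc(code):
        rel = int.from_bytes(code[2:6], "little", signed=True)
        return 6, (addr + 6 + rel) & 0xFFFFFFFF
    raise ValueError("not a jump: " + code.hex())


def invert(code: bytes) -> bytes:
    """je <-> jne, ja <-> jna, ...: flip the low bit of the condition, keep the displacement."""
    if _is_short_jcc(code):
        return bytes([code[0] ^ 1]) + code[1:2]
    if _is_near_jcc(code):
        return b"\x0F" + bytes([code[1] ^ 1]) + code[2:6]
    raise ValueError("not a conditional jump: " + code.hex())


def always(code: bytes) -> bytes:
    """Unconditional jump to the same target, same length, so nothing after it moves."""
    if _is_short_jcc(code):
        return b"\xEB" + code[1:2]
    if _is_near_jcc(code):
        rel = int.from_bytes(code[2:6], "little", signed=True)
        # E9 rel32 is 5 bytes where the Jcc was 6: same start and same target
        # means rel + 1, and a NOP fills the sixth byte.
        return b"\xE9" + (rel + 1).to_bytes(4, "little", signed=True) + b"\x90"
    raise ValueError("not a conditional jump: " + code.hex())


def never(code: bytes) -> bytes:
    """Always fall through: the whole jump becomes NOPs of the same length."""
    length, _ = jump_target(0, code)
    return b"\x90" * length


if __name__ == "__main__":
    for addr, hexbytes in ((0x4049CD, "755A"), (0x41E149, "0F8479000000")):
        code = bytes.fromhex(hexbytes)
        length, target = jump_target(addr, code)
        print(":%08X %-12s -> %08X  invert=%s always=%s never=%s" % (
            addr, hexbytes, target, invert(code).hex().upper(),
            always(code).hex().upper(), never(code).hex().upper()))
```

Feed the output of always() or invert() to a patcher and the displacement is
taken care of; jump_target() on the result is a cheap check that the target is
still the one you meant before you write a single byte.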

A little knowledge of assembly helps you a bit here, but you'll need it badly
for Soft-ICE. Anyway, with W32Dasm you should be able to crack programs like
these like a maniac :-) You CAN'T disassemble Visual Basic programs this way;
for those you need a VB decompiler, and those work like shit.

That's enough for now. Next time I'll tell you more about using W32Dasm
(Debugger Mode) and how to remove NAGs. After that, I'll write a tutorial for
Soft-ICE 3.0. (Make my day!) :-)

Have fun,
The Keyboard Caper,
The Founder of PhRoZeN CReW '94 - '97

19-7-1997