tKC Cracking Tutorial (Lesson 4)

Hi ya dudes!

Long time no tutor, 4 months! Phew, but as you can see I'm back on the
cracking scene (yea I'm back in PC, aren't you happy? :-)) Ok, let's rock, in
this tutor I'll teach you how to remove timeout limits and how to enable
crippled features in some apps (and how to register your babe :-))

(No SoftIce, still my little ol' laptop :-)) In the next tutor #5 we'll talk
about IDA (Interactive Disassembler, it r0x!!)

Sorry for my grammatical errors, I hope you'll understand this piece! :-)

Ok, let's go!

TOOLS:

For tools you need the following (I use these tools, I assume you'll use 'em):

W32Dasm 8.9 or higher (use FTP search: W32DSM89.ZIP)
Hacker's View 5.66 (E-mail: sen@suslikov.kemerovo.su)
FAR 1.50b (ftp://ftp.elf.stuba.sk/pub/pc/utilfile/far140b.exe) It's real nice!
or use Windows Commander 3.50 ßeta 5 instead of FAR (http://www.ghisler.com)

Ask any cracker to get you these tools, they'll be happy to serve you! :-)

CONTENTS:

1) a. How to crack Date Expiration in System Cleaner 1.21 (with W32Dasm)
      URL: http://infortech.reedcs.com
   b. How to bypass NAG about Invalid Date in System Cleaner 1.21 (w/W32Dasm)
      URL: http://infortech.reedcs.com
2) How to enable crippled features in Macro Scheduler 4.3.11 (with W32Dasm)
      URL: http://www.mjtnet.com
3) How to crack TrayCal 1.0 (to enter any codes)
      URL: http://www.spaeder.com
4) Why I copy *.EXE to *.W32 files
5) ASM Source Code for a Patcher by Nop/PC '97

PART 1a: To crack Date Expiration in System Cleaner 1.21 (with W32Dasm)

Step 1. Run SystemCleaner.EXE

Step 2. You'll see the error message which says that it has expired. (You
        should write down this message) and exit the program.

Step 3. Ok, exit the program.

Step 4. Run WC, go to System Cleaner directory.

Step 5. Copy SystemCleaner.EXE to SystemCleaner.EXX (for backup) and copy
        SystemCleaner.EXE to SystemCleaner.W32 (for use by W32Dasm)

Step 6. Run W32Dasm and disassemble SystemCleaner.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the
        string "The trial period has ended. Please..".
        (You should remember that error message), double click on it.

Step 8. Close SDR window, you should see the line:

  :00464BB6 668B0DE44B4600          mov cx, word ptr [00464BE4]
  :00464BBD B202                    mov dl, 02

  * Possible StringData Ref from Code Obj ->"The trial period has ended. Please "
                                          ->"register this software!"

Step 9. Ok, press UP arrow key till you see:

  :00464BA8 53                      push ebx
  :00464BA9 8BD8                    mov ebx, eax
  :00464BAB 80BB0C01000000          cmp byte ptr [ebx+0000010C], 00
  :00464BB2 741C                    je 00464BD0
  :00464BB4 6A00                    push 00000000

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00464B4F(C)

Step 10. Look above at the Referenced Jump at 00464B4F(C), press PgUp key 2 or 3
         times till you see:
  :00464B4F 7065                    jo 00464BB6

         And look below till you see:
  :00464B54 64                      BYTE 064h

         If you see the string "BYTE xxxh", ignore it!! It's not a real jump,
         it's only string data, so go back to address 00464BA8. Now you'll find
         a comparison; look at 464BB2, it's where it will jump to when it has
         expired. Let's try.
         Make sure the green color bar is on 00464BB2 741C         je 00464BD0
         and you should see the Offset address below on the screen, like @Offset
         00063FB2h. It's where you can patch it in SystemCleaner.EXE.

Step 11. Go back to WC, run HIEW SYSTEM~1.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 63FB2. You should see like:

  .00064BB2: 741C                         je    .000064BD0   ---------- (1)
  .00064BB4: 6A00                         push   000
  .00064BB6: 668B0DE44B4600               mov    cx,[000464BE4]

Step 12. That's where you can change the bytes, press F3, enter EB, press F9
         to update SYSTEM~1.EXE. Exit HIEW.

Step 13. Run SystemCleaner.EXE, does it expire? Voila! You've made it!!


PART 1b: To bypass NAG about Invalid Date in System Cleaner 1.21 (with W32Dasm)

(This is used only if you changed the date to 12/25/98 for example and changed
it back to 12/25/97, and you see a NAG which says "The system clock has been
moved back. Please reset system clock to correct blah blah")

Step 1. Run SystemCleaner.EXE

Step 2. You'll see the error message which says that your date is fucked up
        (you should write down this message) and exit the program.

Step 3. Ok, exit the program.

Step 4. Run WC, go to System Cleaner directory.

Step 5. Copy SystemCleaner.EXE to SystemCleaner.EXX (for backup) and copy
        SystemCleaner.EXE to SystemCleaner.W32 (for use by W32Dasm)

Step 6. Run W32Dasm and disassemble SystemCleaner.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the
        string "The system clock has been moved back".
        (You should remember that error message), double click on it.

Step 8. Close SDR window, you should see the line:

  :00464E56 668B0D884E4600          mov cx, word ptr [00464E88]
  :00464E5D B201                    mov dl, 01

  * Possible StringData Ref from Code Obj ->"The system clock has been moved "
                                          ->"back. Please reset system clock "
                                          ->"to correct time before re-running "

Step 9. Ok, press UP arrow key till you see:

  :00464E48 53                      push ebx
  :00464E49 8BD8                    mov ebx, eax
  :00464E4B 80BB0C01000000          cmp byte ptr [ebx+0000010C], 00
  :00464E52 7421                    je 00464E75
  :00464E54 6A00                    push 00000000
  :00464E56 668B0D884E4600          mov cx, word ptr [00464E88]

Step 10. Look at 00464E52, it's where it will jump to when the date check fails.
         Let's see. Make sure the green color bar is on 00464E52 7421   je 00464E75
         and you should see the Offset address below on the screen, like @Offset
         00064252h. It's where you can patch it in SystemCleaner.EXE.

Step 11. Go back to WC, run HIEW SYSTEM~1.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 64252. You should see like:

  .00064E52: 7421                         je    .000064E75   ---------- (1)
  .00064E54: 6A00                         push   000
  .00064E56: 668B0D884E4600               mov    cx,[000464E88]

Step 12. That's where you can change the bytes, press F3, enter EB, press F9
         to update SYSTEM~1.EXE. Exit HIEW.

Step 13. Run SystemCleaner.EXE, does it complain? Voila! You've made it!!


PART 2: To enable crippled features in Macro Scheduler 4.3.11 (with W32Dasm)

Step 1. Run MSCHED.EXE

Step 2. Try to add more macros and it'll say that it is limited to 2 macros.
        Write down this message and exit the program.

Step 3. Run WC, go to MSCHED directory.

Step 4. Copy MSCHED.EXE to MSCHED.EXX (for backup) and copy MSCHED.EXE to
        MSCHED.W32 (for use by W32Dasm)

Step 5. Run W32Dasm and disassemble MSCHED.W32.

Step 6. Once it's disassembled, click STRING DATA REFERENCE, look down for the
        string "Unregistered copies of MS are limited to..".
        (You should remember that error message), double click on it.

Step 7. Close SDR window, you should see the line:

  * Possible StringData Ref from Code Obj ->"Unregistered copies of Macro.."
                                          ->"have a limit of 20 lines per.."

  :00448AED B860954400              mov eax, 00449560

Step 8. Ok, press UP arrow key till you see:

  :00448ACA 7530                    jne 00448AFC
  :00448ACC 8B8370020000            mov eax, dword ptr [ebx+00000270]
  :00448AD2 8B80FC000000            mov eax, dword ptr [eax+000000FC]
  :00448AD8 8B10                    mov edx, dword ptr [eax]
  :00448ADA FF5210                  call [edx+10]
  :00448ADD 83F813                  cmp eax, 00000013
  :00448AE0 7E1A                    jle 00448AFC
  :00448AE2 6A00                    push 00000000

Step 9. Look at the 00448ACA and 00448AE0 addresses. That's where it will jump
        to when it complains. Let's find out.
        Make sure the green color bar is on 00448ACA 7530        jne 00448AFC
        and you should see the Offset address below on the screen, like @Offset
        00047ECAh. It's where you can patch it in MSCHED.EXE.

Step 10. Go back to WC, run HIEW MSCHED.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 47ECA. You should see like:

  .00048ACA: 7530                         jne   .000048AFC   ---------- (1)
  .00048ACC: 8B8370020000                 mov    eax,[ebx][000000270]
  .00048AD2: 8B80FC000000                 mov    eax,[eax][0000000FC]
  .00048AD8: 8B10                         mov    edx,[eax]
  .00048ADA: FF5210                       call   d,[edx][00010]
  .00048ADD: 83F813                       cmp    eax,013
  .00048AE0: 7E1A                         jle   .000048AFC   ---------- (2)

Step 11. That's where you can change the bytes, press F3, enter EB and go below
         till 7E1A (offset 47EE0), enter EB and press F9 to update MSCHED.EXE.
         Exit HIEW.

Step 12. It's not done yet! Open SDR window and double click on "Unregistered
         copies.." again.

Step 13. Close SDR window, you should see the line:

  * Possible StringData Ref from Code Obj ->"Unregistered copies of Macro.."
                                          ->"have a limit of 20 lines per.."

  :0044DB9E B86CDC4400              mov eax, 0044DC6C

Step 14. Ok, press UP arrow key till you see:

  :0044DB7D 752C                    jne 0044DBAB
  :0044DB7F 8B83D4090000            mov eax, dword ptr [ebx+000009D4]
  :0044DB85 8B80FC000000            mov eax, dword ptr [eax+000000FC]
  :0044DB8B 8B10                    mov edx, dword ptr [eax]
  :0044DB8D FF5210                  call [edx+10]
  :0044DB90 48                      dec eax
  :0044DB91 7E18                    jle 0044DBAB

Step 15. Look at the 0044DB7D and 0044DB91 addresses. That's where it will jump
         to when it complains. Let's find out.
         Make sure the green color bar is on 0044DB7D 752C        jne 0044DBAB
         and you should see the Offset address below on the screen, like @Offset
         0004CF7Dh. It's where you can patch it in MSCHED.EXE.

Step 16. Go back to WC, run HIEW MSCHED.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 4CF7D. You should see like:

  .0004DB7D: 752C                         jne   .00004DBAB   ---------- (1)
  .0004DB7F: 8B83D4090000                 mov    eax,[ebx][0000009D4]
  .0004DB85: 8B80FC000000                 mov    eax,[eax][0000000FC]
  .0004DB8B: 8B10                         mov    edx,[eax]
  .0004DB8D: FF5210                       call   d,[edx][00010]
  .0004DB90: 48                           dec    eax
  .0004DB91: 7E18                         jle   .00004DBAB   ---------- (2)

Step 17. That's where you can change the bytes, press F3, enter EB and go below
         till 7E18 (offset 4CF91), enter EB and press F9 to update MSCHED.EXE.
         Exit HIEW.

Step 18. Not done yet! Open SDR window and double click on "Unregistered
         copies.." again.

Step 19. Close SDR window, you should see the line:

  * Possible StringData Ref from Code Obj ->"Unregistered copies of Macro.."
                                          ->"have a limit of 20 lines per.."

  :00450D3F B8001D4500              mov eax, 00451D00

Step 20. Ok, press UP arrow key till you see:

  :00450D21 74CC                    je 00450CEF
  :00450D23 8BC7                    mov eax, edi
  :00450D25 E86635FBFF              call 00404290
  :00450D2A E8C919FBFF              call 004026F8
  :00450D2F 83FB14                  cmp ebx, 00000014
  :00450D32 7E1A                    jle 00450D4E

Step 21. Look at the 00450D32 address. It's where it will jump to when it
         complains again, let's find out.
         Make sure the green color bar is on 00450D32 7E1A        jle 00450D4E
         and you should see the Offset address below on the screen, like @Offset
         00050132h. It's where you can patch it in MSCHED.EXE.

Step 22. Go back to WC, run HIEW MSCHED.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 50132. You should see like:

  .00050D32: 7E1A                         jle   .000050D4E   ---------- (4)
  .00050D34: 6A00                         push   000
  .00050D36: 668B0DF41C4500               mov    cx,[000451CF4]

Step 23. That's where you can change the bytes, press F3, enter EB and press
         F9 to update MSCHED.EXE. Exit HIEW.

Step 24. It's not done yet! (one more :-)) Open SDR window and double click
         on "Unregistered copies.." again.

Step 25. Close SDR window, you should see the line:

  * Possible StringData Ref from Code Obj ->"Unregistered copies of Macro.."
                                          ->"have a limit of 20 lines per.."

  :00452D25 B8E82F4500              mov eax, 00452FE8

Step 26. Ok, press UP arrow key till you see:

  :00452D01 7531                    jne 00452D34
  :00452D03 8B45FC                  mov eax, dword ptr [ebp-04]
  :00452D06 8B80D4090000            mov eax, dword ptr [eax+000009D4]
  :00452D0C 8B80FC000000            mov eax, dword ptr [eax+000000FC]
  :00452D12 8B10                    mov edx, dword ptr [eax]
  :00452D14 FF5210                  call [edx+10]
  :00452D17 48                      dec eax
  :00452D18 7E1A                    jle 00452D34

Step 27. Look at the 00452D01 and 00452D18 addresses. That's where it will jump
         to when it complains. Let's find out.
         Make sure the green color bar is on 00452D01 7531        jne 00452D34
         and you should see the Offset address below on the screen, like @Offset
         00052101h. It's where you can patch it in MSCHED.EXE.

Step 28. Go back to WC, run HIEW MSCHED.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 52101. You should see like:

  .00052D01: 7531                         jne   .000052D34   ---------- (1)
  .00052D03: 8B45FC                       mov    eax,[ebp][-0004]
  .00052D06: 8B80D4090000                 mov    eax,[eax][0000009D4]
  .00052D0C: 8B80FC000000                 mov    eax,[eax][0000000FC]
  .00052D12: 8B10                         mov    edx,[eax]
  .00052D14: FF5210                       call   d,[edx][00010]
  .00052D17: 48                           dec    eax
  .00052D18: 7E1A                         jle   .000052D34   ---------- (2)

Step 29. That's where you can change the bytes, press F3, enter EB and go below
         till 7E1A (offset 52118), enter EB and press F9 to update MSCHED.EXE.
         Exit HIEW.

Step 30. Finally, run MSCHED.EXE and try to add more macros or to add more than
         20 lines in a script. Does it work? Kewl, you've made it!!


PART 3: To crack TrayCal 1.0 (to enter any codes)

Step 1. Run TRAYCAL.EXE

Step 2. Enter your name and codes, you'll see the error message which says
        that you've entered invalid codes. (You should write down this message)
        and exit the program.

Step 3. Ok, exit the program.

Step 4. Run WC, go to TrayCal directory.

Step 5. Copy TRAYCAL.EXE to TRAYCAL.EXX (for backup) and copy TRAYCAL.EXE to
        TRAYCAL.W32 (for use by W32Dasm)

Step 6. Run W32Dasm and disassemble TRAYCAL.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the
        string "Sorry, invalid registration code..".
        (You should remember that error message), double click on it.

Step 8. Close SDR window, you should see the line:

  :0043FD30 7E1A                    jle 0043FD4C
  :0043FD32 6A00                    push 00000000
  :0043FD34 668B0DE4FF4300          mov cx, word ptr [0043FFE4]
  :0043FD3B 33D2                    xor edx, edx

  * Possible StringData Ref from Code Obj ->"Sorry, invalid registration code."

         Look at the 0043FD30 address, it's where it'll jump to when the codes
         are invalid. Let's try.
         Make sure the green color bar is on 0043FD30 7E1A        jle 0043FD4C
         and you should see the Offset address below on the screen, like @Offset
         0003F130h. It's where you can patch it in TRAYCAL.EXE.

Step 9. Go back to WC, run HIEW TRAYCAL.EXE, press F4 to select Decode mode
        (ASM), press F5 and enter 3F130. You should see like:

  .0003FD30: 7E1A                         jle   .00003FD4C   ---------- (1)
  .0003FD32: 6A00                         push   000
  .0003FD34: 668B0DE4FF4300               mov    cx,[00043FFE4]
  .0003FD3B: 33D2                         xor    edx,edx

Step 10. That's where you can change the bytes, press F3, enter EB, press F9
         to update TRAYCAL.EXE. Exit HIEW.

Step 11. Run TRAYCAL.EXE, does it work? Nah, it also compares shit in the registry!

Step 12. Go back to W32Dasm, click again on "Sorry, invalid registration.."

Step 13. Close SDR window, you should see the line:

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0043FE34(C)
  |
  :0043FF1B 6A00                    push 00000000
  :0043FF1D 668B0DE4FF4300          mov cx, word ptr [0043FFE4]
  :0043FF24 33D2                    xor edx, edx

  * Possible StringData Ref from Code Obj ->"Sorry, invalid registration code."

         Do you see that Referenced Jump at Address 0043FE34(C) above?
         Now press PgUp key 2 or 3 times till you see:

  :0043FE34 0F85E1000000            jne 0043FF1B

  * Possible StringData Ref from Code Obj ->"Software\Spaeder"

  :0043FE3A 8B0DDC194400            mov ecx, dword ptr [004419DC]

Step 14. Look at 0043FE34 address, we know that it compares again before adding
         a new registration/data to your registry. Now let's try.
         Make sure the green color bar is on 0043FE34 0F85E1000000 jne 0043FF1B
         and you should see Offset address below on the screen like @Offset
         0003F234h. It's where you can patch it in TRAYCAL.EXE.

Step 15. Go back to WC, run HIEW TRAYCAL.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 3F234. You should see like:

  .0003FE34: 0F85E1000000                 jne   .00003FF1B   ---------- (1)
  .0003FE3A: 8B0DDC194400                 mov    ecx,[0004419DC]
  .0003FE40: B201                         mov    dl,001
  .0003FE42: A128D84300                   mov    eax,[00043D828]

Step 16. That's where you can change the bytes, press F3, enter 0F84, press F9
         to update TRAYCAL.EXE. Exit HIEW.

Step 17. Run TRAYCAL.EXE, does it work? Kewl, you've registered it!!



PART 4: Why I copy *.EXE to *.W32 files

I know some people are wondering why I copy *.EXE to *.W32 files. Easy..
I keep the *.EXX copy for when the patched program won't work, then I can copy
*.EXX back to *.EXE. And as for *.W32: I can't patch the *.EXE while W32Dasm
still has it open, so W32Dasm now works on the *.W32 copy instead.. Now tell me
how else I could do that trick! :-) Also, remember to save the disassembled
project before exiting W32Dasm, so next time you don't need to disassemble the
program again. You can open saved files by clicking on Open Project Files!


PART 5: ASM Source Code for a Patcher by Nop/PC '97

--------------------------------------------------------------------

;_______________________________________________________________
;
; Patcher by Nop [Pc] - SourceCode 100% free
;
;   To use with A86:
;       A86 CrkNop.asm
;
;   To use with TASM:
;       tasm CrkNop.asm
;       tlink /t CrkNop.obj
;
; Greetz to all members of the Scene

;_______________________________________________________________

.MODEL TINY
.CODE
.286
ORG 100h


start:
                mov     ah, 9               ; ■ Show Title ■  (DOS fn 09h: print '$'-terminated string at DS:DX)
                mov     dx, offset MainTitle
                int     21h

                mov     ax, 3D02h           ; ■ Open File ■  (DOS fn 3Dh, AL=02h: open for read/write)
                mov     dx, offset filename
                int     21h
                jnb     Ok                  ; carry clear = success, handle returned in AX

                mov     ah, 9               ; ■ File Not Found ■
                mov     dx, offset error
                int     21h

                mov     ax, 4C01h           ; ■ Exit with error ■  (errorlevel 1)
                int     21h
;_______________________________________________________________
Ok:
                mov     bx, ax              ; ■ Move pointer ■  (file handle goes in BX)

                mov     ax, 4200h           ; DOS fn 42h, AL=0: seek from start of file
                mov     cx, 0               ; high word of offset
                mov     dx, 565             ; low word of offset (decimal; position to patch in FILE.EXE)
                int     21h

                mov     ax, 4000h           ; ■ Write values ■  (DOS fn 40h: write CX bytes from DS:DX)
                mov     cx, 1               ; number of bytes to write
                mov     dx, offset BytesToWrite
                int     21h

                mov     ax, 3E00h           ; ■ Close file ■  (DOS fn 3Eh: close handle in BX)
                int     21h

                mov     ah, 9               ; ■ Show msg ■
                mov     dx, offset done
                int     21h

                mov     ax, 4C00h           ; ■ All Done And Exit ■
                int     21h
;_______________________________________________________________

MainTitle       db 0Dh,0Ah
                db ' █▀▀▀▀▀▀▀▀█▄ ▄█▀▀▀▀▀▀▀█▄ █▀▀▀▀▀▀▀▀█▄',0Dh,0Ah 
                db ' █         █ █         █ █         █',0Dh,0Ah
                db ' █    █    █ █    █    █ █    █    █',0Dh,0Ah
                db ' █    █    █ █    █    █ █        ▄█',0Dh,0Ah
                db ' █    █    █ █    █    █ █   █▀▀▀▀▀ ',0Dh,0Ah 
                db ' █    █    █ █         █ █   █ proudly',0Dh,0Ah
                db ' █▄▄▄▄█▄▄▄▄█ ▀█▄▄▄▄▄▄▄█▀ █▄▄▄█ presents',0Dh,0Ah
                db ' ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄',0Dh,0Ah
                db '█▀                                   ▀█',0Dh,0Ah
                db '█              PROG NAME              █',0Dh,0Ah
                db '█           REMOVE CD-CHECK           █',0Dh,0Ah
                db '█               BY  NOP               █',0Dh,0Ah
                db '█▄                                   ▄█',0Dh,0Ah
                db ' ▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀ ',0Dh,0Ah
                db 0Dh,0Ah,'$'
 
error           db ' ■ ERROR: Hm... problem with file ? ',0Dh,0Ah,'$'

filename        db 'FILE.EXE',0

done            db ' ■ Enjoy !',0Dh,0Ah,'$'

BytesToWrite    db 0EBh             ; 0EBh = short JMP opcode, written over the 74h/75h of a Jcc

                end     start
--------------------------------------------------------------------
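Before trusting a patched program, compare it byte by byte against the *.EXX backup from Part 4 so you know exactly what changed, whether it was HIEW or a patcher like Nop's that did it; a single stray byte in the wrong place is the usual reason a "cracked" EXE stops working. The Python below is an added example, not part of this tutorial or of Nop's patcher: it diffs two images and describes each change in terms of the jump edits used above (short Jcc turned into EB, near 0F85/0F84 inverted). The two byte strings are constructed samples assembled from the listings in Parts 1a and 3.

```python
import hashlib

def diff_bytes(original, patched):
    """Return [(offset, old_bytes, new_bytes)] for every contiguous run that differs."""
    if len(original) != len(patched):
        raise ValueError("size differs: %d vs %d bytes" % (len(original), len(patched)))
    runs, start = [], None
    for i, (a, b) in enumerate(zip(original, patched)):
        if a != b and start is None:
            start = i                                    # run of changed bytes begins
        elif a == b and start is not None:
            runs.append((start, original[start:i], patched[start:i]))
            start = None
    if start is not None:                                # run reaches end of file
        runs.append((start, original[start:], patched[start:]))
    return runs

def classify(original, offset, old, new):
    """Describe a changed run in terms of the jump edits this tutorial performs."""
    if len(old) == 1 and 0x70 <= old[0] <= 0x7F and new == b"\xEB":
        return "short conditional jump (%02Xh) made unconditional (EBh)" % old[0]
    if (len(old) == 1 and offset > 0 and original[offset - 1] == 0x0F
            and 0x80 <= old[0] <= 0x8F and 0x80 <= new[0] <= 0x8F
            and old[0] ^ new[0] == 1):                   # e.g. 0F85 (jne) <-> 0F84 (je)
        return "near conditional jump inverted (0F %02X -> 0F %02X)" % (old[0], new[0])
    return "unclassified change of %d byte(s)" % len(old)

def audit(original, patched):
    """Compare a backup (.EXX) with the live .EXE and explain every changed run."""
    return [(off, old, new, classify(original, off, old, new))
            for off, old, new in diff_bytes(original, patched)]

def audit_files(backup_path, exe_path):
    with open(backup_path, "rb") as f1, open(exe_path, "rb") as f2:
        return audit(f1.read(), f2.read())

def sha256_hex(data):
    """Fingerprint to record alongside the audit, so later changes are also noticed."""
    return hashlib.sha256(data).hexdigest()

# Constructed sample: the Part 1a bytes (push ebx / mov / cmp / je / push ...) followed
# by the Part 3 near jump (0F85 ...). The "patched" copy has 74h->EBh and 0F85->0F84.
SAMPLE_ORIGINAL = bytes.fromhex(
    "53 8BD8 80BB0C01000000 741C 6A00 668B0DE44B4600 B202"
    "0F85E1000000 8B0DDC194400 B201")
_patched = bytearray(SAMPLE_ORIGINAL)
_patched[10] = 0xEB
_patched[24] = 0x84
SAMPLE_PATCHED = bytes(_patched)

if __name__ == "__main__":
    print("backup  sha256:", sha256_hex(SAMPLE_ORIGINAL))
    print("patched sha256:", sha256_hex(SAMPLE_PATCHED))
    for off, old, new, why in audit(SAMPLE_ORIGINAL, SAMPLE_PATCHED):
        print("@Offset %08Xh: %s -> %s  (%s)" % (off, old.hex(), new.hex(), why))
```

Run `audit_files("SystemCleaner.EXX", "SystemCleaner.EXE")` on the real pair; anything reported as "unclassified" is a byte you did not mean to touch.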

Ok, enough for now. I hope you've enjoyed this tutor as much as I did! :-)
I'll see you next time at Tutor #5!

PersGreetz to Taha, Taylor, ThatDude, Archimede, PowerLord and everyone in PC!!

This tutor is dedicated to Taha.. without her I couldn't have gone so much
further, and if it were not for her, I couldn't have come back to PC for good.
So I'll stay in PC, long live PhRoZeN CReW!! Thanx babe :-)

You can find me at #pc98 or email me at tkc@goplay.com

Enjoy it,
The Keyboard Caper,
The Founder of PhRoZeN CReW '94 - '98
25-12-1997