tKC Cracking Tutorial (Lesson 5)

Hi ya!

Phew, here we are again, learning to crack, yer babes! Too many newbies!! *cough*
Ok, let's rock, in this tutor I'll teach you how to play with your WIN Registry
and how to kill Timeouts. :-)

No SoftIce, still my little ol' laptop. I'm getting a new machine soon, and then
we'll sing! :-)

Sorry for my grammatical errors, I hope you'll understand this piece! :-)
Ok, let's rave!

TOOLS:

You need the following tools (I use these, and I assume you'll use 'em too):


W32Dasm 8.9 or a higher version (www.expage.com/page/w32dasm)
Hacker's View 5.66 (E-mail: sen@suslikov.kemerovo.su)
FAR 1.50b (ftp://ftp.elf.stuba.sk/pub/pc/utilfile/far150b.exe) It's real nice!
or use Windows Commander 3.50 Beta 5 instead of FAR (http://www.ghisler.com)

Ask any crackers to get you these tools, they'll be happy to serve you! :-)


CONTENTS:

1) How to register TrayCal 1.0 using WIN Registry
      URL: http://www.spaeder.com      
2) How to register CopyPaste 1.20                 
      URL: http://www.wz.com/scriptsoftware
3) How to remove timeout in Radio Destiny 0.2
      URL: http://www.destiny-software.com/destiny
4) PASCAL Source Code for a Patcher by tKC/PC '98



PART 1: To register TrayCal 1.0

Step 1. Run TRAYCAL.EXE

Step 2. You'll see that you have 15 evaluation launches remaining. Right click
        on TC, and click Register. Enter your name/any code. *boom* Invalid
        registration code.

Step 3. Ok, exit the program.

Step 4. Run WC, go to the TrayCal directory.

Step 5. Copy TRAYCAL.EXE to TRAYCAL.W32

Step 6. Run W32Dasm and disassemble TRAYCAL.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the
        string "Sorry, invalid registration code.".
        (You should remember that error message), double click on it.

Step 8. Close the SDR window; you should see these lines:

  * Possible StringData Ref from Code Obj ->"Sorry, invalid registration code."

  :0043FD3D A1E8194400              mov eax, dword ptr [004419E8]
  :0043FD42 E88D02FFFF              call 0042FFD4

Step 9. Ok, let's find out what happens if you enter a valid code. Press the
        PgDn key 3 or 4 times till you see:


  * Possible StringData Ref from Code Obj ->"Software\Spaeder"
                                    |
  :0043FE3A 8B0DDC194400            mov ecx, dword ptr [004419DC]
  :0043FE40 B201                    mov dl, 01
  :0043FE42 A128D84300              mov eax, dword ptr [0043D828]
  :0043FE47 E880E1FFFF              call 0043DFCC
  :0043FE4C A3FC274400              mov dword ptr [004427FC], eax
  :0043FE51 C605C819440001          mov byte ptr [004419C8], 01
  :0043FE58 A0C8194400              mov al, byte ptr [004419C8]

  :0043FE5D 50                      push eax

  * Possible StringData Ref from Code Obj ->"EnhancedSystemDate"
                                    |
  :0043FE5E B920004400              mov ecx, 00440020

  * Possible StringData Ref from Code Obj ->"TrayCal"
                                    |
  :0043FE63 8B15D8194400            mov edx, dword ptr [004419D8]
  :0043FE69 A1FC274400              mov eax, dword ptr [004427FC]
  :0043FE6E E8ADE5FFFF              call 0043E420

  :0043FE73 6A01                    push 00000001

  * Possible StringData Ref from Code Obj ->"RegistrationStatus"

Step 10. Interesting.. do you see "RegistrationStatus"? Let's run REGEDIT and
         have a look at HKCU\Software\Spaeder\TrayCal:

  EnhancedSystemDate="0"
  RegistrationStatus="0"

         What does it mean? You should know what it does! :-) Ok, let's modify
         them. Replace "0" with "1". Afterwards it should look like:

  EnhancedSystemDate="1"
  RegistrationStatus="1"

         Note: we have to modify the EnhancedSystemDate key too, otherwise
         it won't work. Ok, press F5 to update the registry.

Step 11. Run TRAYCAL.EXE. Right click on TC, and click About. Wow, it's reg'd
         now!! Easy huh?

Step 12. Anyway you can export HKCU\Software\Spaeder\TrayCal to a file. Click
         Export Registry File, save it to TC.REG.. See below:

  REGEDIT4

  [HKEY_CURRENT_USER\Software\Spaeder\TrayCal]

  "RegistrationStatus"="1"
  "EnhancedSystemDate"="1"

Step 13. You can pass TC.REG to anyone, or next time run REGEDIT TC.REG and
         it'll import it into the registry..
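
Why Part 1 was so easy, as an added example (not from the original tutorial): the
registration state is two plain, writable values, so any program that trusts them
is beaten by REGEDIT. The hardened variant below, also constructed here, keeps an
HMAC over the name and a machine id instead of a flag; SECRET, the dict standing
in for the registry key and the names are all made up, and since the key would
live inside the client binary this only stops registry edits, not the byte
patching of Parts 2 and 3.

```python
import hmac
import hashlib

# Constructed stand-in for HKCU\Software\Spaeder\TrayCal as read in Step 10.
WEAK_REG = {"EnhancedSystemDate": "0", "RegistrationStatus": "0"}

def weak_is_registered(reg):
    """The check the tutorial defeats: two plain flags anyone can set to "1"."""
    return (reg.get("RegistrationStatus") == "1"
            and reg.get("EnhancedSystemDate") == "1")

# Assumed vendor key. In a shipped client it sits in the binary and can be
# recovered, so this raises the bar against REGEDIT edits only.
SECRET = b"example-vendor-key"

def license_tag(name, machine_id):
    """HMAC-SHA256 over who the licence is for and which machine it is bound to."""
    msg = f"{name}|{machine_id}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def strong_is_registered(reg, machine_id):
    """Accept only a tag that recomputes for this name on this machine."""
    expected = license_tag(reg.get("RegisteredTo", ""), machine_id)
    return hmac.compare_digest(reg.get("LicenseTag", ""), expected)

def demo():
    """Replay the tutorial's edit against both schemes; returns five booleans."""
    weak = dict(WEAK_REG)
    before = weak_is_registered(weak)
    weak.update(RegistrationStatus="1", EnhancedSystemDate="1")  # the REGEDIT edit
    after = weak_is_registered(weak)

    strong = {"RegisteredTo": "Alice", "LicenseTag": license_tag("Alice", "PC-1")}
    flipped = dict(strong, LicenseTag="1")   # same flag-flip: tag no longer verifies
    # the same export (Step 13 style TC.REG) used on another machine fails too
    return (before, after,
            strong_is_registered(strong, "PC-1"),
            strong_is_registered(flipped, "PC-1"),
            strong_is_registered(strong, "PC-2"))

if __name__ == "__main__":
    print(demo())  # (False, True, True, False, False)
```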


PART 2: To register CopyPaste 1.20

Step 1. Run CopyPaste.EXE

Step 2. Enter password to register it. *boom* Wrong password - no register.   

Step 3. Ok, exit the program.

Step 4. Run WC, go to CopyPaste directory.

Step 5. Copy CopyPaste.EXE to CopyPaste.EXX (for backup) and copy
        CopyPaste.EXE to CopyPaste.W32 (for use by W32Dasm)


Step 6. Run W32Dasm and disassemble CopyPaste.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the
        string "Wrong password - no register..".
        (You should remember that error message), double click on it.

Step 8. Close the SDR window; you should see these lines:

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:00403427(C), :00403438(C)

  :0040346F 8D442430                lea eax, dword ptr [esp+30]

  :00403473 68FF000000              push 000000FF
  :00403478 50                      push eax
  :00403479 8B0D1C664100            mov ecx, dword ptr [0041661C]

  * Possible Reference to String Resource ID=00014: "Wrong password - no reg.."

Step 9. Did you see the referenced jumps (403427 and 403438)? Ok, press the
        PgUp key till you see:

  :00403427 7446                    je 0040346F
  :00403429 8D442410                lea eax, dword ptr [esp+10]
  :0040342D 50                      push eax

  :0040342E E81D400000              call 00407450
  :00403433 83C404                  add esp, 00000004
  :00403436 85C0                    test eax, eax
  :00403438 7435                    je 0040346F
  :0040343A 8D442430                lea eax, dword ptr [esp+30]
  :0040343E 68FF000000              push 000000FF
  :00403443 50                      push eax
  :00403444 8B0D1C664100            mov ecx, dword ptr [0041661C]

  * Possible Reference to String Resource ID=00013: "Thank you for regist..."


Step 10. Look at 00403427, it's where it jumps to when the check has fucked up.
         Let's see. Make sure the green bar is on 00403427 7446   je 0040346F;
         at the bottom of the screen you should see the file offset, like
         @Offset 00002827h. That's where you patch it in CopyPaste.EXE.

Step 11. Go back to WC, run HIEW COPYPA~1.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 2827. You should see something like:

  00002827: 7446                         je     00000286F   ---------- (1)
  00002829: 8D442410                     lea    eax,[esp][00010]
  0000282D: 50                           push   eax
  0000282E: E81D400000                   call   000006850   ---------- (2)
  00002833: 83C404                       add    esp,004
  00002836: 85C0                         test   eax,eax
  00002838: 7435                         je     00000286F   ---------- (3)

 NOTE: To avoid confusing offset addresses in HIEW, set the following in HIEW.INI:
       ShowOffset = Global


Step 12. That's where you change the bytes: press F3, enter 9090, move down
         to 7435 (offset 2838), enter 9090 and press F9 to update
         COPYPA~1.EXE. Exit HIEW.

Step 13. Run CopyPaste.EXE, does it work? *eeyaa* You've made it!!


PART 3: To remove timeout in Radio Destiny 0.2

Step 1. Run RADIO.EXE

Step 2. *boom* This version has expired. Exit the program

Step 3. Run WC, go to RADIO directory.

Step 4. Copy RADIO.EXE to RADIO.EXX (for backup) and copy RADIO.EXE to
        RADIO.W32 (for use by W32Dasm)

Step 5. Run W32Dasm and disassemble RADIO.W32.

Step 6. Once it's disassembled, click STRING DATA REFERENCE, look down for the
        string "This version has expired.".
        Hmm, no string found, what now? The debugger in W32Dasm won't work
        because it's a 16-bit program. Grrrr.. Ok, let's try..

Step 7. Don't quit W32Dasm.. Run HIEW RADIO.EXE. Press F4 for HEX mode, press
        F7 and search for the string "This version has exp".

        Gotcha! Found it! What now? Ok, note the offset, 6A26 (shown at the
        top of HIEW).

Step 8. Go back to W32Dasm, press the PgDn key a f*cking lot of times till you
        reach offset address "00006A26h" (shown at the bottom of W32Dasm).

Step 9. Wow, what have we got? We got this:

  :0001.63A6 54686973207665727369   DB "This versi"
  :0001.63B0 6F6E2068617320657870   DB "on has exp"
  :0001.63BA 697265642E00           DB "ired.",0

        Press the PgUp key 3 or 4 times. Wherever you see "BYTE xxxxh", ignore
        it; those referenced jumps won't work!!

Step 10. Hmm, what do you see? A call to USER.MESSAGEBOX!!

  :0001.630A 9AC75B0000             call USER.MESSAGEBOX

         So we know it calls the message box when it has expired.

         Press the UP key till you see:

  :0001.62F1 7C21                   jl 6314
  :0001.62F3 7F05                   jg 62FA
  :0001.62F5 3DB40B                 cmp ax, 0BB4
  :0001.62F8 761A                   jbe 6314

Step 11. Look at 0001.62F1, it's where it jumps to when the check has fucked up.
         Let's see. Make sure the green bar is on the 0001.62F1 address; at the
         bottom of the screen you should see the file offset, like @Offset
         00006971h. That's where you patch it in RADIO.EXE.


Step 12. Go back to WC, run HIEW RADIO.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 6971. You should see something like:

  00006971: 7C21                         jl     000006994
  00006973: 7F05                         jg     00000697A
  00006975: 3DB40B                       cmp    ax,00BB4
  00006978: 761A                         jbe    000006994

Step 13. That's where you change the byte: press F3, enter EB and press F9 to
         update RADIO.EXE. Exit HIEW.

Step 14. Ok, run RADIO.EXE *boom* It works!! :-)
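
As an added example (not part of the tutorial), here is what an analyst sees
when diffing the .EXX backup from Steps 4/5 against the patched file: the two
kinds of change used in Parts 2 and 3, a je nopped out and a jl turned into a
jmp short, show up as opcode 74h or 7Ch becoming 90h 90h or EBh. The byte images
are constructed here from the HIEW listings above (zeros everywhere else); the
five differing offsets are exactly the four the Part 4 patcher writes plus 6971h.

```python
JCC_SHORT = range(0x70, 0x80)   # x86 short conditional jumps: je=74h, jl=7Ch, jbe=76h ...
JMP_SHORT = 0xEB                # jmp rel8, what Part 3 turns the jl into
NOP = 0x90                      # what Part 2 turns both je's into

def diff_bytes(original: bytes, modified: bytes) -> list[tuple[int, int, int]]:
    """Return (offset, old, new) for every byte that differs between the images."""
    if len(original) != len(modified):
        raise ValueError("sizes differ: not a plain in-place byte patch")
    return [(i, o, m) for i, (o, m) in enumerate(zip(original, modified)) if o != m]

def classify(changes: list[tuple[int, int, int]]) -> list[tuple[int, str]]:
    """Merge raw byte changes into findings about what was done to the code."""
    by_off = {off: (old, new) for off, old, new in changes}
    findings, skip = [], set()
    for off in sorted(by_off):
        if off in skip:
            continue
        old, new = by_off[off]
        nxt = by_off.get(off + 1)
        if old in JCC_SHORT and new == NOP and nxt and nxt[1] == NOP:
            findings.append((off, "jcc nopped out: branch never taken"))
            skip.add(off + 1)               # the rel8 displacement byte, also NOP'd
        elif old in JCC_SHORT and new == JMP_SHORT:
            findings.append((off, "jcc forced to jmp short: branch always taken"))
        else:
            findings.append((off, f"byte {old:02X}h -> {new:02X}h (unclassified)"))
    return findings

def make_sample() -> tuple[bytes, bytes]:
    """Constructed image: the tutorial's HIEW bytes at their quoted offsets
    (CopyPaste at 2827h and 2838h, Radio Destiny at 6971h), zeros elsewhere."""
    original = bytearray(0x7000)
    original[0x2827:0x283A] = bytes.fromhex("74468D44241050E81D40000083C40485C07435")
    original[0x6971:0x697A] = bytes.fromhex("7C217F053DB40B761A")
    modified = bytearray(original)
    modified[0x2827:0x2829] = b"\x90\x90"   # Part 2, Step 12: je -> nop nop
    modified[0x2838:0x283A] = b"\x90\x90"   # Part 2, Step 12: second je -> nop nop
    modified[0x6971] = JMP_SHORT            # Part 3, Step 13: jl -> jmp
    return bytes(original), bytes(modified)

if __name__ == "__main__":
    orig, mod = make_sample()
    for off, what in classify(diff_bytes(orig, mod)):
        print(f"{off:08X}: {what}")
```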


PART 4: PASCAL Source Code for a Patcher by tKC/PC '98

--------------------------------------------------------------------

Uses Crt;

Const
  { the 4 bytes to be patched: file offset and the new byte value }
  A: Array[1..4] of Record
                      A: Longint;
                      B: Byte;
                    End =
    ((A:$2827; B:$90),    { offset 2827h -> 90h }
     (A:$2828; B:$90),    { offset 2828h -> 90h }
     (A:$2838; B:$90),    { offset 2838h -> 90h }
     (A:$2839; B:$90));   { offset 2839h -> 90h }

Var
  Ch: Char;
  I:  Byte;
  F:  File;   { untyped file, opened with record size 1 so Seek works in bytes }

Begin
  Writeln('Little Patch');
  Writeln('Crack for CopyPaste 1.20 by tKC/PC ''98');
  Assign(F, 'COPYPA~1.EXE');     { filename to be patched }
  {$I-} Reset(F, 1); {$I+}
  If IOResult <> 0 then
  Begin
    Writeln('File not found!');
    Halt(1);
  End;
  For I := 1 to 4 do             { write each of the 4 bytes }
  Begin
    Seek(F, A[I].A);
    Ch := Char(A[I].B);
    BlockWrite(F, Ch, 1);
  End;
  Close(F);                      { flush and release the file }
  Writeln('File successfully patched!');
End.

--------------------------------------------------------------------

Ok, enough for now. I hope you've enjoyed this tutor as much as I did! :-)
I'll see you next time at Tutor #6!

PersGreetz to Taha, Taylor, ThatDude, Archimede, PowerLord and everyone in PC!!

This tutor is dedicated to Taha.. as always..

You can find me at #pc98 or email me at tkc@goplay.com

Enjoy it,
The Keyboard Caper,
The Founder of PhRoZeN CReW '94 - '98

4-1-1998