tKC Cracking Tutorial (Lesson 6)

Hi ya!

Phew, long time no tutor!
More newbees *cough..*

In this tutor I'll teach you everything about W32Dasm. Sorry, no SoftIce or IDA this time, due
to lack of time (damn coding in Delphi 3). But I've got a new machine *superPC!!*
Next tutor we'll rave about SoftIce for sure. :-)

Sorry for my bad grammar, I hope you'll understand this piece!
Ok, let's rock!

CONTENTS:

1) How to register DocSweep 3.0
   Using WIN Registry without patching a program.

   URL: http://www.spaeder.com      

2) How to register Cover Your Tracks 2.0                 
   Using INI file without patching a program.
   URL: http://www.geocities.com/SiliconValley/Vista/5610/

3) How to crack CD Check in Quake 2 3.10
   Patching your game that you can play it without your CD.
   URL: http://www.idsoftware.com


4) How to register TrayRun 2.0.1
   Patching a program to accept your regcode, why it is still unregistered after you
   restart the program, and how to fix that. Most shareware programs make use of this
   reg scheme.
   URL: http://www.mjtnet.com

5) Pascal Source Code for a Patcher by tKC/PC '98
   You'll need Turbo Pascal 7.0 to compile this source.

6) My last words

TOOLS:

For tools you need the followings:

(I use these tools, I assume you'll use 'em)

W32Dasm 8.9 - http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip

Hacker's View 5.66 - ftp://ftp.cdrom.com/.27/sac/utilprog/hiew566.zip

FAR 1.50b - ftp://rwntug.quarta.msk.ru/WinUtil/Rar/far150b.exe
or Windows Commander 3.50 Beta 7 - http://www.ghisler.com


or ask any crackers to get you these tools, they'll be happy to serve you!

BTW: You can find other tools, e.g. SoftIce 3.22, IDA 3.70 and useful programs at:
http://cracking.home.ml.org

Don't tell me that you haven't got these tools for the next tutor! :-)

PART 1: How to register DocSweep 3.0

Step 1. Run DOCSWEEP.EXE

Step 2. You'll see that you have 30 evaluation launches remaining. Right click on DS, and click Reg Number. Enter your name/any code. *boom* Invalid registration code.


Step 3. Ok, exit the program.

Step 4. Run WC, go to DocSweep directory.

Step 5. Copy DOCSWEEP.EXE to DOCSWEEP.W32

Step 6. Run W32Dasm and disassemble DOCSWEEP.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:
        "Invalid registration code.". (You should remember that error message), double
        click on it.

Step 8. Close SDR window, you should see the line:

  * Possible StringData Ref from Code Obj ->"Invalid registration code."  <---- bad boy


  :0043578D A138784300              mov eax, dword ptr [00437838]
  :00435792 E89952FFFF              call 0042AA30

Step 9. Ok, let's find out what happens if you entered valid codes. Press PgUp key 1 or 2
        times till you see:

  :004356E1 0F859B000000            jne 00435782  <---- if invalid code, goto bad boy

  * Possible StringData Ref from Code Obj ->"Software\Spaeder"

  :004356E7 8B0D34784300            mov ecx, dword ptr [00437834]
  :004356ED B201                    mov dl, 01

  :004356EF B86C394300              mov eax, 0043396C
  :004356F4 E8CFE8FFFF              call 00433FC8
  :004356F9 A398864300              mov dword ptr [00438698], eax
  :004356FE C6059C86430001          mov byte ptr [0043869C], 01  <---- good boy
  :00435705 A09C864300              mov al, byte ptr [0043869C]
  :0043570A 50                      push eax

  * Possible StringData Ref from Code Obj ->"Enhanced Hard Drive"

Step 10. Interesting.. do you see what I see?? Let's run REGEDIT and have a look at

         HKCU\Software\Spaeder\DocSweep:

  SectorsPerPartition="178"  <---- remaining evaluation launches

         Hmm, ok let's add a new string value. It should look like:

  Enhanced Hard Drive="1"
  SectorsPerPartition="178"

         Ok, press F5 to update registry.                    

Step 11. Run DOCSWEEP.EXE. Right click on DS, and click About. WoW, it's registered now!!
         Easy huh?

Step 12. There is another way to register DocSweep. Now you want to enter any code, right?

         Change "1" to "0" at Enhanced Hard Drive Key and change JNE to JE at 4356E1 address.
         Run DS and enter your name and any code. *boom* Registered!

PART 2: How to register Cover Your Tracks 2.0

Step 1. Run CYT.EXE

Step 2. Now you get Register NAG screen. Click on Register and enter your name/any code. *boom* Sorry invalid code.

Step 3. Ok, exit the program.

Step 4. Run WC, go to CYT directory.

Step 5. Copy CYT.EXE to CYT.W32

Step 6. Run W32Dasm and disassemble CYT.W32


Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:
        "Invalid code.". Hmm, no such string, what now? Ok, let's search for "Registered"
        instead and double click on it.

Step 8. Close SDR window, you should see the line:

  * Possible StringData Ref from Code Obj ->"Registered"  <---- good boy

  :0043E7A1 BA6CE84300              mov edx, 0043E86C
  :0043E7A6 E841E6FDFF              call 0041CDEC

Step 9. Ok, let's find out what it does. Press PgUp key 1 or 2 times till you see:

  * Possible StringData Ref from Code Obj ->"C:\windows\system\system.cyt"

  :0043E743 BA34E84300              mov edx, 0043E834
  :0043E748 8B08                    mov ecx, dword ptr [eax]
  ....
  ....

  * Possible StringData Ref from Code Obj ->"true"  <---- good boy

  :0043E769 BA5CE84300              mov edx, 0043E85C
  :0043E76E E85153FCFF              call 00403AC4
  :0043E773 7418                    je 0043E78D  <---- if not goto bad boy

  ....
  ....

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0043E773(C)

  :0043E78D C605EC27440001          mov byte ptr [004427EC], 01
  :0043E794 A1001C4400              mov eax, dword ptr [00441C00]
  :0043E799 8B00                    mov eax, dword ptr [eax]
  :0043E79B 8B8020020000            mov eax, dword ptr [eax+00000220]

  * Possible StringData Ref from Code Obj ->"Registered"  <---- good boy

Step 10. Interesting.. do you see what I see?? What's that "C:\windows\system\system.cyt"?

         Let's find a file at C:\windows\system\system.cyt and we find:

  6
  false

Step 11. Hmm, ok let's try changing "false" to "true". Save it and run CYT.EXE.
         WOW, it's registered!! It's one of the stupidest protections I've ever seen.
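Parts 1 and 2 both rely on a stored boolean (a registry value or a line in system.cyt) that the program trusts as-is. The added example below (my code, not from the tutorial or from the programs it discusses) contrasts that flag check with a keyed-MAC record, using a constructed copy of the "6 / false" file; the record layout name|flag|mac and the key are assumptions.

```python
import hmac
import hashlib

# Constructed sample of the plain-text state file from Part 2 (system.cyt):
# a launch counter on line 1 and a "registered" flag on line 2.
# The values are made up for this example, not taken from a real install.
STATE_FILE = "6\nfalse\n"

def flag_check(text):
    """The scheme DocSweep and CYT use: trust a stored boolean flag.
    Editing the file (or the registry value) is enough to pass it."""
    lines = text.splitlines()
    return len(lines) >= 2 and lines[1].strip().lower() == "true"

def forge_flag(text):
    """What Step 11 above does by hand: flip the stored flag to true."""
    return text.replace("false", "true")

# Keyed alternative: the stored record is name|flag|mac, where mac is an
# HMAC-SHA256 over "name|flag". KEY is a placeholder (assumption); in a
# shipped product it sits inside the binary, so a code patch of the kind
# shown in Parts 3 and 4 still bypasses the check. Only the flag flip fails.
KEY = b"placeholder-key-that-would-live-in-the-binary"

def make_record(name, registered):
    body = f"{name}|{'true' if registered else 'false'}"
    mac = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}|{mac}"

def mac_check(record):
    """Accept only a record whose MAC matches and whose flag is true."""
    try:
        name, flag, mac = record.rsplit("|", 2)
    except ValueError:
        return False
    expected = hmac.new(KEY, f"{name}|{flag}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected) and flag == "true"

if __name__ == "__main__":
    print("flag scheme, edited file accepted:", flag_check(forge_flag(STATE_FILE)))
    rec = make_record("tKC", False)
    print("MAC scheme, edited record accepted:", mac_check(forge_flag(rec)))
```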

PART 3: How to crack CD Check in Quake 2 3.10

Step 1. Run QUAKE2.EXE

Step 2. You'll see that you have to insert your CD to play. Ok, no problem, write down
        the error message. ("You must have the Quake2 CD in the drive to play")


Step 3. Ok, exit the program.

Step 4. Run WC, go to Quake2 directory.

Step 5. Copy QUAKE2.EXE to QUAKE2.EXX, and copy QUAKE2.EXE to QUAKE2.W32

Step 6. Run W32Dasm and disassemble QUAKE2.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:
        "You must have the Quake2 CD in..". (You should remember that error message),
        double click on it.

Step 8. Close SDR window, you should see the line:

  * Referenced by a CALL at Address:

  |:00429038   <---- what is that?

  :0042D4F0 E83BFFFFFF              call 0042D430
  :0042D4F5 803800                  cmp byte ptr [eax], 00
  :0042D4F8 750F                    jne 0042D509  <---- bad boy

  * Possible StringData Ref from Data Obj ->"You must have the Quake2 CD in "
                                          ->"the drive to play."

Step 9. Ok, let's find out what calls this procedure. Hmm, do you see what I see?
        Look above, referenced by a call at 429038!

        Click Goto Code Location button, and enter 429038.

Step 10. Interesting.. what do we get? Here's what we got:

  :00429034 85C0                    test eax, eax
  :00429036 7505                    jne 0042903D  <---- if not, jump to good boy
  :00429038 E8B3440000              call 0042D4F0  <---- bad boy!

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
  |:00428FE5(U), :00428FF5(C), :00429019(U), :00429036(C)

  :0042903D E84E710000              call 00430190  <---- good boy!


Step 11. Ok, let's change 75 to EB at 429036 address. Make sure the green color bar is
         on 00429036 7505   jne 0042903D and you should see Offset address below on the
         screen like @Offset 00028436h. It's where you can patch it in QUAKE2.EXE.

Step 12. Go back to WC, run HIEW QUAKE2.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 28436. You should see something like:

  00028436: 7505                         jne    00002843D   ---------- (1)

  00028438: E8B3440000                   call   00002C8F0   ---------- (2)
  0002843D: E84E710000                   call   00002F590   ---------- (3)
  00028442: 8B0DEC0F4700                 mov    ecx,[000470FEC]
  00028448: A388104700                   mov    [000471088],eax

Step 13. That's where you can change the bytes, press F3, enter EB and press F9 to
         update QUAKE2.EXE. Exit HIEW.

Step 14. Run QUAKE2.EXE, does it work? *eeyaa* You've made it!!


( Byte Ripper personal comment: Hey Michael Abrash I just love your work at ID and
Dr.Dobb's Journal magazine, keep up the good articles at www.ddj.com)

PART 4: How to register TrayRun 2.0.1

Step 1. Run TRAYRUN.EXE

Step 2. Click Register, and enter your name/any code. *boom* Registration Valid.

Step 3. Ok, exit the program.

Step 4. Run WC, go to TRAYRUN directory.

Step 5. Copy TRAYRUN.EXE to TRAYRUN.EXX and copy TRAYRUN.EXE to TRAYRUN.W32


Step 6. Run W32Dasm and disassemble TRAYRUN.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:
        "Registration Failed". (You should remember that error message), double click
        on it.

Step 8. Close SDR window, you should see the lines:

  * Possible StringData Ref from Code Obj ->"RegC"  <---- and this?

  :0042E6C0 BAACE74200              mov edx, 0042E7AC
  :0042E6C5 8BC6                    mov eax, esi

  ....
  ....

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:0042E64C(C)

  * Possible StringData Ref from Code Obj ->"Registration Failed."  <---- bad boy

  :0042E6F6 B8BCE74200              mov eax, 0042E7BC

Step 9. Do you see what I see? Referenced jump! Ok, let's click Goto Code Location and enter:
        42E64C and you'll find:

  :0042E64C 0F85A4000000            jne 0042E6F6  <---- if not, jump to bad boy

  * Possible StringData Ref from Code Obj ->"Registration Succesful."  <---- good boy


  :0042E652 B848E74200              mov eax, 0042E748

Step 10. Kewl.. Let's play! Make sure the green color bar is on 0042E64C 0F85A4000000
         and you should see Offset address below on the screen like @Offset 0002DA4Ch.
         It's where you can patch it in TRAYRUN.EXE.

Step 11. Go back to WC, run HIEW TRAYRUN.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 2DA4C. You should see something like:

  0002DA4C: 0F85A4000000                 jne    00002DAF6   ---------- (2)

  0002DA52: B848E74200                   mov    eax,00042E748
  0002DA57: E87CBBFFFF                   call   0000295D8   ---------- (3)
  0002DA5C: B201                         mov    dl,001
  0002DA5E: B870304200                   mov    eax,000423070
  0002DA63: E8BC4AFFFF                   call   000022524   ---------- (4)

Step 12. That's where you can change the bytes, press F3, enter 0F84 and press F9 to
         update TRAYRUN.EXE. Exit HIEW.

Step 13. Run TRAYRUN.EXE. Enter your name/any code, now it says it's registered, right?

         Click About and you'll see your name, kewl.. 

Step 14. Now exit TrayRun and run it again. Hmm, still unregistered? What now? No need to
         pee your pants! On startup it checks whether the name/code stored in your Windows
         registry is valid! They are stored at HKCU\Software\MJTNET\TrayRun\Settings.

Step 15. Go back to W32Dasm and open SDR window, look down for the string "RegC" (Do you
         remember where you have seen it before? You saw it at 42E6C0 address before we
         fixed the first part.) Now, double click "RegC" twice to reach its second
         reference.

Step 16. Close SDR window, you should see the lines:

  * Possible StringData Ref from Code Obj ->"RegC"

  :004309EC BA9C0B4300              mov edx, 00430B9C
  :004309F1 8BC3                    mov eax, ebx
  ....
  ....
  :00430A0C 833DD426430000          cmp dword ptr [004326D4], 00000000  <---- regcode!
  :00430A13 750D                    jne 00430A22
  :00430A15 833DD826430000          cmp dword ptr [004326D8], 00000000

  :00430A1C 0F84E0000000            je 00430B02  <---- if not, jump to bad boy

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00430A13(C)

  :00430A22 A194264300              mov eax, dword ptr [00432694]

Step 17. Now you'll have to take a good look. Hmm, 430B02 is too far to jump from 430A1C,
         do you think it would jump that far for the good boy? I don't think so. Look at
         430B02 address:

  :00430B02 A1A0264300              mov eax, dword ptr [004326A0]

  :00430B07 E86C04FFFF              call 00420F78
  ....
  ....
  ....
  :00430B26 E8C928FDFF              call 004033F4
  :00430B2B C3                      ret

         As you see, 430B02 is located close to 430B2B (the RET, which returns before this
         procedure is called again). So it couldn't be that jump; what I usually do then
         is find the last comparison before the RET command.

Step 18. Now we'll have to look down and find:

  :00430ADC 740C                    je 00430AEA  <---- if kewl, jump to good boy

  :00430ADE A1A0264300              mov eax, dword ptr [004326A0]
  :00430AE3 E89004FFFF              call 00420F78
  :00430AE8 EB22                    jmp 00430B0C  <---- jump to bad boy (final part)

  * Referenced by a (U)nconditional or (C)onditional Jump at Address:
  |:00430ADC(C)

  :00430AEA A19C264300              mov eax, dword ptr [0043269C]
  :00430AEF 8B80E0010000            mov eax, dword ptr [eax+000001E0]
  :00430AF5 8B15D4264300            mov edx, dword ptr [004326D4]  <---- regcode!


         So we know we'll have to fix 430ADC address! Make sure the green color bar is
         on 00430ADC 740C and you should see Offset address below on the screen like
         @Offset 0002FEDCh. It's where you can patch it in TRAYRUN.EXE.

Step 19. Go back to WC, run HIEW TRAYRUN.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 2FEDC. You should see something like:

  0002FEDC: 740C                         je     00002FEEA   ---------- (1)
  0002FEDE: A1A0264300                   mov    eax,[0004326A0]

  0002FEE3: E89004FFFF                   call   000020378   ---------- (2)
  0002FEE8: EB22                         jmps   00002FF0C   ---------- (3)
  0002FEEA: A19C264300                   mov    eax,[00043269C]

         That's where you can change the bytes, press F3, enter EB and press F9 to
         update TRAYRUN.EXE. Exit HIEW.

Step 20. Now run TRAYRUN.EXE.. No NAG so far, now click About. WOW, it's registered! :-)
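Parts 3 and 4 each keep a pristine copy (.EXX) beside the patched .EXE, which is exactly what an integrity check needs. The added example below (my code, not from the tutorial) diffs a backup against the live file and names byte changes that look like the jne/je/jmp swaps shown above; the sample bytes are constructed from the HIEW listings, not read from the real executables.

```python
import hashlib

# Constructed sample modelled on the HIEW listings in Parts 3 and 4: a code
# region before patching and the same region after the jumps were changed
# (75 -> EB at the third byte, 0F 85 -> 0F 84 near the end). Made up for
# this example, not the real QUAKE2.EXE / TRAYRUN.EXE contents.
PRISTINE = bytes.fromhex("85C0" "7505" "E8B3440000" "E84E710000" "0F85A4000000")
PATCHED = bytes.fromhex("85C0" "EB05" "E8B3440000" "E84E710000" "0F84A4000000")

# Opcodes a one-byte patch usually swaps between (x86 short and near jumps).
SHORT_JUMPS = {0x74: "je", 0x75: "jne", 0xEB: "jmp"}
NEAR_JCC = {0x84: "je", 0x85: "jne"}  # second byte of a 0F 8x near jump

def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()

def diff_bytes(original, patched):
    """Offsets where an in-place patch changed bytes, as (offset, old, new)."""
    if len(original) != len(patched):
        raise ValueError("size differs: not an in-place patch, compare sections")
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, patched)) if a != b]

def classify(original, offset, old, new):
    """Name the change when it looks like a conditional-jump inversion."""
    if old in SHORT_JUMPS and new in SHORT_JUMPS:
        return f"short {SHORT_JUMPS[old]} -> {SHORT_JUMPS[new]}"
    if (offset > 0 and original[offset - 1] == 0x0F
            and old in NEAR_JCC and new in NEAR_JCC):
        return f"near {NEAR_JCC[old]} -> {NEAR_JCC[new]}"
    return "unclassified"

def tamper_report(original, patched, base_offset=0):
    """Compare the backup with the live file and describe every changed byte.
    base_offset is the file offset of the first byte of the region compared."""
    if sha256_hex(original) == sha256_hex(patched):
        return []
    return [
        {"offset": base_offset + off, "old": old, "new": new,
         "kind": classify(original, off, old, new)}
        for off, old, new in diff_bytes(original, patched)
    ]

if __name__ == "__main__":
    # Region assumed to start at file offset 28434h (constructed, see above).
    for f in tamper_report(PRISTINE, PATCHED, base_offset=0x28434):
        print(f"offset {f['offset']:08X}: {f['old']:02X} -> {f['new']:02X} ({f['kind']})")
```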

PART 5: Pascal Source Code for a Patcher by tKC/PC '98

Const A: Array[1..1] of Record {<-------- 1 byte to be patched}
                          A : Longint;   { file offset }
                          B : Byte;      { new byte value }
                         End =
((A:$28436;B:$EB)); {<--------------- offset "28436" and byte "EB" to be changed}

Var Ch:Char;
    I:Byte;
    F:File;

Begin
 Writeln('Little Patch');Writeln('Crack for Quake 2 3.10 by tKC/PC ''98');
 Assign(F,'QUAKE2.EXE'); {<-------------- filename to be patched}

 {$I-} Reset(F,1); {$I+} { open as untyped file with 1-byte records }
 If IOResult <> 0 then
    begin
    Writeln('File not found!');
    Halt(1);
    end;
 For I:=1 to 1 do {<---------------------- one loop per byte to be patched}
 Begin
  Seek(F,A[I].A);      { go to the file offset }
  Ch:=Char(A[I].B);
  BlockWrite(F,Ch,1);  { overwrite a single byte }
 End;
 Close(F);
 Writeln('File successfully patched!');
End.

LAST WORDS:

I hope you've enjoyed this tutor as much as I did! :-)
I'll see you next time at Tutor #7!

PersGreetz to Celeste, Hanna, Kandi, Lizel, Taha, PowerLord and everyone at PC98 Channel!


This tutor is dedicated to Celeste .. pretty woman

You can find me at #PC98 or email me at tkc@goplay.com

Enjoy it,
The Keyboard Caper,
The Founder of PhRoZeN CReW '94-98
2-2-1998