tKC Cracking Tutorial (Lesson 7)

Welcome to Cracking Tutorial #7!

Phew, many newbees have asked me to continue writing tutors. So you're looking at this
new Windows version! I hope you'll like this kewl proggie! :-) More newbees.. *cough*

Warning, this tutorial is a real mother!!  *grin*

In this tutor I'll teach you more about W32Dasm and SoftIce. Thank GOD
for a new superPC! :-)

Sorry for my grammatical errors, I hope you'll understand this piece!

Ok, let's rave!!

CONTENTS:

1) How to remove CD Check in Balls of Steel 1.1
   Using W32Dasm.
   URL: http://www.pinfllwizards.com/bosdownload.html

2) How to remove NAG and 30 days limit in NeverForget 1.00
   Using W32Dasm.
   URL: http://www.neverforget.com/trial.html

3) How to register in Phone Plus 2.00
   Using SoftIce.
   URL: http://www.aros.net/~impulse

4) How to register in WinPatch 1.0.06
   Using SoftIce.
   URL: http://www.artistry.com/products/winpatch/wp.exe

5) Short Summary

6) My last words

TOOLS:

For tools you need the following:
(I use these tools, I assume you'll use 'em)

W32Dasm 8.9 - http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip

Hacker's View 5.66 - ftp://ftp.cdrom.com/.27/sac/utilprog/hiew566.zip

FAR 1.50 - ftp://rwntug.quarta.msk.ru/WinUtil/Rar/far150.exe
or Windows Commander 3.51 - http://www.ghisler.com

or ask any cracker to get you these tools, they'll be happy to serve you!

BTW: You can find other tools, e.g. SoftIce 3.22, IDA 3.75 and useful programs at:

http://cracking.home.ml.org

Be sure to get all these tools for the next tutor!!

PART 1: How to remove CD Check in Balls of Steel 1.1

Step 1. Run BOS.EXE

Step 2. You'll see that you have to insert your CD to play. Ok, no problem, write down the
        error message. ("Please insert the Balls of Steel CD and click...")

Step 3. Ok, exit the program.

Step 4. Run WC, go to BOS directory.

Step 5. Copy BOS.EXE to BOS.EXX, and copy BOS.EXE to BOS.W32

Step 6. Run W32Dasm and disassemble BOS.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:
        "Please insert the Balls of Steel.." (You should remember that error message),
        double click on it.

Step 8. Close SDR window, you should see the line:

  :00439882 B9F4984300              mov ecx, 004398F4

* Possible StringData Ref from Code Obj ->"Please insert the Balls of Steel "

Step 9. Ok, let's find out what calls this procedure. Hmm, we should go back to the
        beginning of this procedure.

Step 10. Press PgUp key 2 or 3 times, and we find:

* Referenced by a CALL at Address:
|:004399D5   <--- what's it?

:004397A4 55                      push ebp
:004397A5 8BEC                    mov ebp, esp

Step 11. Ok, let's find out what calls this procedure. Look above, referenced by a
         call at 4399D5! Click Goto Code Location button, and enter 4399D5.

Step 12. Ah! We find the call here:

:004399D5 E8CAFDFFFF              call 004397A4

Step 13. Hmm, ok let's nop out this call and see what happens. Make sure the green color
         bar is on 004399D5 E8CAFDFFFF   call 004397A4 and you should see the Offset address
         below on the screen, like @Offset 00038DD5h. It's where you can patch it in BOS.EXE.

Step 14. Go back to WC, run HIEW BOS.EXE, press F4 to select Decode mode
         (ASM), press F5 and enter 38DD5. You should see something like:

00038DD5: E8CAFDFFFF                   call   000038BA4   ---------- (1)
00038DDA: E8D1FBFFFF                   call   0000389B0   ---------- (2)
00038DDF: 8B0B                         mov    ecx,[ebx]

Step 15. That's where you can change the bytes, press F3, enter 9090909090 and press F9 to
         update BOS.EXE. Exit HIEW.

Step 16. Run BOS.EXE, does it work? *heeyaa* You've made it!!


PART 2: How to remove NAG and 30 days limit in NeverForget 1.00

Step 1. Run NeverForget.EXE

Step 2. You'll see the NAG screen, very annoying, right? Ok, no problem, write down the
        error message. ("Demo version 1.00 installed on..")

Step 3. Ok, exit the program.

Step 4. Run WC, go to NeverForget directory.

Step 5. Copy NeverForget.EXE to NeverForget.EXX, and copy NeverForget.EXE to NeverForget.W32

Step 6. Run W32Dasm and disassemble NeverForget.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:
        "Demo version " (You should remember that error message),
        double click on it.

Step 8. Close SDR window, you should see the line:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408D55(C)   <--- what's it?

* Possible StringData Ref from Data Obj ->"Demo version "

Step 9. Ok, let's find out what jumps to this procedure. Look above, referenced by a
        jump at 408D55! Click Goto Code Location button, and enter 408D55.

Step 10. Now we find the jump here:

:00408D55 0F84F30B0000            je 0040994E
:00408D5B 53                      push ebx
:00408D5C 53                      push ebx

Step 11. Ok, if we look down, we'll find there's also a timeout check ("Will expire soon").
         So, what if we skip this jump, but where can we jump to? Let's get a good look at:

:00408E2B 53                      push ebx

Step 12. This could be the end of the timeout check. Let's find out what happens if
         we jump to this address. Make sure the cyan color bar is on 00408E2B 53   push ebx
         and you'll see the Offset address below on the screen, like @Offset 0000822Bh. Remember
         this offset. And go back to the 408D55 address, this offset should be 8155h, right?

Step 13. Ok, go back to WC, run HIEW NEVERF~1.EXE, press F4 to select Decode mode (ASM),
         press F5 and enter 8155. You should see something like:

00008155: 0F84F30B0000                 je     000008D4E   ---------- (1)
0000815B: 53                           push   ebx

Step 14. Now press F3, then TAB, enter "jmp 822B" and then press ESC. You'll see:

00008155: E9D1000000                   jmp    00000822B

Step 15. And now you can press F9 to update NEVERF~1.EXE. Exit HIEW.

Step 16. Run NeverForget.EXE. *boom* No NAGs, no expire shit! Kewl, you've made it!!
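From the defender's side, the two patches above (a CALL overwritten with five NOPs, a JE rewritten as a JMP) are exactly what a byte-for-byte check against a pristine copy, like the .EXX backups the steps make, picks up. This is an added Python example and not part of tKC's tutorial: it diffs an original image against a shipped one and decodes each changed branch so the report says what the patch did; the images are constructed from the bytes and file offsets the HIEW listings quote, and the NOP padding of the sixth JE byte is an assumption.

```python
import struct

def _rel32(buf, off):
    """Decode CALL/JMP/Jcc rel32 at off -> (mnemonic, length, target_offset), or None."""
    op = buf[off]
    if op in (0xE8, 0xE9) and off + 5 <= len(buf):
        name, length = ("call" if op == 0xE8 else "jmp"), 5
    elif op == 0x0F and off + 6 <= len(buf) and 0x80 <= buf[off + 1] <= 0x8F:
        name, length = "jcc", 6
    else:
        return None
    rel = struct.unpack_from("<i", buf, off + length - 4)[0]
    return name, length, off + length + rel   # rel32 counts from the next instruction

def describe_patches(orig, patched):
    """Diff a pristine image against the shipped one; return [(offset, what changed)]."""
    if len(orig) != len(patched):
        raise ValueError("sizes differ: not an in-place byte patch")
    findings, i = [], 0
    while i < len(orig):
        if orig[i] == patched[i]:
            i += 1
            continue
        before, after = _rel32(orig, i), _rel32(patched, i)
        if before and before[0] == "call" and patched[i:i + 5] == b"\x90" * 5:
            desc, step = "call to %05X replaced by 5 NOPs (call disabled)" % before[2], 5
        elif before and before[0] == "jcc" and after and after[0] == "jmp":
            desc = "conditional jump to %05X made unconditional to %05X" % (before[2], after[2])
            step = 6
        else:  # anything else: report the raw run of changed bytes
            step = 1
            while i + step < len(orig) and orig[i + step] != patched[i + step]:
                step += 1
            desc = "%d byte(s) changed: %s -> %s" % (
                step, orig[i:i + step].hex().upper(), patched[i:i + step].hex().upper())
        findings.append((i, desc))
        i += step
    return findings

def build_samples():
    """Constructed stand-in for BOS.EXX/BOS.EXE and the NeverForget pair: the bytes the
    HIEW listings above show, at the file offsets they quote, zero padding elsewhere."""
    orig = bytearray(0x38E00)
    orig[0x8155:0x815C] = bytes.fromhex("0F84F30B0000" "53")                # je 8D4E; push ebx
    orig[0x38DD5:0x38DE1] = bytes.fromhex("E8CAFDFFFF" "E8D1FBFFFF" "8B0B")  # call 38BA4; call 389B0; mov ecx,[ebx]
    patched = bytearray(orig)
    patched[0x8155:0x815B] = bytes.fromhex("E9D1000000" "90")  # jmp 822B; 6th byte NOP-padded (assumed HIEW behaviour)
    patched[0x38DD5:0x38DDA] = b"\x90" * 5                      # the CD-check call nopped out
    return bytes(orig), bytes(patched)
```

Running describe_patches(*build_samples()) reports the JE at 8155 made unconditional to 822B and the CALL at 38DD5 to 38BA4 disabled, the same targets HIEW printed.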

PART 3: How to register in Phone Plus 2.00

Step 1. Run Phone.EXE

Step 2. You'll see the NAG screen, it looks like shit, right? Ok, no problem, click on "Enter
        Registration Code.."

Step 3. Press CTRL-D to Softice.

Step 4. Type BPX GETWINDOWTEXTA and press F5 to return back to PhonePlus.

Step 5. Enter "tKC/PC '98" as our name and "12345" as our code, click OK.

Step 6. Now you're back in Softice, type D EAX, now you'll see "12345" in Data Window.

Step 7. Hmm, no.. press F5, type D EAX, ah you find "tKC/PC '98" in Data Window *boom*

Step 8. Press F11 to get to the caller. Do you see EAX=0000000A in Register Window? It's the
        length of our name (Try ? A and you get 10)

Step 9. Now we know we're in the right place. Trace downward (Press F10) till you see:

015F:7C69D80F  POP EDI

Step 10. Type D ECX and you'll see also our name in Data Window. Trace again (F10) till we
         get:

015F:0040EC61  CALL 0040ECBA

Step 11. Since we know this is the last call before the error message pops up, we need to go
         into this call. Press F8 to trace into the call.

Step 12. Trace down till we see:

015F:7C681D37  MOV ESI,ECX

Step 13. Now type D EAX and what do we see in Data Window? *Our Serial*

Step 14. Type BD* and press F5 to return to PhonePlus.

Step 15. Enter "1P3201795" *boom* Registered!!

PART 4: How to register in WinPatch 1.0.06 

Step 1. Run WinPatch.EXE

Step 2. You'll see the NAG screen, it looks like shit, right? Ok, no problem, click on "Enter
        Registration Code.."

Step 3. Press CTRL-D to Softice.

Step 4. Type BPX GETWINDOWTEXTA and press F5 to return back to WinPatch.

Step 5. Enter "The Keyboard Caper" as our name and "12345" as our ID, and "Phrozen Crew '98"
        as our organization. Then click OK.

Step 6. Now you're back in Softice, type D EAX, now you'll see our name in Data Window.

Step 7. Hmm, no.. press F5, type D EAX, ah you find "12345" in Data Window, not ready yet.

Step 8. Press F5 again, type D EAX *boom* our organization in Data Window. We're ready to rave.

Step 9. Press F11 to get to the caller. Do you see EAX=00000010 in Register Window? It's the
        length of our organization (Try ? 10 and you get 16)

Step 10. Now we know we're in the right place. Trace downward (Press F10) till you see:

015F:0040F2A1  PUSH EDX
015F:0040F2A2  PUSH EAX
015F:0040F2A3  CALL 00416B50

Step 11. Since we know this is the last call before the error message pops up, let's try:
         type D EAX and what do we see in Data Window? *Our ID*

Step 12. Type BD* and press F5 to return to WinPatch.

Step 13. Enter "D&L-1121-1941-3638" *boom* Registered!!

PART 5: Short Summary

Once you load Softice, you cannot deactivate it until you reboot your PC. To verify that Softice
is loaded, press the Softice hot key CTRL-D. The Softice screen should appear. To return to
Windows, use X (exit) or G (goto), or F5.

For help, use H or F1.

To trace through the code, use T or F8.
To trace without stepping into calls, jumps etc., use P or F10.

To set breakpoints, use BPX, e.g. BPX GETWINDOWTEXTA or BPX GETDLGITEMTEXTA.
To view breakpoints, use BL.
To clear all the breakpoints, use BC*; to clear just the first breakpoint, use BC0, etc.
To activate a breakpoint, use BE0, or BE* for all breakpoints.
To deactivate a breakpoint, use BD0, or BD* for all breakpoints.
To go into the function, use F11.

In the next tutorial I'll give you more details on Softice.

LAST WORDS:

I really hope you've enjoyed this tutorial as much as I did!

If you ask me nicely, then there will be a chance that you'll get a tutor #8 ;)

PersGreetz to Celeste, Nicolene, Taha & everyone at PC98 channel!

You can find me at #pc98 or email me at tkc@reaper.org

Enjoy it,
The Keyboard Caper,
The Founder of PhRoZeN CReW '94-98
7-3-1998