tKC Cracking Tutorial (Lesson 8)

Welcome to Cracking Tutorial #8!

Yikes! Here we are again! More newbies.. *cough .. cough* Ok, not a big problem ;)

I'm glad people love the style of this version! So I'll stay on this book style! ;)

Warning, this tutorial is a real mother!!  *grin*

In this tutor I'll teach you more about W32Dasm and SoftIce. Without knowledge, no power! ;)

Sorry for my grammatical errors, I hope you'll understand this piece!
Ok, let's rave!!


CONTENTS:

1) How to unlock CaptureEze97 6.0
   Using SoftIce.
   URL: http://www.screencapture.com/c97setup.exe

2) How to register in MPEG Player 1.76
   Using SoftIce.
   URL: ftp://ftp.simtel.net/pub/simtelnet/win95/mmedia/mpegp176.zip

3) How to register in WinXFiles 2.8
   Using SoftIce & W32Dasm.
   URL: http://www.pepsoft.com/wxf32_28.zip

4) How to register in CD-R Diagnostic 0.1.1.3
   Using SoftIce.
   URL: http://www.enteract.com/~pcrowley/windows/cdrdiagver113.exe

5) Tips for SoftIce

6) My last words

TOOLS:

For tools you need the following:
(I use these tools, I assume you'll use 'em)


W32Dasm 8.9 - http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip

Hacker's View 5.66 - ftp://ftp.cdrom.com/.27/sac/utilprog/hiew566.zip

FAR 1.50 - ftp://rwntug.quarta.msk.ru/WinUtil/Rar/far150.exe
or Windows Commander 3.51 - http://www.ghisler.com


or ask any cracker to get you these tools, they'll be happy to serve you!

BTW: You can find other tools, e.g. SoftIce 3.22, IDA 3.75, and useful programs at:
http://cracking.home.ml.org

Be sure to get all these tools for the next tutor!!

PART 1: How to unlock CaptureEze97 6.0

BTW: Once the program is unlocked, it's still a trial, only the Time Limit is removed. You'll
     have to order the Full Retail program, so it sux too :-/


Step 1. Run CAPEZE97.EXE

Step 2. You'll see 45 Days Remaining BOX. Ok, no problem, click on Purchase button. Enter
        "tKC" as User Name, "PC '98" as Company, and "12345" as Unlock Code.

Step 3. Press CTRL-D to Softice.

Step 4. Type BPX GETWINDOWTEXTA and press F5 to return back to CAPEZE.

Step 5. Click OK, and now you're back at Softice, press F5.

Step 6. You can press F11 if you want but it'll take you longer to trace, so the best is to
        press F5 again and then F11 to get to the caller.


Step 7. Do you see EAX=00000006 in Register Window? It's the length of our company name.
        We know we're near the bitch's nest. We're getting there ;)

Step 8. Trace downward (press F10) till you see:

    015F:00633FC1  LEA EAX,[EBP-14]   <--- our false code
    015F:00633FC4  LEA ECX,[EBP-28]   <--- our code!!
    015F:00633FC7  PUSH EAX
    015F:00633FC8  PUSH ECX

Step 9. Now type D EAX. Do you see "12345" in Data Window? Ok kewl.

Step 10. Type D ECX. What do you see in Data Window? *Our code*


Step 11. Type BD* and press F5 to return to CAPEZE.

Step 12. Enter "4422028906994041" *unlocked!*

Step 13. If you don't want to unlock it, you can find a code to restore your
         trial period by pressing F10 till you see:

  015F:00634034  LEA EAX,[EBP-14]
  015F:00634037  LEA ECX,[EBP-28]
  015F:0063403A  PUSH EAX
  015F:0063403B  PUSH ECX

Step 14. Type D ECX and you'll find a code to restore the trial period. As I said, it sux too!

(Your code might be different, since it asked for your name when installing the first time!)


PART 2: How to register in MPEG Player 1.76

Step 1. Run MPEGP32.EXE

Step 2. You'll see the NAG screen, very annoying, right? Ok, no problem, click on About/Registration.

Step 3. Enter "tKC/PC '98" as UserName and "12345" as UserCode.

Step 4. Press CTRL-D to Softice.

Step 5. Type BPX GETDLGITEMTEXTA and press F5 to return back to MPEGP32.

Step 6. Click on Register and now you're back at Softice, press F5.

Step 7. Now press F11 to get to the caller. Do you see EAX=00000005 in Register Window?
        Easy to guess what it is: the length of our code.

Step 8. Ok, now we should see:

015F:0040A161  PUSH 00449140
015F:0040A166  PUSH 0043CCC0

Step 9. Type D 449140 and you should see "12345" in Data Window. Also type D 43CCC0 to see
        our name.

Step 10. Ok, press F10 till you're at:

015F:0040A16B  CALL 0040E6D0

Step 11. We need to go into this call 'coz this is the last call before
         the error message pops up. Ok, now press F8 to go into the call.


Step 12. Trace down (F10) till we see:

015F:0040E75D  MOV ESI,[ESP+0C]
015F:0040E761  MOV EDI,[ESP+10]
015F:0040E765  LEA EDX,[ESP+0C]

Step 13. What do we get? We see ESI=13EE3B42 and EDI=BE096ACF in Register Window.
         We're entering the bitch's nest ;) Ok, press F10 till we come at:

  015F:0040E79F  LEA EAX,[ESP+0000010C]
  015F:0040E7A6  MOV DL,[EAX]

Step 14. Type D EAX and what do we see in Data Window? *CODE*

Step 15. Type BD* and press F5 to return to MPEGP32.


Step 16. Enter "13ee3b42-be096acf" *boom* Registered!!

PART 3: How to register in WinXFiles 2.8

BTW: This program is written in Delphi, and sometimes it uses its own handlers instead of the usual
     exports. So we'll use W32Dasm and Softice to enter a bitch's nest. ;)

Step 1. Run WXFILES.EXE

Step 2. Click on Register, enter "tKC/PC '98" as UserName and "12345" as Key.

Step 3. Press CTRL-D to Softice, type BPX GETWINDOWTEXTA and also BPX GETDLGITEMTEXTA.

Step 4. Press F5 to return back to WXFILES and click OK.


Step 5. Hmm, nothing happened. Delphi doesn't like those GETxxxxxxx exports.. (GOD knows why
        I love Delphi!) ;) Ok, not a big problem, open W32Dasm and disassemble WXFILES.EXE.

Step 6. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:

"Invalid Registration Password" and double click it.

Step 7. Close SDR window, you should see the line:

:00482A1A 668B0DAC2A4800          mov cx, word ptr [00482AAC]
:00482A21 B202                    mov dl, 02

* Possible StringData Ref from Code Obj ->"Invalid Registration Password."

Step 8. Now press PgUp key and we see:

:00482990 8D95D4FBFFFF            lea edx, dword ptr [ebp+FFFFFBD4]
:00482996 8B45FC                  mov eax, dword ptr [ebp-04]
---
---
---
:004829C8 754E                    jne 00482A18  <--- jump if wrong code
:004829CA 8B45FC                  mov eax, dword ptr [ebp-04]

Step 9. Ok, we have the address (482990) and we'll use this one for Softice. Close W32Dasm.


Step 10. Go back to WXFILES, enter our name and code again. Don't click OK yet.

Step 11. Press CTRL-D to Softice, type BPX SHOWWINDOW and press F5. And now you may click OK.

Step 12. *boom* You're now at Softice. Ok, type G 482990 (no need to press F5!) You'll be back
         at WXFILES. Enter the code, and click OK again.

Step 13. *boom* You see Break due to G (ET=x.xx seconds). Kewl, we've entered the bitch's nest!

Step 14. Now type BD* and press F10 down till we see:


015F:004829AB  LEA EAX,[EBP+FFFFFBD8]

Step 15. Type D EAX and we see "12345" in Data Window. Kewl, getting on..

Step 16. Press F10 down till we come at:

015F:004829C2  POP EAX

Step 17. Now type D EDX and what do we see in Data Window? *bitch!*

Step 18. Press F5 to return to WXFILES.

Step 19. Enter MCGBVPFMWBAMYXQ *boom* Registered!!

PART 4: How to register in CD-R Diagnostic 0.1.1.3

Step 1. Run CDRDIAG.EXE

Step 2. You'll see the NAG screen, shit, right? Ok, no problem, click on Help/Registration.


Step 3. Enter "tKC/PC '98" as Name and "12345" as Code.

Step 4. Press CTRL-D to Softice.

Step 5. Type BPX GETDLGITEMTEXTA and press F5 to return back to CDRDIAG.

Step 6. Click on OK and now you're back at Softice.

Step 7. Now press F11 to get to the caller. Do you see EAX=00000005 in Register Window?
        Easy to guess what it is: the length of our code.

Step 8. Ok, now we should see:

015F:00408AC0  MOV DL,[0041B640]

Step 9. Type D 41B640 and you will see "12345" in Data Window.


Step 10. Ok, now press F10 down till you're at:

015F:00408B26  ADD ESP,04

Step 11. You should see EAX=0000204C in Register Window.

Step 12. Now type ? EAX and we get:

0000204C  0000008268  " L"

Step 13. What do we see? 8268 is a 4-digit part of our code. The author isn't as
         clever as we thought. If you look closely at the code, it needs 8 digits
         for a correct code. It takes the 1st and 2nd digits of "8268" and puts them in front,
         and we get a 6-digit code. Again it takes the 1st and 2nd digits of "828268" and puts
         them in front, and we get an 8-digit code. Example:

1)
Digits:  1 2 3 4
Code:    8 2 6 8
2)
Digits:  1 2 3 4 5 6
Code:    8 2 8 2 6 8
3)
Digits:  1 2 3 4 5 6 7 8
Code:    8 2 8 2 8 2 6 8

Step 14. Now our code should be 82828268. Let's try, type BD* and press F5 to go back to CDRDIAG.

Step 15. Enter "82828268" *boom* Registered!!
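All four targets above fall to the same trick: the program builds the genuine key in memory and string-compares it with what was typed, so stopping on the compare and dumping the buffer (D ECX) shows the key. Here is an added example, not code from the tutorial or from any of the programs above, that puts a constructed plaintext check beside one that compares only a digest, so the key is never present in a buffer. derive_key_plaintext, check_plaintext, check_hashed, fnv1a64 and the key EXAMPLE-KEY-0001 are all constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (Parts 1-3): the genuine key is assembled into a stack
 * buffer, then string-compared with what the user typed. Whoever stops on the
 * compare can dump that buffer. The derivation below is a constructed stand-in
 * for whatever the real programs computed. */
static void derive_key_plaintext(const char *user, char *out, size_t out_len) {
    size_t i;
    for (i = 0; i + 1 < out_len && user[i] != '\0'; i++)
        out[i] = (char)('A' + ((unsigned char)user[i] * 7 + i) % 26);
    out[i] = '\0';
}

int check_plaintext(const char *user, const char *entered) {
    char expected[32];                         /* the real key sits here... */
    derive_key_plaintext(user, expected, sizeof expected);
    return strcmp(expected, entered) == 0;     /* ...until this compare */
}

/* Hardened pattern: the binary carries only a digest of the valid key and
 * compares digest(entered) against it, so no buffer ever holds the key.
 * FNV-1a keeps the example self-contained; a shipping build would use a
 * cryptographic hash such as SHA-256. */
uint64_t fnv1a64(const char *s) {
    uint64_t h = 1469598103934665603ULL;
    for (; *s != '\0'; s++) {
        h ^= (unsigned char)*s;
        h *= 1099511628211ULL;
    }
    return h;
}

int check_hashed(const char *entered, uint64_t stored_digest) {
    return fnv1a64(entered) == stored_digest;
}

int main(void) {
    /* stored_digest would be a constant baked in at build time; it is computed
     * here only so the example runs stand-alone. The key is a constructed placeholder. */
    uint64_t stored_digest = fnv1a64("EXAMPLE-KEY-0001");
    printf("plaintext check, wrong key: %d\n", check_plaintext("tKC", "12345"));
    printf("plaintext check, right key: %d\n", check_plaintext("tKC", "GGD"));
    printf("hashed check, wrong key:    %d\n", check_hashed("12345", stored_digest));
    printf("hashed check, right key:    %d\n", check_hashed("EXAMPLE-KEY-0001", stored_digest));
    return 0;
}
```

The hashed variant only removes the read-the-key-from-memory shortcut; the result of the compare can still be patched, so treat it as one layer, not a licensing scheme.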

PART 5: Tips for Softice

Here are some functions that you should breakpoint in Softice when cracking programs.


Reading/Writing files:

ReadFile
WriteFile
CreateFileA

Reading/writing INI files:

GetPrivateProfileStringA
GetPrivateProfileIntA
WritePrivateProfileStringA
WritePrivateProfileIntA

Registry Access:

RegCreateKeyA
RegDeleteKeyA
RegQueryValueA
RegCloseKeyA
RegOpenKeyA

DialogBoxes:

GetWindowTextA
GetDlgItemTextA
GetDlgItemInt

MessageBoxes:

MessageBox
MessageBoxA
MessageBoxExA
MessageBeep

Time And Date:

GetLocalTime
GetSystemTime
GetFileTime

Creating a window (like a NAG):

CreateWindowExA
ShowWindow

Thanks go to THE_q for these tips...

LAST WORDS:

I really hope you've enjoyed this tutorial as much as I did!
In next tutorial, I'll give you more advanced lessons.
If you ask me nicely, then you'll get a tutor #9 ;)

I got these wise words from somebody:

If you give a person a crack,
he will be hungry again.
If you teach a person to crack,
he will never be hungry again!


And as I said last time: Without knowledge, there's no power! ;)

PersGreetz go to:
Taha, Taylor, Kim, Tracy, Nitallica, Kristina & everyone at PC98 channel! Yea babes again! *sigh* ;)

You can find me at #pc98 or email me at tkc@reaper.org

Enjoy it,
The Keyboard Caper,
The Founder of PhRoZeN CReW '94-98
7-4-1998