Reverse Code Engineering RCE CD +sandman 2000

home *** CD-ROM | disk | FTP | other *** search

/ Reverse Code Engineering RCE CD +sandman 2000 / ReverseCodeEngineeringRceCdsandman2000.iso / RCE / Library / +HCU / 041-050.TXT < prev next >

Wrap

Text File | 2000-05-25 | 116.3 KB | 2,999 lines

======================================================== +HCU Maillist Issue: 41 10/27/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: Free software! An update on the generic Corel crack #2 Subject: ida37crk.rar fails CRC test...... #3 Subject: Students' essays #4 Subject: +HCU ML #5 Subject: Programers ARTICLES: -----#1------------------------------------------------- Subject: Free software! An update on the generic Corel crack Hi all! If you can, you might want to consider buying the December issue of PC Pro (a UK magazine, probably available throughout most of Europe), priced at 2.99 UK pounds (3.50 pounds overseas). It has the full Corel Office 8 (with Paradox) - and it can now be cracked :-) The CD also has a whole load of Symantec/Norton 30-day trials, including, pcANYWHERE, Norton Utilities, Crashguard, Norton AntiVirus and a load more. Might be worth looking into if you need some new utils :-) Ah yes, an update on the generic Corel crack (post me a message with your email address and I'll mail you the beta version) - I've successfully tested it on Corel Office 8 trial version (on the above CD), but I've just realised I made a mistake in the PATCH.NFO file - so if you have the crack (Noose, base+metal) you might like to know that if the target program already runs, you should *not* put in the current date as I incorrectly stated, but rather the next day. There is a reason for this, I'll elaborate on it later - but make sure you use the following day or the program will expire and you'll probably need to replace the LIC files and delete the reg keys... Cya, +ReZiDeNt -----#2------------------------------------------------- Subject: ida37crk.rar fails CRC test...... Well, subject says it all.... ida37crk.rar has errors, unfortunately WAFNA -----#3------------------------------------------------- Subject: Students' essays Hi boyz! I think it would be useful both for +Fravia and for all the guys who reach his site if we try to catalogue the students' essays dividing them both by subject and difficulty, and maybe telling what lessons from +ORC's tutorial are useful to understand each essay. What do you think about it? Do you want to join me? byez, .+MaLaTTiA. -----#4------------------------------------------------- Subject: +HCU ML First, here is a bit of MS humor to lighten up your day. Too bad it didn't happen to a nicer guy. While the Gates's are moving in from their temporary quarters nearby, final construction of their new house is not expected to be completed until the end of the year. Now if I were a contractor with a sense of humor... ---------------------------------- Bill: "There are a few issues we need to discuss." Contractor: "Ah, you have our basic support option. Calls are free for the first 90 days and $75 a call thereafter. Okay?" Bill: "Uh, yeah... the first issue is the living room. We think its a little smaller than we anticipated." Contractor: "Yeah. Some compromises were made to have it out by the release date." Bill: "We won't be able to fit all our furniture in there." Contractor: "Well, you have two options. You can purchase a new, larger living room; or you can use a Stacker." Bill: "Stacker?" Contractor: "Yeah, it allows you to fit twice as much furniture into the room. By stacking it, of course, you put the entertainment center on the couch... the chairs on the table...etc. You leave an empty spot, so when you want to use some furniture you can unstack what you need and then put it back when you're done." Bill: "Uh... I dunno... issue two. The second issue is the light fixtures. The bulbs we brought with us from our old home won't fit. The threads run the wrong way." Contractor: "Oh! That's easy. Those bulbs aren't plug and play. You'll have to upgrade to the new bulbs." Bill: "And the electrical outlets? The holes are round, not rectangular. How do I fix that?" Contractor: "Just uninstall and reinstall the electrical system." Bill: "You're kidding!?" Contractor: "Nope. Its the only way." Bill: "sigh Well... I have one last problem. Sometimes, when I have guests over, someone will flush the toilet and it won't stop. The water pressure drops so low that the showers don't work." Contractor: "That's a resource leakage problem. One fixture is failing to terminate and is hogging the resources preventing access from other fixtures." Bill: "And how do I fix that?" Contractor: "Well, after each flush, you all need to exit the house, turn off the water at the street, turn it back on, reenter the house and then you can get back to work." Bill: "That's the last straw. What kind of product are you selling me?" Contractor: "Hey, if you don't like it nobody made you buy it." Bill: "And when will this be fixed?" Contractor: "Oh, in your next house - which will be ready to release sometime near the end of next year. Actually it was due out this year, but we've had some delays..." --------------------------------------------------- I hope that this mail list group don't turn into a usenet group clone. I've read most of +Fravia's essays and some of the names on the first mail list received are already familiar to me. Yes, I read your works on Fravia's web and I am impressed. Using some of these techniques and tools I've managed to crack a few simple programs and preparing myself for more. Without your efforts, I would have given up and lost interest long ago. Why work and think when you can plug in serial numbers and apply the patches found in the Newsgroups? What better way for the Microsoft Empire to render us ineffective than to make us complacent? Give us the easy way out and eventually we will lose interest and be at one with the consuming masses. The biggest reverse engineer is Microsoft. Eventually they will own everything. If they do it, it is legal. Money talks and they have a lot of it. We will be driven back to the dark ages. Remember how hard it was at one time before the Net to find any info and tools on the topic of cracking? The time is now to share your knowledge and expertise before they are able to shut us down. How much of these cracked apps do we ever keep and use? Can we live without Softice and Wdasm? Most of us probably use these two popular tools without documentation and have over time accumulated some niffty do's and don't tips. It would be a better service to all to articulate on these than to give away crackz. A new map to guide us through the darkwood of code is more appreciated than pointing to the answer marked Serial Number X. Recently I read one of +Fravia's essay about Boundschecker 5.02 and went to download it off the Numega site. The server didn't accept my request but the next day I got emails from Numega asking me about the evaluation. I guess they are tracking downloads. What's to stop them from setting up a blacklist or sending trojans from those who tell them to buzz off. Thanks Mammon for posting Tasm50. Rather get it off your link than elsewhere. wlc -----#5------------------------------------------------- Subject: Programers Wafna; I try to protect the small companies which offer us many nice programs to crack. For example, read my essay on NetScanTools. On the other side of the coin, I do not like "greedy" companys or programers at all. Read my esays on NTWorker, or PCAnywhere. Before I send an essay to Fravia, I usualy deal directly with the company or programer that wrote the program, to determine what kind of people I'm dealing with. It's not hard to sort out the greedy ones. If I feel sending an essay to Fravia might somehow damage someone who does not deserve it, I don't write the essay. Do you REALY believe I've only cracked four programs? This is the case with Ida Pro. I have delt directly with Tark, and I have determined that releasing his program to our little clan probably wont hurt him a bit. And, if "somehow" his program gets released to the public at large, perhaps it might "humble" him just enough to realize that his greed wasn't worth it. Hackmore Readrite =====End of Issue 41==================================== ======================================================== +HCU Maillist Issue: EDITORIAL 27/10/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== Hi all! Lately the number of subscribers/writers of the list increased (about 30 now) so did the traffic. A number of topic surfaced - from the question of the repository to forming a cracker group - which topics can only be addressed properly if we remember the principles this list was based upon. The most important principle (as a matter of fact the only one I can remember :) was that the list should be a new media for the HCU to discuss and disseminate reverse engineering/cracking knowledge. As +ORC told us: "If you give a man a crack he'll be hungry again tomorrow, but if you teach him how to crack, he'll never be hungry again." While this principle is simple it's easy to get confused when we are writing letters to the list at 3 :45 am after a long and successful cracking session :). Now as the number forty issue is sent I think we have a clearer idea how this list should work to fullfill its aim. Therefor I would like to set up a few practical guidelines which can help the writers to remember what's the main idea behind the list. This guide lines should also serve to encourage people to learn the ancient art of cracking and to keep the beggars out off the list. As always the guidelines are subject to discussion, but I think the list has been running for enough time that we can see in which way it can be useful for us and to agree upon some definitive rules to ensure that it remains useful when it grows even more. Here are my suggestions to the guidelines: - Asking for a help to crack something (but not for a ready made crack) is encouraged especially if the protection is tough. These kind of requests are the initiators of small threads where the two or three people comes together to analyze and defeat the protection. The guy who asks for help should analyse the protection, tell us what he could find out, where he got stucked etc. This has several advantages: he indicates that he is willing to learn, the others can see if the protection is interesting enough for them to work on, it spares a great amount of work for the others by telling what has already been checked etc. - When somebody answers to a cracking request should try to explain the solution not just deliver a patch (like change EB to NOP at offset XYZ). It's even better if he just shows the otherguy how he can move on himself and let him finish the crack. When a few crackers are working together on a crack they can exchange sort letters with highly technical info which is difficult to follow for the others, who are not deeply in volved in that cracking. To make the accumulated knowledge available to the others at the end of the cracking a report should be made describing the protection and the crack by one of the participants (if none of them wants to do that, then the guy who asked for help at the first place should feel responsible for it :) If the protection was interesting the report should be a full grown assay sent to +Fravia with an indication sent to the list that its up on +Fravias pages. If the protection turned out to be relatively uninteresting then only a short 10-15 sentence description of it containing the important elements like the entry point of protection rutin, final jump etc. should be written. The reports should contain enough info for a cracker to replicate the crack in 5 min ,but not a ready made patch or key generator which can be applied by anyone. It will not be easy to find the balance between these two ends, but I think its important that if a new guy wants to work on the same program later we don't have to start everything from the begining, but we can still be technical enough to keep crack hunters out of the list. - Some more thoughts on distributing cracks and forming a cracker group. I personally don't make crack for others, don't want to be in any "usual" cracker group, and I don't want the list to be the place to exchange or disseminate ready made cracks and I don't think the HCU wants to be associated with the distribution of cracks instead of knowledge. On the other hand every cracker group is welcomed until they seek for knowledge or want to teach us. Similarly the members of the list are not restricted in any way to use the info they obtained from the list to make cracks for the public and distribute it on the USENET or on their pages, just keep in mind that people come to this list to learn not to pick up cracks (at least I hope.) - The question on warez trading on the list is difficult. From one point of view by telling each other where to find a particular warez saves so much time and trouble that it would be foolish not to use the list for this, on the other hand it does not really fit in the profile and certainly the best way to attract undesirable elements to the list. A little bit more on this later issue. If we start to distribute cracks and links to warez we will attract a great number of people who will only read the list just to pick up this info, but will not contribute (probably they don't even have the knowledge). This can lead to the unfortunate situation that while the value of the list is not growing the due to the great number of subscribers its technically more difficult to deliver it. My nightmare is a list (similar to another one I know about) where approx. 50 people is writing the list and 50 000 is reading it. Don't be afraid the situation here is quite good and I intend to keep it that way :). To make it short I suggest that we make warez trading at a minimum and strictly on programs which fit in the "tools of the trade" bag. If now somebody reminds me that everything can fit in that bag (as Fravia proved us with ruler.exe) I kick his ass :) - Huh, I am getting tired now by writing so much (and you too reading, I guess), so I only want to write about the question of the repository. I think it's a great idea, because as the list goes on its inevitable that questions will surface which had already been discussed in great detail. Then we can just point to the old issues and say here it is. The problem as you pointed out that it is difficult to follow the threads and the old issues are containing a great number of useless info as time goes on. Because of this and security reasons I think its better if the reposit containes not the raw issues, but some kind of digestion of the list, like a collection of tipps and tricks as some of you suggested. It could contain the small reports I was talking about earlier which contain the accumulated knowledge of a cracking session. For example if I remember correctly at the begining of the list there was a discussion about the description of Delphi buttons containing the address of the function or something like that. Now if somebody is interested in a Delphi crack he could use this knowledge. But first he has to remember that there was something about it, then he has to find the issues, put the thread together (if he can because if I remember correctly some of the the discussion was taken to private correspondance), he might has to get the program which has been cracked to understand some of the issues the cracker was talking about. All this could be spared to him if we could have a small report with all the relevant info once published on the list then put in a repository. I send these guidelines in a separate editorial issue, because its too long and I don't want to mix it into important cracking material :), but you can send your short :) suggestions to the list. Bye Zer0+ =====End of Editorial Issue ============================== ======================================================== +HCU Maillist Issue: 42 10/28/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: help for Wafna #2 Subject: Silent reader ... #3 Subject: BPX on Mouse-click #4 Subject: +HCU ML Editorial Issue #5 Subject: VCL Appz #6 Subject: Good Words, and an Update #7 Subject: Student Essays & Editorial #8 Subject: Crackers paradise ARTICLES: -----#1------------------------------------------------- Subject: help for Wafna Hi All, hi WAFNA! :) >excellent on Assembly and pathetic on Windows, etc. How do I set a >BPX to a mouse click? Eg I choose 'option A' by clicking the mouse, >and that click would get me straight into SoftICE. well, I usually use bmsg on wm_gettext/wm_command with the handles of the objects I want to "follow". For instance, if I have a button, I first type TASK to see the name of the program I'm working with, then I type HWND <name> to see all the objects of the prog (the first ones are usually the ones in the active window) and their handles, at last I do bmsg <handle> wm_gettext if it's a text box, or bmsg <handle> wm_command if it's a button, or bmsg <handle> wm_gettext wm_command if I want to jump immediately to softice. This is quite useful if a window appears (maybe telling you the serial number is wrong ;)) and you want to break in without trying to bpx on messageboxa or other calls... then you just need a few "P RET" to trace back :) byez, .+MaLaTTiA. -----#2------------------------------------------------- Subject: Silent reader ... Hi all !!! After I read Zero's editorial issue, I thought a bit about it. For the first thing I agree that the list can not became a warez trading list and that we should try to protect it from people only reading it for such info. As You can see this is my first conribution to the list, but I have been reading the ML from the start and I dont think that the problem Zero mentioned (50 writers 50 000 readers) is so important. I simply think that I am not expirienced enough to post anything to the ML. I have cracked one polish comercial demo, quickview (practically no protection at all), TeleportPro and some dumb protections in sherware utls. With such knowlage I can read the list and learn, but an interesting conribution is unlikely come out of my hands. Allright enough, with the cries. As I have regained the acces to the net only a few days ago, a +Fravias page mirror in Poland should be up and running in a matter of week or so (sorry +Fravia for the delay, but i had some problems of technical matter with the net acces). It could also host the ML archives, but I'll think about it when the mirror will be running (there could be also some space maybe for IDA) the site should not be censored so if You have some ideas feel free to post them to me or the ML. Well, the letter got a bit long and I guess you're dying of boredom by now. But there is another thing: i stubeld on a proggy called TechFacts 95 which could be helpful in our trade. Traces heaps, spu on tasks threads and MUCH more. It is shareware but the protection is a bit more complex then bpx getdlgitemtext and r fl+z, and i did not have the time to explore it. Found it on a PL CHIP magazine CD-ROM so I dont know where to get it from. Sorry for such long text but i had to get it off my chest. KUBAK ********************** -----#3------------------------------------------------- Subject: BPX on Mouse-click R.E. breaking on mouse-click The best way to break on a mouse click in Soft-Ice is to use the BMSG (Break on Windows Message) command, with the following syntax: BMSG (hwnd) (message) for example, BMSG 3D0C WM_NCLBUTTONDBLCLK Note that you have to know the handle of the window in order to set this breakpoint; the handle can be found "the hard way" by typing HWND (task name) in soft-ice, or "the easy way" by using sysinfo (sysinfo.zip, look for it) which has crosshairs that allow you to pick the target window and get its handle. Note that you usually want to get the handle of the button ("OK", "Cancel", etc) that you are targetting (playing around with sysinfo.exe or scout.exe will teach you a lot about windows/messaging). The relevant WM_ messages for mouse clicks are: WM_LBUTTONDBLCLK (Left Button Double-Click) WM_LBUTTONDOWN (Left Button Down/Held) WM_LBUTTONUP (Left Button Up/Released) WM_MBUTTONDBLCLK (Middle Button) WM_MBUTTONDOWN WM_MBUTTONUP WM_RBUTTONDBLCLK (Right Button) WM_RBUTTONDOWN WM_RBUTTONUP ....there are also "NC" messages (by adding NC to the above WM_ messages, such as WM_NCRBUTTONUP) that occur when the mouse is clicked in a "non-client" area of the window, but they are not useful for cracking purposes.... ______________________________________________________ Get Your Private, Free Email at ********************** -----#4------------------------------------------------- Subject: +HCU ML Editorial Issue >If the protection turned out to be relatively uninteresting then only a short 10-15 sentence description of it containing the important elements like the entry point of protection rutin, final jump etc. should be written. The reports should contain enough info for a cracker to replicate the crack in 5 min ,but not a ready made patch or key generator which can be applied by anyone.< Right so! And I'll open a section (1998, new server! Lotta space for us all) for "reversing snippets" that are intersting yet not an essay worth. > I don't think the HCU wants to be associated with the distribution of cracks instead of knowledge. On the other hand every cracker group is welcomed until they seek for knowledge or want to teach us. Similarly the members of the list are not restricted in any way to use the info they obtained from the list to make cracks for the public and distribute it on the USENET or on their pages, just keep in mind that people come to this list to learn not to pick up cracks (at least I hope.)< Right so once more +Zero! We are NO group, and we will NOT be a group, our aim is to teach every single one the difficult (white) art! They may be complete newbyes (like many good reverser of to-day were yesterday :-) or they may be eminente crackers like Saltine. They are all welcome so long they want to LEARN and to TEACH. I would add some sound advices: No warez whatsoever (we are all capable to find whatever we need wherever it is, and if some of you are still not able to do it, I'll personally write a couple of lessons on how to search and how to comb (and how to "kleb") the web as soon as I have some time. Repository: just keep it simple: upload avery number (stripping all email addresses and page addresses, of course) somewhere (say chez.com, 10 megabytes for ever and ever , you just need a front french page to keep them quiet) and use a good string search utility on that "raw" material. This is IMO the most effective and labour NOT intensive way. +HCU itself is composed by +ORC (who is now cracking alt-egyptian gerogliphics and seems completely uninterested in software at the moment, let's hope that he'll open 1998 courses as he should) fravia+ +gthorne +sync (That's the 1997 "levy") +Alistair and who knows who else (that's the "java group" that never worked much) Maybe TheOwl And all the new people that are on my solution.htm/solutions.htm page plus +SNIKKEL that has already corrected his entry. That's it later fravia+ -----#5------------------------------------------------- Subject: VCL Appz Hi!=20 >NB. to trurl: did u check your VCL approach with 16 bit apps.how can u = locate the begining=20 >of a procedure in 16 bit code.(sel:offset) No. But I suppose it's the same... (almost sure). I can=B4t check it now because I haven't an D16 exe.=20 If you have, please try. Just browse the executable file looking for something looking like a button name followed by "Click" (e.g. "OkBtnClick"). It should appear twice. In one of the occurrences you'll find the address of the routine. Remember: address-one byte-name. Looking at the dead listing for this address, you should see a standard stack frame: Push BP Mov BP,SP ....=20 Sorry, I can't tell you more right now, but I will soon. greetings trurl -----#6------------------------------------------------- Subject: Good Words, and an Update Friends; My compliments to wlc and Zer0+ for thier comments yesterday. Although I've tried to say it alot, you guys have said it much better. Ida Pro has been ordered, should be in my hands by Thursday, and uploaded to my website by this weekend. Get TASM 5.0 from mammon's site before then if you need it, because I'll have to remove those files to make room for Ida Pro. By the way, the distributor of the program here in the U.S. offers the trial download of Ida Pro 3.7 in three parts, part 1 is 1.4 Mb, part 2 is 1.4 Mb, and part 3 is 400 Kb. Also interesting, from a crackers point of view, they said ALL of the disks will be labeled "3.64" except the LAST disk, which will be labeled "3.7", sounds like nothing more than an "update" to me. And finaly, they said ALL of thier bug fixes and updates are ONLY available on the web. They DO NOT send updates to registered users. Hackmore Readrite -----#7------------------------------------------------- Subject: Student Essays & Editorial Hail +MaLaTTia: I guess you must be collecting and saving all the essays on +Fravia's Web Site. Do you have all his material and essays? I started July 97 basically using File/Save in Netscape. Some links are invalid but I think I got most of them. Wanna compare notes and file directory? At times I feel like using one of those web downloader like Webzip or GetRight to grab all his files but if I did, I probably wouldn't bother with checking what's new and reading the essays, and that would take the joy out of collecting them. Categorizing them would be helpful as a cross referencing tool. There were times when I wish I could remember which essay contained the tip I wanted. One idea I had was to create single htm documents with links in a more organized manner to his essays. When I retrieve additional essays I would insert more links. Another idea was to edit and summarize the crack technique itself, especially when there are more than one submission on the same target. Do you have a better idea? Drop me a note ************************** Hail Zero+: I applaud and support your effort to maintain a high standard with this Mail List. No need for push technology if push means quantity and not quality. If everyone participates in a genuine manner the problems you envisioned in your editorial of Oct/27/97 will not happen. Above all, we must deal with current issues but that is not to say that we forget about the old. Rather than set up a repository or shall we say the Recycle Bin, there will be some of us who are natural born collectors who will step forward and offer their services to update newcomers and to rehash old issues. Knowledge is a living, growing thing which thrives on intelligent interaction, let's not bury it. We are gathered here mainly in the spirit and tradition of +Orc and +Fravia. Dare we refuse a knowledge seeker a few minutes of our time and effort to help that person catch up? The problems you perceive will disappear because those who share your ideals and goals will support you with your work. Hail WAFNA: If the purpose of using Softice is to break into the registration code section of a target, why would you want to bpx on a mouse click? Wouldn't that just land you into the input collection and processing routines prior to the entry point of your selection? wlc -----#8------------------------------------------------- Subject: Crackers paradise Starting this month PC Gamer (American) is putting a new thing on it's CD called Try Before You Buy. You may remember the Quake shareware CD that had every piece of software ever published by iD in full. This Try Before You Buy section on the CD's will have full commercial release versions of different software with nothing but time protections. Not just games, this month (first run, they'll have more in the coming months) has two games, Eudora 3.0 and Monolougue '97. Thought you might like to know that, Shadow Stalker =====End of Issue 42==================================== ======================================================== +HCU Maillist Issue: Empty 10/29/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== You all were lazy, no articles today. =====End of Empty Issue ================================ ======================================================== +HCU Maillist Issue: 43 10/30/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: Zero ML && wlc WebGrap #2 Subject: A response to All #3 Subject: For your +teeth ARTICLES: -----#1------------------------------------------------- Subject: Zero ML && wlc WebGrap Hi All. Hi Zero. Even if I am new in this mailing list, I agree with wlc awarding you for the high standard of your ML (even if I'm not high standard myself :). You're all right : no warez trades here. There's enough elsewhere in the web ; but just some kinds of little hints about new interesting stuff and his place (not an 'riddle' hint, please, I know someone too much hard to find with kind of hint! :-) Hi wlc. I was jumping reading you grabing the Fravia's site with the File!SaveAs function of Netscape! Stop this, for your time and health! There are some good programs in shareware on the web for that. Teleport Pro 1.28 (from Tennyson Maxwell) is a good web spider. I've seen Memobweb, too. But there are many others. Personnaly, with this style of tool, I just refresh one or twice a week the Fravia site on my HD (don't have any Web Site for mirror, sorry). I'm like you, too : I search often reference in these pages. If someone's knows a windoze tool able to find words with boolean operators in a file, i'm interested. A little busy and idle to do my own these days... See ya. -----#2------------------------------------------------- Subject: A response to All Hail +ALL: ---------- First, a couple of apologies are in order. Sorry for the appearance of my previous posting. I see that Fravia+ had a similar problem so I must be in good company. The irregular line wrap must have been caused by the variable width or send mode setting I normally use in Netscape. What I saw wasn't what I got, WISWWIG. Secondly, an apology to WAFNA for not fully understanding the query regarding Bpx on mouse clicks. Good explanations by #3 and +MaLaTTia. Suggest that by hook or by crook to acquire a copy of Windows API Guide. I got one in the trash by Borland V3.0 for MS-Dos Operating System. Amazing what people throw away. May be outdated, but adequate enough to be useful. There is a set of Window's SDK help files zipped up at ********************* HACKERS LAYER)site. Full of neat tools and reference material. Win32 Programer's Reference Guide (I) 3megs Win32 Programer's Reference Guide (II) 3megs Win32 Programer's Reference Guide (III) 2megs Personally found that checking stuff out in hypertext help files to be a pain. Better to have a book or the printed material beside the computer for reference. Hail Kubak: Silent Reader ------------------------- Believe it or not, most outsiders (-minus) probably don't read. They treat their computers like TV, watching color bouncing lines and circles. I know. I pass out some of Fravia's essays when I'm asked for a crack and it's like hey why don't you do it for me instead, since you've read it. Laziness will be their downfall. If you want experience you do the same thing but maybe in fifty different ways. That's how you get experience. If you are serious about learning something you use your imagination to teach yourself. Want a fast way to learn how to read dead listing? Write your own small program and disassemble it? Use your source code to compare and you'll get the hang of it in no time. It took me a hell of a long time to crack my first program and I have yet to uncover a worthy crack for submission to Fravia's HCU. Reading some of those essays, these guys are way ahead of me and into areas too deep to follow. Maybe I'll take +Orc's advice (Academy.HTM at Fravia) and concentrate on some of the earlier Windows and old Dos stuff until I upgrade to a Pentium to tackle the monster apps. Do we measure each other on who can crack the most and the fastest or do we measure ourselves on our own personal triumphs. If you have done one crack on your own no matter how insignificant or trivial the protection is, you are on your way up and one above the -minus. You can't uncover what you can't see and participation in an interactive environment is the best way to open your eyes, stimulate your interest, get your feet wet and above all, learn. The age of working at your computer in the closet is over. If you have something to say or want to talk about it, you know you have at least a reader of one, me. Getting involved here is a prelim in preparation for your submissions. Check out TechFact95 which can be found on Fravia+ site. The essay on it named Siudre2.Htm may help. If no one contribute and participate then poor Zero+ will have nothing to forward and I'll be emailing myself. Hail Hackmore Readrite: ----------------------- I downloaded IDA Pro 3.7 demo off the Fravia essay link (Quine1.Htm) ********************************* 9,884,100 bytes. Would be interesting to see how it compares with your originals and see what's missing? Software getting to be like fingerprints. No matter what version they call it, never two the same or in reverse perversity, two of the same but with different names. Hail Fravia+: ------------- Sound advice given as always. Looks like we are building a global community with everyone chipping in resources and wanting to play an active part. Part of a dream come true and stepping into a new age? I can hear SiuL Hacky in the background with a sermon on 'Give and Ye shall receive.' --------------------- It's not my intention to respond to every thread on this mailing list or to dominate it with my rambling. I'm the type of person who read something interesting more than once so be assured that you haven't been neglected when you write and add to this list. If my writing irritate you I will start off at the top with Hail and sign off with wlc making it easier for you to cut and trash. A light verse to start or end the day. -------------------------------------- I'm a Cracker Don't confuse me with a Hacker Bashing software is my game Got to earn the plus in front of my name Cocktails are served fresh Just add Soft Ice, they are the best And if the Ice last Debug will be a tool of the past When I can't sleep I trace calls no matter how deep A BPX here and a NOP there That Bad Guy code got to disappear Then off to Fravia for goodies to grab Check in on Zero for a bit of gab Aesculapius is a good link But look for essays by master Sync+ Life wouldn't be bad if +Orc was around But he is nowhere to be found. ------------------------------ wlc -----#3------------------------------------------------- Subject: For your +teeth Well, who would like to prepare some snippets or maybe an interesting essay out of this? later fravia+ -------------Forwarded Message----------------- From: Anonymous, ************************** To: , ********************** Date: 29-10-97 4:34 RE: Comments and a future Tutorial Date: Wed, 29 Oct 1997 04:33:49 +0100 (MET) Subject: Comments and a future Tutorial Well, much to my surprise, I saw an essay on HyperChem. I had previously worked on this program, on the request of a friend. Firstmost, you shouldn't slam the question....It is reasonable question...not , many protections accept any reg code and tell you thank you. Of course, the guy shouldve figured out that when it didn't run, there was a protection involved..... I would like to put forth a few more Chem programs for you to exam...one in particular has merit do to a hidden information in the copy command. I'll tell you what i see, and then the name, for you to decide whether or not it's worthy of attention. You draw a molecule, then select it. Copy it, paste it into the document by the program, works fine. Copy it into a word doc, or even just the clipboard viewr, you get a large messages for the synthesis of a morphine compound, and a statement that the demo limits copying to just this message...so I figured, ok, it's just a linked tothe active file. Wrong. Kill the program and restart, you can paste the molecule back into the program, but the clipboard still shows the synthesis procedure. Better still....Save the clipboard (*.clp) file, and u can reload and re-paste the file into the program...and get the _original_ compound back! Intersting, no? Target : Chemdraw 4.0 *************** Or, get the demo the way i did, **************** search for chemdraw **************** Remember my essay on pioneer? well, caligari has released a full demo that does not save of tS3. Interestingly enough, a view with BRW shows all the un-enabled features are there with other screens instead, as in demorender, etc...all in place for them to be re-enabled, but I have spent countless hours getting nowhere...so i pass it to you in hopes you may have more knowledge (of course you do) than i on this. Finally, the simplest (hehe) and most worthless program out there, wintalk, client for windows (goto **************** again) It has the 'pro' screens in it, but I am still unable to connect them to the program. Perhaps if this was examined and explained, i could apply them to the ts3 demo. Or both. Ws_Ftp has the same format, all from the same company. Anyways, enough of my rambling. Oh, and for the essay that didn't come thru? it was completely wiped by IE from the comp i sent it from (damn cybercafe's...) and i have no other one to send, just tell them to search for the fake entered reg code for hotdog4 (all of sausagewear's 'CISM' stuff is protected like this..really weak), and it'll be within 90bytes like +ORC said it would be...just dump them all and search...it's about 20 bytes long (why longer reg codes when they put it in plain site? I'll never know....) +daQ =====End of Issue 43==================================== ======================================================== +HCU Maillist Issue: 44 10/30/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: Zen Cracking #2 Subject: Thanks for the Halloween Treat #3 Subject: Ida is HOME! ARTICLES: -----#1------------------------------------------------- Subject: Zen Cracking Hail +All: As I feared, I must have put everyone to sleep with my sermon and ranting. Got a note from the great Manhcu downgrading us as being too lazy for lack of input. I told him off on all your behalf saying he was in the wrong time zone. Maybe his computer screwed up on the daylight saving time changeover. Probably using a Pentium II, so back me up +All and speak up. I notice that on my computer it skipped forward a day. Didn't yours? Ok. On to Zen Cracking. What is it? Can it be achieved? I've read once something on Zen Archery. A bunch of monks shooting at targets with eyes closed or blindfolds on. I read about a famous Japanese samurai. The guy who founded what is known as the Ninja cult, and wrote their holy manual known as the Book of the Five Rings, who was so good he fought his adversaries with a wooden oar instead of a sword. Later he proclaimed that once achieving the fifth level he didn't even need a oar but a stick or a branch. Read the Fifth Ring to find the answer or ask +Orc. Interesting point about +Orc's study of ancient language by Fravia. He always seems to be at the forefront leading the way. How does one catch up to the master? Does one run behind the master or should one take a different route? What does that have to do with cracking you ask? A lot and at the same time, nothing. Sometimes Zen require the indirect approach to achieve it. +Orc is a masterful writer on this topic of Zen Cracking. He writes to us to 'Feel the code'. One day he will release to us his long awaited Zen Cracking tutorial. To some it will be a disappointment and for others it will only serve to reaffirm what they are in the process of achieving or have already achieved it following his directions. What do you do the day after? Give up on life or look for other pursuits? Sometimes I wish for a time machine to take me to the university library when +Orc was with his friends in the debugging sessions he wrote about in tutorial 9.3. Probably would have achieved Zen by now. But this is what this whole Mail List is about. We have a new library and new friends, so how about it? You and I missed the library sessions with +Orc but have the opportunity of creating our own sessions. I doubt very much that they discussed just cracking material. It probably led to other topic and fields of interest. Why behave like a news group with a singular topic of discussion? Be like +Orc in his tutorials and add in some personal insights. I hate it when I see a ton of dead listing in an essay. I would skip those segments for later review. I remember the personal touches and can easily associate it with the author but not the dead listing. Have a good day and don't go to bed until you send something in. Ok? wlc -----#2------------------------------------------------- Subject: Thanks for the Halloween Treat Wow! This thing works better than +Orc's FTP Mail. Talk about a program and a kindred soul out there took the time to write me about Teleport Pro v1.28. Not a bad response rate. I owe you one. It even have a protection scheme for me to play with to make it work better. Guess I won't be playing Pooldemo tonight. But with the time saved maybe just a game or two. The info exchange is greatly appreciated. May I have to work more efficiently. No wonder I never read about missing links and complaints to Fravia+ and it explain why you guys have so much time to dedicate to cracking. Also the same reason why none of you submitted an essay for this program. Got to be real dedicated if using Netscape File/Save to be coming back for more, hey? Time for the next dumb question. When I first visited at Fravia+, he said MS Explorer hostile so I figure I might as well use Netscape Communicator. Hardly ever use the Email feature until now but if Zero+ wants daily input does any one have any more suggestions for good grabs to replace this monster. Those guys at ZDNet got a big stash of stuff but who can trust their judgement on practicality when they splash so much ads at you. Need something practical, not flashy and bloated. Maybe also a good discussion topic for what is out there that rates other than our tools of the trade. ------------------------ wlc -----#3------------------------------------------------- Subject: Ida is HOME! Hello everyone; Ida Pro has been uploaded to my home-page at: **************************************************** Click on the graphics to download part1.zip (5.51 Mb) AND part2.zip (3.96 Mb). The File-1 through File-4 links are just some trash icons I picked up on the web to satisfy lamers. Each graphic contains one half of the program, so BE SURE to get BOTH parts. After you download BOTH files, unzip them to a temporary directory and READ the hackmore.txt file to learn how to install the program, how to get it running, and how to get updates, along with some other interesting information. These files have NOT been modified in ANY way, other than the addition of the hackmore.txt file. I copied them from floppy's onto my hard drive, zipped them into two files, then uploaded them to my web site, and mammons web site. I haven't even installed MY copy yet! Please read hackmore.txt BEFORE installing in case you want to reverse the "registered to" name. Enjoy! Hackmore Readrite =====End of Issue 44==================================== ======================================================== +HCU Maillist Issue: 45 10/31/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: +Orc Sighting - Oct/29/97 #2 Subject: IDA, considerations, by fravia+ #3 Subject: Ginsu and the Art of Zen ARTICLES: -----#1------------------------------------------------- Subject: +Orc Sighting - Oct/29/97 Hail +All I better take Fravia's advice and write first in UltraEdit and then cut and paste into my email. Netscape Communicator sucks. I wonder what other problems I will have with it. Bear with me for a while. This Mail List is like a Mars probe. Send out a message and when the reply comes back it may not be revelant. A friend likes to write on the same fax and expect a reply on the same fax. I, however use a fresh page and he has to back track to find out what I was talking about. We piss each other off, but we are still friends. Timing can be such a crucial factor in misunderstanding. An apology to Zero+ for sending in double by pushing the Send Text and HTML button in Netscape. I hope you don't mind when I use Hail to greet you en masse or individually. The phrase "Hail, Caesar! We who are about to die salutes you." kinda got stuck in my mind when I first came across the name Fravia and +Orc's Latin inserts. Just mindless association on my part and not meant as a sign of disrespect. I read the October 29 +Orc message on Fravia's page, another masterpiece to help set our sights on. He said it better than what I wrote ML#44. Got to love the guy and his purpose in life. He wanted us to form little groups to tackle this baby. He must have intercepted my thoughts when I wrote ML#44. This guy is a mind reader. We don't have to look for him. He finds us. So how about it? Anyone started a group that I can join or can we start one now? wlc -----#2------------------------------------------------- Subject: IDA, considerations, by fravia+ Well, Hackmore, as it seems you have been too quick: Quine has reversed crippled-ida so good (third lesson is coming) that it will work like the real version now and BETTER than the real version as soon as he adds functionalities to it. Thanks for the complete version anyway, I'm using IDA right now for the acrobat project, hope you all will do the same. Anyway: Please Hackmore: Take OFF the web as soon as possible your complete version. Else you'll start a snowball that will completely destroy the good russian guy that made it. Please all of you that did fetch it: Do not give it NEVER to others outside this maillist. The guy that wrote IDA deserves respect, as you'll soon realise using IDA. If you want to offer some 'presents' to some friends, just download some hot warez wherever you want, do not spread IDA complete. If they need IDA, they will follow the 'Quine's' essays and get it using their BRAIN, not their FINGERS. later my friends fravia+ -----#3------------------------------------------------- Subject: Ginsu and the Art of Zen I have read the book of five rings in the past note that it is definately an interesting historical war guide, akin to THE PRINCE and THE ART OF WAR Though the Ronin style of our intrepid hero is quite different, note also that his idea of becoming scarey to his one-on-one opponents required no bathing, and shaving out of the question. Draw your own conclusions to this one :) +gthorne =====End of Issue 45==================================== ======================================================== +HCU Maillist Issue: 46 11/01/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: Thanks, ang fravias mirror .. #2 Subject: An essay on the Corel/Elan generic crack #3 Subject: Norton protections #4 Subject: Cracker without a cause #5 Subject: A letter of Intent, Motivation, and Precations #6 Subject: Where did +everyone go? #7 Subject: cracking pdf ARTICLES: -----#1------------------------------------------------- Subject: Thanks, ang fravias mirror .. Hi all !! For the first thing thanx wlc for Your advice. Altough i hate writing proggies for windows i'll try to do that. (ALL :Where could i find some sample (& simple) source code in asm for windows ??) Secondly: someone wrote about teleporting entire fravia's site with teleport pro. How did You set it up ?, For me it only fetches the first page and says that it was everything to d/l. If anyone's interested there will be a full mirror of fravia's site at: ***************************** i asked my friend to mirror the site for me, but as he didn't do that i'll do it myself so the page should be up tommorow. (BTW: sorry fravia for the **** in the adress (bad habit)) I intend to put some things there to: like ice bins and docs, maybe some reference mans. If You have anything worth to put it online then e-mail me ********************** there should be a place for it (and lots of it). There is also possibility for using CGI, but as i'm not familiar with it if someone has an idea how to put in in GOOD use hes is welcome. Another thoght is to maybe set up the ML's home page. If someone has an idea and would like to maintain it with me then feel free to drop me a letter. Alrighty then, it was a bit off topic but I think the idea is worth talkin about. Read 'ya later KUBAK -----#2------------------------------------------------- Subject: An essay on the Corel/Elan generic crack /* NOTE: Please don't publish this just yet, as it may */ /* not be quite finished - Thanks! */ Cracking the Corel/Elan protection scheme, by +ReZiDeNt A 'brute force' approach :-) Special thanks to Noose and base+metal! Hello all! For many months now I've been seeing messages in use net groups from lamers begging for cracks for Corel trial applications. I have yet to see a working crack for any Corel trial product (except fo one which I have been unable to test - if you have made a working crack then please accept my apologies), and I used to spend many hours attempting to crack this scheme when I first started crackin I failed :-). However, recently someone posted a message to the +HCU mailing list asking about this protection scheme - I had actually already intended to write a short essay on what I already kne about the protection scheme, but I instead began to discuss the various aspects of the protection with other list subscribers, notably Noose and base+metal. Armed with my new-found knowledge, tog r with the information I had already accumulated, I began to work on a generic crack, which is what I will describe in this essay. I don't want to get into too much detail yet, but I would like to ke it clear that this crack is only the 'tip of the iceberg' so to speak...there is *much more* to be learned about this protection scheme, but for now I will limit myself to how to break the pro ion. There are doubtless others more qualified than myself to make a fuller investigation and report into the scheme (Noose?). Corel have been releasing quite a large number of their applications on a 30-day trial basis, including WordPerfect 7, WebMaster Suite, Corel Draw 7, Corel Suite 8 etc. This may seem unusual to a dy familiar with Corel's disgraceful business practises (while they are appalling, it should be noted that Corel's behaviour pales into insignificance when placed alongside that of its rival, Mic ft, who seem to seek nothing less than world domination!) - I know someone who not-very-long-ago purchased (at not inconsiderable expense) a Corel application known as 'Games Factory'. This Windows 5 program sounds very impressive - it claims to enable the user to make *freely distributable* games with ease...of course, anybody who is even vaguely familiar with games programming will realise at this notion is over-optimistic at best. But that fact, although indicative of the sad state of the 'software industry', is irrelevant; the point I wish to make clear here is that Corel do not ally grant you a 'license' to sell the games you create using this software. Rather they tell you (on a piece of paper *inside* the shrink-wrapped box, I might add) that you must fork out yet *more of your hard earned grinkles (or EMUs if the dangerous, greedy, megalomaniacal lunatics behind the 'EU' have their way...this is another very interesting subject, the way various governments and th mass media have fooled millions of Europeans into believing that the so-called 'European Union' is a benign cooperation for the benefit of all and that this ridiculous but all too popular mantra of internationalisation' and 'globalisation' is somehow mankind's ultimate attainment. Nothing could be further from the truth! - but I digress...) for this privilege, and purchase another program kno as 'Click-N-Create'. Now, this person I know downloaded a warez copy of Click-N-Create from the Internet after he discovered he would need it to distribute his games. Imagine his disgust when he in alled it and discovered that he would have to pay *yet another* huge amount of grinkles in order to be allowed the privilege of distributing his games 'royalty-free'! This Micro$oft style theft is wnright vile... Anyway, all that to say that until software companies have a change of heart and start giving their software away cheaply or freely (a change that I regret I do not expect to be made), us +crackers ill continue to crack them inside-out, and warez groups will continue to thrive. OK, so lets get started on the crack proper. I will use WordPerfect 7 30-day trial version...but you will find that things should be very much the same with *any* (fairly recent) Corel trial applic ion. This is because Corel, in their blind and stupid greed, decided to buy a commercial 'licensing management' package, doubtless sold as 'uncrackable'. Well, as we know, and +ORC said, *nothing i uncrackable*. So don't even try - just make it cheap, or even better, free. This protection scheme is made by a company called Elan (how do I know? Just browse around the target EXE file with your vourite hex/text editor, you'll soon see it all over the place), who seem to specialise in protectionist software. Let's hope that we can become their Nemesis, and continue to sound the death-knell f all protection schemes...incidently, I have been told that Elan make a trial version of this protection program available for download from their website ********************* - investigation of is demo version may prove worth the effort, we shall have to wait and see, and investigate further. Now, having established its origins, I want to first discuss the behaviour of this protection. If you have tried to make a dead listing of the target you will find that WD32Dasm chokes with a mes to the effect that the EXE header is non-standard, and the data references will therefore no be shown. This means that there are no strings such as 'Evaluation' or 'Trial' that we can search for i the dead listing (nevertheless, you should make a dead listing anyway, as we'll refer to it later)...I'm not certain whether this resistance to disassembly is intentional, or whether it is a side ect of the way that the protection scheme is applied - from what I've been able to gather (from the Elan website, what Noose found out from a helpful Elan salesman and my observation), it seems as ough some sort of 'wrapper' is applied to the target, most likely *after* compilation. This argument is, IMHO, strengthened by the fact that the protection code for *all* the Corel products I have me across is almost identical. The wrapper behaves very much like a packer might - except that it checks the date before 'unpacking' the original program cod This unusual approach to protection is actually comparatively secure. The current date is checked with the install date - if your time isn't up, the code proper for the application is loaded and of you go. If however, your time is up (e.g. the time limit has expired) the application code is never loaded at all! So the code is actually self-modifying (in a way). Hmm...this means that we can't mply jump over the time checks - instead it is necessary to delve deeper. Another benefit (for the protectionists) of this scheme is that there is *no* 'go-ahead-nice-guy' jump! Instead the current ate/time seems to be encrypted in some way and the resulting data used in a *massive* jump tree which is traversed *hundreds* of times in the protection. Again, you can't jump over this code, becau hidden in this mess is the code that loads the proper application (assuming your time isn't up). OK, I hope I haven't confused you too much - if you haven't understood all the above then suffice it to say that the protection is very difficult and calls for a different approach in order to c it. Now, assuming you have installed a Corel trial app, set your clock forward 30 days (or back even a minute!) and then try to run the application. Of course, it doesn't work. Now set the clock back in and try to run the program. You'll find that it still doesn't work...obviously the protection has set some value in either a file somewhere or in the monstrous registry. Using Regmon and Filemon you'll find that the relevant keys/files are: HKEY_LOCAL_MACHINE\System\SOFTWARE\RBO (and all values it contains) and a 'LIC' file somewhere on your hard drive (either the \windows\system directory or in the same directory as the protected application). This LIC file seems to always be named '123.LIC' where ' are any different numbers. For example, with WordPerfect 7, the file is called '101.LIC' and located in the \windows\system directory. For Corel Suite 8, the file is called '110.LIC' etc. If yo ke a look at this key you'll see it looks very much like the below: !<Elan-License-Manager-Key> # DO NOT EDIT/COPY/MOVE/TOUCH THIS FILE! # DOING SO WILL INVALIDATE THE KEY! 1495759114997400190218696156651151 G 1 localhost 29409528605026735253388754988463352615578602168050745868 63420417881207022485101836949246508084229387790741495533 9551540371980384961018021882475297 The advertising from the Elan website claims it uses RSA/DES encryption etc. - it may be that the LIC file format could be decoded and a 'universal' one distributed, but I've not got the time for a that :-) Every time you run the protected program, it writes to both the registry *and* the LIC file...so when it expires, both are 'corrupted'. To get the program running again you'll have to delete the stry key 'HKEY_LOCAL_MACHINE\System\SOFTWARE\RBO' *and* replace the LIC file with the original one from the CD-ROM or wherever you installed the trial from. You'll also have to set the date back to round the same time as you acquired the trial version - the reason for this is that the LIC file stores a set of dates (thoroughly encrypted, of course) between which the trial application may run, sort of 'window' in time...these dates are read by the protection code (so you can't just replace the LIC file whenever it expires, unless you also set the date back - and delete the registry keys Let's summarise what we now know: 1) The code is self-modifying 2) Both a license file and registry keys are used 3) There is set 'time window' in which we may run the protected program 4) The protection takes even minutes and seconds into account! 5) Setting the date back doesn't work :-) Taking all the above into account, you might think 'why not use a loader, such as the Date Cracker by +greythorne?' - well, you could use such a program, and it might work, but only if you also fou a way to change the minutes etc...in any case, I don't feel that a loader is a 'real' crack (I mean no offence to +greythorne here)...don't forget that if you use a loader, all the files you save ll have the wrong date etc. All in all, not a very elegant solution. Instead, I propose a somewhat brutal, but nevertheless perhaps more appropriate (IMHO) solution - why not edit the protection code that fetches the date, and force it to return the same date each t e? If you have cracked a lot of time-trial programs before, or have looked at the entry essays for the 1998 +HCU, you'll probably know that many programs use a single function to retrieve the curre date/time and encode it somehow (I believe there may be a standard MFC function which is often used - can anyone confirm this?). Now, as you also are probably aware, parameters are passed to funct ns via the stack (in C/C++ at least) - this means that before the call to the encode date function, we should see a good few 'PUSH' instructions. These will be pushing the necessary values (e.g. nd, minute, hour, day, month, year) onto the stack, where they will be retrieved by the called function. So we can simply locate these pushes and 'hardwire' our own dates into the push instructions nstead. If you step though the program code (of whichever Corel app you use) you'll see that after each call to KERNEL32.GetLocalTime there are indeed a lot of pushes, and a call that returns a val that is suspiciously like an encoded date...look through your dead listing for 'GetLocalTime' (there is probably just one) and a few lines after you'll see the code I mea :007FB596 25FFFF0000 and eax, 0000FFFF :007FB59B 50 push eax ; push seconds :007FB59C 33C0 xor eax, eax :007FB59E 668B442426 mov ax, word ptr [esp+26] ; load minutes :007FB5A3 50 push eax ; push minutes :007FB5A4 8B442428 mov eax, dword ptr [esp+28] ; load hours :007FB5A8 25FFFF0000 and eax, 0000FFFF :007FB5AD 50 push eax ; push hours :007FB5AE 33C0 xor eax, eax :007FB5B0 668B44242A mov ax, word ptr [esp+2A] ; load day :007FB5B5 50 push eax ; push day :007FB5B6 33C0 xor eax, eax :007FB5B8 668B44242A mov ax, word ptr [esp+2A] ; load month :007FB5BD 50 push eax ; push month :007FB5BE 8B44242C mov eax, dword ptr [esp+2C] ; load year :007FB5C2 25FFFF0000 and eax, 0000FFFF :007FB5C7 50 push eax ; push year :007FB5C8 E8F3190000 call 007FCFC0 ; encode date :007FB5CD 8B8C24F0000000 mov ecx, dword ptr [esp+000000F0] :007FB5D4 83C41C add esp, 0000001C :007FB5D7 85C9 test ecx, ecx :007FB5D9 7402 je 007FB5DD :007FB5DB 8901 mov dword ptr [ecx], eax So this is where the date/time is encoded (including the seconds!) - all we need to do now is change the code to push our own values, in this case a valid date/time with the license file 'time wind ' that I mentioned earlier. To find the 'time window' if you don't already know it, try a date near to when the magazine from which you got the CD was distributed. Assuming, as an example, that a v id date within the 'time window' for Corel WordPerfect 7 was 20/6/96 (20th of June 1996), we would alter the above code to look like the belo :007FB596 33C0 xor eax, eax ; set seconds to 0 :007FB598 90 nop :007FB599 90 nop :007FB59A 90 nop :007FB59B 50 push eax ; push second :007FB59C 33C0 xor eax, eax :007FB59E 66B80000 mov ax, 0000 ; set minutes to 0 :007FB5A2 90 nop :007FB5A3 50 push eax ; push minutes :007FB5A4 B800000000 mov eax, 00000000 ; set hours to 0 :007FB5A9 90 nop :007FB5AA 90 nop :007FB5AB 90 nop :007FB5AC 90 nop :007FB5AD 50 push eax ; push hours :007FB5AE 33C0 xor eax, eax :007FB5B0 66B81E00 mov ax, 001E ; set day to 30 :007FB5B4 90 nop :007FB5B5 50 push eax ; push day :007FB5B6 33C0 xor eax, eax :007FB5B8 66B80600 mov ax, 0006 ; set month to 6 (June) :007FB5BC 90 nop :007FB5BD 50 push eax ; push month :007FB5BE 33C0 xor eax, eax :007FB5C0 66B8CC07 mov ax, 07CC ; set year to 1996 :007FB5C4 90 nop :007FB5C5 90 nop :007FB5C6 90 nop :007FB5C7 50 push eax ; push year :007FB5C8 E8F3190000 call 007FCFC0 ; encode date :007FB5CD 8B8C24F0000000 mov ecx, dword ptr [esp+000000F0] :007FB5D4 83C41C add esp, 0000001C :007FB5D7 85C9 test ecx, ecx :007FB5D9 7402 je 007FB5DD :007FB5DB 8901 mov dword ptr [ecx], eax So, we push zeros for the hours, minutes and seconds, and we push a valid day/month/year (one that falls in the 'time window') - so every time the protection calls this routine it will return the y same encoded date each time! BTW, my patching above is rough and ready, with many unnecessary nops (0x90) in it - you should of course try to patch code using few (if any) nops. I'll leave this a a short exercise for ASM newbies, they can try to tidy up my patch a bit, make it more elegant :-) Don't forget, this scheme is applied after the program is created, so the code is *exactly* the same for each application protection with the Elan scheme, making it very easy for us +crackers to c k...I suspect we will soon see a new 'improved' version of this scheme though...wait and see... Thus we render yet another (probably very expensive) protection scheme useless. There are still some (minor) limitations with this crack however; you must delete the registry key 'HKEY_LOCAL_MACH System\SOFTWARE\RBO', and all values it contains. You'll also need to replace the appropriate LIC file with the original, 'uncorrupted' copy. So long as you do that and then patch the application ore running it again it will never expire and you're free to use it as long as you desire (not that you would of course, as that may be illegal ;-) I'll tell you what, let's take this a step further and write a little C program to search the application for the code we need to patch (remember, it will be the *same* for every Corel/Elan appli on - how convenient!), and then patch it with the desired date. Following is the code to my 'generic crack', it's pretty simple but it works fine (sorry if the formatting gets messed up. /* START PATCH.C */ #include<stdio.h> #include<stdlib.h> #define TRUE 0 /* These (hopefully) make the code */ #define FALSE 1 /* more readable :-) */ #define TLEN 7 /* Length of target string */ /* The below (global) array holds the patch which will be applied */ unsigned char patch[]={0x33, 0xC0, 0x90, 0x90, 0x90, 0x50, 0x33, 0xC0, 0x66, 0xB8, 0x00, 0x00, 0x90, 0x50, 0xB8, 0x00, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90, 0x90, 0x50, 0x33, 0xC0, 0x66, 0xB8, 0x00, 00, 0x90, 0x50, 0x33, 0xC0, 0x66, 0xB8, 0x00, 0x00, 0x90, 0x50, 0x33, 0xC0, 0x66, 0xB8, 0x00, 0x00, 0x90, 0x90, 0x90, 0x50}; int cmp(char *buf, char *target); void getdate(void); /* This function gets and validates */ /* a date from the user */ void main(int argc, char *argv[]) { FILE *fp; unsigned char buf[TLEN]; /* The below array holds the target search string */ unsigned char target[TLEN]={0x89, 0x4E, 0x0C, 0x8B, 0x44, 0x24, 0x20}; int c; long int location = 0; long int pos = 0; int match = 0; int found = TRUE; printf("Generic crack for *ALL* Corel trial applications, (c) +ReZiDeNt 1997\n\n"); if(argc < 2) { printf("Usage: PATCH.EXE <TARGET.EXE>"); exit(0); } fp=fopen(argv[1],"r+b"); if(!fp) { printf("ERROR: Unable to open file"); exit(0); } getdate(); printf("\nSearching - please wait, this may take some time...\n"); while((c=fgetc(fp)) != EOF) { if(c == target[0]) { pos=ftell(fp); ungetc(c, fp); if(fread(buf, sizeof(buf)+1, 1, fp) != NULL); { found = cmp(buf, target); if(found == TRUE) { match++; if(match == 1) location = ftell(fp); } else fseek(fp, pos, SEEK_SET); } } } if(match == 0) printf("ERROR: No match found"); if(match == 1) { printf("Target found! Patching..."); fseek(fp, location, SEEK_SET); fwrite(&patch, sizeof(patch), 1, fp); } if(match > 1) printf("ERROR: More than one location was found"); fclose(fp); } /* We can't use 'strcmp' because there are NUL values in the string */ int cmp(char *buf, char *target) { int j=0; while(j<TLEN) { if(*buf++ != *target++) return FALSE; j++; } return TRUE; } void getdate() { int day, month, year; int leap; int invalid = FALSE; /* patch[28] == day */ /* patch[36] == month */ /* patch[44-45] == year (reverse byte order!) */ printf("Enter day: "); scanf("%d",&day); printf("Enter month: "); scanf("%d",&month); printf("Enter year: "); scanf("%d",&year); if((year % 4) == 0) leap = TRUE; else leap = FALSE; if(month < 1 || month > 12) invalid = TRUE; switch(month) { case 1, 3, 5, 7, 8, 10, 12 : { if(day > 31 || day < 1) invalid = TRUE; } ; break; case 2 : { if(leap == TRUE && day > 29 || day < 1) invalid = TRUE; if(leap == FALSE && day > 28 || day < 0) invalid = TRUE; } ; break; default : { if(day < 1 || day > 30) invalid = TRUE; } } if(invalid == FALSE) { patch[28] = day; patch[36] = month; asm { mov ax, year; mov patch[45], ah; mov patch[44], al; } } else { printf("ERROR: Invalid date entered"); exit(0); } } /* END PATCH.C */ Well, I suppose that's about it for now...please let me know if you have any questions about this essay - I know it's not as good as it could be, I've not really investigated things from the Elan v w (e.g. decoding the LIC file format or reg keys etc.) - but I'll try to answer anyone's questions and comments, and then I'll publish this for all. Keep Cracking, +ReZiDeNt -----#3------------------------------------------------- Subject: Norton protections Hi all! The other day I posted a message in here regarding a new PCPro cover CD - it has loads of Symantec (Norton) and Corel programs on it. This message was also posted on +fravia's blackboard. Now, I've already written about how to defeat the Corel protection, and I thought I'd mention a few things I discovered while cracking the Symantec products - this is *not* an essay, I just thought I'd let everyone know, perhaps save some time and frustration if you need the proggies in a hurry ;-) Firstly, don't even try to get ready made cracks (they probably won't work, since the protection used in these versions is different, and *not* all the same 'IRATRIAL.DLL') - in any case, we don't need to, we're +crackers :-) Secondly, the different programs all use *different* protections - some (NU, AntiVirus) use a scheme which can be reversed to 'unlock' the full versions, while others (Visual Page) use run-of-the-mill moronic date checks, which are dead easy to crack. OK, both Norton Utilities and AntiVirus are, as I already said, 'unlockable' - when the program starts, you are given an option to buy the full version using a modem or Internet connection - but with phone bills being so high, you might want to avoid the cost of phone calls and simply unlock them yourself. Now, if you look in the directory where you installed NU you'll see that many of the files appear to be redundant - there are EXE files with 'pop' in the end of the filename, there are files with the extension 'DL_' etc. This made me think a bit, so I snooped inside the EXE 'pop' files and saw a text string like so: 'Turnkeyexe progam popper' or words to that effect. In short, this program is executed to unlock the full version, and it uses some of the redundant files to cobble together these full versions. If you look inside these pop files with BRW you'll see a dialog box asking for a name and serial - now, this probably is shown to you *after* you make the phone connection to purchase the full version - obviously, we can't make a phone call to get to this dialog, so we'll have to trick our way in. If you run any one of these pop files it will give you a message first saying 'preparing your application' and then 'this program cannot be used at this time' - hmm....looks like it wants something - using Filemon and Regmon you'll see that it does indeed look for a license file (named 'license.12345', where '12345' are a collection of numerals) - basically, BPX on MessageBoxA until you get the error message and then using a dead listing or SoftICE trace back - it took me just a few minutes to reach the Dialog box (by jumping over quite a few locations) asking for the familiar name/serial number combination - BPX on GetDlgItemText and you're very near the code check (which is performed by RSAGNT32.DLL) - fix that in memory and your app will unpack itself *and* write a key to the registry which will allow you to unpack all the other EXEs just by running them (yes, automatically)! Sorry if the above is unclear, shoddy, incomplete, stupid or even downright incoherent: I've got the flu and I've been working on the Corel crack, and I've lost the notes I made when cracking the Norton stuff above, so this is all from memory - sorry about that! Anyway, it might help someone to get it sorted properly, which is what I hope. Cheers, +ReZiDeNt PS Hackmore! Please don't remove IDA Pro just yet! I've only a 14.4 modem and I have to wait to the weekends to download (phone costs are prohibitive at all other times) - if I'm going to d/l 10MB I'd rather get the ful version :-) -----#4------------------------------------------------- Subject: Cracker without a cause Before I discovered +Fravia's pages and +ORC's tutorials, I always considered cracking just something a few elite people did to play games for free. Reading +ORC's tutorials got me thinking about cracking in a much larger scale, world cracking, and I realized that cracking isn't just a process, it's a state of mind that can be applied to any aspect of life. After reading the message from +ORC about the Adobe project, I understand what real meaning cracking can have. We aren't just a bunch of misfits who are tired of paying high software prices. We aren't just some fanatic anarchists that want to destroy big corporations. We are trying to make the world better by breaking through walls, by letting the upper-class know that the rest of us won't be repressed for any reason, especially for nothing but their greed, and most of all, by freely and openly educating and training anyone who wants it. By doing this we not only add to our own ranks, but get the public behind us. We will soon no longer be the freaks that are wreaking havoc, but the crusaders of justice, the voice of the people. But that's just my opinion, I could be wrong. Shadow Stalker -----#5------------------------------------------------- Subject: A letter of Intent, Motivation, and Precations Friends; In responce to Fravia's recent posting in the HCU News Letter, and his personal request to me, please let me explain why, and how, I have made Ida Pro a free gift to you. Also, let me point out from the start, Fravia is quite correct when he points out that we should NOT harm the author of this great program by letting it become "public domain" on the web. Ilfak Guilfanov should be commended and well rewarded for his fine work, and the great program he has written. This is NOT intended as an "excuse" for what I've done, it is also NOT intended as an apology. I believe what I have done will benefit ALL of us at HCU, and that very little, if any, damage will come from it. Intentions: My sole intent is to deliver this program, un-corrupted, and fully registered, to the members of the HCU News Letter. As Zer0 pointed out recently, there are about 40 subscribers. I have NO intent, what-so-ever to damage Ilfak Guilfanov in ANY way, financialy or otherwise. Motivation: I have many motivations for doing this. I realize that many of you are young, just starting out, and/or do not have the financial resources to afford a piece of software that costs $200.00. This program cost ME ALL of one weeks paycheck, and half of a second weeks paycheck, so I can understand how you feel about such an expensive tool. I simply felt we should ALL have the same advantages as those WITH the financial resources to afford it. A second reason was greed. DataRescue, the company that distributes Ida Pro, is a VERY greedy company. Those of you who have read my essays on Fravias webpages probably know that "social engineering" is ONE of my cracking methods. Although I will keep the details private, my dealings with DataRescue left me with a very strong dis-like for them. If this sounds like "revenge" to you, I'm sorry but you are mistaken. I have nothing to get "revenge" for. I just do NOT like greedy people. Please keep in mind that DataRescue is the DISTRIBUTOR of Ida Pro, NOT the AUTHOR. Another point is, we SHOULD and NEED to work together. This means sharing our KNOWLEDGE as well as our TOOLS. Why should one GREAT cracker be handicaped because he does NOT own, or can't afford a tool, while another AVERAGE cracker owns the tool, but doesn't know how to use it! Yet another reason is that so many "demo" versions of a product have missing code, missing functions, etc. Even though we can crack a program, how do we know whats missing? An example is my essay on how to crack NetScanTools. By changing the value placed into a single register, you dis-able the "nag" screen in NetScanTools, and add the function of a "help" button to the user GUI. Unfortunately though, when you press the "help" button, all you get is a "file not found" error message. Should we, as crackers, design our own "help" file for this program? How do we add help topics for the functions we don't even know exist? Those of you who have read the hackmore.txt file I placed with the program may have noticed the difference in size between the "demo" and the fully registered version. Is there a cracker alive who can replace the "missing" bytes in the "demo" version without anything to compare to? And how often do we "crack" a program, only to find out months later that we've "missed" something? Precautions: I have taken EVERY precaution I could think of to keep this "free offer" restricted to HCU News Letter members only. The only exceptions to this are that I have sent four "private" invitations to HCU members, (Fravia, Gthorne, and two others). I created a website known ONLY to HCU News Letter members, and SHARED web-space with mammon, who IS a member. I did not even ask Fravia to post a link to my page for HCU members to use, because many "non-crackers" visit his web-pages. I gave the files arbitrary names, part1.zip and part2.zip, and hid them behind ".gif" images to discourage "lamers" from downloading them. If a "lamer" DID notice the link, he would surely think he was getting "part 1" and "part 2" of my ".gif" images, and become discouraged when it was taking a couple of hours just to download a silly picture. In the event the "lamer" did wait it out, it's not likely he would know how to use the product anyway! I've made this "offer" for a SINGLE version (3.7) of Ida Pro. It's not likely that I would pay out another $200.00 just because a new version becomes available. Although I would hope that someone WOULD share a newer version with ME. And finaly, I made it clear right from the start that this offer would last only 30 days (which I will now reduce to 7 days, at Fravias request) and that I WOULD NOT maintain the web-site after that. I do realize that "some" of you might spread the program around on other web-pages, and through warez. In fact, I encouraged this in the hackmore.txt file included in the download. My, perhaps mistaken, assumption was that the program would be shared with people who share our interests, (i.e. "other crackers"), not as a bargaining tool. Please keep this point in mind if you intend to "share" this program. I would also assume that there are thousands of government agencys and corporate and private businesses alike who will PURCHASE this amazing tool. It's not likely DataRescue will miss a mere 40 copies of this program while bathing in all the money those sales will make for them. * * * * * Let me close with a reminder that Fravia IS right when he points out that we could damage the author of this fine tool. However, I feel that I've handled this "free offer" in a manor which not only benefits ALL of US, but also does FAR LESS damage to Ilfak Guilfanov than we at HCU have done with other great tools, like Soft-Ice, and WDASM. Enjoy your new tools, but pay close attention to Fravias (and MY) words, feel free to damage DataRescue, but treat Ilfak Guilfanov with every bit of the respect he deserves! Hackmore Readrite -----#6------------------------------------------------- Subject: Where did +everyone go? Hail +All: Must all be out Trick and Treating. Imagine the honor of sharing space with fravia+ and +gthorne on the same Mail List #45. Got to print this one and save it. I wonder if +Orc subscribes and one day post a reply to this same list? Better watch my writing and make sure to spell check thoroughly just in case. Can't use the excuse of being a newbye forever and disappoint the great mentors. I got so much extra stuff with Teleport Pro, I may have to shut up for a while to research the material and prepare. Shouldn't have fixed that download limitation. Now I'm flooded. As a note to fravia+, be as messy and unorganized as you want with your site (Academy.HTML). I commend you for all the wonderful stuff you have placed there for the taking and all those gems of knowledge that you have elicited from contributors. Should I bite the hand that feed me? Should I ask you to chew my food to make it more palatable, when you have already toiled in the kitchen preparing the feast? Shame on me if I do? Let me spend my time and effort to appreciate it as a sign of respect and compliment to your achievements. If it is a mess it will only discourage the lazy and the weak in spirit. Let it be a weight and burden on me the reader to test my resolve. It will force me in turn to be more organized, more selective and more persevering. I will need dedication will force me to wade through it to make heads and tails out of it. Let me judge and deem what is relevant and prioritized it. If I fail that, I don't deserve to be here and waste your time. As stated in ML #45 I'm the type whose preference would be for you to add new pages to your site no matter how many and in any order. I will be responsible for reading, remembering and storing whatever information I retrieve and need from your site. Personally, I would say that your time better spent to provide a leadership role for us to follow. I for one am running behind you and you must set the pace. Enough said. Time for a workout. wlc -----#7------------------------------------------------- Subject: cracking pdf Hi all! First of all a joke: Why crackers confuse Halloween and Christmas? Because oct 31 = dec 25. :) Now some cracking: I have started to work on the pdf crack +ORC asked us. I downloaded ******************************************************************** file which is a detailed description of the pdf format, so not much cracking on that. (Some of us might start to write the txt -> pdf converter based on the specs.) After reading the security specs I got the next preliminary conclusions: Whether the menubar, toolbar of the reader is present when you open a document is not connected to the security, its controlled by boolean variables HideMenuBar, HideToolBar in the Viewer Preferences section of the file. You can change the true settings to false and they appear when you open the file. Be careful though not to change the lenght of the file when you change the text (you have enough space there fortunatelly), because the file lenght is linked to the security heavily. The restrictions what can be done with a file is contained in the P variable of the Filter section. Its an unsigned word value certain bits representing the writing, copying printing permissions of the user. You can not change this value to eliminate the restrictions because all text and picture data of the file (but not the file itself) is encoded by the RSA algorithm using a key provided by a hash function from a random file ID, the userkey, the permission value etc. This means that if we change permission value the text and data cannot be decoded correctly. (The reader complains of corrupted file, tries to fix it etc.) Therefore, we must let the program to decode the text with the original permission value and patch the program to set itself up with a "let him do everything" value later on. I got all this info only by reading the specs and setting values in the pdf files. Now I try to find the part of the program where he sets itself up according to the permission value. BTW the acrobat reader (being only a reader) does not allow modifying a document independently of the permission value which means this restriction is logically hard coded in it. I wrote this to inform you in which direction I am going with this project and to facilitate quick exchange of information to spare some work for all of us. bye Zer0+ =====End of Issue 46==================================== ======================================================== +HCU Maillist Issue: 47 11/02/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: Time to strike back... #2 Subject: Support for Hackmore #3 Subject: Signs of life detected in ML #4 Subject: gdsgfds #5 Subject: Server based protection checking and more work for us ARTICLES: -----#1------------------------------------------------- Subject: Time to strike back... Hi +all A strange crusade commenced many years ago, crackers have been rejected and disavowed since the burning of the internet and maybe a little before. Throughout the years we've been forced to enter the underground from time to time, disappearing and resurfacing thereafter, again and again... I've been recently, the target of many attacks to my most sacred web locations, banning all the work and dreams of many years in just a matter of weeks. Maybe is time for me to disappear for a while, in case this happens, I don't want to leave without saying this to all my great friends who have unconditionally supported me, and when I say this, I say it from my heart: they can ban my pages, they can ban my email addresses, they can ban my teaching documents, but they cannot and shall not ban my name, my work, my efforts and my teachings, these will survive forever... Best regards... Aesculapius... -----#2------------------------------------------------- Subject: Support for Hackmore Hello Hackmore! I would just like to voice my support for your decision to make IDA Pro available to the HCU mailing list readers. I, for one, would *never* be able to afford such a tool, and I'm sure I speak for many crackers when I say that. I very much appreciate your sacrifice in providing us with it - Thank you! (now we just need to learn how to use it ;-)) In any case, I suspect that you are actually doing the author of IDA Pro a favour; the more people who use and respect the program, the more people (e.g. commercial companies) will want to purchase it... Cheers, +ReZiDeNt -----#3------------------------------------------------- Subject: Signs of life detected in ML Hail Kubak: First, you have to play with Teleport Pro, if you know what I mean. Secondly, it is a worthwhile endeavor to do so until another utility comes along or when we can perfect our own, as if we have time. There is close to 900 files, almost 20 megs which I downloaded in one session. Check your program settings. With Netscape manual File/Save I previously got one quarter of that at about 10 megs but no pretty icons and pictures. If you don't set the level of retrieval properly, you may also get +gthorne and his +Orcpaks and some stuff called jammers. In about half an hour it checks through and retrieve updates now which I can later browse off-line for the changes and additions. Quite a bit of time saved for better use which is the whole point of this exercise. I hope that fravia+ will heed my ML suggestions and use the Add To Format on his site to make our life easier. Other than that I'm not asking for much. Just give me the basic car, with air conditioning and let me get there on my own. Thirdly, don't spend too much time maintaining your mirror. Most of us probably goes directly to fravia+ to check for new postings anyway and hopefully read this Mail List. If you have time, why not join a unit to work on Acrobat. Looks like we have a C specialist in +Rezident and judging from his expose on Corel, a formidable cracker we can also learn from. Let's get him on the team. Shadow Stalker sounds like he's just itching to get in on it also. As for Zero+, he's got the jump on us and is already running with the ball. Me, I'm just a part time Pascal biz apps programer. I study the Art of Cracking for my own enlightenment. Come on guys and girls. Let's not let the opportunity go by. Let's mobilize and kick Acrobat's butt for not doing it the right way. Hail Hackmore Readrite: I failed to include you in the above but saved it as a tribute to you, for last. You've got heart and that is what will count the most among friends. In time, we may get infiltrated and sabotaged. Who knows what forces will align or have aligned already against us? We can get paranoid and trust no one. That is the best way to drive us back into the recluse state from which we came. Isolated in his/her own closet with the computer and communicating with no one on the outside. Again, +Orc is correct. We must quickly form our cells, build up the trust in each other at a very early stage and then be prepared for the worst, for surely it will come once they are aware of our existence and our purpose. In the course we have charted for ourselves, we are John Waynes, sailing into 'In Harm's Way'. Little PT boats against the battleships. It would be an honor to have a guy like you, Hackmore, sailing along side. Anymore cell volunteers out there? At present, Zero+ is the only one with the readers list. In time it will grow and we can only judge each other on what was said and done. As stated before, please contribute something no matter how trite or trivial so that all of us will know that you are out there. Let's have none of this no name crap. If you can't give yourself a handle, plus or no plus name then one will be assigned to you when answering to your posts and you may not like it? If you want trust and friendship you have to open up for others to judge. Kinda like getting up and crossing the dance floor to ask a girl to dance. (Note: not a sexist remark). The fun is out on the dance floor not in the dark. I for one sat out for a hell of a long time. Didn't even bother to THANK FRAVIA on his page or make any waves to attract attention to myself without first reading and deciding if this is where I want to be and meet new friends. Excuse me while I check on Hackmore's gift. wlc -----#4------------------------------------------------- Subject: gdsgfds ---------------------------------------------------------------------------- ----- Hi all. Someone asked the project properties of Teleport Pro to grab the Fravia site, I remember having trouble at the beginning to fix this prog. Here is what it should be done. Create first a browsable HD web site. Then : Starting Adress properties : URL : ************************************** (obviously !-) Exploration depth : 50 (or more) Adress that begin with : ********************* (only) You should'nt have trouble to fix the rest of properties. I hope Fravia don't fall in flames with us in grabing entirely his site. On the contrary, he should be very proud of his popularity on our hard drives! :-) It's great and cheaper, we can browse Fravia off-line! :-) Hi Rezident. Waiting for a great essay from you on this hard Elan's protection. If Fravia is bored with time-protection, I assure him that this one wasn't a stupid kind of : call GetLocalTime, Je GoodTime. Ahem... I forget it isn't my crack... I was unable to hack it... I should say : Rezident can assure him this one was a good one. As he showed us a beginning in his yesterday mailing list letter. Well done again, ++++++Rezident! --FootSteps. ------------------------------------------------------------------------------ -----#5------------------------------------------------- Subject: Server based protection checking and more work for us Our work begins to give fruits. This is good, we'll keep ahead, of course, yet it's time to bite some new tasty protection scheme. In fact: Not all programmers are morons, and some of them have already began to react. Some of these reactions are due, believe it or not, solely to OUR activity, as many new versions which appeared a couple of days after the HCU publishing of the relative target do testify. Let's have a first look at the current "new" trends: FIRST New protection schemes are now relying whenever possible (read 'whenever the application must be used on the web' :-) on a 'server-side' checking of the Win95 registry in order to check if the correct information/version/info has ben stored (uncracked) there. This use is due to spread. For an esay example see quakespy (qspy) version 5.3. Version 5.2 had a simple registration scheme. Version 5.3 de-register the program as soon as you connect on line with your cracked version. Anybody has time for this? SECOND we'll soon have to crack more and more files that have been crypted with RSA, if you want already now to have a taste of it, you may want to investigate ZIPLOCK protected programs, for instance ************** Anybody has time for this? Awaiting your 'probes' in these (may be) difficult fields. Later fravia+ =====End of Issue 47==================================== ======================================================== +HCU Maillist Issue: 48 11/03/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: Acrobat....hmm..... #2 Subject: Time protections aren't dead just yet! #3 Subject: ZipLock #4 Subject: Three Cheers for Aesculapius! #5 Subject: Observations #6 Subject: Kubak/Windows ASM #7 Subject: Teleport Pro ARTICLES: -----#1------------------------------------------------- Subject: Acrobat....hmm..... Hi there wlc, > If you have time, why not join a unit to work on > Acrobat. Looks like we have a C specialist in > +Rezident and judging from his expose on Corel, > a formidable cracker we can also learn from. Let's > get him on the team. I'm flattered :-) hehe, but seriously, as I said before, there is yet *much* to be done on the Corel/Elan scheme (please everyone, tell me if you feel I've written enough, or whether more detail is needed - thanks), I would welcome all the help I can get...as for Acrobat, I've not yet had a chance to look at it (I must admit I'm not a huge fan of the Acrobat format - perhaps its because my monitor is only 14" and the pages seem to small <g>), but it does seem as though there are already a great number of crackers familiar with it... Cheers, +ReZiDeNt -----#2------------------------------------------------- Subject: Time protections aren't dead just yet! Hi FootSteps! > Waiting for a great essay from you on this hard Elan's protection. > If Fravia is bored with time-protection, I assure him that this one > wasn't a stupid kind of : call GetLocalTime, Je GoodTime. Ahem... I > forget it isn't my crack... I was unable to hack it... I should say > : Rezident can assure him this one was a good one. As he showed us a > beginning in his yesterday mailing list letter. Well done again, > ++++++Rezident! Yes, this time-protection is by no means simple; I suspect there are other equally powerful protections just around the corner, so we mustn't neglect any area of cracking - this is particularly important (IMHO) for newbies - they should try to learn as much as they can about *all* different types of protections, don't just stick to one kind, because the protectionists (some of them at least) *are* learning! Cya, +ReZiDeNt -----#3------------------------------------------------- Subject: ZipLock Hello fravia+, > SECOND > we'll soon have to crack more and more files that have been > crypted with RSA, if you want already now to have a taste of it, > you may want to investigate ZIPLOCK protected programs, for instance > ************** > > Anybody has time for this? I'm not sure I have much time ATM, but this field does interest me - I have tried it once before (a long time ago when the protection was weak and easy to crack), but it's *much* more secure now...is there anyone here who has any knowledge about this that they could divulge to us all? ISTR that PC97 used to release cracks for ZipLock stuff, but I've not seen any for awhile.... Cheers, +ReZiDeNt -----#4------------------------------------------------- Subject: Three Cheers for Aesculapius! Hello Aesculapius! > Maybe is time for me to disappear for a while, in case this > happens, I don't want to leave without saying this to all my great > friends who have unconditionally supported me, and when I say this, > I say it from my heart: they can ban my pages, they can ban my email > addresses, they can ban my teaching documents, but they cannot and > shall not ban my name, my work, my efforts and my teachings, these > will survive forever... You are absolutely right; they can't stop us, just as they cannot stop the waves of the sea. I thank you for mantaining such a brilliant site for so long...I'm sure no-one will forget you, even if you have to do a duck-dive for awhile....in the meantime, (at least) THREE CHEERS FOR AESCULAPIUS!!!!! Cheers, +ReZiDeNt -----#5------------------------------------------------- Subject: Observations Hail +All: Today is Sunday, no words from Zero+, must be lonely if one was an atheist. Here are some casual observations to take up space for Monday's ML. If each day I moved one boulder, eventually I will move a mountain. Alas! Some of us don't even see the mountain while others are attacking it with steam shovels. I'm not one to collect useless software, just useful ones if I can find them that will suit my needs and of course have new toys inside of them to play with. In agreement with writer who pointed out Teleport Pro to me. I use the string find utility found in TechFact95 and Grep.com which came with good old Borland's programming languages like C and Pascal. Am I still living in the stone age? I'm not complaining but I will evaluate any helpful suggestions. On further pondering re: fravia+ to Hackmore, why not let him leave his files there? If he gets a lot of outside activity we know how much we are being monitored. Be aware that others not on the list could intercept and read the contents. Time for Hackmore to check and see if that was true. I followed his instructions and downloaded his zips with Netscape. It crapped out on me at 98% and hung on the first zipped file. Why not use Teleport Pro? Got Part2.Zip OK, but Part1.Zip failed to unzip even with PkFix. One more time you say, no way Jose. So they don't work, I don't care. I only wanted to finish evaluating the features of Teleport Pro, not make a fool of myself. Tied up a couple of hours of my other computer's time while I was busy reading the new goodies from fravia+ off another computer. I was allocating resources but not wasting my time. Hey Hackmore, why don't you combine the two files and do something useful with them? You get the picture? If we got 40+ readers, where your the other hits come from? Did you review the essay by fravia+ on tracking before setting up the site? Great intelligence work if you did. wlc -----#6------------------------------------------------- Subject: Kubak/Windows ASM Attn Kubak/Regarding Widnows ASM programming: On a couple of my pages I have posted the source code to Barry Kauler's excellent "Windows Assembly Language Programming" book; it contains a wealth of examples on everything from "Hello World" in windows assembly to practical program skeletons and VXDs. Here are the URLs: ******************************************************** ****************************************************** The book is highly recommended; it is now in its second edition with Win32 assembly * US$45. -Mammon_ ______________________________________________________ Get Your Private, Free Email at ********************** -----#7------------------------------------------------- Subject: Teleport Pro Hi KUBAK, Hi all! :) > Secondly: someone wrote about teleporting entire fravia's site with > teleport pro. How did You set it up ?, For me it only fetches the first > page and says that it was everything to d/l. I use this starting address: **************************** (I bet you didn't know that :)) and tell the program to explore pages up to 15 links from that address. I originally started the wizard, telling I wanted a mirror of the site with the same directory structure. I added some extensions like ".C", ".asm" and so on (there is a file called "browse.c"). I told the program not to download .zip files (I downloaded them from university... :)) I hope it will work fine for you... I think it's the BEST way to keep the page updated on your hd and have all the time you want to browse all the site. Also, Teleport Pro is SO easy to crack! :) byez, .+MaLaTTiA. =====End of Issue 48==================================== -- End -- ======================================================== +HCU Maillist Issue: 49 11/04/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: Couple of thanxx... #2 Subject: Starting A New Week ARTICLES: -----#1------------------------------------------------- Subject: Couple of thanxx... Hi all !!! Hi Aesculapius !!! I have heard a lot about Your page and about You. You are right, they can not stop us, and I think that if we will stay together as one we WILL witnes the DOWNFALL of Necro$oft and other greedy companies. I havent had the pleasure to visit Your site, because whrever I went the page has been censored. So again, if You are so desperate : I could host Your site, and maybe even organize You an e-mail. There's plenty of room, and the site should be safe anough. Hi wlc ! First of all, I think that i will still maintain the site (updates 2 a month or so), just because it was ment for the people from my side of the world. We have a very poor transfer rates from Fravia's site in Poland for example. It sometimes takes up to 8 (eight) MINUTES to show the front page. With the phone costs of 4 zlotys per hour (a cost of a beer in a pub or two in a shop, or as You like it more than 6 HD floppies) it gets really expensive, asspecially for studens who seldom can afford paying their own bills. Internet acces on universities is not so good, I'm studying informatics and I cant get acces to a terminal without written permision of the principal ;( BTW: are there any Polish readers on the list ?? As for the acrobat project I'll have a look at it of course, but I really have very little time due to numerous exams ;((((( Hi FootSteps ! Thanks for the Fravia d/l properties. I'll try it out for sure ! Hi +ReZiDeNt ! Yor essay was pretty good in my opinion, althou it had some letters missing and was tricky to read. I think that this example shows us, how easy it is to crack a protection if You know how to find the CRACK, the weak spot of the sheme. Keep up the good work. This one was great !!! Hi Mammon ! Thanks for the links I'll d/l them as soon as possible. I don't think that i can afford the book because 1) it is not availiable in Poland, 2) if i were to get it from the US it would cost as much as half of 24 speed cd-rom ;( Hi MaLaTTiA ! Thanks for the properties for Teleport Pro. I have cracked it long ago and it was really easy to crack, i think that i even made a keymaker, but i'm not sure. Even if not i have studied the coding routine. PAC (piece a cake ;) Thanx to You all, sorry for such long letter but it is a two issue answer. Keep warm 'ya all. (I heard that this year's winter is going to be the winter of the century !!) Kubak -----#2------------------------------------------------- Subject: Starting A New Week Hail +All: Proposal to work with the Acrobat was only a suggestion and should be treated as such, just a proposal to stir up interest. Forming a tight knit group whereby we get to know each other and to share knowledge is the ulimate goal of being here. To quote fravia+ 'There are many other interesting things on the Web.' Many of you with your contributions to fravia+ and on this ML have proven you can effectively work on your own and your sharing is what brings us together. Hey +ReZiDeNt and -Mammon_, I love reading your stuff so keep it coming. Information and material to grab is a vital part of our investigative process. Just keep pointing me (us) in the right direction. Having evaluated Teleport Pro, I decided to search to see if there were other utilities of the same nature. Found a site called ******************* where they have sample downloads for BlackWidow, Clonemaster and NameWiz. As aways, you have to play with them before they are useful and a study or review of VB5 may help. Some may find certain features in BlackWidow helpful for their method of downloading, and the reorganizing files with Clonemaster and NameWiz. Good Golly, Wow, 15 links with Teleport Pro. Mine was set for 3 links and I got enough stuff to keep me distracted for months. Kindly advice, if you are really new to this, do not gorge. You can lose interest very fast and overlook the obvious. +Others are speed readers and deserve the racing cars that they drive. I'm in cruise mode so that I can enjoy my trip. Just like +ReZiDeNt, I use a humble 14" monitor and occasionally my notebook. With failing eyesight from computer staring I keep the fonts large and try to avoid rolling off the page. I see a big difference in my postings with others on the ML. I hope you don't mind. wlc =====End of Issue 49==================================== ======================================================== +HCU Maillist Issue: 50 11/05/1997 -------------------------------------------------------- Send Articles To:......................... ************* Info, Help, Unsubscription, etc:....... **************** ======================================================== CONTENTS: #1 Subject: OrcPak Upgrade #2 Subject: I think some of you will like this sort of compliments #3 Subject: An interesting tool: Numega's Smartcheck #4 Subject: Good work with mirror, Kubak ARTICLES: -----#1------------------------------------------------- Subject: OrcPak Upgrade I just thought I would let everyone know, I upgraded the SoftICE'95 in the OrcPaks to version 3.21 (and included 2.80 for purely organizational reasons) in OrcPak9A In case I havent mentioned it, 9E is available as well, with SoftIce 3.2 for NT and a few important things that are already available on my website (like an intlist and helppc and PowerC which is my favorite miniature C compiler) More again for my own bookkeeping :) Basically, I did these since our favorite download site has gone down... (Best wishes Aesculapius in repairing that situation) so you guys (and myself as well) have somewhere you can send people who ask for these particular programs. +gthorne ....Petitioning for a new world order where we have the right to peaceably DISassemble... -----#2------------------------------------------------- Subject: I think some of you will like this sort of compliments I'm getting more and more emailings like this one: flattening for us all, yet somehow scaring too, I believe >I honestly have no intention of doing anything for the "piracy" of it, >I just need to know how to make the dammed thing work. (Sorry for >the cussing, but when Micro$oft is involved, I often cuss). Cuz, if >I can't make the thing work, nobody else will either, I won't be able >to get my work done, then I will have to go find another job. Only >thing corporate tech support does for me is waste my time in fruitless >finger pointing sessions. >I think your group and your students hold the last hope for us as far >as being a robust workforce not strangled by digital blackmail. In >a few years, I think your students will be just about the only ones >around that will actually get the machines to work. Well, later fravia+ -----#3------------------------------------------------- Subject: An interesting tool: Numega's Smartcheck Hi +gthorne! Hope you have downloaded (and used) this NEW JUWEL by Numega: Smartcheck (Snatch's essay will help you to crack it in three seconds flat... the protection scheme is a real shame... Ryckman must be kidding us :-) I tried this toy to-day on a couple of real tough targets... it's a BEAST! I still can't believe it. I mean, I'm looking right now at it and I cannot believe it. If you thought that BRW was great, wait until you see what this one does: it RUNS your target and shows you EVERYTHING THAT HAPPENS during the executions of any function in a neat clean windozed way... I mean: you click on 'register' and inside smartcheck you see all the api called and where and from where and which return values and so on and so on... I can't believe it: they have made this thing for us (and they have given it to us too ... could be Numega's contribution to the cause?) I'm excited about this toy... I mean, I knew that it worked well, but I never realized HOW WELL it works... I think I'll send this note to +Zer0's list too. The Hukers ought all to play with it... they will squeeze every other cracker out of the scene with it! +ORC can say whatever he will: I don't believe that he has ever had himself such a toy in DOS or Unix! later fravia+ -----#4------------------------------------------------- Subject: Good work with mirror, Kubak Hail +All and Kubak: Checking my email, I didn't come across ML#47. Was one sent out? That would be the one for Sunday, November 2, 1997. In some time zones some of you would be one day ahead of me. If one was sent, could I trouble you to email me a copy to ************************ at your convenience. I would hate to miss the valuable contributions. Last week the teachers in this province decided to go on strike so all the kids must be causing general havoc playing on the Net. It was tough to get online and the bandwidth was clogged. I appreciate and understand the problems you have, Kubak, especially when my modem crawls at 400bps at times. It was a great idea for you to volunteer your services as a mirror and historic librarian for our activities. Since I came on board at ML#40, do you have ML#1 to ML#39? I usually borrow access and email addresses from people who don't use their accounts. In this case, this account was paid for a year so why not use it for them? I may have to look you up one day if they don't renew. Problem with Teleport Pro is that when you set up a Project Folder for a site you can't edit, sort or modify the Folder unless you want to 'play' with the Project Folder file. If files exists already on the drive because of retrieval with another browser, it will still download the same files. Apparently, it marks and compare the files from the site with the Project Folder files ignoring the fact that you have it already in the directory. Anyone encounter this problem to make it worth the while to look into or a suggestion to get around it? wlc =====End of Issue 50====================================