The World Of The Crack - Logo By Karlos Pinto

The world of the Crack -

- By GEnius

---------------------------------------------------------------------------------------------
INDEX

CH. 1: SOME WORDS ABOUT THE WORLD OF CRACKING
CH. 2: TOOLS REQUIRED
CH. 3: CRACKING EXAMPLES
           - Quintessential CD - Password crack
           - Inforia Quest 98 - Time trial remover
           - Help & Manual - Limited version to full
           - Winamp 2.05 - Tips to make a Key Generator
CH. 4: API REFERENCE
GREETINX
---------------------------------------------------------------------------------------------
--==CHAPTER 1: SOME WORDS ABOUT THE WORLD OF CRACKING==--

- What crack is. -
The software market is full of protected applications that do not let you use
all the features of the program unless you are a registered user. Cracking is
simply the art of removing protection from programs. Applications contain
different protection schemes, which can be summarised in the following way:
- Time trial check
- Disabled-function check
- Hardware key check
- CD-ROM check
- other (such as CD-ROM copy protection, annoying nag screens etc.).
The first type of protection (the most used) is found in shareware programs
that let you try the product for a limited period of time, after which it
stops working. The second one is usually used in shareware programs to disable
important functions, such as save or print. The last three protection schemes
are used by normal applications or games to protect the software from being
copied. In all these cases the cracker is the person who examines the code of
the program and removes the protection, so that the application can be used
with all functions enabled, or copied.
----------------------------------
- The reasons for cracking. -
Most crackers are not very interested in the applications they are cracking.
Their interest is in the protection schemes and in the challenge between them
and the coder of the program (it's my case!). Only in a few cases is the cracker
really interested in the application itself, and in that case the crack is more fun!
----------------------------------
- Crackers. -
Becoming a cracker takes several months, but becoming a good cracker takes
much longer. Generally we can distinguish two types of cracker: the normal
cracker and the advanced cracker. The normal cracker has a basic knowledge of
assembler. He may know no high level programming language, and he doesn't know
everything about the operating system or how an application is written.
The advanced cracker is an assembly master (he understands every line of
assembly code). He knows several high level programming languages (or at least
their logic) and the operating system, and he has coded at least one real
application. Several cracking tutorials say that a basic knowledge of assembly
and the operating system is enough to be a good cracker. That is partially true,
but a good cracker must understand all of the disassembled code! He needs to
know which OS functions the coder must call to do a given operation. All of
this cannot be done with intuition alone! I think the best cracker is also a programmer!
----------------------------------
- The approach to cracking. -
There are different ways to crack. The approach is determined by different
knowledge, different types of cracker and different personal preferences.
An example is worth more than a thousand words. There are two approaches to
cracking shareware programs that need a serial number to register: brutally
bypassing the check, or making a key generator. The first method is the
simplest and fastest and can be used by a normal cracker. The second one is
more complex: you need to understand the whole serial number check routine and
reverse it. The advantage of this method is that the serial number can usually
be used for further versions of the program. So the choice is determined by the
level of knowledge, the time the cracker has and his style of cracking.
----------------------------------
- Web cracker. A new cracking generation? -
Nowadays there are several cracking groups specialised in reversing web
scripts. There is nothing new in this, because web pages are written in Java or
something else, so they can be considered small programs. Consequently, this
is only another type of crack.
The web cracker usually reverses the protection schemes of web pages, creating
cracked passwords which are distributed on the web. I don't know how complex it
is to do that, but I think the main goal is not to let the administrator
discover the cracker.
----------------------------------
- Reverse engineering -
When you create a program you engineer it: you build the executable from the
source code. Reverse engineering is simply the art of generating source code
from an executable. It is used to understand how a program performs an action,
to bypass protection, etc. Usually it's not necessary to disassemble all the
code of the application; only the part of the application we are interested in
must be reversed. Reverse engineering is used by the cracker to understand the
protection scheme and break it, so it's a very important thing in the whole
world of the crack.

---------------------------------------------------------------------------------------------
--==CHAPTER 2. TOOLS REQUIRED==--

There are a lot of tools for crackers, but only two are essential: a debugger
and a disassembler. In this chapter I mention only tools for Win32 operating
systems. The MUSTs in this "world" are Softice and IDA. Softice is the best
debugger for Win9x, NT and even DOS; it lets you do anything you want with the
data in memory. IDA (Interactive Disassembler) is the best choice for a
disassembler because you can manipulate the code as you want with a script
language. Another very good disassembler is WDasm 32. Unlike IDA it's very
simple and user friendly; it can be used by newbies or when the target
application is not very complex or protected. Other interesting tools are
ExeSpy 98 or ApiVision, File Monitor, Registry Monitor, ProcDump and finally
Hacker View or another hex editor. ExeSpy 98, ApiVision, File Monitor and
Registry Monitor are applications that spy on the Win32 API and report what a
program does; the difference is that the first two are generic, while the last
two spy only on the API functions concerning files and the registry. ProcDump
is a new tool used to create a PE file (a Win9x/NT executable) from a process
in memory; it's used to defeat encrypted or packed executables. Finally, Hacker
View is one of the best hex editors, with a built-in assembler that allows you
to patch the executable. These are only some useful tools; a cracker can also
create his own tools to defeat a particular protection or to automate a process.

---------------------------------------------------------------------------------------------
--==CHAPTER 3. CRACKING EXAMPLES==--

The following examples are presented for educational purposes only. I assume
the reader knows what Softice and WDasm are and how to use them, and has a
basic knowledge of the Windows API and assembler. These four examples are not
intended to train newbies to crack, but only to explain to them what a crack is.
Note: the commands in brackets are Softice commands for newbies, and the
sentences after -) are actions. For a summary of the most important API
functions go to Chapter 4 - API Reference.
----------------------------------
(-) QUINTESSENTIAL CD. Password crack. (-)

The first and simplest program to crack is Quintessential CD ver 1.1 (from now
on I call it QCD). This is a very useful CD player; it's shareware and can be
registered with a username & password. These are the steps to follow to crack it:
-) Load the program and then set a breakpoint on GetDlgItemTextA (bpx
   GetDlgItemTextA)
-) Click on the register button, which you can find in the register section of
   the window menu
-) Enter a random name and a password
-) Now execution stops and Softice appears
-) Press F11 in Softice to leave the function and return to QCD's code
-) You can see this code:
---------------------------------- Cut Here ----------------------------------
:0040E2E6 8B35A4524200 mov esi, USER32.GetDlgItemTextA
:0040E2EC 8D4C2424 lea ecx, dword ptr [esp+24]
:0040E2F0 6A64 push 00000064
:0040E2F2 51 push ecx
:0040E2F3 684C040000 push 0000044C
:0040E2F8 53 push ebx
:0040E2F9 FFD6 call esi **USER32.GetDlgItemTextA
:0040E2FB 8D54240C lea edx, dword ptr [esp+0C]
:0040E2FF 6A0A push 0000000A
:0040E301 52 push edx
:0040E302 684D040000 push 0000044D
:0040E307 53 push ebx
:0040E308 FFD6 call esi **USER32.GetDlgItemTextA
:0040E30A 8D442424 lea eax, dword ptr [esp+24]
:0040E30E 8D4C2418 lea ecx, dword ptr [esp+18]
:0040E312 50 push eax
:0040E313 51 push ecx
:0040E314 E877E4FFFF call 0040C790
:0040E319 8D7C2420 lea edi, dword ptr [esp+20]
:0040E31D 83C9FF or ecx, FFFFFFFF
:0040E320 33C0 xor eax, eax
:0040E322 83C408 add esp, 00000008
:0040E325 F2 repnz
:0040E326 AE scasb
:0040E327 F7D1 not ecx
:0040E329 49 dec ecx
:0040E32A 0F8494000000 je 0040E3C4
:0040E330 8D54240C lea edx, dword ptr [esp+0C]
:0040E334 8D442418 lea eax, dword ptr [esp+18]
:0040E338 52 push edx
:0040E339 50 push eax
:0040E33A E811580100 call 00423B50 **check the serial number
:0040E33F 83C408 add esp, 00000008
:0040E342 85C0 test eax, eax
:0040E344 757E jne 0040E3C4 **if not the right serial number jump
:0040E346 8D4C240C lea ecx, dword ptr [esp+0C] **if you are here you have registered qcd!
:0040E34A 8D542424 lea edx, dword ptr [esp+24]
:0040E34E 51 push ecx
:0040E34F 52 push edx
:0040E350 E89B000000 call 0040E3F0
---------------------------------- Cut Here ----------------------------------
-) Press F5 to go to the next breakpoint, then F11
Now you are at 40E30A. From here you can trace the program flow with F8 and F10.
After some tests you understand that:
a) the call at 40E33A checks the serial number
b) the jump at 40E344 must be removed

So if you replace the jump at 40E344 with two NOPs, you can enter anything as
the serial number to register.

-) replace the jump at 40E344 with two NOPs (A 40E344; nop; nop)

But there is a problem: if you close QCD and then restart it, the info box says
that you have an unregistered version of the application. So QCD also checks
the serial at program start; to crack that too, follow these steps:

-) go to Softice and place a breakpoint at 40E33A (bpx 40E33A, IT'S THE CHECK
   PROCEDURE)
-) try to register again
   Softice appears, stopped at 40E33A
-) press F8 and place a breakpoint at 423B50 (bpx 423B50)
-) leave Softice (F5), then close and restart QCD
   Softice appears, stopped at 423B50
-) press F11 and you can see:
---------------------------------- Cut Here ----------------------------------
:0040AD5E 8D542428 lea edx, dword ptr [esp+28]
:0040AD62 685CDC4200 push 0042DC5C
:0040AD67 52 push edx
:0040AD68 E8E38D0100 call 00423B50 **check the serial number
:0040AD6D 83C408 add esp, 00000008
:0040AD70 85C0 test eax, eax
:0040AD72 7506 jne 0040AD7A **jump if it's not the right serial
:0040AD74 893D58DB4200 mov dword ptr [0042DB58], edi
:0040AD7A 8B442410 mov eax, dword ptr [esp+10]
:0040AD7E 50 push eax
---------------------------------- Cut Here ----------------------------------
As you can see, to crack this you only need to replace the jump at 40AD72 with
two NOPs (opcode 90).

-) Replace the jump at 40AD72 with two NOPs (A 40AD72; nop; nop)

Now you've cracked QCD. Congratulations!
------------------------------------------------------------------------------------------------------

(-) INFORIA QUEST 98. Time trial remover. (-)

Inforia Quest 98 is a very useful Internet search utility. The demo version is
limited to 30 days. Let's crack it:
-) Open the Softice symbol loader and load the Inforia Quest executable from
   the application directory.
   Make sure the option "stop at winmain, main etc." in the debugging page of
   the module->settings menu is enabled.
-) Place a breakpoint on GetLocalTime and press F5
   Softice stops at the start address of GetLocalTime
-) press F11 to go to the API caller

Now Softice at 4089E5 shows:
---------------------------------- Cut Here ----------------------------------
:004089E0 E863D1FFFF Call kernel32.GetLocalTime
:004089E5 668B4C240E mov cx, word ptr [esp+0E]
:004089EA 668B54240A mov dx, word ptr [esp+0A]
:004089EF 668B442408 mov ax, word ptr [esp+08]
:004089F4 E81FFEFFFF call 00408818
:004089F9 DD1C24 fstp qword ptr [esp]
:004089FC 9B wait
:004089FD DD0424 fld qword ptr [esp]
:00408A00 83C418 add esp, 00000018
:00408A03 C3 ret
---------------------------------- Cut Here ----------------------------------
**This is just the high level language's wrapper around GetLocalTime, from the
language this application is written in.

-) press F12 to go to the caller of this function:
---------------------------------- Cut Here ----------------------------------
:00461E39 E89A6BFAFF call 004089D8
:00461E3E DC65EC fsub qword ptr [ebp-14] **you are here!
:00461E41 E8960CFAFF call 00402ADC
:00461E46 85C0 test eax, eax
:00461E48 7D04 jge 00461E4E
:00461E4A 8BD8 mov ebx, eax
:00461E4C EB20 jmp 00461E6E
:00461E4E 8B5350 mov edx, dword ptr [ebx+50]
:00461E51 2BD0 sub edx, eax
:00461E53 7105 jno 00461E5A
:00461E55 E89A10FAFF call 00402EF4 **all this is very interesting!!
---------------------------------- Cut Here ----------------------------------
-) press F12 again and again until you see this code:
---------------------------------- Cut Here ----------------------------------
:004A396F E87CE4FBFF call 00461DF0
:004A3974 8BF0 mov esi, eax **You are here!!
:004A3976 85F6 test esi, esi
:004A3978 7D41 jge 004A39BB **an interesting jump?
:004A397A 8D55F0 lea edx, dword ptr [ebp-10]
:004A397D 8BC3 mov eax, ebx
:004A397F E8BCE7F7FF call 00422140
:004A3984 FF75F0 push [ebp-10]
:004A3987 68783A4A00 push 004A3A78
:004A398C 8D4DF8 lea ecx, dword ptr [ebp-08]
---------------------------------- Cut Here ----------------------------------
Now, if your trial period is over, the CPU does not jump at 4A3978, but if you
change the system date and try again the CPU does jump there! After some tests
with an expired and a non-expired installation of the application, you
understand that at 004A397A eax holds the number of days left to use Inforia
Quest. You could simply change the jump with Softice, but it isn't enough,
because if you try to search for something an ugly dialog box appears reminding
you that the program is expired. So you must look for another code location.
So far you have only understood that the code above is used to display the
number of days remaining, or the string "Expired!", in the caption bar of the
main window.

-) ignore all GetLocalTime breakpoints by pressing F5
-) try to search for something in the app
   Softice stops...
-) press F11 and then F12

Now you can see:
---------------------------------- Cut Here ----------------------------------
:00461B07 E8CC6EFAFF call 004089D8
:00461B0C DD5DF0 fstp qword ptr [ebp-10] **You are Here!
:00461B0F 9B wait
:00461B10 DB4650 fild dword ptr [esi+50]
:00461B13 DC45F8 fadd qword ptr [ebp-08]
:00461B16 DD5DE8 fstp qword ptr [ebp-18]
:00461B19 9B wait
:00461B1A 837E3000 cmp dword ptr [esi+30], 00000000
:00461B1E 7428 je 00461B48
:00461B20 8B5630 mov edx, dword ptr [esi+30]
:00461B23 8BC6 mov eax, esi
:00461B25 E88A010000 call 00461CB4
:00461B2A DD5DDC fstp qword ptr [ebp-24]
:00461B2D 9B wait
:00461B2E E8056FFAFF call 00408A38
:00461B33 DC5DDC fcomp qword ptr [ebp-24]
:00461B36 DFE0 fstsw ax
:00461B38 9E sahf
:00461B39 730D jnb 00461B48
:00461B3B DD45E8 fld qword ptr [ebp-18]
.
.*** other code
.
:00461B64 8B465C mov eax, dword ptr [esi+5C]
:00461B67 FF5658 call [esi+58]
:00461B6A EB13 jmp 00461B7F
:00461B6C 84DB test bl, bl
:00461B6E 750F jne 00461B7F **Here you must jump!!!
:00461B70 66837E6200 cmp word ptr [esi+62], 0000
:00461B75 7408 je 00461B7F
:00461B77 8BD6 mov edx, esi
:00461B79 8B4664 mov eax, dword ptr [esi+64]
:00461B7C FF5660 call [esi+60] **display the ugly box & close the app!
:00461B7F 33C0 xor eax, eax **jump here!!!!
:00461B81 5A pop edx
:00461B82 59 pop ecx
:00461B83 59 pop ecx
---------------------------------- Cut Here ----------------------------------
After studying this code you understand that you must force the jump at
00461B6E to crack it.
Tip: to study this code you can use WDasm, and you can try with Softice what
happens when the application is expired and when it is not, so you can check
the correct execution flow of the program.

-) change the jne at 00461B6E to a jmp (A 00461B6E; jmp 00461B7F)

Now the search works, but you still have an ugly "xxx days left" on the caption
bar. To remove it follow these steps:

-) Restart the program
-) place a breakpoint at 004A3974 (bpx 004A3974)
-) press F5

Do you remember this location? Look above, I've already explained it.

-) change the mov at 4A3974 to xor esi,esi (A 4A3974; xor esi,esi) to force
the jump at 4A3978

After the jump you can see:
---------------------------------- Cut Here ----------------------------------
:004A39BB 8D55F4 lea edx, dword ptr [ebp-0C]
:004A39BE 8BC3 mov eax, ebx
:004A39C0 E87BE7F7FF call 00422140
:004A39C5 8D45F4 lea eax, dword ptr [ebp-0C]
:004A39C8 50 push eax
:004A39C9 8D45F8 lea eax, dword ptr [ebp-08]
:004A39CC 50 push eax
:004A39CD 8D4DEC lea ecx, dword ptr [ebp-14]
:004A39D0 BA983A4A00 mov edx, 004A3A98
:004A39D5 8B835C030000 mov eax, dword ptr [ebx+0000035C]
:004A39DB E80CB5FCFF call 0046EEEC
:004A39E0 8B45EC mov eax, dword ptr [ebp-14]
:004A39E3 8975E4 mov dword ptr [ebp-1C], esi
:004A39E6 C645E800 mov [ebp-18], 00
:004A39EA 8D55E4 lea edx, dword ptr [ebp-1C]
:004A39ED 33C9 xor ecx, ecx
:004A39EF E8344AF6FF call 00408428
:004A39F4 8B55F8 mov edx, dword ptr [ebp-08]
:004A39F7 58 pop eax
:004A39F8 E8DF03F6FF call 00403DDC ***the routine below writes the days left on the window caption
:004A39FD 8B55F4 mov edx, dword ptr [ebp-0C]
:004A3A00 8BC3 mov eax, ebx
:004A3A02 E869E7F7FF call 00422170
:004A3A07 8D83A8050000 lea eax, dword ptr [ebx+000005A8]
:004A3A0D 8B55FC mov edx, dword ptr [ebp-04]
:004A3A10 E89701F6FF call 00403BAC
:004A3A15 33C0 xor eax, eax
:004A3A17 5A pop edx
:004A3A18 59 pop ecx
---------------------------------- Cut Here ----------------------------------
The routine at 004A39F8 and below writes the days left on the window caption.
So you must jump to 004A3A15 to bypass the changes to the caption.

-) change the call at 004A39F8 to jmp 004A3A15 (A 004A39F8; jmp 004A3A15)

Now you have cracked Inforia Quest. That's all. Congratulations!
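
Inforia Quest's check is one subtraction and a sign test on the current date, which is why setting the system date back restores the trial. The added C example below (my own, not the tutorial's or Inforia's code; the record layout and the day numbers are constructed) shows that weak shape beside a check that also keeps a high-water mark of the last date it has seen, so a clock that runs backwards is treated as expired:

```c
#include <stdio.h>

#define TRIAL_DAYS 30

/* Persistent trial record, as a licence file or registry value would hold it
 * (constructed layout).  Dates are plain day numbers so this runs offline. */
struct trial_state {
    long install_day;    /* day the trial began */
    long last_seen_day;  /* latest date the program has ever observed */
};

/* Weak check, the shape of the Inforia Quest listing: one subtraction and a
 * sign test (the jge at 4A3978).  Nothing notices that "today" went backwards. */
int days_left_weak(const struct trial_state *st, long today)
{
    return (int)(st->install_day + TRIAL_DAYS - today);
}

/* Hardened check: a date earlier than one already seen means the clock was
 * moved back, so the trial is treated as over; the high-water mark only ever
 * advances.  Returns days left, or -1 when expired or rolled back. */
int days_left_checked(struct trial_state *st, long today)
{
    if (today < st->last_seen_day)
        return -1;                               /* clock rollback */
    st->last_seen_day = today;
    long left = st->install_day + TRIAL_DAYS - today;
    return left >= 0 ? (int)left : -1;
}

/* Scenario used by main and the tests: the trial began on day 1000, the
 * program last ran (already expired) on day 1040, and the clock has now been
 * set back to day 1010. */
int weak_after_rollback(void)
{
    struct trial_state st = { 1000, 1040 };
    return days_left_weak(&st, 1010);            /* 20: trial "restored" */
}

int checked_after_rollback(void)
{
    struct trial_state st = { 1000, 1040 };
    return days_left_checked(&st, 1010);         /* -1: rollback detected */
}

/* A fresh install on day 1000 queried on day 1005 still gets its 25 days,
 * and the stored mark moves forward to 1005 (otherwise -99). */
int checked_fresh(void)
{
    struct trial_state st = { 1000, 1000 };
    int left = days_left_checked(&st, 1005);
    return st.last_seen_day == 1005 ? left : -99;
}

int checked_expired(void)
{
    struct trial_state st = { 1000, 1000 };
    return days_left_checked(&st, 1045);         /* -1: 15 days past the end */
}

int main(void)
{
    printf("weak,    clock set back: %d days left\n", weak_after_rollback());
    printf("checked, clock set back: %d\n", checked_after_rollback());
    printf("checked, fresh install : %d days left\n", checked_fresh());
    return 0;
}
```

The record still has to live somewhere the user cannot simply delete or edit, and the hardened check still compiles to a branch; this closes only the clock-rollback hole the walkthrough relies on.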
------------------------------------------------------------------------------------------------------

(-) HELP & MANUAL. Limited version to full. (-)

The program we would like to crack is Help & Manual ver 1.4h. This is a very
good help maker that allows you to save in help, rtf and html format. The
downloaded program is only an evaluation copy, with the export and print
functions disabled. This program has no dialog that allows you to register, so
it seems to be a limited version of the application. But a cracker knows that
not all "limited version" applications are really limited. In fact most
applications include the code of the disabled functions even though it isn't
used. In these programs the application usually checks a flag (a global
variable) to know which version of the program (limited or registered) is
running!! The cracker simply has to look for the memory location holding this
information and change it. Ok, let's crack Help & Manual!

-) Start the program, load an example, then try to export the project in Win95
   help format.
   A message box appears showing the text "UNREGISTERED VERSION. This function
   is enabled in the registered version only?", ohhh noooo, we dislike it!
-) start WDasm and disassemble the executable, then search for the string and find:
---------------------------------- Cut Here ----------------------------------
:00505848 6A00 push 00000000
:0050584A 668B0DA8595000 mov cx, word ptr [005059A8]
:00505851 B202 mov dl, 02

Possible StringData Ref from Code Obj ->"UNREGISTERED VERSION. This function "
**OUR STRING!!!!!----------------->>> ->"is enabled in the registered version "
**OUR STRING!!!!!----------------->>> ->"only?"

:00505853 B8B4595000 mov eax, 005059B4
:00505858 E88710F4FF call 004468E4
:0050585D E9C6000000 jmp 00505928
:00505862 8BC3 mov eax, ebx
:00505864 E867FAFFFF call 005052D0
---------------------------------- Cut Here ----------------------------------
-) look a bit further back in the code and find:
---------------------------------- Cut Here ----------------------------------
:00505831 B201 mov dl, 01
:00505833 8BC3 mov eax, ebx
:00505835 E8927AFFFF call 004FD2CC
* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:005057CE(C), :00505805(C)

:0050583A 80BBED05000000 cmp byte ptr [ebx+000005ED], 00 ***OOOhhhhhh!!
:00505841 751F jne 00505862 ***A memory location check!!
:00505843 E85464F0FF call 0040BC9C
:00505848 6A00 push 00000000
:0050584A 668B0DA8595000 mov cx, word ptr [005059A8]
:00505851 B202 mov dl, 02

Possible StringData Ref from Code Obj ->"UNREGISTERED VERSION. This function "
->"is enabled in the registered version "
->"only?"
:00505853 B8B4595000 mov eax, 005059B4
:00505858 E88710F4FF call 004468E4
---------------------------------- Cut Here ----------------------------------
At location 50583A there is a comparison between a byte and 0. It could be the
flag you're looking for!

-) go to Softice and place a breakpoint at 50583a (bpx 50583a).
-) Try again to export a project
   Instead of the message box, Softice opens, stopped at location 50583a.

-) bypass the check by changing eip to 505862 (reip 505862) and leave Softice
   (F5).

Magically the export is done! A help (or rtf or html) file has been created,
but if you look at it you find an ugly text that says "This help file was
created with an unregistered copy of Help & Manual.". So bypassing the check is
not sufficient for a good crack... In fact you've only bypassed the check, but
you haven't changed the flag.

-) click the export button again; when Softice stops at 50583a, change the
memory location ebx+000005ED (the flag) to 01 (E ebx+5ed and then change the
first byte to 01) and leave Softice.
Now the project is exported and there isn't any ugly text!! Ok, you have found
where the flag is and the value to set it to. But where can you set this flag?
The best place to set the flag is where the program initializes it, so you must
look for that place. To do that follow these steps:

-) place a breakpoint on write at the memory location of the flag (BPMB
0167:f89279; the segment/selector can be different on another system, it is the
current value of the ds register) and then restart Help & Manual.
After some unimportant breakpoints (repz movsd) you find the right location:
---------------------------------- Cut Here ----------------------------------
:0050039B 648920 mov dword ptr fs:[eax], esp
:0050039E A1D0025100 mov eax, dword ptr [005102D0]
:005003A3 8B00 mov eax, dword ptr [eax]

:005003A5 8A4044 mov al, byte ptr [eax+44] <--) **Here you can do the modification

:005003A8 8B55FC mov edx, dword ptr [ebp-04]
:005003AB 8882ED050000 mov byte ptr [edx+000005ED], al **FLAG LOCATION
:005003B1 A1FC035100 mov eax, dword ptr [005103FC]
:005003B6 C6002C mov byte ptr [eax], 2C
:005003B9 8B45FC mov eax, dword ptr [ebp-04]
:005003BC 80B8ED05000000 cmp byte ptr [eax+000005ED], 00 **FLAG LOCATION
:005003C3 7533 jne 005003F8
---------------------------------- Cut Here ----------------------------------
You can set the value of al at 5003a5, so that at 5003ab the flag is set to
your value. You can apply this code:

005003A5 mov al,01
005003A7 NOP **added because this byte is left over after the change in the code

The crack is done. :) Congratulations!
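
The QCD walkthrough reduces the whole protection to `test eax, eax / jne`, and Help & Manual's to one byte at [ebx+5ED]; in both cases editing a single instruction (or byte) defeats it. The added C example below (my own, not from the tutorial or from any of these programs; the serial scheme, product key and XOR mask are toys constructed for it) contrasts that shape with a design where no such branch exists, because the licensed data itself is derived from the serial rather than gated by a yes/no result:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEMPLATE_LEN 15
static const char TEMPLATE[TEMPLATE_LEN + 1] = "EXPORT TEMPLATE";

/* Constructed product secret.  The weak design must embed it to compare;
 * the keyed design ships only data masked with it, so the binary never holds
 * a yes/no answer that one byte or one branch can flip. */
#define PRODUCT_KEY 0x5A3C9E71u

/* Toy name hash (32-bit FNV-1a), constructed for this example. */
static uint32_t name_hash(const char *name)
{
    uint32_t h = 2166136261u;
    for (; *name; name++)
        h = (h ^ (unsigned char)*name) * 16777619u;
    return h;
}

/* The vendor's serial for a name: hash(name) XOR product secret (toy). */
uint32_t valid_serial(const char *name)
{
    return name_hash(name) ^ PRODUCT_KEY;
}

/* ---- weak design: validate once, then branch on the result ------------- */
/* `patched` = 1 stands for the NOPed jne / forced jump of the walkthroughs:
 * the check still runs, but its result no longer decides anything. */
int export_weak(const char *name, uint32_t serial, int patched,
                char out[TEMPLATE_LEN + 1])
{
    int registered = (serial == valid_serial(name));   /* the flag byte  */
    if (!registered && !patched) {                      /* the single jne */
        out[0] = '\0';
        return 0;
    }
    strcpy(out, TEMPLATE);   /* the real data was in the binary all along */
    return 1;
}

/* ---- keyed design: the data itself depends on the serial --------------- */
static void xor_with_key(const uint8_t *in, uint8_t *out, size_t n,
                         uint32_t key)
{
    uint32_t s = key;                  /* toy LCG keystream, not a cipher */
    for (size_t i = 0; i < n; i++) {
        s = s * 1103515245u + 12345u;
        out[i] = in[i] ^ (uint8_t)(s >> 16);
    }
}

/* No comparison, no flag: the key is derived from (name, serial) and applied
 * to the masked template that the binary ships (masked here at run time only
 * to keep the example self-contained).  A wrong pair yields garbage, and no
 * branch exists whose removal would change that.  A leaked valid pair still
 * reveals the product secret; this removes the patch point, nothing more. */
void export_keyed(const char *name, uint32_t serial, char out[TEMPLATE_LEN + 1])
{
    uint8_t masked[TEMPLATE_LEN];
    xor_with_key((const uint8_t *)TEMPLATE, masked, TEMPLATE_LEN, PRODUCT_KEY);
    uint32_t key = serial ^ name_hash(name);   /* == PRODUCT_KEY iff valid */
    xor_with_key(masked, (uint8_t *)out, TEMPLATE_LEN, key);
    out[TEMPLATE_LEN] = '\0';
}

/* 1 when the export produced the genuine template (used by main and tests). */
int weak_yields_template(const char *name, uint32_t serial, int patched)
{
    char out[TEMPLATE_LEN + 1];
    export_weak(name, serial, patched, out);
    return strcmp(out, TEMPLATE) == 0;
}

int keyed_yields_template(const char *name, uint32_t serial)
{
    char out[TEMPLATE_LEN + 1];
    export_keyed(name, serial, out);
    return strcmp(out, TEMPLATE) == 0;
}

int main(void)
{
    uint32_t good = valid_serial("GEnius"), bad = good ^ 1u;
    printf("weak+patched, wrong serial: usable=%d\n", weak_yields_template("GEnius", bad, 1));
    printf("keyed, wrong serial:        usable=%d\n", keyed_yields_template("GEnius", bad));
    printf("keyed, right serial:        usable=%d\n", keyed_yields_template("GEnius", good));
    return 0;
}
```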
------------------------------------------------------------------------------------------------------

(-) Winamp 2.05. Tips to make a Key Generator (-)

Winamp is one of the best mp3 players in the world; it's shareware and can be
previewed for 14 days. We want to register Winamp only for educational
purposes, because Winamp keeps working after that period. Winamp 2.05 is
compressed with Petite, so we can't patch the executable directly, and I must
use another approach. And now the crack:
-) Start Winamp and go to the register dialog box
-) Enter your name
-) Enter a number of 5 digits (or something else).

Note that the OK button is disabled. That isn't a problem.
-) go into Softice (ctrl-d), place a breakpoint on GetDlgItemTextA, and go out
   (F5)
-) enter a number in the Number edit box
-) after the breakpoint press F11
---------------------------------- Cut Here ----------------------------------
:0041E6CF FF15A0D64400 Call USER32.GetDlgItemTextA ** YOU are here
:0041E6D5 6A00 push 00000000
:0041E6D7 6A00 push 00000000
:0041E6D9 688C040000 push 0000048C
:0041E6DE 53 push ebx
:0041E6DF FF1570D64400 Call USER32.GetDlgItemInt ** get the serial number from edit box
:0041E6E5 8BF0 mov esi, eax ** esi and eax now contain your false serial number
:0041E6E7 8D442410 lea eax, dword ptr [esp+10]
:0041E6EB 50 push eax ** calling a function with the false serial as parameter!!!
:0041E6EC E8EF7A0000 call 004261E0
:0041E6F1 83C404 add esp, 00000004
:0041E6F4 3BC6 cmp eax, esi ** compare the false serial esi with the true one
:0041E6F6 750B jne 0041E703
:0041E6F8 807C241000 cmp byte ptr [esp+10], 00
:0041E6FD 7404 je 0041E703
:0041E6FF 6A01 push 00000001
:0041E701 EB02 jmp 0041E705
---------------------------------- Cut Here ----------------------------------
Looking at this code we can understand that there is only one procedure that
checks the serial (the call at 0041E6EC). After this small piece of code there
is another part that enables the OK button, but we are not interested in that
because we don't want to make a brutal crack.

-) Step until 0041E6E5 (pressing F10)
   Now you can see in EAX your serial in hexadecimal format.
-) type: ? EAX
   Now you can view your serial in hexadecimal and decimal format (the second
   one)
-) Step until 0041E6F4
   Now you see in EAX the REAL serial number (make a note of it) and in ESI the
   false serial (you can use ? eax and ? esi).
-) Disable all breakpoints and go out (BD *; F5)
-) Enter the real serial number and press OK

Your copy of Winamp is registered! Now comes the most difficult part: making
the keymaker. Before you can make a keymaker you must understand the code of
the Winamp key generator. I don't explain how to do this, but if you want to do
it, simply trace the code at 004261E0 (the call at 0041E6EC). Remember that you
can rip some code directly from the Winamp code!

---------------------------------------------------------------------------------------------
--==CHAPTER 4: API REFERENCE==--

This is a categorised list of useful functions on which to set a breakpoint:

FILE COMMON OPERATION:
CreateFile,CreateFileA,CreateFileW
ReadFile
WriteFile
SetFilePointer
_lcreat
_lopen
_lread
_lwrite
_llseek

DIRECTORY COMMON OPERATION:
GetCurrentDirectory, GetCurrentDirectoryA, GetCurrentDirectoryW
GetSystemDir *16 bit only
GetSystemDirectory,GetSystemDirectoryA,GetSystemDirectoryW
GetWindowsDir *16 bit only
GetWindowsDirectory, GetWindowsDirectoryA, GetWindowsDirectoryW

FILE INI COMMON OPERATION:
GetPrivateProfileString, GetPrivateProfileStringA, GetPrivateProfileStringW
GetPrivateProfileInt, GetPrivateProfileIntA, GetPrivateProfileIntW
WritePrivateProfileString, WritePrivateProfileStringA,
WritePrivateProfileStringW
WritePrivateProfileInt, WritePrivateProfileIntA, WritePrivateProfileIntW

REGISTRY COMMON OPERATION:
RegCreateKey, RegCreateKeyA,RegCreateKeyW
RegCreateKeyEx, RegCreateKeyExA, RegCreateKeyExW
RegQueryValue, RegQueryValueA, RegQueryValueW
RegOpenKey, RegOpenKeyA, RegOpenKeyW
RegCloseKey, RegCloseKeyA, RegCloseKeyW

WINDOWS & DIALOG BOXES COMMON OPERATION:
CreateWindow, CreateWindowA, CreateWindowW
CreateWindowEx, CreateWindowExA, CreateWindowExW
ShowWindow
GetWindowPlacement
GetWindowLong, GetWindowLongA, GetWindowLongW
GetWindowWord
CreateDialog, CreateDialogA, CreateDialogW
CreateDialogIndirect, CreateDialogIndirectA, CreateDialogIndirectW
CreateDialogIndirectParam, CreateDialogIndirectParamA,
CreateDialogIndirectParamW
CreateDialogParam, CreateDialogParamA, CreateDialogParamW
DialogBox, DialogBoxA, DialogBoxW
DialogBoxParam, DialogBoxParamA, DialogBoxParamW
DialogBoxIndirectParam, DialogBoxIndirectParamA, DialogBoxIndirectParamW
DialogBoxIndirect, DialogBoxIndirectA, DialogBoxIndirectW
EndDialog

MESSAGE BOX OPERATION:
MessageBox, MessageBoxA, MessageBoxW
MessageBoxEx, MessageBoxExA, MessageBoxExW
MessageBoxIndirect, MessageBoxIndirectA, MessageBoxIndirectW
MessageBeep

GET TEXT FROM EDIT CONTROL OR CAPTION:
GetWindowText, GetWindowTextA, GetWindowTextW
GetDlgItemText, GetDlgItemTextA, GetDlgItemTextW
GetDlgItemInt

DISPLAYING A TEXT MESSAGE:
TextOut, TextOutA, TextOutW
SendMessage
wsprintf

CDROM COMMON OPERATION:
GetDriveType, GetDriveTypeA, GetDriveTypeW
GetLogicalDrives, GetLogicalDrivesA, GetLogicalDrivesW
GetLogicalDriveStrings, GetLogicalDriveStringsA, GetLogicalDriveStringsW
GetVolumeInformation

TIME COMMON OPERATION:
GetLocalTime
GetSystemTime
GetSystemTimeAsFileTime
SystemTimeToFileTime
CompareFileTime

STRING COMMON OPERATION:
hmemcpy
lstrcpy, lstrcpyA, lstrcpyW
lstrcat, lstrcatA, lstrcatW
lstrcpyn, lstrcpynA, lstrcpynW
CompareString, CompareStringA, CompareStringW

Note: several API functions have 3 different names for the same operation. The
first is the 16 bit one, the last two are the 32 bit functions. The A or W at
the end of the function name denotes respectively the version with normal
string parameters or wide string parameters. Old 16 bit applications can call
OS functions through the API Dos3Call or directly through the target interrupt
with the assembly int instruction, so you can set the breakpoint directly on
the interrupt where you want to stop.

---------------------------------------------------------------------------------------------
--==GREETINX==--

- Karlos Pinto [DARKflare]

- Kill3xx

- Marcus
---------------------------------------------------------------------------------------------

The world of the Crack
Written by - GEnius
Gfx & HTML - DARKflare

- EOF -
