========================================================
+HCU Maillist Issue: 11 09/11/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:

#1 Subject: What every cracker should have
#2 Subject: issue #9
#3 Subject: System Marking
#4 Subject: help with Nsce
#5 Subject: Re: +HCU ML Issue 9

ARTICLES:

-----#1-------------------------------------------------
Subject: What every cracker should have

Quoteth Malattia:
> Do you think there's something every cracker should have? You don't
> have to tell me your "secret tricks"... just something to help me to
> learn and crack better, maybe! :) byez,
> "Si vis pacem para bellum"

Well, the other day, while drinking a kerosene cocktail and meditating on
naked women, I had a zen insight for your question: I recommend:

1) WinICE 3.01 (or is it called 3.1?) which allows you to use a mouse;
2) HIEW, which allows you to say 'bye bye, debug' and which is easier to
   use;
3) the help file from the win32 SDK, which has a nice reference for API
   calls;
4) a86 and d86, which are freeware assemblers & disassemblers, and include
   very nice reference files;
5) Win32DASM, which everyone has and you should have too, and disassembles
   nicely;
6) then you should study and write proggies in ASM to understand how ASM
   works;
7) ah, get also FILEMON and REGMON from Fravia's page.

Now, the best way is to have been using something like a Vic20 in 1980, so
you would have had to write in ASM.

I will tell you the rest of the tricks IF and only IF you contact me
through psychic means and tell me where to download the German game
SKAT2095 regged (before anyone faints at this lack of purity - why doesn't
he register it HIMSELF - the shareware version is crippled).

Wafna of FCA

-----#2-------------------------------------------------
Subject: issue #9

Yesterday .MaLaTTiA.
wrote: "what are the tools you have programmed that you find most useful?
Do you think there's something every cracker should have? You don't have
to tell me your "secret tricks"... just something to help me to learn and
crack better"

IMHO, the first two questions are very useful, because everyone should
know which tools are best, what they do, and how to use them. It's the
next statement that bothers me. The GOAL of this newsletter should be to
SHARE our "secret tricks", not to offer a format for "wanna-bes" to ask us
to crack programs for them.

It makes me sick to see, or listen to, warez people or hackers explaining
the reasons they do what they do. They always end up somewhere saying "ALL
knowledge should be free", a FACT I agree with, with all of my heart. Even
+ORC has expressed this point of view. Yet the warez people hide their
files, and "lock" us out with "secret" passwords. And ask a hacker how to
hack... He'll tell you to "read what's on the web and learn!" Like we've
all got nothing better to do than sit around sorting through megabytes of
old literature, trying out hacks that stopped working years ago.

We, the crackers, should share EVERY "secret trick" we know of. No matter
how "simple" it might seem to us, someone might find it's "just the trick"
they've been looking for. Our goal should be to educate, if not the
"newbies", then each other. Any trick that speeds up the cracking process
only speeds our work, allowing us to move on, hopefully a little wiser.
Have you ever "given up" on a "hard" crack, because you just couldn't
figure it out, only to see that someone else HAS found the crack? Wouldn't
it have been nice if YOU knew what HE knew, so you wouldn't have wasted
all that time?

Let the lamers who want a program cracked go to the IRC channels to find a
cracker. And let's concentrate on sharing knowledge here at the +HCU
newsletter. Let's throw away our "pride" and "secrecy" and do whatever we
can to TEACH those who WANT to learn!
We are each individual "islands" of knowledge, isolated in a sea of greed,
censorship, and commercialism. And we'll stay that way as long as we hoard
our "individual" knowledge. But as we share our knowledge, we drift closer
and closer together, until we form a "continent" of knowledge, and then
nothing can stand in our way.

Thanks to all of you for all the great work and essays at +HCU, including
this newsletter.

Hackmore Readrite
DataMiners Inc.

-----#3-------------------------------------------------
Subject: System Marking

I'm currently attempting to crack a package with a 30-day trial limit. The
software somehow marks the system so that if you reinstall it, it knows
you installed it before. The marking is based on the serial number of the
hard drive (the DOS serial no., that is), so changing that results in the
ability to reinstall. The problem is I can't figure out how it's doing it.
The methods I have tried are:

1. Keys in the registry (it's win95)
2. Dummy files placed in win95 - definitely no files created on install
   date (not surprisingly).
3. Residual directories/files after uninstall.

None of these APPEAR to contain any information about the install date.
Does anyone on this list know of any other win95 methods which might be
used by this package? Or can anyone suggest any software which could
monitor what the package checks for?

Thanx in advance.

Noose.

-----#4-------------------------------------------------
Subject: help with Nsce

Hi All! :)

Could you teach me some tricks or techniques to crack this proggie? It's
Netscape Cache Explorer; the crack is still out somewhere but I'd like to
learn to crack it myself... the address is:
*************************************

I tried live cracking and dead listing too... I think there's something
that tricked me, 'cause I can't figure out where the check for the reg key
is :-? Please, be patient... maybe it's extremely easy for you but it can
be a good cracking lesson for me if you explain it :)

Thanx in advance!
byez,
.MaLaTTiA.

-----#5-------------------------------------------------
Subject: Re: +HCU ML Issue 9

> > Subject: *******
> >
> > Hello Everyone!
> >
> > I greatly appreciate all the help I got on cracking the Internet
> > Commander. I need some more help however. I found a pretty interesting
> > program on the web called ******* by Farallon
> > *********************************************************************************
> > What it allows you to do is observe someone else's desktop in real
> > time over the network. It is cross-platform too (can observe Mac from
> > PC and vice versa). Although this program is free, it has a couple of
> > drawbacks. First of all it is a 16-bit program (they didn't even
> > bother building a 32-bit version). Second, it displays a dialog box
> > telling you to upgrade it to some other prog for only $49.95 every
> > time you run it. Whatever I tried, I could not get rid of the dialog.
> > Borland Resource Workshop will painlessly delete any other dialog from
> > the prog, but deleting this one causes a crash. Patching fails too.
> >
> > Can you guys help me with this one please. Thanks in advance.
> >
> > Great Dalmuti

Solution:

You will need:
1. Softice for Windoze (I use V3.0)

Fire up Softice and load the file "Lookatme.exe" into the module loader.
Softice will break when the program is loaded. Press G to go. Then the
splash screen will appear for ********. Press CTRL and D. Then type the
following:

  TASK

This should display a list of tasks. One of them will be "Observe" if you
have done this correctly.

  HWND Observe

This lists all of the windoze (and objects that belong to those windoze)
that are open which belong to ******* (well, Observe actually). The very
top one is the window you want (you'll see it contains two buttons and
some statics).

  BMSG XXXX WM_DESTROY

Replace the "XXXX" with the hexadecimal number of the splash window (the
one at the top).

  G

This restarts the program. The program will run and you'll see the splash
window still there.
Click on the "Continue" button. The program will drop back to Softice. Now
you need to type:

  P RET

This proceeds until the current routine returns. You need to repeat this
command until you reach this piece of code (you'll need to scroll up a
little from the current location - you'll be on the "PUSH DS" command):

  LEA  AX,[BP+FF58]     ; Points AX to the Dialog
  MOV  [SI+1E],AX
  PUSH AX               ; C requires the variables to be on the stack
  CALL XXXX:4980        ; This displays the dialog
  PUSH DS               ; <- You'll be here.

Now, all you need to do is bypass this call (and the PUSHes onto the
stack). So you need to put a JMP where the LEA is which jumps to the PUSH
DS. This should be something like:

  JMP 022A

Do this by typing:

  A XXXX

where "XXXX" is the address where the LEA is (you don't need to put in the
segment). Then type the JMP command. You can find out what the opcodes for
the commands are by typing:

  D XXXX

where "XXXX" is the address where the LEA is again.

Anyway, the crack is: search the file Lookatme.exe for the following codes
(using your fav. hex editor):

  8D 86 58 FF 89 44 1E 50 9A

and replace the "8D 86" with:

  EB 0B

This will stop the dialog appearing.

Noose.

=====End of Issue 11====================================

========================================================
+HCU Maillist Issue: 12 09/12/1997
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: Registry tips for MaLaTTiA
#2 Subject: Reply to Noose about disk serials....
#3 Subject: Cracking tools....
#4 Subject: Problems with the list?
#5 Subject: RE: NSCE and other things

ARTICLES:

-----#1-------------------------------------------------
Subject: Registry tips for MaLaTTiA

Hello MaLaTTiA,

> Could you teach me some tricks or techniques to crack this proggie?
> It's Netscape cache explorer, the crack is still out somewhere but
> I'd like to learn to crack it myself... the address is:
> ************************************* I tried live cracking and dead
> listing too... I think there's something that tricked me, 'cause I
> can't figure out where is the check for the reg key :-? Please, be
> patient... maybe it's extremely easy for you but it can be a good
> cracking lesson for me if you explain it :) Thanx in advance!

Don't give up hope! :-) I've cracked this program before (see my webpage:
*****************************) but sadly I've lost my notes - however, I
can confirm that the reg key is stored in the registry, and I can give you
some basic tips to help pinpoint the location where the reg key is
read/written:

1) make *sure* you have the exports for ADVAPI32.DLL loaded (this DLL
   contains the registry functions)

2) try setting breakpoints as below -

   BPX RegOpenKeyA     ; this opens the key!
   BPX RegOpenKeyExA   ; this opens the key, creating a new one if
                       ; necessary (read the WIN32 API reference for
                       ; more info)
   BPX RegQueryValueA  ; this reads in a value from the open key (this
                       ; is probably the one you want)
   BPX RegCreateKeyA   ; this creates a new key (surprise!) :-)

Good Luck,

+ReZiDeNt

-----#2-------------------------------------------------
Subject: Reply to Noose about disk serials....

Hi there Noose,

I can tell you that there are a number of commercial/shareware DLLs
available which allow changing of the disk serial no - you might want to
look at the DLLs used and see if any suspicious calls are made... BTW,
what package is it you are cracking? I have come across similar programs
before (eg System Commander, which I suspect uses the same technique)...

+ReZiDeNt

-----#3-------------------------------------------------
Subject: Cracking tools....

Hi there MaLaTTiA,

> I've got a question for you all, boyz... what are the tools you have
> programmed that you find most useful?
> Do you think there's something every cracker should have? You don't
> have to tell me your "secret tricks"... just something to help me to
> learn and crack better, maybe! :) byez,

TBH, tools are secondary - knowledge and especially intuition (or 'Zen')
are the best tools :-) although I'm working on a 'Cracker's GREP' program
- something to *quickly* (and recursively) search through your
drives/files/dirs for text strings (both standard and multibyte) as well
as hex (binary) strings.... so far I've not found a suitable program for
this purpose, so I've had to make my own. The beta version works fine at
the moment, apart from some trouble I'm having parsing the path/filename
(it's a console mode app, but I'm considering making it a GUI app using
C++Builder)

+ReZiDeNt

-----#4-------------------------------------------------
Subject: Problems with the list?

Hi ZERO!

> with an invalid address is, that the bouncing back letters are
> not coming to me, but to the postmaster of our domain :(

"Apparently to ***************

The rest of incoming messages don't include the "Apparently to" :-m
Maybe checking the "To" (or "Cc") field could help...

and Hi everybody!

I need a program written (and of course protected :-) in Delphi... I'm
trying to prove a new (I think so) trick to accelerate cracks for this
type of programs. C++Builder too. I don't mind if the program is cracked
by anyone before. The idea is to find a new, maybe faster, approach.

bye
trurl

-----#5-------------------------------------------------
Subject: RE: NSCE and other things

Hi boys!

Before anybody starts to look for the missing issue #10, I want to tell
you that there is no such issue. Yesterday, I put my hands into the
maillist and screwed up the numbering :( so the system sent issue 11 after
the ninth. Sorry!

I also want to tell you that I agree with every word Hackmore wrote last
time.
In fact he spoke so well, that I will include his thoughts (if he agrees)
in the guidelines of this maillist, which I will write sooner or later :)

OK, let's talk about cracking!

Noose looked for programs monitoring file and registry traffic. I usually
use Regmon and Filemon (you can get them from Fravia), but Winexpose-IO
and Winexpose-REG work well, too. Look for Wxi95-20.zip, Wxr95-10.zip on
the ftp sites. These are sharewares, you have to crack something in them,
but I have already forgotten what exactly. You could also write us what
kind of program you try to crack, so we can have a look at it.

Malattia asked about NSCE. I had a little time yesterday to check it out.
I did not analyse every detail of the registration, but I think I can
point you in the right direction. This protection has two tricks.

First, it continuously monitors the entering of the key and when the 8th
character is entered it calculates a checksum, which is the important
thing and is used for checking when you press the OK button. The
characters beyond the 8th have no relevance. So by the time you have
entered the 9th character of the key, everything is decided. Therefore,
if you type the whole key and try to set breakpoints on the entered key
to see when the fun begins, it fails, because the program does not even
bother to get the key from the dialogue when you press the OK button.
This prevents us from attacking the registration from the beginning, but
we can surprise it from the back (more about it later.)

Second trick: the routine which calculates the checksum monitors the
execution speed of itself and fucks up the checksum of even the right key
if the program is executed too slowly. This disturbs checksum calculation
if you debug the routine with wdasm. (Softice is immune to this
protection. YEAH!)

The checksum is finally compared to the number 0190h and if not equal
then you are a bad guy. I had no time to find where this number comes
from, but it seems to be a constant.
So it seems that if you patch the function which calculates the checksum
to give back always 0190h in EAX at the end, the registration will work
for every name and key pair. (I haven't actually done the patch, so you
have to check this out.) Or you can understand the checksum calculation,
which is not very complicated, but I got bored at the very beginning of
it.

OK, let's see how you get into the middle of the registration from behind.
Load NSCE into Softice, run it, type something into the registration
dialog. Press CTRL-D to break in. Set a breakpoint: BPX MESSAGEBOXA. Back
to NSCE. Press the OK button and we pop up in Softice before the bad guy
message is displayed. With F12 (^P RET) step through the code until you
are back in NSCE code and you get to 41f921. The protection is before this
messagebox call. I commented it here. The routine which gives back the
final checksum is at 41FBCF. This routine is also called when the program
starts, so very likely the key and the name are stored somewhere and
rechecked every time the program is started.

Interestingly, there is a second very similar routine in the program with
execution time checks, but I had no time to figure out what it is for. If
you can find out what this second routine actually does, let me know.

Well, have a nice work!

:0041F88F push 00000009
:0041F891 lea eax, dword ptr [ebp-0C]
:0041F894 push eax
:0041F895 push [ebp+10]

* Reference To: USER32.GetWindowTextA, Ord:0000h
|
:0041F898 Call 00424EE7

-----#1-------------------------------------------------

> IMHO, the first two questions are very useful, because everyone
> should know which tools are best, what they do, and how to use them.
> It's the next statement that bothers me. The GOAL of this news letter
> should be to SHARE our "secret tricks", not to offer a format for
> "wanna-bes" to ask us to crack programs for them.
>
> It makes me sick to see, or listen to, warez people or hackers
> ...
> we hoard our "individual" knowledge.
> But as we share our knowledge, we drift closer and closer together,
> until we form a "continent" of knowledge, then nothing can stand in
> our way.

Thank you, Hackmore, for your message: I think you're right, and that
every one of us should share his knowledge with others to make them not
just "crack-independent" or "hack-independent", but also to help them in
EVERY situation in their life (when it is possible, of course :). I think
what you wrote is a great lesson for every cracker who thinks his tricks
have to remain secret 'cause he just wants to be "better" than others...
I don't know if this kind of people really exist (I'm afraid so), but
when I was writing the message you quoted I thought that maybe somebody
could think I was too intrusive. I'm sorry if now you're reading a
message which can be considered off-topic, but I thought I had to justify
myself and tell others I agree with you :)

> Thanks to all of you for all the great work and essays at +HCU,
> including this news letter.

Thank you for your message, I hope we'll read you again :)

byez,
.MaLaTTiA.

-----#2-------------------------------------------------
Subject: What every cracker should have

Hi! :)

> I recommend:
>
> 1) WinICE 3.01 (or is it called 3.1?) which allows you to use a
>    mouse;

Great! I've got version 3.1, but I really didn't know you could use the
mouse! :)

> 4) a86 and d86, which are freeware assemblers & disassemblers, and
>    include very nice reference files;

Yes, they are really great, I started programming with A86 about two
years ago, but as reference I prefer to use a DOS program called HELLPC:
it's a hypertext help file which contains reference for ASM and C
programming, hardware and data specifications, interrupt services,
formats used by DOS & BIOS and so on.

> 5) Win32DASM, which everyone has and you should have too, and
>    disassembles nicely;

Sure!
It's really great, even if I prefer just disassembling the file, then
browsing in it with LIST, a DOS program which has a VERY fast search
(IMHO, at least I think faster than any windoze proggie!).

> 6) then you should study and write proggies in ASM to understand how
>    ASM works

Well, it's about two years I've been working on it, but only in my spare
time... I think (I hope!) I know enough things to crack simple programs
(not written in ASM), I think I'll still have some problems with
self-modifying code and so on. I think I could study some viruses to
learn some nice tricks and maybe understand better how self-modifying
code works.

byez,
.MaLaTTiA.

-----#3-------------------------------------------------
Subject: Words from the world of h/p/w

Well, fellow crackerz, recent posts have seen some attacks on hackerz and
warez traderz. "Horrid people," somebody said, "they don't tell their
secrets and keep the filez in secret FTP's". Here's a confession: I hack,
I phreak and I trade warez. And I did this long before I started
cracking. Here's the story:

a) why do hackers say 'read what you find on the net and don't bug me'?
Well, writing cracks is not per se illegal, while hacking is.
Furthermore, once a demo version of a program exists and is crackable,
once a crippled/new crack version is released, it won't make the
crackable demo disappear. Eg suppose you have a 'cracked' Program version
2.1 and a crippled 2.1a is released, in which the crack is impossible,
there will still be many 2.1 available. In hacking, however, once a crack
is revealed, the sysadmin patches the system, and nothing works. So while
a cracker can have a nice page with "here's how to crack WinICE", a
hacker can't have a page on "how to get into Chemical Bank". And we can
really tell our secrets to people we know very well (notice how many
hackerz are getting jailed and what a large percentage because of
narcking).

b) which leads us to phreaking - which is ALWAYS illegal, no possible
exceptions or excuses.
Furthermore, the phone companies will instantly change tones, codes or
trunk lines once these are discovered. Sure, there are many plans for
boxes, but that's 'silly' phreaking, not the kind that makes you call
lower Bhutan for nothing.

c) and then warez trading. Here the main commodity is time. OK, you say,
warez should be free, but warez is, however you put it, illegal. I mean,
you can buy a Photoshop 4 for $600 or get it while trading. Since the
software companies get very angry about this, FTP sites have to be very
secure. However, I should note that, apart from the mythical distro or HQ
sites, which are closely hidden, there are many pages on the web with
'dump' sites, which last only one day or two. Dump sites are those where,
let's say, suppose everyone on the list wants a copy of Photoshop, then I
upload it to an innocent FTP site, where it will stay until the sysadmin
deletes it, and then I notify you. You rush there and d/l as much as you
can. So warez is not 'that' secret.

Another reason why warez people trade and rarely give leech is time.
Let's take again Photoshop, which in the warez version is about 35 MB, if
I'm not mistaken. Depending on your location and connection, you can take
24 hours to download it, taking up your phone line, and especially
costing $$$ of telephone and ISP (again, it depends). Note that you take
the same time to upload it to a public FTP site, where probably the
sysadmin will erase it ASAP. Unfortunately it *is* a capitalist society,
and time and money are not free - so why would I keep my computer online
for 60 hours for you to d/l Windows NT Server? Just because you asked me
on #warez? OK, it's really nasty, but that's how things work.

So why do I crack for free? Well, cracking is different, the patches are
usually small enough just to send to someone, small enough to post on
USENET, and, especially, cracking involves intelligence, it's a
challenge, it's entirely different.
Warez is, after all, very dumb, once you know where to get your proggies,
you just FTP there and you look for whatever is new. Cracking is for
humans, and warez for bots...

WAFNA of FCA

=====End of Issue 13====================================

========================================================
+HCU Maillist Issue: 14 09/14/1997
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: C++Builder & Delphi protections....
#2 Subject: Thanx!
#3 Subject: an "off topic" reply
#4 Subject: Softice break point
#5 Subject: Re: thanx for nsce!

ARTICLES:

-----#1-------------------------------------------------
Subject: C++Builder & Delphi protections....

Hello trurl,

> I need a program written (and of course protected :-) in Delphi...
> I'm trying to prove a new (I think so) trick to accelerate cracks
> for this type of programs. C++Builder too. I don't mind if the
> program is cracked by anyone before. The idea is to find a new,
> maybe faster, approach.

If you want a ready-made 'real-world' program, try FlexED web editor - it
is created with Delphi. If you want something in C++Builder, I'll see if
I can make one... how difficult do you want it? ;-) BTW, what is your
idea?

+ReZiDeNt

-----#2-------------------------------------------------
Subject: Thanx!

Zero wrote:

> I also want to tell you that I agree with every word Hackmore wrote
> last time. In fact he spoke so well, that I will include his thoughts
> (if he agrees) in the guidelines of this maillist, which I will write
> sooner or later :)

Thank you for the compliment! Feel free to re-print or use my statements
in any way you desire. Please allow me to point out that THIS newsletter
is doing EXACTLY what I was describing, both in my letter (issue #9) and
in my essays posted on Fravia's pages.
Here, we describe HOW we get things done, and (hopefully) the "tricks" we
use to do it. Without a doubt, THIS newsletter is THE best thing to hit
the web since Fravia, preceded only by +ORC. I am not a programmer, and
I've never had a teacher to tell me the short-cuts. But the first 10
issues of this newsletter have opened my eyes to whole new worlds of
possibilities. Keep up the good work guys!

Hackmore

-----#3-------------------------------------------------
Subject: an "off topic" reply

WAFNA;

Sorry if I upset you. In explanation, I did not refer to hacking "sites",
but I found it rather un-friendly in my "early" hacking days when I found
it impossible to get help on how to get crackerjack working, or figuring
out which unix command to use when trying to hack my own site. There's NO
reason a hacker can't share his "tips", without giving away his sites.

I didn't mention phreaking at all, but with the abundant free space
available on the web, (Fravia's site gives you 10 mb FREE), an
application could be broken up, zipped, and stored in pieces across many
servers, with links of course. Then the warez bots could still do their
thing. Many ISP's sell unlimited time for under $20.00 U.S., (even I can
afford that), so the "capitalist" issue bites the dust also. Granted, ONE
guy posting PhotoShop on his web page would get busted, because he's an
"island", but if we ALL (the "continent") took every Micro$oft product
we've ever had to purchase, and posted them on the web for all to DL
free, how many jails will Bill Gates build with his money to put us in?
One thing is for sure, we wouldn't have to crack M$ anymore! (But PLEASE
leave the "little guys" out of this, many small time programmers support
their families with their software.)

It all boils down to, whether I've bought it or cracked it, whether it's
in my head or on my HD, if you've got a place to put it, or a way to use
it, it's yours! NO trades, NO hassles, NO "secrets", just ask.
I'm glad we can come to terms on cracking though. It takes a brain, it's
a challenge, and it's for humans.

Hackmore

-----#4-------------------------------------------------
Subject: Softice break point

Hi boys!

I have noticed that +Fravia is looking for interesting Softice
breakpoints, which reminded me about a funny thing I always wanted to
ask.

Sometimes I use a break point to make a so called "CALL MAP" of the
program. This means that I log every call instruction of the running
program and dump it into a file. Then if I can manage to run the program
first in goodguy mode then in badguy mode (for example in the case of
time protection by changing the system time), I can compare the two CALL
MAP files with fc or whatever and I can see at once where the two
execution paths branch. I do this CALL MAP with the breakpoint

  BPRW taskname T IF (BYTE(*EIP))==E8

where taskname is the name of the windows task I am interested in and E8
is the first byte of an absolute call instruction. This works beautifully
in the case of 32 bit tasks. (I have to mention here that if the task
tries to load a module from the disk when this breakpoint is on, it
effectively locks the system, so only reboot helps.)

The problem is that it does not work in the case of 16 bit tasks. When I
try to set this break point

  BPRW taskname T IF (BYTE(*IP))==E8

Softice says "Expression can not be evaluated", but interestingly sets up
a lot of bpr breakpoints, unfortunately the selectors are just not good
in them. This should work according to the manual, so it might be a bug
in Softice. I am using Softice 3.01 for Windows95. It would be nice if
one of you could check this out on another version to see how it works.

Thanks in advance

ZER0

-----#5-------------------------------------------------
Subject: Re: thanx for nsce!

Hi All!!!

> Don't give up hope! :-) I've cracked this program before (see my
> ...
> Good Luck,
> +ReZiDeNt
> ...
> Malattia asked about NSCE.
> ...
> what it is for.
> If you can find out what this second routine actually
> does, let me know.
> Well, have a nice work!
> Bye
> ZERO

THANX GUYS!!! You helped me a lot... you know, I've worked on nsce this
evening and studied the algorithms that make up the registration key
and... I've made a key generator!!!! :)))) How nice... I LOVE keygens...
:) Well, it's not completed yet, but I tried it on my name and IT WORKS
:) Now I just have to improve it a little... :) Thanx again! :))

(written the day after... :) YEAH!!! I've done the keygen in C and it
seems to work! I've tried a lot of names, spaces, non-alphanumeric chars
and IT WORKS!!! Woa... :) NSCE lesson coming soon if you like... :)

byez,
.MaLaTTiA.

=====End of Issue 14====================================

========================================================
+HCU Maillist Issue: 15 09/15/1997
--------------------------------------------------------
========================================================

CONTENTS:

#1 Subject: warez for all
#2 Subject: Delphi and BC++Builder protections
#3 Subject: To Hackmore - FREE web space?
#4 Subject: Problem with the list

ARTICLES:

-----#1-------------------------------------------------
Subject: warez for all

Well, with all this talk on warez, here's a point for you all:
***************************************** every day (sort of) you will
find a list of FTP sites with stuff inside. If you have patience, you can
test them, get the gamez/appz you want, play with them a little, keep or
trade. For instance, ftp to 199.1.22.129 and go to directory
/pub/users/rrf and you will find Shadow Warrior, which is meant to be
nice (22 disks long). So, besides cracking programs, now you can get lots
of nice goodies every day.

Wafna of FCA

-----#2-------------------------------------------------
Subject: Delphi and BC++Builder protections

Hello +ReZiDeNT!
> If you want a ready-made 'real-world' program, try FlexED web
> editor - it is created with Delphi.

Thanks, I'll ftpsearch it at once :)'

> If you want something in
> C++Builder, I'll see if I can make one...

It ain't necessary. As you said the library is identical. But if you have
BCB, you can test what I say later.

> how difficult do you want it? ;-)

I'm still a beginner "-trurl" :( with THE tool and hope FlexEd will not
be too much for me O:)

> BTW, what is your idea?

Sorry. It's not supposed to be a "secret". I just wanted to test it
before posting.

Well. Delphi (all the same for BCB) has a lot of design time information
passed to run-time as resources. It's similar to traditional resources
(menus, dialogs and the like) but more sophisticated and with a
proprietary format. +ORC would call this "overbloated decadence" =:) but
it accelerates making programs and, let's hope, other tasks >:)

The point is that the associated routines for a control are stored by
name. For example, a button has an "OnClick" event with names assigned by
the programmer, say "OkBtn" for the button and "OkBtnClick" for the
service. These names are stored in the description of the window the
button is placed on. And the last one exists in another location too: the
table of "published" methods. Delphi uses this table to associate the
code with the run-time created object. There you find the address of the
click routine, a few bytes before. The *best* of all: this routine is
what the programmer writes for the click, so you don't have to worry
about following a long chain of library calls, instead... right between
the eyes :=)

I wasn't in time for the 98 +HCU so I wanted to write a short essay about
this, including a "real world" example and maybe some tools to automate
the process.

Step by step:

1) Find the descriptions of the windows (in the general, not HWnd,
sense). This can be done using directly a hex editor (looking for "TPF0")
or, better, the Resource WorkShop by Borland.
This way you can easily locate them (type "RCDATA") and, after extracting the resources to *.res, renaming to *.dfm and deleting the resource header (all before the string 'TPF0'), convert them to a _very_ explicit text description with "convert.exe", a tool included in all Delphi and BCB packages. This could be especially helpful in case of a very large program with many windows. Note that the healthy programming practices ("give descriptive names to variables and functions") help a lot X-D

2) Once the name is located ("nomen est omen") we can search again with our favourite hex editor for the other occurrence of the string. Remember that these are "pascal" short strings, preceded by a length byte (unsigned char). The address is just before:

50EF43000A4F6B42746E436C69636B
^^^^^^^^  O k B t n C l i c k
here

3) Now it's obvious. A breakpoint there will fire when the user clicks on the button, skipping all library jumps. Or we can locate it in dead listings.

BTW, this is extracted from the infamous ICWSE.EXE, but this time the name "PasswordEntryForm" was confusing :( (maybe related to a screensaver).

That's all I've got. Excuse the, maybe excessive, length of this message. Hope it helps O:)

happy cracking
trurl

-----#3-------------------------------------------------
Subject: To Hackmore - FREE web space?

Hi Hackmore,

> I didn't mention phreaking at all, but with the abundant free
> space
> available on the web, (Fravias site gives you 10 mb FREE), an
> application could be broken up, zipped, and stored in pieces across
> many servers, with links of course. Then the warrez bots could still
> do their thing.

What's this about 10MB FREE? How does one acquire this space?

Thanks,
+ReZiDeNt

-----#4-------------------------------------------------
Subject: Problem with the list

Hi boys!

Yesterday the list had some problems and there is a possibility that some of your letters disappeared.
If somebody has written a letter at the weekend which did not appear at the latest in this issue, please resend it and notify me at the **************** address.

Sorry for the inconvenience.

ZER0

=====End of Issue 15====================================

========================================================
+HCU Maillist Issue: 16 09/16/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:
#1 Subject: issue # 15
#2 Subject: A Hacker replies to Hackmore and tells a secret
#3 Subject: Avalanche 3

ARTICLES:

-----#1-------------------------------------------------
Subject: issue # 15

ReZiDeNt wrote:
> What's this about 10MB FREE? How does one acquire this space?

Simply open a webpage. Most servers limit you to 5 mb, I only mentioned Fravia's because it offers the most space that I know of.

Hackmore

-----#2-------------------------------------------------
Subject: A Hacker replies to Hackmore and tells a secret

Hello Hackmore:

> WAFNA;
> Sorry if I upset you. In explanation, I did not refer to hacking
> "sites", but I found it rather un-friendly in my "early" hacking
> days when I found it impossible to get help on how to get
> crackerjack working, or figuring out which unix command to use when
> trying to hack my own site. There's NO reason a hacker can't share
> his "tips", without giving away his sites.

Oh, I didn't get upset...

BTW - for those who don't know, there's a secret fravia's page. Use the normal URL for Fravia, then cancel the ..htm on your browser and write special.htm eg: *************************************** some interesting stuff.

Btw, many of Fravia's tools point to non-existent links... hmmm....

WAFNA of FCA

-----#3-------------------------------------------------
Subject: Avalanche 3

Hello all, by popular request (of the listop...)
you can get, for a limited time (until 00:01 GMT of 18 September) Avalanche 3 at the location below. Now, please note this is absolutely the BEST e-mail bomber, so good it's a little hard to find....

URL: **************************************

WAFNA of FCA

=====End of Issue 16====================================

========================================================
+HCU Maillist Issue: 17 09/17/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:
#1 Subject: more on possible VCL shortcuts....
#2 Subject: Shortcut to cracking VCL apps
#3 Subject: Comparing files

ARTICLES:

-----#1-------------------------------------------------
Subject: more on possible VCL shortcuts....

Hi trurl,

I've been investigating that idea of yours some more, I found a few things which may be of some interest. Using BCB, I made a little app that compared the contents of a text box against a string constant. I then extracted the RES file using BRW 4.5 - however, if I tried using the convert.exe program (taken from an old copy of Delphi 1.0) it wouldn't work :-(

So instead I compared the (original) DFM file from the BCB project directory with the RES file I extracted from the EXE file. I found that there were a few differences - the file size of the original DFM was 28 bytes less than the extracted RES file - however, after the 'TPF0' string, they were both identical. But if I removed the data from before the 'TPF0' string, convert.exe would choke on the file :-( Perhaps I did something wrong?
Anyway, using the *original* DFM I ran convert and searched in the EXE file for the string 'RegisterClick' (the button in the app was named 'Register') - I found two occurrences, one which seemed to be a mirror of the DFM file (eg the resource) and one other location, the hex values of which are below:

00 00 14 40 00 0D 52 65 67 69 73 74 65 72 43 6C 69 63 6B
      ^^ ^^       R  e  g  i  s  t  e  r  C  l  i  c  k

I'm not sure what the '00 0D' is for, but I took the '14 40' and set a breakpoint in SoftICE:

bpx 00401440

I then clicked the button in my little app and sure enough, I landed very 'near' the correct location (of course, in this case I would normally have used 'bpx hmemcpy', but the point is that your method does seem to work, albeit slightly differently...)

I'm going to try a few 'real world' apps and see what happens...there does seem to be a problem with convert.exe, perhaps my version is too old?

Cya,
+ReZiDeNt

-----#2-------------------------------------------------
Subject: Shortcut to cracking VCL apps

Hello trurl,

> It ain't necessary. As you said the library is identical. But if you
> have BCB, you can test what I say later.

Yes, (as you obviously know) Borland reused the VCL from Delphi (the VCL is coded in Delphi, a fact that irks me not a little :-)), for BCB, which is of course why BCB programs might *behave* and/or *appear* like Delphi ones...BUT I feel I should make it clear that BCB (in case you're not familiar with it) is *not* simply 'Delphi in C' but a pretty nifty tool in its own right - it can make apps using other frameworks (eg OWL, MFC) as well (but since I don't have the time to learn them I'll stick with the VCL for encapsulating Windoze functions for now :-))

> I'm still a beginner "-trurl" :( with THE tool and hope FlexEd will
> not be too much for me O:)

I'll tell you something, if you know/have found out this much about Delphi/BCB/VCL, you should have *no* problems learning to crack!

> Sorry. It's not supposed to be a "secret".
> I just wanted to test it
> before posting.

Sure, no worries...

> Well. Delphi (all the same for BCB) has a lot of design time
> information passed to run-time as resources. It's similar to
> traditional resources (menus, dialogs and the like) but more
> sophisticated and with a proprietary format. +ORC would call this
> "overbloated decadence" =:) but it accelerates making programs and,
> let's hope, other tasks >:)

Agreed, I've not got the time for other frameworks (as I mentioned previously).

> The point is that the associated routines for a control are stored
> by name.

Ahh yes, I read that in 'Learn BCB in 21 days'....it's a very different approach isn't it?

> The *best* of all: this routine is what the programmer writes for
> the click, so you don't have to worry about following a long chain
> of library calls, instead... right between the eyes :=)

Hmm....I suppose that is the primary purpose of your idea - to aid pin-pointing in VCL apps? I know (in my experience) that is the *most* difficult part of cracking VCL proggies, but this idea should make it easier....

> I wasn't in time for the 98 +HCU so I wanted to write a short essay
> about this, including a "real world" example and maybe some tools to
> automatize the process.

I didn't want to quote too much of your message, so I'll cut off here and print it out to study. I think you've done a *fantastic* job though, I'd like to discuss it in more detail, and perhaps help you if I can....mail me at the below address and we can discuss it more:

**********************
*********************************

Cya,
+ReZiDeNt

-----#3-------------------------------------------------
Subject: Comparing files

Good evening to all.

I noticed in the program Hex Editor a tool to compare two files. I believe it only compares the "dead" files. I am looking for a tool which will compare two files which are loaded in memory, i.e. a sort of snapshot of each.
My aim is to see the difference between a registered version and an un-registered version. You may ask "If you've got a registered version, why bother?". The answer is that the program connects to an Internet server which further checks the registration key. The unregistered version is not checked, but it is limited in what it can do.

Please note that although I am very much a newbie, I have NOT asked for a crack but for help to reach the crack myself.

Many thanks.

______________________________________________________
Get Your Private, Free Email at **********************

=====End of Issue 17====================================

========================================================
+HCU Maillist Issue: 18 09/18/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:
#1 Subject: to Hackmore...
#2 Subject: comparing files in memory?

ARTICLES:

-----#1-------------------------------------------------
Subject: to Hackmore...

Hello Hackmore,

> What's this about 10MB FREE? How does one acquire this space?
>
> Simply open a webpage. Most servers limit you to 5 mb, I only
> mentioned Fravia's because it offers the most space that I know of.
> Hackmore

Er....what I actually meant was *whom* should I approach to open a webpage? I've looked around Fravia's host ****************** but I've not seen anything on web space....

Cya,
+ReZiDeNt

-----#2-------------------------------------------------
Subject: comparing files in memory?

Hello there,

You didn't leave a handle with your message....anyway, I don't know whether such a memory compare program exists, and if it does, whether it would help you any....

> The answer is that the program connects to an Internet server which
> further checks the registration key. The unregistered version is not
> checked, but it is limited in what it can do.
Somewhere the program must make a call to a function (very possibly hidden in a DLL) which accesses the Internet to call the server etc. Is it not possible to jump over this call? Which program is it you are trying to crack?

Good Luck,
+ReZiDeNt

=====End of Issue 18====================================

========================================================
+HCU Maillist Issue: 19 09/19/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:
#1 Subject: 10 megs
#2 Subject: Comparing files in memory
#3 Subject: packet sniffer

ARTICLES:

-----#1-------------------------------------------------
Subject: 10 megs

+ReZiDeNt;

******************* will get you where you want to go.

Hackmore

-----#2-------------------------------------------------
Subject: Comparing files in memory

Subject: comparing files in memory?
Hello there,

> You didn't leave a handle with your message....

Zipper49

> Somewhere the program must make a call to a function (very possibly
> hidden in a DLL) which accesses the Internet to call the server etc.
> Is it not possible to jump over this call?

I'm pretty sure the server HAS to be contacted, to carry out the program's function. I want to ENABLE the disabled functions and then connect. The program advises you before connecting to the Internet that it is a limited version because it is not registered. So the connection would be merely to carry out the work. The registered version doesn't show any disabled notices (it gets the reg number from the registry, that's why I want to dump from memory) but once it connects to the Internet, it checks that the reg number is in fact valid, if not it tells you to "beggar off". So I think it matters not that it is unregistered as long as the disabled functions have been reversed.

> Which program is it you are trying to crack?
Wouldn't that be too tempting for you to just crack expertly and me not learn anything?!? Let me know directly if you can resist the temptation. ********************

> Good Luck,
> +ReZiDeNt

Thank you and thanks again for your patience and interest.

Zipper49

______________________________________________________
Get Your Private, Free Email at **********************

-----#3-------------------------------------------------
Subject: packet sniffer

Hi boys!

Since I am working on the mail list I have shifted somewhat my attention from cracking to hacking. At this moment I am busy sniffing on our LAN to understand and maybe hack the firewall. (BTW packet sniffing is great fun, I have already collected a bunch of passwords.)

I am using the ethdump ver 1.4 program for sniffing. It dumps the whole traffic of the net into a text file, therefore it is a bit difficult to follow the conversation of two specific computers. My question is: does anybody know a packet sniffer for DOS or Win 3.1 which can filter the incoming traffic and dump only packets coming from a specific ethernet address to the file? It would be even better if somebody could show me where I can find the source code of ethdump. (According to the author the source code was released with the first version some years ago, but because of the flame about releasing the code of a packet sniffer, he stopped this good habit.)

Thanks in advance

ZER0

______________________________________________________
Get Your Private, Free Email at **********************

=====End of Issue 19====================================

========================================================
+HCU Maillist Issue: 20 09/20/1997
--------------------------------------------------------
Send Articles To:......................... *************
Info, Help, Unsubscription, etc:....... ****************
========================================================

CONTENTS:
#1 Subject: Hello Zipper49!
#2 Subject: Thanks Hackmore....
ARTICLES:

-----#1-------------------------------------------------
Subject: Hello Zipper49!

Hi there,

> >You didn't leave a handle with your message....
>
> Zipper49

Hello Zipper49!

> I'm pretty sure the server HAS to be contacted, to carry out the
> program's function. I want to ENABLE the disabled functions and
> then connect. The program advises you before connecting to the
> Internet that it is a limited version because it is not registered.
> So the connection would be merely to carry out the work. The
> registered version doesn't show any disabled notices (it gets the
> reg number from the registry, that's why I want to dump from memory)
> but once it connects to the Internet, it checks that the reg number
> is in fact valid, if not it tells you to "beggar off".

Ahhh....I see....can you not breakpoint on the registry read (eg BPX RegQueryValueA) and watch how the reg code is manipulated?

> So I think it matters not that it is unregistered as long as the
> disabled functions have been reversed.

Yes, I see what you mean. But if it can be registered via a code it would of course be better (and very possibly easier) to attack the protection from there.

> >Which program is it you are trying to crack?
>
> Wouldn't that be too tempting for you to just crack expertly and me
> not learn anything?!? Let me know directly if you can resist the
> temptation. ********************

hehe, I can resist, especially if it's a large program (I've only got a 14.4 modem :-)). You can reach me directly at ********************** or via my webpage: ***************************

> Thank you and thanks again for your patience and interest.

No problem, that's what this list is all about - helping others to crack and learn to crack....

Good Luck,
+ReZiDeNt

-----#2-------------------------------------------------
Subject: Thanks Hackmore....

Hi Hackmore,

> ******************* will get you where you want to go.
> Hackmore

Thanks....
Cya,
+ReZiDeNt

=====End of Issue 20====================================