Acid_Cool_178
presents his
#12 Tutorial |
For Hellforge |
This text is only meant for educational purposes and is not to be used illegally. I take no responsibility for illegal use of this text. Proceed at your own risk.
Author Information |
acid_cool_178@hotmail.com | ||
Age | 17 | |
Web Page | http://acidcool.cjb.net/ | |
Date | February 2000 | |
Member in | Hellforge | Flying Horse Cracking Force |
Groups Web Page | Hellforge Login | FHCF Login |
Program Information |
Name | Private Desktop | |||
privdsk.exe | ||||
Author | Tropical Software | |||
Where to Download | http://www.tropsoft.com/ | |||
Tools used | File Monitor, Registry Monitor, W32Dasm, Hiew, Viper2, Soft Ice 4.xx |
Download At | ||
1. Player Tools | ||||
2. Programmer Tools | ||||
Size | 200KB | |||
What kind of a program | Crackme | Shareware | ||
Skill | Easy | Not so easy | Hard | X-pert |
Information about the protection |
This protection has one Name field, one Key field and
one Register button. I just wonder what that means? Hmm.
Think Acid, dammit Acid, THINK!
I wrote this
Name Acid_cool_178
Key 2951
and pressed Register. Bang, a NAG came up. It was a bad nag that
told me the registration key was wrong.
Then I tried leaving the Name field empty... Register,
and a NAG came up telling me I had to enter the name. So I did, and Register.
*BOOM* another NAG woke up from the dead; on that NAG it said "Please
enter the registration code".
I tried entering only the key and got another NAG, "Please enter the name".
So this protection generates a code from the Name and compares it with the key. It's as
easy as that.
I also found something strange. First I patched this program, and that worked.
But where is the password saved? I tried to uninstall Private Desktop and install it
again; hmm, it's still registered to Acid_Cool_178 [I had cracked it with Soft Ice :)]. So I
searched the Windows registry for my serial 54C8CC6011 and found nothing. Hmm,
that's strange. Hmm, where is that password saved? I didn't find Acid_Cool_178 in the
registry. Why?
Next I tried File Monitor, but my system crashed. Hmm, I remembered that the protools had an
update. I downloaded the update, fired up File Monitor and ran Private Desktop from
my shortcut on the Desktop. Cool, it worked :) And now I could see something strange: my
file privdsk.exe was talking to GERKSEDS.DRU
WHAT THE FUCK??
I opened that file in my patched Ultra Edit 7.00A in hex mode and found this: 54C8CC601, and THAT'S MY SERIAL NUMBER!!
I uninstalled the program and installed it again. Restarted my PC, and guess what? Private Desktop Version 1.5 is now Unregistered :)
So the registration is kept in that hidden data file, not in the registry, which is why a registry search finds nothing.
I hope I have explained enough now. I have also grown one skill up toward elite after writing this tutorial for my group Hellforge.
Before we start |
Take a backup of the original file! We will need it to create the patch.
Set the clock forward one year.
Task1 <-- Patching the protection
Task1.1 <-- Fixing something
Task2 <-- Create a patch in VIPer2.xx (the easy way)
Task3 <-- Serial fishing in Soft Ice 4.01
The Process |
Task1
I opened privdsk.exe in W32Dasm, went to "String Data
References" and found this string: Program registered, thank you
Yeah, thank you too :) Double click on that string and you will see this.
* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402367(C)
|
:0040238D 8D4C2424 lea ecx, dword ptr [esp+24]
:00402391 8D542410 lea edx, dword ptr [esp+10]
:00402395 51 push ecx
:00402396 52 push edx
:00402397 E8840C0000 call 00403020
:0040239C 83C408 add esp, 00000008
:0040239F 85C0 test eax, eax
:004023A1 6A00 push 00000000
:004023A3 7432 je 004023D7
<-- If the code is good, don't jump; otherwise jump to the bad-code path at 004023D7.
* Possible StringData Ref from Data Obj ->"Private Desktop"
|
:004023A5 A114F14000 mov eax, dword ptr [0040F114]
:004023AA 50 push eax
* Possible StringData Ref from Data Obj ->"Program registered, Thank you."
|
:004023AB 68A4F14000 push 0040F1A4
<-- You land here, and this is the good code.
:004023B0 56 push esi
* Reference To: USER32.MessageBoxA, Ord:0195h
|
:004023B1 FF158C544100 Call dword ptr [0041548C] <--
A nag that tells you that the code is correct :)
:004023B7 6A01 push 00000001
:004023B9 56 push esi
:004023BA C605DC2D410001 mov byte ptr [00412DDC], 01
What I did here was change the bytes at 004023A3 from 7432 to 9090, at file offset 17A3.
The 2-byte je becomes two 1-byte NOPs, so nothing after it moves.
But how did I do that? Well, it was easy.
Open privdsk.exe in Hiew.exe and press Enter twice and you will be in decode mode.
Go to (F5) offset 17A3.
Now you are standing on the jump; check that Hiew shows 7432 there before you edit.
Edit (F3) and type in 9090 (90 = NOP,
NOP = No OPeration).
Update the file (F9).
Quit Hiew (F10 or Esc).
Run the file and go to the registration. I wrote this:
Name Acid_Cool_178
Key 123321
and pressed the Register button, and the code was accepted.
Congratulations.
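The step from the W32Dasm address 004023A3 to the Hiew file offset 17A3 (and later 004032FF to 26FF) is a virtual-address-to-file-offset translation through the PE section table. The script below, an added example that is neither the tutorial's nor Tropical Software's code, does that translation from the headers and then NOPs the short je only after checking that the byte really is 74. The sample image it builds is constructed test data: the image base 0x400000 and a .text section at VirtualAddress 0x1000 / PointerToRawData 0x400 are assumptions inferred from the two VA/offset pairs in the tutorial (both differ by 0x400C00); on the real privdsk.exe the same functions read those values from the file.

```python
"""Translate W32Dasm VAs to Hiew file offsets via the PE section table and NOP
the short je instructions from Task1 and Task1.1.

Added example, not code from the tutorial. build_sample_exe() is constructed
test data whose image base and section numbers are assumptions inferred from
the tutorial's offsets, not read from the real privdsk.exe.
"""
import struct

JE_SHORT = 0x74   # opcode byte of 'je rel8' (74 xx)
NOP = 0x90


def read_pe_layout(data):
    """Return (image_base, sections) from a PE32 header; each section is
    (VirtualAddress, VirtualSize, PointerToRawData, SizeOfRawData)."""
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE file")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    opt = e_lfanew + 24
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images are handled here")
    image_base = struct.unpack_from("<I", data, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(data, va):
    """Map a virtual address (as W32Dasm shows it) to the raw offset Hiew wants."""
    image_base, sections = read_pe_layout(data)
    rva = va - image_base
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return raw_ptr + (rva - vaddr)
    raise ValueError(f"VA {va:#010x} is not inside any section")


def nop_short_je(data, va):
    """Replace the 'je rel8' at `va` with two NOPs.

    Refuses to touch the file unless the byte there really is 0x74, so a wrong
    offset or a different program version is not silently corrupted.
    Returns (patched_bytes, file_offset)."""
    off = va_to_file_offset(data, va)
    buf = bytearray(data)
    if buf[off] != JE_SHORT:
        raise ValueError(f"expected 74 (je) at offset {off:#x}, found {buf[off]:02X}")
    buf[off:off + 2] = bytes([NOP, NOP])
    return bytes(buf), off


def build_sample_exe():
    """Constructed stand-in for privdsk.exe: a minimal PE32 with one .text
    section and the tutorial's two jumps (74 32 and 74 2D) at the quoted offsets."""
    buf = bytearray(0x3000)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)                      # e_lfanew
    pe = 0x80
    buf[pe:pe + 4] = b"PE\0\0"
    # COFF header: i386, 1 section, no symbols, PE32 optional header size 0xE0
    struct.pack_into("<HHIIIHH", buf, pe + 4, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = pe + 24
    struct.pack_into("<H", buf, opt, 0x10B)                      # PE32 magic
    struct.pack_into("<I", buf, opt + 28, 0x400000)              # ImageBase (assumed)
    sec = opt + 0xE0                                             # first section header
    # name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData (assumed)
    struct.pack_into("<8sIIII", buf, sec, b".text", 0xA000, 0x1000, 0xA000, 0x400)
    buf[0x17A3:0x17A5] = b"\x74\x32"   # je 004023D7 from Task1
    buf[0x26FF:0x2701] = b"\x74\x2D"   # je 0040332E from Task1.1
    return bytes(buf)


def patch_private_desktop(data):
    """Apply both of the tutorial's patches; returns the new file and the offsets used."""
    data, off1 = nop_short_je(data, 0x4023A3)   # "Program registered" check
    data, off2 = nop_short_je(data, 0x4032FF)   # "Registered" in the About box
    return data, (off1, off2)


if __name__ == "__main__":
    patched, offsets = patch_private_desktop(build_sample_exe())
    print("patched offsets:", [hex(o) for o in offsets])   # ['0x17a3', '0x26ff']
```

Running nop_short_je a second time on the already patched image raises, because the byte at the offset is now 90 rather than 74; that is the check a hand edit in Hiew relies on you making by eye.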
Task1.1
Start the program and it will load down by the clock (the system tray).
Right click and choose "About Private Desktop".
Now you can see a window that says Unregistered. Let's change that.
Open privdsk.exe in W32Dasm; in "String Data References" you can see this: Registered
I wonder what the hell that is. Double click on it and you will see this code.
:004032FD 85C0 test eax, eax
:004032FF 742D je 0040332E
<-- If the code is not correct, show Unregistered; if the code is good,
show Registered.
* Possible StringData Ref from Data Obj ->"Registered"
|
:00403301 BFD0F34000 mov edi, 0040F3D0
<-- You land here.
:00403306 83C9FF or ecx, FFFFFFFF
Hehe, guess what.
Location | Offset | Original Bytes | Replaced with |
004032FF | 26FF | 742D | 9090 |
How to replace?
Hmmrf.
Open privdsk.exe in Hiew.exe and press Enter twice and you will be in decode mode.
Go to (F5) offset 26FF.
Now you are standing on the jump; check that Hiew shows 742D there before you edit.
Edit (F3) and type in 9090 (90 = NOP,
NOP = No OPeration).
Update the file (F9).
Quit Hiew (F10 or Esc).
Try to run the program. It now says Registered.
Task2
Open VIPer21.exe and fill in the information. I wrote this:
Name Of Cracker: Acid_Cool_178
Name Of Program to Produce the Crack: Private Desktop V1.5
Click on Original File and choose the backup you took.
Click on Cracked File and choose the cracked file.
And Create.
Replace the cracked file with the backup, copy the patch into Private Desktop's
directory and run it. Does it work?
This was the easy way to create a patch; I will explain another way in another tutorial.
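What VIPer does with the backup and the cracked file is a byte-for-byte comparison: every differing offset becomes one (offset, old byte, new byte) entry, and the patcher re-applies those entries to a fresh original. The script below is an added example of that process and is not VIPer's code or the tutorial's; it also records a SHA-256 of the original and checks every old byte before writing, so the patch cannot be applied to another version of privdsk.exe or applied twice. The two byte strings it builds are constructed stand-ins for the backup and the cracked file, carrying only the four bytes the tutorial changes.

```python
"""Generate a VIPer-style byte patch from an original/cracked pair and apply
it with verification. Added example, not VIPer's or the tutorial's code; the
files in build_samples() are constructed test data."""
import hashlib


def make_patch(original, cracked):
    """Return {'sha256': hash of the original, 'changes': [(offset, old, new), ...]}.

    Only in-place changes are described, so files of different size are refused."""
    if len(original) != len(cracked):
        raise ValueError("original and cracked file differ in size; not an in-place patch")
    changes = [(i, original[i], cracked[i])
               for i in range(len(original)) if original[i] != cracked[i]]
    return {"sha256": hashlib.sha256(original).hexdigest(), "changes": changes}


def apply_patch(data, patch):
    """Apply a patch after checking the file hash and each original byte, so the
    patch cannot hit the wrong file, the wrong version, or an already patched copy."""
    if hashlib.sha256(data).hexdigest() != patch["sha256"]:
        raise ValueError("target does not match the original the patch was made from")
    buf = bytearray(data)
    for off, old, new in patch["changes"]:
        if buf[off] != old:
            raise ValueError(f"offset {off:#x}: expected {old:02X}, found {buf[off]:02X}")
        buf[off] = new
    return bytes(buf)


def format_patch(patch):
    """Render the change list like the tutorial's Offset / Original / Replaced table."""
    rows = ["Offset | Original | Replaced"]
    rows += [f"{off:04X} | {old:02X} | {new:02X}" for off, old, new in patch["changes"]]
    return "\n".join(rows)


def build_samples():
    """Constructed stand-ins: an 'original' with the two je instructions at the
    tutorial's offsets (17A3: 74 32, 26FF: 74 2D) and a 'cracked' copy with them NOPed."""
    original = bytearray(0x3000)
    original[0x17A3:0x17A5] = b"\x74\x32"
    original[0x26FF:0x2701] = b"\x74\x2D"
    cracked = bytearray(original)
    cracked[0x17A3:0x17A5] = b"\x90\x90"
    cracked[0x26FF:0x2701] = b"\x90\x90"
    return bytes(original), bytes(cracked)


if __name__ == "__main__":
    original, cracked = build_samples()
    patch = make_patch(original, cracked)
    print(format_patch(patch))
    print("round trip ok:", apply_patch(original, patch) == cracked)   # True
```

The hash check is what turns "does it work?" into a definite answer: a patch built against one build of privdsk.exe refuses to run against any other, instead of NOPing whatever happens to sit at offset 17A3 there.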
Task3
In W32Dasm, at this line
:0040239F 85C0 test eax, eax
something is being tested, and I wonder what? Maybe it's my serial :) Let's find
that out.
Enter your Name and Code.
Open Soft Ice (CTRL+D) and enter BPX HMEMCPY [Enter]
Exit Soft Ice (CTRL+D) and press the Register button.
*BANG* You're in Soft Ice now.
Clear all breakpoints by typing BC * [Enter]
Press F12 8 times until you can see some normal code (32-bit addresses of the form described under Questions below).
Type G 40239F [Enter]
And what the hell is happening? I'm out of my normal code!!
Now press F12 8 more times and type G 40239F [Enter]
and you're back in the good code.
You are now standing on the test line; type D EDX [Enter].
Look in your data window and you can now see your code; my code was DDE53AE341
and that code worked :)
Questions |
1. What is "normal code"?
Answer: I define "normal code" as addresses of the form xxx:xxxxxxxx and not xxxx:xxxxx or
similar. The part after the colon must be 8 digits in total, as in W32Dasm.
Ending |
If you don't have the newest version of VIPer then please download it. I created my
patch in VIPer21.exe (a beta) and it rocks. Good work Borna Janes and Eternal Bliss.
Set the clock back to today's date.
I want to send best regards to LaZaRuS, who created the key generator and spent some
words and time on me.
Greetings |
LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do and all the others I have forgotten