Acid_Cool_178
presents his

#25  Tutorial

 

For Hellforge

This Text Is Only Meant For Educational Purposes And Not To Be Used Illegally. I Take No Responsibility For Illegal Use Of This Text. Move On At Your Own Risk.

Author Information
E-mail: acid_cool_178@hotmail.com
Age: 17
Web Page: http://acidcool.cjb.net/
Date: March 2K
Member of: Hellforge, Flying Horse Cracking Force
Groups' Web Pages: Hellforge Login, FHCF Login

 

Program Information
Name: MP3 To EXE (MP3TOEXE.EXE)
Size: 893 KB (unzipped, and only the EXE file)
Author: Shareit! / Oliver Buschjost
Where to Download: http://www.shareit.com
Tools used: W32Dasm, Soft Ice, Registry Monitor
Download Tools At: 1. Player Tools 2. Programmer Tools
What kind of a program: Crackme / Shareware
Skill: Easy / Not so easy / Hard / X-pert

 

Information about the Protection I

This program has a kind of serial calculation that is new to me.
You get a Name, a Serial Number and a Registration Number.

Before We Start

Here are some basic Soft Ice (SI) commands:

Open: CTRL+D
Exit: CTRL+D or X
Dump register: D Register (D EAX and so on)
Go to: G Location
Breakpoint on execution: BPX
Clear all breakpoints: BC *
F12: "^p ret;"

 

The Process

Open MP3TOEXE.EXE in W32Dasm. In String Data References you can see the string "The Registrationinformation is ". Double-click on that string and you will end up here.

* Possible StringData Ref from Code Obj ->"The Registrationinformation is "
->"wrong. Try again?"
|
:0045468B BA4C4B4500                              mov edx, 00454B4C


Here the bad message box is created. Now scroll up some lines and you can see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004545ED(C)

That means that somewhere in the program there is an instruction that jumps to this location, and we don't want that to happen. The jump is at 004545ED. Scroll up to that location and you can see this.

:004545E8 E82BF2FAFF                              call 00403818
:004545ED 0F8591000000                            jne 00454684

Do a D EDX at the call and you can see your real Registration Number :)

Run MP3TOEXE.EXE and fill in the information. I wrote this:

Name:               Acid_Cool_178
Serialnumber:       Norwegian Cracker
Registrationnumber: 2951

and opened SI. Type in bpx hmemcpy and exit SI.
Now, we know that the serial is getting compared at 0040381F, so we will put a breakpoint there later.
Click on the "Register Now" button and you are back in SI.
Now take a look at your location xxxx:xxxx
And now we know that we are in the wrong place. Good code is xxxx:00xxxxxx
So press F12 until you are in good code.
Now that you are in good code, you can clear all breakpoints,
do a bpx 004545E8 and exit SI,
and you're back again in SI, and now you are AT the call. Just do a D EDX [ENTER] and in the code window you can see your code. I saw 5FD82EEE4024C265

I changed 2951 to 5FD82EEE4024C265 and pressed the button. Now, if you had your Registry Monitor running, you would see this.

3.12482080    Mp3toexe    SetValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Name    SUCCESS     "Acid_Cool_178"   
3.12487520    Mp3toexe    SetValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Serial     SUCCESS    "Norwegian Cracker"    
3.12492720    Mp3toexe    SetValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Free    SUCCESS     "5FD82EEE4024C265"   

You won't get a box that says "Registered, thank you".
No way. But the program has saved the information in the Windows registry.
Just close all of the "Registration" boxes and click on the "about" button. There you can see this.
Registered to Acid_Cool_178
Serialnumber: Norwegian Cracker

Well, it's cracked. Try to close the program and start it with Registry Monitor activated, and now you can see this:
3668.77380560    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Name    SUCCESS     "Acid_Cool_178"   
3668.77409280    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Serial     SUCCESS       
3668.77411760    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Serial     SUCCESS    "Norwegian Cracker"    
3668.77424000    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Free    SUCCESS        
3668.77426080    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Free    SUCCESS     "5FD82EEE4024C265"   
3670.64020880    Mp3toexe    OpenKey     HKLM\Software\Oliver Buschjost\MP3TOEXE    SUCCESS     hKey: 0xC69AB420   
3670.64024160    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Name    SUCCESS        
3670.64026400    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Name    SUCCESS     "Acid_Cool_178"   
3670.64030240    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Serial     SUCCESS       
3670.64032480    Mp3toexe    QueryValueEx     HKLM\Software\Oliver Buschjost\MP3TOEXE\Serial     SUCCESS    "Norwegian Cracker"    

And now the "Register" button is gone :).
Mission complete, program cracked
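
The steps above work because the program computes the valid registration number itself and passes it to a compare routine, where a debugger can read it. As an added example (not from the original tutorial and not MP3 To EXE's code), this Python block puts that pattern beside a verify-only check in which the client holds only a public key. The HMAC derivation, the demo key, the sample input and all function names are assumptions.

```python
import hashlib
import hmac

# Constructed demo key: product of two Mersenne primes. Far too small and too
# structured for real use; it only keeps the example dependency-free.
P, Q = 2**89 - 1, 2**107 - 1
N, E = P * Q, 65537                    # public half, shipped in the client
D = pow(E, -1, (P - 1) * (Q - 1))      # private half, stays on the vendor side

def _digest(name: str, serial: str) -> int:
    """Hash the licence fields to an integer below N."""
    data = name.encode() + b"\x00" + serial.encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

# Weak pattern: the client derives the one valid code, then compares.
# Stand-in derivation; the real program's algorithm is not shown on the page.
WEAK_SECRET = b"constructed-embedded-secret"

def weak_expected(name: str, serial: str) -> str:
    """The valid code exists in client memory before the comparison."""
    mac = hmac.new(WEAK_SECRET, f"{name}|{serial}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16].upper()

def weak_check(name: str, serial: str, entered: str) -> bool:
    return entered == weak_expected(name, serial)  # valid code is an operand

# Hardened pattern: the client can verify a code but cannot produce one.
def vendor_issue(name: str, serial: str) -> str:
    """Vendor side only: signing needs the private exponent D."""
    return format(pow(_digest(name, serial), D, N), "x")

def client_verify(name: str, serial: str, entered: str) -> bool:
    """Uses only N and E; no expected code is ever computed on the client."""
    try:
        sig = int(entered, 16)
    except ValueError:
        return False
    return 0 <= sig < N and pow(sig, E, N) == _digest(name, serial)

if __name__ == "__main__":
    name, serial = "Example User", "Example Serial"  # constructed sample input
    print("weak check computes:", weak_expected(name, serial))
    code = vendor_issue(name, serial)
    print("signed code verifies:", client_verify(name, serial, code))
    print("guessed code verifies:", client_verify(name, serial, "2951"))
```

A production scheme would use a vetted signature library (Ed25519 or RSA-PSS) with a full-size key; the structure of the check stays the same.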

Ending

I guess that you are wondering what the hell "^p ret;" is. Well, look at this info.

xxxx:xxxxxxxx    Call 12345678

When you are tracing into that call and the RET instruction somewhere inside it is executed, you go back to the line after the call you were in.

Greetings

LaZaRuS, Wajid, Borna Janes, ManKind, Eddie Van Camper, ACiD BuRN, KoRnFLeX, Eternal_Bliss, Potsmoke, DiABLO, Torn@do, ^AlX^ and all the others I have forgotten