BiSHoP's Tutorial # 1 (May 8, 2000)

Target: Winzip Self-Extractor 2.1
Where: http://www.download.com or www.winzip.com

Index:
1. Introduction
2. Basics
3. Requirements
4. Starting to crack
5. Cracking the program
6. Finale
7. Greetz & Thanx

---------------------------------------------------

1. Introduction-

Well, this is the first tutorial I wrote so I'll explain the basics first. I've seen lots of tutorials written by crackers online; some of them were simple and helped me a lot, some were just messed up and didn't know what the heck they were talking about. This tutorial is basically for newbies who have at least a basic knowledge of the Windows operating system. If you just got your first computer a week ago and want to learn cracking, forget about it (yes, I'm serious!). OK, sorry 'bout that, let's get to the important stuff.

2. Basics-

Cracking, in my opinion, is understanding how (shareware) programs work and being able to reverse engineer their code. We mostly crack programs because of their annoying messages that keep bugging you to register or buy the full program. The software industry has found that useful and now more and more companies are using the SHAREWARE method. They are also (trying) to increase their programs' protection so it's harder to crack them (but of course, as long as there are crackers, program protections are lame!). So there you go!

3. Requirements-

The programs crackers use can be found all over the Internet for free (cracked). One is called Softice, or SICE for short. Softice is a debugger: a program that can break right at the point you tell it to, letting you browse through the program's memory. If you need more information about debuggers, learn how to use a search engine and go look for manuals and tutorials on debugging.
Here's the complete list of requirements:

Low level debugger: recommended: Softice (I use 3.24)
32bit Disassembler: recommended: W32Dasm (I use 8.93)
Hex Editor: recommended: Hiew (I use 6.00)

As you get more advanced, you might also want to get an ASM compiler so you can make key generators for the programs you crack. And oh yeah, last but not least, you need a little bit of ASM knowledge too. You don't need to know all of it, just the basics, but knowing lots of ASM is the best start of a cracking career! That just about covers the requirements (I hope).

4. Starting to crack

OK, if I were you, I would have gone and gotten all those wonderful debuggers and disassemblers already. Starting this part of the tutorial, I really suggest you have at least Softice. Our target is Winzip Self-Extractor 2.1 by Nico Mak Computing, the company that makes the worst protection ever! So this will be an extremely easy target for newbies. Hey, don't worry, it's easy but you'll still learn from it :) I also found other tutorials online that use MessageBoxA as the breakpoint and they work fine too, but I'll just stick with my method for now.

5. Cracking the program

OK, start Winzip Self-Extractor, and the nasty shitty nag appears. If yours is registered, you can delete winzipse.dat in the program folder and it will be unregistered. Click OK and you are taken to the welcome screen. Given the 'Enter Registration Code' option, of course we're gonna go for it! Click on it and type your name and a serial number 6 digits long. We'll stick with 6 digits because we are using GetDlgItemTextA and the program will check the length; if you don't type 6, you'll end up jumping to the wrong location. I typed:

Organization: BiSHoP
Registration#: 121212

OK, wait, now what kind of breakpoint should we set? Well, from past experience, most of the Winzip programs I cracked use the GetDlgItemTextA function to get the serial, so why not give it a shot.
OK, Ctrl-D into Softice and set a breakpoint on GetDlgItemTextA (32bit!):

bpx GetDlgItemTextA [ENTER]

F5 to get out of Softice, now go to the Winzip SE (Self-Extractor) Registration box and click OK. Poof! Softice takes over; press F11 to get to the part where Winzip SE executed the call. Below is a disassembled part of the code:

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
|
:00408DDE FF15A0F64200   Call dword ptr [0042F6A0]        <== Call to GetDlgItemTextA
:00408DE4 0FB60520C74200 movzx eax, byte ptr [0042C720]   <== Where you start
:00408DEB 85C0           test eax, eax                    <== Checks if you typed anything
:00408DED 0F851F000000   jne 00408E12                     <== If so, jump to 408e12
:00408DF3 6A10           push 00000010                    <== If not, displays a messagebox
:00408DF5 6A00           push 00000000
:00408DF7 68CE130000     push 000013CE
:00408DFC E8FDD8FFFF     call 004066FE                    <== Determines what message will display
:00408E01 50             push eax
:00408E02 FF7508         push [ebp+08]

* Reference To: USER32.MessageBoxA, Ord:0195h             <== Messagebox
|
:00408E05 FF15E0F64200   Call dword ptr [0042F6E0]
:00408E0B 33C0           xor eax, eax
:00408E0D E92E020000     jmp 00409040

----------------------------------------------------

* Reference To: USER32.GetDlgItemTextA, Ord:00F5h
|
:00408E24 FF15A0F64200   Call dword ptr [0042F6A0]
:00408E2A 6810C64200     push 0042C610
:00408E2F E84C2D0100     call 0041BB80
:00408E34 83C404         add esp, 00000004
:00408E37 6810C64200     push 0042C610
:00408E3C E8AFA60000     call 004134F0                    <== Checks fake serial
:00408E41 83C404         add esp, 00000004
:00408E44 83F808         cmp eax, 00000008                <== Checks if fake serial length is 8
:00408E47 0F8530000000   jne 00408E7D                     <== If not 8, jump; if it is 8, show error

-----------------------------------------------------

OK, sorry about all the messed up code; the rest isn't important. When SICE breaks on GetDlgItemTextA, you'll end up inside the API's own code. Press F11 to return to the call that was made by the program and you should end up on line 00408DE4.
Trace (F10) through the code until you reach the conditional jump to 408e7d, and take it.

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408E47(C)
|
:00408E7D 0FB60510C64200 movzx eax, byte ptr [0042C610]
:00408E84 83F859         cmp eax, 00000059
:00408E87 0F8562000000   jne 00408EEF                     <== Another conditional jump

------------------------------------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00408E87(C), :00408E96(C)
|
:00408EEF 0FB60520C74200 movzx eax, byte ptr [0042C720]
:00408EF6 85C0           test eax, eax
:00408EF8 0F850F000000   jne 00408F0D
:00408EFE 0FB60510C64200 movzx eax, byte ptr [0042C610]
:00408F05 85C0           test eax, eax
:00408F07 0F845D000000   je 00408F6A

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408EF8(C)
|
:00408F0D 6A00           push 00000000
:00408F0F E8D2FCFFFF     call 00408BE6
:00408F14 85C0           test eax, eax                    <== Test serial
:00408F16 0F854E000000   jne 00408F6A                     <== If serial matches, jump

--------------------------------------------------------

OK, now trace the code (F10) until you reach the call to 408be6 on line 408F0F, and trace into the call (F8).
--------------------------------------------------------

* Referenced by a CALL at Addresses:
|:0040422C , :00408E8F , :00408F0F
|
:00408BE6 55             push ebp
:00408BE7 8BEC           mov ebp, esp
:00408BE9 81EC04010000   sub esp, 00000104
:00408BEF 53             push ebx
:00408BF0 56             push esi
:00408BF1 57             push edi
:00408BF2 837D0800       cmp dword ptr [ebp+08], 00000000
:00408BF6 0F8405000000   je 00408C01
:00408BFC E8A0FCFFFF     call 004088A1

------Took out some gibberish---------------------------

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00408C47(C)
|
:00408C66 8D85FCFEFFFF   lea eax, dword ptr [ebp+FFFFFEFC]
:00408C6C 50             push eax
:00408C6D 6820C74200     push 0042C720
:00408C72 E837FDFFFF     call 004089AE                    <== Generate real serial
:00408C77 6810C64200     push 0042C610
:00408C7C 8D85FCFEFFFF   lea eax, dword ptr [ebp+FFFFFEFC]
:00408C82 50             push eax

---------------------------------------------------------

Continue to trace (F10) until you reach line 408C72, the call that makes the real serial #. Trace 2 more times, onto 408C7C, and take a look at the contents of EAX (d eax). There you go: the first 6 characters you see are the real serial number. Now get outta SICE, change the fake serial to the real one and click OK. Voila! Click on About; it's registered to you.

6. Finale-

Sorry about all the code, just read it carefully line by line and you should understand it. It is also possible to patch the program so it accepts any serial number, but with a protection this easy to crack, I won't bother patching it.

7. Greetz & Thanx-

Greetinz: UCF, Mexelite, Phrozen Crew, CiA, CORE, ODDITY, CookieCrK, Prophecy, RTD, HellForge, and to any of ya I left out!

Thanx to: tKC for all his tutorials, CookieCrK for providing me with some cracking toolz, and to all the sites in the Reverse Engineering Web ring for all their tuts, and oh yeah, thanx for reading this tut!

Peace out 'til next time yall!

-BiSHoP-
diablo337@hotmail.com
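The weak point the trace in section 5 lands on is a check that rebuilds the real serial in a stack buffer and compares it in the clear, which is why "d eax" at the compare reads it straight out. Below is an added example in C, not code from the tutorial or from Winzip, that puts that pattern beside a check which never materialises the serial; the 6-digit derivation and the FNV-1a digest are constructed toys for the demonstration, not Winzip's algorithm.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a over a byte string: a stand-in digest for this toy (not
 * cryptographic; a real product would use a proper hash). */
static uint32_t fnv1a(const void *buf, size_t len) {
    const uint8_t *p = buf;
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < len; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Constructed vendor key-derivation: 6 digits from the name. This is
 * NOT Winzip's algorithm; it only gives both checks something to test. */
void derive_serial(const char *name, char out[7]) {
    snprintf(out, 7, "%06u", (unsigned)(fnv1a(name, strlen(name)) % 1000000u));
}

/* Weak check, the pattern traced in section 5: the program rebuilds the
 * real serial into a local buffer (the tutorial's "Generate real serial"
 * call) and strcmp's it against the typed one. At the compare the real
 * serial sits in memory in the clear, which is exactly what "d eax" shows. */
int weak_check(const char *name, const char *typed) {
    char real[7];
    derive_serial(name, real);
    return strcmp(real, typed) == 0;
}

/* Vendor side of the hardened scheme: the registration record carries a
 * digest of name|serial rather than anything the serial can be read from. */
uint32_t make_record_digest(const char *name, const char *serial) {
    char buf[256];
    int n = snprintf(buf, sizeof buf, "%s|%s", name, serial);
    if (n < 0 || (size_t)n >= sizeof buf) return 0;   /* 0 = too long */
    return fnv1a(buf, (size_t)n);
}

/* Hardened check: the program never materialises the real serial, so a
 * breakpoint at the compare sees only two digests. This does not stop
 * patching the conditional jump or forging a record; closing that needs
 * a vendor signature the program can verify but cannot produce. */
int hardened_check(const char *name, const char *typed, uint32_t record) {
    uint32_t d = make_record_digest(name, typed);
    return d != 0 && d == record;   /* 0 is the overflow sentinel above */
}
```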