LaZaRuS proudly presents his 1st Cracking Tutorial (20.01.1999)

I.   Introduction
I.1  What is cracking and how can I learn it
I.2  Is cracking illegal?
I.3  Aims of this document
I.4  Tools you need for my tutorial
II.  Cracking(?), the lamer(?) way
III. Cracking with Win32Dasm
IV.  Cracking with Soft-Ice for Windows
IV.1 Installing Soft-Ice
IV.2 Let's start cracking
V.   Writing a patch in C++
VI.  BTW

I. Introduction

Welcome to my first cracking tutorial.

I.1 What is cracking and how can I learn it:

Cracking is the editing of (most of the time) shareware programs so that you can use them after the time limit expires, remove nag screens, remove copy protections, or get the password to register them directly. Actually I can't say how to become a good cracker, because I'm still a newbie, but there are two important things you should do: read, read, read, read as many cracking tutorials as you can find (start at www.fravia.org or http://Qserve.8m.com), and practice. Install programs only to crack them, try your skills, and remove them once you have the crack or have lost hope (patience is very important).

I.2 Is cracking illegal?

There are several opinions on the web that say it is illegal and several that say it's not. I believe that manipulating the code of a program or patching it with a hex editor is absolutely illegal. Searching for the correct registration number should not be illegal, or should even be legal. Who cares when I look at my RAM and see (accidentally, of course ;-) the correct serial number for a program.
I.3 Aims of this document:

In the very beginning of my cracking time I searched for tutorials to learn from, but most of them were so bad that no newbie could follow them, even though they were written for newbies. Now I want to write a tutorial for all those newbies who think cracking is way too hard for them, only because they can't find a good example of a crack. I want to write down every single step, from installing the tools and the first start of the program to be cracked through to the crack itself, and do this in several ways.

I.4 Tools you need for my tutorial:

- Win32Dasm 8.9 (get it at http://Qserve.8m.com)
- Soft-Ice for Windows (get it at http://Qserve.8m.com)
- A hex editor. I prefer Hex Workshop 2.54 (get it at www.bpsoft.com; change the bytes at 909A and 256B4 to 85 and you can register it with any serial#)
- Jaylock, the program to be cracked (get it at http://Qserve.8m.com, Tutorials section; it comes with another tutorial by Quantum-X)
- A Windows API reference (included with any Borland/Inprise programming language)

II. Cracking(?), the lamer(?) way

The first way is no real cracking. There are several shareware programs that have a really lousy process for calculating the correct serial#. It seems they use only multiplication in their process, so when you put 0 in every text field the correct serial will also be 0. No joke, I've seen several appz that use such a process, especially if the serial doesn't depend on a name or other string but on a number, for example a product ID (Jaylock does this). Try this way first, so you can save time if you're lucky. Don't try this on Jaylock, because it works and then you needn't read this tutorial any further. If you really want to try, delete the entry HKEY_LOCAL_MACHINE\Software\Jaytown\Jaylock\SeedPadding in the Windows registry. If you don't know how to do this, learn to handle Windows properly first and come back to cracking when you know how to use the Windows registry. OK, don't expect too much from this way of cracking(?).
It will only work with 0.5% of the programs you try it on. About the question marks in the headline: I don't think it is real cracking, but it can save you time, and thus it isn't a lamer way either.

III. Cracking with Win32Dasm:

First make a copy of Jaylock.exe, because you can't use Win32Dasm and a hex editor on the same file at the same time. Then start Jaylock. A registration screen appears where you are supposed to enter the serial# you received. You didn't register it? Bad boy. Seems you need to crack it to get the full version. You can see a "unique" product ID (HAHAHA, it is stored in the Windows registry under HKEY_LOCAL_MACHINE\Software\Jaytown\Jaylock\PrimeFactor; at least he didn't use obvious key names). If you want, you can change it in the registry to whatever you like, but then you have to restart Jaylock. Below the ID you see a text field where you can put in your serial number. Enter any number you want and press the OK button. Now a message box should appear saying that this is not the correct registration code. If it doesn't, then you already have a cracked version, or you guessed the correct serial#: congratulations. Write down the error message saying it was the wrong serial#, or at least its first four words. Now quit Jaylock and start Win32Dasm. Open Jaylock.exe to disassemble it. Now search for the words you noted from the wrong-serial# message; I used 'This not the'. You can also do this via the menu [Refs], [String Data References], but I prefer searching, because I don't want to step through hundreds of string references in some programs. Win32Dasm should have found the place where the string is used.
You should see this:

    :0040651E 3BC1                 cmp eax, ecx
    :00406520 7438                 je 0040655A
    :00406522 8B8EDC000000         mov ecx, dword ptr [esi+000000DC]
    :00406528 6A30                 push 00000030
    :0040652A 41                   inc ecx

    * Possible StringData Ref from Data Obj ->"Notification"
                                      |
    :0040652B 68AC214300           push 004321AC
    :00406530 898EDC000000         mov dword ptr [esi+000000DC], ecx

    * Possible StringData Ref from Data Obj ->"This not the correct registration "
                                            ->"code. Please go to http://www.jaytown.com "
                                            ->"to obtain you registration code"
                                      |
    :00406536 68A8284300           push 004328A8
    :0040653B 8BCE                 mov ecx, esi
    :0040653D E835A40100           call 00420977
    :00406542 83BEDC00000003       cmp dword ptr [esi+000000DC], 00000003
    :00406549 7516                 jne 00406561
    :0040654B 8BCE                 mov ecx, esi
    :0040654D E81B5E0100           call 0041C36D
    :00406552 5E                   pop esi
    :00406553 81C4F4010000         add esp, 000001F4
    :00406559 C3                   ret

If you don't see this, something went wrong, or you have a different version of Jaylock than the one used here (1,0,0,1). If you see only garbage, choose another font from the [Disassembler], [Font] menu. The line

    * Possible StringData Ref from Data Obj ->"This not the correct registration "

is colored differently: this color marks the active line. Scroll up and down a little (two seconds at most) to get a feeling for it. Now look at the code above that line:

    :0040650F 51                   push ecx
    :00406510 E8CB180000           call 00407DE0
    :00406515 8B8ED8000000         mov ecx, dword ptr [esi+000000D8]
    :0040651B 83C404               add esp, 00000004
    :0040651E 3BC1                 cmp eax, ecx
    :00406520 7438                 je 0040655A
    :00406522 8B8EDC000000         mov ecx, dword ptr [esi+000000DC]
    :00406528 6A30                 push 00000030
    :0040652A 41                   inc ecx

Look upwards until you see a jump instruction. You can recognize them by the 'j' at the start of the third column. The first column shows the code offset (the virtual address), the second the hex bytes of the instruction shown in the third column. Hopefully you found je 0040655A. One line above it is a compare (cmp eax, ecx). Now look at the jump. It leads to code offset 0040655A.
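The listing can be checked by hand. A two-byte conditional jump is an opcode byte (74 = je, 75 = jne, EB = jmp) followed by a signed 8-bit distance counted from the end of the jump, so 7438 at 00406520 lands at 00406520 + 2 + 38 = 0040655A, exactly what Win32Dasm prints, and 7516 at 00406549 lands at 00406561. The same kind of arithmetic turns a virtual address into the file offset you later need in the hex editor: subtract the image base, find the section holding the address, and shift by the gap between that section's load address and its position in the file. The C program below is an added example, not code from the tutorial or from Jaylock. It decodes the two jumps in the listing, maps 00406520 to a file offset using a section table whose values (.text loaded at RVA 1000h, stored at file offset 400h) are an assumption, since the tutorial only gives the resulting offset, and flips the je to a jmp in a constructed in-memory stand-in for the file, refusing to write unless the byte at the offset really is 74h.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* x86 short jumps are two bytes: an opcode and a signed 8-bit displacement. */
#define OP_JE   0x74   /* je / jz   rel8 */
#define OP_JNE  0x75   /* jne / jnz rel8 */
#define OP_JMP  0xEB   /* jmp       rel8 (unconditional) */

/* Target of a short jump at virtual address va. The displacement is counted
   from the end of the jump itself, i.e. from va + 2. */
uint32_t short_jump_target(uint32_t va, uint8_t disp)
{
    return va + 2 + (uint32_t)(int32_t)(int8_t)disp;
}

/* One PE section header, reduced to the three fields the mapping needs. */
struct section {
    uint32_t virtual_address;   /* RVA at which the section is loaded */
    uint32_t raw_size;          /* SizeOfRawData */
    uint32_t raw_pointer;       /* PointerToRawData: where it sits in the file */
};

/* Map a virtual address to a file offset: locate the section that holds the
   RVA and shift by the gap between its load RVA and its raw file position.
   Returns -1 if no section backs the address with file data. */
long va_to_file_offset(uint32_t image_base, uint32_t va,
                       const struct section *secs, size_t n)
{
    uint32_t rva = va - image_base;
    for (size_t i = 0; i < n; i++) {
        uint32_t start = secs[i].virtual_address;
        if (rva >= start && rva - start < secs[i].raw_size)
            return (long)secs[i].raw_pointer + (long)(rva - start);
    }
    return -1;
}

/* Turn a je into a jmp in an in-memory copy of the file. The write is refused
   unless the byte really is a je, so a wrong offset or a different version of
   the program is reported instead of silently corrupted. Returns 0 on success. */
int patch_je_to_jmp(uint8_t *image, size_t len, long off)
{
    if (off < 0 || (size_t)off >= len) return -1;  /* offset outside the file */
    if (image[off] != OP_JE) return -2;            /* not a je: wrong version? */
    image[off] = OP_JMP;                           /* same length, distance byte untouched */
    return 0;
}

/* Constructed stand-in for Jaylock.exe (not the real file): 6000h NOP bytes
   with the je bytes from the listing placed at file offset 5920h. Patches at
   off and returns the byte now at 5920h, or the negative error code. */
int patch_constructed_image(long off)
{
    uint8_t image[0x6000];
    memset(image, 0x90, sizeof image);
    image[0x5920] = OP_JE;
    image[0x5921] = 0x38;
    int rc = patch_je_to_jmp(image, sizeof image, off);
    return rc == 0 ? image[0x5920] : rc;
}

int main(void)
{
    /* Assumed section layout, NOT read from Jaylock: .text loaded at RVA 1000h
       and stored at file offset 400h, as a linker of that era would lay it out. */
    const struct section secs[] = { { 0x1000, 0x2E000, 0x400 } };

    printf("7438 at 00406520 -> je  %08X\n", (unsigned)short_jump_target(0x00406520, 0x38));
    printf("7516 at 00406549 -> jne %08X\n", (unsigned)short_jump_target(0x00406549, 0x16));

    long off = va_to_file_offset(0x00400000, 0x00406520, secs, 1);
    printf("file offset of the je: %lXh\n", off);

    int byte = patch_constructed_image(off);
    printf("byte at that offset after patching: %02X\n", byte);
    return byte == OP_JMP ? 0 : 1;
}
```

Compile with a plain C compiler (cc jump.c). The computed offset is 5920h, which is the value the next section reads off Win32Dasm; calling patch_constructed_image twice on a real file would fail the second time with -2 because the byte is already EB, which is the check a patcher should do before touching anything.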
If you look at the code you can see that this jump goes beyond the 'This not the...' string, and therefore beyond the message box. Now guess: why should the code compare something and then jump to a section beyond the error box? Exactly! Here it compares the serial you entered with the one the program calculated. If the serial is correct it jumps past the box; if not, you guessed the wrong serial. Wouldn't it be nice if we could change this and turn the jump condition around? Actually we can, with a hex editor. Click on the je line in the middle of the Win32Dasm window and you can see the file offset we have to change: it is 5920h. Write the offset down and load the copy of Jaylock you made in the very beginning into the hex editor. Go to that offset. The byte at 5920h is 74 (the first byte of the 7438 in the listing). OK, but what to change it to? The assembler mnemonic je means 'jump if equal'; reverse it and you get 'jump if not equal', jne in assembler. The opcode of a short je is 74 and the opcode of a short jne is 75, so we could change the 74 to 75. STOP! Don't do this: Jaylock wouldn't accept correct serials anymore. Jumping with every serial is even better. You get this by changing the 74 to EB, meaning 'jump' (always), jmp in assembler; the second byte, the jump distance 38, stays as it is. Now save the edited file, exit the hex editor and start the copy of Jaylock. Enter any serial# and you will see that it worked. If it doesn't, go through this tutorial again and find your mistake. The crack is nice, but what if you want to distribute it? What about writing a little patcher (in C++) for Jaylock? If you want to do this and need help, read chapter V.

IV. Cracking with Soft-Ice for Windows

IV.1 Installing Soft-Ice:

Once you have installed Soft-Ice there are several difficulties to master. First you have to load Soft-Ice before you start Windows, second you have to choose your graphics driver, and third you have to edit the file 'Winice.dat' in the Soft-Ice directory.
For the first difficulty I would install a software boot menu in the AUTOEXEC.BAT and CONFIG.SYS files. Example:

AUTOEXEC.BAT:

    @Echo Off
    REM Here put in your normal stuff, like drivers
    goto %CONFIG%
    :SICE
    C:\SIW95\WINICE.EXE
    goto common
    :NORM
    goto common
    :common

(end of file)

The lines starting with ':' are labels, the places the 'goto' lines jump to. DOS puts the name of the menu item you picked in CONFIG.SYS (SICE or NORM) into the CONFIG environment variable, so 'goto %CONFIG%' jumps to the matching label and only the SICE branch loads WINICE.EXE.

CONFIG.SYS:

    [menu]
    menuitem SICE,Soft-Ice
    menuitem NORM,Normal Mode
    menudefault NORM,5
    [SICE]
    [NORM]
    [common]
    REM Put your normal stuff here.

(end of file)

Next difficulty: start VSetup in the SI directory (Soft-Ice = SICE = SI). If your video card isn't listed there, choose VGA, because SI won't work if you choose anything else. If you have to choose VGA you need a hardware boot menu too, because you have to switch between the video drivers depending on whether you start Windows in normal mode or in SI mode. You can do this in the Windows Control Panel, System: copy your hardware profile and disable your video card in the new profile. Save. The next time you start Windows you can choose the hardware and the software you wish to load. If you disabled your video card and you start Windows with SI, there will be some error messages asking you to choose graphics drivers. Just [ESC] them away.

Third difficulty: no real difficulty. Load the file winice.dat in a text editor and remove the ';' from the three exp= lines below

    ; ***** Examples of export symbols that can be included for Chicago *****
    ; Change the path to the appropriate drive and directory

so that they read

    exp=c:\windows\system\kernel32.dll
    exp=c:\windows\system\user32.dll
    exp=c:\windows\system\gdi32.dll

This is what lets SI resolve names like GetWindowTextA for breakpoints.

IV.2 Let's start cracking:

Now restart your computer with the SI configuration. In Windows press [CTRL]+[D] to see if you can bring up SI. If nothing happens, you forgot to load SI in your AUTOEXEC.BAT; if the screen is black and you have already chosen video drivers, you have a little problem. Try to fix it with the help of the WWW.
In SI you can read out the RAM of your PC, set breakpoints on nearly everything and, most important, CRACK. All addresses in this tutorial start with XXXX: (the selector), because this can differ from computer to computer. Start SI with [CTRL]+[D]. You see many digits and characters. Press [CTRL]+[D] again quickly to get out of SI and recover from the shock. Don't be afraid, it is not as difficult as you often read. Start Jaylock and enter any serial# you wish. Don't hit [ENTER] yet. You should know that there are several functions you can break on in SI. The most common ones for a string entry are GetDlgItemText and GetWindowText for 16-bit programs and GetDlgItemTextA and GetWindowTextA for 32-bit programs. If SI doesn't know these names, see the Installing SI section (the exp= lines). Get into SI and type bpx GetWindowTextA. Get back into Jaylock and hit [ENTER]. You should be kicked back into SI. Don't care about what you see. Press [F11] and you get back to the point right after the function was called. Press [F10] to step through the code. If the addresses you see in the big part of the window look like XXXX:XXXX (16-bit code), don't care about them and keep on stepping. If they look like XXXX:XXXXXXXX (32-bit code), slow down your stepping. Step through the code until you can't step any further, and write down the address of the last conditional jump you passed. Get out of SI. You can't step further at XXXX:0040653D. Look at the Win32Dasm crack: offset 0040653D is the same there as in SI (it is the call that shows the message box). The last conditional jump was XXXX:00406520. Now go into Jaylock again and hit [ENTER]. BLAM! Back in SI. Press [F11]. Step through the code until you come to XXXX:00406520 and stop there. At the right of the SI screen NO JUMP should appear while the je line is highlighted. Now we have three ways to crack it.

First way: (You can disable all breakpoints with bd * and enable them again with be *.) The je uses the zero flag (ZF) for its condition. Look in an assembler reference if you don't know what the ZF is. We can change the ZF. All flags have only two values: set or not set.
Our ZF is not set, so set it. You do this with r fl z in SI (it toggles the flag). Now NO JUMP should change to JUMP. Press [CTRL]+[D] and Jaylock is registered. This change is gone when you restart the computer, but the program stays registered.

Second way: Step through the code as in way 1. Don't change the ZF, but change the instruction jz 0040655A at XXXX:00406520 into jnz 0040655A. You do this by typing:

    a XXXX:00406520 [ENTER]
    jnz XXXX:0040655A [ENTER]
    [ENTER]

When the instruction is changed, just [CTRL]+[D] to register Jaylock. This change is gone when you restart the computer, but the program stays registered.

Third and best way: This time we read out the correct serial#. Step through the code as in ways 1 and 2, but don't change anything. Stop at address XXXX:00406520. One line above you see cmp eax, ecx. These registers must contain the correct serial# and the one you entered (see the beginning of the Win32Dasm crack). To read out eax, type ? eax. Three things appear: the hex value, the decimal value and the ASCII value of the code you entered. So ecx must contain the correct code. Type ? ecx. You see the hex value of the code, the decimal value (the correct code) and the ASCII value. Get out of SI and enter the correct serial# in Jaylock. Congratulations, it is registered. Note: don't think it is always this easy, most of the time it isn't.

V. Writing a patch in C++

In the Win32Dasm section I told you to write a patch program for the crack. Here is how I do this in C++ 5.0 (only the important part; no information, just the crack). The offset and the values are the ones from the Win32Dasm crack; the patcher checks that the old byte is really there before writing, so it won't damage another version of the program:

    #include <stdio.h>

    #define PATCH_OFFSET 0x5920   /* file offset of the je (section III) */
    #define OLD_VALUE    0x74     /* je  */
    #define NEW_VALUE    0xEB     /* jmp */

    int main(void)
    {
        FILE *handle = fopen("Jaylock.exe", "r+b");   /* read+write, binary */
        if (handle == NULL) {
            printf("No file Jaylock.exe found\n");
            return 1;
        }
        fseek(handle, PATCH_OFFSET, SEEK_SET);
        if (fgetc(handle) != OLD_VALUE) {            /* wrong version or wrong offset */
            printf("Byte at offset %X is not %02X, nothing changed\n", PATCH_OFFSET, OLD_VALUE);
            fclose(handle);
            return 1;
        }
        fseek(handle, PATCH_OFFSET, SEEK_SET);       /* reposition after the read, before writing */
        fputc(NEW_VALUE, handle);
        fclose(handle);
        return 0;
    }

VI. BTW

Hope my tutorial was helpful for you, and see you again in my next tutorial. If not, see I.1 where you can get more information about cracking. BTW, this tutorial is for educational purposes only.
Make sure to get the full version legally. I withdraw from all responsibility, and from any trouble you get into.

Greets to: tKC, Ed!son, Moral Insanity, Michael T.