LaZaRuS proudly presents his 2nd Cracking Tutorial (31.01.1999)

I.   Introduction
     I.1 What is cracking and how can I learn it
     I.2 Is cracking illegal?
     I.3 Aims of this document
     I.4 Tools you need for my tutorial
II.  Cracking with W32Dasm
IV.  Cracking with Soft-Ice for Windows
     IV.1 Installing Soft-Ice
     IV.2 Let's start cracking
V.   Writing a patch in C++
VI.  BTW
VII. All tutorials by LaZaRuS


I. Welcome to my second cracking tutorial.

I.1 What is cracking and how can I learn it:

Cracking is the editing of - most of the time - shareware programs so that you can use them after the time limit has expired, to remove nag-screens, to remove copy protections or to get the password to register them directly.
Actually I can't say how to become a good cracker because I'm still a newbie, but there are two important things you should do: Read, Read, Read, Read as many cracking tutorials as you can find!!! (Start at www.fravia.org or http://Qserve.8m.com) and practice. Install programs only to crack them, then try your skills and remove them when you have got the crack or you have lost hope (patience is very important).

I.2 Is cracking illegal?

There are several opinions on the web that say that it is illegal and there are several that say it's not. I believe that manipulating the code of a program or patching it with a hex-editor is absolutely illegal. Searching for correct registration numbers should not be illegal, or should even be legal. Who cares when I look at my RAM and see - accidentally of course ;-) - the correct serial number for a program.
I.3 Aims of this document:

In the very beginning of my cracking time I searched for tutorials to learn from, but most of them were so bad that no newbie could follow them, although they were meant for newbies. Now I want to write a tutorial for all these newbies who think that cracking is way too hard for them, only because they can't find a good example of a crack. I want to write down every single step, from installing the tools and the first start of the program to be cracked through to the crack itself, and do this in several ways.

I.4 Tools you need for my tutorial

  Win32Dasm 8.9 (get it at http://Qserve.8m.com)
  Soft-Ice for Windows (get it at http://Qserve.8m.com)
  A hex-editor, I prefer Hex Workshop 2.54 (get it at www.bpsoft.com; change the bytes at 909A and 256B4 to 85, then you can register it with every serial#)
  Goldwave v4.02, the program to be cracked (get it at www.goldwave.com)
  Better get a Windows API reference, too (included in any Borland/Inprise programming language)

II. Cracking with W32Dasm:

First make a copy of Goldwave.exe, because you can't use Win32Dasm and a hex-editor on the same file at the same time. Then start Goldwave. A help-file pops up. This is the nag-screen of Goldwave. Close it and load a sound file in Goldwave. In the lower left corner of the main window you can see something like Toll: $X.XX. With every action you make, the Toll increases. In the Goldwave helpfile you can read that you have an amount of $1.50 every time you start Goldwave. Once you have exceeded this, another nag-screen appears every time you make an action.
I've made a Goldwave 3.24 crack before and remember that Goldwave wrote the serial that fits your name into the file [WINDIR]\Goldwave.ini once you had cracked the serial check. So we first try to do this again. Disassemble Goldwave.exe with W32Dasm. Meanwhile try to register Goldwave. Choose the menu OPTIONS/REGISTER and put in a first name, a last name and a fake serial. Push [ENTER] and you see a messagebox saying 'Invalid...'.
Save this message in your brain, switch to W32Dasm and choose the menu SEARCH/FIND TEXT. Put in the first part of the error message from Goldwave (Invalid r). Now you should see this:

  :0042D3C3 E83CF8FFFF       call 0042CC04
  :0042D3C8 59               pop ecx
  :0042D3C9 84C0             test al, al
  :0042D3CB 0F85A1000000     jne 0042D472

  * Possible StringData Ref from Data Obj ->"Register"
                                    |
  :0042D3D1 8B1560BB4D00     mov edx, dword ptr [004DBB60]
  :0042D3D7 8B4E66           mov ecx, dword ptr [esi+66]
  :0042D3DA 8B01             mov eax, dword ptr [ecx]
  :0042D3DC 6A30             push 00000030
  :0042D3DE 52               push edx

  * Possible StringData Ref from Data Obj ->"Invalid registration! Please "
                                          ->"check your password and try again."
                                    |
  :0042D3DF 6852C54D00       push 004DC552
  :0042D3E4 8B500C           mov edx, dword ptr [eax+0C]
  :0042D3E7 52               push edx
  :0042D3E8 8B4868           mov ecx, dword ptr [eax+68]
  :0042D3EB 51               push ecx
  :0042D3EC E8958F0500       call 00486386

Here is the messagebox that appears when you put in a wrong serial#. Do you see the jne 0042D472, too? (BTW remember the address 0042D3C3 for the Soft-Ice crack later in this tutorial. It is the last call in front of the conditional jump.) This conditional jump goes somewhere beyond the messagebox. Let's reverse this jump and see what happens. Move the highlighted line onto the jne. Now look at the status bar at the bottom of the window. You should see the offset of the jump in the file Goldwave.exe. It is @Offset: 0002C9CBh. If you don't see it, move your mouse to the center of the screen. Open the copy of Goldwave.exe in your hex-editor and go to the address 0002C9CBh. You see 0F85A1000000. This is the hexcode of jne 0042D472. Change it to 0F84A1000000. This is the hexcode of je 0042D472. Now the messagebox shouldn't appear when you put in a wrong serial. Try it. YES! There is another messagebox that says that Goldwave is now registered. Look in the About screen and you see that Goldwave is registered to the name you put in. Close Goldwave and restart it. NOOOOO! It is not registered.
Seems that the programmers have learned from their mistakes. In this version they don't write the correct serial# into the Goldwave.ini file, but the serial you put in. This means it is not enough to get round the serial check. In the Goldwave help you can see that the shareware version of Goldwave is fully functional. So let's just crack away the nag-screens. The first one is the helpfile that pops up. Now the API reference would be useful. I tell you, there is a Windows function to start a helpfile. It's called WinHelpA. Search for WinHelpA in the disassembled Goldwave.exe. You find it twice. The first one is the definition in the import functions, the second hit is where the nag-screen appears. You should see this:

  * Referenced by a CALL at Address:
  |:00458C08
  |
  :0044150C 55               push ebp
  :0044150D 8BEC             mov ebp, esp
  :0044150F 53               push ebx
  :00441510 56               push esi
  :00441511 8B5D08           mov ebx, dword ptr [ebp+08]
  :00441514 80BB5707000000   cmp byte ptr [ebx+00000757], 00
  :0044151B 752D             jne 0044154A
  :0044151D 6A00             push 00000000
  :0044151F E88CF4FFFF       call 004409B0
  :00441524 59               pop ecx
  :00441525 8BF0             mov esi, eax
  :00441527 68AE010000       push 000001AE
  :0044152C 6A01             push 00000001
  :0044152E 56               push esi
  :0044152F 8B4366           mov eax, dword ptr [ebx+66]
  :00441532 8B10             mov edx, dword ptr [eax]
  :00441534 8B4A0C           mov ecx, dword ptr [edx+0C]
  :00441537 51               push ecx

  * Reference To: USER32.WinHelpA, Ord:0000h
                                    |
  :00441538 E8E52E0900       Call 004D4422
  :0044153D 85C0             test eax, eax
  :0044153F 0F95C0           setne al
  :00441542 83E001           and eax, 00000001
  :00441545 A2342B5000       mov byte ptr [00502B34], al

Look for a jump that jumps beyond the * Reference To: USER32.WinHelpA, Ord:0000h and you will find jne 0044154A. This could be the registered/unregistered check for the first nag-screen. Search for the offset 40B1Bh in your hex-editor and change the byte there (75) to EB. This changes the conditional jump jne to the unconditional jump jmp. Save and restart Goldwave.exe. The helpfile doesn't appear. We did it. We cracked the first nag-screen.
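As an added example (not part of LaZaRuS' tutorial), here is how the byte patches described in this section look from the other side, to a build pipeline or a program checking whether its own executable has been tampered with: a hash comparison against the value recorded at build time, plus a byte-diff that recognises the characteristic jump edits (0F 85 -> 0F 84 turns jne into je, 75 -> EB turns jne into jmp; the second 75 -> EB edit is the one from the Toll-limit section further down). The sample byte strings are constructed from the opcode bytes quoted in the listings; real images would be read from disk.

```python
import hashlib

SHORT_JCC = range(0x70, 0x80)     # 70..7F: short Jcc (74 je, 75 jne, 7C jl, ...)
NEAR_JCC_2ND = range(0x80, 0x90)  # 0F 80..0F 8F: near Jcc (0F 84 je, 0F 85 jne, ...)
SHORT_JMP = 0xEB                  # unconditional short jmp


def classify_patches(original: bytes, patched: bytes) -> list:
    """Return (offset, old, new, kind) for every differing byte, labelled by the
    kind of jump edit it looks like."""
    if len(original) != len(patched):
        raise ValueError("images differ in length; this is not an in-place byte patch")
    findings = []
    for off, (a, b) in enumerate(zip(original, patched)):
        if a == b:
            continue
        prev = original[off - 1] if off else None
        if a in SHORT_JCC and b == SHORT_JMP:
            kind = "short jcc forced unconditional"      # 75 xx -> EB xx
        elif a in SHORT_JCC and b in SHORT_JCC and (a ^ b) == 1:
            kind = "short jcc inverted"                  # Jcc pairs differ only in the low bit
        elif prev == 0x0F and a in NEAR_JCC_2ND and b in NEAR_JCC_2ND and (a ^ b) == 1:
            kind = "near jcc inverted"                   # 0F 85 -> 0F 84
        else:
            kind = "other"
        findings.append((off, a, b, kind))
    return findings


def integrity_ok(image: bytes, expected_sha256: str) -> bool:
    """Cheap first check: does the file still hash to the value recorded at build time?"""
    return hashlib.sha256(image).hexdigest() == expected_sha256


# Constructed sample: the three instruction sequences the tutorial patches, back to back.
ORIGINAL = (bytes.fromhex("84c0") + bytes.fromhex("0f85a1000000")  # test al,al / jne 0042D472
            + bytes.fromhex("752d")                                  # jne 0044154A
            + bytes.fromhex("7563"))                                 # jne 00458B8F
_tampered = bytearray(ORIGINAL)
_tampered[3] = 0x84    # 0F 85 -> 0F 84 (jne -> je), the edit made at file offset 2C9CBh
_tampered[8] = 0xEB    # 75 -> EB (jne -> jmp), the edit made at 40B1Bh
_tampered[10] = 0xEB   # 75 -> EB (jne -> jmp), the edit made at 5812Ah
PATCHED = bytes(_tampered)
GOOD_HASH = hashlib.sha256(ORIGINAL).hexdigest()

if __name__ == "__main__":
    print("hash still matches:", integrity_ok(PATCHED, GOOD_HASH))
    for off, old, new, kind in classify_patches(ORIGINAL, PATCHED):
        print(f"offset {off:#06x}: {old:02X} -> {new:02X}  {kind}")
```

The hash check answers only "was the file changed"; the byte-diff is what tells you that the change is a licensing-check bypass rather than, say, a resource edit.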
Now go for the second one. It appears when you exceed your Toll limit. The fastest way to do this is to load a sound file in Goldwave and push the PLAY button constantly. When you reach your Toll limit, a messagebox appears saying 'Shareware Toll Limit'. Search for this string in W32Dasm and you see this:

  :00458B17 81BB5307000096000000   cmp dword ptr [ebx+00000753], 00000096
  :00458B21 7C6C             jl 00458B8F
  :00458B23 F6835307000001   test byte ptr [ebx+00000753], 01
  :00458B2A 7563             jne 00458B8F

  * Possible StringData Ref from Data Obj ->"This shareware has a $1.50 limit "
                                          ->"each time the program is started."
                                    |
  :00458B2C A13C784E00       mov eax, dword ptr [004E783C]
  :00458B31 8945FC           mov dword ptr [ebp-04], eax
  :00458B34 8B4DFC           mov ecx, dword ptr [ebp-04]
  :00458B37 894DF8           mov dword ptr [ebp-08], ecx
  :00458B3A 8B07             mov eax, dword ptr [edi]
  :00458B3C 8945F4           mov dword ptr [ebp-0C], eax
  :00458B3F 6A31             push 00000031

  * Possible StringData Ref from Data Obj ->"Shareware Toll Limit"
                                    |
  :00458B41 68D77C4E00       push 004E7CD7
  :00458B46 8B55F8           mov edx, dword ptr [ebp-08]
  :00458B49 52               push edx

Look at the jne 00458B8F. This jump goes somewhere beyond the messagebox. Let's change it so that it always jumps beyond this box. Change the byte at offset 5812Ah (75) to EB. This means jmp (always). Save and restart Goldwave.exe. Now you can push the PLAY button as often as you want, the nag-screen never appears again. We did it! We cracked Goldwave with W32Dasm!

IV. Cracking with Soft-Ice for Windows

IV.1 Installing Soft-Ice

Having installed Soft-Ice, there are several difficulties to master. First you have to load Soft-Ice before you start Windows, second you have to choose your graphics driver and third you have to edit the file 'Winice.dat' in the Soft-Ice directory. For the first difficulty, I would install a software boot menu in the autoexec.bat and config.sys files.
Example:

AUTOEXEC.BAT:

  @Echo Off
  REM Here put in your normal stuff, like drivers
  REM %CONFIG% holds the name of the block chosen in the CONFIG.SYS menu;
  REM without this goto the file would run straight into :SICE every time
  goto %CONFIG%
  :SICE
  C:\SIW95\WINICE.EXE
  goto common
  :NORM
  goto common
  :common
  End of file

The lines starting with ':' are places to jump to, when a . The 'goto' lines are the jumps.

CONFIG.SYS:

  [menu]
  menuitem SICE,Soft-Ice
  menuitem NORM,Normal Mode
  menudefault NORM,5
  [SICE]
  [NORM]
  [common]
  Put your normal stuff here.
  End of File

Second difficulty: Start VSetup in the SI directory (Soft-Ice = SICE = SI). If your video card isn't mentioned there, choose VGA, because SI won't work if you choose something different. If you need to choose VGA you need a hardware boot menu, too, because you have to switch between the video drivers when you start Windows in normal mode or in SI mode. You can do this in the Windows Control Panel/System. Copy your hardware profile and disable your video card in the new profile. Save. Next time you start Windows you can choose the hardware and the software you wish to load. If you disabled your video card and you start Windows-SI there are some error messages asking you to choose graphics drivers. Just [ESC] them away.

Third difficulty: No real difficulty. Load the file winice.dat in a text editor and remove the ; from the lines

  ;exp=c:\windows\system\kernel32.dll
  ;exp=c:\windows\system\user32.dll
  ;exp=c:\windows\system\gdi32.dll

standing below the lines

  ; ***** Examples of export symbols that can be included for Chicago *****
  ; Change the path to the appropriate drive and directory

IV.2 Let's start cracking

Now restart your computer with the SI configuration. In Windows press [CTRL]+[D] to see if you can load SI. If nothing happens, you forgot to load SI in your autoexec.bat; if the screen is black and you have already chosen video drivers, you have a little problem. Try to fix it with the help of the WWW. In SI you can read out the RAM of your PC, set breakpoints on nearly everything and, most important, CRACK.
All offsets in this tutorial start with XXXX: because this part can be different on different computers. Start SI with [CTRL]+[D]. You see many digits and chars. Leave SI with [CTRL]+[D] and start Goldwave. Enter any values in the register dialog, but don't push [ENTER] yet. Get into SI and set a breakpoint on hmemcpy (this means SI should appear every time Windows or any application uses the function hmemcpy). You do this with bpx hmemcpy. Now leave SI and hit [ENTER] in Goldwave. BLAM! Now you're back in SI. Goldwave needs three values to calculate the correct serial#, thus there must be two more hmemcpy calls. Press [CTRL]+[D] twice and you are inside the third hmemcpy. Press [F11] and you get out of the routine. Do you remember the address of the call I told you to remember in the W32Dasm part? I tell you, it was 0042D3C3. Step through the SI code by pushing [F10] until the addresses in one of the SI windows look like XXXX:XXXXXXXX Assembler-Code. Now set a breakpoint on the address XXXX:0042D3C3 (the XXXX can be different on every computer; in my case it is 0157). To set the BP enter bpx XXXX:0042D3C3 (in my case: bpx 0157:0042D3C3). Press [CTRL]+[D]. Now a message should appear that SI stopped at the BP. The highlighted line should be XXXX:0042D3C3 call 0042CC04. Enter the call with [F8]. Now you're inside the code-calculating routine. Step through the code with [F10] until you come to the address XXXX:0042CC46. Enter d esi and you see the serial# that fits the name you entered. Delete all breakpoints with bc *. Enter Goldwave and try to register it with the new serial#. If you have entered the correct name and serial# you have a correctly registered Goldwave.

Note: Don't think it is always so easy; most of the time it isn't.

V. Writing a patch in C++

In the Win32Dasm section I told you to write a patch program for the crack. Here is how I manage this in C++ 5.0 (only the important part; no information, just crack).
  #include <stdio.h>
  #include <conio.h>   /* cprintf() comes from the Borland console library */

  /* Overwrite one byte of a file in place. Offset and value are in decimal,
     as in the placeholders in the call below; put your own numbers there. */
  int patch_byte(const char *filename, long offset, int value)
  {
      FILE *handle = fopen(filename, "r+b");   /* read/write, binary, keep the rest of the file */
      if (handle == NULL)
      {
          cprintf("No File %s found", filename);
          return 0;
      }
      fseek(handle, offset, SEEK_SET);         /* go to the byte to change */
      fputc(value, handle);                    /* same as fprintf(handle, "%c", value) */
      fclose(handle);
      return 1;
  }

  int main(void)
  {
      return patch_byte("Filename.exe", HERE_OFFSET_IN_DECIMAL, HERE_NEW_VALUE_IN_DECIMAL) ? 0 : 1;
  }

VI. BTW

Hope my tutorial was helpful for you and see you again in my next tutorial. If not, see I.1 where you can get more information about cracking.
BTW this tutorial is for educational purposes only. Make sure to get the full version legally. I withdraw myself from all responsibility, and trouble if you get into any.

Greets to: tKC, Ed!son, Moral Insanity, Jordan, The Sandman

VII. All tutorials by LaZaRuS

  # | date     | name     | version | W32Dasm | Soft-Ice | kind of crack
  --|----------|----------|---------|---------|----------|---------------------
  1 | 20.01.99 | Jaylock  | 1,0,0,1 |   (X)   |   (X)    | serial#
  2 | 31.01.99 | Goldwave | 4.02    |   (X)   |   (X)    | serial#, nag-screens