LaZaRuS proudly presents his 3. Cracking Tutorial (28.03.1999)
(AxMan 3.00)

I.   Introduction
     I.1 What is cracking and how can I learn it
     I.2 Is cracking illegal?
     I.3 Aims of this document
     I.4 Tools you need for my tutorial
II.  Looking at the target
III. Cracking the time limit and the nagscreen
IV.  Getting the serial and making a keygen
V.   BTW
VI.  All Tutorials by LaZaRuS

I. Introduction

Welcome to my second cracking tutorial.

I.1 What is cracking and how can I learn it:

Cracking is the modification of - most of the time - shareware programs so they can be used after the time limit has expired, to remove nag-screens, to remove copy protections or to obtain the password needed to register them directly. Actually I can't say how to become a good cracker because I'm still a newbie, but there are two important things you should do: read, read, read, read as many cracking tutorials as you can find!!! (Start at www.fravia.org or http://Qserve.8m.com) and practice. Install programs only to crack them, then try your skills, and remove them once you have the crack or have lost hope (patience is very important).

I.2 Is cracking illegal?

There are several opinions on the web that say it is illegal and several that say it's not. I believe that manipulating the code of a program or patching it with a hex-editor is absolutely illegal. Searching for correct registration numbers should not be illegal, or should even be legal. Who cares when I look at my RAM and see - accidentally of course ;-) - the correct serial number for a program.
I.3 Aims of this document:

In the very beginning of my cracking time I searched for tutorials to learn from, but most of them were so bad that no newbie could follow them, although they were meant for newbies. Now I want to write a tutorial for all those newbies who think cracking is way too hard for them, only because they can't find a good example of a crack. I want to write down every single step, from installing the tools and the first start of the program to be cracked up to the crack itself, and do this in several ways.

I.4 Tools you need for my tutorial

Win32Dasm 8.9 (get it at http://Qserve.8m.com)
A hex-editor; I prefer Hex Workshop 2.54 (get it at www.bpsoft.com; change bytes 909A and 256B4 to 85, then you can register it with any serial#)
AxMan 3.00, the program to be cracked (get it at www.mosaicware.com)

II. Looking at the target

The first thing you should do when you try to crack something is to look at the target properly. This can sometimes give you important hints on how to crack a program without having to go through ASM code. If you don't believe it, look at BCM Diagnostics: you can crack it without SICE and W32Dasm.

Back to AxMan. When you start AxMan you see a nag-screen: 30 days remaining. Good. What do you do next when you see a day limit? Right: add one year to the Windows date and restart AxMan. Now it is expired. Click on "I agree" to close AxMan. (Programmer's stupidity: when you click on the X in the upper-right corner of the nag-screen, AxMan never expires either.) Change the Windows date back to the real date. 30 days left in the evaluation period, again. So AxMan doesn't check whether the date can be correct at all. Fire up Registry Monitor and look at the registry values AxMan reads.
Important are:

HKEY_LOCAL_MACHINE\SOFTWARE\Mosaic Software Solutions\AxMan\3.00\License\Key
HKEY_LOCAL_MACHINE\SOFTWARE\Mosaic Software Solutions\AxMan\3.00\License\Name
HKEY_LOCAL_MACHINE\SOFTWARE\Mosaic Software Solutions\AxMan\3.00\License\Company
HKEY_LOCAL_MACHINE\SOFTWARE\Mosaic Software Solutions\AxMan\3.00\License\InstallDate

Thanx for the obvious name-function relation. Don't try to input anything for Key/Name/Company: AxMan is clever enough to check the serial at startup (not just whether the values contain anything). But look closer at InstallDate. This value contains the (encrypted) install date. (Did you guess that? ;-)) What will happen if we delete this one? I'll tell you: AxMan will create the InstallDate entry again with the (encrypted) value for the current date. So it will never expire if you delete the value every 30 days. Another thing you could do is set the date to something "high" like 6666666 (7 chars). Then it never expires either. This has the same effect as installing AxMan in the year 2002 and then setting the date back to the real value. Now look at the program. Try to register it and remember the "Invalid Registration Information" message. Nothing interesting left, so load AxMan.exe in W32Dasm and start cracking.

III. Cracking the time limit

I don't like deleting the registry value every 30 days. So we search for the string "has expired".
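Before the disassembly, a note on what section II showed: the 30 days come back after moving the clock forward and back again because the program only compares today's date with the stored InstallDate. The following is an added example, not code from AxMan or from this tutorial: the naive check next to one that also records the latest date it has ever seen and refuses to run when the clock goes backwards. The registry is replaced by an in-memory object, and the dates used in the replay are constructed.

```python
"""Trial-period check with clock-rollback detection (added example)."""
from datetime import date, timedelta

TRIAL_DAYS = 30  # AxMan's 30-day evaluation period


class TrialStore:
    """Stand-in for the registry values (constructed, in-memory)."""

    def __init__(self):
        self.install_date = None   # like ...\License\InstallDate
        self.last_seen = None      # extra value the naive scheme does not keep


def naive_check(store, today):
    """What section II observes: only install date vs. today is compared."""
    if store.install_date is None:
        store.install_date = today
    used = (today - store.install_date).days
    if used >= TRIAL_DAYS:
        return ("expired", 0)
    return ("ok", TRIAL_DAYS - used)


def rollback_aware_check(store, today):
    """Same check, but a date earlier than any date already seen is refused."""
    if store.install_date is None:
        store.install_date = today
        store.last_seen = today
    # The clock went backwards relative to a date we have already seen:
    # the date cannot be correct, so do not grant any trial days.
    if today < store.last_seen:
        return ("tampered", 0)
    store.last_seen = today
    used = (today - store.install_date).days
    if used >= TRIAL_DAYS:
        return ("expired", 0)
    return ("ok", TRIAL_DAYS - used)


def replay_trick(check, start=date(1999, 3, 28)):
    """Replay the section II sequence: first start, +1 year, back to the real date."""
    store = TrialStore()
    return [
        check(store, start),
        check(store, start + timedelta(days=365)),
        check(store, start),
    ]


if __name__ == "__main__":
    print("naive          :", replay_trick(naive_check))
    print("rollback-aware :", replay_trick(rollback_aware_check))
```

The naive version ends the replay with 30 days left again, exactly what the tutorial observed; the rollback-aware version ends in the tampered state. Deleting the stored values altogether (the other trick described above) is not caught by this check, since both values live in the same store.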
You should see this:

:00403080 56                push esi
:00403081 8BF1              mov esi, ecx
:00403083 E80ED20200        call 00430296
:00403088 85C0              test eax, eax
:0040308A 7409              je 00403095
:0040308C 8B10              mov edx, dword ptr [eax]
:0040308E 8BC8              mov ecx, eax
:00403090 FF5274            call [edx+74]
:00403093 EB02              jmp 00403097

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:0040308A(C)
|
:00403095 33C0              xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00403093(U)
|
:00403097 8BC8              mov ecx, eax
:00403099 E8E2270000        call 00405880
:0040309E 8BC8              mov ecx, eax
:004030A0 E82B080000        call 004038D0          ;;Expired ?
:004030A5 3C01              cmp al, 01             ;;NO ?
:004030A7 7537              jne 004030E0           ;;Then jump to "keep on testing"
:004030A9 6A30              push 00000030          ;;Sorry, time over

* Possible StringData Ref from Data Obj ->"AxMan"
|
:004030AB 6830F34500        push 0045F330

* Possible StringData Ref from Data Obj ->"This copy of AxMan has expired!"
|
:004030B0 6888F24500        push 0045F288
:004030B5 8BCE              mov ecx, esi
:004030B7 E8F0A90200        call 0042DAAC
:004030BC E8D5D10200        call 00430296
:004030C1 85C0              test eax, eax
:004030C3 7409              je 004030CE
:004030C5 8B10              mov edx, dword ptr [eax]
:004030C7 8BC8              mov ecx, eax
:004030C9 FF5274            call [edx+74]
:004030CC EB02              jmp 004030D0

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004030C3(C)
|
:004030CE 33C0              xor eax, eax

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004030CC(U)
|
:004030D0 8B401C            mov eax, dword ptr [eax+1C]
:004030D3 6A00              push 00000000
:004030D5 6A00              push 00000000
:004030D7 6A10              push 00000010
:004030D9 50                push eax

* Reference To: USER32.PostMessageA, Ord:01DEh
|
:004030DA FF1560D64400      Call dword ptr [0044D660]

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004030A7(C)
|
:004030E0 6A01              push 00000001
:004030E2 8BCE              mov ecx, esi
:004030E4 E8098B0200        call 0042BBF2
:004030E9 5E                pop esi
:004030EA C3                ret

As you can easily see, just change the conditional jump at 004030A7 to an unconditional jump.
You can see the file offset you have to patch when you select the line in W32Dasm and move the mouse cursor inside the W32Dasm screen. It is 30A7h. So fire up your hex-editor and change the 75 at this offset to EB, which means JMP (always).

Now we have to get rid of the nag-screen. (OK, if we had removed the nag-screen first, we would have removed the time-check too, but this way we can practice twice ;-)

First we search for a string that appears inside the nag-screen. I have chosen "Welcome to AxMan...". If you search for it you should see this:

:00402E8E 90                nop
:00402E8F 90                nop
:00402E90 B8B8DA4400        mov eax, 0044DAB8
:00402E95 C3                ret
:00402E96 90                nop
:00402E97 90                nop
:00402E98 90                nop
:00402E99 90                nop
:00402E9A 90                nop
:00402E9B 90                nop
:00402E9C 90                nop
:00402E9D 90                nop
:00402E9E 90                nop
:00402E9F 90                nop
:00402EA0 64A100000000      mov eax, dword ptr fs:[00000000]
:00402EA6 6AFF              push FFFFFFFF
:00402EA8 685BA14400        push 0044A15B
:00402EAD 50                push eax
:00402EAE B87C170000        mov eax, 0000177C
:00402EB3 64892500000000    mov dword ptr fs:[00000000], esp
:00402EBA E8C1830100        call 0041B280
:00402EBF 56                push esi
:00402EC0 57                push edi
:00402EC1 8BF9              mov edi, ecx
:00402EC3 E8508E0200        call 0042BD18
:00402EC8 A164164600        mov eax, dword ptr [00461664]
:00402ECD 89442408          mov dword ptr [esp+08], eax
:00402ED1 C784248C17000000000000 mov dword ptr [esp+0000178C], 00000000
:00402EDC E8A7E90300        call 00441888
:00402EE1 8B400C            mov eax, dword ptr [eax+0C]

* Reference To: USER32.LoadStringA, Ord:01ABh
|
:00402EE4 8B3564D64400      mov esi, dword ptr [0044D664]
:00402EEA 8D8C24E4070000    lea ecx, dword ptr [esp+000007E4]
:00402EF1 68E8030000        push 000003E8
:00402EF6 51                push ecx

* Possible Reference to String Resource ID=32774: "Welcome to AxMan v3.00 (Official Release). You will see thi"
|
:00402EF7 6806800000        push 00008006
:00402EFC 50                push eax
:00402EFD FFD6              call esi
:00402EFF E884E90300        call 00441888
:00402F04 8B400C            mov eax, dword ptr [eax+0C]
:00402F07 8D542414          lea edx, dword ptr [esp+14]
:00402F0B 68E8030000        push 000003E8
:00402F10 52                push edx

* Possible Reference to String Resource ID=32775: "Before you begin using this software, carefully read the ter"
|
:00402F11 6807800000        push 00008007
:00402F16 50                push eax
:00402F17 FFD6              call esi
:00402F19 E86AE90300        call 00441888
:00402F1E 8B400C            mov eax, dword ptr [eax+0C]
:00402F21 8D8C24B40F0000    lea ecx, dword ptr [esp+00000FB4]
:00402F28 68E8030000        push 000003E8
:00402F2D 51                push ecx

Now let's search for a conditional jump that jumps somewhere behind the nag. Strange, there is none, and above the routine is a RET, which means that is the end of another call. What does that mean? It means W32Dasm doesn't know from where this code will be called at runtime. It is something like CALL [EAX] or CALL [EBP+08]. So how do we get the correct address we have to patch? There are of course several ways to get it, but I always use one. Load the program in the W32Dasm debug-mode and choose "Auto step over" until the nag-screen appears. Normally the W32Dasm window stops at a CALL. Now remember that call and restart the program in debug mode. This time ENTER the call with "Step into" and then choose "Auto step over" until the nag-screen pops up again. Look if there is a conditional jump that leads somewhere beyond the call that makes the nag appear. If so, try to change the instruction to JMP the next time you come to it. If the nag-screen is gone and the program starts normally, you've got it. If the program crashes, you have to enter the call again and keep on doing the "enter call / look for conditional jumps / does the program work? / no, then enter call..." method.
If you do this in AxMan you will come to the address:

:004100D7 CALL 0042BA92

Look if there is a conditional jump that leads beyond this call. YES!

:00410089 JNE 00410115

This is your jump. Change it to JE and the nag-screen won't appear anymore until you register the program. If you change it to JMP it will NEVER appear again.

IV. Getting the serial:

First make a copy of AxMan.exe, because you can't use Win32Dasm and a hex-editor at the same time on the same file. Search for the "Invalid..." string. You should see this (I try to comment it as well as possible):

:0040688B 50                push eax                      ;;save entered serial
:0040688C 51                push ecx                      ;;save entered company
:0040688D 52                push edx                      ;;save entered name
:0040688E 8D4C241C          lea ecx, dword ptr [esp+1C]
:00406892 C644242803        mov [esp+28], 03
:00406897 E8E4F9FFFF        call 00406280                 ;;calculate the serial and check it
:0040689C 84C0              test al, al                   ;;al=1 ?
:0040689E 6A30              push 00000030
:004068A0 7513              jne 004068B5                  ;;if not then jump to right#

* Possible StringData Ref from Data Obj ->"AxMan - Error 400"      ;;wrong serial
|
:004068A2 6850F84500        push 0045F850

* Possible StringData Ref from Data Obj ->"Invalid Registration Information"
|
:004068A7 682CF84500        push 0045F82C
:004068AC 8BCE              mov ecx, esi
:004068AE E8F9710200        call 0042DAAC
:004068B3 EB49              jmp 004068FE                  ;; go on unregistered

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004068A0(C)
|
* Possible StringData Ref from Data Obj ->"AxMan"                  ;; you are a good buyer
|
:004068B5 6830F34500        push 0045F330

* Possible StringData Ref from Data Obj ->"Thank you for registering your "
                                        ->"copy of AxMan"
|
:004068BA 68FCF74500        push 0045F7FC
:004068BF 8BCE              mov ecx, esi
:004068C1 E8E6710200        call 0042DAAC
:004068C6 E8CB990200        call 00430296

If you enter the calculate-serial call you see:

* Referenced by a CALL at Addresses:
|:00403526 , :00406897 , :004104C2      ;;referenced now, at the start and when you
                                       ;;open the "About" box the first time.
|
:00406280 8B542408          mov edx, dword ptr [esp+08]   ;;edx=company
:00406284 83EC18            sub esp, 00000018
:00406287 8D442400          lea eax, dword ptr [esp]      ;;eax=Length(name)
:0040628B 53                push ebx                      ;;
:0040628C 56                push esi
:0040628D 50                push eax
:0040628E 8B442428          mov eax, dword ptr [esp+28]   ;;eax=name
:00406292 52                push edx                      ;;save company
:00406293 50                push eax                      ;;save name
:00406294 E857000000        call 004062F0                 ;;here the serial is calculated
                                                          ;;if you enter this call, you can trace
                                                          ;;for hours, so DON'T ENTER
:00406299 8B74242C          mov esi, dword ptr [esp+2C]   ;;your serial
:0040629D 8D442408          lea eax, dword ptr [esp+08]   ;;correct serial
...

From now on your serial is compared with the correct serial char by char.

To get the serial, you can debug with W32Dasm (YES, not with SICE). I debugged with W32Dasm because I am on holiday and don't have SICE on my laptop. OK: choose Debug/Load Process, then go to Code Location :00406294 and set a breakpoint (not bpx 406294 ;-), but choose the correct line and hit F2). Now hit F8 three times and look at the register EAX. This is your serial.

Note: The first time I cracked it I entered the call at 00406294 and was tracing for half an hour until I saw a little light. The serial was calculated without "-": for name=LaZaRuS and company=Hellforge it was 255518709. Then it compares the fourth char of my entered serial, 9 (usually I enter 666999), with 2D, which means "-". So the fourth char must be "-". But no matter what the char is, the serial is calculated completely, as you can see when you enter any other serial. So I thought: nine chars in the correct serial, first comparison with "-" at the fourth char. That could be XXX-XXX-XXX. Luckily it was that regular, or I would still be tracing ;-).

How to make a keygen:

If you really want to make a keygen you have to enter the call :00406294. After some time you will come to this code snippet. Somewhere in front of this snippet the company and the name are converted to lower case and the spaces are deleted.
Then "My Love" is added. For name=Piracy Copy and company=I am a lamer that would be:

piracycopyiamalamerMy Love

But that is easy to follow if you trace through the code.

:0040665D movsx eax, al
:00406660 shl ecx, 04
:00406663 add ecx, eax
:00406665 inc edx
:00406666 mov eax, ecx          get first
:00406668 and eax, F0000000     char
:0040666D je 00406676
:0040666F mov esi, eax          esi=70000000
:00406671 shr esi, 18           esi=00000070
:00406674 xor ecx, esi          xor 729089C3, 00000070 = 729089B3
:00406676 not eax               not 70000000 = 8FFFFFFF
:00406678 and ecx, eax          and 729089B3, 8FFFFFFF = 029089B3
:0040667A mov al, byte ptr [edx]
:0040667C test al, al
:0040667E jne 0040665D

I'll explain what it does: At the beginning the accumulator ECX is 0. Then it is multiplied by 16 = 2^4 (shl ecx, 04). Then the ASCII value of the first char of the string (name+company+My Love) is added to ECX. If the first digit of the eight-digit hex value is 0, it jumps back and does the following: multiply ECX by 16 and add the ASCII value of the second char to ECX. If the first digit of the eight-digit hex value is not 0, then it does this:

Isolate the first digit: example 70000000
Shift it right by 18h = 24 bits: example 00000070
XOR it with the existing ECX value
NOT the isolated digit (EAX, which still holds 70000000 because the shift was done on the copy in ESI; the result is 8FFFFFFF)
AND it with the XORed ECX value
back to normal calculation

V. BTW

Hope my tutorial was helpful for you and see you again in my next tutorial. If not, see I.1 where you can get more information about cracking. BTW this tutorial is for educational purposes only. Make sure to get the full version legally. I withdraw myself from all responsibility, and trouble if you get into any.

Greets to: tKC, Ed!son, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and all [hf] members

VI. All tutorials by LaZaRuS

#| date    | name     |version|W32Dasm|Soft-Ice|kind of crack            |
-|---------|----------|-------|-------|--------|-------------------------|
1|20.01.99 |Jaylock   |1,0,0,1| (X)   | (X)    |serial#                  |
2|31.01.99 |Goldwave  |4.02   | (X)   | (X)    |serial#,nag-screens      |
3|28.03.99 |AxMan     |3.00   | (X)   | (X)    |serial#,remove date-limit|

LaZaRuS [hf]

Visit Hellforge at http://members.xoom.com/hell_crack for more tutorials and high quality cracking links.
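A closing note on the loop traced in section IV (0040665D..0040667E): shift left by 4, add the next byte, fold any overflow in the top nibble back in. That is the well-known PJW/ELF hash, the same function the Unix linker uses for symbol names. The following is an added example, not code from AxMan or from this tutorial, reimplementing that loop so the intermediate values given above (729089C3 -> 729089B3 -> 029089B3) can be checked. Only the hash itself is modelled; the tutorial does not say how the hash becomes the XXX-XXX-XXX serial, so that step is left out. The preprocessing (lower-case, drop spaces, append "My Love") follows the description in the text; the sign-extension of the input byte mirrors the movsx at the top of the loop and is my reading of it. The security point for anyone designing such a scheme: a fixed, public hash over public data (name and company) holds no secret, so once the function is known anyone can reproduce its output.

```python
"""PJW/ELF-style hash loop from section IV, reimplemented (added example)."""

MASK32 = 0xFFFFFFFF


def fold_top_nibble(ecx):
    """The part of the loop after 'mov eax, ecx' for one iteration.

    For ecx = 729089C3 the top nibble is 70000000; shifted by 18h (24 bits)
    it is 70, ecx ^ 70 = 729089B3, and masking with NOT 70000000 = 8FFFFFFF
    gives 029089B3, matching the traced values above.
    """
    eax = ecx & 0xF0000000              # and eax, F0000000 (je skips the xor if zero)
    if eax:
        ecx ^= eax >> 24                # mov esi, eax ; shr esi, 18 ; xor ecx, esi
    ecx &= (~eax) & MASK32              # not eax ; and ecx, eax (no-op when eax was 0)
    return ecx


def elf_hash(data, start=0):
    """Run the whole loop over a byte string; 'start' is the initial ECX."""
    ecx = start
    for byte in data:
        # movsx eax, al: the byte is sign-extended (only matters above 0x7F)
        val = byte - 0x100 if byte & 0x80 else byte
        ecx = ((ecx << 4) + val) & MASK32   # shl ecx, 04 ; add ecx, eax
        ecx = fold_top_nibble(ecx)          # mov al, [edx] ; test al, al ; jne loop
    return ecx


def normalize(name, company):
    """Preprocessing as described in section IV: lower-case, drop spaces,
    append "My Love". The pair from the text gives piracycopyiamalamerMy Love."""
    return (name + company).lower().replace(" ", "") + "My Love"


def hash_registration(name, company):
    """Hash of the normalized registration string, as a 32-bit integer."""
    return elf_hash(normalize(name, company).encode("ascii"))


if __name__ == "__main__":
    print(hex(fold_top_nibble(0x729089C3)))
    print(normalize("Piracy Copy", "I am a lamer"))
    print(hex(hash_registration("Piracy Copy", "I am a lamer")))
```

Because the fold always clears the top nibble, every result fits in 28 bits; the worked trace value in the tutorial (029089B3) has that property too, which is a quick sanity check when comparing a reimplementation against a debugger trace.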