LaZaRuS [hf] proudly presents his 6th Cracking Tutorial (06.04.1999)

MP3 TO EXE 1.02

 I.   Tools you need for my tutorial
 II.  Cracking the Nag-Screen
 III. Getting the serial
 IV.  BTW


I. Tools you need for my tutorial

 - Win32Dasm 8.9 (get at http://Qserve.8m.com)
 - Registry Monitor (get at http://Qserve.8m.com ?)
 - (perhaps) Soft-Ice for Windows (get at http://Qserve.8m.com)
 - A hex-editor, I prefer Hex Workshop 2.54
 - MP3 TO EXE 1.02, the target (http://software.webset.de/buschjost/mp3eng.htm;
   mail me if you don't find version 1.02 there)


II. Cracking the Nag-Screen (with Win32Dasm)

There are three reasons I write this tutorial:

 1. At my first attempt it was damn hard to crack it. I installed it, tried it and deinstalled it again, telling myself that I couldn't crack it. The next day I installed it again, saying to myself "it can't beat you". But I gave up again and deinstalled it. I repeated this three more times until I got it.
 2. In my opinion it is a good newbie target (easy, but not too easy).
 3. I'm on holidays and outside it is raining cats and dogs, so I haven't got anything else to do.

But now let's start cracking.

When you look at the target, there are several differences between the shareware and the full version. In the shareware version the first thing you see is a nag-screen (strange: it doesn't say you should register, only that you are not allowed to distribute files created with the shareware version).
When you look at the about box, you see that it is registered to no one (did you guess that? ;). When you create an MP3.EXE file you see an "Unregistered" message too, but that's not our problem for now.

To register MP3 TO EXE, you have to enter a name, a serial and a registration code. The last one is calculated from the name and the serial. When we fire up Registry Monitor, we see three important values:

 HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE\Name    ;;name
 HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE\Serial  ;;serial
 HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE\Free    ;;registration code

OK, let's get rid of the nag-screen. These approaches all failed:

 1. My beloved I-DON'T-WANT-TO-USE-MY-BRAIN brute-force method (see tutorial six)
 2. Searching for a string that appears in the nag-screen
 3. Searching for MessageBoxA

Now it's time for a little ZEN cracking (that means: USE your brain). OK, what do we know? Not much, except that the program recalculates the valid registration code at startup (better: we assume that, because of the way the program stores its registration information). So let's check for the string "Free". I search for "Free" and not for "Name", because most of the time the sequence looks like this:

 Get Name
 Get Serial
 Get RegCode (here: the "Free" value)
 Calculate the correct code and compare
 Show MessageBox if unregistered

The string "Free" appears four times. One occurrence is where we try to register, as you can see from the other strings nearby. For the three other occurrences we don't have a clue where they could be. So we place a breakpoint (I'm using W32Dasm) some lines above each "Free" and run the program. If it breaks, we know that this is the check that takes place at the beginning. I'll tell you: it is the last "Free".
You see:

:0045BADD 8B45C0          mov eax, dword ptr [ebp-40]
:0045BAE0 50              push eax
:0045BAE1 8D4DBC          lea ecx, dword ptr [ebp-44]

* Possible StringData Ref from Code Obj ->"Free"
                                  |
:0045BAE4 BA04C04500      mov edx, 0045C004
:0045BAE9 8BC7            mov eax, edi
:0045BAEB E82827FFFF      call 0044E218
:0045BAF0 8B55BC          mov edx, dword ptr [ebp-44]
:0045BAF3 58              pop eax
:0045BAF4 E81F7DFAFF      call 00403818                     ;;*could* be the calculation/comparison
:0045BAF9 7412            je 0045BB0D                       ;;*could* be the "Beggar off"
:0045BAFB 8B45FC          mov eax, dword ptr [ebp-04]       ;;*could* be the flag
:0045BAFE 8B803C020000    mov eax, dword ptr [eax+0000023C] ;;*could* be the flag
:0045BB04 B201            mov dl, 01                        ;;*could* be the flag
:0045BB06 E8791FFDFF      call 0042DA84
:0045BB0B EB10            jmp 0045BB1D                      ;;*could* be "Good Guy"

Plenty of *could* here :( So now we have to check. I set a breakpoint on the line with the conditional jump and change the value of the Zero flag when we reach it. (The call at :0045BAF4 is the same routine 00403818 that compares two strings in section III: here it compares the registration code read from the registry with the calculated one, and the "je" is taken only when they are equal. Setting the Zero flag therefore forces the registered path.) When I have done this, the nag-screen is gone :), the "Register" button is gone :), but the "About" box still says registered to no one :(. Of course: we never entered any values in the Windows registry. So fire up regedit.exe and create the values "Name" and "Serial" in HKEY_LOCAL_MACHINE\SOFTWARE\Oliver Buschjost\MP3TOEXE. Then set the breakpoint and restart. Change the Zero flag and push "Run". Now we see our name in the "About" box, too :). But NO: when we create an EXE file from an MP3 we still get an unregistered message there :( So we have to find out the correct serial for MP3 TO EXE. (If anybody has cracked the files that are created with MP3 TO EXE, please mail me.)

btw: If you want to patch the file anyway, there is a nice "The file has been modified" message waiting for you, but this one is pretty easy to bypass, because you can easily locate the string of the messagebox.


III. Getting the correct serial

In the first section we saw that the first "Free" is near the "Thank you" message. So let's start there.
If you scroll some lines up, you should see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00454BEC(U)
|
:00454BF9 DB2B            fld tbyte ptr [ebx]
:00454BFB DB2D2C524500    fld tbyte ptr [0045522C]
:00454C01 DED9            fcompp
:00454C03 DFE0            fstsw ax
:00454C05 9E              sahf
:00454C06 72E6            jb 00454BEE
:00454C08 8D55F8          lea edx, dword ptr [ebp-08]
:00454C0B 8B45FC          mov eax, dword ptr [ebp-04]
:00454C0E 8B80AC010000    mov eax, dword ptr [eax+000001AC]
:00454C14 E81B01FCFF      call 00414D34
:00454C19 837DF800        cmp dword ptr [ebp-08], 00000000
:00454C1D 7532            jne 00454C51                      ;; JUMP TO "Thanks"
:00454C1F 8D55E4          lea edx, dword ptr [ebp-1C]
:00454C22 8B45FC          mov eax, dword ptr [ebp-04]
:00454C25 8B80B4010000    mov eax, dword ptr [eax+000001B4]
:00454C2B E80401FCFF      call 00414D34
:00454C30 837DE400        cmp dword ptr [ebp-1C], 00000000
:00454C34 751B            jne 00454C51                      ;; JUMP TO "Thanks"
:00454C36 8D55E0          lea edx, dword ptr [ebp-20]
:00454C39 8B45FC          mov eax, dword ptr [ebp-04]
:00454C3C 8B80B0010000    mov eax, dword ptr [eax+000001B0]
:00454C42 E8ED00FCFF      call 00414D34
:00454C47 837DE000        cmp dword ptr [ebp-20], 00000000
:00454C4B 0F8427010000    je 00454D78                       ;; JUMP TO "Wrong"

There are two jumps to "Thanks" (perhaps two valid serials for every name, like in WinZip?). OK, it strongly seems that the valid serial is calculated somewhere in the call at :00454C14 and that the value at [ebp-08] is a correct/wrong flag. So let's trace into the call.

DON'T believe everything I tell you. You can trace forever if you enter this call. There are TWO "Wrong serial" messages, one at :00454D58 and one at :00454D7F. The "je 00454D78" we just looked at leads to the one at :00454D7F. The other one is reached from the conditional jump "jne 00454D51" at :00454CA4 (its target is a few bytes before :00454D58), and that jump sits deep inside what we called "Thanks". The checks we looked at first were only there to see whether we entered anything at all as name, serial and regcode: each call to 00414D34 fetches the text of one edit control into a local ([ebp-08], [ebp-1C], [ebp-20]), and the following "cmp ..., 00000000" only tests whether that string is empty.
So around :00454CA4 you should see this:

* Referenced by a (U)nconditional or (C)onditional Jump at Addresses:
|:00454C1D(C), :00454C34(C)
|                                                     ;; the start of our "Thanks" (haha)
:00454C51 8D55F8          lea edx, dword ptr [ebp-08]
:00454C54 8B45FC          mov eax, dword ptr [ebp-04]
:00454C57 8B80B0010000    mov eax, dword ptr [eax+000001B0]
:00454C5D E8D200FCFF      call 00414D34
:00454C62 8B45F8          mov eax, dword ptr [ebp-08]
:00454C65 50              push eax
:00454C66 DB2E            fld tbyte ptr [esi]
:00454C68 E8BBDDFAFF      call 00402A28
:00454C6D 8D4DDC          lea ecx, dword ptr [ebp-24]
:00454C70 BA08000000      mov edx, 00000008
:00454C75 E8E213FBFF      call 0040605C
:00454C7A 8D45DC          lea eax, dword ptr [ebp-24]
:00454C7D 50              push eax
:00454C7E DB2B            fld tbyte ptr [ebx]
:00454C80 E8A3DDFAFF      call 00402A28               ;; calculate first part
:00454C85 8D4DD8          lea ecx, dword ptr [ebp-28]
:00454C88 BA08000000      mov edx, 00000008
:00454C8D E8CA13FBFF      call 0040605C               ;; calculate second part
:00454C92 8B55D8          mov edx, dword ptr [ebp-28]
:00454C95 58              pop eax
:00454C96 E875EAFAFF      call 00403710               ;; add second part to first part
:00454C9B 8B55DC          mov edx, dword ptr [ebp-24] ;; valid code is stored in ECX
:00454C9E 58              pop eax                     ;; d edx = valid regcode
:00454C9F E874EBFAFF      call 00403818               ;; this one compares
:00454CA4 0F85A7000000    jne 00454D51                ;; that's the important jump
:00454CAA B201            mov dl, 01
:00454CAC B8A4DE4400      mov eax, 0044DEA4
:00454CB1 E8A292FFFF      call 0044DF58
:00454CB6 8BD8            mov ebx, eax
:00454CB8 BA02000080      mov edx, 80000002
:00454CBD 8BC3            mov eax, ebx
:00454CBF E82493FFFF      call 0044DFE8
:00454CC4 B101            mov cl, 01

To make it quick: execute the program up to :00454C9E and look at the registers. You see your correct regcode at EDX: 16 hexadecimal characters, built from two parts of 8 characters each (note the "mov edx, 00000008" before each call to 0040605C) that are joined by the call at :00454C96. The code you typed in was read into [ebp-08] and pushed at :00454C65; it comes back in EAX for the compare at :00454C9F.

 SICE:    d edx
 W32Dasm: Click on ECX in the debug window

(80000002 is the value of HKEY_LOCAL_MACHINE, so after a successful compare the program most likely goes on to write the registration values we saw with Registry Monitor.)

If anyone makes a key generator for this one I would be pleased to hear about it.


IV. BTW

Hope my tutorial was helpful for you and see you again in my next tutorial.
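Appendix, added here and not part of LaZaRuS's tutorial or of MP3 TO EXE: the Zero-flag trick from section II corresponds to a two-byte file patch, turning the "je 0045BB0D" (bytes 74 12) at :0045BAF9 into a short "jmp" (EB 12), which has the same length and target but is always taken. The script below maps the virtual address that W32Dasm shows to a file offset by reading the PE section table (so the image base comes from the file's own header instead of being guessed), refuses to write anything unless the original 74 12 bytes really are at that place, and demonstrates itself on a constructed one-section PE image. NAG_JE_VA, parse_pe32, va_to_file_offset, patch_bytes and build_constructed_pe are names of mine; build_constructed_pe is a stand-in for the real binary and is not MP3TOEXE.EXE.

```python
"""Verified byte patch of the nag-screen "je" at 0045BAF9 (added example, not the tutorial's code)."""
import struct
import sys

# Values taken from the W32Dasm listing in section II of the tutorial:
NAG_JE_VA = 0x0045BAF9        # ":0045BAF9 7412  je 0045BB0D"
JE_SHORT = b"\x74\x12"        # je  rel8 (+0x12)
JMP_SHORT = b"\xEB\x12"       # jmp rel8 (+0x12): same length, same target, always taken


def parse_pe32(pe):
    """Return (image_base, sections) from a PE32 file image.

    sections is a list of (name, virtual_address, virtual_size, raw_pointer, raw_size).
    """
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("no PE signature")
    num_sections = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                   # start of the optional header
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("not a PE32 (32-bit) image")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i                     # 40-byte IMAGE_SECTION_HEADER
        name = pe[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", pe, hdr + 8)
        sections.append((name, va, vsize, raw_ptr, raw_size))
    return image_base, sections


def va_to_file_offset(pe, va):
    """Map a virtual address (as shown by W32Dasm/Soft-Ice) to an offset in the file."""
    image_base, sections = parse_pe32(pe)
    rva = va - image_base
    for name, sec_va, vsize, raw_ptr, raw_size in sections:
        if sec_va <= rva < sec_va + max(vsize, raw_size):
            delta = rva - sec_va
            if delta >= raw_size:
                raise ValueError(f"{va:#010x} lies in the uninitialised tail of {name}")
            return raw_ptr + delta
    raise ValueError(f"{va:#010x} is not inside any section")


def patch_bytes(pe, va, expected, replacement):
    """Return a copy of pe with expected at va replaced by replacement.

    Refuses to touch the image if the original bytes are not what the listing
    showed, so a wrong offset or a different build is caught before writing.
    """
    if len(expected) != len(replacement):
        raise ValueError("replacement must have the same length as the original")
    off = va_to_file_offset(pe, va)
    found = bytes(pe[off:off + len(expected)])
    if found != expected:
        raise ValueError(f"at {va:#010x} (file {off:#x}) found {found.hex()}, expected {expected.hex()}")
    out = bytearray(pe)
    out[off:off + len(replacement)] = replacement
    return bytes(out)


def build_constructed_pe():
    """Constructed stand-in for the target (NOT the real MP3 TO EXE binary).

    One .text section mapped at RVA 0x1000 from file offset 0x400, image base
    0x400000 (assumed), with the original "74 12" placed where 0045BAF9 maps to.
    """
    image_base, sec_rva, raw_ptr, raw_size, opt_size = 0x400000, 0x1000, 0x400, 0x5B000, 0xE0
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<III", opt, 28, image_base, 0x1000, 0x200)     # ImageBase, SectionAlignment, FileAlignment
    sec = struct.pack("<8sIIIIIIHHI", b".text", raw_size, sec_rva, raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
    body = bytearray(raw_size)
    at = NAG_JE_VA - image_base - sec_rva
    body[at:at + 2] = JE_SHORT
    headers = bytes(dos) + b"PE\0\0" + file_hdr + bytes(opt) + sec
    return headers.ljust(raw_ptr, b"\0") + bytes(body)


if __name__ == "__main__":
    if len(sys.argv) == 3:                 # usage: patch.py MP3TOEXE.EXE MP3TOEXE.patched.EXE
        with open(sys.argv[1], "rb") as f:
            data = f.read()
        with open(sys.argv[2], "wb") as f:
            f.write(patch_bytes(data, NAG_JE_VA, JE_SHORT, JMP_SHORT))
    else:                                  # no file given: demonstrate on the constructed image
        demo = build_constructed_pe()
        off = va_to_file_offset(demo, NAG_JE_VA)
        patched = patch_bytes(demo, NAG_JE_VA, JE_SHORT, JMP_SHORT)
        print(f"0045BAF9 -> file offset {off:#x}, bytes now {patched[off:off + 2].hex()}")
```

Keep the author's warning in mind: a patched file trips the "The file has been modified" check, which has to be dealt with separately, and, exactly as with the Zero-flag trick, the EXE files the program creates will still carry the unregistered message, because that depends on the real registration code and not on this jump.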
Greets to: Fravia+, tKC, ED!SON, Moral Insanity, The Sandman, Eternal Bliss, DaVinci and all [hf] members


All Tutorials by LaZaRuS [hf]

 #| date   | name             |version|W32Dasm|Soft-Ice|kind of crack            |
 -|--------|------------------|-------|-------|--------|-------------------------|
 1|20.01.99|Jaylock           |1,0,0,1|  (X)  |  (X)   |serial#                  |
 2|31.01.99|Goldwave          |4.02   |  (X)  |  (X)   |serial#, nag-screens     |
 3|28.03.99|AxMan             |3.00   |  (X)  |  (X)   |serial#, remove date-limit|
  |        |                  |       |       |        |nag-screen, key generator|
 4|29.03.99|C++Builder Strings|       |  (X)  |  (X)   |how to find strings in   |
  |        |                  |       |       |        |C++ Builder that are not |
  |        |                  |       |       |        |hardcoded                |
 5|29.03.99|Better Protection |       |       |        |how to protect shareware |
  |        |                  |       |       |        |better against crackers  |
 6|04.04.99|Start Clean       |1.2    |  (X)  |  (X)   |nag-screen/serial/keygen |
 7|06.04.99|MP3 TO EXE        |1.02   |  (X)  |  (X)   |nag-screen/serial        |

LaZaRuS [hf]

Visit Hellforge at http://members.xoom.com/hell_crack for more tutorials and high quality cracking links.
If you want to mail me: lazarus666@gnwmail.com