the right way to go!

GERMAN CRACKING FORCE / PC

Cracking - HowTo #3
made for you by JoGy [Laxity]

I read the tutorial from Yaan!, another cracker from Laxity, and thought: I should show you the differences between cracking with a disassembler and a debugger. So I decided to write this tutorial about cracking Ghosttyper 1.0e with SoftIce. This tutorial won't show you how SoftIce works, but it will show you how to crack a shareware program using it.

What you will need:

 * SOFTICE v3.0 or higher: SoftIce is a "must-have" in the scene. Try to get it at http://cracking.home.ml.org/ and don't blame me if you can't find it or if it's dead-linked!

 * PIECE OF PAPER: You'll need it later to write down the right code 8)

Okay, let's start. Open ghosttyper.exe with the Symbol Loader from SoftIce and execute it by clicking on the LOAD button. You will be in SoftIce at the beginning of the program. So it's time to configure SoftIce a little bit: type 'data' [ENTER] and then 'r' [ENTER]. Now one part of the SoftIce window shows the CPU registers and another shows the offset addresses and what's in them. Press [F5] to let the program run again. The Ghosttyper window where you should register will open. Click on the 'register' button and enter your name and a dummy code (e.g. 98765432). BEFORE you click on the OK button, go back into SoftIce by pressing [CTRL] and [D] at the same time. Back in ICE you have to set a breakpoint.
There are many possible breakpoints to set, but the one I prefer is breaking on hmemcpy. This bp will be triggered whenever the program calls the hmemcpy procedure (this program reads in three values, so it calls hmemcpy three times). Set the breakpoint by typing this in SoftIce: 'bpx hmemcpy' [ENTER] (bpx sets the breakpoint). Now press [F5] again to switch back to Ghosttyper and click the OK button. Immediately you will be back in ICE due to the breakpoint at hmemcpy. Press [F5] two times. Now press [F12] until you are out of the 16-bit addresses and in the 32-bit addresses. You will stop at 0137:00436E92 POP ESI. We are no longer in KERNEL but in the GHOSTTYPER code, and that's what we want. The prog has read all necessary information with hmemcpy. But where are the codes? They have to be somewhere... so let's search for the dummy code 98765432! Probably the code is at an address beginning with 013F:????????. So let's move to those addresses by typing 'd 013F:00000000'. Now let's search: type 's 0 l ffffffff '98765432'' [ENTER] (s stands for search; type as many 'f's as your code has characters, each 'f' stands for one position in your dummy code). After that you will see 'pattern found at 013F:00ADB778'! Now, try to think (if that is possible)... our dummy code is at the address 013F:00ADB778. Hmmm...... What we wanna find is the compare between our dummy code and the right code, so all we have to do is set another breakpoint that will be triggered if our dummy code is moved, read, deleted or overwritten. Therefore we use 'bpm 013F:00ADB778' [ENTER] (bpm means breakpoint on memory access). After you have defined this bpm, press [F5] and you will immediately be back at the address 0137:00402AF1 INC ESI. So this means that something happens to our dummy code here; look at the memory the ESI register points to by typing 'd esi' [ENTER]. WOW! Our code is in the ESI register.
The line above, MOV BL,[ESI], has moved the first number of our code into the BL register. Trace further by pressing [F10] and let's try to understand what happens to our code: there are many compares, but none of them is THE cmp WE are looking for. At the address 0137:00402B1D ADD EAX,EBX the first numba will be added into the EAX register. If you trace further you will notice that we are in a loop which moves one code numba after another into the EAX register using ADD EAX,EBX. Press [F10] until you reach 0137:0046301F MOV ESI,EAX (before that you should have left two calls by tracing through RET instructions). Type '? eax' and you will see our dummy code in the EAX register. Now it will be moved into the ESI register. Trace one step further and type '? esi' and you will see our dummy code in the ESI register. Trace two steps further and you are digging gold: CMP ESI,EAX. Yeah. That's it. The call before has given EAX the right code. Get its value by typing '? eax' and use your piece of paper to write your code down! If you wanna know how the code was calculated... have a look into the call before. But that's only necessary if you want to code a key generator. (Maybe in the next tutorial?)

You made it. You ripped a code out of a shareware program using SoftIce! Did you notice that it's much cheaper to register a ProG this way???? Come on.... If you understand it and you have fun cracking other progs: JOIN US... JOIN LAXITY - GERMAN CRACKING FORCE!!! Mail us and become a trial memba! Perhaps I will write some other tutorials (if you want me to!), but don't terrorize me by sending too much mail. (A tuti like this needs its time to be done!) GOOD LUCK in TRYING to CRACK shareware ProGs!
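The weakness the walkthrough above relies on is that the program computes the one right code itself and then compares it directly (the CMP ESI,EAX), so the right code sits in a register at the moment of the compare. The following is an added C example, not part of JoGy's tutorial or of the Ghosttyper program, contrasting that generate-then-compare pattern with a verify-only check; name_digest, check_weak, check_verify_only, powmod and the textbook toy RSA parameters (n=3233, e=17, d=2753) are all constructed for illustration and are far too small to be secure.

```c
#include <stdint.h>
#include <stdio.h>
/* Constructed stand-in for the program's code derivation ("the call before"
   in the tutorial): an FNV-1a digest of the user name. */
static uint32_t name_digest(const char *name) {
    uint32_t h = 2166136261u;
    for (; *name; name++) { h ^= (uint8_t)*name; h *= 16777619u; }
    return h;
}

/* WEAK, the pattern the tutorial reads off: the program computes the one right
   code itself and compares directly, so at the CMP the right code is in a register. */
int check_weak(const char *name, uint32_t entered) {
    uint32_t expected = name_digest(name);   /* right code now sits in a register */
    return entered == expected;              /* the CMP ESI,EAX moment */
}

/* Toy RSA with textbook parameters (p=61, q=53): n=3233, e=17, vendor-only d=2753.
   Constructed and far too small to be secure; only the architecture matters here. */
#define TOY_N 3233u
#define TOY_E 17u
#define TOY_D_VENDOR_ONLY 2753u

static uint32_t powmod(uint32_t base, uint32_t exp, uint32_t mod) {
    uint64_t r = 1, x = base % mod;
    for (; exp; exp >>= 1) { if (exp & 1) r = r * x % mod; x = x * x % mod; }
    return (uint32_t)r;
}

/* VERIFY-ONLY: the shipped program holds only (n, e). It checks that the entered
   code is a valid signature of the name digest but never computes a valid code,
   so no register ever contains one for a breakpoint to read off. */
int check_verify_only(const char *name, uint32_t entered) {
    uint32_t m = name_digest(name) % TOY_N;
    return powmod(entered, TOY_E, TOY_N) == m;
}

/* Vendor side, NOT shipped with the program: sign the digest with d. */
uint32_t vendor_issue_code(const char *name) {
    return powmod(name_digest(name) % TOY_N, TOY_D_VENDOR_ONLY, TOY_N);
}

int main(void) {
    const char *user = "JoGy";                 /* constructed sample name */
    uint32_t code = vendor_issue_code(user);
    printf("weak=%d verify-only=%d wrong-code=%d\n",
           check_weak(user, name_digest(user)), check_verify_only(user, code),
           check_verify_only(user, (code + 1) % TOY_N));
    return 0;
}
```

With real-size parameters this is the structure of a signed licence key: the program can verify a code but cannot produce one, so a debugger at the final compare only ever sees the digest and the decoded candidate.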
CU JoGy [Laxity]

Membaz:
 Animalo        founder, cracker       laxity_hq@gmx.net
 SONIC 98       cracker, iNET admin    laxity_s98@gmx.net
 pCsK8R         cracker                laxity_pc@gmx.net
 Yaan!          cracker                laxity_yaan@hotmail.com
 JoGy           cracker                jogy_laxity@hotmail.com
 The Brain      cracker                the.brain.@gmx.net
 xCrk           cracker                xcrk@bigfoot.com
 vTeC           cracker                @
 Swoop          cracker                @
 Smakkker       cracker                @
 Twister        cracker                @
 Tiger of THT   gfxer                  @
 Raptor #1      driver                 @

Trial Membaz:
 _awe_          gfxer, tester          @

Greetz:
 APP - GCG - GWA98 - NEXUS98 - UCF2000 - PC98

Join Laxity:
 Are you a cracker?... Contact laxity and ask him if you can join!
 We also need slaves for our irc, spread, test and help section...

iNET:
 IRC EFNET:  #laxity98
 German Hq:  http://gcf.notrix.de