Make your own free website on Tripod.com

Welcome to Cracking Tutorial #8!

Yikes! Here we are again! More newbees.. *cough .. cough* Ok, not a biggie problem ;)

I'm glad people love the style of this version! So I'll stay on this book style! ;)

Warning, this tutorial is a real mother!! *grin*

In this tutor I'll teach you everything more about W32Dasm and SoftIce. Without knowledge, no power! ;)

Sorry for my bad grammatical errors, I hope you'll understand this piece!

Ok, let's rave!!

CONTENTS:

1) How to unlock CaptureEze97 6.0

Using SoftIce.

URL: http://www.screencapture.com/c97setup.exe

2) How to register in MPEG Player 1.76

Using SoftIce.

URL: ftp://ftp.simtel.net/pub/simtelnet/win95/mmedia/mpegp176.zip

3) How to register in WinXFiles 2.8

Using SoftIce & W32Dasm.

URL: http://www.pepsoft.com/wxf32_28.zip

4) How to register in CD-R Diagnostic 0.1.1.3

Using SoftIce.

URL: http://www.enteract.com/~pcrowley/windows/cdrdiagver113.exe

5) Tips for SoftIce

6) My last words

TOOLS:

For tools you need the followings:

(I use these tools, I assume you'll use 'em)

W32Dasm 8.9 - http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip

Hacker's View 5.66 - ftp://ftp.cdrom.com/.27/sac/utilprog/hiew566.zip

FAR 1.50 - ftp://rwntug.quarta.msk.ru/WinUtil/Rar/far150.exe

or Windows Commander 3.51 - http://www.ghisler.com

or ask any crackers to get you these tools, they'll be happy to serve you!

BTW: You can find another tools eg. SoftIce 3.22, IDA 3.75 and useful programs at:

http://cracking.home.ml.org

Be sure to get all these tools for the next tutor!!

PART 1: How to unlock CaptureEze97 6.0

BTW: Once the program is unlocked, it's still a trial, only Time Limit is removed. You'll

have to order Full Retail program, so it sux too :-/

Step 1. Run CAPEZE97.EXE

Step 2. You'll see 45 Days Remaining BOX. Ok, no problem, click on Purchase button. Enter

"tKC" as User Name, "PC '98" as Company, and "12345" as Unlock Code.

Step 3. Press CTRL-D to Softice.

Step 4. Type BPX GETWINDOWTEXTA and press F5 to return back to CAPEZE.

Step 5. Click OK, and now you're back at Softice, press F5.

Step 6. You can press F11 if you want but it'll take you longer to trace, so the best is to

press F5 again and then F11 to get to the caller.

Step 7. Do you see EAX=00000006 in Register Window? It's the lenght for our company.

We know we're near the bitch's nest. We're getting there ;)

Step 8. Trace downward (press F10) till you see:

015F:00633FC1 LEA EAX,[EBP-14] ^P11<---our false code^p

015F:00633FC4 LEA ECX,[EBP-28] ^P11<---our code!!^p

015F:00633FC7 PUSH EAX

015F:00633FC8 PUSH ECX

Step 9. Now type D EAX. Do you see "12345" in Data Window? Ok kewl.

Step 10. Type D ECX. What do you see in Data Window? *Our code*

Step 11. Type BD* and press F5 to return to CAPEZE.

Step 12. Enter "4422028906994041" *unlocked!*

Step 13. If you don't want unlock, you can find a code to restore your

trial periode by pressing F10 till you see:

015F:00634034 LEA EAX,[EBP-14]

015F:00634037 LEA ECX,[EBP-28]

015F:0063403A PUSH EAX

015F:0063403B PUSH ECX

Step 14. Type D ECX and you'll find a code to restore trial periode. As I said, it sux too!

{Our code might be different, since it asked for your name when installing first time!)

PART 2: How to register in MPEG Player 1.76

Step 1. Run MPEGP32.EXE

Step 2. You'll see the NAG screen, very annoying, right? Ok, no problem, click on About/Registration.

Step 3. Enter "tKC/PC '98" as UserName and "12345" as UserCode.

Step 4. Press CTRL-D to Softice.

Step 5. Type GETDLGITEMTEXTA and press F5 to return back to MPEGP32.

Step 6. Click on Register and now you're back at Softice, press F5.

Step 7. Now press F11 to get to the caller. Do you see EAX=00000005 in Register Window?

Easy to guess what it is. The length of our code.

Step 8. Ok, now we should see:

015F:0040A161 PUSH 00449140

015F:0040A166 PUSH 0043CCC0

Step 9. Type D 449140 and you should see "12345" in Data Window. Also type D 43CCC0 to see

our name.

Step 10. Ok, press F10 till you're at:

015F:0040A16B CALL 0040E6D0

Step 11. We need to go into this call 'coz this is the last call before

the error message pops up. Ok, now press F8 to go into the call.

Step 12. Trace down (F10) till we see:

015F:0040E75D MOV ESI,[ESP+0C]

015F:0040E761 MOV EDI,[ESP+10]

015F:0040E765 LEA EDX,[ESP+0C]

Step 13. What do we get? We see ESI=13EE3B42 and EDI=BE096ACF in Register Window.

We're entering the bitch's nest ;) Ok, press F10 till we come at:

015F:0040E79F LEA EAX,[ESP+0000010C]

015F:0040E7A6 MOV DL,[EAX]

Step 14. Type D EAX and what do we see in Data Window? *CODE*

Step 15. Type BD* and press F5 to return to MPEGP32.

Step 16. Enter "13ee3b42-be096acf" *boom* Registered!!

PART 3: How to register in WinXFiles 2.8

BTW: This program is written in Delphi, and sometimes it uses their own exp handlers. So we'll

use W32Dasm and Softice to enter a bitch's nest. ;)

Step 1. Run WXFILES.EXE

Step 2. Click on Register, enter "tKC/PC '98" as UserName and "12345" as Key.

Step 3. Press CTRL-D to Softice, type BPX GETWINDOWTEXTA and also BPX GETDLGITEMTEXTA.

Step 4. Press F5 to return back to WXFILES and click OK.

Step 5. Hmm, nothing happened. Delphi doesn't like those GETxxxxxxx exp's.. (GOD knows why

I love Delphi!) ;) Ok, not a big problem, open W32Dasm and disassemble WXFILES.EXE.

Step 6. Once it's disassembled, click STRING DATA REFERENCE, look down for the string:

"Invalid Registration Password" and double click it.

Step 7. Close SDR window, you should see the line:

:00482A1A 668B0DAC2A4800 mov cx, word ptr [00482AAC]

:00482A21 B202 mov dl, 02

* Possible StringData Ref from Code Obj ->"Invalid Registration Password."

Step 8. Now press PgUp key and we see:

:00482990 8D95D4FBFFFF lea edx, dword ptr [ebp+FFFFFBD4]

:00482996 8B45FC mov eax, dword ptr [ebp-04]

---

---

---

:004829C8 754E jne 00482A18 ^P11<---jump if wrong code^p

:004829CA 8B45FC mov eax, dword ptr [ebp-04]

Step 9. Ok, we have the address (482990) and we'll use this one for Softice. Close W32Dasm.

Step 10. Go back to WXFILES, enter our name and code again. Don't click OK yet.

Step 11. Press CTRL-D to Softice, type BPX SHOWWINDOW and press F5. And now you may click OK.

Step 12. *boom* You're now at Softice. Ok, type G 482990 (no need to press F5!) You'll be back

at WXFILES. Enter the code, and click OK again.

Step 13. *boom* You see Break due to G (ET=x.xx seconds) Kewl, we're enter the bitch's nest!

Step 14. Now type BD* and press F10 down till we see:

015F:004829AB LEA EAX,[EBP+FFFFFBD8]

Step 15. Type D EAX and we see "12345" in Data Window. Kewl, getting on..

Step 16. Press F10 down till we come at:

015F:004829C2 POP EAX

Step 17. Now type D EDX and what do we see in Data Window? *bitch!*

Step 18. Press F5 to return to WXFILES.

Step 19. Enter MCGBVPFMWBAMYXQ *boom* Registered!!

PART 4: How to register in CD-R Diagnostic 0.1.1.3

Step 1. Run CDRDIAG.EXE

Step 2. You'll see the NAG screen, shit, right? Ok, no problem, click on Help/Registration.

Step 3. Enter "tKC/PC '98" as Name and "12345" as Code.

Step 4. Press CTRL-D to Softice.

Step 5. Type GETDLGITEMTEXTA and press F5 to return back to CDRDIAG.

Step 6. Click on OK and now you're back at Softice.

Step 7. Now press F11 to get to the caller. Do you see EAX=00000005 in Register Window?

Easy to guess what it is. The length of our code.

Step 8. Ok, now we should see:

015F:00408AC0 MOV DL,[0041B640]

Step 9. Type D 41B640 and you will see "12345" in Data Window.

Step 10. Ok, now press F10 down till you're at:

015F:00408B26 ADD ESP,04

Step 11. You should see EAX=0000204C in Register Window.

Step 12. Now type ? EAX and we get:

0000204C 0000008268 " L"

Step 13. What do we see? 8268 is a part of our 4 digits code. The Author isn't so

clever as what we thought. If you look closely at the coding, it needs 8 digits

for a correct code. It takes 1st and 2nd digit out of "8268" to add to the code,

and we get 6 digits code. And again it takes 1st and 2nd digit out of "828268" to add

to the code and we get 8 digits code. Example:

1)

Digits: 1 2 3 4

Code: 8 2 6 8

2)

Digits: 1 2 3 4 5 6

Code: 8 2 8 2 6 8

3)

Digits: 1 2 3 4 5 6 7 8

Code: 8 2 8 2 8 2 6 8

Step 14. Now our code should be 82828268. Let's try, type BD* and press F5 to go back to CDRDIAG.

Step 15. Enter "82828268" *boom* Registered!!

PART 5: Tips for Softice

Here are some functions that you should breakpoint in Softice when cracking programs.

 

Reading/Writing files:

ReadFile

WriteFile

CreateFileA

Reading data from INI file:

GetPrivateProfileStringA

GetPrivateProfileIntA

WritePrivateProfileStringA

WritePrivateProfileIntA

Registry Access:

RegCreateKeyA

RegDeleteKeyA

RegQueryValueA

RegCloseKeyA

RegOpenKeyA

DialogBoxes:

GetWindowTextA

GetDlgItemTextA

GetDlgItemInt

MessageBoxes:

MessageBox

MessageBoxA

MessageBoxExA

MessageBeep

Time And Date:

GetLocalTime

GetSystemTime

GetFileTime

Creating a window (like a NAG):

CreateWindowExA

ShowWindow

Thanks go to THE_q for this tips...

LAST WORDS:

I really hope you've enjoyed this tutorial too much as I did!

In next tutorial, I'll give you more advanced lessons.

If you ask me nicely, then you'll get a tutor #9 ;)

I've got wise words from somebody, here it says:

If you give a person a crack,

he will be hungry again.

If you teach a person to crack,

he will never be hungry again!

And as I said last time: Without knowledge, there's no power! ;)

PersGreetz go to:

Taha, Taylor, Kim, Tracy, Nitallica, Kristina & everyone at PC98 channel! Yea babes again! *sigh* ;)

You can find me at #pc98 or email me at tkc@reaper.org

Enjoy it,

The Keyboard Caper,

The Founder of PhRoZeN CReW '94-98

7-4-1998

Oscar 10.0