Welcome to Cracking Tutorial #7!

Phew, many newbies have asked me to continue writing tutors. So you're looking at this new Windows version! I hope you'll like this kewl proggie! :-) More newbies.. *cough*

Warning, this tutorial is a real mother!! *grin*

In this tutor I'll teach you more about W32Dasm and SoftIce. Thank GOD for a new superPC! :-)

Sorry for my grammatical errors, I hope you'll understand this piece!

Ok, let's rave!!

CONTENTS:

1) How to remove CD Check in Balls of Steel 1.1

Using W32Dasm.

URL: http://www.pinfllwizards.com/bosdownload.html

2) How to remove NAG and 30 days limit in NeverForget 1.00

Using W32Dasm.

URL: http://www.neverforget.com/trial.html

3) How to register in Phone Plus 2.00

Using SoftIce.

URL: http://www.aros.net/~impulse

4) How to register in WinPatch 1.0.06

Using SoftIce.

URL: http://www.artistry.com/products/winpatch/wp.exe

5) Short Summary

6) My last words

TOOLS:

You need the following tools (I use these tools, and I assume you'll use 'em):

W32Dasm 8.9 - http://www.fortunecity.com/bally/waterford/18/w32dsm89.zip

Hacker's View 5.66 - ftp://ftp.cdrom.com/.27/sac/utilprog/hiew566.zip

FAR 1.50 - ftp://rwntug.quarta.msk.ru/WinUtil/Rar/far150.exe

or Windows Commander 3.51 - http://www.ghisler.com

or ask any cracker to get you these tools; they'll be happy to serve you!

BTW: You can find other tools, e.g. SoftIce 3.22, IDA 3.75, and useful programs at:

http://cracking.home.ml.org

Be sure to get all these tools for the next tutor!!

PART 1: How to remove CD Check in Balls of Steel 1.1

Step 1. Run BOS.EXE

Step 2. You'll see that you have to insert your CD to play. Ok, no problem, write down error message. ("Please insert the Balls of Steel CD and click...")

Step 3. Ok, exit the program.

Step 4. Run WC, go to BOS directory.

Step 5. Copy BOS.EXE to BOS.EXX, and copy BOS.EXE to BOS.W32

Step 6. Run W32Dasm and disassemble BOS.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, scroll down to the string "Please insert the Balls of Steel.." (you should remember that error message) and double click on it.

Step 8. Close SDR window, you should see the line:

:00439882 B9F4984300 mov ecx, 004398F4

* Possible StringData Ref from Code Obj ->"Please insert the Balls of Steel "

Step 9. Ok, let's find out what calls this procedure. Hmm, we should first go back to the beginning of this procedure.

Step 10. Press PgUp key 2 or 3 times, and we find:

* Referenced by a CALL at Address:

|:004399D5 <--- what's it?

:004397A4 55 push ebp

:004397A5 8BEC mov ebp, esp

Step 11. Ok, now we can find out what calls this procedure. Look above: it's referenced by a call at 4399D5! Click the Goto Code Location button and enter 4399D5.

Step 12. Ah! We find the call here:

:004399D5 E8CAFDFFFF call 004397A4

Step 13. Hmm, ok, let's nop out this call and see what happens. Make sure the green color bar is on 004399D5 E8CAFDFFFF call 004397A4 and you should see the offset address at the bottom of the screen, like @Offset 00038DD5h. That's where you patch it in BOS.EXE.

Step 14. Go back to WC, run HIEW BOS.EXE, press F4 to select Decode mode (ASM), press F5 and enter 38DD5. You should see something like:

00038DD5: E8CAFDFFFF call 000038BA4 ---------- (1)

00038DDA: E8D1FBFFFF call 0000389B0 ---------- (2)

00038DDF: 8B0B mov ecx,[ebx]


Step 15. That's where you change the bytes: press F3, enter 9090909090 and press F9 to update BOS.EXE. Exit HIEW.

Step 16. Run BOS.EXE, does it work? *heeyaa* You've made it!!

PART 2: How to remove NAG and 30 days limit in NeverForget 1.00

Step 1. Run NeverForget.EXE

Step 2. You'll see the NAG screen, very annoying, right? Ok, no problem, write down the error message. ("Demo version 1.00 installed on..")

Step 3. Ok, exit the program.

Step 4. Run WC, go to NeverForget directory.

Step 5. Copy NeverForget.EXE to NeverForget.EXX, and copy NeverForget.EXE to NeverForget.W32

Step 6. Run W32Dasm and disassemble NeverForget.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, scroll down to the string "Demo version " (you should remember that error message) and double click on it.

Step 8. Close SDR window, you should see the line:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00408D55(C) <--- what's it?

* Possible StringData Ref from Data Obj ->"Demo version "

Step 9. Ok, let's find out what jumps to this procedure. Look above: it's referenced by a conditional jump at 408D55! Click the Goto Code Location button and enter 408D55.

Step 10. Now we find the jump here:

:00408D55 0F84F30B0000 je 0040994E

:00408D5B 53 push ebx

:00408D5C 53 push ebx

Step 11. Ok, if we look down, we'll find there's also a timeout check ("Will expire soon"). So, what if we skip this jump? But where can we jump to? Let's take a good look at:

:00408E2B 53 push ebx

Step 12. This could be the end of the timeout check. Let's find out what happens if we jump to this address. Make sure the cyan color bar is on 00408E2B 53 push ebx and you'll see the offset address at the bottom of the screen, like @Offset 0000822Bh. Remember this offset. Then go back to address 408D55; its offset should be 8155h, right?

Step 13. Ok, go back to WC, run HIEW NEVERF~1.EXE, press F4 to select Decode mode (ASM), press F5 and enter 8155. You should see something like:

00008155: 0F84F30B0000 je 000008D4E ---------- (1)

0000815B: 53 push ebx

Step 14. Now press F3, then TAB, enter "jmp 822B" and then press ESC. You'll see:

00008155: E9D1000000 jmp 00000822B

Step 15. And now you can press F9 to update NEVERF~1.EXE. Exit HIEW.

Step 16. Run NeverForget.EXE. *boom* No NAGs, no expire shit! Kewl, you've made it!!
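In both parts above, W32Dasm shows a virtual address (:004399D5, :00408D55) and HIEW needs the file offset (@Offset 00038DD5h, 0000822Bh); the two are related through the PE section table. The script below, an added example that is not part of this tutorial, does that mapping in both directions with a constructed .text header whose values reproduce the offsets quoted in Parts 1 and 2 (image base 0x400000 is assumed).

```python
"""Map the virtual addresses W32Dasm shows (:004399D5) to the file offsets
HIEW patches (@Offset 00038DD5h), and back, from a PE section table.
Added example, not part of tKC's tutorial: the single .text header below is
constructed so that its values reproduce the offsets quoted in Parts 1 and 2."""
import struct

IMAGE_BASE = 0x400000  # assumed: the default Win32 image base

# IMAGE_SECTION_HEADER: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers,
# NumberOfRelocations, NumberOfLinenumbers, Characteristics (40 bytes).
SECTION_FMT = "<8sIIIIIIHHI"


def parse_sections(table: bytes) -> list:
    """Decode consecutive section headers into dicts with the fields we need."""
    size = struct.calcsize(SECTION_FMT)
    sections = []
    for off in range(0, len(table) - size + 1, size):
        name, vsize, va, rawsize, rawptr = struct.unpack_from(SECTION_FMT, table, off)[:5]
        sections.append({"name": name.rstrip(b"\0").decode(), "va": va,
                         "vsize": vsize, "rawsize": rawsize, "rawptr": rawptr})
    return sections


def va_to_offset(va: int, sections: list, image_base: int = IMAGE_BASE):
    """File offset backing a virtual address, or None when it is not on disk
    (outside every section, or in a section's zero-filled tail)."""
    rva = va - image_base
    for s in sections:
        if s["va"] <= rva < s["va"] + max(s["vsize"], s["rawsize"]):
            delta = rva - s["va"]
            return s["rawptr"] + delta if delta < s["rawsize"] else None
    return None


def offset_to_va(offset: int, sections: list, image_base: int = IMAGE_BASE):
    """Inverse mapping: why HIEW shows 'call 38BA4' where W32Dasm shows 4397A4."""
    for s in sections:
        if s["rawptr"] <= offset < s["rawptr"] + s["rawsize"]:
            return image_base + s["va"] + (offset - s["rawptr"])
    return None


# Constructed .text header: RVA 0x1000 starts at raw offset 0x400, so every
# address in the section maps with a fixed delta of 0xC00 between RVA and offset.
TEXT_TABLE = struct.pack(SECTION_FMT, b".text", 0x40000, 0x1000, 0x40000, 0x400,
                         0, 0, 0, 0, 0x60000020)
SECTIONS = parse_sections(TEXT_TABLE)
```

The same arithmetic is what a forensic comparison of BOS.EXX against the patched BOS.EXE needs to name the modified instruction rather than just the changed file offset.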

PART 3: How to register in Phone Plus 2.00

Step 1. Run Phone.EXE

Step 2. You'll see the NAG screen, it looks like shit, right? Ok, no problem, click on "Enter Registration Code.."

Step 3. Press CTRL-D to Softice.

Step 4. Type BPX GETWINDOWTEXTA and press F5 to return back to PhonePlus.

Step 5. Enter "tKC/PC '98" as our name and "12345" as our code, click OK.

Step 6. Now you're back in Softice, type D EAX, now you'll see "12345" in Data Window.

Step 7. Hmm, no.. press F5, type D EAX, ah you find "tKC/PC '98" in Data Window *boom*

Step 8. Press F11 to get to the caller. Do you see EAX=0000000A in the Register Window? It's the length of our name (try ? A and you get 10).

Step 9. Now we know we're on the right place. Trace downward (Press F10) till you see:

015F:7C69D80F POP EDI

Step 10. Type D ECX and you'll also see our name in the Data Window. Trace again (F10) till we get:

015F:0040EC61 CALL 0040ECBA

Step 11. Since we know this is the last call before the error message pops up, we need to go into this call. Press F8 to trace into the call.

Step 12. Trace down till we see:

015F:7C681D37 MOV ESI,ECX

Step 13. Now type D EAX and what do we see in Data Window? *Our Serial*

Step 14. Type BD* and press F5 to return to PhonePlus.

Step 15. Enter "1P3201795" *boom* Registered!!

PART 4: How to register in WinPatch 1.0.06

Step 1. Run WinPatch.EXE

Step 2. You'll see the NAG screen, it looks like shit, right? Ok, no problem, click on "Enter Registration Code.."

Step 3. Press CTRL-D to Softice.

Step 4. Type BPX GETWINDOWTEXTA and press F5 to return back to WinPatch.

Step 5. Enter "The Keyboard Caper" as our name, "12345" as our ID, and "Phrozen Crew '98" as our organization. Then click OK.

Step 6. Now you're back in Softice, type D EAX, now you'll see our name in Data Window.

Step 7. Hmm, no.. press F5, type D EAX, ah you find "12345" in Data Window, not ready yet.

Step 8. Press F5 again, type D EAX *boom* our organization in Data Window. We're ready to rave.

Step 9. Press F11 to get to the caller. Do you see EAX=00000010 in the Register Window? It's the length of our organization (try ? 10 and you get 16).

Step 10. Now we know we're on the right place. Trace downward (Press F10) till you see:

015F:0040F2A1 PUSH EDX

015F:0040F2A2 PUSH EAX

015F:0040F2A3 CALL 00416B50

Step 11. Since we know this is the last call before the error message pops up, let's try: type D EAX and what do we see in the Data Window? *Our ID*

Step 12. Type BD* and press F5 to return to WinPatch.

Step 13. Enter "D&L-1121-1941-3638" *boom* Registered!!
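Parts 3 and 4 work for the same reason: the program rebuilds the valid code from the name and holds it in a plain buffer right before the compare, so D EAX at that point shows it. The C below is an added example for a hypothetical program, not the code of Phone Plus or WinPatch; it puts that weak pattern beside a hardened one that stores only a digest of the valid pair and compares in constant time (fnv1a() is a stand-in for whatever key schedule a real product uses).

```c
/* Weak versus hardened registration check: an added example for a hypothetical
 * program, not the code of Phone Plus or WinPatch.  fnv1a() stands in for
 * whatever key schedule a real product uses. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* FNV-1a 32-bit hash of a NUL-terminated string. */
uint32_t fnv1a(const char *s) {
    uint32_t h = 0x811C9DC5u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 0x01000193u; }
    return h;
}

/* WEAK: the expected code is rebuilt from the name and sits in a plain
 * buffer right before strcmp.  Stopped on the last CALL before the error
 * box, a debugger reads it with D EAX, which is what Parts 3 and 4 rely on. */
int weak_check(const char *name, const char *code) {
    char expected[9];
    snprintf(expected, sizeof expected, "%08X", fnv1a(name));
    return strcmp(expected, code) == 0;   /* early-exit compare */
}

/* Constant-time equality: does not leak how many leading bytes matched. */
int ct_equal(const void *a, const void *b, size_t n) {
    const uint8_t *x = a, *y = b;
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= x[i] ^ y[i];
    return diff == 0;
}

/* HARDENED: the program embeds only a digest of the valid name/code pair,
 * so a valid code is never assembled in memory; what D EAX shows at the
 * compare is a digest of the user's own input.  A 32-bit toy digest is
 * still brute-forceable offline; a real product verifies a public-key
 * signature over the name instead. */
uint32_t license_digest(const char *name, const char *code) {
    char buf[128];
    snprintf(buf, sizeof buf, "%s|%s", name, code);
    return fnv1a(buf);
}

int hardened_check(const char *name, const char *code, uint32_t stored_digest) {
    uint32_t d = license_digest(name, code);
    return ct_equal(&d, &stored_digest, sizeof d);
}
```

Neither form by itself stops the patching in Parts 1 and 2, which changes the branch after the check rather than the value it compares.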

PART 5: Short Summary

Once you load Softice, you cannot deactivate it until you reboot your PC. To verify that Softice is loaded, press the Softice hot key CTRL-D. The Softice screen should appear. To return to Windows, use X (exit), G (goto), or F5.

For help, use H or F1.

To single-step through the code, tracing into calls, use T or F8.

To step over calls, jumps etc. without tracing into them, use P or F10.

To set breakpoints, use BPX <function> eg. BPX GETWINDOWTEXTA or BPX GETDLGITEMTEXTA.

To view breakpoints, use BL.

To clear all breakpoints, use BC*; to clear only the first breakpoint, use BC0, and so on.

To enable a breakpoint, use BE0, or BE* for all breakpoints.

To disable a breakpoint, use BD0, or BD* for all breakpoints.

To return to the caller of the current function (as in Parts 3 and 4), use F11.

In the next tutorial I'll give you more details on Softice.

LAST WORDS:

I really hope you've enjoyed this tutorial as much as I did!

If you ask me nicely, then there will be a chance that you'll get a tutor #8 ;)

PersGreetz to Celeste, Nicolene, Taha & everyone at PC98 channel!

You can find me at #pc98 or email me at tkc@reaper.org

Enjoy it,

The Keyboard Caper,

The Founder of PhRoZeN CReW '94-98

7-3-1998

Oscar 10.0