HACK GUIDE

Hi dudes!

Now I'm back with a cracking tutorial; this time I'd like to teach you how to remove NAGs and how to use Debugger Mode in W32Dasm. It's real easy!!

Sorry for my bad grammar, I hope you'll understand this piece! :-)

Let's go!

TOOLS:

For tools you need the following (I use these tools, and I assume you'll use 'em too):

W32Dasm 8.9 or a higher version

Hacker's View 5.60

Norton Commander or Windows Commander (I'll explain later why I use this one)

Ask any cracker to get you these tools, they'll be happy to serve you! :-)

CONTENTS:

1) a. How to remove NAGs in Private EXE 2.0a (using Debugger in W32Dasm)

b. How to remove NAGs in Private EXE 2.0a (without W32Dasm!!)

2) a. How to remove NAGs in LView Pro 1.C/32 (using Debugger in W32Dasm)

b. How to crack LView Pro 1.C/32 (to enter any serials)

(Because I have had no modem here for a while I couldn't grab the latest shareware, so I use those old programs for demonstration.)

PART 1a: To remove NAGs in Private EXE 2.0a (with W32Dasm)

Step 1. Run PEXE32.EXE

Step 2. Now you see this annoying NAG screen. You'd like to remove these NAGs, right? :-)

Step 3. Ok, exit the program.

Step 4. Run Norton Commander, go to PrivateEXE directory.

Step 5. Copy PEXE32.EXE to PEXE32.EXX (as a backup) and copy PEXE32.EXE to 1.EXE (for use by W32Dasm).

Step 6. Run W32Dasm and disassemble 1.EXE.

Step 7. Once it's disassembled, click Debug|Load Process (or press CTRL-L).

Step 8. Wait until the Debugger has finished loading all the DLLs.

Step 9. Ok, now you're in the 'debug' window; you should see the bar at:

:004074B0 mov eax, dword ptr fs: [00000000]

:004074B6 push ebp

...

...

Step 10. This is the Program Entry Point. Ok, you're ready to run Private EXE: click on RUN (or press F9). You should see the NAG screen; now you'd like to know where it processes the NAGs. Click on Step Into (or press F7). Ah! Now you should see the following:

:00405C21 call USER32.DialogBoxParamA

:00405C27 pop ebp

...

...

Step 11. Click on Terminate; it'll close the Debugger and the Private EXE windows.

Step 12. You should be back at W32Dasm and see the following:

:00405C21 FF1590664100 Call dword ptr [00416690]

:00405C27 5D pop ebp

:00405C28 C3 ret

...

Step 13. Ok, now you must check where it starts to process the dialogs. Press the UP arrow key till you find:

:00405BFC CC int 03

:00405BFD CC int 03

:00405BFE CC int 03

* Referenced by a (U)nconditional or (C)onditional Jump at Address:

|:00401064 (U)

|

:00405BFF 55 push ebp

:00405C00 8B442414 mov eax, dword ptr [esp+14]

...

Step 14. These CC's (int 03) mark where it starts to process the dialogs. Make sure the cyan color bar is on :00405BFF 55 push ebp. You should see the Offset address below on the screen, like @Offset 00004FFFh. That's where you can patch it in PEXE32.EXE.

Step 15. Go back to Norton Commander, run HIEW PEXE32.EXE, press F4 to select Decode mode (ASM), press F5 and enter 4FFF. You should see something like:

00005BFF: 55 push ebp

00005C00: 8B442414 mov eax,[esp][00014]

00005C04: 8BEC mov ebp,esp

00005C06: 85C0 test eax,eax

(Remember, I'm using HIEW 5.60 now, which shows you a different offset address, and this version is awesome, grab it!!)

Step 16. That's where you can change the bytes: press F3, enter C3, and press F9 to update PEXE32.EXE. When you've pressed F3 and entered C3, it should look like this:

00004FFF: C3 retn

00005000: 8B442414 mov eax,[esp][00014]

00005004: 8BEC mov ebp,esp

00005006: 85C0 test eax,eax

(Notice the offset address)

Step 17. Why C3? Ah, when the program starts here at C3 (retn), it won't continue with processing the dialogs, because you tell it to return right away!

Step 18. Now run PEXE32.EXE. Do you still see those NAG screens? Gone! Kewl!! You've cracked Private EXE 2.0a!!

BTW: this isn't a 100% crack (it doesn't bypass the password protection); I only show you how to remove NAGs, remember? :-)
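What W32Dasm's "@Offset" line and the backup copy actually give you, as an added Python example that is not part of this tutorial and not code from W32Dasm or HIEW: the script compares the backup .EXX against the .EXE, lists every byte that differs, and maps each file offset back to a virtual address through the PE section table, which is the same translation W32Dasm performs for its @Offset display. The function names and the constructed PE image built by build_sample_pe() are this example's own assumptions; on real files, read the two copies with open(..., "rb") and pass the bytes to tamper_report().

```python
"""Tamper check for a patched Win32 executable: compare a backup copy against the
shipped .EXE, list every changed byte, and translate each file offset into the
virtual address a disassembler shows, using the PE section table.

Added example, not part of the tutorial or of W32Dasm/HIEW. The PE image built
by build_sample_pe() is constructed here for demonstration; the function names
are this example's own, not an API of any real tool."""
import struct

# Single-byte opcodes the tutorial's patches use; only for annotating the report.
OPCODE_NOTES = {0xC3: "ret", 0x90: "nop", 0x74: "je rel8", 0x75: "jne rel8", 0xEB: "jmp rel8"}


def parse_pe(pe):
    """Return (image_base, sections); each section is (name, rva, vsize, raw_ptr, raw_size)."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4                                   # IMAGE_FILE_HEADER
    num_sections = struct.unpack_from("<H", pe, coff + 2)[0]
    opt_size = struct.unpack_from("<H", pe, coff + 16)[0]
    opt = coff + 20                                       # IMAGE_OPTIONAL_HEADER (PE32)
    if struct.unpack_from("<H", pe, opt)[0] != 0x10B:
        raise ValueError("only PE32 images are handled here")
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    table = opt + opt_size                                # IMAGE_SECTION_HEADER[] follows
    sections = []
    for i in range(num_sections):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from("<8sIIII", pe, table + 40 * i)
        sections.append((name.rstrip(b"\0").decode("ascii"), rva, vsize, raw_ptr, raw_size))
    return image_base, sections


def file_offset_to_va(meta, offset):
    """File offset -> virtual address, or None for bytes outside every section (headers)."""
    image_base, sections = meta
    for _name, rva, _vsize, raw_ptr, raw_size in sections:
        if raw_ptr <= offset < raw_ptr + raw_size:
            return image_base + rva + (offset - raw_ptr)
    return None


def va_to_file_offset(meta, va):
    """Virtual address -> file offset, or None if the address is not backed by file data."""
    image_base, sections = meta
    rva = va - image_base
    for _name, sec_rva, vsize, raw_ptr, raw_size in sections:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            delta = rva - sec_rva
            return raw_ptr + delta if delta < raw_size else None
    return None


def diff_bytes(original, modified):
    """(offset, old, new) for every differing byte; both images must be the same size."""
    if len(original) != len(modified):
        raise ValueError("sizes differ: %d vs %d bytes" % (len(original), len(modified)))
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, modified)) if a != b]


def tamper_report(original, modified):
    """One readable line per changed byte, with the virtual address a disassembler would show."""
    meta = parse_pe(original)
    lines = []
    for off, old, new in diff_bytes(original, modified):
        va = file_offset_to_va(meta, off)
        where = "va %08X" % va if va is not None else "header"
        note = OPCODE_NOTES.get(new)
        lines.append("offset %08X (%s): %02X -> %02X%s" % (off, where, old, new, " (%s)" % note if note else ""))
    return lines


def build_sample_pe():
    """Constructed PE32: 0x200 bytes of headers, one .text section at file offset 0x200
    mapped to RVA 0x1000, ImageBase 0x400000, so file offset 0x200 == VA 0x401000."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102)     # i386, one section
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                             # PE32 magic
    struct.pack_into("<I", opt, 16, 0x1000)                           # AddressOfEntryPoint
    struct.pack_into("<I", opt, 28, 0x400000)                         # ImageBase
    sec = struct.pack("<8sIIIIIIHHI", b".text", 0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    headers = (dos + b"PE\0\0" + coff + bytes(opt) + sec).ljust(0x200, b"\0")
    # Constructed prologue like the tutorial's: push ebp / mov eax,[esp+14] / mov ebp,esp / test eax,eax
    text = bytes.fromhex("558B4424148BEC85C0").ljust(0x200, b"\xCC")
    return headers + text


def sample_tampered():
    """The sample image with its first function byte replaced by C3 (ret), as in Step 16."""
    img = bytearray(build_sample_pe())
    img[0x200] = 0xC3
    return bytes(img)


if __name__ == "__main__":
    for line in tamper_report(build_sample_pe(), sample_tampered()):
        print(line)
```

The report names the virtual address, not just the file offset, so a reviewer can look the location up directly in the disassembly listing; bytes changed inside the headers (outside any section) are reported as "header", and a size mismatch is refused rather than silently diffed.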

 

PART 1b: To remove NAGs in Private EXE 2.0a (without W32Dasm)

(I use this method all the time 'cos it's easier and faster)

Step 1. Run PEXE32.EXE

Step 2. Now you see this annoying NAG screen. You'd like to remove these NAGs, right? :-)

Step 3. Ok, exit the program.

Step 4. Run Norton Commander, go to PrivateEXE directory.

Step 5. Copy PEXE32.EXE to PEXE32.EXX (as a backup) and run HIEW PEXE32.EXE.

Step 6. Press F4 to select HEX mode; now you'll see the hex crap in PEXE32.EXE. No need to pee your pants! :-)

Step 7. Do you remember what the crap in the NAG screen says? Ah, you should write that text down while running PEXE32.EXE, like "PrivateEXE is NOT a free software. It is commercial.." or "Ok, I agree.." etc.

Step 8. Press F7 to search and enter "agree" (in the ASCII field). It doesn't find the string, does it? Remember, PEXE32.EXE is a 32-bit program, so it puts a "00" byte between each letter, like "a g r e e" (those are not space characters!).

Step 9. Press F7 again, enter "a" (in the ASCII field), press the DOWN arrow key, enter "00" (in the HEX field), press the UP arrow key, enter "g", press DOWN, "00", UP, "r", DOWN, "00", UP, "e", DOWN, "00", UP, "e". You should see the following:

╔═[F2:Forward /F4:Full ]════════════════════...

ASCII: a g r e e ...

...

Hex:   61 00 67 00 72 00 65 00 65 ...

╚═══════════════════════════════════════════...

Step 10. Ok, press ENTER to find this string. Now you'll see something like this:

.00019300: 00 00 F0 00-14 01 00 00-00 00 41 00-62 00 6F 00  ..........A.b.o.

.00019310: 75 00 74 00-20 00 50 00-72 00 69 00-76 00 61 00  u.t. .P.r.i.v.a.

.00019320: 74 00 65 00-45 00 58 00-45 00 00 00-08 00 4D 00  t.e.E.X.E.....M.

.00019330: 53 00 20 00-53 00 61 00-6E 00 73 00-20 00 53 00  S. .S.a.n.s. .S.

.00019340: 65 00 72 00-69 00 66 00-00 00 00 00-01 00 01 50  e.r.i.f........P

.00019350: 00 00 00 00-19 00 EA 00-5A 00 0E 00-01 00 FF FF  ........Z.......

.00019360: 80 00 26 00-4F 00 6B 00-2C 00 20 00-49 00 20 00  ..&.O.k.,. .I. .

.00019370: 61 00 67 00-72 00 65 00-65 00 00 00-00 00 00 00  a.g.r.e.e.......

.00019380: 00 00 01 50-00 00 00 00-7B 00 EA 00-5A 00 0E 00  ...P....{...Z...

.00019390: 65 00 FF FF-80 00 4F 00-72 00 64 00-65 00 72 00  e.....O.r.d.e.r.

.000193A0: 69 00 6E 00-67 00 20 00-26 00 49 00-6E 00 66 00  i.n.g. .&.I.n.f.

Step 11. Those "Ok, I agree", "Ordering" etc. are buttons; now go down till you find:

.00019420: 81 00 02 50-00 00 00 00-11 00 9E 00-CC 00 21 00  ...P..........!.

.00019430: FF FF FF FF-82 00 50 00-72 00 69 00-76 00 61 00  ......P.r.i.v.a.

.00019440: 74 00 65 00-45 00 58 00-45 00 20 00-69 00 73 00  t.e.E.X.E. .i.s.

.00019450: 20 00 4E 00-4F 00 54 00-20 00 61 00-20 00 66 00   .N.O.T. .a. .f.

.00019460: 72 00 65 00-65 00 20 00-73 00 6F 00-66 00 74 00  r.e.e. .s.o.f.t.

.00019470: 77 00 61 00-72 00 65 00-2E 00 20 00-49 00 74 00  w.a.r.e... .I.t.

.00019480: 20 00 69 00-73 00 20 00-63 00 6F 00-6D 00 6D 00   .i.s. .c.o.m.m.

.00019490: 65 00 72 00-63 00 69 00-61 00 6C 00-20 00 70 00  e.r.c.i.a.l. .p.

Step 12. Look at FF FF FF FF 82 just before the string "PrivateEXE is NOT a..". That's where it generates the dialog; remember, only the 4 FF's and the 82 byte will do the trick! Now use the arrow keys to bring the cursor onto the "82". You'll see "19434" at the top of the screen; now press F3 and change "82" to "7E". Look at the top of the screen: you're at Offset Address 14A34. That's where you can patch it. Press F9 to update PEXE32.EXE.

Step 13. Remember, only the 4 FF's and the 82 byte will work; otherwise you can fuck your arse. Now, once you've changed "82" to "7E", it won't generate the dialog. Exit HIEW and run PEXE32.EXE.

Step 14. Do you still see those NAG screens? Gone! Kewl!! You've cracked Private EXE 2.0a!!
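The "a 00 g 00 r 00 e 00 e" point from Steps 8 and 9, as an added Python example that is not from this tutorial and not code from HIEW: Win32 dialog captions are stored as UTF-16LE, so a search for the ASCII bytes of "agree" finds nothing, while a search for the two-byte form does, and a regular expression over byte pairs pulls out every such caption in one pass. The helper names and the sample byte blob returned by sample_resource() are constructed for this example; to scan a real file, read it with open(..., "rb") and pass the bytes in.

```python
"""Find UTF-16LE text ("a 00 g 00 r 00 e 00 e") inside a Win32 binary, the way
Steps 8-9 search for it by hand in HIEW. Added example, not part of the
tutorial or of HIEW; the blob returned by sample_resource() is constructed
to resemble the dialog-resource dump shown above."""
import re


def find_utf16le_strings(data, min_chars=4):
    """(offset, text) for every run of at least min_chars printable UTF-16LE characters."""
    pattern = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % min_chars)
    return [(m.start(), m.group().decode("utf-16-le")) for m in pattern.finditer(data)]


def find_text(data, needle):
    """Offsets at which the ASCII string `needle` occurs encoded as UTF-16LE."""
    encoded = needle.encode("utf-16-le")      # "agree" -> 61 00 67 00 72 00 65 00 65 00
    hits, pos = [], data.find(encoded)
    while pos != -1:
        hits.append(pos)
        pos = data.find(encoded, pos + 1)
    return hits


def sample_resource():
    """Constructed: UTF-16LE captions separated by binary control fields, like a dialog template."""
    u = lambda s: s.encode("utf-16-le")
    return (b"\x00\x00\xF0\x00\x14\x01\x00\x00\x00\x00" + u("About PrivateEXE") + b"\x00\x00"
            + b"\x08\x00" + u("MS Sans Serif") + b"\x00\x00\x00\x00\x01\x00\x01\x50"
            + b"\xFF\xFF\x80\x00" + u("&Ok, I agree") + b"\x00\x00"
            + b"\xFF\xFF\xFF\xFF\x82\x00" + u("PrivateEXE is NOT a free software.") + b"\x00\x00")


if __name__ == "__main__":
    blob = sample_resource()
    for off, text in find_utf16le_strings(blob):
        print("%08X: %s" % (off, text))
    print("agree found at", ["%08X" % o for o in find_text(blob, "agree")])
```

The printable-byte class [\x20-\x7e] followed by a zero byte is what distinguishes the two-byte text from the surrounding control fields; bytes such as FF FF 82 00 break a run, so each caption comes back as a separate hit with the offset you would jump to in the hex view.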

PART 2a: To remove NAGs in LView Pro 1.C/32 (with W32Dasm)

Step 1. Run LVIEWPRO.EXE

Step 2. Now you see this annoying NAG screen. You'd like to remove these NAGs, right? :-)

Step 3. Ok, exit the program.

Step 4. Run Norton Commander, go to LView Pro directory.

Step 5. Copy LVIEWPRO.EXE to LVIEWPRO.EXX (as a backup) and copy LVIEWPRO.EXE to 1.EXE (for use by W32Dasm).

Step 6. Run W32Dasm and disassemble 1.EXE.

Step 7. Once it's disassembled, click Debug|Load Process (or press CTRL-L).

Step 8. Wait until the Debugger has finished loading all the DLLs.

Step 9. Ok, now you're in the 'debug' window; you should see the bar at:

:00450236 mov eax, dword ptr fs: [00000000]

:0045023C push ebp

...

...

Step 10. This is the Program Entry Point. Ok, you're ready to run LView PRO: click on RUN (or press F9). You should see the NAG screen; now you'd like to know where it processes the NAGs. Click on Step Into (or press F7). Ah! Now you should see the following:

:004324F1 cmp eax, FFFFFFFF

:004324F4 jne 00432508

...

...

Step 11. Click on Terminate; it'll close the Debugger and the LView Pro windows.

Step 12. You should be back at W32Dasm and see the following:

:004324F1 83F8FF cmp eax, FFFFFFFF

:004324F4 7512 jne 00432508

...

Step 13. Ok, now you must check where it starts to process the dialogs. Press the UP arrow key till you find:

:004323ED CC int 03

:004323EE CC int 03

:004323EF CC int 03

* Referenced by a CALL at Address:

|:00407EEC

|

:004323F0 83EC78 sub esp, 00000078

:004323F3 56 push esi

...

Step 14. These CC's (int 03) mark where it starts to process the dialogs. Make sure the cyan color bar is on :004323F0 83EC78 sub esp, 00000078. You should see the Offset address below on the screen, like @Offset 000317F0h. That's where you can patch it in LVIEWPRO.EXE.

Step 15. Go back to Norton Commander, run HIEW LVIEWPRO.EXE, press F4 to select Decode mode (ASM), press F5 and enter 317F0. You should see something like:

.000323F0: 83EC78 sub esp,078 ;"x"

.000323F3: 56 push esi

.000323F4: 8BB42480000000 mov esi,[esp][000000080]

.000323FB: 85F6 test esi,esi

(Remember, I'm using HIEW 5.60 now, which shows you a different offset address, and this version is awesome, grab it!!)

Step 16. That's where you can change the bytes: press F3, enter C3, and press F9 to update LVIEWPRO.EXE. When you've pressed F3 and entered C3, it should look like this:

000317F0: C3 retn

000317F1: EC in al,dx

000317F2: 7856 js 00003184A

000317F4: 8BB42480000000 mov esi,[esp][000000080]

000317FB: 85F6 test esi,esi

(Notice the offset address)

Step 17. Why C3? Ah, when the program starts here at C3 (retn), it won't continue with processing the dialogs, because you tell it to return right away!

Step 18. Now run LVIEWPRO.EXE. Do you still see those NAG screens? Gone! Kewl!! You've cracked LView Pro 1.C/32!!

And there is another way to remove those NAG screens, wanna try it? Ok, go back to Step 1 and work through the steps up to Step 15, then do the following:

Step 19. Now you're at offset address 317F0, and you'd like to see where this routine is called from. Press F6 for Refer (it finds the reference to the current position); you should see something like this:

.00007EEC: E8FFA40200 call .0000323F0 ---------- (6)

.00007EF1: 83C404 add esp,004

.00007EF4: 33C0 xor eax,eax

.00007EF6: E9320D0000 jmp .000008C2D ---------- (7)

Step 20. Ah, now you know where it calls the dialog routine. Press F3, enter 9090909090, and press F9 to update LVIEWPRO.EXE. When you've pressed F3 and entered 9090909090, it should look like this:

000072EC: 90 nop

000072ED: 90 nop

000072EE: 90 nop

000072EF: 90 nop

000072F0: 90 nop

000072F1: 83C404 add esp,004

000072F4: 33C0 xor eax,eax

Step 21. Those 9090909090 bytes make sure it never calls the routine. Now run LVIEWPRO.EXE. Do you still see those NAG screens? Gone! Kewl!! You've cracked LView Pro 1.C/32!!

 

PART 2b: How to crack LView Pro 1.C/32 (to enter any serials)

Step 1. Run LVIEWPRO.EXE

Step 2. Click on Registration, then I'll Register..., then at Name: enter

"TKC/PC '97" and at ID#: enter "12345".

Step 3. You'll see the error message (you should write this message down); then exit the program.

Step 4. Run Norton Commander, go to LVP directory.

Step 5. Copy LVIEWPRO.EXE to LVIEWPRO.EXX (for backup) and copy LVIEWPRO.EXE to

1.EXE (for use by W32Dasm)

Step 6. Run W32Dasm and disassemble 1.EXE.

Step 7. Once it's disassembled, click STRING DATA REFERENCE and look down for the string "User name and ID numbers do not..." (you should remember that error message). Double click on it.

Step 8. Close the SDR window; you should see the line:

* Possible StringData Ref from Data Obj -> "User name and ID numbers..

-> "match, please verify if..

:0041ED7D 68188F4600 push 00468F18

:0041ED82 56 push esi

Step 9. Ok, now you must look for the last comparison (CMP, JNE, JE, TEST, etc.) before the error string. Press the UP arrow key till you find:

:0041ED7B 751A jne 0041ED97

* Possible StringData Ref from Data Obj -> "User name and ID numbers..

-> "match, please verify if..

...

Step 10. Now you know where it jumps when you've entered the wrong code. Now you want to see if it will work when you replace "jne" with "je". Make sure the green color bar is on :0041ED7B 751A jne 0041ED97; you should see the Offset address below on the screen, like @Offset 0001E17Bh. That's where you can patch it in LVIEWPRO.EXE.

Step 11. Go back to Norton Commander, run HIEW LVIEWPRO.EXE, press F4 to select Decode mode (ASM), press F5 and enter 1E17B. You should see something like:

.0001ED7B: 751A jne .00001ED97 ---------- (1)

.0001ED7D: 68188F4600 push 000468F18

.0001ED82: 56 push esi

Step 12. That's where you can change the bytes: press F3, enter 74, and press F9 to update LVIEWPRO.EXE. Exit HIEW.

Step 13. Run LVIEWPRO.EXE and enter any code. Voila! You've cracked LVP 1.C/32!! Beware! What if you enter the real serial? Then it'll jump to the error message dialog! What now?

Step 14. Run HIEW LVIEWPRO.EXE again, press F4, select Decode, press F5 and enter 1E17B. Press F3, enter EB, press F9. Now it won't jump to the error dialog at all!

Enough for now. I hope you've enjoyed this tutorial as much as I did! :-)

I'll see you next time in Tutor #3, for Soft-ICE 3.0!

Have fun,

The Keyboard Caper,

The Founder of PhRoZeN CReW '94 - '97

6-8-1997

Oscar 10.0