HOW TO CRACK, by +ORC, A TUTORIAL

Lesson 8.2: How to crack Windows, a deeper approach

---------------------------------------------------------
SPECIAL NOTE: Please excuse the somewhat "unshaven"
character of the windows lessons... I'm cracking the
newest Windows '95 applications right now, therefore
at times I had to add "on the fly" some corrections to
the older Windows 3.1 and Windows NT findings.
"homines, dum docent, discunt".
---------------------------------------------------------

-> 1st THING TO REMEMBER
If you thought that DOS was a mess, please notice that windows
3.1 is a ghastly chaos, and windows 95 a gruesome nightmare of
ill-cooked spaghetti code. Old Basic "GOTO" abominations were
quite elegant in comparison with this concoction... One thing is
sure: This OS will not last... it's way too messily organised,
impossible to consolidate, slow and neurotic (but I must warn
you... I thought exactly the same things about DOS in 1981).
The most striking thing about windows 95 is that it is neither
meat nor fish: neither 16 nor 32... you could call it a "24 bit"
operating system.
We'll never damage Microsoft interests enough to compensate for
this moronic situation... where you have to wait three minutes
to get on screen a wordprocessor that older OS (and even old DOS)
kick up in 5 seconds. I decide therefore, hic et nunc, to add an
ADDENDUM to this tutorial: Addendum 1 will be dedicated to teach
everybody how to crack ALL Microsoft programs that do exist on
this planet. I'll write it this summer and give it away between
the "allowed" lessons.
Anyway you can rely on good WINICE to crack everything, you'll
find it on the web for free, I use version 1.95, cracked by [The
Lexicon] (do not bother me for Warez, learn how to use the search
engines on the web and fish them out yourself). Learn how to use
this tool... read the whole manual! Resist the temptation to
crack immediately everything in sight... you'll regret pretty
soon that you did not want to learn how to use it properly.
A little tip: as Winice is intended more for software developers
than for crackers, we have to adapt it a little to our purposes,
in order to make it even more effective: a good idea is to have
in the *.DAT initialization file the following lines:

    INIT = "CODE ON; watchd es:di; watchd ds:si;"
    TRA = 92

This way you'll always have the hexadecimal notation on, two very
useful watch windows for password deprotection and enough buffer
for your traces.

WINDOWS 3.1. basic cracking: [ALGEBRAIC PROTECTIONS]
The most used windows protections are "registration codes",
these must follow a special pattern: have a "-" or a "+" in a
predetermined position, have a particular number in a particular
position... and so on.
For the program [SHEZ], for instance, the pattern is to have a
14 bytes long alphanumeric sequence containing CDCE1357 in the
first 8 bytes.
The second level of protection is to "connect" such a
pattern to the alphanumeric contents of the NAME of the user...
every user name will give a different "access key". This is the
most commonly used system.
As most of these protections have a "-" inside the answering
code, you do not need to go through the normal cracking procedure
(described in the next lesson):
* load WINICE
* hwnd [name_of_the_crackanda_module]
* choose the window Handle of the snap, i.e. the exact
  "FIELD" where the code number input arrives... say 091C(2)
* BMSG 091C WM_GETTEXT
* Run anew
* Look at the memory location(s)
* Do the same for the "Username" input FIELD. (Sometimes
  linked, sometimes not, does not change much, though)
* BPR (possibly with TRACE) on the memory locations (these
  will be most of the time FOUR: two NUMBERCODES and two
  USERNAMES). The two "mirrored" ones are the most important
  for your crack. At times there will be a "5th" location,
  where the algebraic play will go on...
* Look at the code that performs algebraic manipulations on
  these locations and understand what it does...
* Disable the routine or jump over it, or reverse it, or
  defeat it with your own code... there are a thousand
  possibilities...
* Reassemble everything.

Uff... quite a long cracking work just to crack some miserable
program... isn't there a quicker way? OF COURSE THERE IS! Actually
there are quite a lot of them (see also the crack of Wincat Pro
below): Look at the following code (taken from SNAP32, a screen
capture utility for Windows 95, that uses a pretty recent
protection scheme):

    XOR EBX,EBX                 ; make sure EBX is zeroed
    MOV BL,[ESI]                ; load input char in BL
    INC ESI                     ; point at the next character
    MOV EDI,EBX                 ; save the input character in EDI
    CMP EBX,+2D                 ; input char is a "-" ?
    JZ ok_it's_a_+_or_a_-
    CMP EBX,+2B                 ; input char is a "+" ?
    JNZ Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it
    :ok_it's_a_+_or_a_-
    XOR EBX,EBX                 ; EBX is zeroed
    MOV BL,[ESI]                ; recharge BL
    INC ESI                     ; point to next char (do not check - or +)
    :Jesus_it's_neither_a_minus_nor_a_plus_let's_check_it
    XOR EBP,EBP                 ; zero EBP
    CMP DWORD PTR [boguschecker], +01
    ...

even if you did not read all my preceding lessons, you do not
need much more explanation... this is a part of the algebraic
check_procedure inside the SNAP32 module... you could also get
here through the usual
    USER!BOZOSLIVEHERE
    KERNEL!HMEMCPY
    USER!GLOBALGETATOMNAME
Windows wretched and detestable APIs used for copy protections,
as usual with WINICE cracking, and as described elsewhere in my
tutorial.
The above code is the part of the routine that checks for the
presence of a "+" or a "-" inside the registration number (many
protection schemes require them at a given position, others need
to jump over them).
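To make the branch logic of that listing concrete, here is an added Python model of the fragment (my example, not code from +ORC or from SNAP32). It follows the listing instruction by instruction, with the register names kept as comments; the terminating NUL byte and the sample codes are constructed assumptions, since the listing never shows how the input field ends. Two details the prose does not spell out fall out of running it: a separator is skipped only once, so a second "+" or "-" in a row does reach the check, and a separator at the very end of the input swallows the terminator. From a defender's standpoint, the fragment is recognisable precisely because it is a fixed instruction sequence around two immediate constants (0x2B and 0x2D), which is the weakness the tutorial exploits.

```python
"""Added model of the '+'/'-' handling in the SNAP32 listing.
Not code from the tutorial or from SNAP32; the NUL terminator and the
sample registration codes are constructed for the demonstration."""

MINUS = 0x2D  # immediate of CMP EBX,+2D
PLUS = 0x2B   # immediate of CMP EBX,+2B


def _load(buf: bytes, esi: int) -> int:
    """MOV BL,[ESI] on a NUL-terminated buffer; past the end reads 0."""
    return buf[esi] if esi < len(buf) else 0


def next_code_char(buf: bytes, esi: int) -> tuple[int, int]:
    """One pass through the fragment.

    Returns (byte handed to the check, new ESI)."""
    ebx = _load(buf, esi)          # XOR EBX,EBX ; MOV BL,[ESI]
    esi += 1                       # INC ESI  (MOV EDI,EBX only saves a copy)
    if ebx in (MINUS, PLUS):       # CMP EBX,+2D ; JZ ok / CMP EBX,+2B ; JNZ check
        ebx = _load(buf, esi)      # :ok_it's_a_+_or_a_-  XOR EBX,EBX ; MOV BL,[ESI]
        esi += 1                   # INC ESI -- this byte is NOT tested again
    return ebx, esi                # :Jesus_it's_neither...  the real check starts


def checked_chars(code: bytes) -> bytes:
    """Walk a whole registration code and collect the bytes that reach
    the check. Assumption: the walk ends when a zero byte arrives there."""
    buf = code + b"\0"             # the input field is a NUL-terminated C string
    esi = 0
    reached = bytearray()
    while True:
        ebx, esi = next_code_char(buf, esi)
        if ebx == 0:
            return bytes(reached)
        reached.append(ebx)


if __name__ == "__main__":
    # constructed sample codes; the SHEZ-style pattern from the text is first
    for sample in (b"CDCE-1357", b"AB--CD", b"AB-"):
        print(sample, "->", checked_chars(sample))
```

The middle sample shows the skip-once behaviour (the second "-" is passed on to the check), and the last shows a trailing separator consuming the terminator, so the walk ends one byte early.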
Now sit down, make yourself comfortable and sip a good
Martini-Wodka (invariably very useful in order to crack... but be
aware that only Moskowskaia russian Wodka and a correct "Tumball"
glass will do, do not forget the lemon)... what does this "-"
stuff mean for us little crackers?
It means that we can search directly for the CMP EBX,+2B
sequence inside any file protected with these schemes... and
we'll land smack in the middle of the protection scheme! That's
amazing... but you will never underrate enough the commercial
programmers... the only really amazing thing is how simpleton the
protectionists are! You don't believe me? Try it... you'll get
your crack at least 4 out of 5 times.
Yes I know, to find this code is not yet to crack it... but for
this kind of copy protection (that's the reason it is so
widespread) there is no single solution... each makes a slightly
different algebraic manipulation of the alphanumeric and of the
numeric data. It's up to you to crack the various schemes... here
you can only learn how to find them and circumvent them. I'll not
give you therefore a "debug" crack solution. You'll find it
yourself using my indications (see the crack of the Wincat Pro
program below).

WHERE ARE THE CODES? WHERE ARE THE MODIFIED FILES? WHERE DO THE
PROTECTIONS KEEP COUNT OF THE PASSING DAYS?
Most of the time the protection schemes use their own *.ini files
in the c:\WINDOWS directory for registration purposes... at times
they even use the "garbage collector" win.ini file. Let's take as
example WINZIP (versions 5 and 5.5), a very widespread program,
you'll surely have one shareware copy of it somewhere between
your files.
In theory, winzip should be registered by post, in order to
get a "NEW" copy of it, a "registered" copy.
This scares most newbie crackers, since if the copy you have
is not the full one, there is no way to crack it and make it work,
unless you get the REAL stuff. The youngest among us do not
realize that the production of a real "downsized" demo copy is
a very expensive nightmare for the money-infatuated commercial
programmers, and that therefore almost nobody does it really...
nearly all "demos" and "trywares" are therefore CRIPPLED COMPLETE
PROGRAMS, and not "downsized" demos, independently of what the
programmers and the protectionists have written inside them.
Back to Winzip... all you need, to crack winzip, is to add a
few lines inside the win.ini file, under the heading [WinZip],
that has already been created with the demo version, before the
line with "version=5.0".
I will not help you any further with this... I'll leave it to
you to experiment with the correct sequences... inside win.ini
you must have the following sequence (these are only templates to
substitute for your tries inside WINICE... you'll get it, believe
me):

    [WinZip]
    name=Azert Qwerty
    sn=########
    version=5.5

The *important* thing is that this means that you DO NOT NEED
to have a "new registered version" shipped to you in order to
make it work, as the protectionist sellers would like you to
believe. The same applies most of the time... never believe what
you read in the read.me or in the registration files...
This brings me to a broader question: NEVER believe the
information they give you... never believe what television and/or
newspapers tell you... you can be sure that the only reason they
are notifying you of something is to keep you from reading or
understanding something else... this stupid_slaves_society can only
subsist if nobody thinks... if you are really interested in what
is going on, real information can be gathered, but surely not
through the "conventional" newspapers and/or news_agencies (and
definitely NEVER through television, that's really only for the
stupid slaves)... yes, some bit of information can be
(laboriously) gathered... it's a cracking work, though.

HOW TO CRACK INFORMATION [WHERE WHAT]
* INTERNET
In the middle of the biggest junk collection of the planet, some
real information can be laboriously gathered if you do learn how
to use the search engines well (or if you do build your own...
my spiders are doing most of the work for me... get your robots
templates from "Harvest" or "Verify" and start your "spider
building" activity beginning from Martijn Koster's page). As
usual in our society, in the Internet the real point is exactly
the same point you'll have to confront all your life long: HOW
TO THROW AWAY TONS OF JUNK, HOW TO SECLUDE MYRIADS OF USELESS
INFORMATION and HOW TO FISH RARE USEFUL INFORMATION, a very
difficult art to learn per se. Internet offers some information,
though, mainly BECAUSE it's (still) unregulated. You want a
proof? You are reading it.

* SOME (RARE) NEWSPAPERS.
The newspapers of the real enemies, the economic powers that
rule this slaves' world, are paradoxically most of the time the
only ones worth studying... somewhere even the real rulers have
to pass each other some bits of real information. The "Neue
Zuercher Zeitung", a newspaper of the Swiss industrialists from
Zuerich, is possibly the best "not_conformist trend analyzer"
around that you can easily find (even on the web). These
swissuckers do not give a shit for ideology, nor preconcerted
petty ideas, the only thing they really want is to sell
everywhere their ubiquitous watches and their chocolates... in
order to do it, a land like Switzerland, with very high salaries
and a good (and expensive) social system, must use something
brilliant... they found it: a clear vision of the world... as a
consequence this newspaper is very often "against" the trend of
all the other media in the world, the ones that are used only
in order to tame the slaves... If the only language you know is
english (poor guy) you could try your luck with the weekly
"Economist"... you'll have to work a lot with it, coz it has been
tailored for the "new riches" of the Thatcher disaster, but you
can (at times) fish something out of it... they do a lot of
idiotic propaganda, but are nevertheless compelled to write some
truth. American newspapers (at least the ones you can get here
in Europe) are absolute shit... one wonders where the hell the
americans hide the real information.
On the "non-capitalistic" side of information there is a
spanish newspaper "El Pais" that seems to know about what's going
on in South America, but it's so full of useless propaganda about
irrelevant Spanish politics that it's not really worth reading.
The monthly "Le Monde diplomatique" offers something too... this
one exaggerates a little on the pauperistic "third world" side,
but has a lot of useful information. See what you can do with all
this information (or disinformation?)

[BELIEVE THE CONTRARY]
Another good rule of thumb in choosing your media is the
following... if all media around you assure, for instance, that
"the Serbians are evil"... the only logical consequence is that
the Serbians are not so evil at all and that "the Croats" or some
other Yugoslavian shits are the real culprits. This does not mean
at all that the Serbians are good, I warn you, it means only what
I say: something is surely hidden behind the concerted propaganda
you hear, the best reaction is to exaggerate in the other
direction and believe the few bits of information that do say the
contrary of the trend. This rule of thumb may be puerile, but
it works somehow most of the time... if somewhere everybody
writes that the commies are bad then THERE the commies must not
be so bad at all and, conversely, if everybody in another place
writes that the commies are all good and nice and perfect (like
the Soviet propaganda did) then THERE the commies are surely not
so good... it's a matter of perspective, much depends on where
you are, i.e. whose interests are really at stake. There is NEVER
real information in this society, only propaganda... if you still
do not believe me do yourself a little experiment... just read
the media description of a past event (say the Vietnam war) as
written AT THE MOMENT of the event and (say) as described 10
years later. You'll quickly realize how untrustworthy all
newspapers and media are.

* SEMIOTICS You'll have to study it (as soon as you can) to
interpret what they let you believe, in order to get your
bearings. A passing knowledge of ancient RHETORIC can help quite
a lot. Rhetoric is the "Softice" debugger you need to read
through the propaganda media: concentrate on Periphrasis,
Synecdoche, Antonomasia, Emphasis, Litotes and Hyperbole at the
beginning... you'll later crack higher with Annominatio,
Polyptoton, Isocolon and all the other lovely "figurae
sententiae".

Enough, back to software cracking.

HOW A REGISTRATION CODE WORKS [WINCAT]
Let's take as an example for the next crack a Username-algebraic
registration code, WINCAT Pro, version 3.4, a 1994
shareware program by Mart Heubel. It's a good program, pretty
useful to catalogue the millions of files that you have on all
your cd-roms (and to find them when you need them).
The kind of protection Wincat Pro uses is the most utilized
around: the username string is manipulated with particular
algorithms, and the registration key will be made "ad hoc" and
depends on the name_string. It's a protection incredibly easy to
crack when you learn how the relevant procedures work.
[WINCAT Pro] is a good choice for cracking studies, coz you
can register "over your registration" one thousand times, and you
can therefore try for this crack different user_names to see all
the algebraic correspondences you may need to understand the
protection code.
In this program, when you select the option "register", you
get a window where you can input your name and your registration
number (that's what you would get, emailed, after registering
your copy). If you load winice and do your routine hwnd to
identify the nag window, and then breakpoint on the
appropriate memory ranges you'll peep into the working of the
whole bazaar (this is completely useless in order to crack these
schemes, but it'll teach you a lot for higher cracking, so you'd
better do it also with two or three other programs, even if it
is a little boring): a series of routines act on the input (the
name) of the user: the User_name_string (usn). First of all the
usn_length will be calculated (with a REPNZ SCASB and a following
STOSB). Then various routines store and move in memory the usn
and the registration_number (rn) and their relative lengths. In
order to compare their lengths and to check the correct
alphanumeric correspondence between usn and rn, the program first
uppercases the usn and strips any spaces away.
Here is the relevant code (when you see an instruction like
SUB AL,20 you should immediately realize that you are in an
uppercasing routine, which is important for us, since these are
mostly used for password comparisons)... here the relevant Winice
unassemble and my comments:

    253F:00000260 AC       LODSB            <- get the usn chars
    253F:00000261 08C0     OR AL,AL         <- check if zero
    253F:00000263 740F     JZ 0274          <- 0: so usn finished
    253F:00000265 3C61     CMP AL,61        <- x61 is "a", man
    253F:00000267 72F7     JB 0260          <- not a lower, so loop
    253F:00000269 3C7A     CMP AL,7A        <- x7A is "z", what else?
    253F:0000026B 77F3     JA 0260          <- not a lower, so loop
    253F:0000026D 2C20     SUB AL,20        <- upper it if it's lower
    253F:0000026F 8844FF   MOV [SI-01],AL   <- and hide it away
    253F:00000272 EBEC     JMP 0260         <- loop to next char
    253F:00000274 93       XCHG AX,BX
    ...

The instruction MOV [SI-01],AL that you see here is important
at times, coz it points to the location of the "pre-digested"
usn, i.e. the usn formatted as it should be for the number
comparison that will happen later. In some more complicated
protection schemes the reasoning behind this formatting is the
following: "Stupid cracker will never get the relation algorithm
usn <-> rn, coz he does not know that usn AND rn are slightly
changed before comparing, ah ah... no direct guessing is
possible". Here it is only "polishing": you have to "polish" a
string before comparing it in order to concede some mistakes to
the legitimate user (too many spaces in the name, upper-lower
case mismatch, foreign accents in the name etc.) You just need
to know, for now, that this checking is usually still 5 or 6
calls ahead of the real checking (it's what we call a "green
light").
You should in general realize that the real checking of the
algebraic correspondence follows after a whole series of memory
operations, i.e.: cancelling (and erasing) the previous (if any)
attempts; reduplicating the usn and the rn somewhere else in
memory; double checking the string lengths (and saving all these
values somewhere... be particularly attentive when you meet stack
pointers (for instance [BP+05]): most of the programs you'll find
have been written in C (what else?). C uses the stack (SS:SP) to
pass parameters or to create local variables for its procedures.
The passwords, in particular, are most of the time compared to
data contained within the stack. If inside a protection a BP
register points to the stack you have most of the time fished
something... remember it pupils: it will spare you hours of
useless cracking inside irrelevant routines. Back to our WINCAT:
another little check is about the "minimal" length allowed for
a user name, in our babe, for instance, the usn must have at
least 6 chars:

    230F:00003483 3D0600   CMP AX,0006
    230F:00003486 730F     JAE 3497         <- go to nice_name
    :too_short
    230F:00003488 BF9245   MOV DI,4592      <- no good: short

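An added Python model (mine, not code from +ORC or from Wincat Pro) of the two checks shown above: the uppercasing loop at 253F:0260 and the minimal-length compare at 230F:3483. Byte semantics follow the listings (only 0x61..0x7A are touched, the loop stops at the first zero byte); the space stripping follows the prose description, since the listing only shows the uppercasing; applying the length check to the polished name rather than the raw one is my assumption, and the sample names are constructed. What it makes visible is the defender's side of "polishing": every normalisation step collapses several distinct typed names onto one canonical form, so a key is in effect bound to the polished name, and any later check has to be applied to exactly that same form.

```python
"""Added model of Wincat Pro's usn "polishing" and minimal-length check.
Not code from the tutorial or from Wincat; the sample names are constructed."""

MIN_USN_LENGTH = 6  # CMP AX,0006 / JAE nice_name at 230F:3483


def upcase_in_place(usn: bytearray) -> None:
    """The LODSB loop at 253F:0260.

    Only bytes 0x61..0x7A ('a'..'z') get SUB AL,20 and are written back
    with MOV [SI-01],AL. Digits, '+', '-', spaces and accented bytes above
    0x7F are left alone, and the loop stops at the first zero byte."""
    si = 0
    while si < len(usn):
        al = usn[si]                  # LODSB
        si += 1
        if al == 0:                   # OR AL,AL ; JZ 0274
            return
        if al < 0x61 or al > 0x7A:    # CMP AL,61 ; JB 0260 / CMP AL,7A ; JA 0260
            continue
        usn[si - 1] = al - 0x20       # SUB AL,20 ; MOV [SI-01],AL


def polish(name: str) -> bytes:
    """Uppercase as the listing does, then strip spaces as the prose says.
    latin-1 keeps one byte per character, as the 16-bit program would."""
    buf = bytearray(name.encode("latin-1")) + b"\0"   # NUL-terminated C string
    upcase_in_place(buf)
    polished = bytes(buf).split(b"\0", 1)[0]
    return polished.replace(b" ", b"")


def name_accepted(name: str) -> bool:
    """Minimal-length check. Assumption: applied to the polished usn."""
    return len(polish(name)) >= MIN_USN_LENGTH


def collisions(names: list[str]) -> dict[bytes, list[str]]:
    """Group typed names by the polished form a key would be bound to."""
    groups: dict[bytes, list[str]] = {}
    for n in names:
        groups.setdefault(polish(n), []).append(n)
    return groups


if __name__ == "__main__":
    typed = ["Azert Qwerty", "azert qwerty", "AZERTQWERTY", "+ORC+ORC", "+ORC"]
    for form, names in collisions(typed).items():
        verdict = "ok" if len(form) >= MIN_USN_LENGTH else "too_short"
        print(form, "<-", names, verdict)
```

Run stand-alone it prints one line per polished form; the first three typed names land in the same group, which is the point: the key check downstream cannot tell them apart.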
After a lot of other winicing you'll finally come across the
following section of the code:

    2467:00000CA3 B90100    MOV CX,0001
    2467:00000CA6 03F1      ADD SI,CX
    2467:00000CA8 2BC1      SUB AX,CX
    2467:00000CAA 7213      JB 0CBF
    2467:00000CAC 40        INC AX
    2467:00000CAD 368B4F04  MOV CX,SS:[BX+04]   <- here
    2467:00000CB1 0BC9      OR CX,CX
    2467:00000CB3 7D02      JGE 0CB7
    2467:00000CB5 33C9      XOR CX,CX
    2467:00000CB7 3BC1      CMP AX,CX
    2467:00000CB9 7606      JBE 0CC1
    2467:00000CBB 8BC1      MOV AX,CX
    2467:00000CBD EB02      JMP 0CC1
    2467:00000CBF 33C0      XOR AX,AX
    2467:00000CC1 AA        STOSB               <- and here
    2467:00000CC2 8BC8      MOV CX,AX
    2467:00000CC4 F3A4      REPZ MOVSB          <- and here!
    2467:00000CC6 8EDA      MOV DS,DX
    2467:00000CC8 FC        RETF 0008

This is obviously the last part of the checking routine
(I'll not delve here into the mathematical tampering of it, if
you want to check its workings, by all means, go ahead, it's
quite interesting, albeit such study is NOT necessary to crack
these schemes). The important lines are obviously the MOV
CX,SS:[BX+04], the STOSB and the REPZ MOVSB (as usual in password
protection schemes, you do remember lesson 3, don't you?).
You should be enough crack-able :=) by now (if you have read
all the preceding lessons of my tutorial), to find out easily,
with these hints, how the working of the protection goes and
where in memory dwells the ECHO of the correct rn (passkey) that
matches the name you typed in. Remember that in this kind of
cracks the ECHO is present somewhere (90% of the cases). There
are obviously one thousand ways to find such ECHOs directly,
without going through the verification routines... for instance
you could also find them with a couple of well placed
snap_compares, it's a "5 minutes" cracking, once you get the
working of it. I leave you to find, as an interesting exercise,
the routine that checks for a "-" inside the rn, a very common
protection element.
In order to help you understand the working of the protection
code in [Wincat Pro] I'll give you another hint, though: if you
type "+ORC+ORC+ORC" as usn, you'll have to type 38108-37864 as
rn, if you use "+ORC+ORC" as usn then the relative rn will be
14055-87593. But these are my personal cracks... I have offered
this information only to let you better explore the mathematical
tampering of this specific program... you'll better see the
snapping mechanism trying them out (going through the routines
inside Winice) alternatively with a correct and with a false
password. Do not crack Wincat with my combination! If you use a
different usn than your own name to crack a program you only show
that you are a miserable lamer... no better than the lamers that
believe to "crack" software using huge lists of serial numbers...
that is really software that they have stolen (Yeah: stolen, not
cracked). You should crack your programs, not steal them...
"Warez_kids" and "serial#_aficionados" are only useless zombies.
I bomb them as soon as I spot them. YOU ARE (gonna be) A CRACKER!
It makes a lot of a difference, believe me.

Well, that's it for this lesson, reader. Not all lessons of my
tutorial are on the Web.
You'll obtain the missing lessons IF AND ONLY IF you mail
me back (via anon.penet.fi) with some tricks of the trade I may
not know that YOU discovered. Mostly I'll actually know them
already, but if they are really new you'll be given full credit,
and even if they are not, should I judge that you "rediscovered"
them with your work, or that you actually did good work on them,
I'll send you the remaining lessons nevertheless. Your
suggestions and criticisms on the whole crap I wrote are also
welcome.

"If you give a man a crack he'll be hungry again
tomorrow, but if you teach him how to crack, he'll
never be hungry again"

an526164@anon.penet.fi