193 lines
9.8 KiB
Plaintext
193 lines
9.8 KiB
Plaintext
_CbD_ Tutorial 01
|
|
_CbD_ vs. Ultisoft, Inc.
|
|
|
|
Ok I know the title sounds strange, _CbD_ vs. Ultisoft, Inc. but i decide this would be a good title for this tutorial seeing how i will be attacking 5 of there programs in this tutorial. Well let me tell you how this war began, I know you dont care, but i am going to tell you anyway. Well I was on Windows95.com and was looking for a good casino game, well what i found was a lot of programs by this Ultisoft, Inc., and the bad part is that they were mostly slot games, NO FUN. well i also seen that some of them where VB4 programs so i thought ok this might be a good program to practice what (razzia) said about VB4 protections. Ok so i downloaded a few of them.
|
|
I then unzipped and checked to see if they would aloow me to register them, guess what as soon as i started the program a big blue screen pops up asking me to register, hmm ok that answers that question. Well now lets see if the program is any good. Ha Ha Ha this games sucks, well i decided to crack it anyway. so now on to the cracks
|
|
|
|
|
|
target #1
|
|
Name: Cherry Slots
|
|
Author: Ultisoft, Inc.
|
|
Tools: Softice 3.xx
|
|
you can get it at (http://wwwsoftsite.com/ulti/95chry44.zip)
|
|
|
|
ok i will do this crack in several steps so even the newest of crackers can follow, before i start i want to thank razzia for his exellent tutorial on VB4 , so Thanks. Ok now go get the program from softsite.com (it is small like 150k)
|
|
ok you got it. lets crack it.
|
|
|
|
Step #1
|
|
Lets look at the File. So in Explorer select it and do QuickView (right click select quickview)
|
|
now scroll down and see what the Import Table says, Hmm VB40032.DLL. Ah this is a VB4
|
|
program. Ok now we know that or GetWindowTextA and GetDlgItemTextA wont work for us
|
|
so we will have to use HMEMCPY to get into the program. Wait didnt i read a tutorial by razzia
|
|
talking about VB4 programs hmm, yeah now i remember. ok lets try and recall what it was he wrote
|
|
(if you never read it you should, but i will use alot of his methods here for those of you who have
|
|
no idea).
|
|
|
|
Step #2
|
|
ok lets start this little puppy, so run cherry.exe. OK now a big ugly blue screen pops up and what is
|
|
this the middle button is (REGISTATION CODE) hmm wonder what that does. So click on it and find out
|
|
ah the old enter your registration Number box (Like you would really buy this game). ok first lets type in
|
|
a few numers to see if it has a pre-set length for the reg number 12345678901244567865, hmm
|
|
nope has no pre-set length. Ok that is fine lets just clear that text out and enter hmm 7777777
|
|
seven 7's (my favorite) and then press REGISTER. hmm We get the old faithfull Registration Failed
|
|
thats fine just click ok. hmm or box is gone now What they only give us one chance (assholes).
|
|
|
|
Step #3
|
|
Ok now look in the menu and you will see Register so click on it, What is this our box is back. Good lets enter 7777777 again now DONT PRESS REGISTER YET now we need to get in Softice and set some
|
|
BreakPoints so Press Ctrl-D, boom. Into Softice we go now lets set some BreakPonits.
|
|
so at the ---> : type BPX HMEMCPY and press [ENTER] ok now we have a BreakPoint set
|
|
on the HMEMCPY fuction. ok now press Ctrl-D again and boom back to Cherry Slots we go
|
|
Now you can press REGISTER and continue on to step 4.
|
|
|
|
Step #4
|
|
Ok if you done it right you should be looking at the softice screen, and if not then go back and start over
|
|
from step #1. Ok now we are looking at the call made to HMEMCPY so lets get out of that as we need
|
|
not be there. but first lets disable that BreakPoint as we dont need it anymore so do a --> BD 0 <--- now press F11 and then softice should blink and then pop you right back in. Ok now we are
|
|
in the Fuction that made the call well this to is not really that important to us. What we need to be in is the
|
|
VB40032.DLL so press F10 til you see the text (on the line between the Code window and the command window) VB4xxxxxxx ok now that should look like somthing this (Address's may look different)
|
|
|
|
0137:0F730116 CALL EBP
|
|
0137:0F730118 MOV [ESP+14] , EAX
|
|
0137:0F73011C CMP DWORD PTR [ESP+2C] , 00
|
|
0137:0F730121 JNZ 0F73070C
|
|
0137:0F730127 MOV EAX, [ESP+14]
|
|
0137:0F73012B POP EBP
|
|
0137:0F73012C POP EDI
|
|
0137:0F73012D POP ESI
|
|
|
|
Yours may differ just a bit. Ok now we are in the VB4xxxx section of the code. Next we will look at some
|
|
of razzia's VB tutorial
|
|
|
|
razzia has done all the hard work for us and found the VB4 dll code
|
|
that compares two strings (in WideChar format !).
|
|
Here is what it looks like
|
|
|
|
: 56 push esi
|
|
: 57 push edi
|
|
: 8B7C2410 mov edi, [esp + 10]
|
|
: 8B74240C mov esi, [esp + 0C]
|
|
: 8B4C2414 mov ecx, [esp + 14]
|
|
: 33C0 xor eax, eax
|
|
: F366A7 repz cmpsw ;<-- here the (WideChar) strings at ds:esi
|
|
: 7405 je 0F79B362 ; and es:edi get compared
|
|
: 1BC0 sbb eax, eax
|
|
: 83D8FF sbb eax, FFFFFFFF
|
|
: 5F pop edi
|
|
: 5E pop esi
|
|
: C20C00 ret 000C
|
|
|
|
Now you have enogh to crack this program.
|
|
Ok now for the final step
|
|
|
|
Step #5
|
|
Now we know the code lets find it in our program so we need to search for it
|
|
we can do this by typeing the following in the command window
|
|
|
|
S 0 L FFFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14 then press [ENTER]
|
|
|
|
you should get something like this
|
|
|
|
Procedure found at 0030:0F79B348 (0F79B348)
|
|
|
|
Now we set a Break Point on it BPX 0030:0F79B348 and press F5 we will break again
|
|
into softice were you should see the above code
|
|
|
|
ok Now we have the question (Does the program have a set serial Number that we have to
|
|
enter or does it just compare certian letters or numbers of our serial code.)
|
|
well lets just have a look at some of the some of the values here
|
|
|
|
So type this ----> ed esi <-------- and you should see the following in the data window
|
|
|
|
013F : 0044A612 33 00 36 00 32 00 - 34 37 00 00 00 00 60 00 3 . 1 . 6 . 2 . 4 . 7 . . . ' .
|
|
|
|
Well what is this hmm look kinda strange there dont it hmmm could this be the serial number
|
|
hmm well it is 6 numbers long and if you took the spaces out it would read 316247
|
|
well lets see if this could be the serial number. So we do a BD 1 to disable our BreakPoint
|
|
and then press CTRL -D and you should return to Cherry Slots and the Registration Failed
|
|
box should be up. So clear it and press goto register once more this time enter the code
|
|
we got from VB4xxxxx it should be 316247 and then press register you should get the congradulations you have now registered this peice of shit software. Blah Blah
|
|
ok that is it the game is now registered. Ok if you want to distribute your cracked game
|
|
you can now look in your cherry slots Dir and you should see a file named
|
|
cherry.key this is all you need so pass it around and any needs only to put it in thier
|
|
cherry slots and they are registered to.
|
|
|
|
Although this is easy and takes only a few minutes i am going to look at makeing a patch to just get
|
|
the nag screens to go away without a correct serial numbers just as practice.
|
|
|
|
you can use these same steps to crack all of UltiSofts VB games.
|
|
|
|
|
|
PART 2
|
|
|
|
The War is Still On
|
|
_CbD_ vs. UltiSoft
|
|
|
|
|
|
After looking around there page i found that they also had a few games that was not
|
|
VB games so i decided to check them
|
|
|
|
|
|
|
|
|
|
target #2
|
|
Name: Animated Black Jack
|
|
Author: Ultisoft, Inc.
|
|
you can get it at (http://wwwsoftsite.com/ulti/95anbj11exe)
|
|
Tools Needed : W32DASM
|
|
|
|
Ok I downloaded this one and then used QuickView and then i seen this was not
|
|
a VB Program, so first i ran the program then noticed it had the same old
|
|
registration box as the others.. Ok well i decided to use softice and Break on
|
|
the old GetWindowTextA and GetDlgItemTextA well then i tried a fake number
|
|
and nothing i didnt pop into softice hmmm well lets try GetWindowText and GetDlgItemText
|
|
well nothing still no softice. So i decided to load it in W32DASM and look at the functions
|
|
well i saw tons of them this program uses everything but is own. Ok well lets have a look at some
|
|
of them (Damn there is so many ) well several look as if we could set breakpoints on and
|
|
try , but hmm lets look some more . lets look at the string references (the button should
|
|
be [Strn Ref] ) damn so so many wel lets loog for anything dealing with registration
|
|
|
|
We See ( 2. In the Registered Version) hmm well we could look at that
|
|
but What is that funny looking one right under it ?
|
|
|
|
all it says is ("508150") Hmm that looks funny it is 6 numbers and we have seen
|
|
that all of there codes are six numbers. no way it cant be that easy can it ?
|
|
well lets just check so we start up Black Jack and then we put 508150 for a
|
|
registration number and press [ENTER] knowing this wont work
|
|
and Boom Thank you for Registering our ShitWare hmm ok now
|
|
I have lost all respect for these guys (not that i ever had any) they have to be
|
|
very stupid to hard code there # that way hmm i think instead of sending them
|
|
the registration few i will send them Programing For Dummies Books
|
|
Well thats it for that one and any of the other programs they have that are not vb
|
|
is the same way...
|
|
Oh yeah there installers sux and will hang so just use the task manager and end task on
|
|
the installer (CTRL + ALT + DEL) End TASK INSTALLER
|
|
|
|
ok this is a list of there programs that i have cracked useing these methods
|
|
|
|
VB
|
|
Cherry Slots #316247
|
|
Dynamite Slots #884916
|
|
Extreme Slots #196458
|
|
|
|
Other
|
|
Double Wide Slots # 317541
|
|
Animated Black Jack # 508150
|
|
|
|
All there other programs are on the site
|
|
http://www.softsite.com/ulti
|
|
|
|
Well I really Hope this helped you in some way if nothing than showing that sometime the protection
|
|
can be so easy.
|
|
|
|
|
|
_CbD_ [ME/C4N'97]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|