CbD's Tutorial #4

Alternative to Serial # Locating

Target: Business Cards 32 v 4.18

Level: New to Intermediate

Motive of Crack:

Well, we all know that sometimes we can't seem to find the right serial number
when we are cracking a program, so this crack is to help you better understand
that there are other ways to register even if you can't find that "GooD" number.
I will show you that you can simply make the program take any number as a
"GooD" one. This type of crack can be hard in some cases, but for this example
I have chosen a fairly simple program for us to use. If you have read my other
tutorials you should know that I crack in steps to help each of you new crackers
follow along and hopefully not get lost :-).

About the Crack:

This crack will have 3 main parts to it, each of them having their own steps for
you to follow. I hope I have made it easy for you, and if for some reason you
have trouble with it please feel free to join us on EFNET in #cracking4Newbies
and ask for help. Please note that we don't mind helping the newest of the
cracking world to better their skills, as this is what we are here for.

The Target: Business Cards 32 v4.18

Get it From: http://www.midstream.com

Protection Type: Serial Number Registration with a 30-day time limit

Requested by: None

Tools Needed: SoftIce, Hiew (or other Hex Editor)

The Crack

Part #1

Ok, let's get the crack started, so go and get the program from midstream
and install it. Got it installed yet? Well, do it....

Step 1

Well, let's start this crack by looking at our little program, so load Bcards
and you will see the nag screen telling us that we are not a registered user
(not yet anyway) and that you have 30 days to try the program. Well, click and get rid
of the nag and then click [HELP] [REGISTER]; you will get the little box for you to
put in your info. Well, put in the Name you want, then the company (if you want) and
then the serial number.

Step 2

Now if we wanted to find the "GooD" serial number we would have to use SoftIce
to find the location where the "GooD" number gets compared to ours, but we don't
care what the number should be, because we are going to make the program
take our bogus number (and like it) and then give us a registered user status.
But for us to do this we still have to use SoftIce so we can find where the program
checks for a valid number, then make it think any number is a good one,
so let's get into SoftIce and start the work. Press Ctrl-D; this puts you in SI.
Now we need to break when the program reads our serial number, so
we will set a BP (BreakPoint) on GetDlgItemTextA (I have already found the right
function for you), so type BPX GETDLGITEMTEXTA and press enter.
Now we have the only break point we need for this crack. So get out of SI with
Ctrl-D.

Step 3

Now you should be back in Bcards at the registration screen, so press enter
and you will land back in SI at the GetDlgItemTextA function that was called
by our program. Well, this is not where we need to be, because our program
has three different textboxes to read the data from, (1) Name (2) Company
(3) Serial Number, and the one we want is the serial number one. So
let's press F11 to return to the place the function was called from, then press F5
and let the program continue to run. We will break again at the GetDlgItemTextA
function; this is where the program gets our company info, and this too is not what we
want, so press F11 to return and then F5. Now we break at the function once more,
so we press F11 to get to where the function was called from. This is where we
will start to do the real cracking of the program.

Step 4

Now that we are in the part of the code that will be checking our serial number
and deciding if we are a (GooD Guy) or a (Bad Cracker), we will need to do some single
stepping to see what happens here. So press F10 and watch the lines of code as they
pass. We will want to stop on the code below.

Your addresses may differ, but the code itself should look the same.

:00412C3A ADD ESP,04
:00412C3D CMP BX,AX [STOP HERE] <---- compares part of our serial # with part of the good one
:00412C40 JNZ 00412C7E <---- if all is good then go ahead, and if not, then jump
:00412C42 LEA EAX, [EBP-0C] so this is one of the points we need to make a change to

Ok, we will need to change the JNZ (Jump if Not Zero) to JZ (Jump if Zero), and in doing this,
if we were to enter a valid serial number the program would not allow it to register, as it
will then think that it is a bad number. So let's make a note of the address we
will need to change, and you should also do a D xxxx:00412C40 and then write down
the value from the data window for later use. Or, if you just want to crack your own program
and not make a general crack to distribute, you can make the change in SI like this:

A xxxx:00412C40 [ENTER] <----- Press the Enter Key
xxxx:00412C40 JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice

(Note: the xxxx is the starting value for the address as you see it on your system; mine is 0137)

Now this will not modify your program on the disk, only what is running in system memory;
after you close the program the changes you made will be gone, but if you do all the right
steps the program will still be registered.

Step 5

Ok, that was one of the 3 changes that will need to be made, because if you scroll down with
Ctrl-downarrow you will see the following code. After you locate it, press F10 till you get to the
CMP, then if you wish you can make your changes.

:00412C62 ADD ESP,04
:00412C65 CMP SI,AX [STOP HERE] <---- compares part of our serial # with part of the good one
:00412C68 JNZ 00412C7E <---- Notice that the jump is to the same address as before
:00412C6A LEA EAX, [EBP-0C] so we will need to do the same as we did above

Do a D xxxx:00412C68, then write down the value from the data window for this one,
and again, if you want to, you can make the change from right here in SoftIce:

A xxxx:00412C68 [ENTER] <----- Press the Enter Key
xxxx:00412C68 JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice

Now that is the second change; we have one more, then the crack will be done.

Step 6

Now F10 just a few lines and you will see the code below:

:00412C62 ADD ESP,04
:00412C65 CMP EAX, [EBP-0098] [STOP HERE]
:00412C68 JZ 00412C91 <--- Jump if all the code is good
:00412C6A LEA EAX, [EBP-0C]

Remember to do a D xxxx:00412C68 and write down the values.
Now here we will need to change the JZ to a JNZ, and once we have done this we can disable our
breakpoints and hit F5 or Ctrl-D and let the program continue, and as we pop back to the program we
will see that we are now a registered owner of this program .......

Ok, we have now cracked this program, and if we want to we can make a general crack
so everyone can crack their copy. To do this just follow the steps below.

Part 2

Step 1

Ok, remember the values I told you to write down? Did you? Well, if not, I have provided them below.

First one was:

xxxx:00412C40 75 3C 8D 45 F4 50 E8 59 <--- Values you will need (all eight bytes)

Second one:

xxxx:00412C68 75 14 8D 45 F4 50 E8 31 <--- Values you will need (all eight bytes)

Third one:

xxxx:00412C7C 75 13 8D 45 F4 50 E8 1D <--- Values you will need (all eight bytes)

The following instructions are for users of HIEW only; if you are using a different
hex editor then you will need to find the commands that do the same procedures.

Ok, start Hiew by editing the bcards.exe file (make a backup first),
then do the following:

1) when Hiew starts, press the F4 key to get Hex view
2) press F7 to search
3) enter the first string from above (only the bytes marked)
4) press F2 to get the Code view
5) press F3 to edit the code
6) press F2 for ASM mode
7) change the JNZ to a JZ
   (this may show as a JE or a JNE depending on the step you are in, 1, 2 or 3)
8) press F9 to update
9) press F10 to exit

Now do the same for each of the three strings; you will need to restart Hiew each time
to ensure that you are able to get the proper search result.
(Note: for the last one make sure you change the JZ to a JNZ)
After you are done with all three you can then exit Hiew and continue to Part 3.

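Added here as a defender-side check, not part of the tutorial or of Business Cards 32: a vendor or admin who keeps a pristine copy of a binary (the backup Part 2 tells you to make) can spot the kind of one-byte conditional-jump flips described above by diffing the two files and filtering for inverted jump opcodes. The sample bytes are constructed from the three sequences quoted in Part 2; the JCC_INVERSE opcode table and the flat file layout are assumptions of this example.

```python
"""Detect one-byte conditional-jump flips between a pristine binary and a suspect copy."""
import hashlib

# Short (rel8) x86 conditional jumps paired with their inverses, e.g. JZ (74) <-> JNZ (75).
# Assumption: these opcode pairs are the flips worth flagging; extend as needed.
JCC_INVERSE = {0x74: 0x75, 0x75: 0x74, 0x72: 0x73, 0x73: 0x72,
               0x7C: 0x7D, 0x7D: 0x7C, 0x7E: 0x7F, 0x7F: 0x7E}


def sha256_hex(data: bytes) -> str:
    """Digest to record next to the known-good binary; a later mismatch means 'look closer'."""
    return hashlib.sha256(data).hexdigest()


def diff_bytes(original: bytes, suspect: bytes):
    """Every differing byte as (offset, original_byte, suspect_byte)."""
    if len(original) != len(suspect):
        raise ValueError("size mismatch: %d vs %d bytes" % (len(original), len(suspect)))
    return [(i, a, b) for i, (a, b) in enumerate(zip(original, suspect)) if a != b]


def flipped_jumps(original: bytes, suspect: bytes):
    """Only the diffs that invert a short conditional jump (the edit HIEW step 7 makes)."""
    return [(off, a, b) for off, a, b in diff_bytes(original, suspect)
            if JCC_INVERSE.get(a) == b]


# Constructed sample: the three 8-byte sequences quoted in Part 2, laid end to end
# as if they were a tiny code section (offsets 0, 8 and 16 hold the JNZ opcodes).
ORIGINAL = bytes.fromhex("753C8D45F450E859" "75148D45F450E831" "75138D45F450E81D")

# Constructed 'cracked' copy: all three JNZ (0x75) turned into JZ (0x74), plus one
# unrelated byte changed so the filter has something to ignore.
_patched = bytearray(ORIGINAL)
for _off in (0, 8, 16):
    _patched[_off] = 0x74
_patched[19] = 0x00
PATCHED = bytes(_patched)

if __name__ == "__main__":
    print("original sha256:", sha256_hex(ORIGINAL))
    print("suspect  sha256:", sha256_hex(PATCHED))
    for off, a, b in flipped_jumps(ORIGINAL, PATCHED):
        print("offset 0x%04x: 0x%02x -> 0x%02x (conditional jump inverted)" % (off, a, b))
```

On a real binary, read both files with open(path, "rb").read() and pass them to flipped_jumps; offsets are file offsets, not the virtual addresses SoftIce shows.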
Part 3

Making a Patch with Gpatch

Ok, remember I told you to make a backup copy of your file before you used HIEW?
Well, you should name it like this, Bcards32.bak, and the one you edited should be
Bcards32.exe (note: you should read the doc that comes with gpatch to fully understand
how to use it). If you want, you can make a txt file named gpatch.txt and put any nfo
about your patch you want in it. Now run gpatch like this: gpatch bcards32.exe
It will make you a patch and name it patch.com; you can now rename it to whatever you
like and distribute it. Well, that's it for this tut.

I hope this tutorial has been helpful and showed you another way to crack
those serial number protections. Well, even if you can't seem to make the crack work
(don't see why you couldn't) I have included the crack with the tutorial.

Enjoy and Happy Cracking......... _CbD_ ME/C4N'97

EFNET #Cracking4Newbies stop by and see us sometime....