Quantum-X - MaNiFeSt `99 [Newbie] Present - Quantum-X's Cracking Tutorial N° 1 - Simple Win32Dasm

Table of Contents:

1. Introduction
   A] Aims of this document
   B] Background
   C] Tools you will need
   D] Explanation of tools
2. Getting Started
   A] Getting to know your target
3. Cracking It!
   A] Error
   B] Win32dasm
   C] Locations
   D] Patching
4. Making Cracks
   A] Basic Idea
   B] ASM listing of the Source
5. Finishing Up

Introduction

Firstly, welcome to my cracking tutorial.

Aims of this document

In this document, I am striving, firstly, to expand the knowledge of cracking to more people. This document is aimed directly at the absolute newbie, but will contain useful information for even the intermediate cracker. I believe that something can be learned from every tutorial, badly written or otherwise.. =) At the end of this tutorial, you should be able to understand almost everything in this document. Enough chatter, on to some more interesting stuff... =)

Background

Cracking is, simply, removing copy protection, or registering a program (illegally [?]) to yourself, etc. Cracking comes in many levels, but after a while of cracking, you should see repeats in protection styles.

Tools you will need

To even begin trying to crack a program, you need the right tools. In this document, we will be focusing mainly on two programs, Win32Dasm & Hiew (aka Hacker's View), and Tasm for the crack. Win32Dasm is about 932k, and can be downloaded (Registered) from: Http://Qserve.8m.com - Tools section, or Http://surf.to/HarvestR - Tools section. Likewise, Tasm and Hiew can also be downloaded from the sites mentioned above.

Explanation of Tools

Win32Dasm stands for Windows (32 bit) Disassembler, and does exactly that. You can use it to view listings of files, and their string references, etc. Hiew stands for Hacker's View, and, in essence, is a DOS based Hex / Text / Assembler code viewer and editor. Tasm stands for Turbo Assembler, and compiles your Assembler code...
Getting Started

Getting to know your target

Open up the target program, JayLock. As soon as you load it, a 'Nag Screen' pops up, demanding that you should register it. It also supplies you a computer independent code. Enter any code, and it gives you an error message - 'This is not a correct .....'. You should remember / write this down. We are going to change this, so any code will make it register...

Cracking It!

Error

Now quit the program, and go into Win32Dasm. Note - you may have to change the font from WingDings, which, for some reason, seems to make itself the default font. Choose Open from the File menu, then choose 'JayLock.exe' from the directory where you installed it. It will take a little while to disassemble the file (takes much longer on my P120..). Once it has finished, find and click on the 'String Reference' button on the toolbar. This will bring up a box with the strings that the program contains. Scroll down until you find 'This is not a correct...', and double click on it. It will bring you to some code that should look like this (the addresses may be different on your PC):

    :00406503 8D4E5C          lea ecx, dword ptr [esi+5C]
    :00406506 E8A4600100      call 0041C5AF
    :0040650B 8D4C2404        lea ecx, dword ptr [esp+04]
    :0040650F 51              push ecx
    :00406510 E8CB180000      call 00407DE0
    :00406515 8B8ED8000000    mov ecx, dword ptr [esi+000000D8]
    :0040651B 83C404          add esp, 00000004
    :0040651E 3BC1            cmp eax, ecx
    :00406520 7438            je 0040655A
    :00406522 8B8EDC000000    mov ecx, dword ptr [esi+000000DC]
    :00406528 6A30            push 00000030
    :0040652A 41              inc ecx

    * Possible StringData Ref from Data Obj ->"Notification"
                                      |
    :0040652B 68AC214300      push 004321AC
    :00406530 898EDC000000    mov dword ptr [esi+000000DC], ecx

    * Possible StringData Ref from Data Obj ->"This not the correct registration "
                                            ->"code. Please go to http://www.jaytown.com "
                                            ->"to obtain you registration code"
                                      |
    :00406536 68A8284300      push 004328A8
    :0040653B 8BCE            mov ecx, esi
    :0040653D E835A40100      call 00420977
    :00406542 83BEDC00000003  cmp dword ptr [esi+000000DC], 00000003
    :00406549 7516            jne 00406561
    :0040654B 8BCE            mov ecx, esi
    :0040654D E81B5E0100      call 0041C36D
    :00406552 5E              pop esi
    :00406553 81C4F4010000    add esp, 000001F4
    :00406559 C3              ret

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00406520(C)
    |
    :0040655A 8BCE            mov ecx, esi
    :0040655C E8F35D0100      call 0041C354

You can see the error message, so have a little look at the code above it.. It seems to make a few calls, and compares (cmp). Now, the thing with compares is, after it has compared something, there is almost always a conditional jump. For example, imagine this:

    Cmp apples, bananas
    Je GoodFruit

Now, obviously, apples and bananas don't match, so it can't possibly JE (jump if equal). So, it continues on, presumably to the BadFruit section, which must reside afterwards... So, assume Apples is the right code, and Bananas is what you entered... Now, look at the code again:

    :0040651B 83C404          add esp, 00000004
    :0040651E 3BC1            cmp eax, ecx                        [Apples, Bananas]
    :00406520 7438            je 0040655A                         [Jump if equal, if not, go on]
    :00406522 8B8EDC000000    mov ecx, dword ptr [esi+000000DC]
    :00406528 6A30            push 00000030
    :0040652A 41              inc ecx                             [Bad Fruit !]

    * Possible StringData Ref from Data Obj ->"This not the correct registration "
                                            ->"code. Please go to http://www.jaytown.com "
                                            ->"to obtain you registration code"
                                      |
    :00406536 68A8284300      push 004328A8
    :0040653B 8BCE            mov ecx, esi

So, the obvious answer must be to change Jump if Equal to Jump if Not Equal.

Locations

Ok, you say, we can't edit in here... So we must use another program. Now, to crack it, we need to know / remember the location of the jump. But, instead of the location that is in front of the line, you have to get the code's offset.
To get this, put the cursor (use the arrow keys) over the jump line, and copy the offset down, off the status bar. If this is done correctly, you should have copied down 5920h.

Patching

Quit Win32Dasm, and go into a DOS prompt. Go into the directory where you installed Hiew, and type hiew. Then, using its navigator, load up JayLock.exe. Hit F4, then F3 (Assembly Mode). Hit F5, and type in the location, 5920. It will jump to the line, and will have something like this...

    Address : 7438 je .0000665A

74 is JE in hex, and we want to change it to JNE, which happens to be 75 in hex. [NOTE: It is just coincidence that JNE is one up from 74. E.g. you cannot just add 1 to a jump and expect it to work. To be sure what the opposite jump is, and what its hex equivalent is, go to Http://Qserve.8m.com, and download the Mnemonics file.] So, press F3, move the cursor to the 4, and press 5. Then, hit F9 to save the changes, then quit. Load up JayLock, and type in any code, and if you followed everything, it should register. Congratulations! However, you have only patched the program - if you want to distribute this crack, it may be a little difficult to give them the program, as it makes registry entries. So how do you beat this? You make a crack...

Making Cracks

The Basic Idea

What you want is a small program that, when run, will load up the main .exe and patch it. I have used (sparsely) commented Assembly to do this.
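Seen from the other side of the fence, everything the patcher does amounts to one byte changed at a known file offset, and the cheapest way for a vendor (or an incident responder) to notice such a change is to compare the binary on disk with a known-good copy, or at least with its published hash. The Python below is an added example, not part of Quantum-X's tutorial and not JayLock's code: it hashes both files, lists every byte that differs by file offset (the same numbering Hiew's F5 uses), and flags a change that stays inside the short conditional-jump opcode range as a branch flip. The reference bytes are a constructed stand-in for an executable, with a 74h 38h (je) at offset 5920h mirroring the listing above; the function names are my own.

```python
import hashlib
from typing import Dict, List, Tuple

# Short conditional jumps (Jcc rel8) occupy opcodes 70h..7Fh. A one-byte
# change that stays inside this range (74h -> 75h above) flips a condition.
JCC_SHORT_RANGE = range(0x70, 0x80)


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a byte string, i.e. what a vendor would publish per release."""
    return hashlib.sha256(data).hexdigest()


def diff_bytes(reference: bytes, candidate: bytes) -> List[Tuple[int, int, int]]:
    """Return (offset, reference_byte, candidate_byte) for every differing byte.

    Only the common prefix is compared; a size change is reported separately
    by check_integrity().
    """
    return [(i, r, c) for i, (r, c) in enumerate(zip(reference, candidate)) if r != c]


def classify_change(reference_byte: int, candidate_byte: int) -> str:
    """Label a single-byte change; Jcc -> Jcc is the classic branch flip."""
    if reference_byte in JCC_SHORT_RANGE and candidate_byte in JCC_SHORT_RANGE:
        return "conditional-jump opcode changed"
    return "byte changed"


def check_integrity(reference: bytes, candidate: bytes) -> Dict[str, object]:
    """Compare a candidate binary with the known-good reference.

    The hash comparison is the fast path (only the hash needs to be kept or
    published); the byte diff explains where the file was modified once the
    hashes disagree.
    """
    ref_hash = sha256_hex(reference)
    cand_hash = sha256_hex(candidate)
    return {
        "reference_sha256": ref_hash,
        "candidate_sha256": cand_hash,
        "tampered": ref_hash != cand_hash,
        "size_changed": len(reference) != len(candidate),
        "changes": [
            {"offset": off, "from": r, "to": c, "kind": classify_change(r, c)}
            for off, r, c in diff_bytes(reference, candidate)
        ],
    }


def format_report(result: Dict[str, object]) -> str:
    """Render check_integrity() output as text for a verification log."""
    if not result["tampered"]:
        return "OK: binary matches reference (sha256 %s)" % result["reference_sha256"]
    lines = ["TAMPERED: sha256 %s != reference %s"
             % (result["candidate_sha256"], result["reference_sha256"])]
    if result["size_changed"]:
        lines.append("  file size differs")
    for ch in result["changes"]:
        lines.append("  offset %05Xh: %02Xh -> %02Xh (%s)"
                     % (ch["offset"], ch["from"], ch["to"], ch["kind"]))
    return "\n".join(lines)


# Constructed stand-in for the executable: filler bytes with a two-byte
# 'je' (74h 38h) at file offset 5920h, as in the Win32Dasm listing above.
_ref = bytearray(b"\x90" * 0x6000)
_ref[0x5920:0x5922] = b"\x74\x38"
REFERENCE = bytes(_ref)

# The same file after the one-byte change the Hiew step above applies.
_pat = bytearray(REFERENCE)
_pat[0x5920] = 0x75
PATCHED = bytes(_pat)

if __name__ == "__main__":
    print(format_report(check_integrity(REFERENCE, REFERENCE)))
    print(format_report(check_integrity(REFERENCE, PATCHED)))
```

Run as a script it prints an OK line for the untouched copy and a TAMPERED line for the patched one, naming offset 05920h as a conditional-jump opcode change. In practice you would read both inputs from disk (or keep only the reference hash and fetch the reference on demand), but the comparison logic is the same.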
The Complete ASM source

    .model tiny
    .code
    .386
    org 100h

    start:
        mov ah,9
        mov dx, offset Intro        ; load and print introduction text
        int 21h

        mov ax,3d02h                ; DOS: open file, read/write access
        mov dx, offset Filename     ; loads filename
        int 21h
        jnb short ok                ; checks it loaded (carry clear = opened)
        mov ah,9
        mov dx, offset Error        ; if not, error
        int 21h
        mov ax,4c01h                ; quit
        int 21h

    ok:
        mov bx,ax                   ; file handle (overwritten on the next line)
        mov bx,4200h                ; setup: 4200h = seek from start of file
        xchg ax,bx                  ; ax = 4200h, bx = file handle
        mov cx,0h
        mov dx,5920h                ; stick offset 5920 in
        int 21h                     ; to patch
        mov ax,4000h                ; DOS: write to handle
        mov cx,1                    ; one byte
        mov dx, offset BytestoWrite ; 75 (jne)
        int 21h
        mov ax, 3e00h               ; do it (close the file)
        int 21h
        int 3                       ; debugger breakpoint left in; does nothing when no debugger is attached
        mov ah,9
        mov dx, offset Done         ; print done
        int 21h
        mov ax,4c00h                ; quit
        int 21h

    Intro         db 0dh,0ah
                  db '·····································',0dh,0ah
                  db '° ProGraM: JayLock °',0dh,0ah
                  db '° TyPE: Crack °',0dh,0ah
                  db '° iNFo: Enter Any Name °',0dh,0ah
                  db '·MfD·······Quantum-X 1999········MfD·',0dh,0ah
                  db 0dh,0ah,'$'
    Filename      db 'JayLock.exe',0
    Error         db 'ERROR I/O- Is JayLock.exe in this directory?',0dh,0ah,'$'
    Done          db '···········CracKeD!············',0dh,0ah,'$'
    BytestoWrite  db 75h

    end start

Finishing Up

Compile the code with:

    Tasm FileName
    Tlink FileName /t

And there you have it - your own patch, source and crack!

[NOTE] Remember - if you have already patched the .exe, then you will have to reinstall the program again to check if the patch works. Also, make sure to delete its Registry references!

And that wraps up my tutorial. Hope to see you again in Tutorial N° 2!

Remember - This document is for (and hopefully was) educational purposes. If you like a program, make sure you pay the author - they usually do need it. Remember - if you don't do this, you are breaking federal laws, and the Digital Millennium Act. I withdraw myself from all responsibility, and trouble if you get into any...

Greets go to (in no specific order)

SliPMaTT - MfD · BuL-Let - CiA - For Help · HarvestR - For being Affiliated with my site · · WhizKid - Good friend · Vicentin - MfD dude :) ·Evel - MfD·

And, most importantly, Xlogic, for being a great friend, and help. You really do rock... :)