
                                        
                         ܰ              
                           ܰ            
                           ݰ            
                             ۱            
                              ۲        
                            ۲     
                             ۲ ݰ      
                                  
                                   ݰ
                                   
                 ݱ         ݱ
                 ۲ ۲        ۱
                  ۲۲       ۱
                    ۱         ۲
                                                    ۲
                                                       

	 -͹ Crackers in Action presents: - 
                    Ľ                              
                      EASY CRACKING TUTORIAL BY : BuLLeT
                                                             January 6 - 1999
Heya !

Ok..so sitting here not knowing what to type, i thought i might as well write
something about the basics of cracking. This tutorial is actually written due
to the fact that i lately have got a few emails asking: "Why did you know that
THAT was the correct byte to patch?" or "How did you know that THAT was the
correct breakpoint to set?" These are commonly asked questions and i think it's
time to answer them once and for all. Since this isn't gonna be a tutorial in
which you need much cracking experience i think that being armed with W32Dasm,
SoftICE & HIEW will get you started pretty well.

In this tutorial i will not teach you how to crack a particular program, but
teach you the basics in order to make it easier for you in the future when you
decide to crack something.

So..let's get started. I now assume that you have the disassemblers ready.

One question that many newbies ask me is: "Can you recommend me a program to
crack?" I can't..but i can give you an advice. I think everyone has a
SHAREWARE cd filled with a lot of goodies on it. Put that in the drive and
search it. You will sonner or later find a small (unsecure) program that has
a week protection, and you will chose that as your target. A small program
that a standard registration routine. (NAME/SERIAL). I would NOT recommend you
to get a VB (=Visual Basic) nor would i advice you to get an encrypted one,
since you then need knowledge of decrypting etc. (I will later explain how to
check for encryption). The reason for not chosing a VB app is that VB isn't
really a program. It uses the VBRUNxxx.DLL so therefor you can't just dis-
assemble the EXE file since the important code is in the DLL. The reason for
not chosing an encrypted program is pretty obvious. Since it's encrypted you
will not be able to patch the code without causing a GPF (=General Protection
Fault). So let those two types of programs rest for a while, while you start
your cracking on an easy target.

"But now that i've found a program that i THINK might be easy, what do i do?"
Well first of all you might wanna check if the program really IS as week as
you thought. An easy way to do this is to edit the file. (HIEW FILENAME.EXE)
The first page you look at can actually tell you if it's encrypted/packed or
not. (In most cases). If the file is not encrypted you will see, somewhere on
the first screen, something like this:  .idata  /  .rdata  /  .tls  /  .reloc
/ .rsrc  If the program, however, IS encrypted/packed you will most likely see
something like this. If the packer is SHRINKER: .shrink2  /  .shrink3  If the
program is encrypted by fx. PE-CRYPT you will noticed a nasty message saying:
.ficken (=fuck in German) a lot of times. This is a feature provided by the
cool program called PE-CRYPT by Phrozen Crew. Tnx d00dz !!
If you see one of these, or something else not looking "normal" you will know
that the program has either been encrypted or packed and you will go on to the
next target.

So..assumed that you have your target, you now launch it so gather as much
information about the registration process as you can. eg. TEXT/NAG/BUTTONS,
stuff that you might neeed to use. One thing that you, most likely, need to
note is the message you get when entering an INVALID serial. "Wrong serial.."
Note it cause you'll sooner or later need it when cracking.
"So..why do i need it?". Well as you probably already know, since you have
read other tutorials :P, you will need to find the place in the code where
that messagebox is called. And just editing the file and search for it would
be a waste of time since there probably are more checks you need to consider.
Therefor you note the messages and disassemble the program in W32Dasm. Also
called Windows 32 Disassembler. Now what?..after disassembling all you see is
just a bunch of strange Assembly which you probably don't understand. And the
cool part is: YOU DON'T NEED TO !! (at least not always). Of course it's good
to know what it means but it's not required if the program you've found is
easy enough. So..so you remember the message you got when entering a wrong
name/serial? If so go to the SDR (=String Data Reference) in one of the menus
to the right. This menu item is a very helpfull item when cracking since it
will show you the text of the program. "What text?". Think about it!

-while you give your eyes a rest from this LOOONG and EASY text. *hehe*

One of the things you might find is the VERSION of the program and, most
likely, the ERROR message you just noted. You see why this message is so
important? :P Ok..now that you know that it shouldn't really be necessary to
tell you to grab those scrollers and find the message. So..scrolling down,
watching the other messages, you finally find the ERROR. To go the place in
the program where it's located you double-click it. Now the data-window (in
the back-ground) will change, and you will also see some stuff in the bottom
line of the disassembler. You should see: CODE: XXXXXXXX / OFFSET XXXXXXXXh.
This was the FIRST place where the ERROR was stored but it MIGHT be stored
more places, and to check that you note the offset at the bottom and double-
click the ERROR again. In some cases it changes but if it don't you just close
the SDR window and start looking at the code.

-go take a look at it.  ZZZZZZZZZZZZZZzzzzzzzzzzzzzzzzzzz  *BOO* Fell asleep?

The first thing you'll need to do is to learn these simple Assembly codes:

  CMP   = Compare   (eg. CMP EAX, EAX) <- Compare EAX to EAX
  JE    = Jump if Equal
  JNE   = Jump if NOT Equal
  JL    = Jump if Lower
  JLE   = Jump if Lower or Equal
  JA    = Jump if Above
  JAE   = Jump if Above or Equal
  JMP   = Jump Straigth

This is pretty much what you need to know, at least in the beginning. Assembly
is actually pretty logical as you see.

But we're not at the right code yet. Cause right now we're already inside the
message, and what we want is to be at the CALL which CALL's the message.
This is where W32Dasm is cool. You trace up (use the scroller) until you see
something like this:

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00xxxxxx(U/C)

The 00xxxxxx at the right is the code location NOT the offset. The xxxxxx
should be numbers (ex: 040260)

So now you go to that address and look again. There you'll see something like
this. This is just an easy example, but there are several types of this.

    :00xxxxxx 3BC5              cmp eax, ebp          <---- Compare
    :00xxxxxx 741E              je 00xxxxxx           <---- Jump if Equal

The 3BC5 is the code equal to the text. Which means that 74 = JE
After learning the Assembly i just showed you, understanding this code should
be pretty easy. EAX and EBP are registers which, in this case, is used to
store the serials. Let's say that EAX contains the CORRECT serial and in EBP
we find our WRONG serial (the random number we entered). So this should be
pretty obvious. It compares EAX (=CORRECT SERIAL) with EBP (=WRONG SERIAL),
and if they're equal it jumps to the address 00xxxxxx. Can this be more easy??
Nah..it can't. So considered the Assembly you just learned it should be pretty
easy for you to figure out what to do to make this program accept ALL serial.
Or? Ya know what to do? No?? Well..look at the JE (=Jump if Equal). Maybe
changing this to JNE (=Jump if NOT Equal) would do the job. And yes..it will!

Now it's time to move the green bar over the JE line and note the offset at
the bottom of the disassembler. It should say something like: 00xxxxxxh, but
you don't have to type the h since it's only there to show that we're dealing
with HEXADECIMAL language.

So, now you know WHAT and WHERE to patch so let's HIEW the file and patch.
(HIEW FILENAME.EXE) Press <ENTER> twice to go to DECODE mode. There you will
need the following keys: F5 = GOTO OFFSET  /  F3 = EDIT  /  F9 = UPDATE
Knowing this, you hiew the file, go to decode mode, press F5 and enter the
offset. Then to edit press F3 and enter 75 (=JNE). To update your work press
F9, and quit HIEW. Launch the program and it SHOULD be cracked (IF you chose
an easy program AND if it only has one check, you will now see a REGISTERED
and 100% working program).

* I think i pretty much answered the first question.

What you just read is mostly for W32Dasm and can NOT be done like this in
SoftICE. In SoftICE, however, you can get the CORRECT serial by typing ? EAX
This i will describe a bit more detailed in the following.

So..time to answer the second question, which was how i find out which break-
points to set. Well..this is a thing you will learn pretty fast. Generally you
can say that when cracking a DELPHI program you can be pretty sure it uses
either: GetDlgItemText(A) or GetWindowText(A). (Now this was kinda stupid to
write that, cause now i know that the newbies got another question to ask.
"When i try to set GetDlgItemText(A) it gives me an ERROR!". So i might as
well just explain a bit. The (A) is NOT something you should type. You can
write either GetDlgItemText or GetDlgItemTextA, depending on if the program
you're cracking is 16 or 32-bit (by typing the A you'll set a 32-bit). Now..
that should pretty much cover it. Just remember that the A can also be typed
in other breakpoints.
Again i'll need to tell you an exception. In the beginning i told ya NOT to
crack VB in the beginning but here's a reason against that, cause cracking VB
can SOMETIMES be VERY easy. The only thing you need is to set a breakpoint on
__VbaStrCmp, which needs to be enabled from your WINICE.DAT This is, however,
not a good idea to start with, cause you'll pretty fast get lost in KERNEL32
or USER so do that when you start to understand what you're doing.
Ok, time to set the CORRECT breakpoint (BPX from now on). A thing that many
crackers advice is to use Quick View and look at the imports etc. This it not
a thing i usually do since it's actually not necessary. You can just set all
four BPX. GetDlgItemText/GetDlgItemTextA/GetWindowText/GetWindowTextA.
By setting these you can be pretty sure to make SoftICE break. These are the
most commonly used BPX's and will worx in almost all programs you'll meet in
the beginning. So, set them ALL four and let's crack using SoftICE!

Ok..you will need to re-install the program in order to crack the NOT cracked
version. Let's say you have two input boxes: Name/Serial. You enter your NAME,
and enter a random SERIAL. Press CTRL+D to go to SoftICE to set the BPX's. Set
them and press F5. Click the OK/REGISTER/CHECK button, or whatever it might
say. You should now be back in SoftICE. If you're NOT, go back to SoftICE
using CTRL+D and clear ALL BPX's (=BC*). Set a new one called HMEMCPY. This
is a breakpoint which will break every time something is copied to memory.
Using this you'll need some experience since you'll have to trace through the
KERNEL and USER so get to the program.
So..assuming that the program used one of the four breakpoints you're now back
in SoftICE and ready to trace. And that's exactly what we're gonna do. In
SoftICE you'll need the following keys in the beginning:
F5 = RUN / F8 = Trace INTO a CALL / F10 = Trace OVER a CALL /
F11 = Go back to CALL'er
ok..now you would normally press F11 to return to the CALL'er but you might
forget something. The program had TWO input-boxes which means that it will
break TWO times. So press F5 to read the second input-box. Ok..NOW you may
press F11 to return to the CALL'er, and start tracing. So, Press F11 and start
pressing F10, while you watch your name/serial go through the registers etc.
Now since i don't know the program i can't tell you all the details so let's
just skip the section where is compares our serials. Like above you'll also
here see this:

    :00xxxxxx 3BC5              cmp eax, ebp          <---- Compare
    :00xxxxxx 741E              je 00xxxxxx           <---- Jump if Equal

Again it should be pretty easy. You know that our serial is in EBP and that
the CORRECT serial is in EAX. So type: ? EAX or D EAX and note the serial.
Clear all BPX's and press F5 to run the program again. Now use your own NAME
and the CORRECT serial to register the program.

Ok..so the section about SoftICE got pretty small, but i dunno what else to
write. I think i pretty much covered what you need to know.

I hope i helped some of you out there who really want to become crackers. If
you did not understand this text, or even got a clue about what it's about,
you might as well just forget becomming a cracker. This text is on LEVEL -00
and should be understood by everyone who has read more than one tutorial.

One final thing i'd like to say is. DO NOT GIVE UP !!! If you still can't
crack the program after 2 hours just go get another. MAYBE you just got a hard
program or something. So..get those cracking skills enhanced and GO ON !!!


* I hope that i will get some response on this, cause i think i actually did
a pretty good job (considering i wrote this in 30 minutes). Plz lemme know if
this text helped you in ANY way !!

All for now..Cya

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

Written by [BuLLeT-CiA'98]
E-Mail: BuL_LeT@hotmail.com

------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------
