A Cracking Tutorial for Newbies

Romania
September 13, 2007 12:56pm CST
A Cracking Tutorial for Newbies by FlOrEsTaN
Newbies ONLY

"FlOrEsTaN has sent me this tutorial he wrote a few months back and imho it's one of the best "how to get started" tutorials I've read. I'll certainly be adding this to my recommended newbies reading list. You should easily find the target programs and tools. I hope FlOrEsTaN will go forward to enhance his knowledge further." "Slightly edited and commented by CrackZ".

You notice the title. I am a beginner. I have been cracking for about a month or 2, with mixed success. It should be noted, therefore, that lots of what I say may be incomplete or inaccurate. It is the intention of this tutorial to teach *complete* newbies what I have learned so far. (BTW, you'd better read this with word wrap on, or you'll have hell trying to follow the text!!!)

The first thing I think you should do is get "W32Dasm". This is one of the tools you will use regularly when cracking. It is a "disassembler". It disassembles files, so you can see how the program is set out, how it works, etc. Get this tool from:
http://www.woodmann.com/crackz/Tools.htm
Just copy and paste that URL into your browser and you should start downloading. Go get this program now, and resume the tutorial when it's installed.

When you disassemble a file for the first time, you'll look at the contents of your screen and think, "Oh dear...". Don't be discouraged; what you'll be looking at is the program's "Assembly". You will have to get to know what lots of the stuff means. I'm still struggling, but I'm still learning. The assembly of a program is the listing of all the functions it carries out. Every program you disassemble will look similar. When you disassemble a program using W32Dasm you will notice it takes a long time to load some files, depending on the size of the exe you are disassembling. (Especially on my slow excuse for a PC!)

Load "calc.exe" (the Windows Calculator) into the disassembler. The one I have is 92KB, but if yours is different, just apply what I say to your version. (P.S. If you skipped ahead without getting W32Dasm, get it now; you honestly will need it from this point on.)

Disassembled the calculator? Good. Now, a few basics about the disassembled text. First of all, click on the button on the W32Dasm toolbar that says "Cd Loc". (When you put your mouse over this button it will say "Goto Code Location". Push the button. A window will pop up.) Type in the window: "010026A6" (without quotes). (Don't worry, it's only a random number I have chosen.) Click on OK.

All the way down the left side of the page you will see 8 numbers (or letters). These first 8 numbers or letters on each line are the "Addresses" or "Code Locations". Ignore the numbers and letters after the addresses for now. Addresses are used so that if a program says "Carry out the function at address (whatever the address is)", the program will know where to go next. Things like that.

Look at the right hand side of the assembly language. You will see something like the following (don't worry if yours isn't the same as what is written here; it's not important):

    call 01007387
    mov ecx, dword ptr [01013D90]
    mov dword ptr [ecx+04], eax
    mov eax, dword ptr [01013D64]
    mov eax, dword ptr [4*eax+01013CE0]
    jmp 01002745

These are the actual instructions. Don't ask me what it all means! I only know the basics right now.

Look for an instruction that begins with a "Jmp". Any one you can find. If you're using the same file as me, there will be one just below where your blue bar should be:

    :010026AD E993000000 jmp 01002745
     ^        ^          ^
     Address  "Hex"      Instruction

Don't worry yourself with hex just yet. See the "Jmp" is followed by an address. Here is a good place to explain that "Jmp" means "Jump". This means that the program will jump from the address specified on the left (e.g. in the above example the address is 010026AD) to the address specified in the Jump instruction (e.g. 01002745).

Double-click on the line with the "Jmp". The blue bar should go onto the line and turn green. Memorize the address after the "Jmp" (e.g. in the above example I mean memorize "01002745"). Look at the toolbar of W32Dasm. You will see a "Jump to" button. Put your mouse over it. It will say "Execute Jump". Click on the button. Look at where it has taken you. Look on the left: the address is the one specified in the Jump instruction. Go to any random parts in the file and try this jumping procedure some more, so you get used to how jumping and addresses work.

Now I'll explain about different jumps. The "Jmp" was an "Unconditional Jump". This means that the program will jump when it reaches the "Jmp" instruction, no questions asked. There are many other types of jump. Here are some of the most important:

"Je" - Jump if Equal
This will regularly come after a "Cmp" (Compare) instruction. You will see the compare instruction as "Cmp" followed by two values. E.g. scroll up to address "010025C2" if you are using the same version of calc as me; otherwise, just follow what I'm saying. You'll find loads of "Cmp" instructions in your file also.

    :010025C2 3BC3         cmp eax, ebx
    :010025C4 0F84DD020000 je 010028A7

This is a typical example of a "Cmp" instruction followed by a "Je". In this example, when the program gets to this point, it will compare the value contained in ebx with the value contained in eax. (EAX and EBX are "Registers". Don't worry about it quite yet!) If the values in these registers are equal, the program will jump when it reaches the next (Je) instruction. If EAX's and EBX's values are not equal, the program will not jump; the instruction will be ignored.

"Jne" - Jump if NOT Equal
This is the same sort of thing as "Je", but it's the opposite. It jumps if the compared values are not equal. It would be common to find a "Jne" in a relevant part of code in a program you are cracking, where if the program compares the registration code you entered with the right code, and they don't match, it will jump to a set of instructions that send you the error message.

"Jz" - Jump if Zero
This is like "Je" but it is after the program calculates something. If the answer to the calculation is 0 (zero), the jump will occur. "Jnz" means Jump if NOT Equal. (Use your common sense.)

I will explain more about these jumps when I try to explain "SoftICE" to you. There are other jumps, but they don't need explaining now.

Without any further ado, let's do some practical work... You will need two programs: "Hex Workshop" (Version 2.20) (which we will be cracking) and "Hackers' View" (or "HIEW" for short; this is a tool you will need to start using). Get these programs.
http://ftp.bspu.unibel.by/fileecho/MFEDOS/HIEW616.ZIP (Hackers' View - copy and paste the URL and you should start downloading).
http://www.bpsoft.com (Hex Workshop)
Some of the links may be dead by the time you get to read this; if that's the case, just find a cracker, they should help you get the tools. (Or you could e-mail me at "Florestan5@hotmail.com" and I'll send them by mail.)

Got the programs? Good. All set up? Run Hex Workshop (HWorks32.exe). Aha, look in the top right hand corner. "Unregistered Version". We don't like that... Go to "Help", and "About". Here you have the chance to enter the serial number. Enter anything and click on "Register". Unless you are the luckiest person on earth and guessed the correct code, you will be staring at an error message. Write the message down. ("You have entered an invalid registration number" will suffice.) Get out of the program.

Highlight the HWorks32.exe file and copy it. (Ctrl-C, as if you didn't know.) Make 2 copies of the file. Rename one "HWorks32.ex_" for backup, in case we totally screw the program up when we're cracking it. Rename the other one "HWorks32.w32". This helps you remember that this is the file you will disassemble using (.w32)Dasm.

Load up "HWorks32.w32" into W32Dasm. Click on Find on the W32Dasm toolbar. Get the message you wrote down. Type in "You have entered an invalid". Click on Find. It will put you in the section headed "Dialog Information", before you even come to any instructions or addresses. Look up 2 lines. You will see "DialogID_0075". Write this information down, as this is what the program will refer to when it needs the text for the error message.

Click on Find again. Enter "DialogID_0075" and click on Find. You will land on a line that says "Possible reference to Dialog: DialogID_0075". Look up to where it says:

    Referenced by a (U)nconditional or (C)onditional jump at address:
    |:0041BCCE(C)

This means that the address 0041BCCE had a conditional jump (i.e. a "Je" or "Jne" etc.) that told the program to go to the part of the code that follows the "Referenced by a (U)nconditional or (C)onditional jump at address" text. E.g. when we go to the code location (address) 0041BCCE, we should see one of the following lines:

    je 0041BD4D   ;or
    jne 0041BD4D  ;or
    jz 0041BD4D

(You get the picture.) So let's scroll up to address 0041BCCE. It shouldn't be far away. Found the address? Look. Sure enough:

    :0041BCCE 0F8479000000 je 0041BD4D

Write the address down. (Write down "0041BCCE".) This instruction "je 0041BD4D" we are about to change, so that it reads "jne 0041BD4D".

DON'T close W32Dasm yet. Minimize it. Run HIEW (Hackers' View). Find your original HWorks32.exe file and open it in HIEW. When this is done, press F4. From here you can select "Decode Mode", which is where we can change what the program does. Select Decode mode. Sure enough, you notice anything familiar? Yep. Good old assembly! Press F5. The top line will change colour and you will be able to put the address we wrote down in here. Put in the address you made a note of. IMPORTANT - Make sure you put a dot (.) before the numbers. So type in (Without quotes
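The two things the post does by hand in W32Dasm and HIEW (working out where a jump lands from its bytes and its address, and turning a "je" into a "jne" without touching the displacement) can be reproduced in code. What follows is an added example, not code from the post or from FlOrEsTaN; the byte strings are copied from the listings quoted above and the "image" it patches is a constructed buffer standing in for HWorks32.exe, not the real file. One caveat the post's truncated last step hints at: the number you give a patch tool must be the instruction's file offset, which in a PE file is in general a different number from the virtual address W32Dasm prints (that is what the dot prefix in HIEW's Goto is about), so the example refuses to write unless the bytes at the offset are the ones it expects.

```python
"""x86 jump decoding and je<->jne patching, as done by hand in the tutorial.

Added example. Byte strings come from the post's W32Dasm listings; the file
image below is constructed, not read from HWorks32.exe.
"""

# Short (rel8) forms: one opcode byte + one displacement byte.
SHORT_JUMPS = {0xEB: "jmp", 0x74: "je", 0x75: "jne"}
# Near (rel32) forms: E9 for jmp, 0F 84 / 0F 85 for je / jne.
NEAR_JUMPS = {0xE9: "jmp"}
NEAR_CC_JUMPS = {0x84: "je", 0x85: "jne"}


def decode_jump(addr, code):
    """Return (mnemonic, length, target) for the jump whose bytes start `code`.

    The CPU adds the displacement to the address of the *next* instruction,
    which is why W32Dasm shows 'jmp 01002745' for E9 93 00 00 00 at 010026AD
    (010026AD + 5 + 0x93).
    """
    op = code[0]
    if op in SHORT_JUMPS:
        name, length = SHORT_JUMPS[op], 2
        disp = int.from_bytes(code[1:2], "little", signed=True)
    elif op in NEAR_JUMPS:
        name, length = NEAR_JUMPS[op], 5
        disp = int.from_bytes(code[1:5], "little", signed=True)
    elif op == 0x0F and len(code) >= 6 and code[1] in NEAR_CC_JUMPS:
        name, length = NEAR_CC_JUMPS[code[1]], 6
        disp = int.from_bytes(code[2:6], "little", signed=True)
    else:
        raise ValueError("not a jump this decoder knows: " + code.hex())
    return name, length, (addr + length + disp) & 0xFFFFFFFF


def jump_taken(name, zf):
    """Does the jump fire, given the Zero Flag left behind by a cmp?

    cmp a, b sets ZF when a == b; je/jz jump on ZF=1, jne/jnz on ZF=0.
    """
    if name == "jmp":
        return True
    if name in ("je", "jz"):
        return zf
    if name in ("jne", "jnz"):
        return not zf
    raise ValueError(name)


def next_address(addr, code, zf):
    """Address executed after the jump at `addr` when the Zero Flag is `zf`."""
    name, length, target = decode_jump(addr, code)
    return target if jump_taken(name, zf) else (addr + length) & 0xFFFFFFFF


def flip_conditional(code):
    """Copy of `code` with je<->jne inverted; the displacement is untouched."""
    buf = bytearray(code)
    if buf[0] in (0x74, 0x75):
        buf[0] ^= 0x01          # 74 <-> 75
    elif buf[0] == 0x0F and buf[1] in (0x84, 0x85):
        buf[1] ^= 0x01          # 0F 84 <-> 0F 85
    else:
        raise ValueError("not a je/jne: " + code.hex())
    return bytes(buf)


def patch_file_bytes(image, offset, original, replacement):
    """Patch `image` at a FILE offset, only if the bytes there are as expected.

    `offset` is a file offset, not the virtual address W32Dasm displays.
    """
    if len(original) != len(replacement):
        raise ValueError("patch must keep the instruction length")
    if image[offset:offset + len(original)] != original:
        raise ValueError("bytes at offset 0x%X are not %s" % (offset, original.hex()))
    return image[:offset] + replacement + image[offset + len(replacement):]


if __name__ == "__main__":
    # The three jumps quoted in the post, decoded from their bytes.
    for addr, hexbytes in ((0x010026AD, "E993000000"),
                           (0x010025C4, "0F84DD020000"),
                           (0x0041BCCE, "0F8479000000")):
        name, _, target = decode_jump(addr, bytes.fromhex(hexbytes))
        print(":%08X %-12s %s %08X" % (addr, hexbytes, name, target))

    # Constructed stand-in for the exe: 16 filler bytes, the je, then a ret.
    je = bytes.fromhex("0F8479000000")
    image = b"\x90" * 16 + je + b"\xC3"
    patched = patch_file_bytes(image, 16, je, flip_conditional(je))
    print("before:", next_address(0x0041BCCE, image[16:22], True) == 0x0041BD4D)
    print("after: ", next_address(0x0041BCCE, patched[16:22], True) == 0x0041BCD4)
```

Running it prints the three targets the post's listings show (01002745, 010028A7 and 0041BD4D), confirming the displacement arithmetic, and then shows that with the Zero Flag set the original je goes to 0041BD4D (the block that, per the post, references the error dialog) while the patched jne falls through to 0041BCD4. Whether the flipped jump is the *right* patch is a separate question the post answers by testing the program afterwards; the code only guarantees the bytes changed are the bytes you meant.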