Generic cracking guide

September 13, 2007 12:57pm CST
So let's begin! Start by installing AddLink (or one of the apps., that you wish to crack). Start AddLink by right-clicking on any file, select Send To -- Start Menu. A nasty *NAG* will show, and remind you to "pay" for the program. Go in to SoftIce (CTRL+D) and BPX Lstrcmp Press F5 to get out of SoftIce... Select Register... Enter your name (in my case): -=[JON!]=- And a fake serial: 1212121212 (Copyright © +ORC) Hit ENTER... Now, SoftIce BREAKS at Lstrcmp! Type: BC * To clear the breakpoint. Press F11 to go back, where it was CALLed from, scroll up a little, and you see this: CALL 00401BB0 ;Calculate valid code. LEA EAX,[ESP+18] ;Copy your code to EAX. ADD ESP,08 PUSH EAX ;PUSH your code. PUSH 004051C8 ;PUSH valid code. CALL [Kernel32!lstrcmp] ;Compare strings. TEST EAX,EAX ;Are you registered? JNZ 00401BA5 ;If not, JMP to *NAG*! Now, to retrieve the valid code, you'll need to set a breakpoint on the line where your code is PUSHed. To do this, simply double-click on that line. (If you have mouse disabled, do a BPX XXXX:YYYYYYYY, where XXXX:YYYYYYYY is the memory location). Now, go out of SoftIce and enter the name and a bogus code again. Press OK, and SoftIce breaks again. Type: BD * to temporarily disable the breakpoint (it will be used later). Type: D 004051C8 And you discover that the valid code for the name -=[JON!]=- is: 14621-136061-2316-6752. But why stop here? Why not make a key-gen? To do so, UNREGISTER the program, by deleting its registry-entries (HKEY_CURRENT_USER\SOFTWARE\ADDLINK). Now that it's unregistered, start the program, go in to SoftIce and enable your breakpoint once again: BE * Enter something fake and press OK. SoftIce breaks once again, where the valid code is PUSHed. Clear your breakpoint: BC * Now, write down the HEX-numbers for the PUSH function: 68C8514000 --------------------------------------------------------------------------------68C8514000 PUSH 004051C8 ;PUSH valid code.-------------------------------------------------------------------------------- Keep pressing F10, until you see these lines of code: PUSH 00 PUSH 00 PUSH 004051B4 ;PUSH the text "Incorrect code!" PUSH ESI CALL [USER32!MessageBoxA] ;CALL the *NAG* dialog. MOV EAX,00000001 ;Set EAX=1 (unregistered). Now, type: E XXXX:YYYYYYYY Where XXXX:YYYYYYYY is the memory-location of PUSH 004051B4 Enter the hex-digits you've written down (68C851400). Press F5 to get out of SoftIce, and what shows before your eyes?! A *NAG* with the valid code for your name!!! Cool, huh? To make the crack permanent: HIEW ADDLINK.EXE Search, F7: 6A006A0068B451400056 ^^ Replace : 6A006A0068C851400056 Save (F9) and exit (F10), and you've got yourself a working key-generator! --------------------------------------------------------------------------------6A006A0068B451400056 ;push incorrect code has been changed into 6A006A0068C851400056 ;push correct code-------------------------------------------------------------------------------- This can be applied to all the other apps. (some minor differences, of course), with the exception of QuickDesk and SysLaunch. This is because, the memory location in which the valid serial is stored is overwritten before the *NAG* is shown :-( But you can, of course still "fish" a serial, using the same method described above. Final Notes What have we learned? 1.If Lstrcmp is used the compare the codes, it's easy to locate the right one, since it has already been calculated! 2. If the programmer hasn't cleared the valid code before the "Incorrect code!" *NAG*, we can in most cases turn our worst enemy in to a key-gen! 3. The shareware programmers should make the protection-schemes different if they have more that one product! 4. SoftIce is the best debugger! 5. Cracking rulez! Greetings: +ORC, The +HCU, Fravia+, +Gthorne, all (+)crackers, all the cool cracking groups, all those who have killed a spammer, and of course to you, reader of this essay! Have Fun! :-) By Jon, February 9th, 1998. PS: If you have any comments on this crap (good or bad), don't hesitate to e-mail me at: jon101514(at)cyberjunkie(point)com
No responses