
   Welcome to Cracking Tutorial #10!
   Yikes! Here we are again! More newbies..
   *cough* .. *cough* :))

   In this tutor I'll teach you more about W32Dasm, SoftIce and
   SmartCheck. Without knowledge, no power! ;)

   Warning, this tutorial is a real mother!!  *grin*

   Sorry for my grammatical errors, I hope you'll understand
   this piece! Ok, let's rock!!


   Tools - What tools should we use?

   Tutor Part 1 - How to remove a CD-Check in Age of Empires
                  We'll use SoftIce and HIEW

   Tutor Part 2 - How to get a serial in Easy CD-DA Extractor 3.0
                  We'll use SoftIce

   Tutor Part 3 - How to get a serial in MP3 to EXE 1.01
                  We'll use SoftIce and W32Dasm

   Tutor Part 4 - How to get a serial in Visual Day Planner 6.1
                  We'll use SmartCheck

   Ending - Last Words


   You'll need the following tools:

   (I use these tools and I assume you'll use them too. That doesn't
   mean you need every one of them for every part, so just be sure to
   have them handy for the examples in this tutorial!)

   SoftIce 3.24
   W32Dasm 8.93
   Hacker's View 5.92
   SmartCheck 6.0
   Windows Commander 3.52 (I use it coz it makes multitasking easier)

   Don't ask me where to download all these tools, since you had
   a chance to get them when you used my older tutorials. Here
   is a good cracking site where you can grab tools:

   http://cracking.home.ml.org or http://surf.to/HarvestR

   or ask any cracker to get you these tools!

   Are you ready?!

   OK! ;)



    PART 1: How to crack Age of Empires


    I'm back :P I hope you will like this tutorial since it's my first one for a
    game. This tutorial is not as usual: this time I'm gonna teach you how to
    crack a game - Age of Empires. This one is not as easy as my "old" tutorials
    and therefore I included quite a lot of code. I also put in a lot of comments
    to make it easier for you. (newbie *cough cough*)  :)
    To understand all of this I advise you to read it several times until you
    get all of it.

    TOOLS:
      SoftIce 3.24
      HIEW 5.92

    This game has - as you probably already know - a CD-check when it's launched.
    We don't like this, and we're therefore going to find a way around it.

    Normally we would only use W32Dasm when cracking this kind of protection, but
    not in this case. Actually it's just as easy in SoftIce (at least I think so).
    Of course you could try using W32Dasm, and if you decide to do this I will give
    you a small hint: when programming it, Microsoft did not use a normal text-box,
    they used graphics. So now you know ;)

    Ok..let's start. If you're a newbie go through this step by step.

    1. Before using SoftICE you'll have to modify the WINICE.DAT file. Just delete
       the semi-colons before the EXP lines where USER32, GDI32 and KERNEL32
       are mentioned. Now SoftICE will load these export functions.
    2. Launch SoftICE and open EMPIRES.EXE.
    3. Load it (Modules->Load) and ignore irrelevant error messages.
    4. SoftICE pops up. Set a breakpoint on the function GetDriveTypeA (returns
       eax=5 if CD-ROM, eax=3 if fixed HDD) by typing: bpx getdrivetypea [ENTER]
       The 'a' on the end of the function means that we are talking about a
       32-bit application. Getdrivetype would work for a 16-bit app.
    5. Hit [CONTROL-D] to go back to the game. If SoftICE pops up again, ignore
       it. Just push [CONTROL-D] until you get to the main menu.
    6. So now you are at the main menu - hit the 'Single Player' button.
    7. If you've done everything right, SoftICE pops up at the desired function.
       Hit [F11].
    8. Now you're at the place where GetDriveTypeA has been called from! Look
       around a bit. ([CONTROL-(],[CONTROL-(])
    9. Here is what you should see:

    :004D65F6 FF1554267000   Call [Kernel32!GetDriveTypeA]         -> calls the function
    :004D65FC 83F805         cmp eax, 00000005                     -> If CDROM - drive present
    :004D65FF 7404           je 004D6605                           -> jump to ...
    :004D6601 33C0           xor eax, eax                          -> if not : eax=0 ..
    :004D6603 EB53           jmp 004D6658                          -> ... and return.
    :004D6605 8D84241C010000 lea eax, dword ptr [esp+0000011C]     -> Volume-check ...
    :004D660C 6800010000     push 00000100
    :004D6611 8D4C241C       lea ecx, dword ptr [esp+1C]
    :004D6615 50             push eax
    :004D6616 8D54241C       lea edx, dword ptr [esp+1C]
    :004D661A 51             push ecx
    :004D661B 8D44241C       lea eax, dword ptr [esp+1C]
    :004D661F 52             push edx
    :004D6620 8D4C242C       lea ecx, dword ptr [esp+2C]
    :004D6624 50             push eax
    :004D6625 6800010000     push 00000100
    :004D662A 51             push ecx
    :004D662B 57             push edi
    :004D662C FF1558267000   Call [Kernel32!GetVolumeInformationA] -> Volume-check
    :004D6632 85C0           test eax, eax                         -> is a CD-ROM in the drive ?
    :004D6634 B800000000     mov eax, 00000000                     -> eax=0
    :004D6639 741D           je 004D6658                           -> no ! return with eax=0 !
    :004D663B 8B460C         mov eax, dword ptr [esi+0C]
    :004D663E 8D4C241C       lea ecx, dword ptr [esp+1C]           -> ecx = CD-ROM label
    :004D6642 05FD020000     add eax, 000002FD                     -> eax = Label (AOE)
    :004D6647 50             push eax
    :004D6648 51             push ecx
    :004D6649 E802D60500     call 00533C50                         -> very interesting call ...
    :004D664E 83C408         add esp, 00000008
    :004D6651 83F801         cmp eax, 00000001                     -> if eax=1 ... set register flags
    :004D6654 1BC0           sbb eax, eax                          -> eax=eax-(eax+c)
    :004D6656 F7D8           neg eax                               -> 'invert' eax
    :004D6658 5D             pop ebp
    :004D6659 5F             pop edi
    :004D665A 5E             pop esi
    :004D665B 5B             pop ebx
    :004D665C 81C40C020000   add esp, 0000020C
    :004D6662 C20400         ret 0004                              -> ... and return

    You can step through the code (execute it line by line) by pressing [F10] and
    trace into a call (going into a function) by pressing [F8]. You can view the
    'contents' of a variable by typing d [variable] (e.g. d eax).
    You can also set variables by typing r [variable]=[value] (e.g. r eax=1).
    You can also toggle register flags by typing r fl [register] (e.g. r fl z ->
    inverts the result of a compare (cmp)).


    As you can see, the program checks if you have a CD-ROM drive and returns the
    drive letter if so.
    Then it retrieves various info about the inserted CD-ROM (if one is inserted).
    If an error occurs it sets eax=0 and returns.
    All right. What now? Let's take a quick look into the mysterious call (only at
    the end of it):

    :00533C50 55             push ebp
    :00533C51 8BEC           mov ebp, esp
    :00533C53 57             push edi
    :00533C54 56             push esi
    :00533C55 53             push ebx
    :00533C56 8B750C         mov esi, dword ptr [ebp+0C]
    :00533C59 8B7D08         mov edi, dword ptr [ebp+08]
    :00533C5C 8D05D08E5600   lea eax, dword ptr [00568ED0]
    :00533C62 83780800       cmp dword ptr [eax+08], 00000000
    :00533C66 753B           jne 00533CA3
    :00533C68 B0FF           mov al, FF
    :00533C6A 8BC0           mov eax, eax
    ...
    :00533CC6 E845070000     call 00534410
    :00533CCB 83C404         add esp, 00000004
    :00533CCE 38C3           cmp bl, al
    :00533CD0 74DA           je 00533CAC
    :00533CD2 1BC0           sbb eax, eax
    :00533CD4 83D8FF         sbb eax, FFFFFFFF
    :00533CD7 5B             pop ebx
    :00533CD8 5E             pop esi
    :00533CD9 5F             pop edi
    :00533CDA C9             leave
    :00533CDB C3             ret

    The above function is rather complicated. You wouldn't want to know what it
    does... ;-)
    Anyway, if you go through it several times, changing some variables and flags,
    you'll arrive at the conclusion that the value of eax (when the call returns)
    can be either 0, FFFFFFFF or 1. (If you inserted the wrong CD it is 1 or
    FFFFFFFF.)

    We can assume at this point that the value 0 means we have inserted the
    right CD ... let's try it out!
    When you are debugging and you are at the end of the function (e.g. at 533CDA)
    type: r eax=0 [ENTER] and press [CONTROL-D] in order to let it go on. It works,
    you've made it!

    Well, if you're not so sure about this business (WHY did it work ???) go on
    reading ... if you are sure or just don't care, jump to the cracking section.

    Okay, so you want to be a cracker... Let's assume you haven't changed anything
    (and have inserted the wrong CD), then the call will return eax=1. Let's look
    again at the code after the call returns:

    :004D664E 83C408         add esp, 00000008
    :004D6651 83F801         cmp eax, 00000001                     -> if eax=1 . set Z ;or C if eax=0
    :004D6654 1BC0           sbb eax, eax                          -> eax=1-1 => eax=0
    :004D6656 F7D8           neg eax                               -> 'invert' eax => eax=0
    :004D6658 5D             pop ebp
    :004D6659 5F             pop edi
    :004D665A 5E             pop esi
    :004D665B 5B             pop ebx
    :004D665C 81C40C020000   add esp, 0000020C
    :004D6662 C20400         ret 0004                              -> ... and return

    So the whole function returns eax=0 if the CD is wrong... Hmmm....
    Usually, when looking at simple protections, you'll see that when eax=0
    means WRONG, then eax=1 will mean ALL RIGHT.
    Let's see what happens if the call returns with eax=0 ....

    :004D6651 83F801         cmp eax, 00000001                     -> if eax=1 ... (set C=1)
    :004D6654 1BC0           sbb eax, eax                          -> eax=eax-(eax+c) => eax=0-1=FFFFFFFF
    :004D6656 F7D8           neg eax                               -> 'invert' eax => eax=1

    Looks like this is another simple protection scheme ...
    Now you have basically two ways to crack this game:

    You can set eax=1 in the function or you can set eax=0 in the call.
    It is possible that the game might make a check during the gameplay with this
    call but from another function.
    Considering this, it would be best to insert a 'mov eax,0' instruction into
    the call, somewhere at the end (or at the beginning, followed by a 'return').
    But this game won't make such a check! (You can try it out ...)
    So you can just as well insert a 'mov eax,1' instruction in the function,
    somewhere at the end (or at the beginning, followed by a 'return').
    It is up to you. I've chosen the first possibility.
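    As an added illustration (not part of BuLLeT's tutorial): a small C model of the
    check at 004D65F6..004D6662 and of the cmp/sbb/neg idiom, so you can see why the
    inner call returning 0 is the only case that makes the whole function return 1.
    The drive type, the GetVolumeInformationA result and the inner call's result are
    passed in as parameters, since the real values come from Win32 calls.

```c
#include <stdint.h>
#include <stdio.h>

/* Win32 return values of GetDriveTypeA quoted in the tutorial. */
#define DRIVE_FIXED 3u
#define DRIVE_CDROM 5u

/* Models the three x86 instructions at 004D6651..004D6656:
 *   cmp eax, 1      ; CF = borrow of (eax - 1) unsigned, i.e. CF = (eax == 0)
 *   sbb eax, eax    ; eax = eax - eax - CF  -> 0 or 0xFFFFFFFF
 *   neg eax         ; eax = -eax            -> 0 or 1
 * The only state that survives 'cmp' into 'sbb' is the carry flag, so the
 * sequence is a branch-free 'eax = (eax == 0)'. */
static uint32_t cmp_sbb_neg(uint32_t eax)
{
    uint32_t cf = (eax < 1u) ? 1u : 0u;     /* cmp eax,1: borrow out */
    eax = eax - eax - cf;                   /* sbb eax,eax           */
    eax = 0u - eax;                         /* neg eax (wraps mod 2^32) */
    return eax;
}

/* Models the whole CD-check function at 004D65F6..004D6662.
 *   drive_type   - what GetDriveTypeA returned for the probed drive
 *   volume_ok    - nonzero if GetVolumeInformationA succeeded (disc present)
 *   inner_result - what the call at 00533C50 returned after checking the
 *                  volume label: 0 = expected label, 1 or 0xFFFFFFFF = not
 * Returns 1 if the check passes, 0 otherwise, like the listing. */
static uint32_t cd_check(uint32_t drive_type, int volume_ok, uint32_t inner_result)
{
    if (drive_type != DRIVE_CDROM)   /* cmp eax,5 / je ... / xor eax,eax / jmp */
        return 0u;
    if (!volume_ok)                  /* test eax,eax / mov eax,0 / je 004D6658  */
        return 0u;
    return cmp_sbb_neg(inner_result);
}

int main(void)
{
    /* Constructed inputs: every case the tutorial walks through. */
    const uint32_t inner[] = { 0u, 1u, 0xFFFFFFFFu };
    int i;
    for (i = 0; i < 3; i++)
        printf("inner call returned %08X -> function returns %u\n",
               inner[i], cd_check(DRIVE_CDROM, 1, inner[i]));
    printf("fixed disk instead of CD-ROM -> %u\n", cd_check(DRIVE_FIXED, 1, 0u));
    printf("CD-ROM drive but no disc     -> %u\n", cd_check(DRIVE_CDROM, 0, 0u));
    return 0;
}
```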

    I'll try to explain how to do it:

    1. The easiest way is to write down a long sequence of the hexadecimal code,
       in order to locate this fragment in the exe file. (e.g. 8D05D08E560083780800 -
       this is taken from 533C5C to 533C62)
       You could just as well read the local offset from SoftICE - it can be a bit
       confusing though.
    2. Launch hiew (HIEW EMPIRES.EXE), press [F4] and then [F2] in order to
       view the file in hex mode.
    3. Search for the string you've written down ([F7]).
    4. Now switch to decode mode ([F4],[F3]) - you're right there, shortly after
       the beginning of the call.
    5. Go to the 'mov esi,[ebp][0000C]' instruction (it will be overwritten, but
       that doesn't matter).
    6. Press [F3] followed by [TAB].
    7. Now you can type the command 'mov eax,0h' - you surely remember why, don't
       you? The hex code of this command should look like: B800000000
       Now it should jump to the end of the call - type 'jmp xxxxxx', where xxxxxx
       represents the end of the call. The address will vary so you have to look for
       it yourself. In our listing it is at 533CD7. Look at this code and look for
       it in hiew. Then you'll have the needed address...
    8. Press [ESC] to end assembly, [F9] to save it, quit HIEW and launch the game...
    9. It works !!!!

    I hope I made myself a bit clear and that you understand at least 80% of it.
    If you do not understand or have any question/comment feel free to contact me.

    This crack could without a doubt be done more elegantly, but I'll leave it up
    to you to find the easiest way. After all I did teach you one of the ways :P

    All for now..Cya

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

    Written by -=[BuLLeT]=-
    E-Mail: BuL_LeT@hotmail.com

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------



    PART 2: How to get a serial in Easy CD-DA Extractor 3.0 beta


    Now what's this??? Two tutorials in ONE day!! I must be writing my bloody ass
    off.. I wonder why I feel like writing all the time :P
    Well, the program we're gonna attack this time is called:

                   Easy CD-DA Extractor 3.0 beta [build 340]
                    (http://www.saunalahti.fi/~poiko/cdda3)

    I bet you all know what this is. If you do not know what this is I'll just
    give a short description. CD-DA is a program to rip audio CDs. This is very
    useful, and in addition it also has the cool feature of being able to get
    all the track info from the internet - a huge database with (almost) every CD!

    To follow this tutorial step by step you only need SoftICE 3.24.
    Sounds cool? Well it is :)

    So.. what are we waiting for? Let's crack this little bastard.

    1. Open the program.. what's this? "Enter registration code...."
       Let's press that nasty little button. Enter your name and a random serial.
       (e.g.: BuLLeT / 22446688)
    2. So now it's time to run that wonderful little debugger. Press CTRL+D.
       Now we need to set a bpx. Try setting GetWindowTextA / GetDlgItemTextA.
       Press F5 and click OK. What's this... no break. Well now what? You know of
       any other breakpoints that might be useful? Well at least I remember one ;)
    3. I wonder what this little fella could do: BPX HMEMCPY (=useful - I think)
       So press CTRL+D to return to SoftIce. You might wanna clear the other bp's
       which you set before (BC* = clear all breakpoints). Type: BPX HMEMCPY, and
       press F5. Click OK.
    4. BZZZZzzzz....BOOM. Beam me up Scotty ;) You're now back in SoftICE happier
       than ever. But you're at the wrong place, aren't you? It says USER32 at the
       bottom of the screen. Hmm.. let's get to the right place. Press F10 a lot of
       times (about 148 times I think). At least until you see this:

               XOR EDX,EDX                 <- Set EDX=0
               MOV [EBP-04],EDX            <- Move stuff around
               LEA EDX, [EBP-04]           <- Put EBP-04=EDX
               INC DWORD PTR [EBP-18]      <- Increase stuff
               MOV EAX, [EBX+000001E0]     <- Move stuff to EAX
               CALL 0045C978               <- A call..hmm...
               LEA ECX, [EBP-04]           <- This is where you should be

    5. Ok.. you're now at 'LEA ECX, [EBP-04]', right? If not, start over =)
       If you have done everything I told you correctly you should now see this
       line in the top right corner of the screen:

                              SS: 0079EA48=009D5254

       What this means is not a child thing and I will therefore not explain it in
       detail. *cough*
       So.. what's next? Well, isn't it obvious? If not, keep reading.
    6. Try typing: 'D 009D5254'. What d'ya see? You should see your name twice, and
       what's that below? Looks like a code. Or?
       This is a piece of what i saw in the data-window:

                                    BuLLeT...........
                                    XXXXXXXXXX.......
                                    BuLLeT...........
                                    ........EZCDDAX3-
                                    711189DC-A7964775
                                    -396.............

       Doesn't that look too easy? I'd be a moron if I couldn't see it.. but I
       could. (Lucky me :) )
    7. So.. write it down and clear all breakpoints (=BC*). Press F5 to return to
       CD-DA and enter the code.
       (Name: BuLLeT  /  Code: EZCDDAX3-711189DC-A7964775-396)
    8. YIIIIHAAAAAAAAAAAA. Damn you're good *cough*. No more NAG and no more:
       "You can only select multiple tracks....."

    And they lived happily ever after......*kiss*
    Damn..i'm getting sentimental...sux

    All for now..Cya

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------

    Written by -=[BuLLeT]=-
    E-Mail: BuL_LeT@hotmail.com

    ------------------- i MaY Be SLoW - BuT i'M DeaDLy aS HeLL -------------------



   PART 3: How to get a serial in MP3 to EXE 1.01
           http://software.webset.de/buschjost/mp3eng.htm


   Step 1. Run MP3TOEXE

   Step 2. Click on Register, enter "The Keyboard Caper" as Name, "tKC"
           as Serial, and "12345" as Registration Code.

   Step 3. Click OK. Wrong code.. Hmm, it's written in Delphi! *duh* ;)

   Step 4. Ok, not a big problem. Quit MP3TOEXE, open W32Dasm and
           disassemble MP3TOEXE.EXE.

   Step 5. Once it's disassembled, click STRING DATA REFERENCE,
           look down for the string:

           "The Registrationinformation is wrong. Try again?" and double click it.

   Step 6. Close SDR window, you should see the line:

* Possible StringData Ref from Code Obj ->"The Registrationinformation is "
                                        ->"wrong. Try again?"

   :0045468B BA4C4B4500              mov edx, 00454B4C

   Step 7. Now press PgUp key till we get:

   :0045459A 8D55F8                  lea edx, dword ptr [ebp-08]

   Step 8. This is the address we're gonna use in SoftIce.
           Close W32Dasm. Go back to MP3TOEXE, run and click Register button.

   Step 9. CTRL-D to SoftIce. Type BPX SHOWWINDOW, then F5.
           Click Enter RegistrationCode .. *boom* you're back in SoftIce.

   Step 10. Type G 45459A  <--- this is the address we got in W32Dasm.
            *boom* we're back at MP3TOEXE. Re-enter the info as in Step 2,
            then click OK. *boom* we're at the right caller!

   Step 11. At 0177:0045459A, you'll see SS: 0071ED7C=00C4E1CC in Register Window,
            type D C4E1CC, and we get my name in Data Window. Kewl, trace down till:

            0177:004545AE  PUSH EAX

   Step 12. Type D EAX and you'll get "12345" in Data Window..
            Kewl, our false code!

   Step 13. Trace downward (press F10) till you see:

            0177:004545E7  POP EAX

            Now you'll see in Register Window:

            EDX=00C4E1CC .. hmm, what's it?

   Step 14. Type D EDX and what do we get in Data Window?
            *our registration code!!*

   Step 15. Type BC* and press F5 to return to MP3TOEXE.

   Step 16. Enter "032C8CD850E55270" *registered!*
            It won't say whether it has accepted your code, just click X to close, and X
            again to close the boxes. Then click About, you'll see it's registered!




   PART 4: How to get a serial in Visual Day Planner 6.1
           ftp://www.inklineglobal.net/win32/2day61.zip


   Step 1. Run VDP.EXE, click Enter Reg. Code.

   Step 2. Enter "The Keyboard Caper" as Name, "The Cracker" as Company and "12345" as Code.

   Step 3. Wrong Registration Code! Kewl, let's go!

   Step 4. Quit VDP. Run SmartCheck. (I'll use SC as a shortcut)

   Step 5. Click Program/Settings. In Error Detection, all the boxes should be checked.
           In Reporting, everything should be checked except Report MouseMove events.
           Go back to Error Detection, click Advanced, first 4 boxes should be checked,
           and the rest unchecked.

   Step 6. Click OK to accept settings. Ok, let's go!

   Step 7. In SC, open File VDP.EXE and RUN it!

   Step 8. Don't panic!! If you get an API failure or whatever, just click ACKNOWLEDGE.
           DON'T CLICK SUPPRESS!! Else it will stop showing all the errors!
           Right now, keep clicking Acknowledge till you get VDP popping up on screen.
           It's normal that it shows all that shit.

   Step 9. Ok, now you see VDP on your screen, click Register/Enter Reg. Code.
           Re-enter "The Keyboard Caper" as Name, "The Cracker" as Company
           and "12345" as Code.

   Step 10. Click OK, now you'll get the Wrong Code box. Go to SC; in the Program Results window
            you'll see: + mnuCode_Click below, click on + to expand the branch. Trace down
            till you see + RegcodeForm.Show, expand it.

   Step 11. Trace down till you see + btnOK_Click, expand it. Go down to SECOND LCase$,
            on the right window (debug info) you'll see:

            String string = 0058A3D0
                   "12345"

   Step 12. Ok, this is where you've entered a wrong code. Go down to LCase$.. hmm.. there
            are so many LCase$ below, and it's showing lots of registration codes! So what,
            take any one you want.. In my case, I take: 3882D927-9Y78-29699

   Step 13. Ok, enter that code.. Ahhhh now it has accepted the code! Kewl, your first serial
            in a VB5 program!

   Step 14. For some practice, I suggest you unregister VDP and replay it over till you know
            what you're doing. To unregister VDP, open REGEDIT, go to:

            HKEY_CLASSES_ROOT\.isl\Code

            And delete the key, press F5 to update the registry. Close REGEDIT.

   Step 15. Now you can re-crack your VDP. In the next tutor, I'll show you how to get more
            out of SmartCheck. It's fun!



   I really hope you've enjoyed this tutorial as much as I did!
   In the next tutorial, we'll include other crackers' tuts here.
   Don't miss Tutor #11! ;)

   And as I said last time: Without knowledge, there's no power! ;)


   Credits go to: 

   DaVince for Splash Logo - you r0x!! (This is the last logo I've got
   from him, finally we come at it. DV, I'll miss your gfx!!)
   BuLLeT for providing tuts in this version.
   

   PersGreetz go to:

   Miss Jessica, PowerLord, Arcane, Nitallica, Meshi & everyone on IRC!
   Yea babes again! *always* <GRiN>


   You can find me on IRC or email me at tkc@reaper.org


   Written by The Keyboard Caper - tKC
   The Founder of PhRoZeN CReW/Crackers in Action '98

   Compiled on 16 November 1998

   Cracking Tutorial #10 is dedicated to all the newbies :-P