
                   [PhRoZeN CReW splash logo by DaVince]


   Welcome to Cracking Tutorial #9!
   Yikes! Here we are again! More newbies..
   Man, it's been a long time, no tutors! *cough* .. *cough*
   Ok, not a biggie problem! ;)

   As you can see, I've changed the layout *again*.
   It should look professional now :P Anyway, I hope
   you'll like this version! ;)

   Warning, this tutorial is a real mother!!  *grin*

   In this tutor I'll teach you more about W32Dasm
   and SoftIce. Without knowledge, no power! ;)

   Sorry for my grammatical errors, I hope you'll understand
   this piece anyway! Ok, let's rock!!


   Tools - What tools should we use?

   Tutor Part 1 - How to get a serial in WinAmp 2.01
                  We'll use SoftIce

   Tutor Part 2 - How to get a serial in WinNavigator 1.0
                  We'll use SoftIce and W32Dasm

   Tutor Part 3 - How to get a serial in WinBoost 98 1.1
                  We'll use SoftIce and W32Dasm

   Tutor Part 4 - How to make a 'keygen' for File Mag-Net 1.10
                  We'll use SoftIce, W32Dasm and HIEW

   *Please refer to PC.NFO where to get all those programs above!*

   Ending - Last Words

   PART 1: How to get a serial in WinAmp 2.01


   Step 1. Run WINAMP.EXE

   Step 2. Right-click on WinAmp, select Shareware, click on Enter
           Registration Info. Enter "tKC/PC '98" as Name and "123456"
           as Reg#. Hmm, the OK button is disabled, you can't click it.
           What now?

   Step 3. Ok, not a big problem. Press CTRL-D to Softice.

   Step 4. Type BPX GETDLGITEMTEXTA and press F5 to return to WinAmp.
           The dialog re-reads its edit fields with GetDlgItemTextA every
           time their contents change, so the very next keystroke will
           trip the breakpoint.

   Step 5. Press BackSpace at Reg#, to erase "6" .. *boom* now you
           are in Softice!

   Step 6. Press F11 to return to the caller, i.e. the WinAmp code that
           called GetDlgItemTextA.

   Step 7. Do you see EAX=0000000A in the Register Window? That's the
           return value of GetDlgItemTextA: the length of our name.
           Type ? EAX and you'll see:

           0000000A  0000000010  <--- 10 letters for our name

           (? shows a value in hex, then in decimal, then as ASCII.)
           We know we're near the bitch's nest. We're getting there ;)

   Step 8. Trace downward (press F10) till you see:

           0177:00403AD1  MOV ESI, EAX  <--- our false code

   Step 9. Now type ? EAX and you'll see:

           00003039  0000012345  "09"

           3039h is 12345 in decimal: our false code, already converted
           from text to a number. The "09" is just how its two low bytes
           (30h 39h) read as ASCII. Ok, kewl.

   Step 10. Trace downward (press F10) till you see:

            0177:00403AD6  PUSH EAX  <--- our name

   Step 11. Type D EAX. What do you see in Data Window? *Our Name*

   Step 12. Trace downward (press F10) till you see:

            0177:00403ADC  ADD ESP, 04

            Now you'll see in Register Window:

            EAX=04EC9715 .. hmm, what's it?

   Step 13. Type ? EAX and you'll see:

            04EC9715  0082614037  ""

            Kewl, it's our code! The program has just computed the serial
            that belongs to our name and holds it as a 32-bit number; the
            decimal column is what it expects us to type.

   Step 14. Type BC* (clears all breakpoints) and press F5 to return to
            WinAmp.

   Step 15. Enter "82614037" as Reg#. *registered!*


   PART 2: How to get a serial in WinNavigator 1.0


   Step 1. Run WN.EXE

   Step 2. Click on Register, enter "tKC/PC '98" as Name, and "12345"
           as Registration Number.

   Step 3. Press CTRL-D to Softice.

   Step 4. Type BPX GETWINDOWTEXTA and press F5 to return to
           WinNavigator.

   Step 5. Click OK .. *boom* now you are in Softice.

   Step 6. You can press F11 to get to the caller.

   Step 7. Hmm, I don't think we're at the right place: F11 lands in
           library code, nowhere near a comparison. That's because WN is
           written in Delphi *duh* ;) and the VCL copies the edit text
           into its own string objects before the program ever looks at
           it, so the API breakpoint doesn't lead us to the check.

   Step 8. Ok, not a big problem, type BC* and press F5. Quit WN,
           open W32Dasm and disassemble WN.EXE.

   Step 9. Once it's disassembled, click STRING DATA REFERENCE and
           scroll down the list to the string:

           "Wrong registration number" and double click it. W32Dasm
           jumps to the instruction that references it.

   Step 10. Close SDR window, you should see the line:

* Possible StringData Ref from Code Obj ->"Wrong registration number"

   :004A79CF B8047B4A00              mov eax, 004A7B04
   ...
   ...
   ...
* Possible StringData Ref from Code Obj ->"The registration successfully"

   Step 11. Now press PgUp until you reach:

   :004A7996 E8EDC3F5FF              call 00403D88

            This is the last call above the failure message, so the
            check (and the real serial) must be somewhere between it and
            the message.

   Step 12. This is the address we're gonna use in SoftIce.
            Close W32Dasm. Go back to WN, run it and enter the name and
            number as in Step 2.

   Step 13. CTRL-D to SoftIce. Type BPX SHOWWINDOW, then F5.
            Click OK .. *boom* you're back in SoftIce. This time the
            only thing we wanted from the breakpoint is to pop up inside
            WN's process.

   Step 14. Type G 4A7996  <--- the address we got from W32Dasm. G puts
            a one-shot breakpoint there and resumes (that's why we needed
            to be in WN's context first: the address has to be resolved
            in WN's own address space). *boom* we're back at WN. Click
            OK, again click OK. *boom* we're at the right caller!

   Step 15. Do you see EAX=0151C89C in Register Window? Type D EAX
            and we'll see our name in Data Window. Kewl, we know
            we're near the bitch's nest. We're getting there ;)

   Step 16. Trace downward (press F10) till you see:

            0177:004A79C5  MOV EAX, [EBP-04]

            Now you'll see in Register Window:

            EDX=0151C8C8 .. hmm, what's it?

   Step 17. Type D EDX and you'll get "12345" in Data Window..
            Kewl, our false code!

   Step 18. Trace downward (press F10) till you see:

            0177:004A79C8  CALL 00403E98

            Now you'll see in Register Window:

            EAX=0151C8B4 .. hmm, what's it?

   Step 19. Type D EAX and what do we get in Data Window?
            *our registration code!!*

   Step 20. Type BC* and press F5 to return to WN.

   Step 21. Enter "4459953" *registered!*



   PART 3: How to get a serial in WinBoost 98 1.1


   Step 1. Run WB98.EXE

   Step 2. Click on Register, enter "tKC/PC '98" as Name, and "12345"
           as Registration Code.

   Step 3. Click OK. Nothing happens, not even an error box, hmm, it
           sucks. And again it's written in Delphi! *duh* ;)

   Step 4. Ok, not a big problem. Quit WB98, open W32Dasm and
           disassemble WB98.EXE.

   Step 5. Once it's disassembled, click STRING DATA REFERENCE,
           look down for the string:

           "WinBoost 98 has been registered" and double click it.

   Step 6. Close SDR window, you should see the line:

* Possible StringData Ref from Code Obj ->"WinBoost 98 has been registered"

   :004AE069 B844E34A00              mov eax, 004AE344

   Step 7. Now press PgUp until you reach:

   :004AE019 8B45F4                  mov eax, dword ptr [ebp-0C]

   Step 8. This is the address we're gonna use in SoftIce: it's just
           above the "registered" message, so the comparison that decides
           the outcome has to happen between here and there.
           Close W32Dasm. Go back to WB98, run it and enter the name and
           code as in Step 2.

   Step 9. CTRL-D to SoftIce. Type BPX SHOWWINDOW, then F5.
           Click ORDER FORM .. *boom* you're back in SoftIce, inside
           WB98's process, which is all we needed from that breakpoint.

   Step 10. Type G 4AE019  <--- the address we got from W32Dasm; G puts
            a one-shot breakpoint there and resumes. *boom* we're back at
            WB98. Click ORDER LATER, then click OK. *boom* the breakpoint
            fires and we're at the right place!

   Step 11. Trace downward (press F10) till you see:

            0177:004AE01C  MOV EDX, [EBP-10]

            Now you'll see in Register Window:

            EAX=0904054 .. hmm, what's it?

   Step 12. Type D EAX and you'll get "12345" in Data Window..
            Kewl, our false code!

   Step 13. Trace downward (press F10) till you see:

            0177:004AE01F  CALL 00403D74

            Now you'll see in Register Window:

            EDX=091BF7C .. hmm, what's it?

   Step 14. Type D EDX and what do we get in Data Window?
            *our registration code!!*

   Step 15. Type BC* and press F5 to return to WB98.

   Step 16. Enter "375782918" *registered!*
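   The PgUp hunt in Part 2 (Steps 9-11) and Part 3 (Steps 5-7) is the
   same thing twice: find the StringData reference for the message, then
   walk up the listing to the nearest call above it. Here it is as a
   script over a W32Dasm listing. This is an added example, not part of
   the original tutorial. The listing text is constructed from the lines
   shown above, with "..." standing for the instructions the tutorial
   skips; the opcode bytes for the two WB98 lines that only appear as
   SoftIce output above (mov edx,[ebp-10] and call 00403D74) are
   reconstructed from those instructions, not copied from WB98.EXE. As a
   bonus the script decodes each call's E8 rel32 and checks it against
   the operand W32Dasm printed, which catches a mistyped address before
   you burn a SoftIce session on it.

```python
"""Added example, not tKC's code: the PgUp hunt of Parts 2 and 3 over a
W32Dasm listing. Finds the "* Possible StringData Ref" comment for a
message, walks up to the nearest call above it, and verifies that the
call's E8 rel32 bytes really land on the operand W32Dasm printed.

WN_LISTING / WB98_LISTING are constructed from the tutorial's lines ("..."
marks elided instructions). The bytes of the two WB98 lines that the page
only shows as SoftIce output are reconstructed from the instructions.
"""
import re
from typing import List, NamedTuple, Optional


class Insn(NamedTuple):
    address: int
    raw: bytes                  # opcode bytes W32Dasm prints after the address
    mnemonic: str
    operands: str
    string_ref: Optional[str]   # StringData comment printed directly above, if any


INSN_RE = re.compile(r"^:([0-9A-F]{8}) ([0-9A-F]+)\s+(\S+)\s*(.*)$", re.I)
SREF_RE = re.compile(r'^\* Possible StringData Ref from \w+ Obj ->"(.*)"')


def parse_listing(text: str) -> List[Insn]:
    """Turn W32Dasm's text output into Insn records; any other line is ignored."""
    insns, pending = [], None
    for line in text.splitlines():
        line = line.strip()
        m = SREF_RE.match(line)
        if m:
            pending = m.group(1)        # attaches to the next instruction line
            continue
        m = INSN_RE.match(line)
        if m:
            insns.append(Insn(int(m.group(1), 16), bytes.fromhex(m.group(2)),
                              m.group(3).lower(), m.group(4).strip(), pending))
            pending = None
    return insns


def call_target(insn: Insn) -> Optional[int]:
    """Decode a near relative call: target = address of next instruction + rel32."""
    if len(insn.raw) != 5 or insn.raw[0] != 0xE8:
        return None
    rel = int.from_bytes(insn.raw[1:], "little", signed=True)
    return (insn.address + 5 + rel) & 0xFFFFFFFF


def call_before_string(insns: List[Insn], needle: str) -> Insn:
    """From the instruction W32Dasm tagged with `needle`, walk upwards to the
    nearest call. That is where the tutorial drops its one-shot breakpoint
    (G 4A7996) and starts single-stepping until the real serial shows up."""
    hits = [i for i, insn in enumerate(insns)
            if insn.string_ref and needle in insn.string_ref]
    if not hits:
        raise LookupError(f"no StringData ref containing {needle!r}")
    for insn in reversed(insns[:hits[0]]):
        if insn.mnemonic != "call":
            continue
        # Direct calls print an 8-digit target; check the bytes agree with it.
        if re.fullmatch(r"[0-9A-F]{8}", insn.operands, re.I):
            if call_target(insn) != int(insn.operands, 16):
                raise ValueError(f"bytes and operand disagree at :{insn.address:08X}")
        return insn
    raise LookupError(f"no call above the reference to {needle!r}")


WN_LISTING = """\
:004A7996 E8EDC3F5FF              call 00403D88
...
* Possible StringData Ref from Code Obj ->"Wrong registration number"
:004A79CF B8047B4A00              mov eax, 004A7B04
"""

WB98_LISTING = """\
:004AE019 8B45F4                  mov eax, dword ptr [ebp-0C]
:004AE01C 8B55F0                  mov edx, dword ptr [ebp-10]
:004AE01F E8505DF5FF              call 00403D74
...
* Possible StringData Ref from Code Obj ->"WinBoost 98 has been registered"
:004AE069 B844E34A00              mov eax, 004AE344
"""

if __name__ == "__main__":
    for listing, msg in ((WN_LISTING, "Wrong registration number"),
                         (WB98_LISTING, "WinBoost 98 has been registered")):
        c = call_before_string(parse_listing(listing), msg)
        print(f"{msg!r}: G {c.address:X}   (call {call_target(c):08X})")
```

   Run it directly and it prints the G address for each sample listing.
   On a real listing (W32Dasm's Save Disassembly Text File) feed the file
   contents to parse_listing() and the nearest call above any string
   reference falls out the same way.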



   PART 4: How to make a 'keygen' for File Mag-Net 1.10


   Step 1. Run FMAGNET.EXE

   Step 2. Enter "tKC/PC '98" as Name, and "12345" as Code.

   Step 3. Click Register: "Sorry, wrong Registration ID or KEY". Kewl,
           that's the message we'll hunt for. Let's go!

   Step 4. Quit FMAGNET. Copy FMAGNET.EXE to FMAGNET.EXX (your backup of
           the unpatched file) and copy FMAGNET.EXE to FMAGNET.W32 (the
           copy W32Dasm works on, so it never has the file we're going to
           patch open). Open W32Dasm and disassemble FMAGNET.W32.

   Step 5. Once it's disassembled, click STRING DATA REFERENCE,
           look down for the string:

           "Sorry, wrong Registration ID or" and double click it.

   Step 6. Close SDR window, you should see the line:

* Possible StringData Ref from Data Obj ->"Sorry, wrong Registration ID or"

   :0040276A 68B4A04100              push 0041A0B4

   Step 7. Now press PgUp until you reach:

   :00402763 6A10                    push 00000010

           This is the first argument push (10h = MB_ICONHAND) for the
           message box that shows the error; the caption and the
           "Sorry, wrong..." text are pushed right after it.

   Step 8. This is the address where we're gonna patch FMAGNET.EXE.
           The file offset is 1B63 (W32Dasm shows it in the status bar
           at the bottom; it's the virtual address 00402763 minus the
           difference between the section's virtual address and its
           position in the file). Close W32Dasm.

   Step 9. Run HIEW FMAGNET.EXE, press F4 to select Decode mode (ASM),
           press F5 (goto) and enter 1B63. You should see:

   00001B63: 6A10                         push      010
   00001B65: 68D8A04100                   push      00041A0D8
   00001B6A: 68B4A04100                   push      00041A0B4

   Step 10. This is where FMAGNET builds the arguments for the error
            message box. The trick of this 'keygen' is to make that same
            box display the name and the correct serial instead: when
            this code runs, pointers to both are still on the stack, so
            we push those in place of the error text and caption.
            I'm not gonna tell you the full details; if you play with
            SoftIce, you'll find the registers and stack slots where the
            name/code are stored. The best is to play till you get it.

   Step 11. Ok, press F3 to edit FMAGNET.EXE and type the following bytes:

   00001B63: 8B6C2410                     mov       ebp,[esp][00010]
   00001B67: 8B74241C                     mov       esi,[esp][0001C]
   00001B6B: 8BC5                         mov       eax,ebp
   00001B6D: 8BDE                         mov       ebx,esi
   00001B6F: 50                           push      eax
   00001B70: 53                           push      ebx

   Step 12. Press F9 to write the change to FMAGNET.EXE and exit HIEW.
            Run FMAGNET, enter your name/code, click Register.

   Step 13. Kewl, you've got your name and a correct serial!
            *oops* *!@#$%* *crash* Shit happens. ;) No big surprise:
            the original code pushed all four MessageBox arguments and
            our 14 bytes push only two, so once the box is closed the
            stack is off and the program returns into garbage.

   Step 14. Not a biggie problem. We'll have to correct it. Open
            W32Dasm, click Imported Functions, look down for the
            string:

            "MSVCRT.exit" and double click it.

   Step 15. Close ImpFn window, you should see the line:

   :0041236A FF15E4C04100            Call dword ptr [0041C0E4]

            Ah, this is the call to exit. We'll call it ourselves to
            leave FMAGNET right after it has shown us our name/code,
            instead of letting it return on the broken stack. The offset
            is 1176A (again, read it off the status bar at the bottom of
            W32Dasm). Close W32Dasm.

   Step 16. Run HIEW FMAGNET.EXE, press F4 to select Decode mode (ASM),
            press F5 and enter 1B63. This is where you patched it.
            Press F3, go to 1B76 (right after the 5-byte call at 1B71),
            enter "E8EFFB0000" and press F9 to update FMAGNET.EXE.
            E8 is a relative call: its 32-bit displacement is counted
            from the end of the instruction, 1176A - (1B76 + 5) = FBEF,
            stored little-endian as EF FB 00 00.

   Step 17. It should look like:

   00001B63: 8B6C2410                     mov       ebp,[esp][00010]
   00001B67: 8B74241C                     mov       esi,[esp][0001C]
   00001B6B: 8BC5                         mov       eax,ebp
   00001B6D: 8BDE                         mov       ebx,esi
   00001B6F: 50                           push      eax
   00001B70: 53                           push      ebx
   00001B71: E830F10000                   call      000010CA6 ------ (1)
   00001B76: E8EFFB0000                   call      00001176A ------ (2)

   Step 18. Exit HIEW, run FMAGNET. Enter your name/code. *boom*
            Works .. no crash!

   Step 19. Now you've got the idea of how this kind of 'keygen' works:
            we never worked out the serial algorithm, we just made the
            program's own check display the serial it computed. You'll
            need to play with other programs to understand the bitch! :P
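   Steps 8, 15 and 16 above hide three pieces of arithmetic: the virtual
   address to file offset conversion that W32Dasm does for you, the
   encoding of the E8 call typed into HIEW, and the overwriting of bytes
   at an offset. The script below does all three and checks its own
   work. It is an added example, not tKC's code and nothing shipped with
   FMAGNET. It works on a constructed stand-in for FMAGNET.EXE: a minimal
   PE header whose only section, .text, sits at RVA 1000h and file offset
   400h. That layout is an assumption; it is the one implied by both
   VA/offset pairs on this page (402763h -> 1B63h and 41236Ah -> 1176Ah,
   both differing by 400C00h), and with the real file you'd read its
   header instead of building one. Only the bytes the listings above show
   are placed in the stand-in.

```python
"""Added example, not tKC's code: the arithmetic behind Part 4.

  va_to_offset()  VA -> file offset through the PE section table
                  (the page's 0x402763 -> 0x1B63 and 0x41236A -> 0x1176A)
  encode_call()   the E8 rel32 bytes typed into HIEW in Step 16 (E8EFFB0000)
  apply_patch()   overwrite bytes, refusing if what's there isn't what the
                  listing showed (wrong file or wrong offset)

build_sample_image() is a constructed stand-in for FMAGNET.EXE: a minimal
PE32 header with one section, .text, at RVA 0x1000 / raw offset 0x400. That
layout is an assumption consistent with the two VA/offset pairs on the page.
"""
import struct

SECTION_HDR = "<8sIIIIIIHHI"            # IMAGE_SECTION_HEADER, 40 bytes


def read_sections(pe):
    """Return (ImageBase, [(name, rva, vsize, raw_ptr, raw_size), ...])."""
    if pe[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", pe, 0x3C)[0]
    if pe[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature missing")
    nsec = struct.unpack_from("<H", pe, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", pe, e_lfanew + 20)[0]
    opt = e_lfanew + 24                                  # IMAGE_OPTIONAL_HEADER32
    image_base = struct.unpack_from("<I", pe, opt + 28)[0]
    secs = []
    for i in range(nsec):
        name, vsize, rva, raw_size, raw_ptr = struct.unpack_from(
            SECTION_HDR, pe, opt + opt_size + 40 * i)[:5]
        secs.append((name.rstrip(b"\0").decode(), rva, vsize, raw_ptr, raw_size))
    return image_base, secs


def va_to_offset(pe, va):
    """Map a virtual address from the disassembly to the file offset HIEW wants."""
    image_base, secs = read_sections(pe)
    rva = va - image_base
    for name, sec_rva, vsize, raw_ptr, raw_size in secs:
        if sec_rva <= rva < sec_rva + max(vsize, raw_size):
            if rva - sec_rva >= raw_size:
                raise ValueError(f"{va:#x} is in the uninitialised tail of {name}")
            return raw_ptr + (rva - sec_rva)
    raise ValueError(f"{va:#x} is outside every section")


def encode_call(at, target):
    """E8 rel32: displacement relative to the end of the 5-byte instruction.
    File offsets give the same bytes as VAs as long as `at` and `target` are
    in the same section, which is why HIEW's 'call 00001176A' agrees with
    W32Dasm's 0041236A."""
    rel = (target - (at + 5)) & 0xFFFFFFFF
    return b"\xE8" + struct.pack("<I", rel)


def apply_patch(buf, offset, new, expect=b""):
    """Overwrite in place; `expect` is the start of what the listing said was there."""
    have = bytes(buf[offset:offset + len(expect)])
    if have != expect:
        raise ValueError(f"bytes at {offset:#x} are {have.hex()}, expected {expect.hex()}")
    buf[offset:offset + len(new)] = new


def build_sample_image():
    """Constructed stand-in for FMAGNET.EXE (assumed layout, see docstring)."""
    buf = bytearray(0x14000)
    buf[:2] = b"MZ"
    e_lfanew, opt_size = 0x80, 0xE0
    struct.pack_into("<I", buf, 0x3C, e_lfanew)
    buf[e_lfanew:e_lfanew + 4] = b"PE\0\0"
    struct.pack_into("<HHIIIHH", buf, e_lfanew + 4, 0x14C, 1, 0, 0, 0, opt_size, 0x102)
    struct.pack_into("<H", buf, e_lfanew + 24, 0x10B)             # PE32 magic
    struct.pack_into("<I", buf, e_lfanew + 24 + 28, 0x400000)     # ImageBase
    struct.pack_into(SECTION_HDR, buf, e_lfanew + 24 + opt_size,
                     b".text", 0x12000, 0x1000, 0x12000, 0x400, 0, 0, 0, 0, 0x60000020)
    # Only the bytes the tutorial's listings show, at the offsets it gives.
    buf[0x1B63:0x1B6F] = bytes.fromhex("6A10" "68D8A04100" "68B4A04100")
    buf[0x1B71:0x1B76] = bytes.fromhex("E830F10000")              # call 00010CA6
    return buf


def keygen_patch(pe):
    """Apply tKC's two edits (Steps 11 and 16) to an image in memory."""
    msgbox_args = va_to_offset(pe, 0x402763)   # Step 8:  0x1B63, the 'push 10'
    exit_thunk = va_to_offset(pe, 0x41236A)    # Step 15: 0x1176A, call [MSVCRT.exit]
    # Step 11: 14 bytes that load the name/code pointers from the stack and
    # push them where the error text and caption used to be pushed.
    apply_patch(pe, msgbox_args,
                bytes.fromhex("8B6C2410" "8B74241C" "8BC5" "8BDE" "50" "53"),
                expect=bytes.fromhex("6A10" "68D8A04100" "68B4A04100"))
    # Step 16: right after the untouched 5-byte call at 0x1B71, call exit so
    # the program never returns on the stack the patch left unbalanced.
    after_call = msgbox_args + 14 + 5
    apply_patch(pe, after_call, encode_call(after_call, exit_thunk))
    return pe


if __name__ == "__main__":
    img = keygen_patch(build_sample_image())
    print("patched bytes at 1B63:", img[0x1B63:0x1B7B].hex())
```

   The expect= argument of apply_patch() is the check HIEW doesn't do for
   you: if the bytes at the offset aren't the ones the listing showed, you
   have the wrong file or the wrong offset, and nothing gets written.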



   I really hope you've enjoyed this tutorial as much as I did!
   In the next tutorial I'll give you more advanced lessons on keygens,
   and on how to use SmartCheck. If you ask me nicely, you'll get
   tutor #10 very soon! ;)

   I've got wise words from somebody, here it says:

   If you give a person a crack,
   he will be hungry again.
   If you teach a person to crack,
   he will never be hungry again!

   And as I said last time: Without knowledge, there's no power! ;)


   Credits go to: 

   DaVince for Splash Logo - you r0x!!
   Arcane for providing programs since I have no phone at home yet! ;)
   Acid420 for providing the site to grab programs for this tutorial.
   And everybody for supporting PC!!


   PersGreetz go to:

   Miss Jessica, PowerLord, Arcane, Taylor, Nitallica & everyone on IRC!
   Yea babes again! *sigh* ;)


   You can find me on IRC or email me at tkc@phrozen.crew.in.the.freeza.org


   Written by The Keyboard Caper - tKC/PC '98
   The Founder of PhRoZeN CReW '94-98

   Compiled on 27 September 1998

   Cracking Tutorial #9 is dedicated to Miss Jessica..