CbD's Tutorial #4
	Alternative to Serial # Locating
	Target: Business Cards 32 v4.18
	Level: New to Intermediate

Motive of Crack:
	We all know that sometimes we can't seem to find the right serial number
	when we are cracking a program, so this crack is to help you understand
	that there are other ways to register even if you can't find that "GooD" number.
	I will show you that you can simply make the program take any number as a
	"GooD" one. This type of crack can be hard in some cases, but for this example
	I have chosen a fairly simple program for us to use. If you have read my other
	tutorials you know that I crack in steps to help each of you new crackers
	follow along and hopefully not get lost :-).

About the Crack:
	This crack has 3 main parts, each with its own steps for you to follow.
	I hope I have made it easy for you, and if for some reason you have trouble
	with it please feel free to join us on EFNET in #cracking4Newbies and ask for
	help. Please note that we don't mind helping the newest of the cracking world
	to better their skills, as this is what we are here for.


The Target:		Business Cards 32 v4.18
Get it From:		http://www.midstream.com
Protection Type:	Serial number registration with a 30-day time limit
Requested by:		None
Tools Needed:		SoftICE, Hiew (or another hex editor), Gpatch (Part 3 only)

The Crack

Part #1
	Ok, let's get the crack started: go and get the program from midstream
	and install it. Got it installed yet? Well, do it....

Step 1
	Let's start this crack by looking at our little program. Load Bcards
	and you will see the nag screen telling us that we are not a registered user
	(not yet anyway) and that we have 30 days to try the program. Click to get rid
	of the nag, then click [HELP] [REGISTER] and you will get the little box for your
	info. Put in the name you want, then the company (if you want) and then
	any serial number.

Step 2
	If we wanted to find the "GooD" serial number we would have to use SoftICE
	to find the location where the "GooD" number gets compared to ours, but we don't
	care what the number should be, because we are going to make the program
	take our bogus number (and like it) and then give us registered user status.
	To do this we still have to use SoftICE, so we can find where the program
	checks for a valid number and then make it think any number is a good one.
	So let's get into SoftICE and start the work. Press Ctrl-D; this puts you in SI.
	Now we need to break when the program reads our serial number, so we will set
	a BP (breakpoint) on GetDlgItemTextA, the Win32 call the registration dialog uses
	to read its edit boxes (I have already found the right function for you). So do this:
	BPX GETDLGITEMTEXTA    and press Enter.
	That is the only breakpoint we need for this crack. Get out of SI with Ctrl-D.

Step 3
	Now you should be back in Bcards at the registration screen. Press Enter
	and you will land back in SI at the GetDlgItemTextA function that was called
	by our program. This is not where we need to be, because our program
	has three different text boxes to read the data from: (1) name, (2) company,
	(3) serial number, and the one we want is the serial number. So
	press F11 to return to the place the function was called from, then press F5
	to let the program continue to run. We will break again at GetDlgItemTextA;
	this is where the program gets our company info, which is also not what we
	want, so press F11 to return and then F5. Now we break at the function once more,
	and this time we press F11 to get to where the function was called from. This is
	where the real cracking of the program starts.

Step 4
	Now that we are in the part of the code that checks our serial number
	and decides whether we are a (GooD Guy) or a (Bad Cracker), we need to do some
	single-stepping to see what happens here. Press F10 and watch the lines of code
	as they pass. Stop on the code below.

Your addresses may differ but the code itself should look the same

:00412C3A	ADD	ESP,04
:00412C3D	CMP	BX,AX          [STOP HERE]  <---- compares part of our serial # (16 bits at a time) with the matching part of the good one
:00412C40	JNZ	00412C7E      <---- if the two are equal it falls through and keeps checking; if not, it jumps to 00412C7E, the "bad number" path
:00412C42	LEA	EAX, [EBP-0C]        so this jump is one of the points we need to change


	We need to change the JNZ (Jump if Not Zero) to JZ (Jump if Zero). Note that once
	we do this a valid serial number will no longer register, because the program will
	then think it is a bad number; the inverted jump swaps the two outcomes rather than
	accepting both. So make a note of the address we need to change, and also do
	D xxxx:00412C40 and write down the bytes from the data window for later use
	(they are what we will search for in the hex editor). Or, if you just want to crack your
	own copy and not make a general crack to distribute, you can make the change in SI like this:

A xxxx:00412C40          [ENTER]  <----- press the Enter key
xxxx:00412C40	JZ      00412C7E        [ENTER]   [ENTER]  <---- press Enter twice
	(Note: xxxx is the selector part of the address as you see it on your system; mine is 0137)

	This does not modify the program on disk, only the copy running in memory;
	after you close the program the change is gone. But if you do all the right
	steps the program will still be registered.
	
Step 5
	Ok, that was one of the 3 changes that need to be made, because if you scroll down
	with Ctrl-downarrow you will see the following code. Once you have located it, press F10
	until you get to the CMP, and then if you wish you can make your change.

:00412C62	ADD	ESP,04
:00412C65	CMP	SI,AX        [STOP HERE]  <---- compares the next part of our serial # with the matching part of the good one
:00412C68	JNZ	00412C7E      <---- notice that the jump goes to the same "bad number" address as before
:00412C6A	LEA	EAX, [EBP-0C]   	 so we need to do the same as we did above

	Do a D xxxx:00412C68 and write down the bytes from the data window for this one,
	and again, if you want to, you can make the change right here in SoftICE:

A xxxx:00412C68          [ENTER]  <----- Press the Enter Key
xxxx:00412C68	JZ      00412C7E        [ENTER]   [ENTER]  <---- Press Enter Twice

	That is the second change; one more and the crack is done.

Step 6
	Now F10 just a few more lines and you will see the code below. The jump is at
	00412C7C, not at the Step 5 addresses: a short jump lands at its own address + 2 + the
	displacement byte, and 00412C7C + 2 + 13h = 00412C91, which matches the target shown.
	(The two lines before it are placed by their encoded lengths, 3 and 6 bytes.)

:00412C73	ADD	ESP,04
:00412C76	CMP	EAX, [EBP-0098]       [STOP HERE]
:00412C7C	JZ	00412C91      	<--- jump if all the checks passed; otherwise fall through into the "bad number" code at 00412C7E
:00412C7E	LEA	EAX, [EBP-0C]

	Remember to do a D xxxx:00412C7C and write down the bytes.
	Here we need to change the JZ to a JNZ. Once we have done this we can disable our
	breakpoint (BD * disables them all) and hit F5 or Ctrl-D to let the program continue,
	and as we pop back to the program we will see that we are now a registered owner......


	Ok, we have now cracked this program, and if we want to we can make a general crack
	so everyone can crack their copy. To do this just follow the steps below.

Part 2 

Step 1
	Ok, remember the values I told you to write down? Did you? If not, I have provided them below.

First one was
	xxxx:00412C40   75 3C 8D 45 F4 50 E8 59     <--- search for these eight bytes; 75 3C is the JNZ to change

Second one
	xxxx:00412C68   75 14 8D 45 F4 50 E8 31     <--- search for these eight bytes; 75 14 is the JNZ to change

Third one
	xxxx:00412C7C   74 13 8D 45 F4 50 E8 1D     <--- search for these eight bytes; 74 13 is the JZ to change
	(A short JZ encodes as 74 and a short JNZ as 75, so the first byte here must be 74 for
	the jump Step 6 shows. If a search for 74 finds nothing, search for 75 13 8D 45 F4 50 E8 1D
	instead and let Hiew's disassembly tell you which jump you are looking at.)

	The following instructions are for users of Hiew only; if you are using a different
	hex editor then you will need to find the commands that do the same things.

	Ok, start Hiew by editing the bcards32.exe file (make a backup first),
	then do the following:

	1) when Hiew starts press the F4 key to get Hex view
	2) press F7 to search
	3) enter the first string from above (all eight bytes)
	4) press F2 to get the Code view
	5) press F3 to edit the code
	6) press F2 for ASM mode
	7) change the JNZ to a JZ
		(Hiew may show these as JNE and JE; they are the same instructions, 75 and 74)
	8) press F9 to update
	9) press F10 to exit

	Now do the same for each of the three strings. Restart Hiew each time
	to ensure the search starts from the top of the file and finds the right bytes,
	and check that each string is found exactly once; if it matches more than once you are
	about to patch the wrong place. (For the last one make sure you change the JZ to a JNZ.)
	After you are done with all three you can exit Hiew and continue to Part 3.
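The short-jump arithmetic used to check the listings in Steps 4 to 6, and the Hiew search-and-flip procedure of Part 2, done in one script. This is an added Python example, not CbD's code, and nothing in it was taken from the real bcards32.exe: it assumes the three signatures listed above, searches by bytes because file offsets are not the virtual addresses SoftICE shows, accepts either JZ or JNZ in front of each signature and inverts whichever it finds, and refuses to patch unless each signature occurs exactly once. The sample image it runs on is constructed.

```python
"""Signature-based Jcc inversion (added example; not from the tutorial or the program)."""
import struct
from pathlib import Path

JZ, JNZ = 0x74, 0x75                 # short Jcc opcodes: 74 cb = JZ/JE, 75 cb = JNZ/JNE
FLIP = {JZ: JNZ, JNZ: JZ}            # inverting the condition flips bit 0 of the opcode

# (bytes the tutorial says to search for, VA from the SoftICE listing, claimed jump target)
SIGNATURES = [
    ("75 3C 8D 45 F4 50 E8 59", 0x00412C40, 0x00412C7E),  # Step 4: JNZ -> JZ
    ("75 14 8D 45 F4 50 E8 31", 0x00412C68, 0x00412C7E),  # Step 5: JNZ -> JZ
    ("74 13 8D 45 F4 50 E8 1D", 0x00412C7C, 0x00412C91),  # Step 6: JZ  -> JNZ
]


def short_jcc_target(va: int, disp8: int) -> int:
    """Target of a two-byte Jcc at va: the next instruction (va + 2) plus the signed rel8."""
    rel = struct.unpack("b", bytes([disp8]))[0]
    return (va + 2 + rel) & 0xFFFFFFFF


def find_unique(image: bytes, sig: bytes) -> int:
    """File offset of sig: the seven bytes after the opcode must match, and the opcode
    may be JZ or JNZ. Exactly one hit is required, otherwise a look-alike would be patched
    (the reason the Hiew steps above say to restart the search each time)."""
    tail = sig[1:]
    hits = [i for i in range(len(image) - len(sig) + 1)
            if image[i] in FLIP and image[i + 1:i + len(sig)] == tail]
    if len(hits) != 1:
        raise ValueError(f"signature {sig.hex()} matched {len(hits)} times, expected 1")
    return hits[0]


def invert_jumps(image: bytes):
    """Return (patched copy, [(offset, old opcode, new opcode), ...]) for all three jumps."""
    buf = bytearray(image)
    log = []
    for hex_sig, va, claimed_target in SIGNATURES:
        sig = bytes.fromhex(hex_sig)
        # Consistency check on the listing itself: the rel8 must land where it says.
        if short_jcc_target(va, sig[1]) != claimed_target:
            raise ValueError(f"listing for {va:08X} disagrees with its displacement byte")
        off = find_unique(buf, sig)
        old = buf[off]
        buf[off] = FLIP[old]
        log.append((off, old, buf[off]))
    return bytes(buf), log


def patch_file(exe: str):
    """Back up exe as .bak, then write the patched image in place; returns the patch log."""
    src = Path(exe)
    original = src.read_bytes()
    patched, log = invert_jumps(original)          # fails before anything is written
    src.with_suffix(".bak").write_bytes(original)
    src.write_bytes(patched)
    return log


def sample_image() -> bytes:
    """Constructed stand-in for bcards32.exe (not the real file): filler with the three
    signatures embedded at made-up file offsets that differ from the VAs on purpose."""
    img = bytearray(bytes(range(256)) * 4)
    for (hex_sig, _, _), off in zip(SIGNATURES, (0x140, 0x168, 0x17C)):
        sig = bytes.fromhex(hex_sig)
        img[off:off + len(sig)] = sig
    return bytes(img)


if __name__ == "__main__":
    for off, old, new in invert_jumps(sample_image())[1]:
        print(f"offset {off:#06x}: {old:02X} -> {new:02X}")
```

`patch_file("bcards32.exe")` is the equivalent of the nine Hiew steps run three times, with the backup made for you; the two checks (displacement matches the listed target, signature found once) are what stops the script from blindly flipping a byte in the wrong place on a different build.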

Part 3

	Making a Patch with Gpatch

	Remember I told you to make a backup copy of your file before you used Hiew?
	Name it Bcards32.bak, and the one you edited should be Bcards32.exe.
	(You should read the doc that comes with Gpatch to fully understand how to use it.)
	If you want, you can make a text file named gpatch.txt and put any info about your
	patch in it. Now run Gpatch like this:   gpatch bcards32.exe
	It will make you a patch named patch.com, which you can rename to whatever you
	like and distribute. Well, that's it for this tut.
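What a tool like Gpatch does with the .bak and the edited .exe, as an added Python example. This is not CbD's code and not Gpatch itself (its patch format is made up here): diff the backup against the edited file into runs of changed bytes, keep the original bytes in the patch, and have the apply side verify those bytes and the final hash so the patch refuses to run on a different version of the program instead of corrupting it. The two sample files are constructed stand-ins.

```python
"""Byte-diff patch generation and verified application (added example, not Gpatch)."""
import hashlib
import json


def make_patch(original: bytes, modified: bytes) -> dict:
    """Diff two same-size images into runs of changed bytes. Each run also records the
    original bytes so apply_patch can refuse a file the patch was not made for."""
    if len(original) != len(modified):
        raise ValueError("patch generation needs two images of the same size")
    runs, i = [], 0
    while i < len(original):
        if original[i] == modified[i]:
            i += 1
            continue
        start = i
        while i < len(original) and original[i] != modified[i]:
            i += 1
        runs.append({"offset": start,
                     "old": original[start:i].hex(),
                     "new": modified[start:i].hex()})
    return {"size": len(original),
            "sha256_after": hashlib.sha256(modified).hexdigest(),
            "runs": runs}


def apply_patch(target: bytes, patch: dict) -> bytes:
    """Apply patch to target, checking the size and every 'old' byte before writing;
    the result must hash to sha256_after or the whole patch is rejected."""
    if len(target) != patch["size"]:
        raise ValueError("size mismatch: wrong file or wrong version")
    buf = bytearray(target)
    for run in patch["runs"]:
        off = run["offset"]
        old, new = bytes.fromhex(run["old"]), bytes.fromhex(run["new"])
        if buf[off:off + len(old)] != old:
            raise ValueError(f"byte mismatch at offset {off:#x}: wrong file or wrong version")
        buf[off:off + len(new)] = new
    out = bytes(buf)
    if hashlib.sha256(out).hexdigest() != patch["sha256_after"]:
        raise ValueError("patched image does not hash to the expected value")
    return out


def patch_to_json(patch: dict) -> str:
    """Serialised form you would ship alongside a gpatch.txt-style readme."""
    return json.dumps(patch, indent=1)


def patch_from_json(text: str) -> dict:
    return json.loads(text)


def sample_pair():
    """Constructed Bcards32.bak / Bcards32.exe stand-ins (not the real files): identical
    except the three Jcc opcodes flipped (74 <-> 75) at made-up offsets."""
    backup = bytearray(bytes(range(256)) * 4)
    backup[0x140], backup[0x168], backup[0x17C] = 0x75, 0x75, 0x74
    edited = bytearray(backup)
    edited[0x140], edited[0x168], edited[0x17C] = 0x74, 0x74, 0x75
    return bytes(backup), bytes(edited)


if __name__ == "__main__":
    bak, exe = sample_pair()
    print(patch_to_json(make_patch(bak, exe)))
```

With real files this is `make_patch(Path("Bcards32.bak").read_bytes(), Path("Bcards32.exe").read_bytes())` on your machine and `apply_patch` on the user's; the old-byte check is the difference between a patch that says "wrong version" and one that silently breaks someone's copy.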

	I hope this tutorial has been helpful and has shown you another way to crack
	those serial number protections. Even if you can't seem to make the crack work
	(don't see why you couldn't), I have included the crack with the tutorial.

Enjoy and Happy Cracking.........    _CbD_  ME/C4N'97

			EFNET      #Cracking4Newbies    stop by and see us sometime....