_CbD_ Tutorial #6 Modifying dll's to give real reg codes Target:VoxPhone Pre Crack notes: Ok how many of you have wanted to crack a program and have it give you the real registration code instead of the Sorry you entered a invalid Code message? Hmm thought so everyone. ok well that is what this tut is all about. This will show you one of many ways to do this the program we will be werking with uses a dll to check our reg number so this will also give you a little info on cracking dll's. About the Tut. Target: Vox Phone where to get it: www.voxware.com protection type: user ID number / key number tools needed: Softice, W32dasm, Heiw (Hexeditor) Tut requested by: JosephCo & nIabI Crack requested by: DarkNight Well if you have ever read any of my tut's then you are aware of my style of cracking, Step by Step is the nest way for newbies to follow IMHO so that is how this tut will flow. Pre Crack notes You will need to run the program while you are on the net then disconect so you can use the BreakPoint we will need if you try to do this online you will break every time your system gets info from your ISP but the program will not start if you are not online so make sure your online when you start then log off. Also you will have to click on [help] register then fill out the form and tell the you are going to send your registration in by mail then you will be able to enter a registration number after that. Step 1: ok lets start by setting the Break Points we will need in Softice the one we will use first is GETDLGITEMTEXTA so set that in si (BPX GETDLGITEMTEXTA)then press ctrl-d to return to our program. Now lets go back to [help] and register and you will see the box asking for a regcode. enter anything you want as long as it fills the box or is atleast 10 digits long and then press unlock. Step 2: you should be in Softice now at the point that our program called the getdlgitemtexta function. press F11 to get back to the code that called this. you should see something like the code below 0137:00691ESC CALL [USER32!GetDlgItemTextA] <-- Call to get 0137:00691B92 MOV ECX,PFFFFFFF our unlock code 0137:00691E97 SUB EAX,EAX 0137:00691E99 REPNZ SCASB 0137:00691E9B NOT ECX 0137:00691E9D DEC ECX 0137:00691E9E CMP ECX,OA <-- Check to see if code is 10 digits 0137:00691EA1 JZ 00691EE3 <-- Jump if is 0137:00691EA3 LEA EAX,[ESP+74] <-- set msg for invalid code 0137:00691EA7 PUSH 006AC444 0137:00691EAC PUSH EAX <-- save msg 0137:00691BAD CALL 006A0370 0137:00691EB2 LEA EAX,[ESP+7C] 0137:00691EB6 ADD ESP,OS 0137:00691EB9 PUSH 30 ok as you can see here the program checks to see if we entered a code that is 10 digits long and if we did then it will jump to the code below if not then it displays a invalid code msg 0137;00691EE2 RET 0137:00691EE3 MOV EDI ,006B3ADO <-- we land here if code is 10 0137:00691EB8 MOV ECX ,FPFFFFFF 0137:00691EED SUB EAX ,SAX ok now you will have to press F10 to single step though the code till you come to the code below. 0137 :00691F1E CALL 006936EO <-- Generate real code here 0137 :00691F23 LEA ECX,ESP+4C) <-- if we do a ED ESP+4c here we get 0137 :00691F27 ADD ESP,OC the real code 0137 :00691F2A PUSH 006B84BO 0137 :00691F2P PUSH ECX <-- Save real code 0137 :00691230 CALL 006AA980 <-- call to compare our code with 0137 :00691F35 ADD ESP,OB real code. I have skiped some code here just scroll down and you will see this. 0137:00691F3A MOV EAX,[006B78B4] 0137:00691F3F JNZ 00691F53 <-- jump if code is invalid 0137:00691F41 MOV WORD PTR [EAX+04],0001 0137:00691F47 XOR EAX,EAX 0137:00691F49 POP EDI 0137;00691F4A POP ESI 0137:00691F4B POP EBX 0137:00691F4C ADD ESP,00000130 0137:00691F52 RET 0137:00691F53 LEA ECX,[ESP+74] <-- set up for invalid code msg 0137:00691F57 PUSH 006AC444 0137:00691F5C MOV WORD PTR [EAX+04,0000 0137:00691F62 PUSH ECX 0137:00691P63 CALL 006A0370 0137:00691F68 LEA ECX,[ESP+7C] (this may not be 7C as i cant remeber i had changed it before i wrote down the code) This is where we will make our change inorder to get our real number. Ok damn that is a lot of code. well what is happening here is our program (the Rsagnt32.dll is getting ready to give us that damn " Sorry you fucked up message" the program copies the strings we will see in the messagebox right here to ECX then will push ECX in a few lines down but we dont want it to push the message we want it to push our real code, dont we. So we will need to make a few changes here. rememeber where i siad our real code was? :00691F23 LEA ECX,ESP+4C) <-- if we do a ED ESP+4c here we get :00691F27 ADD ESP,OC the real code well do you think you see what needs to be done? yeah change the esp+7c to esp+4c right? Nope that want work. If you do that you will only get the last 5 letters of the code because the code starts before 4c do we need to do a ED esp+4c and see what we get. hmm well what we want to see is our code start on the first line of the data window like below :009BEBD4 49505848 544E4A54 00005443 00000004 HXPITJNTCT.. . :009BEEE4 00000000 00000000 02EF005C 02EF0004 :009BEEF4 034P3AAO 02EF7E3B 7P1R0500 18078394 0.> .....0.... :009BEF04 00004389 00000000 382780D4 40000000 C........'8...0 now to do this we will have to play with ESP so to save you time i have found that ESP+48 will do the trick. so what we will need to do is change LEA ECX,[ESP+7C] to LEA ECX,[ESP+48] this will yield us a real code every time in the place of that damn "Sorry you Fucked up message" so now you can do one of 2 things (1) restart the registraion process and when you get to the line with LEA ECX,[ESP+7C] on it do a ED xxxx:00691F68 then write down what you see in the data window so you can change it or i will give you the info you willl need when you run your hexeditor you will need 8D4C247C83C408 do a search for that in your hexeditor (use Hiew it is the best) and replace the 7C with 48 and then save your file (make a back up before you do this though) now when you run the program you will get a message that tell you that a dll is corupted go on to the next step to fix that step 3: in the Main program file tx32.exe do the following: ok in hiew search for 85C0752C50 then edit it in code mode and change the jnz to jz or visa versa then there is one more search for 85C0752E33FF and change its jnz to jz or visa versa i cant remember if they are jnz or jz but what ever it is change to the opisite. or you can do a BPX MESSAGEBOXA and find the jumps on your own. (Hint addresses are :0041CD27 & :0041D267) well that is about it after you make the changes you can run the program and get you real number from it then register it. Sorry if this is not as clear as most of my tut's but i only wrote down the code that i needed while i was cracking and make notes about the rest so if you have any trouble just find me on EFNET in #cracking4newbies and i will be glad to explain. Oh yeah you cant unregister the program after you register it so make sure you get a good understanding of how it all werks before you regiters the program. Hope this Helps you to better understand Dll cracking and makeing a msg box show you the real reg codes for your program. _CbD_ Greetz to : josephCo, nIabI, Mornings, ^pain^, drlan, mp, razzi and all the rest of #Cracking4newbies