CbD's Tutorial #4 Alternitive to Serial # Locating Target : Business Cards 32 v 4.18 Level: New to Intermediate Motive of Crack: Well we all know that sometimes we cant seem to find the right serail number when we are cracking a program, So this crack is to help you to better understand that there are other ways to register even if you cant find that " GooD " number I will show you that you can simply make the program take any number as a "GooD" one. This type of crack can be hard in some cases but for this example I have choosen a fairly simple program for us to use. If you have read my other Tutorials you should know that I crack in steps to help each of you new crackers to follow along and hopefully not get lost :-). About the Crack: This crack will have 3 main Parts to it each of them having there own steps for you to follow. I hope i have made it easy for you and if for some reason you have trouble with it please feel free to join us on EFNET in #cracking4Newbies and ask for help. Please note that we dont mind helping the newest of the Cracking world to better their skills as this is what we are here for. The Target: Business Cards 32 v4.18 Get it From: http://www.midstream.com Protection Type: Serial Number Registration with a 30day time limit Requested by: None Tools Needed: SoftIce, Hiew(or other Hex Editor) The Crack Part #1 Ok lets get the crack started, so go and get the prorgram from midstream and install it. Got it installed yet? well do it.... Step 1 Well let start this crack by looking at our little program, So load Bcards and then you will see the nag screen telling us that we are not a registered user (Not Yet anyway) and that you have 30 days to try the program. Well click and get rid of the nag and then click [HELP] [REGISTER] you will get the little box for you to put in your info. Well put the Name in you want then the company (if you want) and then the serial number. Step 2 Now if we wanted to find the "GooD" serial number we would have to use softice to find the location that the "GooD" number get compared to ours, But we dont care what the number should be cause we are going to make the program take our bogus number ( And Like It ) and then give us a registered user status. But for us to do this we have to still use Softice so we can find where the program checks for a valid number then make it think any number is a good one so lets get in SoftIce and start the work. Do this Ctrl-D this put you in SI now we need to break when the programs reads our Serial number so we will set a BP(BreakPoint) on GetDlgItemTextA (I have already found the right function for you) so do this BPX GETDLGITEMTEXTA and press enter now we have the only break point we need for this crack. So get out of SI with Ctrl-D. Step 3 Now you should be back in Bcards at the registration screen, so press enter and you will land back in SI at the GetDlgItemTextA function that was called by our program. Well this is not where we need to be, because our program has three different textboxes to read the data from (1) Name (2) company (3) serial number, and the one we want is the serail number one. So lets press F11 to return to the place the function was called then press F5 and let the program continue to run, we will break again at the GetDlgItemTextA function, this is where the program gets our company info, this to is not what we want so Press F11 to return and then F5, now we break at the function once more so we Press F11 to get to where the function was called from. This is where we will start to do the real cracking of the program. Step 4 Now that we are in the part of the code that will be checking our serial number and deciding if we are a (GooD Guy) or a (Bad Cracker) we will need to do some single stepping to see what happens here. So Press F10 and watch the lines of code as they pass. We will want to stop on the code below. Your addresses may differ but the code it's self should look the same :00412C3A ADD ESP,04 :00412C3D CMP BX,AX [STOP HERE] <---- compares part of our serial # with parts of the good one :00412C40 JNZ 00412C7E <---- if all is good then go ahead and if not the jump :00412C42 LEA EAX, [EBP-0C] so this is one of our points we need to make a change to Ok we will need to change the JNZ (Jump if Not Zero) to JZ (Jump if Zero) and in doing this if we were to enter a valid serial number the program would not allow it to register as it will then think that it is a Bad number. So lets make a note of the the address we will need to change and also you should do a D xxxx:00412C40 and then write down the value from the data window for later use. Or if you just want to crack your program and not make a general crack to distribute you can make the change in SI like this A xxxx:00412C40 [ENTER] <----- Press the Enter Key xxxx:00412C40 JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice (Note the xxxx is the starting value for the address as you see it on your system mine is 0137) now this will not modify your program on the disk only what is running in the system memory after you close the program the changes you made will be gone, but if you do all the right steps the program will still be registered. Step 5 Ok that was one of the 3 changes that will need to be made becasue if you scroll down with the Ctrl-downarrow you will see the following code after you locate it Press F10 till you get to the CMP then if you wish you can make your changes. :00412C62 ADD ESP,04 :00412C65 CMP SI,AX [STOP HERE] <---- compares part of our serial # with parts of the good one :00412C68 JNZ 00412C7E <---- Notice that the jump is to the same address as before :00412C6A LEA EAX, [EBP-0C] so we will need to do the same as we did above do a D xxxx:00412C68 the write down the value from the data window for this one and again if you want to you can make the change from right here in softice A xxxx:00412C68 [ENTER] <----- Press the Enter Key xxxx:00412C68 JZ 00412C7E [ENTER] [ENTER] <---- Press Enter Twice now that is the second change now we have one more then the crack will be done Step 6 Now F10 just a few lines and you will see this code below :00412C62 ADD ESP,04 :00412C65 CMP EAX, [EBP-0098] [STOP HERE] :00412C68 JZ 00412C91 <--- Jump if all the code is good :00412C6A LEA EAX, [EBP-0C] Remeber to do a D xxxx:00412C68 and write down the values. Now here we will need to change the JZ to a JNZ and once we have done this we can disable our breakpoints and hit F5 or Ctrl-D and let the program continue and as we pop back to the program we will see that we are now a registered owner of this program ....... Ok we ahve now Cracked this program and if we want to we can make a general crack so everyone can crack there copy. to do this just follow the steps below Part 2 Step 1 Ok remember the values I told you to write down ? did you ? well if not i have provided them below First one was xxxx:00412C40 75 3C 8D 45 F4 50 E8 59 ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need Second one xxxx:00412C68 75 14 8D 45 F4 50 E8 31 ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need Third one xxxx:00412C7C 75 13 8D 45 F4 50 E8 1D ^ ^ ^ ^ ^ ^ ^ ^ <--- Values you will need The following instructions are for users of HIEW only if you are using a different Hex editor then you will need to find the commands that do the same procedures ok Start Hiew by editing the bcards.exe file (Make a backup first) then do the following 1) when hiew starts press the F4 key to get Hex view 2)press F7 to search 3) enter the first string from above(only the ones marked) 4)press F2 to get the Code view 5)press F3 to edit the code 6)press F2 for ASM mode 7)change the JNZ to a JZ (This may show as a JE or a JNE depending on the step you are in 1,2 or 3) 8)press F9 to update 9)Press F10 to exit now do the same for each of the three strings, you will need to restart Hiew each time to insure that you are able to get the proper search result (Note for the last on make sure you change the JZ to a JNZ) after you are done with all three you can then exite Hiew and continue to part 3 Part 3 Makeing a Patch with Gpatch ok remember I told you to make a back up copy of your file before you used HIEW well you should name it like this Bcards32.bak and the one you edited should be Bcards32.exe (note you should read the Doc that comes with gpatch to full understand how to use it) if you want you can make a txt file named gpatch.txt and put any nfo about your patch you want. now run gpatch like this gpatch bcards32.exe it will make you a patch and name it patch.com you can now rename it to whatever you like and distribute it . well thats it for this tut. I hope this Tutorial has been helpful and showed you another way to crack those serial number protections. Well even if you cant seem to make the crack work (Dont see why you couldn't) i have included the crack with the tutorial. Enjoy and Happy Cracking......... _CbD_ ME/C4N'97 EFNET #Cracking4Newbies stop by and see us sometime....