|
|
|
|
|
|
|
|
|
|
|
|
|
|
||
|
|
||
|
|
|
There is a crack, a crack in everything. That's how the light gets in. |
|
|
|
|
|
|
Make sure you have
this highlighted
line included with the rest of these lines in your Winice.dat file which
is located in your Softice directory .
Winice.dat file
can be opened for editing using NotePad.
EXP=C:\windows\system\kernel32.dll
EXP=C:\windows\system\user32.dll
EXP=C:\windows\system\gdi32.dll
EXP=C:\windows\system\comdlg32.dll
EXP=C:\windows\system\shell32.dll
EXP=C:\windows\system\shell232.dll
EXP=C:\windows\system\advapi32.dll
EXP=C:\windows\system\vb40032.dll
EXP=C:\windows\system\msvbvm50.dll
<<--- make sure that this .dll file is listed in your winice.dat
file. Make sure that there are NO "
; " (semi-colons) in front of these statements or the file will not be
read.
Of course you
will want to make sure that the path above is also correct and matches
the path that your file is actually 'housed' in...! C:\windows\system...ect...
2. Next, reconfigure the Alt-F4
key and re-program it so that it will automatically locate the EXACT
Visual Basic sub-routine that compares our entered serial number against
the one the target program expects us to use.
While still editing Winice.dat locate the
line starting with AF4="^
and REPLACE it with the
highlighted line shown below.
F1="h;"
F2="^wr;"
F3="^src;"
F4="^rs;"
F5="^x;"
F6="^ec;"
F7="^here;"
F8="^t;"
F9="^bpx;"
F10="^p;"
F11="^G @SS:ESP;"
F12="^p ret;"
SF3="^format;"
CF8="^XT;"
CF9="TRACE OFF;"
CF10="^XP;"
CF11="SHOW B;"
CF12="TRACE B;"
AF1="^wr;"
AF2="^wd;"
AF3="^wc;"
AF4="^s 0 l ffffffff
56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7;"
AF5="CLS;"
AF8="^XT R;"
AF11="^dd dataaddr->0;"
AF12="^dd dataaddr->4;"
CF1="code on; altscr off; lines 58; wc
33; wd 8; wr; wl; ww 2; faults off;"
CF2="^wr;^wd;^wc;"
The above lines assigns commonly used Softice commands to some of your function keys, this saves a lot of typing on your part if you can execute a whole sequence of commands just by press two keys together. Now the new ALT-F4 function will save you from having to type:
s 0 l ffffffff 56,57,8b,7c,24,10,8b,74,24,0c,8b,4c,24,14,33,c0,f3,66,a7
every time you wish to locate the VB routine that compares two strings together.
This command simply tells Softice to search for a unique sequence of 19 bytes starting from memory location 0 all the way to the maximum amount of memory installed on your pc. These bytes form just a part of the VB routine we're interested in and have to include this number of bytes because there are other very similar routines to the one we're interested in and this way we can be sure that the VB routine Softice finds is the right one.
Now save your winice.dat
file. Make sure you make a backup first just in case you make any
mistakes.
That's it!.
|
|
Run the program Cconvert.exe ...a box appears saying you're unregistered; click okay; now select the 'about' and then the "Register" button.
Type in your Name/Handle then a random sequence of numbers into the Registration box.
Before going any further press CTR-D to fire up Softice and then type: bpx hmemcpy. Now type X to leave Softice.
OK, now you can click on the 'Validate' button...
Softice breaks at the beginning of the HmemCpy sub-routine.
Now we want to quickly find the routine that compares our serial number with the *real* one and we can do this effortlessly by pressing the ALT-F4 keys together.
Softice should now
report back a first memory location of where the sub-routine were looking
for is to be found in memory. In my
case Softice reported:
Pattern found at:
0030:0F00D9EA --<-This address may
be different on your puter
Now type: u followed_by_the_memory_address_just_given_by_Softice
In my case I type:
u 0030:0F00D9EA
Softice should
now display this code snippet:-
: 56
push esi <<<---you land here;
this is where you will set a new breakpoint.
: 57
push edi
: 8B7C2410
mov edi, [esp + 10]
: 8B74240C
mov esi, [esp + 0C]
: 8B4C2414
mov ecx, [esp + 14]
: 33C0
xor eax, eax
: F366A7
repz cmpsw
: 7405
je 0F79B362
: 1BC0
sbb eax, eax
: 83D8FF
sbb eax, FFFFFFFF
: 5F
pop edi
: 5E
pop esi
: C20C00
ret 000C
Ok, from here type:
Example: bpx
followed_by_the_memory_address_just_given_by_Softice
In my case I type:
bpx 0030:0F00D9EA
. I have found that in order to get the above address you
sometimes must type 's' to do another search until you have found the above
line #. You also can double click on the line
0030:0F00D9EA, instead of typing it in, to
set the breakpoint...
Lastly, type: bd
00 to disable our original hmemcpy breakpoint,
we don't need it anymore and finally, type
X to leave Softice.
Softice now breaks again, this time on
our newly created breakpoint,
: 56
push esi <<<---we land here
: 57
push edi
: 8B7C2410
mov edi, [esp + 10]
: 8B74240C
mov esi, [esp + 0C]
: 8B4C2414
mov ecx, [esp + 14] <<<--F-10
to here;
<<<< type "d
ecx"...the real serial will
<<<< be displayed...
<<<< typing "d
esi"; the line above; and
<<<< this will display your fake # input.
: 33C0
xor eax, eax
: F366A7
repz cmpsw
: 7405
je 0F79B362
: 1BC0
sbb eax, eax
: 83D8FF
sbb eax, FFFFFFFF
: 5F
pop edi
: 5E
pop esi
: C20C00
ret 000C
Our registration code will be in Wide Character Format, which simply means that instead of our Registration/Serial number looking like "GypsyJoker" it will now look like: "G.y.p.s.y.J.o.k.e.r " instead. Other than that it's still the REAL serial number.
In this case Violatily has mixed letters and Numbers; and the code for my input was:
User Name: jasman <<<---I usually use "jas" but lately the user name has been "length" sensitive..I just may have to get myself a longer handel...
Registration Code: "XXX-2120-XXXX" <<<---Where "X" is a hard coded part of this Reg code and for which I'll not publish.
Ya'all will see it if you follow the guidelines above...
The numerical part of this reg is generated by a part of your user name input.....I'll leave that for you to figure out also...
CONGRATULATIONS!
BUSTED this dude!
If you now type bd *, to clear all breakpoints,
and re-open the program and type in a new name and reg #; ctrl-d; and type
in "be 00",
(our hmemcpy bpx #); and then x to leave;
ice will now POP and will immediately show in the
data window the new reg code for the new name you used......without
having to re-search any code at all.....:)
Okay; I must explain a little: SOMETIMES
this works; at other times I must hit x ; enter; x; enter; x, enter, til
the "Sorry" error box appears; now hit your 'x' and enter key once more
and the new Username and new reg key will be displayed in data window without
having to go back inside any code!!!
Are we done?
Some will be...
if they are only interested in 'the' crack.;
but for those of you who have just used this Alt-f4 key combo on some other
VB program that will not break to bpx 0f00d9ea...stick around...more to
come...
#1 Sometimes the bpx 0f00d9ea simply will not return to your set breakpoint to enable you to view this code.
#2 Sometimes the breakpoint will break and you will find and see a legitimate looking code displayed; but when you enter it, it brings back an error "bad reg" statement. DON'T let this fool you! This code , in most cases, is the correct code; but it simply needs some more work; albeit, a xor routine somewhere in the code that you will have to find and convert.
#1
By following the next two examples you can increase your chances of finding
a correct code when alt-f4 key does
not produce.
I came in the backdoor
on this one by stepping thru the 0f00d9ea call; when we do so, we return
to this area: MSVBUM50!__vbastrcomp
014f:0f003563...55...push
ebp...
So checking several
programs that would not break-back to the alt-f4 key I found if I set a
breakpoint at:bpx __vbastrcomp instead; that I was enabled to break back;
and interesting; your code lies here also.
Try this:
Using Volatilities
CConvert program; fill in the Reg and name key, set a bpx
hmemcpy in ice; x;
hit the Validate button;
ice pops; type bd 00
to disable your hmemcpy break; and now type bpx
__vbastrcomp;
x; ice flashs and pops back into ice... (note
here that the __ <<--are
TWO underscores together!)
You will land here:
MSVBUM50!__vbastrcomp
014f:0f003563
55 push...ebp <<--land
here
014f:0f003564
8bec mov ebp, esp
F-10 down to
014f:0f003564 8bec mov ebp, esp <<--type 'd' esp here
now if you are not already running your data window in this mode:
type dd esp.
Your data window
will now look like this:
0157:0064f250......0064f2c4......0f00461b......00000000.....00424798........d..f......GB
0157:0064f260......00424750......0f100640......00000000......00424798......PGB.@....GB
Notice the fourth stack; 00424798
now type 'd'
00424798....this reveals the Real Code
curious as to the
#.00424750 in
first stack; second line:
I typed
'd' 00424750....this is your fake #......
If you continue
to step thru this routine in this way you will continue to find half a
million references to your fake and real code being revealed.
Also I found something
repeated in some programs;
If you step down
to line # 014f:0f00358f...jae 0f0035b6...it wants to jump here to 0f0035b6
By typing r eip=0f003591
You will be allowed
to step to the next line down and at 10 more lines down you arrive
at...
0f0035a6...call
0f00d9ea
(Do you recognize this #?)
Yep; our alt-f4 routine;
step into it (f-8) and explore...
Where will it return
us too? Yep; the MSVBUM50!__vbastrcomp check. Hummmm; I wonder where tracing
backwards from here would take us? Are we done?
Nope!
Fourth Approach:
.
As I say; none of
these proceedures are infalable; I have tried to explore many VB programs
to find a difinite pattern that we could follow and sometimes one or the
other of these work out but never... ALWAYS...
So here is another
approach when the above fails...
Once again fill in all information and bpx hmemcpy; x to leave; hit Validate button; ice pops; F-11 once; and now f -12 thirteen times;
(Note: this number
is consistant with every VB program I tried; it is always 13 f-12's;
unless you have a greyed out button and type in an extra # to pop hmemcpy;
then the #of f-12's changes) Now you will land in MSVBUM50 dll...
and on a RET
instruction;
F-10 into this Ret.
You will now land inside of the program code.
Step down to line # 014f:0040ac84...mov...ecx...[ebp-58]
type: dd esp; to change the data window.
Now type 'd' ebp-58
you will see this:
00424774......00000000......000d1626......1b0c005......
Now just type: 'd' 00424774...
you'll see your user name and just below this you will see your real code: Now this proceedure is not consistant AT this paricular line,not always; in this case the real code was revealed to us in the data window; BUT often you must continue stepping thru this code area continuing to check your various registers to find the real code; ...so far I have been fortunate and have found 7 out of 12 in this way in my test of this proceedure...
Are we done?
Nope!
Not unless you are!
Fifth Proceedure:
I have found this
proceedure, when it works out; to be most powerful! VB uses the following
APIs to manipulate strings:
multibytetowidechar
widechartomultibyte
Heres what we are going to do this time.
Okay; fire up Ice:
type the following lines very carefully in the ice input window!
This will be the hardest to follow so pay attention...:)
bpx multibytetowidechar
do "d * (esp+4*3)"
bpx widechartomultibyte
do "d * (esp+4*3)"
Okay; once you have
up these two breakpoints then open up Cconvert... Ice will immediately
break. Now this varys from program to program so you will have to watch
what happens in your data window; In Cconverts case we are going to use
the f-5 key to step thru the loading and converting of your input.
Now f-5 (50) times until the Unregistered Version box pops; press the okay
button; Volatilitys Unregistered program is displayed. Now click on the
About button.
ICE will pop; 16
f-5's will pop the About-Register box .
Click on Register button.
Fill in the User-name and Registration Code Areas.
Click the Validate button.
Ice will pop :
Your code window will show that you are at
Kernel32!multibytetowidechar & Kernel32!widechartomultibyte
In your data window you will see your Username; Now f-5 until you see your fake serial # input in the data window. When you see your fake # displayed type: dd esp
This will change the appearance of your data window.
You will see four stacks of numbers:
0f0414e2.....00000000......00000000......00d9e4dc
typing: d
00d9e4dc reveals our fake #
Now type:
d 0f0414e2...and press F-11 key
Your code window has now changed; you are here:
0f0414dc.....call...Kernel32!multibytetowidechar
0f0414e2......mov......ebx,
eax.....<<<--land here
Now watching your data window...
continue to f-5 until
you SEE the "Sorry; You no good excuse for a cracker" message
Here you will also
see that your code has been processed and is displayed in the data window.
You might have to
scroll up a line or two.
I checked this on 4 VB programs and although the number of f-5's change; basically this same format works for those I checked ...except for two... Those two exceptions (so far) hung up and simply continued to go on and on and on once I saw the reg box pop behind ice window; and so I simply control-d-ed back to ice; bd *; my two bpx multi statements; THEN I x-ed out; filled in the Reg box; cntrl-d back to ice; BE 00 & BE 01 to re-enable the two bpxs; x-ed out; hit reg key; and then kept f-5-ing to the next step of proceedure above...
Procedure done.
|
|
I would like to congratulate Volatilty
for producing one of the greatest teaching programs anyone could have written
for teaching the many ways VB could be attacked and handeled.
As we have learned at the Sandmans projects
site @ http://disc.server.com/Indices/33330.html
the crack is not done until the cracker ' knows' his crack.
My thanks and gratitude goes to:-
The Sandman
for providing possibly the greatest source of Reverse Engineering knowledge
for newbys on the Web; and who told
me to never give up when VB was strangeling me.
Special thanks go to Crackz; Prophesy, for their great tutes; to Volatility; and BornaJanes who wouldn't let me give up. And to my great internet compadre', twno, who forever teaches and watches over me.:) and also to D0gbytes who can drink me under the table at virtual whiskey sites...:)
And to all those of you who write and teach
me each day, no matter your depth of knowledge.
|
|
Ripping off software through serials
and cracks is for lamers..
If your looking for cracks or serial
numbers from these pages then your wasting your time, try searching elsewhere
on the Web under Warze, Cracks etc.
For
more info. on this type protection and set-up Goto the Sandmans' Essays
#59 & #63
| Return |