L0phtCrack 2.52 for Win95/NT  -  Cracking Tutorial by Goatass
--------------------------------------------------------------
  BEGINNER (X) - NEWBIE () - INTERMEDIATE () - ADVANCED ()


	First off, L0phat Heavy Industries is one of the best hacking groups out there
today along with some others that release some of the best hacking/security tools.
I am a newbie but I will do my best to teach you how to crack L0phtCrack 2.52 which is
the latest NT password cracking tool.


About this protection:
-----------------------
This is a very simple time trial/serial number protection. An unlock code gets 
compared with a pre-assigned serial number.  I was very surprised to find out that 
such a great hacking group didn't bother to protect their trademark tool very well. 
They are selling it for $100.

Ok well lets get going with the crack.



What you will need:
--------------------

- L0phtCrack 2.52    (http://www.l0pht.com/l0phtcrack/)

- SoftIce

- your eyes



The crack:
-----------

This is a memory echo crack which should be very easy for all newbies.
First off, make a backup of l0phtcrack.exe incase you screw something up.
Run the program and you should see a nag screen showing you how many days you
have left (15 days total) and there is also a "Register" button. Click the 
"Register" button and you should see a dialog box with a grayed out box with
the pre-assigned serial number and below it there will be a box for your unlock
code.  The unlock code is alphnumeric but that doesn't matter right now. Go ahead
and put any number you like, I used 12345678 for my unlock code.

Now go into SoftIce (CTRL+D) and set a breakpoint on GetWindowTextA (BPX GetWindowTextA).
The approach here is to break right after the program reads your unlock code and then uses it
along with the pre-assigned serial number to generate and compare the good unlock code.
Now get out of SoftIce (X) and click the OK button. SoftIce breaks, press F11 to return to the 
calling function, that read in the pre-assigned serial number. Now press F5 to read your unlock code,
SoftIce breaks a second time, press F11 again and now you are in the program's code.
Trace through the code until you get to this part:

:406345	MOV	EAX, [EBX]         <-- if you type D EAX you will see the code you entered
:406347	LEA	ECX, [ESP+1C]      <-- here is the unlock code,  D ECX to see it

If you dump ECX you will see two 8 digit alphanumeric strings they are both the correct 
unlock codes. Why two ? you'll see in a second.

Next we see the program PUSHing EAX and ECX onto the stack then comes the CALL to compare the codes.


:40634D	CALL	00426260           <-- this is where the program compares your number and the first
				       unlock code. Since you entered a wrong code the CALL will return
				       with EAX=FFFFFFFF (-01), if the code you entered was correct it
				       would return with EAX=00000000
:406355	TEST	EAX, EAX	   <-- checks to see what the CALL returned, if the code is good or not.
:406357	JZ	004063A2	   <-- if the CALL returned 00, good code, jump to "Thank You"

Now the program gives you another try and does the exact same thing as above with the second code.

:406359	MOV	EAX, [EBX]	   <-- here is your the code you entered
:40635B	LEA	EDX, [ESP+2C]      <-- and here is the second unlock code, type D EDX to see the 2nd code
.....
:406361	CALL	00426260	   <-- here is that same call for comparing the codes, same as before
				       the program will return EAX=FFFFFFFF (-01)
.....

I skipped some code here that does the same as above with the TEST and JZ. Since the code you entered was wrong
the program proceeds to the nag screen:

:406376	CALL	0045666B           <-- this is the call to display the nag screen.

Now you can get out of SoftIce and try your new unlock code and you'll be registered.

There are a few ways of going about cracking this program, the easiest would be what I have described above
but if you want you can force the jump at 406357 by changing it from JZ to JMP but why screw with the code
if you don't have to.

Another way is to use the program to create a small KeyGen. By changing one of the two PUSHes before the CALL
to the nag screen at 406361 and making it display the correct code,  PUSH [ESP+1C] or PUSH [ESP+2C].



The End:
---------

That's all for this tutorial I hope I helped you better understand the memory echo concept.
This was a very easy crack but keep in mind that many other programs use the same way for protection.

I just want to say THANK YOU to my mentor zip for getting me started with cracking.
Also great thanks goes out to EDiSON, +ORC, Fravia, CrackZ, Sandman and all the great people who 
reverse for knowledge, keep writing those great tutorials.

I'm out, PEACE !

Goatass