Program: CRACKERS CONVERT by Volatility
written by: vladimir, last day of the year 1998
( slightly edited by Volatility for us Americans :) )
Tools and things you'll need:
(1) SoftIce ( I'm using the winice.dat modified by the SANDMAN. You'll find it on his page on the net. There are some good changes done in it. )
(2) nerves ( as every time )
(3) beer and cigarettes ( if you like ), good music
Getting the CC from Volatility in a short ICQ session with him, he explained that this nice little proggie is a useful utility AND ( last but not least ) also a nice little crack me, which allows everybody who wants the app fully registered ( oh, where to buy that one? *grin* ) to train and check his knowledge about cracking Visual Basic progs. And as is the right behaviour for a man who is studying, I promptly started to check out what he mentioned. First I tried to use WDasm, but, OOOOHHHNOOOOO, the only string ref I got was "VB5". O.K., nice, but this doesn't bring me any further on my way through this protection. Then I wanted to get lucky with SmartCheck, finding a few 'interesting' entries in it, but couldn't understand them ( I haven't used SC so much ). What to do?!
I decided to let CC be, and learn more while reading and practicing tutorials from experienced crackers. Trying, patching, reading, and on my table thousands of beer bottles. But then the hammer hit me ( no, not a headache 'cause of the beer, this time no need for aspirin ): I remembered a tutorial 'bout first cracking VBs. So I used my brain, studied that one again, and, with a few trials and errors, finally matched the reg-code.
But enough of blablabla, let's start over.......
Calling the .EXE, the proggie finally starts with this `UNREGISTERED VERSION` msg. To find the right place where you can enter your information and register CC, you first have to click the `ABOUT` button, and then I'm sure you've seen it already?! The `REGISTER` one...
In the `USERNAME` form you must type in your ( or any other ) name; it should be at least 2 letters. I entered, what else, vladimir.
Then you have to enter a fake in the `REGISTRATION CODE` form ( sure, else we wouldn't have to do all that ). I entered 0815, but you can also enter 007 ( if you like James Bond ) or the type number of the Enterprise D....
Normally, we would hit the `VALIDATE` button, to be face to face with this awful `SORRY, BETTER LUCK NEXT TIME` msg. But not in this case.
Before you push the `VALIDATE` button, press
STRG + D (Cntrl+D for some of us - Volatility)
to let SICE appear. Then you've got to put a breakpoint on execution; this time we take the HMEMCPY function. Enter
bpx hmemcpy
and go right back to running CC with
F5
Now you have to push `VALIDATE` and FLASHBOUUMM, there's SICE again. You'll land here:
0117:9E77  KERNEL!HMEMCPY  0117:9E7A  0117:9E7B  0117:9E7D  0117:9E7E  0117:9E80
RETF 00008
PUSH BP
Hit
F11
to finish the operation and let the debugger return to the code position that calls it. You'll land here:
179F:0B40  CALL KERNEL!HMEMCPY
179F:0B45  PUSH PTR ( DI )
Now you have to
F10
to go step by step through the code, until you find in the SICE status line the msg.
MSVBVM50!.Text+ ******** ( << that address will be different from mine. )
When you've found this entry ( I F10ed very often, so stay cool ), you've got to press
ALT + F4 (this method assumes you are using The Sandman's Winice.dat - Volatility)
to let SICE search for the VB comparing routine. After a few milliseconds SICE will prompt this:
Pattern found at ****:******** ( << that address also will be different )
Now you've got to type
u ****:******** ( the address where the pattern was found )
to unassemble this part of the code. BAMM, you'll see that:
0137:0F00D9EA  PUSH ESI
0137:0F00D9EB  PUSH EDI
0137:0F00D9EC  MOV EDI, ( ESP+10 )
0137:0F00D9F0  MOV ESI, ( ESP+0C )
0137:0F00D9F4  MOV ECX, ( ESP+14 )
0137:0F00D9F8  XOR EAX, EAX
0137:0F00D9FA  REPZ CMPSW
0137:0F00D9FD  JZ 0F00DA04
O.K., let's do the following steps. Clear the old breakpoint on hmemcpy with
bc 0
( if you're not sure, take a short look at the breakpoint list with BL ) and set a new breakpoint in this routine with
bpx ****:********
to force CC to return to SICE when the address is used. So hit once again
F5
to return to CC and ZAPP, we're right back in SICE. What's next?! Now you've got to step over again with
F10
until 0137:0F00D9EC MOV EDI, ( ESP+10 ) has finished. And then, to display what's hidden in the edi register, type
d edi
TATAAAAAATAAAAAAAA, there it is: In the first two rows of SICE's coding window you'll find this
REG-****-CODE ( In my case it was REG-2360-CODE )
So, clear the breakpoint, hit F5 to go back, enter once again the name you used before, and now the right registration code ( hope you wrote it down ).
`NICE WORK! YOU'RE REGISTERED NOW` appears, and crackers happy......
It seems that CRACKERS CONVERT computes the reg-number using only the FIRST letter you entered in the name field ( but you still have to enter two letters! ). I tried my matched number with a few words starting with v, such as vado, vigo ( no, not viagra ), vl...., and every time it matches with the same reg-number. ( But attention: there's a difference between uppercase and lowercase letters, like VLADIMIR and vladimir. )
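The two weaknesses this tutorial runs into, the valid code sitting in memory at the compare and the code depending only on the first letter of the name, set beside a check that verifies a signature instead ( an added example, not part of the original tutorial or of CC ). The derivation in weak_expected_code, the toy RSA key and all function names are assumptions constructed for the illustration; CC's real algorithm is not on the page.

```python
import hashlib

# --- Weak design: derive the expected code, then string-compare -------------
def weak_expected_code(name: str) -> str:
    """Hypothetical stand-in for CC's derivation (the real one is not on the
    page): only the first character of the name feeds the code."""
    return f"REG-{(ord(name[0]) * 137) % 10000:04d}-CODE"

def weak_check(name: str, code: str) -> bool:
    # The full valid code exists in process memory at this comparison,
    # which is what a breakpoint on the compare routine exposes.
    return code == weak_expected_code(name)

# --- Hardened design: verify a signature, never compute the valid code ------
# Toy textbook-RSA key built from two Mersenne primes (constructed for this
# demo; far too small and unpadded for real use).
P, Q = 2**127 - 1, 2**89 - 1
N, E = P * Q, 65537                      # public key, shipped in the program
D = pow(E, -1, (P - 1) * (Q - 1))        # private key, stays with the vendor

def _digest(name: str) -> int:
    # Every byte of the name is hashed, so names sharing a first letter
    # (or differing only in case) get unrelated licences.
    return int.from_bytes(hashlib.sha256(name.encode()).digest(), "big") % N

def vendor_issue(name: str) -> int:
    """Vendor side only: needs D, which is never shipped."""
    return pow(_digest(name), D, N)

def hardened_check(name: str, licence: int) -> bool:
    # Uses only N and E. The program can test a licence but cannot produce
    # one, so a wrong guess never makes the valid one appear in memory.
    return 0 < licence < N and pow(licence, E, N) == _digest(name)

if __name__ == "__main__":
    print(weak_expected_code("vladimir") == weak_expected_code("vado"))
    lic = vendor_issue("vladimir")
    print(hardened_check("vladimir", lic), hardened_check("vado", lic))
```

Signature verification removes the in-memory secret and the first-letter collapse; it does not stop someone patching the branch after the check, which is an integrity problem rather than a key-scheme problem.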
Finally, CC stores the registration information in the two files:
cconvert.§§§ ( the name )
cconvert.ccc ( the number )
I'll try out more ( maybe a keygen, but I've got to learn that ), maybe there are a few ways to patch that thing.....
Enough for now,
greetz
vladimir
contact me, if you want:
VLADWAR@GMX.NET
or ICQ me:
#24654645
P.T.: NICE IDEA, THE TWO SMILEYS. ALWAYS ON ACID I WAS HAPPY TO SEE THE YELLOW ONE, HAHAHAHAH........