Ok I know the title sounds strange, _CbD_ vs. Ultisoft, Inc. but i decide this would be a good title for this tutorial seeing how i will be attacking 5 of there programs in this tutorial. Well let me tell you how this war began, I know you dont care, but i am going to tell you anyway. Well I was on Windows95.com and was looking for a good casino game, well what i found was a lot of programs by this Ultisoft, Inc., and the bad part is that they were mostly slot games, NO FUN. well i also seen that some of them where VB4 programs so i thought ok this might be a good program to practice what (razzia) said about VB4 protections. Ok so i downloaded a few of them.
I then unzipped and checked to see if they would allow me to register them, guess what as soon as i started the program a big blue screen pops up asking me to register, hmm ok that answers that question. Well now lets see if the program is any good. Ha Ha Ha this games sucks, well i decided to crack it anyway. so now on to the cracks
target #1
Name: Cherry Slots
Author: Ultisoft, Inc.
Tools: Softice 3.xx
you can get it at (http://wwwsoftsite.com/ulti/95chry44.zip)
ok i will do this crack in several steps so even the newest of crackers can follow, before i start i want to thank razzia for his exellent tutorial on VB4 , so Thanks. Ok now go get the program from softsite.com (it is small like 150k)
ok you got it. lets crack it.
First of all i am going to asume you have just started your softice seesion and have NO other breakpoints set
if you do you can (A) write them down if you still need them then do a BC * and clear them or just disable them by
BD * because you dont need any extra breakpoints set while we do this.
Step #1
Lets look at the File. So in Explorer select it and do QuickView (right click select quickview)
now scroll down and see what the Import Table says, Hmm VB40032.DLL. Ah this is a VB4
program. Ok now we know that or GetWindowTextA and GetDlgItemTextA wont work for us
so we will have to use HMEMCPY to get into the program. Wait didnt i read a tutorial by razzia
talking about VB4 programs hmm, yeah now i remember. ok lets try and recall what it was he wrote
(if you never read it you should, but i will use alot of his methods here for those of you who have
no idea).
Step #2
ok lets start this little puppy, so run cherry.exe. OK now a big ugly blue screen pops up and what is
this the middle button is (REGISTATION CODE) hmm wonder what that does. So click on it and find out
ah the old enter your registration Number box (Like you would really buy this game). ok first lets type in
a few numers to see if it has a pre-set length for the reg number 12345678901244567865, hmm
nope has no pre-set length. Ok that is fine lets just clear that text out and enter hmm 7777777
seven 7's (my favorite) and then press REGISTER. hmm We get the old faithfull Registration Failed
thats fine just click ok. hmm our box is gone now What they only give us one chance (assholes).
Step #3
Ok now look in the menu and you will see Register so click on it, What is this our box is back. Good lets enter 7777777 again now DONT PRESS REGISTER YET now we need to get in Softice and set some
BreakPoints so Press Ctrl-D, boom. Into Softice we go now lets set some BreakPonits.
so at the ---> : type BPX HMEMCPY and press [ENTER] ok now we have a BreakPoint set
on the HMEMCPY fuction. ok now press Ctrl-D again and boom back to Cherry Slots we go
Now you can press REGISTER and continue on to step 4.
Step #4
Ok if you done it right you should be looking at the softice screen, and if not then go back and start over
from step #1. Ok now we are looking at the call made to HMEMCPY so lets get out of that as we need
not be there. but first lets disable that BreakPoint as we dont need it anymore so do a --> BD 0 <--- now press F11 and then softice should blink and then pop you right back in. Ok now we are
in the Fuction that made the call well this to is not really that important to us. What we need to be in is the
VB40032.DLL so press F10 til you see the text (on the line between the Code window and the command window) VB4xxxxxxx ok now that should look like somthing this (Address's may look different)
0137:0F730116 CALL EBP
0137:0F730118 MOV [ESP+14] , EAX
0137:0F73011C CMP DWORD PTR [ESP+2C] , 00
0137:0F730121 JNZ 0F73070C
0137:0F730127 MOV EAX, [ESP+14]
0137:0F73012B POP EBP
0137:0F73012C POP EDI
0137:0F73012D POP ESI
Yours may differ just a bit. Ok now we are in the VB4xxxx section of the code. Next we will look at some
of razzia's VB tutorial
razzia has done all the hard work for us and found the VB4 dll code
that compares two strings (in WideChar format !).
Here is what it looks like
: 56 push esi
: 57 push edi
: 8B7C2410 mov edi, [esp + 10]
: 8B74240C mov esi, [esp + 0C]
: 8B4C2414 mov ecx, [esp + 14]
: 33C0 xor eax, eax
: F366A7 repz cmpsw ;<-- here the (WideChar) strings at ds:esi
: 7405 je 0F79B362 ; and es:edi get compared
: 1BC0 sbb eax, eax
: 83D8FF sbb eax, FFFFFFFF
: 5F pop edi
: 5E pop esi
: C20C00 ret 000C
Now you have enogh to crack this program.
Ok now for the final step
Step #5
Now we know the code lets find it in our program so we need to search for it
we can do this by typeing the following in the command window
S 0 L FFFFFFFFF 56,57,8B,7C,24,10,8B,74,24,0C,8B,4C,24,14 then press [ENTER]
you should get something like this
Procedure found at 0030:0F79B348 (0F79B348)
Now we set a Break Point on it BPX 0030:0F79B348 and press F5 we will break again
into softice were you should see the above code
ok Now we have the question (Does the program have a set serial Number that we have to
enter or does it just compare certian letters or numbers of our serial code.)
well lets just have a look at some of the values here
So type this ----> ed esi <-------- and you should see the following in the data window
Well what is this hmm look kinda strange there dont it hmmm could this be the serial number
hmm well it is 6 numbers long and if you took the spaces out it would read 316247
well lets see if this could be the serial number. So we do a BD 1 to disable our BreakPoint
and then press CTRL -D and you should return to Cherry Slots and the Registration Failed
box should be up. So clear it and press goto register once more this time enter the code
we got from VB4xxxxx it should be 316247 and then press register you should get the congradulations you have now registered this peice of shit software. Blah Blah
ok that is it the game is now registered. Ok if you want to distribute your cracked game
you can now look in your cherry slots Dir and you should see a file named
cherry.key this is all you need so pass it around and anyone needs only to put it in thier
cherry slots dir and they are registered to.
Although this is easy and takes only a few minutes i am going to look at makeing a patch to just get
the nag screens to go away without a correct serial numbers just as practice.
you can use these same steps to crack all of UltiSofts VB games.
PART 2
The War is Still On
_CbD_ vs. UltiSoft
After looking around there page i found that they also had a few games that was not
VB games so i decided to check them
target #2
Name: Animated Black Jack
Author: Ultisoft, Inc.
you can get it at (http://wwwsoftsite.com/ulti/95anbj11exe)
Tools Needed : W32DASM
Ok I downloaded this one and then used QuickView and then i seen this was not
a VB Program, so first i ran the program then noticed it had the same old
registration box as the others.. Ok well i decided to use softice and Break on
the old GetWindowTextA and GetDlgItemTextA well then i tried a fake number
and nothing i didnt pop into softice hmmm well lets try GetWindowText and GetDlgItemText
well nothing still no softice. So i decided to load it in W32DASM and look at the functions
well i saw tons of them this program uses everything but is own. Ok well lets have a look at some
of them (Damn there is so many ) well several look as if we could set breakpoints on and
try , but hmm lets look some more . lets look at the string references (the button should
be [Strn Ref] ) damn so so many well lets look for anything dealing with registration
We See ( 2. In the Registered Version) hmm well we could look at that
but What is that funny looking one right under it ?
all it says is ("508150") Hmm that looks funny it is 6 numbers and we have seen
that all of there codes are six numbers. no way it cant be that easy can it ?
well lets just check so we start up Black Jack and then we put 508150 for a
registration number and press [ENTER] knowing this wont work
and Boom Thank you for Registering our ShitWare hmm ok now
I have lost all respect for these guys (not that i ever had any) they have to be
very stupid to hard code there # that way hmm i think instead of sending them
the registration fee i will send them Programing For Dummies Books
Well thats it for that one and any of the other programs they have that are not vb
is the same way...
Oh yeah there installers sux and will hang so just use the task manager and end task on
the installer (CTRL + ALT + DEL) End TASK INSTALLER
ok this is a list of there programs that i have cracked useing these methods
VB
Cherry Slots #316247
Dynamite Slots #884916
Extreme Slots #196458
Other
Double Wide Slots # 317541
Animated Black Jack # 508150
All there other programs are on the site
http://www.softsite.com/ulti
Well I really Hope this helped you in some way if nothing than showing that sometime the protection
