__I'''''''''''''''''''''''''''''''''''''''''''I__ The Ultimate Beginner Cracker's Book v1.1 __I'''''''''''''''''''''''''''''''''''''''''''I__
                                                              I by basdog22 I
-------------------------------------------------------------------------------------------------------------------------------------------------

Well, I started writing this tut because there are NOT a lot of them available on the NET, even now that knowledge is widespread. This tut is aimed at the very newbies, so if you are an advanced or an intermediate cracker throw it away, because it just occupies space on your HDD and nothing more. I would like to apologise for my bad English and some spelling mistakes that I will for sure make here. English isn't my mother tongue, so don't blame me ;)

First of all: Make your notepad's resolution so that the line below will be shown in its full length
<------------------------------------------------------------------------------------------------------------------------------------------------>

"""""""""""""""""""""""""""""""""""""""W32Dasm: Some tips and some add-ons""""""""""""""""""""""""""""""""""

Our disassembler is our everyday tool. Every time we meet a prog, it is better to have a dead-listing of its code in order to understand how it works, and then we decide if we will patch it there or we will go fish a serial. I personally prefer to patch, because I believe that fishing serial numbers is not so fair to the programmer. OK, most people say that real crackers find serials and make keygens, but I say that making a keygen is useless since you don't need it, unless you are in one of these groups that spread cracks and warez for lamers to download ;). I don't mean that it is bad to fish for serials, I do it too sometimes, but I prefer patching. You may call me lazy or anything else, but I will never change the way I think. OK, back to our tool.
For every tool you want to learn how to use, always READ THE MANUAL that comes with it. W32Dasm is a great tool that most crackers use. When you download it you can run it right away by double-clicking on w32dasm.exe. First of all you must set the fonts that W32Dasm will use, so click on Disassembler and then on Font..., then click on Select Font (I recommend Arial). After that click on Save Default Font. Now our tool is ready to work. On the Disassembler menu hit "Open File to Disassemble" and open Notepad.exe, located in your Windows folder. Now look at all this mess that appeared on your screen... This file opened real quick, it is only 56 KB, but it might take some time to disassemble big files over 1 MB. Now you can save the disassembly of this file for later use if you want, and you can open it again by clicking "Project" ---> "Open Project File..."

We will leave the "Debug" menu for now (yes, W32Dasm is a debugger too, a pretty good one) and we will go to the "Search" menu. Here you can search for strings inside the disassembled file. As we move to the right we see the "Goto" menu; click on it and you will see 4 submenus, of which we will mainly use the "Go to Code Location" option. Then we see the "Execute Text" and "Function" menus, followed by the "HexData" and "Refs" menus. From "Execute Text" we can execute some calls as well as some jumps (a very useful function), and with the "Functions" menu we can see the imports and exports of the prog. In the "Refs" menu, which is the best option of this tool, we will be able to see all the strings that the disassembled prog uses. Well, the main functions that we will use are accessible from the little buttons under these menus, but it is always good to know what your tool looks like ;)

Now let's start some work. Click on the SDR (String Data Reference) button and look at the strings. A lot of them, huh???
OK, double-click on the string "Edit". The light green line moves to the location where the string "Edit" is and you see something like this:

-----------------------------------------------------Cut here--------------------------------------------------------------
:00402DA0 57                      push edi
:00402DA1 2500001000              and eax, 00100000
:00402DA6 57                      push edi
:00402DA7 0504012050              add eax, 50200104
:00402DAC 50                      push eax
:00402DAD 6800104000              push 00401000

* Possible StringData Ref from Code Obj ->"Edit"
                                  |
:00402DB2 6854104000              push 00401054          <----- We land here
:00402DB7 6800020000              push 00000200

* Reference To: USER32.CreateWindowExA, Ord:005Bh
                                  |
:00402DBC FF1544644000            Call dword ptr [00406444]
:00402DC2 A304504000              mov dword ptr [00405004], eax
:00402DC7 3BC7                    cmp eax, edi
:00402DC9 0F8466030000            je 00403135
:00402DCF 33DB                    xor ebx, ebx
:00402DD1 A11C504000              mov eax, dword ptr [0040501C]
:00402DD6 53                      push ebx
:00402DD7 50                      push eax
:00402DD8 68C8000000              push 000000C8
:00402DDD FF3504504000            push dword ptr [00405004]

* Reference To: USER32.SendMessageA, Ord:01F9h
                                  |
:00402DE3 FF15E4644000            Call dword ptr [004064E4]
:00402DE9 68D0020000              push 000002D0
:00402DEE 6A5A                    push 0000005A
:00402DF0 56                      push esi

And if you scroll up a little bit you will see this:

:00402CF5 750E                    jne 00402D05
:00402CF7 53                      push ebx
:00402CF8 E843040000              call 00403140
:00402CFD 85C0                    test eax, eax
:00402CFF 0F8430040000            je 00403135

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:00402CF5(C)                     <--------------- Hmmm, what is this???
|
:00402D05 33FF                    xor edi, edi
:00402D07 891D30554000            mov dword ptr [00405530], ebx
:00402D0D 57                      push edi
:00402D0E B800000080              mov eax, 80000000
:00402D13 53                      push ebx
:00402D14 57                      push edi
:00402D15 57                      push edi
:00402D16 57                      push edi
:00402D17 50                      push eax
:00402D18 57                      push edi
:00402D19 50                      push eax
:00402D1A 680000CF00              push 00CF0000
:00402D1F 6800104000              push 00401000
--------------------------------------------------------------Cut here--------------------------------------------------------

You see that it says "* Referenced by a (U)nconditional or (C)onditional Jump at Address: |:00402CF5(C)". This means that our string "Edit" was referenced by a conditional jump from 00402CF5. The (C) means that the jump was Conditional, and if you see a (U) after the address it means it was an Unconditional jump. Now we can go to the address where this jump takes place by clicking the "Go to Code Location" button and writing the address in the box. We write 00402CF5, we click OK, and boom, we land here:

---------------------------------------------------------------Cut here--------------------------------------------------------
:00402CCB 6A01                    push 00000001
:00402CCD A3E0554000              mov dword ptr [004055E0], eax
:00402CD2 53                      push ebx

* Reference To: USER32.LoadAcceleratorsA, Ord:018Eh
                                  |
:00402CD3 FF1534644000            Call dword ptr [00406434]
:00402CD9 A3D8554000              mov dword ptr [004055D8], eax
:00402CDE 393DE0554000            cmp dword ptr [004055E0], edi
:00402CE4 0F844B040000            je 00403135
:00402CEA 3BC7                    cmp eax, edi
:00402CEC 0F8443040000            je 00403135
:00402CF2 397D0C                  cmp dword ptr [ebp+0C], edi
:00402CF5 750E                    jne 00402D05          <------ We land here
:00402CF7 53                      push ebx
:00402CF8 E843040000              call 00403140
:00402CFD 85C0                    test eax, eax
:00402CFF 0F8430040000            je 00403135
---------------------------------------------------------------Cut here--------------------------------------------------------

So this means that the instruction at address 00402CF5 makes the jump to the string "Edit". For the moment you might get confused and you
may say "OK, and how will this shit help me crack a prog???". OK, think that you have a prog that, when you put your serial in the Reg box, displays a "Wrong" message. If you disassemble the prog and search for the string "Wrong", by double-clicking you will land on the address of the string. By scrolling a little bit you will find a reference similar to the one we found before:

* Referenced by a (U)nconditional or (C)onditional Jump at Address:
|:004xxxxxxx(C)

So if you know where the jump takes place you will be able to modify the code to make it jump when our code is wrong, or to NOP it in order to make it Non OPerative, so that it will always say "Thank you" every time we enter a wrong serial. Cool, isn't it???

Debugging with W32Dasm
~~~~~~~~~~~~~~~~~~

As I mentioned above, W32Dasm is a debugger too. When it comes to comparing it with SoftICE it has no chance, but I believe it is very powerful. It can debug only a disassembled file, but you can experiment with a prog by modifying Registers and Flags on the fly. In order to start debugging you must click the "Debug" menu and then "Load Process", or even attach the disassembled file to a running process. OK, hit "Load Process" and you will see 2 smaller windows pop up. The left window shows us the Registers, the Flags and other useful stuff, but the most useful goodie is the "Modify Data" button. There we can modify the code of the prog (for example to change the jump to "bad serial" into a jump to "good serial") in order to test (debug) what happens. In the right window we see the code of the prog, with the gray line on the instruction that is next to execute. We also see the buttons "Goto Address", "Patch Code", "Terminate", "Pause", "Run" etc. Hit the "Run" button now; you see Notepad fired up.
No, we will not do anything more at the moment, just hit "Terminate" and then "Close Dialogs".
--------------------------------------------------------------------------------------------------------------------------------------------------

Tools for W32Dasm
~~~~~~~~~~~~~~

A very nice tool (better call it an add-on) for you to have is VBRef by DEATH, which can create string references from Visual Basic progs. You can find it at http://crackpltools.prv.pl/
Another one that patches W32Dasm and gives it some more functions, like Visual Basic strings and QuickEdit, is Harlequin's patch, also found at http://crackpltools.prv.pl/
--------------------------------------------------------------------------------------------------------------------------------------------------

Some quick Assembly
~~~~~~~~~~~~~~~~

Here is a quick reference to Assembly which I found in a Lockless (http://www.lockless.com) tutorial:

Jumps:

Hex:          Asm:    Means
---------------------------------------------------
75 or 0F85    jne     jump if not equal
74 or 0F84    je      jump if equal
EB            jmp     jump directly to
90            nop     no operation
77 or 0F87    ja      jump if above
0F86          jna     jump if not above
0F83          jae     jump if above or equal
0F82          jnae    jump if not above or equal
0F82          jb      jump if below
0F83          jnb     jump if not below
0F86          jbe     jump if below or equal
0F87          jnbe    jump if not below or equal
0F8F          jg      jump if greater
0F8E          jng     jump if not greater
0F8D          jge     jump if greater or equal
0F8C          jnge    jump if not greater or equal
0F8C          jl      jump if less
0F8D          jnl     jump if not less
0F8E          jle     jump if less or equal
0F8F          jnle    jump if not less or equal

Registers:

EAX EDI ESI EDX ECX EBX EBP ESP
--------------------------------------------------------------------------------------------------------------------------------------------------

""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""
Thanks for reading this shit. I hope you gained some knowledge from this tut.
My main goal was to help people who are interested in starting with the art of cracking (not even newbies) but didn't know what tools to get and how to make them work. If you think that I should add some stuff to this tut, or anything else, you can send me your ideas at basdog22@yahoo.com; I would appreciate it.
""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""""

In my next tutorial, version 1.2, I will describe how SoftICE works, and a very easy CrackMe will be included which we will crack together. Till then go out there and have a drink with your girl and have fun, because the real life is out there...

to be continued...
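Added worked example (not part of basdog22's tutorial): how the "* Referenced by a (C)onditional Jump at Address:" line in the W32Dasm listing above is derived from the raw bytes. The script parses listing lines in W32Dasm's ":ADDRESS BYTES MNEMONIC OPERANDS" format, decodes the displacement of every short (7x, EB) and near (0F 8x, E9) jump, so it covers every jump in the "Some quick Assembly" table and a few more, rebuilds the cross-reference map, and refuses a line whose bytes do not agree with the target the disassembler printed. The sample listing is constructed from the Notepad.exe lines quoted in the tutorial.

```python
import re
# Constructed sample: lines copied from the W32Dasm listing of Notepad.exe quoted above.
LISTING = """\
:00402CF2 397D0C                  cmp dword ptr [ebp+0C], edi
:00402CF5 750E                    jne 00402D05
:00402CF7 53                      push ebx
:00402CF8 E843040000              call 00403140
:00402CFD 85C0                    test eax, eax
:00402CFF 0F8430040000            je 00403135
:00402D05 33FF                    xor edi, edi
:00402DC9 0F8466030000            je 00403135
"""
# A listing line is  :ADDRESS  HEXBYTES  MNEMONIC  [OPERANDS]
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\w+)(?:\s+(.*))?$")

def decode_jump(addr, code):
    """(kind, target) for a jump at addr encoded by bytes `code`, else None.
    kind is 'C' (conditional) or 'U' (unconditional), as W32Dasm labels them.
    target = address of the next instruction + sign-extended displacement."""
    op = code[0]
    if len(code) == 2 and (0x70 <= op <= 0x7F or op == 0xEB):      # 7x / EB + rel8
        rel = int.from_bytes(code[1:], "little", signed=True)
        return ("U" if op == 0xEB else "C"), (addr + 2 + rel) & 0xFFFFFFFF
    if len(code) == 5 and op == 0xE9:                               # E9 + rel32 (jmp)
        rel = int.from_bytes(code[1:], "little", signed=True)
        return "U", (addr + 5 + rel) & 0xFFFFFFFF
    if len(code) == 6 and op == 0x0F and 0x80 <= code[1] <= 0x8F:  # 0F 8x + rel32 (jcc)
        rel = int.from_bytes(code[2:], "little", signed=True)
        return "C", (addr + 6 + rel) & 0xFFFFFFFF
    return None

def jump_xrefs(listing):
    """Map target -> [(source, kind), ...]: the data behind W32Dasm's
    '* Referenced by a (U)nconditional or (C)onditional Jump at Address:' lines.
    Raises if the decoded target differs from the one printed in the listing."""
    xrefs = {}
    for line in listing.splitlines():
        m = LINE_RE.match(line.rstrip())
        if not m:
            continue
        addr, code, operand = int(m[1], 16), bytes.fromhex(m[2]), m[4]
        decoded = decode_jump(addr, code)
        if decoded is None:
            continue                      # not a jump (push, call, cmp, ...)
        kind, target = decoded
        if operand is None or int(operand, 16) != target:
            raise ValueError(f"{addr:08X}: bytes decode to {target:08X}, listing says {operand}")
        xrefs.setdefault(target, []).append((addr, kind))
    return xrefs
```

jump_xrefs(LISTING) yields 00402D05 referenced by :00402CF5(C) (exactly the line the tutorial asks about) and 00403135 referenced by :00402CFF(C) and :00402DC9(C); the arithmetic for the first one is 00402CF5 + 2 + 0E = 00402D05.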