-----T U T O R I A L No.1--------

Most interesting way for finding a serial number, written by glupi!

This is a tutorial on how to find serials for the game PetWings.

PROGRAM: PetWings
VERSION: 1.0
EMAIL: jjsoft.geo@yahoo.com
URL: http://welcome.to/jjsoft/

Tools needed:
W32Dasm 8.93
Pen & Paper
Notepad.exe
Brain - not necessary

Something about the game:

OVERVIEW
PetWings is a classic arcade style shooting game with cute cartoonish graphics, 53 game levels, 5 huge bosses and a 6-level fire power-up. This game is Shareware but you can play the entire Episode 1 (consists of 16 stages) without registration.

HOW TO PLAY
Select an episode to play at the title screen. Each episode consists of 16 stages. You will encounter a huge boss at stage 8 and stage 16. Shoot the flying creatures and they will drop magic potions. Your fire power will be increased after collecting 60 potions. The maximum fire power you can gain is 6. The game is over when your life energy is gone. You may continue the game if you have more than 60 potions. You will lose 60 potions after continuing, and that implies your fire power level will be decreased too.

REGISTRATION
PetWings is Shareware. You need to register to play all three episodes. The registration fee is $5 (US currency) and it will give you more challenging levels with new tricky creatures and new tougher bosses! Online registration using a credit card is available at the JJsoft homepage. It is simple, secure and quick. Please visit the JJsoft homepage for more information. After registration, you will receive a registration key via E-mail. Select "Register" at the title screen and enter the registration key.

Let's examine the game a little:

Start the game. You will be able to play only episode one (unregistered version). If you choose episode 2 or episode 3 you will be told that this is the unregistered version and you can choose to go >back to menu< or >read manual<, in which case it will open Manual_E.htm in your favorite www-browser.
On the Main menu you can also choose RANKING or REGISTER or simply EXIT. If you enter any serial number on REGISTER it creates, in the directory where the game is, the file Register.dat. If you open it later with Notepad you will see your wrong serial or.... if you are extremely lucky, the right serial! If you go to RANKING you will see that a dude by the name jjsoft is in each of the eight places, but if you open Ranking.dat with Notepad you will not be able to read shit from this!! It looks like this (left) and actually means this (right):

725F4055382314071254 --> JJSOFT 100
7A5F5C33381A080E00 --> JJSOFT 90
7B5F5C33381A080E00 --> JJSOFT 80
745F5C33381A080E00 --> JJSOFT 70
755F5C33381A080E00 --> JJSOFT 60
755F5C3E3E3C3721 --> GLUPI 60
765F5C33381A080E00 --> JJSOFT 50
775F5C33381A080E00 --> JJSOFT 40

WooW..... bad thing..... that means that I can't simply edit it (like in the game Minesweeper, winmine.ini, and be better than my sister)...... bummer... Not completely, you will see later... ok... let's take care of some serious business.....

Let's start:

This tutorial supposes that you are familiar with cracking and know how to use W32Dasm (it means you know how to open the file that needs to be disassembled and how to find string references). ok! Let's disassemble Petwings.exe (it is huge, 4,012 kb, but it does not take too long). Now! Let's look at the string references (means press the button named "Strn Refn", that is the button next to the last one). ok! You will get something like this:

" ((((( "
" "
"%s"
"]_^["
"<"
"0"
"0123456789ABCDEF"
"120,"
"725D4055223E4A5C42191C0000" ---> looks interesting!!!
"725D405531212229200D050F00" ---> and this too!!!
"-CHEAT MODE-" ---> this means that we can use a cheat in the game, I guess
"close all"
"COPYRIGHT 1999 JJSOFT"
"Copyright 1999 PetWings"
"DIRECTION"
"DIRECTION_REVERSE"
"DIRECTION_TO_MYCHARA"
"Enter Registration Key" ---> interesting to us if you wanna crack the game
"Enter Your Name "
"ERROR"
"Failed to create application window."
"Failed to create DirectDraw object."
"Failed to create DirectInput object."
"Failed to initialise palette."
"Failed to register Window class."
"Failed to restore surfaces."
"Failed to set up Full-screen mode."
"GOSUB"
"GOTO_LABEL"
"INCR_FRAME"
"It costs 60 potions to continue."
"JJWindowClass"
"LABEL"
"Manual_E.htm"
"MOVE"
"Music01.mid"
"Music02.mid"
"Music03.mid"
"open %s type sequencer alias MUSIC"
"open"
"PetWings Message"
"PetWings"
"play MUSIC from 0 notify"
"play MUSIC notify"
"PLAY_SOUND"
"r"
"Ranking.dat" ---> here the high scores will be stored
"Register.dat" ---> and there our serial number will be stored
"REPEAT"
"REPEAT_END"
"RETURN"
"ROTATE_LEFT"
"ROTATE_RIGHT"
"SET_BULLET_OFFSET"
"SET_FRAME"
"SHIFT_X"
"SHIFT_Y"
"SHOOT"
"SPEED"
"SPEED_PERCENT"
"stop MUSIC"
"STOP"
"UNREGISTERED" ---> this is what we get if we don't know the serial
"w"
"WAVE"

Let's look at the lines I marked!!! We can notice that the game has a -cheat mode-. You can't guess whether the cheat mode is entered by pressing the right keys or by entering the right serial (that is our case, as we will see later). The things that take my attention are those long numbers (hex) we marked first:

725D4055223E4A5C42191C0000
725D405531212229200D050F00

Maybe it is our serial.... is it really that easy, you wonder? Only in some cases; in our case when you try to enter it you will be surprised that the serial number can't be that long (you can enter max. 10 letters). What are those too long numbers for? In a minute.... First I would like to explain that this thing isn't as stupid as it sounds!!! Yeah, I hear you: a programmer will put the serial number right in front of your nose, yeah right.. What stupid thinking..... NO!!!! In some cases it is exactly that. For example, if you disassemble the program

PROGRAM: Letter Chase Typing Tutor
Version: 3.0
URL: http://www.regsoft.com/
Letter Chase Typing Tutor 3.0 is Copyright 1998, 1999 by David Ray
For more than 100 users contact me at: s22k77@granitecity.com

you will find six strange strings.......
They are:

aer758om
5599c33m
5500c33m
57caee9m
hb456bnm
1414ytym

and when you try to enter them as your Unlock code (all of them work!!!) with any name you will get the "Thank you for registration!!!!" message. ok, so in our case that is not so.... don't laugh at me for trying. What now, you wonder?????? If you carefully read the tutorial maybe you will get an idea.......... ok, I give you two more minutes............

NO idea!!!! Ok, look at my idea. Remember at the beginning of the tutorial that name and score are entered in the file ranking.dat in a peculiar way... I can't read JJSOFT 100 from 725F4055382314071254, can you? It is encrypted in some way (whatever it is, I can't read that...). The idea is this: why don't we try to use the same decryption in our case (we got two long numbers). So let's modify Ranking.dat by putting the two long numbers (strings, call them whatever you want) instead of the first two lines, just replace them. After modifying, ranking.dat should look like this (left) and actually means this (right):

725D4055223E4A5C42191C0000 --> PW-469-99 120
725D405531212229200D050F00 --> CHEAT-469 120
7B5F5C33381A080E00 --> JJSOFT 80
745F5C33381A080E00 --> JJSOFT 70
755F5C33381A080E00 --> JJSOFT 60
755F5C3E3E3C3721 --> GLUPI 60
765F5C33381A080E00 --> JJSOFT 50
775F5C33381A080E00 --> JJSOFT 40

Woooooouuuuuuw, it looks like it works, I think..... Let's go on to the registration window and enter PW-469-99, and we can play EPISODE 2 and EPISODE 3. ok! If we enter CHEAT-469 we will be able to play EPISODE 2 and EPISODE 3 and we can cheat a little bit if you press:

F1 - you will get a Power-Up (stronger weapon, Power 6 is max.)
F2 - get an extra life
F5 - play the next level (skip the current level)
F6 - replay the level
F7 - play the previous level (you are back one level)

NOTE: If you can't find "-" on the REGISTER window, edit the file Register.dat manually with Notepad.
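As an added example (not part of glupi's tutorial), here is what the game's "encryption" of Ranking.dat actually is, worked out from the records quoted above: XORing the GLUPI 60 record against its plain text gives back the start of the string "Copyright 1999 PetWings" that W32Dasm listed, and the same static key stream covers the registration keys, which is why the trick works. The "score,name" layout (compare the "120," string reference), the key text beyond its first 13 bytes, and the mixed-case stored name "JJsoft" are inferences from the page's data, not statements by the author; the lesson for anyone storing license data is that a fixed XOR key with known plaintext nearby falls to a single record.

```python
# Added example, not part of glupi's tutorial: known-plaintext analysis of the
# Ranking.dat records quoted on this page. It shows why a static XOR key stream
# reused for every record (and for the registration keys) is obfuscation, not
# encryption. Assumptions inferred from the page's data, not stated by the author:
# records are stored as "score,name" and the key stream is the string
# "Copyright 1999 PetWings" from the string references; only its first 13 bytes
# are confirmed by the records below.

# Hex records copied from the tutorial.
RANKING_RECORDS = [
    "725F4055382314071254",  # shown by the tutorial as JJSOFT 100
    "7A5F5C33381A080E00",    # JJSOFT 90
    "755F5C3E3E3C3721",      # GLUPI 60
]
SERIAL_RECORDS = [
    "725D4055223E4A5C42191C0000",  # first long string from the string references
    "725D405531212229200D050F00",  # second long string
]

ASSUMED_KEY = b"Copyright 1999 PetWings"


def recover_key_stream(cipher_hex: str, known_plain: str) -> bytes:
    """Known-plaintext recovery: with XOR, cipher ^ plain gives the key bytes."""
    cipher = bytes.fromhex(cipher_hex)
    return bytes(c ^ p for c, p in zip(cipher, known_plain.encode("ascii")))


def xor_record(data: bytes, key: bytes) -> bytes:
    """Apply the key stream; XOR is its own inverse, so this encodes and decodes."""
    if len(data) > len(key):
        raise ValueError("record longer than the known key stream")
    return bytes(d ^ k for d, k in zip(data, key))


def decode_record(cipher_hex: str, key: bytes = ASSUMED_KEY) -> tuple[int, str]:
    """Decode one Ranking.dat record into (score, name)."""
    plain = xor_record(bytes.fromhex(cipher_hex), key).decode("ascii")
    score, name = plain.split(",", 1)
    return int(score), name


def encode_record(score: int, name: str, key: bytes = ASSUMED_KEY) -> str:
    """Produce the hex text the game stores for a record (checks the round trip)."""
    return xor_record(f"{score},{name}".encode("ascii"), key).hex().upper()


if __name__ == "__main__":
    # The GLUPI record alone leaks the first 8 key bytes: b"Copyrigh".
    print(recover_key_stream("755F5C3E3E3C3721", "60,GLUPI"))
    for rec in RANKING_RECORDS + SERIAL_RECORDS:
        print(rec, "->", decode_record(rec))
```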
When you edit register.dat you must be careful: if you get PW-469-99 OZK 120 or something else, that means that you have some free space at the end of the first line (hit delete a few times to correct it).

FINAL NOTE: I played the game on a Pentium 166 MMX and I needed the cheat badly! When I played on a 486/80 MHz then it was easier, but not too easy to play!!! Maybe if you want to cheat, slow your computer down a little bit.

Thanks go to!!!!!
Jessie (she is a girl, I think so!) for correcting the bunch of errors!!!
tkc for his great tutorial (just keep going, I learned a lot from you)
Gretz CrOator & Dr.Jones, RoToR, keySpector, HRVSCORPIO, and all the other crackers from Croatia!!! and to all crackers all over the world!!!!!!!

You can contact me on e-mail: glupii@mailcity.com
Sorry for my very bad english.

o some API function code, but we can also see what the message that caused SoftICE to break was (WM_DESTROY). This gives us a fair idea of what API function we are in. Still, let's press F12 (23 times) till we get back to our program code. Here we can see we return from the function DestroyWindow. You could just carry on from here but I prefer to keep things tidy by setting a 'BPX DestroyWindow', clearing the button breakpoint with 'BC 0', leaving SoftICE and entering the serial number again.
Ok, so we are in the program just after the DestroyWindow call. Now press F11 to get back to the program and F12 till the 'Invalid Serial' box shows up (8 times). Count the number of times you press F12. This time do it again and press F12 once less (7 times), and we know we are just before the call to the 'Invalid' box.
We can see the code 'Call 004688D4' and we know that if we execute this code we will get our 'Bad Boy' message so we need to press F8 to go into this function call.
Inside we see several more calls, and we don't want to start tracing through all of them, so clear all our breakpoints with 'BC *' and set a new one at this foothold: 'BPX 0177:004688D7'. Now we start to press F10, noticing what the code is doing after each call as we go. The flow is pretty straightforward for the first few calls, but the fourth presents us with a jump, so we jump, and two calls later we get our message. I wonder what would happen if we didn't jump. Let's try. Enter your number again and we break at 004688D7, F10 down to the 'jz 0046896E', and SoftICE tells us we are going to jump. So let's change the zero flag so we don't jump. I have mouse support on, so I can do this by clicking on the 'Z' zero flag and pressing 'INS' to toggle it. If you don't have mouse support you can do the same thing by typing 'R FL Z'. So now we don't jump; press Ctrl+D to leave SoftICE and we get the 'Good Boy' message. Is this all we need to do to register the program, patch this instruction? If you check your available games you will see we are still not registered.
So we go round again. This time we know that the value of 'AL' determines whether we jump or not; just before the 'Test AL, AL' we have another 'Call'. This Call must set AL and therefore must be our serial checking routine. So this time we F8 into this routine at 00469024. Whoa! Hundreds of Calls. Not to worry, let's do the same old routine again: F10 our way through them, watching what happens. At 0049083 we get another jump dependent on 'AL'. If we follow this we are very quickly dealt with and kicked out to the 'Bad Boy' message, so let's trace into the instruction 'Call 00450184' that sets up 'AL'. At this point you probably start to realise the importance of dropping some breadcrumbs on your way into the dark codewoods. I tend to set a new BPX every time I F8 into a Call, disabling all other BPX's ('BD *') so that I can quickly return to where I left the last path.
Look at all them Calls; never mind, we do the same process again. Before we move off though, I always like to take a quick look at where we are going: by holding down the Ctrl key and using the up/down arrows we can scan the code ahead in SoftICE. I usually just quickly browse down to the 'Ret' statement to see what we might expect. In this case we see four 'CMP' instructions before we leave; that's kind of hopeful. So press F10 to return to where we left off and onward we go. We come to a jump at 004501DA, but look where it jumps to! It jumps over all our lovely CMP instructions and leaves the function, not really what we want to do. So what is the jump dependent on? 'CMP EAX,14'. So let's take a look at the code around here. Just before the call we see we move ebp-04 into EAX. What does ebp-04 contain? Type ':dw ebp-4' and we can see the dword at ebp-4 contains an address. What is in this address? Remember the words are swapped around (the address is stored low word first)! So to view the address you need to type the second word first followed by the first word. E.g.: I type 'dw ebp-04' and SoftICE shows:
017f:006DF8B4 8198 00C1 **** **** **** etc (your values may be different)
So to view the address I type ':dw 00C18198'
and there we go, the serial number we entered, which happens to be 10 digits long, which also happens to be the value stored in EAX. So we now know that our serial number must be 14h (20) characters long. Set a breakpoint, make it so, and return.
Now we don't jump, and we have the first definition of our real serial number. We carry on and come to another jump at 00450243. So we take a look around again and see two values were moved before our call. We look to see what is in ebp-20 and ebp-08 in the same way we did before. What's this? The first two digits of our serial number and the letters 'QR'. It doesn't take much to figure out that our first two digits probably should have been 'QR'. We can make it so and return; I prefer to just alter the 'Z' flag and carry on. And another jump; we do the same thing here. Note: here we see the dangers of carrying on too far with the wrong serial number. This function compares digits 11 and 12 of our serial number with the letters 'FV'; because my original number is only 10 digits long and I have been cheating the 'Z' flags to keep going, there is nothing in ebp-24 for me. So I go and put in what I know so far and return to here with my new number: 'QR12345678FV98765432'
So we have the second characteristic of our number, and we move on. F10: we hit our next jump at 004502B6, but it is only over one instruction, so let it go, and whoops, we jump back up. I will explain: this loop basically compares each character of our serial number with the digits 1 to 0 in turn; it checks at 004502AD and increments ebp-10 if an occurrence is found. It is in fact making sure that our serial number does not contain more than 5 occurrences of the same digit. To leave the loop (as our number does not contain more than 5 occurrences), 'BPX 004502D4' just after the check to see if ESI is the value ASCII '0', and then F11.
Now we have a whole bucket full of Calls to F10 through, no jump and we come down to our lovely 'CMP' instructions here surely all will be revealed.
At the very first 'CMP' we fail. EDI = A (10 decimal) in our case and the program is looking for 13h. We look at all the addresses around the compare: nothing, no sign of our serial number. How did EDI come to contain A????? We must have missed something in the preceding calls.
At this point I leave you; as I said at the beginning, I would not give you the serial number, the author deserves better than that. I will tell you this: once you have satisfied the four compare statements you will have your serial number. Everything you need to know is contained between your last BPX at 004502D4 and these compare instructions, and you do not need to trace into any calls. F10 all the way. You should check what is being loaded into 'DL' before the calls and where the result is moved or added after the calls.
Good luck and enjoy.
In Conclusion
During the cracking of this program I learnt not to get too overwhelmed with all the Calls and jumps; don't get too involved with the details of the code. Swing your rifle barrel about a bit until you can narrow your aim to a specific target, then you can concentrate on the more detailed code. F10 F10 F10 F10 and drop plenty of breadcrumbs on your way in.
Final Notes
Cracking is a hobby, a challenge, a sport, if you use it buy it.
I would like to thank The Sandman for making The Newbies Forum available, without it I would still be lost in the dark codewoods, ALONE!
Thanks to the snake and everybody on the newbies forum.
Essay by: ShADë
Page Created: 1st October 1999