

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
               XXXX        proudly presents his 1st Cracking Tutorial (20.01.1999)
               XX

I.   Introduction
I.1  What is cracking and how can I learn it
I.2  Is cracking illegal ?
I.3  Aims of this document
I.4  Tools you need for my tutorial
II.  Cracking(?), the lamer(?) way
III. Cracking with Win32Dasm
IV.  Cracking with Soft-Ice for Windows
IV.1 Installing Soft-Ice
IV.2 Let's start cracking
V.   Writing a patch in C++
VI.  BTW

I.   Welcome to my first cracking tutorial.

I.1  What is cracking and how can I learn it:
     Cracking is the modification of - mostly shareware - programs so that they keep working
     after the time limit has expired, to remove nag-screens, to remove copy protections or to
     obtain the password needed to register them directly.
     Actually I can't say how to become a good cracker because I'm still a newbie, but there
     are two important things you should do: Read, read, read, read as many cracking tutorials
     as you can find !!! (Start at www.fravia.org or http://Qserve.8m.com) and practice. Install
     programs only to crack them, then try your skills and remove them once you have the crack
     or have lost hope (patience is very important).

I.2  Is cracking illegal ?
     There are several opinions on the web that say it is illegal and several that say it's
     not. I believe that manipulating the code of a program or patching it with a hex editor
     is absolutely illegal. Searching for correct registration numbers should not be illegal,
     or should even be legal. Who cares when I look at my RAM and see - accidentally of
     course ;-) - the correct serial number for a program.

I.3  Aims of this document:
     In the very beginning of my cracking time I searched for tutorials to learn from, but
     most of them were so bad that no newbie could follow them, although they were written
     for newbies. Now I want to write a tutorial for all those newbies who think that cracking
     is way too hard for them, only because they can't find a good example of a crack. I want
     to write down every single step, from installing the tools and the first start of the
     program to be cracked up to the finished crack, and do this in several ways.

I.4  Tools you need for my tutorial
     Win32Dasm 8.9  (get at http://Qserve.8m.com)
     Soft-Ice for Windows (get at http://Qserve.8m.com)
     A hex-editor, I prefer Hex Workshop 2.54 (get at www.bpsoft.com; change the bytes at
                                               909A and 256B4 to 85, then you can register
                                               it with any serial#)
     Jaylock, the program to be cracked (get at http://Qserve.8m.com; Tutorials section; you 
                                         download it with another tutorial from Quantum-X)
     Get a Windows-API reference (included with any Borland/Inprise programming language).
     
II.  Cracking(?), the lamer(?) way
     The first way is no real cracking. Several shareware programs have a really weak
     procedure for calculating the correct serial#. It seems they use only multiplication
     in their calculation, so when you enter 0 in every text field the correct serial will
     also be 0. No joke, I've seen several apps that use such a scheme, especially if the
     serial doesn't depend on a name or other string but on a number, for example a
     Product-ID (Jaylock does this).
     Try this way first, so you can save time if you're lucky. Don't try this on Jaylock,
     because it works and you wouldn't need to read this tutorial any further. If you really
     want to try, delete the entry HKEY_LOCAL_MACHINE\Software\Jaytown\Jaylock\SeedPadding in
     the Windows registry. If you don't know how to do this, learn to handle Windows properly
     first and come back to cracking when you know how to use the Windows registry.
     OK, don't expect too much from this way of cracking(?). It will only work with 0.5% of
     the programs you try it on.
     The question marks in the headline: I don't think it is real cracking, but it can save
     you time and thus it's no lamer way.

III. Cracking with Win32Dasm:
     First make a copy of Jaylock.exe, because you can't use Win32Dasm and a hex editor on the
     same file at the same time. Then start Jaylock. A registration screen appears where you
     should enter the serial# you received. You didn't register it ? Bad boy. Seems you need
     to crack it to get the full version. You can see a "unique" product ID (HAHAHA, it is
     stored in the Windows registry under HKEY_LOCAL_MACHINE\Software\Jaytown\Jaylock\PrimeFactor;
     at least he didn't use obvious key names). If you want you can change it in the registry
     to whatever you like, but then you have to restart Jaylock. OK, below the ID you see a
     text field where you can put in your serial number. Put in any number you want and press
     the OK button. Now a message box should appear saying that this is not the correct
     registration code. If it doesn't, you already have a cracked version, or you guessed the
     correct serial#: Congratulations.
     Write down the error message saying that it was the wrong serial#, or at least its first
     four words. Now quit Jaylock and start Win32Dasm. Open Jaylock.exe to disassemble it.
     Now search for the words you wrote down. I used 'This not the' (the typo is the program's
     own, so search for it exactly as shown). You can also do this via the menu [Refs],
     [String Data References], but I prefer the search, because I don't want to step through
     hundreds of string references in some programs. Win32Dasm should have found the place
     where the string is used. You should see this:

     :0040651E 3BC1                    cmp eax, ecx
     :00406520 7438                    je 0040655A
     :00406522 8B8EDC000000            mov ecx, dword ptr [esi+000000DC]
     :00406528 6A30                    push 00000030
     :0040652A 41                      inc ecx

     * Possible StringData Ref from Data Obj ->"Notification"
                                  |
     :0040652B 68AC214300              push 004321AC
     :00406530 898EDC000000            mov dword ptr [esi+000000DC], ecx

     * Possible StringData Ref from Data Obj ->"This not the correct registration "
                                             ->"code. Please go to http://www.jaytown.com "
                                             ->"to obtain you registration code"
                                  |
     :00406536 68A8284300              push 004328A8
     :0040653B 8BCE                    mov ecx, esi
     :0040653D E835A40100              call 00420977
     :00406542 83BEDC00000003          cmp dword ptr [esi+000000DC], 00000003
     :00406549 7516                    jne 00406561
     :0040654B 8BCE                    mov ecx, esi
     :0040654D E81B5E0100              call 0041C36D
     :00406552 5E                      pop esi
     :00406553 81C4F4010000            add esp, 000001F4
     :00406559 C3                      ret

    If you don't see this, something went wrong, or you have a different version of Jaylock
    (this tutorial refers to version 1,0,0,1).
    If you see only garbage, choose another font from the [Disassembler],[Font] menu.
    The line * Possible StringData Ref from Data Obj ->"This not the correct registration " is
    colored differently. This color marks the active line. Scroll up and down a little (max. 2
    seconds) to get a feeling for it.
    Now look at the code above the line:

    :0040650F 51                      push ecx
    :00406510 E8CB180000              call 00407DE0
    :00406515 8B8ED8000000            mov ecx, dword ptr [esi+000000D8]
    :0040651B 83C404                  add esp, 00000004
    :0040651E 3BC1                    cmp eax, ecx
    :00406520 7438                    je 0040655A
    :00406522 8B8EDC000000            mov ecx, dword ptr [esi+000000DC]
    :00406528 6A30                    push 00000030
    :0040652A 41                      inc ecx

    Look upwards until you see any jump instruction. You can recognize them by the 'j' at the
    start of the third column. The first column shows the code offset, the second the hex bytes
    of the instruction that is written out in the third column. Hopefully you found
    je 0040655A. One line up there is a compare (cmp eax, ecx). Now look at the jump. It leads
    to code offset 0040655A. If you look at the code you can see that this target lies beyond
    the 'This not the...' string, and therefore beyond the message box. Now guess: why should
    the code compare something and then jump to a section beyond the error box ? Exactly! Here
    it compares the serial you entered with the one the program calculated. If the serial is
    correct it jumps beyond the box, if not you guessed the wrong serial. Wouldn't it be nice
    if we could change this and turn the jump condition around ? Actually we can do this with
    a hex editor.
    Click on the je line in the middle of the Win32Dasm window and the status bar at the bottom
    shows the file offset we have to change. It is 5920h (the code offset 00406520 is a virtual
    address, not a position in the file, so always use the offset Win32Dasm shows). Write the
    offset down and load the copy of Jaylock you made in the very beginning into a hex editor.
    Go to the offset. The byte at 5920h is 74 - the same 74 you see in the second column of the
    je line (7438). OK, but how to change it ? The assembler code je means 'jump if equal';
    reverse it and you get 'jump if not equal' or jne in assembler. The opcode of je is 74,
    the opcode of jne is 75. So we could change the 74 to 75. STOP! Don't do this. Jaylock
    wouldn't accept correct serials any more. Jumping with every serial would be even better.
    You get this by changing the 74 to EB, meaning 'jump' (always) or jmp in assembler. jmp
    short has the same 1-byte displacement (38) as je, so only this single byte changes. Now
    save the edited file, exit the hex editor and start the copy of Jaylock. Input any serial#
    and you will see it worked. If it doesn't, go through this tutorial again and find your
    mistake.
    The crack is nice, but what if you want to distribute it ? What about writing a little
    patcher (C++) for Jaylock. If you want to do this and need help, read chapter V.

IV.  Cracking with Soft-Ice for Windows

IV.1 Installing Soft-Ice
    After installing Soft-Ice there are several difficulties to master. First you have to load
    Soft-Ice before you start Windows, second you have to choose your graphics driver and third
    you have to edit the file 'Winice.dat' in the Soft-Ice directory.
    For the first difficulty I would install a software boot menu in the autoexec.bat and
    config.sys files.
    Example:

    AUTOEXEC.BAT:

    @Echo Off
    REM Here put in your normal stuff, like drivers
    REM %CONFIG% holds the name of the block chosen in the CONFIG.SYS menu
    goto %CONFIG%

    :SICE
    C:\SIW95\WINICE.EXE
    goto common
    :NORM
    goto common
    :common
    End of file

    The lines starting with ':' are labels, the places a 'goto' jumps to.
    The 'goto' lines are the jumps. Without the 'goto %CONFIG%' line the batch file would
    run straight on into the :SICE block and load Soft-Ice every time.

    CONFIG.SYS:

    [menu]
    menuitem SICE,Soft-Ice
    menuitem NORM,Normal Mode
    menudefault NORM,5

    [SICE]
    [NORM]
    [common]
    Put your normal stuff here.

    End of File

    Next difficulty: Start VSetup in the SI directory (Soft-Ice = SICE = SI). If your video
    card isn't listed there, choose VGA, because SI won't work if you choose anything else.
    If you have to choose VGA you need a hardware boot menu too, because you have to switch
    between the video drivers when you start Windows in normal mode or in SI mode. You can do
    this in the Windows Control Panel/System: copy your hardware profile and disable your video
    card in the new profile. Save. Next time you start Windows you can choose both the hardware
    profile and the software (boot menu) you wish to load. If you disabled your video card and
    you start Windows-SI there are some error messages asking you to choose graphics drivers.
    Just [ESC] them away.

    Third difficulty:
    No real difficulty. Load the file winice.dat in a text editor and remove the ; from the lines
    ;exp=c:\windows\system\kernel32.dll
    ;exp=c:\windows\system\user32.dll
    ;exp=c:\windows\system\gdi32.dll

    which stand below the lines
    ; ***** Examples of export symbols that can be included for Chicago *****
    ; Change the path to the appropriate drive and directory

    (adjust the path if your Windows directory is elsewhere). Without these exports SI can't
    resolve API names such as GetWindowTextA when you set breakpoints.

    IV.2 Let's start cracking
    Now restart your computer with the SI configuration. In Windows press [CTRL]+[D] to see if
    you can bring up SI. If nothing happens, you forgot to load SI in your Autoexec.bat; if the
    screen is black although you have already chosen video drivers, you have a little problem.
    Try to fix it with the help of the WWW.

    In SI you can read out the RAM of your PC, set breakpoints on nearly everything and, most
    important, CRACK. All addresses in this tutorial start with XXXX: because the segment
    selector can be different on different computers.
    Start SI with [CTRL]+[D]. You see many digits and chars. Press [CTRL]+[D] again quickly to
    get out of SI and recover from the shock. Don't be afraid, it is not as difficult as you
    often read.
    Start Jaylock and put in any serial# you wish. Don't hit [ENTER] yet. You should know
    that there are several API functions you can break on in SI. The most common ones for a
    string entry are GetDlgItemText and GetWindowText for 16-bit programs and GetDlgItemTextA
    and GetWindowTextA for 32-bit programs. If SI doesn't accept these names, see the
    Installing SI section (the exp= lines in winice.dat).
    Get into SI and type bpx GetWindowTextA. Go back to Jaylock and hit [ENTER]. You should be
    kicked back into SI. Don't care about what you see. Press [F11] and you get back to the
    point where the function was called. Press [F10] to step through the code. If the
    addresses you see in the big part of the window look like XXXX:XXXX, don't care about them.
    Keep on stepping. If they look like XXXX:XXXXXXXX, slow your stepping down. Step through
    the code until you can't step any further and write down the address of the last
    conditional jump. Out of SI. You can't step further at address XXXX:0040653D (the call
    that shows the message box). Look at the Win32Dasm crack at offset 0040653D: it is the same
    code as in SI. The last conditional jump was XXXX:00406520. Now go into Jaylock again and
    hit [ENTER]. BLAM! Back in SI. Press [F11]. Step through the code until you come close to
    XXXX:00406520. Stop there.
    At the right of the SI screen NO JUMP should appear when the je line is highlighted.
    Now we have three ways to crack it.

    First way:
    Disable the breakpoints with bd * (and enable them again later with be *).
    The je uses the Zero Flag (ZF) as its condition. Look in an assembler reference if you
    don't know what the ZF is. We can change the ZF. All flags have only two values: set or not
    set. Our ZF is not set, so set it. You can do this with r fl z in SI (the command toggles
    the flag). Now the NO JUMP should change to JUMP. Press [CTRL]+[D] to let Jaylock register
    itself.
    This change is gone when you restart the computer, but the program stays registered.

    Second way:
    Step through the code like in way 1. Don't change the ZF, but the instruction itself:
    je 0040655A at XXXX:00406520 becomes jne 0040655A (SI writes jz and jnz for the same
    opcodes). You do this by typing:
    a XXXX:00406520 [ENTER]
    jnz 0040655A [ENTER] [ENTER]
    When the instruction is changed, just [CTRL]+[D] to register Jaylock. Note that the
    target stays 0040655A; only the condition is reversed, which is fine here because you
    entered a wrong serial on purpose.
    This change is gone when you restart the computer, but the program stays registered.

    Third and best way:
    This time we read out the correct serial#.
    Step through the code like in ways 1 and 2, but don't change anything. Stop at address
    XXXX:00406520. One line above you see cmp eax,ecx. These registers must contain the
    correct serial# and the one you typed in (see the beginning of the Win32Dasm crack). To
    read out eax type ? eax. Three things appear: the hex value of the code you entered,
    the decimal value of the code you entered and its ASCII value.
    So ecx must contain the correct code. Type ? ecx. You see the hex value of the correct
    code, its decimal value (this is what you type in as the serial#) and its ASCII value.
    Get out of SI and put the correct serial# into Jaylock. Congratulations, it is registered.
    (Remember from chapter II that the serial is derived from the product ID, so it only
    fits the product ID shown on your screen.)

    Note: Don't think it is always so easy, most time it isn't.

V.  Writing a patch in C++
    In the Win32Dasm section I told you to write a patch program for the crack. Here is how
    I manage this in C++ 5.0 (only the important part; no messages, just the patch). The
    offset is the file offset from Win32Dasm (5920h) and the new value is the jmp opcode (EB);
    C accepts them as hex literals, so you needn't convert them to decimal. The byte is checked
    before it is written so that a wrong offset doesn't silently corrupt another byte, and
    printf is used instead of Borland's cprintf so it compiles anywhere.

    #include <stdio.h>

    int main(void)
    {
        FILE *handle;
        int old;
        handle = fopen("Jaylock.exe", "r+b");         /* read and write, binary */
        if (handle == NULL)
        {
            printf("No file Jaylock.exe found\n");
            return 1;
        }
        fseek(handle, 0x5920L, SEEK_SET);              /* offset from Win32Dasm */
        old = fgetc(handle);
        if (old != 0x74)                               /* must be the je opcode */
        {
            printf("Unexpected byte %02X at 5920h, not patching\n", old);
            fclose(handle);
            return 1;
        }
        fseek(handle, 0x5920L, SEEK_SET);              /* reposition after the read */
        fputc(0xEB, handle);                           /* je -> jmp */
        fclose(handle);
        return 0;
    }
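    The patcher above trusts that offset 5920h is right. As an added example, not part of this
    tutorial and not Jaylock's or the author's code, here is a patcher that finds the serial
    check by its instruction bytes from the chapter III listing (3BC1 / 74 38 / 8B8EDC000000)
    instead of a fixed offset, refuses to patch if that pattern is missing or occurs more than
    once, tells a fresh file (74, je) from an already patched one (EB, jmp) and from anything
    else (for instance 75 if somebody made the jne mistake described in chapter III), and
    reports the file offset it patched; on the Jaylock version used here that should come out
    as 5920h. The file name Jaylock.exe, the result codes and the embedded sample image (a
    constructed copy of the listed bytes, not a real executable) are assumptions made for this
    example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Instruction bytes from the chapter III listing at 0040651E: cmp eax,ecx /
 * je 0040655A / mov ecx,[esi+0DCh]. Index 2 is the jump opcode and is treated
 * as a wildcard when matching, so a fresh (74) and a patched (EB) file both match. */
static const unsigned char SIG[] = { 0x3B, 0xC1, 0x74, 0x38,
                                     0x8B, 0x8E, 0xDC, 0x00, 0x00, 0x00 };
#define SIG_LEN   (sizeof SIG)
#define JCC_INDEX 2
#define OP_JE     0x74
#define OP_JMP    0xEB
/* Assumed result codes for anything that is not a patched offset. */
#define NOT_FOUND       (-1L)   /* signature absent, or found more than once */
#define ALREADY_PATCHED (-2L)   /* opcode is already EB */
#define WRONG_OPCODE    (-3L)   /* opcode is neither 74 nor EB (e.g. 75 = jne) */

static int sig_match(const unsigned char *p)
{
    size_t i;
    for (i = 0; i < SIG_LEN; i++)
        if (i != JCC_INDEX && p[i] != SIG[i]) return 0;
    return 1;
}

/* Offset of the single occurrence of SIG in buf, or NOT_FOUND when it is
 * missing or occurs twice (then we cannot know which copy is the serial check). */
long find_signature(const unsigned char *buf, size_t len)
{
    long hit = NOT_FOUND;
    size_t i;
    for (i = 0; i + SIG_LEN <= len; i++) {
        if (!sig_match(buf + i)) continue;
        if (hit != NOT_FOUND) return NOT_FOUND;   /* ambiguous */
        hit = (long)i;
    }
    return hit;
}

/* je (74 xx) -> jmp short (EB xx): both take the same 8-bit displacement, so
 * only the opcode byte changes. Returns the patched offset or a result code. */
long patch_je_to_jmp(unsigned char *buf, size_t len)
{
    long at = find_signature(buf, len);
    if (at < 0) return at;
    at += JCC_INDEX;
    if (buf[at] == OP_JMP) return ALREADY_PATCHED;
    if (buf[at] != OP_JE)  return WRONG_OPCODE;
    buf[at] = OP_JMP;
    return at;
}

/* Read the file, patch the copy in memory, write back only the changed byte. */
long patch_file(const char *path)
{
    FILE *f = fopen(path, "r+b");
    unsigned char *buf;
    long size, at = NOT_FOUND;
    if (f == NULL) return NOT_FOUND;
    fseek(f, 0, SEEK_END); size = ftell(f); rewind(f);
    buf = malloc((size_t)size);
    if (buf != NULL && fread(buf, 1, (size_t)size, f) == (size_t)size)
        at = patch_je_to_jmp(buf, (size_t)size);
    if (at >= 0) { fseek(f, at, SEEK_SET); fputc(OP_JMP, f); }
    free(buf); fclose(f);
    return at;
}

/* Constructed sample, not a real Jaylock.exe: 4 filler bytes, then the bytes
 * listed in chapter III from 0040650F to 0040652A; the je opcode lands at 21. */
static const unsigned char SAMPLE[] = {
    0x00, 0x00, 0x00, 0x00,
    0x51, 0xE8, 0xCB, 0x18, 0x00, 0x00,      /* push ecx; call 00407DE0 */
    0x8B, 0x8E, 0xD8, 0x00, 0x00, 0x00,      /* mov ecx,[esi+0D8h]      */
    0x83, 0xC4, 0x04, 0x3B, 0xC1,            /* add esp,4; cmp eax,ecx  */
    0x74, 0x38,                              /* je 0040655A             */
    0x8B, 0x8E, 0xDC, 0x00, 0x00, 0x00,      /* mov ecx,[esi+0DCh]      */
    0x6A, 0x30, 0x41                         /* push 30h; inc ecx       */
};
#define SAMPLE_JCC 21
unsigned char scratch[sizeof SAMPLE];

/* Copy the sample, set its jump opcode to 'opcode', and run the patcher on it. */
long patch_sample_with(unsigned char opcode)
{
    memcpy(scratch, SAMPLE, sizeof SAMPLE);
    scratch[SAMPLE_JCC] = opcode;
    return patch_je_to_jmp(scratch, sizeof SAMPLE);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "Jaylock.exe";   /* assumed file name */
    long at = patch_file(path);
    if (at >= 0) printf("%s: je -> jmp patched at file offset %lXh\n", path, (unsigned long)at);
    else         printf("%s: not patched (code %ld)\n", path, at);
    return at >= 0 ? 0 : 1;
}
```

    Compile it with any C compiler and run it in the directory that holds the copy of
    Jaylock.exe, or pass another path as the first argument. The wildcard on the opcode byte
    is what lets the tool report ALREADY_PATCHED on a second run instead of "not found", and
    the single-occurrence rule keeps it from patching a look-alike sequence elsewhere in the
    file.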

VI. BTW
    Hope my tutorial was helpful for you and see you again in my next tutorial.
    If not, see I.1 where you can get more information about cracking.
    BTW this tutorial is for educational purposes only. Make sure to get the full version
    legally. I disclaim all responsibility for any trouble you get into.
    
    Greets to: tKC, Ed!son, Moral Insanity, Michael T.
