

                     L                ZZZZZZ         RRRRR           SSSSS
                     L                    Z          R    R         S
                     L          aaa      Z      aaa  R    R  u   u  S
                     L            a     Z         a  RRRRR   u   u  SSSSS
               XX    L         aaaa    Z       aaaa  R    R  u   u       S
              XXXX   L        a   a   Z       a   a  R    R  u   u       S
             XXXXXX  LLLLLLL  aaaaa  ZZZZZZZ  aaaaa  R    R  uuuuu  SSSSSS
             XXXXXX       
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
       XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
        XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
             XXXXXX
             XXXXXX
               XXXX        proudly presents his 2nd Cracking Tutorial (31.01.1999)
               XX

I.    Introduction
I.1   What is cracking and how can I learn it
I.2   Is cracking illegal ?
I.3   Aims of this document
I.4   Tools you need for my tutorial
II.   Cracking with W32Dasm
III.  Cracking with Soft-Ice for Windows
III.1 Installing Soft-Ice
III.2 Let's start cracking
V.    Writing a patch in C++
VI.   BTW
VII.  All Tutorials by LaZaRuS

I.   Welcome to my second cracking tutorial.

I.1  What is cracking and how can I learn it:
     Cracking is the editing of - most of the time - shareware programs to use them after the
     time limit has expired, to remove nag-screens, to remove copy protections or to get the
     password to register them directly.
     Actually I can't say how to become a good cracker because I'm still a newbie, but there
     are two important things you should do: read, read, read, read as many cracking tutorials
     as you can find !!! (Start at www.fravia.org or http://Qserve.8m.com) and practice. Install
     programs only to crack them, then try your skills and remove them once you got the crack
     or lost hope (patience is very important).

I.2  Is cracking illegal?
     There are several opinions on the web that say that it is illegal and several that say
     it's not. I believe that manipulating the code of a program or patching it with a
     hex-editor is absolutely illegal. Searching for correct registration numbers should not be
     illegal, or should even be legal. Who cares when I look at my RAM and see - accidentally of
     course ;-) - the correct serial number for a program.

I.3  Aims of this document:
     In the very beginning of my cracking time I searched for tutorials to learn from, but
     most of them were so bad that no newbie could follow them, although they were meant for
     newbies. Now I want to write a tutorial for all these newbies who think that cracking is
     way too hard for them, only because they can't find a good example of a crack. I want to
     write down every single step, from installing the tools and the first start of the program
     to crack, up to the crack itself, and do this in several ways.

I.4. Tools you need for my tutorial
     Win32Dasm 8.9 (get it at http://Qserve.8m.com)
     Soft-Ice for Windows (get it at http://Qserve.8m.com)
     A hex-editor, I prefer Hex Workshop 2.54 (get it at www.bpsoft.com; change bytes 909A and
                                               256B4 to 85, then you can register it with every
                                               serial#)
     Goldwave v4.02, the program to be cracked (get it at www.goldwave.com)
     Better get a Windows-API reference (included in any Borland/Inprise programming language).
     
II.  Cracking with W32Dasm:
     First make a copy of Goldwave.exe, because you can't use Win32Dasm and a hex-editor at the
     same time on the file. Then start Goldwave. A help-file pops up. This is the nag-screen of
     Goldwave. Close it and load a sound file in Goldwave. In the lower left corner of the main
     window you can see something like Toll: $X.XX. With every action you make, the Toll increases.
     In the Goldwave helpfile you can read that you have an amount of $1.50 every time you
     start Goldwave. Having exceeded this, another nag-screen appears every time you make an
     action. I've made a Goldwave 3.24 crack before and remember that Goldwave writes the serial
     that fits your name into the file [WINDIR]\Goldwave.ini once you have cracked the serial
     check. So we first try to do this again. Disassemble Goldwave.exe with W32Dasm. Meanwhile
     try to register Goldwave. Choose the menu OPTIONS/REGISTER and put in a first name, a last
     name and a fake serial. Push [ENTER] and you see a messagebox saying 'Invalid...'. Keep
     this message in mind, switch to W32Dasm and choose the menu SEARCH/FIND TEXT. Put
     in the first part of the error message from Goldwave (Invalid r). Now you should see this:

     :0042D3C3 E83CF8FFFF              call 0042CC04
     :0042D3C8 59                      pop ecx
     :0042D3C9 84C0                    test al, al
     :0042D3CB 0F85A1000000            jne 0042D472

     * Possible StringData Ref from Data Obj ->"Register"
                                  |
     :0042D3D1 8B1560BB4D00            mov edx, dword ptr [004DBB60]
     :0042D3D7 8B4E66                  mov ecx, dword ptr [esi+66]
     :0042D3DA 8B01                    mov eax, dword ptr [ecx]
     :0042D3DC 6A30                    push 00000030
     :0042D3DE 52                      push edx

     * Possible StringData Ref from Data Obj ->"Invalid registration!  Please "
                                        ->"check your password and try again."
                                   |
     :0042D3DF 6852C54D00              push 004DC552
     :0042D3E4 8B500C                  mov edx, dword ptr [eax+0C]
     :0042D3E7 52                      push edx
     :0042D3E8 8B4868                  mov ecx, dword ptr [eax+68]
     :0042D3EB 51                      push ecx
     :0042D3EC E8958F0500              call 00486386

     Here is the messagebox that appears when you put in a wrong serial#. Do you see the
     jne 0042D472, too? (BTW remember the address 0042D3C3 for the Soft-Ice crack later in
     this tutorial. It is the last call in front of the conditional jump.) This conditional
     jump goes somewhere beyond the messagebox.
     Let's reverse this jump and see what happens. Move the highlighted line onto the jne.
     Now look at the status bar at the bottom of the window. You should see the offset of the
     jump in the file Goldwave.exe. It is @Offset: 0002C9CBh. If you don't see it, move your
     mouse to the center of the screen. Open the copy of Goldwave.exe in your hex-editor and go
     to the offset 0002C9CBh. You see 0F85A1000000. This is the hexcode of jne 0042D472. Change
     it to 0F84A1000000. This is the hexcode of je 0042D472. Now the messagebox shouldn't appear
     when you put in a wrong serial. Try it. YES! There is another messagebox that says that
     Goldwave is now registered. Look in the About-Screen and you see that Goldwave is registered
     to the name you put in. Close Goldwave and restart it. NOOOOO! It is not registered. Seems
     that the programmers have learned from their mistakes. In this version they don't write
     the correct serial# into the Goldwave.ini file, but the serial you put in. This means it is
     not enough to get round the serial check.
     In the Goldwave help you can read that the shareware version of Goldwave is fully functional.
     So let's just crack away the nag-screens. The first one is the helpfile that appears. Now the
     API-Reference would be useful. I tell you, there is a Windows function to open a helpfile.
     It's called WinHelpA. Search for WinHelpA in the disassembled Goldwave.exe. You find it
     twice. The first hit is the definition in the import functions, the second hit is where the
     nag-screen appears. You should see this:

     * Referenced by a CALL at Address: 
     |:00458C08   
     |
     :0044150C 55                      push ebp
     :0044150D 8BEC                    mov ebp, esp
     :0044150F 53                      push ebx
     :00441510 56                      push esi
     :00441511 8B5D08                  mov ebx, dword ptr [ebp+08]
     :00441514 80BB5707000000          cmp byte ptr [ebx+00000757], 00
     :0044151B 752D                    jne 0044154A
     :0044151D 6A00                    push 00000000
     :0044151F E88CF4FFFF              call 004409B0
     :00441524 59                      pop ecx
     :00441525 8BF0                    mov esi, eax
     :00441527 68AE010000              push 000001AE
     :0044152C 6A01                    push 00000001
     :0044152E 56                      push esi
     :0044152F 8B4366                  mov eax, dword ptr [ebx+66]
     :00441532 8B10                    mov edx, dword ptr [eax]
     :00441534 8B4A0C                  mov ecx, dword ptr [edx+0C]
     :00441537 51                      push ecx
 
     * Reference To: USER32.WinHelpA, Ord:0000h
                                  |
     :00441538 E8E52E0900              Call 004D4422
     :0044153D 85C0                    test eax, eax
     :0044153F 0F95C0                  setne al
     :00441542 83E001                  and eax, 00000001
     :00441545 A2342B5000              mov byte ptr [00502B34], al

     Look for a jump that jumps beyond the * Reference To: USER32.WinHelpA, Ord:0000h and you
     will find jne 0044154A. This could be the registered/unregistered check for the first nag-
     screen. Search for the offset 40B1Bh in your hex-editor and change the 75 there to EB. This
     changes the conditional jump jne into the unconditional jump jmp. Save and restart
     Goldwave.exe. The helpfile doesn't appear. We did it. We cracked the first nag-screen.
     Now go for the second one. It appears when you exceed your Toll-limit. The fastest way
     to do this is to load a sound file in Goldwave and push the PLAY button constantly.
     When you reach your toll limit, a messagebox appears saying 'Shareware Toll Limit'.
     Search for this string in W32Dasm and you see this:

     :00458B17 81BB5307000096000000    cmp dword ptr [ebx+00000753], 00000096
     :00458B21 7C6C                    jl 00458B8F
     :00458B23 F6835307000001          test byte ptr [ebx+00000753], 01
     :00458B2A 7563                    jne 00458B8F

     * Possible StringData Ref from Data Obj ->"This shareware has a $1.50 limit "
                                        ->"each time the program is started."
                                  |
     :00458B2C A13C784E00              mov eax, dword ptr [004E783C] 
     :00458B31 8945FC                  mov dword ptr [ebp-04], eax
     :00458B34 8B4DFC                  mov ecx, dword ptr [ebp-04]
     :00458B37 894DF8                  mov dword ptr [ebp-08], ecx
     :00458B3A 8B07                    mov eax, dword ptr [edi]
     :00458B3C 8945F4                  mov dword ptr [ebp-0C], eax
     :00458B3F 6A31                    push 00000031

     * Possible StringData Ref from Data Obj ->"Shareware Toll Limit"
                                  |
     :00458B41 68D77C4E00              push 004E7CD7
     :00458B46 8B55F8                  mov edx, dword ptr [ebp-08]
     :00458B49 52                      push edx

     Look at the jne 00458B8F. This jump goes somewhere beyond the messagebox. Let's change
     it so that it always jumps beyond this box. Change the 75 at offset 5812Ah to EB. This
     means jmp (always). Save and restart Goldwave.exe. Now you can push the PLAY-button as
     often as you want, the nag-screen never appears again. We did it! We cracked Goldwave
     with W32Dasm!
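     As an added example (not part of the original tutorial), the listings above can be checked
     by hand: a relative jump or call stores a signed displacement from the address of the NEXT
     instruction, and W32Dasm's @Offset is just the virtual address minus one constant per PE
     section. The script below decodes every branch quoted in this section from its bytes and
     derives that constant from the three VA/@Offset pairs given in the text (listing lines are
     copied from the tutorial; nothing else is assumed).

```python
import re

# Listing lines copied from the W32Dasm excerpts in this tutorial: address, bytes, mnemonic, target
LISTING = """
:0042D3C3 E83CF8FFFF              call 0042CC04
:0042D3CB 0F85A1000000            jne 0042D472
:0042D3EC E8958F0500              call 00486386
:0044151B 752D                    jne 0044154A
:00458B21 7C6C                    jl 00458B8F
:00458B2A 7563                    jne 00458B8F
"""
LINE_RE = re.compile(r"^:([0-9A-F]{8})\s+([0-9A-F]+)\s+(\w+)\s+([0-9A-F]{8})$")

# (virtual address, @Offset shown in W32Dasm's status bar) pairs quoted in the tutorial
OFFSET_PAIRS = [(0x0042D3CB, 0x0002C9CB), (0x0044151B, 0x00040B1B), (0x00458B2A, 0x0005812A)]


def decode_branch_target(addr, code):
    """Absolute target of a relative branch: address of the next instruction + signed displacement."""
    # Handles Jcc rel8 (7x), JMP rel8 (EB), Jcc rel32 (0F 8x) and CALL/JMP rel32 (E8/E9).
    if len(code) == 6 and code[0] == 0x0F and 0x80 <= code[1] <= 0x8F:
        disp = int.from_bytes(code[2:6], "little", signed=True)
    elif len(code) == 5 and code[0] in (0xE8, 0xE9):
        disp = int.from_bytes(code[1:5], "little", signed=True)
    elif len(code) == 2 and (0x70 <= code[0] <= 0x7F or code[0] == 0xEB):
        disp = int.from_bytes(code[1:2], "little", signed=True)
    else:
        raise ValueError("not a relative branch: " + code.hex())
    return (addr + len(code) + disp) & 0xFFFFFFFF


def check_listing(text):
    """Decode every branch in the listing; return [(mnemonic, address, target, matches W32Dasm)]."""
    results = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an instruction line (string refs, blank lines, ...)
        addr, code, mnem, operand = m.groups()
        target = decode_branch_target(int(addr, 16), bytes.fromhex(code))
        results.append((mnem, int(addr, 16), target, target == int(operand, 16)))
    return results


def section_delta(pairs):
    """VA minus raw file offset is one constant within a PE section; None if the pairs disagree."""
    deltas = {va - off for va, off in pairs}
    return deltas.pop() if len(deltas) == 1 else None


if __name__ == "__main__":
    for mnem, addr, target, ok in check_listing(LISTING):
        print("%08X %-4s -> %08X %s" % (addr, mnem, target, "ok" if ok else "MISMATCH"))
    print("VA - @Offset = %X" % section_delta(OFFSET_PAIRS))
```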


III. Cracking with Soft-Ice for Windows

     III.1. Installing Soft-Ice
     After installing Soft-Ice there are several difficulties to master. First you have to load
     Soft-Ice before you start Windows, second you have to choose your graphics driver and third
     you have to edit the file 'Winice.dat' in the Soft-Ice directory.
     For the first difficulty, I would install a software-bootmenu in the autoexec.bat and
     config.sys files.
     Example:
     AUTOEXEC.BAT:

     @Echo Off
     REM Here put in your normal stuff, like drivers
     REM %CONFIG% holds the name of the CONFIG.SYS menu item you chose (SICE or NORM)
     goto %CONFIG%

     :SICE
     C:\SIW95\WINICE.EXE
     goto common
     :NORM
     goto common
     :common
     End of file
  
     The lines starting with ':' are labels, the places to jump to when a 'goto' names them.
     The 'goto'-lines are the jumps.

     CONFIG.SYS
    
     [menu]
     menuitem SICE,Soft-Ice
     menuitem NORM,Normal Mode
     menudefault NORM,5

     [SICE]
     [NORM]
     [common]
    
     Put your normal stuff here.

     End of File

     Next difficulty: start VSetup in the SI directory (Soft-Ice = SICE = SI). If your video card
     isn't listed there, choose VGA, because SI won't work if you choose a different one. If you
     need to choose VGA you need a hardware-bootmenu too, because you have to switch between the
     video drivers when you start Windows in normal mode or in SI-mode. You can do this in the
     Windows Control Panel/System. Copy your hardware profile and disable your video card in the
     new profile. Save. Next time you start Windows you can choose the hardware and the software
     you wish to load. If you disabled your video card and you start Windows-SI there are some
     error messages asking you to choose graphic drivers. Just [ESC] them away.

     Third difficulty:
     No real difficulty. Load the file winice.dat in a text editor and remove the ';' from the lines
     ;exp=c:\windows\system\kernel32.dll
     ;exp=c:\windows\system\user32.dll
     ;exp=c:\windows\system\gdi32.dll

     which stand below the lines
     ; ***** Examples of export symbols that can be included for Chicago *****
     ; Change the path to the appropriate drive and directory

     III.2 Let's start cracking
     Now restart your computer with the SI configuration. In Windows press [CTRL]+[D] to see if
     you can load SI. If nothing happens, you forgot to load SI in your Autoexec.bat; if the
     screen is black and you have already chosen video drivers, you have a little problem.
     Try to fix it with the help of the WWW.
 
     In SI you can read the RAM of your PC, set breakpoints on nearly everything and, most
     important, CRACK. All segment parts of the addresses in this tutorial are written as XXXX:
     because these can be different on different computers.
     Start SI with [CTRL]+[D]. You see many digits and chars. Leave SI with [CTRL]+[D] and start
     Goldwave. Enter any values in the register dialog, but don't push [Enter] yet. Get into
     SI and set a breakpoint on hmemcpy (this means SI should appear every time Windows or any
     application uses the function hmemcpy). You do this with bpx hmemcpy. Now leave SI and
     hit [ENTER] in Goldwave. BLAM! Now you're back in SI. Goldwave needs three values to
     calculate the correct serial#. Thus there must be two more hmemcpy calls. Press [CTRL]+[D]
     twice and you are inside the third hmemcpy. Press [F11] and you get out of the routine. Do
     you remember the address of the call I told you to remember in the W32Dasm part? I tell
     you it was 0042D3C3. Step through the SI code by pushing [F10] until the addresses in one
     of the SI windows look like XXXX:XXXXXXXX Assembler-Code. Now set a breakpoint on the
     address XXXX:0042D3C3. (The XXXX can be different on every computer. In my case it is 0157.)
     To set the BP enter bpx XXXX:0042D3C3 (in my case: bpx 0157:0042D3C3). Press [CTRL]+[D].
     Now a message should appear that SI stopped at the BP. The highlighted line should be
     XXXX:0042D3C3  call  0042CC04. Enter the call with [F8]. Now you're inside the routine that
     calculates the registration code. Step through the code with [F10] until you come to
     address XXXX:0042CC46. Enter d esi and you see the serial# that fits the name you entered.
     Delete all breakpoints with bc *. Enter Goldwave and try to register it with the new serial#.
     If you have entered the correct name and serial# you have a correctly registered Goldwave.
 
     Note: Don't think it is always so easy, most time it isn't. 

V.   Writing a patch in C++
     In the Win32Dasm section I told you to write a patch program for the crack. Here is how
     I do this in C++ 5.0 (only the important part; no information, just the crack).

     #include <stdio.h>
     #include <conio.h>   /* cprintf() is Borland's conio; use printf() on other compilers */

     FILE *handle;
     handle = fopen("Filename.exe", "r+b");   /* open for reading and writing, binary mode */
     if (handle == NULL)
     {
        cprintf("No file Filename.exe found");
     }
     else
     {
       fseek(handle, HERE OFFSET IN DECIMAL, SEEK_SET);   /* seek to the byte to change */
       fputc(HERE NEW VALUE IN DECIMAL, handle);         /* overwrite that single byte */
       fclose(handle);
     }
 
VI.  BTW
     Hope my tutorial was helpful for you and see you again in my next tutorial.
     If not, see I.1 where you can get more information about cracking.
     BTW this tutorial is for educational purposes only. Make sure to get the full version
     legally. I take no responsibility for anything, nor for any trouble you get into.
     
     Greets to: tKC, Ed!son, Moral Insanity, Jordan, The Sandman  

VII. All tutorials by LaZaRuS
      
     #|  date  |   name   |version|W32Dasm|Soft-Ice|kind of crack      |
     -|--------|----------|-------|-------|--------|-------------------|
     1|20.01.99|Jaylock   |1,0,0,1|  (X)  |   (X)  |serial#            |
     2|31.01.99|Goldwave  |4.02   |  (X)  |   (X)  |serial#,nag-screens|
     
