                         Cracking for Fun and Knowledge
                   (for 1st timers and accomplished crackers)

                                 CrackMe v1.0

                                  -= By =-

                                   Nullz 

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

[ Notes to New User / Newbie cracker ]
======================================

First of all you will need Softice and W32Dasm.  These are the two 
most important cracking tools and can be found on the Internet; just
search for it!  Second, you will need a little bit of knowledge of
Assembly language and High level language. Thrid, you will need to
learn how to use Softice's most basic commands. Lastly, you need know
how to go about "Debugging" a Win32 program.

This documentation is not a complete tutorial.  These tutorials are
found almost anywhere on the Internet.  For example, beginning assembly
language, basic C/C++, or Softice user manual can all be found on the 
Internet. And I assume that you are able enough to find them and learn 
them on your own.  This documentation assumes that you have maybe tried
to do some cracks on your own, but failed in many ways.  So it is assumed
that you have seen Softice and/or W32Dasm before, but not knowing much 
how to actually apply it in a pratical real world situation.

No more rough start! With this tutorial and the accompanying "CrackMe" 
program, you can turely learn how to make your first crack.  If you've
ever tried to crack a conventional shareware for the first time, you'll
very much likely to be unsuccessful.  Because the registration routines
used are built for counter attacking the accomplished crackers.  It would
be unpractical for beginners, who knows very little about programming, to 
crack them.  So I've written this "CrackMe" program with some very simple
registration routines that are design for beginners in mind.  It has 
different levels of difficulties, where the next is harder then the
previous.


[ Basic Configuration needed for Softice ]
==========================================

You will need the following symbol files...
kernel32.dll
user32.dll
gdi32.dll

So in your "winice.dat" file, you'll need to remove the semicolons to
uncomment them.  They are near the bottom of the file.
It should look something similar to this...
EXP=c:\windows\system\kernel32.dll
EXP=c:\windows\system\user32.dll
EXP=c:\windows\system\gdi32.dll
(you can also copy and paste these lines into the file)

  Useful Commands to remember
  ----------------------------
  (these keys should be the default, unless you've changed them)
  [Ctrl]-D  - breaks into or out of Softice
  wc, wd, wr  - toggles the code, data, and register window
  code on/off  - display/hides the instructions bytes in code window
  d [memory address]  - display memory contents in the specified address
  bpx [API function name]  - set breakpoint on API calls
  bc [*/list]  - clear break point(s)
  bd [*/list]  - disable break point(s)
  be [*/list]  - enable break point(s)
  bl  - list current break point(s) 
  [F8]  - step into functions (trace)
  [F10]  - step over functions
  [F12]  - step out of a function
  help [command]  - get help on any Softice commands


[ Notes about CrackMe v1.0 ]
============================

It is written in MS Visual C++ 5. And it requires the following DLLs...
MFC42.DLL
MSVCRT.dll
KERNEL32.dll
USER32.dll

The 32-bit API calls used are (keep these in mind)...
GetDlgItemTextA  - get a text string (fix character array)
GetWindowTextA   - get a text string (CString object; dynamic)
lstrlenA         - get length of a string
lstrcmpA         - compare 2 strings, returns 0 if equal
MessageBeep      - make a beep sound
MessageBoxA      - a simple dialog box
WSprintfA        - formats a string in certain ways
                   (go to a C reference manual for details)


[ Step by Step on Cracking Level-1 registration key]
====================================================

1. What you need to know before cracking?
-----------------------------------------
A Window Application contains a lot of start up codes, such as
building the frame window and allocating space for the program.
To revise engineered a window program, you'll need to look at
almost everything.  That would be really tough, because there's
a lot of assembly codes to look at.  But luckyly your objective
is not that.  You only want to find the registration routine, and
trace whatever it is doing.  And that would be quite simple.

So in order to find the registration routine in a program, there
are serveral ways to do so.  But the easiest and simplest way is
to debug it.  Debugging allows you to trace the execution of each
instruction, therefore giving you a visual idea of what the program
is doing.  This is a great way for beginners to get a feel of
cracking even with very little experience with programming. And
this is why you'll need Softice!

And in the course of debugging, you'll hear the word "Break Points"
a lot.  That's because it is essentially what debugging is, or at
least one effective way of debugging.  You really don't know what
break points are, just know how they are related to the usage of
a program.  
For example, in Softice command window.  The following...

: bpx MessageBoxA

...will set the break point on the Win32 API call "MessageBox".
So WHENEVER or WHATEVER calls upon the MessaegBox functions within
Windows, Softice will break into the program that calls it.  All
execution will stop (even your Windows clock timer). {Time Dilation?}

It is very important to note that the border line between the
code window and the command window shows you the program name that
you are currently debugging.  This changes a lot as you step
through each instruction since Windows is a multitasking environment.
Sometimes you'll see KERNEL32, and sometimes you'll see USER32.
All you need to worry about are the instructions that belongs to
the application program.

2. Cracking the "Very Easy" registration routine
------------------------------------------------

This is a level-1, the most basic registration routine designed to help
beginners getting started.  You will almost never find such a registration
routine in any real world sharewares. But it's good to have an easy start!
No username is require in this routine.  You just need the correct
registration key.  Very simple.

Make sure you have Softice loaded before Windows.  You don't need
the Softice Symbol loader, just as long as Softice is loaded then
it is fine.  Then load up the "CrackMe" program, and type in any fake
registration key you want.

Now, what you will need to do first is to set break points.
Go into Softice by pressing [Ctrl]-D.  In the command window, type in
: bpx GetDlgItemTextA
GetDlgItemTextA is used by CrackMe to obtain the registration key
entered by the user.  When you hit the button "Validate Registratino Key".
You will noticed that Softice should take over the Window.  That is
because once you hit the button, CrackMe calls the GetDlgItemTextA
API function in order to obtain the registration key entered by the user.
And at this moment, Softice will break into the program.  Then everything
that Windows is doing will all be stopped.

You should now be inside of the GetDlgItemTextA function, which it
belongs to USER32.DLL.  So leave the function by pressing [F12]; you
don't need to know the details of what the function does. Just know
that it retrieves a text string and saves it to some memory location.
After pressing [F12] only once, you should be in MFC42.DLL.  You also
don't need to know what it is doing here, just leave it by pressing
[F12] again.  Now, you'll be back into the CrackMe program's code as
indicated by the text between the code and command window in Softice.

You will see several important things here, and you should see
assembly codes that are similar to what you see here...
The line you'll be at after the break point is ":004018D8"
That's after calling the GetDlgItemTextA function
---------------------------------------------------------------------
:004018D3 E8AA060000              Call 00401F82 ; GetDlgItemTextA
:004018D8 8D54240C                lea edx, [esp+0C]
:004018DC 8D442428                lea eax, [esp+28]
:004018E0 52                      push edx
:004018E1 50                      push eax

:004018E2 FF1508304000            Call [KERNEL32!lstrcmp]
:004018E8 85C0                    test eax, eax
:004018EA 7519                    jne 00401905
:004018EC 50                      push eax
----------------------------------------------------------------------
To see that GetDlgItemText really did retrieved the string you've
entered for the registration key. Do the following...

If you are not currently at line :004018E0, then hit [F10] until
you get there.  Then type in "d eax"
(That says display the memory contents pointed to by the register EAX)
Now in the data window, you should see the string you've just entered.

If you scroll the data window up a little, or type in "d edx" you should
see some weird string sitting in the memory.  And the string should read 
something like "qJT62aWfviq0P57JGs2FelQkX", humm... suspicious???

What's more weird is that the address of the two strings are being
passed onto the "lstrcmpA" function at address :004018E2
  push edx ; - points to an unkown misterious string
  push eax ; - points to user's registration code
  call [KERNEL32!lstrcmp] ; - calls the string compare function
(lstrcmpA is a Kernel function that compares two strings)

Obviously, it is comparing the two strings.  And you know that
the return value is in the EAX register.  So the next line that
says "test eax, eax" should be testing something is that related
to the "lstrcmpA" function called previously!

Now, you're almost done with cracking this registration routine.
There are different ways in which you would choose to do at this point.
You can continue tracing the program and see what happens. 
Or you can leave Softice, return to Windows, and allow the program to 
continue its execution.  Then enter the weird string as the key, and 
see what happens. (you might want to disable the break point first)

There isn't much more I should say now.


=========================================================================
 +----------------------------Contact Info-----------------------------+
  _____________________________________________________________________
  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

Programmer:  Nullz
    E-mail:  crackz@hehe.com
       URL:  http://members.xoom.com/nullz/

 Program Last Updated:  May 02, 1998
Document Last Updated:  May 02, 1998


Note:
Only levels 1,2,3 are available at this point.  I'm still developing
the harder levels 4 and 5.  It will most likely be available in
the next version.

Levels 1 and 2 are design specifically for beginners.
Levels 3 (Common) are the usual registration routines found in many
average sharewares.  The style and difficultly should be very 
similar to the real world shareware.  But it is still not very
difficult. Wait for Levels 4 & 5!

After cracking these registration keys, you might consider writing
a key generator for them.  That will be an added challenge.  And 
that is when W32Dasm comes in.  Shouldn't be very hard if you can
crack all the keys.

~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
 ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~ ~
