PhRoZeN CReW - Tutorial 2 - 6-8-1997


Hi dudes!

Now I'm back with another cracking tutorial. This time I'd like to teach you how to remove NAGs and how to use Debugger Mode in W32Dasm. It's real easy!!

Sorry for my bad grammar, I hope you'll understand this piece anyway! :-) Let's go!

TOOLS

For tools you need the following (I use these tools, and I assume you'll use 'em too):

  • W32Dasm 8.9 or a higher version
  • Hacker's View (HIEW) 5.60
  • Norton Commander or Windows Commander (I'll explain later why I use this one)

Ask any cracker to get you these tools; they'll be happy to serve you! :-)

CONTENTS

1)
  • a. How to remove NAGs in Private EXE 2.0a (using the Debugger in W32Dasm)
  • b. How to remove NAGs in Private EXE 2.0a (without W32Dasm!!)

2)
  • a. How to remove NAGs in LView Pro 1.C/32 (using the Debugger in W32Dasm)
  • b. How to crack LView Pro 1.C/32 (to accept any serial)

(Because I've had no modem here for a while I couldn't grab the latest shareware, so I use those old programs for the demonstration.)

PART 1a: To remove NAGs in Private EXE 2.0a (with W32Dasm)

Step 1. Run PEXE32.EXE

Step 2. Now you see that annoying NAG screen. You'd like to remove it, right? :-)

Step 3. Ok, exit the program.

Step 4. Run Norton Commander, go to PrivateEXE directory.

Step 5. Copy PEXE32.EXE to PEXE32.EXX (as a backup) and copy PEXE32.EXE to 1.EXE (for W32Dasm to use).

Step 6. Run W32Dasm and disassemble 1.EXE.

Step 7. Once it's disassembled, click Debug|Load Process (or press CTRL-L).

Step 8. Wait until the Debugger is finished loading all the DLLs.

Step 9. Ok, now you're in the 'debug' window; you should see the bar at:

    :004074B0 mov eax, dword ptr fs:[00000000]
    :004074B6 push ebp
    ...
    ...

Step 10. That's the Program Entry Point. Ok, you're ready to run Private EXE: click on RUN (or press F9). You should see the NAG screen, and you'd like to know where it processes the NAGs. Click on Step Into (or press F7). Ah! Now you should see the following:

    :00405C21 call USER32.DialogBoxParamA
    :00405C27 pop ebp
    ...
    ...

Step 11. Click on Terminate; it'll close the Debugger and Private EXE windows.

Step 12. You should be back in W32Dasm and see the following:

    :00405C21 FF1590664100         Call dword ptr [00416690]
    :00405C27 5D                   pop ebp
    :00405C28 C3                   ret
    ...

Step 13. Ok, now you must check where it starts to process the dialogs. Press the UP arrow key till you find:

    :00405BFC CC                   int 03
    :00405BFD CC                   int 03
    :00405BFE CC                   int 03

    * Referenced by a (U)nconditional or (C)onditional Jump at Address:
    |:00401064 (U)
    |
    :00405BFF 55                   push ebp
    :00405C00 8B442414             mov eax, dword ptr [esp+14]
    ...

Step 14. These CC's (int 03) mark where it starts to process the dialogs. Make sure the cyan colour bar is on ":00405BFF 55 push ebp". You should see the offset address at the bottom of the screen, like @Offset 00004FFFh. That's where you can patch it in PEXE32.EXE.

Step 15. Go back to Norton Commander, run HIEW PEXE32.EXE, press F4 to select Decode mode (ASM), press F5 and enter 4FFF. You should see something like:

    00005BFF: 55                           push   ebp
    00005C00: 8B442414                     mov    eax,[esp][00014]
    00005C04: 8BEC                         mov    ebp,esp
    00005C06: 85C0                         test   eax,eax

(Remember, I'm using HIEW 5.60 now, which shows you a different offset address; this version is awesome, grab it!!)

Step 16. That's where you can change the bytes: press F3, enter C3, press F9 to update PEXE32.EXE. After you've pressed F3 and entered C3, it should look like this:

    00004FFF: C3                           retn
    00005000: 8B442414                     mov    eax,[esp][00014]
    00005004: 8BEC                         mov    ebp,esp
    00005006: 85C0                         test   eax,eax

(Notice the offset address.)

Step 17. Why C3? Ah, when the program reaches this C3 (retn), it won't continue with processing the dialogs, because you tell it to return right away!

Step 18. Now run PEXE32.EXE. Do you see that NAG screen anymore? Kewl!! You've cracked Private EXE 2.0a!!

BTW: this isn't a 100% crack (it doesn't bypass the password protection); I only showed you how to remove the NAGs, remember? :-)
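The @Offset that W32Dasm prints in Step 14 (and the dotted .00005BFF address HIEW 5.60 shows in Step 15, which is the same value minus the image base) comes from the PE section table: file offset = PointerToRawData + (RVA - VirtualAddress). This added example is mine, not part of the tutorial; the section table is constructed, and the image base 0x400000 with .text at RVA 0x1000 / raw offset 0x400 is an assumption that happens to be the only layout consistent with all four VA/offset pairs the tutorial reports (each differs by 0x400C00).

```python
import struct

# IMAGE_SECTION_HEADER (40 bytes): Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics.
SECTION_HDR = struct.Struct("<8sIIIIIIHHI")

# Assumed image base (the Win32 default); see the lead-in for why it fits the tutorial.
IMAGE_BASE = 0x400000

def section_header(name, vsize, va, rawsize, rawptr, chars=0x60000020):
    """Build a raw section header. Constructed demo data, not the real programs' headers."""
    return SECTION_HDR.pack(name.ljust(8, b"\0"), vsize, va, rawsize, rawptr, 0, 0, 0, 0, chars)

# Constructed two-section table; sizes are placeholders large enough to cover the
# addresses the tutorial patches.
SECTION_TABLE = (section_header(b".text", 0x40000, 0x01000, 0x40000, 0x00400)
                 + section_header(b".data", 0x10000, 0x41000, 0x08000, 0x40400, 0xC0000040))

def parse_sections(table):
    """Yield (name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData)."""
    for off in range(0, len(table) - 39, SECTION_HDR.size):
        f = SECTION_HDR.unpack_from(table, off)
        yield f[0].rstrip(b"\0").decode(), f[1], f[2], f[3], f[4]

def rva_to_file_offset(rva, table=SECTION_TABLE):
    """RVA (HIEW's dotted address, e.g. .00005BFF) -> file offset (00004FFF)."""
    for _name, vsize, sva, rawsize, rawptr in parse_sections(table):
        if sva <= rva < sva + max(vsize, rawsize):
            delta = rva - sva
            # Bytes past SizeOfRawData exist only in memory (zero-filled); nothing to patch on disk.
            return rawptr + delta if delta < rawsize else None
    return None

def va_to_file_offset(va, table=SECTION_TABLE, image_base=IMAGE_BASE):
    """VA as W32Dasm shows it (:00405BFF) -> the @Offset it reports (00004FFFh)."""
    return rva_to_file_offset(va - image_base, table)

def file_offset_to_va(offset, table=SECTION_TABLE, image_base=IMAGE_BASE):
    """Inverse mapping: a HIEW file offset back to the address W32Dasm would display."""
    for _name, _vsize, sva, rawsize, rawptr in parse_sections(table):
        if rawptr <= offset < rawptr + rawsize:
            return image_base + sva + (offset - rawptr)
    return None

if __name__ == "__main__":
    for va in (0x405BFF, 0x4323F0, 0x41ED7B, 0x407EEC):   # addresses from the tutorial
        print("VA %08X -> file offset %08X" % (va, va_to_file_offset(va)))
```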

PART 1b: To remove NAGs in Private EXE 2.0a (without W32Dasm)

(I use this method all the time 'cos it's easier and faster.)

Step 1. Run PEXE32.EXE

Step 2. Now you see that annoying NAG screen. You'd like to remove it, right? :-)

Step 3. Ok, exit the program.

Step 4. Run Norton Commander, go to PrivateEXE directory.

Step 5. Copy PEXE32.EXE to PEXE32.EXX (as a backup) and run HIEW PEXE32.EXE.

Step 6. Press F4 to select HEX mode; now you'll see the hex crap inside PEXE32.EXE. No need to pee your pants! :-)

Step 7. Do you remember what the NAG screen says? Ah, you should write those strings down when running PEXE32.EXE. Like "PrivateEXE is NOT a free software. It is commercial.." or "Ok, I agree.." etc.

Step 8. Press F7 to search and enter "agree" (in the ASCII field). Does it find the string? Ok, remember that PEXE32.EXE is a 32-bit program, so it stores a "00" byte between each letter, like "a g r e e" (and that gap is a 00 byte, not a space character!).

Step 9. Press F7 again, enter "a" (in the ASCII field), press the DOWN arrow key, enter "00" (in the HEX field), press the UP arrow key, enter "g", press DOWN, "00", UP, "r", DOWN, "00", UP, "e", DOWN, "00", UP, "e". You should see the following:

    [F2:Forward /F4:Full ]
    ASCII: a g r e e
    Hex:   61 00 67 00 72 00 65 00 65

Step 10. Ok, press ENTER to find the string. Now you'll see something like this:

    .00019300: 00 00 F0 00-14 01 00 00-00 00 41 00-62 00 6F 00    . ..    A b o
    .00019310: 75 00 74 00-20 00 50 00-72 00 69 00-76 00 61 00  u t   P r i v a
    .00019320: 74 00 65 00-45 00 58 00-45 00 00 00-08 00 4D 00  t e E X E   . M
    .00019330: 53 00 20 00-53 00 61 00-6E 00 73 00-20 00 53 00  S   S a n s   S
    .00019340: 65 00 72 00-69 00 66 00-00 00 00 00-01 00 01 50  e r i f     . .P
    .00019350: 00 00 00 00-19 00 EA 00-5A 00 0E 00-01 00 FF FF      . . Z . . ..
    .00019360: 80 00 26 00-4F 00 6B 00-2C 00 20 00-49 00 20 00  . & O k ,   I
    .00019370: 61 00 67 00-72 00 65 00-65 00 00 00-00 00 00 00  a g r e e
    .00019380: 00 00 01 50-00 00 00 00-7B 00 EA 00-5A 00 0E 00    .P    { . Z .
    .00019390: 65 00 FF FF-80 00 4F 00-72 00 64 00-65 00 72 00  e ... O r d e r
    .000193A0: 69 00 6E 00-67 00 20 00-26 00 49 00-6E 00 66 00  i n g   & I n f

Step 11. Those "Ok, I agree", "Ordering" etc. are the buttons. Now go down till you find:

    .00019420: 81 00 02 50-00 00 00 00-11 00 9E 00-CC 00 21 00  . .P    . . . !
    .00019430: FF FF FF FF-82 00 50 00-72 00 69 00-76 00 61 00  ..... P r i v a
    .00019440: 74 00 65 00-45 00 58 00-45 00 20 00-69 00 73 00  t e E X E   i s
    .00019450: 20 00 4E 00-4F 00 54 00-20 00 61 00-20 00 66 00    N O T   a   f
    .00019460: 72 00 65 00-65 00 20 00-73 00 6F 00-66 00 74 00  r e e   s o f t
    .00019470: 77 00 61 00-72 00 65 00-2E 00 20 00-49 00 74 00  w a r e .   I t
    .00019480: 20 00 69 00-73 00 20 00-63 00 6F 00-6D 00 6D 00    i s   c o m m
    .00019490: 65 00 72 00-63 00 69 00-61 00 6C 00-20 00 70 00  e r c i a l   p

Step 12. Look at the FF FF FF FF 82 just before the string "PrivateEXE is NOT a..". That's what generates the dialog; remember, only the 4 FF's and the 82 byte do the trick! Now use the arrow keys to bring the cursor onto the "82". You'll see "19434" at the top of the screen. Press F3 and change "82" to "7E"; look at the top of the screen again and you're at offset address 14A34. That's where you patch it. Press F9 to update PEXE32.EXE.

Step 13. Remember, only the 4 FF's and the 82 byte will work; otherwise you'll mess it up. Once you've changed "82" to "7E", it won't generate the dialog. Exit HIEW and run PEXE32.EXE.

Step 14. Do you see that NAG screen anymore? Kewl!! You've cracked Private EXE 2.0a!!
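What the bytes in Steps 8 to 13 actually are: the dump is a Windows dialog template, each control is a DLGITEMTEMPLATE whose class field is either a UTF-16LE string or 0xFFFF followed by a predefined ordinal (0x80 Button, 0x82 Static, ...), and the titles are UTF-16LE, which is why "agree" only matches with 00 bytes between the letters. This parser is an added example of mine, not code from the tutorial; the sample item is the "&Ok, I agree" button copied byte for byte from the dump above (file offsets 0001934C to 0001937F). Overwriting the ordinal, as Step 12 does to the 82, leaves a class the dialog manager cannot create, so the whole dialog fails to come up; a resource integrity check can flag exactly such an unknown ordinal.

```python
import struct

# Predefined control classes a DLGITEMTEMPLATE can name with 0xFFFF followed by an ordinal.
CLASS_ORDINALS = {0x80: "Button", 0x81: "Edit", 0x82: "Static",
                  0x83: "ListBox", 0x84: "ScrollBar", 0x85: "ComboBox"}

# The "&Ok, I agree" push button, copied from the tutorial's HIEW dump (0001934C-0001937F).
OK_BUTTON_ITEM = bytes.fromhex(
    "01000150 00000000 1900 EA00 5A00 0E00 0100"   # style, exstyle, x, y, cx, cy, id
    "FFFF 8000"                                    # class: 0xFFFF + ordinal 0x80 (Button)
    "2600 4F00 6B00 2C00 2000 4900 2000 6100 6700 7200 6500 6500 0000"  # "&Ok, I agree"
    "0000 0000"                                    # creation-data size 0, DWORD padding
)
CLASS_ORDINAL_OFFSET = 18 + 2   # 18-byte header, then the 0xFFFF marker, then the ordinal

def _read_class_or_title(buf, pos):
    """0xFFFF,ordinal -> int; otherwise a null-terminated UTF-16LE string."""
    if struct.unpack_from("<H", buf, pos)[0] == 0xFFFF:
        return struct.unpack_from("<H", buf, pos + 2)[0], pos + 4
    end = pos
    while struct.unpack_from("<H", buf, end)[0] != 0:
        end += 2
    return buf[pos:end].decode("utf-16-le"), end + 2

def parse_dlg_item(buf, pos=0):
    """Decode one (non-extended) DLGITEMTEMPLATE and say whether Windows knows its class."""
    style, exstyle, x, y, cx, cy, ctrl_id = struct.unpack_from("<IIhhhhH", buf, pos)
    cls, pos = _read_class_or_title(buf, pos + 18)
    title, pos = _read_class_or_title(buf, pos)
    extra = struct.unpack_from("<H", buf, pos)[0]
    known = cls in CLASS_ORDINALS if isinstance(cls, int) else True
    if isinstance(cls, int):
        cls = CLASS_ORDINALS.get(cls, "unknown ordinal 0x%04X" % cls)
    return {"style": style, "exstyle": exstyle, "rect": (x, y, cx, cy), "id": ctrl_id,
            "class": cls, "title": title, "creation_data": extra, "class_known": known}

def with_class_ordinal(item, ordinal):
    """Copy of the item with its class ordinal replaced (what the tutorial's 82 -> 7E edit does)."""
    patched = bytearray(item)
    patched[CLASS_ORDINAL_OFFSET] = ordinal
    return bytes(patched)

if __name__ == "__main__":
    print(parse_dlg_item(OK_BUTTON_ITEM))
    print(parse_dlg_item(with_class_ordinal(OK_BUTTON_ITEM, 0x7E)))
```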

PART 2a: To remove NAGs in LView Pro 1.C/32 (with W32Dasm)

Step 1. Run LVIEWPRO.EXE

Step 2. Now you see that annoying NAG screen. You'd like to remove it, right? :-)

Step 3. Ok, exit the program.

Step 4. Run Norton Commander, go to LView Pro directory.

Step 5. Copy LVIEWPRO.EXE to LVIEWPRO.EXX (as a backup) and copy LVIEWPRO.EXE to 1.EXE (for W32Dasm to use).

Step 6. Run W32Dasm and disassemble 1.EXE.

Step 7. Once it's disassembled, click Debug|Load Process (or press CTRL-L).

Step 8. Wait until the Debugger is finished loading all the DLLs.

Step 9. Ok, now you're in the 'debug' window; you should see the bar at:

    :00450236 mov eax, dword ptr fs:[00000000]
    :0045023C push ebp
    ...
    ...

Step 10. That's the Program Entry Point. Ok, you're ready to run LView Pro: click on RUN (or press F9). You should see the NAG screen, and you'd like to know where it processes the NAGs. Click on Step Into (or press F7). Ah! Now you should see the following:

    :004324F1 cmp eax, FFFFFFFF
    :004324F4 jne 00432508
    ...
    ...

Step 11. Click on Terminate; it'll close the Debugger and LView Pro windows.

Step 12. You should be back in W32Dasm and see the following:

    :004324F1 83F8FF               cmp eax, FFFFFFFF
    :004324F4 7512                 jne 00432508
    ...

Step 13. Ok, now you must check where it starts to process the dialogs. Press the UP arrow key till you find:

    :004323ED CC                   int 03
    :004323EE CC                   int 03
    :004323EF CC                   int 03

    * Referenced by a CALL at Address:
    |:00407EEC
    |
    :004323F0 83EC78               sub esp, 00000078
    :004323F3 56                   push esi
    ...

Step 14. These CC's (int 03) mark where it starts to process the dialogs. Make sure the cyan colour bar is on ":004323F0 83EC78 sub esp, 00000078". You should see the offset address at the bottom of the screen, like @Offset 000317F0h. That's where you can patch it in LVIEWPRO.EXE.

Step 15. Go back to Norton Commander, run HIEW LVIEWPRO.EXE, press F4 to select Decode mode (ASM), press F5 and enter 317F0. You should see something like:

    .000323F0: 83EC78                       sub    esp,078  ;"x"
    .000323F3: 56                           push   esi
    .000323F4: 8BB42480000000               mov    esi,[esp][000000080]
    .000323FB: 85F6                         test   esi,esi

(Remember, I'm using HIEW 5.60 now, which shows you a different offset address; this version is awesome, grab it!!)

Step 16. That's where you can change the bytes: press F3, enter C3, press F9 to update LVIEWPRO.EXE. After you've pressed F3 and entered C3, it should look like this:

    000317F0: C3                           retn
    000317F1: EC                           in     al,dx
    000317F2: 7856                         js     00003184A
    000317F4: 8BB42480000000               mov    esi,[esp][000000080]
    000317FB: 85F6                         test   esi,esi

(Notice the offset address.)

Step 17. Why C3? Ah, when the program reaches this C3 (retn), it won't continue with processing the dialogs, because you tell it to return right away!

Step 18. Now run LVIEWPRO.EXE. Do you see that NAG screen anymore? Kewl!! You've cracked LView Pro 1.C/32!!

And there's another way to remove that NAG screen, wanna try it? Ok, go back to Step 1, follow the steps up to Step 15, then do the following:

Step 19. Now you're at offset address 317F0, and you'd like to see where this routine gets called from. Press F6 to Refer (it finds references to the current position); you should see something like this:

    .00007EEC: E8FFA40200                   call   .0000323F0   ---------- (6)
    .00007EF1: 83C404                       add    esp,004
    .00007EF4: 33C0                         xor    eax,eax
    .00007EF6: E9320D0000                   jmp    .000008C2D   ---------- (7)

Step 20. Ah, now you know where it calls the dialog-processing routine. Press F3, enter 9090909090, press F9 to update LVIEWPRO.EXE. After you've pressed F3 and entered 9090909090, it should look like this:

    000072EC: 90                           nop
    000072ED: 90                           nop
    000072EE: 90                           nop
    000072EF: 90                           nop
    000072F0: 90                           nop
    000072F1: 83C404                       add    esp,004
    000072F4: 33C0                         xor    eax,eax

Step 21. Those 9090909090 bytes (nops) make sure the routine is never called. Now run LVIEWPRO.EXE. Do you see that NAG screen anymore? Kewl!! You've cracked LView Pro 1.C/32!!

PART 2b: How to crack LView Pro 1.C/32 (to enter any serials)

Step 1. Run LVIEWPRO.EXE

Step 2. Click on Registration, then I'll Register..., then enter "TKC/PC '97" at Name: and "12345" at ID#:.

Step 3. You'll see the error message (write this message down), then exit the program.

Step 4. Run Norton Commander, go to QVP directory.

Step 5. Copy LVIEWPRO.EXE to LVIEWPRO.EXX (as a backup) and copy LVIEWPRO.EXE to 1.EXE (for W32Dasm to use).

Step 6. Run W32Dasm and disassemble 1.EXE.

Step 7. Once it's disassembled, click STRING DATA REFERENCE and look down for the string "User name and ID numbers do not..." (you should remember that error message), then double-click on it.

Step 8. Close the SDR window; you should see the line:

    * Possible StringData Ref from Data Obj -> "User name and ID numbers..
                                            -> "match, please verify if..
    :0041ED7D 68188F4600           push 00468F18
    :0041ED82 56                   push esi

Step 9. Ok, now you must look for the last comparison (CMP, JNE, JE, TEST, etc.) before the error string. Press the UP arrow key till you find:

    :0041ED7B 751A                 jne 0041ED97
    * Possible StringData Ref from Data Obj -> "User name and ID numbers..
                                            -> "match, please verify if..
    ...

Step 10. Now you know where it jumps when you've entered the wrong code. Now you want to see if it works when you replace the "jne" with a "je". Make sure the green colour bar is on ":0041ED7B 751A jne 0041ED97"; you should see the offset address at the bottom of the screen, like @Offset 0001E17Bh. That's where you can patch it in LVIEWPRO.EXE.

Step 11. Go back to Norton Commander, run HIEW LVIEWPRO.EXE, press F4 to select Decode mode (ASM), press F5 and enter 1E17B. You should see something like:

    .0001ED7B: 751A                         jne    .00001ED97   ---------- (1)
    .0001ED7D: 68188F4600                   push   000468F18
    .0001ED82: 56                           push   esi

Step 12. That's where you can change the bytes: press F3, enter 74, press F9 to update LVIEWPRO.EXE. Exit HIEW.

Step 13. Run LVIEWPRO.EXE and enter any code. Voila! You've cracked LVP 1.C/32!! Beware, though: what if you enter the real serial? Then it'll jump to the error message dialog! What now?

Step 14. Run HIEW LVIEWPRO.EXE again, press F4, select Decode, press F5 and enter 1E17B. Press F3, enter EB, press F9. Now it never jumps to the error dialog!

Enough for now. I hope you've enjoyed this tutorial as much as I did! :-) I'll see you next time at Tutor #3 for Soft-ICE 3.0!

Have fun,
The Keyboard Caper,
The Founder of PhRoZeN CReW '94 - '97
6-8-1997
