dRaG0n´s CrAcKinG Lesson 1
Tools you need
- Softice V.3.X
- W32dasm V8.X
- Hiew VX.X
Lets start
Hi !
Welcome to my cracking lesson 1 ;) ... in this Lesson i will show you how to use
Softice & W32dasm =)
I think, we will start with Softice !
Softice V3.X
Ok , first install Softice V3.x :) ...
Once installed , you have to make some changes with thewinice.datin your Softice dir. !
Find the " INIT="X" " Section ... there you can change , what you will see when you
will run winice , like Registers , Hex-Display , colors etc ...
Here is what you can replace for the INIT="X" section , really coool :)
INIT="lines 60;color f a 4f 1f e;wd 22;wc 22;wr;code on;x;"
Here ´s what any command stand for ...
| :lines 60 Set 60 lines mode
| :color f a 4f 1f e Set psychedelic colors (Optional)
| :wd 22 Enable Data Window 22 lines long
| :wc 25 Enable Code Window 25 lines long
| :wr Enable Register Window
| :code on Display instruction bytes
... and another change we have to do ...
We have to remove the ;´s below , in the last part of thewinice.dat, below the
; ***** Examples of export symbols that can be included for winfuck95 *****
; Change the path to the appropriate drive and directory
Done , then only do a last check if the directories behind the removed ;´s are correct ..
The default is C:\windows\system\xxxxx.dll ... if you installed Windows in a directory
c:\wfuck95 like me =) , then just change it to the right dir. !
Ok , got it ? Lets go on :-)
iF you want to run Softice, you have to load it before Windows loads , just put this in your autoexec.bat !
c:\path-of-softice\winice.exe
Reboot your comp. after thiz and then go on reading ;-)
Back ? Ok ... now press Ctrl-d to enter Softice ...
Duh , what a screen !? ... haha .... i will explain it to you .. :-)
It will look something like thiz ..
--------------------
| Registers |
--------------------
| Data Window |
--------------------
| Code Window |
--------------------
| Command Win |
--------------------
Softice default Commands
Here is a listing of the important keys you will need in Softice .. ;-)
- 'D' View an address in the Data Window . ex.: 'D 44133E
- 'A' To edit the Asm Code in the Code Window (Duh!) ex.: 'A 44133E'
- 'BPX' Breakpoint on something , for ex.: 'Bpx GetDlgItemTextA'
- '?' Coverts Value Hex -> Decimal -> Ascii . ex.: '? 44133E'
- 'F5/Ctrl-d' Run.. To leave Sice or to get on next Breakpoint for ex. !
- 'F8' Step into Function . ex.: You are on a 'Call 44133E' command , press 'F8' to step into :)
- 'F10' Step over Function . ex.: Your are on a 'Call 44133E' or other command , press 'F10' Step over / go on tracing , run rest of the prog step by step.
- 'F11' Step over or to go on 'tracing' , run rest of programm step by step ...
- Step out of function.. ex.: To get to something where someth. was called from.
Ok , that were some important Commands , which you´ll need very often when you´re cracking ..
Now you know a little about Softice .. You will see what commands are good for , etc ,
when we will crack our first program in Lesson 2 :-) Lets go to W32dasm ..
W32Dasm V8.X
So , hi again =)
W32dasm is a disassembler which is very useful when you want to crack/patch a programm !
Also , if you must read the calculation of the serial etc ..
W32dasm is very easy to use ..
Open a Programm , Acdsee32.exe for ex. and you will see the whole Asm Code ,
where you can search for a text , like 'Unregistered' or something else i told you above :)
Nothing more to say for now , you will learn to use it when you read Lesson 2...
Assembly For Cracker :
Ok .. here is some explained asm code , which you´ll need when you crack ...
I don´t want to write another ASM 4 Cracker tut , cause i think Corn2 (hi!) did a great job on it ..
Corn2´s Asm 4 Crackers :
Assembly for Crackers - v1.0
----------------------------
Hey, This is a very basic guide to assembly for all those people who couldn't be bothered learning the in's & out's of their computer just to be able to use mIRC without having to click on some guys face. :)
I'll basically go through the most necessary stuff that you need to know before you can begin to crack. I know it's not in a very logical order, but what d'ya want for free? ;))
Oh yeah, you should view this with wordwrap on, otherwise it'll be a pain in the arse to follow ;)
REGISTERS
---------
Registers are basically default places in which to store data. The only ones we need to worry about are: (E)AX,(E)BX,(E)CX,(E)DX
( The (E) is only significant when debugging 32-bit code )
Also the register pairs:
DS:SI ; Can be used as the source for string operations
ES:DI ; Used as the target for string operations
To understand registers isn't very important for cracking, generally just to know that they're variables for data storage is enough to get you started :)
FLAGS
-----
Flags are essentially like registers except that they can only be true or false ( ie 0 or 1 ) These are set by commands such as CMP, and are used to check the outcome of such a call, ie:
CMP AX, BX ; Compare AX to BX, if equal the zero flag is set to 1
JZ 00124531 ; If the zero flag is set, jump to 001254531.
To understand this properly you'll probably have to read on and then come back... :P
The Stack & Push/Pop
--------------------
Before any function call, a program must 'push' any parameters that the function expects onto the stack. Think of it as a stack of plates, the first plate on the stack is the last one to be taken off-- the stack is exactly the same. It's important to remember this 'first on/last off' principal when looking at a call, as this means that the parameters will be passed in reverse order...
In case my babbling has confused you, lets look at this example:
The windows api function GetDlgItemText requires the following parameters:
- Handle of dialog box
- Identifier of control
- Address of buffer for text
- Maximum size of string
Therefore these could be passed like so:
MOV EDI,[ESP+00000220] ; Get Handle of dialog box in EDI
PUSH 00000100 ; PUSH (4) Max size of string
PUSH 00406130 ; PUSH (3) Address of buffer for text
PUSH 00000405 ; PUSH (2) Identifier of control
PUSH EDI ; PUSH (1) Handle of dialog box
CALL GetWindowText ; CALL the function
Easy eh? This can be one of the simplest ways of cracking a serial number app, if you know the address of the buffer for the serial number, in this case 00406130, just breakpoint it, and you'll usually end up in or around the procedure that generates the real serial!! :)
POP is simply used to remove the first item from the stack, there are usually a lot of them before a function returns to the program...
AND
---
USAGE : AND dest,src
PURPOSE : Performs a logical AND of the two inputs, replacing the dest with the result
EXAMPLE : AND BX, 03h
There's not very much that can be said about this call, it does what it says.
CALL
----
USAGE : CALL address
PURPOSE : Executes a function at the address 'address'
EXAMPLE : CALL 10284312
Calls the function at address 'address', once the function has finished, the code with continue the line after the call.
CMP
---
USAGE : CMP dest,src
PURPOSE : Subtracts src from dest and updates the flags.
EXAMPLE : CMP AX,03h
This is an important instruction as far as we ( crackers ) are concerned :). Somewhere in the program for it to verify something, ie. to compare the real serial to the one we enter, or to check if a program is registered etc.
This instruction usually precedes a jump instruction of some kind.
INT
---
USAGE : INT interrupt_number
PURPOSE : Calls a default function ( usually coded in the BIOS )
EXAMPLE : INT 10h
You won't really see this command much ( if at all ) when debugging windows programs, but they turn up all over the place in DOS. Usually the parameters are passed in the default registers ( AX,BX,CX etc. )
There are far too many INT calls to list here, better to get a copy of an interrupt list. Ralph Browns is very good! :)
JMP
---
USAGE : JMP address
PURPOSE : Equivalent to a basic GOTO, jumps to a section of code
EXAMPLE : JMP 00402011
JMP is an unconditional jump to a section of code. As simple as that! :)
There are tons of variations on this instruction, the most important ones are:
- JZ - Jump if the zero flag is set. ( Same as JE )
- JNZ - Jump if the zero flag is not set. ( Same as JNE )
These usually follow a CMP instruction, ie:
CMP RealSerial,BadSerial ; Compare the real serial to our serial
JNE GoAwayBadCracker ; If Not Equal then exit.
MOV
---
USAGE : MOV dest,src
PURPOSE : Copies byte or word value from the source to the destination
EXAMPLE : MOV AX,DX
You will see this a *lot* when you're stepping through code, it basically means ( to use BASIC terms ;) ) LET dest = src
There are quite a few variants including MOVSX, but they all basically do the same thing. It might help to get the intel programming specs from their website.
If you can't understand this one, you're screwed! ;)
OR
--
USAGE : OR dest,src
PURPOSE : Performs a logical OR on the two inputs replacing the dest with the result
EXAMPLE : OR DX, AX
Does what it says.
RET
---
USAGE : RET
PURPOSE : To return from a function
EXAMPLE : RET
You will usually see this at the end of a function, and it simply instructs the processor to return to the address of the call to the function.
As far as I know this is about all you'll need to really understand to get started in cracking. Most of the stuff is pretty self-explanitory, but if you get stuck you can email me at: Corn02@hotmail.com or go to #cracking4newbies on efnet, where you'll be able to find someone to help you out. Any comments and stuff are also welcome, or any stuff that you think needs to be added also.
--Corn2
Last Words
Ok, dude .. That was Lesson 1 ... Lets rock´ in Lesson 2 :-)
l8ter
-DrAg0n FFO98-