dRaG0n´s CrAcKinG Lesson 6
Tools you need
- Softice V.3.X
- W32dasm V8.X
- MP3toExE v1.01
- Hiew 5.xx
Introduction
bAck , doooods ;) ... jUst AnotHa lesSOn .. hOpe yA enJoy it .. hehe ! k .. lEt´s daNcE =)
Cracking MP3 to EXE with Softice
I will do this in steps, so it's easier to understand :-) .. like in the other lessons ...
Step 1
Run MP3 to EXE and go to "Register/Enter the Registration Code"
Step 2
Enter "DrAg0n" as name, "[FFO]" as serial, and "77777" as dummy regnum.
.. enter S-iCE ...
Now we'll set the most common breakpoints:
"Bpx GetDlgItemTextA"
"Bpx GetWindowTextA"
Now leave S-iCE.
Step 3
Press "Ok" .. nothing breaks .. hmm .. let's try hmemcpy: go back to SiCE and do "Bpx hmemcpy", leave SiCE and hit Ok again .. ;-)
"Break due to BPX Kernel!Hmemcpy ... "
Step 4
Now press "F5" (resume) three times, because the third break is the last one ... then press "F11" (run until return to the caller).
Now you'll see that we aren't in the right place yet, see "USER(03)" .. K .. hit "F10" (step over) till you are in the "MP3TOEXE!CODE+xxxxxxx" section ...
If you trace a bit more (F10), you'll see there are only lots of ret commands here, so keep tracing till you're at the right code ... at location xxxx:4545AB ..
You'll see the following code from there, the only part you'll need:
From now on I won't describe all the ASM code for you, only if it's needed or there are new commands...
If you need help with them, see Corn2's ASM tut in Lesson 1! =)
004545AB 8B45F8        mov eax, dword ptr [ebp-08]
004545AE 50            push eax
004545AF DB2E          fld tbyte ptr [esi]          ; I dunno, sorry..
004545B1 E872E4FAFF    call 00402A28                ; Not an interesting call
004545B6 8D4DDC        lea ecx, dword ptr [ebp-24]
004545B9 BA08000000    mov edx, 00000008
004545BE E8991AFBFF    call 0040605C                ; Not an interesting call
004545C3 8D45DC        lea eax, dword ptr [ebp-24]
004545C6 50            push eax
004545C7 DB2B          fld tbyte ptr [ebx]          ; what is this?
004545C9 E85AE4FAFF    call 00402A28                ; Not an interesting call
004545CE 8D4DD8        lea ecx, dword ptr [ebp-28]
004545D1 BA08000000    mov edx, 00000008
004545D6 E8811AFBFF    call 0040605C                ; Not an interesting call
004545DB 8B55D8        mov edx, dword ptr [ebp-28]
004545DE 58            pop eax
004545DF E82CF1FAFF    call 00403710                ; Interesting, because it's the second call before the jnz
                                                    ; that decides Bad Cracker / Good Buyer!
004545E4 8B55DC        mov edx, dword ptr [ebp-24]  ; After the call and this mov have executed, do "d edx"
                                                    ; and you'll see a number ... write it down!
004545E7 58            pop eax
004545E8 E82BF2FAFF    call 00403818                ; Not an interesting call
004545ED 0F8591000000  jnz 00454684                 ; Good Buyer / Bad Cracker
Step 5
Ok ... after the call has calculated the serial and "mov edx, ..." has moved it into edx, do "d edx" .. you'll notice a new number .. write it down ..
For me it was 14FE7A6E4B9A6E49 ... do "bd *" (disable all breakpoints), leave SiCE and replace our dummy serial "77777" with the code we got ... and hit Register ...
k, no box came up saying "wrong serial", so restart the prog and go to
About.. you'll see:
Registered to : DrAg0n
Serial : [FFO]
*Boooom*, Regged ;-)
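Added note (not part of dRaG0n's lesson): what makes this serial fishable is that the program computes the right serial from the name and then compares it, so the value is sitting in memory for "d edx" to show. Below is a constructed Python sketch of that weak pattern next to a check where the serial is a signature the program can only verify, never produce; the RSA keys are toy 32-bit primes picked at runtime and all function names are hypothetical.

```python
import hashlib
import math
import random

# Weak pattern (constructed): the client derives the correct serial from
# the name and then compares it, so the expected value sits in memory
# right before the compare, which is exactly what "d edx" shows above.
def expected_serial_weak(name: str) -> str:
    return hashlib.sha256(name.encode()).hexdigest()[:16].upper()

def check_weak(name: str, serial: str) -> bool:
    return expected_serial_weak(name) == serial

# Hardened pattern: the serial is a (toy) RSA signature over the name.
# Only the vendor holds d; the program ships (n, e) and can only verify,
# so a valid serial is never computed on the user's machine. The 32-bit
# primes (trial division) keep this runnable; real keys are far larger.
def _random_prime(bits: int, rng: random.Random) -> int:
    while True:
        c = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # odd, top bit set
        if all(c % k for k in range(3, math.isqrt(c) + 1, 2)):
            return c

def keygen(seed: int = 1):
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _random_prime(32, rng), _random_prime(32, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return {"n": p * q, "e": e}, {"n": p * q, "d": pow(e, -1, phi)}

def _name_digest(name: str) -> int:
    # 56-bit digest of the name, always below the >= 62-bit modulus
    return int.from_bytes(hashlib.sha256(name.encode()).digest()[:7], "big")

def issue_serial(name: str, priv: dict) -> str:
    """Vendor side: sign the name digest with the private exponent."""
    return format(pow(_name_digest(name), priv["d"], priv["n"]), "016X")

def verify_serial(name: str, serial: str, pub: dict) -> bool:
    """Client side: needs only (n, e); a wrong or malformed serial fails."""
    try:
        s = int(serial, 16)
    except ValueError:
        return False
    return 0 < s < pub["n"] and pow(s, pub["e"], pub["n"]) == _name_digest(name)
```

With the signature scheme a debugger on the client still sees the typed serial and the digest, but no correct serial is ever materialized, so there is nothing to fish.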
Last Words
Ok, that was another Name/Serial prog., my favourites :-)
Just tell me if you know what "fld tbyte ptr [ebx]" or so means, I will add it to this tut then ;)
thx , c ya in next Lesson (7) sooooon , hehe
l8rz dRAg0n
.. wHats tHat VoiCe sAyinG my Name ? .. HmmM .. .. ... aHHH .. My bEd :-D