Copy Link

Add to Bookmark

Report

PhRoZeN CReW - Tutorial 5 - 4-1-1998

Published in

· 27 Feb 2023

                          ‹‹€€≤‹‹                   ∞ 
                       ‹≤≤ﬂﬂ   ﬂﬂ≤≤‹‹   ˛ ﬂ   ‹     ±     ‹‹≤≤‹ 
             ‹       ‹ﬂ ‹‹‹€€€€‹‹‹ ﬂ€≤‹          ﬂ ‹≤  ˛ﬂﬂﬂﬂﬂ€€≤≤‹ 
        ‹ﬂ     ﬂ ‹ ﬂ  ‹€€≤≤€€€€€€€€‹ ﬂ€€   ∞ ∞ ∞∞±±≤≤≤€€€€€‹‹‹ ﬂﬂ€€‹ 
       ﬁ›           ‹€€ﬂﬂ     ﬂ€€€≤€€ ﬁ€€‹ ‹      ‹€€€€≤€€€€€€€€‹ ﬂ≤≤ﬂ 
        ﬂ‹        ‹ﬂﬂ    ‹ ∞∞  ﬁ€≤≤≤€› €ﬂ        ﬁ€€€ﬂﬂ€€€€€€€€€≤€ 
            ﬂ   ﬂ   ‹‹‹€€      €€€≤€€€ ﬂ    ‹   ‹€€€›  ﬁ≤€€€€€≤≤≤≤±±∞∞ ∞  ∞ 
        ˛   ‹‹‹‹€€€€€≤≤€›  €‹‹€€€€€€€› ﬂ      ﬂ€≤€€€    ﬂ≤€€€€ﬂﬂ≤ﬂ  ‹‹ 
         ﬂ‹  ﬂ≤≤€€€≤≤≤≤€› €≤≤€€€€€€≤€  ‹ ∞ ∞∞ ‹ ﬂ≤≤€      ﬂﬂ ‹‹ ± ‹≤≤ﬂ 
          ﬁ≤‹  €€€€€€≤≤≤›€€≤€€€€€€€ﬂ  ∞   ∞ ∞ €€‹ ﬂ≤›    ‹≤€≤ﬂ  ∞ ﬁﬂ 
          ≤€€€›ﬁ€€€€€€≤≤› ﬂ€€€≤≤ﬂﬂ           ﬁ≤€€€  ﬂ   ﬂ≤ﬂ 
 ∞  ∞ ∞∞±±≤≤≤€€ €€€€€€≤≤€                    ≤≤≤€€› 
         ±≤≤€€€ €≤€€€€€≤≤› ∞∞∞∞∞ ∞      ∞     ﬂ≤≤ﬂ  ‹       ‹€≤‹ 
          ± ≤ﬂ  €≤€€€€€€≤€  ∞∞∞ ∞   ∞     ﬂ ‹ ±   ‹≤   ‹   ∞ ﬂ€€€≤‹     ∞ 
          ∞    ﬁ≤≤€€€€€€€≤€‹ ∞    ∞         ﬁ€≤‹‹€≤›  ﬂ≤ﬂ∞∞∞∞ ﬁ€≤≤≤ﬂ ﬂ ∞∞∞∞ ∞ 
              ‹≤≤€€€€€ﬂﬂﬂﬂﬂﬂﬂ         ∞ ∞∞∞±±≤≤≤€€€›       ∞ ‹€€≤≤€‹‹   ∞ 
          ‹‹€≤€ﬂﬂﬂ        ‹≤€‹‹               ± ﬂ€€€‹      ‹≤ﬂﬂ    ﬂﬂﬂ≤‹‹ 
       ‹˛ﬂﬂ               ﬂ€≤≤€€‹             ∞    ﬂ≤€€‹‹ﬂﬂ     ‹˛ ﬂ      ﬂ ‹ 
     ‹                ‹ ˛ ‹  ﬂﬂ≤€€‹                 ﬁ≤≤ﬂ    ∞  ﬁ› ∞∞        ﬁ› 
    ﬁ›              ﬂ      ‹ ﬂ    ﬂﬂ‹         ∞    ‹ﬂ    ∞ ∞∞∞  ﬂ‹          € 
     ﬂ‹           ﬂ        ﬁ€‹  [cH]ﬁ€ ﬂ    ‹   ﬂ           ∞      ﬂ    ‹  ﬂ 
        ˛  ‹   ˛ﬂ         ‹≤ﬂ ﬂﬂ ‹ ˛ﬂ 
                      ˛ﬂ

Hi ya!

Phew, here are we again at learning crack yer babes! Too many newbees!! *cough* Ok, let's rock, in this tutor I'll teach you how to play with your WIN Registry and how to kill Timeouts. :-)

No SoftIce, still my little ol' laptop and I'm getting a new machine soon, then we'll sing soon! :-)

Sorry for my bad grammatical errors, I hope you'll understand this piece! :-)
Ok, let's rave!

TOOLS

For tools you need the followings: (I use these tools, I assume you'll use 'em)

W32Dasm 8.9 or high version (www.expage.com/page/w32dasm)
Hacker's View 5.66 (E-mail: sen@suslikov.kemerovo.su)
FAR 1.50b (ftp://ftp.elf.stuba.sk/pub/pc/utilfile/far150b.exe) It's real nice!
or use Windows Commander 3.50 ·eta 5 in stead of FAR (http://www.ghisler.com)

Ask any crackers to get you these tools, they'll be happy to serve you! :-)

How to register TrayCal 1.0 using WIN Registry URL: http://www.spaeder.com
How to register CopyPaste 1.20 URL: http://www.wz.com/scriptsoftware
How to remove timeout in Radio Destiny 0.2 URL: http://www.destiny-software.com/destiny
PASCAL Source Code for a Patcher by tKC/PC '98

PART 1: To register TrayCal 1.0

Step 1. Run TRAYCAL.EXE

Step 2. You'll see that you have 15 evaluation launches remaining. Right click on TC, and click Register. Enter your name/any code. *boom* Invalid registration code.

Step 3. Ok, exit the program.

Step 4. Run WC, go to TrayCall directory.

Step 5. Copy TRAYCAL.EXE to TRAYCAL.W32

Step 6. Run W32Dasm and disassemble TRAYCAL.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "Sorry, invalid registration code.". (You should remember that error message), double click on it.

Step 8. Close SDR window, you should see the line:

  * Possible StringData Ref from Code Obj ->"Sorry, invalid registration code." 

  :0043FD3D A1E8194400              mov eax, dword ptr [004419E8] 
  :0043FD42 E88D02FFFF              call 0042FFD4

Step 9. Ok, let's find out what happens if you entered valid codes. Press PgDn key 3 or 4 times till you see:

  * Possible StringData Ref from Code Obj ->"Software\Spaeder" 
                                    | 
  :0043FE3A 8B0DDC194400            mov ecx, dword ptr [004419DC] 
  :0043FE40 B201                    mov dl, 01 
  :0043FE42 A128D84300              mov eax, dword ptr [0043D828] 
  :0043FE47 E880E1FFFF              call 0043DFCC 
  :0043FE4C A3FC274400              mov dword ptr [004427FC], eax 
  :0043FE51 C605C819440001          mov byte ptr [004419C8], 01 
  :0043FE58 A0C8194400              mov al, byte ptr [004419C8] 
  :0043FE5D 50                      push eax 

  * Possible StringData Ref from Code Obj ->"EnhancedSystemDate" 
                                    | 
  :0043FE5E B920004400              mov ecx, 00440020 

  * Possible StringData Ref from Code Obj ->"TrayCal" 
                                    | 
  :0043FE63 8B15D8194400            mov edx, dword ptr [004419D8] 
  :0043FE69 A1FC274400              mov eax, dword ptr [004427FC] 
  :0043FE6E E8ADE5FFFF              call 0043E420 
  :0043FE73 6A01                    push 00000001 

  * Possible StringData Ref from Code Obj ->"RegistrationStatus"

Step 10. Enteresting.. do you see "RegistrationStatus"? Let's run REGEDIT and have a look at HKCU\Software\Spaeder\TrayCal:

  EnhancedSystemDate="0" 
  RegistrationStatus="0"

What does it mean? You should know what it does! :-) Ok, let's modify them. Replace "0" to "1". After it should look like:

  EnhancedSystemDate="1" 
  RegistrationStatus="1"

Note, we should have to motify EnhancedSystemDate Key too, otherwise it won't work. Ok, press F5 to update registry.

Step 11. Run TRAYCAL.EXE. Right click on TC, and click About. Wow, it's reg'd now!! Easy huh?

Step 12. Anyway you can export HKCU\Software\Spaeder\TrayCal to a file. Click Export Registry File, save it to TC.REG.. See below:

  REGEDIT4 

  [HKEY_CURRENT_USER\Software\Spaeder\TrayCal] 
  "RegistrationStatus"="1" 
  "EnhancedSystemDate"="1"

Step 13. You can pass TC.REG to anyone or next time run REGEDIT TC.REG, it'll import to Registry File..

PART 2: To register CopyPaste 1.20

Step 1. Run CopyPaste.EXE

Step 2. Enter password to register it. *boom* Wrong password - no register.

Step 3. Ok, exit the program.

Step 4. Run WC, go to CopyPaste directory.

Step 5. Copy CopyPaste.EXE to CopyPaste.EXX (for backup) and copy CopyPaste.EXE to CopyPaste.W32 (for use by W32Dasm)

Step 6. Run W32Dasm and disassemble CopyPaste.W32

Step 7. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "Wrong password - no register..". (You should remember that error message), double click on it.

Step 8. Close SDR window, you should see the lines:

  * Referenced by a (U)nconditional or (C)onditional Jump at Addresses: 
  |:00403427(C), :00403438(C) 

  :0040346F 8D442430                lea eax, dword ptr [esp+30] 
  :00403473 68FF000000              push 000000FF 
  :00403478 50                      push eax 
  :00403479 8B0D1C664100            mov ecx, dword ptr [0041661C] 

  * Possible Reference to String Resource ID=00014: "Wrong password - no reg.."

Step 9. Did you see Referenced Jump? (403427 and 403438) Ok, press PgUp key till you see:

  :00403427 7446                    je 0040346F 
  :00403429 8D442410                lea eax, dword ptr [esp+10] 
  :0040342D 50                      push eax 
  :0040342E E81D400000              call 00407450 
  :00403433 83C404                  add esp, 00000004 
  :00403436 85C0                    test eax, eax 
  :00403438 7435                    je 0040346F 
  :0040343A 8D442430                lea eax, dword ptr [esp+30] 
  :0040343E 68FF000000              push 000000FF 
  :00403443 50                      push eax 
  :00403444 8B0D1C664100            mov ecx, dword ptr [0041661C] 

  * Possible Reference to String Resource ID=00013: "Thank you for regist..."

Step 10. Look at 00403427, it's where it will jump to when it has fucked. Let's see. Make sure the green color bar is on 00403427 7446 je 0040346F and you should see Offset address below on the screen like @Offset 00002827h. It's where you can patch it in CopyPaste.EXE.

Step 11. Go back to WC, run HIEW COPYPA~1.EXE, press F4 to select Decode mode (ASM), press F5 and enter 2827. You should see like:

  00002827: 7446                         je     00000286F   ---------- (1) 
  00002829: 8D442410                     lea    eax,[esp][00010] 
  0000282D: 50                           push   eax 
  0000282E: E81D400000                   call   000006850   ---------- (2) 
  00002833: 83C404                       add    esp,004 
  00002836: 85C0                         test   eax,eax 
  00002838: 7435                         je     00000286F   ---------- (3)

NOTE: To prevent confusing offset address in HIEW, edit HIEW.INI, following: ShowOffset = Global

Step 12. That's where you can change the bytes, press F3, enter 9090 and go below till 7435 (offset 2838), enter 9090 and press F9 to update COPYPA~1.EXE. Exit HIEW.

Step 13. Run CopyPaster.EXE, does it work? *eeyaa* You've made it!!

PART 3: To remove timeout in Radio Destiny 0.2

Step 1. Run RADIO.EXE

Step 2. *boom* This version has expired. Exit the program

Step 3. Run WC, go to RADIO directory.

Step 4. Copy RADIO.EXE to RADIO.EXX (for backup) and copy RADIO.EXE to RADIO.W32 (for use by W32Dasm)

Step 5. Run W32Dasm and disassemble RADIO.W32.

Step 6. Once it's disassembled, click STRING DATA REFERENCE, look down for the string "This version has expired.". Hmm, no string found, what now? Debugger in W32Dasm won't work due of 16bit program. Grrrr.. Ok, let's try..

Step 7. Don't quit W32Dasm.. Run HIEW RADIO.EXE. Press F4 for HEX Mode, press F7. Search a string for "This version has exp" Gotcha! Found it! What now? Ok, locate the offset 6A26 (look above on HIEW)

Step 8. Go back to W32Dasm, press PgDn key down for f*cking times till you get offset address "00006A26h" (look below on W32Dasm)

Step 9. Wow, what have we got? We got here:

  :0001.63A6 54686973207665727369   DB "This versi" 
  :0001.63B0 6F6E2068617320657870   DB "on has exp" 
  :0001.63BA 697265642E00           DB "ired.",0

Press PgUp key 3 or 4 times. Anywhere when you see "BYTE xxxxh" ignore them, those referenced jumps won't work!!

Step 10. Hmm, what do you see? Call USER.MESSAGEBOX!!

         :0001.630A 9AC75B0000             call USER.MESSAGEBOX 
         So we know it calls messagebox when it has expired.

Press UP key till you see:

  :0001.62F1 7C21                   jl 6314 
  :0001.62F3 7F05                   jg 62FA 
  :0001.62F5 3DB40B                 cmp ax, 0BB4 
  :0001.62F8 761A                   jbe 6314

Step 11. Look at 0001.62F1, it's where it will jump to when it has fucked. Let's see. Make sure the green color bar is on 0001.62F1 address. and you should see Offset address below on the screen like @Offset 00006971h. It's where you can patch it in RADIO.EXE.

Step 12. Go back to WC, run HIEW RADIO.EXE, press F4 to select Decode mode (ASM), press F5 and enter 6971. You should see like:

  00006971: 7C21                         jl     000006994 
  00006973: 7F05                         jg     00000697A 
  00006975: 3DB40B                       cmp    ax,00BB4 
  00006978: 761A                         jbe    000006994

Step 13. That's where you can change the bytes, press F3, enter EB and press F9 to update RADIO.EXE. Exit HIEW.

Step 14. Ok, run RADIO.EXE *boom* It works!! :-)

PART 4: PASCAL Source Code for a Patcher by tKC/PC '98

-------------------------------<cut here>------------------------------------- 

Uses Crt; 

 Const A: Array[1..4] of Record {<-------- 4 bytes to be patched} 
                          A : Longint; 
                          B : Byte; 
                         End = 
((A:$2827;B:$90), {<--------------- offset "2827" and byte "90" to be changed} 
(A:$2828;B:$90), {<--------------- offset "2828" and byte "90" to be changed} 
(A:$2838;B:$90), {<--------------- offset "2838" and byte "90" to be changed} 
(A:$2839;B:$90)); {<--------------- offset "2839" and byte "90" to be changed} 

 
Var Ch:Char; 
    I:Byte; 
    F:File; 
    FN:file of byte; 
    Size:longint; 

 
Begin 
 Writeln('Little Patch');writeln('Crack for CopyPaste 1.20 by tKC/PC ''98'); 
 Assign(F,'COPYPA~1.EXE'); {<-------------- filename to be patched} 
 {$I-} Reset(F,1); {$I+} 
 If IOResult <> 0 then 
    begin 
    writeln('File not found!'); 
    halt(1); 
    end; 
 For I:=1 to 4 do {<---------------------- 4 bytes to be patched} 
 Begin 
  Seek(F,A[I].A); 
  Ch:=Char(A[I].B); 
  Blockwrite(F,Ch,1); 
 End; 
 Writeln('File successfully patched!'); 
End. 

-------------------------------<cut here>-------------------------------------