The Art Of Cracking
Introducing you to the world of cracking. A beginner's tutorial, written by: PK
What is cracking?
Cracking is, as I like to say, an art, an expression. Everyone can handle it, but not everyone can make the best of it. If you like to crack you'll see that it isn't easy to understand at first, but after gaining some experience and knowledge it is incredible. If you have learned real cracking you aren't only a cracker, you are more than a cracker. With the art of cracking you'll gain more knowledge about your PC, the programs you are running on it and how they work. You'll understand how a program works and how to manipulate it so that it can be useful for you. And that doesn't mean it's illegal. Of course it's not 100% legal, but it can be useful for you later in life. You gain experience with ASM code, understand how programs and other applications work, and maybe it makes a programmer out of you.
Who knows, but at first you have to learn it step by step. I'll help you with my tutorials and I hope you understand the way I explain it. Excuse my English, I know it's not the best, but I'll do my best.
Step one: What do we need to crack?
Do I need some knowledge about assembler or anything else?
No. I made this tutorial for all the beginners who don't understand anything about ASM code or the internal workings of applications. Like you and everyone else, I also started with cracking some time ago, and it took a lot of my time to learn what I know today about cracking. I think there are many tutorials which are good, and I don't want to say anything against them. But I think most of them are quickly written memory killers with which you can't do anything. I always had problems understanding them and what they mean. Like, what is a NOP, or what do terms like JE, EAX, jump signs, etc. mean? What do they mean by "jump to a bad boy" and "replace the jump if not equal with the jump if equal command"? All these things and many more sometimes made me worry about what I wanted to learn. I thought I would give up on cracking. Yes, sometimes you'll think "oh man, what do you mean?", "it doesn't work!"
BUT DON'T GIVE UP.
Everyone experienced this at some point in time, and you're neither the first nor will you be the last. You have to learn again and again. And then at some point you'll see that what you were doing all the time was good, and you'll be proud of your efforts.
The software we'll need:
At first the only things we'll need are W32Dasm 8.9 (a Windows disassembler) and HIEW (a good hex editor; I think it'll be the best for you at first). That's all. In the following tutorials I'll explain how to work with Soft-Ice and how to handle the ASM code. But at first, what you need as a beginning cracker are only these two things.
1) Getting started:
As you know it's not very easy to handle all the ASM code, and I think you don't know much about it, so I'll explain the most needed commands. First we have to know that every two hex digits in ASM code represent one byte. Take the number 75564345: that is 4 bytes. The 75 is one byte, the 56 is one byte, the 43 is one and the 45 is one byte. So we have 4 bytes making up the command at this point. If we want to replace them later, we now know that we always have to replace two digits with two other digits. For example 75 (in hexadecimal this stands for JNE; JNE means jump if not equal) we can change to 74 (in hexadecimal it stands for JE; JE means jump if equal). Most of the time this is enough to crack a game or to register a program so it won't say "sorry invalid password" or something else (please don't think it's always so easy; I take this as a very simple protection).
Why? Because 75 (jump if not equal) means that the application is checking something, like whether there is a CD present in the drive, or whether the password is the same as the one saved in the program. If it isn't right, i.e. there is no CD in the drive or the password you entered is not valid, it jumps to the "Bad Boy" and the program pops up the error message. By the way, "Bad Boy" in cracker language is something like the dude who calls the error message. If we change it to 74 (jump if equal), the program thinks that there is a CD in the drive or the password is valid and jumps to the "Good Boy". The Good Boy is the one who makes the way clear. You have to manipulate the application so it thinks that there is a CD present or the password is valid and continues with the program.
Remember that the exe runs from top to bottom. So the commands which call the error messages are placed before the error messages. What I mean is that if you found the error message (I'll explain later how to do it) you always have to look up in the ASM code, not down. It's like you: if you read a book or a text you start on line one and read your way down. The program does the same. It checks from line one of the ASM code to the end of the code whether everything is correct. And if it finds an error in line 9, it jumps down to the "Bad Boy". It can't jump up, because up there it already checked everything and there were no complications. So if you found the error message, look up (before it) and you'll find the command which calls the error message on the screen.
OK, now some things about the numbers and things you'll see if you disassemble an exe (here are only the most needed things you have to know at this point in time):
je (hexadecimal 74) = jump if equal
JNE (hexadecimal 75) = jump if not equal
NOP (hexadecimal 90) = no operation
call (no single hexadecimal value) = call an operation
jmp (no single hexadecimal value) = jump to a string/operation
These are the five basics we'll need at first. The others will be explained in later tutorials when you have gained more experience with ASM code.
Ok, now we'll take a look at what they do in an ASM code string.
JE (jump if equal) jumps to an operation if it has found what it was supposed to check.
Example: A game needs a CD to start the main game. So the "jump if equal" JE command checks whether there is a CD in the drive. If there is a CD in the drive it'll continue and pass information on to the commands after it. That's an equal operation. The CD was found (equal) and it continues in the ASM code (jump if equal).
JNE (jump if not equal) jumps to an operation (most times a Bad Boy, meaning the error message you'll receive on your screen) if it didn't find what it checked.
Example: The game needs a CD to start the main game. So the "jump if not equal" JNE command checks whether there is a CD present in the drive. If not, it'll jump to a "Bad Boy" and you'll receive an error message on screen like "Cannot find CD in drive. Please insert CD and click on OK." That's a "jump if not equal" operation. The check failed (because it didn't find a CD in the drive), it jumped to the "Bad Boy", and the "Bad Boy" ends the loading process and lets the error message be shown on your screen.
NOP (no operation) kills the current operation, like checking for a CD in the drive or checking whether the password is valid.
Example: The game needs a CD to start the main game. It's like before, except that you set the NOP command. You can replace the JNE/JE/call/jmp commands with a NOP command. The NOP then disables the JNE/JE/call/jmp command; this means the program doesn't check whether a CD is present in the drive and continues in the ASM code. The game runs (you can do that, but it's only a style for simple CD protections).
call (call an operation) does what its name says. It calls a command, which can be an error message, a nag screen... This you can disable with a NOP command.
jmp (jump to a string/operation) is like a call (not the same, but... you can say it is); it doesn't call commands but jumps to them.
Example: The jmp jumps to a string/operation which will call an error message, or to a Bad Boy... The jmp can also be disabled with a NOP command.
I think that's all you have to know for now about the commands in ASM code. In this tutorial we'll handle only these few commands.
GOOD LUCK!!
About protection schemes:
There are enough protection styles you have to learn about and learn how to disable. We have "normal" CD protections (a game checks whether there is a CD present; if not it won't start the game), password protections (you have to enter a valid password [most times you find them in trial versions]; if you don't enter a valid password you can't register or start the application), time locks (most times in trial versions: you have some time to test a program, like three weeks, and after that time it won't start / shows an error message / you have to enter a password to unlock it), and in unusual cases you have to get unlock software from the programmer (the program won't work without the software of the distributor; this kind of protection is hard to find). Those are the most usual protection schemes you'll find on your way to becoming a real cracker.
The easiest protections for us to crack are Windows error message boxes (I think so). It's a Windows message box which is shown on your screen with some text if you haven't got a CD present or a valid password. This kind of protection you can see in EA applications like NFS/FIFA Soccer/NHL... It's very easy to crack, because the only thing you have to do is kill the window (most times with a NOP command, or by changing JE to JNE / JNE to JE). We also find this kind of protection in password-locked applications. If you enter an invalid password you'll receive a Windows message box too, which includes a text like "invalid password" or something else.
Then we have in-game error messages, which are harder to crack, because W32Dasm shows you only the Windows message boxes and not the in-game messages. For this kind of protection we need the Soft-Ice debugger (I'll explain in later tutorials how to use Soft-Ice). This kind of protection you can see in games like Commandos/Grand Theft Auto/Descent: FreeSpace. And time lock protections can be shown to you as a Windows box or as an "in game" error message (I'll call them NAG screens). This kind of protection you can see in Paint Shop Pro.
In this tutorial I'll show you how to disable the Windows message boxes with W32Dasm version 8.9 and with Hiew. We'll crack WinRAR and WinRAR95 (maybe a game too, like Anno 1602 or something else; I don't know how much time I'll get and whether the tutorial won't get too long).
Beginning with cracking:
Now let's start with the main thing you want to learn: cracking. I'll show you now how to handle the basic commands of W32Dasm89 and Hiew. We'll now crack WinRAR95.exe (we'll make a full registered version of the trial).
At first we start the program we're working on. What can we see? At the top of the window we can see "WinRAR (unregistered version)". That's very good for us, because the "unregistered version" status behind "WinRAR" tells us that it is unregistered and that it won't be shown once it is registered. Now we click on "Options" and then on "Register". Now you can see a Windows box (this is the kind of box I mean which is easy for us to crack). Now enter in the text boxes whatever you want, like "Test" as the name and "12345" as the number, and click on OK. You'll hear a sound and another Windows box pops up which tells you "Registration Failed". That's all we want to know.
Close WinRAR95 and go to your MS-DOS box. Now in Norton Commander (you can use Windows Commander too) make two copies of your WinRAR95.exe. One of them named WinRAR95.w32 (for W32Dasm89) and one named WinRAR95.exx (a saved copy in case you change the wrong bytes). Now I'll explain why we make these copies. It's very easy. If you disassemble an exe like WinRAR95 and you're working in W32Dasm89, you can't run the WinRAR95.exe at the same time in Hiew or in Windows Explorer. So you make a second copy named WinRAR95.w32 (you can call it whatever you want, but it's good that you can see it's for W32Dasm89). This copy you'll disassemble with W32Dasm89, and you can always start the original exe in Windows or change its bytes in Hiew. The second copy, WinRAR95.exx, is only a safe recovery copy. If you change the wrong bytes in Hiew or anything else so that it won't run, you can rename WinRAR95.exx back to WinRAR95.exe and try again (remember, it's always a "trial and error" technique).
OK, once you have made the two copies, start W32Dasm89. Now click on the first button at the top (or click on "Disassembler" and then on "Open file to disassemble"). A window pops up and you can choose the file you want to disassemble. Change your directory to your WinRAR directory and click on WinRAR95.w32. Now W32Dasm starts the disassembling process (if you have low system memory or low HD space it'll take some time). You can always click on the button in the middle of the screen called "Cancel Disassembly", which aborts the disassembling process. When the exe is disassembled it may be that you see no "normal" characters but lines written in WingDings. Don't worry, you can change your font. Click on "Disassembler", then on "Font" and finally on "Select Font". Now you can choose the font you'll use in W32Dasm89; I think the best one is Arial. Change the font. Now you have your selected font in W32Dasm89. Click a second time on "Disassembler", "Font" and then on "Save default Font" (if you don't do that, on your next disassembled file you'll have to change the font a second time).
Now you see the ASM code. It won't tell you much, because you don't know what all the commands mean. Now click on the button next to the "Print" button called "Strn Ref" (String Data References). A window pops up. Now you can see all the error messages you can receive from the exe. Do you remember what WinRAR said when you entered the wrong code? It said "Registration Failed". Now look at the text and search for that message. Got it? Double click on it. In W32Dasm you'll be warped to the position in the ASM code where it pops up the error message you'll receive on your screen when you entered the wrong code. If you did it right you should be looking at a screen like this:
:00413A8F 6A6A          push 0000006A
:00413A91 E863640000    call 00419EF9
:00413A96 59            pop ecx
:00413A97 50            push eax
:00413A98 FF7508        push [ebp+08]
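As an added example (not part of the original tutorial), a small Python decoder that checks the listing above against the "two hex digits = one byte" rule from Getting started: it parses each W32Dasm line, verifies that the addresses advance by the byte count, and recomputes the call target from the E8 relative displacement, which is the arithmetic behind the 00419EF9 that W32Dasm shows. The listing text is a constructed copy of the five lines above; the 74/75 short-jump decoding is the standard x86 encoding, included because those are the opcodes the tutorial discusses.

```python
import re

# Constructed copy of the W32Dasm listing shown above (address, bytes, mnemonic).
LISTING = """
:00413A8F 6A6A          push 0000006A
:00413A91 E863640000    call 00419EF9
:00413A96 59            pop ecx
:00413A97 50            push eax
:00413A98 FF7508        push [ebp+08]
"""

LINE_RE = re.compile(r"^:([0-9A-Fa-f]{8})\s+([0-9A-Fa-f]+)\s+(.*)$")


def parse_listing(text):
    """Return [(address, bytes, mnemonic)] from W32Dasm-style lines."""
    rows = []
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            raise ValueError("unexpected line: " + line)
        addr = int(m.group(1), 16)
        code = bytes.fromhex(m.group(2))  # two hex digits per byte
        rows.append((addr, code, m.group(3).strip()))
    return rows


def check_layout(rows):
    """Each instruction must start where the previous one ended (addr + len(bytes))."""
    return all(a1 + len(b1) == a2 for (a1, b1, _), (a2, _, _) in zip(rows, rows[1:]))


def total_bytes(rows):
    return sum(len(code) for _, code, _ in rows)


def relative_target(addr, code):
    """Resolve a relative call/jump: target = address of next instruction + displacement.
    E8 carries a signed 32-bit little-endian displacement; 74 (JE) / 75 (JNE) carry a
    signed 8-bit one. Returns None for anything else."""
    if code[0] == 0xE8 and len(code) == 5:
        disp = int.from_bytes(code[1:5], "little", signed=True)
    elif code[0] in (0x74, 0x75) and len(code) == 2:
        disp = int.from_bytes(code[1:2], "little", signed=True)
    else:
        return None
    return (addr + len(code) + disp) & 0xFFFFFFFF


if __name__ == "__main__":
    rows = parse_listing(LISTING)
    print("consecutive:", check_layout(rows), "total bytes:", total_bytes(rows))
    for addr, code, mnem in rows:
        tgt = relative_target(addr, code)
        print(f"{addr:08X} {code.hex().upper():<12} {len(code)} byte(s)  {mnem}"
              + (f"  -> target {tgt:08X}" if tgt is not None else ""))
```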