REGISTER Dogz v1.08p USING WINICE
by PlasMa


Here is another essay by PlasMa: this time it's a little more detailed, and helps you to crack a program whose cracks on the Internet don't always work. Someone will recognize in this work the birth of a good cracker ;-)


HOW TO REGISTER _Dogz v1.08p_ WITH WINICE

 1) Load Dogz and reach this window:

    +-------------------------------------------------------------+
    |                                                             |
    |                          PURCHASE YOUR DOGZ                 |
    |                                                             |
    |                                                             |
    |                                                             |
    |  Dogz Validation Code 1.08p               Dogz Unlock Code  |
    |                                                             |
    |   4236-7036-0538-4873-5625                 XXXX-XXXX        |
    |      (THIS MAY CHANGE!)                                     |
    |                                                             |
    +-------------------------------------------------------------+

 2) Before pressing enter, call Winice with CTRL+D and write
     "bpx GETDLGITEMTEXT" (16 bit code?)

    [Remember that the difference between 16 and 32 bit code is the "a"
     at the end of the procedure's name: getdlgitemtext=16 bit code,
     getdlgitemtexta=32 bit code. Bpx is used to break the program when
     the procedure getdlgitemtext is called.]

    Then press CTRL-D again, put an unlock code (I put 6666-6666)
    and press enter. The prog will break and return to Winice.

 3) Press F11 to exit the call and look at the last 3 PUSHes before
    the call. I got something like this:

    MOV AX, [BP+6]
    ADD AX, 028C
    PUSH WORD PTR [BP+8]        <-- AHA! These two PUSHes tell you the
    PUSH AX                     <-- address of the text entered!
    PUSH 0080

    [Remember that the address of the text read by getdlgitemtexta is
     ALWAYS in the 3rd push BEFORE the call of the function: in this
     case we have the 4th="offset" and 3rd="address"]

    If you dump bp+8 you'll see the offset of the address in which you
    should find the text entered. AX doesn't have the right value out
    of the call... you'll have to look yourself (the value pushed was
    93E anyway).

    [If you want to look at the value before the call, you should bpx
     on the address of the PUSH you're interested in and reinsert your
     password]

    So look to your password location with
     "d offset:93e"
    and then
     "bpm offset:93e"

    [Remember that BPM means "Breakpoint on memory access"]

 4) Press CTRL-D. You'll see some code containing a REPNZ SCASB. It's
    a counter, you can skip it pressing CTRL-D again.

    [LEARN WELL how a counter works: if you can recognize it you'll be
     able to skip it the next times!]

 5) Now you find some code like this:

    MOV AL,ES:[BX]
    ...                 --> In the meanwhile, BX changes!
    MOV ES:[BX],AL

    Hey, BX is changed to A3E, so write
     "d es:a3e"
    hmm... interesting! My pw is going to be copied here! Let's
     "bpm es:a3e"

 6) Press CTRL-D and you'll find another counter: skip it. You'll find
    a piece of code with:

    MOV AL,ES:[BX]
    ...                 --> Here you find a compare with 2D, which is
    ...                 --> "-": remember the pw is "XXXX-XXXX"?
    MOV SS:[BX],AL

    well, let's check with
     "d ss:bx"
    and then
     "bpm ss:bx"

    You've just breakpointed the memory address containing your pw
    WITHOUT "-"...

    [REMEMBER! You should dump and breakpoint registers only when you're
     sure that they have the same value as in the MOV instruction!]

 7) Now skip those boring SCASBs... :)

 8) You'll find another piece of code like:

    MOV AL,ES:[BX]
    ...                 --> In the meanwhile, BX changes!
    MOV ES:[BX],AL      

    Here the string without the "-" is copied in the old address 93e...
    CTRL-D some times... you'll see junk values in the last address you
    breakpointed: you just don't need it anymore! Let's
     "bc 3"

    [BC means "Clear Breakpoint": you use it to delete a breakpoint you
     don't need anymore]

    Press CTRL-D and skip SCASB if you find one... ;)

 9) Here is another

    MOV AL,ES:[BX]
    ...                 --> In the meanwhile, BX changes!
    MOV ES:[BX],AL      

    Well... guess now...
     "d es:bx"          --> let's check... it's a new address! :)
     "bpm es:bx"        --> let's see if it's important...

10) The last address is VERY important... pressing CTRL-D you'll jump
    exactly in a CMPSB routine (guessed something?)
    Try to
     "d es:di"
    You see those 5 numbers? They are the first five digits of YOUR
    code! No need of crackin'... just write 'em  down! Note that the
    check for the other three digits starts only if the first five
    are the right ones... when it starts, dump es:di again and you'll
    see the last three digits! :)
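    As an added illustration (not code from Dogz or from PlasMa), here is
    a C model of the check steps 6 to 10 trace through, beside a hardened
    form of it: the weak version keeps the real 8-digit code in memory and
    compares it in two stages (five digits, then three), which is why a
    dump at the CMPSB shows the expected value; the hardened version stores
    only a digest, so the plaintext code never exists in the process. The
    sample codes are constructed, and FNV-1a is an assumed placeholder hash
    chosen to keep the example short, not a secure choice.

```c
/* Added example, not code from Dogz: a C model of the serial check the
 * tutorial follows in the debugger, beside a hardened form. The hash used
 * (FNV-1a, 32 bit) is a placeholder for the structure only, not a secure
 * choice: a real product would use a keyed cryptographic hash or a signature. */
#include <stdint.h>
#include <string.h>
/* Copy src to dst dropping every '-', like the tutorial's MOV AL,ES:[BX] /
 * compare with 2D / MOV SS:[BX],AL loop. Returns the stripped length. */
static size_t strip_dashes(const char *src, char *dst, size_t cap)
{
    size_t n = 0;
    for (; *src && n + 1 < cap; src++)
        if (*src != '-')
            dst[n++] = *src;
    dst[n] = '\0';
    return n;
}
/* Weak check: the real unlock code (8 digits, no dash) sits in memory and is
 * compared in two stages, five digits then three, exactly what the tutorial
 * sees at es:di. The second stage only runs after the first matches. */
int weak_check(const char *entered, const char *valid_code)
{
    char buf[16];
    if (strip_dashes(entered, buf, sizeof buf) != 8)
        return 0;
    if (memcmp(buf, valid_code, 5) != 0)        /* first five digits */
        return 0;
    return memcmp(buf + 5, valid_code + 5, 3) == 0;  /* last three */
}

uint32_t fnv1a32(const char *s)
{
    uint32_t h = 2166136261u;
    for (; *s; s++) { h ^= (uint8_t)*s; h *= 16777619u; }
    return h;
}

/* Hardened check: only a digest of the valid code is stored and the whole
 * entry is tested in one comparison, so a dump at the compare shows two
 * digests, not the code, and there is no per-digit progress to observe. */
int hardened_check(const char *entered, uint32_t expected_digest)
{
    char buf[16];
    if (strip_dashes(entered, buf, sizeof buf) != 8)
        return 0;
    return fnv1a32(buf) == expected_digest;
}
```

    Hiding the code behind a digest only defeats the memory-dump approach; it
    does nothing against patching the conditional jump after the check, so a
    purely client-side check can raise the effort but never remove it.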
    
11) You wanna crack this prog? Easy! Press F10 until you exit the call,
    then... you see that jump? Somethin' like a 74 03 (JZ)? Well,
    change it to a EB 03 (JMP anyway). Then you'll jump in the second
    CMPSB... Press F10 again until you RET... Check the jump this time:
    is it a 75 2A (JNZ)? Change it to a 90 90, or to a 75 00: Dogz is
    now cracked! 

12) Well... what can I say now? Enjoy your Dogz!!! :)

Greetz,

    PlasMa

(c) PlasMa 1998.
WARNING: this tutorial is published for EDUCATIONAL PURPOSES only! Nobody except you is responsible for what you do with the things you read here. Also, if you intend to use shareware programs for a perio