Free chatting!
Send Free sms!
Free SMS to India
Monday, March 3, 2008
How to make ALL Keylogger UNDETECTABLE!!
This tutorial tells you how to make a Trojan, Virus, Keylogger, or anything that would be found harmful, NOT. This tutorial explains how to make all files look %100 clean (become clean and be %100 UNDETECTABLE from ALL ANTIVIRUSES!!!!! ALL!!!!!)
First, get your trojan, virus or keylogger, or server or w/e you plan on using to become undetectable, and get it ready. Fix it up, create it, whatever.
My personal favorite
keylogger: Ardamax Keylogger
Remote Administration Tool (Must not have a router): Poisin Ivy
Google is your friend.
Now that you have your trojan, virus or keylogger or w/e harmful ready, its time to make it UNDETECED!
1. Download Software Passport (Armadillo) by Silicon Realms. This is THE best binder out there I know of, it makes everything %100 UNDETECTABLE BY ALL ANTIVIRUSES (including Norton, Kaspersky, Avast, etc)... The direct link to dl the program is here:
Code:
http://nct.digitalriver.com/fulfill/0161.001
There is a form to fill out information, so put in your real email address, and then you'll recieve a download link in your email (it might be in Spam, Junk mail section so beware.)
2. Once you download the program, install it.
the
Code is :
http://img339.imageshack.us/img339/6...assportzh3.jpg
This is the program. Now that you have it open, you might be confused on what the hell to do, right? Well, this is what you do!
1. Download this pre-made settings. These settings are pre-made by me so you won't be confused. Everything is working.
DOWNLOAD THIS FOR THE PRE-MADE SETTINGS:
Code:
http://rapidshare.com/files/8749860/projects.arm.html
DOWNLOAD THIS FOR THE BACKUP (You need this in the same location as the projects.arm file) YOU NEED THIS FILE ALSO!
Code:
http://rapidshare.com/files/8750048/projects.Stats.html
Now, when you download these files, and you put them in the SAME FOLDER (or same location), open Software Passport again and click Load Existing Project (top left).
Where it says "Files to Protect" (if theres stuff there, delete it):
Add the files you want to make %100 UNDETECTABLE!!
Now, once done, go to the bottom right and click "Build Project". A bunch of windows will come up, just click Yes and OK.
Now, once its created, they are %100 undetectable. Go to
Code:
virustotal.com
to scan it with every Antivirus, and they wont find ANYTHING
This tutorial tells you how to make a Trojan, Virus, Keylogger, or anything that would be found harmful, NOT. This tutorial explains how to make all files look %100 clean (become clean and be %100 UNDETECTABLE from ALL ANTIVIRUSES!!!!! ALL!!!!!)
First, get your trojan, virus or keylogger, or server or w/e you plan on using to become undetectable, and get it ready. Fix it up, create it, whatever.
My personal favorite
keylogger: Ardamax Keylogger
Remote Administration Tool (Must not have a router): Poisin Ivy
Google is your friend.
Now that you have your trojan, virus or keylogger or w/e harmful ready, its time to make it UNDETECED!
1. Download Software Passport (Armadillo) by Silicon Realms. This is THE best binder out there I know of, it makes everything %100 UNDETECTABLE BY ALL ANTIVIRUSES (including Norton, Kaspersky, Avast, etc)... The direct link to dl the program is here:
Code:
http://nct.digitalriver.com/fulfill/0161.001
There is a form to fill out information, so put in your real email address, and then you'll recieve a download link in your email (it might be in Spam, Junk mail section so beware.)
2. Once you download the program, install it.
the
Code is :
http://img339.imageshack.us/img339/6...assportzh3.jpg
This is the program. Now that you have it open, you might be confused on what the hell to do, right? Well, this is what you do!
1. Download this pre-made settings. These settings are pre-made by me so you won't be confused. Everything is working.
DOWNLOAD THIS FOR THE PRE-MADE SETTINGS:
Code:
http://rapidshare.com/files/8749860/projects.arm.html
DOWNLOAD THIS FOR THE BACKUP (You need this in the same location as the projects.arm file) YOU NEED THIS FILE ALSO!
Code:
http://rapidshare.com/files/8750048/projects.Stats.html
Now, when you download these files, and you put them in the SAME FOLDER (or same location), open Software Passport again and click Load Existing Project (top left).
Where it says "Files to Protect" (if theres stuff there, delete it):
Add the files you want to make %100 UNDETECTABLE!!
Now, once done, go to the bottom right and click "Build Project". A bunch of windows will come up, just click Yes and OK.
Now, once its created, they are %100 undetectable. Go to
Code:
virustotal.com
to scan it with every Antivirus, and they wont find ANYTHING
## Undetectable Remote Hacking ##
A noob proof tutorial on remote hacking which is 90% undetectable
In this tutorial you will learn how to hack a computer any where in the world. Ok well not anywhere obviously things like the military and the goverment will have very high security so you definately wont be able 2 hack them using this method. I hope not aniways =.
A Major Notice If you are behind a router you will need to port forward your router. To do this you can use a DMS. Its hard to explain as every router has a different interface ( homepage that has a different layout ) so i suggest you go to google and search portforward.com. It will teach you how to port forward your router there.
Ok to begin with you will need these three tools : -
Daemon Crypt - http://rapidshare.com/files/8161346/Daemon_Crypt.rar
Pc Guard - http://rapidshare.com/files/11136172/PC_GUard.rar
Yuri Rat - http://rapidshare.com/files/8161510/Yuri_Rat.rar
Ok now that you have these three tools your 1st step will be to open up Yuri Rat. You will see [Yuri] Remote ADMIN tool and then click on server build. Then put your IP address into the DNS/IP section
To get IP Address go to Start > Run > Type CMD and hit enter. When the black box appears type in IPCONFIG. You will then have your IP Address
Port: You Can Leave As Default (-7898-)
Assigned Name: Doesn’t effect how the server will work its just to keep you more organized so if you wanted to hack your friend “JOE” and specifically make this server for him then you may want to type something like “JOES TROJAN”.
Server Install Name: You should leave this as default as I myself don’t know what the difference is as every server you make is named server when it is 1st created anyway. Do not change it as it may make problems but I am not sure.
Ok as you can see there are more settings on the right hand side. I am going to recommend you settings for different purposes
To Hack A Friend For Fun: Uncheck Everything Unless You Want To Do Optional
(OPTIONAL) Melt Server - Your server will disappear into another folder
(OPTIONAL) Custom Icon if you want to make it more believable or something then get an icon of super Mario or something you get my drift.
To Find Out Valuable Information: Check Everything
Ok Now You Are Finished Click Build
Your server will then be saved to your C: or Hard Drive which ever you know it as. Now we are going to make the server about 90% Undetectable. Only once has one of my servers been detected by an anti virus and I think it was a Norton not sure which version. Ive scanned more then once with Kasper Sky & Symantec Anti Virus and every time they said its clean so lets begin
Open Up Daemon Crypt
Select Your File by clicking browse and going to the folder your server is in. If you have not moved it, it will most likely be in C:
Click On Crypt and then you can close Daemon Tools
Now Install Your Pc Guard for Win32
Ok you have to do basically the same thing as what you did with daemon tools. Click Browse and then find your server so that you have this screen PC Guard for Win32-[Untitled.prj]. Click Protection Options -> Application Info ->
Application Name = Demo application V1.00
Application signature = DEMOAPP100
Application filename = C:\Server.exe
You then want to click on the General Settings and put these settings:-
- Self checking against modifications
- Hide executable objectsnames
- Advanced overlay management
- Encrypt import directory data
- ERASE import directory data
- Enable smart DLL handling
- Virtual machine detection
Ok now you want to go to customization and make sure nothing is ticked
For the last step you want to click the protection methods tab and set it to plain. And then click on protect
Your server is now undetectable =)
Ok so now we have our server and everything is ready to go. Only thing now is to do some social engineering. Basically just lie to your friend/victim and tell them that it is a harmless file. If you do not know anything about your victim talk 2 him for like 3 days find out what he likes. Then lets say he likes football and naked women XD. say to him its a funny game where you play a 5minute 2D football match and if you win a sexc girl comes up on the screen and strips or something along them lines. Im not to good at social engineering. You could even say to your friend/victim that it is a patch for a game that you know that they have and it adds on extra things. The Server is now on there computer and they have double clicked it. If you checked the melt server option then the server will basically evaporate into their computer. They say hey its not working you say hey thats strange it works on my comp. Ahh fuck it i cant b bothered 2 send it again..
Ok so now you have the server running on there comp and it has opened up the default port for you to connect to.
Once again open Yuri Rat and click on listen. Yuri rat will then listen for your online servers that you have gave to people running on the default port 7898. If the person who you sent the rat to is not online you cant connect. When the server you sent out to your friend/victim a balloon notification will pop up. Note that yuri rat should still be listening for the servers. The server will show up in yuri rat. You right click and press connect. And there you go. you are now successfully connected to your victim.
Note: Make sure Port 7898 is the same as the one you used in server build settings.
Ok now without uploading plug ins from yuri rat to your friends/victims computer you will only be able to do limited things with the program which are Download files from there comp & put files from your comp onto their comp.
When you are connected click on plug ins and them upload all of them.
You will then have access to keyloggers, screen capture and much more. If you get stuck click on the help button and it will tell you more about plug ins….
A noob proof tutorial on remote hacking which is 90% undetectable
In this tutorial you will learn how to hack a computer any where in the world. Ok well not anywhere obviously things like the military and the goverment will have very high security so you definately wont be able 2 hack them using this method. I hope not aniways =.
A Major Notice If you are behind a router you will need to port forward your router. To do this you can use a DMS. Its hard to explain as every router has a different interface ( homepage that has a different layout ) so i suggest you go to google and search portforward.com. It will teach you how to port forward your router there.
Ok to begin with you will need these three tools : -
Daemon Crypt - http://rapidshare.com/files/8161346/Daemon_Crypt.rar
Pc Guard - http://rapidshare.com/files/11136172/PC_GUard.rar
Yuri Rat - http://rapidshare.com/files/8161510/Yuri_Rat.rar
Ok now that you have these three tools your 1st step will be to open up Yuri Rat. You will see [Yuri] Remote ADMIN tool and then click on server build. Then put your IP address into the DNS/IP section
To get IP Address go to Start > Run > Type CMD and hit enter. When the black box appears type in IPCONFIG. You will then have your IP Address
Port: You Can Leave As Default (-7898-)
Assigned Name: Doesn’t effect how the server will work its just to keep you more organized so if you wanted to hack your friend “JOE” and specifically make this server for him then you may want to type something like “JOES TROJAN”.
Server Install Name: You should leave this as default as I myself don’t know what the difference is as every server you make is named server when it is 1st created anyway. Do not change it as it may make problems but I am not sure.
Ok as you can see there are more settings on the right hand side. I am going to recommend you settings for different purposes
To Hack A Friend For Fun: Uncheck Everything Unless You Want To Do Optional
(OPTIONAL) Melt Server - Your server will disappear into another folder
(OPTIONAL) Custom Icon if you want to make it more believable or something then get an icon of super Mario or something you get my drift.
To Find Out Valuable Information: Check Everything
Ok Now You Are Finished Click Build
Your server will then be saved to your C: or Hard Drive which ever you know it as. Now we are going to make the server about 90% Undetectable. Only once has one of my servers been detected by an anti virus and I think it was a Norton not sure which version. Ive scanned more then once with Kasper Sky & Symantec Anti Virus and every time they said its clean so lets begin
Open Up Daemon Crypt
Select Your File by clicking browse and going to the folder your server is in. If you have not moved it, it will most likely be in C:
Click On Crypt and then you can close Daemon Tools
Now Install Your Pc Guard for Win32
Ok you have to do basically the same thing as what you did with daemon tools. Click Browse and then find your server so that you have this screen PC Guard for Win32-[Untitled.prj]. Click Protection Options -> Application Info ->
Application Name = Demo application V1.00
Application signature = DEMOAPP100
Application filename = C:\Server.exe
You then want to click on the General Settings and put these settings:-
- Self checking against modifications
- Hide executable objectsnames
- Advanced overlay management
- Encrypt import directory data
- ERASE import directory data
- Enable smart DLL handling
- Virtual machine detection
Ok now you want to go to customization and make sure nothing is ticked
For the last step you want to click the protection methods tab and set it to plain. And then click on protect
Your server is now undetectable =)
Ok so now we have our server and everything is ready to go. Only thing now is to do some social engineering. Basically just lie to your friend/victim and tell them that it is a harmless file. If you do not know anything about your victim talk 2 him for like 3 days find out what he likes. Then lets say he likes football and naked women XD. say to him its a funny game where you play a 5minute 2D football match and if you win a sexc girl comes up on the screen and strips or something along them lines. Im not to good at social engineering. You could even say to your friend/victim that it is a patch for a game that you know that they have and it adds on extra things. The Server is now on there computer and they have double clicked it. If you checked the melt server option then the server will basically evaporate into their computer. They say hey its not working you say hey thats strange it works on my comp. Ahh fuck it i cant b bothered 2 send it again..
Ok so now you have the server running on there comp and it has opened up the default port for you to connect to.
Once again open Yuri Rat and click on listen. Yuri rat will then listen for your online servers that you have gave to people running on the default port 7898. If the person who you sent the rat to is not online you cant connect. When the server you sent out to your friend/victim a balloon notification will pop up. Note that yuri rat should still be listening for the servers. The server will show up in yuri rat. You right click and press connect. And there you go. you are now successfully connected to your victim.
Note: Make sure Port 7898 is the same as the one you used in server build settings.
Ok now without uploading plug ins from yuri rat to your friends/victims computer you will only be able to do limited things with the program which are Download files from there comp & put files from your comp onto their comp.
When you are connected click on plug ins and them upload all of them.
You will then have access to keyloggers, screen capture and much more. If you get stuck click on the help button and it will tell you more about plug ins….
Wednesday, February 27, 2008
Cracking - an outcover
How to crack a software
How to crack a software
tools required
1.hiew
2.win32dasm89++
you may download these tools from
http://www.esnips.com/web/hackingstuffs?docsPage=2#files
as we are using dissembler it will dissemble the soft into its assembly codes so u need to know some basic codes which we need in this job
----------------------------------------------------------
this part is copied from anither community post as i dont feel to rewrite the same thing again
EB-----------------jmp---------------------------Unconditional jump
90-----------------nop---------------------------No operation
75/0F85------------jne---------------------------jump if not equal
74/0F84------------je----------------------------jump if equal
77/0F87------------ja----------------------------jump if above
0F86---------------jna---------------------------jump if not above
0F83---------------jae------------------------jump if above or eq
-------------------------------------------------------------------
now start
1st step-
try to register the software with some random character. you will get an error messege like "wrong code"
note down this code
dessemble the exe file using win32dasm
u will getthe codes in too many lines .. may be 10000 depending upon the size of soft.
now find "wrong code" by search option in the dissembler
as you can see the codes are written in modules
just the line you find the "wrong code" ..try to check for the start of that module
hint* check for the lines "unconditional and conditional jump statements"
see the memory addresses written there
eg- oo1a009877...
leave this thing here only
now open the same .exe file with the help of hiew
open hiew.exe and start working on it with keyboard only
select the folder and select the file to open it
after opening it u can see garbage characters that you can not understand.
press f4 and select 3rd option ie- decode
now you can see the codes
now note the addresses written on dissembler part where we left
on hiew window press f5 and press "." then foloowed by the address u noted there
now after coming to the desired position select edit option by pressing f3
now we have to revert the statements
like lets say we encountered jne
like jne to je and vice-versa by changing there corresponding values ie 84<-->85
like this revert all the loop statements noted on dissembler module where we left after searching
now after editing the values press enter key and then press "f9" to update the changes in the exe file
now exit hiew
done!!!
now replace the .exe file with the one you just cracked
now it will accpet all the wrong codes which u will ener for registration and on entering the correct key only it will show error messege
Any type of registration protection.
First of all.Use Softice cause i don't like Live Approch.
Ok
Run Your target program and go on the registration dialog,then put
in the dialog any name and any serial number but DON'T press OK
before press "control+d" to pops up softice and in softice sets some
Break points.......for approching with a registration routine we must
breakpoint on api(windows functions) used to read Your name and Your
Sn.
They are
Getwindowtext
GetwindowtextA
Getdlgitemtext
GetdlgitemtextA
Hmemcpy (that's not an api but it's the best)
Well the "A" after the api means 32 bit so if your program is 32 bit
put the A if not don't.Easy!
I always use only Hmemcpy cause it runs 99,9% of the times.
Well now exit from softice by pressing control+d and press ok,if you have set
a working bpx softice will pops up.
Now start the real cracking.....
Press F12 until you can read on the bottom line of SoftIce the name
of the file of the program you're cracking....
then if before your location there's a call ok,if not press again F12 until you find it.
Then you must step into the code.....(by pressing F10),if in your stepping you find some
condictional jumps have a look at them......btw step until you find a call that prompt you
something like a messagebox or something else that prompt you the "You entered a Wrong code",
well before that call you noticed a condictional jump that jumped on that call or dindn't jump
over that call....if yes try to inverse the jump (change a jz into a jnz)
or (a better way) change the value of the eip in order to make that jump to jump or not.
Doing this if you find the good jump the program must prompt you "Thank for Registering this
fucked program",
now the crack is near to the end...
Often cracking this way you will only prompt the "You Are Regged" but the program still continue
to be unregged so in order to crack it 100% and easly there are 2 ways-
1) trace into the call BEFORE our important condictional jump and try to understand the code,
in order to find the real compare instrucion that often is kept in this call not out....if
you find out our real compare instruction,and change the below condictional jump in order to
make it jump or not(it depends if it before jumped or not,do the reverse).
Ok now the program should be fully cracked!
2) this is a worse way than the first but it works!This way is easyer for beginners
You must trace into the call before our important codictional jmp,and then put a bpx in its first line,then press "x" and exit from softice and use the program in all its functions,create new,open,about,save, and when softice pops up press "f12" in order to get out that call and look for a near condictional jump and try to inverse it and look if the program looks like regged,
you must sign up all these condictional jump and inverse it,and your program is cracked!
How to crack a software
tools required
1.hiew
2.win32dasm89++
you may download these tools from
http://www.esnips.com/web/hackingstuffs?docsPage=2#files
as we are using dissembler it will dissemble the soft into its assembly codes so u need to know some basic codes which we need in this job
----------------------------------------------------------
this part is copied from anither community post as i dont feel to rewrite the same thing again
EB-----------------jmp---------------------------Unconditional jump
90-----------------nop---------------------------No operation
75/0F85------------jne---------------------------jump if not equal
74/0F84------------je----------------------------jump if equal
77/0F87------------ja----------------------------jump if above
0F86---------------jna---------------------------jump if not above
0F83---------------jae------------------------jump if above or eq
-------------------------------------------------------------------
now start
1st step-
try to register the software with some random character. you will get an error messege like "wrong code"
note down this code
dessemble the exe file using win32dasm
u will getthe codes in too many lines .. may be 10000 depending upon the size of soft.
now find "wrong code" by search option in the dissembler
as you can see the codes are written in modules
just the line you find the "wrong code" ..try to check for the start of that module
hint* check for the lines "unconditional and conditional jump statements"
see the memory addresses written there
eg- oo1a009877...
leave this thing here only
now open the same .exe file with the help of hiew
open hiew.exe and start working on it with keyboard only
select the folder and select the file to open it
after opening it u can see garbage characters that you can not understand.
press f4 and select 3rd option ie- decode
now you can see the codes
now note the addresses written on dissembler part where we left
on hiew window press f5 and press "." then foloowed by the address u noted there
now after coming to the desired position select edit option by pressing f3
now we have to revert the statements
like lets say we encountered jne
like jne to je and vice-versa by changing there corresponding values ie 84<-->85
like this revert all the loop statements noted on dissembler module where we left after searching
now after editing the values press enter key and then press "f9" to update the changes in the exe file
now exit hiew
done!!!
now replace the .exe file with the one you just cracked
now it will accpet all the wrong codes which u will ener for registration and on entering the correct key only it will show error messege
Any type of registration protection.
First of all.Use Softice cause i don't like Live Approch.
Ok
Run Your target program and go on the registration dialog,then put
in the dialog any name and any serial number but DON'T press OK
before press "control+d" to pops up softice and in softice sets some
Break points.......for approching with a registration routine we must
breakpoint on api(windows functions) used to read Your name and Your
Sn.
They are
Getwindowtext
GetwindowtextA
Getdlgitemtext
GetdlgitemtextA
Hmemcpy (that's not an api but it's the best)
Well the "A" after the api means 32 bit so if your program is 32 bit
put the A if not don't.Easy!
I always use only Hmemcpy cause it runs 99,9% of the times.
Well now exit from softice by pressing control+d and press ok,if you have set
a working bpx softice will pops up.
Now start the real cracking.....
Press F12 until you can read on the bottom line of SoftIce the name
of the file of the program you're cracking....
then if before your location there's a call ok,if not press again F12 until you find it.
Then you must step into the code.....(by pressing F10),if in your stepping you find some
condictional jumps have a look at them......btw step until you find a call that prompt you
something like a messagebox or something else that prompt you the "You entered a Wrong code",
well before that call you noticed a condictional jump that jumped on that call or dindn't jump
over that call....if yes try to inverse the jump (change a jz into a jnz)
or (a better way) change the value of the eip in order to make that jump to jump or not.
Doing this if you find the good jump the program must prompt you "Thank for Registering this
fucked program",
now the crack is near to the end...
Often cracking this way you will only prompt the "You Are Regged" but the program still continue
to be unregged so in order to crack it 100% and easly there are 2 ways-
1) trace into the call BEFORE our important condictional jump and try to understand the code,
in order to find the real compare instrucion that often is kept in this call not out....if
you find out our real compare instruction,and change the below condictional jump in order to
make it jump or not(it depends if it before jumped or not,do the reverse).
Ok now the program should be fully cracked!
2) this is a worse way than the first but it works!This way is easyer for beginners
You must trace into the call before our important codictional jmp,and then put a bpx in its first line,then press "x" and exit from softice and use the program in all its functions,create new,open,about,save, and when softice pops up press "f12" in order to get out that call and look for a near condictional jump and try to inverse it and look if the program looks like regged,
you must sign up all these condictional jump and inverse it,and your program is cracked!
How to make Keygens.
Long and detailed tutorial :
Tools!
For tools you need a minimum of debugger like SoftIce for Windows (hence WinIce), and a C compiler with Dos libraries.
Content!
In this tutorial I will show how to make a key-gen for Ize and Swiftsearch. The protection that these programs use is the well
known Enter-Name-and-Registration-Number method. After selecting 'register', a window pops up where you can enter your name and
your registration number. The strategy here is to find out where in memory the data you enter is stored and then to find out what
is done with it. Before you go on make sure you configure the SoftIce dat file correctly.
Tutorial number 1:
Scanline Swiftsearch 2.0!
Swiftsearch is a useful little program that you can use to search on the web. I will explain step by step how to crack it.
step 1. Start the program
step 2: Choose register from the menus. You will now get a window where you can enter your name and your registration number.
step 3: Enter SoftIce (ctrl-d)
step 4: We will now set a breakpoint on functions like GetWindowText(a) and GetDlgItemText(a) to find out where in memory the data that we just entered
is stored. The function that is used by this program is GetDlgItemTexta (trial and error, just try yourself so, in SoftIce type BPX GetDlgItemTexta
and exit SoftIce with the g command.
step 5: Now type a name and a registration number (I used jmdg and 12345) and press OK, this will put you back in SoftIce. Since you are now inside
the GetDlgItemTexta function press F11 to get out of it. You should see the following code:
lea eax, [ebp-2C] :<--- we are looking for this location
push eax
push 00000404
push [ebp+08]
call [USER32!GetDlgItemTextA]
mov edi, eax :<--- eax has the length of the string
and is stored in edi for later usage.
We see that EAX is loaded with a memory address and then pushed to the stack as a parameter for the function GetDlgItemTextA. Since the function
GetDlgItemTextA is already been run we can look at EBP-2c (with ED EDP-2c) and see that the name we entered is there. Now we know where the name
is stored in memory, normally it would be wise to write that address down, but we will see that in this case it wont be necessary.
So, what next? Now we have to allow the program to read the registration number we entered. Just type g and return and when back in SoftIce press F11.
You should see the following code:
push 0000000B
lea ecx, [ebp-18] : <--So, ebp-18 is where the reg. number
push ecx : is stored.
push 0000042A
push [ebp+08]
call [USER32!GetDlgItemTextA]
mov ebx, eax : <--save the lenght of string in EBX
test edi, edi : <--remember EDI had the lenght of the
jne 00402FBF : name we entered?
We see that the registration number is stored at location EBP-18 , check it with ED EBP-18. Again, normally it would be wise to note that address down.
Also we see that it is checked if the length of the name we gave was not zero. If it is not zero the program will continue.
Step 6: Ok, now we know where the data we entered is stored in memory. What next?
Now we have to find out what is DONE with it. Usually it would we wise to put breakpoints on those memory locations and find out where in the program
they are read. But in this case the answer is just a few F10's away. Press F10 until you see the following code :
cmp ebx, 0000000A :<--remember EPX had the length of the
je 00402FDE : registration code we entered?
These two lines are important. They check if the length of the registration code we entered is equal to 10. If not the registration number will be
considered wrong already. The program wont even bother to check it. Modify EBX or the FLAG register in the register window to allow the jump. Continue
Pressing F10 until you get to the following code (note that the adresses you will see could be different) :
:00402FDE xor esi, esi :<-- Clear ESI
:00402FE0 xor eax, eax :<-- Clear EAX
:00402FE2 test edi, edi
:00402FE4 jle 00402FF2
:00402FE6 movsx byte ptr ecx, [ebp + eax - 2C] :<-- ECX is loaded with a letter of the name we entered.
:00402FEB add esi, ecx :<-- Add the letter to ESI
:00402FED inc eax :<-- Increment EAX to get next letter
:00402FEE cmp eax, edi :<-- Did we reach the end of the string?
:00402FF0 jl 00402FE6 :<-- If not, go get the next letter.
Well, we see that the program adds together all the letters of the name we entered. Knowing that ESI contains the sum of the letters, lets continue
and find out what the program does with that value :
:00402FF2 push 0000000A
:00402FF4 lea eax, [ebp-18] :<-- Load EAX with the address of the reg. number we entered
:00402FF7 push 00000000
:00402FF9 push eax :<-- Push EAX (as a parameter for the following function)
:00402FFA call 00403870 :<-- Well, what do you think this function does?
:00402FFF add esp, 0000000C
:00403002 cmp eax, esi :<-- Hey!
:00403004 je 00403020
We see that a function is called and when RETurned ESI is compared with EAX. Hmm, lets look at what's in EAX. A '? EAX' reveals :
00003039 0000012345 "09"
Bingo. That's what we entered as the registration number. It should have been what's inside ESI. And we know what's inside ESI, the sum of
the letters of the name we entered!
Step 7: Now we know how the program computes the registration code we can make a key-gen.
But we should not forget that the program checks also that the registration number has 10
digits.
A simple C code that will compute the registration number for this program could look like this:
#include
#include
main()
{
char Name[100];
int NameLength,Offset;
long int Reg = 0, Dummy2 = 10;
int Dummy = 0;
int LengtDummy = 1;
int Lengt , Teller;
printf("Scanline SwiftSearch 2.0 crack by JM-DG.\n");
printf("Enter your name: ");
gets(Name);
NameLength=strlen(Name);
/* the for lus calculates the sum of the letters in Name */
/* and places that value in Reg */
for (Offset=0;Offset /* Then print the registration number */
printf("%lu\n", Reg);
}
Tutorial number 2
Ize 2.04 from Gadgetware
Ize from Gadgetware is a cute little program that will put a pair of eyes on your screen which will
follow your mousepointer. It has a register function where you can enter your name and a registration
number. The strategy in this case is still the same : Find out where in memory the entered information
is stored and then find out what is done with that information.
Step 1: Start Ize. Chose register and enter a name and a number. I used again 'jmdg' and '12345'.
Sterp 2: Enter (CTRL-D) Softice and set a breakpoint on GetDlgItemTextA.
Step 3: Leave SoftIce and press OK. This will put you back in Softice. You will be inside the GetDlgItemTextA
function. To get out of it press F11. You should see the following code :
mov esi, [esp + 0C]
push 00000064
push 0040C3A0 :<--On this memory location the NAME we entered will be stored.
mov edi, [USER32!GetDlgItemTextA] :<--Load edi with adress of GetDlgItemTextA
push 00004EE9
push esi
call edi :<-- Call GetDlgItemTextA
push 00000064 :<-- (you should be here now)
push 0040C210 :<--On this memory location the NUMBER we entered will be stored
push 00004EEA
push esi
call edi :<-- Call GetDlgItemTextA
We see that the function GetDlgItemTextA is called twice in this code fragment. The first call has
already happened. With ED 40C3A0 we can check that the name we entered is stored on that location.
To allow the program to read in the number we entered we type G and enter. Now we are inside the Get-
DlgItemTextA function again and we press f11 to get out of it. We check memory location 40C210 and
we see the number we entered is stored there.
Now we know the locations were the name and the number are stored,we note those down!
Step 4: Ok, what next? We now know where in memory the name and the number are stored. We need to find out
what the program does with those values. In order to do that we could set breakpoints on those memory
locations to see where they are read. But in this case it wont be necessary. The answer is right after the
above code :
push 0040C210 :<--save the location of the number we entered (as a parameter for the next call)
call 00404490 :<-- call this unknown function
add esp, 00000004
mov edi, eax :<-- save EAX (hmmmm)
We see a function being called with the number-location as a parameter. We could trace into the function and see what it does, but that is not
needed. With your experience of the Swiftsearch example you should be able to guess what this function does. It calculates the numerical value
of the registration number and puts it in EAX. To be sure we step further using F10 until we are past the call and check the contents of EAX
(with ? EAX). In my case it showed : 00003039 0000012345 "09".
Knowing that EDI contains our registration number we proceed:
push 0040C3A0 :<-- save the location of the name we entered (as a parameter for the next call)
push 00409080 :<-- save an unknown memory-location (as a parameter for the next call)
call 004043B0 :<--call to an unknown function
add esp, 00000008
cmp edi, eax :<--compare EDI (reg # we entered) with EAX (unknown, since the previous call changed it)
jne 004018A1 :<--jump if not equal
We see that a function is called with two parameters. One of the parameters is the location of the name
we entered. The other we dont know, but we can find out with ED 409080. We see the text 'Ize'.
This function calculates the right registration number using those two parameters. If you just want to
crack this program, you can place a breakpoint right after the call and check the contents of EAX. It will
contain the right registration number. But since we want to know HOW the reg. # is calculated we will trace
inside the function (using T). We will then try to find out HOW the contents of EAX got in there.
Step 5: Once inside the interesting function you will see that we are dealing with a rather long function.
It wont be necessary for me to include the complete listing of this function, because we wont need all of it to make our key-gen.
But in order find out which part of the code is essential for the computation of the right registration number,
you have to trace STEP by STEP and figure out what EXACTLY is going on!
Afther doing this i found out that the first part of the function computes some kind of "key". Then this
"key" is stored in memory and in that way passed on to the second part of the function.
The second part of the function then computes the right registration number, based on this "key" AND
the name we entered.
The code that is essential and that we need for our key-gen is the following:
( Note that before the following code starts, the registers that are used will have the following values:
EBX will point to the first letter of the name we entered,
EDX will be zero,
EBP will be zero,
The "key" that we talked about earlier is stored in memory location 0040B828 and will
have 0xA4CC as its initial value. )
:00404425 movsx byte ptr edi, [ebx + edx] :<-- Put first letter of the name in EDI
:00404429 lea esi, [edx+01] :<-- ESI gets the "letter-number"
:0040442C call 00404470 :<-- Call function
:00404431 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the the previous call)
:00404434 call 00404470 :<-- Call function
:00404439 mov edx, esi
:0040443B mov ecx, FFFFFFFF
:00404440 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the previous call)
:00404443 imul edi, esi :<-- EDI=EDI*ESI ( esi is the number of the letter position)
:00404446 add ebp, edi :<-- EBP=EBP+EDI (beware that EBP will finally contain the right reg#)
:00404448 mov edi, ebx :<--these lines compute the lenght of the name we entered
:0040444A sub eax, eax :<--these lines compute the lenght of the name we entered
:0040444C repnz :<--these lines compute the lenght of the name we entered
:0040444D scasb :<--these lines compute the lenght of the name we entered
:0040444E not ecx :<--these lines compute the lenght of the name we entered
:00404450 dec ecx :<-- ECX now contains the lenght of the name
:00404451 cmp ecx, esi
:00404453 ja 00404425 :<-- If its not the end of the name , go do the same with the next letter
:00404455 mov eax, ebp :<-- SAVE EBP TO EAX !!!!
:00404457 pop ebp
:00404458 pop edi
:00404459 pop esi
:0040445A pop ebx
:0040445B ret
_____
:00404470 mov eax, [0040B828] :<-- Put "key" in EAX
:00404475 mul eax, eax, 015A4E35 :<-- EAX=EAX * 15A4E35
:0040447B inc eax :<-- EAX=EAX + 1
:0040447C mov [0040B828], eax :<-- Replace the "key" with the new value of EAX
:00404481 and eax, 7FFF0000 :<-- EAX=EAX && 7FFF0000
:00404486 shr eax, 10 :<-- EAX=EAX >>10
:00404489 ret
The above code consists of a loop that goes trough all the letters of the name we entered. With each
letter some value is calculated, all these values are added up together (in EBP). Then this value is stored
in EAX and the function RETurns. And that was what we were looking for, we wanted to know how EAX got its value!
Step 6: Now to make a key-gen we have to translate the above method of calculating the right reg# into a
c program. It could be done in the following way :
(Note : I am a bad c programmer I just began to use this language...)
#include
#include
main()
{
char Name[100];
int NameLength,Offset;
unsigned long Letter,DummyA;
unsigned long Key = 0xa4cc;
unsigned long Number = 0;
printf("Ize 2.04 crack by JM-DG\n");
printf("Enter your name: ");
gets(Name);
NameLength=strlen(Name);
for (Offset=0;Offset }
Long and detailed tutorial :
Tools!
For tools you need a minimum of debugger like SoftIce for Windows (hence WinIce), and a C compiler with Dos libraries.
Content!
In this tutorial I will show how to make a key-gen for Ize and Swiftsearch. The protection that these programs use is the well
known Enter-Name-and-Registration-Number method. After selecting 'register', a window pops up where you can enter your name and
your registration number. The strategy here is to find out where in memory the data you enter is stored and then to find out what
is done with it. Before you go on make sure you configure the SoftIce dat file correctly.
Tutorial number 1:
Scanline Swiftsearch 2.0!
Swiftsearch is a useful little program that you can use to search on the web. I will explain step by step how to crack it.
step 1. Start the program
step 2: Choose register from the menus. You will now get a window where you can enter your name and your registration number.
step 3: Enter SoftIce (ctrl-d)
step 4: We will now set a breakpoint on functions like GetWindowText(a) and GetDlgItemText(a) to find out where in memory the data that we just entered
is stored. The function that is used by this program is GetDlgItemTexta (trial and error, just try yourself so, in SoftIce type BPX GetDlgItemTexta
and exit SoftIce with the g command.
step 5: Now type a name and a registration number (I used jmdg and 12345) and press OK, this will put you back in SoftIce. Since you are now inside
the GetDlgItemTexta function press F11 to get out of it. You should see the following code:
lea eax, [ebp-2C] :<--- we are looking for this location
push eax
push 00000404
push [ebp+08]
call [USER32!GetDlgItemTextA]
mov edi, eax :<--- eax has the length of the string
and is stored in edi for later usage.
We see that EAX is loaded with a memory address and then pushed to the stack as a parameter for the function GetDlgItemTextA. Since the function
GetDlgItemTextA is already been run we can look at EBP-2c (with ED EDP-2c) and see that the name we entered is there. Now we know where the name
is stored in memory, normally it would be wise to write that address down, but we will see that in this case it wont be necessary.
So, what next? Now we have to allow the program to read the registration number we entered. Just type g and return and when back in SoftIce press F11.
You should see the following code:
push 0000000B
lea ecx, [ebp-18] : <--So, ebp-18 is where the reg. number
push ecx : is stored.
push 0000042A
push [ebp+08]
call [USER32!GetDlgItemTextA]
mov ebx, eax : <--save the lenght of string in EBX
test edi, edi : <--remember EDI had the lenght of the
jne 00402FBF : name we entered?
We see that the registration number is stored at location EBP-18 , check it with ED EBP-18. Again, normally it would be wise to note that address down.
Also we see that it is checked if the length of the name we gave was not zero. If it is not zero the program will continue.
Step 6: Ok, now we know where the data we entered is stored in memory. What next?
Now we have to find out what is DONE with it. Usually it would we wise to put breakpoints on those memory locations and find out where in the program
they are read. But in this case the answer is just a few F10's away. Press F10 until you see the following code :
cmp ebx, 0000000A :<--remember EPX had the length of the
je 00402FDE : registration code we entered?
These two lines are important. They check if the length of the registration code we entered is equal to 10. If not the registration number will be
considered wrong already. The program wont even bother to check it. Modify EBX or the FLAG register in the register window to allow the jump. Continue
Pressing F10 until you get to the following code (note that the adresses you will see could be different) :
:00402FDE xor esi, esi :<-- Clear ESI
:00402FE0 xor eax, eax :<-- Clear EAX
:00402FE2 test edi, edi
:00402FE4 jle 00402FF2
:00402FE6 movsx byte ptr ecx, [ebp + eax - 2C] :<-- ECX is loaded with a letter of the name we entered.
:00402FEB add esi, ecx :<-- Add the letter to ESI
:00402FED inc eax :<-- Increment EAX to get next letter
:00402FEE cmp eax, edi :<-- Did we reach the end of the string?
:00402FF0 jl 00402FE6 :<-- If not, go get the next letter.
Well, we see that the program adds together all the letters of the name we entered. Knowing that ESI contains the sum of the letters, lets continue
and find out what the program does with that value :
:00402FF2 push 0000000A
:00402FF4 lea eax, [ebp-18] :<-- Load EAX with the address of the reg. number we entered
:00402FF7 push 00000000
:00402FF9 push eax :<-- Push EAX (as a parameter for the following function)
:00402FFA call 00403870 :<-- Well, what do you think this function does?
:00402FFF add esp, 0000000C
:00403002 cmp eax, esi :<-- Hey!
:00403004 je 00403020
We see that a function is called and when RETurned ESI is compared with EAX. Hmm, lets look at what's in EAX. A '? EAX' reveals :
00003039 0000012345 "09"
Bingo. That's what we entered as the registration number. It should have been what's inside ESI. And we know what's inside ESI, the sum of
the letters of the name we entered!
Step 7: Now we know how the program computes the registration code we can make a key-gen.
But we should not forget that the program checks also that the registration number has 10
digits.
A simple C code that will compute the registration number for this program could look like this:
#include
#include
main()
{
char Name[100];
int NameLength,Offset;
long int Reg = 0, Dummy2 = 10;
int Dummy = 0;
int LengtDummy = 1;
int Lengt , Teller;
printf("Scanline SwiftSearch 2.0 crack by JM-DG.\n");
printf("Enter your name: ");
gets(Name);
NameLength=strlen(Name);
/* the for lus calculates the sum of the letters in Name */
/* and places that value in Reg */
for (Offset=0;Offset /* Then print the registration number */
printf("%lu\n", Reg);
}
Tutorial number 2
Ize 2.04 from Gadgetware
Ize from Gadgetware is a cute little program that will put a pair of eyes on your screen which will
follow your mousepointer. It has a register function where you can enter your name and a registration
number. The strategy in this case is still the same : Find out where in memory the entered information
is stored and then find out what is done with that information.
Step 1: Start Ize. Chose register and enter a name and a number. I used again 'jmdg' and '12345'.
Sterp 2: Enter (CTRL-D) Softice and set a breakpoint on GetDlgItemTextA.
Step 3: Leave SoftIce and press OK. This will put you back in Softice. You will be inside the GetDlgItemTextA
function. To get out of it press F11. You should see the following code :
mov esi, [esp + 0C]
push 00000064
push 0040C3A0 :<--On this memory location the NAME we entered will be stored.
mov edi, [USER32!GetDlgItemTextA] :<--Load edi with adress of GetDlgItemTextA
push 00004EE9
push esi
call edi :<-- Call GetDlgItemTextA
push 00000064 :<-- (you should be here now)
push 0040C210 :<--On this memory location the NUMBER we entered will be stored
push 00004EEA
push esi
call edi :<-- Call GetDlgItemTextA
We see that the function GetDlgItemTextA is called twice in this code fragment. The first call has
already happened. With ED 40C3A0 we can check that the name we entered is stored on that location.
To allow the program to read in the number we entered we type G and enter. Now we are inside the Get-
DlgItemTextA function again and we press f11 to get out of it. We check memory location 40C210 and
we see the number we entered is stored there.
Now we know the locations were the name and the number are stored,we note those down!
Step 4: Ok, what next? We now know where in memory the name and the number are stored. We need to find out
what the program does with those values. In order to do that we could set breakpoints on those memory
locations to see where they are read. But in this case it wont be necessary. The answer is right after the
above code :
push 0040C210 :<--save the location of the number we entered (as a parameter for the next call)
call 00404490 :<-- call this unknown function
add esp, 00000004
mov edi, eax :<-- save EAX (hmmmm)
We see a function being called with the number-location as a parameter. We could trace into the function and see what it does, but that is not
needed. With your experience of the Swiftsearch example you should be able to guess what this function does. It calculates the numerical value
of the registration number and puts it in EAX. To be sure we step further using F10 until we are past the call and check the contents of EAX
(with ? EAX). In my case it showed : 00003039 0000012345 "09".
Knowing that EDI contains our registration number we proceed:
push 0040C3A0 :<-- save the location of the name we entered (as a parameter for the next call)
push 00409080 :<-- save an unknown memory-location (as a parameter for the next call)
call 004043B0 :<--call to an unknown function
add esp, 00000008
cmp edi, eax :<--compare EDI (reg # we entered) with EAX (unknown, since the previous call changed it)
jne 004018A1 :<--jump if not equal
We see that a function is called with two parameters. One of the parameters is the location of the name
we entered. The other we dont know, but we can find out with ED 409080. We see the text 'Ize'.
This function calculates the right registration number using those two parameters. If you just want to
crack this program, you can place a breakpoint right after the call and check the contents of EAX. It will
contain the right registration number. But since we want to know HOW the reg. # is calculated we will trace
inside the function (using T). We will then try to find out HOW the contents of EAX got in there.
Step 5: Once inside the interesting function you will see that we are dealing with a rather long function.
It wont be necessary for me to include the complete listing of this function, because we wont need all of it to make our key-gen.
But in order find out which part of the code is essential for the computation of the right registration number,
you have to trace STEP by STEP and figure out what EXACTLY is going on!
Afther doing this i found out that the first part of the function computes some kind of "key". Then this
"key" is stored in memory and in that way passed on to the second part of the function.
The second part of the function then computes the right registration number, based on this "key" AND
the name we entered.
The code that is essential and that we need for our key-gen is the following:
( Note that before the following code starts, the registers that are used will have the following values:
EBX will point to the first letter of the name we entered,
EDX will be zero,
EBP will be zero,
The "key" that we talked about earlier is stored in memory location 0040B828 and will
have 0xA4CC as its initial value. )
:00404425 movsx byte ptr edi, [ebx + edx] :<-- Put first letter of the name in EDI
:00404429 lea esi, [edx+01] :<-- ESI gets the "letter-number"
:0040442C call 00404470 :<-- Call function
:00404431 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the the previous call)
:00404434 call 00404470 :<-- Call function
:00404439 mov edx, esi
:0040443B mov ecx, FFFFFFFF
:00404440 imul edi, eax :<-- EDI=EDI*EAX (eax is the return value of the previous call)
:00404443 imul edi, esi :<-- EDI=EDI*ESI ( esi is the number of the letter position)
:00404446 add ebp, edi :<-- EBP=EBP+EDI (beware that EBP will finally contain the right reg#)
:00404448 mov edi, ebx :<--these lines compute the lenght of the name we entered
:0040444A sub eax, eax :<--these lines compute the lenght of the name we entered
:0040444C repnz :<--these lines compute the lenght of the name we entered
:0040444D scasb :<--these lines compute the lenght of the name we entered
:0040444E not ecx :<--these lines compute the lenght of the name we entered
:00404450 dec ecx :<-- ECX now contains the lenght of the name
:00404451 cmp ecx, esi
:00404453 ja 00404425 :<-- If its not the end of the name , go do the same with the next letter
:00404455 mov eax, ebp :<-- SAVE EBP TO EAX !!!!
:00404457 pop ebp
:00404458 pop edi
:00404459 pop esi
:0040445A pop ebx
:0040445B ret
_____
:00404470 mov eax, [0040B828] :<-- Put "key" in EAX
:00404475 mul eax, eax, 015A4E35 :<-- EAX=EAX * 15A4E35
:0040447B inc eax :<-- EAX=EAX + 1
:0040447C mov [0040B828], eax :<-- Replace the "key" with the new value of EAX
:00404481 and eax, 7FFF0000 :<-- EAX=EAX && 7FFF0000
:00404486 shr eax, 10 :<-- EAX=EAX >>10
:00404489 ret
The above code consists of a loop that goes trough all the letters of the name we entered. With each
letter some value is calculated, all these values are added up together (in EBP). Then this value is stored
in EAX and the function RETurns. And that was what we were looking for, we wanted to know how EAX got its value!
Step 6: Now to make a key-gen we have to translate the above method of calculating the right reg# into a
c program. It could be done in the following way :
(Note : I am a bad c programmer I just began to use this language...)
#include
#include
main()
{
char Name[100];
int NameLength,Offset;
unsigned long Letter,DummyA;
unsigned long Key = 0xa4cc;
unsigned long Number = 0;
printf("Ize 2.04 crack by JM-DG\n");
printf("Enter your name: ");
gets(Name);
NameLength=strlen(Name);
for (Offset=0;Offset }
Subscribe to:
Posts (Atom)
